Forti VLANs with Cisco Switch

Author
zp
New Member
  • Total Posts : 9
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/09/21 13:09:06
  • Status: offline
2020/09/21 13:51:09 (permalink)
0

Forti VLANs with Cisco Switch

Hello, folks.
 
I'm fairly new to FortiGate and I'm in the process of configuring an 80F to replace a Cisco RV320 router. The RV320 has 4 sub-interfaces tagged with their respective VLANs:
- x.x.0.1 (default), x.x.10.1 (vlan10), x.x.20.1 (vlan 20), x.x.30.1 (vlan 30)
 
The Cisco core switch has virtual interfaces for each VLAN:
- x.x.0.2 (default), x.x.10.2 (vlan10), etc.
- Each VLAN interface points to a Windows server for a DHCP-helper address
- The DHCP scopes for each VLAN subnet point to the respective switch virtual interface (x.x.x.2) as their gateway
- The core switch has a single default route pointing to x.x.0.1 on the RV320
- The core switch is connected to the RV320 by a single trunk port that carries all VLANs
 
As I'm setting up the 80F I thought it would be nice for each VLAN to have a dedicated physical port on the FortiGate to avoid having congestion on a single shared trunk port:
- I removed 3 ports from "internal" and configured them as standard ports (not VLAN) each with their x.x.x.1 address
- I plan to dedicate 1 core switch port for each VLAN and connect them to the respective 80F ports 1:1
- I plan to change the DHCP scopes for each subnet to point to the x.x.x.1 address of the 80F ports (the reason for using x.x.x.2 previously was to keep inter-VLAN traffic on the switch and off the trunk to the RV320)
 
I've done something similar for a Guest network on a different Forti device but in that instance the VLAN was carried through the network directly to the (untagged) FortiGate port which handed out DHCP itself. In that case it worked just fine.
 
Am I going about this the right way or is there a better/easier way? Can I setup a DHCP-helper address on the physical Forti interfaces? Is there benefit to configuring the Forti ports as VLAN interfaces?
 
Edit:
What about using a 4-port aggregate on the Forti to a 4-port Etherchannel on the Cisco and keeping the switch's default route to x.x.0.1?
 
Thanks!
zp
post edited by zp - 2020/09/21 15:37:38
#1
lobstercreed
Platinum Member
  • Total Posts : 315
  • Scores: 37
  • Reward points: 0
  • Joined: 2018/11/28 14:57:58
  • Location: Sedalia, MO
  • Status: offline
Re: Forti VLANs with Cisco Switch 2020/09/23 03:21:59 (permalink) (Best Answer, marked by zp 2020/09/23 09:16:40)
0
Hey Zach,
 
zp wrote:
Am I going about this the right way or is there a better/easier way? Can I setup a DHCP-helper address on the physical Forti interfaces? Is there benefit to configuring the Forti ports as VLAN interfaces?

Yes, yes, and no.  This gives you the greatest flexibility in building firewall rules and controlling (or at least logging) inter-VLAN traffic.  You absolutely can have the FortiGate do the ip-helper and you can do it from the GUI interface config by selecting Advanced when you turn on the DHCP server and changing the Mode from "server" to "relay".
 
 
zp wrote:
Edit:
What about using a 4-port aggregate on the Forti to a 4-port Etherchannel on the Cisco and keeping the switch's default route to x.x.0.1?

 
I'm not sure what the switch's default route has to do with whether you use LACP or not, but I would imagine you could use the agg and do VLANs on that interface.  Honestly, not something I've ever had reason to do but if bandwidth or VLAN expansion is a concern, maybe you want to give it a try and let us know.  :-)
 
- Daniel
#2
zp
New Member
  • Total Posts : 9
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/09/21 13:09:06
  • Status: offline
Re: Forti VLANs with Cisco Switch 2020/09/23 09:23:24 (permalink)
0
Thanks, Daniel. VLAN expansion is something I started thinking about and as of now have decided to do the LAG port so that I can add more VLANs when needed. My thought on the gateway was that I would just use the physical x.x.0.1 address with no sub-interfaces and have my L3 switch use that address as the default gateway.
 
We have a similar setup at one of our offices (what I'm working on is a side project for someone else) and that FG is apparently able to assign rules based on the source subnets even though the FG itself has no sub-interfaces on those subnets.
#3
Toshi Esumi
Expert Member
  • Total Posts : 2275
  • Scores: 219
  • Reward points: 0
  • Joined: 2014/11/06 09:56:42
  • Status: offline
Re: Forti VLANs with Cisco Switch 2020/09/23 09:43:30 (permalink)
0
As Daniel pointed out, it's all about whether you want/have to regulate inter-VLAN traffic with FW policies or not. If the L3 switch routes them to each other, the traffic doesn't come to the FGT. And of course most FW gear on the market can regulate traffic based on IP addresses/subnets for source and/or destination, not only the FGT, as long as the traffic comes to it.
 
#4
zp
New Member
  • Total Posts : 9
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/09/21 13:09:06
  • Status: offline
Re: Forti VLANs with Cisco Switch 2020/09/23 09:48:07 (permalink)
0
I understand now: for policies between VLANs, host them on the FG; otherwise keep them on the Cisco. Something to think about. I can do some ACLs for inter-VLAN routing on the Cisco but it won't be as granular as what the FG can do from what I've seen.
Edit: Thanks!
post edited by zp - 2020/09/23 09:54:13
#5
lobstercreed
Platinum Member
  • Total Posts : 315
  • Scores: 37
  • Reward points: 0
  • Joined: 2018/11/28 14:57:58
  • Location: Sedalia, MO
  • Status: offline
Re: Forti VLANs with Cisco Switch 2020/09/23 12:39:27 (permalink)
0
I would strongly recommend putting the VLANs on the FGT as your default practice and only moving them off the FortiGate when you have capacity issues with your FGT.  Even if you don't need policies between VLANs you gain extra visibility into your network (down to MAC addresses) and can log traffic (set an allow all rule for example) that you wouldn't otherwise see.
#6
zp
New Member
  • Total Posts : 9
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/09/21 13:09:06
  • Status: offline
Re: Forti VLANs with Cisco Switch 2020/09/23 12:41:08 (permalink)
0
I won't be able to take this unit onsite until this weekend so I'm unable to test anything currently. I'm trying to config as much as I can ahead of time.
 
I have the LAG ports with an IP on the untagged VLAN and sub-interfaces with DHCP helper addresses. The DHCP server resides on the untagged VLAN - do I need to specifically allow the other VLANs access to this server?
 
For now I've made a subnet object of 10.100.0.0/16 and have a rule allowing any/any to/from this object. But I have to select an incoming and outgoing interface. Does the LAG interface encompass the sub-interfaces or do I need rules to/from each VLAN interface?
 
Eventually I would create a /32 object for the server and just allow DHCP/DNS to/from but for now I want to make sure everything works and I can tighten things up later.
 
Is there benefit to using a group object of all the interfaces instead of the /16 subnet beyond being more specific?
 
Thanks!


#7
zp
New Member
  • Total Posts : 9
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/09/21 13:09:06
  • Status: offline
Re: Forti VLANs with Cisco Switch 2020/09/23 12:43:23 (permalink)
0
I agree and I'm trying to go this route but I'm starting to see some difficulty with my lack of FGT experience :)
#8
lobstercreed
Platinum Member
  • Total Posts : 315
  • Scores: 37
  • Reward points: 0
  • Joined: 2018/11/28 14:57:58
  • Location: Sedalia, MO
  • Status: offline
Re: Forti VLANs with Cisco Switch 2020/09/24 03:31:54 (permalink)
0
zp wrote:
I have the LAG ports with an IP on the untagged VLAN and sub-interfaces with DHCP helper addresses. The DHCP server resides on the untagged VLAN - do I need to specifically allow the other VLANs access to this server?

Not necessarily for DHCP to hand out an address initially, but in order to allow the DHCP clients to do normal renewals, yes.
 
zp wrote:
For now I've made a subnet object of 10.100.0.0/16 and have a rule allowing any/any to/from this object. But I have to select an incoming and outgoing interface. Does the LAG interface encompass the sub-interfaces or do I need rules to/from each VLAN interface?

 
What you have shown would not work, no.  You need policies for the VLAN interfaces, OR (and I would *strongly* recommend this) you can put them into a Zone and then create a policy from that zone to that zone.  You can still get granular on your rules and say subnet A can access subnets B, C, and D, but subnet B can't access any other subnet, while subnet C can access only A and B, or whatever you want.  That would be a reason for creating more granular address objects.
#9
zp
New Member
  • Total Posts : 9
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/09/21 13:09:06
  • Status: offline
Re: Forti VLANs with Cisco Switch 2020/09/24 13:24:22 (permalink)
0
Daniel, thank you very much for your insights here - greatly appreciated.
- I took the IP address off the LAG port and added another sub-interface for the default VLAN and tagged it "1"
- Created a zone with all VLAN interfaces
- An address group with all subnets
- Rules allowing inter-VLAN traffic (hopefully) and all VLANs to the Internet (hopefully)
 
Goal right now is for everything to access the Internet and all VLANs to access each other. I'll work on tightening everything up moving forward. How are we looking now?
 
Thanks!
zp.
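For readers following the layout zp describes in this post and the zone/policy approach Daniel recommends in the previous one, here is what it looks like in the FortiOS CLI. This is an added example, not config posted in the thread or Fortinet's own documentation; it assumes member ports port1-port4, /24 subnets inside zp's 10.100.0.0/16, a management VLAN tag of 100 (any unused tag, in place of VLAN 1), a Windows DHCP/DNS server at 10.100.0.10 on that management VLAN, and a WAN interface named wan1. All of those values are placeholders.

```fortios
# Added example (not from the thread). Assumed values: port1-port4, 10.100.x.0/24
# subnets, management VLAN tag 100, DHCP/DNS server 10.100.0.10, WAN interface wan1.

# 1. LACP aggregate to the Cisco Etherchannel. No IP on the LAG itself: every subnet
#    lives on a tagged sub-interface, so nothing is expected to arrive untagged.
config system interface
    edit "lag1"
        set vdom "root"
        set type aggregate
        set member "port1" "port2" "port3" "port4"
        set lacp-mode active
    next
end

# 2. One VLAN sub-interface per subnet riding on lag1. The management VLAN holds the
#    DHCP server; the other VLANs relay DHCP to it (the FortiGate form of ip-helper).
#    Management access (https/ssh) is only enabled on the management VLAN.
config system interface
    edit "vlan100-mgmt"
        set vdom "root"
        set interface "lag1"
        set vlanid 100
        set ip 10.100.0.1 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "vlan10"
        set vdom "root"
        set interface "lag1"
        set vlanid 10
        set ip 10.100.10.1 255.255.255.0
        set allowaccess ping
        set dhcp-relay-service enable
        set dhcp-relay-ip "10.100.0.10"
    next
    # vlan20 and vlan30 are identical apart from vlanid and ip (10.100.20.1, 10.100.30.1).
end

# 3. Zone holding every VLAN interface. intrazone stays "deny" so inter-VLAN traffic
#    must match an explicit policy, which is what makes it visible in the logs.
config system zone
    edit "lan-zone"
        set intrazone deny
        set interface "vlan100-mgmt" "vlan10" "vlan20" "vlan30"
    next
end

# 4. Address objects: the whole /16 for now, plus a /32 for the server to tighten later.
config firewall address
    edit "net-lan-10.100.0.0_16"
        set subnet 10.100.0.0 255.255.0.0
    next
    edit "host-dhcp-dns-server"
        set subnet 10.100.0.10 255.255.255.255
    next
end

# 5. Policies, evaluated top-down in the order entered. The first one covers unicast
#    DHCP renewals and DNS to the server and survives once the any/any rule is removed.
config firewall policy
    edit 10
        set name "lan-to-dhcp-dns"
        set srcintf "lan-zone"
        set dstintf "lan-zone"
        set srcaddr "net-lan-10.100.0.0_16"
        set dstaddr "host-dhcp-dns-server"
        set action accept
        set schedule "always"
        set service "DHCP" "DNS"
        set logtraffic all
    next
    edit 20
        set name "inter-vlan-any"
        set srcintf "lan-zone"
        set dstintf "lan-zone"
        set srcaddr "net-lan-10.100.0.0_16"
        set dstaddr "net-lan-10.100.0.0_16"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 30
        set name "lan-to-internet"
        set srcintf "lan-zone"
        set dstintf "wan1"
        set srcaddr "net-lan-10.100.0.0_16"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

Two things on the Cisco side follow from the earlier replies. First, the matching Port-channel has to be an 802.1Q trunk carrying exactly these VLAN IDs, and its native VLAN should be an unused one now that nothing is meant to arrive untagged. Second, as Toshi noted, if the core switch keeps its SVIs and the DHCP scopes keep handing out x.x.x.2 as the gateway, inter-VLAN traffic never reaches the FortiGate and none of the policies above apply; the SVIs need to go (or lose their IPs) and the scopes need to point at the x.x.x.1 addresses, as zp planned.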


#10
sw2090
Expert Member
  • Total Posts : 783
  • Scores: 58
  • Reward points: 0
  • Joined: 2017/06/14 01:27:25
  • Location: Regensburg
  • Status: offline
Re: Forti VLANs with Cisco Switch 2020/09/25 01:06:52 (permalink)
0
On a FGT a vlan is treated as a virtual interface too. So you can tie it to a port or switch or trunk.
You cannot configure a physical interface as vlan interface on a FGT.
 
Then you can create policies or static routes using the vlan interface as source or destination interface.
However only traffic that leaves the cisco will hit the FGT.
 
And yes, a virtual vlan interface can have rather the same options as a physical one. So you could set up secondary IP(s) or a dhcp server or dhcp relay on it if needed.
#11
lobstercreed
Platinum Member
  • Total Posts : 315
  • Scores: 37
  • Reward points: 0
  • Joined: 2018/11/28 14:57:58
  • Location: Sedalia, MO
  • Status: offline
Re: Forti VLANs with Cisco Switch 2020/09/25 03:56:14 (permalink)
0
I believe you've got it, Zach!  That should work as far as I can tell from what we've discussed.
#12
zp
New Member
  • Total Posts : 9
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/09/21 13:09:06
  • Status: offline
Re: Forti VLANs with Cisco Switch 2020/09/25 06:28:02 (permalink)
0
Thank you everyone, I appreciate it!
#13
zp
New Member
  • Total Posts : 9
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/09/21 13:09:06
  • Status: offline
Re: Forti VLANs with Cisco Switch 2020/09/26 17:35:34 (permalink)
0
The change-over went great! One thing that I expected to possibly be an issue was having the one sub-interface tagged as "VLAN 1". I changed the VLAN ID for that (management) VLAN and adjusted some internal addressing. Worked out just fine and will end up being more secure anyway by preventing VLAN hopping.
 
Thanks again everyone!
#14