zp
New Contributor II

Forti VLANs with Cisco Switch

Hello, folks.

 

I'm fairly new to FortiGate and I'm in the process of configuring an 80F to replace a Cisco RV320 router. The RV320 has 4 sub-interfaces tagged with their respective VLANs:

- x.x.0.1 (default), x.x.10.1 (vlan10), x.x.20.1 (vlan 20), x.x.30.1 (vlan 30)

 

The Cisco core switch has virtual interfaces for each VLAN:

- x.x.0.2 (default), x.x.10.2 (vlan10), etc.

- Each VLAN interface points to a Windows server for a DHCP-helper address

- The DHCP scopes for each VLAN subnet point to the respective switch virtual interface (x.x.x.2) for their gateway

- The core switch has a single default route pointing to x.x.0.1 on the RV320

- The core switch is connected to the RV320 by a single trunk port that carries all VLANs

 

As I'm setting up the 80F I thought it would be nice for each VLAN to have a dedicated physical port on the FortiGate to avoid having congestion on a single shared trunk port:

- I removed 3 ports from "internal" and configured them as standard ports (not VLAN) each with their x.x.x.1 address

- I plan to dedicate 1 core switch port for each VLAN and connect them to the respective 80F ports 1:1

- I plan to change the DHCP scopes for each subnet to point to the x.x.x.1 address of the 80F ports (the reason for using x.x.x.2 previously was to keep inter-VLAN traffic on the switch and off the trunk to the RV320)

 

I've done something similar for a Guest network on a different Forti device but in that instance the VLAN was carried through the network directly to the (untagged) FortiGate port which handed out DHCP itself. In that case it worked just fine.

 

Am I going about this the right way or is there a better/easier way? Can I setup a DHCP-helper address on the physical Forti interfaces? Is there benefit to configuring the Forti ports as VLAN interfaces?

 

Edit:

What about using a 4-port aggregate on the Forti to a 4-port Etherchannel on the Cisco and keeping the switch's default route to x.x.0.1?

 

Thanks!

zp

1 Solution
lobstercreed
Valued Contributor

Hey Zach,

 

zp wrote:

Am I going about this the right way or is there a better/easier way? Can I setup a DHCP-helper address on the physical Forti interfaces? Is there benefit to configuring the Forti ports as VLAN interfaces?

Yes, yes, and no.  This gives you the greatest flexibility in building firewall rules and controlling (or at least logging) inter-VLAN traffic.  You absolutely can have the FortiGate do the ip-helper and you can do it from the GUI interface config by selecting Advanced when you turn on the DHCP server and changing the Mode from "server" to "relay".

 

 

zp wrote:

Edit:

What about using a 4-port aggregate on the Forti to a 4-port Etherchannel on the Cisco and keeping the switch's default route to x.x.0.1?

 

I'm not sure what the switch's default route has to do with whether you use LACP or not, but I would imagine you could use the agg and do VLANs on that interface.  Honestly, not something I've ever had reason to do but if bandwidth or VLAN expansion is a concern, maybe you want to give it a try and let us know.  :)

 

- Daniel
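The aggregate-plus-VLAN design Daniel describes, written out as an added FortiOS CLI example. It is not from the thread and not from Fortinet's documentation. It assumes the 80F ports are named internal1 to internal4 and have already been taken out of the "internal" hardware switch, that the subnets are 10.100.0.0/24, 10.100.10.0/24, 10.100.20.0/24 and 10.100.30.0/24 (the poster's x.x.N.0 under the 10.100.0.0/16 mentioned later in the thread), and that the Windows DHCP server is 10.100.0.10; none of those values appear in the thread. Lines starting with # are commentary for the reader.

```fortios
# Added example, not the poster's configuration. Assumed names and addresses:
# members internal1-internal4, subnets 10.100.N.0/24, DHCP server 10.100.0.10.

# 1. LACP bundle to the Cisco. The switch side must be a Port-channel built
#    with "channel-group N mode active" and "switchport mode trunk" carrying
#    VLANs 10, 20 and 30; the bundle only comes up if both ends speak LACP.
config system interface
    edit "agg1"
        set vdom "root"
        set type aggregate
        set member "internal1" "internal2" "internal3" "internal4"
        set lacp-mode active
        # Untagged frames (the Cisco native VLAN, VLAN 1 by default) terminate
        # here, so this is the x.x.0.1 gateway for the default subnet.
        set ip 10.100.0.1 255.255.255.0
        set allowaccess ping
        set role lan
    next

    # 2. One 802.1Q sub-interface per VLAN on top of the bundle. The relay
    #    replaces the ip-helper that lived on the switch SVIs (GUI: DHCP
    #    Server > Advanced > Mode: Relay). Relayed requests reach the server
    #    with giaddr set to this interface's address, which is how the Windows
    #    server picks the scope; the scope's router option must now be
    #    10.100.10.1, not the old x.x.10.2 SVI.
    edit "vlan10"
        set vdom "root"
        set interface "agg1"
        set vlanid 10
        set ip 10.100.10.1 255.255.255.0
        set allowaccess ping
        set dhcp-relay-service enable
        set dhcp-relay-ip "10.100.0.10"
        set role lan
    next
    edit "vlan20"
        set vdom "root"
        set interface "agg1"
        set vlanid 20
        set ip 10.100.20.1 255.255.255.0
        set allowaccess ping
        set dhcp-relay-service enable
        set dhcp-relay-ip "10.100.0.10"
        set role lan
    next
    edit "vlan30"
        set vdom "root"
        set interface "agg1"
        set vlanid 30
        set ip 10.100.30.1 255.255.255.0
        set allowaccess ping
        set dhcp-relay-service enable
        set dhcp-relay-ip "10.100.0.10"
        set role lan
    next
end
```

Two checks worth running before the cut-over: `diagnose netlink aggregate name agg1` shows whether LACP negotiated and which members are active, and `diagnose sniffer packet any 'port 67 or port 68' 4` shows whether relayed DHCP is actually leaving toward the server. Two caveats: if the default subnet is later moved onto a tagged sub-interface with vlanid 1 instead of sitting on agg1 itself, the Cisco trunk has to tag its native VLAN (`vlan dot1q tag native` globally, or a native VLAN other than 1), because IOS sends the native VLAN untagged and a FortiGate VLAN sub-interface only accepts tagged frames; and the switch SVIs for VLANs 10, 20 and 30 have to lose their addresses or be shut down, otherwise the switch keeps routing inter-VLAN traffic locally and the FortiGate never sees it, which defeats the purpose of moving the gateways.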

zp
New Contributor II

Thanks, Daniel. VLAN expansion is something I started thinking about and as of now have decided to do the LAG port so that I can add more VLANs when needed. My thought on the gateway was that I would just use the physical x.x.0.1 address with no sub-interfaces and have my L3 switch use that address as the default gateway.

 

We have a similar setup at one of our offices (what I'm working on is a side project for someone else) and that FG is apparently able to assign rules based on the source subnets even though the FG itself has no sub-interfaces on those subnets.

Toshi_Esumi
Esteemed Contributor III

As Daniel pointed out, it's all about whether you want/have to regulate inter-VLAN traffic with FW policies or not. If the L3 switch routes between them, the traffic doesn't come to the FGT. And of course most FW gear on the market can regulate traffic based on IP addresses/subnets for source and/or destination, not only the FGT, as long as the traffic comes to it.

 

zp
New Contributor II

I understand now: for policies between VLANs, host them on the FG; otherwise keep them on the Cisco. Something to think about. I can do some ACLs for inter-VLAN routing on the Cisco, but it won't be as granular as what the FG can do from what I've seen.

Edit: Thanks!

lobstercreed
Valued Contributor

I would strongly recommend putting the VLANs on the FGT as your default practice and only moving them off the FortiGate when you have capacity issues with your FGT.  Even if you don't need policies between VLANs you gain extra visibility into your network (down to MAC addresses) and can log traffic (set an allow all rule for example) that you wouldn't otherwise see.

zp
New Contributor II

I agree and I'm trying to go this route but I'm starting to see some difficulty with my lack of FGT experience :)

zp
New Contributor II

I won't be able to take this unit onsite until this weekend so I'm unable to test anything currently. I'm trying to config as much as I can ahead of time.

 

I have the LAG ports with an IP on the untagged VLAN and sub-interfaces with DHCP helper addresses. The DHCP server resides on the untagged VLAN - do I need to specifically allow the other VLANs access to this server?

 

For now I've made a subnet object of 10.100.0.0/16 and have a rule allowing any/any to/from this object. But I have to select an incoming and outgoing interface. Does the LAG interface encompass the sub-interfaces or do I need rules to/from each VLAN interface?

 

Eventually I would create a /32 object for the server and just allow DHCP/DNS to/from but for now I want to make sure everything works and I can tighten things up later.

 

Is there benefit to using a group object of all the interfaces instead of the /16 subnet beyond being more specific?

 

Thanks!

lobstercreed
Valued Contributor

zp wrote:

I have the LAG ports with an IP on the untagged VLAN and sub-interfaces with DHCP helper addresses. The DHCP server resides on the untagged VLAN - do I need to specifically allow the other VLANs access to this server?

Not necessarily for DHCP to hand out an address initially, but in order to allow the DHCP clients to do normal renewals, yes.   

 

zp wrote:
 

For now I've made a subnet object of 10.100.0.0/16 and have a rule allowing any/any to/from this object. But I have to select an incoming and outgoing interface. Does the LAG interface encompass the sub-interfaces or do I need rules to/from each VLAN interface?

 

What you have shown would not work, no.  You need policies for the VLAN interfaces, OR (and I would *strongly* recommend this) you can put them into a Zone and then create a policy from that zone to that zone.  You can still get granular on your rules and say subnet A can access subnets B, C, and D, but subnet B can't access any other subnet, while subnet C can access only A and B, or whatever you want.  That would be a reason for creating more granular address objects.

zp
New Contributor II

Daniel, thank you very much for your insights here - greatly appreciated.

- I took the IP address off the LAG port and added another sub-interface for the default VLAN and tagged it "1"

- Created a zone with all VLAN interfaces

- An address group with all subnets

- Rules allowing inter-VLAN traffic (hopefully) and all VLANs to the Internet (hopefully)

 

Goal right now is for everything to access the Internet and all VLANs to access each other. I'll work on tightening everything up moving forward. How are we looking now?

 

Thanks!

zp.
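The zone-and-policy end state the poster lists above, together with Daniel's earlier zone-to-zone recommendation, written out as an added FortiOS CLI example. It is not the poster's actual configuration. It assumes sub-interfaces named vlan1, vlan10, vlan20 and vlan30 on the aggregate, a WAN interface named wan1, subnets 10.100.N.0/24 and a DHCP/DNS server at 10.100.0.10, none of which the thread states. It also adds two things the thread discusses but does not show: the DHCP/DNS policy to the server that Daniel says renewals need, and one granular per-subnet rule of the kind he describes (one subnet reaches the others, the rest reach nothing but the server).

```fortios
# Added example, not the poster's configuration. Assumed: interfaces
# vlan1/vlan10/vlan20/vlan30 on agg1, WAN "wan1", server 10.100.0.10.

config firewall address
    edit "net-vlan1"
        set subnet 10.100.0.0 255.255.255.0
    next
    edit "net-vlan10"
        set subnet 10.100.10.0 255.255.255.0
    next
    edit "net-vlan20"
        set subnet 10.100.20.0 255.255.255.0
    next
    edit "net-vlan30"
        set subnet 10.100.30.0 255.255.255.0
    next
    edit "srv-dhcp-dns"
        set subnet 10.100.0.10 255.255.255.255
    next
end

config firewall addrgrp
    edit "grp-lan-subnets"
        set member "net-vlan1" "net-vlan10" "net-vlan20" "net-vlan30"
    next
end

# intrazone deny is the point of the zone: VLAN-to-VLAN traffic then only
# flows through explicit LAN-to-LAN policies and everything else is dropped.
config system zone
    edit "LAN"
        set interface "vlan1" "vlan10" "vlan20" "vlan30"
        set intrazone deny
    next
end

# Policies match top-down, first hit wins; "edit 0" takes the next free ID.
config firewall policy
    # Renewals are unicast from the client straight to the server, so they
    # are routed like any other flow and need a policy even though the
    # initial broadcast discover was handled by the relay on the interface.
    edit 0
        set name "lan-to-dhcp-dns"
        set srcintf "LAN"
        set dstintf "LAN"
        set srcaddr "grp-lan-subnets"
        set dstaddr "srv-dhcp-dns"
        set action accept
        set schedule "always"
        set service "DHCP" "DNS"
        set logtraffic all
    next
    # Granular rule of the kind Daniel describes: vlan10 may initiate to the
    # other subnets; once the temporary rule below is deleted, nothing lets
    # vlan20 or vlan30 initiate toward anything except the DHCP/DNS server.
    edit 0
        set name "vlan10-to-others"
        set srcintf "LAN"
        set dstintf "LAN"
        set srcaddr "net-vlan10"
        set dstaddr "net-vlan1" "net-vlan20" "net-vlan30"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # Temporary "everything talks to everything" rule for the cut-over. Keep
    # it logging, write granular rules from what the log shows is really in
    # use, then delete it.
    edit 0
        set name "lan-intrazone-temp"
        set srcintf "LAN"
        set dstintf "LAN"
        set srcaddr "grp-lan-subnets"
        set dstaddr "grp-lan-subnets"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 0
        set name "lan-to-internet"
        set srcintf "LAN"
        set dstintf "wan1"
        set srcaddr "grp-lan-subnets"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

Once the temporary rule is gone, anything not matched falls to the implicit deny; turn on `config log setting` / `set fwpolicy-implicit-log enable` so those drops show up in the traffic log rather than silently breaking something. The address group versus the /16 object question from earlier in the thread is answered by the granular rule: the group is what lets one policy name exactly which subnets may talk, while a single /16 would match everything, including any future VLAN you add on the aggregate before you have written a rule for it.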
