One VLAN on multiple ethernet interfaces

Tutek, 2020/09/24 04:16:34

Hi,
Is it possible on a FortiGate 100F to have one VLAN configured on multiple ports?
Let's say I have vlan5 (192.168.5.0): is it possible to attach it to port1 and port2, so that both ports share the same vlan5 subnet?
 
Thanks
#1

    lobstercreed, 2020/09/24 04:28:30
    No, a VLAN interface is a sub-interface on a FortiGate (a tagged VLAN on a trunk port in switching parlance). 
     
    You *could* set up a switch on the FortiGate so that more than one physical port shared the same "interface" but you wouldn't be able to tag VLANs on those ports.  You'd have to connect it to a switch on an untagged VLAN to maybe kind of achieve what you're looking for, at which point why not just use a switch to begin with.  Tag the VLAN going to the FortiGate and set untagged VLANs on the other ports you need instead of using the FortiGate for them.
    #2
    Tutek, 2020/09/24 04:37:08
    So how can I create a setup like this:
    I have LAN port1 and a DMZ port, and one MGMT VLAN subnet (tagged). How can I have the same MGMT VLAN subnet on both LAN and DMZ?
    On other routers I can bridge the MGMT VLAN with the DMZ port and this works; how about FortiGate?
    #3
    Benoit_Rech_FTNT, 2020/09/24 05:40:54
    Hello Wojtek,
    you can assign the same VLAN to multiple physical ports, and with different IPs on the same subnet.
    To do that, you need to enable 'allow-subnet-overlap'.
    See https://kb.fortinet.com/kb/documentLink.do?externalID=FD30014
    Best regards,
    Benoit
    #4
    Toshi Esumi, 2020/09/24 08:43:45
    I wouldn't do that. The MGMT port is there to separate the management access network from all other "user" networks on the LAG. It's better kept alone with the management subnet and connected directly to the switch (access port); then you can control L2 switching/L3 routing at the L3 switch.
    #5
    Toshi Esumi, 2020/09/24 08:51:10
    Maybe I mixed up with another thread. But separation of MGMT port should still stand.
    #6
    lobstercreed, 2020/09/24 10:58:24
    100% agree with Toshi.  I refrained from saying anything but the design Wojtek described makes no sense to me.  Management is its own thing and should be on its own interface.  Can't imagine what the benefit would even be to having it on multiple interfaces.
    #7
    sw2090, 2020/09/25 00:52:15
    allow-subnet-overlap is an evil option. The devil made it. Please do not use it ;)
     
    As said, a VLAN on a FGT is a virtual interface that is tied to a physical one. So the only option to share one VLAN on more than one port would be to put those ports into a switch; then they are treated as one interface and you can tie a VLAN to it.
    The only other option might be port trunking, but then you no longer have separate ports.
    #8
    Tutek, 2020/09/25 01:38:37
    Yes, it's great when you have multiple ethernet interfaces on a server, but most of my servers have only two ethernet ports: one iRMC and the last one for data flow and the MGMT VLAN. I cannot do it another way, like only putting MGMT on a VLAN, and I would like to have one MGMT subnet spread across all my FortiGate LAN ports, so this is my problem.
     
    I cannot put the last port together with my DMZ port on a switch; they need to be separated (security reasons).
    #9
    lobstercreed, 2020/09/25 03:14:29
    So if your servers are needing trunk ports (which is what I'm hearing) then you need to use a managed switch to connect between your servers and the FortiGate (maybe FortiSwitch would work; I have no personal experience).  There would be no security risk as your DMZ would be on its own VLAN and could not communicate with anything else.  This should be very easy to accomplish with any number of managed switch vendors.
    #10
    Tutek, 2020/09/25 03:35:20
    This is no problem for me, as I have managed switches and already use a tagged MGMT VLAN. I'm asking if FortiGate is able to achieve this setup, as I am soon moving from my current router to FortiGate.
    #11
    lobstercreed, 2020/09/25 03:54:00
    I think you're conflating routers and layer 3 switches.  I'm not aware of any "router" that can do what you're asking, and that's more what the FortiGate is, so unfortunately not.
    #12
    sw2090, 2020/10/05 07:05:24
    Sounds like you have a similar setup to us:
     
    We have management switches that have VLANs tagged on their ports. The switches have some uplink to the next switch (redundant, using spanning tree and trunking). All traffic that wants to leave the VLAN/subnet it comes from will hit the FortiGate in the end. So the FGT has one interface (one port or trunk) connected to the first switch, and all VLANs are tied to that on the FGT.
    Still, those are separated on the one hand by the port tagging on the switches and on the other by the FGT, because there will be no inter-VLAN traffic unless a policy explicitly allows it.
     
    This is working fine here.
    #13
    Tutek, 2020/10/05 11:44:10
    Yes, I'm going to do the same config when I build my new FortiGate.
    I have one more question: I don't use the native VLAN 1 in my LAN; my LAN is on another tagged VLAN ID. Is there any way on a FortiGate trunk port to ingress-filter VLANs and not accept any untagged frames? This is intended to make my network more secure.
    #14
    sw2090, 2020/10/06 07:37:02
    Hm, I don't think so. But it does not matter, since you could give the physical interface some dummy config, or set it to DHCP or anything else, so it doesn't match any packet coming in there.
    Additionally, all traffic that doesn't match any policy on the FGT will hit policy #0 and get dropped. This is the FGT default :)
     
    Or you set the physical port up for the first VLAN (IP config only) and set the uplink to the first switch after the FGT to be untagged in that VLAN. This is the way we do it. Ports that are not in any VLAN are untagged in VID 1 (because HP switches require this), and the interface on the FGT carries the IP config for the first VLAN.
    All other VLANs are tied to this interface as virtual VLAN interfaces with the correct VID. The uplink on that switch is tagged in all other VLANs. So traffic from another VLAN hits the FGT with the correct VID and hits the VLAN interface, while traffic with no VID or an invalid VID gets retagged to 1 by the switch and hits the physical interface because it matches the IP config.
    Works fine here.
    #15
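    The two configurations discussed in this thread, written out as an added example that is not part of the thread and not taken from Fortinet documentation. It uses FortiOS 6.x CLI syntax as I know it; the interface names port1 and port2, the VLAN IDs 5 and 10, every IP address, the VDOM name root, the address object mgmt-jumphosts and the policy ID 10 are assumptions chosen for illustration. Part A is what post #4 describes and what posts #5 and #8 advise against; part B is the single-trunk design from posts #13 and #15, including the throwaway address on the physical interface that answers the untagged-frame question from post #14.

```text
# Added example, not from the thread or from Fortinet. FortiOS 6.x CLI syntax
# from memory; interface names, VLAN IDs, addresses, object names and the
# policy ID are made up. Check 'show system interface' and 'show firewall
# policy' on your own unit before copying any of this.

# ---- A. Post #4: the same VLAN ID on two physical ports -------------------
# Two sub-interfaces with vlanid 5, on different parent ports, with addresses
# in the same /24. FortiOS rejects the second address unless the per-VDOM
# overlap check is disabled, which is the "evil option" of post #8: the unit
# then has two separate broadcast domains that both claim 192.168.5.0/24, so
# ARP and routing for that subnet are ambiguous between port1 and port2.
config system settings
    set allow-subnet-overlap enable        # do not do this on a production unit
end
config system interface
    edit "mgmt-lan"
        set vdom "root"
        set interface "port1"
        set vlanid 5
        set ip 192.168.5.1 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "mgmt-dmz"
        set vdom "root"
        set interface "port2"
        set vlanid 5
        set ip 192.168.5.2 255.255.255.0   # same subnet, second port
        set allowaccess ping https ssh
    next
end

# ---- B. Posts #13 and #15: one trunk, every network a tagged sub-interface -
# port1 is the only link to the switch. The physical interface carries a
# throwaway /30 for the switch's untagged/native VLAN (vid 1). Untagged frames
# therefore land on port1 itself, which no firewall policy references, so the
# implicit-deny policy 0 drops them; frames tagged with an ID that has no
# sub-interface have nowhere to go at all. Inter-VLAN traffic exists only
# where a policy explicitly allows it.
config system interface
    edit "port1"
        set vdom "root"
        set ip 10.255.255.1 255.255.255.252   # dummy address, nothing lives here
        unset allowaccess                     # no management plane on untagged frames
        set description "trunk to core switch; untagged vid 1 deliberately unused"
    next
    edit "mgmt"
        set vdom "root"
        set interface "port1"
        set vlanid 5
        set ip 192.168.5.1 255.255.255.0
        set allowaccess ping https ssh        # management reachable only from here
    next
    edit "dmz"
        set vdom "root"
        set interface "port1"
        set vlanid 10
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping                  # no HTTPS/SSH to the FGT from the DMZ
    next
end

# Servers with a single data NIC (post #9) hang off a switch access port in
# vid 5 or vid 10; the switch, not the FortiGate, decides which VLAN they are
# in. The only path between the two VLANs is this one policy: there is no
# policy from "dmz" to "mgmt" and none that names "port1" at all.
config firewall address
    edit "mgmt-jumphosts"
        set subnet 192.168.5.0 255.255.255.0
    next
end
config firewall policy
    edit 10
        set name "mgmt-to-dmz-admin"
        set srcintf "mgmt"
        set dstintf "dmz"
        set srcaddr "mgmt-jumphosts"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SSH" "HTTPS"
        set logtraffic all
    next
end
```

    The check that matters after applying part B: from a host on the switch's native VLAN, try to reach 10.255.255.1 or any routed destination and confirm in the traffic log (or 'diagnose sniffer packet port1') that the frames arrive on port1 and are dropped by policy 0 rather than forwarded.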
    Mistic, 2020/10/06 07:42:10
    You could configure the switch on FortiGate so that multiple physical ports share the same "interface", but you would not be able to tag VLANs on these ports.
    #16
    sw2090, 2020/10/12 02:31:14
    The switch ports will share all VLANs that are tied to the switch interface.
    #17