FortiGate 100D/140D/200D/240D, FortiGate 600C/800C/1000C
The above models have numerous local switch ports, which makes this easy: you can create multiple vlans and group ports within each vlan.
In this example, we will create 3 named vlans, assign our ports to them, and place a virtual-switch interface in each defined vlan. The latter gives us our layer-3 routing gateway for the vlan.
1st, let's enable admin on the managed switch (a FortiSwitch, selected by its serial number):
config switch-controller managed-switch
    edit FS324P3W11000634
        set fsw-wan1-admin enable
end
2nd, define the named vlans (here are our 3 named vlans: main/DATA/PHONES);
3rd, define the port-to-vlan mapping;
And lastly, we place a layer-3 SVI interface into each vlan.
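Here is what those three steps look like end to end on a FortiGate with an integrated switch fabric (100D-class), as an added example and not the post's own configuration. The virtual-switch names follow the post (main/DATA/PHONES); the VLAN IDs, port numbers (port5 through port10), IP addressing, the policy name and the choice of the predefined SIP service are assumptions, and "sw0" is the default physical-switch name on these models.

```text
# 2nd: named vlans as virtual-switches on the integrated switch fabric.
# A port can belong to only one virtual-switch, so the ports are first
# released from the factory "internal" switch (assumed port names).
config system virtual-switch
    edit "internal"
        config port
            delete "port5"
            delete "port6"
            delete "port7"
            delete "port8"
            delete "port9"
            delete "port10"
        end
    next
    edit "main"
        set physical-switch "sw0"
        set vlan 10                 # assumed VLAN ID
        config port                 # 3rd: port-to-vlan mapping
            edit "port5"
            next
            edit "port6"
            next
        end
    next
    edit "DATA"
        set physical-switch "sw0"
        set vlan 20
        config port
            edit "port7"
            next
            edit "port8"
            next
        end
    next
    edit "PHONES"
        set physical-switch "sw0"
        set vlan 30
        config port
            edit "port9"
            next
            edit "port10"
            next
        end
    next
end

# Lastly: the layer-3 SVI for each vlan. FortiOS creates the interface
# under the virtual-switch name; we only add addressing and admin access.
config system interface
    edit "main"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "DATA"
        set ip 10.10.20.1 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "PHONES"
        set ip 10.10.30.1 255.255.255.0
        set allowaccess ping
    next
end

# Inter-vlan traffic is routed between the SVIs and only flows with a
# firewall policy; without one, DATA hosts cannot reach PHONES at all.
config firewall policy
    edit 0
        set name "DATA-to-PHONES-sip"
        set srcintf "DATA"
        set dstintf "PHONES"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SIP"
    next
end

# Verify the port mapping, then watch one vlan's traffic with the sniffer.
show system virtual-switch
diagnose sniffer packet DATA 'arp' 4 10
```

Two practical checks before pasting this in: a port that is still referenced by a firewall policy, DHCP server or zone cannot be deleted from the "internal" switch until that reference is removed, and the policy above is deliberately one-directional and service-limited, so add a matching PHONES-to-DATA policy only for what the phones actually need to initiate.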
This is very similar to some Cisco ASA, Juniper SRX and Palo Alto setups. The layer-3 interfaces can now be used by everything: the packet sniffer, assigned DHCP servers, VPN end-points, and the firewall policies applied to them.
The ports on the PoE models can be used for phones, but keep track of the total wattage the instruments draw against the switch's PoE budget.
Key Points
- ports in the same vlan can communicate freely; there is no layer-2 security-zone concept like the one available on Palo Alto
- traffic between vlans needs an L3 SVI and firewall policies
- a vlan bounds the broadcast domain (each switched port is its own collision domain)
- only a limited set of FortiGate models support this virtual-switch vlan feature
Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( * * )=
o
/ \