Aggregated, Redundant, VLAN Ports and Port Mapping
Go to System > Network Setting from the Web UI and click the label VLAN and Port Mapping in the upper-right corner to expand the configuration panel. In this panel you create logical network ports and define the port mapping for the physical and logical ports. The VLAN and Port Mapping panel consists of four tables, VLAN and Port Mapping, Redundant LAN Port, Redundant DMZ Port and Aggregated Port, which are described as follows:
VLAN and Port Mapping
As described previously, FortiWAN’s physical network ports can be further programmed as an aggregated port, a redundant port or several VLAN ports, which are collectively called logical ports (see Network interfaces and port mapping). A network port must function as a WAN, LAN or DMZ port and be connected with the corresponding network (a WAN, LAN or DMZ network) so that FortiWAN can work correctly for the connected network. Although each of FortiWAN’s physical ports is mapped to a port type by default, the default mapping can be changed (and logical ports can be created) according to how you deploy your network site. For example, a FortiWAN 200B’s Port 1 could be programmed as a LAN port, Port 2 as a DMZ port, and Port 3 ~ Port 5 as WAN ports, whereas by default Port 1 ~ Port 3 are WAN ports, Port 4 is a LAN port and Port 5 is a DMZ port. VLAN and Port Mapping is the configuration table for defining the port mapping and creating VLAN IDs on the ports. It consists of three elements: Port, VLAN Tag and Mapping.
Port
In the VLAN and Port Mapping table, each of FortiWAN’s physical ports is listed in the Port column (indicated as Port1, Port2, Port3 …, corresponding to the numbers printed on the front panel of the FortiWAN device), so that port mapping can be programmed and VLAN tags can be created on it. Created aggregated ports (a logical port built by aggregating two physical ports, see Aggregated Port below for more details) are also listed here so that mappings and VLAN tags can be defined on them. On a FortiWAN-VM appliance, the ports listed in the Port column are indicated as vNIC2, vNIC3, vNIC4 …; the mapping between ports and vNICs is as below (vNIC 1 is used for the HA port and cannot be changed):
Ports | Port 1 | Port 2 | Port 3 | Port 4 | Port 5 | Port 6 | Port 7 | Port 8 | Port 9 |
vNICs | vNIC 2 | vNIC 3 | vNIC 4 | vNIC 5 | vNIC 6 | vNIC 7 | vNIC 8 | vNIC 9 | vNIC 10 |
Mapping
For the ports listed in the table, there are four options available for mapping them to a function (click the pull-down menus of the Mapping column):
WAN | Specify a physical port or a VLAN port as a WAN port. This option is not available for an aggregated port.
LAN | Specify a physical port, a VLAN port or an aggregated port as a LAN port.
DMZ | Specify a physical port, a VLAN port or an aggregated port as a DMZ port.
None | Specify a port as having no purpose. To aggregate two physical ports, the two ports must be mapped to None first (see Aggregated Port below).
Whether it is a physical port or a logical port (aggregated, redundant or VLAN port), a port must first be programmed as one of the port types (WAN, LAN or DMZ) before other services can use it. A port that is programmed as a WAN, LAN or DMZ port becomes an option in the setting items of the following configurations:
- A port that is programmed as a WAN port will be listed in the pull-down menus:
  - [WAN Port] of WAN Setting for configuring and deploying a WAN subnet to the port (see Configuring your WAN).
  - [WAN Port] of WAN/DMZ Private Subnet for configuring and deploying a private WAN subnet to the port (see WAN/DMZ Private Subnet).
  - [Input Port] of Auto Routing’s IPv4/IPv6 Filters for creating a filter rule that evaluates packets by the port receiving them (see Outbound Load Balancing and Failover).
  - [Input Port] of Bandwidth Management’s IPv4/IPv6 Filters of Outbound BM for creating a filter rule that evaluates packets by the port receiving them (see Bandwidth Management).
- A port that is programmed as a DMZ port will be listed in the pull-down menus:
  - [DMZ Port] of WAN Setting for configuring and deploying a DMZ subnet to the port (see Configuring your WAN).
  - [DMZ Port] of WAN/DMZ Private Subnet for configuring and deploying a private DMZ subnet to the port (see WAN/DMZ Private Subnet).
  - [Input Port] of Auto Routing’s IPv4/IPv6 Filters for creating a filter rule that evaluates packets by the port receiving them (see Outbound Load Balancing and Failover).
  - [Input Port] of Bandwidth Management’s IPv4/IPv6 Filters of Outbound BM for creating a filter rule that evaluates packets by the port receiving them (see Bandwidth Management).
- A port that is programmed as a LAN port will be listed in the pull-down menus:
  - [LAN Port] of LAN Private Subnet for configuring and deploying a LAN subnet to the port (see Configuring your WAN).
  - [Input Port] of Auto Routing’s IPv4/IPv6 Filters for creating a filter rule that evaluates packets by the port receiving them (see Outbound Load Balancing and Failover).
  - [Input Port] of Bandwidth Management’s IPv4/IPv6 Filters of Outbound BM for creating a filter rule that evaluates packets by the port receiving them (see Bandwidth Management).
Changes to port mappings here are reflected immediately in the corresponding pull-down menus. If a port has already been configured and deployed with a network, or associated with a filter rule, changing the port’s mapping breaks those original deployments and settings. Remember to reconfigure the related settings whenever a port mapping is changed.
VLAN Tag
FortiWAN supports IEEE 802.1Q, also known as VLAN tagging (Cisco’s ISL is not supported). A FortiWAN physical port can be mapped to several VLAN ports. In a large-scale network that is segmented into smaller groups of subnets by a VLAN switch, FortiWAN allows data to be exchanged between these subnets. Moreover, the VLAN switch ports can be programmed as DMZ, WAN or LAN ports. Here is an example of introducing a VLAN switch into a network working with FortiWAN:
FortiWAN’s Port 1 is connected with the VLAN switch, and the appropriate VLAN settings have been configured on the VLAN switch. VLAN tagging must now be configured on FortiWAN for the VLAN deployment to work. The steps are:
- In the VLAN and Port Mapping table, click the Add button in the VLAN Tag field of Port 1 to create a new VLAN tag. A VLAN tag input field will then be available in place of the original string “no VLAN Tag”.
- Enter the VLAN tag into the input field to define a VLAN on Port 1.
- This VLAN tag can be edited, deleted, or moved up/down with the buttons beside it.
- Map the VLAN tag to WAN, LAN or DMZ in the Mapping column.
- Define the next VLAN on Port 1 by the same process.
Port | VLAN Tag | Mapping
Port 1 | 101 | WAN
Port 1 | 102 | WAN
Port 1 | 103 | LAN
Port 1 | 104 | DMZ
After the configuration is applied, FortiWAN’s Port 1 will no longer accept untagged packets. Through the VLAN switch, both Port 1.101 and Port 1.102 are connected with a WAN link (Port 1.101 and Port 1.102 will be listed in the WAN Port pull-down menu of WAN Setting), Port 1.103 is connected with the LAN subnet (Port 1.103 will be listed in the LAN Port pull-down menu of the Private LAN Subnet setting) and Port 1.104 is connected with the DMZ subnet (Port 1.104 will be listed in the DMZ Port pull-down menu of DMZ Setting). You can also define VLAN tags on an aggregated port from the table (the aggregated port must be created first before VLAN tags can be defined on it).
Note: This field (VRID) is only available when VRRP mode is enabled in LAN Private Subnet settings. The VRID indicates the virtual router identifier for every VR.
Redundant LAN/DMZ Port
A logical redundant port pairs an active and a standby physical network port: a logical redundant LAN port consists of two physical LAN ports, and a logical redundant DMZ port consists of two physical DMZ ports. Under normal operation the active port passes traffic and the standby port is only a backup. Once the active port goes down (or becomes unavailable), the standby port takes over the active role and starts passing traffic. Why are a redundant LAN port and a redundant DMZ port necessary? Because without redundant ports, even if FortiWAN is working in HA mode, a single point of failure can still exist in the connections between the LAN/DMZ subnets and FortiWAN’s LAN/DMZ ports. Redundant ports increase the reliability of FortiWAN’s LAN and DMZ connectivity. FortiWAN’s redundant port supports the Spanning Tree algorithm and sets the highest value, 0xffff, as its bridge priority, which avoids network failures caused by possible packet loops.
Label | Name of the logical redundant LAN/DMZ port. Only the ASCII characters “0-9 a-z A-Z” are acceptable for a label, and the first character must be non-numeric. After the settings are applied, the specified label, in the format Bridge: label name, becomes one of the port options in the corresponding pull-down menus used for LAN setting (see LAN Private Subnet), DMZ setting (see Configuring your WAN), Auto Routing and Bandwidth Management (FortiWAN’s Auto Routing and Bandwidth Management support managing outbound traffic by the input port on which the traffic was received, see Auto Routing and Bandwidth Management). All these configurations refer to the logical redundant port instead of its member physical ports.
Mapping | There are two menus in the Mapping field for selecting the two member-ports of a LAN/DMZ redundant port. All the physical ports and VLAN tags mapped to LAN/DMZ in the VLAN and Port Mapping table are listed here as options. At least two ports must be mapped to LAN/DMZ in VLAN and Port Mapping before a LAN/DMZ redundant port can be created; otherwise there will be no items to choose from here. Select a LAN/DMZ port from each of the two pull-down menus to add the member-ports to the redundant port. By default, the first configured member-port becomes the active one for the redundant port, while the second one is in hot standby state. Note that the physical member ports that are redundant to each other must be equal in port speed and duplex (see “Port Speed/Duplex Settings”).
Notes before creating a redundant port
Before creating a redundant port, you need to know:
- The two member-ports of a redundant port can be two physical network ports, two VLAN tags, or a pair of one physical port and one VLAN tag.
- Exactly two member-ports must be mapped to LAN or DMZ in the VLAN and Port Mapping table before they can be paired into a logical LAN/DMZ redundant port.
- VLAN tags cannot be defined on a redundant port.
Creating a redundant LAN/DMZ port
To configure a redundant LAN port or redundant DMZ port, perform the following steps:
Step 1 Map two ports (two physical ports, two VLAN ports, or a pair of one physical port and one VLAN port) to LAN or DMZ in the VLAN and Port Mapping table.
Step 2 Create a new redundant port configuration by clicking the Add button on the Redundant LAN Port or Redundant DMZ Port table.
Step 3 Assign the redundant port a name by entering it in the Label field.
Step 4 Select a member-port from each of the two pull-down menus in the Mapping field (the ports mapped to LAN or DMZ in the VLAN and Port Mapping table are listed here as options).
Step 5 Apply the settings by clicking Apply.
Aggregated Port
FortiWAN’s port aggregation is an implementation of IEEE 802.3ad active mode, which bundles two physical ports into a single logical aggregated port to provide the aggregated bandwidth of the two physical links. If a single point of failure occurs on the connection of one of the physical member ports of an aggregated port, traffic is carried on the remaining port channel. The related parameters of IEEE 802.3ad active mode are set as follows:
Parameter | Value | Note
ad_select | stable | as default
all_slave_active | 0 | as default
downdelay | 0 | as default
lacp_rate | slow | as default
max_bonds | 1 | as default
miimon | 100 | as recommended
min_links | 0 | as default
updelay | 0 | as default
use_carrier | 1 | as default
xmit_hash_policy | layer2 | as default
Label | Name of the logical aggregated port. Only the ASCII characters “0-9 a-z A-Z” are acceptable for a label, and the first character must be non-numeric. After a label is entered here, it is listed in the VLAN and Port Mapping table at the same time, so that the logical aggregated port can be mapped to LAN or DMZ or have VLAN tags defined on it. After the settings are applied, the specified label, in the format Bonding: label name, becomes one of the port options in the corresponding pull-down menus used for LAN setting (see LAN Private Subnet), DMZ setting (see Configuring your WAN), Auto Routing and Bandwidth Management (FortiWAN’s Auto Routing and Bandwidth Management support managing outbound traffic by the input port on which the traffic was received, see Auto Routing and Bandwidth Management). All these configurations refer to the logical aggregated port instead of its member physical ports.
Mapping | There are two menus in the Mapping field for selecting the two member-ports of an aggregated port. All the physical ports and VLAN tags mapped to None in the VLAN and Port Mapping table are listed here as options. At least two ports must be mapped to None in VLAN and Port Mapping before an aggregated port can be created; otherwise there will be no items to choose from here. Select a port from each of the two pull-down menus to add the member-ports to the aggregated port. After this, you need to enable the aggregated port by mapping it to LAN/DMZ or defining VLAN tags on it in the VLAN and Port Mapping table; otherwise the aggregated port stays mapped to None by default. Note that the physical member ports that are aggregated must be equal in port speed and duplex (see “Port Speed/Duplex Settings”).
Notes before creating an aggregated port
Before creating an aggregated port, you need to know:
- The two member-ports of an aggregated port can be two physical network ports, two VLAN tags, or a pair of one physical port and one VLAN tag.
- A logical aggregated port requires two purposeless member-ports (both mapped to None in the VLAN and Port Mapping table).
- An aggregated port can only be mapped as a DMZ or LAN port.
- VLAN tags can be defined on an aggregated port.
Creating an aggregated port
To configure an aggregated port, perform the following steps:
Step 1 Disable two ports (two physical ports, two VLAN ports, or a pair of one physical port and one VLAN port) by mapping them to None in the VLAN and Port Mapping table.
Step 2 Create a new port aggregation configuration by clicking the Add button on the Aggregated Port table.
Step 3 Assign the aggregated port a name by entering it in the Label field.
Step 4 Select a member-port from each of the two pull-down menus in the Mapping field (the disabled ports in the VLAN and Port Mapping table are listed here as options).
Step 5 The label of the aggregated port is now listed in the VLAN and Port Mapping table. Map the logical aggregated port to LAN or DMZ by selecting it from the pull-down menu in the Mapping field. You can also define VLAN tags on the aggregated port in the VLAN Tag and Mapping fields.
Step 6 Apply the settings by clicking Apply.
Scenarios
As illustrated in the topology below, FortiWAN Port1 is mapped as a WAN port. Port2 and Port3 are paired into a logical redundant LAN port connected to Switch1, and Port4 and Port5 are paired into a logical aggregated DMZ port connected to Switch2.
Step 1 To configure the settings for the deployment, you need to map Port1, Port2, Port3, Port4 and Port5 to WAN, LAN, LAN, None and None respectively in VLAN and Port Mapping table.
Port | VLAN Tag | Mapping
Port1 | no VLAN Tag | WAN
Port2 | no VLAN Tag | LAN
Port3 | no VLAN Tag | LAN
Port4 | no VLAN Tag | None
Port5 | no VLAN Tag | None
Step 2 Create a new redundant LAN port labeled lan23 and map it to Port2 and Port3 in the Redundant LAN Port table.
Label | Mapping
lan23 | Port 2, Port 3
Step 3 Create a new aggregated port labeled dmz45 and map it to Port4 and Port5 in the Aggregated Port table.
Label | Mapping
dmz45 | Port 4, Port 5
Step 4 Map the created logical aggregated port dmz45 to DMZ in VLAN and Port Mapping table.
Port | VLAN Tag | Mapping |
Port1 | no VLAN Tag | WAN |
Port2 | no VLAN Tag | LAN |
Port3 | no VLAN Tag | LAN |
Port4 | no VLAN Tag | None |
Port5 | no VLAN Tag | None |
dmz45 | no VLAN Tag | DMZ |
After the configurations are applied, labels “Bridge: lan23” and “Bonding: dmz45” will be listed respectively in LAN Port and DMZ Port pull-down menus of LAN and DMZ subnets settings (see LAN Private Subnet and Configuring your WAN) for options. Moreover, the two labels will be also listed in Input Port pull-down menu of Auto Routing and Bandwidth Management (see Auto Routing and Bandwidth Management) for your options.
You can also configure the deployment in a more advanced way: first, if the LAN ports need several VLAN tags defined on them and those tags need to be in redundant pairs; second, if the aggregated port needs to be mapped to one LAN and one DMZ by defining VLAN tags on it. The steps are then as follows:
Step 1 To configure the settings for the deployment, define VLAN tags on Port2 and Port3 and map all of them to LAN in the VLAN and Port Mapping table, leaving Port4 and Port5 mapped to None as before.
Port | VLAN Tag | Mapping
Port1 | no VLAN Tag | WAN
Port2 | 01 | LAN
Port2 | 02 | LAN
Port3 | 01 | LAN
Port3 | 02 | LAN
Port4 | no VLAN Tag | None
Port5 | no VLAN Tag | None
Step 2 Create a new redundant LAN port labeled lan23tag01 and map it to Port2.01 and Port3.01 in the Redundant LAN Port table.
Label | Mapping
lan23tag01 | Port 2.01, Port 3.01
Step 3 Create another new redundant LAN port labeled lan23tag02 and map it to Port2.02 and Port3.02 in the Redundant LAN Port table.
Label | Mapping
lan23tag02 | Port 2.02, Port 3.02
Step 4 Create a new aggregated port labeled agg45 and map it to Port4 and Port5 in the Aggregated Port table.
Label | Mapping
agg45 | Port 4, Port 5
Step 5 In the VLAN and Port Mapping table, map the created logical aggregated port agg45 to a LAN and a DMZ by defining VLAN tags on it.
Port | VLAN Tag | Mapping
Port1 | no VLAN Tag | WAN
Port2 | 01 | LAN
Port2 | 02 | LAN
Port3 | 01 | LAN
Port3 | 02 | LAN
Port4 | no VLAN Tag | None
Port5 | no VLAN Tag | None
agg45 | 01 | LAN
agg45 | 02 | DMZ
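The constraints stated in the VLAN Tag, Redundant LAN/DMZ Port and Aggregated Port sections (redundant members already mapped to LAN or DMZ, aggregated members mapped to None, no WAN mapping on an aggregated port, no VLAN tags on a redundant port, equal speed/duplex, the label syntax) collected into a checker that can be run over a planned set of tables before clicking Apply. This is an added example, not FortiWAN code; the dictionary layout and the speed table are assumptions, and the input is the advanced scenario above transcribed by hand.

```python
import re

LABEL_RE = re.compile(r"^[A-Za-z][0-9A-Za-z]*$")  # "0-9 a-z A-Z", first char non-numeric


def port_type(mapping, member):
    # Mapping of 'Port2' or 'Port2.01' from the VLAN and Port Mapping table;
    # the tag key '' stands for the table's "no VLAN Tag".
    port, _, tag = member.partition(".")
    return mapping[port][tag]


def speed_mismatch(label, members, speed):
    # Member ports of a redundant or aggregated port must be equal in speed/duplex.
    phys = {m.partition(".")[0] for m in members}
    return [f"{label}: member ports differ in speed/duplex"] if len({speed.get(p) for p in phys}) > 1 else []


def validate(mapping, redundant, aggregated, speed):
    """Return the violations found; an empty list means the tables are consistent.
    mapping    {port_or_label: {vlan_tag_or_'': 'WAN'|'LAN'|'DMZ'|'None'}}
    redundant  {label: ('LAN'|'DMZ', member1, member2)}
    aggregated {label: (member1, member2)}
    speed      {physical_port: 'speed/duplex'} (assumed layout for Port Speed/Duplex Settings)
    """
    problems = []
    for label, (kind, *members) in redundant.items():
        if not LABEL_RE.match(label):
            problems.append(f"{label}: invalid label")
        if len(set(members)) != 2:
            problems.append(f"{label}: a redundant port needs exactly two distinct members")
        for m in members:  # members must already be mapped to the redundant port's type
            if port_type(mapping, m) != kind:
                problems.append(f"{label}: member {m} is not mapped to {kind}")
        if any(mapping.get(label, {})):  # a non-empty tag key means a VLAN tag on the bridge
            problems.append(f"{label}: VLAN tags are not allowed on a redundant port")
        problems += speed_mismatch(label, members, speed)
    for label, members in aggregated.items():
        if not LABEL_RE.match(label):
            problems.append(f"{label}: invalid label")
        for m in members:  # members must be mapped to None (purposeless) first
            if port_type(mapping, m) != "None":
                problems.append(f"{label}: member {m} is not mapped to None")
        for tag, kind in mapping.get(label, {}).items():  # WAN is not available for a bond
            if kind == "WAN":
                problems.append(f"{label}: VLAN tag {tag or 'untagged'} cannot be mapped to WAN")
        problems += speed_mismatch(label, members, speed)
    return problems


# The page's advanced scenario transcribed as constructed input (speeds constructed too).
ADVANCED = {
    "mapping": {"Port1": {"": "WAN"}, "Port2": {"01": "LAN", "02": "LAN"},
                "Port3": {"01": "LAN", "02": "LAN"}, "Port4": {"": "None"},
                "Port5": {"": "None"}, "agg45": {"01": "LAN", "02": "DMZ"}},
    "redundant": {"lan23tag01": ("LAN", "Port2.01", "Port3.01"),
                  "lan23tag02": ("LAN", "Port2.02", "Port3.02")},
    "aggregated": {"agg45": ("Port4", "Port5")},
    "speed": {f"Port{i}": "1000/full" for i in range(1, 6)},
}
```

`validate(**ADVANCED)` returns an empty list for the scenario as written; mapping tag 01 of agg45 to WAN, or giving Port5 a different speed, is reported before anything is applied.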
Hi Mike,
I have a Fortinet 500e connected to (2) Cisco 3780 using the SFP+ ports in Redundant interface setup. Is there a way I can use another 1gig port interface for Fortiswitch S448 but utilize the same VLANs that hang off of that interface connected Cisco? Or do I have to create new VLANs for FortiSwitch? I know I can pass the same VLANs if not using FortiGate Firewall for management, rather using switch management and connecting it directly to Cisco 3780 switch via SFP+ port, sort of daisy chaining off Cisco to hang the same VLANs on Fortiswitch. But is there another way….
You can have multiple of the same VLAN on a FortiGate (multiple VLAN 20s etc) they just can’t live on the same interface. Bridging the traffic is where things would get hairy. Probably requiring a software switch or hardware switch of some sort to make the layer 2 connection. Interesting question. I will spin it up in my lab and see what I can do.