Quantcast
Channel: Fortinet GURU
Viewing all articles
Browse latest Browse all 2380

FortiWAN Aggregated, Redundant, VLAN Ports and Port Mapping

$
0
0

Aggregated, Redundant, VLAN Ports and Port Mapping

Go to System > Network Setting from the Web UI, click the label VLAN and Port Mapping in the upper-right corner to expand the configuration panel. This is a configuration that you can create logical network ports and define the port mapping to the physical and logical ports. The VLAN and Port Mapping panel consists of four tables, VLAN and Port Mapping, Redundant LAN Port, Redundant DMZ Port and Aggregated Port, which are described as followings:

VLAN and Port Mapping

As the previous description, FortiWAN’s physical network ports can be further programed as an aggregated port, a redundant port or several VLAN ports, which are generally called logical ports (see Network interfaces and port mapping). A network ports must function as a WAN, LAN or DMZ port and be connected with a corresponding network (a WAN, LAN or DMZ network), so that the FortiWAN can work correctly for the connected network. Although each of FortiWAN’s physical ports is mapped to a port type by default, the default mapping can be changed (even logical ports can be created) according to how you deploy your network site. For example, a FortiWAN 200B’s Port 1 could be programed as a LAN port, Port 2 could be programed as a DMZ port, and Port 3 ~ Port 5 could be programed as WAN ports, while Port 1 ~ Port 3 are WAN ports, Port 4 is a LAN port and Port 5 is a DMZ port by default. VLAN and Port Mapping is the configuration table for defining the port mapping and creating VLAN IDs on the ports. It consists of three elements; Port, VLAN Tag and Mapping:

Port

In the VLAN and Port Mapping table, each of the FortiWAN’s physical ports is listed in the Port column (indicated as Port1, Port2, Port3 …, corresponding to the numbers presented on the front panel of the FortiWAN device), so that port mapping can be programed and VLAN tags can be created on it. Moreover, the created aggregated ports (an logical port that is created by aggregating two physical ports, see Aggregated Port below for

 

more details) will also be listed here for defining mappings and VLAN tags to them. As for a FortiWAN-VM appliance, the ports listed in Port column are indicated as vNIC2, vNIC3, vNIC4 …, mapping of the ports and the vNICs is as bellow (vNIC 1 is used for HA port and can not be changed):

Ports Port 1 Port 2 Port 3 Port 4 Port 5 Port 6 Port 7 Port 8 Port 9
vNICs vNIC 2 vNIC 3 vNIC 4 vNIC 5 vNIC 6 vNIC 7 vNIC 8 vNIC 9 vNIC 10

Mapping

For the ports listed in the table, there are four options available for mapping them to a function (click the pulldown menus of Mapping column):

WAN   Specify a physical port or a VLAN port as a WAN port. This option is not available for an aggregated port.
LAN   Specify a physical port, a VLAN port or an aggregated port as a LAN port.
DNZ   Specify a physical port, a VLAN port or an aggregated port as a DMZ port.
None   Specify any port for non-purpose. To aggregate two physical ports, it requires to map the two ports to None first (see Aggregated Port below).

Whether a physical port or a logical port (aggregated, redundant or VLAN port) is, it must be programed as one of the port types (WAN, LAN and DMZ) first to be used by other services. A port that is programmed as a WAN, LAN or DMZ port will become an option to setting items of some configurations:

  • Port that is programed as a WAN port will be listed in the pull-down menus:
  • [WAN Port] of WAN Setting for configuring and deploying a WAN subnet to the ports (see Configuring your WAN).
  • [WAN Port] of WAN/DMZ Private Subnet for configuring and deploying a private WAN subnet to the ports (see WAN/DMZ Private Subnet).
  • [Input Port] of Auto Routing‘s IPv4/IPv6 Filters for creating a filter rule to evaluate packets by the port receiving the packets (see Outbound Load Balancing and Failover).
  • [Input Port] of Bandwidth Management‘s IPv4/IPv6 Filters of Outbound BM for creating a filter rule to evaluate packets by the port receiving the packets (see Bandwidth Management). l Port that is programed as a DMZ port will be listed in the pull-down menus:
  • [DMZ Port] of WAN Setting for configuring and deploying a DMZ subnet to the ports (see Configuring your WAN). l [DMZ Port] of WAN/DMZ Private Subnet for configuring and deploying a private DMZ subnet to the ports (see WAN/DMZ Private Subnet). l [Input Port] of Auto Routing‘s IPv4/IPv6 Filters for creating a filter rule to evaluate packets by the port receiving the packets (see Outbound Load Balancing and Failover).
  • [Input Port] of Bandwidth Management‘s IPv4/IPv6 Filters of Outbound BM for creating a filter rule to evaluate packets by the port receiving the packets (see Bandwidth Management).
  • Port that is programed as a LAN port will be listed in the pull-down menus:
  • [LAN Port] of LAN Private Subnet for configuring and deploying a LAN subnet to the ports (see Configuring your WAN). l [Input Port] of Auto Routing‘s IPv4/IPv6 Filters for creating a filter rule to evaluate packets by the port receiving the packets (see Outbound Load Balancing and Failover).
  • [Input Port] of Bandwidth Management‘s IPv4/IPv6 Filters of Outbound BM for creating a filter rule to evaluate packets by the port receiving the packets (see Bandwidth Management).

Changes to port mappings here will be updated immediately to the corresponding pull-down menus. If a port has been configured and deployed with a network, or been associated with a filter rule, a change to mapping of the port will fail the original deployments and settings. Please remember to reconfigure relative settings if a port mapping is changed.

VLAN Tag

FortiWAN supports IEEE 802.1Q, which is also known as VLAN Tagging (Cisco’s ISL is not supported). A FortiWAN’s physical port can be mapped to several VLAN ports. In a large-scale network that is segmented into smaller groups of subnets by a VLAN switch, FortiWAN allows data being exchanged between these subnets. Moreover, the VLAN switch ports can be programmed as DMZ, WAN or LAN ports. To introduce a VLAN Switch into the network working with FortiWAN, here is a example:

FortiWAN’s Port 1 is connected with the VLAN switch, and appropriate VLAN settings have been configured on the VLAN switch. Now, it requires to have VLAN tagging configured on FortiWAN to get the VLAN deployment workable. The steps are:

  1. In the VLAN and Port Mapping table, click the Add button in the VLAN Tag field of Port 1 to create a new VLAN tag. A VLAN tag input will then available to replace the original string “no VLAN Tag”.
  2. Enter the VLAN tag into the input field to define a VLAN to Port1.
  3. This VLAN tage can be edited, deleted, moved up/down by buttons aside it.
  4. Map the VLAN tag to WAN, LAN or DMZ in Mapping column.
  5. Define the next VLAN to Port1 by the same processes.
Port VLAN Tag Mapping
Port 1 101 WAN
102 WAN
103 LAN
104 DMZ

After the configuration is applied, FortiWAN’s port 1 will no longer accept untagged VLAN packets. Through the VLAN switch, both Port 1.101 and port 1.102 are connected with a WAN link (Port 1.101 and Port 1.102 will be listed in the WAN Port pull-down menu for WAN Setting), while port 1.103 is connected the LAN subnet (Port 1.103 will be listed in the LAN Port pull-down menu for Private LAN Subnet setting) and port

1.104 is connected with the DMZ subnet (Port 1.104 will be listed in the DMZ Port pull-down menu for DMZ Setting). You can also define VLAN tags to an aggregated port from the table (it requires to create an aggregated port first for defining VLAN tags to it).

Note: This field (VRID) is only available when VRRP mode is enabled in LAN Private Subnet settings. The VRID indicates the virtual router identifier for every VR.

Redundant LAN/DMZ Port

A logical redundant port pairs an active and a standby physical network port. It means a logical redundant LAN port consists of two physical LAN ports, and a logical redundant DMZ port consists of two physical DMZ port. Under normal usage, the active port passes traffic and the standby port is just backup. Once the active port goes down (or unavailable), the standby port takes over the active role and starts passing traffic. Why a redundant LAN port and a redundant DMZ port are necessary? Because without the redundant ports, even if FortiWAN is working in HA mode, single point failure can still occur over connectivities between LAN/DMZ subnets and FortiWAN’s LAN/DMZ ports. Redundant ports increase the reliability of connectivity of FortiWAN’s LAN and DMZ. FortiWAN’s redundant port supports the Spanning Tree algorithm and sets the highest 0xffff as bridge priority. The configurations thus manage to avoid network failure caused by the possible packet looping.

Label Name of the logical redundant LAN/DMZ port. Only the ASCII characters “09 a-z A-Z” are acceptable for a label and the first character must be nonnumeric. After applying the settings, the specified label, in the format Bridge: label name, will become one of the port options in corresponding pull-down menus used for configurations of LAN setting (see LAN Private

Subnet), DMZ setting (see Configuring your WAN), Auto Routing and

Bandwidth Management (FortiWAN’s Auto Routing and Bandwidth Management support managing outbound traffic by input ports where the traffic received on, see Auto Routing and Bandwidth Management). All the configurations refer to the logical redundant port instead of its member physical ports.

Mapping There are two menus in the Mapping field for selecting the two memberports under a LAN/DMZ redundant port. All the physical ports and VLAN tags mapped to LAN/DMZ in the VLAN and Port Mapping table are listed here for options. It requires at least two are mapped to LAN/DMZ in VLAN and Port Mapping first for creating a LAN/DMZ redundant port, or there will be no items here for options.

Select a LAN/DMZ port from each of the two pull-down menus to add the member-ports to the redundant port. By default, the first configured member-port becomes the active one for the redundant port, while the second one is in hot standby state.

Note that the physical member ports that are redundant to each other must be equal in port speed and duplex (See “Port Speed/Duplex Settings”).

Notices to create a redundant port

Before creating a redundant port, you need to know:

  • The two member-ports of a redundant port can be two physical network ports, two VLAN tages, or a pair of one physical port and a VLAN tag.
  • It requires to exactly map two member-ports to LAN or DMZ in VLAN and Port Mapping table before pairing the two ports to a logical LAN/DMZ redundant port. l VLAN tags can not be defined to an redundant port.

Creating an redundant LAN/DMZ port

To configure an redundant LAN port or redundant DMZ port, perform the following steps:

Step 1 Map two ports (two physical port, two VLAN ports, or a pair of one physical port and one VLAN port) to LAN or DMZ in VLAN and Port Mapping table.

Step 2 Create a new redundant port configuration by clicking the add button on Redundant LAN Port or Redundant DMZ Port table.

Step 3 Assign the redundant port a name by entering it in Label filed.

Step 4 Select a member-port from each of the two pull-down menus in Mapping field (the ports mapped to LAN or DMZ in VLAN and Port Mapping table are listed here for options).

Step 5 Apply the settings by clicking Apply.

Aggregated Port

FortiWAM’s port aggregation is implementation of IEEE 802.3ad active mode, which bundles two physical ports into a single logical aggregated port to provide the aggregated bandwidth of the two physical links. If single point failure occurs on connectivity of one of the physical member ports under an aggregated port, traffic will be carried within the remaining port channel. The related parameters of IEEE 802.3ad active mode are sat as follows:

 

Parameter Value Note  
ad_select stable as default  
all_slave_active 0 as default  
downdelay 0 as default  
lacp_rate slow as default  
max_bonds 1 as default  
miimon 100 as recommended  
min_links 0 as default  
updelay 0 as default  
use_carrier 1 as default  
xmit_hash_policy layer2 as default  
Label Name of the logical aggregated port. Only the ASCII characters “0-9 a-z A-Z” are acceptable for a label and the first character must be non-numeric. After entering a label here, this label will be listed in VLAN and Port Mapping table at the same time so that the logical aggregated port can be mapped to LAN or DMZ, or have VLAN tags defined on it. After applying the settings, the specified label will become one of the port options in corresponding pulldown menus, in the format Bonding: label name, used for configurations of LAN setting (see LAN Private Subnet), DMZ setting (see Configuring your WAN), Auto Routing and Bandwidth Management (FortiWAN’s Auto Routing and Bandwidth Management support managing outbound traffic by input ports where the traffic received on, see Auto Routing and Bandwidth Management). All the configurations refer to the logical aggregated port instead of its member physical ports.
Mapping There are two menus in the Mapping field for selecting the two memberports under a aggregated port. All the physical ports and VLAN tags mapped to None in the VLAN and Port Mapping table are listed here for options. It requires at least two are mapped to None in VLAN and Port Mapping first for creating an aggregated port, or there will be no items here for options.

Select a port from each of the two pull-down menus to add the member-ports to the aggregated port. After this, you need to enable the aggregated port by mapping it to LAN/DMZ or defining VLAN tags on it from VLAN and Port Mapping table, or the aggregated port is mapped to None by default.

Note that the physical member ports that are aggregated must be equal in port speed and duplex (See “Port Speed/Duplex Settings”).

Notices to create a redundant port

Before creating a redundant port, you need to know:

  • The two member-ports of an aggregated port can be two physical network ports, two VLAN tages, or a pair of one physical port and a VLAN tag.
  • A logical aggregated port requires two purposeless member-ports (both are mapped to None in VLAN and Port Mapping table).
  • An aggregated port can only be mapped to a DMZ or LAN port. l VLAN tags can be defined to an aggregated port.

Creating an aggregated port

To configure an aggregated port, perform the following steps:

Step 1 Disable two ports (two physical port, two VLAN ports, or a pair of one physical port and one VLAN port) by mapping them to None in VLAN and Port Mapping table.

Step 2 Create a new port aggregation configuration by clicking the add button on Aggregated Port table.

Step 3 Assign the aggregated port a name by entering it in Label filed.

Step 4 Select a member-port from each of the two pull-down menus in Mapping field (the disabled ports in VLAN and Port Mapping table are listed here for options).

Step 5 The label name of the aggregated port will be listed in VLAN and Port Mapping table. Map the logical aggregated port to LAN or DMZ by selecting it from the pull-down menu in Mapping field. You can also define VLAN tags to the aggregated port in VLAN Tag field and Mapping field.

Step 6 Apply the settings by clicking Apply.

Scenarios

As illustrated in the topology below, FortiWAN port1 are mapped to WAN port. Port2 and port3 are paired to a logical redundant LAN port which is connected to Switch1, port4 and port5 are paired to a logical aggregated DMZ port which is connected to Switch2.

Step 1 To configure the settings for the deployment, you need to map Port1, Port2, Port3, Port4 and Port5 to WAN, LAN, LAN, None and None respectively in VLAN and Port Mapping table.

Port   VLAN Tag Mapping
Port1   no VLAN Tag WAN
Port2   no VLAN Tag LAN
Port3   no VLAN Tag LAN
Port4   no VLAN Tag None
Port VLAN Tag Mapping
Port5 no VLAN Tag None

Step 2 Create a new redundant LAN port labeled lan23 and mapped it to Port2 and Port3 in Redundant LAN Port table.

Label Mapping
lan23 Port 2
Port 3

Step 3 Create a new aggregated port labeled dmz45 and mapped it to Port4 and Port5 in Aggregated Port table.

Label Mapping
dmz45 Port 4
Port 5

Step 4 Map the created logical aggregated port dmz45 to DMZ in VLAN and Port Mapping table.

Port VLAN Tag Mapping
Port1 no VLAN Tag WAN
Port2 no VLAN Tag LAN
Port3 no VLAN Tag LAN
Port4 no VLAN Tag None
Port5 no VLAN Tag None
dmz45 no VLAN Tag DMZ

After the configurations are applied, labels “Bridge: lan23” and “Bonding: dmz45” will be listed respectively in LAN Port and DMZ Port pull-down menus of LAN and DMZ subnets settings (see LAN Private Subnet and Configuring your WAN) for options. Moreover, the two labels will be also listed in Input Port pull-down menu of Auto Routing and Bandwidth Management (see Auto Routing and Bandwidth Management) for your options.

You can also have the deployment configured in an advanced way. First, if you need the LAN ports being defined with several VLAN tags and also having them in redundant pairs; second, if you need the aggregated port being mapped to one LAN and one DMZ by defining it with VLAN tags, the configurations will be the following steps:

Step 1 To configure the settings for the deployment, you need to define Port2 and Port3 with VLAN tags and map all of them to LAN in VLAN and Port Mapping table. Leaving Port4 and Port5 being mapped to None as previous.

Port VLAN Tag Mapping
Port1 no VLAN Tag WAN
Port2

Port3

01 LAN
02 LAN
01 LAN
02 LAN
Port4 no VLAN Tag None
Port5 no VLAN Tag None

Step 2 Create a new redundant LAN port labeled lan23tag01 and mapped it to Port2.01 and Port3.01 in Redundant LAN Port table.

Label Mapping
lan23tag01 Port 2.01
Port 3.01

Step 3 Create another new redundant LAN port labeled lan23tag02 and mapped it to Port2.02 and Port3.02 in Redundant LAN Port table.

Label Mapping
lan23tag02 Port 2.02
Port 3.02

Step 4 Create a new aggregated port labeled agg45 and mapped it to Port4 and Port5 in Aggregated Port table.

Label Mapping
agg45 Port 4
Port 5

Step 5 In VLAN and Port Mapping table, map the created logical aggregated port agg45 to a LAN and a DMZ by defining it with VLAN tags.

Port VLAN Tag Mapping
Port1 no VLAN Tag WAN
Port2

Port3

01 LAN
02 LAN
01 LAN
02 LAN
Port4 no VLAN Tag None
Port5 no VLAN Tag None
agg45 01 LAN
02 DMZ

 


Viewing all articles
Browse latest Browse all 2380

Trending Articles



<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>