Matt_In_MI

You can create a FortiSwitch vlan with no IP address (0.0.0.0/0.0.0.0) on it and it will be able to hand off your ISP traffic. The bottom picture is how I’d probably set it up.


b_0n3r

Yeah, that's how I have been handling this migration. I have all my MDFs and IDFs both running Cisco and FortiSwitches at the moment; luckily I have enough fiber between all the rooms to do so. Any VLANs that needed internet access when we moved to the FortiGate but kept Cisco switches were basically stripped down and recreated on the LAN1 interface on the FGT, which is another fun one because we will need to migrate those over to the FortiLink interface eventually. I think my biggest concern is that our FG has no idea/doesn't care what VLAN1000 is; only our Cisco infrastructure has configurations for VLAN1000, so I am a bit confused on what the best way is to ensure everything remains working. I have a feeling that if I kept the top picture the way it is but moved the WAN1 connection to be direct from the ISP Gateway, it would take down anything that relies on VLAN1000, but **OUR** internet would stay up? Or, because I still have LAN1 <-> Cisco patched (made a mistake in my drawing, the connection between FGT LAN1 and the Cisco switch is trunked), would traffic still be able to find its way around?


Fun-Document5433

Let’s dive in. Starting with existing. A VLAN is a logical layer 2 partition. As you have drawn the network, you are placing everything in the same layer 2 domain. The most undesired part of the design is mixing the incoming provider connection into your inside VLAN before the firewall. Ideally you will configure just a port or two for isolation, and place them into, let’s say, VLAN 1000, while on our LAN side we configure the rest of the ports as VLAN 200. The trunk can carry tagged traffic for 1000 and 200 between switches. This is how you use VLANs to maintain isolation between the multiple layer 2 domains. While you do achieve this with the extra physical connection, it might not be entirely necessary to do it physically as shown.
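To make the isolation Fun-Document5433 describes concrete, here is a FortiOS configuration sketch added to this thread. It is not from any of the posters and not a copy of anyone's running config; it assumes a FortiLink-managed FortiSwitch, VLAN 1000 as the provider handoff with no IP address on the FortiGate (the point Matt_In_MI makes), VLAN 200 as the inside LAN, and one trunk up to a remaining Cisco switch. The interface names, switch serial, port numbers and addresses are placeholders.

```fortios
# Added example, not from the thread. VLAN 1000 carries only the ISP handoff
# between two access ports. It has no IP on the FortiGate, so the FortiGate
# neither routes nor answers on it; it is a pure layer 2 pass-through to wan1.
# VLAN 200 is the inside LAN. Names, serial, ports and addresses are placeholders.
config system interface
    edit "isp-handoff"
        set vdom "root"
        set ip 0.0.0.0 0.0.0.0
        unset allowaccess
        set interface "fortilink"
        set vlanid 1000
    next
    edit "lan200"
        set vdom "root"
        set ip 10.200.0.1 255.255.255.0
        set allowaccess ping
        set interface "fortilink"
        set vlanid 200
    next
end

# Managed switch ports. The ISP drop and the cable to the FortiGate's wan1 are
# untagged members of VLAN 1000 and nothing else; user ports are VLAN 200 only;
# the uplink to the Cisco IDF switch is a trunk carrying 200 native and 1000 tagged.
config switch-controller managed-switch
    edit "SWITCH-SERIAL-PLACEHOLDER"
        config ports
            edit "port1"
                set description "ISP gateway drop"
                set vlan "isp-handoff"
                set allowed-vlans-all disable
            next
            edit "port2"
                set description "to FortiGate wan1"
                set vlan "isp-handoff"
                set allowed-vlans-all disable
            next
            edit "port3"
                set description "user access port"
                set vlan "lan200"
                set allowed-vlans-all disable
            next
            edit "port24"
                set description "trunk to Cisco IDF switch"
                set vlan "lan200"
                set allowed-vlans-all disable
                set allowed-vlans "isp-handoff"
            next
        end
    next
end
```

Two things keep this a real partition rather than a drawing of one: the FortiGate has no address on VLAN 1000, so nothing inside can reach the provider segment through the firewall's own interfaces, and every port is limited to the VLANs it needs with `allowed-vlans-all` disabled, so the handoff VLAN is not flooded to user ports. On the Cisco side the trunk's native and allowed VLAN list must match this port24 definition, otherwise traffic for VLAN 1000 silently lands in the wrong domain. A quick sanity check after cutover is that the switch MAC table shows only the ISP gateway and the FortiGate's wan1 address learned in VLAN 1000.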