I am using a Dell PowerConnect 6248 (layer 3, 48-port gigabit switch) and a Fortigate 310. I am attempting to use the switch in layer two mode and assign a VLAN to each port where a server is attached, and a "trunk" line directly connected to the Fortinet. On the Fortinet, I have virtual interfaces designed to match the VLANs for each port. The goal here is to require any communications from server to server to be evaluated by policies defined for the virtual interfaces that correspond to the VLANs for the servers attempting to communicate.
So essentially, server A wants to talk to server B. Server A is in port 2 (defined as VLAN 2) and server B is in port 3 (defined as VLAN 3). The firewall is attached to switch port 1, and has virtual interface A (defined as VLAN 2) and virtual interface B (defined as VLAN 3). I have a policy that allows virtual interface A to communicate with virtual interface B. All of the server A packets should flow up to the firewall and be passed back to the switch with a new VLAN tag to go to server B.
My question is, should port 1 on the switch be defined as a "TRUNK" and, if so, what is the method for doing so (docs are weak)? Is there anything else I need to consider here?
THANKS!
I have a couple of 6224 switches, which should be similar.
I presume by "virtual interface" the firewall is tagging VLANs with 802.1Q, with no untagged virtual interfaces, right? I also assume that you are using the firewall as the router between VLANs?
I couldn't get "Trunk" mode to work on these switches. I had to put the switch port into "General" mode. This lets you attach any VLAN, tagged or untagged, to a port, which means you have to be careful about how VLANs are attached to the port. It will let you cross-connect VLANs in this configuration.
Also be careful about the "default" VLAN on tagged/general ports. Ideally it should be a VLAN which is never used anywhere else. I usually prefer to use VLAN 1 for that, as I have hit gear in the past which depended on it in weird ways.
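An added configuration example (not from either poster) of the layout described in this thread: the firewall-facing port in General mode carrying only tagged VLAN 2 and 3, the server ports as plain access ports so a server cannot tag its own frames and hop VLANs, and the matching FortiGate VLAN sub-interfaces and policy. Port numbers, addresses, VLAN names and the exact CLI keywords are assumptions from the PowerConnect 62xx and FortiOS CLIs and should be checked against your firmware's reference guide.

```text
! ---- Dell PowerConnect 62xx (assumed CLI syntax) ----
configure
vlan database
 vlan 2,3
exit
! Port 1: uplink to the FortiGate. General mode, tagged VLANs only.
interface ethernet 1/g1
 switchport mode general
 switchport general pvid 1
 switchport general allowed vlan add 2,3 tagged
 ! Drop untagged frames so nothing can land in the PVID by accident
 switchport general acceptable-frame-type tagged-only
exit
! Port 2: server A, untagged in VLAN 2 only
interface ethernet 1/g2
 switchport mode access
 switchport access vlan 2
exit
! Port 3: server B, untagged in VLAN 3 only
interface ethernet 1/g3
 switchport mode access
 switchport access vlan 3
exit

# ---- FortiGate (assumed FortiOS CLI syntax; physical port "port1") ----
config system interface
    edit "vlan2"
        set vdom "root"
        set interface "port1"
        set vlanid 2
        set ip 10.0.2.1 255.255.255.0
    next
    edit "vlan3"
        set vdom "root"
        set interface "port1"
        set vlanid 3
        set ip 10.0.3.1 255.255.255.0
    next
end
# Only this policy lets VLAN 2 reach VLAN 3; there is no reverse policy,
# so server B cannot initiate sessions to server A.
config firewall policy
    edit 1
        set srcintf "vlan2"
        set dstintf "vlan3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Each server's default gateway is its VLAN sub-interface address on the FortiGate, so every cross-VLAN packet is tagged up port 1, evaluated by the policy, and re-tagged back down.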