Description
This article applies for the FortiGate deployed in the transparent operating mode.
Solution
Here are some points to consider for transparent mode FortiGate deployment to prevent layer2 mess-ups.
- Do not connect two ports to the same VLAN on a switch or to the same hub. Some Layer 2 switches become unstable when they detect the same MAC address originating on more than one switch interface or from more than one VLAN.
- If multiple VLANs are operated on the FortiGate , assign each VLAN ID to its own forwarding domain to ensure that the scope of the broadcast does not extend beyond the VLAN it originated in.
To protect against Layer 2 loops.
- Enable stpforward on all interfaces.
- Use separate VDOMs for production traffic (TP mode VDOM) and management traffic (NAT mode VDOM).
- Only place those interfaces used for production in the TP mode VDOM. Place all other interfaces in the NAT mode VDOM. This protects against potential Layer 2 loops.
