October 4th, 2025 18:50
FortiGate 100F Aggregation - Dell S4112F (VLT)
Hello everyone,
I’m planning to replace my current Vigor 3220 router with a FortiGate 100F as the main firewall and router for my network.
Current Network Topology
Core Switches: 2 × Dell S4112F (OS10), N160-N161 configured as a VLT pair.
Access: Dell N1148T Switches N162-N165 connected via trunk ports to Core Switch.
Old Router: Vigor 3220 (172.16.16.221) connected via 1 Gbit link to Dell N1148T-N162 switch port 52.
VLANs: 1 (Mgmt), 110 (Servers), 120 (Users), 140 (WiFi), 510 (Staging Server), 520 (Staging Users).
FortiGate 100F (test LAN 172.16.16.222): connected to Dell N1148T-N162 on port 51 (trunk)
Currently, all inter-VLAN communication happens at the Core Switch level (the Dell S4112F pair). Each VLAN has its own SVI and VRRP configuration on the cores.
Fortigate Test Network
At the moment, I created two testing VLANs (510, 520) and added static routes on the core switches so that those VLANs go through the FortiGate:
ip route 0.0.0.0/0 172.16.16.221
ip route 10.51.10.0/24 172.16.16.222
ip route 10.51.20.0/24 172.16.16.222
All test VLAN sub-interfaces (VLAN 510, 520, etc.) work fine.
Correct Topology
Now, I’m considering moving the FortiGate connection directly to the core layer using 10 Gbps uplinks (FortiGate x1, x2) to the two Dell S4112F core switches (N160,N161), which operate as a VLT pair.
Planned connections:
x1 → Dell S4112F #1 (N160) port 1/1/12
x2 → Dell S4112F #2 (N161) port 1/1/12
My Questions
- Can VLAN sub-interfaces work properly under a FortiGate aggregate interface (LACP x1+x2)?
- Should I assign an IP to the aggregate interface, or only to the VLAN sub-interfaces?
- What is the recommended configuration on the Dell OS10 switches for this setup (LACP + VLT)?
- If I move my current VLANs from interface “LAN” to the new aggregate, will they continue to work with the same IPs and DHCP relays?
- The Dell switch ports are currently configured in a port-channel (VLT). Should I delete and recreate the port-channel, or can I reuse it as it is?
Any advice or best practice for connecting a FortiGate 100F via LACP to a Dell VLT pair would be appreciated.
Note:
I also have the full configuration files for my current setup — FortiGate, Dell S4112F core switches, and access switch — available if needed for review.
Thank you in advance for your help!
Dell S4112F Configuration
!
interface vlan510
 vlan-name Staging_Servers_Vlan
 description ***_Staging_Server_***
 no shutdown
 ip address 10.51.10.3/24
 no ip dhcp snooping
 ip helper-address 10.51.10.11
 !
 vrrp-group 7
  priority 150
  virtual-address 10.51.10.1
!
!
interface port-channel1
 description ***_THQ-N07-162_local_member_Eth1/1/1_***
 no shutdown
 switchport mode trunk
 switchport access vlan 1
 switchport trunk allowed vlan 110,116,120,140,150,160,180,510,520
 vlt-port-channel 1
!
!
interface ethernet1/1/1
 description ***_HQ-N07-162__Po1_member_***
 no shutdown
 channel-group 1
 no switchport
 flowcontrol receive off
!
!
ip route 0.0.0.0/0 172.16.16.221
ip route 10.51.10.0/24 172.16.16.222
ip route 10.51.20.0/24 172.16.16.222
!
Fortigate 100F Configuration
edit "lan"
    set vdom "root"
    set ip 172.16.16.222 255.255.252.0
    set allowaccess ping https ssh fabric
    set type hard-switch
    set alias "Fortigate-100F"
    set role lan
next
edit "VLAN 120"
    set vdom "root"
    set ip 10.11.20.222 255.255.255.0
    set alias "Users"
    set role lan
    set interface "lan"
    set vlanid 120
next
edit "VLAN 1"
    set vdom "root"
    set ip 10.11.1.222 255.255.255.0
    set alias "Management"
    set role lan
    set interface "lan"
    set vlanid 1
next
edit "VLAN 110"
    set vdom "root"
    set ip 10.11.10.222 255.255.255.0
    set alias "Servers"
    set role lan
    set interface "lan"
    set vlanid 110
next
edit "VLAN 510"
    set vdom "root"
    set ip 10.51.10.222 255.255.255.0
    set alias "Staging Servers"
    set role lan
    set interface "lan"
    set vlanid 510
next
edit "VLAN 520"
    set vdom "root"
    set ip 10.51.20.222 255.255.255.0
    set alias "Staging Users"
    set role lan
    set interface "lan"
    set vlanid 520
next
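
A pre-migration check for the planned move of the VLAN sub-interfaces onto a core-facing trunk, added here as an example (it is not part of the original post): it parses the Dell OS10 trunk lines and the FortiGate `vlanid` entries quoted above and reports whether each FortiGate VLAN is carried tagged on that trunk. The function names are made up for this example, and treating port-channel1's trunk settings as those of the future FortiGate-facing port-channel is an assumption.

```python
import re

# Excerpts from the post, abridged. Reusing port-channel1's trunk settings for
# the planned FortiGate-facing port-channel is an assumption of this example.
DELL_TRUNK = """\
interface port-channel1
 switchport mode trunk
 switchport access vlan 1
 switchport trunk allowed vlan 110,116,120,140,150,160,180,510,520
"""
FGT_VLANS = """\
edit "VLAN 1"
 set vlanid 1
next
edit "VLAN 110"
 set vlanid 110
next
edit "VLAN 510"
 set vlanid 510
next
"""

def expand_vlans(spec):
    """Expand an OS10 VLAN list such as '110,120-122' into a set of ints."""
    bounds = (p.strip().partition("-") for p in spec.split(","))
    return {v for lo, _, hi in bounds for v in range(int(lo), int(hi or lo) + 1)}

def dell_trunk(cfg):
    """Return (untagged_vlan, tagged_vlans) for the trunk port in cfg."""
    native = re.search(r"switchport access vlan (\d+)", cfg)
    allowed = re.search(r"switchport trunk allowed vlan (\S+)", cfg)
    return (int(native.group(1)) if native else None,
            expand_vlans(allowed.group(1)) if allowed else set())

def fortigate_vlans(cfg):
    """Map each FortiGate sub-interface name to its 802.1Q vlanid."""
    blocks = re.findall(r'edit "([^"]+)"(.*?)\bnext\b', cfg, re.S)
    ids = ((name, re.search(r"set vlanid (\d+)", body)) for name, body in blocks)
    return {name: int(m.group(1)) for name, m in ids if m}

def check(dell_cfg, fgt_cfg):
    """Classify every FortiGate VLAN against what the trunk carries tagged."""
    native, tagged = dell_trunk(dell_cfg)
    return {name: "tagged" if vid in tagged
            else "untagged-only" if vid == native else "missing"
            for name, vid in fortigate_vlans(fgt_cfg).items()}

if __name__ == "__main__":
    print(check(DELL_TRUNK, FGT_VLANS))
```

With the values from the post, "VLAN 1" is reported as `untagged-only`: the trunk carries VLAN 1 only as its untagged access VLAN, while a FortiGate sub-interface with `vlanid 1` exchanges tagged frames.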