LAN extension configuration in a profile


The following example shows the "lan-extension" configuration in a LAN extension profile.

FortiGate (extender-profile) # get FX200F-lanext-default
name : FX200F-lanext-default
id : 4
model : FX200F
extension : lan-extension
allowaccess :
login-password-change: no
enforce-bandwidth : enable
bandwidth-limit : 200
lan-extension:
    link-loadbalance : loadbalance
    ipsec-tunnel : fext-ipsec-rthk
    backhaul-interface : lan
    backhaul-ip :
    backhaul:
        == [ 1 ]
        name: 1
        == [ 2 ]
        name: 2

Parameter Description

name

The profile name.

id

The profile ID (for system internal record).

model

The FortiExtender model for the profile.

extension [lan-extension | wan-extension]

The extension type for the profile.

allowaccess [telnet|http|https|snmp|ping|ssh]

The multi-option setting for the lan-extension switch interface of the FortiExtender. For more details, see Allowaccess for FortiExtender management.

login-password-change [yes|no|default]

The setting of the admin password of the FortiExtender. For more details, see Configure FortiExtender admin password.

enforce-bandwidth [enable|disable]

Enable or disable enforcement of bandwidth limit.

Note: "enforce-bandwidth", which is disabled by default, is used to limit the egress bandwidth used to send traffic from the FortiExtender. For more details, see Set bandwidth limit for LAN extension.

bandwidth-limit

Specify the bandwidth limit.

link-loadbalance [activebackup | loadbalance]

Two ports are configured for the FortiExtender for load-balancing. For activebackup mode, you can configure "role" (primary or secondary) on the two backhaul ports. For loadbalance mode, you can configure "weight" on each backhaul port.

ipsec-tunnel

This is the IPsec tunnel interface that will be used in underlying data transportation. It provides a secure connection between the FortiExtender and the FortiGate. This entry will be auto-generated.

backhaul-interface

This is the egress interface for data transportation between the FortiGate and the other FortiExtenders using this profile. The default will be automatically filled with the interface that is used to manage the FortiExtender. You can configure it based on your network topology.

backhaul-ip

This is used for a FortiGate behind a NAT device (or DNAT, LoadBalancer, etc.). The "backhaul-ip" is the external IP of the NAT device. For more details, see Backhaul IP in LAN extension.

The following is an example of a backhaul configuration.

FortiGate (backhaul) # edit 1
   FortiGate (1) # get
   name : 1
   port : port1
   weight : 1

If link-loadbalance is configured as "activebackup", the following will be shown:

   name : 1
   port : port1
   role : primary

Parameter Description

name

The name of the backhaul entry.

port

The port in the FortiExtender that sends traffic to the FortiGate in LAN extension.

weight

Enter the weight if the link-loadbalance is configured as "loadbalance".

role [primary | secondary]

Specify whether the port is primary or secondary.
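
The following Python script is an added example, not Fortinet code: it parses the "get" output shown above and checks that allowaccess does not include telnet or http, that ipsec-tunnel is set, and that each backhaul entry carries the field its link-loadbalance mode uses. The allowaccess value, the space-separated option format, port2, and the sample backhaul entries are assumptions constructed for the example.

```python
import re

# Constructed input: the profile output shown on this page, with an assumed
# allowaccess value and activebackup mode so the audit has something to report.
PROFILE = """\
name : FX200F-lanext-default
extension : lan-extension
allowaccess : telnet https ping
lan-extension:
link-loadbalance : activebackup
ipsec-tunnel : fext-ipsec-rthk
backhaul:
== [ 1 ]
name: 1
== [ 2 ]
name: 2
"""
# Constructed "get" output of the two backhaul entries (port2 is assumed).
BACKHAULS = ["name : 1\nport : port1\nrole : primary",
             "name : 2\nport : port2\nweight : 1"]

CLEARTEXT = {"telnet", "http"}  # management access without transport encryption

def parse_get(text):
    """Parse 'key : value' lines; the first occurrence of a key wins."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w-]+)\s*:\s*(.*)$", line)
        if m:
            fields.setdefault(m.group(1), m.group(2).strip())
    return fields

def audit(profile_text, backhaul_texts):
    """Return a list of findings for one LAN extension profile."""
    prof = parse_get(profile_text)
    findings = []
    weak = CLEARTEXT & set(prof.get("allowaccess", "").split())
    if weak:
        findings.append("allowaccess permits cleartext: " + ", ".join(sorted(weak)))
    if not prof.get("ipsec-tunnel"):
        findings.append("ipsec-tunnel is empty")
    # Per the parameter table: activebackup uses "role", loadbalance uses "weight".
    needed = {"activebackup": "role", "loadbalance": "weight"}.get(prof.get("link-loadbalance"))
    for entry in map(parse_get, backhaul_texts):
        if needed and not entry.get(needed):
            findings.append(f"backhaul {entry.get('name')}: missing {needed}")
    return findings

if __name__ == "__main__":
    for finding in audit(PROFILE, BACKHAULS):
        print(finding)
```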
