Best practices
- Create forwarding domains when VLANs are used and set `vlanforward` to `disable` on all relevant physical interfaces.
- The forward-domain ID can be different from the VLAN ID, but for troubleshooting and readability it is recommended to keep them the same.
- Only interfaces in the same forwarding domain can have firewall policies between each other.
- In order to allow IVL (independent VLAN learning), the VLANs must be placed in separate forwarding domains.
- If out-of-band management is desired, use a VDOM in NAT mode as the management VDOM where possible, and create one or more other transparent mode VDOMs for the user traffic.
- As Spanning Tree BPDUs are not forwarded by default, insert the FortiGate with caution to avoid L2 loops.
- Multicast packets are not forwarded by default; this might disrupt routing protocols (RIP2, OSPF).
- When using HSRP or VRRP, configure static MAC entries for the virtual MAC addresses.
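The following FortiOS CLI fragment is an added example that ties the points above together; it is not configuration from the original page or from Fortinet. The VDOM name, port names, VLAN IDs, policy ID and the VRRP virtual MAC are placeholders chosen for illustration. It shows `vlanforward` disabled on the physical ports, one forwarding domain per VLAN (with the domain ID kept equal to the VLAN ID), a firewall policy only between interfaces of the same forwarding domain, and a static MAC entry for a VRRP virtual MAC.

```text
# Added example (not from the original page). "TP-users", port1/port2,
# VLAN 10/20, policy 1 and the MAC address are placeholders.

# 1. Physical interfaces: disable vlanforward so tagged frames are handled
#    only by their VLAN sub-interface and its forwarding domain.
config system interface
    edit "port1"
        set vdom "TP-users"
        set vlanforward disable
    next
    edit "port2"
        set vdom "TP-users"
        set vlanforward disable
    next
    # 2. One VLAN sub-interface per VLAN per port; each VLAN gets its own
    #    forwarding domain so MAC learning is independent per VLAN (IVL).
    edit "port1-v10"
        set vdom "TP-users"
        set interface "port1"
        set vlanid 10
        set forward-domain 10
    next
    edit "port2-v10"
        set vdom "TP-users"
        set interface "port2"
        set vlanid 10
        set forward-domain 10
    next
    edit "port1-v20"
        set vdom "TP-users"
        set interface "port1"
        set vlanid 20
        set forward-domain 20
    next
    edit "port2-v20"
        set vdom "TP-users"
        set interface "port2"
        set vlanid 20
        set forward-domain 20
    next
end

# 3. Policies are only possible between interfaces of the same forwarding
#    domain: port1-v10 <-> port2-v10 is valid, port1-v10 <-> port2-v20 is not.
#    (In a multi-VDOM setup this block sits under "config vdom / edit TP-users".)
config firewall policy
    edit 1
        set name "vlan10-east-west"
        set srcintf "port1-v10"
        set dstintf "port2-v10"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# 4. Static MAC entry for a VRRP virtual MAC. The VRRP virtual MAC format
#    00:00:5E:00:01:<VRID> is defined by the VRRP standard; VRID 10 here is a
#    placeholder, and the interface is the VLAN sub-interface facing the routers.
config system mac-address-table
    edit 00:00:5e:00:01:0a
        set interface "port1-v10"
    next
end
```

After applying the fragment, verify with `diagnose netlink brctl name host <vdom>.b` (or the equivalent MAC-table diagnostic of the running FortiOS version) that each VLAN's MAC entries appear only in its own forwarding domain, and that the VRRP virtual MAC is shown as a static entry rather than a learned one.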