Configuring network interfaces
This topic includes the following information:
“Using physical interfaces”
“Using VLAN interfaces”
“Using aggregate interfaces”
“Configuring network interfaces”
Using physical interfaces
Each physical network port (or, on FortiADC-VM, a vNIC) has a network interface that directly corresponds to it—that is, a “physical network interface.”
Physical ports have three uses:
Management—The network interface named port1 is typically used as the management interface.
HA—If you plan to deploy HA, you must reserve a physical port for HA heartbeat and synchronization traffic. Do not configure the network interface that will be used for HA; instead, leave it unconfigured or “reserved” for HA.
Traffic—The remaining physical ports can be used for your target traffic—these are your “traffic interfaces.”
Traffic interfaces can be associated with logical interfaces. The system supports three types of logical interfaces: VLAN, link aggregation, and loopback. Figure 35 illustrates how physical ports are associated with physical and logical interfaces.
Figure 35:  Physical and logical interfaces
With VLANs, multiple VLAN logical interfaces are associated with a single physical port. With link aggregation, it is the reverse: multiple physical interfaces are associated with a single aggregate logical interface.
Table 44 lists factory default IP addresses for physical network interfaces.
Table 44: Physical network interfaces

Network Interface*    IPv4 Address/Netmask    IPv6 Address/Netmask
port1                 192.168.1.99/24         ::/0
port2                 0.0.0.0/0               ::/0
port3                 0.0.0.0/0               ::/0
port4                 0.0.0.0/0               ::/0
...

* The number of physical network interfaces varies by model. An address of 0.0.0.0/0 or ::/0 means that no address has been assigned to the interface yet.
Using VLAN interfaces
You can use IEEE 802.1q VLAN to reduce the size of a broadcast domain, thereby reducing the amount of broadcast traffic received by network hosts, improving network performance.
Unlike physical LANs, VLANs do not require you to install separate hardware switches and routers to achieve this effect. Instead, VLAN-compliant switches restrict broadcast traffic based upon whether its VLAN ID matches that of the destination network. As such, VLAN trunks can be used to join physically distant broadcast domains as if they were close.
The VLAN ID is part of the tag that is inserted into each Ethernet frame in order to identify traffic for a specific VLAN. FortiADC appliances handle VLAN header addition automatically, so you do not need to adjust the maximum transmission unit (MTU). Depending on whether the device receiving a packet operates at Layer 2 or Layer 3 of the network, a VLAN tag might be added, removed, or rewritten before forwarding to other nodes on the network. For example, a Layer 2 switch typically adds or removes a tag when forwarding traffic among members of the VLAN, but does not route tagged traffic to a different VLAN ID. In contrast, a FortiADC content-based routing policy might forward traffic between different VLAN IDs (also known as inter-VLAN routing).
Cisco Discovery Protocol (CDP) is supported for VLANs.
Note: VLANs are not designed to be a security measure, and should not be used to separate traffic where untrusted devices or individuals outside your organization have access to the equipment. The VLAN ID is an unauthenticated field in the frame header: a host with access to a trunk port can send frames carrying any VLAN ID, and tags can be dropped or rewritten in transit without detection. Isolation therefore relies on the voluntary compliance of every switch and host on the segment, not on any cryptographic check.
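The following is an added example, not code from the FortiADC documentation or product, that makes the note above concrete. It builds an Ethernet frame with one or two IEEE 802.1Q tags (the outer tag of a double-tagged frame uses the 802.1ad TPID), parses the tag stack back out, and rewrites the outer VLAN ID in place. The frame bytes, MAC addresses and payload are constructed for the example; nothing in the frame format protects the VLAN ID, so a rewritten tag is indistinguishable from a legitimate one.

```python
"""Build, parse and rewrite IEEE 802.1Q VLAN tags in a raw Ethernet frame.

Added illustration for the VLAN security note; not FortiADC code.
All sample frames are constructed inline.
"""
import struct

ETHERTYPE_8021Q = 0x8100    # C-VLAN tag (single tag, or inner tag of QinQ)
ETHERTYPE_8021AD = 0x88A8   # S-VLAN tag (outer tag of a double-tagged frame)
TAG_ETHERTYPES = {ETHERTYPE_8021Q, ETHERTYPE_8021AD}


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, vids, ethertype, payload):
    """Return dst|src|[tags...]|ethertype|payload with tags listed outer-first.

    Each tag is a 2-byte TPID followed by a 2-byte TCI (PCP=0, DEI=0, VID).
    """
    frame = _mac(dst) + _mac(src)
    for i, vid in enumerate(vids):
        if not 1 <= vid <= 4094:
            raise ValueError(f"VLAN ID {vid} out of range 1-4094")
        # Only the outermost tag of a double-tagged frame carries the S-tag TPID.
        tpid = ETHERTYPE_8021AD if (len(vids) > 1 and i == 0) else ETHERTYPE_8021Q
        frame += struct.pack("!HH", tpid, vid)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, [vids outer..inner], ethertype, payload).

    A frame with two VLAN IDs is double-tagged (QinQ); an untagged frame
    yields an empty list.
    """
    dst = frame[0:6].hex(":")
    src = frame[6:12].hex(":")
    vids = []
    off = 12
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in TAG_ETHERTYPES:
            break
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vids.append(tci & 0x0FFF)          # low 12 bits of the TCI are the VID
        off += 4
    return dst, src, vids, etype, frame[off + 2:]


def rewrite_outer_vid(frame, new_vid):
    """Overwrite the VLAN ID of the outermost tag, keeping PCP/DEI bits.

    There is no checksum or signature covering the header, so the receiving
    switch or host simply trusts whatever VID it finds here.
    """
    (etype,) = struct.unpack_from("!H", frame, 12)
    if etype not in TAG_ETHERTYPES:
        raise ValueError("frame is untagged")
    (tci,) = struct.unpack_from("!H", frame, 14)
    tci = (tci & 0xF000) | (new_vid & 0x0FFF)
    return frame[:14] + struct.pack("!H", tci) + frame[16:]


if __name__ == "__main__":
    f = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", [100], 0x0806, b"\x00" * 28)
    print(parse_frame(f)[2], "->", parse_frame(rewrite_outer_vid(f, 200))[2])
```

Running the block shows the VID changing from [100] to [200] with the frame otherwise unchanged, which is exactly the attack surface the note warns about.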
Using aggregate interfaces
Link aggregation (also called NIC teaming/bonding or link bundling) forms a network interface that queues and transmits over multiple wires (also called a port channel), instead of only a single wire (as FortiADC would normally do with a single network interface per physical port). This multiplies the bandwidth that is available to the network interface, and therefore is useful if FortiADC is deployed inline with your network backbone.
Link aggregation on FortiADC complies with IEEE 802.3ad and distributes Ethernet frames using a modified round-robin behavior. If a port in the aggregation fails, traffic is redistributed automatically to the remaining ports with the only noticeable effect being a reduced bandwidth. When broadcast or multicast traffic is received on a port in the aggregation, reverse traffic will return on the same port.
When link aggregation uses a round-robin that considers only Layer 2, Ethernet frames that belong to an HTTP request can sometimes arrive out of order. Because network protocols at higher layers often do not gracefully handle this (especially TCP, which may decrease network performance by requesting retransmission when the expected segment does not arrive), FortiADC’s frame distribution algorithm is configurable. For example, if you notice that performance with link aggregation is not as high as you expect, you could try configuring FortiADC to queue related frames consistently to the same port by considering the IP session (Layer 3) and TCP connection (Layer 4), not simply the MAC address (Layer 2).
You must also configure the router, switch, or other link aggregation control protocol (LACP)-compatible device to which FortiADC is connected with the same speed/duplex settings, and it must have ports that can be aggregated. In a deployment like this, the two devices use the cables between the ports to form a trunk, not an accidental Layer 2 (link) network loop. FortiADC uses LACP to detect the following conditions:
Suitable links between itself and the other device, which it combines into a single logical link.
Individual port failure, so that the aggregate can redistribute queuing to avoid the failed port.
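To make the distribution behaviour described above tangible, here is an added example that is not FortiADC's implementation: a small model of how an aggregate picks a member port per frame. `distribute_round_robin` models balance-rr, which stripes consecutive frames across members regardless of flow; `select_member_xor` models hash-based selection (balance-xor / 802.3ad style) under the three algorithm choices. The hash functions follow the general shape of the Linux bonding `xmit_hash_policy` options (layer2, layer2+3, layer3+4) in simplified form; the exact mixing FortiADC uses is not documented on this page and is assumed here. The member names and sample flows are constructed.

```python
"""Model member-port selection for an aggregate interface.

Added illustration, not FortiADC code. Hash policies are a simplified
rendering of the Linux bonding layer2 / layer2+3 / layer3+4 options
(assumed, not taken from FortiADC). Sample flows are constructed.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: int       # 6 = TCP, 17 = UDP
    src_port: int
    dst_port: int


def _mac_last_byte(mac):
    return int(mac.split(":")[-1], 16)


def _ip_int(ip):
    return int(ipaddress.ip_address(ip))


def hash_layer2(flow):
    # Only MAC addresses are considered: every flow between the same two
    # hosts (for example FortiADC and its next-hop router) hashes identically.
    return _mac_last_byte(flow.src_mac) ^ _mac_last_byte(flow.dst_mac)


def hash_layer2_3(flow):
    # Adds the IP pair, so different hosts behind one router spread out,
    # but parallel connections between one IP pair still share a member.
    h = _ip_int(flow.src_ip) ^ _ip_int(flow.dst_ip)
    h ^= h >> 16
    h ^= h >> 8
    return (h ^ hash_layer2(flow)) & 0xFFFFFFFF


def hash_layer3_4(flow):
    # Adds TCP/UDP ports: separate connections between the same IP pair can
    # land on different members, while each connection stays on one member.
    h = ((flow.src_port << 16) | flow.dst_port) ^ _ip_int(flow.src_ip) ^ _ip_int(flow.dst_ip)
    h ^= h >> 16
    h ^= h >> 8
    return h & 0xFFFFFFFF


POLICIES = {"layer2": hash_layer2, "layer2_3": hash_layer2_3, "layer3_4": hash_layer3_4}


def select_member_xor(flow, members, algorithm):
    """Hash-based selection: a given flow always maps to the same member,
    so its frames cannot be reordered by the aggregate."""
    return members[POLICIES[algorithm](flow) % len(members)]


def distribute_round_robin(frames, members):
    """balance-rr: frame i goes to member i mod N regardless of flow, so a
    single TCP connection is striped across ports and may arrive out of order."""
    return [members[i % len(members)] for i, _ in enumerate(frames)]


def members_used(flows, members, algorithm):
    """Distinct members a set of flows would occupy under hash-based selection."""
    return sorted({select_member_xor(f, members, algorithm) for f in flows})


if __name__ == "__main__":
    ports = ["port2", "port3"]
    a = Flow("00:11:22:33:44:01", "00:11:22:33:44:ff", "10.0.0.5", "10.0.0.1", 6, 40001, 443)
    b = Flow("00:11:22:33:44:01", "00:11:22:33:44:ff", "10.0.0.5", "10.0.0.1", 6, 40002, 443)
    for algo in POLICIES:
        print(algo, members_used([a, b], ports, algo))
    print("balance-rr, one connection, 4 frames:", distribute_round_robin([a] * 4, ports))
```

With the two sample TCP connections between the same pair of hosts, `layer2` and `layer2_3` place both on one member (the aggregate's extra bandwidth is unused for that host pair), `layer3_4` spreads them across both members while keeping each connection on one port, and round-robin alternates ports frame by frame even within one connection.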
Configuring network interfaces
You can edit the physical interface configuration. You cannot create or delete a physical interface configuration.
Before you begin:
You must have Read-Write permission for System settings.
To configure a network interface:
1. Go to Networking > Interface.
2. Double-click the row for a physical interface to edit its configuration or click Add if you want to configure an aggregate or VLAN interface.
3. Complete the configuration as described in Table 45.
4. Save the configuration.
Table 45: Network interface configuration
Settings
Guidelines
Common Settings
Name
Unique name. No spaces or special characters.
After you initially save the configuration, you cannot edit the name.
Status
This Status column is not the detected physical link status; it is the administrative status (Up/Down) that indicates whether you permit the network interface to receive and/or transmit packets.
Allow Access
Allow inbound service traffic. Select from the following options:
HTTP—Enables connections to the web UI. We recommend this option only for network interfaces connected to a trusted private network, or directly to your management computer.
HTTPS—Enables secure connections to the web UI. We recommend this option instead of HTTP.
Ping—Enables ping and traceroute to be received on this network interface. When it receives an ECHO_REQUEST (“ping”), FortiADC will reply with ICMP type 0 (ECHO_RESPONSE or “pong”).
SNMP—Enables SNMP queries to this network interface.
SSH—Enables SSH connections to the CLI. We recommend this option instead of Telnet.
Telnet—Enables Telnet connections to the CLI. We recommend this option only for network interfaces connected to a trusted private network, or directly to your management computer.
Speed
Select one of the following speed/duplex settings:
Auto—Speed and duplex are negotiated automatically. Recommended.
10half—10 Mbps, half duplex.
10full—10 Mbps, full duplex.
100half—100 Mbps, half duplex.
100full—100 Mbps, full duplex.
1000half—1000 Mbps, half duplex.
1000full—1000 Mbps, full duplex.
MTU
The default is 1500. We recommend you maintain the default.
Virtual Domain
If applicable, select the virtual domain to which the configuration applies.
Mode
Static—Specify a static IP address. The IP address must be on the same subnet as the network to which the interface connects. Two network interfaces cannot have IP addresses on the same subnet (i.e. overlapping subnets).
PPPoE—Use PPPoE to retrieve a configuration for the IP address, gateway, and DNS server. For example, if this interface uses a DSL connection to the Internet, your ISP may require this option.
Static
IPv4/Netmask
Specify the IP address and CIDR-formatted subnet mask, separated by a forward slash ( / ), such as 192.0.2.5/24. Dotted quad formatted subnet masks are not accepted.
IPv6/Netmask
Specify the IPv6 address and prefix length, separated by a forward slash ( / ), such as 2001:0db8:85a3::8a2e:0370:7334/64. Dotted-quad formatted subnet masks are not accepted.
Secondary IP Address
Secondary IP addresses can be used when you deploy the system so that it belongs to multiple logical subnets. If you assign multiple IP addresses to an interface, you must assign them static addresses.
To add secondary IP addresses, enable the feature and save the configuration. After you have saved it the first time, you can edit it to add secondary IP addresses and enable inbound traffic to that address.
PPPoE
Username
PPPoE account user name.
Password
PPPoE account password.
Discovery Retry Timeout
Seconds the system waits before it retries to discover the PPPoE server.
The default is 5 seconds.
DNS Server Override
Use the DNS server addresses retrieved from the PPPoE server instead of the ones configured in the FortiADC system settings.
Retrieve Default Gateway
Use the default gateway retrieved from the PPPoE server instead of the one configured in the FortiADC system settings.
Type
If you are editing the configuration for a physical interface, you cannot set the type.
If you are configuring a logical interface, you can select from the following options:
Aggregate—A logical interface you create to support the aggregation of multiple physical interfaces.
VLAN—A logical interface you create to define a VLAN subinterface on a single physical interface.
Aggregate
Redundant Member
Select the physical interfaces that are included in the aggregation.
Aggregate Mode
Link aggregation type:
802.3ad—Dynamic link aggregation negotiated with LACP. The connected switch or router must also be configured for LACP.
Balance-alb—Adaptive load balancing of both transmit and receive traffic.
Balance-rr—Round-robin; successive frames go to successive members, so frames of one connection can arrive out of order.
Balance-tlb—Adaptive transmit load balancing.
Balance-xor—Member selected by hashing the frame according to the Aggregate Algorithm, so a given flow stays on one member.
Broadcast—Every frame is transmitted on all members.
Aggregate Algorithm
Connectivity layers that will be considered when distributing frames among the aggregated physical ports:
Layer 2—MAC addresses only.
Layer 2-3—MAC addresses and IP addresses.
Layer 3-4—IP addresses and TCP/UDP ports, so that each connection is queued consistently to the same member.
VLAN
Interface
Physical interface associated with the VLAN; for example, port2.
VLAN ID
VLAN ID of packets that belong to this VLAN.
If one physical network port (that is, a VLAN trunk) will handle multiple VLANs, create multiple VLAN subinterfaces on that port, one for each VLAN ID that will be received.
If multiple different physical network ports will handle the same VLANs, on each of the ports, create VLAN subinterfaces that have the same VLAN IDs.
The valid range is between 1 and 4094. The value you specify must match the VLAN ID added by the IEEE 802.1q-compliant router or switch connected to the VLAN subinterface.
Secondary IP List
IP Address
Secondary IP addresses can be used when you deploy the system so that it belongs to multiple logical subnets. If you assign multiple IP addresses to an interface, you must assign them static addresses.
To add secondary IP addresses, enable the feature and save the configuration. After you have saved it the first time, you can edit it to add secondary IP addresses and enable inbound traffic to that address.
For each address, specify an IP address using the CIDR-formatted subnet mask, separated by a forward slash ( / ), such as 192.0.2.5/24.
Allow Access
Select the services that are allowed to send inbound traffic.
HA Node IP List
IP Address
You use the HA node IP list configuration in an HA active-active deployment. For each HA cluster node, configure an HA node IP list that includes an entry for each cluster node. When the appliance is in standalone mode, it uses the physical port IP address; when it is in HA mode, it uses the HA node IP address.
For each address, specify an IP address using the CIDR-formatted subnet mask, separated by a forward slash ( / ), such as 192.0.2.5/24.
Node ID
ID of the corresponding node.
Allow Access
Select the services that are allowed to send inbound traffic.
 
 
To configure a physical interface using the CLI:
config system interface
edit <port_name>
set ip <ip address/netmask>
set allowaccess {http https ping snmp ssh telnet}
end
To configure an aggregate interface using the CLI:
config system interface
edit <specified_name>
set type agg
set aggregate-mode {802.3ad | balance-alb | balance-rr | balance-tlb | balance-xor | broadcast}
set aggregate-algorithm {layer2 | layer2_3 | layer3_4}
set status up
set member <port_name> <port_name>
set ip <ip address/netmask>
end
To configure a VLAN interface using the CLI:
config system interface
edit <specified_name>
set type vlan
set vlanid <number>
set ip <ip address/netmask>
end
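As an added example that is not part of the FortiADC product or its documentation, the following script turns the rules stated in Table 45 into checks and then emits the same "config system interface" CLI shown above for a set of interface definitions. It checks only what the table states: CIDR prefix-length notation (dotted-quad masks rejected), no two configured interfaces on overlapping subnets, VLAN IDs in 1-4094, an aggregate with a valid mode, algorithm and at least two members, and a warning wherever the cleartext management services (HTTP, Telnet) that the table recommends restricting are enabled. The interface definitions and names (port1, agg1, vlan100) are constructed; unassigned interfaces (0.0.0.0/0 or ::/0) are treated as unconfigured and skipped in the overlap check. The dictionary layout and the use of `next` between entries are this example's own conventions.

```python
"""Validate FortiADC interface definitions against Table 45 and emit CLI.

Added example, not FortiADC code. Sample definitions are constructed.
"""
import ipaddress

VALID_ACCESS = {"http", "https", "ping", "snmp", "ssh", "telnet"}
CLEARTEXT_ACCESS = {"http", "telnet"}      # table recommends trusted networks only
AGG_MODES = {"802.3ad", "balance-alb", "balance-rr", "balance-tlb", "balance-xor", "broadcast"}
AGG_ALGOS = {"layer2", "layer2_3", "layer3_4"}


def parse_cidr(text):
    """Accept only prefix-length notation such as 192.0.2.5/24."""
    if "/" not in text:
        raise ValueError(f"{text}: address must include a /prefix length")
    _, mask = text.split("/", 1)
    if not mask.isdigit():
        raise ValueError(f"{text}: dotted-quad masks are not accepted, use CIDR")
    return ipaddress.ip_interface(text)


def validate(interfaces):
    """Return a list of problems; an empty list means the set is consistent.

    Each interface is a dict with name, ip, optional allowaccess (list),
    optional type ('agg' or 'vlan'), vlanid, member, aggregate-mode,
    aggregate-algorithm (keys are this example's own convention).
    """
    problems, nets = [], {}
    for itf in interfaces:
        name = itf["name"]
        if " " in name:
            problems.append(f"{name}: name must not contain spaces")
        try:
            iface = parse_cidr(itf["ip"])
        except ValueError as e:
            problems.append(str(e))
            continue
        if not iface.ip.is_unspecified:          # 0.0.0.0/0 or ::/0 = not configured
            for other, net in nets.items():
                if iface.network.overlaps(net):
                    problems.append(f"{name}: subnet {iface.network} overlaps {other} ({net})")
            nets[name] = iface.network
        access = set(itf.get("allowaccess", []))
        if access - VALID_ACCESS:
            problems.append(f"{name}: unknown allowaccess {sorted(access - VALID_ACCESS)}")
        if access & CLEARTEXT_ACCESS:
            problems.append(f"{name}: warning, cleartext management {sorted(access & CLEARTEXT_ACCESS)}"
                            " enabled; restrict to a trusted management network")
        if itf.get("type") == "vlan":
            vid = itf.get("vlanid")
            if not isinstance(vid, int) or not 1 <= vid <= 4094:
                problems.append(f"{name}: vlanid must be 1-4094")
        if itf.get("type") == "agg":
            if itf.get("aggregate-mode") not in AGG_MODES:
                problems.append(f"{name}: unknown aggregate-mode")
            if itf.get("aggregate-algorithm") not in AGG_ALGOS:
                problems.append(f"{name}: unknown aggregate-algorithm")
            if len(itf.get("member", [])) < 2:
                problems.append(f"{name}: an aggregate needs at least two members")
    return problems


def to_cli(interfaces):
    """Render the definitions in the CLI form shown on this page."""
    lines = ["config system interface"]
    for itf in interfaces:
        lines.append(f"    edit {itf['name']}")
        if itf.get("type") == "agg":
            lines += ["        set type agg",
                      f"        set aggregate-mode {itf['aggregate-mode']}",
                      f"        set aggregate-algorithm {itf['aggregate-algorithm']}",
                      f"        set member {' '.join(itf['member'])}"]
        elif itf.get("type") == "vlan":
            lines += ["        set type vlan", f"        set vlanid {itf['vlanid']}"]
        lines.append(f"        set ip {itf['ip']}")
        if itf.get("allowaccess"):
            lines.append(f"        set allowaccess {' '.join(itf['allowaccess'])}")
        lines.append("        set status up")
        lines.append("    next")
    lines.append("end")
    return "\n".join(lines)


SAMPLE = [  # constructed
    {"name": "port1", "ip": "192.168.1.99/24", "allowaccess": ["https", "ssh", "ping"]},
    {"name": "port2", "ip": "0.0.0.0/0"},
    {"name": "agg1", "type": "agg", "ip": "10.10.0.1/24", "member": ["port3", "port4"],
     "aggregate-mode": "802.3ad", "aggregate-algorithm": "layer3_4"},
    {"name": "vlan100", "type": "vlan", "vlanid": 100, "ip": "10.100.0.1/24"},
]

if __name__ == "__main__":
    print("\n".join(validate(SAMPLE)) or "no problems")
    print(to_cli(SAMPLE))
```

Run it against your intended interface set before typing the CLI in; the overlap check is the one that most often catches a mistake, because the appliance rejects two interfaces on the same subnet only at commit time.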