FortiGate 100F Aggregation - Dell S4112F (VLT)

Question

Hello everyone, I’m planning to replace my current Vigor 3220 router with a FortiGate 100F as the main firewall and router for my network. Current Network Topology Core Switches: 2 × Dell S4112F (OS10), N160-N161 configured as a VLT pair. Access: Dell N1148T Switches N162-N165 connected via trunk ports to Core Switch. Old Router: Vigor 3220 (172.16.16.221) Connected via 1Gbit Link to Dell N1148T -N162 Switch port52. S VLANs: 1 (Mgmt), 110 (Servers), 120 (Users), 140 (WiFi), 510 (Staging Server), 520 (Staging Users). FortiGate 100F (test LAN 172.16.16.222 ): connected to Dell N1148T-N162 on port 51 (trunk) Currently, all inter-VLAN communication happens at the Core Switch level (the Dell S4112F pair). Each VLAN has its own SVI and VRRP configuration on the cores.   Fortigate Test Network At the moment, I created two testing VLANs (510, 520) and added static routes on the core switches so that those VLANs go through the FortiGate:   ip route 0.0.0.0/0 172.16.16.221 ip route 10.51.10.0/24 172.16.16.222 ip route 10.51.20.0/24 172.16.16.222 All  test VLAN sub-interfaces (VLAN 510, 520, etc.) work fine. Correct Topology Now, I’m considering moving the FortiGate connection directly to the core layer using 10 Gbps uplinks (FortiGate x1, x2) to the two Dell S4112F core switches (N160,N161), which operate as a VLT pair. Planned connections: x1 → Dell S4112F #1 (N160) port 1/1/12 x2 → Dell S4112F #2 (N161) port 1/1/12   My Questions Can VLAN sub-interfaces work properly under a FortiGate aggregate interface (LACP x1+x2)? Should I assign an IP to the aggregate interface, or only to the VLAN sub-interfaces? What is the recommended configuration on the Dell OS10 switches for this setup (LACP + VLT)? If I move my current VLANs from interface 'LAN' to the new aggregate, will they continue to work with the same IPs and DHCP relays? The Dell switch ports are currently configured in a port-channel (VLT). Should I delete and recreate the port-channel, or can I reuse it as it is?   Any advice or best practice for connecting a FortiGate 100F via LACP to a Dell VLT pair would be appreciated. Note:I also have the full configuration files for my current setup — FortiGate, Dell S4112F core switches, and access switch — available if needed for review. Thank you in advance for your help!     Dell S4112F Configuration ! interface vlan510  vlan-name Staging_Servers_Vlan  description ***_Staging_Server_***  no shutdown  ip address 10.51.10.3/24  no ip dhcp snooping  ip helper-address 10.51.10.11  !  vrrp-group 7   priority 150   virtual-address 10.51.10.1 !   ! interface port-channel1  description ***_THQ-N07-162_local_member_Eth1/1/1_***  no shutdown  switchport mode trunk  switchport access vlan 1  switchport trunk allowed vlan 110,116,120,140,150,160,180,510,520  vlt-port-channel 1 !   ! interface ethernet1/1/1  description ***_HQ-N07-162__Po1_member_***  no shutdown  channel-group 1  no switchport  flowcontrol receive off !   ! ip route 0.0.0.0/0 172.16.16.221 ip route 10.51.10.0/24 172.16.16.222 ip route 10.51.20.0/24 172.16.16.222 !     Fortigate 100F Configuration edit 'lan'         set vdom 'root'         set ip 172.16.16.222 255.255.252.0         set allowaccess ping https ssh fabric         set type hard-switch         set alias 'Fortigate-100F'         set role lan     next         edit 'VLAN 120'         set vdom 'root'         set ip 10.11.20.222 255.255.255.0         set alias 'Users'         set role lan         set interface 'lan'         set vlanid 120     next     edit 'VLAN 1'         set vdom 'root'         set ip 10.11.1.222 255.255.255.0         set alias 'Management'         set role lan         set interface 'lan'         set vlanid 1     next     edit 'VLAN 110'         set vdom 'root'         set ip 10.11.10.222 255.255.255.0         set alias 'Servers'         set role lan         set interface 'lan'         set vlanid 110     next     edit 'VLAN 510'         set vdom 'root'         set ip 10.51.10.222 255.255.255.0         set alias 'Staging Servers'         set role lan         set interface 'lan'         set vlanid 510     next     edit 'VLAN 520'         set vdom 'root'         set ip 10.51.20.222 255.255.255.0         set alias 'Staging Users'         set role lan         set interface 'lan'         set vlanid 520     next

DELL-Joey C · Accepted Answer

Hi,

With due to our support in the forum is limited to technical issue, we can't provide much about configuration on the switches. We would advice customers to contact the support to obtain deployment guide that is within scope for them.

I can help answer some questions in general.

Can VLAN sub-interfaces work properly under a FortiGate aggregate interface (LACP x1+x2)? Yes, the VLAN sub interface can work compatibly.
Should I assign an IP to the aggregate interface, or only to the VLAN sub-interfaces? Only to the VLAN sub interface.
What is the recommended configuration on the Dell OS10 switches for this setup (LACP + VLT)? VLT-Port Channel is recommended.
If I move my current VLANs from interface “LAN” to the new aggregate, will they continue to work with the same IPs and DHCP relays? Yes, it would work
The Dell switch ports are currently configured in a port-channel (VLT). Should I delete and recreate the port-channel, or can I reuse it as it is? The VLTi (ISL) should not be deleted as additional device can be connected through the VLT Port Channel with downstreams.

Above replies are based in general of the switch capabilities, but ultimately to achieve your desired outcome might need the support intervention to check entirely the switch config output. Attached below some of the reference guide:

https://infohub.delltechnologies.com/sv-se/l/dell-emc-smartfabric-os10-switch-configuration-guide-f…

https://infohub.delltechnologies.com/sv-se/l/dell-networking-layer-3-leaf-spine-deployment-and-best…

https://dl.dell.com/manuals/common/dell-emc-networking-l3-design-leaf-spine-os10.pdf

user_ca0ae4 · Answer

Thank you very much for your explanation. Everything is working perfectly now!

Ηere’s what I ended up doing:

Removed the default FortiLink configuration on X1/X2.
Created a new aggregate interface (LACP) combining X1 + X2 (agg-core) — no IP address on the aggregate itself.
Added VLAN sub-interfaces under the aggregate (edit the config file):
- agg.116 → 172.16.16.222/22 (backbone toward Dell core switches)
- agg.510 → 10.51.10.222/24 (Staging Servers)
- agg.520 → 10.51.20.222/24 (Staging Users)

On the Dell S4112F (n160 / n161):

Configured both Ethernet1/1/12 as LACP members of Port-Channel 12 with
channel-group 12 mode active
Shut down the SVIs for VLAN 510 and 520, and added static routes to the FortiGate
ip route 10.51.10.0/24 172.16.16.222
ip route 10.51.20.0/24 172.16.16.222

Now VLANs 510 and 520 are routed through the FortiGate for Internet access, while all other VLANs continue to use the existing Vigor 3220 router. After completing all the tests successfully, I applied the same configuration changes to all other VLANs.

Dell S4112F Config
!
interface ethernet1/1/12
description ***_Fortigate_X1_***
no shutdown
channel-group 12 mode active
no switchport
flowcontrol receive on
!

!
interface port-channel12
description ***_Fortigate_X1_Port12***
no shutdown
switchport mode trunk
switchport access vlan 1
switchport trunk allowed vlan 110,116,120,140,150,180,510,520
vlt-port-channel 12
!

!
interface vlan510
vlan-name Staging_Servers_Vlan
description ***_Staging_Server_***
shutdown
ip address 10.51.10.2/24
no ip dhcp snooping
ip helper-address 10.51.10.11
!
vrrp-group 7
priority 150
virtual-address 10.51.10.1
!
interface vlan520
vlan-name Staging_Users_Vlan
description ***_Staging_Server_***
shutdown
ip address 10.51.20.2/24
no ip dhcp snooping
ip helper-address 10.51.20.11
!
vrrp-group 8
priority 150
virtual-address 10.51.20.1
!

Networking General

FortiGate 100F Aggregation - Dell S4112F (VLT)

Was this post helpful?