Posted: 8/26/2024 3:19:57 PM EDT
Looking for recommendations on a good brand to use on both a FortiGate 201 and a Cisco 2960X POE switch
God's children are not for sale.
[#1]
If it's for home use, Fiber Store. If it's for professional use, Fiber Store, and buy spares. If it's mission critical, higher-end third-party or OEM.
“As always the Laws of Physics are Laws, not suggestions.” Old_Painless
[#2]
Second https://www.fs.com/
I'm not the one REEING, motherfucker! -FCSD2162
[#3]
I know nothing about Fortigate and Cisco products, so this may be a useless post. But how much distance do you need to cover? RJ45 SFPs get hot most of the time and suck power. If it is a short run, would a DAC work?
Who, What, Where? Call Sign, Snowball
[#4]
Originally Posted By Saker13:
"I know nothing about Fortigate and Cisco products, so this may be a useless post. But how much distance do you need to cover? RJ45 SFPs get hot most of the time and suck power. If it is a short run, would a DAC work?"

That's a consideration, as this is a single-rack homelab run (they're 2U apart, in reality). I was trying to future-proof things somewhat, but a DAC isn't out of the question for now.
God's children are not for sale.
[#5]
If they're close, definitely go for a DAC.
In the beginning, the universe was created. This made a lot of people very angry, and has been widely regarded as a bad move. -Douglas Adams
[#6]
Fs.com
[#7]
Wiitek modules will work for anything.
[#8]
OP, do a before and after power assessment -- whatever you think you're going to gain using those transceivers from a speed perspective, you will pay for in power and heat. Also, I can't count how many of those I've discovered in a failing/failed state; brand hasn't mattered, but fs.com is fine as others have recommended -- buy spares.

If it starts acting up, throw it away and move on. Don't forget to tell your switch you'll be using an unsupported transceiver.

Also, in case you're interested in upgrading that 2960X to something that performs 10GBase-T natively, and is inexpensive used, with UPOE, I'd recommend a Cisco 3850 model -- WS-C3850-24XU-L. Downgrade it to 16.6, implement the advanced ip services RTU license level, then upgrade it to 16.12. (I only advocate this for a home lab/learning environment so as not to be downmodded into oblivion.)
[#9]
Appreciate all the info and advice. I'm having to rethink the setup a little bit, I just found out I can get 2gig fiber for the same price I was paying for 1gig. The FortiGate won't support uplinks higher than 1gb, so I think I'm going to go with an OPNsense box with a dual 10gb fiber NIC into the Cisco. It also depends on if 5G cellular SDWAN is as easy on OPNsense as it is on the FortiGate.
God's children are not for sale.
[#10]
I route my 2G internet into my switch on a dedicated VLAN and port-aggregate on my Palo FW to get past the 1G port limitation. It works very well.
“As always the Laws of Physics are Laws, not suggestions.” Old_Painless
[#11]
Originally Posted By MMcCall:
"Appreciate all the info and advice. I'm having to rethink the setup a little bit, I just found out I can get 2gig fiber for the same price I was paying for 1gig. The FortiGate won't support uplinks higher than 1gb, so I think I'm going to go with an OPNsense box with a dual 10gb fiber NIC into the Cisco. It also depends on if 5G cellular SDWAN is as easy on OPNsense as it is on the FortiGate."

The Fortigate supports link aggregation very nicely using 802.3ad/LACP - just set a couple ports on your cisco as 'channel-group {x} mode active' and define your Po as switchport mode trunk, then set up your FG to use VLANs to segregate traffic. You'll have one for your WAN side, and the remainder as you wish: LAN, DMZ, IOT, whatever. I'd recommend 2x links in a port channel for your internet agg link and 2x (or heck, even 4) links for the remainder of your network. I'm assuming this is a FG201E. If so, it'll work fine. That 2960X *may* not support multigig, however, so there's concern there. Let's just map this out, and make an assumption that it does.

On the cisco side, simplified:

vlan 10
 name inet
!
vlan 20
 name lan
!
vlan 30
 name dmz
!
vlan 40
 name iot
!
interface Port-channel1
 description Fortigate firewall inet uplink
 switchport mode trunk
 switchport trunk allowed vlan 10
!
interface Port-channel2
 description Fortigate firewall lan uplink
 switchport mode trunk
 switchport trunk allowed vlan 20,30,40
!
interface TenGigabitEthernet1/1/1
 description ISP uplink
 switchport mode access
 switchport access vlan 10
!
! LACP members must carry the same trunk settings as their Port-channel
interface range GigabitEthernet1/0/1-2
 description WAN uplink members to Fortigate
 switchport mode trunk
 switchport trunk allowed vlan 10
 channel-group 1 mode active
!
interface range GigabitEthernet1/0/3-6
 description LAN uplink members to Fortigate
 switchport mode trunk
 switchport trunk allowed vlan 20,30,40
 channel-group 2 mode active
!
interface range GigabitEthernet1/0/7-24
 description LAN
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
interface range GigabitEthernet1/0/25-36
 description DMZ
 switchport mode access
 switchport access vlan 30
 spanning-tree portfast
!
interface range GigabitEthernet1/0/37-48
 description IOT
 switchport mode access
 switchport access vlan 40
 spanning-tree portfast
!
! switch management address on the LAN VLAN; IOS takes a dotted mask, not a /prefix
interface Vlan20
 ip address x.y.z.a n.n.n.n
!
! RFC 1918 space toward the firewall; x.y.z.b is the Fortigate's VLAN 20 address (placeholder)
ip route 10.0.0.0 255.0.0.0 x.y.z.b
ip route 172.16.0.0 255.240.0.0 x.y.z.b
ip route 192.168.0.0 255.255.0.0 x.y.z.b

On the fortigate side, simplified:

config system interface
    edit "internet_aggregate"
        set vdom "whatever"
        set type aggregate
        set member "port1" "port2"
    next
    edit "lan_aggregate"
        set vdom "whatever"
        set type aggregate
        set member "port3" "port4" "port5" "port6"
    next
    edit "internet"
        set vdom "whatever"
        set mode dhcp
        set interface "internet_aggregate"
        set vlanid 10
    next
    edit "lan"
        set vdom "whatever"
        set ip x.y.z.a/prefix
        set interface "lan_aggregate"
        set vlanid 20
    next
    edit "dmz"
        set vdom "whatever"
        set ip x.y.z.a/prefix
        set interface "lan_aggregate"
        set vlanid 30
    next
    edit "iot"
        set vdom "whatever"
        set ip x.y.z.a/prefix
        set interface "lan_aggregate"
        set vlanid 40
    next
end

I'd recommend using a separate VDOM for your home stuff, and then create additional VDOMs for lab interactivity. You can route between VDOMs easily using dynamic routing protocols to save headache/time with intervdom links. Good luck!
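A consistency check for a VLAN/LACP plan of the kind laid out above, added here as an example; it is not part of the original post and not a tool from either vendor. It parses a Cisco IOS-style switch config and a FortiOS "config system interface" block (both constructed inline in the shape of the plan, not copied from the thread) and reports where the two sides disagree: a VLAN sub-interface whose parent aggregate does not exist, a Port-channel that trunks a different VLAN set than the FortiGate tags on the matching aggregate, an access port in a VLAN the firewall never terminates, or a VLAN trunked to the firewall that no port actually uses. BUNDLE_MAP, which ties each Port-channel to a FortiGate aggregate, is an assumption about cabling since nothing in a text config links the two. Two slips are seeded into the sample on purpose (the IOT access range placed in VLAN 20, and a sub-interface bound to an undefined "wan_aggregate"), because that is exactly the kind of mismatch that silently lands devices in the wrong segment.

```python
import re

# Constructed sample in the shape of the plan above (not the thread's own config).
# Two slips are seeded on purpose so the checker has something to report: the
# IOT access ports are placed in VLAN 20, and the FortiGate "internet"
# sub-interface names a parent aggregate that is never defined.
CISCO_CONFIG = """\
interface Port-channel1
 switchport mode trunk
 switchport trunk allowed vlan 10
interface Port-channel2
 switchport mode trunk
 switchport trunk allowed vlan 20,40
interface TenGigabitEthernet1/1/1
 switchport mode access
 switchport access vlan 10
interface range GigabitEthernet1/0/7-24
 switchport mode access
 switchport access vlan 20
interface range GigabitEthernet1/0/25-48
 switchport mode access
 switchport access vlan 20
"""

FORTI_CONFIG = """\
config system interface
    edit "internet_aggregate"
        set type aggregate
        set member "port1" "port2"
    next
    edit "lan_aggregate"
        set type aggregate
        set member "port3" "port4" "port5" "port6"
    next
    edit "internet"
        set interface "wan_aggregate"
        set vlanid 10
    next
    edit "lan"
        set interface "lan_aggregate"
        set vlanid 20
    next
    edit "iot"
        set interface "lan_aggregate"
        set vlanid 40
    next
end
"""

# Assumed cabling: which switch Port-channel lands on which FortiGate aggregate.
BUNDLE_MAP = {"Port-channel1": "internet_aggregate", "Port-channel2": "lan_aggregate"}


def expand_vlans(spec):
    """'20,40' or '10-12,20' -> {10, 11, 12, 20}."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def parse_ios(text):
    """Map each interface name to its switchport mode, access VLAN and allowed-VLAN set."""
    ifaces, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"interface (?:range )?(\S+)$", line):
            cur = ifaces.setdefault(m.group(1), {"allowed": set()})
        elif m := re.match(r"switchport mode (\w+)", line):
            cur["mode"] = m.group(1)
        elif m := re.match(r"switchport access vlan (\d+)", line):
            cur["access_vlan"] = int(m.group(1))
        elif m := re.match(r"switchport trunk allowed vlan (\S+)", line):
            cur["allowed"] = expand_vlans(m.group(1))
    return ifaces


def parse_fortios(text):
    """Map each 'edit' name in a 'config system interface' block to its 'set' values."""
    ifaces, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("edit "):
            cur = ifaces.setdefault(line[5:].strip('"'), {})
        elif line.startswith("set ") and cur is not None:
            _, key, *vals = line.split()
            cur[key] = [v.strip('"') for v in vals]
        elif line == "next":
            cur = None
    return ifaces


def audit(cisco_text, forti_text, bundle_map):
    """Return human-readable findings; an empty list means both sides agree."""
    sw, fg, findings, tags = parse_ios(cisco_text), parse_fortios(forti_text), [], {}
    # 1. Every VLAN sub-interface must hang off a defined aggregate; record its tag.
    for name, cfg in fg.items():
        if "interface" not in cfg:
            continue
        parent = cfg["interface"][0]
        if fg.get(parent, {}).get("type") != ["aggregate"]:
            findings.append(f"FortiGate '{name}': parent '{parent}' is not a defined aggregate")
        tags.setdefault(parent, set()).add(int(cfg["vlanid"][0]))
    # 2. The tags on each aggregate must equal what the switch trunks to it.
    for po, agg in bundle_map.items():
        want, have = sw.get(po, {}).get("allowed", set()), tags.get(agg, set())
        if want != have:
            findings.append(f"{po} trunks {sorted(want)} but FortiGate '{agg}' tags {sorted(have)}")
    # 3. Access ports must land in a VLAN the firewall terminates, and every
    #    VLAN trunked to the firewall should actually have ports in it.
    terminated = set().union(*tags.values())
    in_use = {c["access_vlan"] for c in sw.values() if c.get("mode") == "access"}
    for port, cfg in sw.items():
        if cfg.get("mode") == "access" and cfg["access_vlan"] not in terminated:
            findings.append(f"{port}: VLAN {cfg['access_vlan']} is not terminated on the FortiGate")
    for vid in sorted(terminated - in_use):
        findings.append(f"VLAN {vid} is tagged toward the FortiGate but no access port uses it")
    return findings


if __name__ == "__main__":
    for finding in audit(CISCO_CONFIG, FORTI_CONFIG, BUNDLE_MAP) or ["no findings"]:
        print(finding)
```

Run as-is it prints three findings: the undefined "wan_aggregate" parent, Port-channel1 trunking VLAN 10 toward an aggregate that tags nothing, and VLAN 40 trunked to the firewall with no access port in it (the IOT range is sitting in VLAN 20). Correct the two seeded slips and the list comes back empty. Point it at a real "show running-config" and "show full-configuration" dump by swapping the two constants; the LACP member check the plan also needs (member ports carrying the same trunk settings as their Port-channel) is the obvious next thing to add in audit().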
[#12]
Originally Posted By ssteph:
"I'd recommend using a separate VDOM for your home stuff, and then create additional VDOMs for lab interactivity. You can route between VDOMs easily using dynamic routing protocols to save headache/time with intervdom links. Good luck!"

Good stuff, thanks. And this is entirely on the lab side; the actual wife-side internet is quietly served by a Netgear Orbi mesh. Boring and reliable.
God's children are not for sale.
[#13]
Originally Posted By MMcCall:
"Good stuff, thanks. And this is entirely on the lab side; the actual wife-side internet is quietly served by a Netgear Orbi mesh. Boring and reliable."

I actually advocate for pushing the wife/family onto your enterprise-lite grade deployment there, if only for the additional pressure that it provides to "Get it right -- the first time, every time." Somehow, my wife knows exactly when I'll be doing any kind of maintenance -- firmware updates, some topology shifts, whatever -- and just when I think I'm (self) cleared hot to proceed: "Honey, is the internet down?" "You gotta be kidding me... you were out in the back yard in the garden watering, and somehow you chose right now to use your laptop?"

I should hire her as NOC personnel to monitor complex subsystems -- she could wake up from a dead sleep if the internet isn't working. No idea how she does it -- I have active monitoring in place for such events and she beats it every time.
[#14]
Originally Posted By ssteph:
"I actually advocate for pushing the wife/family onto your enterprise-lite grade deployment there, if only for the additional pressure that it provides to 'Get it right -- the first time, every time.'"

I see the logic, but I like having the ability to work on things as I have time, tear hardware apart, etc. and come back to it whenever. It's my project car, not her DD.
God's children are not for sale.
[#15]
True future-proofing would be using a single-mode fiber jumper between each device and using the modules called for by the manufacturer (or at least coded alternatives from a vendor such as FS). This way, when you update to hardware that supports 25G, 40G or 100G, you just swap out your transceivers. If you need to focus on minimizing latency (you really shouldn't run into this in a homelab-type environment), then you would want to run DACs specifically, but for most homelab-type applications the propagation difference between fiber and DAC is minimal.
"Have you heard of the Gospel according to NIMS?" - Some EMC...Probably
[#16]
Thanks for the line on fs.com. I've never heard of this company, but some of their products look very cool, and the price points are cool. Gonna do some more research on their lineup.
[#17]
Originally Posted By ezli:
"Thanks for the line on fs.com. I've never heard of this company, but some of their products look very cool, and the price points are cool. Gonna do some more research on their lineup."

Besides them, I am also a big fan of Infinite Cables. They are also very price competitive. Almost all of my Cat 6 cables have come from them. Their slim patch cables are also very nice for rack use.

Edit - Also, with Infinite Cables the length does not include the plug. I got some Monoprice 6" slim patch cables and was surprised they really mean 6" including the plugs. 6" between the plugs is what Infinite does, and it allows a little more versatility going between something like a switch and patch panel.
I'm not the one REEING, motherfucker! -FCSD2162
Copyright © 1996-2024 AR15.COM LLC. All Rights Reserved.