The trouble with RJ-45 physical ports is that just from looking at them it’s hard to see any difference between them. Compare two Ethernet ports on any network device. Without knowing the specs of the device and of each interface in particular, can you tell which ones can handle 40GB of traffic and which ones top out at 10 MB? Chances are that not all of the Ethernet ports, despite their appearance, will have the same capabilities. Different ports can have different roles and therefore different requirements. Some may be designed for high levels of bandwidth, and be capable of transferring Gigabytes of traffic in a second. Others are designed for more limited traffic as they are only expected to communicate with one or two computers at a time. The Console and Management ports are examples of this.
It’s a practical reality of business that when building a device of any kind, a company will not incur the extra expense of installing a high performance component where that performance isn’t needed. This is why you don’t buy a Ferrari to use as a golf cart.
I will admit that there are some dedicated System Administrators that don’t use a device until they have practically memorized the hardware manual that comes with it, and these people can tell you all sorts of minutiae about every aspect of any device in their network. I’m not quite that dedicated to that particular aspect of the profession. Once I’m sure that the device is the applicable one for the task, I work on the assumption that the label associated with any given port will indicate its best use. It’s also easier to figure out which cables go where.
Whether you call it a rule of thumb or best practices, I find I’m usually safe if I make the following assumptions:
- Numbered ports are for high traffic connections. If the other end of the Ethernet cable is going to a network device or server these are the ports to use.
- DMZ ports are similar to numbered ports. The label is really there to differentiate the part of your network where the servers that are accessible from the Internet go from the LAN, which the Internet should not be able to access.
- WAN ports may or may not be as suitable for high levels of traffic, since the ISP link is often the limiting factor on how much traffic is likely to be going through them. You may or may not have noticed that the bigger enterprise class FortiGates, which are likely to be used where the ISP connections are capable of large amounts of bandwidth, tend not to have ports labeled WAN1 and WAN2, just numbered ports. It’s the smaller devices, designed for small and midsize offices and lower bandwidth ISPs, that have labels indicating which ports to use for the WAN connection.
- Ports labelled MGMT are for administrative connections. These ports are intended to be dedicated for use by System administrators. Even if you have a configuration that changes a lot, this is not going to require a lot of bandwidth. In fact, these ports are designed as endpoint nodes where there is normally no need for traffic coming into this port to go out another port. The only reason that they even show up in the Interface configuration is because the same security measures that are used to control pass through traffic can be used to limit access to just the System Administrators.
- CONSOLE ports are a whole different thing entirely and can’t be used for anything other than a console cable with an Ethernet connector, so don’t even try.
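The point about the MGMT port, that the same controls used on pass-through interfaces can confine it to administrators, is easy to see in configuration. The following FortiOS CLI fragment is an added example written for this post, not configuration taken from the Fortinet Cookbook itself. It assumes a model whose interfaces are named `mgmt`, `port1` and `port2`, an administrator account named `admin`, and an administrative subnet of 192.0.2.0/24 (a documentation range used here as a constructed value); `set dedicated-to management` is only accepted on models that support a dedicated management port, so that line is an assumption about the hardware.

```fortios
# Added example, not from the original post. Interface names, the admin
# account name and the 192.0.2.0/24 subnet are assumed / constructed values.

config system interface
    # Management port: administrative protocols only, no plaintext
    # services (http/telnet), and on supported models no pass-through
    # traffic at all.
    edit "mgmt"
        set allowaccess ping https ssh
        set dedicated-to management
        set role lan
    next
    # Numbered ports carry the real traffic; giving them a role makes the
    # intended use visible in the GUI and CLI rather than only on the label.
    edit "port1"
        set role wan
        set allowaccess ping
    next
    edit "port2"
        set role lan
        set allowaccess ping
    next
end

config system admin
    # Trusted hosts restrict where the admin account may log in from,
    # so even a reachable mgmt port only answers to the admin subnet.
    edit "admin"
        set trusthost1 192.0.2.0 255.255.255.0
    next
end
```

A quick check after applying it is `get system interface physical`, which lists each port with its role and allowed administrative access, so a numbered port that has quietly accumulated `https` or `ssh` in its `allowaccess` list stands out.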
It’s the old story of using the right tool for the right job. Use the different Ethernet ports in their intended roles and everything should run smoothly.
The post Not all Ethernet interfaces are equal appeared first on Fortinet Cookbook.