fortibey
New Member
November 3, 2017
Question

Network planning for multiple device types

  • November 3, 2017
  • 1 reply
  • 4668 views

Hello,

We are trying to create a device-type-based network addressing scheme for our network.

For example (limits may change):

  • 192.168.0.1 to 192.168.0.20: network equipment (FortiAPs, FortiGate, ...) *fixed IPs
  • 192.168.0.21 to 192.168.0.50: servers, cameras and so on *fixed IPs
  • 192.168.0.51 to 192.168.0.70: printers and so on *fixed IPs
  • 192.168.0.71 to 192.168.0.100: reserved (fixed-IP special-purpose computers) *fixed IPs
  • 192.168.0.101 to 192.168.0.254: computers / users, DHCP

We can use a DHCP range of 192.168.0.101 to 192.168.0.254, but is it possible to prevent devices from using other IP ranges like 192.168.0.51 to 192.168.0.70?


Several examples:

  • we want to limit access to a special printer;
  • we want to block access from the DHCP range to the IP cameras;
  • we want to be sure that no one is abusing DHCP, special IPs and so on.

What will be the correct method for dealing with these issues?

Thanks


Toshi_Esumi
SuperUser
November 3, 2017

The first idea that came to my mind is separating those by subnets instead of IP ranges, like 192.168.0.0/27, 192.168.0.32/27, ..., then assigning a VLAN to each and configuring them on the FG. Then connect at least one port to your switch, on which you need to configure a trunk port for the FG connection and VLAN access ports for the ones connected to the devices. I'm assuming you have a switch that is capable of this.

Then the rest is just a set of policies you need to configure to allow or deny access from one interface to another.
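As an added example (not part of the original thread), a small Python check of the /27 idea above against the ranges in the question: it shows which planned ranges straddle a /27 boundary, which subnets two device types would end up sharing, and the smallest prefix each device count needs. The device-type ranges are taken from the question; the function names and everything else are constructed here.

```python
import ipaddress

# Constructed from the device-type plan in the question (inclusive ranges).
PLAN = {
    "network equipment": ("192.168.0.1", "192.168.0.20"),
    "servers/cameras": ("192.168.0.21", "192.168.0.50"),
    "printers": ("192.168.0.51", "192.168.0.70"),
    "reserved": ("192.168.0.71", "192.168.0.100"),
    "dhcp users": ("192.168.0.101", "192.168.0.254"),
}


def covering_subnets(first, last, prefixlen=27):
    """Return the /prefixlen subnets that an inclusive address range touches."""
    lo = int(ipaddress.ip_address(first))
    hi = int(ipaddress.ip_address(last))
    size = 1 << (32 - prefixlen)          # 32 addresses per /27
    start = lo - (lo % size)              # round down to the subnet boundary
    return [ipaddress.ip_network((start + i * size, prefixlen))
            for i in range((hi - start) // size + 1)]


def shared_subnets(plan, prefixlen=27):
    """Map each subnet to the device types that would land in it.

    A subnet listed with more than one type cannot become a VLAN of its own,
    so a firewall policy between VLAN interfaces would not separate those types.
    """
    owners = {}
    for name, (first, last) in plan.items():
        for net in covering_subnets(first, last, prefixlen):
            owners.setdefault(str(net), []).append(name)
    return {net: names for net, names in owners.items() if len(names) > 1}


def smallest_prefix(host_count):
    """Smallest prefix length whose usable hosts (2^n - 2) fit host_count."""
    bits = 2
    while (1 << bits) - 2 < host_count:
        bits += 1
    return 32 - bits


if __name__ == "__main__":
    for name, (first, last) in PLAN.items():
        nets = ", ".join(str(n) for n in covering_subnets(first, last))
        print(f"{name:18s} {first}-{last} -> {nets}")
    print("shared:", shared_subnets(PLAN))
    print("dhcp pool of 154 hosts needs a /", smallest_prefix(154))
```

Run as a script, it shows four of the /27s shared by two device types, and smallest_prefix(154) shows the DHCP pool alone already needs a /24, so the subnet-per-type design needs either a larger aggregate than 192.168.0.0/24 or a smaller pool.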

fortibey (Author)
New Member
November 3, 2017

toshiesumi wrote:

The first idea that came to my mind is separating those by subnets instead of IP ranges, like 192.168.0.0/27, 192.168.0.32/27, ..., then assigning a VLAN to each and configuring them on the FG. Then connect at least one port to your switch, on which you need to configure a trunk port for the FG connection and VLAN access ports for the ones connected to the devices. I'm assuming you have a switch that is capable of this.

Then the rest is just a set of policies you need to configure to allow or deny access from one interface to another.

Thank you very much for the response.

The problem is, our switches are not smart (TP-Link SG1024), so as far as I know I cannot use VLANs.

Btw, we have 3 switches in our network with the same configuration.

The FortiGate is connected to only the first switch, via a single port.

Toshi_Esumi
SuperUser
November 3, 2017

If the switches are not capable of handling VLANs, regardless of how great/expensive your FW or router is, there is no way to block traffic between ports on the same switch, because they're in the same broadcast domain and there is no physical separation either.