Shiraz
New Member
January 26, 2021
Question

We have 12 departments and want to separate each department; I am using one VLAN, one network


Hi,

We are using a FortiGate 101E firewall and a Cisco switch with one VLAN, one network, 192.168.x.x.

I want to segregate each department, for example: one department's PCs/printers/laptops cannot communicate with another department's PCs/laptops/printers.

Is it possible to make this work?


    Fullmoon
    New Member
    January 26, 2021

    For me there are 2 possible options to achieve your target:

    1. Create VLANs on your Cisco switch, if it is capable, or

    2. Since the FGT 100E supports 200 interfaces, you can configure those ports as routed or independent ports and assign a different subnet to each interface. Firewall policy will then dictate outgoing traffic and, at the same time, port-to-port communication.

    sw2090
    SuperUser
    January 27, 2021

    If you do not want to or cannot create more VLANs and/or subnets, you can only use IP ranges. You would then have to make sure that the devices of each department stay in their range (e.g. DHCP reservations) and then use the range as the destination/target in policies to allow or not allow traffic as you want.

    However, I would recommend using more VLANs and subnets for this. Makes life easier ;)

    ede_pfau
    SuperUser
    January 28, 2021

    For a secure network, you cannot use IP ranges to segment a LAN. I'd just configure an 'interesting' IP statically on my device and grant myself privileges.

    VLANs can only communicate through routers. As long as I have no access to these, the VLAN keeps me limited.

    emnoc
    New Member
    January 28, 2021

    Yes, agreed.

    If you want communication and physical separation, do not use the Cisco router L3; span the VLANs to the FGT, let the default gateway be on the FGT and let the firewall control the traffic.

    Define your VLANs and networks and set policy for what and where you need traffic.

    e.g.

    config system interface
        edit "vlan1"
            set vdom "root"
            set device-identification enable
            set role lan
            set snmp-index 19
            set interface "port1"
            set vlanid 1
            set ip 10.10.1.1/24
        next
        edit "vlan2"
            set vdom "root"
            set device-identification enable
            set role lan
            set snmp-index 20
            set interface "port1"
            set vlanid 2
            set ip 10.10.2.1/24
        next
        edit "vlan3"
            set vdom "root"
            set device-identification enable
            set role lan
            set snmp-index 21
            set interface "port1"
            set vlanid 3
            set ip 10.10.3.1/24
        next
        and so on
    end

    address groups

    config firewall address
        edit "NET_10.10.1.0"
            set subnet 10.10.1.0/24
        next
        edit "NET_10.10.2.0"
            set subnet 10.10.2.0/24
        next
        edit "NET_10.10.3.0"
            set subnet 10.10.3.0/24
        next
        and so on
    end


    Then build policies.

    Ken Felix
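The policy step that the post above stops short of, written out as an added example. This is not configuration from the original thread or from Fortinet; the interface names ("port1" as the trunk towards the switch, "wan1" as the Internet uplink), the VLAN IDs 10 and 20, the 10.10.x.0/24 subnets, the object and policy names and the policy IDs are all assumptions, and a real deployment would repeat the per-department blocks for all 12 VLANs. Two things worth checking against the sketch above: a FortiGate VLAN sub-interface takes a host address (10.10.10.1/24), not the network address, and on a Cisco trunk VLAN 1 is the native VLAN and leaves the switch untagged by default, so giving departments IDs other than 1 avoids a tagging mismatch on the trunk (on the switch side the uplink port is an 802.1Q trunk allowing those VLAN IDs).

```fortios
config system interface
    edit "vlan10"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping
        set device-identification enable
        set role lan
        set interface "port1"
        set vlanid 10
    next
    edit "vlan20"
        set vdom "root"
        set ip 10.10.20.1 255.255.255.0
        set allowaccess ping
        set device-identification enable
        set role lan
        set interface "port1"
        set vlanid 20
    next
end

config system dhcp server
    edit 10
        set interface "vlan10"
        set default-gateway 10.10.10.1
        set netmask 255.255.255.0
        set dns-service default
        config ip-range
            edit 1
                set start-ip 10.10.10.100
                set end-ip 10.10.10.200
            next
        end
    next
end

config firewall address
    edit "NET_10.10.10.0"
        set subnet 10.10.10.0 255.255.255.0
    next
    edit "NET_10.10.20.0"
        set subnet 10.10.20.0 255.255.255.0
    next
end

config firewall addrgrp
    edit "GRP_DEPARTMENTS"
        set member "NET_10.10.10.0" "NET_10.10.20.0"
    next
end

config firewall policy
    edit 1
        set name "dept10-to-internet"
        set srcintf "vlan10"
        set dstintf "wan1"
        set srcaddr "NET_10.10.10.0"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic utm
    next
    edit 2
        set name "dept20-to-internet"
        set srcintf "vlan20"
        set dstintf "wan1"
        set srcaddr "NET_10.10.20.0"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic utm
    next
    edit 3
        set name "deny-inter-department"
        set srcintf "vlan10" "vlan20"
        set dstintf "vlan10" "vlan20"
        set srcaddr "GRP_DEPARTMENTS"
        set dstaddr "GRP_DEPARTMENTS"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

With the department gateways on the FortiGate, traffic between two VLANs has to cross the firewall, and FortiOS already drops anything no policy accepts (the implicit deny, policy 0). The explicit "deny-inter-department" policy therefore changes nothing about what gets through; it exists so that attempted cross-department connections are logged, which the implicit deny does not do by default. Policies are matched top down in the order shown, so if a department later needs an exception (a shared printer, say), that accept policy has to be placed above the deny, and a DHCP server like the one on vlan10 should be created per VLAN so that clients land in the right subnet without manual addressing.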