Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
aoakley
New Contributor

Assistance in moving to new network topology

Hi Fortinet Community!,

 

I have a client whose network I managed from overseas. We are undertaking a restructuring of the current network design to increase scalability and security for the future. I have not had any experience configuring this using Fortinet ecosystem, so I had some questions (bottom of post) for the community about my configuration/process. 

 

Current Fortinet topology

 

1x Fortigate 60F (7.0.3)

4x Fortiswitch 124E (7.0.1) (stacked)

1x Unmanaged POE switch 

 

Current Network topology: Everything resides on a 10.0.0.0/24

 

New Network Configuration

 

Fortigate Internal Network (VLAN 1) - ???

VLAN 10 = Static (Servers[vSphere]/Printers/Network Devices)- 10.0.0.0/24

VLAN 20 = VOIP  - 10.0.1.0/24

VLAN 30 = Internal Devices (Computers/Laptops/Cell/Wifi) - 10.1.0.0/22

VLAN 40 = Guest Wifi - 10.2.0.0/22

 

VLAN 10,20,30 to allow inter-vlan routing

VLAN 40 - Int access only

 

 

Questions to the community:

  1. Not sure how to deal with moving the current ‘internal’ fortigate network of 10.0.0.0/24 to VLAN 10. I see 2 scenarios:
    1. Move all static devices over to a new network for VLAN 10 (Change all IPs). Leave 60F as only device on internal network  (10.0.0.0/24)
    2. Leave all static devices on internal network (i.e. forget about VLAN 10)  and just setup policies accordingly. Are there downsides to this? Best practices etc?
  2. How do I ensure I do not loose connectivity to Fortigate from overseas.
    1. WAN setup is not changing, so I should be able to access via external ip at all times

 

Network Change-Over Plan

  1. Configure VLANS using FortiSwitch VLAN management on Fortigate
  2. Assign VLANS as ‘Native VLAN’ to respective ports
    1. Create trunk to vSphere ports (except VLAN 40)
    2. Tag VLAN 20 to unmanaged POE switch 
    3. Tag VLAN 10 (if used) for printer ports
    4. Tag VLAN 30 for WAP ports
  3. Create policies to allow inter-vlan routing
  4. Setup DHCP relay for VOIP and Internal Devices on VLAN interface pointing new DHCP scope on windows.
    1. Configure WAPs with new INT and Guest networks
    2. Reboot Phones and PCs to make sure they are getting new IPs
  5. Test routing between networks and enterprise services (email/web services etc)
1 REPLY 1
AlexC-FTNT
Staff
Staff

I don't think it's  a matter of best practices, more a matter of choice - if you want to move the devices assigned static IPs or not. From a security perspective, it would be better to isolate them in their corresponding VLAN.

And as long as you don't change settings on the WAN interface (your access interface) access from WAN should not be cut.


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
Labels
Top Kudoed Authors