Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
d3xmeister1
New Contributor

Created on ‎03-14-2025 09:10 AM

How to configure and use diferent vlan's and have them not communicating with each other ?

Hi, I have a simple setup right now, with a Fortigate 600E on Floor 2, and a Cisco SG350 10G besides this, and I also have another Cisco SG350 10G on Floor 1. Each floor also have a storage server.

Workstations from Floor 1 and Floor 2 are connected to the respective floor Cisco swich, and the Fortigate has X1 interface for internet in, and x2 interface to connect to the Floor 2 switch. The Fortigate is the router and dhcp server.

 

But now the bosses want Floor 1 and Floor 2 to be completely separate, and only share the x1 internet connection (which should be also be filtered to only allow certain internet destinations) but worksations from Floor 1 cannot "see" workstations from Floor 2, and viceversa.

 

Can you guide me how to setup something like that, preferably from the GUI of the Fortigate 600E ?

I assume I will setup different VLAN's on each switch, with Trunk configured to communicate between them, but then what should I setup on the Fortigate ?

 

Thank you 

Labels:
98
0 Kudos
3 REPLIES 3
d3xmeister1
New Contributor

Created on ‎03-14-2025 09:14 AM

More about the internet, one Floor should have restricted internet, as in only allow the use of webmail on a webmail address but nothing else, while the other Floor should have no such restrictions for internet

93
0 Kudos
AEK
SuperUser
SuperUser

Created on ‎03-15-2025 04:37 AM

Hi

In your case, as the hosts are grouped in floors, I think the quickest and simplest solution is to connect each Cisco switch to a different port of the FortiGate.

Then create 2 firewall rules as follow:

Rule 1 (restricted):

  • Source intf: portX
  • Dest intf: WAN
  • Source: All
  • Dest: IP or FQDN address object that identifies your Webmail location
  • Service: HTTP, HTTPS
  • Security profiles: Use defaults

Rule 2 (unrestricted):

  • Source intf: portY
  • Dest intf: WAN
  • Source: All
  • Dest: All
  • Service: All
  • Security profiles: Use defaults

Hope it helps.

AEK
AEK
52
0 Kudos
Toshi_Esumi
SuperUser
SuperUser

Created on ‎03-15-2025 12:30 PM

If those SG350s are configured as just L2 switches, it's very simple.
1. Draw a diagram to have the connection from FGT to F2 SW, from F2 SW to F1 SW, then add both VLAN paths from the FGT to F2 SW as well as FGT to F1 SW via F2 SW.
2. configure two VLAN sub-interfaces on the physical interface of FGT-F2 SW at the FGT, with two different subnets.
3. configure F2 SW to "pass" the F1 SW VLAN from the port from FGT and the port to F1 SW, in addition to accepting the F2 SW VLAN
4. configure F1 SW port connected to F2 SW to accept the VLAN coming in.
5. configure proper sets of policies for F1-VLAN -> X1 and F2-VLAN -> X1 independently. 

As long as switches are L2 switch, they wouldn't be able to talk each others without coming through the FGT so if you don't create a policy for that at the FGT, they're never able to talk.
Once you drew the diagram, the steps above would become very obvious.

Toshi

26
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.