How to configure and use different VLANs and have them not communicating with each other?
Hi, I have a simple setup right now, with a Fortigate 600E on Floor 2, and a Cisco SG350 10G beside this, and I also have another Cisco SG350 10G on Floor 1. Each floor also has a storage server.
Workstations from Floor 1 and Floor 2 are connected to the respective floor Cisco switch, and the Fortigate has the X1 interface for internet in, and the x2 interface to connect to the Floor 2 switch. The Fortigate is the router and DHCP server.
But now the bosses want Floor 1 and Floor 2 to be completely separate, and only share the x1 internet connection (which should also be filtered to only allow certain internet destinations), but workstations from Floor 1 cannot "see" workstations from Floor 2, and vice versa.
Can you guide me on how to set up something like that, preferably from the GUI of the Fortigate 600E?
I assume I will set up different VLANs on each switch, with a trunk configured to communicate between them, but then what should I set up on the Fortigate?
Thank you
More about the internet: one Floor should have restricted internet, as in only allow the use of webmail on a webmail address but nothing else, while the other Floor should have no such restrictions for internet.
Hi
In your case, as the hosts are grouped in floors, I think the quickest and simplest solution is to connect each Cisco switch to a different port of the FortiGate.
Then create 2 firewall rules as follows:
Rule 1 (restricted):
- Source intf: portX
- Dest intf: WAN
- Source: All
- Dest: IP or FQDN address object that identifies your Webmail location
- Service: HTTP, HTTPS
- Security profiles: Use defaults
Rule 2 (unrestricted):
- Source intf: portY
- Dest intf: WAN
- Source: All
- Dest: All
- Service: All
- Security profiles: Use defaults
Hope it helps.
If those SG350s are configured as just L2 switches, it's very simple.
1. Draw a diagram to have the connection from FGT to F2 SW, from F2 SW to F1 SW, then add both VLAN paths from the FGT to F2 SW as well as FGT to F1 SW via F2 SW.
2. configure two VLAN sub-interfaces on the physical interface of FGT-F2 SW at the FGT, with two different subnets.
3. configure F2 SW to "pass" the F1 SW VLAN between the port from FGT and the port to F1 SW, in addition to accepting the F2 SW VLAN.
4. configure F1 SW port connected to F2 SW to accept the VLAN coming in.
5. configure proper sets of policies for F1-VLAN -> X1 and F2-VLAN -> X1 independently.
As long as the switches are L2 switches, they wouldn't be able to talk to each other without coming through the FGT, so if you don't create a policy for that at the FGT, they're never able to talk.
Once you've drawn the diagram, the steps above would become very obvious.
Toshi
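As an added worked example (not posted by anyone in this thread), here is the FortiOS CLI equivalent of steps 2 and 5 above for a 600E: two VLAN sub-interfaces on x2, a FQDN address object for the webmail host, and one outbound policy per floor. The VLAN IDs 10/20, the subnets 10.1.0.0/24 and 10.2.0.0/24, the object name "webmail-fqdn" and the host "webmail.example.com" are assumed values; x1 and x2 are the interface names from the question.

```fortios
# Assumed: x1 = internet (WAN), x2 = trunk to the Floor 2 SG350.
# Step 2: one VLAN sub-interface per floor on x2, different subnets.
config system interface
    edit "floor1-vlan"
        set vdom "root"
        set ip 10.1.0.1 255.255.255.0
        set allowaccess ping
        set interface "x2"
        set vlanid 10
    next
    edit "floor2-vlan"
        set vdom "root"
        set ip 10.2.0.1 255.255.255.0
        set allowaccess ping
        set interface "x2"
        set vlanid 20
    next
end
# Address object for the restricted floor's only permitted destination.
config firewall address
    edit "webmail-fqdn"
        set type fqdn
        set fqdn "webmail.example.com"
    next
end
# Step 5: independent policy per VLAN towards x1 ("edit 0" = next free ID).
config firewall policy
    edit 0
        set name "floor1-webmail-only"
        set srcintf "floor1-vlan"
        set dstintf "x1"
        set srcaddr "all"
        set dstaddr "webmail-fqdn"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set nat enable
    next
    edit 0
        set name "floor2-unrestricted"
        set srcintf "floor2-vlan"
        set dstintf "x1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

No policy has floor1-vlan and floor2-vlan as source/destination pair, so the FortiGate's implicit deny drops all inter-floor traffic; verify with the policy hit counters or a packet sniff on the two sub-interfaces. The switch side still needs VLAN 10 carried as tagged across the x2 uplink and the inter-switch link, and as the access VLAN on Floor 1's workstation ports.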
