How to configure and use different VLANs and have them not communicate with each other?
Hi, I have a simple setup right now, with a Fortigate 600E on Floor 2 and a Cisco SG350 10G beside it, and I also have another Cisco SG350 10G on Floor 1. Each floor also has a storage server.
Workstations from Floor 1 and Floor 2 are connected to the respective floor's Cisco switch, and the Fortigate has the X1 interface for internet in and the X2 interface to connect to the Floor 2 switch. The Fortigate is the router and DHCP server.
But now the bosses want Floor 1 and Floor 2 to be completely separate and only share the X1 internet connection (which should also be filtered to only allow certain internet destinations), but workstations from Floor 1 cannot "see" workstations from Floor 2, and vice versa.
Can you guide me on how to set up something like that, preferably from the GUI of the Fortigate 600E?
I assume I will set up different VLANs on each switch, with a trunk configured to communicate between them, but then what should I set up on the Fortigate?
Thank you
Labels: VLAN
More about the internet: one floor should have restricted internet, as in only allow the use of webmail on a webmail address but nothing else, while the other floor should have no such restrictions for internet.
Hi,
In your case, as the hosts are grouped by floor, I think the quickest and simplest solution is to connect each Cisco switch to a different port of the FortiGate.
Then create 2 firewall rules as follows:
Rule 1 (restricted):
- Source intf: portX
- Dest intf: WAN
- Source: All
- Dest: IP or FQDN address object that identifies your Webmail location
- Service: HTTP, HTTPS
- Security profiles: Use defaults
Rule 2 (unrestricted):
- Source intf: portY
- Dest intf: WAN
- Source: All
- Dest: All
- Service: All
- Security profiles: Use defaults
Hope it helps.
If those SG350s are configured as just L2 switches, it's very simple.
1. Draw a diagram showing the connection from the FGT to F2 SW and from F2 SW to F1 SW, then add both VLAN paths: from the FGT to F2 SW, and from the FGT to F1 SW via F2 SW.
2. Configure two VLAN sub-interfaces on the physical interface of the FGT-to-F2 SW link at the FGT, with two different subnets.
3. Configure F2 SW to "pass" the F1 SW VLAN between the port from the FGT and the port to F1 SW, in addition to accepting the F2 SW VLAN.
4. Configure the F1 SW port connected to F2 SW to accept the VLAN coming in.
5. Configure proper sets of policies for F1-VLAN -> X1 and F2-VLAN -> X1 independently.
As long as the switches are L2 switches, they wouldn't be able to talk to each other without going through the FGT, so if you don't create a policy for that at the FGT, they're never able to talk.
Once you draw the diagram, the steps above become very obvious.
Toshi
I should have mentioned that the Floor 2 switch is connected to the Floor 1 switch and cannot physically be connected directly into the FGT.
So AEK's solution won't work.
Toshi_Esumi, these are just L2 switches; I will try to configure what you described and report back whether it works.
Thank you
Here is how to configure VLANs on the FortiGate 600E and Cisco SG350 switches to keep the floors separate.
Step 1: Define VLANs on FortiGate 600E
Since the FortiGate is the router and DHCP server, VLAN interfaces need to be configured.
1. Log in to the FortiGate GUI.
2. Go to Network > Interfaces.
3. Click Create New > Interface.
4. Configure the VLAN for Floor 1:
- Name: VLAN Floor1
- Interface: X2 (or the interface connecting to the Floor 2 switch)
- Type: VLAN
- VLAN ID: 10 (example)
- IP/Netmask: 192.168.10.1/24
- DHCP Server: Enable
- DHCP Range: 192.168.10.10 to 192.168.10.200
- DNS: Use FortiGate, or specify a preferred DNS
5. Click OK.
6. Repeat the steps for the Floor 2 VLAN:
- Name: VLAN Floor2
- Interface: X2
- Type: VLAN
- VLAN ID: 20
- IP/Netmask: 192.168.20.1/24
- DHCP Server: Enable
- DHCP Range: 192.168.20.10 to 192.168.20.200
7. Click OK.
Step 2: Configure VLANs on Cisco SG350 Switches
Each floor has its own Cisco SG350 switch; VLANs must be assigned and trunk ports configured.
1. Log in to the Cisco SG350 switch web GUI for Floor 1.
2. Go to VLAN Management > VLAN Settings.
3. Click Add and create:
- VLAN ID: 10
- Name: Floor1
4. Click Apply.
5. Repeat the process on the Floor 2 switch:
- VLAN ID: 20
- Name: Floor2
Step 2 (continued): Assign VLANs to Ports
1. Go to VLAN Management > Port to VLAN.
2. Assign workstation ports to Access mode:
- Floor 1 workstation ports: VLAN 10, Access
- Floor 2 workstation ports: VLAN 20, Access
3. Assign the uplink port to FortiGate X2 as Trunk mode:
- Port connected to FortiGate: Trunk
- Allowed VLANs: 10 and 20
4. Connect the two Cisco SG350 switches together:
- Choose one uplink port on each switch
- Set it as a trunk port carrying VLANs 10 and 20
- Enable tagged VLANs 10 and 20 on this port
Step 3: Configure Firewall Rules on FortiGate
To block communication between VLANs but allow internet access, firewall policies need to be created.
1. Go to Policy & Objects > IPv4 Policy.
2. Click Create New.
Step 3 (a): Block Inter-VLAN Communication
1. Name: Block Floor1 to Floor2
2. Incoming Interface: VLAN Floor1
3. Outgoing Interface: VLAN Floor2
4. Source: All
5. Destination: All
6. Action: Deny
7. Click OK.
8. Repeat the same rule with the incoming and outgoing interfaces swapped.
Step 3 (b): Allow Internet Access for VLANs
1. Name: Allow Floor1 Internet
2. Incoming Interface: VLAN Floor1
3. Outgoing Interface: WAN (X1)
4. Source: All
5. Destination: All
6. Action: Accept
7. Enable NAT.
8. Click OK.
9. Repeat the rule for VLAN Floor2.
Step 4: Apply Web Filtering and Internet Restrictions
If internet access needs to be restricted to specific websites, web filtering can be used.
1. Go to Security Profiles > Web Filter.
2. Create a new profile:
- Enable Web Filtering
- Block specific categories or URLs
- Click Apply
3. Go to Policy & Objects > IPv4 Policy.
4. Edit the Allow Floor1 Internet rule:
- Enable Web Filter and select the created profile
- Click OK
5. Repeat for the Allow Floor2 Internet rule.
Final Setup Overview
- VLANs are configured separately on the FortiGate and the Cisco SG350 switches.
- Trunk ports are used to pass VLANs between the FortiGate and the switches.
- Firewall rules prevent the VLANs from communicating while allowing internet access.
- Web filtering is applied to restrict access to certain websites.
Testing
Check that the VLANs are isolated:
- Try to ping a workstation on VLAN 10 from VLAN 20.
- The ping should fail.
Check internet access:
- Workstations should reach the internet but be subject to the filtering rules.
Verify VLAN assignments:
- Run show vlan on the Cisco SG350 to confirm the VLAN configuration.
Conclusion
- VLAN 10 and VLAN 20 cannot communicate with each other.
- Both VLANs share the same internet connection.
- Internet access is filtered based on policies.
Let me know if adjustments are needed.
