Hello everybody,
Currently I have a plan to segment the network and would like to get some guidance on a few things.
Currently we have the following VLANs:
Now in the Clients VLAN we have the following devices: Workstations, Notebooks, Printers, IoT
The plan is the following:
Now the question is the following:
As I already know, I can't create new VLANs until I reduce the original VLAN_Clients from /16 to /22.
Can this cause problems, since the printers already have static IP addresses in the original /16 network (10.10.255.x)?
Also I would need to create new policies, address objects, etc.
Static routes from the other location to this one can stay the same since it's 10.10.0.0/16 and the router will always hit it.
Any advice is helpful.
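The two questions in the post (does shrinking the /16 to a /22 leave the statically addressed printers outside the client VLAN, and what else has to change on those devices) can be checked before the maintenance window with a short script. This is an added example, not part of the thread or of any poster's setup; the 10.10.0.0/16 and /22 client ranges and the 10.10.255.x printer addresses come from the post, while the VLAN names, the 10.10.8.0/22 IoT range and the host entries are constructed sample values.

```python
import ipaddress

# Constructed values following the thread: the client VLAN is 10.10.0.0/16
# today, the plan is to shrink it to /22 and carve further VLANs out of the
# freed space, and the printers keep static addresses in 10.10.255.x.
OLD_CLIENT_NET = ipaddress.ip_network("10.10.0.0/16")
NEW_CLIENT_NET = ipaddress.ip_network("10.10.0.0/22")

# Planned VLAN layout after the change (hypothetical names and ranges,
# except for the /22 client range and the 10.10.255.0/24 printer range).
PLANNED_VLANS = {
    "VLAN_Clients": NEW_CLIENT_NET,
    "VLAN_Printers": ipaddress.ip_network("10.10.255.0/24"),
    "VLAN_IoT": ipaddress.ip_network("10.10.8.0/22"),
}

# Statically configured hosts as "address/prefix" (constructed samples).
# The prefix is the mask the device is configured with *today*.
STATIC_HOSTS = {
    "printer-01": "10.10.255.10/16",
    "printer-02": "10.10.255.11/16",
    "ws-static": "10.10.1.50/16",
}


def hosts_outside(net, hosts):
    """Names of static hosts whose address is not inside `net`.

    Once the client VLAN becomes 10.10.0.0/22 these hosts are no longer
    part of it, even though they were part of the old /16."""
    return sorted(name for name, addr in hosts.items()
                  if ipaddress.ip_interface(addr).ip not in net)


def home_vlan(ip, vlans):
    """Name of the planned VLAN whose range contains `ip`, or None."""
    for name, net in vlans.items():
        if ip in net:
            return name
    return None


def stale_mask_conflicts(hosts, vlans):
    """For every static host, the planned VLANs that its *current* mask
    still treats as directly connected.

    A printer configured as 10.10.255.10/16 believes all of 10.10.0.0/16 is
    on-link, so it will ARP for 10.10.1.50 instead of sending the packet to
    its gateway. Such hosts must be re-masked during the cut-over."""
    conflicts = {}
    for name, addr in hosts.items():
        iface = ipaddress.ip_interface(addr)
        home = home_vlan(iface.ip, vlans)
        conflicts[name] = sorted(
            vname for vname, net in vlans.items()
            if vname != home and net.overlaps(iface.network))
    return conflicts


def renumbering_plan(hosts, vlans):
    """Address/prefix each static host should carry after the change: the
    same address with the prefix length of its new home VLAN."""
    plan = {}
    for name, addr in hosts.items():
        iface = ipaddress.ip_interface(addr)
        home = home_vlan(iface.ip, vlans)
        if home is None:
            plan[name] = None  # not covered by any planned VLAN: needs a decision
        else:
            plan[name] = f"{iface.ip}/{vlans[home].prefixlen}"
    return plan


if __name__ == "__main__":
    print("Hosts that leave the client VLAN:",
          hosts_outside(NEW_CLIENT_NET, STATIC_HOSTS))
    for host, names in stale_mask_conflicts(STATIC_HOSTS, PLANNED_VLANS).items():
        print(f"{host}: stale mask still covers {names}")
    for host, new_addr in renumbering_plan(STATIC_HOSTS, PLANNED_VLANS).items():
        print(f"{host}: reconfigure as {new_addr}")
```

Running it against a real inventory export (one "address/prefix" entry per static device) gives the two lists that belong in the action plan: which devices fall out of the client VLAN, and which ones still need their mask changed even though their address stays the same.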
Hello
You may proceed as follows:
Hello @AEK ,
Thank you, I thought to go in similar path.
Only difference is that I have 2 Core switches in MC-LAG and 3 Access Switches. So I will not connect each VLAN directly to the FortiGate Interface.
They will be connected to the Access Switches and I will just change the VLAN for the required switch port for each device.
The only pain is to go through all the network cables and check what is connected where. Hopefully we already have a nice plan for that.
The only thing I'm not sure about is whether I can create VLANs without setting an IP address, or whether I can set some dummy IP address just so that I can create policies, etc.
Hello
Yes you need to check every switch port.
When you create the VLANs you can leave it without IP or you can use dummy IP. Maybe using dummy IP is a bit better.
In all cases you need to write a good and detailed action plan and rollback plan.
This will happen in the upcoming weekend so I have time to get as detailed as I can.
Already created Excel sheets with the new policies for each VLAN.
And prepared a doc with the steps which I need to take.
Thank you for the help
Hi @Infotech22,
We have the following segmentation in place, all in 10.n.n.n ranges.
Site, Service (VLAN).
Logically, that translates to IP ranges: 10.[SITEID].[VLAN].0/subnet
So you can make sites like:
0: Hosting1
1: Hosting 2
11: Site1
12: Site2
etc..
VLANs like:
10-19: HighTrusted internal services (Domain joined stuff, etc)
20-29: LowTrusted internal devices (IoT, Printers, CCTV,... )
30-39: VoIP stuff
40-49: Low trust external stuff (CTS etc)
xx: In-Band management of network devices (switches, UPS,
xxx: IPTV Multicast stream (if used)
Defining trust zones makes it easy to group VLANs and handle them in interface zones and policies.
You then get IPs like:
10.0.10.xxx: Servers in hosting..
10.11.10.xx: Trusted devices on site 1
10.12.31.xx: VoIP devices on site 2
Even if you only have one site now, if you suddenly need a new site, you have the logic in place.
And - trust me - looking at logs and Analyzer data makes it soooo easy to spot where the traffic comes from and to.
Tip1: If you need ranges larger than /24, don't use the next VLAN, since that VLAN's IPs will be part of the former /23 VLAN's range.
Tip2: Don't use 192.168.n.n ranges for VLANs you'd like to route internally, since many ISPs use those for people's home networks.
You can use those ranges for guest-related wifi, if needed. We use that for non-site-specific hospitality wifi networks.
Hope it helps,
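The 10.[SITEID].[VLAN].0 scheme and the two tips above are easy to turn into a planning check. This is an added example, not code from the poster or from Fortinet; the site IDs, trust-zone decades and the 10.12.31.x VoIP address follow the post, while the VLAN names, the prefix lengths and the two sample VLAN tables are constructed. It builds the address plan for every site, flags the Tip1 trap (a /23 on VLAN 10 silently covers VLAN 11's range), and maps a logged address back to site, VLAN and zone using the longest matching prefix.

```python
import ipaddress
from collections import namedtuple

# Trust zones keyed by VLAN-ID decade, as described in the post.
ZONES = {
    range(10, 20): "HighTrusted",
    range(20, 30): "LowTrusted",
    range(30, 40): "VoIP",
    range(40, 50): "LowTrustExternal",
}

Entry = namedtuple("Entry", "site vlan_id name zone network")


def zone_for(vlan_id):
    """Trust zone of a VLAN ID, derived from its decade."""
    for ids, zone in ZONES.items():
        if vlan_id in ids:
            return zone
    return "Unassigned"


def vlan_network(site_id, vlan_id, prefix=24):
    """10.[SITEID].[VLAN].0/prefix.  Because the third octet *is* the VLAN
    ID, any prefix shorter than /24 also covers the following VLAN ID(s),
    which is the trap Tip1 warns about.  A /23 must start on an even VLAN
    ID; ip_network() raises ValueError otherwise (host bits set)."""
    if not (0 <= site_id <= 255 and 0 <= vlan_id <= 255):
        raise ValueError("site and VLAN ids must each fit in one octet")
    return ipaddress.ip_network(f"10.{site_id}.{vlan_id}.0/{prefix}")


def build_plan(sites, vlans):
    """sites: {site_id: site_name}; vlans: {vlan_id: (vlan_name, prefix)}."""
    return [Entry(sname, vid, vname, zone_for(vid), vlan_network(sid, vid, prefix))
            for sid, sname in sites.items()
            for vid, (vname, prefix) in vlans.items()]


def overlaps(plan):
    """Pairs of plan entries whose ranges overlap (Tip1 violations)."""
    return [((a.site, a.vlan_id), (b.site, b.vlan_id))
            for i, a in enumerate(plan)
            for b in plan[i + 1:]
            if a.network.overlaps(b.network)]


def locate(ip, plan):
    """(site, VLAN name, zone) for an address seen in a log line, using the
    longest matching prefix; None if the address is outside the plan."""
    addr = ipaddress.ip_address(ip)
    matches = [e for e in plan if addr in e.network]
    if not matches:
        return None
    best = max(matches, key=lambda e: e.network.prefixlen)
    return (best.site, best.name, best.zone)


# Constructed sample plan: site and VLAN IDs follow the post's scheme.
SITES = {0: "Hosting1", 11: "Site1", 12: "Site2"}
# Servers need a /23, and VLAN 11 is used for the next range: Tip1 violated.
VLANS_BAD = {10: ("Servers", 23), 11: ("Workstations", 24),
             20: ("IoT", 24), 31: ("Phones", 24)}
# Tip1 applied: the /23 on VLAN 10 consumes the 11 slot, so skip to 12.
VLANS_OK = {10: ("Servers", 23), 12: ("Workstations", 24),
            20: ("IoT", 24), 31: ("Phones", 24)}

if __name__ == "__main__":
    for label, vlans in (("bad", VLANS_BAD), ("ok", VLANS_OK)):
        print(label, "overlaps:", overlaps(build_plan(SITES, vlans)))
    print(locate("10.12.31.40", build_plan(SITES, VLANS_OK)))
```

`locate()` is the log-reading benefit the post describes: feed it a source or destination address from FortiAnalyzer output and it returns which site, VLAN and trust zone the traffic belongs to, without consulting a spreadsheet.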
Hello @Jakob-AHHG,
Thank you for a comprehensive answer.
We have multiple sites and have something similar but not as granular as you guys do.
For us we have .10, .20, .30 and .40 for the locations we have.
Example:
1. 10.(10).0.0/16 is for Austria
2. 10.(20).0.0/16 is for Serbia etc..
It's the same for the Servers VLAN
Now I did some subnetting and will follow the same principle for VLANs for all our sites.
Example: 10.10.255.0/24 are printers in Vienna. 10.20.255.0/24 will be printers in Serbia..
At the moment we have 192.168.10(.20).0/24 for the Servers and we didn't experience any routing problems
That also sounds fine.
If you have FortiGates on all sites, with SD-WAN VPN (or the like) routing between sites, you have easy routing with BGP between sites.
We do that, but most sites are on direct-connected fibre (no VPN), only BGP between FG's.
Regarding 192.168.n.n: If you do find it in the future, make a new VLAN in hosting and migrate to the new range. As long as clients point to hostnames, it's easy(er) to change IP ranges.. ;)
192.168.0.0-192.168.2.0 ranges are often used by ISPs.
Hello,
As we understand it, you already have working VLAN subnets which need to be modified.
The best way is to create the VLAN but not assign an IP for the moment (put an unused dummy IP).
However, as you mentioned, you already have static addresses on the printers and other devices.
For those devices it would require downtime, as they are already set up with a particular subnet mask.
Also you need to check your static bindings, so it's better to do it during downtime.
Thank you.
Regards,
Prince
Hello @princes,
Yes, already have working VLANs. For the printers we will do it in non-working hours.
Luckily weekends are non-working days so we have all the time we need :)