Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Infotech22
Contributor

Network Segmentation - VLAN Plan

Hello everybody,

Currently I have a plan to segment the network and would like to get some guides for few things. 

Currently we have following VLANs:

  • VLAN_Clients = 10.10.0.0/16
  • VLAN_Servers = 192.168.10.0/24

Now in Clients VLAN we have following devices: Workstations, Notebooks, Printers, IoT

The plan is the following:

  • Reduce the Clients VLAN (Workstations, Notebooks) to 10.10.0.0/22
  • Create new VLANs for Printers, IoT
    • Printers - 10.10.255.0/24
    • IoT - 10.10.10.0/24

 

Now the question is the following:

  • How to do the change as smooth as possible?

As I already know I can't create new VLANs until I reduce the original VLAN_Clients from /16 to /22.

Can this make the problems since Printers already have static IP address in original /16 network with 10.10.255.x ?

Also I would need to create new policies, address object etc.

Static routes from other location to this can stay the same since its a 10.10.0.0/16 and then the router will always hit it.

Any advice is helpful. 

 

10 REPLIES 10
AEK
Honored Contributor II

Hello

You may proceed as follows:

  • Prepare the interfaces and SSIDs at firewall level, without setting IP at the moment 
  • Prepare the firewall policies for the new segments
  • Schedule a 1h downtime
  • Change the FG interface of client VLAN from /16 to /22
  • Change it's DHCP range
  • Run DHCP refresh on all your clients so they change their mask to /22
  • Configure IP on the FG interfaces of IoT and printers
  • Move IoT and printers to the new VLAN and/or SSID
  • Perform all validation tests (ping, print, ...etc)
  • Rollback in case of failure
AEK
AEK
Infotech22

Hello @AEK ,

Thank you, I thought to go in similar path.

Only difference is that I have 2 Core switches in MC-LAG and 3 Access Switches. So I will not connect each VLAN directly to the FortiGate Interface.
They will be connected to the Access Switches and I will just change the VLAN for the required switch port for each device.

Only pain is to go trough all network cables and check what is connected where. Hopefully we already have a nice plan for that. 

I'm not sure only if I can create VLANs without setting the IP address. Or I can set some dummy IP address just so that I can create policies etc.

AEK
Honored Contributor II

Hello

Yes you need to check every switch port.

When you create the VLANs you can leave it without IP or you can use dummy IP. Maybe using dummy IP is a bit better.

In all cases you need to write a good and detailed action plan and rollback plan.

AEK
AEK
Infotech22

This will happen in the upcoming weekend so I have time to get as detailed as I can.
Already created excel sheet's with new policies for each VLAN. 
And prepared a doc with the steps which I need to take.

Thank you for the help

Jakob-AHHG
Contributor II

Hi @Infotech22,

 

We have the following segmentation in place, all in 10.n.n.n ranges.

 

Site, Service(vlan).

Logically, that translates to IP ranges: 10.[SITEID].[VLAN].0/subnet

 

So you can make sites like:

0: Hosting1

1: Hosting 2

 

11: Site1

12: Site2

etc..

 

VLANs like:

10-19: HighTrusted internal services (Domain joined stuff, etc)

20-29: LowTrusted internal devices (IoT, Printers, CCTV,... )

30-39: VoIP stuff

40-49: Low trust external stuff (CTS etc)

xx: In-Band management of network devices (switches, UPS, 

 

xxx: IPTV Multicast stream (if used)

 

Defining trust zones, makes it easy to group VLAN's and handle it easier in interface zones and policies.

 

You then get ip's like:

10.0.10.xxx: Servers in hosting..

10.11.10.xx: Trusted devices on site 1

10.12.31.xx: VoIP devices on site 2

 

Even if you only have one site now, if you suddently need a new site, you have the logic in place.

And - trust me - looking at logs and Analyzer data makes it soooo easy to spot where the traffic comes from and to.

Tip1: If you need ranges larger than /24, don't use the next vlan, since that vlan's IP's will be part of the former /23 vlan's range.

Tip2: Don't use 192.168.n.n ranges, for VLAN's you like to route internally, since many ISP's use those for peoples home-networks.
You can use those ranges for guest-related wifi, if needed. We use that for none-site-specific hospitality wifi networks.

 

Hope it helps,

Jakob Peterhänsel,
IT System Admin,
Arp-Hansen Hotrel Group A/S, Copenhagen, DK
Jakob Peterhänsel,IT System Admin,Arp-Hansen Hotrel Group A/S, Copenhagen, DK
Infotech22

Hello @Jakob-AHHG,

Thank you for a comprehensive answer.
We have multiple sites and have something similar but not as granular as you guys do.

For is we have .10, .20, .30 and .40 for the locations we have
Example:
1. 10.(10).0.0/16 is for Austria
2. 10.(20).0.0/16 is for Serbia etc..

It's the same for the Servers VLAN

Now I did some subnetting and will follow the same principle for VLANs for all our sites.

Example: 10.10.255.0/24 are printers in Vienna. 10.20.255.0/24 will be printers in Serbia..
At the moment we have 192.168.10(.20).0/24 for the Servers and we didn't experience any routing problems
 

Jakob-AHHG

That also sounds fine.
If you have FortiGates on all sites, with SD-WAN VPN (or the like) routing between sites, you have easy routing with BGP between sites.
We do that, but most sites are on direct-connected fibre (no VPN), only BGP between FG's.

Regarding 192.168.n.n: If you do find it in the future, make a new VLAN in hosting and migrate to new range. As long as clients points to hostnames, it's easy(er) to change IP-ranges.. ;) 

192.168.0.0-192.168.2.0 rnages are often used by ISP's.

Jakob Peterhänsel,
IT System Admin,
Arp-Hansen Hotrel Group A/S, Copenhagen, DK
Jakob Peterhänsel,IT System Admin,Arp-Hansen Hotrel Group A/S, Copenhagen, DK
princes
Staff
Staff

Hello,

 

As we understood you have already working Vlan subnets which needs to be modified .

Best way is to create Vlan but do not assign IP for the moment (put unused dummy ip).

 

However as you mentioned you already have static addresses on Printer and other devices.

For those devices it would require downtime as they are already setup with a particular subnet mask.

Also you need to make sure about your static Bindings , so better you do it in downtime .

Thank you.

Regards,

Prince

Infotech22

Hello @princes,

Yes, already have working VLANs. For the printers we will do it in non-working hours.

Luckily weekends are non-working days so we have all the time we need :)

Labels
Top Kudoed Authors