- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiGate Cloud
- FortiExtender
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Network Segmentation - VLAN Plan
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Network Segmentation - VLAN Plan
Hello everybody,
Currently I have a plan to segment the network and would like to get some guides for few things.
Currently we have following VLANs:
- VLAN_Clients = 10.10.0.0/16
- VLAN_Servers = 192.168.10.0/24
Now in Clients VLAN we have following devices: Workstations, Notebooks, Printers, IoT
The plan is the following:
- Reduce the Clients VLAN (Workstations, Notebooks) to 10.10.0.0/22
- Create new VLANs for Printers, IoT
- Printers - 10.10.255.0/24
- IoT - 10.10.10.0/24
Now the question is the following:
- How to do the change as smooth as possible?
As I already know I can't create new VLANs until I reduce the original VLAN_Clients from /16 to /22.
Can this make the problems since Printers already have static IP address in original /16 network with 10.10.255.x ?
Also I would need to create new policies, address object etc.
Static routes from other location to this can stay the same since its a 10.10.0.0/16 and then the router will always hit it.
Any advice is helpful.
Labels:
- Labels:
-
FortiGate
- « Previous
-
- 1
- 2
- Next »
10 REPLIES 10
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your plan to restructure your network into more granular VLANs is a sound strategy for improving network management, security, and performance. Here's a step-by-step approach to make the transition as smooth as possible:
1. **Planning and Documentation**:
- Begin by documenting your current network structure, including all devices, their roles, and IP addresses.
- Plan your new VLAN structure meticulously, including the purpose of each VLAN, the range of IP addresses, and the necessary policies and security measures.
2. **Pre-Configuration Steps**:
- Before making changes, ensure that you have a full backup of your current network configuration.
- Notify all users about the planned changes and potential downtimes.
3. **Creating New VLANs**:
- Initially, create the new VLANs (for Printers and IoT) in your network switches without altering the existing VLAN_Clients.
- Configure the IP ranges for the new VLANs as planned (10.10.255.0/24 for Printers and 10.10.10.0/24 for IoT).
4. **Reconfiguring the Client VLAN**:
- Adjust the subnet mask of VLAN_Clients from /16 to /22. This change will need to be done on your DHCP server, routers, and any statically assigned devices.
- Make sure to update the DHCP scope to reflect the new subnet mask.
5. **Migrating Devices**:
- For Printers:
- Since printers are often assigned static IP addresses, you will need to reconfigure each printer’s network settings to the new IP range and VLAN.
- This step can be time-consuming but is crucial for avoiding IP conflicts.
- For IoT Devices:
- If these devices receive their IP addresses via DHCP, ensure your DHCP server is set up to serve the new VLAN with the appropriate address range.
- Manually reassign static IP addresses if necessary.
6. **Testing and Validation**:
- After reconfiguring, test each VLAN to ensure devices are communicating correctly.
- Verify that network policies and security measures are functioning as intended.
7. **Updating Network Policies and Routes**:
- Update your firewall rules, ACLs (Access Control Lists), and other network policies to reflect the new VLAN configurations.
- As for the static routes, you're correct that routes to 10.10.0.0/16 will still capture traffic destined for your new subnets due to the nature of route summarization. However, you might need to adjust any policies or rules that are specific to subnet addresses.
8. **Monitoring and Troubleshooting**:
- After implementation, monitor the network closely for any unusual activity or performance issues.
- Be prepared to troubleshoot issues related to the new VLAN configurations, such as connectivity problems or misconfigured devices.
9. **Communication**:
- Keep stakeholders updated on the progress and any issues encountered during the transition.
- Provide support and instructions for users as needed, especially if network changes affect their daily operations.
Remember, significant network changes like this can often lead to unexpected issues, so it's important to have a rollback plan in case things don't go as expected. Additionally, carrying out these changes during off-peak hours can minimize the impact on your organization.
- « Previous
-
- 1
- 2
- Next »
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Wireless NAC limitations with FortiGate 40F... 133 Views
- How to define Gateway on WAN... 473 Views
- are excessive tcp reset errors related... 368 Views
- enroll fortigate firewall into for PAM... 310 Views
- SSL DPI analysis before implementing 282 Views
Labels
-
FortiGate
7,131 -
FortiClient
1,405 -
5.2
801 -
5.4
639 -
FortiManager
618 -
FortiAnalyzer
453 -
6.0
416 -
FortiAP
373 -
FortiSwitch
369 -
5.6
362 -
FortiClient EMS
290 -
FortiMail
280 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
175 -
6.4
128 -
FortiNAC
126 -
FortiGuard
115 -
IPsec
107 -
SSL-VPN
102 -
FortiGateCloud
96 -
FortiSIEM
92 -
FortiCloud Products
88 -
FortiToken
76 -
Customer Service
71 -
Wireless Controller
64 -
4.0MR3
64 -
FortiProxy
49 -
SD-WAN
48 -
FortiADC
45 -
FortiEDR
44 -
Fortivoice
44 -
FortiDNS
39 -
FortiGate v5.4
35 -
FortiAuthenticator
35 -
FortiExtender
34 -
FortiSandbox
33 -
Firewall policy
33 -
FortiSwitch v6.4
32 -
VLAN
31 -
High Availability
31 -
DNS
24 -
FortiWAN
24 -
FortiConnect
24 -
ZTNA
23 -
BGP
21 -
FortiConverter
21 -
Certificate
20 -
SAML
19 -
FortiGate v5.2
19 -
FortiPortal
18 -
LDAP
18 -
Interface
18 -
FortiSwitch v6.2
17 -
VDOM
17 -
Routing
16 -
FortiMonitor
15 -
Authentication
15 -
FortiGate v5.0
14 -
FortiLink
14 -
Fortigate Cloud
14 -
FortiDDoS
14 -
Logging
14 -
NAT
13 -
RADIUS
12 -
FortiCASB
12 -
Web profile
11 -
Traffic shaping
10 -
Virtual IP
10 -
SSL SSH inspection
10 -
SSO
10 -
FortiRecorder
10 -
Application control
10 -
SSID
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
WAN optimization
9 -
4.0MR2
9 -
IP address management - IPAM
8 -
FortiBridge
8 -
FortiGate v4.0 MR3
8 -
OSPF
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
SNMP
7 -
Web application firewall profile
7 -
4.0
7 -
Admin
7 -
Static route
6 -
Security profile
6 -
Proxy policy
6 -
Traffic shaping policy
6 -
FortiAP profile
6 -
IPS signature
5 -
Packet capture
5 -
Automation
5 -
DNS Filter
5 -
FortiManager v4.0
5 -
trunk
5 -
FortiDeceptor
4 -
FortiDirector
4 -
Intrusion prevention
4 -
Port policy
4 -
Antivirus profile
4 -
FortiPAM
4 -
FortiCarrier
4 -
FortiCache
4 -
FortiTester
4 -
3.6
4 -
DLP sensor
4 -
FortiScan
4 -
Web rating
4 -
Fabric connector
3 -
NAC policy
3 -
Multicast routing
3 -
System settings
3 -
FortiToken Cloud
3 -
Fortinet Engage Partner Program
3 -
Traffic shaping profile
3 -
DLP Dictionary
3 -
DLP profile
3 -
FortiDB
3 -
DoS policy
3 -
Email filter profile
3 -
FortiInsight
2 -
Netflow
2 -
Users
2 -
Protocol option
2 -
FortiAI
2 -
Application signature
2 -
FortiHypervisor
2 -
VoIP profile
2 -
Internet Service Database
2 -
Explicit proxy
2 -
4.0MR1
1 -
Multicast policy
1 -
Zone
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
FortiNDR
1 -
TACACS
1 -
Replacement messages
1 -
Schedule
1 -
SDN connector
1 -
FortiManager-VM
1 -
Authentication rule and scheme
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1059 | |
| 882 | |
| 523 | |
| 441 | |
| 147 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.