Infotech22
Contributor

Network Segmentation - VLAN Plan

Hello everybody,

Currently I have a plan to segment the network and would like to get some guidance on a few things.

Currently we have following VLANs:

  • VLAN_Clients = 10.10.0.0/16
  • VLAN_Servers = 192.168.10.0/24

Now in Clients VLAN we have following devices: Workstations, Notebooks, Printers, IoT

The plan is the following:

  • Reduce the Clients VLAN (Workstations, Notebooks) to 10.10.0.0/22
  • Create new VLANs for Printers, IoT
    • Printers - 10.10.255.0/24
    • IoT - 10.10.10.0/24
Now the question is the following:

  • How do I make the change as smoothly as possible?

As I already know I can't create new VLANs until I reduce the original VLAN_Clients from /16 to /22.

Can this cause problems, since the printers already have static IP addresses in the original /16 network in the 10.10.255.x range?

Also, I would need to create new policies, address objects, etc.

Static routes from other locations to this site can stay the same, since it's 10.10.0.0/16 and the router will always match it.

Any advice is helpful. 
Christian_89
Contributor III

Your plan to restructure your network into more granular VLANs is a sound strategy for improving network management, security, and performance. Here's a step-by-step approach to make the transition as smooth as possible:

1. **Planning and Documentation**:
- Begin by documenting your current network structure, including all devices, their roles, and IP addresses.
- Plan your new VLAN structure meticulously, including the purpose of each VLAN, the range of IP addresses, and the necessary policies and security measures.

2. **Pre-Configuration Steps**:
- Before making changes, ensure that you have a full backup of your current network configuration.
- Notify all users about the planned changes and potential downtimes.

3. **Creating New VLANs**:
- Initially, create the new VLANs (for Printers and IoT) in your network switches without altering the existing VLAN_Clients.
- Configure the IP ranges for the new VLANs as planned (10.10.255.0/24 for Printers and 10.10.10.0/24 for IoT).

4. **Reconfiguring the Client VLAN**:
- Adjust the subnet mask of VLAN_Clients from /16 to /22. This change will need to be done on your DHCP server, routers, and any statically assigned devices.
- Make sure to update the DHCP scope to reflect the new subnet mask.

5. **Migrating Devices**:
- For Printers:
  - Since printers are often assigned static IP addresses, you will need to reconfigure each printer’s network settings to the new IP range and VLAN.
  - This step can be time-consuming but is crucial for avoiding IP conflicts.
- For IoT Devices:
  - If these devices receive their IP addresses via DHCP, ensure your DHCP server is set up to serve the new VLAN with the appropriate address range.
  - Manually reassign static IP addresses if necessary.

6. **Testing and Validation**:
- After reconfiguring, test each VLAN to ensure devices are communicating correctly.
- Verify that network policies and security measures are functioning as intended.

7. **Updating Network Policies and Routes**:
- Update your firewall rules, ACLs (Access Control Lists), and other network policies to reflect the new VLAN configurations.
- As for the static routes, you're correct that routes to 10.10.0.0/16 will still capture traffic destined for your new subnets due to the nature of route summarization. However, you might need to adjust any policies or rules that are specific to subnet addresses.

8. **Monitoring and Troubleshooting**:
- After implementation, monitor the network closely for any unusual activity or performance issues.
- Be prepared to troubleshoot issues related to the new VLAN configurations, such as connectivity problems or misconfigured devices.

9. **Communication**:
- Keep stakeholders updated on the progress and any issues encountered during the transition.
- Provide support and instructions for users as needed, especially if network changes affect their daily operations.

Remember, significant network changes like this can often lead to unexpected issues, so it's important to have a rollback plan in case things don't go as expected. Additionally, carrying out these changes during off-peak hours can minimize the impact on your organization.
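An added example (not code from either post) that sanity-checks the plan discussed above with Python's `ipaddress` module: it confirms the new VLANs do not overlap, that the remote sites' 10.10.0.0/16 summary route still covers each new subnet, and lists statically addressed hosts (a constructed sample, not real hosts from the thread) that fall outside the shrunken /22, together with the VLAN that will own their address after the change.

```python
from ipaddress import ip_address, ip_network

# The current and planned subnets as described in the thread.
OLD_CLIENTS = ip_network("10.10.0.0/16")
NEW_PLAN = {
    "VLAN_Clients": ip_network("10.10.0.0/22"),
    "VLAN_Printers": ip_network("10.10.255.0/24"),
    "VLAN_IoT": ip_network("10.10.10.0/24"),
    "VLAN_Servers": ip_network("192.168.10.0/24"),
}
# Remote sites keep their static route pointing at this prefix.
SUMMARY_ROUTE = ip_network("10.10.0.0/16")

# Constructed sample of devices with static addresses on the old /16
# (illustrative only, not hosts from the thread).
STATIC_HOSTS = ["10.10.255.10", "10.10.255.11", "10.10.1.50", "10.10.10.5", "10.10.40.7"]


def overlapping_vlans(plan):
    """Return every pair of VLAN names whose subnets overlap (should be empty)."""
    names = sorted(plan)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if plan[a].overlaps(plan[b])]


def covered_by_summary(plan, summary=SUMMARY_ROUTE):
    """Map each VLAN to whether the remote-site summary route still reaches it."""
    return {name: net.subnet_of(summary) for name, net in plan.items()}


def vlan_for(addr, plan=NEW_PLAN):
    """Name of the VLAN that owns addr after the change, or None if no VLAN does."""
    for name, net in plan.items():
        if ip_address(addr) in net:
            return name
    return None


def stranded_hosts(hosts, old_net=OLD_CLIENTS, new_net=NEW_PLAN["VLAN_Clients"]):
    """Static hosts inside the old /16 but outside the shrunken /22.
    Each is paired with the VLAN that owns its address afterwards; None means
    the host has to be readdressed, not just moved to another VLAN."""
    return [(h, vlan_for(h)) for h in hosts
            if ip_address(h) in old_net and ip_address(h) not in new_net]


if __name__ == "__main__":
    print("overlaps:", overlapping_vlans(NEW_PLAN))
    print("reachable via 10.10.0.0/16:", covered_by_summary(NEW_PLAN))
    for host, owner in stranded_hosts(STATIC_HOSTS):
        print(f"{host}: outside new /22, owning VLAN after change = {owner}")
```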
