Support Forum
jase888
New Contributor

Possible to VLAN without Fortigate Managed Switch? Is my solution ok?

Is it possible to have VLANs on the FortiGate 60E without a FortiGate Managed Switch? I currently only have a few unmanaged switches but need 3 networks on the firewall to be completely separate.

 

One method I have found that seems to work, though I'm not sure if it is secure or correct, is to create 3 new interfaces, assign each a different network address/subnet, and then assign different ports to each. Then plug an unmanaged switch into each port and you have 3 separate networks. I have tested this and there's no pinging between networks; it seems fine, but I wanted opinions.

 

Also, I did see I could create a VLAN interface on ports but wasn't sure if this would work without the FortiGate Switch?

1 Solution
sw2090
Honored Contributor

Just basically for understanding:

You do not need to have Fortinet switches. VLANs are in common use and will work with other brands too.

I use FortiGates with HP switches and VLANs work fine here.

 

You just have to have a managed switch (unmanaged ones are not VLAN capable but also will not touch the VLAN tag in your packets). If you have unmanaged switches then the devices connected to those switches will have to take care of the VLANs. The FortiGate can only handle packets that are tagged in a VLAN (or are not tagged in any) and it will only let out packets tagged over the VLAN interface.

 

I recommend the use of managed switches because not every device can handle VLAN tagging. This is definitely the easier way :)

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

4 Replies
ede_pfau
Esteemed Contributor III

VLANs are not a security feature. A VLAN isolates broadcast traffic from other networks on the same wire, possibly conserving bandwidth.

Yes, you can create a lot of networks and (virtual) firewall ports using VLANs on a FGT. This is convenient if you need more ports than available physically.

 

Your problem begins when the VLAN (tagged) traffic leaves the FGT. The next switch must be VLAN capable, that is, able to collect switch ports into a VLAN broadcast domain, able to read the VLAN tag etc. IMHO there are 'semi-managed' switches which are VLAN capable for only a few bucks (Netgear metal boxes for instance).

If you create a VLAN you would want to pass the traffic all through your network either to the gateway or the hosts. If the FGT is your gateway, your switches need to support VLANs so that tagged traffic can reach the hosts. Hosts (PCs) usually are not VLAN capable; a switch port declared as 'VLAN access port' would be part of the VLAN but remove the VLAN tag on egress to the host.

 

But all this is basic networking stuff and better explained elsewhere on the net. Answering your question: yes, you can create VLANs on the FGT and handle them with 3rd party switches.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
jase888

Ok, thanks for the reply. I'll look further into VLAN explanations; I have a basic understanding but have not used them for a long time.

 

However, my main question is: without a VLAN compatible switch, is my other method for splitting the traffic suitable?

 

1. Create an interface (Example: Network1)
2. Assign a port (Internal4)
3. Set up the network address (192.168.10.1/255.255.255.0)
4. Create an IPv4 policy for the traffic


Then repeat these steps for the other 2 networks, obviously changing ports, network address, etc., and then plug unmanaged switches into each of these. As they aren't officially VLANs they don't need VLAN compatible switches. But is there some drawback to this method?

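As an added illustration (not from the thread or from Fortinet's documentation), here is what the two layouts discussed above look like in FortiOS CLI form: the OP's method of one physical port per network with an unmanaged switch behind each, and the 802.1Q subinterface method that needs a managed switch. Port names internal4/5/6, the wan1 uplink, VLAN ID 30 and the subnets are assumptions, and the ports are assumed to have already been removed from the 60E's default "internal" hardware switch.

```fortios
# Added example, not the original poster's config. Assumes internal4/5/6 were
# removed from the default "internal" hardware switch and wan1 is the uplink.
# Subnets and VLAN ID are made up for illustration.

# --- Method 1: one physical port per network, unmanaged switch on each port ---
config system interface
    edit "internal4"
        set alias "Network1"
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping
    next
    edit "internal5"
        set alias "Network2"
        set ip 192.168.20.1 255.255.255.0
        set allowaccess ping
    next
end

# --- Method 2: 802.1Q VLAN subinterface on one port, requires a managed switch ---
config system interface
    edit "Network3"
        set vdom "root"
        set type vlan
        set interface "internal6"
        set vlanid 30
        set ip 192.168.30.1 255.255.255.0
        set allowaccess ping
    next
end

# Separation between the networks is enforced by the policy table, not by the
# subnets: each network gets a policy to the uplink only. With no policy between
# internal4, internal5 and Network3, the implicit deny blocks traffic between them.
config firewall policy
    edit 0
        set name "Network1-to-Internet"
        set srcintf "internal4"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Repeat the policy for internal5 and Network3 with their own srcintf; with Method 1 the separation also depends on the unmanaged switches never being cabled to one another, as noted in the replies.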

rwpatterson
Valued Contributor III

The far end switches cannot be connected together in any way, otherwise the VLAN traffic could mix. As long as this is followed then this is possible. Confusing in the long run, but 100% possible.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
