Possible to VLAN without Fortigate Managed Switch? Is my solution ok?

Author
jase888
Bronze Member
2019/01/10 01:28:05 (permalink)

Is it possible to have VLANs on the Fortigate 60E without a Fortigate Managed Switch? I currently only have a few unmanaged switches but need 3 networks on the firewall to be completely separate.
 
One method I have found that seems to work, but I'm not sure is secure or correct, is to create 3 new interfaces, assign different network addresses/subnets, and then assign different ports to each. Then plug an unmanaged switch into each port and you have 3 separate networks. I have tested this and there's no pinging between networks and it seems fine, but I wanted opinions?
 
Also I did see I could create a VLAN interface on ports but wasn't sure if this would work without the Fortigate Switch?
#1


    ede_pfau
    Expert Member
    Re: Possible to VLAN without Fortigate Managed Switch? Is my solution ok? 2019/01/10 06:29:47 (permalink)
    VLANs are not a security feature. A VLAN isolates broadcast traffic from other networks on the same wire, possibly conserving bandwidth.
    Yes, you can create a lot of networks and (virtual) firewall ports using VLANs on a FGT. This is convenient if you need more ports than available physically.
     
    Your problem begins when the VLAN (tagged) traffic leaves the FGT. The next switch must be VLAN capable, that is, able to collect switch ports into a VLAN broadcast domain, able to read the VLAN tag etc. IMHO there are 'semi-managed' switches which are VLAN capable for only a few bucks (Netgear metal boxes for instance).
    If you create a VLAN you would want to pass the traffic all through your network either to the gateway or the hosts. If the FGT is your gateway, your switches need to support VLANs so that tagged traffic can reach the hosts. Hosts (PCs) usually are not VLAN capable; a switch port declared as 'VLAN access port' would be part of the VLAN but remove the VLAN tag on egress to the host.
     
    But this all is basic networking stuff and better explained elsewhere on the net. Answering your question, yes, you can create VLANs on the FGT and handle them with 3rd party switches.

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #2
    jase888
    Bronze Member
    Re: Possible to VLAN without Fortigate Managed Switch? Is my solution ok? 2019/01/10 06:38:35 (permalink)
    Ok, thanks for the reply. I'll look further into VLAN explanations; I have a basic understanding but have not used them for a long time.
     
    However, my main question is: without a VLAN compatible switch, is my other method for splitting the traffic suitable?
     
    1. Create an interface (Example: Network1)
    2. Assign a port (Internal4)
    3. Setup Network Address (192.168.10.1/255.255.255.0)
    4. Create IPv4 Policy for traffic
     
    Then repeat these steps for the other 2 networks we have, obviously changing ports, network address, etc., and then plug unmanaged switches into each of these. As they aren't officially VLANs they don't need VLAN compatible switches. But is there some drawback to this method?
     
    #3
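    The separate-port procedure from post #3, plus the VLAN sub-interface the original post asks about, written out as FortiOS CLI. This is an added example, not configuration posted by anyone in the thread; it assumes a 60E on which internal4 has already been detached from the default internal switch, that the uplink port is "wan1", and the subnets are constructed.

```text
# Added example (not from the thread). Assumes internal4 is already detached
# from the 60E's default internal switch and the uplink port is "wan1".
# Network2/Network3 repeat the same two blocks with their own port and subnet.
config system interface
    edit "internal4"
        set vdom "root"
        set alias "Network1"
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping
        set role lan
    next
end

# One egress policy per network. Only this network's port is the source
# interface, so no policy ever pairs two LAN ports; traffic that matches no
# policy is dropped by the implicit deny, so no explicit LAN-to-LAN deny is
# needed. "edit 0" lets FortiOS assign the next free policy ID.
config firewall policy
    edit 0
        set name "Network1-to-Internet"
        set srcintf "internal4"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end

# VLAN alternative asked about in post #1: a tagged sub-interface on the same
# physical port with its own (constructed) subnet. This only works when the
# switch on internal4 is VLAN capable and tags/untags VLAN 10 for the hosts.
config system interface
    edit "Network1-vlan10"
        set vdom "root"
        set type vlan
        set interface "internal4"
        set vlanid 10
        set ip 192.168.40.1 255.255.255.0
        set allowaccess ping
        set role lan
    next
end
```

    With the port-per-network design the isolation rests on the policy table, so a periodic review that no accept policy has two LAN ports as srcintf/dstintf is the check worth keeping.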
    rwpatterson
    Expert Member
    Re: Possible to VLAN without Fortigate Managed Switch? Is my solution ok? 2019/01/10 07:27:46 (permalink)
    The far end switches cannot be connected together in any way, otherwise the VLAN traffic could mix. As long as this is followed then this is possible. Confusing in the long run, but 100% possible.

    -Bob - self proclaimed posting junkie!
    See my Fortigate related scripts at: http://fortigate.camerabob.com

    -4.3.19-b0694
    FWF60B
    FWF80CM (4)
    FWF81CM (2)
     
    #4
    sw2090
    Gold Member
    Re: Possible to VLAN without Fortigate Managed Switch? Is my solution ok? 2019/01/15 04:53:13 (permalink)
    Just basically for understanding: 
     
    You do not need to have FortiNet Switches. Vlans are common use and will work with other brands too.
    I use FortiGates with HP Switches and vlans work fine here.
     
    You just have to have a managed switch (unmanaged ones are not vlan capable but also will not touch the vlan tag in your packets). If you have unmanaged switches then the devices connected to those switches will have to take care of the vlans. The FortiGate can only handle packets that are tagged in a vlan (or are not tagged in any) and it will only let out packets tagged over the vlan interface.
     
    I recommend the use of managed switches because not every device can handle vlan tagging. This is definitely the easier way :)
    #5