Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[mahazara]

Hello All
I am hoping someone can help me, I am trying to get some Idea about how to do VLAN in the DGS-1100-24 Smart Switch.
Below is my setup
Router - Fortinet (VLAN sub-interface from Physical Interface option) - Router connects to Port 24 of the DGS Switch
Server - Provides DNS, DHCP to admin network (192.168.1.1/24, VLAN4) - server connected to port 23 of the DGS Switch
Security Camera - Connected to port 1 of the DGS switch

Router LAN port has sub interface with Vlan option. I create a sub interface network under the physical interface  in the Fortinate switch with IP range 192.168.2.1/24 with VLAN 2, I enable DNS & DHCP for this range (for the security network)

How can I now segregate the security network from the Admin Network using either port based or 801.QS VLAN?

Do I create Access port or trunk port ? what are the settings I need to do in the switch?

Please help someone, I am not able to figure this out and its driving me crazy...

[PacketTracer]

Hi,

• In your DGS activate 802.1Q VLAN.
• Configure port 24 of your DGS as a VLAN trunk port (sending/receiving frames tagged 4 and 2).
• Configure the Fortinet subinterface for your admin network (192.168.1.0/24) to send and receive frames tagged with VID 4
• Configure the Fortinet subinterface for your security network (192.168.2.0/24) to send and receive frames tagged with VID 2
• Configure DGS port 23 as access port (sending/receiving untagged frames) for VID 4
• Configure DGS port 1 as access port (sending/receiving untagged frames) for VID 2
• Configure your Fortinet firewall to block any traffic between networks 192.168.1.0/24 and 192.168.2.0/24

What is left unclear is which DNS/DHCP server you will use for your security network: The one you use for the admin network (and that resides in the admin network at 192.168.1.1) or another one (DHCP/DNS server function inside your Fortinet firwall, restricted to the subinterface 192.168.2.1)?

Only in the first case you would have to activate the BOOTP/DHCP relay function on subinterface 192.168.2.1 and relay DHCP to 192.168.1.1. In addition to make DNS work for network 192.168.2.0 you would have to setup an ALLOW rule within your firewall for UDP traffic from network 192.168.2.0/24 (any source port) to host 192.168.1.1 port 53.

PT
 

 

[mahazara]

Hi PT
Thanks for your response.
Here are some further info. hope you can help.

I activate 802.1Q VLAN in DGS
I connect my Fortinet Physical Port 1 to DGS Port 24 (Fortinet Physical port couldn't find Vlan Option) (Fortinet physical interface address - 192.168.1.1/24)
I create sub interface in Fortinet with Vlan 2 (I create DNS,DHCP for this sub interface from Fortinet), I create firewall rule for this sub interface to allow all traffic to WAN port of Fortinet   
I connect my home server (DNS,DHCP) to DGS Port 23.
I connect my security system to DGS port 1.

In the above setup,
I keep the port 24 of DGS in Hybrid mode
I make the port 1 of the DGS access mode with untagged or tagged, but my security system fail to receive IP lease from Fortinet.
This is where I am stuck at the moment.


************************** Ideally What I am trying to do is******************************
VLAN 2 – Security System (Occupy 4 Switch Ports)

VLAN 3 – Guest WIFI , I will have a Guest SSID that will connect to this VLAN, This SSID is shared by 2 AP. (Occupies 2 Switch Port) But Both of these switch port must also carry VLAN 3 as Admin Network (192.168.1.x/24) traffic will connect to a SSID that’s associated to VLAN 4, and Guest WIFI Network (192.168.3.x/24) traffic will connect to VlAN3 to direct internet - for this I can create another sub interface under the same physical interface (fortunate physical port 1) 

VLAN 4 – LOCAL LAN, LOCAL Server (DNS,DHCP), Local WIFI (Admin Network) 
VLAN 2 - Will get DNS, DHCP from Fortinet
VLAN 3 - Will get DNS, DHCP from Fortinet,   
VLAN 4 – Must get DHCP/DNS from my Local Server in VLAN4
VLAN 4 - Can a specific device in VLAN for me associated to a Management VLAN, ie: VLAN 1 so that device can access everything for management reason?
**************************************************************************
 

[PacketTracer]

Hi,

I connect my Fortinet Physical Port 1 to DGS Port 24 (Fortinet Physical port couldn't find Vlan Option) (Fortinet physical interface address - 192.168.1.1/24)
...
I keep the port 24 of DGS in Hybrid mode

Choosing this configuration (which is in contrast to my suggestion to use 2 subinterfaces at your Fortinet and leave Fortinet Physical Port 1 unconfigured for IP), please ensure that hybrid mode for DGS port 24 is configured as follows: L2 Features > VLAN > VLAN Interface > VLAN Detail (for selected port 24):

VLAN Mode: Hybrid
Native VLAN: 4
Hybrid Untagged VLAN: 4
Hyprid Tagged VLAN: 2

Alternatively (and this is what I would prefer) according to my suggestion do not configure IP for the physical port 1 of your Fortinet firewall. Instead create a second subinterface and configure this subinterface for your admin network (192.168.1.1/24) to send and receive frames tagged with VID 4.

If you follow this alternative, configure port 24 of your DGS to be in Trunk mode with Action=Tagged and Allowed VLAN Range=2,4.

DGS port 1 should be set to VLAN Mode "Access" with "Acceptable Frame" set to "Untagged only" and the VID set to 2.
DGS port 23 should be set to VLAN Mode "Access" with "Acceptable Frame" set to "Untagged only" and the VID set to 4.

Set any other port you want to use for your security network the same way as DGS port 1.
Set any other port you want exclusively use for your admin network the same way as DGS port 23.
Configure the two ports connected to your access points to be in Trunk Mode with Action=Tagged and Allowed VLAN Range=3,4.
Modify the configuration of port 24 of your DGS to be in Trunk mode with Action=Tagged and Allowed VLAN Range=2,3,4.
Create a third subinterface for your Fortinet phyical interface 1 and configure this subinterface for your guest network (192.168.3.1/24) to send and receive frames tagged with VID 3.

VLAN 4 - Can a specific device in VLAN for me associated to a Management VLAN, ie: VLAN 1 so that device can access everything for management reason?

You could choose a device that supports both Wifi and wired network using Wifi to connect to VLAN 4 and using a NIC to connect to VLAN 1 (ie: any default DGS port assigned to VLAN 1). Or you use a device that supports VLAN trunks for a NIC (Linux or with Windows, if the NIC driver supports it), that you connect to a DGS port set to mode Trunk with Action=Tagged and Allowed VLAN Range=1,4.

Or you choose to change the default management VLAN for your DGS to be 4 instead of 1 (this way allowing any device within your admin VLAN 4 to access the DGS management interface). But be careful: If you change the management vlan of your switch, you also must assign it a management address out of range 192.168.1.0/24, otherwise you will lose the management access to your switch if you do things in the wrong sequence (and you have to reset it to fabric defaults for recovery). See the manual what the correct procedure is for changing the switch's management vlan and address.

Finally (and I would prefer this) you could also generate a fourth subinterface for your Fortinet physical port 1, assign it an IP address out of the range of the DGS management VLAN 1 and configure it to send and receive frames tagged with VLAN 1. In addition modify the configuration of port 24 of your DGS to be in Trunk mode with Action=Tagged and Allowed VLAN Range=1,2,3,4. The last step is a Fortinet firewall rule that only allows a specific admin device in VLAN 4 (your management device 192.168.1.x) to access the DGS management address in VLAN 1. To make it perfect you should remove any unused DGS port from VLAN 1 to prevent any unauthorized access to vlan 1 by any device plugged to a free port.

PT

[mahazara]

Fantastic PT
I will give it a try and let you know soon!! really appreciate it!!

[mahazara]

Hi PT
Do I disable the Port based VLAN & Enable 802.1Q VLAN option on to implement your proposed solution?
Or do I implement your proposed solution under Port Based VLAN Setting?

[PacketTracer]

Hi,

Do I disable the Port based VLAN & Enable 802.1Q VLAN option on to implement your proposed solution?

--> Yes

Or do I implement your proposed solution under Port Based VLAN Setting?

--> No

PT

[mahazara]

Also, my settings in my DGS are slightly different. ie
Vlan Mode: Trunk
Acceptable Frames: Tagged Only or Untagged Only or Admit All
Ingress Checking: Enable or Disable
Action: All or Add or Remove
Allowed VLAN Range: Vlan Number
So for Port 24 which is my Fortinet Router, you suggested below
" Modify the configuration of port 24 of your DGS to be in Trunk mode with Action=Tagged and Allowed VLAN Range=2,3,4."
to implement your proposal, do I choose the settings this way?  Vlan Mode: Trunk > Acceptable Frame: Tagged Only > Ingress Check (Yes or no?) > Action Add > VLAN number 2,3,4 ?

Hope I am making sense?

[PacketTracer]

Hi,

So for Port 24 which is my Fortinet Router, you suggested below
" Modify the configuration of port 24 of your DGS to be in Trunk mode with Action=Tagged and Allowed VLAN Range=2,3,4."
to implement your proposal, do I choose the settings this way?  Vlan Mode: Trunk > Acceptable Frame: Tagged Only > Ingress Check (Yes or no?) > Action Add > VLAN number 2,3,4 ?

Hope I am making sense?

Yes, that looks quite reasonable. Sorry, that I cannot be more precise, because I have no experience with your device and the specific semantics behind the configuration settings of its GUI. My suggestion is based on my general knowledge about VLANs and subinterfaces which results from my experience with Cisco devices, hence like you I can no more do than read your device's manual and hope to interpret the meanings of the settings in the right way. While I'm quite sure, that my suggested solution will work, it's another challenge to translate it to the specific settings inside both your Fortinet firewall (which I have no experience with either) and your DGS switch.

PT

[PacketTracer]

Hi,

perhaps another hint: Start with the following two steps:

- Disable "Port-based VLAN": L2 Features > VLAN > Port-based VLAN: VLAN State = Disabled + Apply
- Enable "802.1Q VLAN": L2 Features > VLAN > 802.1Q VLAN: Set "VID List" = 2-4 + Apply

To be honest: The manual is not really helpful here!

How are subinterfaces created with your Fortinet firewall? Does it use the method to assign a ".n" to an interface called e.g. eth1, hence you can form subinterfaces eth1.1, eth1.2, eth1.3 and so on? And does the addional number identify the VLAN id to be used for the subinterface, hence you should form subinterfaces eth1.2, eth1.3 and eth1.4?

PT

[FurryNutz]

Any status on this? 

Also, my settings in my DGS are slightly different. ie
Vlan Mode: Trunk
Acceptable Frames: Tagged Only or Untagged Only or Admit All
Ingress Checking: Enable or Disable
Action: All or Add or Remove
Allowed VLAN Range: Vlan Number
So for Port 24 which is my Fortinet Router, you suggested below
" Modify the configuration of port 24 of your DGS to be in Trunk mode with Action=Tagged and Allowed VLAN Range=2,3,4."
to implement your proposal, do I choose the settings this way?  Vlan Mode: Trunk > Acceptable Frame: Tagged Only > Ingress Check (Yes or no?) > Action Add > VLAN number 2,3,4 ?

Hope I am making sense?