Creating VLANs, Router and Switch Configuration

mda

Hi All,
I have a basic understanding of networking concepts (OSI layers, etc), and read up on VLANs in order to setup the VLANs in our organization.

First things first, I'd like to put wireless guest clients on a separate VLAN.

Equipment on hand
Fortigate Router/Firewall
Cisco SG300 core switch
Unifi Access Points

Current Setup
Everything is on a single /24 network, untagged and without VLANs at all.
Fortigate - no VLAN configured, everything is on the 'internal'/management network.
Cisco SG300 - while this is running in L3 mode, nothing is configured with regards to VLAN.
Unifi APs - connected to ports on the SG300; have 2 SSIDs presently configured, but they are essentially on the same subnet. One SSID is ideally for internal, authorized clients; the other is for guests, whom I'd like on the separate VLAN.
Unifi Controller

What I'd like to do:
  1. Create VLAN 1 on Fortigate
  2. Setup DHCP for VLAN 1 on Fortigate
  3. Setup SG300 to properly recognize untagged packets (the main, original organization) and packets with VLAN1 (guest network)
  4. Put guest network on VLAN 1 (this is the easiest to do, done on the Unifi controller)
  5. Have existing computers connect to the untagged, original /24 network, as well as those who connect to the proper non-guest network.
I have already created (not sure if I have set this up properly) VLAN 1 and the DHCP for VLAN 1 on the Fortigate on the same interfaces as the main network, but am unsure how to configure the SG300 so that only clients connecting via the guest network will be routed properly to the new DHCP/subnet.

Is there any end-to-end tutorial on configuring VLANs I could read up on? The tutorials I see mostly deal with single devices but don't really talk about how to have the switch properly talk to the router, and to the APs in particular.

I hope I haven't left out any other necessary information needed to help set this thing up.

In my screenshot - 10.10.1.0/24 - Original network; 10.11.1.0/24 - VLAN created for guest clients.

Thanks!
 

Attachments: FG.JPG
I don't know about the Fortigate or Cisco's small business lines (i.e., your SG switch), but for many devices (e.g., Cisco IOS) VLAN 1 is already the default (even if VLANs are "off") for untagged packets. I'd recommend using some other number. If I'm dealing with basic setups (and not worried about lining up/nesting subnets/supernets) I like to number the VLAN after the third octet of the IPv4 network address (e.g., subnet 192.168.10.0/24 would be on VLAN 10).

Since the switch is L3-capable there are two ways you can set things up. Either have the switch perform all routing and firewalling between the various subnets, or leave those tasks to the router. I'd lean towards the latter, if only for simplicity's sake (should be less to config on the switch) and because it doesn't appear there will be much cross-subnet talk anyways.

When dealing with VLANs there are two types of ports: access and trunk. Access ports are where you connect your end nodes (desktops, etc.). Each is typically assigned to a specific VLAN. Trunk ports are used to connect network devices (routers, switches) together. Each trunk port is configured to accept/forward multiple VLANs (and sometimes untagged packets). A trunk is what you want to set up between your switch and router. You'll also need to set up trunks between the switch and APs to support multiple SSIDs with unique VLANs.

FWIW, I don't like untagged subnets/segments. If I'm doing VLANs it's all-in. I'd recommend moving all nodes onto a VLAN when you feel comfortable with them. Were it me, to start I'd do something like:
VLAN 10: wired systems
VLAN 20: authorized wireless clients (e.g., company laptops)
VLAN 25: guest wireless

If you wanted to get more complex later and add some isolation you could add more VLANs, e.g.:
VLAN 50: services (e.g., internal file servers)
VLAN 55: printers
VLAN 99: admin network (e.g., router, switch, Ubiquiti controller and APs, etc.)
 
Ideally I'd like to migrate the untagged main network to a VLAN as well. If I were starting from scratch (or if I have a small network), this is what I'd do as well.

I'm unsure, however, of how the rest of the network will react (IPsec with 2 different sites, etc).

I'll look into setting trunks up between the router and the switch, as well as the switch to the APs.

Thanks!
 
I had a thread on here a few months ago where I was looking to do close to the same, after adding a L3 "Lite" switch to my network. I don't know much about your router, but on mine there was a section to set up interfaces, and a VLAN section under that. There I was able to set up which port I expected the VLAN to be coming in on (i.e. port 3), and what the VLAN tag would be (i.e. VLAN 4). For me, I had multiple VLANs coming in through port 3, so I set up each under port 3 (i.e. VLAN 5, 6). I then set up address pools and a DHCP server for each of the VLANs. This let me put all of the IoT devices on their own network (i.e. 192.168.1.0/24), my stuff on its own network, and my kids' stuff on its own network. I also set up a firewall rule to drop any cross-network communications.
I set up the switch to have all of the VLANs "tagged" on the port that led to the router (i.e. the trunk), so that the tags would be passed through to the router. I also tagged the port leading to the AP (just one for me) with all of the VLANs. I think the idea would be to tag any ports that have VLAN aware devices on them (so if you had a PC plugged directly into the switch, you would want the port it connected via to be untagged, since it would not be able to understand the VLAN tagging).
From there, as long as each SSID is tagged with the correct VLAN on the AP, you should be good.
Eventually I may move to putting more processing on the switch, but right now my setup works and is pretty uncomplicated. If I want to change the VLAN ID, I just update the ID on the AP and in the interfaces section of my router and it flows from there.
 
Thanks. Will need to go through documentation so I don't have to redo everything from scratch, since I have an untagged network currently running.
 
This is how you should do it without impacting your current production network:
  • Keep the untagged VLAN how it is for your current network
  • Create a new VLAN on the SG300 switch for the guest VLAN
  • Configure the interfaces connected to your APs as trunks
  • Create an additional SSID on your wireless controller for the guest wifi traffic. Tag this SSID for the guest VLAN ID
  • On the Fortigate configure a L3 interface with an IP on the guest VLAN subnet and connect it into an access port on your SG300 switch for this VLAN
  • Configure the DHCP so that the default gateway of the guest VLAN is the IP address of the L3 interface on your Fortigate
  • Configure DHCP for the guest VLAN so that it is using an external DNS source like OpenDNS or Quad9
  • If the guest VLAN needs resources on your existing production LAN (I would advise against this) then you'd need to create access rule policies on your Fortigate to permit this traffic from the guest VLAN interface to the production network interface.
With this configuration all traffic flowing in and out of the guest network must necessarily flow through your Fortigate firewall. Putting the guest traffic on another VLAN and then connecting that VLAN to an interface on the firewall is effectively the same as having a completely separate switch to another separate interface on the firewall from the rest of your production.
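The steps above turned into concrete commands, as an added example that is not from the thread. It assumes VLAN 50 for guests, the 10.11.1.0/24 subnet from the first post, SG300 port gi1 for an AP and gi8 for the link to the Fortigate, and Fortigate port2 as the guest interface with wan1 facing the internet; lines beginning with ! or # are annotations, not commands.

```text
! --- Cisco SG300 CLI: gi1 = Unifi AP (trunk, VLAN 1 untagged + VLAN 50 tagged), gi8 = Fortigate guest link (access, VLAN 50)
configure terminal
vlan database
 vlan 50
exit
interface gi1
 switchport mode trunk
 switchport trunk allowed vlan add 50
exit
interface gi8
 switchport mode access
 switchport access vlan 50
end
write
# --- FortiGate CLI: L3 interface, DHCP with Quad9 as resolver, and a single policy from guest to the internet
config system interface
    edit "port2"
        set vdom "root"
        set ip 10.11.1.1 255.255.255.0
        set allowaccess ping
    next
end
config system dhcp server
    edit 0
        set interface "port2"
        set default-gateway 10.11.1.1
        set netmask 255.255.255.0
        set dns-server1 9.9.9.9
        config ip-range
            edit 1
                set start-ip 10.11.1.100
                set end-ip 10.11.1.200
            next
        end
    next
end
config firewall policy
    edit 0
        set name "guest-to-internet"
        set srcintf "port2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

No policy from port2 to the production interface is created on purpose: FortiOS drops traffic that matches no policy, which is what keeps the guest VLAN off the production LAN.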
 
Great! Thanks!

In this case, I'm keeping the VLAN separate from the existing production LAN. This is for guests, and perhaps depending on management decision, employees' personal devices as well.

EDIT:

Got this working within the hour. Didn't think it would be as easy as it was. The GUI of the switch generally jived with what has been posted on here.

A quick overview of my settings:
VLAN1 - Untagged
VLAN50 - Tagged
AP - on VLAN50

Assigned VLAN50 to whatever ports are connected to the AP

Thanks to everyone again!

Some related questions -- if I have switches anywhere in between my managed L3 switch, the AP, and the fortigate:

1. Fortigate -> L3 Switch -> Unmanaged Switch -> AP
2. Fortigate -> Unmanaged Switch -> L3 Switch -> AP
Will any of these configurations work?

3. Fortigate -> L3 Switch -> L3 Switch -> AP
In this case, I will need to recreate all the VLANs on all the switches, and add the VLANs to the right ports, right?



EDIT2: For #1 and #2, the answer is no, based on research.
 
For best practices, you want infrastructure like APs on their own dedicated VLAN and not on your normal data traffic VLANs.

So for example:

VLAN1 - Untagged
VLAN2 - AP VLAN
VLAN50 - Guest VLAN

Then assign a static IP address to your APs on VLAN2 - this way, when you see traffic from these IP addresses in your network, you know exactly what the devices are (unless there are rogues - you could also not have a DHCP server on this VLAN).

Of the options you proposed, #1 definitely won't work because you need a managed switch to create a tagged interface between the AP and switch if you want the data traffic of devices connected to an SSID to be on a different VLAN than the one the AP itself or other SSIDs belong to. But, you've only really laid out a topology rather than specific configurations. I would recommend not having any unmanaged switches in your network if you can help it. Realistically, you'd use a L3 switch and connect that to your Fortigate. This switch will do all the inter-VLAN routing for your production VLANs, since they will generally all be trusted. If you wanted to firewall any traffic between these VLANs, then you'd use a trunk (tagged) interface up to the Fortigate, tag all VLANs, and create sub-interfaces on the Fortigate for each of the tagged VLANs.

Then from here, you'd have a PoE switch to connect all your APs, and each port that has an AP connected to it would be a trunk so the switch interfaces are VLAN aware of the tagged frames that are sent from the APs. A layer 3 switch is actually not even a requirement in any of these configurations - you just need a managed switch to create trunks/tagged interfaces.
 

Just to test my understanding for VLANs..... I think #1 and #2 COULD work, depending on the use case.

#1, if all of your traffic coming from the Unmanaged switch should be on a single VLAN, then you can force the L3 Switch to tag any packets coming through whichever port that unmanaged switch is connected to, as that VLAN. You would not be able to separate out the traffic coming from the unmanaged switch, but if you do not care, then this should work fine.

#2, I believe could also work, as long as your L3 switch is handling all of the routing/DHCP work, and only needs to connect to the router to access the internet. I am a bit fuzzy on this one, as I have yet to try to tackle having an L3 switch perform the routing/DHCP pieces. The actual router/firewall would be oblivious to VLANs, which is fine because the switch is handling that. You could still connect PCs that you do not want on any VLAN to the unmanaged switch, and they should work fine. Personally, I would connect both the unmanaged switch and managed switch to the router directly, as the unmanaged switch between the router and L3 switch doesn't really provide any value.
 
The unmanaged switch would drop any tagged frames since it is not dot1q aware. So the topology with the unmanaged switch connected to the OP's APs wouldn't work, since he needs to tag traffic on the guest SSID to be on a different VLAN.
 

Depending on use case this COULD work, but here is the only use case it will work under, and that is if you don't care about tagging your AP SSID with VLAN traffic. For example, you have an AP in a conference room, and you have an untagged guest SSID on that AP. You configure the port of the L3 switch as a VLAN <XX> access port; then any traffic coming into that port will be tagged as that VLAN and handed off to the router as such. The only devices aware of the VLANs are the router and L3 switch. If you are trying to have different SSIDs with different VLANs, then this setup will NOT work, as any traffic traversing an unmanaged switch is going to have the tags removed.
 
Unifi APs can tag VLAN per SSID. You can run an unmanaged switch between your PC and managed switch, and your traffic can still be tagged, just keep in mind everything on the unmanaged switch is going to be on the same VLAN. I have configured Layer 3 on that specific switch with VLANs before. The main thing is just configuring the default gateway for each subnet on your firewall. The speed benefit can be great, and you take stress off the firewall.

If you need to see a Layer 3 config for the SG300, I can send you one. Let me know.
 

This is highly dependent on the switch: while many unmanaged switches will just forward tagged frames through, some will strip the tags, and others may just think they're malformed packets and drop them altogether.
 