tim_carter asked:
Switch that allows you to configure a subnet per port?

Hi Guys,

I have a Netgear FSM7226RS that supports VLAN tagging per port.

But I am setting up a TMG server and it does not have VLAN support.

Can I get a switch that lets you configure each port with its own subnet?

So
Port1 = 10.10.101.1/255
Port2 = 10.10.102.1/255

etc?
hypercube:

The answer to this question depends slightly on what you really want to accomplish.  Switches support connectivity in various ways.
A good reference is:
http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_1-2/switch_evolution.html

So, you can set up as many subnets as you like to work through a simple switch and it will work.  This is somewhat like using VLANs but not entirely of course.
The question is: "How much separation between subnets is necessary?"
A simple switch provides separation by virtue of the IP addresses and broadcast domains being different.
VLANs provide separation at the switch port level.
In either case, you need a router that will interconnect the subnets.  Perhaps your TMG Server will perform that routing function and perhaps you need a router in the network - depending on your objectives.

It doesn't seem to me to make much sense to have a switch where "each port has its own subnet".  If it did, what would it talk to (within the switch)?
Infamus:
I would just buy a layer 3 switch which supports intervlan routing.

TMG doesn't have to support VLANs if I understand your question correctly.

If all the VLANs are okay to communicate with each other, then use a large subnet, like a /16, instead of VLANs.
tim_carter (asker):

Well, I don't want any of the ports to see each other; that's why we have been using VLANs so far. Each port is its own VLAN, and each VLAN is assigned its own subnet, so like:

port 1 = vlan1 (10.10.101.1)
port 2 = vlan2 (10.10.102.1)

All ports go to port 48, then our Fortinet takes over and translates VLANs to subnets. But I can't do that on my TMG server, so I am trying to find a solution for this, because it is very important that none of the ports can see each other.
Craig Beck:
With respect, I don't think you're understanding the concept of VLANs.

Are you saying that you want each PC to be completely separated from the others and that you want the TMG to be able to provide internet access for each one?
tim_carter (asker):
We have 100 VLANs. Right now each VLAN is attached to only one port at a time, so port1 = VLAN 1. It has its own subnet.

This is because we have about 100 tenants and of course none of the tenants are allowed to see each other for security purposes.

Right now our Fortinet assigns a subnet to each VLAN and routes it to the internet port we want.

But we want to take the Fortinet out of the loop and run it through a TMG instead.

But since TMG does not support VLAN tagging, we can't tell TMG that vlan1 is subnet 10.10.101.1 as an example. I am thinking I will have to run the traffic through the Fortinet and convert the VLANs to virtual IPs and then have the TMG on the other side as a gateway.

With all due respect, I don't think you understand the question. I don't think a switch exists that does what I want.
Craig Beck (asker-certified solution):
Also,
But since TMG does not support VLAN tagging, we can't tell TMG that vlan1 is subnet 10.10.101.1 as an example. I am thinking I will have to run the traffic through the Fortinet and convert the VLANs to virtual IPs and then have the TMG on the other side as a gateway.
The TMG has no concept of VLANs, but the OS does.  You just need a NIC/driver that supports VLANs.  TMG deals with NICs perfectly.
So, in answer to your question, now that you've explained your requirement properly...

You need a switch which supports Private VLANs.  Your TMG server connects to the switch and has ONE subnet only.  The type of port you would configure for the TMG is a promiscuous port.

Each host uses an IP address on the same subnet, but the switch blocks all hosts from seeing each other while still being able to route out of the TMG using a single interface/VLAN/subnet/whatever you want to call it.  The ports that hosts connect to are called isolated ports.
I've requested that this question be deleted for the following reason:

I did not get the results I was looking for
I really can't waste any more time on this conversation with you. If you had read what I wrote you would see that I say countless times that we are running VLANs as we speak.
Your implementation is poor.  You've not used the correct equipment to do what you need.  That's simple enough.

I'm trying to help and you're being rude.  Therefore it is me who is wasting time - not you.
Answer is provided.
I just happened to read the comments since I posted here.

Tim, I'm not sure why you got mad in the first place, and I saw the same topic in a different location.

craig spent good time trying to help you out and I totally agree that he DID provide an answer for you.

Private VLAN capable switch is what you need and it is designed for that purpose.

We are all trying to help each other here so let's cool it down.
@Infamus - thanks buddy :-)
Moderator, please move these points to craigbeck as he provided the answer.
Tim,
We are all here to help, and in order to provide the best solution we first need to understand what the question is and what needs to be achieved.  That is like 90% of the problem-solving process.

It is most likely that when you ask a question you think it explains the whole scenario, because you are the one who knows the setup.  For the most part, we are new to how your environment is set up and are trying to learn so we can help.  Not every network is set up the same way, so it is quite difficult to understand the individual settings, and that is why we ask questions and sometimes ask for diagrams to understand yours better.

As for standing up for Craig, I don't even know him, except that he has commented on my questions a few times; I have never even communicated with him.

My comments are strictly from a third-person point of view, and I noticed that he was trying to provide the solution as much as he could.

I just think there's a misunderstanding, and it should easily be avoided if you step back and put yourself in the position of someone who is trying to help but does not quite understand what the question is about.

And for the solution, according to what you described above, craig's recommendation is the solution for sure and he deserved to get the credit.

Thanks.
Infamus, just so we are clear I gave you the point because you are right, I need a Layer 3 switch. Just bought 2
...and if you bought a L3 switch which can't do PVLANs you'll be taking them back to the shop!

If you think about the solution you're going to attempt to install now, you're still going to need a TMG or similar in order to do the NAT/Internet part in a secure fashion.  The L3 switch will add no value whatsoever.  You might as well use a standard L2 switch which supports PVLANs.  Job done.

I think it's time to end your 10 year account which you've abused for the most part.  You've not added any value to the site whatsoever judging on your past record - answering your own questions with silly comments, etc...
Infamus answered this question. I needed a Layer 3 switch. Craig did nothing but cause trouble, and I really don't see why he is awarded points for his crazy behavior. Please give the points back to Infamus, who understood my question. And diverseit, I completely agree with you; it should not turn out like this. But I still really don't see why Craig would be in any position to tell anyone how they should use their account. I have been a 10-year member and have gotten EE more than a thousand members because I have always liked the site. Sadly this will not happen any more. "And now of course Craig will come with a lame post like 'good'", but we all know that it is not good business. I have requested deletion of my account because I will not be part of something like this anymore. It has been fun, EE. Take care. And thanks to all the members that have really been a help.
I understand you're upset, Tim, but please hear me out and don't take these comments the wrong way - I am being completely sincere now.

The OP asked:
Hi Guys,

I have a Netgear FSM7226RS that supports vlan tagging per port.

But I am setting up an TMG server and it does not allow VLAN support.

Can I get a switch that supports that you can configure each port with its own subnet.

So
Port1 = 10.10.101.1/255
Port2 = 10.10.102.1/255

etc?
You were practically asking for a Layer3 switch without knowing what it was called, or if such a thing even existed.  I made the comment regarding my not thinking you understood VLANs properly not to insult you but rather I said it respectfully as your question says to me that you aren't proposing to implement the solution in the most effective manner or that you understand the concept of Layer2 vs Layer3.

In your other question which is related to this one (https://www.experts-exchange.com/questions/28293575/VLAN-and-Microsoft-TMG-2010.html) you asked:
Hey guys, I am trying to replace our broken forginet router with a Microsoft TMG, but I cant see anywhere how to setup vlan tagging, we have 2 switches with about 100 vlans behind the fortinet.

Can I not use the TMG to control VLAN behavior?
That didn't explain the multi-tenant scenario or the requirement to block inter-client traffic either.  I had read the question several times, but you didn't include the vital part which suggested that the clients shouldn't be able to see each other.  That was what was missing from my understanding, so if it appeared that I didn't grasp what you were asking, it was genuinely for a good reason.  Had you explained the client isolation requirement at the beginning, I would not have suggested using a Layer3 switch in that question.  I would have immediately advised you to use a standard Layer2 switch which supports PVLANs.

Therefore, Infamus' post which also suggested purchasing a Layer3 switch is not the answer and will not provide the solution.

What you need is a layer-2 switch which supports private VLANs.  This will allow you to use one single VLAN/subnet and the TMG in an External firewall configuration with complete success.  It will also greatly simplify the network, as you'll only have to deal with one subnet for all clients and no routing whatsoever.  A Layer3 switch would allow all clients to 'see' each other, as inter-VLAN routing would be possible.  This is not desired and is not the answer.

Here are some brief guides regarding PVLANs and how they work...

http://blog.ciscoinferno.net/multiple-tenant-same-switch-private-vlans

http://www.networkpcworld.com/understanding-private-vlans-primary-promiscuous-and-secodary-isolated-or-community-vlans/

http://www.sysxperts.com/vmware/virtual-networking/private-vlans

I tell you what, Tim... If you do change your mind and decide to stay with EE, let us know how you get on, and if you need a hand I will be more than happy to give you any assistance you need.  I'm here to help, in my own free time, because I like to do it - not because I want to argue all day.  I get enough of that at work :-)
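The private-VLAN design Craig describes in his certified answer and again in this last post (one subnet, a promiscuous port for the TMG, isolated ports for the tenants), written out as a switch configuration. This is an example added here in Cisco IOS syntax, not configuration from the thread, from Netgear or from the TMG; the VLAN numbers, interface names and the 10.10.100.0/24 subnet are assumed.

```cisco
! Added example in Cisco IOS syntax; VLAN ids, port numbers and the
! subnet are assumptions, not values from the thread.
! Private VLANs on IOS require VTP transparent mode (VTP v1/v2).
vtp mode transparent
!
! Primary VLAN 100 carries the single shared subnet (10.10.100.0/24)
! that the TMG internal NIC serves as default gateway.
vlan 100
 private-vlan primary
 private-vlan association 101
!
! Secondary isolated VLAN 101: a host here can reach only promiscuous
! ports, never another isolated host, even though they share a subnet.
vlan 101
 private-vlan isolated
!
! TMG internal NIC: promiscuous port, sees every tenant in VLAN 100.
interface GigabitEthernet1/0/48
 description TMG-internal-NIC
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
!
! Tenant ports 1-47: isolated host ports, all mapped to the same pair.
interface range GigabitEthernet1/0/1 - 47
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Verify the association and per-port roles:
!   show vlan private-vlan
!   show interfaces GigabitEthernet1/0/1 switchport
```

Isolation holds only at Layer 2: the gateway on the promiscuous port must not proxy-ARP for or forward traffic back into the same subnet, so keep proxy ARP off on the TMG internal interface and check its firewall policy denies hairpinned internal-to-internal traffic.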