Asked by YaYangTeah (Malaysia)

Firewall with multiple VLANs

Recently we bought a new Fortinet 100D firewall to secure our company network. Our network is 192.168.101.0/24.

Now our network is a flat network, and we would like to implement VLANs as well.

We have one Cisco 3750 switch, which we have already configured. The firewall LAN port uses 192.168.101.1/24 and is connected directly to a switch port, and this works without any issue.

Questions:
1. If we create the subinterfaces 10 (Management), 20 (Server), 30 (Users), 40 (Wifi) and 200 (Voice), what do I need to configure on the switch port connected to the firewall?
*All the traffic must be visible in our firewall.

2. Our DHCP server is running inside Hyper-V, and the switch port is currently configured with LACP in switchport mode access, allowing VLAN 1 only. Do I need to configure it as a trunk with a native VLAN? If a native VLAN is required, which VLAN should I configure?

3. How do I migrate all my servers to VLAN 10 without downtime?

4. What is the purpose of a management VLAN? I put it there just from researching online; many people design it this way.

5. How do I configure the switch ports that users connect to? Currently all the users connect their PCs via Cisco IP Phones.
ASKER CERTIFIED SOLUTION
Aaron Tomosky (United States of America)
(Solution text available to Experts Exchange members only.)

Let's add some definitions.

Access ports: on a switch, they connect to end-user devices (think printer, desktop and phone). Traffic is untagged when it hits the first switch.

Trunk ports: on a switch, they connect switches to switches or to other network devices. They normally carry tagged (VLAN-tagged) traffic, but can carry untagged traffic that usually ends up in a default VLAN, often VLAN 1.

Routers and firewalls can handle the VLAN traffic, whether Layer 2 (think MAC addresses) or Layer 3 (think IP-addressed traffic).

Some of the hybrids (Juniper SRX, Palo Alto and Fortinet) act as security (firewall), router and switch all in one device.

That being said, these days most small and midsize companies have 2 VLANs: data and voice/video.

Of course you can have more, but you are adding another layer of complexity to your network and its troubleshooting when things go sideways. They always do.

Sometimes management traffic is separated as a security measure:

Often as a dedicated IP and limited access to said IP.

Rarely as a dedicated VLAN.

That being said, all these changes are possible, but based on the entry-level questions I would recommend some advanced/expert-level assistance in the setup.

And finally the KISS principle reminds us to keep it super simple. That is a proven fact in networking.

All of this is my humble opinion. I'm sure someone might recommend more is better, but after 20+ years doing this and teaching the world's largest networks, I stand by the simple reminder.

Hi bud,

You can do everything in a granular way.

1- Let the 3750 switch do the routing. Meaning: create all the VLANs (10, 20, 30, 40 and 50 voice) on the switch and later give each of those VLANs a unique port.

2- Let the switch be the default gateway for each VLAN.

Example:
vlan 10 = 192.168.1.1
vlan 20 = 192.168.2.1
vlan 30 = 192.168.3.1

I'm sure you get the point.

3- Create a Layer 3 uplink from the switch to the firewall. Give one IP address to one port of the switch and one IP address to the LAN of the firewall.

4- Create a default route from the switch to the firewall like this: route 0.0.0.0 0.0.0.0 10.0.0.1, where 10.0.0.1 is the IP address of the router and 10.0.0.2 is the IP address you have given to the switch.

In your firewall, NAT all your IP addresses, or you can summarize them, combining them into one subnet to be NATed.

The management VLAN is dedicated to managing all the devices in your organization, thus regular VLANs like 10, 20 and so forth won't have access to SSH, Telnet, etc.

Once you get the idea you should be good.
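The access/trunk/native definitions from the earlier answer and the switch-routed design from this one, written out as a Cisco IOS configuration for a 3750. This is an added example, not part of any answer on this page. The VLAN IDs 10/20/30/40/200 come from the question and the 192.168.x.1 gateways and the 10.0.0.1/10.0.0.2 uplink pair follow this answer; the interface numbers, the 10.0.0.0/30 mask, VLAN 999 as an unused native VLAN, the DHCP server address 192.168.2.10, port-channel 1 and the MGMT-ONLY access list are assumptions made for the example.

```cisco
! Added example (not from the page): Cisco 3750 routing between VLANs,
! with a routed uplink to the firewall. Interface numbers are assumed.
ip routing
!
! --- VLAN definitions (IDs from the question) ---
vlan 10
 name Management
vlan 20
 name Servers
vlan 30
 name Users
vlan 40
 name Wifi
vlan 200
 name Voice
! Assumed: a parking VLAN so trunks carry no untagged traffic in a real VLAN
vlan 999
 name Unused-Native
!
! --- SVIs: the switch is the default gateway for each VLAN (answer step 2) ---
interface Vlan10
 description Management
 ip address 192.168.1.1 255.255.255.0
interface Vlan20
 description Servers (DHCP server 192.168.2.10 assumed to live here)
 ip address 192.168.2.1 255.255.255.0
interface Vlan30
 description Users
 ip address 192.168.3.1 255.255.255.0
 ip helper-address 192.168.2.10
interface Vlan40
 description Wifi
 ip address 192.168.4.1 255.255.255.0
 ip helper-address 192.168.2.10
interface Vlan200
 description Voice
 ip address 192.168.200.1 255.255.255.0
 ip helper-address 192.168.2.10
!
! --- Routed uplink to the firewall (answer steps 3 and 4): no VLAN tags here ---
interface GigabitEthernet1/0/1
 description Uplink to FortiGate LAN port 10.0.0.1
 no switchport
 ip address 10.0.0.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
! --- Trunk to the Hyper-V host (question 2): LACP bundle, VLAN 1 left untagged
! --- only while VMs are being moved to tagged VLAN 20; drop it afterwards
interface range GigabitEthernet1/0/10 - 11
 description Hyper-V host NIC team
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,20
 channel-group 1 mode active
!
! --- Access ports with a voice VLAN (question 5): PC behind a Cisco IP phone ---
interface range GigabitEthernet1/0/20 - 40
 description User PC behind IP phone
 switchport mode access
 switchport access vlan 30
 switchport voice vlan 200
 spanning-tree portfast
!
! --- Management VLAN: only hosts in 192.168.1.0/24 may reach the switch CLI.
! --- Assumes SSH is already enabled (hostname, ip domain-name, crypto key).
ip access-list standard MGMT-ONLY
 permit 192.168.1.0 0.0.0.255
 deny any log
line vty 0 15
 access-class MGMT-ONLY in
 transport input ssh
```

Two things this answer leaves implicit. First, the firewall needs static routes for each 192.168.x.0/24 subnet pointing back to 10.0.0.2, or return traffic never reaches the VLANs. Second, with routing on the 3750, VLAN-to-VLAN traffic never crosses the firewall, which conflicts with the question's "all the traffic must be visible in our firewall". If that requirement stands, omit the SVIs and the default route, make the firewall-facing port a dot1q trunk (the same lines used for the Hyper-V trunk, with the allowed VLAN list covering every VLAN), and put the gateways on the FortiGate subinterfaces so every inter-VLAN packet is policy-checked there.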
There are many good articles on basic networking here on the site, written by our folks. Just search:
Networks
Network design
Network security

Here is an example:
https://www.experts-exchange.com/articles/22179/Network-Ports-what-they-are-and-they-work.html