Looking for lan/vlan help

[ccices]

Ok.. I think I get it.
So, when i first set up the Fortigate and used the Wizard, I created the subnet that I then added the switch and access points to.
Now I am adding 3 seperate subnet interfaces in the fortigate for each of the areas
On the switch, I would only have ports tagged to the vlan that I need it to communicate with. So since I want wireless access, the 2 ports where the AP plug into would be tagged in each VLAN that needs to use the AP. Within the AP I can tag each SSID I create to only work with that specific VLAN.

I would take a separate port from the fortigate to each VLAN I build (or could I tag the one port for all VLANS?)

I would set firewall ans security rules and policy in the fortigate for each VLAN.

Now, if I could only upload a beer...

 

[abailey]

Ok.. I think I get it.
So, when i first set up the Fortigate and used the Wizard, I created the subnet that I then added the switch and access points to.
Now I am adding 3 seperate subnet interfaces in the fortigate for each of the areas
On the switch, I would only have ports tagged to the vlan that I need it to communicate with. So since I want wireless access, the 2 ports where the AP plug into would be tagged in each VLAN that needs to use the AP. Within the AP I can tag each SSID I create to only work with that specific VLAN.

I would take a separate port from the fortigate to each VLAN I build (or could I tag the one port for all VLANS?)

I would set firewall ans security rules and policy in the fortigate for each VLAN.

Now, if I could only upload a beer...

I am not sure if you are saying the correct thing. The only tagged ports you should have on the switch are ports where you need to send multiple VLANs down one cable. An example of this would be your AP's if you want multiple VLAN's serviced by a single AP. In that scenario you would make the port that the AP is plugged into a tagged member of any VLAN you want it to support. Then on the AP itself you will need to define those VLAN's (using the same VLAN number you used in the switch) and then assign them to SSID's. All computers and other devices should be an untagged member of whatever VLAN you want them in. Now you asked about the firewall. The easiest way to set it up is probably to use different interfaces for different VLAN's. You can, however, send all VLAN's to one interface. On the switch you would do the same thing you did for the AP's. The port you will use to uplink to the firewall needs to be a tagged member of any VLAN you want to send to the router. The tricky part comes in the router. Here you must set up virtual interfaces for each subnet on the one port you are connecting back to the switch. If you know how to do that then you could use just one connection on the router to service all the VLAN's.

PS: I forgot. If you do use separate interfaces on the router for each VLAN then it would be easiest to make the switch port connecting to each router port, an untagged member of its VLAN. Since you would only be sending one VLAN down each port there is no need to make it a tagged port (since a router is VLAN aware you could make it a tagged port but then you may have to define that VLAN in the router which is just extra work if you don't have to).

 

[funkahdafi]

Correct.

You are using the word "tagging" wrong You do NOT want any of your ports to be tagged. Just as Abailey said. Also SSIDs cannot be tagged at all. If you see the term tag/tagging on your switch config, don't enable it. It will break things in your setup.