
FortiWLC – VLAN Pooling

VLAN Pooling

To reduce the size of broadcast domains and the risk of running out of address space, you can enable VLAN pooling in an ESS profile.

VLAN pooling lets administrators create a named alias for a subset of VLANs, so that the group acts as one pool of addresses. When a client/device associates to an ESS that uses a VLAN pool, it is assigned to one specific VLAN from that pool. This lets you manage the network by monitoring the particular VLANs or VLAN pools that matter to you.

Features
  • You can associate up to 16 VLANs to a pool.
  • You can create a maximum of 64 VLAN Pools.
  • You can specify the maximum number of clients that can be associated to a VLAN.
  • The client/device behaviour does not change after it is assigned to a VLAN in a pool. If a VLAN is removed from a VLAN pool, clients/devices connected to that VLAN stay on it. However, if a client disconnects and reconnects, its VLAN can change.


Configuration
Using WebUI
Using CLI
  1. Configure the VLAN:

    default(config)# vlan vlan10 tag 10
    default(config-vlan)# ip address 10.0.0.222 255.255.255.0
    default(config-vlan)# ip default-gateway 10.0.0.1
    default(config-vlan)# exit
    default(config)# exit
    default# sh vlan vlan10

    VLAN Configuration

    VLAN Name                             : vlan10
    Tag                                   : 10
    Ethernet Interface Index              : 1
    IP Address                            : 10.0.0.222
    Netmask                               : 255.255.255.0
    IP Address of the Default Gateway     : 10.0.0.1
    Override Default DHCP Server Flag     : off
    DHCP Server IP Address                : 0.0.0.0
    DHCP Relay Pass-Through               : on
    Owner                                 : controller
    Maximum number of clients             : 253

  2. Configure the VLAN pool:

    default(config)# vlan-pool vlangroup
    default(config-vpool)# tag-list 10,36
    default(config-vpool)# exit
    default(config)# exit
    default# sh vlan-pool

    VLAN Pool Name           Vlan Pool Tag List
    vlangroup                10,36

    VLAN Pool Configuration(1 entry)


FortiWLC – More About VLANs

More About VLANs

FortiWLC (SD) provides commands for configuring both virtual LANs (VLANs) and Generic Routing Encapsulation (GRE) tunnels to separate traffic using logical rather than physical constraints. As an alternative to VLANs, GRE tunneling can be configured on either Ethernet interface, as described in Configure GRE Tunnels in the Security chapter. VLANs and GRE tunnels can coexist within any given network, logically segmenting traffic by organization or function. In this way, all systems used by a given organization can be interconnected independent of physical location. This has the benefit of limiting the broadcast domain and increasing security.

VLANs, when used in conjunction with multiple ESSIDs (see the ESSID chapters in this guide), allow you to support multiple wireless networks on a single access point. You can create a one-to-one mapping of ESSID to VLAN or map multiple ESSIDs to one VLAN.

Customized security configuration by VLAN is also supported. By assigning a Security Profile to a VLAN, you can fine-tune the security requirements based on the use of the VLAN.

Dynamic VLAN support in Bridge mode

FortiWLC – Delete a VLAN

Delete a VLAN

You cannot delete a VLAN if it is currently assigned to an ESSID. You cannot delete a VLAN created by E(z)RF Network Server; that must be done from Network Server. To delete a VLAN created on a controller, use the following command in global configuration mode:

    no vlan <name>

For example, to delete the VLAN name vlan1, enter the following:

    controller(config)# no vlan vlan1
    controller(config)#

FortiWLC – VLAN Tagging in Bridge Mode for Wired Ports

VLAN Tagging in Bridge Mode for Wired Ports

You can enable VLAN tagging for wired ports in bridged mode. VLAN tagging for wired ports provides four VLAN policies:

  • No VLAN
  • Static VLAN: the VLAN tag must be in the range 0-4094.
Configuring VLAN Tagging
Using CLI

In the port profile configuration, use the following commands to specify the policy and the VLAN tag:

    default(config-port-profile)# port-ap-vlan-policy
    default(config-port-profile)# port-ap-vlan-tag


FortiWLC – Bridged APs in a VLAN

Bridged APs in a VLAN

When creating an ESS, the AP400/AP822/AP832, FAP-U421EV, FAP-U423EV and AP1000 can be configured to bridge client traffic directly to their Ethernet interface. This is called bridged VLAN dataplane mode (per ESSID); it is also sometimes known as Remote AP mode. These AP models can also tag the Ethernet frames on egress with 802.1Q VLAN tags and set the 802.1p priority bits. Bridging is configured by setting the Dataplane Mode parameter in the ESS profile to Bridged (the default is Tunneled).


In Tunneled mode, all traffic in an ESS is sent from the AP to the controller, and then forwarded from there. This is configured on a per ESS profile basis. In Bridged mode, client traffic is sent out to the local switch. Fortinet control and coordination traffic is still sent between the AP and the controller.

Remote AP400s can use VLANs with FortiWLC (SD) 4.0 and later. When configuring an ESS, the Dataplane Mode setting (Tunneled or Bridged) selects the type of AP/controller configuration.

Bridged VLANs support:

  • Non-Virtual Cell
  • Virtual Port
  • RADIUS profile for Mac Filtering/1x/WPA/WPA2
  • Standard DSCP/802.1q to AC mapping defined in WMM
  • RADIUS assigned VLANs (even with 802.1x)
  • QoS Rules

See the ESSID chapters in this guide for more information on configuring an ESSID.

FortiWLC – Configure and Deploy a VLAN

Configure and Deploy a VLAN

VLANs can be configured/owned either by E(z)RF Network Manager or by a controller. You can tell where a profile was configured by checking the read-only field Owner; the Owner is either nms-server or controller.

In order to map an ESSID to a VLAN, the VLAN must first be configured. To create a VLAN from the CLI, use the command vlan <name> tag <id>. The name can be up to 16 alphanumeric characters long and the tag id between 1 and 4,094.

For example, to create a VLAN named guest with a tag number of 1, enter the following in global configuration mode:

    controller(config)# vlan guest tag 1
    controller(config-vlan)#

As shown by the change in the prompt above, you have entered VLAN configuration mode, where you can assign the VLAN interface IP address, default gateway, DHCP Pass-through or optional DHCP server (if specified, this DHCP server overrides the controller DHCP server configuration).

In the following example, the following parameters are set:

  • VLAN interface IP address: 10.1.1.2 with a subnet mask of 255.255.255.0
  • Default gateway: 10.1.1.1
  • DHCP server: 10.1.1.254

    controller(config-vlan)# ip address 10.1.1.2 255.255.255.0
    controller(config-vlan)# ip default-gateway 10.1.1.1
    controller(config-vlan)# ip dhcp-server 10.1.1.254
    controller(config-vlan)# exit
    controller(config)#

To create a VLAN from the GUI, click Config > Wired > VLAN > Add.
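The VLAN creation procedure above and the VLAN pool procedure in the VLAN Pooling section share a small set of limits stated in this guide: a name of up to 16 alphanumeric characters, a tag between 1 and 4094, at most 512 VLANs, at most 16 VLANs per pool and at most 64 pools. The following Python script is an added example, not FortiWLC or Fortinet code: it checks a planned set of VLANs and pools against those limits and emits the CLI lines in the form this guide uses, so the plan can be reviewed before it is pasted into the controller. The plan data is constructed for the example, the "address/prefix" interface notation is the script's own input format, and the rule that a pool may only list tags of VLANs defined in the same plan is the script's assumption rather than a documented controller check.

```python
"""Pre-flight check and CLI rendering for a FortiWLC VLAN / VLAN-pool plan.

Added example, not FortiWLC code. Limits come from this guide; the rule that
a pool may only reference VLANs defined in the same plan is an assumption.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

MAX_VLANS = 512            # "You can create up to 512 VLANs"
MAX_POOLS = 64             # "maximum of 64 VLAN Pools"
MAX_VLANS_PER_POOL = 16    # "up to 16 VLANs to a pool"
NAME_RE = re.compile(r"^[A-Za-z0-9]{1,16}$")   # up to 16 alphanumeric characters


@dataclass
class Vlan:
    name: str
    tag: int
    interface: str                     # controller address on the VLAN, e.g. "10.0.0.222/24"
    gateway: str
    dhcp_server: Optional[str] = None  # optional per-VLAN DHCP server override


@dataclass
class VlanPool:
    name: str
    tags: List[int] = field(default_factory=list)


def validate(vlans: List[Vlan], pools: List[VlanPool]) -> List[str]:
    """Return the problems found; an empty list means the plan is acceptable."""
    problems: List[str] = []
    if len(vlans) > MAX_VLANS:
        problems.append(f"{len(vlans)} VLANs exceeds the limit of {MAX_VLANS}")
    names, tags = set(), set()
    for v in vlans:
        if not NAME_RE.match(v.name):
            problems.append(f"vlan {v.name!r}: name must be 1-16 alphanumeric characters")
        if not 1 <= v.tag <= 4094:
            problems.append(f"vlan {v.name!r}: tag {v.tag} is outside 1-4094")
        if v.name in names:
            problems.append(f"vlan {v.name!r}: duplicate VLAN name")
        if v.tag in tags:
            problems.append(f"vlan {v.name!r}: tag {v.tag} is already used")
        names.add(v.name)
        tags.add(v.tag)
        try:
            iface = ipaddress.ip_interface(v.interface)
            if ipaddress.ip_address(v.gateway) not in iface.network:
                problems.append(f"vlan {v.name!r}: gateway {v.gateway} is not in {iface.network}")
            if v.dhcp_server is not None:
                ipaddress.ip_address(v.dhcp_server)
        except ValueError as exc:
            problems.append(f"vlan {v.name!r}: bad address: {exc}")
    if len(pools) > MAX_POOLS:
        problems.append(f"{len(pools)} pools exceeds the limit of {MAX_POOLS}")
    pool_names = set()
    for p in pools:
        if p.name in pool_names:
            problems.append(f"vlan-pool {p.name!r}: duplicate pool name")
        pool_names.add(p.name)
        if len(p.tags) > MAX_VLANS_PER_POOL:
            problems.append(f"vlan-pool {p.name!r}: {len(p.tags)} tags exceeds {MAX_VLANS_PER_POOL}")
        if len(set(p.tags)) != len(p.tags):
            problems.append(f"vlan-pool {p.name!r}: duplicate tags in tag-list")
        unknown = sorted(set(p.tags) - tags)
        if unknown:  # assumption: pool members must be VLANs defined in this plan
            problems.append(f"vlan-pool {p.name!r}: tags {unknown} are not defined as VLANs")
    return problems


def render(vlans: List[Vlan], pools: List[VlanPool]) -> str:
    """Emit the global-configuration-mode CLI lines for the plan."""
    lines: List[str] = []
    for v in vlans:
        iface = ipaddress.ip_interface(v.interface)
        lines.append(f"vlan {v.name} tag {v.tag}")
        lines.append(f" ip address {iface.ip} {iface.network.netmask}")
        lines.append(f" ip default-gateway {v.gateway}")
        if v.dhcp_server is not None:
            lines.append(f" ip dhcp-server {v.dhcp_server}")
        lines.append(" exit")
    for p in pools:
        lines.append(f"vlan-pool {p.name}")
        lines.append(" tag-list " + ",".join(str(t) for t in p.tags))
        lines.append(" exit")
    return "\n".join(lines)


# Constructed plan mirroring the VLAN Pooling example (vlan10 plus a second VLAN pooled as "vlangroup").
PLAN_VLANS = [
    Vlan("vlan10", 10, "10.0.0.222/24", "10.0.0.1"),
    Vlan("vlan36", 36, "10.0.36.2/24", "10.0.36.1", dhcp_server="10.0.36.254"),
]
PLAN_POOLS = [VlanPool("vlangroup", [10, 36])]

# Constructed bad plan: illegal name and tag, gateway off-subnet, pool with a duplicate and an undefined tag.
BAD_VLANS = [Vlan("guest wifi", 0, "10.1.1.2/24", "10.2.0.1")]
BAD_POOLS = [VlanPool("pool1", [10, 10, 99])]

if __name__ == "__main__":
    for label, vl, pl in (("good", PLAN_VLANS, PLAN_POOLS), ("bad", BAD_VLANS, BAD_POOLS)):
        issues = validate(vl, pl)
        print(f"[{label}] {len(issues)} problem(s)" + "".join(f"\n  - {m}" for m in issues))
        if not issues:
            print(render(vl, pl))
```

Running the script prints the rendered configuration for the good plan and five findings for the bad one. The gateway-in-subnet check catches the most common copy-and-paste mistake when many VLAN interfaces are created in a row; the undefined-tag check on pools prevents a pool from silently handing out a VLAN the controller cannot route.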

FortiWLC – Configuring VLANs

Configuring VLANs

A virtual local area network (VLAN) is a broadcast domain that can span across wired or wireless LAN segments. Each VLAN is a separate logical network. Several VLANs can coexist within any given network, logically segmenting traffic by organization or function. In this way, all systems used by a given organization can be interconnected independent of physical location. This has the benefit of limiting the broadcast domain and increasing security. VLANs can be configured in software, which enhances their flexibility. VLANs operate at the data link layer (OSI Layer 2), however, they are often configured to map directly to an IP network, or subnet, at the network layer (OSI Layer 3). You can create up to 512 VLANs.

IEEE 802.1Q is the predominant protocol used to tag traffic with VLAN identifiers. VLAN1 is called the default or native VLAN. It cannot be deleted, and all traffic on it is untagged. A trunk port is a network connection that aggregates multiple VLANs or tags, and is typically used between two switches or between a switch and a router. VLAN membership can be port-based, MAC-based, protocol-based, or authentication-based when used in conjunction with the 802.1X protocol. Used in conjunction with multiple ESSIDs, VLANs support multiple wireless networks on a single Access Point using either a one-to-one mapping of ESSID to VLAN, or mapping multiple ESSIDs to one VLAN. By assigning a security profile to a VLAN, the security requirements can be fine-tuned based on the use of the VLAN, providing wire-like security or better on a wireless network.
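Both the bridged-AP section above (APs tagging egress frames with 802.1Q and setting the 802.1p priority) and this paragraph (tagged traffic versus the untagged native VLAN) come down to the same 4-byte 802.1Q tag: TPID 0x8100, then a 16-bit TCI holding the 3-bit priority, the DEI bit and the 12-bit VLAN ID, inserted between the source MAC and the EtherType. The following Python code is an added example, not FortiWLC code: it builds and decodes tagged and untagged frames, using a constructed ARP request as the sample payload. The allowed_on_port() ingress check is the example's own illustration of why a switch or AP port should only accept the VIDs provisioned on it, not a documented controller feature.

```python
"""Build and decode IEEE 802.1Q-tagged Ethernet frames.

Added example, not FortiWLC code. The frame layout follows IEEE 802.1Q;
the allowed_on_port() policy is this example's own illustration.
"""
import struct
from typing import Iterable, NamedTuple, Optional

TPID_8021Q = 0x8100


class Frame(NamedTuple):
    dst: str
    src: str
    vid: Optional[int]  # None when untagged; 0 means priority-tagged, no VLAN membership
    pcp: int            # 802.1p priority 0-7 (0 when untagged)
    dei: bool           # drop eligible indicator
    ethertype: int
    payload: bytes


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0, dei: bool = False) -> bytes:
    """Return the raw frame; with vid=None no 802.1Q tag is inserted."""
    tag = b""
    if vid is not None:
        if not 0 <= vid <= 4094 or not 0 <= pcp <= 7:
            raise ValueError("VID must be 0-4094 and PCP 0-7")
        tci = (pcp << 13) | (int(dei) << 12) | vid
        tag = struct.pack("!HH", TPID_8021Q, tci)
    return _mac_bytes(dst) + _mac_bytes(src) + tag + struct.pack("!H", ethertype) + payload


def parse_frame(raw: bytes) -> Frame:
    """Decode the Ethernet header and, if present, the single outer 802.1Q tag."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = _mac_str(raw[0:6]), _mac_str(raw[6:12])
    (tpid,) = struct.unpack("!H", raw[12:14])
    if tpid != TPID_8021Q:
        # No tag: the EtherType sits right after the MACs (native-VLAN traffic).
        return Frame(dst, src, None, 0, False, tpid, raw[14:])
    if len(raw) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, ethertype = struct.unpack("!HH", raw[14:18])
    return Frame(dst, src, tci & 0x0FFF, tci >> 13, bool(tci & 0x1000), ethertype, raw[18:])


def allowed_on_port(frame: Frame, allowed_vids: Iterable[int], native_ok: bool = True) -> bool:
    """Illustrative ingress policy: accept untagged frames only if the port has a
    native VLAN, and tagged frames only for VIDs provisioned on the port."""
    if frame.vid is None:
        return native_ok
    return frame.vid in set(allowed_vids)


# Constructed sample: an ARP request from a wireless client (10.0.36.2 asking
# for 10.0.36.1), as a bridged AP would emit it on VLAN 36 with priority 6.
CLIENT_MAC = "02:00:00:00:00:aa"
BROADCAST = "ff:ff:ff:ff:ff:ff"
ARP_REQUEST = bytes.fromhex(
    "0001" "0800" "06" "04" "0001"    # Ethernet/IPv4, hlen 6, plen 4, opcode request
    "0200000000aa" "0a002402"         # sender MAC / IP
    "000000000000" "0a002401"         # target MAC / IP
)
TAGGED = build_frame(BROADCAST, CLIENT_MAC, 0x0806, ARP_REQUEST, vid=36, pcp=6)
UNTAGGED = build_frame(BROADCAST, CLIENT_MAC, 0x0806, ARP_REQUEST)

if __name__ == "__main__":
    for raw in (TAGGED, UNTAGGED):
        f = parse_frame(raw)
        print(f"vid={f.vid} pcp={f.pcp} ethertype=0x{f.ethertype:04x} "
              f"accepted_on_trunk_10_36={allowed_on_port(f, {10, 36})}")
```

Two details worth noticing: a VID of 0 is legal on the wire and means "priority-tagged, no VLAN membership", which is why the static wired-port policy above accepts 0-4094 while a VLAN you create on the controller needs a tag of 1-4094; and a port that accepts any tagged VID, rather than only the ones provisioned on it, lets a client pick its own VLAN by crafting the tag, which is the whole reason trunks between the AP's switch port and the rest of the network must be explicitly configured as the technology note referenced below describes.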

VLAN assignment is done for RADIUS-based MAC filtering and authentication. VLAN assignment is not done in Captive Portal Authentication by any of the returned attributes. Because VLANs rely on a remote switch that must be configured to support trunking, also refer to the Fortinet Wi-Fi Technology Note WF107, “VLAN Configuration and Deployment.” This document contains the recommended configuration for switches as well as a comprehensive description of VLAN configuration and deployment.