Creating a new VLAN

Creating a new VLAN takes four steps:

  1. Configure the firewall (FortiGate)
  2. Configure the core switch (HP Procurve)
  3. Configure the edge switches (HP Procurve)
  4. Configure the end devices

Configure the firewall (FortiGate)

We will need to allow the VLAN access out to the WAN. On the FortiGate this involves 1) creating a new VLAN interface, and 2) creating firewall policies for the new VLAN.

Creating a new interface

  1. Go to System–>Network–>Interfaces and click Create New.
  2. Create an Interface Name.
  3. Set the Type to VLAN.
  4. Select the physical port the VLAN will be on from the Interface drop-down menu (the physical interface on which to attach the VLAN).
  5. Set the VLAN ID.
  6. Select Manual Addressing mode and enter the IP and Netmask.
  7. Choose which Administrative Access methods to allow. Keep this minimal on a user VLAN: PING is usually enough for troubleshooting, and HTTPS/SSH should stay disabled unless the firewall will actually be managed from this subnet.
  8. Enable the DHCP Server and set the starting and ending IPs for the DHCP scope(s).
  9. Set the Netmask, Default Gateway and DNS Server (generally using the System DNS is fine).
  10. Configure any additional settings as needed and select OK.

To verify the interface has been created, go back to System–>Network–>Interfaces and select the blue arrow to expand the physical port; the VLAN should be displayed beneath it.

Creating a policy to allow VLAN traffic out to WAN

Follow the steps in Creating Security Policies to create policies to allow traffic from the new VLAN to the Internet. Scope the source address to the new VLAN's subnet rather than "all", and enable NAT on the policy if the WAN side expects it.
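The same firewall configuration as the GUI steps above, expressed as FortiGate CLI. This is an added example, not configuration from the original page: the interface name vlan110, physical port port2, VLAN ID 110, subnet 10.0.110.0/24, DHCP range, WAN interface wan1 and address object name vlan110-net are all assumed values to replace with your own. It also includes the address object and the WAN policy that the Creating Security Policies page is referred to for.

```text
# FortiGate CLI, added example with assumed names and addresses.
# 1) The VLAN interface on physical port2, admin access limited to ping.
config system interface
    edit "vlan110"
        set vdom "root"
        set interface "port2"
        set vlanid 110
        set ip 10.0.110.1 255.255.255.0
        set allowaccess ping
    next
end

# 2) DHCP scope for the VLAN, handing out the VLAN interface as gateway
#    and the FortiGate's system DNS ("dns-service default").
config system dhcp server
    edit 0
        set interface "vlan110"
        set default-gateway 10.0.110.1
        set netmask 255.255.255.0
        set dns-service default
        config ip-range
            edit 1
                set start-ip 10.0.110.100
                set end-ip 10.0.110.199
            next
        end
    next
end

# 3) Address object for the subnet, so the policy is not scoped to "all".
config firewall address
    edit "vlan110-net"
        set subnet 10.0.110.0 255.255.255.0
    next
end

# 4) Policy allowing the VLAN out to the WAN, NATed and logged.
config firewall policy
    edit 0
        set name "vlan110-to-wan"
        set srcintf "vlan110"
        set dstintf "wan1"
        set srcaddr "vlan110-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

`edit 0` creates a new entry with the next free ID. After applying, `show system interface vlan110` and `show firewall policy` confirm the objects exist; `diagnose sniffer packet vlan110` is a quick way to see whether DHCP and client traffic are actually arriving on the new interface.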

Configure the core switch (HP Procurve)

On the core switch we will need to create the new VLAN and then create a Policy Based Routing (PBR) policy that sets the default next hop for traffic from the VLAN.

Create the VLAN on the core switch

Run the following commands on the switch.

  1. vlan <vlan ID> name <vlan name> - Create the VLAN and set its ID and name.
  2. vlan <vlan ID> ip address <ip address> <netmask> - Set the IP address for the switch on the new VLAN.
  3. show vlan custom id:3, name:10, ipconfig:10, ipaddr:16, ipmask:16 - Verify it is created successfully.
  4. Untag the VLAN on the end device ports and tag it on uplink ports.

Create a PBR policy to set default gateway

A PBR policy will be used to configure the default gateway (default next hop) for traffic coming from the VLAN. To do this, we will create a class that matches traffic sourced from the VLAN's subnet, then create the PBR policy and apply it to the VLAN. Note that the action used below is default-next-hop rather than next-hop: it only applies to destinations for which the switch has no specific route, so traffic between VLANs the core switch routes itself still follows the routing table. Run the following commands.

  1. class ipv4 <class name> - Create the class and give it a name (in this example we use IPv4).
  2. match ip <subnet ip> <wildcard mask> 0.0.0.0 255.255.255.255 - Set the subnet the class applies to (the prompt should look like (config-class)#). The second value is the wildcard (inverse) mask of the source subnet, e.g. 0.0.0.255 for a /24; the trailing 0.0.0.0 255.255.255.255 matches any destination.
  3. show class ipv4 <class name> - Verify the class is correct.
  4. exit - Exit the class configuration:
  5. policy pbr <policy name> - Create the PBR policy and name it.
  6. class ipv4 <class name> - Assign the new class to the PBR policy (the prompt should look like (policy-pbr)#).
  7. action ip default-next-hop <ip address> - Set the default gateway to point to the VLAN's interface on the firewall.
  8. Return to config by running exit twice.
  9. vlan <vlan ID> service-policy <policy name> in - Assign the PBR policy to the VLAN.

Verify the policy has been configured correctly by running: #show policy vlan all

See Create a new Policy Based Routing Policy for more information on configuring PBR.

Configure the edge switches (HP Procurve)

On all switches other than the core routing switch, all that needs to be done is to create the VLAN and tag/untag the correct ports.

Run the following command to create the VLAN: #vlan <vlan ID> name <vlan name>

Then, tag the VLAN on any uplink ports and untag it on ports with end devices connected.
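The core switch procedure and the edge switch procedure above, worked through with concrete values. This is an added example, not configuration from the original page; the commands follow the forms given in the steps above, and the VLAN ID 110, name Staff, subnet 10.0.110.0/24, switch address 10.0.110.2, firewall VLAN address 10.0.110.1, class and policy names, and the port numbers (1-24 access, 47-48 uplinks) are all assumed values.

```text
; HP ProCurve core switch, typed at the (config)# prompt. Added example;
; all IDs, names, addresses and port numbers are assumptions.

; --- Create the VLAN, give the switch an address on it, set port membership ---
vlan 110 name Staff
vlan 110 ip address 10.0.110.2 255.255.255.0
vlan 110 tagged 47-48
vlan 110 untagged 1-24
show vlan custom id:3, name:10, ipconfig:10, ipaddr:16, ipmask:16

; --- Class: traffic sourced from 10.0.110.0/24 (wildcard 0.0.0.255) to any destination ---
class ipv4 Staff-Src
   match ip 10.0.110.0 0.0.0.255 0.0.0.0 255.255.255.255
   exit
show class ipv4 Staff-Src

; --- PBR policy: matching traffic with no specific route goes to the firewall's VLAN address ---
policy pbr Staff-To-Firewall
   class ipv4 Staff-Src
      action ip default-next-hop 10.0.110.1
      exit
   exit

; --- Apply the policy inbound on the VLAN and verify ---
vlan 110 service-policy Staff-To-Firewall in
show policy vlan all

; --- Edge switches: only the VLAN and port membership are needed, no IP, no PBR ---
vlan 110 name Staff
vlan 110 tagged 47-48
vlan 110 untagged 1-24
write memory
```

Two things to check after applying: `show vlans 110` should list the uplinks as Tagged and the access ports as Untagged on every switch in the path (a single untagged uplink silently breaks the VLAN end to end), and a client on the VLAN should be able to reach 10.0.110.1 directly before you rely on the PBR policy, which rules out a trunking problem before you start debugging routing. A VLAN name containing spaces must be quoted on the ProCurve CLI.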

Configure the end devices

Once the VLAN has been created and configured on the firewall and switches, devices that use DHCP can renew their lease (or be rebooted) to get the new IP information. If a device has a static IP, manually change its IP address, netmask, default gateway and DNS settings to match the new subnet.

  • switches/create_new_vlan.txt
  • Last modified: 2019/04/01 00:25
  • by ericclaus