Fortinet Document Library

Version:


Table of Contents

New Features

7.0.0
Download PDF
Copy Link

NAC LAN segments 7.0.1

When NAC mode is configured on a port, the link of a switch port goes down and then up by default, which restarts the DHCP process for that device. When a link goes down, the NAC devices are cleared from all switch ports by default. Bouncing the switch port and restarting DHCP changes the IP addresses of hosts and invalidates firewall sessions. Starting in FortiOS 7.0.1, you can avoid these problems by assigning each VLAN to a separate LAN segment.

LAN segments prevent the IP addresses of hosts from changing but still provide physical isolation. For example, the following figure shows how four LAN segments have been assigned to four separate VLANs:

The switch controls traffic between LAN segments. Enable Block Intra-VLAN Traffic in the GUI or use the set switch-controller-access-vlan command to allow or prevent traffic between hosts in a LAN segment.

Tooltip
  • An RSPAN VLAN interface cannot be a member of a LAN segment group.
  • IGMP snooping is not supported with LAN segments.

LAN segments require the following:

  • FortiGate devices running FortiOS 7.0.1 or higher with managed FortiSwitch units running FortiSwitchOS 7.0.1 or higher.
  • To see which FortiSwitch models support this feature, refer to the FortiSwitch feature matrix.
To use LAN segments:
  • Configure FortiSwitch VLANs without layer-3 properties (unset the IP address, set the access mode to static, unset allowaccess, and disable the DHCP server).
  • Optionally, enable Block Intra-VLAN Traffic.
  • Enable LAN segments.
  • Specify the NAC LAN interface.
  • Specify which VLANs belong to that LAN segment.
Caution

Do not make changes after assigning a VLAN to a LAN segment. Changing VLANs assigned to LAN segments might have unexpected results.

To configure LAN segments on a global level:

config switch-controller fortilink-settings

edit <name_of_this_FortiLink_configuration>

config nac-ports

set lan-segment {enabled | disabled}

set nac-lan-interfaces <string>

set nac-segment-vlans <VLAN_interface_name>

end

next

end

For example:

config switch-controller fortilink-settings

edit "port20"

config nac-ports

set onboarding-vlan "onboarding"

set lan-segment enabled

set nac-lan-interface "nac_segment"

set nac-segment-vlans "voice" "video"

end

next

end

Example of using LAN segments with NAC

In this example, devices are initially placed in the onboarding VLAN and receive IP addresses from the nac_segment DHCP server. Ports connected to the devices are configured with the NAC access mode. NAC policies are used to identify devices by OS and place them into the appropriate VLAN segment and dynamic firewall address. Firewall policies match traffic from the nac_segment interface by the dynamic firewall address and apply the appropriate security profiles to each.

  1. Configure the FortiSwitch VLANs for Office 1 and Office 2.

     

    config system interface

    edit "Office2"

    set vdom "root"

    set device-identification enable

    set role lan

    set snmp-index 33

    set color 10

    set interface "fortilink"

    set vlanid 2000

    next

    edit "Office1"

    set vdom "root"

    set device-identification enable

    set role lan

    set snmp-index 34

    set color 5

    set interface "fortilink"

    set vlanid 2001

    next

    end

     

  2. The following is the configuration for the nac_segment interface and its corresponding DHCP server settings. These settings are the default.

     

    config system interface

    edit "nac_segment"

    set vdom "root"

    set ip 10.255.13.1 255.255.255.0

    set description "NAC Segment VLAN"

    set alias "nac_segment.fortilink"

    set device-identification enable

    set snmp-index 32

    set switch-controller-feature nac-segment

    set interface "fortilink"

    set vlanid 4088

    next

    end

    config system dhcp server

    edit 5

    set lease-time 300

    set dns-service default

    set default-gateway 10.255.13.1

    set netmask 255.255.255.0

    set interface "nac_segment"

    config ip-range

    edit 1

    set start-ip 10.255.13.2

    set end-ip 10.255.13.254

    next

    end

    set timezone-option default

    next

    end

     

  3. Add the Office 1 VLAN and Office 2 VLAN to the LAN segment VLANs.

     

    config switch-controller fortilink-settings

    edit "fortilink"

    config nac-ports

    set onboarding-vlan "onboarding"

    set lan-segment enabled

    set nac-lan-interface "nac_segment"

    set nac-segment-vlans "voice" "video" "Office2" "Office1"

    end

    next

    end

     

  4. Configure the NAC policy for devices in Office 1 and Office 2.

     

    If you configure the NAC policy from the GUI, you can create the office2_device and office1_device dynamic firewall addresses inline. However, if you create the NAC policy from the CLI, first create the firewall addresses and then create the MAC policy and NAC policies.

     

    config firewall address

    edit "office2_device"

    set type dynamic

    set sub-type swc-tag

    set color 19

    next

    edit "office1_device"

    set type dynamic

    set sub-type swc-tag

    set color 10

    next

    end

     

    config switch-controller mac-policy

    edit "Office2_FAP"

    set fortilink "fortilink"

    set vlan "Office2"

    next

    edit "Office2_PC"

    set fortilink "fortilink"

    set vlan "Office2"

    next

    edit "Office1_PC"

    set fortilink "fortilink"

    set vlan "Office1"

    next

    end

     

    config user nac-policy

    edit "OFFICE2_FAP"

    set hw-vendor "Fortinet"

    set family "FortiAP"

    set os "FortiAP OS"

    set switch-fortilink "fortilink"

    set switch-scope "S248EPTF18001384"

    set switch-mac-policy "Office2_FAP"

    set firewall-address "office2_device"

    next

    edit "OFFICE2_PC"

    set os "Linux"

    set switch-fortilink "fortilink"

    set switch-scope "S248EPTF18001384"

    set switch-mac-policy "Office2_PC"

    set firewall-address "office2_device"

    next

    edit "OFFICE1_PC"

    set hw-vendor "VMware"

    set switch-fortilink "fortilink"

    set switch-scope "S524DN4K16000116"

    set switch-mac-policy "Office1_PC"

    set firewall-address "office1_device"

    next

    end

     

  5. Configure the firewall policy for devices in Office 1 or Office 2.

     

    The source of all traffic is nac_segment, but the traffic is filtered on the srcaddr by the dynamic firewall address previously assigned by the NAC policies.

     

    config firewall policy

    edit 5

    set name "Office1_Device"

    set uuid d3e2bbdc-d9c1-51eb-dbd3-cb534366b58d

    set srcintf "nac_segment"

    set dstintf "port1"

    set action accept

    set srcaddr "office1_device"

    set dstaddr "all"

    set schedule "always"

    set service "ALL"

    set ssl-ssh-profile "certificate-inspection"

    set logtraffic all

    set nat enable

    next

    edit 4

    set name "Office2_Device"

    set uuid a724c2fc-d9c1-51eb-e8d8-a501419308b3

    set srcintf "nac_segment"

    set dstintf "port1"

    set action accept

    set srcaddr "office2_device"

    set dstaddr "all"

    set schedule "always"

    set service "ALL_ICMP" "FTP" "FTP_GET" "FTP_PUT" "HTTP" "HTTPS" "TFTP"

    set ssl-ssh-profile "certificate-inspection"

    set logtraffic all

    set nat enable

    next

    edit 3

    set name "All_devices"

    set uuid 0accfbae-d9c1-51eb-b0bf-2ba0b00647c0

    set srcintf "nac_segment"

    set dstintf "port1"

    set action accept

    set srcaddr "all"

    set dstaddr "all"

    set schedule "always"

    set service "ALL"

    set utm-status enable

    set ssl-ssh-profile "certificate-inspection"

    set av-profile "default"

    set webfilter-profile "default"

    set dnsfilter-profile "default"

    set ips-sensor "default"

    set application-list "default"

    set logtraffic all

    set nat enable

    next

    end

     

  6. Place the ports in NAC mode.

     

    config switch-controller managed-switch

    edit "S524DN4K16000116"

    config ports

    edit "port7"

    set vlan "onboarding"

    set allowed-vlans "quarantine" "nac_segment"

    set untagged-vlans "quarantine" "nac_segment"

    set access-mode nac

    next

    end

    next

    edit "S248EPTF18001384"

    config ports

    edit "port1"

    set vlan "onboarding"

    set allowed-vlans "quarantine" "nac_segment"

    set untagged-vlans "quarantine" "nac_segment"

    set access-mode nac

    next

    edit "port6"

    set vlan "onboarding"

    set allowed-vlans "quarantine" "nac_segment"

    set untagged-vlans "quarantine" "nac_segment"

    set access-mode nac

    next

    end

    next

    end

NAC LAN segments 7.0.1

When NAC mode is configured on a port, the link of a switch port goes down and then up by default, which restarts the DHCP process for that device. When a link goes down, the NAC devices are cleared from all switch ports by default. Bouncing the switch port and restarting DHCP changes the IP addresses of hosts and invalidates firewall sessions. Starting in FortiOS 7.0.1, you can avoid these problems by assigning each VLAN to a separate LAN segment.

LAN segments prevent the IP addresses of hosts from changing but still provide physical isolation. For example, the following figure shows how four LAN segments have been assigned to four separate VLANs:

The switch controls traffic between LAN segments. Enable Block Intra-VLAN Traffic in the GUI or use the set switch-controller-access-vlan command to allow or prevent traffic between hosts in a LAN segment.

Tooltip
  • An RSPAN VLAN interface cannot be a member of a LAN segment group.
  • IGMP snooping is not supported with LAN segments.

LAN segments require the following:

  • FortiGate devices running FortiOS 7.0.1 or higher with managed FortiSwitch units running FortiSwitchOS 7.0.1 or higher.
  • To see which FortiSwitch models support this feature, refer to the FortiSwitch feature matrix.
To use LAN segments:
  • Configure FortiSwitch VLANs without layer-3 properties (unset the IP address, set the access mode to static, unset allowaccess, and disable the DHCP server).
  • Optionally, enable Block Intra-VLAN Traffic.
  • Enable LAN segments.
  • Specify the NAC LAN interface.
  • Specify which VLANs belong to that LAN segment.
Caution

Do not make changes after assigning a VLAN to a LAN segment. Changing VLANs assigned to LAN segments might have unexpected results.

To configure LAN segments on a global level:

config switch-controller fortilink-settings

edit <name_of_this_FortiLink_configuration>

config nac-ports

set lan-segment {enabled | disabled}

set nac-lan-interfaces <string>

set nac-segment-vlans <VLAN_interface_name>

end

next

end

For example:

config switch-controller fortilink-settings

edit "port20"

config nac-ports

set onboarding-vlan "onboarding"

set lan-segment enabled

set nac-lan-interface "nac_segment"

set nac-segment-vlans "voice" "video"

end

next

end

Example of using LAN segments with NAC

In this example, devices are initially placed in the onboarding VLAN and receive IP addresses from the nac_segment DHCP server. Ports connected to the devices are configured with the NAC access mode. NAC policies are used to identify devices by OS and place them into the appropriate VLAN segment and dynamic firewall address. Firewall policies match traffic from the nac_segment interface by the dynamic firewall address and apply the appropriate security profiles to each.

  1. Configure the FortiSwitch VLANs for Office 1 and Office 2.

     

    config system interface

    edit "Office2"

    set vdom "root"

    set device-identification enable

    set role lan

    set snmp-index 33

    set color 10

    set interface "fortilink"

    set vlanid 2000

    next

    edit "Office1"

    set vdom "root"

    set device-identification enable

    set role lan

    set snmp-index 34

    set color 5

    set interface "fortilink"

    set vlanid 2001

    next

    end

     

  2. The following is the configuration for the nac_segment interface and its corresponding DHCP server settings. These settings are the default.

     

    config system interface

    edit "nac_segment"

    set vdom "root"

    set ip 10.255.13.1 255.255.255.0

    set description "NAC Segment VLAN"

    set alias "nac_segment.fortilink"

    set device-identification enable

    set snmp-index 32

    set switch-controller-feature nac-segment

    set interface "fortilink"

    set vlanid 4088

    next

    end

    config system dhcp server

    edit 5

    set lease-time 300

    set dns-service default

    set default-gateway 10.255.13.1

    set netmask 255.255.255.0

    set interface "nac_segment"

    config ip-range

    edit 1

    set start-ip 10.255.13.2

    set end-ip 10.255.13.254

    next

    end

    set timezone-option default

    next

    end

     

  3. Add the Office 1 VLAN and Office 2 VLAN to the LAN segment VLANs.

     

    config switch-controller fortilink-settings

    edit "fortilink"

    config nac-ports

    set onboarding-vlan "onboarding"

    set lan-segment enabled

    set nac-lan-interface "nac_segment"

    set nac-segment-vlans "voice" "video" "Office2" "Office1"

    end

    next

    end

     

  4. Configure the NAC policy for devices in Office 1 and Office 2.

     

    If you configure the NAC policy from the GUI, you can create the office2_device and office1_device dynamic firewall addresses inline. However, if you create the NAC policy from the CLI, first create the firewall addresses and then create the MAC policy and NAC policies.

     

    config firewall address

    edit "office2_device"

    set type dynamic

    set sub-type swc-tag

    set color 19

    next

    edit "office1_device"

    set type dynamic

    set sub-type swc-tag

    set color 10

    next

    end

     

    config switch-controller mac-policy

    edit "Office2_FAP"

    set fortilink "fortilink"

    set vlan "Office2"

    next

    edit "Office2_PC"

    set fortilink "fortilink"

    set vlan "Office2"

    next

    edit "Office1_PC"

    set fortilink "fortilink"

    set vlan "Office1"

    next

    end

     

    config user nac-policy

    edit "OFFICE2_FAP"

    set hw-vendor "Fortinet"

    set family "FortiAP"

    set os "FortiAP OS"

    set switch-fortilink "fortilink"

    set switch-scope "S248EPTF18001384"

    set switch-mac-policy "Office2_FAP"

    set firewall-address "office2_device"

    next

    edit "OFFICE2_PC"

    set os "Linux"

    set switch-fortilink "fortilink"

    set switch-scope "S248EPTF18001384"

    set switch-mac-policy "Office2_PC"

    set firewall-address "office2_device"

    next

    edit "OFFICE1_PC"

    set hw-vendor "VMware"

    set switch-fortilink "fortilink"

    set switch-scope "S524DN4K16000116"

    set switch-mac-policy "Office1_PC"

    set firewall-address "office1_device"

    next

    end

     

  5. Configure the firewall policy for devices in Office 1 or Office 2.

     

    The source of all traffic is nac_segment, but the traffic is filtered on the srcaddr by the dynamic firewall address previously assigned by the NAC policies.

     

    config firewall policy

    edit 5

    set name "Office1_Device"

    set uuid d3e2bbdc-d9c1-51eb-dbd3-cb534366b58d

    set srcintf "nac_segment"

    set dstintf "port1"

    set action accept

    set srcaddr "office1_device"

    set dstaddr "all"

    set schedule "always"

    set service "ALL"

    set ssl-ssh-profile "certificate-inspection"

    set logtraffic all

    set nat enable

    next

    edit 4

    set name "Office2_Device"

    set uuid a724c2fc-d9c1-51eb-e8d8-a501419308b3

    set srcintf "nac_segment"

    set dstintf "port1"

    set action accept

    set srcaddr "office2_device"

    set dstaddr "all"

    set schedule "always"

    set service "ALL_ICMP" "FTP" "FTP_GET" "FTP_PUT" "HTTP" "HTTPS" "TFTP"

    set ssl-ssh-profile "certificate-inspection"

    set logtraffic all

    set nat enable

    next

    edit 3

    set name "All_devices"

    set uuid 0accfbae-d9c1-51eb-b0bf-2ba0b00647c0

    set srcintf "nac_segment"

    set dstintf "port1"

    set action accept

    set srcaddr "all"

    set dstaddr "all"

    set schedule "always"

    set service "ALL"

    set utm-status enable

    set ssl-ssh-profile "certificate-inspection"

    set av-profile "default"

    set webfilter-profile "default"

    set dnsfilter-profile "default"

    set ips-sensor "default"

    set application-list "default"

    set logtraffic all

    set nat enable

    next

    end

     

  6. Place the ports in NAC mode.

     

    config switch-controller managed-switch

    edit "S524DN4K16000116"

    config ports

    edit "port7"

    set vlan "onboarding"

    set allowed-vlans "quarantine" "nac_segment"

    set untagged-vlans "quarantine" "nac_segment"

    set access-mode nac

    next

    end

    next

    edit "S248EPTF18001384"

    config ports

    edit "port1"

    set vlan "onboarding"

    set allowed-vlans "quarantine" "nac_segment"

    set untagged-vlans "quarantine" "nac_segment"

    set access-mode nac

    next

    edit "port6"

    set vlan "onboarding"

    set allowed-vlans "quarantine" "nac_segment"

    set untagged-vlans "quarantine" "nac_segment"

    set access-mode nac

    next

    end

    next

    end