Administration Guide

Network access/VLANs

Use this option to modify device and model values and to display the current and default network access assignments stored in the FortiNAC model of that device. Network access could be through VLANs/Roles, CLI configurations, or VPN groups, depending on the device type. In the following discussion, the term VLANs refers to any of the network access types.

The current VLANs are read from the device in the following situations:

  • When you click Read VLANs in VLAN Summary view of the device.
  • When the first trap (link up, link down, or cold start) is received after the device is added to the Topology.
  • When the first trap (link up, link down or cold start) is received after regaining contact with the device.
  • When the first trap (link up, link down, or cold start) is received after starting up FortiNAC.

Note

If you have not yet supplied the telnet or SSH parameters, FortiNAC cannot retrieve the VLANs.

The VLANs option allows you to force a read of the current values from the device, edit the model’s current values, and modify the default VLAN values.

The modified default values are stored in the FortiNAC database. For switch vendors whose switches support running and boot configurations, FortiNAC does not perform a write memory to the boot configuration.

Note

The FortiNAC default VLAN is the VLAN that the port is switched to for normal network access. To set the default VLAN globally for all ports on this device, go to model configuration. See Model configuration for more information. To set different default VLANs for individual ports, use Edit Default on this window.

Network access summary displays the VLAN information for the device. Each port on the device is listed with its current and default VLAN value.

  1. Click Network Devices > Topology.
  2. Expand the Container where the device is located.
  3. Right-click the device and select Network Access/VLANs.
  4. Click Read VLANs to get the current and default VLAN values on the device.

Modify current device VLANs

Use this feature to set the VLANs for the device through the FortiNAC UI instead of the command line interface.

  1. Click Network Devices > Topology.
  2. Expand the Container where the device is located.
  3. Right-click on the device and select Network Access/VLANs.
  4. Click Edit Current to modify the values on the device.
  5. Enter the VLAN value for one or more ports.
  6. Click Apply.

The values are written to the device as the current value.

Modify default device VLANs

Use this feature to modify the default VLANs for the device model in the FortiNAC database.

  1. Click Network Devices > Topology.
  2. Expand the Container where the device is located.
  3. Right-click on the device and select Network Access/VLANs.
  4. Click Edit Default to modify the default VLAN values on the device.
  5. Enter the VLAN value for one or more ports.
  6. Click Apply.

The values are written to the database model as the default values.

VLAN switching

At times it may be necessary to disable VLAN switching for a specific device until the updated device information is entered/changed in FortiNAC. VLAN usage by the FortiNAC appliance and the device will be out of sync when:

  • An administrator discovers/adds a device to the Topology in the admin UI but does not perform a model configuration to specify the VLANs to be used.
  • After the device has already been added to Topology and configured with specific VLANs, an administrator changes the VLANs on the device itself and does not change the configuration on the FortiNAC appliance to reflect those changes.

Disable VLAN switching

VLAN switching is set to enabled by default. FortiNAC uses the default VLAN information for the device when a host connects. To prevent a host from being automatically switched from the new VLAN to the old VLAN during network upgrades, VLAN switching may be disabled. Once the updated information is entered or changed in FortiNAC and the VLAN information has been verified for the device, enable VLAN switching again.

  1. Click Network Devices > Topology.
  2. Expand the container where the device is located.
  3. Click on the device to select it.
  4. Right-click on the device and select Properties.
  5. In the VLAN Switching field, select the Disable radio button.
  6. Click Apply, then close the Properties window.

Verify the default VLAN

  1. Click Network Devices > Topology.
  2. Expand the container where the device is located.
  3. Click on the device to select it.
  4. Right-click on the device and select Network Access/VLANs.
  5. The Network Access Summary window is displayed.
  6. Verify that the switch/port has the correct default VLAN information.

    Note

    If the default VLAN has been changed on the switch/ports, the VLAN default settings on the Summary window must be changed as well.

  7. Make any changes as needed to the default VLAN settings for each port and click Apply.
  8. Click Refresh on the browser to refresh the view.
  9. Verify that the switch/port has the correct default VLAN information.
  10. Close the Summary window.

Enable VLAN switching

When all the changes to the device have been completed, enable the VLAN switching on the device.

  1. Click Network Devices > Topology.
  2. Expand the container where the device is located.
  3. Click on the device to select it.
  4. Right-click on the device and select Properties.
  5. In the VLAN Switching field, select the Enable radio button.
  6. Click Apply, then close the Properties window.

Review the model configuration

  1. Click Network Devices > Topology.
  2. Expand the container where the device is located.
  3. Click on the device to select it.
  4. Right-click on the device and select the Device Name > Model Configuration. This shows the current configuration from within FortiNAC.
  5. Compare the VLAN settings to those read from the device. If there is no value for Default, hosts get the default specified by the device. In some instances, there may be more than one production default. Also compare the other VLAN settings to the current VLANs read from the device.
  6. Modify the model configuration, as necessary. Set a value for each of the VLANs you want to use. If hosts that are not at risk should get a specific default VLAN, set that value here.
  7. Apply your edits and exit model configuration.
  8. Select the device, and right-click. Select Resync Interfaces to apply the model configuration to the ports on the device.
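
The verification step before re-enabling VLAN switching can also be checked offline. The following is an added example, not FortiNAC code and not a FortiNAC export format: it compares the default VLAN configured on each switch port with the default shown in the Network Access Summary and reports whether any port would still be switched to a stale VLAN. The CSV layout, column names and status labels are assumptions, and only numeric VLAN IDs are handled.

```python
import csv
import io

# Constructed sample data (hypothetical layout). Columns: port, default VLAN now
# configured on the switch, default VLAN shown in the FortiNAC summary
# (blank = no Default value set in the model).
SAMPLE = """\
port,switch_default,fortinac_default
Gi1/0/1,120,120
Gi1/0/2,120,20
Gi1/0/3,130,
Gi1/0/4,,20
Gi1/0/5,abc,20
"""

def parse_vlan(text):
    """Return a VLAN ID (1-4094), None for a blank field, or raise ValueError."""
    text = (text or "").strip()
    if not text:
        return None
    vlan = int(text)  # raises ValueError on non-numeric input
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN out of range: {vlan}")
    return vlan

def audit(text):
    """Map each port to in_sync, mismatch, device_default or unverified."""
    findings = {}
    for row in csv.DictReader(io.StringIO(text)):
        try:
            switch = parse_vlan(row["switch_default"])
            model = parse_vlan(row["fortinac_default"])
        except ValueError:
            findings[row["port"]] = "unverified"  # unreadable value: recheck by hand
            continue
        if model is None:
            # No Default in the model: hosts get the default specified by the device.
            findings[row["port"]] = "device_default"
        elif switch is None:
            findings[row["port"]] = "unverified"  # nothing to compare against
        else:
            findings[row["port"]] = "in_sync" if switch == model else "mismatch"
    return findings

def safe_to_enable(findings):
    """True only when no port is mismatched or unverified."""
    return all(s in ("in_sync", "device_default") for s in findings.values())

if __name__ == "__main__":
    result = audit(SAMPLE)
    for port, status in result.items():
        print(port, status)
    print("re-enable VLAN switching:", safe_to_enable(result))
```

Ports reported as mismatch or unverified are the ones to correct with Edit Default, or in model configuration, before VLAN switching is enabled again.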
