Layer 2 Network - Vlans - Fortinet FortiNac BFN620 Installation Manual

Layer 2 Network - VLANs

VLANs are the basic networking construct used to limit network access. When you implement network access control, include at least one non-production VLAN. In the Configuration Wizard this is the Isolation VLAN. If there is a need to separate clients based on state, such as known vs. unknown or out-of-compliance, configure multiple VLANs. In the Configuration Wizard these additional VLANs are the Registration, Remediation, Dead End, VPN, Authentication, Isolation, and Access Point Management VLANs.

If you intend to use FortiNac only to monitor network access, configuring VLANs is not necessary. If in the future you choose to control access to the network, re-run the Configuration Wizard to configure VLANs at that time.

If you do not configure VLANs at this time, click Next on the Isolation, Registration, Remediation, Dead End, VPN, Authentication and Access Point Management screens. Proceed to Layer 2 Network - Summary on page 27.

Note: The Configuration Wizard dynamically writes all files configured on the FortiNac Control Server to the FortiNac Application Server. No direct configuration of the FortiNac Application Server is required after the initial basic network setup is completed.
Table 11: Layer 2 VLAN Types

VLAN Type: Layer 2 Isolation
Definition: Isolates all clients connecting to the network and redirects them to the appropriate isolation web pages. In the Isolation VLAN the state of the client, such as known vs. unknown or out-of-compliance, determines the access control information presented to the client via the web browser or persistent agent. If you use this VLAN type, the configuration of the other VLAN types is optional. You can use the Isolation VLAN with Registration, Remediation, Dead End, VPN, Authentication, or Access Point Management VLANs as another non-production network.

VLAN Type: Layer 2 Registration
Definition: Isolates unregistered clients from the production network during client registration.

VLAN Type: Layer 2 Remediation
Definition: Isolates clients from the production network who pose a security risk because they failed a policy scan.

VLAN Type: Layer 2 Dead End
Definition: Isolates disabled clients with limited or no network connectivity from the production network.

VLAN Type: Layer 2 Virtual Private Network
Definition: Used for clients who connect to the network through VPN services.

VLAN Type: Layer 2 Authentication
Definition: Isolates registered clients from the production network during user authentication.

VLAN Type: Layer 2 Access Point Management
Definition: Used for clients that connect through devices managed by Access Point Management. You can manage clients connected to hubs or simple access points by using DHCP as a means to control or restrict client access. Once you have completed your configuration and started FortiNac, access Help for additional information about the Access Point Management Plugin.