I am pretty new to  setting up VLANS and I am needing to setup some on one of my networks. Here is what I have come up with so far.

Total of 6 VLANS



Services  VLAN 2 (Shared resources, Printers, File, Print and Data servers)

Staff       VLAN 3 

Student      VLAN 4 

Guest         VLAN 5

I am using a Fortigate for Firewall and some routing but I would rather the switches handle all the routing between VLANS. I do not want any of the VLANS to talk to each other with the exception of staff and student talking to services. We are Windows environment using Windows DHCP and DNS for clients. 

My question is what would be the best way of handling this?

Do I Trunk the server ports and the Fortigate ports?

How to I keep Staff, Student talking only to services and not each other?

The guest VLAN is for Internet only, that one I my just Trunk to the Fortigate and let it handle it since I do not want it talking to anything but the the Fortigate.

Could I put another Trunk for the Fortigate into the services VLAN for Internet access?

A lot of questions, I know, but I would rather get them all out there instead of making this a long drawn thread.



Hi Kenny,

depending on the amound of traffic / needed throughput it might be better/easier to let FortiGate handle the routing between the VLANs as it is easier to implement new policies for access between the vlans. In this case the switch does not need any IP-Addresses in the VLANs (except one for Management). 

If you still want to do it via the switch, you have to do the following:

  • You need one central switch that acts as the router
  • Remove the IP-Address for Guest VLAN from this central switch. Move this VLAN + IP-Address to the fortigate. (by doing this, Guest VLAN is separated from the other VLANs)
  • Enable ipforwarding on Services, Staff and Student and configure the IP-Addresses that you mentioned above
  • Configure DHCP-Relay (How To: How to Configure Bootprelay (DHCP Relay/IP-Helper) in EXOS | Extreme Portal (
  • Create a new VLAN to connect the switch to the fortigate (e.g.
  • On the Switch create a default route to the fortigate via this new VLAN (e.g. configure iproute add default
  • On the fortigate create a route for Student, Services and Staff subnet. Next-Hop: Switch IP-Address of this new VLAN (e.g. Route to via
  • Create a ACL on the switch that denies traffic between Staff and Student VLAN (How To: How to create and apply an ACL in EXOS | Extreme Portal (

This is it (very) basically. If you have any further questions, feel free to ask.

Best regards

I decided to let the Fortigate handle the routing and it is working out pretty good so far. I do have another question. I have a couple of Enterasys D series switches as well as a one C series. Is there any issue with VLANS going between the Extreme switches and the Enterasys switches?

Good to hear!

No there are no issues. Tagged-Frames can be switches between EXOS and EOS devices without problems. If you use STP there might be some things to consider.