A reminder – The importance of network segmentation

Early in my Fortinet support career I deployed wireless 221B FAPs. When they were deployed I chose to leave them in the client VLAN while tunneling traffic to the FortiGate management devices. This seemed to give a decent amount of segmentation between the wireless traffic and client LAN traffic.

This setup functioned well for many years. I had thought many times about moving the actual AP management traffic to a separate VLAN but put it off as everything was working well, until a recent upgrade.

The 221B FAPs that had been running well were coming to the end of support with the new FortiOS 7.x software line, so we decided to upgrade to something newer. After upgrading to 7.2.5 on the firewall and plugging in a 231G FAP, our VOIP phones were continually going offline and rebooting. They would run for 5-10 minutes, then reboot and sometimes reconnect.

At first I thought the firewall upgrade caused some changes between FortiLink and the LLDP profiles that were being used for the VOIP connections. I worked with multiple Fortinet TAC teams to resolve the issue with no luck. We could not find anything that pointed to the issue we were having. After many hours we narrowed it down to what seemed like traffic being generated by the 231Gs kicking the Avaya phones offline, causing reboots and intermittent call issues.

Finally I realized the simplest and best solution was to properly segment the FAPs onto their own network, as I should have from the beginning. After many days of support and troubleshooting, segmentation resolved the issue in a matter of minutes and fixed a problem that should not have occurred. Everything is working now and we can investigate what traffic is causing the issues with the Avaya phones.
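For readers who want to see what "segment the FAPs onto their own network" looks like on a FortiGate, the following is an added illustration, not configuration from the original post or from Fortinet. It assumes a FortiLink-managed switch fabric, a hypothetical management VLAN ID 50, a hypothetical 10.50.0.0/24 range, and a single VDOM named root; the interface name, VLAN ID and addresses are all placeholders, and the FortiOS 7.x CLI shown should be checked against the release you are running.

```text
# Added example (not from the original post): a dedicated AP-management VLAN
# on the FortiLink interface. VLAN 50 and 10.50.0.0/24 are assumed values.
config system interface
    edit "ap-mgmt"
        set vdom "root"
        set ip 10.50.0.1 255.255.255.0
        # "fabric" covers the CAPWAP control channel the FAPs use to reach
        # the controller; no HTTPS/SSH management is exposed on this VLAN.
        set allowaccess ping fabric
        set role lan
        set interface "fortilink"
        set vlanid 50
    next
end

# DHCP scope for the APs only. Option 138 (CAPWAP AC address) lets the
# APs discover the controller without broadcasting on the client VLAN.
config system dhcp server
    edit 0
        set interface "ap-mgmt"
        set default-gateway 10.50.0.1
        set netmask 255.255.255.0
        config ip-range
            edit 1
                set start-ip 10.50.0.10
                set end-ip 10.50.0.200
            next
        end
        config options
            edit 1
                set code 138
                set type ip
                set ip "10.50.0.1"
            next
        end
    next
end
```

The remaining steps are to assign the switch ports the APs plug into as untagged members of the new VLAN, and to write firewall policies so that ap-mgmt can reach only the FortiGate itself (plus whatever the APs need for upgrades), not the voice or client VLANs. With that in place, anything the APs send on their wired side stays off the segment the phones live on, which is the isolation the post arrives at.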

Reminder to self: always segment and follow best practices.
