🏢 Enterprise Network Infrastructure Upgrade
CIMMYT Nepal Office, Khumaltar

From a flat unmanaged network to a fully segmented enterprise-grade dual-VLAN architecture using existing hardware with zero budget.

📅 March 2026 📍 Khumaltar, Lalitpur, Nepal 🔧 FortiGate + Cisco ✍️ Bikram Bhujel ⏱️ 5 Days
Faster WiFi Speed
13 Devices Configured
0৳ Hardware Budget
01

Project Overview

The CIMMYT Nepal Office in Khumaltar, Lalitpur was running on a completely flat network with no VLANs, no segmentation and no guest isolation. All staff devices, guest WiFi and printers were sharing the same broadcast domain with zero security boundaries between them.

The goal was straightforward: upgrade the entire network to a properly segmented, enterprise-grade architecture. The interesting constraint was that no new hardware could be purchased. Everything had to be done with what was already sitting in the server rack.

💡 Key insight: The dramatic performance improvement you will see below came entirely from reconfiguration, not new equipment. The same firewall, switches and access points delivered 6x faster WiFi simply through proper design.
02

How It Unfolded

March 20, 2026
FortiGate 91G Reconfiguration
Started with a clean slate. Configured VLAN20 for corporate traffic and VLAN999 for guest, set up DHCP pools for both networks, configured SD-WAN with the Worldlink ISP connection and wrote all firewall policies from scratch.
March 20 to 21
Switch Infrastructure
All three Cisco Catalyst 2960-X switches were pulled from the rack and physically cleaned. The level of dust and rodent activity found inside was significant. After cleaning all three were reconfigured with proper VLAN trunk and access port design.
March 21, 2026
Wireless Deployment
All eight Cisco AIR-CAP2702I access points configured in autonomous mode. CIM-WiFi moved to 5GHz exclusively and cim-guest assigned to 2.4GHz. Channels planned using a 1, 6, 11 rotation across adjacent APs. First speedtest: 41.8 Mbps.
March 22 to 24
FortiAP 231F Integration
Integrating the FortiAP 231F into FortiGate management turned into a multi-day troubleshooting exercise. The AP was still registered to FortiEdge Cloud, CAPWAP was not enabled on the right interface and the native VLAN behaviour required some creative thinking. More on this below.
March 25, 2026
Documentation in NetBox
Full network documented in NetBox IPAM covering all devices, VLANs, prefixes, interfaces and IP addresses. The entire network is now properly recorded for future reference.
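The NetBox step above is easy to do by hand for two VLANs and a dozen devices, but recording it through the REST API keeps the documentation reproducible. The script below is an added example, not the project's own code and not the NetBox client library: it creates each VLAN and its prefix idempotently (look up first, create only if absent) using the `/api/ipam/vlans/` and `/api/ipam/prefixes/` endpoints with token authentication. The NetBox URL and token are assumed to come from the environment, and the subnets are constructed placeholders because the post masks its real addresses as x.x.x.0. `FakeNetBox` is an in-memory stand-in so the logic can be dry-run offline.

```python
"""Push the VLAN/prefix plan into NetBox IPAM through its REST API (added example)."""
import json
import os
import urllib.parse
import urllib.request

# Assumptions: both values come from the environment; defaults are placeholders.
NETBOX_URL = os.environ.get("NETBOX_URL", "https://netbox.example.invalid")
NETBOX_TOKEN = os.environ.get("NETBOX_TOKEN", "REPLACE_ME")

# Constructed plan mirroring the post's two VLANs; addresses are placeholders.
PLAN = [
    {"vid": 20, "name": "Corporate", "prefix": "10.20.0.0/23",
     "description": "CIM-WiFi, staff devices only"},
    {"vid": 999, "name": "Guest", "prefix": "10.99.0.0/24",
     "description": "cim-guest, visitors only"},
]


def netbox_request(method, path, payload=None):
    """Minimal authenticated call; NetBox expects 'Authorization: Token <key>'."""
    req = urllib.request.Request(
        NETBOX_URL.rstrip("/") + path,
        data=json.dumps(payload).encode() if payload is not None else None,
        method=method,
        headers={"Authorization": f"Token {NETBOX_TOKEN}",
                 "Content-Type": "application/json",
                 "Accept": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def get_or_create(request, path, lookup, payload):
    """Idempotent create: filter with GET, POST only when nothing matches."""
    found = request("GET", f"{path}?{urllib.parse.urlencode(lookup)}")
    if found.get("count"):
        return found["results"][0]
    return request("POST", path, payload)


def sync_plan(plan=PLAN, request=netbox_request):
    """Create each VLAN, then its prefix linked to that VLAN. Returns {vid: prefix id}."""
    result = {}
    for entry in plan:
        vlan = get_or_create(request, "/api/ipam/vlans/", {"vid": entry["vid"]},
                             {"vid": entry["vid"], "name": entry["name"], "status": "active"})
        prefix = get_or_create(request, "/api/ipam/prefixes/", {"prefix": entry["prefix"]},
                               {"prefix": entry["prefix"], "vlan": vlan["id"],
                                "status": "active", "description": entry["description"]})
        result[entry["vid"]] = prefix["id"]
    return result


class FakeNetBox:
    """Offline stand-in for netbox_request: answers GET filters and POST creates from memory."""

    def __init__(self):
        self.store = {"/api/ipam/vlans/": [], "/api/ipam/prefixes/": []}

    def __call__(self, method, path, payload=None):
        base, _, query = path.partition("?")
        if method == "GET":
            params = dict(urllib.parse.parse_qsl(query))
            hits = [o for o in self.store[base]
                    if all(str(o.get(k)) == v for k, v in params.items())]
            return {"count": len(hits), "results": hits}
        obj = dict(payload, id=len(self.store[base]) + 1)
        self.store[base].append(obj)
        return obj


if __name__ == "__main__":
    # Dry run against the in-memory fake; pass request=netbox_request for a live NetBox.
    print(sync_plan(request=FakeNetBox()))
```

Running it twice against the same NetBox creates nothing the second time, which is what makes it safe to keep in a repository and re-run after every change.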
03

Before and After

❌ Before

Network Design: Flat / No VLANs
WiFi Download: ~7 Mbps avg
Jitter: 15 to 57 ms
Guest Isolation: None
WiFi Band: 2.4GHz congested
Channel Planning: Not optimized
Switch Condition: Heavily dusty
Server Rack: Disorganized

✅ After

Network Design: Dual VLAN
WiFi Download: 41.8 Mbps
Jitter: 1 ms
Guest Isolation: Complete
WiFi Band: 5GHz dedicated
Channel Planning: 1/6/11 rotated
Switch Condition: Cleaned
Server Rack: Organized
04

Hardware Involved

Every device below was already present in the office. Nothing was purchased new. Each one was reconfigured from scratch.

🔥
Fortinet FortiGate 91G
Internet gateway, VLAN routing, SD-WAN
Firewall policies and FortiAP controller
🔀
Cisco Catalyst 2960-X (×3)
48-port PoE switches
Core switch plus two access switches
📡
Cisco AIR-CAP2702I (×8)
Autonomous mode, dual radio
CIM-WiFi on 5GHz, cim-guest on 2.4GHz
📶
Fortinet FortiAP 231F
Managed by FortiGate via CAPWAP
Dedicated coverage for CCR area
05

Network Design

The topology follows a daisy-chain design with the FortiGate at the top and three switches cascading below it. Two VLANs carry all traffic with strict firewall policies controlling what can communicate with what.

ISP (Worldlink 50Mbps Dedicated)
└── FortiGate 91G [Gateway and Firewall]
    └── Core Switch [48-port PoE]
        ├── Access Switch 2 [Office area]
        ├── Access Switch 3 [Office area]
        └── AP Trunk Ports [VLAN20 + VLAN999, native VLAN20]

🏢 VLAN 20 — Corporate

Subnet: x.x.x.0/23
DHCP Pool: x.x.x.50 onwards
SSID: CIM-WiFi
Band: 5GHz dedicated
Purpose: Staff devices only

👥 VLAN 999 — Guest

Subnet: x.x.x.0/24
DHCP Pool: x.x.x.10 to .200
SSID: cim-guest
Band: 2.4GHz dedicated
Purpose: Visitors only
06

FortiGate Configuration Highlights

A couple of things worth noting from the FortiGate side. SD-WAN must be configured before any firewall policies that reference it, otherwise FortiOS throws a node_check_object error. Also, VLAN IDs are immutable after creation — to change one you delete the interface and start over.

# VLAN interface for corporate network
config system interface
    edit "VLAN20_Internal"
        set interface lan
        set type vlan
        set vlanid 20
        set ip x.x.x.1 255.255.254.0
        set allowaccess ping https ssh fabric
    next
end

# Three policies cover all traffic scenarios. FortiOS evaluates the table
# top-down and applies the implicit deny when nothing matches, so the
# guest-to-corporate deny must stay above any broader accept.
config firewall policy
    # Policy 3: Guest internet access
    edit 3
        set srcintf "VLAN999"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    # Policy 4: Guest to corporate, hard deny
    edit 4
        set srcintf "VLAN999"
        set dstintf "VLAN20_Internal"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
    next
    # Policy 5: Staff internet access
    edit 5
        set srcintf "VLAN20_Internal"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
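The three policies only give the isolation the post describes because FortiOS matches the table top-down and drops anything no policy accepts. The script below is an added illustration (not the project's code and not FortiOS itself): a minimal model of that first-match walk using the interface names and policy IDs from the post. It reproduces the four flows from the "Final Results" section, including staff-to-guest, which no policy mentions and which therefore hits the implicit deny, and then shows what happens when a broader "any destination" accept is placed above the deny.

```python
"""First-match policy evaluation with an implicit deny (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    policy_id: int
    srcintf: str
    dstintf: str
    action: str          # "accept" or "deny"
    nat: bool = False

    def matches(self, srcintf, dstintf):
        return self.srcintf in ("any", srcintf) and self.dstintf in ("any", dstintf)


# The same three policies as the FortiGate snippet, in evaluation order.
POLICIES = [
    Policy(3, "VLAN999", "virtual-wan-link", "accept", nat=True),         # guest -> internet
    Policy(4, "VLAN999", "VLAN20_Internal", "deny"),                      # guest -> corporate
    Policy(5, "VLAN20_Internal", "virtual-wan-link", "accept", nat=True),  # staff -> internet
]

# FortiOS shows this as policy 0 at the bottom of the table.
IMPLICIT_DENY = Policy(0, "any", "any", "deny")

# The four flows checked in the post's final test table.
FLOWS = {
    "guest_to_internet": ("VLAN999", "virtual-wan-link"),
    "guest_to_corporate": ("VLAN999", "VLAN20_Internal"),
    "staff_to_internet": ("VLAN20_Internal", "virtual-wan-link"),
    "staff_to_guest": ("VLAN20_Internal", "VLAN999"),
}


def evaluate(srcintf, dstintf, policies=POLICIES):
    """Return the first policy whose interface pair matches, else the implicit deny."""
    for policy in policies:
        if policy.matches(srcintf, dstintf):
            return policy
    return IMPLICIT_DENY


def verify_segmentation(policies=POLICIES):
    """Map each named flow to the action the policy table gives it."""
    return {name: evaluate(src, dst, policies).action for name, (src, dst) in FLOWS.items()}


def ordering_hazard():
    """Show why order matters: a 'guest to anywhere' accept inserted above policy 4
    silently re-opens guest-to-corporate, even though the deny is still present."""
    too_broad = Policy(6, "VLAN999", "any", "accept", nat=True)   # hypothetical mistake
    return verify_segmentation([too_broad] + POLICIES)


if __name__ == "__main__":
    for name, action in verify_segmentation().items():
        print(f"{name:20s} {action}")
    print("with a broad accept on top:", ordering_hazard()["guest_to_corporate"])
```

The model ignores addresses, services and schedules on purpose; the point is that interface-pair ordering alone decides the segmentation outcome, which is what the "Guest to corporate isolation" test actually verifies.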
07

Wireless Network Setup

Moving CIM-WiFi to 5GHz was the single biggest factor in the speed improvement. The 5GHz band is faster and far less congested in an office environment. Eight access points were spread across the building with 2.4GHz channels carefully planned to use only non-overlapping channels rotating across 1, 6 and 11 so adjacent APs never interfere with each other.

AP-01: static IP, 2.4GHz channel 1
AP-02: static IP, 2.4GHz channel 6
AP-03: static IP, 2.4GHz channel 11
AP-04: static IP, 2.4GHz channel 1
AP-05: static IP, 2.4GHz channel 6
AP-06: static IP, 2.4GHz channel 11
AP-07: static IP, 2.4GHz channel 1
AP-08: static IP, 2.4GHz channel 6
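The 1/6/11 rotation above is a three-colouring of the AP layout. The script below is an added example, not from the post: it generalises the rotation to any AP adjacency graph with a greedy assignment over the three non-overlapping 2.4GHz channels and checks an existing plan for neighbours that share a channel or sit on an overlapping channel. The assumption that the eight APs run along one corridor and can hear two neighbours in each direction (`reach=2`) is mine; with it the greedy pass reproduces the post's plan exactly.

```python
"""2.4GHz channel plan check and generation with channels 1/6/11 only (added example)."""
NON_OVERLAPPING = (1, 6, 11)

# The plan from the post.
POST_PLAN = {
    "AP-01": 1, "AP-02": 6, "AP-03": 11, "AP-04": 1,
    "AP-05": 6, "AP-06": 11, "AP-07": 1, "AP-08": 6,
}


def chain_neighbours(names, reach=2):
    """Assumption: APs are placed along a corridor, and each AP interferes with the
    APs up to `reach` positions away on either side."""
    return {
        a: {b for j, b in enumerate(names) if b != a and abs(i - j) <= reach}
        for i, a in enumerate(names)
    }


def conflicts(plan, neighbours):
    """Return problems in a plan: APs on an overlapping channel, and neighbour pairs
    that share a channel (each pair reported once)."""
    bad = []
    for ap, ch in plan.items():
        if ch not in NON_OVERLAPPING:
            bad.append((ap, f"channel {ch} overlaps"))
        for nb in sorted(neighbours.get(ap, ())):
            if ap < nb and plan.get(nb) == ch:
                bad.append((ap, nb))
    return bad


def assign_channels(neighbours):
    """Greedy colouring: each AP (in name order) takes the first of 1/6/11 not already
    used by an assigned neighbour. Raises if the layout needs more than three channels,
    which is the signal to lower transmit power or move an AP rather than bend the rule."""
    plan = {}
    for ap in sorted(neighbours):
        used = {plan[nb] for nb in neighbours[ap] if nb in plan}
        free = [ch for ch in NON_OVERLAPPING if ch not in used]
        if not free:
            raise ValueError(f"{ap}: all three channels already used by neighbours")
        plan[ap] = free[0]
    return plan


if __name__ == "__main__":
    aps = [f"AP-{i:02d}" for i in range(1, 9)]
    graph = chain_neighbours(aps)
    print("generated:", assign_channels(graph))
    print("post plan conflicts:", conflicts(POST_PLAN, graph))
```

With `reach=1` the greedy pass would alternate 1/6 only, which also has no direct conflicts but leaves every second AP on the same channel; the two-hop assumption is what forces the third channel into the rotation.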
📡 The FortiAP 231F covers the CCR area which had weak signal from the Cisco APs. It is managed directly by the FortiGate. Both SSIDs work in Bridge mode — CIM-WiFi uses VLAN ID 0 (untagged, routes via native VLAN to corporate) and cim-guest uses VLAN 999 tagged.
08

Challenges Worth Sharing

Problem

FortiAP CIM-WiFi Had No DHCP

Setting Optional VLAN ID to 20 on the Bridge mode SSID was not giving IP addresses to clients connecting to CIM-WiFi on the FortiAP.

Solution

Set VLAN ID to 0

VLAN ID 0 sends traffic untagged. The switch native VLAN routes untagged traffic to the corporate VLAN interface on FortiGate. DHCP works perfectly.

Problem

FortiAP Not Appearing in FortiGate

The FortiAP 231F was getting an IP and could ping the FortiGate but would not show up in Managed FortiAPs no matter what was tried.

Solution

Enable Security Fabric Connection

Since FortiOS 6.2, CAPWAP is grouped under Security Fabric Connection in the interface administrative access settings. Enabling this on the management VLAN interface fixed it immediately.

Problem

FortiAP Still Talking to FortiEdge Cloud

Even after pointing the FortiAP at the local FortiGate IP it kept trying to reach the cloud controller it was previously registered to.

Solution

Undeploy from FortiEdge Cloud First

The AP must be released from the FortiEdge Cloud portal before it will accept a local controller. Once undeployed it connected to the FortiGate within minutes.

Problem

FortiOS VLAN ID Cannot Be Changed

Attempted to modify an existing VLAN interface to change the VLAN ID. FortiOS does not allow this operation in place.

Solution

Delete and Recreate

The only way to change a VLAN ID in FortiOS is to delete the interface and create a new one. All firewall policies referencing it must be removed first.

09

What I Learned

💡 Native VLAN and FortiAP Bridge Mode

When a Cisco switch trunk port has a native VLAN configured, any traffic tagged with that same VLAN ID gets the tag stripped before leaving the port. This catches people out with FortiAP. The fix is counterintuitive: set the SSID Optional VLAN ID to 0 instead of the VLAN number, and the untagged traffic flows exactly where you need it.

💡 Performance Is About Design, Not Hardware

The jump from 7 Mbps average to 41.8 Mbps on the same access points came from three things: moving corporate WiFi to the 5GHz band, planning 2.4GHz channels using only the three non-overlapping channels, and fixing the VLAN trunk configuration on the switches. No hardware was replaced. Proper configuration is everything.

💡 SD-WAN Must Come Before Firewall Policies

If you try to create a firewall policy referencing virtual-wan-link before the SD-WAN zone is configured, FortiOS throws a node_check_object error. Always configure SD-WAN first then build firewall policies on top of it.

10

Final Results

Every test passed. The network is stable, fast and properly segmented. Staff on CIM-WiFi cannot reach the guest network and guests cannot reach any corporate resource. The FortiAP covers the previously weak CCR area and everything is documented in NetBox.

Test Performed: Result
FortiGate internet connectivity: ✅ Passed
Wired PCs on all three switches: ✅ Passed
CIM-WiFi on Cisco APs: ✅ Passed (41.8 Mbps / 1ms jitter)
CIM-WiFi on FortiAP 231F: ✅ Passed
cim-guest on Cisco APs: ✅ Passed
cim-guest on FortiAP 231F: ✅ Passed
Guest to corporate isolation: ✅ Passed (completely blocked)
All 8 Cisco APs reachable: ✅ Passed
NetBox documentation: ✅ Complete
All Rights Reserved by Bikram Bhujel © 2019 - 2030