Skip to main content
tk34
tk34
New Member
October 15, 2018
Solved

DHCP crossing over VLANs

  • October 15, 2018
  • 1 reply
  • 7486 views

Fortigate 100D 5.6

I have LAN (VLAN1) and VOICE (VLAN2). VLAN1 is assigned to ports 1-14. Vlan2 is assigned to ports 15-16.

VLAN1: 192.168.1.1/24 DHCP Enabled 192.168.1.80 - 192.168.1.254

VLAN2: 192.168.0.1/24 DHCP Enabled 192.168.0.50 - 192.168.0.254

 

Port 15 is mirrored from Port 16. Nothing connected currently.

Port 16 is connected to it's own switch and devices.

Port 1 is connected to it's own switch and devices.

They are only linked by the firewall. The switches are not cross connected.

 

Somehow, PC's on VLAN1 have pulled an IP from VLAN2. I can't get them to drop this IP and it still works, as in they can traverse the network and get to the internet. I have tried unplugging their cables, Windows Troubleshoot and Repair, ip config /release and then renewing. Nothing works. I can tone down the connection and they are plugged into VLAN1.

 

Am I missing something? I should note, this is a fresh Fortigate 100D as the previous one bit the dust and had to be replaced.

Best answer by emnoc

Do some pcap  and  find the DHCP server and see if any    DHCP rogue server? Also double check the  server mac-address in the layer2  forwarding table

 

1 reply

emnoc
emnocAnswer
New Member
October 15, 2018

Do some pcap  and  find the DHCP server and see if any    DHCP rogue server? Also double check the  server mac-address in the layer2  forwarding table

 

tanr
tanr
New Member
October 15, 2018

Do you have security policies allowing traffic between the vlans? 

 

Is there a route between the vlans or are they both in a zone which allows intra-zone routing?

 

You should probably double-check your vlan settings on the FGT and your switch as well.  It could be that you just allowed both vlans through by accident.

tk34
tk34Author
New Member
October 15, 2018

tanr wrote:

Do you have security policies allowing traffic between the vlans? 

 

Is there a route between the vlans or are they both in a zone which allows intra-zone routing?

 

You should probably double-check your vlan settings on the FGT and your switch as well.  It could be that you just allowed both vlans through by accident.

I have inter vlan communication enabled via policy. I had this on the previous fortigate unit, but this DHCP cross over never happened. I'll switch it over to a route after hours and see what happens.

Terms & ConditionsAccessibility statement