Skip to main content
jerryroy1
jerryroy1
New Member
October 4, 2020
Question

Fortigate 100D and Cisco Vlan config - DHCP Failure

  • October 4, 2020
  • 1 reply
  • 5579 views

Can someone tell me if this is correct? I am trying to obtain an IP address from a Fortigate 100D configured as a dhcp server that is connected to a linksys dumb switch that is now in turn connected to a 2960 Cisco switch. I can get an IP on laptop if I plug directly into the dumb switch that is also plugged in the "LAN" port of the Fortigate without issue. As soon as I introduce the 2960, I am unable to obtain an IP from the Fortigate. I have created a temporary IP subnet on port 16 so I can test my trunking and switch config and see why not working. But if I plug both Fortigate and a Laptop into my 2960 I never get an IP from the Fortigate. I have an existing VLAN1 for a Church and an existing VLAN1 for a Christian School and want to allow both Church and school to use the AP's around the campus that connects to their own unique vlan. I have created a vlan 20 and originally assigned it to LAN interface of the Fortigate and like I said, It never worked. I am 99% sure the config is correct because I can ping thru the entire network on the 2 vlans to the IP assigned to the AP in the Gym (See attached drawing) 

Here is the Cisco side:

(uplink plugged in here) ! interface FastEthernet0/24 switchport access vlan 20 switchport trunk allowed vlan 20

 

(Laptop for test plugged into here) ! interface FastEthernet0/13 switchport access vlan 20 switchport mode access end

Here is the Fortigate side:

This interface should be in Vlan 20

next edit "port16" set vdom "root" set type physical set snmp-index 12 next

edit "Vlan_20" set vdom "root" set ip 192.168.20.1 255.255.255.0 set allowaccess ping https ssh fgfm capwap set snmp-index 13 set interface "port16" set vlanid 20 next

Also, 

This interface should be in Vlan 1

edit "dmz" set vdom "root" set ip 192.168.2.3 255.255.255.0 set allowaccess ping https ssh fgfm set type physical set snmp-index 4

 

https://photos.app.goo.gl/hzJBG4yxoZvSbVbm6

    1 reply

    lobstercreed
    lobstercreed
    New Member
    October 4, 2020

    Let me give you a quick response rather than a thorough one, because I think you may have a key misconception about VLAN interfaces and FortiGates.  If that turns out not to be the case then maybe we can revisit the details of this.

     

    The config you have on your FortiGate for port16 makes that a trunk with whatever is the "native" or access VLAN dumping out on port16 itself, and then VLAN 20 being tagged going in and out of that interface (plus any other VLANs you happen to add to port16).  The problem is your unmanaged switch can only operate with untagged frames, so it is not capable of tagging traffic into port16 with the appropriate VLAN tag.

     

    So if you remove the following config altogether and treat port16 as your VLAN 20 interface, I think you'll achieve what you wanted to:

    edit "Vlan_20" set vdom "root" set ip 192.168.20.1 255.255.255.0 set allowaccess ping https ssh fgfm capwap set snmp-index 13 set interface "port16" set vlanid 20 next

    sw2090
    SuperUser
    sw2090
    SuperUser
    October 5, 2020

    to add: i you do it the way lobstercreed wrote you have to make sure that the cisco coming behind the dumb switch is takeing care for correct vlan tagging on the port the dumb switch is connected to it. Otherwise you will never reach vlan20 from there or the FGT from out of vlan20...

    Terms & ConditionsAccessibility statement