riteshpv
Staff
Article Id 231324
Description This article describes what to do when FortiSwitches are unable to ping each other on the same VLAN even though that VLAN is allowed on the link between the switches.
Scope FortiSwitch v6.4.x / v7.0.x / v7.2.x
Solution

One of the possible causes of this behavior is that the subnet is not added to the trusted host list of the system admin account.

- Consider the following topology:

[Topology diagram]

- Consider two VLANs, VLAN 4 and VLAN 6, tagged between the FortiSwitches.

- Each FortiSwitch has a Layer 3 interface on both VLANs.

 

Fortiswitch1 # show system interface

config system interface
    edit "4"
        set ip 4.4.4.1 255.255.255.0
        set allowaccess ping ssh
        set vlanid 4
        set interface "internal"
    next
    edit "6"
        set ip 6.6.6.1 255.255.255.0
        set allowaccess ping ssh
        set vlanid 6
        set interface "internal"
    next
end

 

Fortiswitch2 # show system interface

config system interface
    edit "4"
        set ip 4.4.4.2 255.255.255.0
        set allowaccess ping ssh
        set vlanid 4
        set interface "internal"
    next
    edit "6"
        set ip 6.6.6.2 255.255.255.0
        set allowaccess ping ssh
        set vlanid 6
        set interface "internal"
    next
end

 

- Consider the case where ping/SSH works between the VLAN 6 interfaces of the two FortiSwitches but fails between their VLAN 4 interfaces.

- Check the system admin configuration on both FortiSwitches:

# show system admin

config system admin
    edit "admin"
        set trusthost1 6.6.6.0 255.255.255.0
        set accprofile "super_admin"
    next
end

In the configuration above, only the VLAN 6 subnet (6.6.6.0/24) is configured as a trusted host for the admin account, so management traffic (ping/SSH) arriving from the VLAN 4 subnet is not accepted.

 

Resolution.

 

To resolve the issue, use either one of the following options:

 

Option 1:

Add the new subnet to the trusted host list of the FortiSwitch system admin account.
Once the subnet is added to the trusted host list, ping/SSH to the FortiSwitch from the newly added subnet (in this case VLAN 4) works.
With this configuration, ping/SSH to the FortiSwitch works from both subnets.

 

# show system admin

config system admin
    edit "admin"
        set trusthost1 6.6.6.0 255.255.255.0
        set trusthost2 4.4.4.0 255.255.255.0
        set accprofile "super_admin"
    next
end

 

Option 2:

To allow only ping (and not SSH) from the new subnet, create an additional system admin account with no subnet in its trusted host list, as shown below.
With this configuration, the client can ping and SSH between the VLAN 6 interfaces, but from VLAN 4 only ping works with the "admin" account. Note that an admin account with no trusted hosts is not restricted by source address at all, so the new account should be given a strong password and no more privileges than necessary.

config system admin
    edit "admin"
        set trusthost1 6.6.6.0 255.255.255.0
        set accprofile "super_admin"
    next
    edit "test"
        set accprofile "super_admin"
    next
end
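The trusted-host check that both options depend on, as an added example that is not part of the original article: a small Python helper that parses a `config system admin` block and reports which admin accounts admit a given source address, using the Option 2 configuration above as constructed sample input. The function names `parse_trusthosts` and `admins_allowing` are hypothetical; an account with no `trusthost` entries is treated as reachable from any source, which is the FortiOS default.

```python
import ipaddress
import re

# Constructed sample: the "config system admin" block from Option 2 above.
SAMPLE_ADMIN_CONFIG = """\
config system admin
    edit "admin"
        set trusthost1 6.6.6.0 255.255.255.0
        set accprofile "super_admin"
    next
    edit "test"
        set accprofile "super_admin"
    next
end
"""


def parse_trusthosts(config_text):
    """Return {admin_name: [IPv4Network, ...]} from a 'config system admin' block.

    An admin whose list is empty has no trusted-host restriction.
    """
    admins = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r'edit\s+"?([^"]+)"?$', line)
        if m:
            current = m.group(1)
            admins[current] = []
            continue
        m = re.match(r'set\s+trusthost\d+\s+(\S+)\s+(\S+)$', line)
        if m and current is not None:
            # FortiOS writes "address netmask"; strict=False accepts host bits.
            admins[current].append(
                ipaddress.IPv4Network((m.group(1), m.group(2)), strict=False))
        elif line == "next":
            current = None
    return admins


def admins_allowing(config_text, source_ip):
    """Sorted names of admins whose trusted-host list admits source_ip."""
    ip = ipaddress.IPv4Address(source_ip)
    allowed = [name for name, nets in parse_trusthosts(config_text).items()
               if not nets or any(ip in net for net in nets)]
    return sorted(allowed)


if __name__ == "__main__":
    for peer in ("6.6.6.2", "4.4.4.2"):  # the two peer FortiSwitch interfaces
        print(peer, "->", admins_allowing(SAMPLE_ADMIN_CONFIG, peer))
```

Running it shows that 4.4.4.2 is admitted only by the unrestricted "test" account, which is why ping from VLAN 4 starts working after Option 2 while the "admin" account remains limited to VLAN 6.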

 

Note.

The ping tests above are performed only between the FortiSwitches on the same VLAN, not between VLANs.
