Fortinet Forum
MontanaMike

MGMT Interface on "Internal"

Stupid question that I've been beating my head against.  My new FS (1048E running v6.4.2) has a dedicated mgmt interface but I don't want to use it and would rather have mgmt allowed on any interface that is up/connected to the network and essentially has a management IP address assigned globally.  On my old switches I'd assign an IP address to a VLAN and allow mgmt protocols.  Pretty simple.  I've followed the instructions in the admin guide for both "models with dedicated" and models without but am stumbling at the part where after configuring the "internal" interface (ip address, allowed access, etc) it wants me to "create a new interface to be used for management" and assign an address to it...which it won't allow because the mgmt address is in use by the "internal" interface.


config system interface
    edit internal
        set ip 172.16.1.50/24
        set allowaccess ping https ssh
        set type physical
        set secondary-IP enable
        config secondaryip
            edit <id>
                set ip <IP_address_and_netmask>
                set allowaccess <access_types>
            next
        end
    next
    edit MGMT1
        set ip 172.16.1.50/24
        set allowaccess ping https ssh
        set interface internal
        set vlanid 1
        set secondary-IP enable
        config secondaryip
            edit <id>
                set ip <IP_address_and_netmask>
                set allowaccess <access_types>
            next
        end
    next
end

that results in the obvious error of a duplicate IP.  I can't seem to turn it up unless it's on the dedicated mgmt port which I don't want. Any suggestions would be appreciated.

-Mike
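The error in the question comes from two interfaces ("internal" and the new management VLAN interface) carrying the same address. Below is an added example, not code from the thread or from Fortinet, of a small audit script that parses a `config system interface` dump in the FortiSwitch CLI format shown above, collapses the two address notations it uses (`a.b.c.d/nn` and `a.b.c.d mask`), and reports duplicate addresses and clear-text management protocols. The function names, the `SAMPLE_CONFIG` text (modelled on the fragments in this thread, with one constructed `http` entry) and the nested-block handling are assumptions of this example.

```python
import ipaddress
import shlex
from collections import defaultdict

# Constructed sample, modelled on the config fragments quoted in this thread.
# The "set allowaccess ping http" line on mgmt is constructed to exercise the
# clear-text check; it is not from the original post.
SAMPLE_CONFIG = """
config system interface
    edit "internal"
        set ip 172.16.1.50/24
        set allowaccess ping https ssh
        set type physical
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 172.16.2.50 255.255.255.0
                set allowaccess ping
            next
        end
    next
    edit "mgmt"
        set ip 0.0.0.0 0.0.0.0
        set allowaccess ping http
        set type physical
    next
    edit "netmgmt"
        set mode static
        set ip 172.16.1.50 255.255.255.0
        set allowaccess ping https ssh
        set status up
        set type vlan
        config ipv6
            set ip6-address ::/0
            unset ip6-allowaccess
        end
        set vlanid 1
        set interface "internal"
    next
end
"""

# Management protocols that carry credentials in clear text.
INSECURE_ACCESS = {"telnet", "http"}


def parse_interfaces(text):
    """Parse the `config system interface` section into {name: {key: [values]}}.

    Nested `config ... end` sub-blocks (secondaryip, ipv6) are tracked by depth
    and skipped, so only each interface's own `set`/`unset` lines are recorded.
    """
    interfaces = {}
    current = None
    in_section = False
    depth = 0  # nesting depth relative to `config system interface`
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())
        if not tokens:
            continue
        cmd = tokens[0]
        if cmd == "config":
            if not in_section and tokens[1:] == ["system", "interface"]:
                in_section, depth = True, 1
            elif in_section:
                depth += 1
        elif cmd == "end":
            if in_section:
                depth -= 1
                if depth == 0:
                    in_section, current = False, None
        elif not in_section or depth != 1:
            continue  # outside the section or inside a nested sub-block
        elif cmd == "edit":
            current = tokens[1]
            interfaces[current] = {}
        elif cmd == "next":
            current = None
        elif cmd in ("set", "unset") and current is not None:
            interfaces[current][tokens[1]] = tokens[2:]
    return interfaces


def normalize_ip(values):
    """Return an ip_interface for 'a.b.c.d/nn' or 'a.b.c.d mask', or None if unset/0.0.0.0."""
    if not values:
        return None
    iface = ipaddress.ip_interface("/".join(values))
    return None if iface.ip == ipaddress.ip_address("0.0.0.0") else iface


def audit(interfaces):
    """Return findings: clear-text management access and addresses shared by several interfaces."""
    findings = []
    by_ip = defaultdict(list)
    for name, attrs in interfaces.items():
        addr = normalize_ip(attrs.get("ip", []))
        if addr is not None:
            by_ip[addr.ip].append(name)
        for proto in sorted(set(attrs.get("allowaccess", [])) & INSECURE_ACCESS):
            findings.append(f"{name}: clear-text management protocol '{proto}' allowed")
    for ip, names in sorted(by_ip.items(), key=lambda kv: str(kv[0])):
        if len(names) > 1:
            findings.append(f"duplicate address {ip} on interfaces {', '.join(sorted(names))}")
    return findings


if __name__ == "__main__":
    for line in audit(parse_interfaces(SAMPLE_CONFIG)):
        print(line)
```

Run against the sample, the script reports the same duplicate that the switch rejected (172.16.1.50 on both "internal" and "netmgmt"), which is the condition to clear before the VLAN management interface will come up with that address; the `allowaccess` check is a reminder to keep management restricted to `https` and `ssh` when the address is reachable from the production VLAN.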

brycemd

Create a new interface and assign to the VLAN you want it on:

edit 1
    set ip x.x.x.x
    set allowaccess https ping
    set vlanid x

MontanaMike

brycemd wrote:

Create a new interface and assign to the VLAN you want it on:

edit 1
    set ip x.x.x.x
    set allowaccess https ping
    set vlanid x

I've done that and still nothing, assuming the new interface has the IP I want to use for the mgmt interface.

FS1 # config system interface
FS1 (interface) # edit name    Name.
internal   static   0.0.0.0 0.0.0.0             up   physical
mgmt       static   0.0.0.0 0.0.0.0             up   physical
netmgmt    static   172.16.1.50 255.255.255.0   up   vlan

-Mike

brycemd

Not really sure, that's what I always do and I've never had an issue with it.


Are you attempting to access from same VLAN? Maybe missing a gateway?


I guess can you show the config for netmgmt

MontanaMike

I do have a default static route set with the device as "any" (or unset in the cli).  Didn't seem to make a difference if I force it to "internal" or "netmgmt".

config router static
    edit 1
        set bfd disable
        set blackhole disable
        set comment ''
        set device ''
        set distance 10
        set dst 0.0.0.0 0.0.0.0
        set dynamic-gateway disable
        set gateway 172.16.1.1
        set status enable
    next
end


Here is the full config for "netmgmt"

    edit "netmgmt"
        set mode static
        set dhcp-relay-service disable
        set ip 172.16.1.50 255.255.255.0
        set allowaccess ping https ssh
        set bfd disable
        set bfd-desired-min-tx 250
        set bfd-detect-mult 3
        set bfd-required-min-rx 250
        set icmp-redirect enable
        set src-check disable
        set status up
        set type vlan
        set description ''
        set alias ''
        set vrrp-virtual-mac disable
        set secondary-IP disable
        set snmp-index 56
        config ipv6
            set ip6-address ::/0
            set ip6-mode static
            unset ip6-allowaccess
            set autoconf disable
            set ip6-unknown-mcast-to-cpu disable
            set dhcp6-information-request disable
            set ip6-send-adv disable
            set vrrp-virtual-mac6 disable
            set vrip6_link_local ::
        end
        set vlanid 1
        set interface "internal"
    next

-Mike

brycemd

Assuming VLAN 1 is the VLAN for 172.16.1.x, it looks correct to me.

You can try setting netmgmt to DHCP to see if it has full network communication (if there is a DHCP server for the VLAN). Its ability to get a DHCP lease or not should at least point you in the right direction.

MontanaMike

I'm starting to think it's the physical connection to my network.  I have the 1048E set up temporarily in my office with a fiber-to-copper converter connected to port1 on the switch.  I get link lights (with matching transceivers) and the wall jack/port back to my network is set properly, but no apparent connectivity when I try to set up the switch to manage through any ethernet port.  When I plug the wall jack via copper in to the native RJ45 mgmt interface on the switch and configure it back to default, it works.

I'm going to round up another fiber to copper converter and test again with it.

-Mike

SecurityPlus

Have you been able to resolve this issue yet?
MontanaMike

SecurityPlus wrote:
Have you been able to resolve this issue yet?

No, not yet.  I ordered a replacement fiber to copper converter and it should be getting here today.  I'll connect it to port 1 on the 1048E, make the config changes and see what happens.

-Mike

MontanaMike

All is working as normal.  Not sure if it was the media converter or something else.  Interesting to note that the 1048E worked with just applying the IP address (in this case 172.16.1.50) to the "internal" interface and allowing access protocols.  The two 448Ds I also just received worked with adding a new interface and assigning their respective IPs plus the vlanid to the interface.

-Mike