Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
CodeTron
New Contributor

VLAN access from a different switch

Hi,

 

I have two switches, SW1 for internal LAN, SW2 for Guest

I want to setup management ports for both switches on VLAN 99 (10.10.99.0/24)

SW1 is directly connected to FG90E port that has the VLAN 99 configured on, I can reach the management IP of SW1 from the internal LAN (10.10.20.0/24) with no problems ( the needed polices are created to establish the connection)

SW2 is directly connected to another separated port on the FG90E with a different subnet (192.168.0.0/24) no VLANs are configured on this switch all ports are in access mode.

Now, I want to be able to access the management ip of SW2 which is on subnet (10.10.99.0/24) from the internal lan (10.10.20.0/24) 

how can I establish this connection?

 

Thank you in advance 

 

1 Solution
sw2090
Honored Contributor

well you moved yourself into a dead end I think. You use the same management vlan (99) with the same subnet on both switches but they connect to your fgt on diffrent physical interfaces.

You cannot set up the same vid and/or subnet on two different interfaces on your FGT. 

This would only work if the two interfaces are either a switch or a trunk.

 

We achieve this the following way:

 

all our switches are in the same management vlan and they all are connected together so there is redundant networking between them using spanning tree and lacp. 

Then the core switch connects to a pysical interface on the Fortigate that is a vlan trunk (i.e. has all our vids tagged on it) and there is policies for the subnet access on the vlans (or a zone that has them all if it is the same for all).

All other subnets we have are vlans then and they are tagged/untagged or not at all at port(s) on switches. This works fine and subnets are still seperated completely. 

 

It would also work if you put the two physical ports into a switch so they share the subnet(s) and vlan(s).


-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

View solution in original post

2 REPLIES 2
Anonymous
Not applicable

Hello @CodeTron ,

 

Thank you for posting on Fortinet Community Forum.

 

Are you be able to provide a network diagram?

Are you able to ping the management IP of switch2 from the internal LAN machine?

Thanks,

sw2090
Honored Contributor

well you moved yourself into a dead end I think. You use the same management vlan (99) with the same subnet on both switches but they connect to your fgt on diffrent physical interfaces.

You cannot set up the same vid and/or subnet on two different interfaces on your FGT. 

This would only work if the two interfaces are either a switch or a trunk.

 

We achieve this the following way:

 

all our switches are in the same management vlan and they all are connected together so there is redundant networking between them using spanning tree and lacp. 

Then the core switch connects to a pysical interface on the Fortigate that is a vlan trunk (i.e. has all our vids tagged on it) and there is policies for the subnet access on the vlans (or a zone that has them all if it is the same for all).

All other subnets we have are vlans then and they are tagged/untagged or not at all at port(s) on switches. This works fine and subnets are still seperated completely. 

 

It would also work if you put the two physical ports into a switch so they share the subnet(s) and vlan(s).


-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams