Support Forum
tk34
New Contributor

DHCP crossing over VLANs

Fortigate 100D 5.6

I have LAN (VLAN1) and VOICE (VLAN2). VLAN1 is assigned to ports 1-14. VLAN2 is assigned to ports 15-16.

VLAN1: 192.168.1.1/24 DHCP Enabled 192.168.1.80 - 192.168.1.254

VLAN2: 192.168.0.1/24 DHCP Enabled 192.168.0.50 - 192.168.0.254

 

Port 15 is mirrored from Port 16. Nothing connected currently.

Port 16 is connected to its own switch and devices.

Port 1 is connected to its own switch and devices.

They are only linked by the firewall. The switches are not cross connected.

 

Somehow, PCs on VLAN1 have pulled an IP from VLAN2. I can't get them to drop this IP, and it still works, as in they can traverse the network and get to the internet. I have tried unplugging their cables, Windows Troubleshoot and Repair, ipconfig /release and then renewing. Nothing works. I can tone down the connection and they are plugged into VLAN1.

 

Am I missing something? I should note, this is a fresh Fortigate 100D as the previous one bit the dust and had to be replaced.

Fortigate 100D 5.6
2 Solutions
emnoc
Esteemed Contributor III

Do some pcap and find the DHCP server, and see if there is any rogue DHCP server. Also double-check the server MAC address in the layer 2 forwarding table.

 

PCNSE NSE StrongSwan
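The check emnoc suggests, worked through as an added example (this is not code from the thread or from Fortinet): take the DHCP replies seen in a capture, read the server identifier (option 54) and the offered address out of each DHCPOFFER/DHCPACK, and compare them with the server and pool that belong on the interface the frame arrived on. A capture on the FortiGate with `diagnose sniffer packet any 'udp port 67 or udp port 68' 6` would supply the real frames; here two DHCPOFFER payloads are constructed inline so the script runs offline. The interface names `lan` and `voice`, the MAC addresses and the transaction IDs are assumptions. An offer on the LAN side carrying server-id 192.168.0.1 and a 192.168.0.x address means the VOICE DHCP server is reachable at layer 2 from the LAN segment (or something is impersonating it); the source MAC the script reports is what to look up in the switch's forwarding table to find which port it came in on.

```python
"""Flag DHCP offers that arrive on an interface from a server or pool that
does not belong there. Added example; frames are constructed inline."""
import ipaddress
import struct

# Expected DHCP server and pool per ingress interface, from the thread.
# Interface names are assumptions.
EXPECTED = {
    "lan":   {"server": "192.168.1.1", "subnet": "192.168.1.0/24"},
    "voice": {"server": "192.168.0.1", "subnet": "192.168.0.0/24"},
}

# Fixed BOOTP header (RFC 2131): 236 bytes, followed by the DHCP magic cookie.
BOOTP_HDR = struct.Struct("!BBBBIHHIIII16s64s128s")
MAGIC = b"\x63\x82\x53\x63"


def parse_dhcp(payload):
    """Parse the UDP payload of a DHCP message into the fields we care about."""
    end = BOOTP_HDR.size
    if len(payload) < end + 4 or payload[end:end + 4] != MAGIC:
        raise ValueError("not a DHCP message")
    (op, _htype, hlen, _hops, xid, _secs, _flags, _ciaddr, yiaddr,
     _siaddr, _giaddr, chaddr, _sname, _file) = BOOTP_HDR.unpack_from(payload)
    opts = {}
    i = end + 4
    while i < len(payload):
        code = payload[i]
        if code == 0:            # pad
            i += 1
            continue
        if code == 255:          # end of options
            break
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": op,
        "xid": xid,
        "yiaddr": str(ipaddress.IPv4Address(yiaddr)),
        "chaddr": chaddr[:hlen].hex(":"),
        "msg_type": opts.get(53, b"\x00")[0],
        "server_id": str(ipaddress.IPv4Address(opts[54])) if 54 in opts else None,
    }


def audit(frames):
    """frames: iterable of (ingress_iface, src_mac, dhcp_payload).
    Returns (iface, src_mac, client_mac, reason) for every offer/ack that
    comes from the wrong server or hands out an address from the wrong pool."""
    findings = []
    for iface, src_mac, payload in frames:
        msg = parse_dhcp(payload)
        if msg["op"] != 2 or msg["msg_type"] not in (2, 5):   # OFFER or ACK only
            continue
        exp = EXPECTED[iface]
        problems = []
        if msg["server_id"] != exp["server"]:
            problems.append(f"server-id {msg['server_id']} is not {exp['server']}")
        if ipaddress.IPv4Address(msg["yiaddr"]) not in ipaddress.IPv4Network(exp["subnet"]):
            problems.append(f"offered {msg['yiaddr']} outside {exp['subnet']}")
        if problems:
            findings.append((iface, src_mac, msg["chaddr"], "; ".join(problems)))
    return findings


def build_offer(xid, yiaddr, server_id, chaddr):
    """Construct a minimal DHCPOFFER payload (sample data for this example)."""
    hw = bytes.fromhex(chaddr.replace(":", "")).ljust(16, b"\0")
    hdr = BOOTP_HDR.pack(2, 1, 6, 0, xid, 0, 0, 0,
                         int(ipaddress.IPv4Address(yiaddr)), 0, 0,
                         hw, b"\0" * 64, b"\0" * 128)
    opts = (b"\x35\x01\x02"                                        # 53: OFFER
            + b"\x36\x04" + ipaddress.IPv4Address(server_id).packed  # 54: server id
            + b"\x33\x04" + struct.pack("!I", 86400)                 # 51: lease time
            + b"\xff")
    return hdr + MAGIC + opts


# Constructed sample: a normal offer on the LAN side, then the symptom from the
# thread, an offer seen on the LAN side from the VOICE server and pool.
SAMPLE_FRAMES = [
    ("lan", "00:09:0f:aa:bb:01",
     build_offer(0x1234, "192.168.1.100", "192.168.1.1", "3c:97:0e:11:22:33")),
    ("lan", "00:09:0f:aa:bb:02",
     build_offer(0x5678, "192.168.0.77", "192.168.0.1", "3c:97:0e:44:55:66")),
]

if __name__ == "__main__":
    for iface, src_mac, client, why in audit(SAMPLE_FRAMES):
        print(f"{iface}: offer from {src_mac} to {client}: {why}")
```

The `src_mac` in a finding is the layer 2 source of the offer, so if it is the FortiGate's own VOICE interface MAC the two segments are bridged somewhere (mirror port or cross-connect); if it is anything else, that host is a rogue server.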
tanr
Valued Contributor II

Do you have security policies allowing traffic between the vlans? 

 

Is there a route between the vlans or are they both in a zone which allows intra-zone routing?

 

You should probably double-check your vlan settings on the FGT and your switch as well.  It could be that you just allowed both vlans through by accident.


Replies
tk34
New Contributor

tanr wrote:

Do you have security policies allowing traffic between the vlans? 

 

Is there a route between the vlans or are they both in a zone which allows intra-zone routing?

 

You should probably double-check your vlan settings on the FGT and your switch as well.  It could be that you just allowed both vlans through by accident.

I have inter vlan communication enabled via policy. I had this on the previous fortigate unit, but this DHCP cross over never happened. I'll switch it over to a route after hours and see what happens.

Fortigate 100D 5.6
tk34
New Contributor

I just realized you assumed I had created VLANs and zones. I didn't do that. I simply added a subnet to each hardware switch. Then I added a policy allowing traffic between the two.

 

So I have created a new policy denying DHCP requests from VLAN2 to the VLAN1 subnet. Hopefully that cures it.

Fortigate 100D 5.6