Fortigate 100D 5.6
I have LAN (VLAN1) and VOICE (VLAN2). VLAN1 is assigned to ports 1-14. Vlan2 is assigned to ports 15-16.
VLAN1: 192.168.1.1/24 DHCP Enabled 192.168.1.80 - 192.168.1.254
VLAN2: 192.168.0.1/24 DHCP Enabled 192.168.0.50 - 192.168.0.254
Port 15 is mirrored from Port 16. Nothing connected currently.
Port 16 is connected to its own switch and devices.
Port 1 is connected to its own switch and devices.
They are only linked by the firewall. The switches are not cross connected.
Somehow, PCs on VLAN1 have pulled an IP from VLAN2. I can't get them to drop this IP and it still works, as in they can traverse the network and get to the internet. I have tried unplugging their cables, Windows Troubleshoot and Repair, ipconfig /release and then renewing. Nothing works. I can tone down the connection and they are plugged into VLAN1.
Am I missing something? I should note, this is a fresh Fortigate 100D as the previous one bit the dust and had to be replaced.
Do some pcap and find the DHCP server and see if there is any rogue DHCP server. Also double check the server MAC address in the layer 2 forwarding table.
PCNSE
NSE
StrongSwan
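As an added example (not from the thread or from Fortinet), a stdlib-only Python checker for the pcap approach suggested above: it parses the UDP payload of DHCP messages and flags any OFFER/ACK whose server identifier or offered address lies outside the subnet expected on VLAN1 (192.168.1.0/24). A real run would feed in payloads read from a capture; the two messages below are constructed inline.

```python
import ipaddress

# Subnet the LAN VLAN should be served from (from the thread); anything else is suspect.
VLAN1_NET = ipaddress.ip_network("192.168.1.0/24")
DHCP_COOKIE = b"\x63\x82\x53\x63"

def parse_dhcp(payload: bytes) -> dict:
    """Parse a DHCP message (UDP payload): 236-byte BOOTP header, magic cookie, TLV options."""
    if len(payload) < 240 or payload[236:240] != DHCP_COOKIE:
        raise ValueError("not a DHCP message (bad length or magic cookie)")
    yiaddr = ipaddress.ip_address(payload[16:20])      # 'your' address offered to the client
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:                                   # pad option, no length byte
            i += 1
            continue
        if code == 255:                                 # end option
            break
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = opts[53][0] if 53 in opts else 0         # option 53: DHCP message type
    server = ipaddress.ip_address(opts[54]) if 54 in opts else None   # option 54: server id
    return {"op": payload[0], "yiaddr": yiaddr, "type": msg_type, "server": server}

def offers_outside_subnet(payloads, expected_net):
    """Return (server, offered address) for every OFFER/ACK that does not belong to expected_net."""
    suspect = []
    for p in payloads:
        m = parse_dhcp(p)
        if m["type"] not in (2, 5):                     # DHCPOFFER = 2, DHCPACK = 5
            continue
        if m["server"] is None or m["server"] not in expected_net or m["yiaddr"] not in expected_net:
            suspect.append((str(m["server"]), str(m["yiaddr"])))
    return suspect

def build_offer(server: str, yiaddr: str, msg_type: int = 2) -> bytes:
    """Constructed sample DHCPOFFER (UDP payload only) so the checker runs offline."""
    fixed = bytes([2, 1, 6, 0]) + b"\x00" * 12 + ipaddress.ip_address(yiaddr).packed
    fixed += b"\x00" * (236 - len(fixed))               # zero ciaddr/siaddr/giaddr/chaddr/sname/file
    opts = bytes([53, 1, msg_type, 54, 4]) + ipaddress.ip_address(server).packed + b"\xff"
    return fixed + DHCP_COOKIE + opts

# Constructed capture: one legitimate VLAN1 offer, one VLAN2 server answering on VLAN1.
CAPTURED = [
    build_offer("192.168.1.1", "192.168.1.100"),
    build_offer("192.168.0.1", "192.168.0.77"),
]

if __name__ == "__main__":
    for server, addr in offers_outside_subnet(CAPTURED, VLAN1_NET):
        print(f"unexpected DHCP server {server} offered {addr} on VLAN1")
```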
Do you have security policies allowing traffic between the vlans?
Is there a route between the vlans or are they both in a zone which allows intra-zone routing?
You should probably double-check your vlan settings on the FGT and your switch as well. It could be that you just allowed both vlans through by accident.
tanr wrote:
I have inter vlan communication enabled via policy. I had this on the previous fortigate unit, but this DHCP cross over never happened. I'll switch it over to a route after hours and see what happens.
I just realized you assumed I had created vlans and zones. I didn't do that. I simply added subnet to hardware switches. Then added a policy allowing traffic between the two.
So I have created a new policy denying DHCP requests from VLAN2 to VLAN1 subnet. Hopefully that cures it.