Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
tk34
New Contributor

Created on ‎10-15-2018 10:28 AM

DHCP crossing over VLANs

Fortigate 100D 5.6

I have LAN (VLAN1) and VOICE (VLAN2). VLAN1 is assigned to ports 1-14. Vlan2 is assigned to ports 15-16.

VLAN1: 192.168.1.1/24 DHCP Enabled 192.168.1.80 - 192.168.1.254

VLAN2: 192.168.0.1/24 DHCP Enabled 192.168.0.50 - 192.168.0.254

 

Port 15 is mirrored from Port 16. Nothing connected currently.

Port 16 is connected to it's own switch and devices.

Port 1 is connected to it's own switch and devices.

They are only linked by the firewall. The switches are not cross connected.

 

Somehow, PC's on VLAN1 have pulled an IP from VLAN2. I can't get them to drop this IP and it still works, as in they can traverse the network and get to the internet. I have tried unplugging their cables, Windows Troubleshoot and Repair, ip config /release and then renewing. Nothing works. I can tone down the connection and they are plugged into VLAN1.

 

Am I missing something? I should note, this is a fresh Fortigate 100D as the previous one bit the dust and had to be replaced.

Fortigate 100D 5.6

4673
0 Kudos
2 Solutions
emnoc
Esteemed Contributor III

Created on ‎10-15-2018 10:36 AM

Do some pcap  and  find the DHCP server and see if any    DHCP rogue server? Also double check the  server mac-address in the layer2  forwarding table

 

PCNSE 

NSE 

StrongSwan  

View solution in original post

1701
0 Kudos
tanr
Valued Contributor II
In response to emnoc

Created on ‎10-15-2018 10:58 AM

Do you have security policies allowing traffic between the vlans? 

 

Is there a route between the vlans or are they both in a zone which allows intra-zone routing?

 

You should probably double-check your vlan settings on the FGT and your switch as well.  It could be that you just allowed both vlans through by accident.

View solution in original post

1701
0 Kudos
4 REPLIES 4
emnoc
Esteemed Contributor III

Created on ‎10-15-2018 10:36 AM

Do some pcap  and  find the DHCP server and see if any    DHCP rogue server? Also double check the  server mac-address in the layer2  forwarding table

 

PCNSE 

NSE 

StrongSwan  

1702
0 Kudos
tanr
Valued Contributor II
In response to emnoc

Created on ‎10-15-2018 10:58 AM

Do you have security policies allowing traffic between the vlans? 

 

Is there a route between the vlans or are they both in a zone which allows intra-zone routing?

 

You should probably double-check your vlan settings on the FGT and your switch as well.  It could be that you just allowed both vlans through by accident.

1702
0 Kudos
tk34
New Contributor
In response to tanr

Created on ‎10-15-2018 11:37 AM

tanr wrote:

Do you have security policies allowing traffic between the vlans? 

 

Is there a route between the vlans or are they both in a zone which allows intra-zone routing?

 

You should probably double-check your vlan settings on the FGT and your switch as well.  It could be that you just allowed both vlans through by accident.

I have inter vlan communication enabled via policy. I had this on the previous fortigate unit, but this DHCP cross over never happened. I'll switch it over to a route after hours and see what happens.

Fortigate 100D 5.6

1680
0 Kudos
tk34
New Contributor
In response to tk34

Created on ‎10-15-2018 07:37 PM

I just realized you assumed I had created vlans and zones. I didn't do that. I simply added subnet to hardware switches. Then added a policy allowing traffic between the two.

 

So I have created a new policy denying DHCP requests from VLAN2 to VLAN1 subnet. Hopefully that cures it.

Fortigate 100D 5.6

1680
0 Kudos
Labels
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.