Hi Everyone! Good day! I was trying to work with this scenario; could anyone help me with whether this is possible? See attached test.jpg. I have a FortiGate, a core switch, a distribution switch and a client PC. The goal is that the FortiGate must act as the DHCP server for all the VLANs (10, 20, 30). I've already tried to create the VLANs on the FortiGate (the same VLANs as on the core switch) and enabled DHCP. I also tried to allow all VLANs from the core switch (trunk) going to the firewall. The result: the test client in VLAN 30 can obtain an IP from the firewall but cannot access the internet, even though a firewall policy was already configured on the firewall (virtual interface (vlan30) to WAN). Best Regards, Kulas
My personal preference is to make the core switch an L2 switch for those three VLANs, which eliminates one hop and the DHCP relays to maintain. I don't see any benefit in "routing" through the switch instead of "switching", while the FGT still takes care of most of the necessary work. For management, the core switch still has vlan1 to get in.
The problem seems to be that the GW for all clients in the three VLANs is on the L3 core switch, while the FGT has a direct L2 connection to all clients (that's how they get DHCP IPs). This means outgoing packets come in on the vlan1 interface of the FGT, while returning/incoming packets go out to each vlan10, 20, 30 interface from the FGT: asymmetric route -> drop. You need to move the GWs to the FGT on each VLAN interface.
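To make the path mismatch described above concrete, here is an added Python example (not from the thread and not Fortinet code) that simulates the FortiGate's interface lookups for a client session under both designs: client gateway on the core switch SVI versus on the FortiGate VLAN interface. The addressing is constructed for the lab: the FGT's leg toward the switch is vlan1 in 192.168.1.0/24, user VLANs are 10.0.<vlan>.0/24, the FGT owns .254 and the switch SVI owns .1 in every subnet; the function names are mine.

```python
import ipaddress

# Constructed lab addressing (assumptions, not from the thread): the firewall's leg
# toward the core switch is vlan1, the user VLANs are 10.0.<vlan>.0/24, the firewall
# owns .254 and the core switch SVI owns .1 in every subnet.
FGT_IFACES = {
    "vlan1":  ipaddress.ip_interface("192.168.1.254/24"),
    "vlan10": ipaddress.ip_interface("10.0.10.254/24"),
    "vlan20": ipaddress.ip_interface("10.0.20.254/24"),
    "vlan30": ipaddress.ip_interface("10.0.30.254/24"),
}
SWITCH_SVIS = {
    "vlan1":  ipaddress.ip_interface("192.168.1.1/24"),
    "vlan10": ipaddress.ip_interface("10.0.10.1/24"),
    "vlan20": ipaddress.ip_interface("10.0.20.1/24"),
    "vlan30": ipaddress.ip_interface("10.0.30.1/24"),
}
SWITCH_DEFAULT_GW = ipaddress.ip_address("192.168.1.254")  # core switch's default route


def lpm(ifaces, dst):
    """Longest-prefix match over directly connected subnets; None if nothing matches."""
    dst = ipaddress.ip_address(dst)
    hits = [(name, i) for name, i in ifaces.items() if dst in i.network]
    if not hits:
        return None
    return max(hits, key=lambda h: h[1].network.prefixlen)[0]


def switch_forward(dst):
    """Address the L3 core switch sends from when it forwards a packet toward dst."""
    name = lpm(SWITCH_SVIS, dst)
    if name is None:  # not a connected subnet: the switch follows its default route
        name = lpm(SWITCH_SVIS, SWITCH_DEFAULT_GW)
    return SWITCH_SVIS[name].ip


def fgt_path(client_ip, client_gw, internet_dst="198.51.100.10"):
    """Return (ingress_iface, reply_egress_iface) seen at the FortiGate for one session."""
    client_gw = ipaddress.ip_address(client_gw)
    # Which hop hands the client's outbound packet to the firewall?
    if any(i.ip == client_gw for i in FGT_IFACES.values()):
        prev_hop = ipaddress.ip_address(client_ip)   # gateway is the FGT: client talks to it directly
    else:
        prev_hop = switch_forward(internet_dst)      # gateway is the switch SVI: switch routes to the FGT
    ingress = lpm(FGT_IFACES, prev_hop)
    # The reply is routed by the FGT's own table: the VLAN subnet is directly connected.
    egress = lpm(FGT_IFACES, client_ip)
    return ingress, egress


def is_asymmetric(client_ip, client_gw):
    """True when the reply leaves on a different interface than the request arrived on."""
    ingress, egress = fgt_path(client_ip, client_gw)
    return ingress != egress


if __name__ == "__main__":
    for gw in ("10.0.30.1", "10.0.30.254"):
        print(gw, fgt_path("10.0.30.50", gw),
              "asymmetric" if is_asymmetric("10.0.30.50", gw) else "symmetric")
```

With the gateway on the switch SVI, the outbound packet reaches the FortiGate on vlan1 while the reply to the client goes out on vlan30; with the gateway moved to the FortiGate's vlan30 address both directions use vlan30, which is the change the post recommends.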
Thank you toshiesumi. If I do so, would IP routing on the core switch still work? Or do I need to add inter-VLAN policies on the FortiGate?
If you move the SVIs to the FortiGate then the core will not be doing any routing anymore.
Hi Kulas,
This configuration should work. I'm using a similar config, but not with a Cisco switch; with a pfSense router instead.
Caveats: FortiGate doesn't support multiple DHCP scopes on one interface from the GUI. You enable the first DHCP scope on the FortiGate PHYSICAL interface, e.g. 192.168.1.1, then the rest of the DHCP scopes are configured from the CLI.
Cisco switch must have a DHCP helper enabled on each SVI pointing to your FortiGate interface, e.g. 192.168.1.254.
Switch(config)# interface vlan 10
Switch(config-if)# ip address 192.168.10.1 255.255.255.0
Switch(config-if)# ip helper-address 192.168.1.254
Switch(config-if)# exit
Yes, you need to add static routing to the FortiGate so it will know how to reach the VLANs: via 192.168.1.1.
I really like this setup as I have to configure only one DHCP server and I have 2 locations with a single internet breakout.
Please paste Fortigate interface config here or see my example:
Open the CLI on the FortiGate and type:
config system dhcp server
show
Then you will see the list of DHCP servers configured; see which number has the one on the trunk interface.
e.g. if it's on port 2, you will have something like:
(server) # show
config system dhcp server
    edit 1
        set dns-service default
        set default-gateway 192.168.1.254
        set netmask 255.255.255.0
        set interface "port2"
        config ip-range
            edit 1
                set start-ip 192.168.1.2
                set end-ip 192.168.1.250
            next
        end
        set timezone-option default
    next
    edit 2
        set dns-service default
        set default-gateway 10.0.10.1
        set netmask 255.255.255.0
        set interface "port2"
        config ip-range
            edit 1
                set start-ip 10.0.10.10
                set end-ip 10.0.10.100
            next
        end
    next
end
Regards,
Adi
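Since the extra scopes in this design are only reachable from the CLI, it is easy to mistype a gateway or a range. The following is an added Python example, not Adi's configuration and not a Fortinet tool: it parses `config system dhcp server` show output in the shape posted above and checks each scope for the things that bite in this relay setup: a gateway that is not a FortiGate address (so the scope is served via DHCP relay and needs the static route mentioned above), lease ranges outside the scope's subnet, the gateway sitting inside the lease range, and overlapping ranges on the same interface. The sample config is constructed here: scopes 1 and 2 follow the post, scope 3 is added with a deliberate end-ip outside its subnet, and the FortiGate address set (192.168.1.254 on port2) is an assumption.

```python
import ipaddress
import shlex

# Addresses the FortiGate itself owns (assumption: port2 is 192.168.1.254, as in the post).
FGT_ADDRESSES = {ipaddress.ip_address("192.168.1.254")}

# Constructed sample in the shape of "config system dhcp server / show": scopes 1 and 2
# follow the post above; scope 3 is added here with a deliberate end-ip outside its subnet.
SAMPLE_CONFIG = """\
config system dhcp server
    edit 1
        set default-gateway 192.168.1.254
        set netmask 255.255.255.0
        set interface "port2"
        config ip-range
            edit 1
                set start-ip 192.168.1.2
                set end-ip 192.168.1.250
            next
        end
    next
    edit 2
        set default-gateway 10.0.10.1
        set netmask 255.255.255.0
        set interface "port2"
        config ip-range
            edit 1
                set start-ip 10.0.10.10
                set end-ip 10.0.10.100
            next
        end
    next
    edit 3
        set default-gateway 10.0.20.1
        set netmask 255.255.255.0
        set interface "port2"
        config ip-range
            edit 1
                set start-ip 10.0.20.10
                set end-ip 10.0.21.100
            next
        end
    next
end
"""


def parse_dhcp_servers(text):
    """Parse FortiOS config/edit/set/next/end nesting into a list of scope dicts."""
    servers, stack = [], []          # stack: the list or dict currently being filled
    for raw in text.splitlines():
        words = shlex.split(raw)     # shlex also strips the quotes around "port2"
        if not words:
            continue
        if words[0] == "config" and words[1:] == ["system", "dhcp", "server"]:
            stack.append(servers)
        elif words[0] == "config" and words[1:] == ["ip-range"]:
            stack[-1]["ip-range"] = []
            stack.append(stack[-1]["ip-range"])
        elif words[0] == "edit":
            entry = {"id": int(words[1])}
            stack[-1].append(entry)
            stack.append(entry)
        elif words[0] == "set":
            stack[-1][words[1]] = " ".join(words[2:])
        elif words[0] in ("next", "end"):
            stack.pop()
    return servers


def check_scopes(servers, fgt_addresses):
    """Return (scope_id, code, detail) findings for each scope's sanity checks."""
    findings, ranges = [], []
    for s in servers:
        gw = ipaddress.ip_address(s["default-gateway"])
        subnet = ipaddress.ip_network(f"{gw}/{s['netmask']}", strict=False)
        if gw not in fgt_addresses:
            # Gateway lives on the L3 switch: the FGT serves this scope via DHCP relay
            # and needs a static route back to the subnet (the post's "via 192.168.1.1").
            findings.append((s["id"], "relay-needs-route",
                             f"gateway {gw} is not a FortiGate address; add a static route for {subnet}"))
        for r in s.get("ip-range", []):
            start, end = ipaddress.ip_address(r["start-ip"]), ipaddress.ip_address(r["end-ip"])
            if start > end:
                findings.append((s["id"], "range-inverted", f"{start} > {end}"))
            elif start not in subnet or end not in subnet:
                findings.append((s["id"], "range-outside-subnet", f"{start}-{end} not within {subnet}"))
            elif start <= gw <= end:
                findings.append((s["id"], "gateway-in-range", f"{gw} would be leased to a client"))
            ranges.append((s["interface"], start, end, s["id"]))
    # Two scopes on the same interface must not hand out overlapping addresses.
    for i, (if_a, sa, ea, id_a) in enumerate(ranges):
        for if_b, sb, eb, id_b in ranges[i + 1:]:
            if if_a == if_b and sa <= eb and sb <= ea:
                findings.append((id_a, "range-overlap", f"overlaps scope {id_b} on {if_a}"))
    return findings


if __name__ == "__main__":
    for scope_id, code, detail in check_scopes(parse_dhcp_servers(SAMPLE_CONFIG), FGT_ADDRESSES):
        print(f"scope {scope_id}: {code}: {detail}")
```

Run against real output, paste the `show` text into SAMPLE_CONFIG (or read it from a file) and put every address the FortiGate holds on the trunk interface into FGT_ADDRESSES; the "relay-needs-route" findings then list exactly the subnets that must have a static route toward the switch.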
Hi Kulas,
Let's assume you connect the HP L3 port1 switch to Fortigate on port1.
On the FortiGate port1 interface: you configure it as LAN, enable DHCP from the GUI and configure the scope as you need: 192.168.1.0/24, FortiGate 192.168.1.254 and DNS.
On L3 switch port1: this one will be an ACCESS port, NO VLANs on this interconnect port.
Search the HP admin manual for how to enable DHCP relay on each VLAN interface; this should point to the FortiGate port1 IP address.
Don't forget to add static routes on the FortiGate to learn the path to the VLANs via the HP L3 switch IP address: 192.168.1.1 on the port1 interface.
Fortinet KB: https://kb.fortinet.com/kb/documentLink.do?externalID=FD33842
Adi
@ Toshi
I also prefer to design small networks as you have mentioned, with all the VLANs connected on the FortiGate, but in larger networks you can have bottlenecks when you send user traffic, wifi traffic, server traffic, iSCSI traffic etc. on a single 1Gb link.
I came up with this solution as I had to connect a remote site using a LoS radio link, and that remote location also had a couple of subnets (corporate LAN, guest wifi, DMZ), and I decided to have easier DHCP and DNS management from one console: a FortiGate 80E.
Kind regards, Adi
Hi Adi,
I am currently using an HP ProCurve as the L3 switch. Just to clarify, I still need to configure VLANs on the FortiGate and I will just configure 2 separate DHCP pools from the CLI using the commands you've provided. Is that right? I will try your configuration in my lab environment and will give you feedback afterwards.
Regards,
Kulas
Copyright 2024 Fortinet, Inc. All Rights Reserved.