Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
qqh452821000
New Contributor

Created on ‎12-19-2018 05:08 PM

FortiGate use sub-vlan how to communicate with PC

Hello everyone

 

I have a question about fortigate use sub-vlan how to communicate with switch

I use EVE-LAB doing some test.

Here is my topo

 

 

and here are my switch G0/4 conf:

switchport trunk encapsulation dot1q switchport trunk native vlan 999 switchport mode trunk

 

PC1 ip address is 192.168.1.1/24

PC2 ip address is 192.168.2.1/24

 

PC1 should have been able to ping 192.168.1.254

PC2 should have been able to ping 192.168.2.254

 

But I use EVE-LAB, it is timeout . 

 

Is it something wrong with my configuration?

 

There is another question, Is it need to configure switchport trunk native vlan 999 on switch?

Does the fortigate vlan 1 have a tag?

 

Any body have any thought?

 

Best Regards,

Tim

Preview file
45 KB
Labels:
7048
0 Kudos
1 Solution
Toshi_Esumi
SuperUser
SuperUser
In response to qqh452821000

Created on ‎12-20-2018 10:38 PM

If they're in FGT's arp table, you should be able to ping PCs from FGT. Have you tried? If this works, only other possibility is "trusthost" config in admin users is prohibiting from pinged. Include 192.168.1.0/24 and 2.0/24.

 

As I wrote first, untagged interface is the "port3" parent interface. You need to configure 1.254 on it without Vlan1 subinterface.

View solution in original post

4543
0 Kudos
7 REPLIES 7
Toshi_Esumi
SuperUser
SuperUser

Created on ‎12-20-2018 08:53 AM

On fortigate "VLAN1" is tagged. On Cisco Vlan1 is default native-vlan for all ports and untagged. You need to configure 192.168.1.254/24 on port3 parent interface.

Is the second vlan 999 as in the switch config or 119 as in the image?

4485
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to Toshi_Esumi

Created on ‎12-20-2018 09:55 AM

Sorry, I misread "native vlan" config. Then it's up to the port config for the PC1 and PC2. Did you configure those access ports vlan 1 and 119 respectively? And verify those VLANs are included on G0/4 with show int trunk.

 

4485
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to Toshi_Esumi

Created on ‎12-20-2018 10:01 AM

Or, the new VLAN subinterfaces are not configured to allow pinging (set allowaccess ping) on the FGT.

4485
0 Kudos
qqh452821000
New Contributor
In response to Toshi_Esumi

Created on ‎12-20-2018 07:39 PM

Thank you for your reply.

I already allowaccess ping on fortigate. 

It had PC1 and PC2 's arp when I  clicked command "get system arp" on fortigate

But the PC just can's ping fortigate's IP.

4485
0 Kudos
qqh452821000
New Contributor
In response to Toshi_Esumi

Created on ‎12-20-2018 08:15 PM

Thank you for you reply.

Do you know fortigate how to untag vlan 1's tag ?

thank you 

4485
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to qqh452821000

Created on ‎12-20-2018 10:38 PM

If they're in FGT's arp table, you should be able to ping PCs from FGT. Have you tried? If this works, only other possibility is "trusthost" config in admin users is prohibiting from pinged. Include 192.168.1.0/24 and 2.0/24.

 

As I wrote first, untagged interface is the "port3" parent interface. You need to configure 1.254 on it without Vlan1 subinterface.

4544
0 Kudos
qqh452821000
New Contributor
In response to Toshi_Esumi

Created on ‎12-20-2018 10:47 PM

Thank you Toshi.

yeah.it is the ""trust host" prohibiting from pinged. I already fixed it.

I know how to configure untagged interface finally , I will try it later

 thank you again...

4485
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.