Can someone tell me if this is correct? I am trying to obtain an IP address from a Fortigate 100D configured as a dhcp server that is connected to a linksys dumb switch that is now in turn connected to a 2960 Cisco switch. I can get an IP on laptop if I plug directly into the dumb switch that is also plugged in the "LAN" port of the Fortigate without issue. As soon as I introduce the 2960, I am unable to obtain an IP from the Fortigate. I have created a temporary IP subnet on port 16 so I can test my trunking and switch config and see why not working. But if I plug both Fortigate and a Laptop into my 2960 I never get an IP from the Fortigate. I have an existing VLAN1 for a Church and an existing VLAN1 for a Christian School and want to allow both Church and school to use the AP's around the campus that connects to their own unique vlan. I have created a vlan 20 and originally assigned it to LAN interface of the Fortigate and like I said, It never worked. I am 99% sure the config is correct because I can ping thru the entire network on the 2 vlans to the IP assigned to the AP in the Gym (See attached drawing)
Here is the Cisco side:
(uplink plugged in here) ! interface FastEthernet0/24 switchport access vlan 20 switchport trunk allowed vlan 20
(Laptop for test plugged into here) ! interface FastEthernet0/13 switchport access vlan 20 switchport mode access end
Here is the Fortigate side:
This interface should be in Vlan 20
next edit "port16" set vdom "root" set type physical set snmp-index 12 next
edit "Vlan_20" set vdom "root" set ip 192.168.20.1 255.255.255.0 set allowaccess ping https ssh fgfm capwap set snmp-index 13 set interface "port16" set vlanid 20 next
Also,
This interface should be in Vlan 1
edit "dmz" set vdom "root" set ip 192.168.2.3 255.255.255.0 set allowaccess ping https ssh fgfm set type physical set snmp-index 4
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Let me give you a quick response rather than a thorough one, because I think you may have a key misconception about VLAN interfaces and FortiGates. If that turns out not to be the case then maybe we can revisit the details of this.
The config you have on your FortiGate for port16 makes that a trunk with whatever is the "native" or access VLAN dumping out on port16 itself, and then VLAN 20 being tagged going in and out of that interface (plus any other VLANs you happen to add to port16). The problem is your unmanaged switch can only operate with untagged frames, so it is not capable of tagging traffic into port16 with the appropriate VLAN tag.
So if you remove the following config altogether and treat port16 as your VLAN 20 interface, I think you'll achieve what you wanted to:
edit "Vlan_20" set vdom "root" set ip 192.168.20.1 255.255.255.0 set allowaccess ping https ssh fgfm capwap set snmp-index 13 set interface "port16" set vlanid 20 next
to add: i you do it the way lobstercreed wrote you have to make sure that the cisco coming behind the dumb switch is takeing care for correct vlan tagging on the port the dumb switch is connected to it. Otherwise you will never reach vlan20 from there or the FGT from out of vlan20...
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1712 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.