- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Internal Interface Configuration / Issues on Stand...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Created on
09-12-2023
04:59 PM
Edited on
02-26-2024
06:58 AM
By
Kate_M
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Internal Interface Configuration / Issues on Standalone Switch
I am trying to use the internal management interface on a standalone FortiSwitch. How would I configure this for a static IP?
The basic scenario is a FortiSwitch connected to a Cisco switch acting as the Core. VLAN 1 is native on the uplinks, VLAN 15 is user, VLAN 20 is phone, and VLAN 10 for the management IP. All of the gateways live on the Core.
As per the documentation, it looks like you need to add a VLAN interface and select the internal interface as the device. This would be done after setting the internal interface's IP.
Not sure what the exact purpose of the VLAN interface is, except maybe to point a its IP as the next hop for a static route off the core. When I try to create one without an ip (0.0.0.0 0.0.0.0) it gives an error. I am also given an error if I try to make the native VLAN of the internal interface the same as the VLAN interface.
I have attempted setting it up just like the physical mgmt interface would be, with an ip and static route (and no vlan interface), but I got nothing.
Unfortunately, the documentation doesn't give an example of these nor explains the reason why to configure certain things.
I'm sure there's a fairly simple answer to this.
I typically use the physical management port, but in this case it is not an option (due to number of drops to core). The only way I could use it would be to connect the management port into one of the ports on the switch.
Thank you.
Solved! Go to Solution.
Labels:
- Labels:
-
FortiSwitch
-
Interface
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I went through this process a couple of month ago. It's slightly different between "dedicated MGMT port" models and "no dedicated MGMT port" models. Only because the default 192.168.1.99/24 is configure on the "mgmt" physical interface for the "MGMT" models.
You can do either way 1) make existing "internal" as VLAN 10, or 2) create a new VLAN 10 mgmt interface on top of internal.
For 1) you need to make the native-vlan for internal to 10 at "config switch interface", while the IP is configured at "config sys interface".
For 2) create a vlan mgmt interface with the IP specifying the interface as "internal" as well as VLAN ID 10 at "config sys interface". But don't forget to set VLAN 10 in allowed-vlan on "internal" at "config switch interface" because all VLAN L3 interfaces are built on top of "internal" interface.
Then you want to set the default route with "set device VLAN10" so the it would be reachable from outside, like Cisco SWs and GW.
Unless you configure these all via console, like I did, you need to keep the orignal 192.168.1.99 to be able to get to. I think that's why the manual was written that way.
Below is my example for FS-108F (non-MGMT model).
config system interface
edit "internal" <--- I didn't touch/change this part to keep the default access
set mode dhcp
set allowaccess ping https ssh
set type physical
set secondary-IP enable
set defaultgw enable
config secondaryip
edit 1
set ip 192.168.1.99 255.255.255.0
set allowaccess ping https ssh
next
end
next
edit "mgmt999"
set ip 10.255.255.4 255.255.255.240
set allowaccess ping https ssh
set vlanid 999
set interface "internal"
next
end
config switch interface
edit "internal"
set allowed-vlans 999
set stp-state disabled
next
end
config router static
edit 1
set device "mgmt999"
set dst 0.0.0.0 0.0.0.0
set gateway 10.255.255.1
next
end
Toshi
2 REPLIES 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I went through this process a couple of month ago. It's slightly different between "dedicated MGMT port" models and "no dedicated MGMT port" models. Only because the default 192.168.1.99/24 is configure on the "mgmt" physical interface for the "MGMT" models.
You can do either way 1) make existing "internal" as VLAN 10, or 2) create a new VLAN 10 mgmt interface on top of internal.
For 1) you need to make the native-vlan for internal to 10 at "config switch interface", while the IP is configured at "config sys interface".
For 2) create a vlan mgmt interface with the IP specifying the interface as "internal" as well as VLAN ID 10 at "config sys interface". But don't forget to set VLAN 10 in allowed-vlan on "internal" at "config switch interface" because all VLAN L3 interfaces are built on top of "internal" interface.
Then you want to set the default route with "set device VLAN10" so the it would be reachable from outside, like Cisco SWs and GW.
Unless you configure these all via console, like I did, you need to keep the orignal 192.168.1.99 to be able to get to. I think that's why the manual was written that way.
Below is my example for FS-108F (non-MGMT model).
config system interface
edit "internal" <--- I didn't touch/change this part to keep the default access
set mode dhcp
set allowaccess ping https ssh
set type physical
set secondary-IP enable
set defaultgw enable
config secondaryip
edit 1
set ip 192.168.1.99 255.255.255.0
set allowaccess ping https ssh
next
end
next
edit "mgmt999"
set ip 10.255.255.4 255.255.255.240
set allowaccess ping https ssh
set vlanid 999
set interface "internal"
next
end
config switch interface
edit "internal"
set allowed-vlans 999
set stp-state disabled
next
end
config router static
edit 1
set device "mgmt999"
set dst 0.0.0.0 0.0.0.0
set gateway 10.255.255.1
next
end
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After I tried what you said and it did not work, I looked at the gateway and realized it was configured with the wrong subnet mask. In fact, every single management IP was configured incorrect *(from before my time) because no one ever went back and checked the subnet mask on the gateway.
Thanks for the response.
Related Posts
- Fortigates with PPPoE WAN suddenly need... 293 Views
- Cisco Trunk port to Fortiswitch 902 Views
- FortiManager Import Configuration Address Object interface... 135 Views
- Migration of NAT/PAT rules from a... 243 Views
- Routing Issue on FortiGate 7.2.8 284 Views
Labels
-
FortiGate
6,528 -
FortiClient
1,303 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
59 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.