Peter_Pokorny
New Contributor

Mgmt interface with inter-vlan access

New to FortiGate firewalls here and have a general grasp on networking, so keep that in mind here haha. Below is sanitized info on the problem.
So we have a new 100F we are testing with, running 6.4.2. We have a fairly simple network with an HP 5412zl2 acting as the core with IP routing enabled, and numerous VLANs as needed. We have a dedicated Management network already that is used for numerous other devices and is confirmed working (VLAN 200). Currently, client devices reside in something like a VLAN 100 and are untagged by default. No trusted hosts are configured at this time.
I set up the FGT first on the mgmt interface on an untagged interface on the core. The core and the FGT can ping each other fine, as long as the core pings from a source of VLAN 200. Machines in VLAN 100 cannot ping the FGT, but can ping a machine that is also untagged in VLAN 200, and vice versa. The machine in VLAN 200 that is untagged can access the FGT just fine and can ping machines in VLAN 100. When I create a static route to VLAN 100 to use the VLAN 200 gateway, then machines in VLAN 100 can access the FGT fine. The issue I have with that, from my understanding, is that this will cause problems when I create a trunk port to the core for general use across all VLANs (100, 101, etc.) because all traffic destined for VLAN 100 will use the Mgmt interface instead of that trunk interface.
Toshi_Esumi
Esteemed Contributor III

As you can find in many docs, FGT's mgmt ports should not carry user traffic. I don't know the default mgmt port config on 100F because I don't have any of those, it might be configured as "dedicated-to management", which would isolate it from the general routing-table. Also hardware acceleration can't happen to traffic on mgmt ports.

What you should do is have one cable coming from the switch's VLAN 100 access port connected to the mgmt port. Then another cable (or cables, in case of a LAG) to connect to the other regular port(s), and put all other VLANs, trunked, there for all user traffic.
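As an added illustration of the layout Toshi describes (not configuration from the original thread), the FortiOS CLI fragments below put the mgmt port on the VLAN 200 management network and carry user VLANs as 802.1Q sub-interfaces on a separate trunk port. The trunk port name port1, the VLAN 100 subnet, and the static route entry number are assumptions; 192.168.200.10 is the address Peter uses as an example later in the thread.

```fortios
# Added example, not from the original thread. Assumed: the trunk is port1 and
# VLAN 100 lives on 192.168.100.0/24.
config system interface
    edit "mgmt"
        set vdom "root"
        set ip 192.168.200.10 255.255.255.0
        set allowaccess ping https ssh
        # Keep the mgmt port out of the user routing table: it only sees VLAN 200.
        set dedicated-to management
    next
    # User VLANs ride the trunk on port1, not the mgmt port.
    edit "vlan100"
        set vdom "root"
        set interface "port1"
        set vlanid 100
        set ip 192.168.100.1 255.255.255.0
        set allowaccess ping
    next
end

# The static route from the original post (assumed to be entry 1) would drag
# VLAN 100 traffic onto the mgmt port once the trunk exists, so remove it.
config router static
    delete 1
end

# Restrict admin logins to the management VLAN (the thread notes none are set yet).
config system admin
    edit "admin"
        set trusthost1 192.168.200.0 255.255.255.0
    next
end
```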

Peter_Pokorny

I checked the dedicated-to management section of the config and see that the status is set to disabled currently.
So for your suggestion, I'm giving the Mgmt interface a VLAN 200 address (say, 192.168.200.10), but plugging that into an untagged VLAN 100 port?

Toshi_Esumi
Esteemed Contributor III

Sorry, opposite. VLAN 200 was your management VLAN, right? Then VLAN 200 access port goes into mgmt port.

jay4jay
New Contributor

I am also new and we got a 100F, but I just can't seem to make VLANs work on this thing.
FortiGate 100F with VLAN setup connected to a TP-Link TL-SG1016DE with 802.1Q VLANs enabled, but no client connected to the switch can pick up any IP address.