Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
3x-t
New Contributor II

Trunk VLAN

I have three VLANs on one physical interface: Management (10), Workstations (20), and Servers (30).

On that physical interface I have a Cisco 3750G-12S as the distribution switch, and behind it the client switches.

On the distribution switch, all ports have the following configuration:

switchport trunk encapsulation dot1q
switchport trunk native vlan 301
switchport trunk allowed vlan 10,20,30
switchport mode trunk

interface Vlan10
description Management
ip address 192.168.1.2 255.255.255.0
no ip redirects
no ip unreachables

interface Vlan20
ip address 192.168.2.2 255.255.255.0
no ip redirects

interface Vlan30
ip address 192.168.3.2 255.255.255.0
From the distribution switch, I can ping any gateway on the FortiGate (policy OK, address OK, etc.).

On the client switch (2960X-48TD-L):

interface GigabitEthernet1/0/49
switchport trunk allowed vlan 10,20,30
switchport trunk native vlan 301
switchport mode trunk

interface Vlan10
description Management
ip address 192.168.1.3 255.255.255.0
no ip redirects
no ip unreachables
no ip route-cache cef

interface Vlan20
no ip address

interface Vlan30
description Servers
no ip address

From this switch, I can't ping anything besides the Management port.

Two questions:

- Is my configuration OK, so that I don't need an IP address for each VLAN (except VLAN 10, Management) on each switch other than the distribution switch? If yes, what did I do wrong so that I can't ping the other VLANs from the client switch?
- If my DHCP server is on VLAN 30, can I just configure dhcp-relay <IP add of the server> on VLAN 20, or do I have to move the server into the same VLAN? I wanted to split the servers from the workstations into different VLANs, but now I'm not sure that was a good idea.

Thank you in advance!

kangpaidjo
New Contributor

[attached image: vlan.jpg]

Configure FortiGate:

ip address LAN 10.10.7.2/255.255.255.252
static routing 192.168.0.0/16 gateway 10.10.7.1

Distribution switch:

interface Vlan10
description Management
ip address 192.168.1.2 255.255.255.0
no ip redirects
no ip unreachables

interface Vlan20
ip address 192.168.2.2 255.255.255.0
no ip redirects

interface Vlan30
ip address 192.168.3.2 255.255.255.0

interface Vlan40
description TO_FORTINET
ip address 10.10.7.1 255.255.255.252

interface Vlan100
description TRUNK
ip address 192.168.99.254 255.255.255.0

ip route 0.0.0.0 0.0.0.0 10.10.7.2 10

interface GigabitEthernet1/0/24
description TO_SWITCH_CLIENT
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport mode trunk

interface GigabitEthernet1/0/1
description TO_FORTIGATE
switchport trunk encapsulation dot1q
switchport trunk native vlan 40
switchport mode trunk

Then copy vlan.dat to the client switch and, after the copy, restart that switch.

Client switch:

interface GigabitEthernet1/0/24
description TO_SWITCH_DISTRIBUTION
switchport trunk native vlan 100
switchport mode trunk

interface GigabitEthernet1/0/1
switchport access vlan 10
switchport mode access

interface GigabitEthernet1/0/2
switchport access vlan 20
switchport mode access

interface Vlan100
description TRUNK
ip address 192.168.99.253 255.255.255.0

CMIIW

3x-t
New Contributor II

Actually, this was a very simple problem and had nothing to do with the network. After I installed Windows Server and configured DHCP there, I forgot to activate the scope, so my scope was sitting there as "Inactive"...
This took me one whole day to "repair".

Thank you!

GRacine
New Contributor

I'm new to the Fortinet FortiGate product. Could you please let me see the configuration you have on the FortiGate? I can't set up the FortiGate side; I'm having problems with the way the FortiGate deals with trunks and VLANs.
Thanks for any help!
DPadula
Staff

Have you setup the default gateway on the client switch?

GRacine
New Contributor

My setup is relatively simple. I only have one Cisco 2950 switch connected to the FortiGate, and it has a trunk link.

At this moment I do not have access to the switch; I will probably go on site tomorrow to configure the VLAN access that I would like to pass through VLAN 903.

I could not configure the native VLAN on internal4 of the FortiGate, and I was not able to "set trunk enable".

Thanks

DPadula

Hi GRacine,
FortiGate is not like Cisco. Once you add a VLAN under a physical interface, the physical interface becomes a trunk; you don't need to type anything like "set trunk enable".

Here is a link that explain that: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-create-a-VLAN-tagged-interface-802-...

Regards

DPadula
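As an added example (not configuration posted by anyone in this thread, and not the contents of the linked Fortinet article), this is what the FortiGate side of the original topology looks like in FortiOS CLI. It covers the two points raised above: the physical port becomes an 802.1Q trunk simply by having VLAN sub-interfaces under it, with no "trunk enable" command, and the workstation VLAN can relay DHCP to the server sitting in VLAN 30 without moving the server. The VLAN IDs and the 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24 subnets are the ones from the original post; the physical port name port1, the .1 gateway addresses, the DHCP server address 192.168.3.10, and the interface and policy names are assumptions made for this example.

```fortios
# Added example, not the thread's or Fortinet's configuration.
# Assumptions: the trunk lands on "port1"; the FortiGate is the .1
# gateway in each VLAN; the DHCP server is 192.168.3.10 in VLAN 30.
# port1 itself gets no address and no policies: untagged frames (the
# switches' native VLAN 301) terminate on port1 and are simply dropped.

config system interface
    # Creating a sub-interface with "set interface port1" and a
    # "set vlanid" is what makes port1 carry 802.1Q tags.
    edit "vlan10-mgmt"
        set vdom "root"
        set interface "port1"
        set vlanid 10
        set ip 192.168.1.1 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "vlan20-workstations"
        set vdom "root"
        set interface "port1"
        set vlanid 20
        set ip 192.168.2.1 255.255.255.0
        set allowaccess ping
        # Answer to question 2: relay DHCP from VLAN 20 to the server
        # in VLAN 30 instead of moving the server.
        set dhcp-relay-service enable
        set dhcp-relay-ip "192.168.3.10"
    next
    edit "vlan30-servers"
        set vdom "root"
        set interface "port1"
        set vlanid 30
        set ip 192.168.3.1 255.255.255.0
        set allowaccess ping
    next
end

# Inter-VLAN traffic only flows where a policy allows it; everything
# else (including workstations -> management) hits the implicit deny.
config firewall policy
    edit 0
        set name "workstations-to-servers"
        set srcintf "vlan20-workstations"
        set dstintf "vlan30-servers"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS" "HTTPS" "SMB"
        set logtraffic all
    next
end
```

Two practical checks once this is in place: "get system interface physical" should list port1 with no address, and "diagnose sniffer packet port1 'vlan'" should show tagged frames arriving with the VLAN IDs the switch was configured to allow. The relayed DHCP exchange is generated by the FortiGate itself, so it needs no firewall policy; the workstations-to-servers policy above is what governs the clients' later traffic to the server VLAN, and keeping the management VLAN out of any policy is what preserves the separation the original poster was after.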
