I have three VLANs on one physical interface... Management (10), Workstations (20), and Servers (30).
On that physical interface, I have a Cisco 3750G-12S as the distribution switch, and after that the client switches.
On the distribution switch, I have the following configuration on all ports:
switchport trunk encapsulation dot1q
switchport trunk native vlan 301
switchport trunk allowed vlan 10,20,30
switchport mode trunk
interface Vlan10
description Management
ip address 192.168.1.2 255.255.255.0
no ip redirects
no ip unreachables
interface Vlan20
ip address 192.168.2.2 255.255.255.0
no ip redirects
interface Vlan30
ip address 192.168.3.2 255.255.255.0
From the distribution switch, I can ping any gateway on the FortiGate (policy ok, address ok, etc.).
On the client switch 2960X-48TD-L:
interface GigabitEthernet1/0/49
switchport trunk allowed vlan 10,20,30
switchport trunk native vlan 301
switchport mode trunk
interface Vlan10
description Management
ip address 192.168.1.3 255.255.255.0
no ip redirects
no ip unreachables
no ip route-cache cef
interface Vlan20
no ip address
interface Vlan30
description Servers
no ip address
From this switch, I can't ping anything besides the Management port.
Two questions:
- Is my configuration ok so that I don't need an IP address for each VLAN (except VLAN 10 - Management) on each switch except on the distribution switch?
  - If yes, what did I do wrong so that I can't ping other VLANs from the client switch?
- If my DHCP server is on the VLAN 30, can I just make dhcp-relay <IP add of the server> on the VLAN 20, or do I have to move the Server under the same VLAN? I wanted to split Servers from workstations in different VLANs but now I'm not sure if that was a good idea.
Thank you in advance!
Configure Fortigate
ip address LAN 10.10.7.2/255.255.255.252
static routing 192.168.0.0/16 gateway 10.10.7.1
Distribution Switch
interface Vlan10
description Management
ip address 192.168.1.2 255.255.255.0
no ip redirects
no ip unreachables
interface Vlan20
ip address 192.168.2.2 255.255.255.0
no ip redirects
interface Vlan30
ip address 192.168.3.2 255.255.255.0
Interface vlan40
description TO_FORTINET
ip address 10.10.7.1 255.255.255.252
interface vlan100
description TRUNK
ip address 192.168.99.254 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.10.7.2 10
interface gi1/0/24
description TO_SWITCH_CLIENT
switchport trunk native vlan 100
switchport mode trunk
interface Gi1/0/1
desc TO_FORTIGATE
switchport trunk native vlan 40
switchport mode trunk
Then copy vlan.dat to the client switch; after copying it to the client, restart your switch.
switch Client
interface gi1/0/24
desc TO_SWITCH_DISTRIBUTION
switchport trunk native vlan 100
switchport mode trunk
interface Gi1/0/1
switchport access vlan 10
switchport mode access
interface Gi1/0/2
switchport access vlan 20
switchport mode access
interface vlan100
desc TRUNK
ip address 192.168.99.253 255.255.255.0
CMIIW
Actually, this was a very simple problem and had nothing to do with the network. After I installed Windows Server and configured DHCP there, I forgot to activate that scope, so there was my scope with "Inactive"...
This took me one whole day to "repair".
Thank you!
Have you set up the default gateway on the client switch?
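The default-gateway question above can be checked mechanically. The following is an added example, not part of the original thread: a small Python audit run over a trimmed copy of the client-switch configuration from the question. The function names are hypothetical, and it assumes a Layer 2 switch (IP routing disabled) and plain allowed-VLAN lists.

```python
import re

# Constructed sample: trimmed 2960X client-switch config from the question.
CLIENT_CFG = """\
interface GigabitEthernet1/0/49
 switchport trunk allowed vlan 10,20,30
 switchport trunk native vlan 301
 switchport mode trunk
interface Vlan10
 ip address 192.168.1.3 255.255.255.0
interface Vlan20
 no ip address
"""

def parse(cfg):
    """Split IOS config text into {interface: [sub-commands]} and global lines."""
    ifaces, global_cmds, current = {}, [], None
    for line in (l for l in cfg.splitlines() if l.strip() not in ("", "!")):
        if line.lower().startswith("interface "):
            current = ifaces.setdefault(line.split(None, 1)[1], [])
        elif line[0].isspace() and current is not None:
            current.append(line.strip())
        else:
            current = None
            global_cmds.append(line.strip())
    return ifaces, global_cmds

def expand(vlans):
    """Expand an allowed-VLAN list such as '10,20-22' into a set of ints."""
    return {v for lo, _, hi in (p.partition("-") for p in vlans.split(","))
            for v in range(int(lo), int(hi or lo) + 1)}

def audit_l2_switch(cfg):
    """List reasons the switch's own SVI cannot reach hosts in other VLANs."""
    ifaces, global_cmds = parse(cfg)
    findings = []
    # SVIs that actually carry an address ("no ip address" does not count).
    svis = [int(m.group(1)) for name, cmds in ifaces.items()
            if (m := re.fullmatch(r"vlan\s*(\d+)", name, re.I))
            and any(re.match(r"ip address \d", c) for c in cmds)]
    if svis and not any(c.startswith("ip default-gateway ") for c in global_cmds):
        findings.append("no 'ip default-gateway' set")
    for name, cmds in ifaces.items():
        for c in cmds:
            m = re.fullmatch(r"switchport trunk allowed vlan ([\d,-]+)", c)
            missing = sorted(set(svis) - expand(m.group(1))) if m else []
            if missing:
                findings.append(f"{name}: SVI VLAN(s) {missing} not allowed on trunk")
    return findings
```

On the posted configuration the only finding is the missing default gateway: the trunk already carries VLAN 10, and the address-less VLAN 20 and 30 interfaces are not a problem on a Layer 2 switch.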
My setup is relatively simple. I only have one Cisco 2950 switch connected to the Fortigate, and it has a trunk link.
At this moment, I do not have access to the switch, I will probably go on site tomorrow to configure the VLAN access that I would like to make pass thru a VLAN 903.
I could not configure the native VLAN on the internal4 of the Fortigate and was not able to "set trunk enable".
Thanks
Hi GRacine,
Fortigate is not similar to Cisco. Once you add a VLAN under a physical interface, the physical interface becomes a trunk; you don't need to type anything like "set trunk enable".
Here is a link that explains that: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-create-a-VLAN-tagged-interface-802-...
Regards
DPadula
Copyright 2024 Fortinet, Inc. All Rights Reserved.