Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Gushim
New Contributor

VLAN Problem

Dear all  friends,

 

I have topology like this (on attach)

 

 

Fortinet:

I already create subinterface on port 1 (this is connect to port 1 switch), create vlan 10,20,30 and assign ip address per vlan

VLAN 10: 192.168.10.1/24

VLAN 20: 192.168.20.1/24

VLAN 30 : 192.168.30.1/24

VLAN 10 & 20 : DHCP

SWitch

I already create trunk on port 1 to port 1 fortinet with native vlan 20

already create trunk on port 2 to access point with native vlan 20

already create access mode on port connect to pc with vlan id 10 and 30

already assign ip vlan 20 192.168.20.2/24

 

The problem:

[ul]
  • From switch cannot ping to ip 192.168.20.1 (fortiner ip vlan 20)
  • wifi cannot connect to cloud manage (on access point already create vlan 20)
  • User with wifi access cannot get ip from each vlan dhcp[/ul]

     

    Previously i use cisco router for trunk assign use encapsulation .1q but on fortinet, i dont know how to assign that.

     

    Any idea for this solution? appreciate for answer.

     

    Thanks

     

  • 3 REPLIES 3
    sw2090
    SuperUser
    SuperUser

    Basically the Fortigate only handles tagged vlan traffic. This means you have to make sure that traffic that reaches the FGT on Port1 is tagged with the correct vlan tag. FGT has to have policies for the vlan traffic then of course.

    Vlan tagging can either be done on the cisco, the Wifi AP or on the client (wich at least on windows is rather difficult and on embedded devices mostly not possible at all [Execpt from Wifi APs  or Routers/Switches])

     

    To check what happens to the traffic on the Fortigate I'd suggest using the flow trace debug on FGT Commandline:

     

     diag debug enable

     diag debug flow filter clear

     diag debug flow filter <fliter> (run diag debug flow filter ? to see the list of avialable filters or use it without param to see the current setting)

     diag debug flow trace start <numberofpackets>

     

    this will show you what the FGT does with the traffic.

     

    hth

    Sebastian

    -- 

    "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

    -- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
    Toshi_Esumi
    SuperUser
    SuperUser

    I would suggest not to make VLAN20 as native vlan on the catalyst. For those access-point or other device ports that you want to or need to connect to VLAN20 with untagged interface, you should use access port. Then you can pass tagged VLAN20 over the trunk port 1 to the FGT. Since Catalyst's native vlan is system-wide and can't be changed per port, you might run into different problems or limit your ability to do more complicated setup.

    If you are sure you wouldn't need to change change native VLAN20 in foreseeable future, you can move the interface config from VLAN20 to the port1 (remove then reconfigure) so that the FGT can talk to Catalyst native-vlan 20 without tags.

     

    Gushim
    New Contributor

    Dear all,

    Thank you for the reply, all answer very apprecaite, now  everything working as i need, i configure ip address on port 1 and subinterface like the schema, and i configure port 1 connect to port 1 fortinet with native vlan so all device (switch, wifi) get ip address from port 1 and other port with vlan 20 got ip from subinterface.

     

    Thanks

    Announcements

    Select Forum Responses to become Knowledge Articles!

    Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

    Labels
    Top Kudoed Authors