I am new to Fortinet but I have a strong Cisco background. We are looking at replacing our Cisco 891W with a FortiGate 60D. I am working in a lab trying to get the device configured. In Cisco I can set the DHCP on the VLAN and all devices being tagged for that VLAN can get their IP from the VLAN DHCP; this does not seem to work on the 60D. I have attached a screenshot of the interfaces. When the DHCP is configured on the interface I can get an IP on a connected PC but the VLAN tag is not added to the packets. When I configure the DHCP on the VLAN the PC cannot get an IP. I can see the DHCP request from the PC, using Wireshark, and the 60D shows the DHCP request on it, but the DHCP packet is not tagged with the VLAN and there is no IP returned. Looking at the picture of the interfaces I have attached, it shows that the Voice VLAN is a subinterface to the internal2 interface. Should the DHCP packet get the VLAN tag added to it since the PC is connected to the internal2 port?
I am assuming that the 60D works like Cisco in that it tags all the traffic on internal2 port with the voice VLAN. Have I missed something?
Thank You,
David
Wifi clients pull an IP (broadcast DHCP request) via SSID on vlan 100 or 200, while your DHCP is configured on the softswitch interface, which is non-tagged. You have to have a DHCP server configured on each of the vlan 100 and 200 subinterfaces to provide IPs to the clients.
AP's management IPs are separated from SSIDs. That's why your APs currently get an IP from the DHCP you configured on the non-tagged interface, as well as the controller. You want to keep it as is, while each SSID needs to be on a different subnet/DHCP server because they're on different vlan interfaces.
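The configuration the reply above describes, as an added example that is not from this thread or from Fortinet: one DHCP server bound to the non-tagged softswitch for AP and controller management, and a separate DHCP server bound to a VLAN 100 subinterface for the SSID clients. Interface names, VLAN ID and addresses are assumed; the caveat from the original question applies, because an untagged frame arriving on a physical port is handled by the parent interface and only frames already carrying the 802.1Q tag reach the subinterface and its DHCP server.

```text
# Non-tagged softswitch: APs and the controller live here (assumed name and subnet)
config system interface
    edit "lan-switch"
        set vdom "root"
        set type switch
        set ip 192.168.1.1 255.255.255.0
        set allowaccess ping https ssh
    next
    # Tagged subinterface for SSID clients (assumed VLAN 100 on the softswitch)
    edit "wifi-vlan100"
        set vdom "root"
        set interface "lan-switch"
        set vlanid 100
        set ip 10.100.0.1 255.255.255.0
        set allowaccess ping
    next
end

config system dhcp server
    # Management pool on the non-tagged interface; controller keeps its static address outside the pool
    edit 1
        set interface "lan-switch"
        set default-gateway 192.168.1.1
        set netmask 255.255.255.0
        set dns-service default
        config ip-range
            edit 1
                set start-ip 192.168.1.100
                set end-ip 192.168.1.199
            next
        end
    next
    # Client pool bound to the VLAN subinterface; only VLAN-100-tagged requests reach it
    edit 2
        set interface "wifi-vlan100"
        set default-gateway 10.100.0.1
        set netmask 255.255.255.0
        set dns-service default
        config ip-range
            edit 1
                set start-ip 10.100.0.100
                set end-ip 10.100.0.199
            next
        end
    next
end
```

A second SSID on VLAN 200 is the same pattern with another subinterface and a third DHCP server entry; a host plugged into the physical port without a tagging switch or NIC will only ever hit server 1.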
Hi,
Thank you for your answer, I figured it has to work that way - having DHCP servers inside VLANs.
But there is a catch,
My APs need to, IDEALLY, be in the same subnet with the wifi controller (I'm using Ruckus ZoneDirector with Ruckus R310 APs - otherwise I would have to port_forward between subnets) in order to have functional management communication at AP-Controller level.
As posted before the wifi controller is also part of the defined soft-switch with a statically allocated IP address inside the subnet set on the interface and outside the DHCP pool I'm using.
Since my APs would be on different subnets, while having DHCP servers on each individual VLAN, how can I assure APs will still be communicating with the WiFi controller?
APs and WiFi controller use default VLAN_ID=1 (that can be changed).
Possible solutions:
1. Having another VLAN interface with another DHCP server only for APs' management and trunking that interface to all switches where APs are connected means all APs will be in the same subnet with the controller (being able to pull IP addresses from the newly created VLAN interface DHCP server) and will be using the defined VLAN_ID for management.
2. Extracting the WiFi controller from the existing soft-switch and moving it to an individual interface. The interface will also have DHCP enabled. Create individual zones between each existing VLAN interface and the newly created interface (where the WiFi controller resides) and uncheck 'Block intra-zone traffic'. This means that no additional policies have to be created? In this case APs will be in one subnet and the WiFi controller will be in another subnet; does creating Zones route traffic between the two?
If you see any other solution please suggest
Thank you for your advice and reply,
Dragos
Hello,
Everything works now.
Thank you
Well, I'm a bit new to the FortiGate and VLAN part. I have a FortiWifi FW-90D-POE in a residential area. It currently works perfectly.
To improve the performance of my network I am placing a Linux Server that has several services separated by Docker, and they recommended that I restructure my network using VLAN since I separate my network by interface.
I don't use a managed switch anywhere on my network, so I understand I have the same problem as ddemland. When I put DHCP on the VLAN it does not assign me an IP, and when I put DHCP on the interface it does not tag the packets for the VLAN.
I hope you can help me. And I am sorry if it is not understood well I unfortunately do not speak English so it is translated with the google translator.
If you have any suggestions regarding my project, it is totally welcome. Thank you.
As the image shows, what I try to do is assign a VLAN to interface 8, but just like this, it doesn't assign me an IP.