Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- RE: VLAN to VLAN?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
VLAN to VLAN?
Good afternoon. I have stated before that I do not proclaim to be a firewall expert. I have a Fortigate 110C that I am trying to give all users on a different VLAN have access to ONE address on another VLAN.
I have searched through my documentation and have not found answers on how to do this. I have created 2 polices that allow for all addresses on one VLAN to have access to the one address on the other VLAN and vise-verse.
What am I missing in this procedure? Any thoughts or recommendations?
Thanks in advance Peeps.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Each vlan interface looks like another layer3 interface. So what is your problem and have you validate the policies are correct?
If you assigned a unique l3 subnet on each vlan interface, enable 802.1q on the switchport and have the users in the appropiate vlans, they they should beable to communicate.
diag debug flow is your friend, but I would 1st check layer2 and ensure clients in vlan xyz , can at least ping gateway ip_address of the fgt in vlan xyz and same for clients in vlan abc , can ping their respective gateway of the FGT in vlan abc.
note: rule out the lower layers before moving on.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
emnoc, Thanks for the reply. Sadly, I have to say that at the moment, I do not know the difference between level3 interface vs. a level2 or 1? Either way, I am trying to find whre the 802.1q enabling feature is. Is this done through the Network menu? I am going to investigate what you have written better tonight when I can look some definitions up and what not...so thank you for your reply.
I am not 100% I have the policies correct, but I am 80% sure. I say this, because I am not experienced enough to be confident in what I am doing.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
L3 = layer3 ( ip routing )
L2 = layer2
802.1q is a layer2 protocol and once you build the vlan' d subinterfaces you assigned layer3 information to them. The switchport that your on, need 802.1q enable and the appropiate vlans created
Here' s a FGT with a few layer3 subinterfaces built for port2
edit " PV_NET01"
set vdom " root"
set ip 10.200.210.1 255.255.254.0
set allowaccess ping https ssh
set description " misc network #1"
config ipv6
set ip6-address 2001:xx:xxa:4::1/64
set ip6-allowaccess ping https ssh
end
set interface " port2"
set vlanid 50
next
edit " PV_NET02"
set vdom " root"
set ip 10.200.211.1 255.255.254.0
set allowaccess ping https ssh
set description " misc network #2"
config ipv6
set ip6-address 2001:xx:xxa:5::1/64
set ip6-allowaccess ping https ssh
end
set interface " port2"
set vlanid 51
next
The Port 2 is set up for trunking on the switch side of things;
eg ( using the nexus we are plugged on )
interface Ethernet1/30
description mia-dc firewall fgt#1 port2
switchport mode trunk
switchport trunk native vlan 999
switchport trunk allowed vlan 50,51
logging event port link-status
udld aggressive
Once you build the 802.1q subinterfaces on the FGT and then allowed vlan 802.1q on the physical switchpoprts. You apply L3 fwpolicy just like any other interface.
btw: I like to use names on my subinterfaces or make references to the vlan;
e.g I could have written it like;
re' s a FGT with a few layer3 subinterfaces built for port2
edit " vlan50"
set vdom " root"
set ip 10.200.210.1 255.255.254.0
set allowaccess ping https ssh
set description " misc network #1"
config ipv6
set ip6-address 2001:xx:xxa:4::1/64
set ip6-allowaccess ping https ssh
end
set interface " port2"
set vlanid 50
next
edit " vlan51"
set vdom " root"
set ip 10.200.211.1 255.255.254.0
set allowaccess ping https ssh
set description " misc network #2"
config ipv6
set ip6-address 2001:xx:xxa:5::1/64
set ip6-allowaccess ping https ssh
end
set interface " port2"
set vlanid 51
next
etc.....
I hope that make better sense and clears up the picture.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
emnoc,
I am just now getting back to trying to resolve this problem. The nature of my business has not allowed for me to focus on this at the moment..
So now, I am back. As I read through the CLI config, I realized that you are possibly using the unit in switch mode.
I am currently using the unit in interface mode.
Am I just misunderstanding?
Thanks,
J
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dear all,
i have issue with VLAN,
i have blade switch connected to cisco catalyst switch 2970,and this switch(2970)connected to fortigate 310-b with 2 ports, with blade switch i setup port connected to Cisco switch as trunk,what should i do in cisco switch and in FG that connected to cisco switch with 2 ports..?
Regards
Osaid suliebi
Network Administrator
Palestine Exchange
Osaid suliebi Network Administrator Palestine Exchange
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
looks like you are in interface mode..
Where are your VLANs connected? (Which Port? Where do the Users/VLANs reside - on a other switch?
Which VLANs should communicate?
" Normally" :
Userports are on a seperate VLAN aware switch (Cisco, Alcatel, HP, you name it).
- You connect one Uplink from the switch to the fortigate and tag (802.1q) all Vlans you want to have run through the fortigate-
- create VLAN Subinterface on the port of the Fortigate, that connects the above tagged port (for each Network->Interface->Create New on the corresponding HW Interface. VLAN ID is the VLAN Number)
- Have each VLAN Interface with an IP Adress from the VLAN (ideally make it the default Gateway for the subnet, otherwise have routes for the other subnets on each Client)
- Create Policys
VLAN1 Source IP: IP Network of VLAN1 -> VLAN 10 (Special IP)
VLAN2 Source IP: IP Network of VLAN2 -> VLAN 10 (Special IP)
VLAN3 Source IP: IP Network of VLAN3 -> VLAN 10 (Special IP)
...
You do only need the way Back (VLAN 10 -> VLAN 1-X) when you have connections build up from the Special IP.
You could probably use the any interface (Any -> Special IP), but i dislike that.
hth
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,746 -
FortiClient
1,775 -
5.2
801 -
FortiManager
736 -
5.4
639 -
FortiAnalyzer
563 -
FortiSwitch
476 -
FortiAP
474 -
FortiClient EMS
436 -
6.0
416 -
5.6
362 -
FortiMail
321 -
6.2
251 -
SSL-VPN
249 -
FortiAuthenticator v5.5
234 -
IPsec
212 -
FortiWeb
206 -
5.0
196 -
FortiNAC
191 -
FortiGuard
139 -
6.4
128 -
SD-WAN
117 -
FortiAuthenticator
106 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
98 -
FortiToken
92 -
Firewall policy
84 -
Customer Service
80 -
Wireless Controller
80 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
Fortivoice
54 -
FortiADC
54 -
vlan
53 -
FortiEDR
52 -
ZTNA
49 -
Routing
47 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
44 -
FortiDNS
42 -
LDAP
42 -
BGP
40 -
Authentication
39 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
Certificate
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
SSO
33 -
Interface
31 -
FortiConnect
30 -
VDOM
30 -
FortiLink
29 -
FortiWAN
27 -
Application control
27 -
Web profile
27 -
FortiConverter
25 -
Logging
25 -
Virtual IP
25 -
FortiGate v5.2
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiGate-VM
18 -
FortiMonitor
18 -
Traffic shaping
17 -
SSID
16 -
Automation
16 -
WAN optimization
16 -
FortiDDoS
15 -
FortiSoar
15 -
OSPF
15 -
System settings
15 -
FortiGate v5.0
14 -
Static route
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
Admin
13 -
FortiCASB
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
Proxy policy
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
IPS signature
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Web rating
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
API
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1733 | |
| 1106 | |
| 752 | |
| 447 | |
| 240 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.