Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
thegreatwhay
New Contributor

VLAN to VLAN?

Good afternoon. I have stated before that I do not proclaim to be a firewall expert. I have a FortiGate 110C and I am trying to give all users on one VLAN access to ONE address on another VLAN. I have searched through my documentation and have not found answers on how to do this. I have created 2 policies that allow all addresses on one VLAN to have access to the one address on the other VLAN, and vice versa. What am I missing in this procedure? Any thoughts or recommendations? Thanks in advance, peeps.
6 REPLIES
emnoc
Esteemed Contributor III

Each VLAN interface looks like another layer 3 interface. So what is your problem, and have you validated that the policies are correct? If you assigned a unique L3 subnet on each VLAN interface, enabled 802.1q on the switchport and have the users in the appropriate VLANs, then they should be able to communicate. diag debug flow is your friend, but I would first check layer 2 and ensure clients in VLAN xyz can at least ping the gateway IP address of the FGT in VLAN xyz, and likewise that clients in VLAN abc can ping their respective gateway on the FGT in VLAN abc. Note: rule out the lower layers before moving on.

PCNSE NSE StrongSwan
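As an added illustration of the order of checks emnoc describes (this is not part of the original reply), the FortiOS CLI session below works up the layers: first ping from the FGT to a client in each VLAN, then trace the policy decision for client-to-host packets with diag debug flow, then sniff on `any` to see which interfaces the packets actually enter and leave on. The interface names (vlan20 for users, vlan10 for the server VLAN), the client 192.168.20.100 and the target host 192.168.10.50 are assumed for the example. `show console enable` is the FortiOS 4.x/5.x syntax; newer releases drop it and use `diagnose debug flow show function-name enable` instead.

```fortios
# Added example, not from the original post. Assumed layout:
#   vlan20 = 192.168.20.1/24 (users), vlan10 = 192.168.10.1/24 (server VLAN)
#   client 192.168.20.100 should reach only the host 192.168.10.50

# 1. Layer 2/3: can the FGT reach a client in each VLAN via its own subinterface?
#    (equivalently, from the client: ping its gateway 192.168.20.1)
execute ping 192.168.20.100
execute ping 192.168.10.50

# 2. Policy lookup: trace what the kernel does with client -> host packets
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter saddr 192.168.20.100
diagnose debug flow filter daddr 192.168.10.50
diagnose debug flow show console enable
diagnose debug flow trace start 50
diagnose debug enable
# ... now open a connection from 192.168.20.100 to 192.168.10.50 ...
# A working path prints "Allowed by Policy-<id>"; a missing or mis-scoped policy
# prints "Denied by forward policy check" and nothing is forwarded to vlan10.
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear

# 3. Data plane: on which interfaces do the packets arrive and leave?
#    Verbosity 4 prints the interface name per packet; if the request shows up
#    on vlan20 but never leaves on vlan10, the problem is policy or routing on
#    the FGT; if it never shows up at all, the VLAN is not tagged on the trunk.
diagnose sniffer packet any 'host 192.168.20.100 and host 192.168.10.50' 4 10
```

Run step 2 only for the duration of the test: debug flow output is per packet and can flood the console on a busy unit, which is why the filter narrows it to one source and one destination and the trace is capped at 50 packets.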
thegreatwhay
New Contributor

emnoc, thanks for the reply. Sadly, I have to say that at the moment I do not know the difference between a level 3 interface vs. a level 2 or 1. Either way, I am trying to find where the 802.1q enabling feature is. Is this done through the Network menu? I am going to investigate what you have written better tonight when I can look some definitions up and whatnot... so thank you for your reply. I am not 100% sure I have the policies correct, but I am 80% sure. I say this because I am not experienced enough to be confident in what I am doing.
emnoc
Esteemed Contributor III

L3 = layer 3 (IP routing), L2 = layer 2. 802.1q is a layer 2 protocol, and once you build the VLAN'd subinterfaces you assign layer 3 information to them. The switchport that you're on needs 802.1q enabled and the appropriate VLANs created. Here's a FGT with a few layer 3 subinterfaces built for port2:

    config system interface
        edit "PV_NET01"
            set vdom "root"
            set ip 10.200.210.1 255.255.255.0
            set allowaccess ping https ssh
            set description "misc network #1"
            config ipv6
                set ip6-address 2001:xx:xxa:4::1/64
                set ip6-allowaccess ping https ssh
            end
            set interface "port2"
            set vlanid 50
        next
        edit "PV_NET02"
            set vdom "root"
            set ip 10.200.211.1 255.255.255.0
            set allowaccess ping https ssh
            set description "misc network #2"
            config ipv6
                set ip6-address 2001:xx:xxa:5::1/64
                set ip6-allowaccess ping https ssh
            end
            set interface "port2"
            set vlanid 51
        next
    end

Port2 is set up for trunking on the switch side of things, e.g. (on the Nexus we are plugged into):

    interface Ethernet1/30
      description mia-dc firewall fgt#1 port2
      switchport mode trunk
      switchport trunk native vlan 999
      switchport trunk allowed vlan 50,51
      logging event port link-status
      udld aggressive

Once you build the 802.1q subinterfaces on the FGT and allow those VLANs (802.1q) on the physical switchports, you apply L3 firewall policy just like any other interface.

btw: I like to use names on my subinterfaces or make references to the VLAN; e.g. I could have written it like this:

    config system interface
        edit "vlan50"
            set vdom "root"
            set ip 10.200.210.1 255.255.255.0
            set allowaccess ping https ssh
            set description "misc network #1"
            config ipv6
                set ip6-address 2001:xx:xxa:4::1/64
                set ip6-allowaccess ping https ssh
            end
            set interface "port2"
            set vlanid 50
        next
        edit "vlan51"
            set vdom "root"
            set ip 10.200.211.1 255.255.255.0
            set allowaccess ping https ssh
            set description "misc network #2"
            config ipv6
                set ip6-address 2001:xx:xxa:5::1/64
                set ip6-allowaccess ping https ssh
            end
            set interface "port2"
            set vlanid 51
        next
    end

etc.....
I hope that make better sense and clears up the picture.

PCNSE NSE StrongSwan
thegreatwhay

emnoc, I am just now getting back to trying to resolve this problem. The nature of my business has not allowed me to focus on this until now. So now, I am back. As I read through the CLI config, I realized that you are possibly using the unit in switch mode. I am currently using the unit in interface mode. Am I just misunderstanding? Thanks, J
osaid
New Contributor

Dear all, I have an issue with VLANs. I have a blade switch connected to a Cisco Catalyst 2970 switch, and this switch (2970) is connected to a FortiGate 310B with 2 ports. On the blade switch I set up the port connected to the Cisco switch as a trunk. What should I do on the Cisco switch, and on the FG that is connected to the Cisco switch with 2 ports? Regards
Osaid suliebi Network Administrator Palestine Exchange
Jan_Scholten
Contributor

Looks like you are in interface mode. Where are your VLANs connected? (Which port? Where do the users/VLANs reside, on another switch? Which VLANs should communicate?)

"Normally":

- User ports are on a separate VLAN-aware switch (Cisco, Alcatel, HP, you name it).
- You connect one uplink from the switch to the FortiGate and tag (802.1q) all VLANs you want to have run through the FortiGate.
- Create a VLAN subinterface on the FortiGate port that connects to the tagged port above (for each one: Network -> Interface -> Create New on the corresponding HW interface; the VLAN ID is the VLAN number).
- Give each VLAN interface an IP address from the VLAN (ideally make it the default gateway for the subnet, otherwise have routes for the other subnets on each client).
- Create policies:
  VLAN1, Source IP: IP network of VLAN1 -> VLAN 10 (Special IP)
  VLAN2, Source IP: IP network of VLAN2 -> VLAN 10 (Special IP)
  VLAN3, Source IP: IP network of VLAN3 -> VLAN 10 (Special IP)
  ...

You only need the way back (VLAN 10 -> VLAN 1-X) when you have connections initiated from the Special IP. You could probably use the any interface (Any -> Special IP), but I dislike that.

hth
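To put Jan_Scholten's steps together as one configuration, here is an added FortiOS CLI example; it is not from the original post or from Fortinet's documentation. Everything in it is assumed for illustration: port2 is the 802.1q trunk to the switch, VLAN 10 (192.168.10.0/24) holds the one host 192.168.10.50 that everybody needs, and VLANs 20 and 30 (192.168.20.0/24 and 192.168.30.0/24) are user VLANs. The syntax is FortiOS 5.x: on 4.x the catch-all service object is named "ANY" rather than "ALL" and logging is `set logtraffic enable`. `edit 0` on a firewall policy takes the next free policy ID.

```fortios
# Added example, not from the original thread. Assumed: port2 is the trunk,
# VLAN 10 = 192.168.10.0/24 (holds the special host 192.168.10.50),
# VLANs 20 and 30 = 192.168.20.0/24 and 192.168.30.0/24 (user VLANs).

# Step 2-3 of the list: one subinterface per tagged VLAN, the FGT address is
# the VLAN's default gateway. Only ping is allowed to the gateway addresses
# from user VLANs; management (https/ssh) stays off them.
config system interface
    edit "vlan10"
        set vdom "root"
        set interface "port2"
        set vlanid 10
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping
        set description "server VLAN, 192.168.10.50 is the one host users need"
    next
    edit "vlan20"
        set vdom "root"
        set interface "port2"
        set vlanid 20
        set ip 192.168.20.1 255.255.255.0
        set allowaccess ping
        set description "user VLAN 20"
    next
    edit "vlan30"
        set vdom "root"
        set interface "port2"
        set vlanid 30
        set ip 192.168.30.1 255.255.255.0
        set allowaccess ping
        set description "user VLAN 30"
    next
end

# Address objects: the user networks, and the single host as a /32.
# associated-interface pins each object to the interface it belongs to,
# so it cannot be reused in a policy on the wrong interface by mistake.
config firewall address
    edit "net_vlan20"
        set subnet 192.168.20.0 255.255.255.0
        set associated-interface "vlan20"
    next
    edit "net_vlan30"
        set subnet 192.168.30.0 255.255.255.0
        set associated-interface "vlan30"
    next
    edit "host_vlan10_special"
        set subnet 192.168.10.50 255.255.255.255
        set associated-interface "vlan10"
    next
end

# Step 4: one policy per user VLAN, scoped to the one destination host.
# Plain routing between VLANs, so NAT stays off.
config firewall policy
    edit 0
        set srcintf "vlan20"
        set dstintf "vlan10"
        set srcaddr "net_vlan20"
        set dstaddr "host_vlan10_special"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
    edit 0
        set srcintf "vlan30"
        set dstintf "vlan10"
        set srcaddr "net_vlan30"
        set dstaddr "host_vlan10_special"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
end
```

The scoping is the point: the destination is a single /32 address object rather than `all`, so users reach exactly one host on VLAN 10 and nothing else there. The FortiGate is stateful, so reply packets of sessions accepted by these policies come back without any vlan10 -> vlan20 policy; add a reverse policy only if 192.168.10.50 itself has to open connections into the user VLANs, and scope it just as tightly. Using the `any` interface as srcintf instead of the named VLAN interfaces would also work, but it matches traffic arriving on every interface of the unit, which is a good reason to avoid it.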