DHCP crossing over VLANs
I have LAN (VLAN1) and VOICE (VLAN2). VLAN1 is assigned to ports 1-14. VLAN2 is assigned to ports 15-16.
VLAN1: 192.168.1.1/24 DHCP Enabled 192.168.1.80 - 192.168.1.254
VLAN2: 192.168.0.1/24 DHCP Enabled 192.168.0.50 - 192.168.0.254
Port 15 is mirrored from Port 16. Nothing connected currently.
Port 16 is connected to its own switch and devices.
Port 1 is connected to its own switch and devices.
They are only linked by the firewall. The switches are not cross connected.
Somehow, PCs on VLAN1 have pulled an IP from VLAN2. I can't get them to drop this IP and it still works, as in they can traverse the network and get to the internet. I have tried unplugging their cables, Windows Troubleshoot and Repair, ipconfig /release and then renewing. Nothing works. I can tone down the connection and they are plugged into VLAN1.
Am I missing something? I should note, this is a fresh Fortigate 100D as the previous one bit the dust and had to be replaced.
Fortigate 100D 5.6
Do some pcap, find the DHCP server, and see if there is any rogue DHCP server. Also double-check the server MAC address in the layer 2 forwarding table.
PCNSE
NSE
StrongSwan
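To make the pcap check concrete, here is an added example (not code from this thread or from Fortinet) that parses a raw BOOTP/DHCP payload, i.e. the UDP payload you would pull from a capture, and flags any OFFER/ACK whose server identifier or offered address does not belong to the scope expected on that VLAN. The expected-server table and the constructed OFFER packet are assumptions taken from the addressing in the question.

```python
import ipaddress
import struct

# Expected DHCP server and scope per VLAN (assumed from the question's addressing).
EXPECTED = {
    "VLAN1": {"server": "192.168.1.1", "scope": "192.168.1.0/24"},
    "VLAN2": {"server": "192.168.0.1", "scope": "192.168.0.0/24"},
}

def build_offer(yiaddr, server_id, mac):
    """Construct a minimal BOOTP/DHCP OFFER payload (test data, not a real capture)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      2, 1, 6, 0, 0x3903F326, 0, 0x8000,
                      b"\0\0\0\0", ipaddress.IPv4Address(yiaddr).packed,
                      ipaddress.IPv4Address(server_id).packed, b"\0\0\0\0",
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = (b"\x63\x82\x53\x63"                                    # magic cookie
            + b"\x35\x01\x02"                                      # opt 53: OFFER
            + b"\x36\x04" + ipaddress.IPv4Address(server_id).packed  # opt 54
            + b"\xff")
    return hdr + opts

def parse_dhcp(payload):
    """Return (msg_type, yiaddr, server_id) from a raw BOOTP/DHCP payload."""
    yiaddr = str(ipaddress.IPv4Address(payload[16:20]))  # fixed BOOTP field
    opts, i = payload[240:], 0                           # options follow cookie
    msg_type = server_id = None
    while i < len(opts) and opts[i] != 0xFF:             # 0xFF = end option
        if opts[i] == 0:                                 # pad option, no length
            i += 1
            continue
        code, length = opts[i], opts[i + 1]
        value = opts[i + 2:i + 2 + length]
        if code == 53:
            msg_type = value[0]
        elif code == 54:
            server_id = str(ipaddress.IPv4Address(value))
        i += 2 + length
    return msg_type, yiaddr, server_id

def check_offer(vlan, payload):
    """List problems for an OFFER/ACK seen on `vlan`; None if not OFFER/ACK."""
    msg_type, yiaddr, server_id = parse_dhcp(payload)
    if msg_type not in (2, 5):                           # 2 = OFFER, 5 = ACK
        return None
    exp = EXPECTED[vlan]
    problems = []
    if server_id != exp["server"]:
        problems.append(f"unexpected server {server_id}")
    if ipaddress.IPv4Address(yiaddr) not in ipaddress.IPv4Network(exp["scope"]):
        problems.append(f"offered {yiaddr} outside {exp['scope']}")
    return problems
```

An OFFER captured on the VLAN1 switch that reports server 192.168.0.1 and hands out a 192.168.0.x address is exactly the symptom in the question; the source MAC of that frame is what to look up in the layer 2 table.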
Do you have security policies allowing traffic between the vlans?
Is there a route between the vlans or are they both in a zone which allows intra-zone routing?
You should probably double-check your vlan settings on the FGT and your switch as well. It could be that you just allowed both vlans through by accident.
tanr wrote:
I have inter-VLAN communication enabled via policy. I had this on the previous Fortigate unit, but this DHCP crossover never happened. I'll switch it over to a route after hours and see what happens.

> Do you have security policies allowing traffic between the vlans?
> Is there a route between the vlans or are they both in a zone which allows intra-zone routing?
> You should probably double-check your vlan settings on the FGT and your switch as well. It could be that you just allowed both vlans through by accident.
Fortigate 100D 5.6
I just realized you assumed I had created VLANs and zones. I didn't do that. I simply added subnets to the hardware switches, then added a policy allowing traffic between the two.
So I have created a new policy denying DHCP requests from the VLAN2 subnet to the VLAN1 subnet. Hopefully that cures it.
Fortigate 100D 5.6
