VLAN Problem

Author: Gushim (New Member)
Posted 2019/11/07 22:19:29 (permalink)

Dear all friends,

I have a topology like this (see the attachment).
 
 
Fortinet:
I already created subinterfaces on port 1 (this is connected to port 1 of the switch), created VLANs 10, 20 and 30 and assigned an IP address per VLAN:
VLAN 10: 192.168.10.1/24
VLAN 20: 192.168.20.1/24
VLAN 30: 192.168.30.1/24
VLAN 10 & 20: DHCP

Switch:
I already created a trunk on port 1 to port 1 of the Fortinet with native VLAN 20
already created a trunk on port 2 to the access point with native VLAN 20
already set access mode on the ports connected to the PCs with VLAN ID 10 and 30
already assigned IP 192.168.20.2/24 to VLAN 20
 
The problem:
  • From the switch I cannot ping 192.168.20.1 (the Fortinet IP on VLAN 20)
  • Wi-Fi cannot connect to cloud management (VLAN 20 is already created on the access point)
  • Users with Wi-Fi access cannot get an IP from each VLAN's DHCP

Previously I used a Cisco router for the trunk and assigned it with encapsulation dot1q, but on the Fortinet I don't know how to assign that.

Any idea for a solution? I appreciate any answer.
 
Thanks
 
post edited by Gushim - 2019/11/08 01:24:53

Attached Image(s)

#1

2 Replies

    sw2090 (Gold Member, Regensburg)
    Re: VLAN Problem 2019/11/08 02:45:36 (permalink)
    Basically the FortiGate only handles tagged VLAN traffic. This means you have to make sure that traffic that reaches the FGT on port1 is tagged with the correct VLAN tag. The FGT has to have policies for the VLAN traffic then, of course.
    VLAN tagging can either be done on the Cisco, the Wi-Fi AP or on the client (which at least on Windows is rather difficult and on embedded devices mostly not possible at all, except for Wi-Fi APs or routers/switches).
     
    To check what happens to the traffic on the FortiGate I'd suggest using the flow trace debug on the FGT command line:
     
     diag debug enable
     diag debug flow filter clear
     diag debug flow filter <filter> (run "diag debug flow filter ?" to see the list of available filters, or use it without a parameter to see the current setting)
     diag debug flow trace start <numberofpackets>
     
    This will show you what the FGT does with the traffic.
     
    hth
    Sebastian
    #2
    Toshi Esumi (Expert Member)
    Re: VLAN Problem 2019/11/08 09:17:01 (permalink)
    I would suggest not making VLAN 20 the native VLAN on the Catalyst. For those access-point or other device ports that you want or need to connect to VLAN 20 with an untagged interface, you should use access ports. Then you can pass tagged VLAN 20 over trunk port 1 to the FGT. Since the Catalyst's native VLAN is system-wide and can't be changed per port, you might run into different problems or limit your ability to do more complicated setups.
    If you are sure you wouldn't need to change native VLAN 20 in the foreseeable future, you can move the interface config from VLAN 20 to port1 (remove then reconfigure) so that the FGT can talk to the Catalyst's native VLAN 20 without tags.
     
    #3
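Both replies above come down to the same tagging rule: a Catalyst trunk sends its native VLAN untagged, while a FortiGate VLAN subinterface only accepts frames carrying an 802.1Q tag with its VLAN ID, so VLAN 20 frames from the switch arrive at the physical port1 rather than at the vlan20 subinterface. The following model, added here as an example and not code from Fortinet, Cisco or either poster, builds real 802.1Q frames (TPID 0x8100, 16-bit TCI) and runs them through a simplified trunk egress and FortiGate ingress so the mismatch, and the effect of the two fixes (change the native VLAN, or move the VLAN 20 address onto port1), can be checked offline. The MAC addresses, interface names and payload are constructed for the example.

```python
"""
802.1Q tagging model: Catalyst trunk egress -> FortiGate port ingress.

Added illustration for this thread; not vendor code.  MACs, interface names
and the payload are constructed.
"""
import struct
from typing import Dict, Optional, Set

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

FGT_MAC = bytes.fromhex("00090f000001")     # constructed
SWITCH_MAC = bytes.fromhex("0011bb000002")  # constructed


def build_frame(dst: bytes, src: bytes, vlan: Optional[int], payload: bytes) -> bytes:
    """Build an Ethernet II frame; insert an 802.1Q tag when vlan is given."""
    hdr = dst + src
    if vlan is not None:
        if not 1 <= vlan <= 4094:
            raise ValueError("VLAN ID out of range")
        tci = vlan & 0x0FFF  # PCP=0, DEI=0, VID=vlan
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    hdr += struct.pack("!H", ETHERTYPE_IPV4)
    return hdr + payload


def parse_vlan(frame: bytes) -> Optional[int]:
    """Return the VLAN ID from the 802.1Q tag, or None if the frame is untagged."""
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return None
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF


def trunk_egress(vlan: int, native_vlan: int, allowed: Set[int], payload: bytes) -> Optional[bytes]:
    """Catalyst trunk behaviour: drop VLANs not allowed on the trunk, send the
    native VLAN untagged, tag every other VLAN."""
    if vlan not in allowed:
        return None
    tag = None if vlan == native_vlan else vlan
    return build_frame(FGT_MAC, SWITCH_MAC, tag, payload)


def fgt_ingress(frame: bytes, parent: str, subinterfaces: Dict[int, str]) -> Optional[str]:
    """FortiGate ingress: a tagged frame is handed to the subinterface configured
    for that VLAN ID (dropped if there is none); an untagged frame is handed to
    the physical parent interface."""
    vid = parse_vlan(frame)
    if vid is None:
        return parent
    return subinterfaces.get(vid)


# Subinterface names are constructed; they stand for the three VLAN
# subinterfaces the poster created under port1.
FGT_SUBIFS = {10: "vlan10", 20: "vlan20", 30: "vlan30"}


def deliver(vlan: int, native_vlan: int) -> Optional[str]:
    """Which FortiGate interface receives a frame sent from switch VLAN `vlan`
    over a trunk whose native VLAN is `native_vlan`?"""
    frame = trunk_egress(vlan, native_vlan, {10, 20, 30}, b"ICMP echo request")
    if frame is None:
        return None
    return fgt_ingress(frame, "port1", FGT_SUBIFS)


if __name__ == "__main__":
    # Poster's setup: native VLAN 20, so VLAN 20 lands on port1, not vlan20.
    print("native 20:", {v: deliver(v, 20) for v in (10, 20, 30)})
    # Toshi's first suggestion: native VLAN moved elsewhere, VLAN 20 now tagged.
    print("native 1: ", {v: deliver(v, 1) for v in (10, 20, 30)})
```

With native VLAN 20 the switch's ping to 192.168.20.1 leaves the trunk untagged and is received on port1, which has no address in 192.168.20.0/24, which is why the poster sees no reply; either fix makes the model line up: change the native VLAN so VLAN 20 is tagged and reaches the vlan20 subinterface, or, as Toshi's second option, configure 192.168.20.1 on port1 itself so the untagged frames are answered there.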