Fortigate 100D and Cisco Vlan config - DHCP Failure

Author
jerryroy1
New Member
  • Total Posts : 2
  • Scores: 0
  • Reward points: 0
  • Joined: 2017/01/11 18:36:56
  • Status: offline
2020/10/03 20:56:34 (permalink)
0

Fortigate 100D and Cisco Vlan config - DHCP Failure

Can someone tell me if this is correct? I am trying to obtain an IP address from a Fortigate 100D configured as a DHCP server that is connected to a Linksys dumb switch, which is in turn connected to a Cisco 2960 switch. I can get an IP on a laptop if I plug directly into the dumb switch that is also plugged into the "LAN" port of the Fortigate without issue. As soon as I introduce the 2960, I am unable to obtain an IP from the Fortigate. I have created a temporary IP subnet on port 16 so I can test my trunking and switch config and see why it is not working. But if I plug both the Fortigate and a laptop into my 2960, I never get an IP from the Fortigate.

I have an existing VLAN1 for a Church and an existing VLAN1 for a Christian School and want to allow both Church and school to use the APs around the campus that connect to their own unique VLAN. I have created a VLAN 20 and originally assigned it to the LAN interface of the Fortigate and, like I said, it never worked. I am 99% sure the config is correct because I can ping through the entire network on the 2 VLANs to the IP assigned to the AP in the Gym (see attached drawing).

Here is the Cisco side:

(uplink plugged in here)
!
interface FastEthernet0/24
switchport access vlan 20
switchport trunk allowed vlan 20
 
(Laptop for test plugged into here)
!
interface FastEthernet0/13
switchport access vlan 20
switchport mode access
end
Here is the Fortigate side:


This interface should be in Vlan 20

next
edit "port16"
set vdom "root"
set type physical
set snmp-index 12
next

edit "Vlan_20"
set vdom "root"
set ip 192.168.20.1 255.255.255.0
set allowaccess ping https ssh fgfm capwap
set snmp-index 13
set interface "port16"
set vlanid 20
next

Also, 
This interface should be in Vlan 1
edit "dmz"
set vdom "root"
set ip 192.168.2.3 255.255.255.0
set allowaccess ping https ssh fgfm
set type physical
set snmp-index 4
 
https://photos.app.goo.gl/hzJBG4yxoZvSbVbm6
post edited by jerryroy1 - 2020/10/04 09:56:55


#1

2 Replies

    lobstercreed
    Platinum Member
    • Total Posts : 315
    • Scores: 37
    • Reward points: 0
    • Joined: 2018/11/28 14:57:58
    • Location: Sedalia, MO
    • Status: offline
    Re: Fortigate 100D and Cisco Vlan config - DHCP Failure 2020/10/04 13:37:49 (permalink)
    0
    Let me give you a quick response rather than a thorough one, because I think you may have a key misconception about VLAN interfaces and FortiGates.  If that turns out not to be the case then maybe we can revisit the details of this.
     
    The config you have on your FortiGate for port16 makes that a trunk with whatever is the "native" or access VLAN dumping out on port16 itself, and then VLAN 20 being tagged going in and out of that interface (plus any other VLANs you happen to add to port16).  The problem is your unmanaged switch can only operate with untagged frames, so it is not capable of tagging traffic into port16 with the appropriate VLAN tag.
     
    So if you remove the following config altogether and treat port16 as your VLAN 20 interface, I think you'll achieve what you wanted to:
    edit "Vlan_20"
    set vdom "root"
    set ip 192.168.20.1 255.255.255.0
    set allowaccess ping https ssh fgfm capwap
    set snmp-index 13
    set interface "port16"
    set vlanid 20
    next
    #2
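An added example, not code from the thread or from either vendor: a small checker that reads the kind of Cisco IOS switchport stanza and FortiOS interface entries quoted in the original post and reports whether the two ends of the uplink agree on 802.1Q tagging for VLAN 20. The configs below are constructed from the thread's snippets (the "as posted" pair, lobstercreed's "IP directly on port16" variant, and a third variant that makes the Cisco port an explicit trunk). It assumes, as Catalyst switches behave, that a port with no explicit `switchport mode` defaults to `dynamic auto` and stays in access mode when the peer (a FortiGate) does not negotiate DTP; that assumption is what turns the posted Fa0/24 stanza into an untagged port while the FortiGate sub-interface expects tagged frames.

```python
"""Added example (not from the thread): check whether a Cisco IOS switchport and
the FortiGate port it uplinks to agree on 802.1Q tagging for one VLAN.
All config text below is constructed from the thread's snippets."""
import re

# Constructed: the Cisco uplink stanza as posted (no "switchport mode trunk").
CISCO_AS_POSTED = """\
interface FastEthernet0/24
 switchport access vlan 20
 switchport trunk allowed vlan 20
!
"""
# Constructed: the same port as an explicit trunk carrying VLAN 20 tagged.
CISCO_TRUNK = """\
interface FastEthernet0/24
 switchport mode trunk
 switchport trunk allowed vlan 20
!
"""
# Constructed: FortiOS as posted, VLAN 20 as a tagged sub-interface of port16.
FGT_AS_POSTED = """\
edit "port16"
    set type physical
next
edit "Vlan_20"
    set ip 192.168.20.1 255.255.255.0
    set interface "port16"
    set vlanid 20
next
"""
# Constructed: lobstercreed's suggestion, the subnet directly on port16 (untagged).
FGT_UNTAGGED = """\
edit "port16"
    set ip 192.168.20.1 255.255.255.0
    set type physical
next
"""

def parse_ios(text):
    """Map interface name -> switchport settings, starting from Catalyst defaults."""
    ifaces, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = {"mode": None, "access": 1, "native": 1, "allowed": "all"}
        elif cur and line.startswith("switchport mode "):
            ifaces[cur]["mode"] = line.split()[2]
        elif cur and line.startswith("switchport access vlan "):
            ifaces[cur]["access"] = int(line.split()[3])
        elif cur and line.startswith("switchport trunk native vlan "):
            ifaces[cur]["native"] = int(line.split()[4])
        elif cur and line.startswith("switchport trunk allowed vlan "):
            ifaces[cur]["allowed"] = line.split(None, 4)[4]
    return ifaces

def vlan_allowed(spec, vlan):
    """True if vlan is in an IOS allowed-list such as 'all', 'none' or '1,20,30-40'."""
    if spec in ("all", "none"):
        return spec == "all"
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= vlan <= int(hi or lo):
            return True
    return False

def ios_delivery(iface, vlan):
    """How the switchport hands frames of `vlan` to its peer: tagged, untagged or blocked.
    Assumption: no explicit mode means 'dynamic auto', and a peer without DTP
    (a FortiGate) leaves such a port in access mode."""
    mode = iface["mode"] or "access"
    if mode == "trunk":
        if vlan == iface["native"]:
            return "untagged"
        return "tagged" if vlan_allowed(iface["allowed"], vlan) else "blocked"
    return "untagged" if iface["access"] == vlan else "blocked"

def parse_fortios(text):
    """Map FortiOS interface name -> {setting: value} from edit/set/next lines."""
    entries, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r'edit "([^"]+)"', line)
        if m:
            cur = m.group(1)
            entries[cur] = {}
        elif cur and line.startswith("set "):
            key, _, val = line[4:].partition(" ")
            entries[cur][key] = val.strip('"')
    return entries

def fgt_expectation(entries, port, vlan):
    """'tagged' if a VLAN sub-interface with that vlanid rides on `port`,
    'untagged' if the port itself carries an address, otherwise 'none'."""
    for cfg in entries.values():
        if cfg.get("interface") == port and cfg.get("vlanid") == str(vlan):
            return "tagged"
    ip = entries.get(port, {}).get("ip", "0.0.0.0")
    return "none" if ip.startswith("0.0.0.0") else "untagged"

def check_link(cisco_text, cisco_port, fgt_text, fgt_port, vlan):
    """Return (what the switch sends, what the FortiGate expects, whether they match)."""
    sends = ios_delivery(parse_ios(cisco_text)[cisco_port], vlan)
    wants = fgt_expectation(parse_fortios(fgt_text), fgt_port, vlan)
    return sends, wants, sends == wants

if __name__ == "__main__":
    for label, c, f in [("as posted", CISCO_AS_POSTED, FGT_AS_POSTED),
                        ("IP on port16", CISCO_AS_POSTED, FGT_UNTAGGED),
                        ("Cisco trunk", CISCO_TRUNK, FGT_AS_POSTED)]:
        print(label, check_link(c, "FastEthernet0/24", f, "port16", 20))
```

Run as-is, the "as posted" pair comes back as untagged on the switch side and tagged on the FortiGate side, which is the mismatch that stops DHCP; either of the other two pairs is consistent. Note that the unmanaged Linksys switch in the middle cannot add or strip tags, so whichever variant is chosen, both managed ends have to settle on the same tagging for the segment, which is the point of the reply above.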
    sw2090
    Expert Member
    • Total Posts : 783
    • Scores: 58
    • Reward points: 0
    • Joined: 2017/06/14 01:27:25
    • Location: Regensburg
    • Status: offline
    Re: Fortigate 100D and Cisco Vlan config - DHCP Failure 2020/10/05 06:48:47 (permalink)
    0
    To add: if you do it the way lobstercreed wrote, you have to make sure that the Cisco behind the dumb switch is taking care of correct VLAN tagging on the port the dumb switch is connected to. Otherwise you will never reach VLAN 20 from there, or the FGT from within VLAN 20...
    #3