Routing – Fortinet 200D: how to implement VLAN, inter-VLAN routing, and DHCP relay

dhcpfortigatefortinetroutingvlan

Here are the steps I configured so far:

General configuration steps

The following steps provide an overview of configuring and testing the
hardware used in this example. For best results in this configuration,
follow the procedures in the order given. Also, note that if you
perform any additional actions between procedures, your configuration
may have different results.

Configure the FortiGate unit
• Configure the external interface
• Add two VLAN subinterfaces to the internal network interface
• Add firewall addresses and address ranges for the internal and external networks
• Add security policies to allow: (this is technically for inter-vlan routing)
• the VLAN networks to access each other
• the VLAN networks to access the external network.

Configure the VLAN switch

Also created the trunk on the switch that connects to the LAN interface of the Fortinet, made a switchport access and assigned switchport access VLAN to it. Still not working as designed?

Best Answer

On the FGT this looks OK. However, you don't detail the config on the uplink switch nor its model.

It's essential that you mirror the FGT's VLAN configuration on the switch. An access switchport may not support multiple tagged VLANs - you need to configure a VLAN trunk with (at most) one VLAN untagged (native) and all others tagged.

My personal recommendation for the Fortigate is to run all VLANs tagged - this simplifies later changes and produces clean interface statistics (the physical interface for the untagged VLAN also counts tagged frames).

Related Solutions

Vlan – Setting up PIM Sparse mode

My questions are:

Should we setup on our core network switch OSPF with a router ID of 1.1.1.1 and then not set any OSPF settings on any other switch?

OSPF is not necessary for this implementation.

Would PIM Sparse Mode only need to be enabled on the core switches or on all of the switches in the network?

Pim-SM needs to be enabled on each L3 interface on which you want to allow the multicast traffic. For example, if you wish to contain the traffic to Vlans 15 and 14, you would have to do the following on your core:

configure
ip multicast
ip igmp
ip pim sparse
interface vlan 14
ip igmp
ip pim
interface vlan 15
ip igmp
ip pim
exit

If you want the traffic to traverse all Vlans, then you will need the appropriate interface configuration under each Vlan. Your L2 switches will need IGMP snooping turned on (ideally on all interfaces via the global configuration).

configure
ip igmp snooping 
bridge multicast filtering

For a very basic multicast setup like this, these should be the only features that you would need.

VLAN membership – Tagged and Untagged

Here's one way to think about it:

A port with more than one VLAN associated with it is called a Trunk. A Trunk can have exactly ONE untagged vlan (also called the Native VLAN), and one or more Tagged VLANS. If you set a VLAN to be untagged on a port, there is no PVID associated with it; there is no PVID field in the Ethernet frame.

If a trunk port is configured with VLAN1 untagged, and VLAN 2 tagged, then all devices that use untagged frames (PCs etc) will communicate on VLAN 1 and be blissfully unaware of any other VLANs. If a device can tag frames with a PVID =2, then it can communicate on VLAN 2.

Best Answer

Related Solutions

Vlan – Setting up PIM Sparse mode

VLAN membership – Tagged and Untagged

Related Topic