dbrady
New Member
January 8, 2018
Question

Routing Issue between Fortigate 100E and Cisco 3650

  • January 8, 2018
  • 2 replies
  • 24114 views

Hey guys,

I'm hoping someone can help me. I have recently replaced unmanaged switches with a Cisco 3650 switch and set up inter-VLAN routing. I have created 4 VLANs to segregate the network (vlan10 management, vlan20 servers, vlan30 end user devices, vlan40 WiFi APs).

I have connected the FortiGate (v5.4.5, build6225) to the switch (trunk port) and created the VLANs on the FortiGate interface connected to the switch. I have set up a default route on the switch to point traffic to the FW (IP in vlan10). The switch can ping all VLAN interfaces on the FW, but an end user device can't ping the FW. A workaround was to enable asymmetric routing, but I understand this to be a test, not a workaround.

As all traffic from the switch is going over vlan10, I have created the necessary IPv4 policies to allow this traffic.

Can anyone shed some light on where I am going wrong, please? Attached is the topology.

 

    2 replies

    ede_pfau
    SuperUser
    January 9, 2018

    hi,

    If I don't read your post but only look at the schematic, I'd say you don't run a VLAN trunk from the switch to the FGT. So no wonder traffic from the other VLANs doesn't make it there.

    Have a look at the current Routing Table on the FGT; "get route info rout all" in the CLI, or Routing > Monitor in the GUI. The FGT should have routes for all VLANs.

    The FGT will silently drop traffic it does not have a route for - anti-spoofing. For example, incoming traffic from VLAN40 would be dropped unless there is a route back to where this traffic originated. This can be an explicit route, or the default route.

    dbrady (Author)
    New Member
    January 9, 2018

    Hi Ede,

    Thank you for your reply. I have been thinking about how I have set this up and I'm thinking of changing it.

    Configure the switchport that connects to the FGT as a routed port and give it an IP address on the same subnet as the FW. Create a default route on the switch to the FW and create static routes on the FGT for each VLAN on the switch. This seems like a simpler setup?

    ede_pfau
    SuperUser
    January 9, 2018

    Sure, this should work as well. You wouldn't need to create VLAN ports on the FGT but... you will have all traffic on that wire, no separation. Creating policies between subnets will work, but features involving ports will not, like DHCP servers.

    Actually, creating that port as a trunk port for all VLANs should work as well and would not mean much more config on the FGT. But more control, IF you need it.
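
The two replies above turn on one mechanism: the FortiGate's reverse-path (anti-spoofing) check that ede_pfau describes in the first reply, and the way each of the proposed designs (the routed link with per-VLAN static routes, or the trunk with the FGT as the gateway for every VLAN) gives the FGT a route back out the interface the packet came in on. The following is an added example, not code from the thread or from Fortinet. It models the check the way FortiOS documents it: in the default loose mode a packet passes if any route to its source address leaves via the ingress interface; with `strict-src-check` enabled the best (longest-prefix) route to the source must leave via that interface; with `asymroute` enabled the check is skipped entirely. All addresses, the interface names `port2` and `wan1`, and the switch address `10.0.10.2` are assumptions chosen to match the four-VLAN topology in the post, which gives none.

```python
"""Model of the FortiGate reverse-path (anti-spoofing) check.

Added example, not code from the thread or from Fortinet. Addresses and
interface names are assumptions: vlan10 10.0.10.0/24 (FGT 10.0.10.1,
switch 10.0.10.2), vlan20/30/40 likewise, wan1 203.0.113.0/24.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    gateway: Optional[str] = None  # None means directly connected


def route(prefix: str, interface: str, gateway: Optional[str] = None) -> Route:
    return Route(ipaddress.ip_network(prefix), interface, gateway)


def best_route(table: List[Route], ip: str) -> Optional[Route]:
    """Longest-prefix match over the table (admin distance not modelled)."""
    addr = ipaddress.ip_address(ip)
    candidates = [r for r in table if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def rpf_check(table: List[Route], src_ip: str, ingress_if: str,
              strict: bool = False, asymmetric: bool = False) -> bool:
    """True if a packet from src_ip arriving on ingress_if survives the check."""
    if asymmetric:          # 'set asymroute enable': no check at all
        return True
    addr = ipaddress.ip_address(src_ip)
    if strict:              # 'set strict-src-check enable': best route must match
        best = best_route(table, src_ip)
        return best is not None and best.interface == ingress_if
    # loose mode (default): any route to the source via the ingress interface
    return any(addr in r.prefix and r.interface == ingress_if for r in table)


# --- Constructed routing tables for the designs discussed in the thread ---
WAN = [route("0.0.0.0/0", "wan1", "203.0.113.1"), route("203.0.113.0/24", "wan1")]

# As posted: trunk to the FGT with a VLAN sub-interface per VLAN, but the 3650
# routes between VLANs and sends everything to the FGT over vlan10.
AS_POSTED = WAN + [route("10.0.10.0/24", "vlan10"), route("10.0.20.0/24", "vlan20"),
                   route("10.0.30.0/24", "vlan30"), route("10.0.40.0/24", "vlan40")]

# dbrady's proposal: routed port on the switch (10.0.10.2), FGT port2 is
# 10.0.10.1, and one static route on the FGT per switch VLAN via 10.0.10.2.
SWITCH = "10.0.10.2"
ROUTED_LINK = WAN + [route("10.0.10.0/24", "port2"),
                     route("10.0.20.0/24", "port2", SWITCH),
                     route("10.0.30.0/24", "port2", SWITCH),
                     route("10.0.40.0/24", "port2", SWITCH)]


def scenarios() -> Dict[str, bool]:
    """A host in VLAN30 (10.0.30.25) sends a packet to the FGT under each design."""
    host = "10.0.30.25"
    return {
        # the switch's own vlan10 address is routed out vlan10: its ping works
        "as_posted_switch_ping": rpf_check(AS_POSTED, SWITCH, "vlan10"),
        # the host's packet is forwarded by the switch and enters on vlan10,
        # but the only route to 10.0.30.0/24 is the vlan30 sub-interface: drop
        "as_posted_host": rpf_check(AS_POSTED, host, "vlan10"),
        "as_posted_host_asymroute": rpf_check(AS_POSTED, host, "vlan10", asymmetric=True),
        # routed link plus per-VLAN statics: the route back uses the same port
        "routed_link_host": rpf_check(ROUTED_LINK, host, "port2"),
        "routed_link_host_strict": rpf_check(ROUTED_LINK, host, "port2", strict=True),
        # ede_pfau's alternative: keep the trunk and make the FGT the gateway
        # for every VLAN, so the packet arrives on vlan30 itself
        "trunk_fgt_gateway": rpf_check(AS_POSTED, host, "vlan30"),
        # the "or the default route" case: loose mode lets a packet with an
        # internal source in on wan1 because 0.0.0.0/0 points there; strict
        # mode rejects it because the best route back is vlan30
        "wan_internal_src_loose": rpf_check(AS_POSTED, host, "wan1"),
        "wan_internal_src_strict": rpf_check(AS_POSTED, host, "wan1", strict=True),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:26s} {'pass' if ok else 'DROP'}")
```

On a real unit the routing table to compare against is `get router info routing-table all`, both knobs live under `config system settings` (`set asymroute enable` disables the check, `set strict-src-check enable` tightens it), and `diagnose debug flow` reports a failed check as a reverse path check drop. The last two scenarios are the practitioner's caveat to the default-route remark: loose mode with a default route out the WAN accepts packets carrying internal source addresses on that interface, so the per-VLAN routes that fix the inter-VLAN problem are also what lets strict mode stay enabled without breaking legitimate traffic.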

    pyy
    New Member
    January 11, 2018

    Which is the default gateway for the devices, the L3 switch or the FG? If the L3 switch, then why do you have sub-interfaces on the FG? If so, just create policies for the inter-VLAN communication, or a zone.

    Anurag_Goyal
    New Member
    January 12, 2018

    Default gateway for the L3 switch is the FG, and yes, it is for inter-VLAN communication.