Hi guys first time posting, I have an odd issue thats throwing me off. I have inherited a network and recently have been working to replace our out of support SG300s with 124F's as well as implement HA architecture. Recently I replaced a SG300 with a pair of 124Fs with a trunk between them.
The topology is something like this.
Stacked Aruba Switches (VL3 tagged trunk) <-> 124F Switches *new (VL3 tagged trunk) Egress to internal is a VL3 Access port <----- External Network | Internal Network ----> egress to DMZ is a VL3 access port Cisco SG300 Default VLan 3 egress to internal 124F is VL3 Access <-> FG80F.
Everything within the DMZ can communicate with itself as well everything within the internal network can communicate with themselves and the gateway on the 80F. The problem is that the external half of the vlan and the internal half are not communicating between each other. Interestingly bypassing the 124F switch on the internal half of the network vlan allows all traffic to work as expected IE devices attached to the Aruba switch can reach the gateway and everything internally.
As an FYI I am distinguishing the two sides of the network as external and internal as just a naming convention as it delineates the problem areas but really doesn't mean anything. Also keep in mind I inherited most of this network so suggestions are welcome but the design isn't mine.
Please let me know if any of you have run into something like this before or have some idea what may be causing it i've scratched my head at this for a few days and am really not getting it.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Based on your description, it sounds like there may be an issue with VLAN tagging or configuration on the 124F switches. Here are a few things you can check:
1. Verify VLAN configuration: Make sure that the VLANs are configured correctly on both the 124F switches and the FG80F firewall. Specifically, make sure that the VLAN IDs and tagging are consistent across all devices.
2. Check trunk configuration: Ensure that the trunk port between the 124F switches is configured correctly and that the VLANs are allowed to pass through the trunk.
3. Verify access port configuration: Make sure that the access ports on the 124F switches are configured correctly for the appropriate VLANs. Double-check the VLAN IDs and tagging to ensure that they match the rest of the network.
4. Check for VLAN mismatches: It's possible that there is a VLAN mismatch somewhere in the network that is causing the issue. Check all devices to ensure that the VLAN IDs and tagging are consistent.
5. Check firewall rules: Make sure that the firewall rules on the FG80F are configured correctly to allow traffic to pass between the internal and external VLANs.
6. Verify connectivity: Use a tool like ping or traceroute to verify connectivity between devices on the internal and external VLANs. This can help you identify where the issue may be occurring.
Thanks for the reply, I have double checked all of the VLan tagging but everything appears correct. Again and interestingly both sides of the network work perfectly fine independently just not attached together. For example the 80F <-> 124F <-> SG300 connection works just fine by itself. As well traffic on the other side 124F <-> Aruba can communicate fine. When you build the whole thing out 80F <-> 124F <-> SG300 <-> 124F <-> Aruba the traffic on the external side looses connection to the gateway interface on the 80F. Removing the 124F from the equation on the internal side remedies this. It is as if the SG300 and 124F are not sharing their respective network attached devices etc.
Thanks again,
If you can put a network diagram it will be very helpful to find which segment is failing. When troubleshooting switch deployment is necessary to focus on MAC address learning on all the VLANs for all the switches in the L2 domain, STP also doesn't like multi vendor :) Are both FSW in standalone mode?
The learned mac address in FSW can be checked using this command:
# diagnose switch mac-address list | grep -i mac
It will show the port and the VLAN where it's learned
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1660 | |
1077 | |
752 | |
443 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.