Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
tbar1704
New Contributor II

Created on ‎10-16-2023 08:40 AM Edited on ‎02-26-2024 06:48 AM By Community Manager

InterVlan Routing - Not all VLAN Interfaces are on the Fortigate

I created my first VLAN Interface on the Fortigate, under the LAN port that goes to our core switch. The LAN port to the HP Switch is a Trunk port and the new VLAN is permitted on the trunk port.

 

For now all the other VLAN interfaces are on the Layer 3 Core Switch

 

I cant ping the new VLAN's interface from the Core switch directly or by one of the resources I have on the new VLAN connected to the Core switch

Labels:
2471
0 Kudos
1 Solution
Toshi_Esumi
SuperUser
SuperUser
In response to tbar1704

Created on ‎10-17-2023 10:42 AM Edited on ‎10-17-2023 10:43 AM

You should ask the HPE community why it's not working.

Creating a L3 interface wouldn't change the fact L2 is not passing through. Also it would break your design to set the FGT as a GW for VLAN 210. Because now the core switch knows the IPs in VLAN 210 exist within the switch. If other subnets/VLANs send packet toward VLAN 210, it's not going to bother sending them to the FGT but just directly sends to the destination devices.

 

Toshi

View solution in original post

2170
23 REPLIES 23
tbar1704
New Contributor II
In response to Toshi_Esumi

Created on ‎10-16-2023 10:53 AM Edited on ‎10-16-2023 10:54 AM

Sorry for the confusion

I created the VLAN Interface on the FG using the IP Address 10.1.210.1

 

From the Core switch console I can ping the VLAN interface that exists on FG but I'm unable to ping any resources on the 10.1.210.0 subnet. Also, none of those resources can ping the 10.1.210.1 IP

895
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to Toshi_Esumi

Created on ‎10-16-2023 11:06 AM Edited on ‎10-16-2023 11:06 AM

Let's put aside the issue pinging from the SW itself. So you're saying you can't ping from like 10.1.210.2/24 device connected to the SW to 10.1.210.1 on the FGT VLAN interface, and the FGT can't ping 10.1.210.2 either. Right?

 

I think the problem is on the SW side but to make sure, just sniff packets on VLAN 210 interface at the FGT while you're pining from the 10.1.210.2 device to 10.1.210.1. If you don't see nothing coming in, the SW is not forwarding the VLAN traffic.
To test opposite direction, you need have two sessions, or one SSL and another console, then sniff it while pinging 10.1.210.2. You should see the ping/ICMP requests go out but you might not see responses coming back.

 

Toshi

 

Toshi

893
Toshi_Esumi
SuperUser
SuperUser
In response to Toshi_Esumi

Created on ‎10-16-2023 11:13 AM Edited on ‎10-16-2023 11:14 AM

Oh, by the way, recently(last week) we had a thread about a VLAN connection issue with HPE/Comware switch. It turned out it was a switch native vlan config issue that the native vlan is needed to be included in permit vlan list on the trunk port.

You're sure about your switch trunk port vlan config, right? HPE has multiple SW platforms with different OS so depending on the model you have the problem above might not apply.

889
Toshi_Esumi
SuperUser
SuperUser
In response to Toshi_Esumi

Created on ‎10-16-2023 11:17 AM

Probably that's not a matter because VLAN 210 is NOT a native VLAN in your case. Sorry. Just ignore my comment above.

888
ebilcari
Staff
Staff
In response to tbar1704

Created on ‎10-16-2023 09:06 AM

First try to ping the next hop (10.255.254.254) from the switch, if that is reachable than you have to add a static route also from the FGT to the new subnet you created on the switch. Make sure to also create a firewall policy on the FGT to allow the traffic.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
934
tbar1704
New Contributor II
In response to ebilcari

Created on ‎10-16-2023 09:58 AM

The new subnet (VLAN) is on the FG not the switch

911
0 Kudos
ebilcari
Staff
Staff
In response to tbar1704

Created on ‎10-17-2023 04:49 AM

I would suggest to draw a schema of the physical and logical interfaces and the subnets that you want to route, right now it's a bit confusing what you are trying to achieve (routing via next hop, spanning VLAN from SW to FGT or a mix of it)

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
804
tbar1704
New Contributor II
In response to ebilcari

Created on ‎10-17-2023 05:38 AM Edited on ‎10-17-2023 05:38 AM

I think what I'm missing is a static route on the switch....

 

VLAN 210.JPG

798
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to tbar1704

Created on ‎10-17-2023 08:23 AM Edited on ‎10-17-2023 08:23 AM

@tbar1704I didn't realize it was you again for the same switch I commented last week. As I said yesterday, when you sniff on the "VLAN 210" subinterface, and you see it's sending the packets from 10.1.210.1 to those "resources" in the same VLAN on the switch, there is a disconnection on the switch between the trunk port 4/0/23 and those VLAN 210 access ports (I'm assuming). 

 

Toshi

784
tbar1704
New Contributor II
In response to Toshi_Esumi

Created on ‎10-17-2023 08:40 AM

@Toshi_Esumi  - Yes, it's me again/still. Adding the Native VLAN 4000 to the trunk port 4/0/23 fixed my first issue, now I've moved on and I am stuck again.

 

I believe the issue is on the switch side. From the switch console I can ping the VLAN 210 Interface (10.1.210.1) but not from any resources in VLAN 210.

 

I'm assuming I need a static route 10.1.210.0 255.255.255.0 10.1.210.1. However, I already have a static route that says 0.0.0.0 0 10.255.254.254.

 

Is there a method to order the static routes so not everything uses 0.0.0.0 0 10.255.254.254?

780
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.