Currently our Fortigate is connected to an Access Port on our Core Switch tagged with VLAN 4000. The Core Switch has all our Virtual Interferfaces configured on it with no restrictions on what VLANs can see/access other VLANs.
The core switch has a static route "ip route-static 0.0.0.0 0.0.0.0 10.255.254.254" where 10.255.254.254 is the IP Address of the Fortgate port (Port 4) connected to the Access Port on the Core Switch
The ultimate goal is to move all Virtual Interfaces to the Fortigate se we can start doing segementation.
For now I just want to add a new VLAN/VLAN Interface to the Fortigate so I can segment that.
- I created the new VLAN / VLAN Interface under Port 4 on the Fortigate (VLAN 210)
- I created a new trunk port on the Core Switch that looks like this
interface GigabitEthernet4/0/24
port link-mode bridge
description Trunk to Firewall LAN
port link-type trunk
port trunk permit vlan 210 4000
When I move the LAN connection from Port 4 on the Fortigate from the Access Port on the Core Switch to the new trunk port on the Core Switch the LAN loses all connectivity to the Fortigate. I'm assuming it has something to do with the trunk port I created but I don't know what I'm missing
Thank you
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
The VLAN 4000 is NOT a tagged interface on the fortigate port4 because the switch port is "access". The switch was stripping the tag for VLAN 4000 traffic before sending to the FGT.
With the new trunk port, the VLAN 4000 is now tagged, which the FGT port4 doesn't have the VLAN interface configured.
Two options.
Option1: This is what @spoojary is assuming. If the switch supports native VLAN per port, you can set the new trunk port's native VLAN to 4000.
Option2: Rip the L3 config from port4 and create a new VLAN 4000 subinterface on the FGT then put it on the port4. To do this you likely need to remove all policies and other config referring port4, then recreating them with the new VLAN 4000's name.
Toshi
Created on 10-11-2023 10:52 AM Edited on 10-11-2023 10:53 AM
You can't use the alias at any part of config or command lines. It's only for GUI view.
Also, this proves this interface is NOT VLAN tagged. The switch side needed to be native VLAN to communicate.
There might have been ARP issues when you moved the cable to the new port on the switch preventing communication. You might need to clear ARP table on both switch and FGT.
FGT's command line is "exe clear sys arp table". Be aware it clears everything.
Toshi
My switch port config looks like this:
# interface GigabitEthernet4/0/23 port link-mode bridge description Trunk to Firewall LAN port link-type trunk undo port trunk permit vlan 1 port trunk permit vlan 210 port trunk pvid vlan 4000 #
I moved the cable from the access port on the switch to port 4/0/23. I ran "reset arp all" on the switch and "exe clear sys arp table" on the Fortigate and it's still not working.
I apprceiate all the help you've provided thus far, thank you
Did you see anything in "diag sniffer packet port4" when you moved the cable?
Toshi
Roch-FW-Primary # exe clear sys arp table
Roch-FW-Primary # diag sniffer packet port4
interfaces=[port4]
filters=[none]
0.763675 802.1Q vlan#210 P7
0.779229 arp who-has 10.255.254.1 tell 10.255.254.254
0.779300 arp who-has 10.255.254.1 tell 10.255.254.254
1.779231 arp who-has 10.255.254.1 tell 10.255.254.254
2.779225 arp who-has 10.255.254.1 tell 10.255.254.254
2.779298 arp who-has 10.255.254.1 tell 10.255.254.254
3.263594 802.1Q vlan#210 P7
3.779221 arp who-has 10.255.254.1 tell 10.255.254.254
4.779223 arp who-has 10.255.254.1 tell 10.255.254.254
4.779291 arp who-has 10.255.254.1 tell 10.255.254.254
5.761801 802.1Q vlan#210 P7
5.779221 arp who-has 10.255.254.1 tell 10.255.254.254
6.784164 arp who-has 10.255.254.1 tell 10.255.254.254
7.779225 arp who-has 10.255.254.1 tell 10.255.254.254
8.261011 802.1Q vlan#210 P7
8.779223 arp who-has 10.255.254.1 tell 10.255.254.254
9.779225 arp who-has 10.255.254.1 tell 10.255.254.254
9.779294 arp who-has 10.255.254.1 tell 10.255.254.254
10.293732 802.1Q vlan#210 P0
10.293745 802.1Q vlan#210 P0
10.293880 802.1Q vlan#210 P0
10.779225 arp who-has 10.255.254.1 tell 10.255.254.254
10.945418 802.1Q vlan#210 P7
11.779229 arp who-has 10.255.254.1 tell 10.255.254.254
11.779297 arp who-has 10.255.254.1 tell 10.255.254.254
12.753715 lldp 317 chassis 4 b8:af:67:3d:7a:d0 port 5 'GigabitEthernet4/0/23' ttl 120 system 'A7506-CORE-SW1'
12.779221 arp who-has 10.255.254.1 tell 10.255.254.254
13.438654 802.1Q vlan#210 P7
13.779225 arp who-has 10.255.254.1 tell 10.255.254.254
13.779296 arp who-has 10.255.254.1 tell 10.255.254.254
14.754983 802.1Q vlan#210 P0
14.779227 arp who-has 10.255.254.1 tell 10.255.254.254
15.769191 802.1Q vlan#210 P0
15.783459 arp who-has 10.255.254.1 tell 10.255.254.254
15.943486 802.1Q vlan#210 P7
16.768650 802.1Q vlan#210 P0
16.789222 arp who-has 10.255.254.1 tell 10.255.254.254
17.789221 arp who-has 10.255.254.1 tell 10.255.254.254
18.436935 802.1Q vlan#210 P7
18.779226 arp who-has 10.255.254.1 tell 10.255.254.254
18.779292 arp who-has 10.255.254.1 tell 10.255.254.254
18.783380 802.1Q vlan#210 P0
18.783396 802.1Q vlan#210 P0
19.779229 arp who-has 10.255.254.1 tell 10.255.254.254
20.779227 arp who-has 10.255.254.1 tell 10.255.254.254
20.779295 arp who-has 10.255.254.1 tell 10.255.254.254
20.941989 802.1Q vlan#210 P7
21.779223 arp who-has 10.255.254.1 tell 10.255.254.254
22.779229 arp who-has 10.255.254.1 tell 10.255.254.254
22.779309 arp who-has 10.255.254.1 tell 10.255.254.254
22.781731 802.1Q vlan#210 P0
22.781805 802.1Q vlan#210 P0
23.434774 802.1Q vlan#210 P7
23.779222 arp who-has 10.255.254.1 tell 10.255.254.254
24.779227 arp who-has 10.255.254.1 tell 10.255.254.254
24.779293 arp who-has 10.255.254.1 tell 10.255.254.254
25.789227 arp who-has 10.255.254.1 tell 10.255.254.254
25.939280 802.1Q vlan#210 P7
26.796537 802.1Q vlan#210 P0
26.799224 arp who-has 10.255.254.1 tell 10.255.254.254
26.799294 arp who-has 10.255.254.1 tell 10.255.254.254
So your FGT is trying to get MAC address of 10.255.254.1 by sending ARP request "who-has 10.255.254.1...." but never get response back from the host. There must be disconnection on the switch side.
Meanwhile the VLAN 210 traffic is tagged and passing through this port4.
You need to check the switch side and need to get support from the switch provider if you can't figure out why the native VLAN 4000 doesn't connect to access ports of the VLAN and/or the other trunk port that has the tagged VLAN attached.
The FGT is acting as expected.
Toshi
This part is beyond this forum/community, but looks like your switch is one of HPE/Aruba's (Compare). It might need the VLAN 4000 in permit vlan list when you make it as a native vlan according to this conversation in HPE community.
https://community.hpe.com/t5/comware-based/config-native-vlan-on-4500/td-p/2318055
Toshi
@Toshi_Esumi - Thank you for your help and going beyond the Fortigate to help with the resolution. Making VLAN 4000 the Native VLAN (PVID) on the new trunk port and adding "port trunk permit vlan 4000" solved the problem.
I appreciate you and your help and thank you again!!
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1660 | |
1073 | |
752 | |
443 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.