Static route using discontinuous subnet mask

Dopin · ‎05-07-2015

Hi

Does anyone knows if FortiOS support discontinuous subnet mask like 10.0.128.0/255.0.255.0? Our networking team make use of discontinuous mask since our Cisco switch support it but I can't find any information about the FortiOS documentation.

Thanks

Dominic

emnoc · ‎05-07-2015

10.0.128.0/255.0.255.0

The above would be a invalid mask in cisco IOS. Can you care to explain what your talking about? Is this maybe a confusion with ACL mask/wildcards. I think your confusing ACLs and routes.

PCNSE

NSE

StrongSwan

View solution in original post

emnoc · ‎05-07-2015

10.0.128.0/255.0.255.0

The above would be a invalid mask in cisco IOS. Can you care to explain what your talking about? Is this maybe a confusion with ACL mask/wildcards. I think your confusing ACLs and routes.

PCNSE

NSE

StrongSwan

Dopin · ‎05-11-2015

You're right. My networking guy confused me about using discoutinuous mask. He was talking about ACL and not route. So here is exactly why I was asking that question at first. We have multiple distribution and each of them is using /16 subnet (ex, Dist A = 10.1.0.0/16 Dist B = 10.2.0.0/16). They are part of the default routing instance in cisco switch wich is connected to the inside interface of our Fortigate. Each of those distribution have a reserved subnet for servers (ex, Dist A = 10.1.240.0/20 Dist B = 10.2.240.0/20) which is part of a distinct routing instance (VRF2) in our cisco switch which is connected to the server interface of our Fortigate. Is there a way to create a single static route to point all those subnet to the server interface? That's why I talked about using discontinuous mask.

Dominic

emnoc · ‎05-11-2015

Okay I don't quite understand, the /20s you listed are included in DIST-A and DISt-B, if they are not reachable via the same gateway just place the most specific entry/next-hop for these server instance.

If you could draft a topology map, please do so. Keep one thought in mind tho;

"you can't over-lap interfaces addresses in the same VDOM"

E.g

config sys int

edit port 1

set ip 10.1.0.1/16

set vdom root

next

edit port 2

set ip 10.1.11.1/30

set vdom root

end

PCNSE

NSE

StrongSwan

Dopin · ‎05-11-2015

Dopin · ‎05-11-2015

Here is my topologie

Thank's for your help

Dominic

emnoc · ‎05-11-2015

I don't what your question is now. Your network topology looks ...well great.

You can't really summarize the /18s and larger. In your case the 10.0.0.0/14 would catch all on the left side and then your server distribution & with the 3x /20s is all that you need. You can't install a variable mask for these networks if that was your original question.

Ideally, I would have done some thing like install the server-farm networks in let's say a 10.4.0.0/16 & skip the discontiguous setup that you have all together. It's like you have to go to a ARIN or equal to justify the utilizations ;) > Just something to think about.

But like I said earlier. It (network) looks great and simple.

PCNSE

NSE

StrongSwan

Static route using discontinuous subnet mask

Nominate a Forum Post for Knowledge Article Creation