Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
tbar1704
New Contributor II

Created on ‎10-16-2023 08:40 AM Edited on ‎02-26-2024 06:48 AM By Community Manager

InterVlan Routing - Not all VLAN Interfaces are on the Fortigate

I created my first VLAN Interface on the Fortigate, under the LAN port that goes to our core switch. The LAN port to the HP Switch is a Trunk port and the new VLAN is permitted on the trunk port.

 

For now all the other VLAN interfaces are on the Layer 3 Core Switch

 

I cant ping the new VLAN's interface from the Core switch directly or by one of the resources I have on the new VLAN connected to the Core switch

Labels:
2287
0 Kudos
1 Solution
Toshi_Esumi
SuperUser
SuperUser
In response to tbar1704

Created on ‎10-17-2023 10:42 AM Edited on ‎10-17-2023 10:43 AM

You should ask the HPE community why it's not working.

Creating a L3 interface wouldn't change the fact L2 is not passing through. Also it would break your design to set the FGT as a GW for VLAN 210. Because now the core switch knows the IPs in VLAN 210 exist within the switch. If other subnets/VLANs send packet toward VLAN 210, it's not going to bother sending them to the FGT but just directly sends to the destination devices.

 

Toshi

View solution in original post

1986
23 REPLIES 23
ebilcari
Staff
Staff

Created on ‎10-16-2023 08:47 AM

If the point to point interfaces can ping each other, make sure to include routes (static or a routing protocol) on both FGT and the L3 Switch for the respective subnets.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
989
tbar1704
New Contributor II
In response to ebilcari

Created on ‎10-16-2023 08:55 AM

I have a static route on the Layer 3 Core switch that looks like:

  ip route-static 0.0.0.0 0.0.0.0 10.255.254.254

 

where 10.255.254.254 is the IP for the LAN interface on the FG

985
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to tbar1704

Created on ‎10-16-2023 09:00 AM Edited on ‎10-16-2023 09:07 AM

Does the L3 switch have the same VLAN with an IP like 10.255.254.253 configured? Otherwise it wouldn't route.

 

Toshi

981
tbar1704
New Contributor II
In response to Toshi_Esumi

Created on ‎10-16-2023 09:57 AM

The L3 switch does have a VLAN Interface configured for the 10.255.254.0 subnet (10.255.254.1). The L3 switch does not have a VLAN Interface configured for the new VLAN but it does have a VLAN Interface.

952
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to tbar1704

Created on ‎10-16-2023 10:05 AM Edited on ‎10-16-2023 10:10 AM

So you're saying the 10.255.254.0/24 is non-tagged interface on both sides (or native vlan on the SW).

I would sniff on the interface if any packets come in or go out when you sends packet from either side. I'm assuming you have a pair of policies between the non-tagged interface and the new VLAN subinterface on the FGT. Otherwise nothing would go accross between two interface(subinterface)s.

 

  • parent (non-tagged) interface -> VLAN subinterface
  • VLAN subinterface -> parent (non-tagged) interface

 

 

Toshi

947
tbar1704
New Contributor II
In response to Toshi_Esumi

Created on ‎10-16-2023 10:31 AM

10.255.254.0 is the Native VLAN on the switch port

 

I added theses rules

Name                                 From           To                Source   Dest   Service
VLAN 210 - Out to LAN     VLAN 210   LAN             All           All      All
VLAN 210 - In from LAN   LAN             VLAN 210   All            All      All

 

I can now ping the new VLAN Interface from the Core switch (10.1.210.1) but I'm unable to ping resources on the VLAN from the Core switch or the Firewall

 

Do I need a VLAN Interface on the Core switch too?

939
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to tbar1704

Created on ‎10-16-2023 10:36 AM

Where is the "resources" connected to? Directly to the FGT? You said that VLAN doesn't exist on the core switch, right?

937
tbar1704
New Contributor II
In response to Toshi_Esumi

Created on ‎10-16-2023 10:40 AM

The resources are downstream off the core switch on the new VLAN. The resources are on different distribution switches connected to the core switch and are all able to see each other. So the VLAN exists on the Core switch

 

I have no VLAN Interface for the new VLAN on the Core switch

935
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to tbar1704

Created on ‎10-16-2023 10:47 AM

it's confusing me. You said you could ping from the core SW(10.1.210.1). Isn't it on the VLAN 210, and its the L3 interface?

931
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.