
Re: change IP route from fortigate to new ISP

 
Occasional Contributor

change IP route from fortigate to new ISP

We are moving to a new ISP and plan to decom our fortigate.

On Hp core switch, we have vlans setup

vlan 1 default vlan     10.84.128.1   255.255.248.0

vlan 10 internet           10.110.213.18    255.255.25.248.0   ----I need to change this to 10.84.128.4 (new firewall)

vlan 20 server switch  

vlan 30 wireless domain

vlan 40 wireless guest

 

When I add a new static ip route 0.0.0.0/0 10.84.128.4 it is added to vlan 1,

I need this to be on vlan 10, the firewall port is A24 and is in vlan 1 (no untagged)

Any help will be appreciated

 

HPE Pro

Re: change IP route from fortigate to new ISP

Hi,

Can you explain the issue in detail? Are you changing VLAN 10 IP to VLAN 1?

Thanks!

I am an HPE Employee

HPE Pro

Re: change IP route from fortigate to new ISP

Hi @adeplast !

First you need to change the VLAN 10 IP - it must be in the same subnet as your firewall, only then will the outgoing interface of the static route be VLAN 10. Right now your firewall 10.84.128.4 is in the range of the VLAN 1 subnet, therefore the outgoing interface of the static route is VLAN 1.

 

 

I am an HPE employee

Occasional Contributor

Re: change IP route from fortigate to new ISP

No, I assigned  Vlan 10 a different IP of 10.84.128.5 255.255.255.248

Vlan 1 is 10.84.128.1 255.255.248.0

Occasional Contributor

Re: change IP route from fortigate to new ISP

I assigned  Vlan 10 a different IP of 10.84.128.5 255.255.255.248 but still no joy.

static was still in Vlan 1 so had to revert back

HPE Pro

Re: change IP route from fortigate to new ISP

I understand it, but here is the thing - if you want VLAN 10 to face your firewall (e.g. VLAN 10 to be outgoing L3 interface for your static route) it MUST be in 110.84.128.0 255.255.248.0 subnet. I already explained it in my previous message - if your static route uses as next-hop 10.84.128.4 address, the outgoing L3 interface will be the L3 interface in the same subnet. Adjacent L3 devices (Firewall and routing switch) should be connected by interfaces from the same IP subnet, this is the rule you cannot override, this is from "Networking 101" course.

 

I am an HPE employee

Occasional Contributor

Re: change IP route from fortigate to new ISP

@Ivan_B many thanks.

Just to be clear, is this a typo (110.84.128.0)?

(I understand it, but here is the thing - if you want VLAN 10 to face your firewall (e.g. VLAN 10 to be outgoing L3 interface for your static route) it MUST be in 110.84.128.0 255.255.248.0 subnet)

HP-Core-Switch(config)# vlan 10

HP-Core-Switch(vlan-10)#    name "internet"

HP-Core-Switch(vlan-10)#    untagged A13,A24

HP-Core-Switch(vlan-10)#    tagged B7,C1,C10,Trk1-Trk6

HP-Core-Switch(vlan-10)#    ip address 10.110.213.18 255.255.255.248   -----ip address 10.84.128.4 255.255.248 should fix it?

The IP address (or subnet) 10.110.213.18/29 already exists.

HP-Core-Switch(vlan-10)#    exit

 
HPE Pro

Re: change IP route from fortigate to new ISP

If your firewall is 10.84.128.4 and IF subnet on the firewall is set to 255.255.255.248, then you can assign any IP to VLAN 10 interface from the range 10.84.128.1 - 10.84.128.6 except 10.84.128.4

"The IP address (or subnet) 10.110.213.18/29 already exists." means that you have another VLAN with this subnet assigned. That won't work: in one routing table you can have only one L3 interface with a particular subnet. You need to rework your IP subnetting scheme if you really need to connect VLAN 10 to the firewall. Either change the subnet on the firewall or align your IP configuration on the switch according to the firewall's settings.

 

 

I am an HPE employee

Frequent Visitor
Solution

Re: change IP route from fortigate to new ISP

vlan 1 default vlan  10.84.128.1   255.255.248.0

Network: 10.84.128.0/21

First available host address: 10.84.128.1

Last available host: 10.84.135.254

Broadcast address: 10.84.135.255

Next network: 10.84.136.0/21

 

vlan 10 internet           10.110.213.18    255.255.25.248.0   ----I need to change this to 10.84.128.4 (new firewall)

network: 10.110.208.0/21

First available host address: 10.84.208.1

Last available host: 10.84.215.254

Broadcast address: 10.84.215.255

Next network: 10.84.216.0/21

 

If you add an IP of any host range in those networks it will be part of that "vlan" network.
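
Added example (not written by anyone in this thread): a Python sketch of the rule the replies describe, run over the VLAN 1 and VLAN 10 addresses quoted above. The function names are illustrative, and treating any overlap between two interface subnets as a conflict is an assumption of this sketch, not documented switch behaviour.

```python
import ipaddress

# Constructed from the addresses quoted in the thread (VLAN 1 and VLAN 10 as first posted).
INTERFACES = {
    "vlan1": ipaddress.ip_interface("10.84.128.1/255.255.248.0"),
    "vlan10": ipaddress.ip_interface("10.110.213.18/255.255.255.248"),
}

def egress_interface(next_hop, interfaces):
    """Name of the L3 interface whose connected subnet contains next_hop."""
    hop = ipaddress.ip_address(next_hop)
    matches = [(iface.network.prefixlen, name)
               for name, iface in interfaces.items() if hop in iface.network]
    # Most specific connected subnet wins; None means no interface reaches the hop.
    return max(matches)[1] if matches else None

def conflicts(candidate, interfaces, skip=None):
    """Interfaces whose subnet overlaps the candidate address/mask (assumed conflict)."""
    cand = ipaddress.ip_interface(candidate)
    return sorted(name for name, iface in interfaces.items()
                  if name != skip and cand.network.overlaps(iface.network))

def usable_hosts(candidate):
    """First and last usable host address of the candidate's subnet."""
    net = ipaddress.ip_interface(candidate).network
    return str(net[1]), str(net[-2])

if __name__ == "__main__":
    firewall = "10.84.128.4"
    # The default route's next hop sits inside VLAN 1's /21, so VLAN 1 is the egress.
    print("next hop", firewall, "->", egress_interface(firewall, INTERFACES))
    # Pre-check the address tried for VLAN 10 before typing it on the switch.
    proposed = "10.84.128.5/255.255.255.248"
    print("proposed", proposed, "hosts", usable_hosts(proposed),
          "overlaps", conflicts(proposed, INTERFACES, skip="vlan10"))
```
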

Occasional Contributor

Re: change IP route from fortigate to new ISP

Thanks

We ended up replicating the old firewall to the new one. The ISP did all the work.