06-20-2017 06:07 AM
HP Switch L3 - connected to fortigate 100D
Hello everyone,
I'm setting up my network with different VLANs. All VLANs are routed on a separate L3 switch at the core level, but VLAN 131 is routed on my firewall (Fortigate 100D).
I can ping my switch core from the fortigate but I can't ping my fortigate (VLAN 131 IP) from my switch.
They are connected like this:
Fortigate (VLAN interface on the physical interface) ------------- (interface untagged VLAN 1, tagged VLAN 131) HP Switch
and this is my configuration from HP switch:
; J9726A Configuration Editor;
; Ver #06:0c.18.f3.ff.35.0d:26
hostname "HOTOR01-L3"
module 1 type j9726a
trunk 17-18 trk4 trunk
ip route 0.0.0.0 0.0.0.0 192.168.3.5
ip route 192.168.131.0 255.255.255.240 192.168.131.5
ip routing
interface 3
name "Vers_Fortigate100D_192.168.3.5"
exit
vlan 1
no untagged 1
untagged 2-16,A1-A2,B1-B2,Trk1-Trk4
ip address 192.168.3.25 255.255.255.0
exit
vlan 131
tagged 3,Trk4
ip address 192.168.131.10 255.255.255.240
exit
spanning-tree Trk1 priority 4
spanning-tree Trk2 priority 4
spanning-tree Trk3 priority 4
spanning-tree Trk4 priority 4
Thanks in advance! :)
06-20-2017 05:01 PM
Re: HP Switch L3 - connected to fortigate 100D
Your routing is confused - your HP already has an interface in the 192.168.128.0/20 subnet, so why do you have a routing statement? Also, your routing statement doesn't make sense - there's no such thing as 192.168.131.0/20.
Maybe go back to the drawing board and try to explain what you are trying to achieve?
Start with:
- why you want to trunk 2 VLANs to your firewall
- what your hosts on VLAN1 are using as their default gateway address
- what your hosts on VLAN131 are using as their default GW address
- what IP addressing and routing is configured on the FW
- why the default route on the HP is pointing at the FW VLAN1 IP address (if that's what 192.168.3.5 is)
06-21-2017 05:52 AM
Re: HP Switch L3 - connected to fortigate 100D
Firstly, thanks for your reply,
Sorry for the misconfiguration before; I tried to change the IPs (the IPs and VLANs in the script shown are not the real ones) and I think I made the mistakes doing that.
The thing is that I'm trying to segment my network. There's a VLAN (131) that I need to isolate. Devices on it can only communicate with a server in another network (that's a policy in my firewall), so I decided to use the Fortigate VLAN interface as the default gateway.
In the current configuration, the HP switch does all the routing (it's the default gateway for all VLANs except VLAN 131) for all the other VLANs in my network and goes to the Fortigate for internet traffic. So I need a trunk between them to get my VLAN 131 to the firewall.
Here is my HP configuration:
!Internet route (to the fortigate)
ip route 0.0.0.0 0.0.0.0 192.168.31.5
interface 3
name "Vers_Fortigate192.168.31.5"
exit
vlan 1
no untagged 1
untagged 2-16,A1-A2,B1-B2,Trk1-Trk4
ip address 192.168.31.254 255.255.255.0
exit
vlan 131
name VLAN_T
tagged 3,Trk4
ip address 192.168.131.14 255.255.255.240
exit
Since I have interface 1 on my firewall (the interface connected to the HP switch) configured as 802.1q, if I ping the IP in VLAN 131 it should answer (but it doesn't). On the other hand, if I configure the IP on the HP I can ping it from the Fortigate, but not from the HP.
Here is my sh ip route:
Destination Gateway VLAN Type Sub-Type Metric Dist.
------------------ --------------- ---- --------- ---------- ---------- -----
0.0.0.0/0 192.168.31.5 1 static 1 1
192.168.131.0/28 VLAN_T 131 connected 1 0
Here is my firewall configuration for the interface and routing table:
config system interface
edit "lan"
set vdom "root"
set ip 192.168.31.5 255.255.255.0
set allowaccess ping https http fgfm capwap
set type hard-switch
set device-identification enable
set fortiheartbeat enable
set snmp-index 11
edit "Vlan_131"
set vdom "root"
set ip 192.168.131.5 255.255.255.240
set allowaccess ping https ssh snmp fgfm capwap
set role lan
set snmp-index 16
set interface "lan"
set vlanid 131
next
config system virtual-switch
edit "lan"
set physical-switch "sw0"
config port
edit "port1"
next
edit "port2"
next
edit "port3"
next
edit "port4"
next
edit "port5"
next
edit "port6"
next
edit "port7"
next
edit "port8"
next
edit "port9"
next
edit "port10"
next
edit "port11"
next
edit "port12"
next
edit "port13"
next
edit "port14"
next
edit "port15"
next
end
next
end
Thanks in advance
06-21-2017 04:47 PM
Re: HP Switch L3 - connected to fortigate 100D
OK, that makes sense, you have added a VLAN but it is effectively in a different zone because you want the FW to control inter-VLAN routing between the rest of your network and the new VLAN.
That being the case, you need to remove the VLAN131 interface IP address from the HP switch - if it's not doing the routing for VLAN131 then it shouldn't have an IP address.
- a ping from a VLAN1 host to a VLAN131 host is going to be routed to VLAN131 by the HP. The reply will go to the FW. The FW should be pretty unhappy with obvious asymmetric routing.
- a ping from a VLAN131 host to a VLAN1 host will go to the FW, but the reply will be routed directly by the HP. Again, asymmetrical and not good.
I'm assuming your devices on VLAN131 are therefore using 192.168.131.5 as their default gateway, of course...
On the HP end you appear to have VLAN131 trunked to the firewall OK.
I can't see anything in the FW config you provided that indicates you have VLAN131 trunked to the HP.
I would say you need to check two things:
- are your VLAN131 hosts actually on VLAN131? I see you have VLAN131 applied to only two places: tagged on the trunk to the FW, and tagged on an aggregated link called Trk4.
- Is your FW correctly configured to tag frames on the interface that is patched to the HP?
You don't specify what it is that you are pinging from.
One test is to have an IP address (temporarily) on your HP VLAN131 interface and make sure a host in VLAN131 can ping that IP address. If that ping is not successful then you need to investigate what is the other end of Trk4.
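As an added illustration (not code from the thread or from either vendor), the following Python models the two routing tables from the posted configs and "sh ip route" and traces the ping and reply paths described in the last reply. It assumes a VLAN1 host 192.168.31.100 using the HP (192.168.31.254) as its gateway and a VLAN131 host 192.168.131.7 using the Fortigate (192.168.131.5); it shows that while the HP keeps its VLAN131 address the firewall sees only the reply direction, and that removing that address puts the firewall on both paths.

```python
import ipaddress

# Constructed model of the thread's topology. Router addresses and routes come
# from the posted HP and Fortigate configs; the two host addresses and the
# VLAN1 host's gateway are assumptions made for this example.
def router(name, interfaces, routes):
    """interfaces: the router's own IPs; routes: (prefix, next_hop), None = connected."""
    return {"name": name, "ifaces": set(interfaces),
            "routes": [(ipaddress.ip_network(p), nh) for p, nh in routes]}

def lookup(rtr, dst):
    """Longest-prefix match. Returns (network, next_hop) or None; next_hop None = connected."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, nh in rtr["routes"]:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best

def trace(routers, first_hop, dst, max_hops=4):
    """Names of the routers a packet traverses, starting at the sending host's gateway."""
    by_ip = {ip: r for r in routers for ip in r["ifaces"]}
    path, hop = [], first_hop
    while hop in by_ip and len(path) < max_hops:
        rtr = by_ip[hop]
        path.append(rtr["name"])
        match = lookup(rtr, dst)
        if match is None or match[1] is None:   # no route, or delivered on a connected VLAN
            return path
        hop = match[1]
    return path + ["?"]                         # next hop is not a router we model

def firewall_sees_both_directions(routers):
    """Stateful inspection only works if the FW is on the forward AND the reply path."""
    fwd = trace(routers, "192.168.31.254", "192.168.131.7")   # VLAN1 host -> VLAN131 host
    rev = trace(routers, "192.168.131.5", "192.168.31.100")   # VLAN131 host -> VLAN1 host
    return "FW" in fwd and "FW" in rev, fwd, rev

FW = router("FW", ["192.168.31.5", "192.168.131.5"],
            [("192.168.31.0/24", None), ("192.168.131.0/28", None)])
HP_WITH_SVI = router("HP", ["192.168.31.254", "192.168.131.14"],     # as posted
                     [("0.0.0.0/0", "192.168.31.5"), ("192.168.31.0/24", None),
                      ("192.168.131.0/28", None)])
HP_NO_SVI = router("HP", ["192.168.31.254"],                          # VLAN131 IP removed
                   [("0.0.0.0/0", "192.168.31.5"), ("192.168.31.0/24", None)])

if __name__ == "__main__":
    for label, hp in (("with VLAN131 SVI", HP_WITH_SVI), ("without VLAN131 SVI", HP_NO_SVI)):
        ok, fwd, rev = firewall_sees_both_directions([hp, FW])
        print(f"{label}: forward {fwd}, reply {rev}, firewall sees both: {ok}")
```

With the SVI present the forward path is just the HP (its connected 192.168.131.0/28 route wins), so the Fortigate sees a reply with no matching session; without it the forward path becomes HP then FW.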