Support Forum
yonibar81
New Contributor

I can't connect HP vlan to Fortigate

Hello

I have a FortiGate 80C and an HP switch 1910.

My network (internal1) is working with 172.26.30.254/255.255.255.0.

Now I created VLAN 100 on the HP switch with interface 172.26.0.1/255.255.0.0.

How can I connect VLAN 100 to my FortiGate?
1 Solution
MikePruett
Valued Contributor

You need to select that port that you have connected to the switch (under network interfaces) then click "new" and go to vlan.

The Gate won't listen to a vlan using just the port being connected unless it is the default vlan of the switch. Since 100 isn't, you need to have a vlan100 configured on the physical interface of the Gate as well (which means you will get a drop down on internal1 for vlan100).


Mike Pruett Fortinet GURU | Fortinet Training Videos
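The FortiGate side of Mike's answer written out as FortiOS CLI (5.x syntax as found on an 80C). This is an added example, not configuration from the thread: the interface name "vlan100", the policy comment and the address 172.26.100.254/24 are assumptions. The switch's 172.26.0.1/255.255.0.0 contains the existing 172.26.30.0/24 on internal1, so a FortiGate cannot route between those two as posted; the example assumes VLAN 100 is given its own non-overlapping /24. The `#` lines are comments.

```text
# FortiOS CLI (added example; "vlan100", the comment text and 172.26.100.0/24 are assumptions)
# internal1 keeps the untagged 172.26.30.254/24 network; vlan100 is a tagged sub-interface on it.
# On the HP 1910 the port facing internal1 must carry VLAN 100 tagged and the default VLAN untagged
# (switch-side commands not shown here).
config system interface
    edit "vlan100"
        set vdom "root"
        set type vlan
        set interface "internal1"
        set vlanid 100
        set ip 172.26.100.254 255.255.255.0
        set allowaccess ping
    next
end

# A VLAN sub-interface is a separate interface to the firewall: traffic between
# vlan100 and internal1 (or anything else) is dropped until a policy permits it.
# Keep the policy as narrow as the hosts need and log it so the new segment is visible.
config firewall policy
    edit 0
        set srcintf "vlan100"
        set dstintf "internal1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set comments "vlan100 to internal1 (assumed example policy)"
    next
end
```

After applying this, the VLAN appears under internal1 in the GUI interface list exactly as Mike describes; a client on VLAN 100 should be able to reach 172.26.100.254 before any policy is needed, and only then hosts on internal1.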
24 Replies
dennisv
New Contributor III

The options you have for setting a port to untagged/tagged are determined by the switch model. HPE currently has several switch models and OSes (Comware, ProVision/Aruba, Aruba CX and some others) that all vary in these possibilities.

On all (HPe) managed switches you will need to set a port in a vlan, either tagged or untagged or combined.

There is indeed no such thing as to remove the vlan entirely from a switch port as vlan tagging will always be used inside the switch and it needs to know which vlan that is.

But that doesn't matter for the clients. They get tagged or untagged frame based on the switch port setting.

Some vendors will place ports that do not specify a vlan into the default vlan, which usually is vlan 1, but some can be altered.

As mentioned, PVID does nothing with tagged frames (not packets); only untagged frames are affected by PVID.

The PVID sets the vlanid (or VID if you like).

Tagged frames keep their vlanid as long as they are not inter-vlan routed or rewritten.

If there is an option for a PVID, the untagged frame will get the vlanid set in the PVID.

If there is no option for a PVID the untagged frame will get the vlanid set in the untagged vlan.

The HP switch might not have the PVID option, thus the vlanid of the incoming frames will be set to the same vlan as specified as the untagged vlan on that switch port.

So yes, on ingress the HP switch will keep the vlanid when the frame is tagged and set the vlanid if the frame is untagged.

In general a switch port can and will have 1 untagged vlan only and the rest is tagged.

Some vendors can set multiple untagged vlans on the same port, which can be referred to as vlan header stripping.

Usually for monitoring/tapping purpose, but that's out of the scope here.

Consultant @ Exclusive Networks BV

Datacenter Networking and Security

NSE4 6.0

Fortinet, HPe/Aruba, Arista, Juniper and many more

sw2090
Honored Contributor

I have to correct myself: FGTs only know tagged. They will not touch the VID in a packet and they will only accept packets with the right VID on a vlan interface.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

dennisv
New Contributor III

Natively the interfaces on a Fortigate are untagged. Once you create sub/vlan interfaces these need a vlanid, which is the vlan tag that will be accepted and sent out.

Actually you are always creating combined/hybrid ports as you can not remove the native interface.

If you have no use for the native interface (aka untagged) you can set it to static ip 0.0.0.0/0.0.0.0 (ipv6 ::0) and disable all management. Avoid setting it to dhcp/pppoe to keep logs clean.

Do not disable the native interface itself as this will shut down the actual port.

Consultant @ Exclusive Networks BV

Datacenter Networking and Security

NSE4 6.0

Fortinet, HPe/Aruba, Arista, Juniper and many more
azwanarif

sw2090 wrote:

I have to correct myself: FGTs only know tagged. They will not touch the VID in a packet and they will only accept packets with the right VID on a vlan interface.

Thanks everyone for the info sharing,

Below is the current working HP Procurve configuration, which requires the ethernet port to be set as tagged for the client vlan connected to the HP switch in order to reach the gateway and the other vlans, besides the trunk port (Trk1) on 23-24.

I have tried with an untagged port configuration; the client is unreachable either from the FortiGate or from the other vlans.

rwpatterson
Valued Contributor III

VLANs 10 and 102 need to be defined on the uplink port to the HP from the Fortigate. VLAN 1 is native so nothing needs to be done on the Fortigate. Additionally, policies need to be put in place since you have now created virtual interfaces. Any traffic passing between interfaces on a Fortigate needs a policy for traffic to be allowed.

I'm not HP lingual. What VLANs are allowed on the trunk ports?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
dennisv
New Contributor III

@azwanarif

This seems an odd configuration.

Usually clients are connected to untagged ports unless they are made vlan aware.

For example with iDRAC, if you specify inside iDRAC that it should use vlan X, its traffic will become tagged.

Connection between switches and/or the fortigate can be tagged.

In your example a combination/hybrid is used for this.

Can you answer these questions:

What is the client vlan?

On which port do you have the fortigate connected?

Can you share the system interfaces section of the fortigate?

(You can remove the IP addresses if needed for privacy)

@rwpatterson

A Trunk in HP is an Etherchannel in Cisco, so it is just the binding of the interfaces.

Unlike a trunk in Cisco where all vlans are allowed unless pruned, with HP you specifically allow vlans on the trunk.

In fortigate vlan 1 is not native, vlan 0 actually is. But vlan 0 is only used for untagged interfaces.

vlan 0 cannot be used for vlan interfaces.

In HP vlan 1 is default, not per se native, as you can change the native vlan.

Consultant @ Exclusive Networks BV

Datacenter Networking and Security

NSE4 6.0

Fortinet, HPe/Aruba, Arista, Juniper and many more

rwpatterson
Valued Contributor III

Not disputing what a trunk is, only trying to see where the VLANs are defined on ports 23 and 24. They aren't explicitly shown in the above configuration.

...or is trk1 the sum of all VLANs that have 'trk1' in them?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
azwanarif

Hi @dennisv

The HP switch is connected directly to Fortigate port 1 (hardware switch), using a Zone to combine all VLANs with "Block intra-zone traffic" disabled to reduce the number of policies between VLANs.

VLAN 1 is connected to physical port 1 using IP 10.101.1.254 as gateway; the client (iDRAC) is not configured with any VLAN, only an IP and gateway from the VLAN 10 subnet.

Hi @rwpatterson

Both ports 23-24 are bound to trunk group "Trk1" and tagged to VLANs 10 & 102.

Current FGT Config:

dennisv
New Contributor III

@rwpatterson

In HP Provision (Procurve/Aruba) you don't have to specify the vlans on the ports themselves, only on the combined Trk interface.

@azwanarif

I think I know how you setup the Fortigate to the Switch, but I don't know enough to verify.

((

  My thoughts :

  I think you are using 2 cables to connect the Fortigate to the HP switch.

  Port 1 of the Fortigate is connected to Port 21 (or 22) on the HP switch

     This is the untagged network 10.101.1.x/24

  Port 2 of the Fortigate is connected to Port 1 (or 2,3,4..18) on the HP switch

     This is the tagged VLAN10 network 10.101.10.x/24

  There are no other cables connected from the Fortigate to the HP switch

  I hope you do not use Trk1 to connect to the Fortigate port 1 and 2 , this will cause problems.

  The clients are configured to use vlan10 and should be connected to port 1-18 on the HP switch

))

Can you please tell me how the Fortigate is physically connected to the HP Switch ?

Please use : Fortigate port X = HP switch port Y

Thank you :)

Consultant @ Exclusive Networks BV

Datacenter Networking and Security

NSE4 6.0

Fortinet, HPe/Aruba, Arista, Juniper and many more

rwpatterson
Valued Contributor III

Agreed, if you are not aggregating ports 1 & 2 on the Fortigate, then port 2 being connected will cause issues.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
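The switch side of what dennisv explains above (a port has exactly one untagged vlan and is tagged for the rest; on ProVision the vlans are allowed on the Trk interface, not on its member ports) together with the point he and Bob both make about not using Trk1 toward a single FortiGate port, written as HP ProCurve/ProVision CLI. This is an added example and not azwanarif's configuration, which is not reproduced on the page: the cabling (FortiGate port1 to switch port 21 over one cable, Trk1 on ports 23-24 going to a second switch), the port ranges, the vlan names and the 10.101.10.x/24 address are assumptions taken from dennisv's guessed topology. The `;` lines are comments.

```text
; HP ProCurve / ProVision CLI (added example; ports, vlan names and cabling are assumptions)
; Assumed cabling: FortiGate port1 <-> switch port 21, one cable, no aggregation.
;                  Trk1 = ports 23-24, toward a second switch, NOT toward the FortiGate:
;                  a static/LACP trunk facing a non-aggregated FortiGate port breaks traffic.
trunk 23-24 trk1 trunk

vlan 1
   name "DEFAULT_VLAN"
   ; the only untagged vlan on port 21: the 10.101.1.x/24 network behind
   ; the FortiGate's native port1 address 10.101.1.254
   untagged 19-22
   ; client ports leave vlan 1 once they are untagged in vlan 10 below
   no untagged 1-18
   exit

vlan 10
   name "CLIENTS"
   ; untagged ingress from clients that carry no vlan themselves (e.g. the iDRAC)
   ; is stamped with VID 10, the ProVision equivalent of a PVID
   untagged 1-18
   ; tagged toward the FortiGate and across the inter-switch trunk;
   ; on ProVision the vlans go on Trk1 itself, never on ports 23 or 24
   tagged 21
   tagged Trk1
   exit

vlan 102
   name "VLAN102"
   tagged 21
   tagged Trk1
   exit

; Matching FortiGate side: port1 keeps 10.101.1.254/24 untagged (as posted), plus two vlan
; sub-interfaces on port1 with vlanid 10 (10.101.10.x/24, assumed) and vlanid 102, and either
; a firewall policy per interface pair or one zone containing all three.
```

With this layout the FortiGate sees VID 10 and VID 102 only as tags on port1 and ignores anything else, which is exactly sw2090's "FGT only know tagged" observation; a client plugged into ports 1-18 needs no vlan setting of its own, since the switch stamps VID 10 on its untagged frames at ingress.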
