Support Forum
yonibar81
New Contributor

I can't connect HP vlan to Fortigate

Hello

I have a FortiGate 80C and an HP 1910 switch.

My network (internal1) is working with 172.26.30.254/255.255.255.0.

Now I have created VLAN 100 on the HP switch with interface 172.26.0.1/255.255.0.0.

How can I connect VLAN 100 to my FortiGate?

1 Solution
MikePruett
Valued Contributor

You need to select the port that you have connected to the switch (under Network Interfaces), then click "New" and go to VLAN.

The Gate won't listen to a VLAN using just the port it is connected on unless it is the default VLAN of the switch. Since 100 isn't, you need to have a VLAN 100 configured on the physical interface of the Gate as well (which means you will get a drop-down on internal1 for vlan100).


Mike Pruett Fortinet GURU | Fortinet Training Videos
ede_pfau
Esteemed Contributor III

Could you please explain why you define overlapping address ranges?

You won't be able to configure that on the FGT, and for good reasons.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
yonibar81

I created a VLAN on the HP switch and I want to connect it to the FW.

yonibar81
New Contributor

I did it, but I cannot ping the firewall 172.26.30.254.

See my rules in the attachment.

dennisv
New Contributor III

There are two ways of connecting the HP switch to the FortiGate with VLANs.

1) Put the switch port on VLAN 100 in untagged mode.

You do not need to configure a sub-interface on the FortiGate.

The IP address of the FortiGate should be in the same range as the IP address on VLAN 100.

(example: FortiGate 192.168.100.1/23, switch 192.168.100.2/24)

2) Put the switch port on VLAN 100 in tagged mode.

Create a sub-interface on the physical port to which you are connecting the switch.

Set the IP address in the same range as the IP address of the switch in VLAN 100.

(example: FortiGate 192.168.100.1/23, switch 192.168.100.2/24)

In both cases make sure the management access of the interface is set to ping.

This will allow ping to the Fortigate without any additional policy.

Consultant @ Exclusive Networks BV

Datacenter Networking and Security

NSE4 6.0

Fortinet, HPe/Aruba, Arista, Juniper and many more

azwanarif

Hi All,

I know this is an old post; recently we deployed a FortiGate to a customer which is still using the same HP switch and encountered the same issue.

I have followed the steps and it works successfully. However, I would like to know why we need to tag the switch port in order to connect with the FortiGate, when for HP all end devices are required to use untagged ports? Thanks

sw2090
Honored Contributor

Unfortunately 1) is wrong, Dennisv!

Untagged on the switch means all packets will be tagged with VID 100 regardless of which VID they had originally.

Since the FortiGate only knows untagged VLANs you will still have to create a VLAN interface plus policies in this case on your FortiGate!

azwanarif: if you haven't connected the HP switch directly to the FortiGate, you will have to make sure that VID 100 gets past all switches/routers in between and reaches the FGT.

And unless you have policies you might only be able to ping the IP of the virtual VLAN interface.

We use HP switches and Dell switches here with FortiGates and several VLANs (tagged as well as untagged on the switch) and it works fine this way.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

dennisv
New Contributor III

"Untagged on the switch means all packets will be tagged with vid 100 regardless which vid they had originally."

Yes and No ....

When an untagged ethernet frame enters the switch, the PVID / Private VLAN ID set on the switch port determines the VLAN that the switch will place onto the ethernet frame inside the switch.

When an ethernet frame exits the switch, the mode set on the switch port determines whether the VLAN tag should be removed or not, aka (keep) tag or untag.

When placing the switch port in untag mode, the client device does not get a VLAN-tagged ethernet frame. (Else we would need all devices to understand VLAN tagging.)

Inside the switch ALL frames are tagged by either the PVID or the vlan tag itself.

Outside the switch is determined by the setting of the switch port.

Per switch port you usually have three options:

untagged only

tagged only

combined (hybrid / ....)

The PVID determines what the switch should do with incoming untagged frames, even if the port is set to tagged only.

Depending on the switch you might need to set the switch port to both VLAN X untagged and PVID X, i.e. the same value. Remember: PVID is in, untag is out. These are normally the same, else you would end up with some funky behaviour.

Usually when you specify a switch port to be untagged only, the PVID of that port automatically gets set to the same value, but you might want to check that, as these can differ!

For tagged only you do not specify the untagged VLAN, but you might/optionally need to specify a PVID anyway.

A common practice I use for tagged only ports is to set a PVID that is bogus (example 999) and not use that for any actual vlan. Any untagged ethernet frame entering this switch port will get a vlan tag 999 when entering the switch.

But if there are no ports with tag or untag vlan tag 999, this ethernet frame will never exit the switch and gets dropped.

You can combine one untagged vlan with multiple tagged vlans, which is often called a hybrid port.

For the tagged vlans you don't need to do anything special, just set them to tagged. This will make the switch port accept and send frames according to these vlans with the vlan tag intact when exiting the switch.

The untagged vlan you want to use on this combined port should be set to the same untagged and PVID as mentioned with the untagged only port.

For an untagged only connection between the fortigate and the switch you do not have to create vlan/sub interfaces on the fortigate. The fortigate is basically the same as any other client.

For a tagged only connection between the fortigate and the switch you will have to create vlan/sub interface on the fortigate with the correct vlan id. You can create multiple vlan/sub interfaces with different tagged vlan ids.

For a combined/hybrid connection between the FortiGate and the switch you can use both the native interface, with the switch port set to the proper PVID and untag VLAN, and VLAN/sub-interfaces for the different tagged VLAN ids.

I hope this has cleared things up :)

TLDR:

switch PVID determines tagging of untagged frames entering the switch.

switch PVID should normally be set to switch port vlan untag.

switch port vlan untag, frames exiting switch will have vlan tag removed, use native interface on fortigate

switch port vlan tag, frames exiting switch will have vlan tag, use vlan/sub interfaces on fortigate

switch port hybrid, mix these up

ktnxbye =)

Consultant @ Exclusive Networks BV

Datacenter Networking and Security

NSE4 6.0

Fortinet, HPe/Aruba, Arista, Juniper and many more

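The two connection options from dennisv's earlier reply and the PVID / untag / tag rules from this one, as an added Python model that is not from the forum, HP or Fortinet. It assumes a generic switch whose ports carry a PVID plus per-VLAN untagged/tagged membership; VLAN 100 and the bogus PVID 999 are taken from the thread, the frame payloads are constructed.

```python
# Constructed model of the 802.1Q port rules dennisv describes (not forum,
# HP or Fortinet code): each port has a PVID plus untagged/tagged membership.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Port:
    pvid: int                                        # VLAN for untagged ingress
    untagged: Set[int] = field(default_factory=set)  # egress with tag stripped
    tagged: Set[int] = field(default_factory=set)    # egress with tag kept


@dataclass
class Frame:
    vid: Optional[int]  # None: no 802.1Q tag on the wire
    payload: str


def forward(ports: Dict[str, Port], ingress: str, frame: Frame) -> Dict[str, Frame]:
    """Return {port: egress frame} for one frame entering port `ingress`."""
    # Inside the switch every frame carries a VLAN id; an untagged frame is
    # classified by the ingress port's PVID ("PVID is in").
    vid = ports[ingress].pvid if frame.vid is None else frame.vid
    out = {}
    for name, port in ports.items():
        if name == ingress:
            continue
        if vid in port.untagged:      # "untag is out": tag stripped on egress
            out[name] = Frame(None, frame.payload)
        elif vid in port.tagged:      # tag kept for a VLAN-aware peer
            out[name] = Frame(vid, frame.payload)
    return out                        # VLAN with no member port: dropped


def fortigate_receives(mode: str) -> Optional[Frame]:
    """Frame the FortiGate port sees when a VLAN 100 host sends one: option 1
    ("untagged") reaches the native interface; option 2 ("tagged", bogus PVID
    999) arrives tagged, so only a sub-interface with vlanid 100 can answer."""
    fgt = Port(100, untagged={100}) if mode == "untagged" else Port(999, tagged={100})
    ports = {"host": Port(100, untagged={100}), "fgt": fgt}
    return forward(ports, "host", Frame(None, "icmp echo")).get("fgt")


def stray_untagged_into_tagged_only() -> Dict[str, Frame]:
    """Bogus-PVID case: an untagged frame entering the tagged-only port."""
    ports = {"fgt": Port(999, tagged={100}), "host": Port(100, untagged={100})}
    return forward(ports, "fgt", Frame(None, "stray"))  # VLAN 999: no members
```

The untagged case delivers a plain frame to the FortiGate's physical interface, the tagged case delivers a VLAN 100 frame that only a vlan100 sub-interface on that port will process, and the stray frame classified into VLAN 999 leaves on no port at all.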
sw2090
Honored Contributor

Generally yes.

But we're talking about HP switches here. HP firmware requires you to have one (and only one) VLAN set to be untagged on every port. It does not allow any port without a VLAN.

HP firmware will keep the VID that comes with the packet on a port as long as the port is tagged in the VLAN. If not, it will rewrite the VID to the untagged one.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
