I can't connect HP vlan to Fortigate

Showing page 1 of 2
Author
yonibar81
Bronze Member
  • Total Posts : 21
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/12/01 10:15:57
  • Status: offline
2017/03/03 04:26:46 (permalink)
0

I can't connect HP vlan to Fortigate

Hello,
I have a Fortigate 80C and an HP switch 1910.
My network (internal 1) is working with 172.26.30.254/255.255.255.0.
Now I created VLAN 100 on the HP switch with interface 172.26.0.1/255.255.0.0.
How can I connect VLAN 100 to my Fortigate?

Attached Image(s)

#1
MikePruett
Platinum Member
  • Total Posts : 677
  • Scores: 17
  • Reward points: 0
  • Joined: 2014/01/08 19:39:40
  • Location: Montgomery, Al
  • Status: offline
Re: I can't connect HP vlan to Fortigate 2017/03/03 06:58:06 (permalink) ☼ Best Answer by yonibar81 2017/03/05 06:06:38
0
You need to select the port that you have connected to the switch (under Network > Interfaces), then click "New" and go to VLAN.
 
The Gate won't listen to a VLAN using just the port it is connected on unless it is the default VLAN of the switch. Since 100 isn't, you need to have a vlan100 configured on the physical interface of the Gate as well (which means you will get a drop-down on internal1 for vlan100).
post edited by MikePruett - 2017/03/03 06:59:09

Mike Pruett
Fortinet GURU
#2
ede_pfau
Expert Member
  • Total Posts : 6023
  • Scores: 480
  • Reward points: 0
  • Joined: 2004/03/09 01:20:18
  • Location: Heidelberg, Germany
  • Status: online
Re: I can't connect HP vlan to Fortigate 2017/03/03 07:50:36 (permalink)
0
Could you please explain why you define overlapping address ranges?
You won't be able to configure that on the FGT, and for good reasons.

Ede

" Kernel panic: Aiee, killing interrupt handler!"
#3
yonibar81
Bronze Member
  • Total Posts : 21
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/12/01 10:15:57
  • Status: offline
Re: I can't connect HP vlan to Fortigate 2017/03/05 06:07:51 (permalink)
0
I did it, but I cannot ping the firewall 172.26.30.254.
See my rules in the attachment.

Attached Image(s)

#4
yonibar81
Bronze Member
  • Total Posts : 21
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/12/01 10:15:57
  • Status: offline
Re: I can't connect HP vlan to Fortigate 2017/03/05 10:26:02 (permalink)
0
I created a VLAN on the HP switch and I want to connect it to the FW.
#5
dennisv
New Member
  • Total Posts : 11
  • Scores: -1
  • Reward points: 0
  • Joined: 2017/03/14 08:31:55
  • Status: offline
Re: I can't connect HP vlan to Fortigate 2017/03/16 08:58:15 (permalink)
0
There are two ways of connecting the HP switch to the Fortigate with VLANs.
1) Put the switch port in VLAN 100 in untagged mode.
You do not need to configure a sub-interface on the Fortigate.
The IP address of the Fortigate should be in the same range as the IP address on VLAN 100.
(example: fortigate 192.168.100.1/23, switch 192.168.100.2/24)
 
2) Put the switch port in VLAN 100 in tagged mode.
Create a sub-interface on the physical port you are connecting the switch to.
Set the IP address in the same range as the IP address of the switch in VLAN 100.
(example: fortigate 192.168.100.1/23, switch 192.168.100.2/24)
 
In both cases make sure the management access of the interface is set to ping.
This will allow ping to the Fortigate without any additional policy.
 
 
#6
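The two options in reply #6 and the GUI steps from the best answer (#2), written out as FortiOS CLI. This is an added example, not configuration taken from the thread. Assumptions: the switch uplink is internal1, the VDOM is root, VLAN 100 uses 172.26.100.0/24 (chosen so it does not overlap the 172.26.30.0/24 already on internal1; the FortiGate refuses the same subnet on two interfaces, which is the objection raised in #3), and a spare port internal2 is used to show the untagged variant. Lines starting with "#" are annotations, not commands.

```text
# FortiOS CLI, FortiGate side. Annotations start with "#".
# Assumed (not from the thread): VLAN 100 = 172.26.100.0/24, uplink internal1,
# VDOM root, spare port internal2 for the untagged variant.

# Option 2: the switch port is TAGGED in VLAN 100. The FortiGate needs a
# VLAN sub-interface with the same VLAN ID on the physical port.
config system interface
    edit "vlan100"
        set vdom "root"
        set interface "internal1"
        set vlanid 100
        set ip 172.26.100.254 255.255.255.0
        set allowaccess ping
    next
end

# Option 1: the switch port is UNTAGGED in VLAN 100. No sub-interface; the
# VLAN 100 subnet sits directly on the physical port. This is an alternative
# to the block above, not an addition: applying both would put the same
# subnet on two interfaces, which the FortiGate rejects.
config system interface
    edit "internal2"
        set ip 172.26.100.254 255.255.255.0
        set allowaccess ping
    next
end

# A sub-interface is an interface in its own right: traffic between VLAN 100
# and the existing internal1 subnet needs a policy in each direction.
# "edit 0" takes the next free policy ID.
config firewall policy
    edit 0
        set srcintf "vlan100"
        set dstintf "internal1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set srcintf "internal1"
        set dstintf "vlan100"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Check which interface a ping from the switch side arrives on: an echo
# request carrying 802.1Q tag 100 is listed as "vlan100 in", an untagged one
# as the physical port it came in on.
diagnose sniffer packet any 'icmp' 4 10
```

Pinging the sub-interface address itself only needs `set allowaccess ping`, as #6 says; the policies are for traffic that passes through the FortiGate between VLAN 100 hosts and the internal1 subnet. If the sniffer shows the tagged frames arriving on internal1 rather than vlan100, the VLAN ID on the sub-interface does not match the tag the switch is sending.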
azwanarif
Bronze Member
  • Total Posts : 26
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/01/14 03:31:48
  • Status: offline
Re: I can't connect HP vlan to Fortigate 2019/07/09 18:48:02 (permalink)
0
Hi All,
I know this is an old post; recently we deployed a Fortigate to a customer which is still using the same HP switch and encountered the same issue.
I have followed the steps and it works successfully. However, I would like to know why we need to tag the switch port in order to connect with the Fortigate, since for HP all end devices are required to use untagged ports? Thanks
#7
sw2090
Gold Member
  • Total Posts : 370
  • Scores: 21
  • Reward points: 0
  • Joined: 2017/06/14 01:27:25
  • Location: Regensburg
  • Status: offline
Re: I can't connect HP vlan to Fortigate 2019/07/09 23:33:03 (permalink)
0
Unfortunately 1) is wrong, Dennisv!
Untagged on the switch means all packets will be tagged with VID 100 regardless of which VID they had originally.
Since the FortiGate only knows untagged VLANs you will still have to create a VLAN interface plus policies in this case on your Fortigate!
 
azwanarif: if you haven't connected the HP switch directly to the FortiGate you will have to make sure that VID 100 gets past all switches/routers in between and reaches the FGT.
And unless you have policies you might only be able to ping the IP of the virtual VLAN interface.
 
We use HP switches and Dell switches here with FortiGates and several VLANs (tagged as well as untagged on the switch) and it works fine this way.
#8
dennisv
New Member
  • Total Posts : 11
  • Scores: -1
  • Reward points: 0
  • Joined: 2017/03/14 08:31:55
  • Status: offline
Re: I can't connect HP vlan to Fortigate 2019/07/10 01:59:00 (permalink)
0
"Untagged on the switch means all packets will be tagged with VID 100 regardless of which VID they had originally."
Yes and no ....
When an untagged Ethernet frame enters the switch, the PVID / Private VLAN ID set on the switch port determines the VLAN that the switch will place onto the Ethernet frame inside the switch.
When an Ethernet frame exits the switch, the mode set on the switch port determines whether the VLAN tag should be removed or not, aka (keep) tag or untag.
 
When placing the switch port in the mode untag, the client device does not get a VLAN-tagged Ethernet frame. (Else we would need all devices to understand VLAN tagging.)
 
Inside the switch ALL frames are tagged by either the PVID or the VLAN tag itself.
Outside the switch it is determined by the setting of the switch port.
 
Per switch port you usually have three options:
untagged only
tagged only
combined (hybrid / ....)
 
The PVID determines what the switch should do with incoming untagged frames. Even if the port is set to tagged only.
Depending on the switch you might need to set the switch port to both VLAN X untagged and PVID X, i.e. to the same value. Remember: PVID is in, untag is out. These are normally the same, else you would end up with some funky behaviour.
Usually when you specify a switch port to be untagged only, the PVID of that port automatically gets set to the same value, but you might want to check that, as these can differ!
 
For tagged only you do not specify the untagged VLAN, but you might/optionally need to specify a PVID anyway.
A common practice I use for tagged-only ports is to set a PVID that is bogus (example 999) and not use that for any actual VLAN. Any untagged Ethernet frame entering this switch port will get VLAN tag 999 when entering the switch.
But if there are no ports with VLAN 999 tagged or untagged, this Ethernet frame will never exit the switch and gets dropped.
 
You can combine one untagged VLAN with multiple tagged VLANs, which is often called a hybrid port.
For the tagged VLANs you don't need to do anything special, just set them to tagged. This will make the switch port accept and send frames according to these VLANs with the VLAN tag intact when exiting the switch.
The untagged VLAN you want to use on this combined port should be set to the same untagged VLAN and PVID as mentioned for the untagged-only port.
 
For an untagged-only connection between the Fortigate and the switch you do not have to create VLAN/sub-interfaces on the Fortigate. The Fortigate is basically the same as any other client.
 
For a tagged-only connection between the Fortigate and the switch you will have to create a VLAN/sub-interface on the Fortigate with the correct VLAN ID. You can create multiple VLAN/sub-interfaces with different tagged VLAN IDs.
 
For a combined/hybrid connection between the Fortigate and the switch you can use both the native interface, with the switch port set to the proper PVID and untagged VLAN, and VLAN/sub-interfaces for the different tagged VLAN IDs.
 
I hope this has cleared things up :)
 
TL;DR:
switch PVID determines tagging of untagged frames entering the switch.
switch PVID should normally be set to the switch port's untagged VLAN.
switch port VLAN untagged: frames exiting the switch will have the VLAN tag removed; use the native interface on the Fortigate.
switch port VLAN tagged: frames exiting the switch will have the VLAN tag; use VLAN/sub-interfaces on the Fortigate.
switch port hybrid: mix these up.
ktnxbye =)
post edited by dennisv - 2019/07/10 02:00:23
#9
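The switch-side counterpart of the three port modes described in #9, as an added example for the HP 1910 from the opening post. The 1910 is a Comware-based switch; its full CLI is reached with `_cmdline-mode on`, and the web GUI exposes the same access/trunk/hybrid port settings. None of this is the original poster's configuration: VLAN IDs 10, 100 and 999, GigabitEthernet1/0/24 as the uplink to the FortiGate and 1/0/1 as a client port are assumptions. The three uplink variants are alternatives for the same port, not a sequence to paste as a whole; Comware 5 also requires a port to be set back to access before changing it between trunk and hybrid.

```text
# HP 1910 / Comware CLI. Annotations start with "#".
# Assumed: VLAN 100 is the VLAN to carry to the FortiGate, VLAN 10 is an
# untagged client VLAN, VLAN 999 is a deliberately unused VLAN, 1/0/24 is the
# uplink to the FortiGate, 1/0/1 is a client port.
system-view
vlan 100
 quit
vlan 10
 quit
vlan 999
 quit

# 1) Untagged only ("access"): frames leave the port without a tag and
#    untagged ingress is placed in VLAN 100 (the PVID follows the access
#    VLAN). FortiGate side: no sub-interface, IP on the physical port.
interface GigabitEthernet1/0/24
 port link-type access
 port access vlan 100
 quit

# 2) Tagged only ("trunk"): frames leave with tag 100. FortiGate side: a
#    sub-interface with vlanid 100. VLAN 1 is removed from the trunk and the
#    PVID points at VLAN 999, which has no member ports, so any untagged
#    frame that enters this port is dropped (the "bogus PVID" practice).
interface GigabitEthernet1/0/24
 port link-type trunk
 port trunk permit vlan 100
 undo port trunk permit vlan 1
 port trunk pvid vlan 999
 quit

# 3) Hybrid: VLAN 10 untagged (and PVID 10), VLAN 100 tagged on the same
#    port. FortiGate side: VLAN 10 subnet on the physical port plus a
#    vlan100 sub-interface.
interface GigabitEthernet1/0/24
 port link-type hybrid
 port hybrid vlan 10 untagged
 port hybrid pvid vlan 10
 port hybrid vlan 100 tagged
 quit

# Client port: untagged in VLAN 10, which is what an end device normally
# expects. Frames from here reach the uplink tagged 10 in variant 3, or
# never reach the FortiGate in variants 1 and 2 (VLAN 10 is not on the uplink).
interface GigabitEthernet1/0/1
 port link-type access
 port access vlan 10
 quit

# Check the result: which VLANs each trunk/hybrid port carries, and in which
# direction they are tagged or untagged.
display port trunk
display port hybrid
display vlan 100
```

Reading the `display vlan 100` output against the FortiGate side is the quickest check for the mismatch discussed in this thread: if the uplink appears under "Untagged ports", the FortiGate must take VLAN 100 on the physical interface; if it appears under "Tagged ports", the FortiGate needs the vlan100 sub-interface.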
sw2090
Gold Member
  • Total Posts : 370
  • Scores: 21
  • Reward points: 0
  • Joined: 2017/06/14 01:27:25
  • Location: Regensburg
  • Status: offline
Re: I can't connect HP vlan to Fortigate 2019/07/10 02:16:37 (permalink)
0
generally yes.
But we're talking of HP Switches here. HP Firmware requires you to have one (and only one) vlan set to be untagged on every port. It does not allow any port without vlan.
HP Firmware will keep the vid that comes with the packet on a port as long as the port is tagged in the vlan. If not it will rewrite the vid to the untagged one.
#10
dennisv
New Member
  • Total Posts : 11
  • Scores: -1
  • Reward points: 0
  • Joined: 2017/03/14 08:31:55
  • Status: offline
Re: I can't connect HP vlan to Fortigate 2019/07/10 03:02:05 (permalink)
0
The options you have for setting a port to untagged/tagged are determined by the switch model. HPE currently has several switch models and OSes (Comware, ProVision/Aruba, Aruba CX and some others) that all vary in these possibilities.
On all (HPE) managed switches you will need to put a port in a VLAN, either tagged or untagged or combined.
There is indeed no such thing as removing the VLAN entirely from a switch port, as VLAN tagging will always be used inside the switch and it needs to know which VLAN that is.
But that doesn't matter for the clients. They get a tagged or untagged frame based on the switch port setting.
Some vendors will place ports that do not specify a VLAN into the default VLAN, which usually is VLAN 1, but on some it can be altered.
 
As mentioned, PVID does nothing with tagged frames (not packets); only untagged frames are affected by PVID.
The PVID sets the VLAN ID (or VID if you like).
Tagged frames retain their VLAN ID as long as they are not inter-VLAN routed or rewritten.
 
If there is an option for a PVID, the untagged frame will get the VLAN ID set in the PVID.
If there is no option for a PVID, the untagged frame will get the VLAN ID set in the untagged VLAN.
The HP switch might not have the PVID option, thus the VLAN ID of the incoming frames will be set to the same VLAN as specified as the untagged VLAN on that switch port.
So yes, on ingress the HP switch will keep the VLAN ID when the frame is tagged and set the VLAN ID if the frame is untagged.
 
In general a switch port can and will have 1 untagged VLAN only, and the rest is tagged.
Some vendors can set multiple untagged VLANs on the same port, which can be referred to as VLAN header stripping.
Usually for monitoring/tapping purposes, but that's out of scope here.
#11
sw2090
Gold Member
  • Total Posts : 370
  • Scores: 21
  • Reward points: 0
  • Joined: 2017/06/14 01:27:25
  • Location: Regensburg
  • Status: offline
Re: I can't connect HP vlan to Fortigate 2019/07/10 03:06:05 (permalink)
0
I have to correct myself: FGTs only know tagged. They will not touch the VID in a packet and they will only accept packets with the right VID on a VLAN interface.
#12
dennisv
New Member
  • Total Posts : 11
  • Scores: -1
  • Reward points: 0
  • Joined: 2017/03/14 08:31:55
  • Status: offline
Re: I can't connect HP vlan to Fortigate 2019/07/10 03:22:09 (permalink)
0
Natively the interfaces on a Fortigate are untagged. Once you create sub/VLAN interfaces these need a VLAN ID, which is the VLAN tag that will be accepted and sent out.
Actually you are always creating combined/hybrid ports, as you can not remove the native interface.
If you have no use for the native interface (aka untagged) you can set it to static IP 0.0.0.0/0.0.0.0 (IPv6 ::0) and disable all management. Avoid setting it to DHCP/PPPoE to keep the logs clean.
Do not disable the native interface itself, as this will shut down the actual port.
 
 
 
#13
azwanarif
Bronze Member
  • Total Posts : 26
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/01/14 03:31:48
  • Status: offline
Re: I can't connect HP vlan to Fortigate 2019/07/10 07:14:47 (permalink)
0
sw2090 wrote:
> I have to correct myself: FGTs only know tagged. They will not touch the VID in a packet and they will only accept packets with the right VID on a VLAN interface.
 
Thanks everyone for the info sharing,
 
Below is the current working HP ProCurve configuration, which required the Ethernet ports to be set as tagged for the client VLAN connected to the HP switch in order to connect with the gateway and the other VLANs, apart from the trunk port (Trk1) on 23-24.
 
I have tried with an untagged port configuration; the client is unreachable either from the FortiGate or from other VLANs.
 

post edited by azwanarif - 2019/07/10 07:18:52

Attached Image(s)

#14
rwpatterson
Expert Member
  • Total Posts : 8404
  • Scores: 195
  • Reward points: 0
  • Joined: 2006/08/08 10:08:18
  • Location: Long Island, New York, USA
  • Status: offline
Re: I can't connect HP vlan to Fortigate 2019/07/10 08:47:26 (permalink)
0
VLANs 10 and 102 need to be defined on the uplink port to the HP from the Fortigate. VLAN 1 is native, so nothing needs to be done on the Fortigate. Additionally, policies need to be put in place since you have now created virtual interfaces. Any traffic passing between interfaces on a Fortigate needs a policy for the traffic to be allowed.
 
I'm not HP lingual. What VLANs are allowed on the trunk ports?
post edited by rwpatterson - 2019/07/10 08:50:37

-Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

-4.3.19-b0694
FWF60B
FWF80CM (4)
FWF81CM (2)
 
#15
dennisv
New Member
  • Total Posts : 11
  • Scores: -1
  • Reward points: 0
  • Joined: 2017/03/14 08:31:55
  • Status: offline
Re: I can't connect HP vlan to Fortigate 2019/07/10 11:01:38 (permalink)
0
@azwanarif
This seems an odd configuration.
Usually clients are connected to untagged ports unless they are made VLAN-aware.
For example with iDRAC: if you specify inside iDRAC that it should use VLAN X, it will become tagged.
 
Connections between switches and/or the Fortigate can be tagged.
In your example a combination/hybrid is used for this.
 
Can you answer these questions:
What is the client VLAN?
On which port do you have the Fortigate connected?
Can you share the system interfaces section of the Fortigate?
(You can remove the IP addresses if needed for privacy.)
 
@rwpatterson
A Trunk in HP is an EtherChannel in Cisco, so it is just the binding of the interfaces.
Unlike a trunk in Cisco, where all VLANs are allowed unless pruned, with HP you specifically allow VLANs on the trunk.
In Fortigate VLAN 1 is not native, VLAN 0 actually is. But VLAN 0 is only used for untagged interfaces.
VLAN 0 cannot be used for VLAN interfaces.
In HP VLAN 1 is the default, not per se native, as you can change the native VLAN.
post edited by dennisv - 2019/07/10 11:06:31

Consultant @ Exclusive Networks BV
Datacenter Networking and Security
NSE4 6.0
Fortinet, HPe/Aruba, Arista, Juniper and many more
#16
rwpatterson
Expert Member
  • Total Posts : 8404
  • Scores: 195
  • Reward points: 0
  • Joined: 2006/08/08 10:08:18
  • Location: Long Island, New York, USA
  • Status: offline
Re: I can't connect HP vlan to Fortigate 2019/07/10 11:52:44 (permalink)
0
Not disputing what a trunk is, only trying to see where the VLANs are defined on ports 23 and 24. They aren't explicitly shown in the above configuration.
 
...or is trk1 the sum of all VLANs that have 'trk1' in them?
post edited by rwpatterson - 2019/07/10 11:55:20

#17
rwpatterson
Expert Member
  • Total Posts : 8404
  • Scores: 195
  • Reward points: 0
  • Joined: 2006/08/08 10:08:18
  • Location: Long Island, New York, USA
  • Status: offline
Re: I can't connect HP vlan to Fortigate 2019/07/10 12:01:45 (permalink)
0
azwanarif wrote:
> Thanks everyone for the info sharing,
>
> Below is the current working HP ProCurve configuration, which required the Ethernet ports to be set as tagged for the client VLAN connected to the HP switch in order to connect with the gateway and the other VLANs, apart from the trunk port (Trk1) on 23-24.
>
> I have tried with an untagged port configuration; the client is unreachable either from the FortiGate or from other VLANs.

All access ports (ports to PCs, printers, etc.) should be untagged unless there is a specific reason to add the tag. Tagging requires additional configuration on the workstation end. Your ports 1-18 and 19-20 are tagged in the configuration. That more than likely won't work unless there is a dumb device (Q-tag unaware switch/hub) in the middle that is dropping the tags.

#18
azwanarif
Bronze Member
  • Total Posts : 26
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/01/14 03:31:48
  • Status: offline
Re: I can't connect HP vlan to Fortigate 2019/07/10 15:13:47 (permalink)
0
Hi @dennisv
The HP switch is connected directly to Fortigate port 1 (hardware switch) and uses a Zone to combine all VLANs, with "Block intra-zone traffic" disabled to reduce the number of policies between VLANs.
 
VLAN 1 is connected to physical port 1 using IP 10.101.1.254 as gateway; the client (iDRAC) is not configured with any VLAN, only an IP and gateway in the VLAN 10 subnet.
 
Hi @rwpatterson
Both ports 23-24 are bound to trunk group "Trk1" and tagged in VLANs 10 & 102.
 
Current FGT Config:
Attached Image(s)

#19
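The port layout recommended in #17 (client ports untagged, only the uplink tagged) written out for a ProCurve/ProVision switch, followed by the FortiGate zone described in #19. This is an added example, not the configuration from the attached screenshots: the port numbers, VLAN names, the VLAN 10 and 102 subnets, the FortiGate interface name "internal" for the hardware switch, and a static (non-LACP) trunk are all assumptions. Lines starting with "#" are annotations.

```text
# HP ProCurve / ProVision CLI. Annotations start with "#".
# Assumed: ports 1-18 are client ports in VLAN 10, ports 23-24 form Trk1
# towards the FortiGate, VLAN 1 stays the untagged (native) VLAN on the
# uplink, VLANs 10 and 102 ride the uplink tagged.
trunk 23-24 trk1 trunk
vlan 1
   name "DEFAULT_VLAN"
   untagged 19-22,Trk1
   exit
vlan 10
   name "CLIENTS"
   untagged 1-18
   tagged Trk1
   exit
vlan 102
   name "SERVERS"
   tagged Trk1
   exit
# A port is untagged in exactly one VLAN, so ports 1-18 leave VLAN 1 when
# they become untagged members of VLAN 10. An iDRAC on port 1 then needs no
# VLAN setting of its own, only an address in the VLAN 10 subnet and the
# FortiGate's VLAN 10 address as gateway. In ProVision the VLAN membership
# is set on Trk1, not on ports 23 and 24 individually.

# FortiGate side. Assumed: Trk1 lands on the hardware switch interface
# "internal", VLAN 10 is 10.101.10.0/24 and VLAN 102 is 10.101.102.0/24.
# One sub-interface per tagged VLAN; VLAN 1 needs none because it arrives
# untagged on "internal".
config system interface
    edit "vlan10"
        set vdom "root"
        set interface "internal"
        set vlanid 10
        set ip 10.101.10.254 255.255.255.0
        set allowaccess ping
    next
    edit "vlan102"
        set vdom "root"
        set interface "internal"
        set vlanid 102
        set ip 10.101.102.254 255.255.255.0
        set allowaccess ping
    next
end

# The zone with "Block intra-zone traffic" disabled: traffic between vlan10
# and vlan102 passes without a policy, traffic leaving the zone (e.g. to
# wan1) still needs a policy whose srcintf is the zone name.
config system zone
    edit "LAN-VLANS"
        set intrazone allow
        set interface "vlan10" "vlan102"
    next
end
```

Note what `set intrazone allow` gives up: inter-VLAN traffic inside the zone is no longer inspected or logged by any policy, so the zone should only group VLANs that are meant to trust each other; a management VLAN for the iDRACs is usually better kept outside the zone with explicit policies.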
dennisv
New Member
  • Total Posts : 11
  • Scores: -1
  • Reward points: 0
  • Joined: 2017/03/14 08:31:55
  • Status: offline
Re: I can't connect HP vlan to Fortigate 2019/07/11 01:00:20 (permalink)
0
@rwpatterson
In HP ProVision (ProCurve/Aruba) you don't have to specify the VLANs on the ports themselves, only on the combined Trk interface.
 
@azwanarif
I think I know how you set up the Fortigate to the switch, but I don't know enough to verify.
((
  My thoughts:
  I think you are using 2 cables to connect the Fortigate to the HP switch.
  Port 1 of the Fortigate is connected to port 21 (or 22) on the HP switch
     This is the untagged network 10.101.1.x/24
  Port 2 of the Fortigate is connected to port 1 (or 2,3,4..18) on the HP switch
     This is the tagged VLAN10 network 10.101.10.x/24
  There are no other cables connected from the Fortigate to the HP switch
  I hope you do not use Trk1 to connect to Fortigate ports 1 and 2; this will cause problems.
  The clients are configured to use VLAN10 and should be connected to ports 1-18 on the HP switch
))
 
Can you please tell me how the Fortigate is physically connected to the HP switch?
Please use: Fortigate port X = HP switch port Y
Thank you :)

#20