dbrady
New Contributor

Routing Issue between Fortigate 100E and Cisco 3650

Hey guys,

I'm hoping someone can help me. I have recently replaced unmanaged switches with a Cisco 3650 switch and set up inter-VLAN routing. I have created 4 VLANs to segregate the network (VLAN10 management, VLAN20 servers, VLAN30 end user devices, VLAN40 WiFi APs).

I have connected the FortiGate (v5.4.5, build6225) to the switch (trunk port) and created the VLANs on the FortiGate interface connected to the switch. I have set up a default route on the switch to point traffic to the FW (IP in VLAN10). The switch can ping all VLAN interfaces on the FW, but an end user device can't ping the FW. A workaround was to enable asymmetric routing, but I understand this to be a test rather than a workaround.

As all traffic from the switch is going over VLAN10, I have created the necessary IPv4 policies to allow this traffic.

Can anyone shed some light on where I am going wrong, please? Attached is the topology.

 

ede_pfau
Esteemed Contributor III

Hi,

If I don't read your post but only look at the schematic, I'd say you don't run a VLAN trunk from the switch to the FGT. So no wonder traffic from the other VLANs doesn't make it there.

Have a look at the current routing table on the FGT: "get route info rout all" in the CLI, or Routing > Monitor in the GUI. The FGT should have routes for all VLANs.

The FGT will silently drop traffic it does not have a route for (anti-spoofing). For example, incoming traffic from VLAN40 would be dropped unless there is a route back to where this traffic originated. This can be an explicit route, or the default route.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
dbrady

Hi Ede,

Thank you for your reply. I have been thinking about how I have set this up and I'm thinking of changing it.

Configure the switchport that connects to the FGT as a routed port and give it an IP address on the same subnet as the FW. Create a default route on the switch to the FW and create static routes on the FGT for each VLAN on the switch. This seems like a simpler setup?

ede_pfau
Esteemed Contributor III

Sure, this should work as well. You wouldn't need to create VLAN ports on the FGT, but you will have all traffic on that wire, no separation. Creating policies between subnets will work, but features involving ports will not, like DHCP servers.

Actually, creating that port as a trunk port for all VLANs should work as well and would not mean much more config on the FGT. But more control, IF you need it.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
dbrady

Yes, I think that's what I want to steer away from, as it's causing issues with my routing. At the moment I have a default route on my switch pointing traffic to the FW, so all traffic is going over VLAN10.

At the moment I have asymmetric routing enabled so LAN traffic is working, but as soon as I disable this, routing fails.

Anurag_Goyal

I had this kind of experience with an FGT 300C, a Cisco 3650 and a Ruckus 1100.

You need to create a sub-interface (VLAN interface) under the internal port and define the VLAN ID on it.

Example:

internal1 -> sub-interface with vlan_id 10 -> define the IP of the interface for VLAN10. (If you have configured "int vlan 10" on the Cisco switch with the IP 192.168.10.1/24, you can assign 192.168.10.x/24 to the FortiGate sub-interface.)

Do the same for all remaining VLANs.

Connect your switch port's assigned VLAN interface with the FortiGate's VLAN-assigned interface.

Nothing else.

Anurag Goyal
dbrady

Hi Anurag,

 

Thank you for your reply.

 

So in your example, I would associate each VLAN with its own interface on the switch and the FGT. On the switch, would I configure the port as an access port in the desired VLAN?

I would not need to put in any default routes on the switch? I also take it I would need to amend my IPv4 policies to reflect the additional ports created?

Anurag_Goyal

Yes, exactly!!!!

If you don't want to consume 4 ports on the switch and the FGT, you can use only one port on the FGT and create sub-interfaces on it, each assigned a VLAN ID.

After that you need to create the policies for the appropriate VLAN interface communication.

Anurag Goyal
dbrady

Hey guys - I have made the following changes:

Disabled asymmetric routing on the FGT.
Removed ALL VLANs from the FGT.
Removed all physical ports from the LAN interface apart from port1.
Configured the LAN interface as 10.0.200.1 (FW IP address) and disabled STP.
Configured the switchport as an access port on VLAN10 and removed STP.
Connected the FGT to the switchport.
Put a default route on the switch: 0.0.0.0 0.0.0.0 10.0.200.1.
Put a static route on the FGT for 10.0.3.0/24 (VLAN30) via LAN (gateway 10.0.200.10, which is int VLAN10 on the switch).
Put a static route on the FGT for 10.0.5.0/24 (VLAN40) via LAN (gateway 10.0.200.10, which is int VLAN10 on the switch).
Put a static route on the FGT for 10.0.0.0/24 (VLAN20) via LAN (gateway 10.0.200.10, which is int VLAN10 on the switch).
Amended all IPv4 policies to use the LAN interface.

So far everything looks good. Would you say this is a good way to set up the routing?

ede_pfau
Esteemed Contributor III

Yep, but only halfway... where are the VLANs on the switch? Why don't you declare the switchport which connects to the FGT as a VLAN trunk and run all 4 VLANs over it?


Ede

"Kernel panic: Aiee, killing interrupt handler!"
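One way to build the trunk design Ede is recommending, written up here as an added example; it is not configuration from any of the posts above. It assumes the FortiGate is the default gateway of every VLAN (so traffic between VLANs has to cross a firewall policy instead of being routed locally on the 3650), uses the subnets dbrady lists (10.0.200.0/24 for VLAN10, 10.0.0.0/24 for VLAN20, 10.0.3.0/24 for VLAN30, 10.0.5.0/24 for VLAN40), and assumes the FortiGate holds .1 in each subnet, that port1 faces the switch, that GigabitEthernet1/0/1 is the switch uplink and that the 3650 accepts plain "switchport mode trunk" without an encapsulation command. Interface names, VLAN names and the sample policies are illustrative.

```text
! ---------- Cisco 3650: layer 2 only, all four VLANs tagged towards the FortiGate ----------
vlan 10
 name management
vlan 20
 name servers
vlan 30
 name users
vlan 40
 name wifi-ap
vlan 999
 name unused-native
!
! Assumption: the FortiGate routes between VLANs, so the switch does not.
no ip routing
!
! Management address of the switch itself; 10.0.200.10 matches the SVI in dbrady's post.
interface Vlan10
 ip address 10.0.200.10 255.255.255.0
!
! With ip routing disabled this (not "ip route 0.0.0.0 ...") is the switch's own gateway.
ip default-gateway 10.0.200.1
!
interface GigabitEthernet1/0/1
 description Trunk to FortiGate port1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40
 ! Park untagged frames in an unused VLAN: every FortiGate sub-interface is tagged,
 ! so nothing legitimate should arrive untagged on this link.
 switchport trunk native vlan 999
 ! Disable DTP so the neighbour cannot negotiate the port into a different mode.
 switchport nonegotiate
!
interface GigabitEthernet1/0/10
 description end user device
 switchport mode access
 switchport access vlan 30
 spanning-tree portfast
!
! ---------- FortiGate (5.4 CLI): one VLAN sub-interface per VLAN on port1 ----------
config system interface
    edit "vlan10"
        set vdom "root"
        set ip 10.0.200.1 255.255.255.0
        set allowaccess ping https ssh
        set interface "port1"
        set vlanid 10
    next
    edit "vlan20"
        set vdom "root"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping
        set interface "port1"
        set vlanid 20
    next
    edit "vlan30"
        set vdom "root"
        set ip 10.0.3.1 255.255.255.0
        set allowaccess ping
        set interface "port1"
        set vlanid 30
    next
    edit "vlan40"
        set vdom "root"
        set ip 10.0.5.1 255.255.255.0
        set allowaccess ping
        set interface "port1"
        set vlanid 40
    next
end
! No static routes are needed for the VLANs: each one is a connected route on its
! own sub-interface, which is exactly the return path the anti-spoofing check wants.
!
! Illustrative policies. Anything not matched here is dropped by the implicit deny.
config firewall policy
    edit 1
        set name "users-to-servers"
        set srcintf "vlan30"
        set dstintf "vlan20"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS" "HTTP" "HTTPS"
        set logtraffic all
    next
    edit 2
        set name "users-to-internet"
        set srcintf "vlan30"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

After applying this, the end user device's gateway becomes 10.0.3.1, and "get router info routing-table all" on the FortiGate should show one connected ("C") entry per VLAN sub-interface. If a ping from the device still fails, "diagnose sniffer packet vlan30 'icmp' 4" shows whether the tagged echo request reaches the sub-interface at all (if not, check the trunk's allowed VLAN list on the switch), and "diagnose debug flow" shows the FortiGate's reason for dropping a packet, including a failed reverse-path check. Leaving asymmetric routing disabled is deliberate: enabling it turns off that check and the stateful inspection that depends on it.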