Fortigate 110c and HP Procurve Layer 3
I have a network with 5 VLANs. Vlan 1 is configured for one of the ethernets on the fortigate(port7). The other 4 Vlans or sub interfaces to the port 7. This is a new client and they were having problems with their voice(Internal Lync server). After a network study, we found that all routing was taking place on the fortigate instead of the layer 3 switches(HP). So, the gateway on every vlan was to port 7 for vlan 1 and the sub interfaces for the other vlans. I have vlan tagging turned on for both the Fortinet as well as the hp. The problem with the fortigate being the router is we have all the VLAN routing happening on the fortigate 100mb port. It is maxed at 97%. This is a huge problem. So, we wanted to make it so that all the inter vlan routing took place on the hp layer 3 switch instead. It works fine for VLAN 1. However, for all other vlans, I can’t get traffic to get out on the internet. I worked with support until 1230 AM today with no luck. They had no clue. They tried to tell me to have multiple default routes on my HP Core switch. You can’t have multiple default routes. So, they were clueless. So, I am trying to figure out a solution here. Anybody deal with this?
ASKER
OSPF is disabled on fortigate.
VLAN 1 on HP - 10.0.0.1 - VLAN 1 on Fortinet - 10.0.0.254(Default gateway for clients on vlan is 10.0.0.1)
Default route on hp 0.0.0.0/0 10.0.0.254
VLAN 20 on HP - 10.0.10.1 - VLAN 20 on Fortinet - 10.0.10.254 - If my clients point to .254 for gateway, all works. If I point to HP on .1, it doesn't work. However, I can ping to other vlans, just can't get on the web. So the HP is routing correctly
Fortigate routing table has tables such as 10.0.10.0/24 directly connected
VLAN 1 on HP - 10.0.0.1 - VLAN 1 on Fortinet - 10.0.0.254(Default gateway for clients on vlan is 10.0.0.1)
Default route on hp 0.0.0.0/0 10.0.0.254
VLAN 20 on HP - 10.0.10.1 - VLAN 20 on Fortinet - 10.0.10.254 - If my clients point to .254 for gateway, all works. If I point to HP on .1, it doesn't work. However, I can ping to other vlans, just can't get on the web. So the HP is routing correctly
Fortigate routing table has tables such as 10.0.10.0/24 directly connected
I would remove 10.0.10.254 from the FortiGate and put a routing rule 10.0.0.0/8 10.0.0.1
I have a fair amount of networks, my firewall routing table looks like this
Any going to all private addresses go to 10.200.0.1 (the IP of my HP L3 switch)
Any going to any go to <my next hop router address>
i have no clients on the 10.200.0.1 range it is presented as a vlan untagged going to my firewall and my firewall has only one address for all traffic (LAN side) 10.200.0.2 my HP's default is 0.0.0.0 0.0.0.0 10.200.0.2
I have a fair amount of networks, my firewall routing table looks like this
Any going to all private addresses go to 10.200.0.1 (the IP of my HP L3 switch)
Any going to any go to <my next hop router address>
i have no clients on the 10.200.0.1 range it is presented as a vlan untagged going to my firewall and my firewall has only one address for all traffic (LAN side) 10.200.0.2 my HP's default is 0.0.0.0 0.0.0.0 10.200.0.2
ASKER
So, right now I have a ton of rules on the fortinet. It allows vlan 1 to get to 10 and things like that. When my HP will do the routing, I basically have to ignore the rules on the fortinet and create ACLs on the HP? Would that be a correct assumption?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks. I will give this a try
good luck if no joy i'll be here :)
well providing things are still quite my end lol
well providing things are still quite my end lol
could you post your routing table from your HP?
also have you got OSPF disabled on the Fortigate and static routing tables in there?
let say
vlan 2 is 192.168.2.1 255.255.255.252 is on the HP and 192.168.2.2 255.255.255.252 is on port 7 of the Fortigate
vlan 10 in 192.168.3.0 255.255.255.0 in on the HP then the fortigate needs to say in its routing table
192.168.3.0/24 192.168.2.1 (next hop router, its been a while it might require just the interface like a PC so it might be 192.168.2.2)