01-23-2024 10:35 AM - last edited on 01-24-2024 03:56 AM by Translator
Hi everyone and thanks in advance for any help. I'm making a demo network and have this core switch connected to a Fortigate on one side and an access switch on another. I am having connectivity issues so I'm trying pings. The default gateway is the Fortigate with IP 10.3.0.1/30 on a point-to-point link from the core on te1/1/1. It is directly connected and the default route is set. I cannot ping from g1/0/48 (has IP 10.3.0.10/30 and is connected to 10.3.0.9) to the gateway. Here is my config and routing table. I tried to clean out the unconfigured ports to unclutter it.
CHQCOREDEMO-1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is 10.3.0.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.3.0.1
10.0.0.0/8 is variably subnetted, 9 subnets, 3 masks
C 10.3.0.0/30 is directly connected, TenGigabitEthernet1/1/1
L 10.3.0.2/32 is directly connected, TenGigabitEthernet1/1/1
C 10.3.0.4/30 is directly connected, TenGigabitEthernet1/1/2
L 10.3.0.6/32 is directly connected, TenGigabitEthernet1/1/2
C 10.3.0.8/30 is directly connected, GigabitEthernet1/0/48
L 10.3.0.10/32 is directly connected, GigabitEthernet1/0/48
S 10.3.10.0/24 [1/0] via 10.3.0.9
S 10.3.110.0/24 [1/0] via 10.3.0.9
S 10.3.150.0/24 [1/0] via 10.3.0.9
Building configuration...
Current configuration : 3213 bytes
!
! Last configuration change at 23:18:41 UTC Mon Jan 2 2006
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CHQCOREDEMO-1
!
boot-start-marker
boot-end-marker
!
!
username whatever privilege 15 secret X.X.X
no aaa new-model
switch 1 provision ws-c3750x-48p
system mtu routing 1500
!
!
!
!
ip routing
!
!
ip domain-name vhr.demo
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
no ip route-cache
shutdown
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/48
description Link to Access Switch
no switchport
ip address 10.3.0.10 255.255.255.252
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
description Link to Fortigate
no switchport
ip address 10.3.0.2 255.255.255.252
!
interface TenGigabitEthernet1/1/2
description Link to Fortigate
no switchport
ip address 10.3.0.6 255.255.255.252
!
interface Vlan1
no ip address
shutdown
!
interface Vlan250
ip address 10.30.250.1 255.255.255.0
!
ip forward-protocol nd
!
ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.3.0.1
ip route 10.3.10.0 255.255.255.0 10.3.0.9
ip route 10.3.110.0 255.255.255.0 10.3.0.9
ip route 10.3.150.0 255.255.255.0 10.3.0.9
!
!
!
!
line con 0
line vty 0 4
login local
transport input ssh
line vty 5 15
login local
transport input ssh
!
!
end
CHQCOREDEMO-1#ping 10.3.0.1 source g1/0/48
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.3.0.1, timeout is 2 seconds:
Packet sent with a source address of 10.3.0.10
.....
Success rate is 0 percent (0/5)
CHQCOREDEMO-1#
01-23-2024 10:48 AM
Core SW connects to forti FW via two interfaces.
Can you ping the directly connected IP of forti from Core SW using ping (and a specific source interface)?
MHM
01-23-2024 10:52 AM - edited 01-23-2024 10:53 AM
Sorry, I think I understand, so correct me if I'm not following. I can ping the 10.3.0.1 IP if I do not specify a port; if I use g1/0/48 as the source it does not work. I will use the second interface as a failover with a larger AD.
01-23-2024 10:57 AM
You have default and static route toward same forti FW.
Config only default route and check.
MHM
01-23-2024 11:00 AM - last edited on 01-24-2024 04:04 AM by Translator
I don't understand what you mean. I only configured a static route
ip route 0.0.0.0 0.0.0.0 10.3.0.1
at least I think so
01-23-2024 11:03 AM - last edited on 01-24-2024 04:06 AM by Translator
ip route 0.0.0.0 0.0.0.0 10.3.0.1
ip route 10.3.10.0 255.255.255.0 10.3.0.9
ip route 10.3.110.0 255.255.255.0 10.3.0.9
ip route 10.3.150.0 255.255.255.0 10.3.0.9
All these routes toward forti FW?
MHM
01-23-2024 11:07 AM - last edited on 01-24-2024 04:07 AM by Translator
No, the ones going toward 10.3.0.9 are going to a distribution switch, subnets for user ports (10), voice (110) and printers (150) on port g1/0/48.
I just tried adding
ip route 0.0.0.0 0.0.0.0 10.3.0.5 100
but it did not fix anything.
The two ports on the FG are 10.3.0.1/30 and 10.3.0.5/30.
I was originally trying to ping from the 10.3.10.0/24 subnet and it gets to 10.3.0.10 (second hop) but does not make it from that port any farther.
01-23-2024 11:11 AM - last edited on 01-24-2024 04:07 AM by Translator
interface TenGigabitEthernet1/1/1
description Link to Fortigate
no switchport
ip address 10.3.0.2 255.255.255.252
!
interface TenGigabitEthernet1/1/2
description Link to Fortigate
no switchport
ip address 10.3.0.6 255.255.255.252
!
I see description and assume two links to forti.
Anyway,
You need a route in Forti toward core for the subnets in access SW.
MHM
01-23-2024 11:16 AM - edited 01-23-2024 11:18 AM
I am not sure I understand. I can ping the interface on the FW from the switch but not from a specific port on the switch. How does a route help? Shouldn't it just answer back on the port it received on, and the switch is connected to that port? Would it help to see the config of the access switch? I have never used a layer 3 switch before so I am not sure how everything works.
01-23-2024 11:20 AM
The Access SW sends packet to Core and Core uses default to forward traffic to forti.
Now return packet:
Forti needs route for any subnet not directly connected.
Do you see route of access SW in forti?
I don't need access SW config; the issue is on forti side.
MHM
01-23-2024 11:33 AM
You are a legend sir. Thank you so much
01-23-2024 11:24 AM - edited 01-23-2024 11:24 AM
Hello @tatgauthier
On Fortigate do
get router info routing-table details 10.3.0.10
Does the Fortigate have an ip route towards this IP?
If not, you need a static route on this Firewall with next hop 10.3.0.2
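An added example (not from the thread) of the Fortigate-side fix both answers describe: static return routes for every network that sits behind the core's 10.3.0.2, so replies to a ping sourced from g1/0/48 (and traffic from the user, voice and printer subnets) have a path back. The interface name "port1" is an assumption for the Fortigate port holding 10.3.0.1/30.

```fortios
# Added example, not the poster's or Fortinet's own config.
# "port1" is an assumed name for the Fortigate interface with 10.3.0.1/30
# (the link to the core's TenGigabitEthernet1/1/1, 10.3.0.2).
config router static
    # core-to-access point-to-point link; covers the ping source 10.3.0.10
    edit 0
        set dst 10.3.0.8 255.255.255.252
        set gateway 10.3.0.2
        set device "port1"
    next
    # user ports (10), voice (110) and printers (150) behind the access switch
    edit 0
        set dst 10.3.10.0 255.255.255.0
        set gateway 10.3.0.2
        set device "port1"
    next
    edit 0
        set dst 10.3.110.0 255.255.255.0
        set gateway 10.3.0.2
        set device "port1"
    next
    edit 0
        set dst 10.3.150.0 255.255.255.0
        set gateway 10.3.0.2
        set device "port1"
    next
end
```

Afterwards `get router info routing-table details 10.3.0.10` on the Fortigate should show a route via 10.3.0.2, and `ping 10.3.0.1 source g1/0/48` on the core should succeed; without these routes the Fortigate's echo replies follow its own default route instead of returning to the core.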