Re: Issue with routing to website

lquinn · ‎08-20-2020

Hi all,

I'm having an issue with a few users who need access to a URL. Basically I have a PC on a vlan with an ip address of 10.55.102.44. They need access to a site with an ip 169.254.9.53. The traffic isn't getting as far as our firewall to allow access to this website so our problem is with routing.

So I can't ping the ip address from the PC.

When I do a tracert to it, it gets to the gateway of the vlan, 10.55.102.254, but no further.

I added a route on the PC as follows:

169.254.0.0 255.255.255.0 10.55.102.254 10.55.102.44

Still doesn't know where to go. Do I need to add something on my core switch to route this traffic to the firewall as it just doesn't seem to know where to go.

Georg Pauwen · ‎08-20-2020

Hello,

what does the topology look like ? Post a schematic drawing, as well as the running configs of all devices involved...

Seb Rupik · ‎08-20-2020

Hi there,

Are you sure about that IP address? 169.254.0.0/16 is an unallocated address space and is used by a host to configure an interface in the absence of DHCP.

The prefix is therefore considered a BOGON and there is a good chance your core router or firewall will have an ACL which will drop this traffic.

cheers,

Seb.

lquinn · ‎08-20-2020

Thanks for the replies.

@Seb Rupik , I think what you have said is the problem but unfortunately the ip addressing of this is out of my control. We are a gov agency and we use a gov VPN for connecting to internet. Our Gov link is divided up into different VLANs. We have a services vlan for email and internet access and we have this vlan for InterAgency traffic. The subnet used for this vlan is 169.254.0.0/16. I can ping the network interface assigned for this vlan which is 169.254.9.66.

H:\>ping 169.254.9.66

Pinging 169.254.9.66 with 32 bytes of data:
Reply from 169.254.9.66: bytes=32 time=1ms TTL=254
Reply from 169.254.9.66: bytes=32 time=1ms TTL=254
Reply from 169.254.9.66: bytes=32 time=1ms TTL=254
Reply from 169.254.9.66: bytes=32 time=1ms TTL=254

Ping statistics for 169.254.9.66:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms

H:\>tracert 169.254.9.66

Tracing route to 169.254.9.66 over a maximum of 30 hops

1 2 ms 2 ms 3 ms 10.55.102.254
2 1 ms 1 ms 1 ms 169.254.9.66

Trace complete.

I can see on our core switch that there is a route set to point to the firewall:

ip route 169.254.0.0 255.255.192.0 10.55.1.1

If I do show ip route I see the following:

169.254.0.0/18 is subnetted, 1 subnets
S 169.254.0.0 [1/0] via 10.55.1.1

Georg Pauwen · ‎08-20-2020

You need to give us more information about your topology. What devices are between the core switch and the firewall ? Post, at the very least, the running config of the core switch. Can you ping the firewall from the core switch ?

lquinn · ‎08-20-2020

The topology is as follows:
Fortigate Firewall connected to Cisco 4550 core switch. Cisco 3850 switch stacks connected to Core Switch. PC connected to 3850 switch stack.

On Core switch the vlan that the pc is connected to is:

interface Vlan102
description ### IT Data VLAN to replace 10.55.3.x###
ip address 10.55.102.254 255.255.255.0
ip helper-address 10.55.2.50
ip helper-address 10.55.1.126
ip helper-address 10.55.1.121
ip helper-address 10.55.214.121
ip pim sparse-dense-mode
arp timeout 180

the ip routing table on the c1ore switch is as follows:
ip route 0.0.0.0 0.0.0.0 10.55.1.1
ip route 10.10.10.0 255.255.255.248 10.10.10.90
ip route 10.10.10.8 255.255.255.248 10.55.0.100
ip route 10.10.10.32 255.255.255.248 10.10.10.90
ip route 10.10.10.40 255.255.255.248 10.10.10.90
ip route 10.10.10.48 255.255.255.248 10.10.10.90
ip route 10.10.10.56 255.255.255.248 10.10.10.90
ip route 10.10.10.64 255.255.255.248 10.10.10.90
ip route 10.10.10.72 255.255.255.248 10.10.10.89
ip route 10.10.10.80 255.255.255.248 10.10.10.90
ip route 10.10.10.96 255.255.255.248 10.10.10.89
ip route 10.55.10.247 255.255.255.255 10.55.1.1
ip route 10.55.10.248 255.255.255.255 10.55.1.1
ip route 10.55.10.249 255.255.255.255 10.55.1.1
ip route 10.55.10.250 255.255.255.255 10.55.1.1
ip route 10.55.10.251 255.255.255.255 10.55.1.1
ip route 10.55.10.252 255.255.255.255 10.55.1.1
ip route 10.55.10.254 255.255.255.255 10.55.1.1
ip route 169.254.0.0 255.255.192.0 10.55.1.

Georg Pauwen · ‎08-20-2020

Hello,

does the core switch have an interface in the 10.55.1.0/24 range ? There must be a common subnet between the firewall and the core switch. Can you ping the IP address of (assuming it exists) interface of the Vlan (or physical interface) that is directly connected to the firewall ?

lquinn · ‎08-25-2020

The core switch and firewall are both in Vlan 1. the PCs that will need access to this site are in vlans 94,95,96,98,99,102.

Core switch config is as follows:

Current configuration : 36510 bytes
!
! Last configuration change at 11:49:10 DST Thu Aug 20 2020 by lquinn
! NVRAM config last updated at 11:49:13 DST Thu Aug 20 2020 by lquinn
!
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime
service password-encryption
service compress-config
service sequence-numbers
!
hostname BH_4500X_CoreStack
!
boot-start-marker
boot system bootflash:cat4500e-universalk9.SPA.03.08.08.E.152-4.E8.bin
boot-end-marker
!
!
vrf definition mgmtVrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging buffered 75000 informational
logging console notifications
enable secret 5 $1$v4WE$mSGWbBGfnSrR7fEd2kTAv1
!
username teis privilege 15 secret 5 $1$THKd$9LMLIHkXx6eoA0pObdRDH0
username Me@thF@llbck privilege 15 secret 5 $1$Ven7$hCzAe.4vUhefH7BABnvci1
aaa new-model
!
!
aaa group server radius IAS
server name Radius1
server name Radius2
!
aaa authentication login default group IAS local
aaa authentication login CON local
!
!
!
!
!
!
aaa session-id common
clock timezone gmt 0 0
clock summer-time DST recurring last Sun Mar 2:00 last Sun Oct 2:00
!
switch virtual domain 100
switch mode virtual
mac-address use-virtual
!
!
!
!
!
!
!
!
!
!
no ip source-route
no ip gratuitous-arps
!
ip multicast-routing
no ip domain-lookup
ip domain-name meathcoco.lgov
no ip bootp server
!
!
login block-for 120 attempts 3 within 120
login on-failure log every 100
login on-success log every 100
!
shutdown vlan 93
!
flow monitor MEATH_CO_CO
!
!
!
errdisable recovery cause psecure-violation
errdisable recovery interval 1800
power redundancy-mode redundant
!
mac access-list extended VSL-BPDU
permit any 0180.c200.0000 0000.0000.0003
mac access-list extended VSL-CDP
permit any host 0100.0ccc.cccc
mac access-list extended VSL-DOT1x
permit any any 0x888E
mac access-list extended VSL-GARP
permit any host 0180.c200.0020
mac access-list extended VSL-LLDP
permit any host 0180.c200.000e
mac access-list extended VSL-MGMT
permit any 0022.bdcd.d200 0000.0000.00ff
permit 0022.bdcd.d200 0000.0000.00ff any
mac access-list extended VSL-SSTP
permit any host 0100.0ccc.cccd
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1-20,22-93,100-193,200-4094 priority 28672
spanning-tree vlan 21,94-99,194-199 priority 24576
!
redundancy
mode sso
!
vlan internal allocation policy ascending
lldp run
cdp timer 5
!
!
class-map match-any VSL-MGMT-PACKETS
match access-group name VSL-MGMT
class-map match-all AutoQos-4.0-Scavenger-Classify
match access-group name AutoQos-4.0-ACL-Scavenger
class-map match-any VSL-DATA-PACKETS
match any
class-map match-all AutoQos-4.0-Signaling-Classify
match access-group name AutoQos-4.0-ACL-Signaling
class-map match-any VSL-L2-CONTROL-PACKETS
match access-group name VSL-DOT1x
match access-group name VSL-BPDU
match access-group name VSL-CDP
match access-group name VSL-LLDP
match access-group name VSL-SSTP
match access-group name VSL-GARP
class-map match-any AutoQos-4.0-Priority-Queue
match cos 5
match dscp ef
match dscp cs5
match dscp cs4
class-map match-any VSL-L3-CONTROL-PACKETS
match access-group name VSL-IPV4-ROUTING
match access-group name VSL-BFD
match access-group name VSL-DHCP-CLIENT-TO-SERVER
match access-group name VSL-DHCP-SERVER-TO-CLIENT
match access-group name VSL-DHCP-SERVER-TO-SERVER
match access-group name VSL-IPV6-ROUTING
class-map match-all AutoQos-4.0-VoIP-Data-Cos
match cos 5
class-map match-any AutoQos-4.0-Multimedia-Stream-Queue
match dscp af31
match dscp af32
match dscp af33
class-map match-all AutoQos-4.0-Network-Mgmt
match dscp cs2
class-map match-any VSL-MULTIMEDIA-TRAFFIC
match dscp af41
match dscp af42
match dscp af43
match dscp af31
match dscp af32
match dscp af33
match dscp af21
match dscp af22
match dscp af23
class-map match-all AutoQos-4.0-VoIP-Signal-Cos
match cos 3
class-map match-any AutoQos-4.0-Multimedia-Conf-Queue
match cos 4
match dscp af41
match dscp af42
match dscp af43
match access-group name AutoQos-4.0-ACL-Multimedia-Conf
class-map match-any AutoQos-4.0-Transaction-Data
match dscp af21
match dscp af22
match dscp af23
class-map match-all AutoQos-4.0-Network-Ctrl
match dscp cs7
class-map match-all AutoQos-4.0-Scavenger
match dscp cs1
class-map match-all AutoQos-4.0-Default-Classify
match access-group name AutoQos-4.0-ACL-Default
class-map match-any AutoQos-4.0-Signaling
match dscp cs3
match cos 3
class-map match-any AutoQos-4.0-Bulk-Data-Queue
match cos 1
match dscp af11
match dscp af12
match dscp af13
match access-group name AutoQos-4.0-ACL-Bulk-Data
class-map match-all AutoQos-4.0-Transaction-Classify
match access-group name AutoQos-4.0-ACL-Transactional-Data
class-map match-any VSL-VOICE-VIDEO-TRAFFIC
match dscp ef
match dscp cs4
match dscp cs5
class-map match-all MAN_VoIP_Bearer
match ip dscp ef
class-map match-any MAN_VoIP_Signal
match ip dscp cs3
match ip dscp af31
class-map match-all AutoQos-4.0-Broadcast-Vid
match dscp cs5
class-map match-any AutoQos-4.0-Bulk-Data
match dscp af11
match dscp af12
match dscp af13
class-map match-all AutoQos-4.0-VoIP-Video-Cos
match cos 4
class-map match-any AutoQos-4.0-Scavenger-Queue
match dscp cs1
match cos 1
match access-group name AutoQos-4.0-ACL-Scavenger
class-map match-any AutoQos-4.0-VoIP
match dscp ef
match cos 5
class-map match-any AutoQos-4.0-Multimedia-Conf
match dscp af41
match dscp af42
match dscp af43
class-map match-any AutoQos-4.0-Control-Mgmt-Queue
match cos 3
match dscp cs7
match dscp cs6
match dscp cs3
match dscp cs2
match access-group name AutoQos-4.0-ACL-Signaling
class-map match-all AutoQos-4.0-Bulk-Data-Classify
match access-group name AutoQos-4.0-ACL-Bulk-Data
class-map match-any AutoQos-4.0-Trans-Data-Queue
match cos 2
match dscp af21
match dscp af22
match dscp af23
match access-group name AutoQos-4.0-ACL-Transactional-Data
class-map match-any AutoQos-4.0-Multimedia-Stream
match dscp af31
match dscp af32
match dscp af33
class-map match-any AutoQos-4.0-VoIP-Data
match dscp ef
match cos 5
class-map match-all AutoQos-4.0-Internetwork-Ctrl
match dscp cs6
class-map match-any VSL-SIGNALING-NETWORK-MGMT
match dscp cs2
match dscp cs3
match dscp cs6
match dscp cs7
class-map match-all AutoQos-4.0-Realtime-Interact
match dscp cs4
class-map match-all AutoQos-4.0-Multimedia-Conf-Classify
match access-group name AutoQos-4.0-ACL-Multimedia-Conf
class-map match-any AutoQos-4.0-VoIP-Signal
match dscp cs3
match cos 3
!
policy-map MAN_Traffic
description 1GB Buvinda House - NavanTC GN Vodafone GCN connection
class MAN_VoIP_Signal
bandwidth 256
class MAN_VoIP_Bearer
class class-default
policy-map AutoQos-4.0-Output-Policy
class AutoQos-4.0-Scavenger-Queue
bandwidth remaining percent 1
class AutoQos-4.0-Priority-Queue
priority
police cir percent 30 bc 33 ms
class AutoQos-4.0-Control-Mgmt-Queue
bandwidth remaining percent 10
class AutoQos-4.0-Multimedia-Conf-Queue
bandwidth remaining percent 10
class AutoQos-4.0-Multimedia-Stream-Queue
bandwidth remaining percent 10
class AutoQos-4.0-Trans-Data-Queue
bandwidth remaining percent 10
dbl
class AutoQos-4.0-Bulk-Data-Queue
bandwidth remaining percent 4
dbl
class class-default
bandwidth remaining percent 25
dbl
policy-map VSL-Queuing-Policy
class VSL-MGMT-PACKETS
bandwidth percent 5
class VSL-L2-CONTROL-PACKETS
bandwidth percent 5
class VSL-L3-CONTROL-PACKETS
bandwidth percent 5
class VSL-VOICE-VIDEO-TRAFFIC
bandwidth percent 30
class VSL-SIGNALING-NETWORK-MGMT
bandwidth percent 10
class VSL-MULTIMEDIA-TRAFFIC
bandwidth percent 20
class VSL-DATA-PACKETS
bandwidth percent 20
class class-default
bandwidth percent 5
policy-map AutoQos-4.0-Input-Policy
class AutoQos-4.0-VoIP
class AutoQos-4.0-Broadcast-Vid
class AutoQos-4.0-Realtime-Interact
class AutoQos-4.0-Network-Ctrl
class AutoQos-4.0-Internetwork-Ctrl
class AutoQos-4.0-Signaling
class AutoQos-4.0-Network-Mgmt
class AutoQos-4.0-Multimedia-Conf
class AutoQos-4.0-Multimedia-Stream
class AutoQos-4.0-Transaction-Data
class AutoQos-4.0-Bulk-Data
class AutoQos-4.0-Scavenger
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
description ###Backup Tunnel Source to Area Offices###
ip address 10.55.10.253 255.255.255.255
!
interface Port-channel62
description ###4500 stacking###
switchport
switchport mode trunk
switchport nonegotiate
switch virtual link 2
!
interface Port-channel63
description ###4500 stacking###
switchport
switchport mode trunk
switchport nonegotiate
switch virtual link 1
!
interface Port-channel95
description ###To BH_CommsG_EdgeStack1###
switchport
switchport mode trunk
spanning-tree guard root
!
interface Port-channel96
description ###To BH_CommsG_EdgeStack2###
switchport
switchport mode trunk
switchport nonegotiate
!
interface Port-channel97
description ###To BH_Comms1_EdgeStack1###
switchport
switchport mode trunk
switchport nonegotiate
!
interface Port-channel98
description ###To BH_Comms1_EdgeStack2###
switchport
switchport mode trunk
switchport nonegotiate
!
interface Port-channel99
description ###To BH_Comms1_SvrStack1###
switchport
switchport mode trunk
switchport nonegotiate
!
interface Port-channel192
description ###To BH_Comms1_DMZStack1###
switchport
switchport trunk allowed vlan 600
switchport mode trunk
switchport nonegotiate
!
interface Port-channel255
description ###GN L2 Link to Innovation House###
switchport
switchport trunk allowed vlan 1,23-26,192,200,214,215,221,222,500,555,600,601
switchport trunk allowed vlan add 999
switchport mode trunk
switchport nonegotiate
!
interface Tunnel32
description -----Backup tunnel to Navan TC-----
ip address 10.55.10.161 255.255.255.252
ip mtu 1400
ip ospf message-digest-key 1 md5 7 06254E654F1E363616271448
ip ospf cost 9999
tunnel source Loopback0
tunnel destination 10.55.10.247
!
interface Tunnel33
description -----Backup tunnel to Kells OSS----
ip address 10.55.10.146 255.255.255.252
ip mtu 1400
ip ospf message-digest-key 1 md5 7 106D485D06472D241F342C68
ip ospf cost 9999
tunnel source Loopback0
tunnel destination 10.55.10.251
!
interface Tunnel34
description -----Backup tunnel to Trim TC-----
ip address 10.55.10.138 255.255.255.252
ip tcp adjust-mss 1452
ip ospf message-digest-key 1 md5 7 06254E654F1E363616271448
ip ospf cost 9999
shutdown
tunnel source Loopback0
tunnel destination 10.55.10.252
!
interface Tunnel40
description -----Backup tunnel to Duleek OSS-----
ip address 10.55.10.154 255.255.255.252
ip mtu 1400
ip ospf message-digest-key 1 md5 7 06254E654F1E363616271448
ip ospf cost 9999
tunnel source Loopback0
tunnel destination 10.55.10.250
!
interface Tunnel41
description -----Backup tunnel to Dunshaughlin Civic Office-----
ip address 10.55.10.150 255.255.255.252
ip mtu 1400
ip ospf message-digest-key 1 md5 7 06254E654F1E363616271448
ip ospf cost 9999
tunnel source Loopback0
tunnel destination 10.55.10.249
!
interface Tunnel83
description -----Backup tunnel to Enterprise Centre-----
ip address 10.55.10.157 255.255.255.252
ip mtu 1400
ip ospf message-digest-key 1 md5 7 00275242070B34291C114A0D
ip ospf cost 9999
shutdown
tunnel source Loopback0
tunnel destination 10.55.10.248
!
interface FastEthernet1
vrf forwarding mgmtVrf
no ip address
speed auto
duplex auto
!
interface TenGigabitEthernet1/1/1
description ###To BH_CommsG_EdgeStack1###
switchport mode trunk
channel-group 95 mode active
!
interface TenGigabitEthernet1/1/2
description ###To BH_CommsG_EdgeStack2###
switchport mode trunk
switchport nonegotiate
channel-group 96 mode active
!
interface TenGigabitEthernet1/1/3
description ###To BH_Comms1_EdgeStack1###
switchport mode trunk
switchport nonegotiate
channel-group 97 mode active
!
interface TenGigabitEthernet1/1/4
description ###To BH_Comms1_EdgeStack2###
switchport mode trunk
switchport nonegotiate
channel-group 98 mode active
!
interface TenGigabitEthernet1/1/5
description ###To BH_Comms1_SvrStack1###
switchport mode trunk
switchport nonegotiate
channel-group 99 mode active
!
interface TenGigabitEthernet1/1/6
!
interface TenGigabitEthernet1/1/7
no switchport
ip address 10.55.240.101 255.255.255.252
ip mtu 1420
ip tcp adjust-mss 1390
!
interface TenGigabitEthernet1/1/8
shutdown
!
interface TenGigabitEthernet1/1/9
description ###Sigma - Cairn Hill to Farganstown
switchport mode trunk
!
interface TenGigabitEthernet1/1/10
description ###Link to Prod-esxi-01 for Languardian monitoring###
switchport mode access
!
interface TenGigabitEthernet1/1/11
description ###temp vMotion link to IH###
switchport access vlan 601
switchport mode access
!
interface TenGigabitEthernet1/1/12
!
interface TenGigabitEthernet1/1/13
description ###GN L2 Link to Innovation House###
switchport trunk allowed vlan 1,23-26,192,200,214,215,221,222,500,555,600,601
switchport trunk allowed vlan add 999
switchport mode trunk
switchport nonegotiate
channel-group 255 mode active
!
interface TenGigabitEthernet1/1/14
description ###VSS Keepalive###
switchport mode trunk
switchport nonegotiate
dual-active fast-hello
!
interface TenGigabitEthernet1/1/15
description ###VSL link###
switchport mode trunk
switchport nonegotiate
no cdp enable
no lldp transmit
no lldp receive
channel-group 63 mode on
service-policy output VSL-Queuing-Policy
!
interface TenGigabitEthernet1/1/16
description ###VSL link###
switchport mode trunk
switchport nonegotiate
no cdp enable
no lldp transmit
no lldp receive
channel-group 63 mode on
service-policy output VSL-Queuing-Policy
!
interface TenGigabitEthernet1/2/1
description ###Voice Gateway 1 Gig 0/0###
switchport access vlan 211
switchport mode access
!
interface TenGigabitEthernet1/2/2
description ### Fortigate Firewall1 inside Nic###
switchport trunk allowed vlan 1,23-26
switchport mode trunk
!
interface TenGigabitEthernet1/2/3
description ###SIGMA - to Cairn Hill to Farganstown & Firestation###
switchport mode trunk
!
interface TenGigabitEthernet1/2/4
description ###SIGMA 200Mb - to Mt Oriel###
switchport mode trunk
bandwidth 1638400
!
interface TenGigabitEthernet1/2/5
description *** GN Vodafone GCN 1GB Connection to NavanTC ***
switchport trunk allowed vlan 932
switchport mode trunk
!
interface TenGigabitEthernet1/2/6
description ###To BH_Comms1_DMZStack1###
switchport trunk allowed vlan 600
switchport mode trunk
switchport nonegotiate
channel-group 192 mode active
!
interface TenGigabitEthernet1/2/7
description ### Sigma management int to IDU to Mt Oriel ###
switchport access vlan 500
switchport mode access
speed 100
!
interface TenGigabitEthernet1/2/8
description ###ASA F/W DMZ Traffic###
switchport access vlan 600
switchport mode access
!
interface TenGigabitEthernet2/1/1
description ###To BH_CommsG_EdgeStack1###
switchport mode trunk
channel-group 95 mode active
!
interface TenGigabitEthernet2/1/2
description ###To BH_CommsG_EdgeStack2###
switchport mode trunk
switchport nonegotiate
channel-group 96 mode active
!
interface TenGigabitEthernet2/1/3
description ###To BH_Comms1_EdgeStack1###
switchport mode trunk
switchport nonegotiate
channel-group 97 mode active
!
interface TenGigabitEthernet2/1/4
description ###To BH_Comms1_EdgeStack2###
switchport mode trunk
switchport nonegotiate
channel-group 98 mode active
!
interface TenGigabitEthernet2/1/5
description ###To BH_Comms1_SvrStack1###
switchport mode trunk
switchport nonegotiate
channel-group 99 mode active
!
interface TenGigabitEthernet2/1/6
!
interface TenGigabitEthernet2/1/7
!
interface TenGigabitEthernet2/1/8
!
interface TenGigabitEthernet2/1/9
!
interface TenGigabitEthernet2/1/10
!
interface TenGigabitEthernet2/1/11
!
interface TenGigabitEthernet2/1/12
!
interface TenGigabitEthernet2/1/13
description ###GN L2 Link to Innovation House###
switchport trunk allowed vlan 1,23-26,192,200,214,215,221,222,500,555,600,601
switchport trunk allowed vlan add 999
switchport mode trunk
switchport nonegotiate
channel-group 255 mode active
!
interface TenGigabitEthernet2/1/14
description ###VSS Keepalive###
switchport mode trunk
switchport nonegotiate
dual-active fast-hello
!
interface TenGigabitEthernet2/1/15
description ###VSL link###
switchport mode trunk
switchport nonegotiate
no cdp enable
no lldp transmit
no lldp receive
channel-group 62 mode on
service-policy output VSL-Queuing-Policy
!
interface TenGigabitEthernet2/1/16
description ###VSL link###
switchport mode trunk
switchport nonegotiate
no cdp enable
no lldp transmit
no lldp receive
channel-group 62 mode on
service-policy output VSL-Queuing-Policy
!
interface TenGigabitEthernet2/2/1
description ###Navan_4331_VGW2###
switchport access vlan 202
switchport mode access
!
interface TenGigabitEthernet2/2/2
description ###Fortigate Firewall2 inside Nic###
switchport trunk allowed vlan 1,23-26
switchport mode trunk
!
interface TenGigabitEthernet2/2/3
!
interface TenGigabitEthernet2/2/4
description ###Eir eLine 50Mb to AshbourneCO###
switchport mode trunk
!
interface TenGigabitEthernet2/2/5
!
interface TenGigabitEthernet2/2/6
description ###To BH_Comms1_DMZStack1###
switchport trunk allowed vlan 600
switchport mode trunk
switchport nonegotiate
channel-group 192 mode active
!
interface TenGigabitEthernet2/2/7
!
interface TenGigabitEthernet2/2/8
description ###Fortigate Firewall2 DMZ Traffic###
switchport access vlan 600
switchport mode access
!
interface Vlan1
ip address 10.55.0.101 255.255.248.0
ip access-group tv_out_out out
ip pim sparse-dense-mode
standby 55 ip 10.55.1.21
standby 55 timers 1 3
standby 55 priority 200
standby 55 preempt
standby 55 authentication itpwd
ip ospf message-digest-key 1 md5 7 112A584114423423171A2D67
ip ospf priority 255
arp timeout 180
!
interface Vlan21
description ###Buvinda House Print Subnet###
ip address 10.55.21.254 255.255.255.0
ip helper-address 10.55.2.50
ip helper-address 10.55.1.126
ip pim sparse-dense-mode
!
interface Vlan91
description *** Exchange 2013 Replication VLAN Production Site ***
ip address 10.55.91.1 255.255.255.248
!
interface Vlan93
description *** VMWare vSwitch for Exc 2010 DAG replication ***
ip address 10.55.93.1 255.255.255.248
shutdown
!
interface Vlan94
description ###Data Wifi Clients Ground Floor###
ip address 10.55.94.254 255.255.255.0
ip helper-address 10.55.2.50
ip helper-address 10.55.1.126
ip pim sparse-dense-mode
arp timeout 180
!
interface Vlan95
description ###BH_CommsG_EdgeStack1 Data VLAN###
ip address 10.55.95.254 255.255.255.0
ip helper-address 10.55.2.50
ip helper-address 10.55.1.126
ip pim sparse-dense-mode
arp timeout 180
!
interface Vlan96
description ###BH_CommsG_EdgeStack2 Data VLAN###
ip address 10.55.96.254 255.255.255.0
ip access-group tv_in_in in
ip helper-address 10.55.2.50
ip helper-address 10.55.1.126
ip pim sparse-dense-mode
arp timeout 180
!
interface Vlan97
description ###BH_Comms1_EdgeStack1 Data VLAN###
ip address 10.55.97.254 255.255.255.0
ip helper-address 10.55.2.50
ip helper-address 10.55.1.126
ip pim sparse-dense-mode
arp timeout 180
!
interface Vlan98
description ###BH_Comms1_EdgeStack2 Data VLAN###
ip address 10.55.98.254 255.255.255.0
ip helper-address 10.55.2.50
ip helper-address 10.55.1.126
ip pim sparse-dense-mode
arp timeout 180
!
interface Vlan99
description ###Data Wifi Clients 1st Floor###
ip address 10.55.99.254 255.255.255.0
ip helper-address 10.55.2.50
ip helper-address 10.55.1.126
ip pim sparse-dense-mode
arp timeout 180
!
interface Vlan102
description ### IT Data VLAN to replace 10.55.3.x###
ip address 10.55.102.254 255.255.255.0
ip helper-address 10.55.2.50
ip helper-address 10.55.1.126
ip helper-address 10.55.1.121
ip helper-address 10.55.214.121
ip pim sparse-dense-mode
arp timeout 180
!
interface Vlan120
description ###Wifi Management Network###
ip address 10.55.120.254 255.255.255.0
ip helper-address 10.55.2.50
ip helper-address 10.55.1.126
ip pim sparse-dense-mode
!
interface Vlan121
description ###Buvinda House Network Devices###
ip address 10.55.121.254 255.255.255.0
ip helper-address 10.55.2.50
ip helper-address 10.55.1.126
ip pim sparse-dense-mode
arp timeout 180
!
interface Vlan122
description ###Digital signage Head End & TV end points###
ip address 10.55.122.254 255.255.255.0
ip helper-address 10.55.2.50
ip helper-address 10.55.1.126
ip pim sparse-dense-mode
arp timeout 180
!
interface Vlan123
description ###Buvinda House Visa Machines###
ip address 10.55.123.14 255.255.255.240
ip helper-address 10.55.2.50
ip helper-address 10.55.1.126
ip pim sparse-dense-mode
arp timeout 180
!
interface Vlan194
description ###Voice Wifi Clients Ground Floor###
ip address 10.55.194.254 255.255.255.0
ip helper-address 10.55.2.50
ip helper-address 10.55.1.126
ip pim sparse-dense-mode
!
interface Vlan195
description ###BH_CommsG_EdgeStack1 Voice VLAN###
ip address 10.55.195.254 255.255.255.0
ip helper-address 10.55.2.50
ip helper-address 10.55.1.126
!
interface Vlan196
description ###BH_CommsG_EdgeStack2 Voice VLAN###
ip address 10.55.196.254 255.255.255.0
ip helper-address 10.55.2.50
ip helper-address 10.55.1.126
!
interface Vlan197
description ###BH_Comms1_EdgeStack1 Voice VLAN###
ip address 10.55.197.254 255.255.255.0
ip helper-address 10.55.2.50
ip helper-address 10.55.1.126
!
interface Vlan198
description ###BH_Comms1_EdgeStack2 Voice VLAN###
ip address 10.55.198.254 255.255.255.0
ip helper-address 10.55.2.50
ip helper-address 10.55.1.126
!
interface Vlan199
description ###Voice Wifi Clients 1st Floor###
ip address 10.55.199.254 255.255.255.0
ip helper-address 10.55.2.50
ip helper-address 10.55.1.126
ip pim sparse-dense-mode
!
interface Vlan200
description CallManager Primary Vlan
ip address 10.55.200.1 255.255.255.128
!
interface Vlan202
description Navan_4331_VGW2 9032200 first interface subnet
ip address 10.55.200.145 255.255.255.240
ip ospf message-digest-key 1 md5 7 112A584114423423171A2D67
!
interface Vlan211
description Navan_4331_VGW 9032100 first interface subnet
ip address 10.55.210.129 255.255.255.240
ip ospf message-digest-key 1 md5 7 112A584114423423171A2D67
!
interface Vlan214
description ### Production Servers Vlan ###
ip address 10.55.214.254 255.255.255.0
ip helper-address 10.55.2.50
ip helper-address 10.55.1.126
ip pim sparse-dense-mode
!
interface Vlan221
description ### Production Management VLAN ###
ip address 10.55.22.126 255.255.255.128
ip helper-address 10.55.1.126
ip helper-address 10.55.2.50
ip pim sparse-dense-mode
!
interface Vlan500
description Sigma Wireless Mgt
ip address 10.10.10.91 255.255.255.248
!
interface Vlan932
description Vlan 932 to NavanTC for OSPF traffic
ip address 10.55.240.26 255.255.255.252
ip mtu 1460
ip pim sparse-dense-mode
ip tcp adjust-mss 1200
ip ospf network point-to-point
!
interface Vlan933
description Vlan 933 to Kells for OSPF traffic
ip address 10.55.240.17 255.255.255.252
ip mtu 1490
ip pim sparse-dense-mode
ip tcp adjust-mss 1440
ip ospf message-digest-key 1 md5 7 141443180F54
ip ospf network point-to-point
!
interface Vlan934
description Vlan 934 to Trim for OSPF traffic
ip address 10.55.240.9 255.255.255.252
ip mtu 1495
ip pim sparse-dense-mode
ip tcp adjust-mss 1420
ip ospf message-digest-key 1 md5 7 06254E654F1E363616271448
ip ospf network point-to-point
!
interface Vlan936
description Vlan 936 to Ferganstown for OSPF traffic
ip address 10.55.240.1 255.255.255.252
ip pim sparse-dense-mode
ip tcp adjust-mss 1420
ip ospf message-digest-key 1 md5 7 06254E654F1E363616271448
ip ospf network point-to-point
!
interface Vlan940
description Vlan 940 to Duleek for OSPF traffic
bandwidth 50000
ip address 10.55.240.14 255.255.255.252
ip pim sparse-dense-mode
ip tcp adjust-mss 1420
ip ospf message-digest-key 1 md5 7 072C60084D59262A04220D4F
ip ospf network point-to-point
!
interface Vlan941
description Vlan 941 to Dunshaughlin for OSPF traffic
ip address 10.55.240.5 255.255.255.252
ip pim sparse-dense-mode
ip tcp adjust-mss 1420
ip ospf message-digest-key 1 md5 7 0225451F0856300E5F7E0F5A
ip ospf network point-to-point
!
interface Vlan942
description Vlan 942 to Ashbourne for OSPF traffic
bandwidth 50000
ip address 10.55.240.41 255.255.255.252
ip pim sparse-dense-mode
ip tcp adjust-mss 1420
ip ospf network point-to-point
!
interface Vlan948
description ## Vlan 948 to Navan FS for OSPF traffic ##
bandwidth 50000
ip address 10.55.240.49 255.255.255.252
ip pim sparse-dense-mode
ip tcp adjust-mss 1420
ip ospf message-digest-key 1 md5 7 0225451F0856300E5F7E0F5A
ip ospf network point-to-point
!
interface Vlan970
description Vlan 970 to Dunshaughlin Water Tower for office devices
ip address 10.55.70.209 255.255.255.240
ip helper-address 10.55.214.202
ip pim sparse-dense-mode
ip tcp adjust-mss 1420
ip ospf message-digest-key 1 md5 7 112A584114423423171A2D6768
ip ospf network point-to-point
!
interface Vlan983
no ip address
ip tcp adjust-mss 1420
shutdown
!
interface Vlan999
description ###Management VLAN###
ip address 10.55.250.101 255.255.255.0
arp timeout 180
!
router ospf 1
router-id 10.55.0.101
nsf
area 0 authentication message-digest
area 33 authentication message-digest
area 34 authentication message-digest
area 36 authentication message-digest
area 40 authentication message-digest
area 41 authentication message-digest
area 48 authentication message-digest
area 83 authentication message-digest
passive-interface Vlan21
passive-interface Vlan91
passive-interface Vlan94
passive-interface Vlan95
passive-interface Vlan96
passive-interface Vlan97
passive-interface Vlan98
passive-interface Vlan99
passive-interface Vlan102
passive-interface Vlan120
passive-interface Vlan121
passive-interface Vlan122
passive-interface Vlan194
passive-interface Vlan195
passive-interface Vlan196
passive-interface Vlan197
passive-interface Vlan198
passive-interface Vlan199
passive-interface Vlan200
passive-interface Vlan999
network 10.55.0.101 0.0.0.0 area 0
network 10.55.10.136 0.0.0.3 area 34
network 10.55.10.144 0.0.0.3 area 33
network 10.55.10.148 0.0.0.3 area 41
network 10.55.10.152 0.0.0.3 area 40
network 10.55.10.156 0.0.0.3 area 83
network 10.55.10.160 0.0.0.3 area 32
network 10.55.10.253 0.0.0.0 area 0
network 10.55.21.254 0.0.0.0 area 0
network 10.55.22.0 0.0.0.127 area 221
network 10.55.70.209 0.0.0.0 area 970
network 10.55.91.1 0.0.0.0 area 0
network 10.55.94.254 0.0.0.0 area 0
network 10.55.95.254 0.0.0.0 area 0
network 10.55.96.254 0.0.0.0 area 0
network 10.55.97.254 0.0.0.0 area 0
network 10.55.98.254 0.0.0.0 area 0
network 10.55.99.254 0.0.0.0 area 0
network 10.55.102.254 0.0.0.0 area 0
network 10.55.120.254 0.0.0.0 area 0
network 10.55.121.254 0.0.0.0 area 0
network 10.55.122.254 0.0.0.0 area 0
network 10.55.194.254 0.0.0.0 area 0
network 10.55.195.254 0.0.0.0 area 0
network 10.55.196.254 0.0.0.0 area 0
network 10.55.197.254 0.0.0.0 area 0
network 10.55.198.254 0.0.0.0 area 0
network 10.55.199.254 0.0.0.0 area 0
network 10.55.200.0 0.0.0.127 area 0
network 10.55.200.129 0.0.0.0 area 0
network 10.55.200.145 0.0.0.0 area 0
network 10.55.210.129 0.0.0.0 area 0
network 10.55.214.0 0.0.0.255 area 214
network 10.55.240.1 0.0.0.0 area 36
network 10.55.240.5 0.0.0.0 area 41
network 10.55.240.9 0.0.0.0 area 34
network 10.55.240.14 0.0.0.0 area 40
network 10.55.240.12 0.0.0.3 area 40
network 10.55.240.17 0.0.0.0 area 33
network 10.55.240.26 0.0.0.0 area 32
network 10.55.240.41 0.0.0.0 area 42
network 10.55.240.49 0.0.0.0 area 48
network 10.55.250.254 0.0.0.0 area 0
!
ip access-list log-update threshold 1
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.55.1.1
ip route 10.10.10.0 255.255.255.248 10.10.10.90
ip route 10.10.10.8 255.255.255.248 10.55.0.100
ip route 10.10.10.32 255.255.255.248 10.10.10.90
ip route 10.10.10.40 255.255.255.248 10.10.10.90
ip route 10.10.10.48 255.255.255.248 10.10.10.90
ip route 10.10.10.56 255.255.255.248 10.10.10.90
ip route 10.10.10.64 255.255.255.248 10.10.10.90
ip route 10.10.10.72 255.255.255.248 10.10.10.89
ip route 10.10.10.80 255.255.255.248 10.10.10.90
ip route 10.10.10.96 255.255.255.248 10.10.10.89
ip route 10.55.10.247 255.255.255.255 10.55.1.1
ip route 10.55.10.248 255.255.255.255 10.55.1.1
ip route 10.55.10.249 255.255.255.255 10.55.1.1
ip route 10.55.10.250 255.255.255.255 10.55.1.1
ip route 10.55.10.251 255.255.255.255 10.55.1.1
ip route 10.55.10.252 255.255.255.255 10.55.1.1
ip route 10.55.10.254 255.255.255.255 10.55.1.1
ip route 169.254.0.0 255.255.192.0 10.55.1.1
ip ssh version 1
!
ip access-list standard ADMIN_ACCESS
permit 10.55.0.0 0.0.255.255
remark *** Access list controlling who is allowed Telnet/SSH to the Device
ip access-list standard SNMP_ACCESS
ip access-list standard SNMP_receivers
permit 10.55.214.167
remark *** BH-ITSVR, LQUINN & temp Eircom Eng SNMP traps ***
permit 10.55.214.61
permit 10.55.214.48
remark *** BH-ITSVR, cisco_smart_collector, LQUINN & temp Eircom Eng SNMP traps
!
ip access-list extended AutoQos-4.0-ACL-Bulk-Data
permit tcp any any eq ftp
permit tcp any any eq ftp-data
permit tcp any any eq 22
permit tcp any any eq smtp
permit tcp any any eq 465
permit tcp any any eq 143
permit tcp any any eq 993
permit tcp any any eq pop3
permit tcp any any eq 995
permit tcp any any eq 1914
ip access-list extended AutoQos-4.0-ACL-Default
permit ip any any
ip access-list extended AutoQos-4.0-ACL-Multimedia-Conf
permit udp any any range 16384 32767
ip access-list extended AutoQos-4.0-ACL-Scavenger
permit tcp any any eq 1214
permit udp any any eq 1214
permit tcp any any range 2300 2400
permit udp any any range 2300 2400
permit tcp any any eq 3689
permit udp any any eq 3689
permit tcp any any range 6881 6999
permit tcp any any eq 11999
permit tcp any any range 28800 29100
ip access-list extended AutoQos-4.0-ACL-Signaling
permit tcp any any range 2000 2002
permit tcp any any range 5060 5061
permit udp any any range 5060 5061
ip access-list extended AutoQos-4.0-ACL-Transactional-Data
permit tcp any any eq 443
permit tcp any any eq 1521
permit udp any any eq 1521
permit tcp any any eq 1526
permit udp any any eq 1526
permit tcp any any eq 1575
permit udp any any eq 1575
permit tcp any any eq 1630
permit udp any any eq 1630
ip access-list extended BLOCK-MGCP-SCCP
deny tcp 10.55.19.0 0.0.0.255 eq 2000 10.55.200.0 0.0.0.127
deny tcp 10.55.19.0 0.0.0.255 eq 2000 10.55.210.0 0.0.0.127
deny tcp 10.55.19.0 0.0.0.255 range 1718 1720 10.55.200.0 0.0.0.127
deny tcp 10.55.19.0 0.0.0.255 range 1718 1720 10.55.210.0 0.0.0.127
deny udp 10.55.19.0 0.0.0.255 range 1718 1720 10.55.200.0 0.0.0.127
deny udp 10.55.19.0 0.0.0.255 range 1718 1720 10.55.210.0 0.0.0.127
deny tcp 10.55.19.0 0.0.0.255 range 2747 2748 10.55.200.0 0.0.0.127
deny tcp 10.55.19.0 0.0.0.255 range 2747 2748 10.55.210.0 0.0.0.127
deny udp 10.55.19.0 0.0.0.255 eq 5960 10.55.200.0 0.0.0.127
deny udp 10.55.19.0 0.0.0.255 eq 5960 10.55.210.0 0.0.0.127
deny tcp 10.55.9.0 0.0.0.255 eq 2000 10.55.200.0 0.0.0.127
deny tcp 10.55.9.0 0.0.0.255 eq 2000 10.55.210.0 0.0.0.127
deny tcp 10.55.9.0 0.0.0.255 range 1718 1720 10.55.200.0 0.0.0.127
deny tcp 10.55.9.0 0.0.0.255 range 1718 1720 10.55.210.0 0.0.0.127
deny tcp 10.55.9.0 0.0.0.255 range 2747 2748 10.55.200.0 0.0.0.127
deny tcp 10.55.9.0 0.0.0.255 range 2747 2748 10.55.210.0 0.0.0.127
deny udp 10.55.9.0 0.0.0.255 eq 5960 10.55.200.0 0.0.0.127
deny udp 10.55.9.0 0.0.0.255 eq 596 10.55.210.0 0.0.0.127
deny udp any host 10.55.200.10 log
deny udp any host 10.55.210.10 log
deny tcp any host 10.55.210.10 log
deny tcp any host 10.55.200.10 log
permit icmp any any
permit ip any any
ip access-list extended VSL-BFD
permit udp any any eq 3784
ip access-list extended VSL-DHCP-CLIENT-TO-SERVER
permit udp any eq bootpc any eq bootps
ip access-list extended VSL-DHCP-SERVER-TO-CLIENT
permit udp any eq bootps any eq bootpc
ip access-list extended VSL-DHCP-SERVER-TO-SERVER
permit udp any eq bootps any eq bootps
ip access-list extended VSL-IPV4-ROUTING
permit ip any 224.0.0.0 0.0.0.255
ip access-list extended tv_combined
permit ip host 10.55.96.10 host 10.55.214.48
permit ip host 10.55.214.48 host 10.55.96.10
ip access-list extended tv_in_in
permit ip any any
permit ip host 10.55.96.10 host 10.55.214.48 log
ip access-list extended tv_in_out
permit ip any any
permit ip host 10.55.214.48 host 10.55.96.10 log
ip access-list extended tv_out_in
permit ip any any
permit ip host 10.55.214.48 host 10.55.96.10 log
ip access-list extended tv_out_out
permit ip any any
permit ip host 10.55.96.10 host 10.55.214.48 log
!
ip radius source-interface Vlan1
logging trap notifications
logging facility syslog
logging source-interface Vlan999
logging host 10.55.22.41
!
snmp-server community lx3942 RW
snmp-server community public RO
snmp-server community ReadWhatsUp RO
snmp-server community WriteWhatsUp RW
snmp-server community MCC_SNMP RW SNMP_receivers
snmp-server community SmartCollector RO
snmp-server location *** Buvinda House ***
snmp-server contact *** Liz Casey 046-9097334 ***
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps entity
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps ipsla
snmp-server enable traps config
snmp-server enable traps syslog
!
radius-server retransmit 0
radius-server deadtime 1
radius-server key 7 012126000A1E533C765E1F074C57181D4F
!
radius server Radius1
address ipv4 10.55.1.126 auth-port 1645 acct-port 1646
key 7 012126000A1E533C765E1F074C57181D4F
!
radius server Radius2
address ipv4 10.55.2.50 auth-port 1645 acct-port 1646
key 7 012126000A1E533C765E1F074C57181D4F
!
!
!
ipv6 access-list VSL-IPV6-ROUTING
permit ipv6 any FF02::/124
banner login ^CC
************************************************************************

NOTICE TO USERS.

Unauthorized access prohibited. Authorized access only.

Disconnect IMMEDIATELY if you are not an authorized user!

THIS IS A PRIVATE COMPUTER SYSTEM. It is for authorized use only.
Users (authorized or unauthorized) have no explicit or implicit
expectation of privacy.

Any or all uses of this system and all files on this system may
be intercepted, monitored, recorded, copied, audited, inspected,
and disclosed to authorized site and law enforcement personnel,
as well as authorized officials of other agencies, both domestic
and foreign. By using this system, the user consents to such
interception, monitoring, recording, copying, auditing, inspection,
and disclosure at the discretion of authorized site personnel.

Unauthorized or improper use of this system may result in
administrative disciplinary action and civil and criminal penalties.
By continuing to use this system you indicate your awareness of and
consent to these terms and conditions of use. LOG OFF IMMEDIATELY
if you do not agree to the conditions stated in this warning.

*************************************************************************
^C
!
line con 0
exec-timeout 9 0
privilege level 0
logging synchronous
login authentication CON
stopbits 1
line vty 0 4
access-class ADMIN_ACCESS in
exec-timeout 9 0
privilege level 0
logging synchronous
length 0
transport input telnet ssh
transport output telnet ssh
line vty 5 15
access-class ADMIN_ACCESS in
exec-timeout 9 0
privilege level 0
logging synchronous
transport input ssh
transport output none
!
!
monitor session 1 source vlan 1 - 999
monitor session 1 destination interface Te1/1/10
monitor session 1 filter packet-type good rx
!
module provision switch 1
chassis-type 70 base-mac 003A.7DF0.0AC0
slot 1 slot-type 401 base-mac 003A.7DF0.0AC0
slot 2 slot-type 400 base-mac 5C83.8FF5.9968
!
module provision switch 2
chassis-type 70 base-mac 003A.7DF0.31C0
slot 1 slot-type 401 base-mac 003A.7DF0.31C0
slot 2 slot-type 400 base-mac 881D.FC5E.B748

!

ntp master 1
ntp update-calendar
ntp server 10.55.214.201 prefer
ntp server 10.55.2.50
!
end

BH_4500X_CoreStack#exit

Georg Pauwen · ‎08-25-2020

Hello,

the routing seems to be okay:

ip route 169.254.0.0 255.255.192.0 10.55.1.1

Can you ping actual website ? I would suggest to check with the firewall admin to see if HTTP/HTTPS between your networks is allowed, and what the routing on the firewall looks like...

Richard Burts · ‎08-26-2020

What can you tell us about this server with a 169.254 address. What kind of server is it? Is this server run by your agency and is located somewhere in your network? Is this server run by a related agency and is located in their network which is reached by a private communications link (or perhaps via vpn)? Or is this server located somewhere that requires Internet access to reach it?

HTH

Rick

emrassist1 · ‎01-17-2022

Hello Experts, I'm facing the same problems like this in my EMR e-scribe website. Can anyone be here to solve my issues?

Thanks In advance

Best Regards: Olivia Sophie

Georg Pauwen · ‎01-17-2022

Hello,

post your running configuration, as well as a schematic drawing of your topology.

paul driver · ‎01-17-2022

Hello

@lquinn wrote:

Fortigate Firewall connected to Cisco 4550 core switch
The core switch and firewall are both in Vlan 1

The traffic isn't getting as far as our firewall

ip route 0.0.0.0 0.0.0.0 10.55.1.1
ip route 169.254.0.0 255.255.192.0 10.55.1.1

The specific static route for 169.254.0.0/26 you have applied has the same next-hop as your static default route so it isn't really applicable.

You say the Firewall/core switch are both attached to vlan 1 but traffic from vlan 102 for 169.254.0.0/26 isn't reaching the FW,

Are our confirming traffic is not even reaching the FW or it might be but it is but you cannot validate this yourself?

The above seems to suggest there is nothing to impede traffic between FW/Core for vlan 102 and that the fw is receiving traffic but its getting denied and dropped.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul