Re: Intervlan Routing

ipo.peniel_rg · ‎05-30-2023

Hi All,

I have a scenario that i have tried dealing with with but out of reach. This is my situation:

I manage an autonomous system-HQ with different physical branches with their own subnet with its own DNS/DHCP. So that means each site has its own vlan for Voice and DATA. On my Core SWX at the HQ, I have a vlan for firewall. I only access straight from the coreswitch-set static IP on my Laptop. Now, i am trying to move from the HQ to one of the branch. The QH to Branch is on a P2P fiber link and has RP of EIGRP.

ANY IDEA ON HOW I CAN REACH THE FIREWALL FROM THE BRANCH?

M02@rt37 · ‎05-30-2023

Hello @ipo.peniel_rg,

Setting up a VPN tunnel or configuring site-to-site routing are common approaches to establish connectivity and allow access to devices like the firewall located at the headquarters from branch locations. These solutions provide secure and controlled access to resources across different networks.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

ipo.peniel_rg · ‎05-30-2023

Thank you So much. Do you know of any guides/setup examples i can use? This would greatly assist.

thank you.

M02@rt37 · ‎05-30-2023

@ipo.peniel_rg,

What is your Firewall ?

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

ipo.peniel_rg · ‎05-31-2023

Fortigate 200E

Flavio Miranda · ‎05-31-2023

Hi

If I undertood correctlly you do have connectivity between branch and HQ, right?

But, you access the firewall today by connecting the laptop to the core using static IP address? And you want to do the same while you are at the branch? Is that?

Why dont you propagate the firewall's network or IP on the EIGRP toward branch?

Or create a static route on branch poiting to HQ? I suppose the core in HQ can reach the firewall's vlan, right?

ipo.peniel_rg · ‎05-31-2023

Your understanding is correct. From the HQ to the Branch routing protocol is EIGRP. I can ping the HQ firewall VLAN gateway but not Firewall IP address nor can i access the firewall. Everything is fine at the HQ.

Can you assist with some steps/guide in configs? I would appreciate this.

Giuseppe Larosa · ‎06-01-2023

Hello @ipo.peniel_rg ,

>> From the HQ to the Branch routing protocol is EIGRP. I can ping the HQ firewall VLAN gateway but not Firewall IP address nor can i access the firewall.

You have a Fortigate 200E firewall you need to configure a static route on it for the Branch LAN IP subnet with next-hop = gateway = the HQ firewall VLAN gateway.

In addition to the routing part , being a Firewall you may need to update the firewall rules to allow ping to be successful and other settings to be able to access the Firewall admin GUI from a PC in the branch LAN subnet.

Hope to help

Giuseppe

Flavio Miranda · ‎06-01-2023

Got it. If you are able to reach the firewall gateway´s but not the firewall, it means the firewall does not know how to reply to Branch.

You need to add route on the firewall and allow the Branch network on the file rules.

What firewall is it?

MHM Cisco World · ‎05-31-2023

the inter-vlan is end in each
FW of HQ
Router in branch
VLANx-R(branch)----P2P----->FW(HQ)-VLANy
herer there is no inter-vlan between VLANx and VLANy
what you need here is make sure that the FW know VLANx through the p2p link
and Router know the VLANy through p2p link

Joseph W. Doherty · ‎05-31-2023

Several approaches come to mind, but choosing one depends on WHY you access the FW as you describe.

Basically, this form of access might range from incompetent network design to for "security".

ipo.peniel_rg · ‎05-31-2023

please share your thoughts.

Joseph W. Doherty · ‎06-01-2023

My thoughts?

I'm unfamiliar with a Fortigate, but I've also been thinking much along the lines of @Giuseppe Larosa reply. I.e. FW might need a route statement, gateway statement or, if possible, join your EIGRP. This so that the FW can get beyond its VLAN.

But, I'm also thinking it's possible FW VLAN transit access might be blocked by an ACL.

From all you described, it sounds like topology is in place for you to be able to access FW from other than direct connection to the FW VLAN, but since you cannot, normal causes would be missing "routing" info or intentional security blocking.

What's still a bit unclear is how you obtain access now. When you use your static IP, do you need to connect to a specific switch port, or ports, too?