
Routing between VLAN and Firewall - SG300

VKStephanie
Level 1

Hello Everyone,

 

We want to have multiple SSIDs for different sections of the company, each on their own VLAN. So far, I have each of these up and running. However, on one half of the building, users can't get a DHCP address from the main switch where the pools are. So I created a secondary pool for a different block of addresses for that side of the building. Great - everywhere I am getting an IP from DHCP from whichever switch is closest of the two that have the pools. But there seems to be something wrong with the routing. On the main switch (which is directly connected to the firewall), if I get a DHCP address from that, I can get out to the internet. But on the other side of the building, if I get a DHCP address from that secondary block of addresses, the routing doesn't appear to work.

The static routes in the switches say "Directly Connected" so I can't mess with them at all; they're automatically put in. The route in the firewall is correct and has the entire subnet routed: for example, 10.10.40.0. The first block works in the main switch: 10.10.40.1-100; but not the second switch, 10.10.40.101-200.

 

I thought about putting in a new route or something... but nothing seems to work.  It's worth noting that the primary pools are on a switch that is directly and separately connected to the firewall.  The rest of the network is connected to the firewall directly.  Users are connected to each switch.

 

Switch w/ Primary Pools --- firewall --- Switch 2 --- Switch w/Secondary pools --- switch 4
                                               |                  |
                                             Router         WLC
                                               |
                                             ISP

 

 


9 Replies

Seb Rupik
VIP Alumni

Hi there,

I assume on the switches which have the DHCP pools, both are in mode router?

 

Can you provide the routing tables for all your switches and firewall?

 

cheers,

Seb.

Thank you for your reply, Seb!

 

They are in layer 3 mode.

The fw one was sanitized a bit.  I can see the route is using the primary and not the secondary pool IP at all... is there a way to point both to the firewall? Or point .14 to the .11?

 

Switch with Secondary Pool (10.10.110.14):

Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding: enabled
Codes: > - best, C - connected, S - static


S   0.0.0.0/0 [1/1] via 10.10.110.253, 01:40:36, vlan 1                    
C   10.10.40.0/24 is directly connected, vlan 40                           
C   10.10.41.0/24 is directly connected, vlan 41                           
C   10.10.42.0/24 is directly connected, vlan 42                           
C   10.10.43.0/24 is directly connected, vlan 43                           
C   10.10.44.0/24 is directly connected, vlan 44                           
C   10.10.45.0/24 is directly connected, vlan 45                                                    
C   10.10.110.0/24 is directly connected, vlan 1                           
    

                  

Switch with Primary Pool (10.10.110.11):

Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding: enabled
Codes: > - best, C - connected, S - static


S   0.0.0.0/0 [1/100] via 10.10.110.253, 97:44:25, vlan 1                  
C   10.10.40.0/24 is directly connected, vlan 40                           
C   10.10.41.0/24 is directly connected, vlan 41                           
C   10.10.42.0/24 is directly connected, vlan 42                           
C   10.10.43.0/24 is directly connected, vlan 43                           
C   10.10.44.0/24 is directly connected, vlan 44                           
C   10.10.45.0/24 is directly connected, vlan 45                                      
C   10.10.110.0/24 is directly connected, vlan 1                           
 

Switch 2 from diagram (10.10.110.9):

Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding: enabled
Codes: > - best, C - connected, S - static


S   0.0.0.0/0 [1/100] via 10.10.110.253, 73:52:43, vlan 1                  
C   10.10.40.0/24 is directly connected, vlan 40                           
C   10.10.41.0/24 is directly connected, vlan 41                           
C   10.10.42.0/24 is directly connected, vlan 42                           
C   10.10.43.0/24 is directly connected, vlan 43                           
C   10.10.44.0/24 is directly connected, vlan 44                           
C   10.10.45.0/24 is directly connected, vlan 45                                          
C   10.10.110.0/24 is directly connected, vlan 1                           
            

 Switch 4 from diagram (10.10.110.15):

Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding: enabled
Codes: > - best, C - connected, S - static


S   0.0.0.0/0 [1/100] via 10.10.110.253, 72:19:15, vlan 1                  
C   10.10.40.0/24 is directly connected, vlan 40                           
C   10.10.41.0/24 is directly connected, vlan 41                           
C   10.10.42.0/24 is directly connected, vlan 42                           
C   10.10.43.0/24 is directly connected, vlan 43                           
C   10.10.44.0/24 is directly connected, vlan 44                           
C   10.10.45.0/24 is directly connected, vlan 45                           
C   10.10.110.0/24 is directly connected, vlan 1       

FW Routes:

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via <public IP>, wan1
                  [10/0] via <public IP>, wan2, [10/0]
S       10.10.40.0/24 [10/0] via 10.10.110.11, internal
S       10.10.41.0/24 [10/0] via 10.10.110.11, internal
S       10.10.42.0/24 [10/0] via 10.10.110.11, internal
S       10.10.43.0/24 [10/0] via 10.10.110.11, internal
S       10.10.44.0/24 [10/0] via 10.10.110.11, internal
S       10.10.45.0/24 [10/0] via 10.10.110.11, internal
C       10.10.110.0/24 is directly connected, internal
C       <public IP> is directly connected, wan1
C       <backup public IP> is directly connected, wan2
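The tables above already contain the whole story: every SG300 lists 10.10.40.0/24 through 10.10.45.0/24 as "directly connected", yet the FortiGate has a single static next hop (10.10.110.11, switch1) for each of those prefixes. Return traffic for a 10.10.40.x host therefore always lands on switch1, and a host that leased its address from the switch at 10.10.110.14 is only reachable if VLAN 40 is one contiguous Layer 2 domain between the two switches. The following script is an added example, not something posted in this thread; it parses routing output in the format shown above (abridged, constructed copies of the posted tables, with placeholder switch names) and flags exactly that condition: a subnet owned by more than one Layer 3 switch while the firewall points the whole prefix at one of them.

```python
import re
from collections import defaultdict

# Constructed samples, abridged from the tables posted above. The switch
# names are placeholders; only the prefixes and next hops matter here.
SWITCH_TABLES = {
    "switch1 (10.10.110.11)": """
S   0.0.0.0/0 [1/100] via 10.10.110.253, 97:44:25, vlan 1
C   10.10.40.0/24 is directly connected, vlan 40
C   10.10.41.0/24 is directly connected, vlan 41
C   10.10.110.0/24 is directly connected, vlan 1
""",
    "switch3 (10.10.110.14)": """
S   0.0.0.0/0 [1/1] via 10.10.110.253, 01:40:36, vlan 1
C   10.10.40.0/24 is directly connected, vlan 40
C   10.10.41.0/24 is directly connected, vlan 41
C   10.10.110.0/24 is directly connected, vlan 1
""",
}

FW_TABLE = """
S*      0.0.0.0/0 [10/0] via <public IP>, wan1
S       10.10.40.0/24 [10/0] via 10.10.110.11, internal
S       10.10.41.0/24 [10/0] via 10.10.110.11, internal
C       10.10.110.0/24 is directly connected, internal
"""

# 'C' lines: prefix and the interface it is connected on
CONNECTED_RE = re.compile(r"^C\*?\s+(\S+) is directly connected, (.+)$", re.M)
# 'S' lines: prefix and the first next hop (everything up to the comma)
STATIC_RE = re.compile(r"^S\*?\s+(\S+)\s+\[\d+/\d+\]\s+via\s+([^,]+),", re.M)


def parse_connected(table):
    """Map each directly connected prefix to its interface."""
    return {pfx: intf.strip() for pfx, intf in CONNECTED_RE.findall(table)}


def parse_static(table):
    """Map each static prefix to its next hop."""
    return {pfx: nh.strip() for pfx, nh in STATIC_RE.findall(table)}


def find_split_gateways(switch_tables, fw_table):
    """Find subnets that more than one L3 switch owns as 'directly connected'
    while the firewall forwards the whole prefix to a single next hop.

    Return traffic for such a subnet only ever reaches the one switch the
    firewall points at, so a host that got its address from a different
    switch is reachable only if the VLAN is one contiguous L2 domain
    between them. Returns (prefix, fw_next_hop, [owning switches]) tuples.
    """
    owners = defaultdict(set)
    for name, table in switch_tables.items():
        for pfx in parse_connected(table):
            owners[pfx].add(name)
    fw_next_hop = parse_static(fw_table)
    return [
        (pfx, fw_next_hop[pfx], sorted(names))
        for pfx, names in sorted(owners.items())
        if len(names) > 1 and pfx in fw_next_hop
    ]


def default_gateways(switch_tables):
    """Next hops used for 0.0.0.0/0 across all switches (should be one)."""
    return {parse_static(t).get("0.0.0.0/0") for t in switch_tables.values()}


if __name__ == "__main__":
    for pfx, nh, names in find_split_gateways(SWITCH_TABLES, FW_TABLE):
        print(f"{pfx}: firewall sends it to {nh}, but it is connected on "
              f"{', '.join(names)}")
    print("default gateways in use:", default_gateways(SWITCH_TABLES))
```

Run against the full tables posted above, the check reports all six VLAN subnets, each pointed at 10.10.110.11 while four switches claim them. The 10.10.110.0/24 management subnet is deliberately not flagged: the firewall has it as connected rather than static, so it is the one prefix where every switch really does share a Layer 2 segment with the gateway.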

You need to extend the Layer2 boundary of VLAN40 around the firewall, trunking it between switch1 and switch2. This would fix your overall DHCP issue.

 

What does the switchport configuration of the ports connecting the firewall on switches 1 and 2 look like?

 

What model is the firewall, can it operate at Layer2?

 

cheers,

Seb.

I think I see the issue. This first port, 44, needs to be trunked to allow traffic from VLANs 40-45, right? I'll give that a try now... but if that's the case, why don't my other VLANs (cleared from the configs below for clarity) need to be on that trunk? For example, I have another VLAN 150 that's for wired-in connections on that Switch2... and that works... but as you can see, it is not in the allowed VLANs for the port leading to the firewall.

 

The firewall is a Fortinet 90D.

 

port from Switch 2 (.9) to FW:

Switch2#sh int sw gig 44
Added by: D-Default, S-Static, G-GVRP, R-Radius Assigned VLAN, T-Guest VLAN, V-Voice VLAN
Port : gi44
Port Mode: Access 
Gvrp Status: disabled
Ingress Filtering: true
Acceptable Frame Type: admitAll
Ingress UnTagged VLAN ( NATIVE ): 1
 
Port is member in: 
 
Vlan               Name               Egress rule     Added by     
---- -------------------------------- ----------- ---------------- 
 1                  1                  Untagged          V         

 
Forbidden VLANS: 
Vlan               Name               
---- -------------------------------- 
interface gigabitethernet44
 loopback-detection enable
 description Firewall
 storm-control broadcast enable
 storm-control include-multicast unknown-unicast
 switchport mode access

Port connecting switch 1 with primary pool to FW:

Switch1#show int sw gig 1                         
Added by: D-Default, S-Static, G-GVRP, R-Radius Assigned VLAN, T-Guest VLAN, V-Voice VLAN
Port : gi1
Port Mode: Trunk
Gvrp Status: disabled
Ingress Filtering: true
Acceptable Frame Type: admitAll
Ingress UnTagged VLAN ( NATIVE ): 1
 
Port is member in: 
 
Vlan               Name               Egress rule     Added by     
---- -------------------------------- ----------- ---------------- 
 1                  1                  Untagged          V         
 40            GUEST_VLAN40             Tagged           S         
 41           SerDel_VLAN41             Tagged           S         
 42             COL_VLAN42              Tagged           S         
 43             DEV_VLAN43              Tagged           S         
 44           misc_VLAN44            Tagged           S         
 45            Sales_VLAN45             Tagged           S         
interface gigabitethernet1
 loopback-detection enable
 description Firewall
 no snmp trap link-status
 storm-control broadcast enable
 storm-control include-multicast unknown-unicast
 switchport trunk allowed vlan add 40-45
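Seb's question about the two firewall-facing ports is the kind of comparison worth scripting when a site has several uplinks to the same gateway. The script below is an added example, not code posted in this thread: it parses SG300 `show interfaces switchport` output (constructed, abridged copies of the two port dumps above) and reports any firewall-facing port that is not a trunk or that does not carry one of the VLANs the firewall routes. The set of gateway VLANs, 40 to 45, is taken from the FortiGate static routes posted earlier; everything else is assumed only for this example.

```python
import re

# Constructed samples, abridged from the 'show interfaces switchport' output
# posted above for the two firewall-facing ports.
SWITCH2_GI44 = """\
Port : gi44
Port Mode: Access
Gvrp Status: disabled
Ingress Filtering: true
Acceptable Frame Type: admitAll
Ingress UnTagged VLAN ( NATIVE ): 1

Port is member in:

Vlan               Name               Egress rule     Added by
---- -------------------------------- ----------- ----------------
 1                  1                  Untagged          V

Forbidden VLANS:
Vlan               Name
---- --------------------------------
"""

SWITCH1_GI1 = """\
Port : gi1
Port Mode: Trunk
Gvrp Status: disabled
Ingress Filtering: true
Acceptable Frame Type: admitAll
Ingress UnTagged VLAN ( NATIVE ): 1

Port is member in:

Vlan               Name               Egress rule     Added by
---- -------------------------------- ----------- ----------------
 1                  1                  Untagged          V
 40            GUEST_VLAN40             Tagged           S
 41           SerDel_VLAN41             Tagged           S
 42             COL_VLAN42              Tagged           S
 43             DEV_VLAN43              Tagged           S
 44           misc_VLAN44            Tagged           S
 45            Sales_VLAN45             Tagged           S
"""

# One row of the membership table: id, name, egress rule, added-by code
MEMBER_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(Tagged|Untagged)\s+(\S+)\s*$")

# VLANs the firewall holds static routes for (10.10.40.0/24 .. 10.10.45.0/24)
GATEWAY_VLANS = range(40, 46)


def parse_switchport(text):
    """Parse SG300 'show interfaces switchport' output into a dict with the
    port name, mode, native VLAN and {vlan_id: 'Tagged'|'Untagged'}."""
    port = re.search(r"^Port\s*:\s*(\S+)", text, re.M).group(1)
    mode = re.search(r"^Port Mode:\s*(\w+)", text, re.M).group(1)
    native = int(re.search(r"NATIVE \):\s*(\d+)", text).group(1))
    members = {}
    in_members = False
    for line in text.splitlines():
        if line.startswith("Port is member in"):
            in_members = True          # rows that follow are memberships
        elif line.startswith("Forbidden VLANS"):
            in_members = False         # second table, same layout, skip it
        elif in_members:
            m = MEMBER_RE.match(line)
            if m:
                members[int(m.group(1))] = m.group(3)
    return {"port": port, "mode": mode, "native": native, "members": members}


def missing_gateway_vlans(port, gateway_vlans):
    """VLANs the firewall is the gateway for that this port does not carry."""
    return sorted(v for v in gateway_vlans if v not in port["members"])


def audit_firewall_links(port_dumps, gateway_vlans):
    """Compare every firewall-facing port against the VLAN set the firewall
    routes and return a list of human-readable findings."""
    findings = []
    for text in port_dumps:
        port = parse_switchport(text)
        if port["mode"] != "Trunk":
            findings.append(f"{port['port']}: mode is {port['mode']}, expected Trunk")
        missing = missing_gateway_vlans(port, gateway_vlans)
        if missing:
            findings.append(f"{port['port']}: not carrying VLANs {missing}")
    return findings


if __name__ == "__main__":
    for finding in audit_firewall_links([SWITCH2_GI44, SWITCH1_GI1], GATEWAY_VLANS):
        print(finding)
```

On the two dumps above it reports gi44 twice (access mode, and VLANs 40 to 45 absent) and nothing for gi1. The check only tells you whether the switch side of each uplink agrees on the VLAN set; as Seb points out further down, tagging more VLANs towards the firewall achieves nothing unless the firewall interface is itself configured to accept tagged frames.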

 

So adding the vlans to that port 44 seems to have resolved the routing and DHCP issue (Huzzah!)... but now it takes quite a while - almost 30 seconds in some cases, for a user to authenticate before being assigned an IP. Is there a way to speed this up? On the old network, authentication is nearly instant. We're using the same auth server in both instances.

If switch1 and switch3 are now sharing the same L2 domain for VLAN40, then it probably doesn't help that you are running it with two DHCP pools. Disable the pool on switch3 and see if devices connected at the side of the network are getting leases from switch1.

Yes, they are! I've removed the secondary DHCP pools and all is working as planned. Thank you so much!! You've been a real help.

OK, good to hear :)

It won't do any good trunking more VLANs from switch2 to the firewall if its receiving interface is not configured for VLAN tagged traffic.

My guess is that your firewall just has routed interfaces. You need to move your cabling around so that switch1 and switch2 are directly attached with all necessary VLANs trunked between them. Connect the FW to either switch1 or switch2 and trunk to it only the VLANs that it is the gateway for.

This should resolve your routing issues.

 

cheers,

Seb.
