is 169.222 and 169.223 a typo?  The networks are 169.212 and 169.213.

ron

Hello

Apologies Rolf not got my glasses on!

res

Paul

thats funny, I do that alot myself...thanks

Thanks Paul,

I'll give it a try, but wont this configuration bypass the Fortigate if its interfaces are not the default route for the devices?  

How can all the 212 and 213 network traffic be forced to go through the Fortigate interfaces so it can manage the connection policy (this can talk to that over this port...)?

ron

Yes it will bypass the firewalls.

So if the firewall setup is legacy and you don't need to firewall the vlans from each other Paul's suggestion is a good one.

If you need to firewall between them then you shouldn't do it.

You do have asymmetric traffic paths in your setup but I'm not sure that is causing the issue.

Jon

Yes, I need the firewall to control traffic flows via the Fortigate policies.

I thought I tried a configuration similar to his suggestion and saw that the Fortigate was bypassed.

How does one find/resolve 'asymetric traffic paths'...(I think I get the concept, but I need to google it to figure out what you are talking about).

I think I understand that the root cause is that the 3750 dosnt know how to get to 169.212.40.1 or 169.213.40.1 (show ip route - neither network shows up); but what I dont understand are all the possible reasons/remedies.

If the trunk ports to the Fortigate were connected directly to the 3750 and not have to travel through the 3650 switch would that simplify the paths?

ron

I am assuming for the non firewalled servers their default gateway is the 3750 ?

The pings from the switch will always use the default route.

The switch can't use the statics for the specific subnets because it has no interfaces in the same IP subnets as the next hop IPs so they are never used.

You would have to set the next hop IP to be the same as the default route next hop but there is no point because you have a default route.

The asymmetric path comes in because the firewall has an interface in the same IP subnet as the non firewalled servers so assume one of those servers pings a server in vlan 212 -

server ->  3750 -> firewall ->server (vlan 212)

but the return path is -

server (vlan 212) -> firewall -> server

notice that for the return traffic it does not go via the 3750 because the firewall has an interface in that IP subnet so it simply sends the traffic direct.

Again that is assuming the non firewalled servers have their default gateway set to the SVI on the 3750.

The way to fix it is to use a different IP subnet to connect the 3750 to the firewall so that traffic to and from the non firewalled servers has to follow the same path both ways.

However I am not saying this is your problem because it may well not be.

Jon

Hello

Okay given that topology - All the routing between these vlans should go via the FW and I dont think you even need ip routing enabled on the 3750 or the two statics for vlan 212,213, just s DG point to pointing to the ip of the fortigate Port 1, unelss you need to point egress traffci to the wan?

So I think something is a miss?

But please confirm:
3750 -
i dont see it the L3 interface of vlan 210 - is this a SVI on this switch?
Does this have a trunk connected to the 3650

3650 -

3 trunks
1)   Connecting 3750
2/3) Connecting to the fortigate two subinterfaces?
no ip routing
no default-gateway

Servers
default-gateways of their relative L3 vlan interface


Wan
How are you getting out on the wan?

res
Paul

Hi,

169.210.0.0/16 is actually VLAN 1 (lan) on the 3750

3750

no ip source-routing

ip routing

ip default-gateway 169.210.10.2 << lan interface on Fortigate

ip classless

interface Vlan 1

ip address 169.210.20.3 255.255.0.0 

3650

Trunk from 3750 to 3650 all vlan

Trunk from 3650 to Fortigate allow vlan 212

Trunk from 3650 to Fortigate allow vlan 213

no ip routing

interface Vlan 1

ip address 169.210.20.5 255.255.0.0

ip default-gateway 169.210.20.3  <<< this may be a issue but that's that way it was

ip classless

Servers

all 169.210.0.0/16 - Lan have a default gateway of 169.210.20.3 (3750)

all 169.212.0.0/16 - VLAN212 have a default gateway of 169.212.40.1 (fortigate)

all 169.213.0.0/16 - VLAN213 have a default gateway of 169.213.40.1 (fortigate)

The wan comes in on another 3650 as VLAN 1000 (there are a set of 2 ports in vlan1000 one to the telco device and one to the Fortigate wan interface), so all wan traffic should go through the Fortigate.  There is another two interface ether-channel/trunk (all vlan) that goes back to the 3750.

The 3650 with VLAN 1000 looks like this

interface VLAN 1

ip address 169.210.20.4 255.255.0.0

ip default-gateway 169.210.20.3 << back to the 3750

ip classeless

The Fortigate has a static route

0.0.0.0 0.0.0.0 back to the telco gateway

I kinda see the reason not to route anything, as the Fortigate should take care of traffice flows.  So, given the answers to your questions...is that still a good idea to kill the routing alltogether?

Thanks for the advice so far, starting to make more sense; not all there yet, but I'm starting to understand the issue.

ron

As far as I can tell it is not a problem with any of your route statements.

Note that you keep referring to the "ip default-gateway .." command on the 3750 but that isn't used if the switch is routing.

What is used is the default route and you have that setup so your 3750 knows how to route to the firewalled vlans.

In terms of whether to route everthing on the firewall, that is really up to you.

There is no reason why you cannot route some vlans on the firewall and others on the switch and it should work.

It depends on what you are trying to achieve.

Jon