Problem with VLAN routing

  • Problem
  • Updated 3 years ago
  • Solved
Hi all,

I am trying to set up an x450-G2-24t with XOS 16.1.1.4 as a router for clients that want to access a specific host at 10.12.0.241 in a /24 net. Clients are in a 172.30.x.x/16 net.

I configured the VLANs (VLAN tag 100 and VLAN tag 10) and enabled ipforwarding globally and for the VLANs. What is working so far is pinging the switch IP in the 10.12.0.x LAN from the 172.30.x.x switch IP. What also works is pinging the 10.12.0.241 host IP from the 10.12.x.x switch IP.

But when trying to ping the host IP from the 172.30.x.x switch IP, I get no answer.

So what did I miss? Do I have to add some specific routing?

Thankful for any tips!

Peter 

Peter Kulmbrein


Posted 3 years ago


Grosjean, Stephane, Employee

Do the hosts have their gateway configured?

Kawawa, GTAC

Hi Peter, above is my understanding of what you're describing. Please correct me if I am wrong.
  1. You have defined two VLANs in the X450-G2
  2. You have configured each VLAN with an IP and enabled ipforwarding
  3. Host A can ping the VLAN interface IP addresses, however not Host B
If the above is what your topology looks like, it should work fine. Check the FDB on each VLAN to see if the MAC of the hosts has been learnt. I quickly set this up to double check, and the initial pings did not work until I had made an attempt to ping from each host. Once the MACs had been learnt on each VLAN, the link worked just fine.

However, if the above is not your actual topology and you have multiple physical devices, you'll need to define routes that tell the IP interfaces on one host how to get to the IPs on the other.

Jarek

Hi,

Do you have any route on the 10.12.0.241 host to the 172.30.x.x/16 network?

For example:

host 10.12.0.241 <---> 10.12.0.1/24 (switch) 172.30.0.1/16 ---- network 172.30.x.x/16

You must add a route to the 172.30.x.x/16 via 10.12.0.1 on the host 10.12.0.241,
or you can set a default gateway of 10.12.0.1 on the host.

--
Jarek
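
An added illustration of the point in the reply above (not part of the original thread, and not EXOS code): a small routing-table simulation showing that the echo reply is what gets lost when 10.12.0.241 has no route back to 172.30.x.x/16. The client address 172.30.0.50 and the node names are constructed for the example.

```python
import ipaddress

def next_hop(table, dst):
    """Longest-prefix match; returns 'direct', a gateway IP, or None (no route)."""
    dst, best = ipaddress.ip_address(dst), None
    for prefix, gw in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return None if best is None else (best[1] or "direct")

def path(tables, owner, node, dst, max_hops=8):
    """Follow routing tables hop by hop; list of nodes, or None if undeliverable."""
    hops = [node]
    for _ in range(max_hops):
        if owner[dst] == node:            # destination is a local address
            return hops
        nh = next_hop(tables[node], dst)
        if nh is None:                    # packet is dropped here: no route
            return None
        node = owner[dst if nh == "direct" else nh]
        hops.append(node)
    return None

def ping_ok(tables, owner, src_ip, dst_ip):
    """A ping needs the request path AND a reply path back to src_ip."""
    fwd = path(tables, owner, owner[src_ip], dst_ip)
    back = path(tables, owner, owner[dst_ip], src_ip)
    return fwd is not None and back is not None

# Addresses from the sketch in the reply; 172.30.0.50 is a constructed client.
OWNER = {"10.12.0.241": "host", "10.12.0.1": "switch",
         "172.30.0.1": "switch", "172.30.0.50": "client"}
TABLES = {
    "switch": [("10.12.0.0/24", None), ("172.30.0.0/16", None)],   # connected
    "client": [("172.30.0.0/16", None), ("0.0.0.0/0", "172.30.0.1")],
    "host":   [("10.12.0.0/24", None)],          # no gateway, no static route
}

if __name__ == "__main__":
    # Sourced from the switch's 10.12.0.1 address: reply stays on-link.
    print(ping_ok(TABLES, OWNER, "10.12.0.1", "10.12.0.241"))
    # Sourced from 172.30.0.1: request arrives, reply has no route.
    print(ping_ok(TABLES, OWNER, "172.30.0.1", "10.12.0.241"))
    TABLES["host"].append(("172.30.0.0/16", "10.12.0.1"))   # the suggested route
    print(ping_ok(TABLES, OWNER, "172.30.0.1", "10.12.0.241"))
```

The second check reproduces the symptom from the first post: the switch can reach the host from its 10.12.0.x address but not from its 172.30.x.x address, because only the reply direction is missing a route.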

Kawawa, GTAC

If he's using the same switch, EXOS won't allow him to add a static or default route from 1 VLAN interface to another subnet, as that is made possible via the directly attached route automatically added once the L3 interface becomes active. Static routes can only be set when the gateway is a next hop device.

Jarek

I wrote about the host 10.12.0.241, not the switch.
If you do not have any route to the 172.30.x.x/16 network, it will not work.

Peter Kulmbrein

Hi,

Thanks so far for the info!

What I got working now is pinging the host on 10.12.0.x from my Switch1, also from the 172.30.x.x IP address. I got that working by entering a route at the host for the 172.30.x.x net with SwitchA as gateway.

One thing is still missing:

I try to do the same from SwitchB, which is configured the same way as SwitchA and connected through a trunk where all VLANs are tagged. I can also ping SwitchA's 10.12.0.x interface from the 172.30.x.x interface, but not the host.

Should not SwitchA do the routing to SwitchB for the ICMP answers?

Jarek

Do you mean that you have the same config in both switches, or SwitchA is the router and SwitchB is only L2?

Can you show a simple network diagram?



--
Jarek

Peter Kulmbrein

Hi,

Diagram enclosed ;-)
What I need to achieve is reaching a website hosted at HostA from HostB.

Just tell me if you need some more info!

Kawawa, GTAC

Based on the diagram you have provided, you've told hosts in the 10.12.0.0/24 network how to reach hosts in the 172.30.0.0/16 network, but you haven't done the same for the opposite. Therefore, if you ran a capture on the port going to 172.30.1.1, you should be able to see the Echo requests going towards host B, but the Echo replies not being returned.

Jarek

If host B wants to talk with host A and the default gateway is 172.30.1.1, you should add on host B a static route to 10.12.0.0/24 via 172.30.1.234.


--
Jarek

Peter Kulmbrein

You are right - what I forgot to mention is that I set up a route at the Fortigate C60 Office for 10.12.0.0/24 - GW:10.12.0.244.

But it seems as if my x450 doesn't forward anything - when I try to reach HostA from the x440 (tested with ping 10.12.0.241 from 172.30.1.239) I get no answer; if I try to reach 10.12.0.244 from 172.30.1.239, that works...

Same thing when I try to reach 172.30.1.1 from HostA: no answer with ping; if I try to ping it from the x450, OK.

I will have a close look at the client side once again.

Peter

Jarek

Do you have 2 VLANs on the Fortigate, 100 and 10?
And one other question: do you really need a /16 mask?
This is a lot of hosts in one VLAN.

And last, does the Fortigate act as a gateway or as a switch?
--
Jarek

Drew C., Community Manager

Hi Peter, any luck getting this resolved?

Peter Kulmbrein

Hi,

Sorry to get back a bit later, but finally I got the info you asked for:

They only have one untagged physical interface running on the Forti - I asked to set up VLAN interfaces now.

The /16 net was already set up, so I have to take it as it is ;-)
The Fortigate acts as a gateway.

Now I'm waiting for feedback on whether enabling the VLAN interfaces on the Forti did help!

Thx so far!
Peter