[Resolved]: How to get Inter-Vlan working in Layer 3 & 2 switches (even the Firewall Gateway was down/disconnected)

Jim Khor

2400 17 2024-4-7 18:58:09
Edited by Jim Khor at 2024-4-21 19:43

Hi, I have a Fortinet FortiGate Firewall configured as the only Gateway for multiple VLANs (to uplink Internet Access for the Ruijie Switch).
VLAN0 (Default): Gateway = 192.168.11.1
VLAN10: Gateway = 192.168.10.1
VLAN100: Gateway = 192.168.100.1
VLAN200: Gateway = 192.168.200.1
VLAN250: Gateway = 192.168.250.1
And the Ruijie L3 Switch (Model: RG-CS83-24GT4XS) has the same VLANs with DHCP management
VLAN1 (Default): Gateway = 192.168.11.2
VLAN10: Gateway = 192.168.10.9
VLAN100: Gateway = 192.168.100.2
VLAN200: Gateway = 192.168.200.2
VLAN250: Gateway = 192.168.250.2
Everything works smoothly in the above configuration, however I noticed that Inter-VLAN stops working when the UpLink port from the FortiGate firewall is disconnected...
Is there any way to get Inter-VLAN to continue working even if the Firewall is down (Internet disconnected) and has to be restarted?
The purpose is to ensure the internal network operation keeps running as usual without interruption from the Firewall itself.
Thanks.
0 2024-4-7 20:26:12 View all replies
Can I know the address of the default router in the switch DHCP pool? Is it the address of the firewall?
If so, all Inter-Vlan traffic passes through the firewall. When the firewall is disconnected, the access is unavailable.
You can try to change the default router to the address of the CS switch and test again.

0 2024-4-7 21:18:47 View all replies
Edited by Jim Khor at 2024-4-18 14:40

GTAC-Micca replied at 2024-4-7 20:26
Can I know the address of the default router in the switch DHCP pool? Is it the address of the firew ...
Hi Micca,
Sorry, a correction:

And the Ruijie L3 Switch (Model: RG-CS83-24GT4XS) has the same VLANs with DHCP management
VLAN1 (Default):
DHCP Server = 192.168.11.2; Gateway = 192.168.11.1

VLAN10:
DHCP Server = 192.168.10.9; Gateway = 192.168.10.1

VLAN100:
DHCP Server = 192.168.100.2; Gateway = 192.168.100.1

VLAN200:
DHCP Server = 192.168.200.2; Gateway = 192.168.200.1

VLAN250:
DHCP Server = 192.168.250.2; Gateway = 192.168.250.1

For your information, the Firewall only has VLAN and IP (DHCP disabled), and the Firewall IP address is 192.168.11.1
I checked the Switch Web Console and found this: "ip route 0.0.0.0 0.0.0.0 192.168.11.1"
You can refer to the images for details.




Thanks.

0 2024-4-8 16:32:44 View all replies
Jim Khor replied at 2024-4-7 21:18
GTAC-Micca replied at 2024-4-7 20:26
Can I know the address of the default router in the switch DHCP ...

Could you try to change the gateway address here to the address of the CS switch and test again? Do not use the firewall address here.





0 2024-4-8 16:37:40 View all replies
GTAC-Micca replied at 2024-4-8 16:32
May you try to change the gateway address here to the address of the CS switch and test again? Not ...

Dear Micca,

I already tried yesterday, but unfortunately it doesn't work.

0 2024-4-8 19:54:40 View all replies
Jim Khor replied at 2024-4-8 16:37
Dear Micca,

I have already tried yesterday, but unfortunately doesn't work.

Did the user get the address after you changed it? That is, has the user's gateway address changed?

0 2024-4-8 22:15:06 View all replies
Edited by Jim Khor at 2024-4-9 02:34

GTAC-Micca replied at 2024-4-8 19:54
Did the user get the address after you changed it? That is, has the user's gateway address changed ...
After changing the Gateway to the VLAN IP itself,
that means both the DHCP and Gateway are the same IP address.
Users are able to get the IP address together with the Gateway and DHCP address.
Inter-VLAN managed to work, but there is no Internet access for the IPs (except the VLAN1 network), even with the FW uplink connected to the Layer 3 switch.

0 2024-4-15 15:41:20 View all replies
Jim Khor replied at 2024-4-8 22:15
GTAC-Micca replied at 2024-4-8 19:54
Did the user get the address after you changed it? That is, has ...

Dear Jim Khor,

Regarding this issue, could you also provide us with a topology of the network, including the firewall and core switch here?

If permitted, you can resort to SVIs to realize inter-VLAN routing when the firewall is down.

What is an SVI in Networking? Difference Between SVI and VLAN - Ruijie Networks
RD,

David

0 2024-4-15 16:46:58 View all replies
Edited by Jim Khor at 2024-4-15 16:51

GTAC-David replied at 2024-4-15 15:41
Dear Jim Khor,

Regarding this issue, could you also provide us with a topology of the network inc ...
Dear David,
For your reference.





Thank you.

0 2024-4-15 20:22:11 View all replies
Jim Khor replied at 2024-4-15 16:46
GTAC-David replied at 2024-4-15 15:41
Dear Jim Khor,

Thank you so much for sharing your topology. Can you share with us the configuration after changing the gateway address? Both switch and firewall please.

0 2024-4-16 16:41:08 View all replies
GTAC-Micca replied at 2024-4-15 20:22
Thank you so much for sharing your topology. Can you share with us the configuration after changin ...

Dear Micca,

For your reference.






0 2024-4-16 17:59:26 View all replies
Jim Khor replied at 2024-4-16 16:41
Dear Micca,

For your reference.
Hello Jim Khor,
I'm sorry that we can't provide a specific solution for you based on the current information.
Can you help to check the following aspects:
  • traceroute 8.8.8.8 when you connect the firewall, then please share the screenshot with us. We want to check the route.
  • show ip route > check this command on the switch if the traceroute stops at the switch
If the issue still exists afterwards, please help to collect the "show run" result of the CS switch and talk with me again (if you are concerned about the security of your device configuration, you can share it with me by email: guominxiang@ruijie.com.cn). I would be glad to help you in the Community.
Best Regards,
Micca

0 2024-4-17 12:10:05 View all replies
GTAC-Micca replied at 2024-4-16 17:59
Jim Khor replied at 2024-4-16 16:41
Dear Micca,

Dear Micca,

Thank you for the reply.

I have sent the screenshot and "show run" config file to your email.
Please have a look.

0 2024-4-17 14:23:44 View all replies
Jim Khor replied at 2024-4-17 12:10
Dear Micca,

Thank you for reply.
Hello Jim Khor,
I have received your email and checked it.
Please kindly refer to these commands and try to add them on your device.
Ruijie(config)#ip route 0.0.0.0 0.0.0.0 192.168.11.1
Ruijie(config)#ip route 0.0.0.0 0.0.0.0 192.168.10.1
Ruijie(config)#ip route 0.0.0.0 0.0.0.0 192.168.100.1
Ruijie(config)#ip route 0.0.0.0 0.0.0.0 192.168.200.1
Ruijie(config)#ip route 0.0.0.0 0.0.0.0 192.168.250.1
If the issue still exists afterwards, you can also try to add the Administrative Distance:
Ruijie(config)#ip route 0.0.0.0 0.0.0.0 192.168.11.1 10     ----> if the destination address is any, it will forward to 192.168.11.1; the Administrative Distance is 10 (the default Administrative Distance is 1; the smaller, the better)
For other routes, you can also add different Administrative Distance priorities in the format of this command.
If the issue still exists, please help to collect the result of "show run" and your test screenshot and talk with me again (if you are concerned about the security of your device configuration, you can share it with me by email: guominxiang@ruijie.com.cn). I would be glad to help you in the Community.

0 2024-4-18 13:52:38 View all replies
Edited by Jim Khor at 2024-4-18 14:15

GTAC-Micca replied at 2024-4-17 14:23
Jim Khor replied at 2024-4-17 12:10
Dear Micca,

Dear Micca,
After trying, the suggested command only works to grant Internet access if no additional ip route is added.

For example:
ip route 0.0.0.0 0.0.0.0 192.168.11.1 > for VLAN1 (Default)
ip route 0.0.0.0 0.0.0.0 192.168.10.1 > for VLAN10

Tested PCs (Manually Configured, to avoid existing network disruption):
VLAN1:
IP: 192.168.11.34, Subnet Mask: 255.255.255.0, Gateway: 192.168.11.2, DNS Server 8.8.8.8 and 8.8.4.4

VLAN 10:
IP: 192.168.10.5, Subnet Mask: 255.255.255.0, Gateway: 192.168.10.9 (not 192.168.10.2, typo error last time), DNS Server 8.8.8.8 and 8.8.4.4

With the above settings, the PC in VLAN10 is able to PING 8.8.8.8 and gets Internet access, however it may cause the VLAN1 PC to be unable to PING 8.8.8.8 (or any), and Internet connectivity becomes slower and inconsistent compared to having only 1 "ip route 0.0.0.0 0.0.0.0 192.168.11.1" in the console (when performing a speedtest.net test, finding a server takes longer than usual).

For the "Administrative Distance" configuration, the VLAN networks are unable to get Internet access and the PING command does not work.




Is there any possibility for all VLANs to automatically get their IP route, instead of just inserting the commands and letting the system choose/prioritise,
without any conflict? Such as adding an IP ROUTE command in the VLAN interface?

0 2024-4-18 14:43:02 View all replies
Jim Khor replied at 2024-4-18 13:52
GTAC-Micca replied at 2024-4-17 14:23
Jim Khor replied at 2024-4-17 12:10
Dear Micca,

Hello Jim Khor,
As for this issue, I need to double check with my senior and the R&D team. It may take some time to double check with our R&D team. I will reply with the result here and inform you by email. Please pay attention.

0 2024-4-18 15:13:48 View all replies
GTAC-Micca replied at 2024-4-18 14:43
Hello Jim Khor,
As for this issue, I need to double check with my senior and the R&D team. It may ...

Hello Jim Khor,


After our discussion, please check the following aspects:


1. If the user gateway needs to be configured on the firewall, you need to ask the firewall engineer to check whether there are any special configurations or functions on the firewall that prevent users from communicating between VLANs.
2. If the user gateway needs to be configured on the CS switch, you need to ask the firewall engineer to check whether there are back routes on the firewall to each network segment of the CS switch.

If you have any other questions, please feel free to contact me and I will be happy to help you on the community.

0 2024-4-21 19:42:53 View all replies

Dear Micca,

Noted your suggestion.
I've liaised with my Firewall vendor and the IP Routing was eventually done.

Thank you.
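
Added example (not part of the original thread, and not Ruijie or Fortinet code): a small Python routing model built from the thread's addresses, showing how the host's default gateway decides whether inter-VLAN traffic depends on the firewall, and why Internet access through the switch SVIs needs back routes on the firewall. The function names are made up for this illustration, and the `fw_nets=(TRANSIT,)` layout (firewall facing the switch only on 192.168.11.0/24) is an assumption, since the thread does not show the final firewall configuration.

```python
import ipaddress as ipa

# Addresses from the thread: switch SVI per VLAN subnet; the firewall uses .1.
SVI = {"192.168.11.0/24": "192.168.11.2", "192.168.10.0/24": "192.168.10.9",
       "192.168.100.0/24": "192.168.100.2", "192.168.200.0/24": "192.168.200.2",
       "192.168.250.0/24": "192.168.250.2"}
TRANSIT = "192.168.11.0/24"          # subnet of the switch's default route
FW_IP = {n: n.replace(".0/24", ".1") for n in SVI}
OWNER = {**{a: "switch" for a in SVI.values()},
         **{a: "firewall" for a in FW_IP.values()}}

def inside(addr):
    return any(ipa.ip_address(addr) in ipa.ip_network(n) for n in SVI)

def tables(fw_nets, back_routes):
    """Routes as (prefix, next_hop); next_hop None means directly connected."""
    switch = [(n, None) for n in SVI] + [("0.0.0.0/0", FW_IP[TRANSIT])]
    fw = [(n, None) for n in fw_nets] + [("0.0.0.0/0", "WAN")]
    if back_routes:   # return routes for the VLANs that sit behind the switch
        fw += [(n, SVI[TRANSIT]) for n in SVI if n not in fw_nets]
    return {"switch": switch, "firewall": fw}

def forward(device, dst, rt, fw_up):
    """Route hop by hop with longest-prefix match; True if dst is reached."""
    for _ in range(8):                          # hop limit guards against loops
        if device == "firewall" and not fw_up:
            return False
        hits = [(ipa.ip_network(p).prefixlen, nh) for p, nh in rt[device]
                if ipa.ip_address(dst) in ipa.ip_network(p)]
        nh = max(hits, key=lambda h: h[0])[1]
        if nh is None:
            return True                         # connected subnet: delivered
        if nh == "WAN":
            return not inside(dst)              # private address is lost upstream
        device = OWNER[nh]
    return False

def round_trip(src, gateway, dst, fw_up=True, fw_nets=tuple(SVI), back_routes=False):
    """Request via the host's default gateway, then the reply back to src.

    ASSUMPTION: passing fw_nets=(TRANSIT,) models a firewall that reaches the
    other VLANs only through the switch; the thread does not confirm this layout.
    """
    rt = tables(fw_nets, back_routes)
    first = OWNER[gateway]
    reply_from = first if inside(dst) else "firewall"
    return forward(first, dst, rt, fw_up) and forward(reply_from, src, rt, fw_up)
```

With the gateways on the switch SVIs, inter-VLAN traffic no longer crosses the firewall, so any VLAN-to-VLAN filtering that the firewall policy used to enforce has to be applied on the switch instead.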
