Ruijie Community

Title: [Resolved]: How to get Inter-VLAN working in Layer 3 & 2 switches (even when the Firewall Gateway is down/disconnected)

Author: it@peacepack.co    Time: 2024-4-7 18:58
Edited by Jim Khor at 2024-4-21 19:43

Hi, I have a Fortinet FortiGate firewall configured as the only gateway for multiple VLANs (to provide the Internet uplink for the Ruijie switch).
VLAN0 (Default): Gateway = 192.168.11.1
VLAN10: Gateway = 192.168.10.1
VLAN100: Gateway = 192.168.100.1
VLAN200: Gateway = 192.168.200.1
VLAN250: Gateway = 192.168.250.1
And the Ruijie L3 switch (Model: RG-CS83-24GT4XS) has the same VLANs with DHCP management:
VLAN1 (Default): Gateway = 192.168.11.2
VLAN10: Gateway = 192.168.10.9
VLAN100: Gateway = 192.168.100.2
VLAN200: Gateway = 192.168.200.2
VLAN250: Gateway = 192.168.250.2
Everything works smoothly in the above configuration; however, I noticed that Inter-VLAN routing stops working when the uplink port from the FortiGate firewall is disconnected...
Is there any way to keep Inter-VLAN routing working even if the firewall is down (Internet disconnected) and has to be restarted?
The purpose is to ensure that internal network operation continues as usual without interruption from the firewall itself.
Thanks.

Author: guominxiang@rui    Time: 2024-4-7 20:26
Can I know the address of the default router in the switch DHCP pool? Is it the address of the firewall?
If so, all Inter-VLAN traffic passes through the firewall. When the firewall is disconnected, access is unavailable.
You can try changing the default router to the address of the CS switch and test again.

Author: it@peacepack.co    Time: 2024-4-7 21:18
Edited by Jim Khor at 2024-4-18 14:40

Hi Micca,
Sorry, a correction:

And the Ruijie L3 Switch (Model: RG-CS83-24GT4XS) has the same VLANs with DHCP management
VLAN1 (Default):
DHCP Server = 192.168.11.2; Gateway = 192.168.11.1

VLAN10:
DHCP Server = 192.168.10.9; Gateway = 192.168.10.1

VLAN100:
DHCP Server = 192.168.100.2; Gateway = 192.168.100.1

VLAN200:
DHCP Server = 192.168.200.2; Gateway = 192.168.200.1

VLAN250:
DHCP Server = 192.168.250.2; Gateway = 192.168.250.1

For your information, the firewall only has the VLANs and IP addresses configured (DHCP disabled), and the firewall IP address is 192.168.11.1.
I checked the switch web console and found this: "ip route 0.0.0.0 0.0.0.0 192.168.11.1"
You can refer to the images for details.




Thanks.

Author: guominxiang@rui    Time: 2024-4-8 16:32

Could you try changing the gateway address here to the address of the CS switch and test again? Do not use the firewall address here.






Author: it@peacepack.co    Time: 2024-4-8 16:37

Dear Micca,

I have already tried that yesterday, but unfortunately it doesn't work.

Author: guominxiang@rui    Time: 2024-4-8 19:54

Did the user get the address after you changed it? That is, has the user's gateway address changed?


Author: it@peacepack.co    Time: 2024-4-8 22:15
Edited by Jim Khor at 2024-4-9 02:34

After changing the gateway to the VLAN IP itself,
that means both the DHCP server and the gateway are the same IP address.
Users are able to get an IP address together with the gateway and DHCP server address.
Inter-VLAN managed to work, but there is no Internet access for the IPs (except the VLAN1 network), even with the FW uplink connected to the Layer 3 switch.

Author: taizhaolong@rui    Time: 2024-4-15 15:41

Dear Jim Khor,

Regarding this issue, could you also provide us with a topology of the network, including the firewall and core switch?

If permitted, you can use an SVI to provide inter-VLAN routing when the firewall is down.

What is an SVI in Networking? Difference Between SVI and VLAN - Ruijie Networks
RD,

David


Author: it@peacepack.co    Time: 2024-4-15 16:46
Edited by Jim Khor at 2024-4-15 16:51

Dear David,
For your reference.





Thank you.

Author: guominxiang@rui    Time: 2024-4-15 20:22

Thank you so much for sharing your topology. Can you share with us the configuration after changing the gateway address? Both switch and firewall please.


Author: it@peacepack.co    Time: 2024-4-16 16:41

Dear Micca,

For your reference.







Author: guominxiang@rui    Time: 2024-4-16 17:59
Hello Jim Khor,
I'm sorry that we can't provide a specific solution for you based on the current information.
Can you help to check the following aspects:
If the issue still exists after that, please help to collect the "show run" result of the CS switch and talk with me again (if you are concerned about the security of your device configuration, you can share it with me by email: guominxiang@ruijie.com.cn). I would be glad to help you in the Community.
Best Regards,
Micca

Author: it@peacepack.co    Time: 2024-4-17 12:10
Dear Micca,

Thank you for your reply.

I have sent you the screenshot and "show run" config file in your email.
Please have a look.

Author: guominxiang@rui    Time: 2024-4-17 14:23
Hello Jim Khor,
I have received your email and checked it.
Please kindly refer to these commands and try to add them on your device.
Ruijie(config)#ip route 0.0.0.0 0.0.0.0 192.168.11.1
Ruijie(config)#ip route 0.0.0.0 0.0.0.0 192.168.10.1
Ruijie(config)#ip route 0.0.0.0 0.0.0.0 192.168.100.1
Ruijie(config)#ip route 0.0.0.0 0.0.0.0 192.168.200.1
Ruijie(config)#ip route 0.0.0.0 0.0.0.0 192.168.250.1
If the issue still exists after that, you can also try adding an administrative distance:
Ruijie(config)#ip route 0.0.0.0 0.0.0.0 192.168.11.1 10     ----> if the destination address is any, it will be forwarded to 192.168.11.1; the administrative distance is 10 (the default administrative distance is 1; the smaller, the better).
For the other routes, you can also add different administrative distance priorities using the same command format.
If the issue still exists, please help to collect the result of "show run" and your test screenshot and talk with me again (if you are concerned about the security of your device configuration, you can share it with me by email: guominxiang@ruijie.com.cn). I would be glad to help you in the Community.

Author: it@peacepack.co    Time: 2024-4-18 13:52
Edited by Jim Khor at 2024-4-18 14:15

Dear Micca,
After trying, the suggested commands only work to grant Internet access if no additional ip route is added.

For example:
ip route 0.0.0.0 0.0.0.0 192.168.11.1 > for VLAN1 (Default)
ip route 0.0.0.0 0.0.0.0 192.168.10.1 > for VLAN10

Tested PCs (Manually Configured, to avoid existing network disruption):
VLAN1:
IP: 192.168.11.34, Subnet Mask: 255.255.255.0, Gateway: 192.168.11.2, DNS Server 8.8.8.8 and 8.8.4.4

VLAN 10:
IP: 192.168.10.5, Subnet Mask: 255.255.255.0, Gateway: 192.168.10.9 (not 192.168.10.2, typo error last time), DNS Server 8.8.8.8 and 8.8.4.4

With the above settings, the PC in VLAN10 is able to ping 8.8.8.8 and gets Internet access; however, it may cause the VLAN1 PC to be unable to ping 8.8.8.8 (or anything), and Internet connectivity becomes slower and inconsistent compared to having only one "ip route 0.0.0.0 0.0.0.0 192.168.11.1" in the console (when running a speedtest.net test, finding a server takes longer than usual).

With the "Administrative Distance" configuration, the VLAN networks are unable to get Internet access and the ping command does not work.




Is there any possibility to have all VLANs get their IP route automatically, instead of just inserting commands and letting the system choose/prioritise
without any conflict? For example, adding an IP ROUTE command in the VLAN interface?


Author: guominxiang@rui    Time: 2024-4-18 14:43

Hello Jim Khor,
As for this issue, I need to double check with my senior and the R&D team. It may take some time to double check with our R&D team. I will reply to the result here and inform you by email. Please pay attention.

Author: guominxiang@rui    Time: 2024-4-18 15:13

Hello Jim Khor,


After our discussion, please check the following aspects:


1. If the user gateway needs to be configured on the firewall, you need to ask the firewall engineer to check whether there are any special configurations or functions on the firewall that prevent users from communicating between VLANs.
2. If the user gateway needs to be configured on the CS switch, you need to ask the firewall engineer to check whether there are return routes on the firewall to each network segment of the CS switch.

If you have any other questions, please feel free to contact me and I will be happy to help you on the community.
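
Micca's second option (user gateways on the CS switch SVIs, firewall holding return routes to the switch-routed segments), written out as an added example; this is not configuration from the thread, from Ruijie or from Fortinet. It assumes the DHCP pool name "vlan10", a FortiGate interface named "internal" facing the switch, and that the firewall no longer has its own interfaces in VLANs 10/100/200/250 (the thread does not say how the vendor finished the routing); only VLAN 10 is shown, the other VLANs follow the same pattern.

```text
! --- Ruijie CS switch (RGOS), added example ---
! Hosts use the switch SVI as their gateway, so inter-VLAN traffic never
! leaves the switch and keeps working when the firewall uplink is down.
service dhcp
!
interface VLAN 1
 ip address 192.168.11.2 255.255.255.0
!
interface VLAN 10
 ip address 192.168.10.9 255.255.255.0
!
! pool name "vlan10" is an assumption; default-router is the SVI,
! not the firewall's 192.168.10.1
ip dhcp pool vlan10
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.9
 dns-server 8.8.8.8 8.8.4.4
!
! a single default route toward the firewall; the five per-VLAN default
! routes tried earlier in the thread are not needed in this design
ip route 0.0.0.0 0.0.0.0 192.168.11.1

# --- FortiGate (FortiOS CLI), added example ---
# Return routes so replies to the switch-routed subnets go back to the
# switch SVI 192.168.11.2; the interface name "internal" is an assumption.
config router static
    edit 0
        set dst 192.168.10.0 255.255.255.0
        set gateway 192.168.11.2
        set device "internal"
    next
    edit 0
        set dst 192.168.100.0 255.255.255.0
        set gateway 192.168.11.2
        set device "internal"
    next
end
```

The firewall still needs a policy that permits the switch-routed subnets out to the WAN; that part is not shown here.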


Author: it@peacepack.co    Time: 2024-4-21 19:42

Dear Micca,

Noted with your suggestion.
I've liaised with my firewall vendor and the IP routing was eventually done.

Thank you.