Wired Intelligent Edge

Good evening,
  I am very sorry bringing this here but I am new to this and have tried a lot of Youtube videos and trawled through Fortinet threads and Aruba ones here (as well as Spiceworks) to try and find some pointers.
Fortigate switch
I have an interface on the Fortigate with an interface address of 10.10.1.1/24 and DHCP of 10.10.1.2/24
I've added a VLAN to it with an interface address of 10.10.10.1/24 and DHCP of 10.10.10.2/24.  the VLAN ID is 10.

Aruba 2530 switch
I've factory reset an Aruba 2530 and connected the Aruba switch port 50 to my Fortigate interface with the VLAN.  Any ethernet device I plug in to any port 1-48 gets a 10.10.1.x address and can access the internet.
Using the Aruba web GUI I've created a matching VLAN with ID 10.  I've tagged ports 13, 14 and port 50 on VLAN 10.  I've set the default gateway for the VLAN to 10.10.10.1 and left IP configuration as disabled.  
I untagged ports 13 and 14 from the default VLAN.

If I plug something in to port 13 or 14 it still gets a 10.10.1.x address and not a 10.10.10.x address.  I'm not sure how to pass through the DHCP or what to do on the Aruba VLAN for DHCP.

Has anyone any ideas? 
thank you
Paul

------------------------------
Paul McGrath
------------------------------

Hello Paul, given what you said your FortiGate 600D firewall is acting as IPv4 Router (for VLAN 1 Subnet 10.10.1.0/24 SVI 10.10.1.1/32 and VLAN 10 Subnet 10.10.10.0/24 SVI 10.10.10.1/32) and DHCP Server with Pools on both VLANs.

Being the Aruba 2530 just a Layer 2 switch you correctly uplinked one of its ports - the port 50 - to the FortiGate 600D designated LAN side interface and configured that port to be untagged member of VLAN 1 and tagged member of VLAN 10.

The Aruba 2530 has been set with a free IP Address on VLAN 10 (as example 10.10.10.254)? I ask because you said you set the Default Gateway of the switch to 10.10.10.1 (the FortiGate 600D IP Address on VLAN 10).

Technically speaking the only thing you need to do is to configure some ports as untagged on VLAN 1 only (Access ports on VLAN 1) and some other as untagged on VLAN 10 (Access ports on VLAN 10) and then connect one host on a VLAN 1 Access port and one other host on a VLAN 10 Access port. Each hosts should receive its IP Address by the DHCP (FortiGate 600D) within its VLAN id and should also be able (with the properly set DHCP IP Address or via manually set static IP Address) to ping its respective VLAN's SVI IP Address (FortiGate 600D), ping each others if the firewall permits that (Access Policies).

You can do that?

------------------------------
Davide Poletto
------------------------------

Original Message:
Sent: Sep 07, 2021 01:29 PM
From: Paul McGrath
Subject: Fortinet 600D VLAN not working on Aruba 2530 - how to?

Good evening,
  I am very sorry bringing this here but I am new to this and have tried a lot of Youtube videos and trawled through Fortinet threads and Aruba ones here (as well as Spiceworks) to try and find some pointers.
Fortigate switch
I have an interface on the Fortigate with an interface address of 10.10.1.1/24 and DHCP of 10.10.1.2/24
I've added a VLAN to it with an interface address of 10.10.10.1/24 and DHCP of 10.10.10.2/24.  the VLAN ID is 10.

Aruba 2530 switch
I've factory reset an Aruba 2530 and connected the Aruba switch port 50 to my Fortigate interface with the VLAN.  Any ethernet device I plug in to any port 1-48 gets a 10.10.1.x address and can access the internet.
Using the Aruba web GUI I've created a matching VLAN with ID 10.  I've tagged ports 13, 14 and port 50 on VLAN 10.  I've set the default gateway for the VLAN to 10.10.10.1 and left IP configuration as disabled.  
I untagged ports 13 and 14 from the default VLAN.

If I plug something in to port 13 or 14 it still gets a 10.10.1.x address and not a 10.10.10.x address.  I'm not sure how to pass through the DHCP or what to do on the Aruba VLAN for DHCP.

Has anyone any ideas? 
thank you
Paul

------------------------------
Paul McGrath
------------------------------

Hi Davide,
  thank you for your detailed reply.  so basically my problem was my mis-understanding of the tagging terminology.  I was tagging ports that I wanted in the VLANs instead of untagging!  I posted a message on Spiceworks earlier today and someone came back with a message which was similar to yours which basically told me to 'untag' :-)

The main area was the uplink port tagging so I now have port 50 untagged for (default) VLAN1 and tagged for VLAN10 and VLAN20.  Works great :-)

Now I have everything working as I want.

Thanks again

------------------------------
Paul McGrath
------------------------------

Original Message:
Sent: Sep 08, 2021 03:11 PM
From: Davide Poletto
Subject: Fortinet 600D VLAN not working on Aruba 2530 - how to?

Hello Paul, given what you said your FortiGate 600D firewall is acting as IPv4 Router (for VLAN 1 Subnet 10.10.1.0/24 SVI 10.10.1.1/32 and VLAN 10 Subnet 10.10.10.0/24 SVI 10.10.10.1/32) and DHCP Server with Pools on both VLANs.

Being the Aruba 2530 just a Layer 2 switch you correctly uplinked one of its ports - the port 50 - to the FortiGate 600D designated LAN side interface and configured that port to be untagged member of VLAN 1 and tagged member of VLAN 10.

The Aruba 2530 has been set with a free IP Address on VLAN 10 (as example 10.10.10.254)? I ask because you said you set the Default Gateway of the switch to 10.10.10.1 (the FortiGate 600D IP Address on VLAN 10).

Technically speaking the only thing you need to do is to configure some ports as untagged on VLAN 1 only (Access ports on VLAN 1) and some other as untagged on VLAN 10 (Access ports on VLAN 10) and then connect one host on a VLAN 1 Access port and one other host on a VLAN 10 Access port. Each hosts should receive its IP Address by the DHCP (FortiGate 600D) within its VLAN id and should also be able (with the properly set DHCP IP Address or via manually set static IP Address) to ping its respective VLAN's SVI IP Address (FortiGate 600D), ping each others if the firewall permits that (Access Policies).

You can do that?

------------------------------
Davide Poletto

Original Message:
Sent: Sep 07, 2021 01:29 PM
From: Paul McGrath
Subject: Fortinet 600D VLAN not working on Aruba 2530 - how to?

Good evening,
  I am very sorry bringing this here but I am new to this and have tried a lot of Youtube videos and trawled through Fortinet threads and Aruba ones here (as well as Spiceworks) to try and find some pointers.
Fortigate switch
I have an interface on the Fortigate with an interface address of 10.10.1.1/24 and DHCP of 10.10.1.2/24
I've added a VLAN to it with an interface address of 10.10.10.1/24 and DHCP of 10.10.10.2/24.  the VLAN ID is 10.

Aruba 2530 switch
I've factory reset an Aruba 2530 and connected the Aruba switch port 50 to my Fortigate interface with the VLAN.  Any ethernet device I plug in to any port 1-48 gets a 10.10.1.x address and can access the internet.
Using the Aruba web GUI I've created a matching VLAN with ID 10.  I've tagged ports 13, 14 and port 50 on VLAN 10.  I've set the default gateway for the VLAN to 10.10.10.1 and left IP configuration as disabled.  
I untagged ports 13 and 14 from the default VLAN.

If I plug something in to port 13 or 14 it still gets a 10.10.1.x address and not a 10.10.10.x address.  I'm not sure how to pass through the DHCP or what to do on the Aruba VLAN for DHCP.

Has anyone any ideas? 
thank you
Paul

------------------------------
Paul McGrath
------------------------------

Hi Paul, I'm glad you were able to fix so easily (indeed it was pretty simple in the end).

A nice ArubaOS-Switch CLI command (often forgotten) to troubleshoot potential VLAN membership issues is the show vlan port ethernet <port-id> detail which help to see the physical/logical port VLANs memberships (it's valid also for Links Aggregation = Port Trunking in legacy HP ProVision / current ArubaOS-Switch operating systems' jargons).

You can also "transport" the VLAN 1 as tagged over the uplink from Aruba 2530 port 50 to FortiGate 600D designated LAN port BUT that will require to have the VLAN 1 tagged on the firewall side too, in any case it's good that your network works now as you expected.

------------------------------
Davide Poletto
------------------------------

Original Message:
Sent: Sep 08, 2021 04:41 PM
From: Paul McGrath
Subject: Fortinet 600D VLAN not working on Aruba 2530 - how to?

Hi Davide,
  thank you for your detailed reply.  so basically my problem was my mis-understanding of the tagging terminology.  I was tagging ports that I wanted in the VLANs instead of untagging!  I posted a message on Spiceworks earlier today and someone came back with a message which was similar to yours which basically told me to 'untag' :-)

The main area was the uplink port tagging so I now have port 50 untagged for (default) VLAN1 and tagged for VLAN10 and VLAN20.  Works great :-)

Now I have everything working as I want.

Thanks again

------------------------------
Paul McGrath

Original Message:
Sent: Sep 08, 2021 03:11 PM
From: Davide Poletto
Subject: Fortinet 600D VLAN not working on Aruba 2530 - how to?

Hello Paul, given what you said your FortiGate 600D firewall is acting as IPv4 Router (for VLAN 1 Subnet 10.10.1.0/24 SVI 10.10.1.1/32 and VLAN 10 Subnet 10.10.10.0/24 SVI 10.10.10.1/32) and DHCP Server with Pools on both VLANs.

Being the Aruba 2530 just a Layer 2 switch you correctly uplinked one of its ports - the port 50 - to the FortiGate 600D designated LAN side interface and configured that port to be untagged member of VLAN 1 and tagged member of VLAN 10.

The Aruba 2530 has been set with a free IP Address on VLAN 10 (as example 10.10.10.254)? I ask because you said you set the Default Gateway of the switch to 10.10.10.1 (the FortiGate 600D IP Address on VLAN 10).

Technically speaking the only thing you need to do is to configure some ports as untagged on VLAN 1 only (Access ports on VLAN 1) and some other as untagged on VLAN 10 (Access ports on VLAN 10) and then connect one host on a VLAN 1 Access port and one other host on a VLAN 10 Access port. Each hosts should receive its IP Address by the DHCP (FortiGate 600D) within its VLAN id and should also be able (with the properly set DHCP IP Address or via manually set static IP Address) to ping its respective VLAN's SVI IP Address (FortiGate 600D), ping each others if the firewall permits that (Access Policies).

You can do that?

------------------------------
Davide Poletto

Original Message:
Sent: Sep 07, 2021 01:29 PM
From: Paul McGrath
Subject: Fortinet 600D VLAN not working on Aruba 2530 - how to?

Good evening,
  I am very sorry bringing this here but I am new to this and have tried a lot of Youtube videos and trawled through Fortinet threads and Aruba ones here (as well as Spiceworks) to try and find some pointers.
Fortigate switch
I have an interface on the Fortigate with an interface address of 10.10.1.1/24 and DHCP of 10.10.1.2/24
I've added a VLAN to it with an interface address of 10.10.10.1/24 and DHCP of 10.10.10.2/24.  the VLAN ID is 10.

Aruba 2530 switch
I've factory reset an Aruba 2530 and connected the Aruba switch port 50 to my Fortigate interface with the VLAN.  Any ethernet device I plug in to any port 1-48 gets a 10.10.1.x address and can access the internet.
Using the Aruba web GUI I've created a matching VLAN with ID 10.  I've tagged ports 13, 14 and port 50 on VLAN 10.  I've set the default gateway for the VLAN to 10.10.10.1 and left IP configuration as disabled.  
I untagged ports 13 and 14 from the default VLAN.

If I plug something in to port 13 or 14 it still gets a 10.10.1.x address and not a 10.10.10.x address.  I'm not sure how to pass through the DHCP or what to do on the Aruba VLAN for DHCP.

Has anyone any ideas? 
thank you
Paul

------------------------------
Paul McGrath
------------------------------