
Aruba 2930f with Fortigate

  • 1.  Aruba 2930f with Fortigate

    Posted May 04, 2021 10:19 AM

    Hi,

    I have a legacy Aruba 2930F with several VLANs and inter-VLAN routing. As the ACLs are getting more and more complicated, we decided to buy a FortiGate and use it for the routing and for the ACLs between the VLANs.

    I'd like to introduce as few changes as possible: keep the same gateway address for every VLAN, move those gateway IPs to the FortiGate, remove routing from the switch and let the FortiGate do it.

    Does this make sense to you? Any tips? I'm pretty much a newbie on the Aruba side, but strong on the FortiGate side.

    Thanks for your help,

    Iñaki

     


    #fortigate
    #2930F


  • 2.  RE: Aruba 2930f with Fortigate

    Posted May 04, 2021 10:20 AM

    ; Running config of an Aruba 2930F VSF stack (two JL253A members) that is
    ; currently the inter-VLAN router for VLANs 1/20/30/40/50.  Lines starting
    ; with ';' are comments and are ignored when the file is loaded.  The paste
    ; is not complete (the manager password hash, at least, was stripped).
    ;
    ; --- VSF stacking: the two members are bonded over ports 25-26 of each unit ---
    vsf
    enable domain 1
    member 1
    type "JL253A" mac-address 3821c7-295180
    ; both members keep the default priority 128, so neither is preferred as commander
    priority 128
    link 1 1/25-1/26
    link 1 name "I-Link1_1"
    ; link 2 is named on both members but has no ports assigned
    link 2 name "I-Link1_2"
    exit
    member 2
    type "JL253A" mac-address 3821c7-29a100
    priority 128
    link 1 2/25-2/26
    link 1 name "I-Link2_1"
    link 2 name "I-Link2_2"
    exit
    port-speed 10g
    exit
    ; --- management sessions (values in seconds): 3600 s = 60 min on the console,
    ; 6000 s = 100 min for the web UI.  Both are long for admin sessions; tighten
    ; them once the migration is done.
    console idle-timeout 3600
    ; single-port static trunk on 2/1, referenced as Trk1 in the VLAN sections
    trunk 2/1 trk1 trunk
    ; time source is unicast NTP to 147.156.7.50, a public, unauthenticated server;
    ; the 'ip timep' line further down is inactive while timesync is ntp
    timesync ntp
    ntp unicast
    ntp server 147.156.7.50
    ntp enable
    time timezone 60
    web-management idle-timeout 6000
    ; --- inter-VLAN policy.  All three ACLs are blocklists: a few explicit denies
    ; followed by rule 100 'permit ip any any' (0.0.0.0 255.255.255.255 is the
    ; wildcard form of 'any'), so anything not listed - including traffic to the
    ; switch's own VLAN addresses - is allowed.  They are applied as inbound RACLs
    ; ('ip access-group ... in' under each VLAN), i.e. they act on traffic this
    ; stack routes; once 'ip routing' and the VLAN addresses move to the
    ; FortiGate they filter nothing, so the equivalent policy must exist on the
    ; FortiGate before cut-over.  Wildcard masks: 0.0.1.255 = /23
    ; (192.168.20.0-192.168.21.255), 0.0.0.255 = /24, 0.0.0.0 = single host.
    ;
    ; acl20 (VLAN 20 OFICINA -> VLAN 40 BACKUP): rule 5 is presumably meant to
    ; let OFICINA answer TCP sessions opened from BACKUP; rule 15 denies
    ; everything else towards BACKUP.  NOTE(review): 'established' only checks the
    ; ACK/RST flags, so any crafted packet with ACK set passes rule 5.
    ip access-list extended "acl20"
    5 permit tcp 192.168.21.1 0.0.1.255 192.168.40.1 0.0.0.255 established
    15 deny ip 192.168.21.1 0.0.1.255 192.168.40.1 0.0.0.255
    100 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
    exit
    ; acl30 (VLAN 30 PLANTA): host 192.168.30.105 may send UDP and ICMP to
    ; 192.168.1.15 and 192.168.1.16; the rest of the VLAN is denied to the other
    ; internal subnets and permitted everywhere else.  NOTE(review): the trailing
    ; '0' on rules 11/12 is the ICMP type, i.e. echo-reply only (echo-request is
    ; type 8) - confirm that is what was intended.  Nothing here limits what
    ; PLANTA can send to the switch's own 192.168.30.1 address.
    ip access-list extended "acl30"
    3 permit udp 192.168.30.105 0.0.0.0 192.168.1.15 0.0.0.0
    4 permit udp 192.168.30.105 0.0.0.0 192.168.1.16 0.0.0.0
    11 permit icmp 192.168.30.105 0.0.0.0 192.168.1.15 0.0.0.0 0
    12 permit icmp 192.168.30.105 0.0.0.0 192.168.1.16 0.0.0.0 0
    50 deny ip 192.168.30.1 0.0.0.255 192.168.1.1 0.0.0.255
    ; 192.168.20.1 0.0.1.255 covers the same /23 as 192.168.21.1 0.0.1.255 elsewhere
    60 deny ip 192.168.30.1 0.0.0.255 192.168.20.1 0.0.1.255
    70 deny ip 192.168.30.1 0.0.0.255 192.168.40.1 0.0.0.255
    80 deny ip 192.168.30.1 0.0.0.255 10.5.50.1 0.0.0.255
    100 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
    exit
    ; acl50 (VLAN 50 INVITADOS, guests): denied to the four internal subnets,
    ; permitted everywhere else (Internet).  The switch's own guest-side address
    ; 10.5.50.1 is not covered by any deny, so if this RACL also sees
    ; switch-destined traffic (verify for this release) guests can still reach
    ; the switch's management services on it; no 'ip authorized-managers'
    ; appears in this excerpt to narrow that.
    ip access-list extended "acl50"
    20 deny ip 10.5.50.1 0.0.0.255 192.168.1.1 0.0.0.255
    30 deny ip 10.5.50.1 0.0.0.255 192.168.21.1 0.0.1.255
    40 deny ip 10.5.50.1 0.0.0.255 192.168.40.1 0.0.0.255
    50 deny ip 10.5.50.1 0.0.0.255 192.168.30.1 0.0.0.255
    100 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
    exit
    ; 'ip default-gateway' is only used while 'ip routing' is off; with routing
    ; on, the static default route below (next hop 192.168.1.254 on VLAN 1,
    ; presumably the existing edge firewall) is what applies
    ip default-gateway 192.168.1.254
    ; TIMEP server - inactive, 'timesync ntp' above selects NTP
    ip timep manual 192.168.1.109
    ip route 0.0.0.0 0.0.0.0 192.168.1.254
    ; this makes the stack the inter-VLAN router; it is what the poster wants to
    ; hand over to the FortiGate
    ip routing
    interface 1/3
    name "vnic1 ESXI01"
    exit
    ; dynamic LACP: 1/23 (active) and 2/23 (passive) share key 10, presumably
    ; one aggregate across both stack members to the same partner; 1/24 and 2/24
    ; are LACP active with the default key
    interface 1/23
    lacp key 10
    lacp active
    exit
    interface 1/24
    lacp active
    exit
    interface 1/28
    name "vnic3 ESX01"
    exit
    interface 2/23
    lacp key 10
    lacp passive
    exit
    interface 2/24
    lacp active
    exit
    ; SECURITY: the default community name "public" with 'unrestricted'
    ; (read-write) MIB access, and no 'ip authorized-managers' in this excerpt,
    ; means anyone on VLAN 1/20/30/40/50 who can reach a switch address can read
    ; and write over SNMPv2c.  Replace with a non-default community at
    ; 'restricted' access, or better SNMPv3, and restrict managers - do this
    ; independently of the FortiGate migration.
    snmp-server community "public" unrestricted
    ; --- VLANs.  Management lives on VLAN 1 (192.168.1.1), the default VLAN that
    ; most access ports are untagged in.  192.168.1.109 (helper and TIMEP
    ; address) is presumably the DHCP server - confirm.
    vlan 1
    name "DEFAULT_VLAN"
    no untagged 1/2,1/6-1/7,1/13,1/20,1/27,2/2,2/7,2/9,2/11,2/15-2/20
    untagged 1/1,1/3-1/5,1/8-1/12,1/14-1/19,1/21-1/24,1/28,2/3-2/6,2/8,2/10,2/12-2/14,2/21-2/24,2/27-2/28,Trk1
    ip address 192.168.1.1 255.255.255.0
    ; DHCP relay; the helper addresses follow the gateway when it moves
    ip helper-address 192.168.1.109
    ; IPv6 with SLAAC on VLANs 1/20/30.  The ACLs above are IPv4-only and do not
    ; constrain IPv6; no 'ipv6 unicast-routing' is visible, so the stack
    ; presumably does not route IPv6 - verify before relying on that.
    ipv6 enable
    ipv6 address autoconfig
    exit
    vlan 20
    name "OFICINA"
    untagged 1/2,1/6,1/20,2/2,2/11,2/15-2/20
    tagged 1/1,1/3-1/4,1/8,1/13-1/16,1/23-1/24,1/28,2/3-2/4,2/8,2/23-2/24,2/27-2/28,Trk1
    ip access-group "acl20" in
    ; /23: 192.168.20.0-192.168.21.255
    ip address 192.168.21.1 255.255.254.0
    ip helper-address 192.168.1.109
    ipv6 enable
    ipv6 address autoconfig
    exit
    vlan 30
    name "PLANTA"
    untagged 1/7,1/13,2/7,2/9
    tagged 1/1,1/3-1/4,1/8,1/15,1/23,1/28,2/3-2/4,2/8,2/23-2/24,2/27-2/28,Trk1
    ip access-group "acl30" in
    ip address 192.168.30.1 255.255.255.0
    ip helper-address 192.168.1.109
    ipv6 enable
    ipv6 address autoconfig
    exit
    ; VLAN 40 has no inbound ACL: traffic from BACKUP to any other VLAN is only
    ; limited by the denies on the destination side, of which there are none
    vlan 40
    name "BACKUP"
    untagged 1/27
    tagged 1/1,1/3-1/4,1/15,1/23,1/28,2/3-2/4,2/23,2/27-2/28,Trk1
    ip address 192.168.40.1 255.255.255.0
    ip helper-address 192.168.1.109
    exit
    ; guest VLAN: tagged only (no untagged ports), presumably delivered to
    ; APs/hypervisors; the switch's internal DHCP server serves it
    vlan 50
    name "INVITADOS"
    tagged 1/1,1/8,1/13-1/16,1/23-1/24,2/8,2/23-2/24,2/27-2/28,Trk1
    ip access-group "acl50" in
    ip address 10.5.50.1 255.255.255.0
    dhcp-server
    exit
    ; STP port priority on Trk1 lowered from the default 8 to 4 (preferred on ties)
    spanning-tree Trk1 priority 4
    ; good: TFTP server, USB autorun and DHCP-driven config/image updates are off
    no tftp server
    no autorun
    no dhcp config-file-update
    no dhcp image-file-update
    ; guest DHCP pool.  default-router is this stack's VLAN 50 address; if the
    ; gateway moves to the FortiGate this must change (or the pool moves with it).
    ; DNS is Google public DNS.
    dhcp-server pool "INVITADOS"
    default-router "10.5.50.1"
    dns-server "8.8.8.8,8.8.4.4"
    network 10.5.50.0 255.255.255.0
    range 10.5.50.10 10.5.50.250
    exit
    dhcp-server enable
    ; manager password is set (hash removed from the paste); no 'password operator'
    ; line appears in this excerpt
    password manager



  • 3.  RE: Aruba 2930f with Fortigate

    EMPLOYEE
    Posted May 07, 2021 11:34 AM

    Hello,

    What exactly do you want to change in the config?

    Only the gateway, or are you changing the rules as well?

    Changing the rules depends on the customer's requirements.

    Thanks!



  • 4.  RE: Aruba 2930f with Fortigate

    Posted May 10, 2021 04:07 AM

    I haven't changed anything yet. What to change is exactly what I wanted to know.



  • 5.  RE: Aruba 2930f with Fortigate

    EMPLOYEE
    Posted May 12, 2021 02:55 AM

    Hello,

     

    This request needs the intervention of Support.

     

    We request you to log a case on HPE Support Center portal for further resolution using the link: https://support.hpe.com/hpesc/public/home/

     

    Thanks!