Your trunk recommendation worked. We found an issue with the native VLAN (vlan1) confusing the traffic on both switch stacks, so we had to change the VLAN on the FortiSwitch for the interface connected to the 5700 for both the DMZ and UAT environments. I am not completely clear WHY it is working, but it works! Thanks for all your help! It is GREATLY appreciated!
Original Message:
Sent: 5/16/2024 4:13:00 AM
From: IanNightingale
Subject: RE: HPE5700 JG898A uplink to FortiSwitch 424
Hi, it is really difficult to troubleshoot issues remotely as I don't fully understand the setup. So here are some generic statements that might help.
Firstly, I recommend that between switches you always have trunk interfaces where all the traffic is tagged. On Comware that is where you have the "trunk port permit vlan ...." statement but no pvid statement.
Only have untagged traffic on access ports (directly connecting to end devices). This makes things consistent and team members will know what to expect/design. It avoids an untagged vlan12 passing into vlan13 because the two ends of a link have a mismatch of untagged/pvid configs.
Hybrid ports should not be used between switches. Think of them as dynamic VLAN ports. They are used for edge ports where you might change the VLAN of traffic going out said interface based on RADIUS authentication of the connected device/user. For connecting switches or routers together, always use trunk ports.
So your Cisco router is by default tagged traffic because of the sub interface 0/0/1.35
Fortiswitch has tagged traffic on port28:
edit "port28"
set allowed-vlans 1,4,35
After that I'm lost. I can see the description on the HP switch states it links to port27, but that has config in the post of:
edit "port27"
set native-vlan 35
set snmp-index 27
Which is untagged vlan35 (native) but the interface on the HP itself has vlan35 as tagged.
I would first test that the FS switch can see/ping the Cisco. Then I would configure each end of the link between FS and HP switches to have tagged traffic with all needed vlans tagged. Something like:
edit "port28"
set allowed-vlans 1,4,35
edit "port27"
set allowed-vlans 1,4,35
interface Ten-GigabitEthernet2/0/37
description UAT Link to AWS-DC-FortiSwitch 424E-Fiber port 27 Ten-GigabitEthernet2/0/37
port link-type trunk
port trunk permit vlan 35 4
Then check if the MAC address of the router of FS switch appears on the HP switch. Do not proceed to test end to end (e.g. a device off the HP switch) until the HP switch itself can see the right MAC addresses on the right VLANs.
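As an added illustration (not part of the thread), the following Python model plays the tagged/untagged rules above over the HP-to-FortiSwitch link in both states: the posted config (HP hybrid with vlan 1 untagged, FortiSwitch port27 native-vlan 35) and the recommended tagged-only trunks. Port settings mirror the quoted configs; it assumes no native/PVID on either end of the corrected link and uses constructed frames as input.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class Port:
    name: str
    allowed: FrozenSet[int]    # VLANs carried tagged (Comware "permit" / FS "allowed-vlans")
    native: Optional[int]      # PVID / native-vlan carried untagged, or None for a pure trunk

def egress(port, vlan):
    """Frame as it leaves the port: ("tagged", v), ("untagged", None) or None if dropped."""
    if port.native is not None and vlan == port.native:
        return ("untagged", None)
    if vlan in port.allowed:
        return ("tagged", vlan)
    return None

def ingress(port, frame):
    """VLAN the receiving port assigns to the frame, or None if it discards it."""
    if frame is None:
        return None
    kind, tag = frame
    if kind == "untagged":
        return port.native          # untagged frames land in the PVID/native VLAN (None = dropped)
    return tag if tag in port.allowed else None

def deliver(src, dst, vlan):
    """VLAN a frame from `vlan` on the near switch ends up in on the far switch."""
    return ingress(dst, egress(src, vlan))

# State from the original post: HP hybrid port (vlan 35 tagged, vlan 1 untagged)
# facing FortiSwitch port27 with native-vlan 35 and no allowed-vlans.
hp_hybrid = Port("Ten-GigabitEthernet2/0/37", frozenset({35}), native=1)
fs_port27_native35 = Port("port27", frozenset(), native=35)

# Recommended state: tagged-only trunks on both ends, no PVID/native on either
# (assumption: the FortiSwitch native-vlan is left unused, as the advice implies).
hp_trunk = Port("Ten-GigabitEthernet2/0/37", frozenset({4, 35}), native=None)
fs_port27_trunk = Port("port27", frozenset({1, 4, 35}), native=None)

def compare():
    """Map {source VLAN on HP: VLAN seen on FS} for both link configurations."""
    before = {v: deliver(hp_hybrid, fs_port27_native35, v) for v in (1, 35)}
    after = {v: deliver(hp_trunk, fs_port27_trunk, v) for v in (1, 35)}
    return before, after

if __name__ == "__main__":
    before, after = compare()
    print("mismatched native VLANs:", before)  # {1: 35, 35: None}  vlan1 leaks into vlan35
    print("tagged trunk both ends: ", after)   # {1: None, 35: 35}
```

The first result shows the segmentation failure the advice warns about: HP vlan 1 arrives untagged and is classified as vlan 35 on the FortiSwitch, while tagged vlan 35 is discarded; with trunks on both ends only vlan 35 crosses, tagged.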
Original Message:
Sent: May 14, 2024 07:59 PM
From: jerryroy1
Subject: HPE5700 JG898A uplink to FortiSwitch 424
OK, the trunk was unsuccessful, and we believe it is because both switch stacks (DBNET) and (DMZNET) have a vlan1 and it gets confused in the FS. How I got around the HP DMZ vlan1 was by placing a random VLAN (vlan4) on the FortiSwitch (FS going forward) port 26 that is connected to the DMZ switch stack; the port on the HP is set as an access port. I have been unsuccessful in getting vlan 35 to pass any traffic.
I was thinking of abandoning the splitting of the VLANs on the FS (DMZ stack vlan 1 and vlan 35). What should the HP config be set to? Trunk or hybrid? I need to make sure vlan1 on DMZ is not being tagged as vlan1.
Cisco still:
interface TenGigabitEthernet0/0/1
description "Prod DBNET access"
ip address 192.168.51.249 255.255.254.0
no ip proxy-arp
ip nbar protocol-discovery
!
interface TenGigabitEthernet0/0/1.4
encapsulation dot1Q 4
ip address 10.1.0.4 255.255.254.0
!
interface TenGigabitEthernet0/0/1.35
encapsulation dot1Q 35
ip address 10.10.2.4 255.255.255.0
HP5700
FS
config switch vlan
edit 1
set description "dbnet"
next
edit 4
set description "dmz"
next
edit 35
set description "UAT"
next
end
config switch interface
edit "port25"
set snmp-index 25
next
edit "port26"
set native-vlan 4
set allowed-vlans 4,35
set snmp-index 26
next
edit "port27"
set packet-sampler enabled
set packet-sample-rate 1
set snmp-index 27
next
edit "port28"
set allowed-vlans 4,35
set edge-port disabled
set snmp-index 28
next
edit "internal"
set allowed-vlans 1,4,35
set stp-state disabled
set snmp-index 29
next
config system interface
edit "internal"
set ip 192.168.50.41 255.255.254.0
set allowaccess ping https ssh
set type physical
set alias "internal"
set snmp-index 30
next
edit "uat"
set ip 10.10.2.7 255.255.255.0
set allowaccess ping http ssh
set alias "UAT"
set snmp-index 32
set vlanid 35
set interface "internal"
next
Thanks for Looking!
Jerry
Jerry Roy, Sr. Network Engineer
BirchStreet Systems
Original Message:
Sent: 5/14/2024 4:20:00 PM
From: IanNightingale
Subject: RE: HPE5700 JG898A uplink to FortiSwitch 424
Hi, I would be careful about pinging a laptop because some have a firewall that prevents that. Always start troubleshooting at layer 1 (link up?) and then layer 2 (is the MAC address on the attached switch?).
Next, is the ARP entry there?
If your laptop is plugged into port 1 I would expect connectivity. If not, use:
display interface brief | include UP
display mac-address
display arp
Original Message:
Sent: 5/14/2024 2:41:00 PM
From: jerryroy1
Subject: RE: HPE5700 JG898A uplink to FortiSwitch 424
Does this look right? I am trying to ping from the switch to a laptop that is in the vlan35 subnet and get no response. Is it sourcing from the switch IP?
Original Message:
Sent: May 14, 2024 04:50 AM
From: IanNightingale
Subject: HPE5700 JG898A uplink to FortiSwitch 424
Hi, if my reading of this is right you want port 27 on the Fortiswitch to talk to port 37 on the HP. The Fortiswitch has vlan35 native on that port.
Here is an example config that would work for that port:
interface Ten-GigabitEthernet2/0/37
description UAT Link to AWS-DC-FortiSwitch 424E-Fiber port 27 Ten-GigabitEthernet2/0/37
port link-type trunk
port trunk permit vlan 35
port trunk pvid vlan 35
For any other port that you want to configure, use the same template with the permit vlan line having every VLAN you want on it and the pvid line having just the one that should be native/untagged.
Original Message:
Sent: May 13, 2024 09:34 PM
From: jerryroy1
Subject: HPE5700 JG898A uplink to FortiSwitch 424
We have a switch stack of 4 HPE5700 and I am unable to figure out how to get it to talk to a new FortiSwitch 424e. If I configure one way, I can get the HP and the FortiSwitch to ping each other on a vlan35 interface that I have assigned an IP on each, but I cannot ping further upstream to a Cisco router with an IP also in vlan 35. If I reconfigure the FortiSwitch, it will talk to the Cisco but not to the HP5700 any longer. I don't understand what I am doing wrong.
The HP switch stack has a native vlan1 and a vlan 35. I only want vlan 35 to talk to the FortiSwitch. Do I make the uplink port on the HP native for vlan35? Should it be access, trunk or hybrid? Here is what I have it set as now. I can ping between Cisco and Fortinet but never reach HP switch vlan35. As a side note, the FortiSwitch has 4 10G ports and I want to use them all: one for the AWS side with BGP (working), one for DBNET (inside, working), one for DMZ (working), but UAT (in yellow) is not working.
HP Switch Config:
interface Ten-GigabitEthernet2/0/37
description UAT Link to AWS-DC-FortiSwitch 424E-Fiber port 27 Ten-GigabitEthernet2/0/37
port link-type hybrid
port hybrid vlan 35 tagged
port hybrid vlan 1 untagged
Do I set the FortiSwitch port as vlan 35 as well?
FortiSwitch Config:
config switch vlan
edit 1
set description "dbnet"
next
edit 4
set description "dmz"
next
edit 35
set description "UAT"
next
config switch interface
edit "port25"
set snmp-index 25
next
edit "port26"
set native-vlan 4
set snmp-index 26
next
edit "port27"
set native-vlan 35
set snmp-index 27
next
edit "port28"
set allowed-vlans 1,4,35
set edge-port disabled
set snmp-index 28
next
edit "internal"
set allowed-vlans 1,4,35
set stp-state disabled
set snmp-index 29
next
config system interface
edit "uat"
set ip 10.10.2.7 255.255.254.0
set allowaccess ping http ssh
set alias "UAT"
set vlanid 35
set interface "internal"
next
Cisco config
interface TenGigabitEthernet0/0/1.35
encapsulation dot1Q 35
ip address 10.10.2.4 255.255.255.0