1) HP Switch config below 2) Fortinet Policy in attached image

Right now, we are a flat network of roughly 320 wireless devices, and about 100 wired devices. We have a FortiGate 300C firewall with a single internet connection, and a single internal ( connection with an HP zl 5406 hanging off the FG.

Part of my summer plans is to segment off traffic into VLANS, so I am messing around with configuring that now. But, I have an extremely weird issue that I cannot figure out, and Fortinet is blaming on the HP switch.

Flat/Default Vlan 1 Network: Vlan 20:

I have my workstation on the default Vlan. I have a laptop plugged into an untagged port for Vlan 20, and it is obtaining an IP from DHCP just as it should, from the proper scope. On the laptop, I have 4 infinite pings going. (Google DNS), (FortiGate firewall), (DHCP Server), and (My workstation). On my workstation, I have one going for the IP of the laptop (

Google/Firewall/DHCP will be going great on the laptop, but my workstation cannot ping the laptop (Times out), but randomly, for 5-10 minutes, the Firewall will time out (But DHCP/Google keeps going) and on my workstation, the ping to the laptop will kick off like it is supposed to. Then out of nowhere, it goes back to the original performance. The way I have the policy on the firewall configured, neither of them are functioning properly. They should both be able to communicate both ways.

This has been driving me nuts for weeks. Captured packets on the FG from the laptop. When Google/Gateway/DHCP are pinging properly, the source shows as the MAC address of the laptop. When it is failing, the source is the MAC address of the switch. This has baffled me and Fortinet support.

One thing I figured out today is when I go on the HP switch and "clear arp" while Google/Gateway/DHCP are working, it will cause the firewall ping to time out and the ping from my workstation to the laptop will start working temporarily.

Now for some curveballs/other info:

1) This is my second attempt at this Vlan. I originally tried configuring Vlan 200 and it functioned similarly, but when the firewall would time out, so would the Google ping. Now, it is only the firewall.

2) I have a Vlan 30 that has my office printer on it. It functions just fine and acts nothing like this.

3) Enabled STP today and made no change.

4) Enabled IGMP today and made no change.

5) When my workstation can ping the laptop in the Vlan, the laptops cannot ping the firewall. When my workstation cannot ping the laptops, the laptops CAN ping the firewall.

HP Config:

Laptop is port F1. Firewall is A1. Servers are B1-B16. Printer on Vlan 30 is C1.

```
; J8697A Configuration Editor; Created on release #K.15.08.0013
; Ver #02:1b.ef:f6
hostname "SGS-MDF-SW01"
module 1 type j9534a
module 2 type j9536a
module 3 type j9534a
module 4 type j9536a
module 6 type j9536a
cdp mode pass-through
timesync sntp
sntp unicast
sntp 30
sntp server priority 1
time daylight-time-rule continental-us-and-canada
time timezone -360
ip route
ip routing
snmp-server contact "Brandon" location "Middle School - 1st Floor - MDF"
vlan 1
   name "DEFAULT_VLAN"
   no untagged C1,F1
   untagged A1-A24,B1-B22,C2-C24,D1-D22,F2-F22
   ip address
   ip igmp
vlan 20
   name "Phones"
   untagged F1
   tagged A1,B1-B16
   ip address
   ip helper-address
vlan 30
   name "Printers"
   untagged C1
   tagged A1,B1-16
   ip address
   ip helper-address
vlan 40
   name "LS_Lan"
   ip address
   ip helper-address
vlan 50
   name "MS_LAN"
   ip address
   ip helper-address
vlan 60
   name "Wireless"
   ip address
   ip helper-address
vlan 80
   name "Imaging"
   ip address
   ip helper-address
```
  • tagged = trunk ports (a port that needs to carry multiple VLANs' traffic), or nodes that speak VLAN, untagged = nodes that don't speak VLAN. For instance, untagged would be pretty much anything. tagged only would be network infrastructure (including other switches, virtual switches, etc), but might exclude firewalls. TheCleaner's design makes sense. Go back to the drawing board a bit and redesign. Inter-subnet routing (aka "routing" :) ) may be supported by your layer 3 switch, or is by the router within the Fortigate. Note that VLANs are not used for security isolation. Hope this helps – mbrownnyc Apr 17 '13 at 14:36
  • What stinks is the 5406 is being used in my live environment. I guess my new plan will be to move everything off of that switch back to some temporary ones since I am a flat network right now anyway. It sounds like the best approach is to setup a new /30 interface on the firewall and dedicate the 5406 to that for now. Going to leave the servers in the subnet (but probably change to another Vlan) because that will be harder to change the IPs of all servers. What Vlan should tagged (switches) ports be in? Default Vlan? – Brandon Apr 17 '13 at 23:38
  • That's not exactly what needs to happen. Tagged membership should occur for trunk ports, for all VLAN traffic which the trunk port should carry. You probably don't need to tag trunk ports (it's automatic). Look into trunk ports a bit more. Also, you don't necessarily need to isolate everything off. You should be able to test with just spare untagged VLAN ports... try hooking up nodes that you can ping (for instance) on each of the VLANs. Remove the complexity of the firewall for now (as it has its own policy set). I did this testing here when rolling out isolation. – mbrownnyc Apr 18 '13 at 13:03
  • Also, feel free to attach [a Gliffy diagram](http://www.gliffy.com/) of your goal to your original post. And if you don't have one, grab a copy of Visio. – mbrownnyc Apr 18 '13 at 13:06
  • This is what I am working towards: http://i.imgur.com/YYfjdeV.png - This is where I am at: http://i.imgur.com/hRW1Ih7.png I have plenty of untagged ports to play with. I will forgo the /30 idea for the firewall. I think I understand the basic tagged vs untagged, but I don't understand how the firewall should be labeled. When it is not referenced in Vlan 20/30, all traffic just stops except for inter-vlan traffic. It was recommended to setup a static route in the firewall to allow traffic back to the switch, but that didn't do anything. – Brandon Apr 18 '13 at 19:46
  • Consider a VLAN to be like a virtual switch. To inter-physical-switch a virtual switch, you use trunk ports. So... mark your firewall as an untagged access port, anything on VLAN1 (tagged or untagged) on should be able to hit it. Does it not? – mbrownnyc Apr 19 '13 at 10:49
  • Correct. The firewall is untagged in Vlan 1 and my live network is every device on Vlan 1, and it works. What I cannot understand/figure out, is why the device on Vlan 30 can ping the firewall, but my workstation (On Vlan 1) cannot ping the device. Then, after several minutes, it will be the opposite. The device cannot ping the firewall, but my workstation can now ping the device. The connection between Vlan 20 and 30 never seems to break. But connection between Vlan 1 and those two is flaky at best. – Brandon Apr 19 '13 at 13:37
  • Are your workstation and your firewall on the same physical switch? You engineered ahead of yourself. Slowly go back and test each link in the chain. – mbrownnyc Apr 19 '13 at 13:41
  • Yes ... everything being tested/used is directly connected to the 5406. I've tried starting from scratch several times now and have ended up in the same scenario. I'm guessing I just need to narrow it down to one Vlan and get that working, since connection between the 2 is what it should be. – Brandon Apr 19 '13 at 14:08
  • It makes little to no sense that packets to and from untagged access ports, within the same VLAN, within the same switch, are being dropped at seemingly random intervals. What does your STP config look like? – mbrownnyc Apr 19 '13 at 15:18
  • I enabled spanning-tree and that is about it. No change. – Brandon Apr 19 '13 at 16:04
  • So I figured it out. So when the firewall was originally setup in August, they asked about configuring VLANs and I gave them a list of the couple that I knew I'd be messing with. I watched how they did it and copied them. Apparently, with my lack of knowledge at this level of networking, NONE of the configuring needed to happen on the firewall for Vlans. I was on this track before when I realized disabling policies was not affecting traffic, but didn't take it a step further. I deleted all configurations for Vlan 20 and added a static route back to the switch and voilà! Vlan 20 is normal! – Brandon Apr 19 '13 at 16:13
  • Great man! The VLAN config on the Fortigate tags the headers. If you "VLAN tagged" the switch port connected to the Fortigate interface, it would have allowed the "VLAN tagged" traffic to pass. – mbrownnyc Apr 19 '13 at 18:24
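The symptom the poster captured on the FortiGate (the laptop's pings arriving with the laptop's MAC while things worked, and with the switch's MAC while they failed) is exactly what a second layer-3 hop in the path looks like on the wire. The following is an added example, not code from the question or from HP or Fortinet: it reads capture lines in a tcpdump-like "-e" layout and reports any source IP that shows up behind more than one source MAC, plus when each switch happened. The same check is what a defender runs to spot a spoofed or duplicated gateway. The capture lines, MACs and addresses below are constructed placeholders, not values from the thread.

```python
"""Flag source IPs whose frames arrive with more than one source MAC.

Added example (not from the original post). One IP behind two MACs within a
short window means a second device is forwarding for it: here the switch
routing the VLAN while the firewall also had a VLAN interface; in a security
context, a host answering ARP for an address it does not own.
"""
import re
from collections import defaultdict

# Constructed sample in a tcpdump "-e"-like layout:
#   time  src_mac > dst_mac, IP src_ip > dst_ip: payload
# 192.0.2.50 stands in for the laptop, 192.0.2.1 for the firewall,
# 198.51.100.53 for an internet host; all addresses/MACs are made up.
SAMPLE_CAPTURE = """\
10:00:01.000 00:11:22:33:44:55 > aa:bb:cc:dd:ee:01, IP 192.0.2.50 > 192.0.2.1: ICMP echo request
10:00:02.000 00:11:22:33:44:55 > aa:bb:cc:dd:ee:01, IP 192.0.2.50 > 192.0.2.1: ICMP echo request
10:00:03.000 00:11:22:33:44:55 > aa:bb:cc:dd:ee:01, IP 192.0.2.50 > 198.51.100.53: ICMP echo request
10:05:01.000 00:1f:fe:00:00:01 > aa:bb:cc:dd:ee:01, IP 192.0.2.50 > 192.0.2.1: ICMP echo request
10:05:02.000 00:1f:fe:00:00:01 > aa:bb:cc:dd:ee:01, IP 192.0.2.50 > 192.0.2.1: ICMP echo request
10:05:03.000 00:1f:fe:00:00:02 > aa:bb:cc:dd:ee:01, IP 192.0.2.77 > 192.0.2.1: ICMP echo request
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<src_mac>[0-9a-f:]{17}) > (?P<dst_mac>[0-9a-f:]{17}), "
    r"IP (?P<src_ip>[\d.]+) > (?P<dst_ip>[\d.]+):"
)


def parse_line(line):
    """Return the fields of one capture line, or None if it is not in the expected layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def macs_by_ip(lines):
    """Map each source IP to the set of source MACs its frames arrived with."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec:
            seen[rec["src_ip"]].add(rec["src_mac"])
    return seen


def find_flapping(lines):
    """IPs seen behind more than one MAC, each with its MACs sorted."""
    return {ip: sorted(macs) for ip, macs in macs_by_ip(lines).items() if len(macs) > 1}


def mac_changes(lines):
    """Chronological list of (time, ip, previous_mac, new_mac) transitions."""
    last = {}
    changes = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        ip, mac = rec["src_ip"], rec["src_mac"]
        if ip in last and last[ip] != mac:
            changes.append((rec["time"], ip, last[ip], mac))
        last[ip] = mac
    return changes


if __name__ == "__main__":
    lines = SAMPLE_CAPTURE.splitlines()
    for ip, macs in find_flapping(lines).items():
        print(f"{ip} seen behind {len(macs)} MACs: {', '.join(macs)}")
    for when, ip, old, new in mac_changes(lines):
        print(f"{when}: {ip} moved from {old} to {new}")
```

On the sample, 192.0.2.50 is reported behind two MACs with one transition at 10:05:01, while 192.0.2.77 is quiet; on a real capture the transition times line up with the moments a ping path changes, which is the clue the poster was chasing by hand.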

I'm not an HP guy, but why do you need "tagged A1, B1-B16" in vlan 20 or 30?

Since it seems you are allowing inter-vlan routing with "ip routing" command, you shouldn't need tagged ports in those VLANs at all.

The flow should go:

```
VLAN 20 ---> pings ---> routes inter-vlan to default route of
VLAN 20 ---> pings ---> routes inter-vlan on switch to vlan 30
VLAN 20 ---> pings ---> routes inter-vlan to vlan 1
```

Ideal really though should be to move the firewall into its own /30 VLAN or similar. That would make sure intra-vlan broadcast traffic isn't sent to the LAN port on the firewall. Probably not a big deal for you, but still. It also helps with segmenting and a clean design. Same thing for the "servers"...segment them away from VLAN 1 as well if possible...or keep the servers there, and move the clients out of VLAN 1 if that's easier on you.

Let me know if that helps...I can revise my answer based on your responses, but that's all I notice based on the config you posted.

  • I am still a newbie to the whole Vlan concept. I tried typing out my understanding of tagged vs untagged and it didn't read so well. To make it brief, I know that when A1, B1-B16 (Firewall, Servers) is not tagged in either Vlan, external access from the Vlan is lost. Communication between Vlan 20 and 30 still works, but they cannot ping the firewall or any server in Vlan 1. This is very much so a work in progress, and I agree about the servers needing to be on another Vlan, though I just haven't made it that far, yet. – Brandon Apr 16 '13 at 18:21
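The answer's point is that once the switch has `ip routing` and an `ip address` on a VLAN, the switch is that VLAN's router, so tagging the firewall port into the same VLAN only hands the firewall a second path into it (and, as the poster later found, requires matching VLAN interfaces on the FortiGate that turn it into a second gateway). The following is an added example, not the poster's code or an HP tool: it parses the `vlan N` stanzas in the format the question shows, expands port ranges such as `A1-A24` and `B1-16`, lists what each port carries, and flags any non-switch port that is tagged into a VLAN the switch already routes. The config text is a trimmed, constructed version of the question's config with documentation addresses filled in where the post had none; which ports belong to a non-switch device (the firewall on A1) is an assumption the caller passes in.

```python
"""Parse HP ProCurve-style VLAN stanzas and check for a second layer-3 hop.

Added example (not the poster's config or HP tooling). Design rule applied,
taken from the answer: with `ip routing` on and an `ip address` on a VLAN,
the switch routes that VLAN, so a non-switch device (the firewall uplink)
should be an untagged access port, not tagged into routed VLANs.
"""
import re

# Constructed sample: the shape of the question's config with made-up
# documentation-range addresses (the original post had them stripped).
SAMPLE_CONFIG = """\
ip routing
vlan 1
   name "DEFAULT_VLAN"
   no untagged C1,F1
   untagged A1-A24,B1-B22,C2-C24
   ip address 192.0.2.2 255.255.255.0
vlan 20
   name "Phones"
   untagged F1
   tagged A1,B1-B16
   ip address 192.0.2.129 255.255.255.192
vlan 30
   name "Printers"
   untagged C1
   tagged A1,B1-16
   ip address 192.0.2.193 255.255.255.192
vlan 40
   name "LS_Lan"
   ip address 198.51.100.1 255.255.255.0
"""

# A1, A1-A24 and B1-16 (slot letter optional after the dash) are all accepted.
PORT_RE = re.compile(r"^([A-Z])(\d+)(?:-(?:[A-Z])?(\d+))?$")


def expand_ports(spec):
    """Expand 'A1-A24,B1-16,F1' into ['A1', ..., 'A24', 'B1', ..., 'B16', 'F1']."""
    ports = []
    for item in spec.split(","):
        m = PORT_RE.match(item.strip())
        if not m:
            raise ValueError(f"unrecognised port spec: {item!r}")
        slot, first, last = m.group(1), int(m.group(2)), m.group(3)
        last = int(last) if last else first
        ports.extend(f"{slot}{n}" for n in range(first, last + 1))
    return ports


def parse_config(text):
    """Return (ip_routing_enabled, {vlan_id: {name, untagged, tagged, routed}})."""
    routing = False
    vlans = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line == "ip routing":
            routing = True
            continue
        m = re.match(r"^vlan (\d+)$", line)
        if m:
            current = vlans.setdefault(
                int(m.group(1)),
                {"name": "", "untagged": set(), "tagged": set(), "routed": False},
            )
            continue
        if current is None:
            continue  # global lines this model ignores (sntp, snmp, ...)
        if line.startswith("name "):
            current["name"] = line[5:].strip('"')
        elif line.startswith("no untagged "):
            current["untagged"] -= set(expand_ports(line[12:]))
        elif line.startswith("untagged "):
            current["untagged"] |= set(expand_ports(line[9:]))
        elif line.startswith("tagged "):
            current["tagged"] |= set(expand_ports(line[7:]))
        elif line.startswith("ip address "):
            current["routed"] = True  # the switch has an interface in this VLAN
    return routing, vlans


def port_membership(vlans, port):
    """Map one port to {vlan_id: 'untagged' | 'tagged'}."""
    result = {}
    for vid, v in vlans.items():
        if port in v["untagged"]:
            result[vid] = "untagged"
        elif port in v["tagged"]:
            result[vid] = "tagged"
    return result


def second_hop_warnings(text, non_switch_ports):
    """(port, vlan) pairs where a non-switch port is tagged into a VLAN the switch routes."""
    routing, vlans = parse_config(text)
    if not routing:
        return []  # switch is layer-2 only; trunking VLANs to a router is then expected
    return sorted(
        (port, vid)
        for port in non_switch_ports
        for vid, how in port_membership(vlans, port).items()
        if how == "tagged" and vlans[vid]["routed"]
    )


if __name__ == "__main__":
    _, vlans = parse_config(SAMPLE_CONFIG)
    print("A1 carries:", port_membership(vlans, "A1"))
    print("second-hop warnings:", second_hop_warnings(SAMPLE_CONFIG, ["A1"]))
```

With the firewall on A1 the checker reports A1 tagged into routed VLANs 20 and 30, which is the condition the answer says should not be needed; F1 (an untagged phone port) produces nothing.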

All configuration of Vlans on the firewall needed to be removed. Only needed to add a static route for each vlan subnet that pointed back to the switch.

Mission accomplished. I might have a drink now.
