
May 19th, 2022 17:00

Set up a DMZ and cannot ping default gateway and Layer 2 switch

Hello, I am hoping someone can please help me. I am trying to set up a DMZ network. My setup is as follows:

2 x clustered fortigate 300e firewalls

2 x stacked Dell core switches S4048-ON in Layer 2 mode

2 x VMWare 6.7 ESXi hosts

I have created the DMZ zone on the fortigates and set the IP to 192.168.30.1 on this interface on port 6.

I have created vlan 30 on the Dell switches. 

I have created port-channel 30 which is connected directly to my 2 x ESXi hosts.

I have created a vSwitch in vCenter for the port-channel 30 uplinks and I have assigned vlan 30 to this vSwitch. The VM I am testing with has this new vSwitch added and I have statically set the IP on this to 192.168.30.10/24 with default gateway of 192.168.30.1 (which is the interface on port 6 on the fortigate firewall).

I am thinking that the issue is on the switch and before I travel to the datacentre to break the port-channel I thought I would post here on this community in case I have missed something. Any help from anyone would be greatly appreciated.

Here is how I have setup my ports, port-channel and vlan on the switch.

interface Vlan 30
description *** uplinks to ESXi's to vmnic0 ***
no ip address
tagged TenGigabitEthernet 1/17
tagged TenGigabitEthernet 2/17
tagged Port-channel 30
no shutdown

interface Port-channel 30
description "ESXI-01 and ESXI-02 Port Channel for the DMZ network"
no ip address
portmode hybrid
switchport
no shutdown

interface TenGigabitEthernet 1/17
description *** vlan 30 DMZ uplink to esxi-01 on vmnic0 ***
no ip address
portmode hybrid
switchport
no shutdown

interface TenGigabitEthernet 1/18
description *** uplink to Fortigate port 6 ***
no ip address
portmode hybrid
switchport
no shutdown

Points to add. The ESXi hosts are directly connected to the dell core switches. The Dell core switches are directly connected to the fortigate firewalls.

I have inherited this environment. I have set up VMWare environments in the past and connected them to layer 3 Dell switches and never had a problem. I would set an IP on the vlan, connect my hosts to this and then add a static route to point the vlan to the interface on the firewall port that it is connected to. This is my first attempt at a config using layer 2.

Port information for TE1/17 and TE2/17, which are my uplinks from the Dell switches to my 2 x ESXi hosts: they are tagged in another vlan (vlan 100).

As it stands when I try to ping 192.168.30.1 from my VM which has IP 192.168.30.10 it times out. I have enabled ping on the DMZ zone I setup on the fortigates. Thank you for any assistance.


May 23rd, 2022 18:00

I have resolved my issue. It was not ACLs but in fact it was my vSwitch that was the issue. I found this on VMWare's website. It's not really a Dell switch issue, however I will post this here in case it helps someone out there in the community.

When I added my vSwitch I had assigned the vlan ID as 30 however....

External Switch Tagging (EST)

  • All VLAN tagging of packets is performed on the physical switch.
  • ESXi/ESX host network adapters are connected to access ports on the physical switch.
  • The portgroups connected to the virtual switch must have their VLAN ID set to 0

So I changed the vlan ID on the new DMZ vSwitch to 0 and VOILA, it pings. Case closed.
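An added example (my own, not code from the thread, from Dell or from VMware) that models the 802.1Q membership the posted switch printouts describe, so a port-group VLAN ID can be checked against the switch side before anyone drives to the datacentre. It parses the show interface switchport output posted for Te1/17. The Te1/18 membership is constructed from the posted running config (the interface Vlan 30 block tags Te1/17, Te2/17 and Po30 but not Te1/18), and the model assumes the FortiGate sends untagged frames from the physical port 6 interface that holds 192.168.30.1. All function names are mine; VGT (port-group ID 4095) is not modelled.

```python
import re

# Constructed sample: the "show interface switchport te1/17" output posted in the thread.
TE1_17_SHOW = """\
Description: *** vlan 30 DMZ uplink to esxi-01 vmnic0 ***
802.1QTagged: Hybrid
Vlan membership:
Q Vlans
U 1
T 30,100

Native VlanId: 1.
"""

# Assumption: Te1/18 (uplink to FortiGate port 6) is a hybrid switchport that the
# posted "interface Vlan 30" block does not list, so it is modelled as an untagged
# member of VLAN 1 only. Constructed equivalent, not output from the thread.
TE1_18_SHOW = """\
Description: *** uplink to Fortigate port 6 ***
802.1QTagged: Hybrid
Vlan membership:
Q Vlans
U 1

Native VlanId: 1.
"""


def expand_vlan_list(spec):
    """Expand a Dell-style VLAN list such as '30,100' or '10-12,30' into a set of ints."""
    vids = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            vids.update(range(int(lo), int(hi) + 1))
        else:
            vids.add(int(part))
    return vids


def parse_switchport(text):
    """Parse the 'U'/'T' membership lines and the native VLAN of a switchport printout."""
    port = {"untagged": set(), "tagged": set(), "native": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^([UT])\s+([\d,\-]+)$", line)
        if m:
            key = "untagged" if m.group(1) == "U" else "tagged"
            port[key].update(expand_vlan_list(m.group(2)))
            continue
        m = re.match(r"^Native VlanId:\s*(\d+)", line)
        if m:
            port["native"] = int(m.group(1))
    return port


def ingress_vlan(port, tag):
    """VLAN the switch places an arriving frame in; tag=None means an untagged frame.
    Untagged frames go to the native VLAN when the port is an untagged member of it;
    tagged frames are accepted only for VLANs the port is a tagged member of."""
    if tag is None:
        return port["native"] if port["native"] in port["untagged"] else None
    return tag if tag in port["tagged"] else None


def vm_frame_tag(portgroup_vlan_id):
    """802.1Q tag the vSwitch adds to VM frames: 0 = EST (sent untagged),
    1-4094 = VST (tagged with that ID). VGT (4095) is not modelled."""
    if portgroup_vlan_id == 0:
        return None
    if 1 <= portgroup_vlan_id <= 4094:
        return portgroup_vlan_id
    raise ValueError("VGT (4095) leaves tagging to the guest and is not modelled")


def with_tagged(port, vid):
    """Copy of `port` that is additionally a tagged member of `vid` (what a
    'tagged TenGigabitEthernet ...' line under 'interface Vlan <vid>' would give)."""
    return {"untagged": set(port["untagged"]),
            "tagged": set(port["tagged"]) | {vid},
            "native": port["native"]}


def check_path(portgroup_vlan_id, esxi_port, fw_port, fw_tag=None, dmz_vlan=30):
    """Do VM frames and firewall frames land in the same VLAN on the switch, and is
    that VLAN the intended DMZ VLAN? fw_tag=None assumes the FortiGate sends
    untagged frames from the physical interface holding 192.168.30.1 (assumption)."""
    vm_vlan = ingress_vlan(esxi_port, vm_frame_tag(portgroup_vlan_id))
    fw_vlan = ingress_vlan(fw_port, fw_tag)
    reachable = vm_vlan is not None and vm_vlan == fw_vlan
    return {"vm_vlan": vm_vlan, "fw_vlan": fw_vlan,
            "reachable": reachable, "in_dmz_vlan": reachable and vm_vlan == dmz_vlan}


if __name__ == "__main__":
    te17 = parse_switchport(TE1_17_SHOW)
    te18 = parse_switchport(TE1_18_SHOW)
    print("port group VLAN 30:", check_path(30, te17, te18))
    print("port group VLAN 0 :", check_path(0, te17, te18))
    print("VLAN 30, Te1/18 tagged 30, FortiGate tagging 30:",
          check_path(30, te17, with_tagged(te18, 30), fw_tag=30))
```

Run it and the model reports which VLAN each side lands in and whether that shared VLAN is the DMZ VLAN; the third case shows what changes when Te1/18 is also tagged in VLAN 30 and the firewall side tags its frames. It is a consistency check on the posted configuration only, not a substitute for the switch's own MAC and VLAN tables.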

Moderator

May 20th, 2022 00:00

Hi @bmac0002001_2022,


I'm not an expert in networking, but I did speak to my co-worker who is. I showed him the switch configuration and it seems to be correct. He pointed out it could be an issue with the vSwitch settings, which we are unsure of. If you have a server which has Windows installed, you can rule out vSwitch configuration; maybe that can narrow down the root cause. Ultimately, if you have a warranty contract on the switch, do give support a call to confirm the deployment configuration and connectivity are correct.

May 22nd, 2022 19:00

Thank you for your reply. I have double checked my vSwitch config and cannot find any misconfiguration. I have added the vSwitch with the 2 x VMNIC0 adapters from both my ESXi hosts, they're showing as up and connected, and I have assigned vlan ID 60 to this vSwitch. It's set to route based on originating virtual port. I tried changing this to route based on IP hash but same issue, cannot ping the default gateway.

May 22nd, 2022 23:00

Is there anything else I could be looking at or consider on the switch to try and get this working? I'm starting to bang my head against a wall.

Here is some more information. 

show interface switchport te1/17

Description: *** vlan 30 DMZ uplink to esxi-01 vmnic0 ***
802.1QTagged: Hybrid
Vlan membership:
Q Vlans
U 1
T 30,100

Native VlanId: 1.

show vlan

30 Active "*** FTP DMZ Network ***" T Po30()
T Te 1/17
T Te 2/17

show interfaces port-channel 30
Port-channel 30 is up, line protocol is down(minimum links not up)
Description: "ESXI-01 and ESXI-02 Port Channel DMZ network"
Hardware address is 68:4f:XX, Current address is 68:4f:

Interface index is 12583xx
Minimum number of links to bring Port-channel up is 1
Internet address is not set
Mode of IPv4 Address Assignment : NONE
DHCP Client-ID :684xxxx
MTU 1554 bytes, IP MTU 1500 bytes
LineSpeed auto
Members in this channel:
ARP type: ARPA, ARP Timeout 04:00:00
Queueing strategy: fifo
Input Statistics:
0 packets, 0 bytes
0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts
0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
0 Multicasts, 0 Broadcasts, 0 Unicasts
0 runts, 0 giants, 0 throttles
0 CRC, 0 overrun, 0 discarded
Output Statistics:
0 packets, 0 bytes, 0 underruns
0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts
0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
0 Multicasts, 0 Broadcasts, 0 Unicasts
0 throttles, 0 discarded, 0 collisions, 0 wreddrops
Rate info (interval 299 seconds):
Input 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate
Output 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate
Time since last interface status change: 6d4h36m

Moderator

May 23rd, 2022 02:00

Hi @bmac0002001_2022,


Mind to check the port channel 30 if there is any physical port assigned to it? 


https://dell.to/3sPw8dU

May 23rd, 2022 03:00

interface Vlan 30
description "*** DMZ Network ***"
no ip address
tagged TenGigabitEthernet 1/17
tagged TenGigabitEthernet 2/17
tagged Port-channel 30
no shutdown

interface Port-channel 30
description "ESXI-01 and ESXI-02 Port Channel DMZ network"
no ip address
portmode hybrid
switchport
no shutdown

It has 2 physical ports assigned to it, TE1/17 and TE2/17. Thanks

Moderator

May 23rd, 2022 04:00

Hi, after reading the thread, I wondered if ACLs might be denying it somehow. Access Control Lists side can be controlled, maybe a filter has been applied before. I'm just brainstorming. https://dell.to/3GbgXBt

May 23rd, 2022 15:00

Thank you for your replies, I really do appreciate any assistance. Here are the ACLs.

Do I need to explicitly add a rule to permit vlan 30 on 192.168.30.0/24?

ip access-list extended RESTRICT_GUEST
seq 5 permit tcp any host 10.0.0.4X eq 68
seq 6 permit udp any host 10.0.0.4X eq 67
seq 10 permit tcp any host 10.1.0.X eq 68
seq 11 permit udp any host 10.1.0.X eq 67
seq 15 deny ip any 10.0.0.0/8
seq 20 deny ip any 172.16.0.0/12
seq 25 deny ip any 192.168.0.0/16
seq 30 permit ip any any
!
ip access-list extended Monitoring_Access
seq 10 permit ip 172.26.172.0/24 host 10.254.1X.X
