Technical Note : passing VTP or CDP packets through a FortiGate in Transparent mode
Description
In order to pass CDP(*) or VTP(*) packets through a FortiGate in Transparent mode, the stpforward parameter must be enabled in the configuration of each port on the forwarding path.
VTP and CDP packets are sent to the destination MAC address 01-00-0C-CC-CC-CC.
(*) VTP : Cisco VLAN Trunk Protocol - CDP : Cisco Discovery Protocol
Solution
The example below allows CDP and VTP packets sent in on port3 to reach the remote unit, crossing two VDOMs via one physical port and three port aggregations.
The following diagram illustrates this example :
Port and Port aggregation configuration :
config system interface
    edit "port1"
        set vdom "VD1"
    next
    edit "port2"
        set vdom "VD1"
    next
    edit "port3"
        set vdom "VD1"
        set stpforward enable
    next
    edit "port5"
        set vdom "VD3"
    next
    edit "port6"
        set vdom "VD3"
    next
    edit "port17"
        set vdom "VD2"
    next
    edit "port18"
        set vdom "VD2"
    next
    edit "port19"
        set vdom "VD2"
    next
    edit "port20"
        set vdom "VD2"
    next
    edit "LACP_VD2_IN"
        set vdom "VD2"
        set stpforward enable
        set type aggregate
        set member "port17" "port18"
    next
    edit "LACP_VD2_OUT"
        set vdom "VD2"
        set stpforward enable
        set type aggregate
        set member "port19" "port20"
    next
    edit "LACP_VD1"
        set vdom "VD1"
        set stpforward enable
        set type aggregate
        set member "port1" "port2"
    next
end
Notes:
- When using aggregation, the stpforward setting needs to be applied only at the port aggregation level, not on the physical member ports.
- This setting will also forward regular Spanning Tree BPDUs.
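As an added check (not part of this note or of Fortinet's tooling), the Python below parses a config system interface block and reports any interface on a given forwarding path that does not have stpforward enabled, applying the aggregation rule from the notes: a physical member port is judged by the stpforward setting of its LACP interface. The sample configuration is constructed and trimmed from the layout above.

```python
# Constructed sample in FortiOS CLI syntax, trimmed from the layout in this note;
# LACP_VD2_OUT deliberately lacks "set stpforward enable".
SAMPLE_CONFIG = """config system interface
edit "port3"
set stpforward enable
next
edit "LACP_VD1"
set stpforward enable
set type aggregate
set member "port1" "port2"
next
edit "LACP_VD2_OUT"
set type aggregate
set member "port19" "port20"
next
end"""

def parse_interfaces(text):
    """Map interface name -> {type, members, stpforward} from a FortiOS config system interface block."""
    ifaces, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith('edit "'):
            cur = ifaces.setdefault(line[6:-1], {"type": "physical", "members": [], "stpforward": False})
        elif cur is not None and line.startswith("set "):
            key, _, rest = line[4:].partition(" ")
            vals = rest.replace('"', "").split()  # quoted values, e.g. member lists
            if key == "type":
                cur["type"] = vals[0]
            elif key == "member":
                cur["members"] = vals
            elif key == "stpforward":
                cur["stpforward"] = vals[0] == "enable"
        elif line == "next":
            cur = None
    return ifaces

def check_path(ifaces, path):
    """Return findings for interfaces on the path that would not forward CDP/VTP (empty list = OK)."""
    member_of = {m: name for name, i in ifaces.items() for m in i["members"]}
    findings = []
    for name in path:
        if name in member_of:
            # A physical member takes the setting from its aggregate, so check the LACP interface.
            if not ifaces[member_of[name]]["stpforward"]:
                findings.append(f"{name}: member of {member_of[name]}, which has stpforward disabled")
        elif name not in ifaces:
            findings.append(f"{name}: not configured")
        elif not ifaces[name]["stpforward"]:
            findings.append(f"{name}: stpforward disabled")
    return findings
```

Feed it the output of "show system interface" from the unit and the interface names seen in the sniffer trace to confirm every hop is set to forward.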
Verification with a sniffer trace :
FGT# diagnose sniffer packet any "" 4
41.365434 port3 in llc unnumbered, ui, flags [command], length 72
41.365437 LACP_VD1 out llc unnumbered, ui, flags [command], length 72
41.365439 port2 out llc unnumbered, ui, flags [command], length 72
41.365479 LACP_VD2_IN in llc unnumbered, ui, flags [command], length 72
41.365482 LACP_VD2_OUT out llc unnumbered, ui, flags [command], length 72
41.365484 port19 out llc unnumbered, ui, flags [command], length 72
The trace above shows the CDP packet flow: in on port3, out on LACP_VD1 (physical port2), in on LACP_VD2_IN, then out on LACP_VD2_OUT (physical port19).
Note: the following sniffer trace command captures only CDP or VTP packets (replace port_name with the interface to capture on, or any) :
FGT# diagnose sniffer packet port_name "ether host 01-00-0C-CC-CC-CC"
