Technical Tip: Leverage LLDP to Simplify Security Fabric Negotiation
Description
This article describes how FortiOS 6.2 enables LLDP reception on WAN interfaces and prompts a FortiGate to join the Security Fabric when the upstream FortiGate asks.
-If an interface's role is undefined, LLDP reception and transmission inherit settings from the VDOM.
-If an interface's role is WAN, LLDP reception is enabled.
-If an interface's role is LAN, LLDP transmission is enabled.

When FortiGate B's WAN interface detects that FortiGate A's LAN interface is immediately upstream (through the default gateway), and FortiGate A has Security Fabric enabled, FortiGate B shows a notification in the GUI asking to join the Security Fabric.

Solution
To configure LLDP reception and join a Security Fabric:
1) Go to Network -> Interfaces.
2) Configure an interface:
-If the interface's role is undefined, under Administrative Access, set Receive LLDP and Transmit LLDP to Use VDOM Setting.

Using the CLI:
#config system interface
edit "port3"
set lldp-reception vdom
set lldp-transmission vdom
set role undefined
...
next
end

-If the interface's role is WAN, under Administrative Access, set Receive LLDP to Enable and Transmit LLDP to Use VDOM Setting.

Using the CLI:
#config system interface
edit "wan1"
set lldp-reception enable
set lldp-transmission vdom
set role wan
...
next
end

-If the interface's role is LAN, under Administrative Access, set Receive LLDP to Use VDOM Setting and Transmit LLDP to Enable.

Using the CLI:
#config system interface
edit "port2"
set lldp-reception vdom
set lldp-transmission enable
set role lan
...
next
end

A notification will be shown on FortiGate B.

Click Apply to save the settings.

Using the CLI:
#config system csf
set status enable
set upstream-ip 10.2.200.1
end
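
To check a saved configuration against the role-based LLDP settings listed above, the following Python example (added here, not part of the original article or any Fortinet tooling) parses a config system interface block and reports interfaces whose lldp-reception or lldp-transmission differs from the value given for their role. The function names and the sample configuration are constructed for illustration; it assumes the settings appear explicitly in the saved config and reports an absent one as unset.

```python
import re

# Role -> (lldp-reception, lldp-transmission), as listed in the article.
EXPECTED = {"undefined": ("vdom", "vdom"), "wan": ("enable", "vdom"), "lan": ("vdom", "enable")}

def parse_interfaces(text):
    """Return {interface: {setting: value}} from a 'config system interface' block."""
    interfaces, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip().lstrip("#").strip()  # tolerate a leading "#" prompt
        if depth == 0:
            depth = int(line == "config system interface")
        elif line.startswith("config "):
            depth += 1  # nested table such as "config ipv6"
        elif line == "end":
            depth -= 1
        elif depth > 1:
            continue  # ignore settings inside nested tables
        elif m := re.fullmatch(r'edit "?([^"]+)"?', line):
            current = interfaces.setdefault(m.group(1), {})
        elif line == "next":
            current = None
        elif current is not None and (m := re.fullmatch(r'set (\S+) "?([^"]*)"?', line)):
            current[m.group(1)] = m.group(2)
    return interfaces

def audit(text):
    """List (interface, setting, actual, expected) where LLDP differs from the role's setting."""
    findings = []
    for name, cfg in parse_interfaces(text).items():
        # A role the article does not cover (or an absent role) yields no checks.
        expected = EXPECTED.get(cfg.get("role"), ())
        for key, want in zip(("lldp-reception", "lldp-transmission"), expected):
            if cfg.get(key, "unset") != want:
                findings.append((name, key, cfg.get(key, "unset"), want))
    return findings

# Constructed sample, not taken from a real device.
SAMPLE = """config system interface
edit "wan1"
set role wan
set lldp-reception vdom
set lldp-transmission enable
config ipv6
set ip6-mode static
end
next
end"""
if __name__ == "__main__":
    print(audit(SAMPLE))
```
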
