Skip to main content
muellerr64
muellerr64
New Member
October 30, 2015
Question

Cisco to Fortigate 100D Trunk allowing vlan traffic

  • October 30, 2015
  • 2 replies
  • 21226 views

Hi,

 

I'm trying to understand how to replace an Cisco ASA with a Fortigate 100D running 5.0. Our core swtiches route all 169.212.x.x traffic to the 169.212.1.1 interface on an ASA via a trunk allowing vlan 212 traffic.

 

169.212.1.1 is the gateway for all 169.212.x.x devices.

 

The Cisco route and interface are defined as follows:

 

ip route 169.212.0.0 255.255.0.0 169.212.1.1

 

interface GigabitEthernet0/42

description Trunk to ASA

switchport trunk encapsulation dot1q

switchport trunk allow vlan 212

switchport mode trunk

 

Is this the correct way to setup the interfaces on the 100D for so it can become the gateway for 169.212.0.0 traffic on vlan 212?

 

config system interface

  edit "internal7"

   set vdom "root"

   set vlanforward enable

   set type physical

   set snmp-index 12

  next

 

  edit "VL212"

   set vdom "root"

   set ip 169.212.1.1 255.255.0.0

   set allowaccess ping

   set snmp-index 20

   set interface "internal7"

   set vlanid 212

  next

end

 

How do I create a trunk on internal7 that will allow vlan 212 to come from the Cisco 0/42 interface?

 

ron

2 replies

ede_pfau
SuperUser
ede_pfau
SuperUser
October 30, 2015

Well, you just did. It's called "VL212".

IMHO it's not a 'trunk' as it carries just one VLAN but nevertheless it should work like it is.

Do you see traffic coming in? Going out?

Do you have a policy from "VL212" to "wan" to allow internet facing traffic? Or any other policy to reach other ports?

emnoc
emnoc
New Member
October 30, 2015

A trunk port can carry one or more vlan tags. What you could do is diag sniffer  the vlan-subinterface or the cisco port but the cfgs you have looks good btw.

 

To confirm the switch side of things I would validate the fortigate layer2 interface is learned and in vlan212 for that fortigate

 

e.g

 

show mac address  dyn int gi 0/42

 

should show a layer2 mac of a frortigate for  vlan id 212 on gi 0/42. If that's good,  than double check what Ede post on  proper fw-policies.

 

 

Ken

 

muellerr64
muellerr64Author
New Member
October 30, 2015

I made a mistake in typing the address above...we route to the physical lan interface (169.210.1.1) on the ASA, then flow traffic to the 169.212 network via rules.  The ASA has another physical 169.212.1.1 interface trunked back to a Cisco switch which distributes the 169.212 traffic to servers on vlan tagged interfaces.

 

So I should have typed...

Our core swtiches route all 169.212.x.x traffic to the 169.210.1.1 (lan) interface on an ASA via a trunk allowing all vlan traffic.

169.212.1.1 is the gateway for all 169.212.x.x devices, that sits on the ASA.   The Cisco route and interface are defined as follows:   ip route 169.212.0.0 255.255.0.0 169.210.1.1

 

 

So in an attempt to mimic the ASA with the fortigate I did the following...

 

on the Fortigate

 

config system interface   edit "internal7"    set vdom "root"    set vlanforward enable    set type physical    set snmp-index 12   next     edit "VL212"    set vdom "root"    set ip 169.212.1.1 255.255.0.0    set allowaccess ping    set snmp-index 20    set interface "internal7"    set vlanid 212   next

 

 edit "internal1"    set vdom "root"    set type physical    set snmp-index 20   next

 

  edit "internal2"    set vdom "root"    set type physical    set snmp-index 21   next

 

edit "lan"         set vdom "root"         set ip 169.210.10.200 255.255.0.0         set allowaccess ping https ssh telnet          set vlanforward enable         set type switch         set sflow-sampler enable         set sample-rate 512         set polling-interval 30         set device-identification enable         set listen-forticlient-connection enable         set snmp-index 27     next

 

end

 

config system switch-interface     edit "lan"         set vdom "root"         set member "internal1" "internal2"     next end

 

I connected the trunk port (the one that was going to the 169.210.1.1 on the ASA) to the lan interface on the fortigate (169.210.10.200).  I can ping 169.210.10.200 from anywhere.

 

I defined a firewall object for the address range 169.212.0.0-169.212.255.255 (V212)

I setup policies on the fortigate to allow all traffic from lan to VL212 and VL212 to lan

 

I can only ping 169.212.1.1 from the CLI.

 

The Cisco sees the lan mac address of the Fortigate but cannot ping the 169.212.1.1 

 

What am I missing?

Terms & ConditionsAccessibility statement