jroy777, Explorer II
April 30, 2024
Question

Duplicate a working Cisco Router config on a FortiSwitch 424E-Fiber


We have a working Cisco router doing BGP to AWS Direct Connect. What is the correct way to create the layer 3 interfaces (Direct-Connect, inside and DMZ/UAT) and the required VLAN 2900 with correct dot1Q encapsulation? Do I create it on a sub-interface like with Cisco? See Cisco settings below. See attached drawing.

I am assuming just plugging in the existing HPE switch to the interface assigned on the FortiSwitch for "DMZ/UAT" and for "Inside", but how do I create the interfaces correctly on the FortiSwitch? IPs should be assigned at layer 3, but "router" does not give the options I think I should see.

Here are Cisco settings:


interface TenGigabitEthernet0/0/0.2900
 ! This is a sub-interface
 description "Direct Connect to Amazon VPC or Transit Gateway on AWS Cloud"
 encapsulation dot1Q 2900
 ip address 169.254.38.182 255.255.255.252
!
interface TenGigabitEthernet0/0/1
 ! Physical interface
 description "Prod DBNET access"
 ip address 192.168.51.249 255.255.254.0
 no ip proxy-arp
 ip nbar protocol-discovery
!
router bgp 64514
 ! 64514 is my ASN; 64513 is the remote ASN
 bgp log-neighbor-changes
 neighbor 169.254.38.181 remote-as 64513
 neighbor 169.254.38.181 password *******
 !
 address-family ipv4
  network 169.254.38.180 mask 255.255.255.252
  network 192.168.50.0 mask 255.255.254.0
  network 10.10.2.0 mask 255.255.255.0
  network 10.1.0.0 mask 255.255.254.0
  neighbor 169.254.38.181 activate
 exit-address-family


Here are FortiSwitch settings I have applied or compiled so far:

AWS-DC-Megaport # show system interface
name Name.
internal static 192.168.50.41 255.255.254.0 up physical
mgmt dhcp 0.0.0.0 0.0.0.0 up physical
uat static 10.10.2.4 255.255.255.0 up vlan

How do I configure DMZ/UAT to use the same interface (different VLAN) on the FortiSwitch?

config router bgp
    set as 64514
    set router-id 192.168.50.41
    config neighbor
        edit "<IPv4_or_IPv6 address>"   (should this be 169.254.38.182?)
            set remote-as 64513
        next
    end
end

UPDATED DRAWING!!!!!
[attachment: FortiSwitch-AWS-DC-vlan-Diagram.png]

6 replies

jroy777 (Author), Explorer II
May 1, 2024

OK, can someone tell me which is the correct type of interface to use, an RVI or an SVI? I need to make sure BGP works.

I want to convert the Cisco router interface config and BGP settings below to our new FortiSwitch 424E. Can anyone offer a solution?

interface TenGigabitEthernet0/0/0.2900
 description "Direct Connect to Amazon VPC or Transit Gateway on AWS Cloud"
 encapsulation dot1Q 2900
 ip address 169.254.38.182 255.255.255.252
!
router bgp 64514
 bgp log-neighbor-changes
 neighbor 169.254.38.181 remote-as 64513
 neighbor 169.254.38.181 password *******
 !
 address-family ipv4
  network 169.254.38.180 mask 255.255.255.252
  network 192.168.50.0 mask 255.255.254.0
  neighbor 169.254.38.181 activate
 exit-address-family

Routed VLAN interfaces

A routed VLAN interface (RVI) is a physical port or trunk interface that supports layer-3 routing protocols. When the physical port or trunk is administratively down, the RVI for that physical port or trunk goes down as well. All RVIs use the same VLAN, 4095.

RVIs support ECMP, VRF, multiple IP addresses, IPv4 addresses, IPv6 addresses, BFD, VRRP, DHCP server, DHCP relay, RIP, OSPF, ISIS, BGP, and PIM.

Layer-2 protocols and most switch interface features are disabled on RVIs. 

https://docs.fortinet.com/document/fortiswitch/7.4.3/fortiswitchos-administration-guide/22391/routed-vlan-interfaces

Switch virtual interfaces

A switch virtual interface (SVI) is a logical interface that is associated with a VLAN and supports routing and switching protocols.

You can assign an IP address to the SVI to enable routing between VLANs. For example, SVIs can route between two different VLANs connected to a switch (no need to connect through a layer-3 router).

https://docs.fortinet.com/document/fortiswitch/7.4.3/fortiswitchos-administration-guide/626301/switch-virtual-interfaces

jroy777 (Author), Explorer II
May 1, 2024

OK, I did this (from the docs) and have an RVI.

Create a system interface. Set the IP address and netmask, set the interface type to physical, and then assign the layer-2 interface.

config system interface
    edit <new_interface_name>
        set ip <IP_address_and_netmask>
        set type physical
        set l2-interface <existing_interface_name>
    next
end

Does this look correct?
config system interface
    edit "AWS-DC-L3"
        set mode static
        set dhcp-relay-service disable
        set ip 169.254.38.182 255.255.255.252
        unset allowaccess
        set bfd disable
        set bfd-desired-min-tx 250
        set bfd-detect-mult 3
        set bfd-required-min-rx 250
        set icmp-redirect enable
        set status up
        set type physical
        set l2-interface "port28"
        set description ''
        set alias ''
        set vrrp-virtual-mac disable
        set secondary-IP disable
        set snmp-index 35
    next
end

jroy777 (Author), Explorer II
May 2, 2024

Does anyone know the default encapsulation mode on FortiSwitch interfaces? I need 802.1Q.

Toshi_Esumi, SuperUser
May 2, 2024

I think it is 802.1Q only. That's why you can't find a command to select the encapsulation.


Toshi

Toshi_Esumi, SuperUser
May 2, 2024

And you're setting it up as "standalone" with L3 features that require licenses, which I've never done myself, so I can't comment on them specifically. But I can explain the concept of L2/L3 configuration, mainly viewed from the L2 side and up.

You already figured out L3 interfaces need to be configured under "config system interface". But you probably never imagined that those L3 VLAN interfaces have to be sub-interfaces of the special "internal" L3 interface, if you haven't dealt with any FortiGates before.

Then, to connect the L2 VLANs at the physical ports to those L3 VLAN interfaces, you have to include those VLANs as allowed-vlans on the special L2 interface "internal" under "config switch interface". It might be hard to understand, but I depicted this command line structure below.
[attachment: FSW-internal-int.png]

But beyond this, especially for L3 features like BGP, you'll soon realize you likely need to refer to FortiGate (FGT) documentation, since those features must have been imported/ported from the FGT software.

And you likely need to open a ticket with TAC to get help, or figure them out yourself by referring to the FGT documentation. I had to figure out the above almost entirely by myself recently to use FSWs as L2 switches. But in my case, I have some experience with FGTs.

Toshi 

Toshi_Esumi, SuperUser
May 2, 2024

If you attach a text file, it seems to import the content and it shows up. The same goes for image files.

Toshi_Esumi, SuperUser
May 3, 2024

You're using the RVI "AWS-DC-L3" specifying l2-interface as "port28". Again, I don't have a device supporting FTNT RVI, so I'm not sure how it's working with your config.
But the other part, port26 = VLAN 2, port27 = VLAN 35, and the associated L3 interfaces are correctly configured and should be working as you expect. The key is allowed-vlans 2,35 on the "internal" switch interface, and native-vlan 1 on the same switch interface to bind it to the "internal" L3 interface.

The only thing I would suggest is:

config switch global
    set auto-fortilink-discovery disable
end

since in a case like yours the FortiLink to an FGT is not utilized.


Toshi

jroy777 (Author), Explorer II
May 3, 2024

I cannot see the neighbor. What do you recommend?

AWS-DC-Megaport # get router info bgp neighbors
BGP neighbor is 169.254.38.181, remote AS 64513, local AS 64514, external link
  BGP version 4, remote router ID 0.0.0.0, local router ID 192.168.50.41
  BGP state = Active
  Last read 1d19h29m, Last write never
  Hold time is 180, keepalive interval is 60 seconds
  Graceful restart information:
    Local GR Mode: Helper*
    Remote GR Mode: NotApplicable
    R bit: False
    Timers:
      Configured Restart Time(sec): 120
      Received Restart Time(sec): 0
  Message statistics:
    Inq depth is 0
    Outq depth is 0
                         Sent       Rcvd
    Opens:                  0          0
    Notifications:          0          0
    Updates:                0          0
    Keepalives:             0          0
    Route Refresh:          0          0
    Capability:             0          0
    Total:                  0          0
  Minimum time between advertisement runs is 30 seconds

For address family: IPv4 Unicast
  Not part of any update group
  Community attribute sent to this neighbor(all)
  Inbound updates discarded due to missing policy
  Outbound updates discarded due to missing policy
  0 accepted prefixes

For address family: IPv6 Unicast
  Not part of any update group
  Community attribute sent to this neighbor(all)
  Inbound updates discarded due to missing policy
  Outbound updates discarded due to missing policy
  0 accepted prefixes

  Connections established 0; dropped 0
  Last reset 1d19h29m,  Waiting for peer OPEN
BGP Connect Retry Timer in Seconds: 120
Next connect timer due in 51 seconds
Read thread: off  Write thread: off  FD used: -1

Toshi_Esumi, SuperUser
May 3, 2024

Are you able to ping the peer IP? You should be able to if the RVI is working. If not, you probably need to open a ticket with TAC to get it looked into. I would guess not many people in this forum are familiar with RVI config on FSWs.
If you want, you can try an SVI instead, just like those for VLAN 2 and 35.

Toshi
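Putting Toshi's two points together, that L3 VLAN interfaces hang off the special "internal" L3 interface and their VLANs must be in allowed-vlans on the "internal" switch interface, and that the Direct Connect VLAN can be tried as an SVI just like VLANs 2 and 35, the FortiSwitchOS CLI below is an added example, not configuration from the original posts or from Fortinet documentation. The addresses, ASNs and VLAN numbers are the ones from the thread; the interface name "vlan2900", the assumption that port28 is the Megaport/AWS uplink, and the placeholder <shared-md5-key> are assumptions. One check against the BGP fragment posted earlier: the Cisco side configures a neighbor password (TCP MD5, RFC 2385), and the posted FortiSwitch BGP config has none. A missing or mismatched MD5 key makes the receiving side discard the TCP segments silently, so the neighbor sits in Active with zero Opens sent or received, exactly the picture in the "get router info bgp neighbors" output above and indistinguishable from missing IP reachability. Ping the peer first, then confirm the key.

```fortios
# Added example (not from the thread): AWS Direct Connect VLAN 2900 as an SVI on a
# standalone FortiSwitch, plus the eBGP neighbor. Assumed: the Megaport/AWS uplink is
# port28, the VLAN interface is named "vlan2900", <shared-md5-key> is a placeholder.

# 1. L2 side: carry VLAN 2900 tagged on the uplink and on the special "internal"
#    switch interface, so frames reach the L3 VLAN interface hung off "internal".
#    Do NOT make 2900 the native VLAN on port28: a native VLAN is sent untagged,
#    and the Cisco side shows the peer expects tag 2900 ("encapsulation dot1Q 2900").
config switch interface
    edit "port28"
        set allowed-vlans 2900
    next
    edit "internal"
        set native-vlan 1
        set allowed-vlans 2,35,2900
    next
end

# 2. L3 side: the VLAN interface is a sub-interface of "internal", tagged 2900,
#    the equivalent of the Cisco TenGigabitEthernet0/0/0.2900 sub-interface.
#    Only ping is allowed in; no HTTPS/SSH toward the carrier-facing link.
config system interface
    edit "vlan2900"
        set ip 169.254.38.182 255.255.255.252
        set allowaccess ping
        set type vlan
        set vlanid 2900
        set interface "internal"
    next
end

# 3. BGP: the neighbor entry is the PEER address 169.254.38.181, not our own.
#    Keep the TCP MD5 password the Cisco config already uses; without a matching
#    key the peer drops our TCP segments and the session never leaves Active.
config router bgp
    set as 64514
    set router-id 192.168.50.41
    config neighbor
        edit "169.254.38.181"
            set remote-as 64513
            set password <shared-md5-key>
        next
    end
    config network
        edit 1
            set prefix 192.168.50.0 255.255.254.0
        next
        edit 2
            set prefix 10.10.2.0 255.255.255.0
        next
        edit 3
            set prefix 10.1.0.0 255.255.254.0
        next
    end
end

# Verify in order: L3 reachability, then BGP state, then the TCP handshake on the
# wire (the sniffer needs packet-sampler enabled on port28 and uses "sp28").
execute ping 169.254.38.181
get router info bgp summary
diagnose sniffer packet sp28 'tcp and port 179'
```

If the ping works but the neighbor stays in Active with "Opens: 0 / 0", the sniffer will show whether SYNs are leaving and whether SYN/ACKs come back; SYNs out with nothing returned, or segments returned that the switch never answers, points at the MD5 key rather than the VLAN plumbing.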

Toshi_Esumi, SuperUser
May 3, 2024

First, please don't use "show full" but just "show". The most important part, what you changed from the default settings, is buried in all the unimportant default values, so it is very hard to see what exactly you configured.


Second, I'm assuming you can now ping the peer IP. Correct? I see some traffic flowing on port28 above. Then do you still see the neighbor down in "get router info bgp sum"?
Sniff on port28 with the commands below:

config switch interface
    edit "port28"
        set packet-sampler enabled
        set packet-sample-rate 1
    next
end

Then, when you sniff the port, the interface name you need to specify is NOT "port1", "port2", ... but "sp1", "sp2", ... instead. And you can use filters, so it looks like this:

# diag sniffer packet sp28 'tcp and port 179'

Toshi



jroy777 (Author), Explorer II
May 3, 2024

Thanks for all your help Toshi, I really appreciate your time. There is no separate show config command, here are my choices:

AWS-DC-Megaport # show ?
log                 log
router              router
switch              switch
switch-controller   switch-controller
system              system
user                user
full-configuration  show full configuration

AWS-DC-Megaport #

In the config I posted above, I snipped out all the extra ports and interfaces and only put in the relevant data that actually differs from the default config.

We moved the cable back to the Cisco for now, so I cannot test again till Monday. I never received a response to my ping. I have ping enabled on all my interfaces. The only interface that is not working is the SVI for VLAN 2900:

  our BGP AS 64514
  our IP 169.254.38.182/30
  the neighbor BGP AS 64513
  the neighbor IP 169.254.38.181/30
  the VLAN we connect to each other on is VLAN 2900

Our networks that should be sent with BGP:
  192.168.50.0/23
  10.1.0.0/23
  10.10.2.0/24

Toshi_Esumi, SuperUser
May 3, 2024

No "?", just "show" then Enter. That should work at the top level. Also, inside each section like "config system interface" and "config switch interface", you can type "show" then Enter. It will show only that section.

How about the sniffing result when you ping the other end? You need two SSH/console sessions for that, though.

Toshi

jroy777 (Author), Explorer II
May 6, 2024

Latest drawing with the Cisco re-included. Those in yellow are NOT working.
[attachment: FortiSwitch-AWS-DC-Router-Needs-Vlan-portion-Diagram.png]