pj255
New Member
July 31, 2014
Question

FG 1000c and Trunking to Cisco Switch

  • July 31, 2014
  • 8 replies
  • 22510 views
Hi, does anyone have experience getting a FG to trunk with a Cisco switch? I can bring up the trunk but I'm not learning a MAC address on either side of the trunk link, and the interface counters are at 0 for input on both sides. Patrick

    8 replies

    emnoc
    New Member
    July 31, 2014
    Qs:
    Are the vlans created?
    Are the vlans active?
    When executing show span interface gi x/x, what do you see?
    What's the fortigate 802.1q configuration?
    What's the show interface gi x.x trunk status?
    pj255
    pj255Author
    New Member
    July 31, 2014
    Hi, appreciate your help. I hope the below is useful. I did previously have native VLAN configured as 1 on the switch side... just tried changing to VLAN 75 - no joy.

    Qs: Are the vlans created? Are the vlans active?
    Yes, both VLANs are active on the Cisco switch. Both have also been created as sub-interfaces on the FG.

    When executing show span interface gi x/x, what do you see?
    The ports are forwarding for both VLANs.

    Switch#show spanning-tree interface Fa0/1
    Vlan                Role Sts Cost      Prio.Nbr Type
    ------------------- ---- --- --------- -------- --------------------------------
    VLAN0055            Desg FWD 19        128.1    P2p
    VLAN0075            Desg FWD 19        128.1    P2p
    Switch#

    What's the fortigate 802.1q configuration?
    How do I check this?

    What's the show interface gi x.x trunk status?

    Switch#show int Fa0/1 trunk
    Port        Mode         Encapsulation  Status        Native vlan
    Fa0/1       on           802.1q         trunking      75

    Port        Vlans allowed on trunk
    Fa0/1       55,75

    Port        Vlans allowed and active in management domain
    Fa0/1       55,75

    Port        Vlans in spanning tree forwarding state and not pruned
    Fa0/1       55,75
    Switch#

    Switch#show int Fa0/1 status
    Port      Name               Status       Vlan       Duplex  Speed Type
    Fa0/1                        connected    trunk      full    100   10/100BaseTX
    Switch#

    Switch#show run int Fa0/1
    Building configuration...

    Current configuration : 188 bytes
    !
    interface FastEthernet0/1
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 75
     switchport trunk allowed vlan 55,75
     switchport mode trunk
     speed 100
     duplex full
    end
    Switch#
    emnoc
    New Member
    July 31, 2014
    Okay, that switch side looks good. I'm assuming you have the sub-interfaces configured in a fashion like this (assuming port1 is the parent interface):

    config sys interface
        edit port1
            set vdom "root"
            set ip 1.1.75.1 255.255.254.0
            set alias "native"
            set allow ssh ping https
        next
        edit "subvlan55-intf8021q"
            set vdom "root"
            set ip 1.1.55.1 255.255.254.0
            set alias "vlansub55"
            set vlanid 55
            set allow ssh ping https
        next

    Execute a diag sys vlan list when you are finished, and a get sys interface. I hope that helps.
    pj255
    pj255Author
    New Member
    July 31, 2014
    Your help is greatly appreciated! I think my issue might be with my FG config or the VLAN. I created it with the GUI and it doesn't seem to sit directly under the physical interface config. I am testing using Port 11 as my L2 trunk. I have attached the output from the commands and a snippet from the configuration file.
    pj255
    pj255Author
    New Member
    July 31, 2014
    Attachment
    emnoc
    New Member
    July 31, 2014
    Okay, that looks good actually. What I would do is remove the Layer 2 switchport stuff and rebuild it.

    config term
    !
    ! we default the port
    default interface FastEthernet0/1
    !
    ! we rebuild it
    interface FastEthernet0/1
     shut
     description TO FGT port 11
     switchport
     switchport trunk encapsulation dot1q
     no switchport trunk native vlan 75   ( we will remove this from the new cfg )
     switchport trunk allowed vlan 55,75
     switchport mode trunk
     speed 100
     duplex full
     no shut
    end
    !
    !

    And then on the fortigate execute a ping on each of the 3 interfaces (port11 and the 2 subinterfaces), e.g.:

    execute ping 192.168.55.1
    execute ping 192.168.75.1
    execute ping 192.168.100.1

    and then monitor for layer2 fdb and mac_address learned on vlan1, vlan55 and 75 for port fas 0/1, e.g.:

    show mac add int fas 0/1

    That would confirm the 802.1q tags and native are working.
    emnoc
    New Member
    July 31, 2014
    btw I forgot to add the vlan listing; the hex decimal is the vlan id.

    UK-RL-N0-FG01 (test) # diagnose sys vlan list
    total vlan malloc times=5
    list vlan info
    port11 TEST-VL75-SVI vid=004b
    port11 TEST-VL55-SVI vid=0037
    port23 PCI-Vlan350 vid=015e

    0x4b = 75
    0x37 = 55

    So that looks good :) What version of fortios are you running? I had a problem with a late 1000A that needed an upgrade for 802.1q sub-intf to work. I don't believe this is a problem here tho. Ken
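As an added consistency check (not code from this thread, Fortinet or Cisco), the Python below parses a FortiGate `diagnose sys vlan list` listing, decoding the hex vid as Ken describes, and a Cisco `show interfaces trunk` listing, then reports VLAN IDs present on only one side and any FortiGate subinterface whose VID is the switch's native VLAN, which the switch sends untagged so the tagged subinterface never sees it (the thread's native vlan 75 case). The sample outputs are constructed from the formats shown in this thread, with an extra 100-102 range to exercise range expansion.

```python
import re
# Constructed sample output, modelled on the thread's "diagnose sys vlan list" and
# "show int Fa0/1 trunk" listings (not captured from the poster's devices).
FGT_VLAN_LIST = """\
port11 TEST-VL75-SVI vid=004b
port11 TEST-VL55-SVI vid=0037
port23 PCI-Vlan350 vid=015e
"""
CISCO_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      75

Port        Vlans allowed on trunk
Fa0/1       55,75,100-102
"""
FGT_LINE = re.compile(r"^(\S+)\s+(\S+)\s+vid=([0-9a-fA-F]+)$")

def parse_fgt_vlans(text):
    """Map parent port -> {vlan_id: subinterface name}; FortiOS prints vid in hex."""
    vlans = {}
    for line in text.splitlines():
        m = FGT_LINE.match(line.strip())
        if m:
            port, name, vid_hex = m.groups()
            vlans.setdefault(port, {})[int(vid_hex, 16)] = name
    return vlans

def parse_cisco_trunk(text, port):
    """Return (native_vlan, allowed set) for one port; expands ranges like 100-102."""
    native, allowed, section = None, set(), None
    for line in text.splitlines():
        fields = line.split()
        if fields[:1] == ["Port"]:  # a header row starts a new table section
            section = ("native" if "Native vlan" in line
                       else "allowed" if "allowed on trunk" in line else None)
        elif section and fields and fields[0] == port:
            if section == "native":
                native = int(fields[-1])
            else:
                for item in fields[1].split(","):
                    lo, _, hi = item.partition("-")
                    allowed.update(range(int(lo), int(hi or lo) + 1))
    return native, allowed

def check_trunk(fgt_text, fgt_port, cisco_text, cisco_port):
    """Return (VIDs only on FortiGate, VIDs only on switch, FGT VID clashing with native VLAN)."""
    fgt = set(parse_fgt_vlans(fgt_text).get(fgt_port, {}))
    native, allowed = parse_cisco_trunk(cisco_text, cisco_port)
    return sorted(fgt - allowed), sorted(allowed - fgt), native if native in fgt else None
```

A non-empty third element means the switch will send that VLAN untagged on the trunk, so the FortiGate subinterface with that vlanid will not learn or answer anything until the native VLAN is changed on one side.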
    pj255
    pj255Author
    New Member
    July 31, 2014
    Hi Ken, ah, interesting one on the VLAN ID - I did not know the vid acted as a HEX representation of the VLAN ID - a new trick learned ;-)

    We're running version 5.0 on the 1000C. Here's the full build number:

    Version: FortiGate-1000C v5.0,build3608,140409 (GA Patch 7)

    I tried the ping but no luck - the pings time out? Could the pings be unsuccessful due to a routing issue? Either way I would still expect an ARP message of some sort would populate the other device's CAM table with the other side's MAC address. Is there a command to check the FG interface for a MAC learned?
    pj255
    pj255Author
    New Member
    July 31, 2014
    Think I just stumbled across the solution... I found an execute command and wham, the mac appeared on the switch for that VLAN.

    UK-RL-N0-FG01 (test) #
    UK-RL-N0-FG01 (test) # diagnose switch-controller kick vdom 8 75 11 d4a0.2af1.af01
    can not kick client of vdom vdom from test

    Then on the switch:

    Switch#
    Switch#show mac add int Fa0/1
              Mac Address Table
    -------------------------------------------
    Vlan    Mac Address       Type        Ports
    ----    -----------       --------    -----
      75    0009.0f09.0006    DYNAMIC     Fa0/1
    seq_no:0
    Total Mac Addresses for this criterion: 1
    Switch#
    Switch#

    I'll try the other VLAN now also.
    pj255
    pj255Author
    New Member
    July 31, 2014
    Maybe not... just a coincidence...
    emnoc
    New Member
    July 31, 2014
    I tried the ping but no luck - the pings time out? Could the pings be unsuccessful due to a routing issue? Either way I would still expect an ARP message of sort would populate the other devices CAM table with the other sides MAC address. Is there a command to check the FG interface for a MAC learned ?
    Well, you mean learned? So this would be ip arp:

    diag ip arp list

    Now back to your problem(s). On the interface, do you see any packets inbound on fas0/1?

    show interface fas 0/1 | inc input

    If you have "zero" packets input, then you have a link or hardware issue on the fortigate. If you suspect the fortigate, this is what I've done on my own 1000A when we had problems:

    Build a new vdom (test2), select an unused port, craft new subinterfaces for that vdom test2, but select a new unused ip_address (you have to select a new name for the sub-intf btw).

    1st; Using port13 on your FGT would look like this:

    edit "port13"
        set vdom "test2"
        set mode static
        set ip 192.168.100.253 255.255.255.252
        set allowaccess ping
    next
    edit "TEST2-VL55-SVI"
        set ip 192.168.55.253 255.255.255.0
        set allowaccess ping
        set vdom test2
        set interface "port13"
        set vlanid 55
    next
    edit "TEST2-VL75-SVI"
        set ip 192.168.75.253 255.255.255.0
        set allowaccess ping
        set vdom test2
        set interface "port13"
        set vlanid 75
    next

    2nd; Cable & wire port 11 <to> 13 back-2-back.
    3rd; execute ping from 192.168.55.253 to 254, and so on for the vlan tag, and then the parent 192.168.100.253/254.
    4th; you can even diag sniffer the parent ports 11/13 or sub-interfaces to see if traffic is actually moving.

    Give that a try if you can and let us know. Also it would not hurt to change ports on the cisco switch if you later think it's the switch.
    pj255
    pj255Author
    New Member
    August 1, 2014
    I can see some input packets on the switchport so I'm pretty sure the Fortinet and switchport are okay. To be sure I have a second test switch set up which I'm going to use to test. So far though no joy getting the mac address for VLAN 55 on the first test switch. Also, even though I can see the mac for VLAN 75, I cannot ping the SVI. Is there anything that needs to be configured? I was hoping to test it all on one switch and then use VRRP for HA between the Active and Standby FG. I'll try setting up port 13 and looping it back on port 11 as a test, as suggested.

    Switch#show int fa0/1 | in input
      input flow-control is off, output flow-control is unsupported
      Last input never, output 00:00:01, output hang never
      5 minute input rate 0 bits/sec, 0 packets/sec
         7 packets input, 152576 bytes, 0 no buffer
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog, 1 multicast, 0 pause input
         0 input packets with dribble condition detected
    Switch#
    Switch#show mac add int fa0/1
              Mac Address Table
    -------------------------------------------
    Vlan    Mac Address       Type        Ports
    ----    -----------       --------    -----
      75    0009.0f09.0006    DYNAMIC     Fa0/1
    seq_no:0
    Total Mac Addresses for this criterion: 1
    emnoc
    New Member
    August 1, 2014
    Okay, so if you have input packets and a mac_addr for one vlan, I would double check the vlan cfg on vlanid 55. You say you can't ping the SVI interface? I'm assuming vlan75?

    1: is the SVI admin up (most cisco switches place this in admin-down on creation)
    2: is the mask and ip_address correct
    3: is ping allowed on the FGT (set allow ping)

    Any one of the above 3 might be the problem for icmp pings.

    2nd, why do you want to run VRRP on a FGT? I personally would NOT do that and just run the HA as A-P unless you have a real validated reason for VRRP. I've only used VRRP once and that was with a non-Fortigate device for HA redundancy.
    pj255
    pj255Author
    New Member
    August 1, 2014
    2nd point - you're right... no need for VRRP. I have inherited these FWs and they're deployed with FGCP already. So no need for VRRP. In terms of the SVI, I want the switch to remain as L2 only for VLAN 55 and 75 with the FG terminating the SVI. So the FG will act as the L2/L3 boundary. Is there additional config needed on the FG to create the VLAN SVI on the FG?
    pj255
    pj255Author
    New Member
    August 1, 2014
    Ken, thanks for your help - it seems a requirement is to have an SVI on both the FG subinterface AND on the Cisco switch. So two SVIs really - it now works. For note, I also had to create the addresses and add a policy. Thanks for your help. Patrick