iamabes
New Member
January 1, 2021
Solved

Multiple VLAN Trunking causing 100% CPU spike on 60E

  • January 1, 2021
  • 1 reply
  • 11068 views

I'm hoping someone will be able to offer me some advice please. I have an issue configuring VLAN trunking: when I enable the config that I think should work, the CPU runs up to 100% on my Fortigate 60E and the device becomes unresponsive.

Very Basic topology looks like this:

Wired Users --> Zyxel GS1900-48HP --> Fortigate 60E --> Internet

Wireless Users connect first to a Cisco WAP121, which is connected to the Zyxel switch above.

Current setup (Fortigate 60E):

I have created a Hardware Switch called 'Inter-VLAN' in the Network | Interfaces section, and added interfaces 2 to 7 as members. 

I then created six VLAN sub-interfaces under the 'Inter-VLAN' switch, with VLAN IDs 20, 30, 40, 50, 60, and 70, each with its own subnet, DHCP server, and DNS server.

Current setup (Zyxel GS1900-48HP):

Access ports are configured with the appropriate PVIDs, and are marked as 'un-tagged' on the appropriate VLAN ID.

Port 11 is configured as a Trunk, has a PVID of 1, is un-tagged for VLAN1, and tagged for VLANs 20, 30, 40, 50, 60 and 70.

Port 11 connects to interface 2 on the Fortigate 60E.

The current setup described above works, all end points are receiving their appropriate addresses from their respective DHCP servers, and are connecting through the SD-WAN to the internet correctly, all IPv4 policies are working as they should.

The problem occurs when I try to balance out the load of traffic from the Zyxel to the Fortigate by configuring additional trunk ports. For example, if I configure port 13 on the Zyxel in the exact same way as port 11 (the current trunk), and connect it to port 3 on the Fortigate, everything stops working. The Fortigate becomes unresponsive almost immediately, there is no internet access, and I can't access the Zyxel switch either.

I have tried many combinations of PVID assignment and VLAN tagging, and it seems no matter what I try, I keep getting the same result.

Does anyone have any thoughts, questions or suggestions?

Thank you for your patience on this, I am migrating to this solution having previously used a Cisco 897VA (which incidentally had one VLAN assigned per physical port, and the Zyxel connected to it with dedicated trunk ports each tagged for a single VLAN).

    Best answer by bmduncan34

    bmduncan34
    New Member
    January 2, 2021

    I'll bet you've introduced a loop in your network. I've seen that in my own environment, and CPU on the gate going to 100% is one indicator of that. Are you certain you aren't introducing a spanning tree problem with port 13?

    emnoc
    New Member
    January 2, 2021

    yes I have to agree. Not quite understanding what he means by balancing out traffic either.

    Ken Felix

    iamabes (Author)
    New Member
    January 2, 2021

    Thanks guys, yes I see that it is very likely that I have created a loop. @emnoc - apologies for the ambiguous language around balancing out traffic; I was referring to achieving a load balancing effect by using multiple trunk ports on the Zyxel to carry VLAN traffic to the Fortigate, as opposed to sending all traffic through a single port. In my previous configuration where I had a Cisco 897 in place, each VLAN was tagged to an individual port on the switch (6 ports in total), which then connected to a corresponding port on the Cisco.

    I am able to enable either Loop Guard, or STP on the Zyxel switch.  Would you suggest enabling STP?

    Do you have any suggestions on how I should tag the traffic on the trunk ports on the Zyxel? I was thinking I would remove the un-tagged VLAN 1 and tagged VLAN 60 from port 11, then add tagged VLAN 60 to port 13 with nothing else tagged or un-tagged on that port.
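The loop the replies point at can be checked on paper before touching cables: a FortiGate hardware switch bridges its member ports (here 2 to 7) into one layer-2 domain, so two cables from the same Zyxel into that switch that both carry a VLAN give that VLAN two paths between the same pair of bridges, which is exactly the broadcast loop that drives the CPU up. The Python below is an added illustration written for this thread, not code from the forum, Fortinet or Zyxel. It models each bridge as a node and each cable as an edge carrying a VLAN set, then runs a per-VLAN union-find cycle check over the three configurations discussed: the working single trunk on port 11, the failing clone of port 11 onto port 13, and the split proposed in the last post (VLAN 60 only on port 13). The hardware switch being a single bridge, the AP's switch port number and the VLANs on the AP link are assumptions, constructed for the example; the check itself is general and flags any VLAN with redundant paths in any topology you describe this way.

```python
"""Per-VLAN loop check for a switch <-> FortiGate hardware-switch topology.

Added illustration (not from the thread). Each bridge (the Zyxel switch and the
FortiGate hardware switch 'Inter-VLAN', assumed to bridge members 2-7 as one
layer-2 domain) is a node; each cable is an edge carrying a set of VLANs.
A VLAN is looped if, restricted to that VLAN, the cables form a cycle.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Link:
    a: str                 # bridge name at one end
    a_port: str
    b: str                 # bridge name at the other end
    b_port: str
    vlans: FrozenSet[int]  # VLAN IDs carried on this cable, tagged or untagged

    def label(self) -> str:
        return f"{self.a}:{self.a_port}<->{self.b}:{self.b_port}"


def vlan_loops(links: List[Link]) -> Dict[int, List[str]]:
    """Map each looped VLAN to the cable(s) that close a cycle for it.

    Union-find per VLAN: a cable whose two ends are already connected in that
    VLAN adds a second path, i.e. a layer-2 loop that broadcasts will circle.
    """
    result: Dict[int, List[str]] = {}
    all_vlans = set().union(*(l.vlans for l in links)) if links else set()
    for vid in sorted(all_vlans):
        parent: Dict[str, str] = {}

        def find(x: str) -> str:
            parent.setdefault(x, x)
            while parent[x] != x:
                parent[x] = parent[parent[x]]  # path halving
                x = parent[x]
            return x

        closing: List[str] = []
        for link in links:
            if vid not in link.vlans:
                continue
            ra, rb = find(link.a), find(link.b)
            if ra == rb:
                closing.append(link.label())  # second path: loop
            else:
                parent[ra] = rb
        if closing:
            result[vid] = closing
    return result


# Constructed topology following the thread: one Zyxel GS1900-48HP, one
# FortiGate hardware switch ('Inter-VLAN', members 2-7), one Cisco WAP121.
ZYXEL, FGT, WAP = "zyxel", "fgt:Inter-VLAN", "wap121"
DATA_VLANS = frozenset({20, 30, 40, 50, 60, 70})
TRUNK_ALL = DATA_VLANS | {1}      # port 11: untagged VLAN 1 + tagged 20..70
AP_VLANS = frozenset({20, 30})    # assumption: VLANs on the AP uplink (constructed)
AP_SWITCH_PORT = "5"              # assumption: Zyxel port the AP plugs into


def working_setup() -> List[Link]:
    """Port 11 is the only trunk into the hardware switch (the setup that works)."""
    return [
        Link(ZYXEL, "11", FGT, "2", TRUNK_ALL),
        Link(WAP, "eth0", ZYXEL, AP_SWITCH_PORT, AP_VLANS),
    ]


def second_identical_trunk() -> List[Link]:
    """Port 13 cloned from port 11 and cabled to FortiGate port 3 (the failing change)."""
    return working_setup() + [Link(ZYXEL, "13", FGT, "3", TRUNK_ALL)]


def split_trunks() -> List[Link]:
    """The author's proposed split: VLAN 60 only on port 13, removed from port 11."""
    return [
        Link(ZYXEL, "11", FGT, "2", DATA_VLANS - {60}),
        Link(ZYXEL, "13", FGT, "3", frozenset({60})),
        Link(WAP, "eth0", ZYXEL, AP_SWITCH_PORT, AP_VLANS),
    ]


if __name__ == "__main__":
    for name, topo in [("working", working_setup()),
                       ("second identical trunk", second_identical_trunk()),
                       ("split trunks", split_trunks())]:
        loops = vlan_loops(topo)
        verdict = "no loop" if not loops else "LOOP on VLANs " + str(sorted(loops))
        print(f"{name}: {verdict}")
```

Running it reports no loop for the single trunk, a loop on every VLAN (1, 20, 30, 40, 50, 60 and 70) once port 13 is a clone of port 11, and no loop for the split, because each VLAN then crosses exactly one cable between the Zyxel and the hardware switch. The same model says why the old Cisco 897 layout was safe: there each VLAN ended on its own routed port rather than on members of one bridge. Running the check after any change to trunk membership is a cheap way to catch a redundant path before the device's CPU does.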