Fortinet Forum
Silver
New Contributor

Integrate Cisco Switch Layer 3 3750 with fortigate

Dear All, can someone help me with this issue please?
- On my network I am using VLANs. I have a core Cisco layer 3 switch and all the access layer switches connected to the core.
- Inter-VLAN routing is done on the core layer 3 switch. My target is not to do inter-VLAN routing again on the FortiGate; I just want to place my FortiGate as the gateway for Internet etc., with the core switch connected to the FortiGate internal port. Please note that a default route is configured on the core layer 3 switch pointing to the FortiGate firewall internal IP address.
Can you help me how to make this work? Thanks in advance.
emnoc
Esteemed Contributor III

1st nice layout diagram, a picture says a thousand words.

What I would do, and have done in the setup you provided, is enable OSPF on all layer 3 interfaces of the 3750:

config t
 router ospf 10
  network 0.0.0.0 255.255.255.255 area 0
  passive-interface default
  no passive-interface <interface connected to FGT: 802.1Q-tagged SVI or gi x/x/x>
 end

Keep your static route on the Cisco pointing to the firewall. Put this connection as a layer 3 port, or as a layer 2 switchport with an SVI, and connect the FGT to a port for the layer 3 uplink. You could or could not enable 802.1Q on that connection if you want. If you don't see your network growing in the future, then just configure this connection as a layer 3 point with no tagging and make it a /30 between FGT and Cisco.

Now on the FGT, you will learn any and all subnets within the VLANs for the local access networks. Apply your firewall policies for traffic in/out. Done :)

note: if that's not clear, I could draw it out with the Cisco and FGT config details

PCNSE 

NSE 

StrongSwan  

Silver
New Contributor

Dear Friend, thank you very much for your reply. Look, right now I am doing the test in a LAB before implementing this on the live system. I have first tried configuring inter-VLAN routing on the FortiGate itself and not on the core layer 3 switch; it is working, even the Internet connection, and the VLANs are able to communicate. When I do inter-VLAN routing on the core layer 3 switch then nothing is working: no VLAN communication passing via the switch and no Internet access, nothing. Before I came to ask for help on the forum I tried some tests, still nothing works. The following configuration I have done and tested, still no solution:
- I have configured the VLANs on the core switch.
- I have configured a default route on the layer 3 switch pointing to the firewall interface.
- I configured VLAN 1 and assigned an IP address, for example 192.168.1.1/24, and configured the IP address 192.168.1.2/24 on the FortiGate internal interface, with the interface connected to the FortiGate as a trunk; still not working.
- From the switch I can ping the FortiGate IP address 192.168.1.2. On the FortiGate I have even configured static routes for all the VLAN subnets with next hop switch IP 192.168.1.1; still nothing works.
I would really appreciate it if you can provide me the full config for both switch and FortiGate. I do not understand why I would need OSPF, please. Thanks, awaiting your reply.
rwpatterson
Valued Contributor III

Basically, there are 2 ways to get this done:
1) Set up the routing on the Cisco, use OSPF to have all the devices get the routes, and use a transit LAN between the Cisco and FGT. Only the Internet-bound traffic will pass down to the FGT, easing congestion.
2) Set up a trunk port between the L3 switch and the FGT, pass all the VLANs across it, and set up the routing and policies on the FGT. This one is less desirable (to me at least) because traffic that doesn't need to touch the FGT passes up and down the trunk just to stay on the inside.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

emnoc
Esteemed Contributor III

OSPF would make life easier, since the FGT would need to know about the routes internally. So instead of adding static routes, picking them up with a dynamic routing protocol would be smarter and easier. If your networks are consecutive and contiguous, you might be able to summarize and just pass a summary to the upstream FGT. Here's a snippet of what I would do:

config sys interface
    edit "intf-3750p1"
        set vdom "root"
        set ip 10.18.0.2 255.255.255.252
        set allowaccess ping https ssh
        set alias "2cisco"
        set interface "port2"
        set vlanid 100
    next
end

and routing:

config router ospf
    config area
        edit 0.0.0.0
            set authentication md5
        next
    end
    # the network entry puts the transit prefix (and so intf-3750p1) into area 0
    config network
        edit 1
            set prefix 10.18.0.0 255.255.255.252
            set area 0.0.0.0
        next
    end
    config ospf-interface
        edit "outside-interface-ospf"
            set authentication md5
            set cost 10
            set interface "intf-3750p1"
            set md5-key 1 "ospfkey123dmd5"
        next
    end
    set router-id 10.18.0.2
end

and for the Cisco using a L2 SVI port (switchport) + trunking:

config t
!
interface GigabitEthernet 1/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 100
 no ip address
 snmp trap link-status
 load-interval 30
 no cdp enable
!
interface Vlan100
 description /2-FGT port2 /ospf area 0 neighbor / static route to next-hop /
 ip address 10.18.0.1 255.255.255.252
 ip ospf message-digest-key 1 md5 ospfkey123dmd5
!
router ospf 10
 router-id 10.18.0.1
 network 0.0.0.0 255.255.255.255 area 0
 passive-interface default
 no passive-interface Vlan100
 area 0 authentication message-digest
!
ip route 0.0.0.0 0.0.0.0 10.18.0.2 name 2fgt-appliance
!
end

and if you want to do it non-802.1Q (not recommended):

config t
interface GigabitEthernet 1/0/1
 no switchport
 ip address 10.18.0.1 255.255.255.252
 snmp trap link-status
 load-interval 30
 no cdp enable
!
router ospf 10
 router-id 10.18.0.1
 network 0.0.0.0 255.255.255.255 area 0
 passive-interface default
 no passive-interface GigabitEthernet 1/0/1
!
end

and on the FGT you tie port2 to be:

config system interface
    edit "port2"
        set vdom "root"
        set ip 10.18.0.2 255.255.255.252
        set allowaccess ping https ssh
        set alias "2cisco"
    next
end

With the 3750 and stacking options, you could build somewhat of a redundant core with LACP between the (FGTs) to the 2x stacked switches. I've built hundreds of these setups using FGT/ASA and Cisco 3750G or Es in a redundant stack, and then we tied the access floors and IDFs to the stack with LACP bundles for redundant connections. With 2 FGTs and 2 stacked switches, you have a redundant core.

And then on the 3750s for inter-VLAN on the switch (core):

interface Vlan101
 description floor #1
 ip address 10.101.0.1 255.255.254.0
!
interface Vlan102
 description floor #2
 ip address 10.102.0.1 255.255.254.0
!
interface Vlan103
 description floor #3
 ip address 10.103.0.1 255.255.254.0

and so on, for example. Inter-VLAN traffic stays local to the Cisco and traffic to external destinations goes out through the firewall.

Silver
New Contributor

Thanks a lot for your reply, but this morning I made it work, my friend. I did not use OSPF, only static routes.
Dom5
New Contributor

Hello Silver,

I am configuring one like yours but I cannot make it work either.

What is the FortiGate mode (interface or switch mode)? What is the port configuration on the core which connects to the FortiGate?

For example, I have a core switch port G0/1. Do I need to change this port to a layer 3 port on the core switch?

Thanks.

Sabri
New Contributor

Hello Silver,

Could you please share the steps for how you did it?

mariopugliese
New Contributor II

You do not have to change your core switch port into a layer 3 port.

You can create a dedicated VLAN and SVI (switch virtual interface). Just define a small network (a /29 for example).

 

conf t
 vlan 99
  name Cisco_to_FortiGate
 !
 interface vlan 99
  description To_Fortigate
  ip address 192.168.99.1 255.255.255.248
 !
 ! 192.168.99.1 will be your next-hop for your LAN networks on the FortiGate
 !
 ! gi0/0 is the interface used for the FortiGate connection
 interface gi0/0
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 99
  switchport mode trunk
 !
 ip route 0.0.0.0 0.0.0.0 192.168.99.6
 !
 ! 192.168.99.6 will be configured on the FortiGate side
end

 

You will find some interesting information about creating the VLAN-tagged interface here:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-create-a-VLAN-tagged-interface-802-...

 

System => Network => Create New
Type is VLAN
Select your FortiGate interface connected to your switch
VLAN ID: 99 in this example
IP/Network: Manual / 192.168.99.6/29
Administrative access: PING (you can also add HTTPS and SSH if you want to manage your firewall using this interface)

 

Don't forget to add your LAN network static routes. In my example, your next-hop will be 192.168.99.1.
This link could be useful: https://docs.fortinet.com/document/fortigate/6.4.5/administration-guide/626338/adding-a-static-route

 

The only thing left to do is to create a filtering policy to allow Internet access.

 

Keep in mind that in this topology your inter-VLAN traffic will not be protected by your firewall.

I have a slight preference for using layer 2 switches only and configuring layer 3 on the firewall.
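The FortiGate side of the topology above in FortiOS CLI form, added here as an illustration and not the poster's own config. It assumes port3 faces the core switch, wan1 faces the Internet, and two constructed LAN subnets (192.168.10.0/24 and 192.168.20.0/24) behind the core SVI 192.168.99.1; the per-subnet static routes are what the FortiGate's reverse-path check needs, since traffic from a source with no route back through the transit VLAN is dropped, and the policy is pinned to those subnets rather than "all".

```fortios
# Added example, not the poster's config. Assumes port3 faces the core switch,
# wan1 faces the Internet, and 192.168.10.0/24 and 192.168.20.0/24 are
# constructed LAN subnets routed by the core SVI at 192.168.99.1.
config system interface
    edit "vlan99-core"
        set vdom "root"
        set ip 192.168.99.6 255.255.255.248
        set allowaccess ping
        set interface "port3"
        set vlanid 99
    next
end
# One route per LAN subnet via the core SVI. These also satisfy the
# reverse-path check: a source with no route back through vlan99-core is dropped.
config router static
    edit 1
        set dst 192.168.10.0 255.255.255.0
        set gateway 192.168.99.1
        set device "vlan99-core"
    next
    edit 2
        set dst 192.168.20.0 255.255.255.0
        set gateway 192.168.99.1
        set device "vlan99-core"
    next
end
config firewall address
    edit "lan-vlan10"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "lan-vlan20"
        set subnet 192.168.20.0 255.255.255.0
    next
end
# Outbound policy pinned to the known LAN subnets rather than "all", NAT on wan1.
config firewall policy
    edit 1
        set name "lan-to-internet"
        set srcintf "vlan99-core"
        set dstintf "wan1"
        set srcaddr "lan-vlan10" "lan-vlan20"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

To confirm the routes and see whether LAN traffic actually arrives on the transit VLAN, `get router info routing-table all` and `diagnose sniffer packet vlan99-core 'icmp' 4` from the FortiGate CLI are the usual checks.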