I am trying to configure our core Cisco 9300 to pass VLAN traffic to a standalone FortiSwitch FS-224E. I have a ticket open with both Cisco and Fortinet and have had both engineers on the phone, but we were not able to get it to work. Does anyone have this kind of setup working properly? Also, do I have to set up a different port to manage the FortiSwitch? I have set a static IP on the internal interface, but once I trunk the port on the Cisco side I lose management and cannot ping the IP or get to the GUI. I have Cisco port 36 trunked and going directly to FortiSwitch port 1 (I've tried trunking, and tried without trunking with allowed VLANs set, and nothing works), and I set a static route. Not sure what I'm missing, but support has been no help on the Forti side. I have verified the trunk works on the Cisco with another Cisco trunked; the VLANs and traffic do work.
This is my Cisco interface:
interface GigabitEthernet1/0/36
description uplink to Fortiswitch
switchport trunk allowed vlan 100,200
switchport mode trunk
switchport nonegotiate
I have tested this trunk to another Cisco and the VLANs do pass.
On the FortiSwitch I've configured port 1 two ways:
edit port1
set allowed-vlans 1,100,200
and I've also configured a trunk and added port 1; neither works.
Hello, I tried this but it didn't work for me. Do I need to move the Ethernet cable from port 1 to mgmt?
You never answered this question I repeatedly asked. What is the management VLAN interface on the C9300? That should have 10.76.something configured. Can you share the interface config on the C9300 side?
Toshi
Management VLAN 100 on Cisco ip 10.76.x.1
I assume the subnet mask is /24. Then can you now get "show switch interface port1", which should have VLAN 100 in allowed-vlans? Or do you still not see "port1" in "show switch interface"?
Toshi
Correct /24, this is what I pulled:
S224ENTF23006427 # show switch interface port1
config switch interface
edit "port1"
set allowed-vlans 1,100,200
set stp-state disabled
set auto-discovery-fortilink enable
set snmp-index 1
next
end
S224ENTF23006427 #
S224ENTF23006427 # show switch interface
config switch interface
edit "port1"
set allowed-vlans 1,100,200
set stp-state disabled
set auto-discovery-fortilink enable
set snmp-index 1
next
edit "port2"
set native-vlan 100
set allowed-vlans 100
set auto-discovery-fortilink enable
set snmp-index 2
next
edit "port3"
set native-vlan 100
set allowed-vlans 100
set auto-discovery-fortilink enable
set snmp-index 3
next
edit "port4"
set native-vlan 100
set allowed-vlans 100
set auto-discovery-fortilink enable
set snmp-index 4
next
edit "port5"
set native-vlan 100
set allowed-vlans 100
set auto-discovery-fortilink enable
set snmp-index 5
next
edit "port6"
set native-vlan 100
set allowed-vlans 100
set auto-discovery-fortilink enable
set snmp-index 6
next
edit "port7"
set native-vlan 100
set allowed-vlans 100
set auto-discovery-fortilink enable
set snmp-index 7
next
edit "port8"
set native-vlan 100
set allowed-vlans 100
set auto-discovery-fortilink enable
set snmp-index 8
next
edit "port9"
set native-vlan 100
set allowed-vlans 100
set auto-discovery-fortilink enable
set snmp-index 9
next
edit "port10"
set native-vlan 100
set allowed-vlans 100
set auto-discovery-fortilink enable
set snmp-index 10
next
edit "port11"
set native-vlan 100
set allowed-vlans 100
set auto-discovery-fortilink enable
set snmp-index 11
next
edit "port12"
set native-vlan 100
set allowed-vlans 100
set auto-discovery-fortilink enable
set snmp-index 12
next
edit "port13"
set native-vlan 100
set allowed-vlans 100
set auto-discovery-fortilink enable
set snmp-index 13
next
edit "port14"
set native-vlan 100
set allowed-vlans 100
set auto-discovery-fortilink enable
set snmp-index 14
next
edit "port15"
set native-vlan 100
set allowed-vlans 100
set auto-discovery-fortilink enable
set snmp-index 15
next
edit "port16"
set native-vlan 100
set allowed-vlans 100
set auto-discovery-fortilink enable
set snmp-index 16
next
edit "port17"
set native-vlan 200
set allowed-vlans 200
set auto-discovery-fortilink enable
set snmp-index 17
next
edit "port18"
set native-vlan 200
set allowed-vlans 200
set auto-discovery-fortilink enable
set snmp-index 18
next
edit "port19"
set native-vlan 200
set allowed-vlans 200
set auto-discovery-fortilink enable
set snmp-index 19
next
edit "port20"
set native-vlan 200
set allowed-vlans 200
set auto-discovery-fortilink enable
set snmp-index 20
next
edit "port21"
set native-vlan 200
set allowed-vlans 200
set auto-discovery-fortilink enable
set snmp-index 21
next
edit "port22"
set native-vlan 200
set allowed-vlans 200
set auto-discovery-fortilink enable
set snmp-index 22
next
edit "port23"
set native-vlan 200
set allowed-vlans 200
set auto-discovery-fortilink enable
set snmp-index 23
next
edit "port24"
set native-vlan 200
set allowed-vlans 200
set auto-discovery-fortilink enable
set snmp-index 24
next
edit "port25"
set auto-discovery-fortilink enable
set snmp-index 25
next
edit "port26"
set auto-discovery-fortilink enable
set snmp-index 26
next
edit "port27"
set auto-discovery-fortilink enable
set snmp-index 27
next
edit "port28"
set auto-discovery-fortilink enable
set snmp-index 28
next
edit "internal"
set allowed-vlans 1,100,200
set stp-state disabled
set snmp-index 29
next
end
For the native-vlan of each port, you don't have to include it in allowed-vlans. For port1, you don't see the native-vlan because it has the default native-vlan ID=1. Take the '1' out of allowed-vlans and leave only 100 and 200 there.
For "internal", it depends on what you configured in "config system interface" for your management VLAN interface with 10.76.x.205/24. If you configured it like
config system interface
edit "mgmt100"
set ip 10.76.x.205 255.255.255.0
set allowaccess ping https ssh
set vlanid 100
set interface "internal"
next
end
the "internal" switch config should be like:
config switch interface
edit "internal"
set allowed-vlans 100
set stp-state disabled
next
end
However, if you modified existing "internal" L3/system interface to have 10.76.x.205, you need to configure the switch interface like below:
config switch interface
edit "internal"
set native-vlan 100
set stp-state disabled
next
end
Can you show "show system interface"?
Toshi
S224ENTF23006427 # sho system int
config system interface
edit "mgmt"
set mode dhcp
set allowaccess ping https ssh
set type physical
set secondary-IP enable
set snmp-index 33
set defaultgw enable
config secondaryip
edit 1
set ip 192.168.1.99 255.255.255.0
set allowaccess ping https ssh
next
end
next
edit "internal"
set ip 10.76.x.205 255.255.255.0
set allowaccess ping https ssh
set type physical
set snmp-index 32
next
Ok, then you have to set it like below:
config switch interface
edit "internal"
set native-vlan 100
set stp-state disabled
next
end
Then it should be pingable from C9300.
Toshi
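As an added illustration of Toshi's reasoning in the two replies above (this is not code from the thread or from Fortinet): a small Python checker that reads a flat "config switch interface" / "config system interface" dump and reports whether the management VLAN can actually reach the management IP, distinguishing a tagged VLAN sub-interface (set vlanid + allowed-vlans on the parent port) from an IP on the physical internal interface (which needs native-vlan). The sample configs are constructed to match the thread, with the hidden "x" octet replaced by 0, and the parser assumes a flat dump without nested tables.

```python
# Constructed sample shaped like the thread's FortiSwitch dump ("x" in the IP replaced
# with 0): the IP sits on physical "internal", which accepts only untagged frames.
SWITCH_CFG = """config switch interface
edit "port1"
set allowed-vlans 1,100,200
next
edit "internal"
set allowed-vlans 1,100,200
next
end"""
SYSTEM_CFG = """config system interface
edit "internal"
set ip 10.76.0.205 255.255.255.0
set type physical
next
end"""

def parse_blocks(text):
    """Flat 'edit NAME / set KEY VALUE / next' dump -> {NAME: {KEY: VALUE}} (no nested tables)."""
    entries, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("edit "):
            cur = line[5:].strip().strip('"')
            entries[cur] = {}
        elif line.startswith("set ") and cur is not None:
            key, _, value = line[4:].partition(" ")
            entries[cur][key] = value.strip().strip('"')
    return entries

def vlans_on(port):
    """(native VLAN carried untagged, default 1; set of allowed VLANs carried tagged)."""
    return port.get("native-vlan", "1"), set(port.get("allowed-vlans", "").split(",")) - {""}

def check_mgmt_path(switch_cfg, system_cfg, mgmt_vlan, uplink="port1"):
    """List why the management IP is unreachable from the uplink; [] means the path is consistent."""
    sw, sysif, vid, findings = parse_blocks(switch_cfg), parse_blocks(system_cfg), str(mgmt_vlan), []
    native, allowed = vlans_on(sw.get(uplink, {}))
    if vid not in allowed | {native}:
        findings.append(f"{uplink} does not carry VLAN {vid}")
    for name, iface in sysif.items():
        if "ip" not in iface:
            continue
        if "vlanid" in iface:  # VLAN sub-interface: needs VLAN tagged on its parent port
            if iface["vlanid"] != vid or vid not in vlans_on(sw.get(iface.get("interface", ""), {}))[1]:
                findings.append(f"{name}: vlanid/allowed-vlans mismatch for VLAN {vid}")
        elif vlans_on(sw.get(name, {}))[0] != vid:  # physical L3 interface: needs VLAN untagged
            findings.append(f"{name}: needs 'set native-vlan {vid}' (untagged L3 interface)")
    return findings
```

Running check_mgmt_path(SWITCH_CFG, SYSTEM_CFG, 100) reproduces the thread's problem as a single finding on "internal"; adding "set native-vlan 100" to that switch interface clears it.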
Still doesn't work.
First, run the packet sniffer on port1 at the FS224E with the commands below to confirm you get ping packets from the C9300 and the FSW is not responding. Below is an example on my 224D.
config switch interface
edit "port1"
set packet-sampler enabled
set packet-sample-rate 1
next
end
S224DFTF20003039 # diag sniffer packet sp1
interfaces=[sp1]
filters=[none]
pcap_lookupnet: sp1: no IPv4 address assigned
0.659036 802.1Q vlan#10 P0 -- 192.168.10.10 -> 192.168.10.1: icmp: echo request
0.662266 802.1Q vlan#10 P0 -- 192.168.10.1 -> 192.168.10.10: icmp: echo reply
0.784650 802.1Q vlan#10 P0 -- 192.168.10.10.57248 -> 96.45.46.46.53: udp 55
0.974101 802.1Q vlan#10 P0 -- 192.168.10.10.54210 -> 96.45.46.46.53: udp 44
0.989666 802.1Q vlan#10 P0 -- 192.168.10.10.62179 -> 96.45.46.46.53: udp 50
1.686050 802.1Q vlan#10 P0 -- 192.168.10.10 -> 192.168.10.1: icmp: echo request
1.692256 802.1Q vlan#10 P0 -- 192.168.10.1 -> 192.168.10.10: icmp: echo reply
When you ping from the C9300 to the 224E's management IP, do you see anything with vlan#100?
Toshi