jmart1191
New Contributor II

Cisco Trunk port to Fortiswitch

I am trying to configure our core Cisco 9300 to pass VLAN traffic to a standalone FortiSwitch FS-224E. I have a ticket open with both Cisco and Fortinet and have had both engineers on the phone, but we were not able to get it to work. Does anyone have this kind of setup working properly? Also, do I have to set up a different port to manage the FortiSwitch? I have set a static IP on the internal interface, but once I trunk the port on the Cisco side I lose management and cannot ping the IP or get to the GUI. I have Cisco port 36 trunked and it goes directly to FortiSwitch port 1 (I've tried trunking and tried without trunking, setting allowed VLANs, and nothing works), and I set a static route. Not sure what I'm missing, but support has been no help on the Forti side. I have verified the trunk works on the Cisco with another Cisco trunked; VLANs and traffic do work.

This is my Cisco interface:

interface GigabitEthernet1/0/36
description uplink to Fortiswitch
switchport trunk allowed vlan 100,200
switchport mode trunk
switchport nonegotiate

I have tested this trunk to another Cisco and the VLANs do pass.

On the FortiSwitch I've configured port 1 two ways:

edit port1
set allowed-vlans 1,100,200

and I've also configured a trunk and added port 1; neither works.

jmart1191

Hello, I tried this but it didn't work for me. Do I need to move the ethernet cable from port 1 to mgmt?

Toshi_Esumi

You never answered this question I repeatedly asked. What is the management VLAN interface on the C9300 that should have 10.76.something configured? Can you share the interface config on the C9300 side?

Toshi

jmart1191

Management VLAN 100 on Cisco ip 10.76.x.1

Toshi_Esumi

I assume the subnet mask is /24. Then can you now get "show switch interface port1", which should have VLAN 100 in allowed-vlan? Or, you still don't see "port1" in "show switch interface"?

Toshi

jmart1191

Correct /24, this is what I pulled: 

 

S224ENTF23006427 # show switch interface port1
config switch interface
edit "port1"
set allowed-vlans 1,100,200
set stp-state disabled
set auto-discovery-fortilink enable
set snmp-index 1
next
end

S224ENTF23006427 #
S224ENTF23006427 # show switch interface
config switch interface
edit "port1"
set allowed-vlans 1,100,200
set stp-state disabled
set auto-discovery-fortilink enable
set snmp-index 1
next
edit "port2"
set native-vlan 100
set allowed-vlans 100
set auto-discovery-fortilink enable
set snmp-index 2
next
edit "port3"
set native-vlan 100
set allowed-vlans 100
set auto-discovery-fortilink enable
set snmp-index 3
next
edit "port4"
set native-vlan 100
set allowed-vlans 100
set auto-discovery-fortilink enable
set snmp-index 4
next
edit "port5"
set native-vlan 100
set allowed-vlans 100
set auto-discovery-fortilink enable
set snmp-index 5
next
edit "port6"
set native-vlan 100
set allowed-vlans 100
set auto-discovery-fortilink enable
set snmp-index 6
next
edit "port7"
set native-vlan 100
set allowed-vlans 100
set auto-discovery-fortilink enable
set snmp-index 7
next
edit "port8"
set native-vlan 100
set allowed-vlans 100
set auto-discovery-fortilink enable
set snmp-index 8
next
edit "port9"
set native-vlan 100
set allowed-vlans 100
set auto-discovery-fortilink enable
set snmp-index 9
next
edit "port10"
set native-vlan 100
set allowed-vlans 100
set auto-discovery-fortilink enable
set snmp-index 10
next
edit "port11"
set native-vlan 100
set allowed-vlans 100
set auto-discovery-fortilink enable
set snmp-index 11
next
edit "port12"
set native-vlan 100
set allowed-vlans 100
set auto-discovery-fortilink enable
set snmp-index 12
next
edit "port13"
set native-vlan 100
set allowed-vlans 100
set auto-discovery-fortilink enable
set snmp-index 13
next
edit "port14"
set native-vlan 100
set allowed-vlans 100
set auto-discovery-fortilink enable
set snmp-index 14
next
edit "port15"
set native-vlan 100
set allowed-vlans 100
set auto-discovery-fortilink enable
set snmp-index 15
next
edit "port16"
set native-vlan 100
set allowed-vlans 100
set auto-discovery-fortilink enable
set snmp-index 16
next
edit "port17"
set native-vlan 200
set allowed-vlans 200
set auto-discovery-fortilink enable
set snmp-index 17
next
edit "port18"
set native-vlan 200
set allowed-vlans 200
set auto-discovery-fortilink enable
set snmp-index 18
next
edit "port19"
set native-vlan 200
set allowed-vlans 200
set auto-discovery-fortilink enable
set snmp-index 19
next
edit "port20"
set native-vlan 200
set allowed-vlans 200
set auto-discovery-fortilink enable
set snmp-index 20
next
edit "port21"
set native-vlan 200
set allowed-vlans 200
set auto-discovery-fortilink enable
set snmp-index 21
next
edit "port22"
set native-vlan 200
set allowed-vlans 200
set auto-discovery-fortilink enable
set snmp-index 22
next
edit "port23"
set native-vlan 200
set allowed-vlans 200
set auto-discovery-fortilink enable
set snmp-index 23
next
edit "port24"
set native-vlan 200
set allowed-vlans 200
set auto-discovery-fortilink enable
set snmp-index 24
next
edit "port25"
set auto-discovery-fortilink enable
set snmp-index 25
next
edit "port26"
set auto-discovery-fortilink enable
set snmp-index 26
next
edit "port27"
set auto-discovery-fortilink enable
set snmp-index 27
next
edit "port28"
set auto-discovery-fortilink enable
set snmp-index 28
next
edit "internal"
set allowed-vlans 1,100,200
set stp-state disabled
set snmp-index 29
next
end

Toshi_Esumi

For native-vlan for each port, you don't have to include it in allowed-vlan. For port1, you don't see the native-vlan because it has the default native-vlan ID=1. Take the '1' out of allowed-vlan and leave only 100 and 200 there.

For "internal", it depends on what you configured in "config system interface" for your management VLAN interface with 10.76.x.205/24. If you configured it like

config system interface
  edit "mgmt100"
    set ip 10.76.x.205 255.255.255.0
    set allowaccess ping https ssh
    set vlanid 100
    set interface "internal"
  next
end

The "internal" switch config should be like

config switch interface
  edit "internal"
    set allowed-vlans 100
    set stp-state disabled
  next
end

However, if you modified existing "internal" L3/system interface to have 10.76.x.205, you need to configure the switch interface like below:

config switch interface
  edit "internal"
    set native-vlan 100
    set stp-state disabled
  next
end

Can you show "show system interface"?

Toshi

jmart1191

S224ENTF23006427 # sho system int
config system interface
edit "mgmt"
set mode dhcp
set allowaccess ping https ssh
set type physical
set secondary-IP enable
set snmp-index 33
set defaultgw enable
config secondaryip
edit 1
set ip 192.168.1.99 255.255.255.0
set allowaccess ping https ssh
next
end
next
edit "internal"
set ip 10.76.x.205 255.255.255.0
set allowaccess ping https ssh
set type physical
set snmp-index 32
next

Toshi_Esumi

Ok, then you have to set like below:

config switch interface
  edit "internal"
    set native-vlan 100
    set stp-state disabled
  next
end

Then it should be pingable from C9300.

Toshi
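The rule Toshi describes above (the uplink must carry the management VLAN, and "internal" needs that VLAN either tagged in allowed-vlans or as its native-vlan, depending on where the IP sits) can be checked mechanically against a "show switch interface" dump. The following is an added example written for this thread, not code from the forum or from Fortinet; the sample dump is constructed to mirror the poster's port1/internal config.

```python
import re
# Constructed sample in the shape of a FortiSwitch "show switch interface" dump
SAMPLE_CONFIG = """
config switch interface
edit "port1"
set allowed-vlans 1,100,200
next
edit "internal"
set allowed-vlans 1,100,200
next
end
"""

def expand_vlans(spec):
    """Expand '1,100,200' or '100-102' into a set of VLAN ids."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse_switch_interfaces(text):
    """Return {name: {"native": id, "allowed": set}}. Native defaults to 1,
    which is why port1 in the thread shows no native-vlan line."""
    ports, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r'edit "([^"]+)"', line):
            cur = ports.setdefault(m.group(1), {"native": 1, "allowed": set()})
        elif cur and (m := re.match(r"set native-vlan (\d+)", line)):
            cur["native"] = int(m.group(1))
        elif cur and (m := re.match(r"set allowed-vlans (\S+)", line)):
            cur["allowed"] = expand_vlans(m.group(1))
    return ports

def check_mgmt_path(ports, uplink, mgmt_vlan, ip_on_tagged_subif):
    """List what stops the management IP answering through the uplink.
    ip_on_tagged_subif=True: IP on a VLAN sub-interface (set vlanid), so
    'internal' must allow it tagged; False: IP on untagged physical 'internal'."""
    issues = []
    up, internal = ports.get(uplink), ports.get("internal")
    if up is None or not (mgmt_vlan == up["native"] or mgmt_vlan in up["allowed"]):
        issues.append(f"{uplink} does not carry VLAN {mgmt_vlan}")
    if internal is None:
        return issues + ["no 'internal' switch interface"]
    if ip_on_tagged_subif and mgmt_vlan not in internal["allowed"]:
        issues.append(f"internal must allow VLAN {mgmt_vlan} (tagged sub-interface)")
    if not ip_on_tagged_subif and internal["native"] != mgmt_vlan:
        issues.append(f"internal native-vlan must be {mgmt_vlan} (IP on untagged internal)")
    return issues
```

Run with `ip_on_tagged_subif=False` for the poster's case (IP set directly on "internal") and it reports the missing native-vlan 100 that Toshi asks for.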

jmart1191

Still doesn't work.

Toshi_Esumi

First, run the packet sniffer on port1 at the FS224E with the config below to confirm you get ping packets from the C9300 and the FSW is not responding. Below is an example on my 224D.

config switch interface
  edit "port1"
    set packet-sampler enabled
    set packet-sample-rate 1
  next
end
S224DFTF20003039 # diag sniffer packet sp1
interfaces=[sp1]
filters=[none]
pcap_lookupnet: sp1: no IPv4 address assigned
0.659036 802.1Q vlan#10 P0 -- 192.168.10.10 -> 192.168.10.1: icmp: echo request
0.662266 802.1Q vlan#10 P0 -- 192.168.10.1 -> 192.168.10.10: icmp: echo reply
0.784650 802.1Q vlan#10 P0 -- 192.168.10.10.57248 -> 96.45.46.46.53: udp 55
0.974101 802.1Q vlan#10 P0 -- 192.168.10.10.54210 -> 96.45.46.46.53: udp 44
0.989666 802.1Q vlan#10 P0 -- 192.168.10.10.62179 -> 96.45.46.46.53: udp 50
1.686050 802.1Q vlan#10 P0 -- 192.168.10.10 -> 192.168.10.1: icmp: echo request
1.692256 802.1Q vlan#10 P0 -- 192.168.10.1 -> 192.168.10.10: icmp: echo reply


When you ping from C9300 to the 224E's management IP do you see anything with vlan#100?

Toshi
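The sniffer check above comes down to one question per VLAN tag: do echo requests for the management IP arrive tagged vlan#100, and does anything come back? This added example (not from the thread or from Fortinet) parses lines in the "diag sniffer packet" format shown above and answers that; the sample capture and the 10.76.0.x addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample in the shape of FortiSwitch "diag sniffer packet" output:
# the C9300 (10.76.0.1) pings the FortiSwitch management IP 10.76.0.205 on
# VLAN 100 and gets nothing back; a VLAN 200 host and a DNS query are noise.
SAMPLE_SNIFFER = """
0.100000 802.1Q vlan#100 P0 -- 10.76.0.1 -> 10.76.0.205: icmp: echo request
0.400000 802.1Q vlan#200 P0 -- 10.76.1.9 -> 10.76.0.205: icmp: echo request
1.100000 802.1Q vlan#100 P0 -- 10.76.0.1 -> 10.76.0.205: icmp: echo request
1.300000 802.1Q vlan#100 P0 -- 10.76.0.1.51234 -> 10.76.0.53.53: udp 44
"""

# the 802.1Q prefix is optional: untagged frames print without "vlan#N"
LINE_RE = re.compile(
    r"^\s*(?P<ts>[\d.]+)\s+(?:802\.1Q vlan#(?P<vlan>\d+) P\d+ -- )?"
    r"(?P<src>\d+(?:\.\d+){3}) -> (?P<dst>\d+(?:\.\d+){3}): icmp: echo (?P<kind>request|reply)\s*$"
)

def parse_icmp(text):
    """Yield (vlan or None if untagged, src, dst, kind) per ICMP echo line."""
    for line in text.splitlines():
        if m := LINE_RE.match(line):
            vlan = int(m.group("vlan")) if m.group("vlan") else None
            yield vlan, m.group("src"), m.group("dst"), m.group("kind")

def ping_summary(text, mgmt_ip):
    """Counter of ('request'|'reply', vlan) for echoes to/from mgmt_ip."""
    c = Counter()
    for vlan, src, dst, kind in parse_icmp(text):
        if kind == "request" and dst == mgmt_ip:
            c[("request", vlan)] += 1
        elif kind == "reply" and src == mgmt_ip:
            c[("reply", vlan)] += 1
    return c

def diagnose(text, mgmt_ip, mgmt_vlan):
    """'no-request': nothing tagged mgmt_vlan arrives, look at the upstream trunk;
    'no-reply': requests arrive but the switch is silent, look at the internal
    interface / native-vlan; 'ok': both requests and replies are seen."""
    c = ping_summary(text, mgmt_ip)
    if c[("request", mgmt_vlan)] == 0:
        return "no-request"
    if sum(n for (kind, _), n in c.items() if kind == "reply") == 0:
        return "no-reply"
    return "ok"
```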
