I am trying to configure our core Cisco 9300 to pass VLAN traffic to a standalone FortiSwitch FS-224E. I have a ticket opened with both Cisco and Fortinet and have had both engineers on the phone, but we were not able to get it to work. Does anyone have this kind of setup working properly? Also, do I have to set up a different port to manage the FortiSwitch? I have set a static IP on the internal interface, but once I trunk the port on the Cisco side I lose management and cannot ping the IP or get to the GUI. I have Cisco port 36 trunked and it goes directly to FortiSwitch port 1 (I've tried trunking and tried without trunking, set allowed VLANs, and nothing works), and I set a static route. Not sure what I'm missing, but support has been no help on the Forti side. I have verified the trunk works on the Cisco with another Cisco trunked; VLANs and traffic do work.
This is my Cisco interface:
interface GigabitEthernet1/0/36
 description uplink to Fortiswitch
 switchport trunk allowed vlan 100,200
 switchport mode trunk
 switchport nonegotiate
I have tested this trunk to another Cisco and the VLANs do pass.
On the FortiSwitch I've configured port 1 two ways:
edit port1
    set allowed-vlans 1,100,200
and I've also configured a trunk and added port 1; neither works.
It's a surprise that neither TAC can figure it out. Which one is your management VLAN, 100 or 200?
And link lights are green on both sides, right? That means L1 is up.
Then show us below on the 224E:
- show switch physical-port port1
- show switch interface port1
- show system interface "management_interface_name"
The 224E should have a dedicated MGMT port with 192.168.1.99/24 by default. So either you need to use a different subnet for your management interface or unconfigure the IP on the "mgmt" interface.
Toshi
Hello, thanks for your reply. Yes, I'm having issues with TAC; they are both basically pointing fingers and I'm having a hard time getting them both on the same call now. I do see the management port; I don't have anything connected to it. Do I have to run a second ethernet cable to that port in order to get to the GUI? I actually configured everything on port 1, created the VLANs to match the Cisco VLANs and added ports to the VLANs in the Forti. The IP I configured on internal; the mgmt port is still DHCP but it's not picking up a DHCP address.
- show switch physical-port port1
S224ENTF23006427 # show switch physical-port port1
config switch physical-port
    edit "port1"
        set lldp-profile "default-auto-isl"
        set speed auto
    next
end
- show switch interface port1
show switch interface port1
entry is not found in table
Command fail. Return code 1
Created on 04-18-2024 05:02 PM Edited on 04-18-2024 05:02 PM
Wait a minute. Do you happen to be one of those who got confused by FSW's terminology "trunk", and configured it without knowing it's actually a LAG/802.3ad?
If so, you need to unconfigure the "trunk" on the 224E. It's not a VLAN trunk.
Toshi
TAC configured it both ways, with and without the trunk. We removed the trunk on port 1 and just set it to allow VLANs and that didn't work. I can try it again though. For the mgmt port, do I need to run an ethernet cable to port 1 and another to mgmt?
There needs to be "edit port1" in "config switch interface". You might need to start over from the default.
Toshi
Created on 04-18-2024 05:15 PM Edited on 04-18-2024 05:16 PM
And if you want to use an inband management interface outside of 192.168.1.0/24 on the mgmt interface, you can leave the mgmt as is. You just need to create a new management interface in "config system interface". However, there is a special interface called "internal" that exists on all models; it's probably easier/better to use that interface and set your management IP, then set the VLAN ID as native-vlan in "config switch interface" -> "edit internal".
Toshi
Any chance I can get a step by step on how to create an interface and add it to a VLAN? I'm new at this Forti stuff. I would like to keep the address I have on the internal interface of 10.76.x.205; it's supposed to get internet from VLAN 100 on the Cisco, which is trunked and allowed on the Cisco side.
Created on 04-18-2024 05:25 PM Edited on 04-18-2024 05:34 PM
There is almost nothing like a "step-by-step" from FTNT for standalone mode. I had to figure these out by myself by reading through the admin guide.
You just need to understand those three components of the config I asked about in my original post.
L3 level: config system interface
L2 level: config switch interface
L1-2 level: config switch physical-port
Toshi
Created on 04-18-2024 07:44 PM Edited on 04-18-2024 07:47 PM
I found my previous post earlier this year for the second half of the config you need: management interface and IP. I was using a separate "mgmt999" interface from the "internal" interface, partly because it was a model without a dedicated MGMT interface. But you can do it either way.
https://community.fortinet.com/t5/Support-Forum/Internal-Interface-Configuration-Issues-on-Standalon...
The key is, whichever method you use, you need to set the management VLAN ID as allowed-vlan at the "internal" L2 interface config, because that's the L2 GW/special interface to connect to the L3 management interface. Unfortunately it was not described anywhere in the FTNT doc, at least at that time.
config switch interface
    edit "internal"
        set allowed-vlans 999
        set stp-state disabled
    next
end
For the rest, you just need to make sure port1 is passing the management VLAN either 100 or 200 from the C9300 side.
Toshi
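To put the three layers Toshi describes (physical-port, switch interface, system interface) into one place, here is an added, complete FortiSwitch standalone config for the setup in this thread. It is not from the thread or from Fortinet documentation. It assumes VLAN 100 is the management VLAN, uses 10.76.0.205/24 as a constructed stand-in for the 10.76.x.205 address mentioned above, and assumes 10.76.0.1 is the C9300's gateway for VLAN 100; the dedicated "mgmt" interface is left on its default 192.168.1.99/24 so the two subnets do not overlap.

```fortiswitch
# Added example, not from the thread. Constructed/assumed values:
#   management VLAN = 100, switch IP = 10.76.0.205/24, gateway = 10.76.0.1
# Lines starting with # are ignored by the FortiSwitch CLI when pasted.

# L1-2 level: the physical port. Keep the defaults and make sure port1 is NOT
# a member of "config switch trunk", which is an 802.3ad LAG, not a VLAN trunk.
config switch physical-port
    edit "port1"
        set speed auto
    next
end

# L2 level: 802.1Q tagging. port1 faces the C9300 trunk; "internal" is the
# L2 side of the in-band management interface and must carry the
# management VLAN (allowed-vlans) and use it as its native VLAN.
config switch interface
    edit "port1"
        # native VLAN 1 matches the C9300 default native VLAN on the trunk
        set native-vlan 1
        # same VLAN list as "switchport trunk allowed vlan 100,200" on the Cisco
        set allowed-vlans 100,200
    next
    edit "internal"
        set native-vlan 100
        set allowed-vlans 100
        set stp-state disabled
    next
end

# L3 level: management IP on "internal". Only the needed management
# protocols are allowed; the default "mgmt" interface is left untouched.
config system interface
    edit "internal"
        set ip 10.76.0.205 255.255.255.0
        set allowaccess ping https ssh
    next
end

# Default route out of the management VLAN towards the C9300 gateway.
config router static
    edit 1
        set device "internal"
        set gateway 10.76.0.1
    next
end
```

After pasting this, "show switch interface port1" should now return the entry that was missing earlier in the thread, and "show system interface internal" should show the IP and allowaccess list; on the Cisco side, "show interfaces GigabitEthernet1/0/36 trunk" should list VLANs 100 and 200 as allowed and active. The management VLAN has to appear on both ends: in allowed-vlans on port1 and internal here, and in the allowed list on the C9300 trunk.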