jroy777
New Contributor II

Duplicate a working Cisco Router config on a FortiSwitch 424E-Fiber

We have a working Cisco router doing bgp to AWS Direct Connect. What is the correct way to create the layer 3 interfaces (Direct-Connect, inside and dmz/uat) and the required Vlan 2900 with correct dot1Q encapsulation. Do I create on a sub interface like with Cisco? See Cisco settings below. See attached drawing.

I am assuming just plugging in existing HPE switch to interface assigned on FortiSwitch for "DMZ/UAT" and for "Inside" but how do I create the interfaces correctly on FortiSwitch? IP's should be assigned to layer 3 but "router" does not give the options I think I should see.

Here are Cisco settings:

interface TenGigabitEthernet0/0/0.2900 (This is a sub-interface)
description "Direct Connect to Amazon VPC or Transit Gateway on AWS Cloud"
encapsulation dot1Q 2900
ip address 169.254.38.182 255.255.255.252

interface TenGigabitEthernet0/0/1 (Physical interface)
description "Prod DBNET access"
ip address 192.168.51.249 255.255.254.0
no ip proxy-arp
ip nbar protocol-discovery


router bgp 64514 (my ASN)
bgp log-neighbor-changes
neighbor 169.254.38.181 remote-as 64513 (remote ASN)
neighbor 169.254.38.181 password *******
!
address-family ipv4
network 169.254.38.180 mask 255.255.255.252
network 192.168.50.0 mask 255.255.254.0
network 10.10.2.0 mask 255.255.255.0
network 10.1.0.0 mask 255.255.254.0
neighbor 169.254.38.181 activate
exit-address-family

Here are FortiSwitch settings I have applied or compiled so far:

AWS-DC-Megaport # show system interface
name Name.
internal static 192.168.50.41 255.255.254.0 up physical
mgmt dhcp 0.0.0.0 0.0.0.0 up physical
uat static 10.10.2.4 255.255.255.0 up vlan

How do I configure DMZ/UAT to use same interface (diff vlan) on fortiswitch?

config router bgp
set as 64514
set router-id 192.168.50.41

config neighbor
edit "<IPv4_or_IPv6 address>" (should this be 169.254.38.182?)
set remote-as 64513

end

UPDATED DRAWING!!!!!
FortiSwitch-AWS-DC-vlan-Diagram.png

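Added example, not code from the original post or from Fortinet: a small Python check that parses the Cisco fragments quoted above (embedded as a constructed sample) and, for each BGP neighbour, works out which local interface shares the peering subnet, which VLAN tag that sub-interface carries, and which address is local versus peer. It flags the two mistakes that are easy to make when transcribing a /30 by hand: entering the local address as the neighbour, and re-using the local AS as the remote AS. Interface, address and AS values are the ones in the post; the function names are my own.

```python
import ipaddress
import re

# Constructed sample: the Cisco fragments quoted in the original post.
CISCO_CONFIG = """\
interface TenGigabitEthernet0/0/0.2900
 description "Direct Connect to Amazon VPC or Transit Gateway on AWS Cloud"
 encapsulation dot1Q 2900
 ip address 169.254.38.182 255.255.255.252
interface TenGigabitEthernet0/0/1
 description "Prod DBNET access"
 ip address 192.168.51.249 255.255.254.0
 no ip proxy-arp
router bgp 64514
 bgp log-neighbor-changes
 neighbor 169.254.38.181 remote-as 64513
 neighbor 169.254.38.181 password *******
 address-family ipv4
  network 169.254.38.180 mask 255.255.255.252
  network 192.168.50.0 mask 255.255.254.0
  neighbor 169.254.38.181 activate
 exit-address-family
"""


def parse_cisco(text):
    """Return (interfaces, bgp) from IOS-style config text.

    interfaces: list of {name, vlan, ip (IPv4Interface)}
    bgp: {local_as, neighbors: {peer_ip: remote_as}, networks: [IPv4Network]}
    """
    interfaces = []
    bgp = {"local_as": None, "neighbors": {}, "networks": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = line.split()[1]
            # A ".<n>" suffix is a sub-interface; by convention n is the VLAN tag,
            # but the explicit 'encapsulation dot1Q' line below is authoritative.
            m = re.search(r"\.(\d+)$", name)
            current = {"name": name, "vlan": int(m.group(1)) if m else None, "ip": None}
            interfaces.append(current)
        elif line.startswith("encapsulation dot1Q ") and current:
            current["vlan"] = int(line.split()[2])
        elif line.startswith("ip address ") and current:
            _, _, addr, mask = line.split()
            current["ip"] = ipaddress.IPv4Interface(f"{addr}/{mask}")
        elif line.startswith("router bgp "):
            bgp["local_as"] = int(line.split()[2])
            current = None
        elif line.startswith("neighbor ") and "remote-as" in line:
            parts = line.split()
            bgp["neighbors"][parts[1]] = int(parts[3])
        elif line.startswith("network ") and "mask" in line:
            parts = line.split()
            bgp["networks"].append(ipaddress.IPv4Network(f"{parts[1]}/{parts[3]}"))
    return interfaces, bgp


def check_peering(interfaces, bgp):
    """For each neighbour, locate the local interface on the same subnet and
    report local address, VLAN tag and the peer address that identifies the
    neighbour entry; list anything that would stop an eBGP session forming."""
    findings = []
    for peer, remote_as in bgp["neighbors"].items():
        peer_ip = ipaddress.IPv4Address(peer)
        match = next((i for i in interfaces if i["ip"] and peer_ip in i["ip"].network), None)
        finding = {"peer": peer, "remote_as": remote_as, "problems": []}
        if match is None:
            finding["problems"].append("no local interface shares a subnet with the peer")
        else:
            finding["local_interface"] = match["name"]
            finding["vlan"] = match["vlan"]
            finding["local_ip"] = str(match["ip"].ip)
            if peer_ip == match["ip"].ip:
                finding["problems"].append("peer address equals the local address")
            if remote_as == bgp["local_as"]:
                finding["problems"].append("remote AS equals local AS (iBGP, not the eBGP intended)")
        finding["ok"] = not finding["problems"]
        findings.append(finding)
    return findings


if __name__ == "__main__":
    ifs, bgp = parse_cisco(CISCO_CONFIG)
    for f in check_peering(ifs, bgp):
        print(f)
```

Running it on the sample reports the peering sub-interface, VLAN 2900, local address 169.254.38.182 and peer 169.254.38.181 with no problems; swapping the two addresses in the neighbour entry is reported as a problem.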
33 REPLIES
Toshi_Esumi

I can't tell the difference between them because the smaller models I have don't support RVI. There might be some capability/configuration differences when it's used in L3 features like BGP. You'll probably find it yourself when you use it.

Toshi

Toshi_Esumi
SuperUser

If you attach a text file it seems to import the content and shows up. Same goes with image files.

Toshi_Esumi
SuperUser

You're using RVI "AWS-DC-L3" specifying l2-interface as "port28". Again, I don't have a device supporting FTNT RVI so I'm not sure how it's working with your config.
But for the other part, port26 = VLAN 2, port27 = VLAN 35, and those associated L3 interfaces are correctly configured and should be working as you expect. The key is allowed-vlans 2,35 on the "internal" switch interface, and native-vlan 1 on the same switch interface to bind to the "internal" L3 interface.

Only thing I would suggest is:
config switch global
  set auto-fortilink-discovery disable
end

In a case like yours, the FortiLink to a FGT is not utilized.


Toshi

jroy777
New Contributor II

I cannot see neighbor, what do you recommend?

AWS-DC-Megaport # get router info bgp neighbors
BGP neighbor is 169.254.38.181, remote AS 64513, local AS 64514, external link
  BGP version 4, remote router ID 0.0.0.0, local router ID 192.168.50.41
  BGP state = Active
  Last read 1d19h29m, Last write never
  Hold time is 180, keepalive interval is 60 seconds
  Graceful restart information:
    Local GR Mode: Helper*
    Remote GR Mode: NotApplicable
    R bit: False
    Timers:
      Configured Restart Time(sec): 120
      Received Restart Time(sec): 0
  Message statistics:
    Inq depth is 0
    Outq depth is 0
                         Sent       Rcvd
    Opens:                  0          0
    Notifications:          0          0
    Updates:                0          0
    Keepalives:             0          0
    Route Refresh:          0          0
    Capability:             0          0
    Total:                  0          0
  Minimum time between advertisement runs is 30 seconds

For address family: IPv4 Unicast
  Not part of any update group
  Community attribute sent to this neighbor(all)
  Inbound updates discarded due to missing policy
  Outbound updates discarded due to missing policy
  0 accepted prefixes

For address family: IPv6 Unicast
  Not part of any update group
  Community attribute sent to this neighbor(all)
  Inbound updates discarded due to missing policy
  Outbound updates discarded due to missing policy
  0 accepted prefixes

  Connections established 0; dropped 0
  Last reset 1d19h29m,  Waiting for peer OPEN
BGP Connect Retry Timer in Seconds: 120
Next connect timer due in 51 seconds
Read thread: off  Write thread: off  FD used: -1
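
Added example, not from the thread or from Fortinet: a Python parser for the `get router info bgp neighbors` output quoted in this post (embedded as a constructed copy), with a diagnose() step that reads the state and counters the way an engineer would. State Active with zero OPENs sent, "Last write never" and zero connections established means the TCP session to the peer never completed, which points at reachability on the peering VLAN/L3 interface or a TCP MD5 (password) mismatch rather than at BGP attributes; OPENs or NOTIFICATIONs received mean the peer is reachable but the session parameters (AS numbers, password, router ID) are being rejected. The function names and the category labels are my own.

```python
import re

# Constructed sample: the neighbour output quoted in the post, trimmed to the
# lines the parser uses. Whitespace in the counter rows matches the real output.
SAMPLE_OUTPUT = """\
BGP neighbor is 169.254.38.181, remote AS 64513, local AS 64514, external link
  BGP version 4, remote router ID 0.0.0.0, local router ID 192.168.50.41
  BGP state = Active
  Last read 1d19h29m, Last write never
  Hold time is 180, keepalive interval is 60 seconds
  Message statistics:
    Inq depth is 0
    Outq depth is 0
                         Sent       Rcvd
    Opens:                  0          0
    Notifications:          0          0
    Updates:                0          0
    Keepalives:             0          0
    Route Refresh:          0          0
    Total:                  0          0
For address family: IPv4 Unicast
  Inbound updates discarded due to missing policy
  Outbound updates discarded due to missing policy
  0 accepted prefixes
  Connections established 0; dropped 0
  Last reset 1d19h29m,  Waiting for peer OPEN
"""


def parse_bgp_neighbor(text):
    """Extract peer identity, FSM state, message counters and policy warnings."""
    info = {"counters": {}}
    m = re.search(r"BGP neighbor is (\S+), remote AS (\d+), local AS (\d+)", text)
    info["peer"], info["remote_as"], info["local_as"] = m.group(1), int(m.group(2)), int(m.group(3))
    info["state"] = re.search(r"BGP state = (\w+)", text).group(1)
    info["remote_router_id"] = re.search(r"remote router ID (\S+),", text).group(1)
    info["last_write"] = re.search(r"Last write (\S+)", text).group(1)
    est = re.search(r"Connections established (\d+); dropped (\d+)", text)
    info["established"], info["dropped"] = int(est.group(1)), int(est.group(2))
    # Counter rows look like "    Opens:                  0          0" (sent, received).
    for name, sent, rcvd in re.findall(r"^\s+(\w[\w ]*?):\s+(\d+)\s+(\d+)\s*$", text, re.M):
        info["counters"][name] = (int(sent), int(rcvd))
    info["policy_warnings"] = re.findall(r"(\w+ updates discarded due to missing policy)", text)
    return info


def diagnose(info):
    """Map the parsed status to the layer the fault most likely sits at."""
    if info["state"] == "Established":
        return "established"
    opens_sent, opens_rcvd = info["counters"].get("Opens", (0, 0))
    notif_rcvd = info["counters"].get("Notifications", (0, 0))[1]
    if info["established"] == 0 and opens_sent == 0 and info["last_write"] == "never":
        # Nothing was ever written: TCP/179 never came up. Either the peer is not
        # reachable on the link (VLAN tag, IP, L3 interface) or TCP MD5 differs,
        # since both block the handshake before any BGP message is sent.
        return "transport"
    if opens_rcvd > 0 or notif_rcvd > 0:
        # The peer answered, so reachability is fine; it rejected OPEN parameters.
        return "session_parameters"
    return "unknown"


if __name__ == "__main__":
    parsed = parse_bgp_neighbor(SAMPLE_OUTPUT)
    print(parsed["state"], parsed["counters"]["Opens"], diagnose(parsed))
```

On the quoted output this yields state Active, OPEN counters (0, 0) and the "transport" category; the same output with the state line changed to Established yields "established".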

Toshi_Esumi

Are you able to ping the peer IP? You should be able to if RVI is working. If not, you probably need to open a ticket at TAC to get it looked into. I would guess not many people in this forum are familiar with RVI config on FSWs.
If you want you can try SVI instead, just like those VLAN2 and 35.

Toshi

jroy777
New Contributor II

Nope, was unable to ping peer. My thoughts exactly, switching to SVI.
How can I easily remove RVI?

Toshi_Esumi

Of course I don't know, but based on the admin guide, it's only in "config system interface".
https://docs.fortinet.com/document/fortiswitch/7.2.7/administration-guide/22391/routed-vlan-interfac...

So I would assume you just need to remove it from there. However, I saw you have related config under "config switch vlan" as well. I would remove that too.
By the way, in the doc it says RVI's VLAN ID is always 4095.

Toshi

jroy777
New Contributor II

I saw that, OK, so how would I set authentication for BGP? I don't see it here in the docs: https://docs.fortinet.com/document/fortiswitch/7.4.3/fortiswitchos-administration-guide/939732/confi...

Toshi_Esumi

As I said initially, try looking for the L3/BGP config guide in FGT's docs. Most unlikely FTNT duplicated the whole routing protocol part of the docs to FSW's documentation.
https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/216371/bgp-neighbor-password

If "set password ?" gives you an error inside of "config neighbor" it might not be supported on FSWs.

Toshi

jroy777
New Contributor II

ChatGPT gave us "set password" and I applied but still down. :)

Trying to remove RVI via GUI and they don't have Delete?????
