Duplicate a working Cisco Router config on a FortiSwitch 424E-Fiber

jroy777 · ‎04-30-2024

We have a working Cisco router doing bgp to AWS Direct Connect. What is the correct way to create the layer 3 interfaces (Direct-Connect, inside and dmz/uat) and the required Vlan 2900 with correct dot1Q encapsulation. Do I create on a sub interface like with Cisco? See Cisco settings below. See attached drawing.

I am assuming just plugging in existing HPE switch to interface assigned on FortiSwitch for "DMZ/UAT" and for "Inside" but how do I create the interfaces correctly on FortiSwitch? IP's should be assigned to layer 3 but "router" does not give the options I think I should see.

Here are Cisco settings:

interface TenGigabitEthernet0/0/0.2900 (This is a sub interface)
description "Direct Connect to Amazon VPC or Transit Gateway on AWS Cloud"
encapsulation dot1Q 2900
ip address 169.254.38.182 255.255.255.252

interface TenGigabitEthernet0/0/1 (Physical interface)
description "Prod DBNET access"
ip address 192.168.51.249 255.255.254.0
no ip proxy-arp
ip nbar protocol-discovery

router bgp 64514 (my ASN)
bgp log-neighbor-changes
neighbor 169.254.38.181 remote-as 64513 (remote ASN)
neighbor 169.254.38.181 password *******
!
address-family ipv4
network 169.254.38.180 mask 255.255.255.252
network 192.168.50.0 mask 255.255.254.0
network 10.10.2.0 mask 255.255.255.0
network 10.1.0.0 mask 255.255.254.0
neighbor 169.254.38.181 activate
exit-address-family

Here are FortiSwitch settings I have applied or compiled so far:

AWS-DC-Megaport # show system interface
name Name.
internal static 192.168.50.41 255.255.254.0 up physical
mgmt dhcp 0.0.0.0 0.0.0.0 up physical
uat static 10.10.2.4 255.255.255.0 up vlan

How do I configure DMZ/UAT to use same interface (diff vlan) on fortiswitch?

config router bgp
set as 64514
set router-id 192.168.50.41

config neighbor
edit "<IPv4_or_IPv6 address>" (should this be 169.254.38.182?)
set remote-as 64513

end

UPDATED DRAWING!!!!!

jroy777 · ‎05-03-2024

What are your thoughts?

jroy777 · ‎05-03-2024

Here are all changes compared to previous config.

config switch global

set access-vlan-mode legacy

set auto-fortilink-discovery disable

set auto-isl enable

snip

set cdp-status disable

set description "To DBNET10G-03 Port 37 | inside"

set dmi-status global

set flapguard disabled

set flow-control disable

set fortilink-p2p disable

set l2-learning enabled

set lldp-profile "default-auto-isl"

set lldp-status tx-rx

set loopback disable

set max-frame-size 9216

set speed 10000full

set status up

set storm-control-mode global

set cdp-status disable

set description "To DMZ10G-02 Port 35 | dmz"

set dmi-status global

set flapguard disabled

set flow-control disable

set fortilink-p2p disable

set l2-learning enabled

set lldp-profile "default-auto-isl"

set lldp-status tx-rx

set loopback disable

set max-frame-size 9216

set speed 10000full

set status up

set storm-control-mode global

set cdp-status disable

set description "To DMZ10G-02 Port 37 | UAT"

set dmi-status global

set flapguard disabled

set flow-control disable

set fortilink-p2p disable

set l2-learning enabled

set lldp-profile "default-auto-isl"

set lldp-status tx-rx

set loopback disable

set max-frame-size 9216

set speed 10000full

set status up

set storm-control-mode global

set cdp-status disable

set description "To AWS Direct Connect Vlan 2900"

set dmi-status global

set flapguard disabled

set flow-control disable

set fortilink-p2p disable

set l2-learning enabled

set lldp-profile "default-auto-isl"

set lldp-status tx-rx

set loopback disable

set max-frame-size 9216

set speed 10000full

set status up

set storm-control-mode global

set description ''

config switch vlan

edit 35

set private-vlan disable

set lan-segment disable

set description "UAT Vlan35 Interface on FortiSwitch port 27"

set learning enable

set learning-limit 0

set rspan-mode disable

set igmp-snooping disable

set dhcp-snooping disable

set dhcp6-snooping disable

set access-vlan disable

set assignment-priority 128

unset policer

unset cos-queue

set private-vlan disable

set lan-segment disable

set description "AWS-DC-FortiSW Port 28"

set learning enable

set learning-limit 0

set rspan-mode disable

set igmp-snooping disable

set dhcp-snooping disable

set dhcp6-snooping disable

set access-vlan disable

set assignment-priority 128

unset policer

unset cos-queue

set private-vlan disable

set lan-segment disable

set description "DMZ FortiSwitch port 26 using vlan 2 on switch but vlan 1"

set learning enable

set learning-limit 0

set rspan-mode disable

set igmp-snooping disable

set dhcp-snooping disable

set dhcp6-snooping disable

set access-vlan disable

set assignment-priority 128

unset policer

unset cos-queue

snip

set description ''

set native-vlan 1

unset allowed-vlans

unset untagged-vlans

set discard-mode none

set dhcp-snooping untrusted

set dhcp-snoop-learning-limit-check disable

set dhcp-snoop-option82-trust disable

set arp-inspection-trust untrusted

set stp-state disabled

set stp-loop-protection disabled

set stp-root-guard disabled

set stp-bpdu-guard disabled

set loop-guard disabled

set edge-port enabled

set rpvst-port disabled

set ip-source-guard disable

set auto-discovery-fortilink-packet-interval 5

set private-vlan disable

set igmp-snooping-flood-reports disable

set mcast-snooping-flood-traffic disable

set packet-sampler disabled

set sflow-counter-interval 0

set snmp-index 25

config port-security

set port-security-mode none

end

config qnq

set status disable

set stp-qnq-admin enable

end

set vlan-mapping-miss-drop disable

set vlan-tpid "default"

set trust-dot1p-map ''

set trust-ip-dscp-map ''

set qos-policy "default"

set ptp-policy "default"

set ptp-status enable

set learning-limit 0

set sticky-mac disable

set log-mac-event disable

set nac disable

set description ''

set native-vlan 2

unset allowed-vlans

unset untagged-vlans

set discard-mode none

set dhcp-snooping untrusted

set dhcp-snoop-learning-limit-check disable

set dhcp-snoop-option82-trust disable

set arp-inspection-trust untrusted

set stp-state enabled

set stp-loop-protection disabled

set stp-root-guard disabled

set stp-bpdu-guard disabled

set loop-guard disabled

set edge-port enabled

set rpvst-port disabled

set ip-source-guard disable

set auto-discovery-fortilink-packet-interval 5

set private-vlan disable

set igmp-snooping-flood-reports disable

set mcast-snooping-flood-traffic disable

set packet-sampler disabled

set sflow-counter-interval 0

set snmp-index 26

config port-security

set port-security-mode none

end

config qnq

set status disable

set stp-qnq-admin enable

end

set vlan-mapping-miss-drop disable

set vlan-tpid "default"

set trust-dot1p-map ''

set trust-ip-dscp-map ''

set qos-policy "default"

set ptp-policy "default"

set ptp-status enable

set learning-limit 0

set sticky-mac disable

set log-mac-event disable

set nac disable

set description ''

set native-vlan 35

unset allowed-vlans

unset untagged-vlans

set discard-mode none

set dhcp-snooping untrusted

set dhcp-snoop-learning-limit-check disable

set dhcp-snoop-option82-trust disable

set arp-inspection-trust untrusted

set stp-state disabled

set stp-loop-protection disabled

set stp-root-guard disabled

set stp-bpdu-guard disabled

set loop-guard disabled

set edge-port enabled

set rpvst-port disabled

set ip-source-guard disable

set auto-discovery-fortilink-packet-interval 5

set private-vlan disable

set igmp-snooping-flood-reports disable

set mcast-snooping-flood-traffic disable

set packet-sampler disabled

set sflow-counter-interval 0

set snmp-index 27

config port-security

set port-security-mode none

end

config qnq

set status disable

set stp-qnq-admin enable

end

set vlan-mapping-miss-drop disable

set vlan-tpid "default"

set trust-dot1p-map ''

set trust-ip-dscp-map ''

set qos-policy "default"

set ptp-policy "default"

set ptp-status enable

set learning-limit 0

set sticky-mac disable

set log-mac-event disable

set nac disable

set description ''

set native-vlan 2900

unset allowed-vlans

unset untagged-vlans

set discard-mode none

set dhcp-snooping untrusted

set dhcp-snoop-learning-limit-check disable

set dhcp-snoop-option82-trust disable

set arp-inspection-trust untrusted

set stp-state enabled

set stp-loop-protection disabled

set stp-root-guard disabled

set stp-bpdu-guard disabled

set loop-guard disabled

set edge-port enabled

set rpvst-port disabled

set ip-source-guard disable

set auto-discovery-fortilink-packet-interval 5

set private-vlan disable

set igmp-snooping-flood-reports disable

set mcast-snooping-flood-traffic disable

set packet-sampler disabled

set sflow-counter-interval 0

set snmp-index 28

config port-security

set port-security-mode none

end

config qnq

set status disable

set stp-qnq-admin enable

end

set vlan-mapping-miss-drop disable

set vlan-tpid "default"

set trust-dot1p-map ''

set trust-ip-dscp-map ''

set qos-policy "default"

set ptp-policy "default"

set ptp-status disable

set learning-limit 0

set sticky-mac disable

set log-mac-event disable

set nac disable

set description ''

set native-vlan 1

set allowed-vlans 2,35,2900

unset untagged-vlans

set discard-mode none

set stp-state disabled

set stp-loop-protection disabled

set stp-root-guard disabled

set stp-bpdu-guard disabled

set loop-guard disabled

set edge-port enabled

set rpvst-port disabled

set auto-discovery-fortilink-packet-interval 5

set private-vlan disable

set igmp-snooping-flood-reports disable

set mcast-snooping-flood-traffic disable

set packet-sampler disabled

set sflow-counter-interval 0

set snmp-index 29

set vlan-tpid "default"

set trust-dot1p-map ''

set trust-ip-dscp-map ''

set nac disable

snip

edit "AWS-DC"

set mode static

set dhcp-relay-service disable

set ip 169.254.38.182 255.255.255.252

set allowaccess ping https ssh

set bfd disable

set bfd-desired-min-tx 250

set bfd-detect-mult 3

set bfd-required-min-rx 250

set icmp-redirect enable

set status up

set type vlan

set description ''

set alias "AWS-DC"

set vrrp-virtual-mac disable

set secondary-IP disable

set snmp-index 33

config ipv6

set ip6-address ::/0

set ip6-mode static

unset ip6-allowaccess

set autoconf disable

set ip6-unknown-mcast-to-cpu disable

set dhcp6-information-request disable

set ip6-send-adv disable

set vrrp-virtual-mac6 disable

set vrip6_link_local ::

end

set vlanid 2900

set interface "internal"

snip

config router bgp

set as 64514

set router-id 192.168.50.41

set keepalive-timer 60

set holdtime-timer 180

set always-compare-med disable

set bestpath-as-path-ignore disable

set bestpath-cmp-confed-aspath disable

set bestpath-cmp-routerid disable

set bestpath-med-confed disable

set bestpath-med-missing-as-worst disable

set client-to-client-reflection enable

set dampening disable

set deterministic-med disable

set fast-external-failover enable

set log-neighbour-changes enable

set cluster-id 0.0.0.0

set confederation-identifier 0

set default-local-preference 100

set scan-time 60

set maximum-paths-ebgp 1

set bestpath-aspath-multipath-relax disable

set maximum-paths-ibgp 1

set distance-external 20

set distance-internal 200

set distance-local 200

set ebgp-requires-policy enable

set graceful-stalepath-time 360

set route-reflector-allow-outbound-policy disable

config neighbor

edit "169.254.38.181"

set advertisement-interval 30

set allowas-in-enable disable

set allowas-in-enable-evpn disable

set allowas-in-enable6 disable

set enforce-first-as disable

unset attribute-unchanged

unset attribute-unchanged-evpn

unset attribute-unchanged6

set activate enable

set activate6 enable

set activate-evpn disable

set bfd disable

set capability-dynamic disable

set capability-orf none

set capability-orf6 none

set capability-default-originate disable

set capability-default-originate6 disable

set dont-capability-negotiate disable

set ebgp-enforce-multihop disable

set next-hop-self disable

set next-hop-self6 disable

set override-capability disable

set passive disable

set remove-private-as disable

set remove-private-as6 disable

set route-server-client disable

set route-server-client6 disable

set shutdown disable

set soft-reconfiguration disable

set soft-reconfiguration-evpn disable

set soft-reconfiguration6 disable

set as-override disable

set as-override6 disable

set strict-capability-match disable

set description ''

set distribute-list-in ''

set distribute-list-in6 ''

set distribute-list-out ''

set distribute-list-out6 ''

set filter-list-in ''

set filter-list-in6 ''

set filter-list-out ''

set filter-list-out6 ''

set interface ''

set maximum-prefix 0

set maximum-prefix6 0

set prefix-list-in ''

set prefix-list-in6 ''

set prefix-list-out ''

set prefix-list-out6 ''

set remote-as 64513

set route-map-in ''

set route-map-in-evpn ''

set route-map-in6 ''

set route-map-out ''

set route-map-out-evpn ''

set route-map-out6 ''

set send-community both

set send-community6 both

set keep-alive-timer 4294967295

set holdtime-timer 4294967295

set connect-timer 4294967295

set unsuppress-map ''

set unsuppress-map6 ''

set update-source ''

set weight 4294967295

set password "xxxxxxxx"

config redistribute "connected"

set status disable

set route-map ''

end

config redistribute "static"

set status disable

set route-map ''

end

config redistribute "ospf"

set status disable

set route-map ''

end

config redistribute "rip"

set status disable

set route-map ''

end

config redistribute "isis"

set status disable

set route-map ''

end

config redistribute6 "connected"

set status disable

set route-map ''

end

config redistribute6 "static"

set status disable

set route-map ''

end

config redistribute6 "ospf"

set status disable

set route-map ''

end

config redistribute6 "rip"

set status disable

set route-map ''

end

config redistribute6 "isis"

set status disable

set route-map ''

end

Toshi_Esumi · ‎05-03-2024

First please don't do "show full" but just "show". The most important part what you changed from the default setting are buried in all unimportant default values. So very hard to see what exactly you configured.

Second, I'm assuming you can now ping the peer IP. Correct? I see some traffic flowing on port28 above. Then do you see the neighbor still down in "get router info bgp sum"?
Sniff on port28 with below commands:

config switch interface
  edit "port28"
    set packet-sampler enabled
    set packet-sample-rate 1
  next
end

Then, when you sniff the port, the interface name you need to specify is NOT "port1", "port2"... but "sp1", "sp2" ... instead. And you can use filters, so looks like below:

# diag sniffer packet sp28 'tcp and port 179'

Toshi

jroy777 · ‎05-03-2024

Thanks for all your help Toshi, I really appreciate your time. There is no separate show config command, here are my choices:

AWS-DC-Megaport # show ?
log log
router router
switch switch
switch-controller switch-controller
system system
user user
full-configuration show full configuration

AWS-DC-Megaport #

In the above post of config, I snipped out all the extra ports and interfaces and only put in the relevant data that actually shows changed from the default config.

We move the cable back to the Cisco for now so I cannot test again till Monday. I never received a response to my ping. I have ping enabled on all my interfaces. The only interface that is not working is the

SVI vlan 2900
our bgp AS 64514
our IP 169.254.38.182/30

the neighbor bgp AS 64513
the neighbor IP 169.254.38.181/30
the vlan we connect to each other on is Vlan 2900

Our networks that should be sent with BGP
192.168.50.0/23
10.1.0.0/23
10.10.2.0/24

Toshi_Esumi · ‎05-03-2024

no "?". just "show" then Enter. That should work at the top. Also each like "config system interface" and "config switch interface", you can use "show" then enter. It will show only that section.

How about sniffing result when you ping the other end? You need to have two SSH/console sessions though.

Toshi

Toshi_Esumi · ‎05-03-2024

Also does the /30 subnet show up in the routing-table?
"get router info routing-table all"

jroy777 · ‎05-03-2024

Yes they are all there:

AWS-DC-Megaport # "get router info routing-table all"
Unknown action 0

AWS-DC-Megaport # get router info routing-table all
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, T - Table, F - PBR,
> - selected route, * - FIB route, q - queued, r - rejected, b - backup, ^ - HW install failed
t - trapped, o - offload failure

VRF default:
C>* 10.1.0.0/23 is directly connected, dmz, 2d23h38m
C>* 10.10.2.0/24 is directly connected, uat, 3d21h26m
C>* 169.254.38.180/30 is directly connected, AWS-DC, 04:30:45
C>* 192.168.50.0/23 is directly connected, internal, 4d03h57m

AWS-DC-Megaport #

Also, the "show" command is something that I just figured out. Thanks!

Toshi_Esumi · ‎05-04-2024

I still can't believe you can't ping the BGP peer IP. You will see once you sniffed at port28, but are you sure the peer expected untagged VLAN 2900 frames, which you configured on the FSW side?

Toshi

jroy777 · ‎05-06-2024

Untagged? Vlan 2900 should be tagged. Where do you see they are untagged? Those routes listed here are my directly connected subnets. I am advertising the /30 in my config.

Toshi_Esumi · ‎05-06-2024

config switch interface
   edit "port28"
    set description ''
    set native-vlan 2900
<snip>

In your post above. Do "unset native-vlan" or "set native-vlan 1", then "set allowed-vlans 2900" at the port28.

Toshi