We have a working Cisco router doing bgp to AWS Direct Connect. What is the correct way to create the layer 3 interfaces (Direct-Connect, inside and dmz/uat) and the required Vlan 2900 with correct dot1Q encapsulation. Do I create on a sub interface like with Cisco? See Cisco settings below. See attached drawing.
I am assuming just plugging in existing HPE switch to interface assigned on FortiSwitch for "DMZ/UAT" and for "Inside" but how do I create the interfaces correctly on FortiSwitch? IP's should be assigned to layer 3 but "router" does not give the options I think I should see.
Here are Cisco settings:
interface TenGigabitEthernet0/0/0.2900 (This is a sub interface)
description "Direct Connect to Amazon VPC or Transit Gateway on AWS Cloud"
encapsulation dot1Q 2900
ip address 169.254.38.182 255.255.255.252
interface TenGigabitEthernet0/0/1 (Physical interface)
description "Prod DBNET access"
ip address 192.168.51.249 255.255.254.0
no ip proxy-arp
ip nbar protocol-discovery
router bgp 64514 (my ASN)
bgp log-neighbor-changes
neighbor 169.254.38.181 remote-as 64513 (remote ASN)
neighbor 169.254.38.181 password *******
!
address-family ipv4
network 169.254.38.180 mask 255.255.255.252
network 192.168.50.0 mask 255.255.254.0
network 10.10.2.0 mask 255.255.255.0
network 10.1.0.0 mask 255.255.254.0
neighbor 169.254.38.181 activate
exit-address-family
Here are FortiSwitch settings I have applied or compiled so far:
AWS-DC-Megaport # show system interface
name Name.
internal static 192.168.50.41 255.255.254.0 up physical
mgmt dhcp 0.0.0.0 0.0.0.0 up physical
uat static 10.10.2.4 255.255.255.0 up vlan
How do I configure DMZ/UAT to use same interface (diff vlan) on fortiswitch?
config router bgp
set as 64514
set router-id 192.168.50.41
config neighbor
edit "<IPv4_or_IPv6 address>" (should this be 169.254.38.182?)
set remote-as 64513
end
UPDATED DRAWING!!!!!
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
What are your thoughts?
Created on 05-03-2024 01:40 PM Edited on 05-03-2024 01:41 PM
First please don't do "show full" but just "show". The most important part what you changed from the default setting are buried in all unimportant default values. So very hard to see what exactly you configured.
Second, I'm assuming you can now ping the peer IP. Correct? I see some traffic flowing on port28 above. Then do you see the neighbor still down in "get router info bgp sum"?
Sniff on port28 with below commands:
config switch interface edit "port28" set packet-sampler enabled set packet-sample-rate 1 next end
Then, when you sniff the port, the interface name you need to specify is NOT "port1", "port2"... but "sp1", "sp2" ... instead. And you can use filters, so looks like below:
# diag sniffer packet sp28 'tcp and port 179'
Toshi
Created on 05-03-2024 03:59 PM Edited on 05-03-2024 04:00 PM
Thanks for all your help Toshi, I really appreciate your time. There is no separate show config command, here are my choices:
AWS-DC-Megaport # show ?
log log
router router
switch switch
switch-controller switch-controller
system system
user user
full-configuration show full configuration
AWS-DC-Megaport #
In the above post of config, I snipped out all the extra ports and interfaces and only put in the relevant data that actually shows changed from the default config.
We move the cable back to the Cisco for now so I cannot test again till Monday. I never received a response to my ping. I have ping enabled on all my interfaces. The only interface that is not working is the
SVI vlan 2900
our bgp AS 64514
our IP 169.254.38.182/30
the neighbor bgp AS 64513
the neighbor IP 169.254.38.181/30
the vlan we connect to each other on is Vlan 2900
Our networks that should be sent with BGP
192.168.50.0/23
10.1.0.0/23
10.10.2.0/24
Created on 05-03-2024 04:05 PM Edited on 05-03-2024 04:06 PM
no "?". just "show" then Enter. That should work at the top. Also each like "config system interface" and "config switch interface", you can use "show" then enter. It will show only that section.
How about sniffing result when you ping the other end? You need to have two SSH/console sessions though.
Toshi
Also does the /30 subnet show up in the routing-table?
"get router info routing-table all"
Yes they are all there:
AWS-DC-Megaport # "get router info routing-table all"
Unknown action 0
AWS-DC-Megaport # get router info routing-table all
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, T - Table, F - PBR,
> - selected route, * - FIB route, q - queued, r - rejected, b - backup, ^ - HW install failed
t - trapped, o - offload failure
VRF default:
C>* 10.1.0.0/23 is directly connected, dmz, 2d23h38m
C>* 10.10.2.0/24 is directly connected, uat, 3d21h26m
C>* 169.254.38.180/30 is directly connected, AWS-DC, 04:30:45
C>* 192.168.50.0/23 is directly connected, internal, 4d03h57m
AWS-DC-Megaport #
Also, the "show" command is something that I just figured out. Thanks!
I still can't believe you can't ping the BGP peer IP. You will see once you sniffed at port28, but are you sure the peer expected untagged VLAN 2900 frames, which you configured on the FSW side?
Toshi
Created on 05-06-2024 06:43 AM Edited on 05-06-2024 06:44 AM
Untagged? Vlan 2900 should be tagged. Where do you see they are untagged? Those routes listed here are my directly connected subnets. I am advertising the /30 in my config.
config switch interface
edit "port28"
set description ''
set native-vlan 2900
<snip>
In your post above. Do "unset native-vlan" or "set native-vlan 1", then "set allowed-vlans 2900" at the port28.
Toshi
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1561 | |
1034 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.