We have a working Cisco router doing BGP to AWS Direct Connect. What is the correct way to create the Layer 3 interfaces (Direct Connect, inside and DMZ/UAT) and the required VLAN 2900 with the correct dot1Q encapsulation? Do I create it on a sub-interface, as on the Cisco? See the Cisco settings below and the attached drawing.
I am assuming I can just plug the existing HPE switches into the ports assigned on the FortiSwitch for "DMZ/UAT" and for "Inside", but how do I create the interfaces correctly on the FortiSwitch? The IPs should be assigned to the Layer 3 interfaces, but "router" does not give the options I think I should see.
Here are the Cisco settings:
! dot1Q sub-interface toward AWS Direct Connect (VLAN 2900)
interface TenGigabitEthernet0/0/0.2900
 description "Direct Connect to Amazon VPC or Transit Gateway on AWS Cloud"
 encapsulation dot1Q 2900
 ip address 169.254.38.182 255.255.255.252
!
! physical interface, LAN side
interface TenGigabitEthernet0/0/1
 description "Prod DBNET access"
 ip address 192.168.51.249 255.255.254.0
 no ip proxy-arp
 ip nbar protocol-discovery
!
! 64514 is my ASN, 64513 is the remote (AWS) ASN
router bgp 64514
 bgp log-neighbor-changes
 neighbor 169.254.38.181 remote-as 64513
 neighbor 169.254.38.181 password *******
 !
 address-family ipv4
  network 169.254.38.180 mask 255.255.255.252
  network 192.168.50.0 mask 255.255.254.0
  network 10.10.2.0 mask 255.255.255.0
  network 10.1.0.0 mask 255.255.254.0
  neighbor 169.254.38.181 activate
 exit-address-family
Here are FortiSwitch settings I have applied or compiled so far:
AWS-DC-Megaport # show system interface
name      mode    ip                            status  type
internal  static  192.168.50.41 255.255.254.0   up      physical
mgmt      dhcp    0.0.0.0 0.0.0.0               up      physical
uat       static  10.10.2.4 255.255.255.0       up      vlan
How do I configure DMZ/UAT to use the same interface (different VLAN) on the FortiSwitch?
config router bgp
    set as 64514
    set router-id 192.168.50.41
    config neighbor
        edit "<IPv4_or_IPv6 address>"
            set remote-as 64513
        next
    end
end
Should the neighbor entry be 169.254.38.182?
Updated drawing!
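An added example (not the poster's configuration and not taken from Fortinet documentation) of what the FortiSwitch side of this design could look like in standalone FortiSwitchOS, assuming a model that supports Layer 3 routing and BGP. The port names port1/port2, VLAN 35 for UAT, the parking VLAN 999 and the placeholder BGP secret are assumptions; the BGP syntax is assumed to follow the FortiOS-style "config router bgp" tree, so confirm each keyword with "?" on the running firmware.

```text
# FortiSwitchOS standalone CLI (added example; port names, VLAN 35 and VLAN 999 are assumptions)

# 1. Layer 3 VLAN interfaces. On FortiSwitchOS the SVI is a "system interface"
#    of type vlan hanging off the built-in "internal" interface. The vlanid is
#    the equivalent of "encapsulation dot1Q 2900" on the Cisco sub-interface.
config system interface
    edit "direct-connect"
        set ip 169.254.38.182 255.255.255.252
        set allowaccess ping
        set vlanid 2900
        set interface "internal"
    next
    edit "uat"
        set ip 10.10.2.4 255.255.255.0
        set allowaccess ping
        set vlanid 35
        set interface "internal"
    next
end

# 2. Port membership. A port carries exactly one VLAN untagged (its native
#    VLAN); every other allowed VLAN is sent 802.1Q-tagged. That is the
#    "same interface, different VLAN" case: port2 carries DMZ untagged and
#    UAT tagged as 35. VLAN 999 is an unused parking VLAN with no L3 interface
#    so that stray untagged frames from the carrier do not land in VLAN 1.
config switch interface
    edit "port1"
        set description "Direct Connect: tagged 2900 toward Megaport/AWS"
        set native-vlan 999
        set allowed-vlans 2900
    next
    edit "port2"
        set description "DMZ/UAT stack: native 1 (DMZ), tagged 35 (UAT)"
        set native-vlan 1
        set allowed-vlans 35
    next
end

# 3. BGP. The neighbor is the AWS end of the /30 (.181); .182 is this
#    switch's own address on the direct-connect SVI. Remote AS, password and
#    advertised networks mirror the working Cisco configuration.
config router bgp
    set as 64514
    set router-id 192.168.50.41
    config neighbor
        edit "169.254.38.181"
            set remote-as 64513
            set password <bgp-md5-secret>
        next
    end
    config network
        edit 1
            set prefix 192.168.50.0 255.255.254.0
        next
        edit 2
            set prefix 10.10.2.0 255.255.255.0
        next
    end
end
```

The point of the parking VLAN on port1 is the same reason the Cisco side only has a .2900 sub-interface and no address on the physical port: nothing should be reachable untagged on the carrier-facing link. Keep the BGP MD5 password, since without it any host on the Megaport VLAN that can reach the /30 could try to open a session as the peer.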
Created on 05-06-2024 02:29 PM Edited on 05-06-2024 03:55 PM
OK, went through a bunch of example scenarios and have been testing all day. Used examples from Cisco forums, Fortinet forums and even ChatGPT for the FortiSwitch BGP, and have decided to keep the Cisco because it works with BGP. Now we have connected the FortiSwitch to it on its "LAN" side. So now I need to know how to trunk a Cisco 10G interface to a FortiSwitch. We decided to keep the FortiSwitch in the picture because we can separate VLANs out to 10G interfaces.
So port 28 goes to the Cisco; it should carry all the VLANs we define (1,1?,35). I reset the FortiSwitch back to factory and set just an IP and hostname, and I can now reach it and the ASR through it.
Now I need to get these two other VLANs to talk to the switch, but here's the issue.
This is a separate switch stack:
  "Inside" or LAN database network (DBNET) = native VLAN 1
  It has other VLANs, but we do not need them at the moment.
This is ALSO a separate switch stack:
  DMZ network = ALSO native VLAN 1
  UAT network = VLAN 35
If I assigned an unused VLAN to the FortiSwitch port that is connected to the DMZ switch stack, wouldn't it pass the traffic?
Thanks for looking and all your time on this.
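An added example (not the poster's configuration, not a reply from the thread and not from Fortinet or Cisco documentation) of the revised design: the ASR keeps BGP and routing, the FortiSwitch is Layer 2 only, and port28 carries the VLANs as a trunk. Which ASR port is used, the DMZ addressing 10.1.0.1/23, the UAT gateway 10.10.2.1 and VLAN 20 for the DMZ are assumptions; the FortiSwitch syntax assumes standalone FortiSwitchOS.

```text
! ---- Cisco ASR (IOS-XE): routed 10G port toward FortiSwitch port28 ----
! A router port has no "switchport mode trunk". Each VLAN is a dot1Q
! sub-interface, exactly like the existing .2900 sub-interface to AWS.
! "native" on the VLAN 1 sub-interface sends that VLAN untagged, which is
! what port28 expects for its native VLAN.
interface TenGigabitEthernet0/0/1
 description Trunk to FortiSwitch port28
 no ip address
!
interface TenGigabitEthernet0/0/1.1
 description DBNET (Inside), untagged toward the FortiSwitch
 encapsulation dot1Q 1 native
 ip address 192.168.51.249 255.255.254.0
 no ip proxy-arp
!
interface TenGigabitEthernet0/0/1.35
 description UAT (addressing assumed)
 encapsulation dot1Q 35
 ip address 10.10.2.1 255.255.255.0
!
interface TenGigabitEthernet0/0/1.20
 description DMZ, carried as VLAN 20 on the FortiSwitch (addressing assumed)
 encapsulation dot1Q 20
 ip address 10.1.0.1 255.255.254.0

# ---- FortiSwitchOS standalone ----
# Both stacks hand the FortiSwitch untagged frames that they each call
# "VLAN 1". Giving the DMZ-facing port a different native VLAN (20, assumed)
# retags those frames on ingress, so the DBNET VLAN 1 and the DMZ VLAN 1 are
# never bridged together; the ASR routes between them on its sub-interfaces.
config switch vlan
    edit 20
        set description "DMZ"
    next
    edit 35
        set description "UAT"
    next
end
config switch interface
    edit "port28"
        set description "To Cisco ASR Te0/0/1: native 1, tagged 20 and 35"
        set native-vlan 1
        set allowed-vlans 20,35
    next
    edit "port1"
        set description "DBNET stack: untagged VLAN 1 only"
        set native-vlan 1
        set allowed-vlans-all disable
    next
    edit "port2"
        set description "DMZ/UAT stack: untagged -> VLAN 20, tagged 35 = UAT"
        set native-vlan 20
        set allowed-vlans 35
    next
end
```

The separation between Inside and DMZ in this layout depends entirely on the two ports having different native VLANs; if port2 were left at the factory native VLAN 1, the DMZ stack and the DBNET stack would share one broadcast domain behind the firewall-free ASR. For the same reason it is worth moving the native VLAN on the port28 trunk away from VLAN 1 on both ends once the basic design works, so that untagged or double-tagged frames from either stack cannot reach the management VLAN.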
Open a ticket with TAC, tell them exactly what you want with the FSW, and let the TAC engineer get in with a remote session to configure it and test.
You keep changing the design. I don't want to waste your time any more.
Toshi
I am so sorry I wasted your time. Thank you very much for all your support, it is GREATLY Appreciated.
Latest drawing with Cisco re-included. Those in yellow are NOT working