Support Forum
jroy777
New Contributor II

Duplicate a working Cisco Router config on a FortiSwitch 424E-Fiber

We have a working Cisco router doing BGP to AWS Direct Connect. What is the correct way to create the layer 3 interfaces (Direct Connect, inside, and DMZ/UAT) and the required VLAN 2900 with the correct dot1Q encapsulation? Do I create it on a sub-interface, like with Cisco? See the Cisco settings below and the attached drawing.

I am assuming I can just plug the existing HPE switch into an interface assigned on the FortiSwitch for "DMZ/UAT" and one for "Inside", but how do I create the interfaces correctly on the FortiSwitch? IPs should be assigned at layer 3, but "router" does not give the options I think I should see.

Here are Cisco settings:


! Sub-interface for the Direct Connect VLAN
interface TenGigabitEthernet0/0/0.2900
 description "Direct Connect to Amazon VPC or Transit Gateway on AWS Cloud"
 encapsulation dot1Q 2900
 ip address 169.254.38.182 255.255.255.252
!
! Physical interface
interface TenGigabitEthernet0/0/1
 description "Prod DBNET access"
 ip address 192.168.51.249 255.255.254.0
 no ip proxy-arp
 ip nbar protocol-discovery
!
! 64514 is my ASN, 64513 is the remote ASN
router bgp 64514
 bgp log-neighbor-changes
 neighbor 169.254.38.181 remote-as 64513
 neighbor 169.254.38.181 password *******
 !
 address-family ipv4
  network 169.254.38.180 mask 255.255.255.252
  network 192.168.50.0 mask 255.255.254.0
  network 10.10.2.0 mask 255.255.255.0
  network 10.1.0.0 mask 255.255.254.0
  neighbor 169.254.38.181 activate
 exit-address-family


Here are FortiSwitch settings I have applied or compiled so far:

AWS-DC-Megaport # show system interface
name Name.
internal static 192.168.50.41 255.255.254.0 up physical
mgmt dhcp 0.0.0.0 0.0.0.0 up physical
uat static 10.10.2.4 255.255.255.0 up vlan

How do I configure DMZ/UAT to use the same interface (different VLAN) on the FortiSwitch?

config router bgp
    set as 64514
    set router-id 192.168.50.41
    config neighbor
        # (should this be 169.254.38.182?)
        edit "<IPv4_or_IPv6 address>"
            set remote-as 64513
        next
    end
end

UPDATED DRAWING!!!!!
FortiSwitch-AWS-DC-vlan-Diagram.png
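The configuration below is an added example, not from the original post or from Fortinet, showing how the Cisco sub-interface/BGP setup above maps onto a standalone FortiSwitchOS CLI. On a FortiSwitch there is no per-port sub-interface: tagged VLANs are allowed on the switch ports, and each layer 3 VLAN interface is a `config system interface` entry bound to "internal" with a `vlanid`, so several VLANs share one physical port. The BGP neighbor is the AWS end of the /30 (169.254.38.181, the address the Cisco config peers with); 169.254.38.182 is the local address on the VLAN 2900 interface. Assumptions: FortiSwitchOS standalone syntax as in the admin guide (verify each keyword with `?` on your firmware), port1 and port2 as the Direct Connect and DMZ/UAT ports, UAT as VLAN 35 (from later in this thread), and a placeholder for the BGP MD5 key that AWS issued.

```text
# Added example (not from the thread). FortiSwitchOS standalone CLI; port
# numbers, interface names and the password placeholder are assumptions.

# 1. Define the VLANs.
config switch vlan
    edit 2900
        set description "AWS Direct Connect"
    next
    edit 35
        set description "UAT"
    next
end

# 2. Allow the tagged VLANs on the ports that carry them.
#    port1 = Direct Connect circuit, port2 = DMZ/UAT switch stack (assumed).
config switch interface
    edit "port1"
        set description "Direct Connect to AWS"
        set allowed-vlans 2900
    next
    edit "port2"
        set description "DMZ/UAT switch stack"
        set allowed-vlans 35
    next
end

# 3. Layer 3 VLAN interfaces: the FortiSwitch equivalent of the Cisco
#    dot1Q sub-interfaces. "internal" keeps the untagged 192.168.50.41/23
#    from the show output above. Only ping is allowed on the Direct Connect
#    interface so no management service is exposed toward the provider.
config system interface
    edit "dc2900"
        set interface "internal"
        set vlanid 2900
        set ip 169.254.38.182 255.255.255.252
        set allowaccess ping
    next
    edit "uat"
        set interface "internal"
        set vlanid 35
        set ip 10.10.2.4 255.255.255.0
        set allowaccess ping
    next
end

# 4. BGP, mirroring the Cisco "router bgp 64514" block. The neighbor is the
#    AWS side of the /30; the MD5 password is the key from the AWS console.
config router bgp
    set as 64514
    set router-id 192.168.50.41
    config neighbor
        edit "169.254.38.181"
            set remote-as 64513
            set password "<bgp-md5-key-from-aws>"
        next
    end
    config network
        edit 1
            set prefix 169.254.38.180 255.255.255.252
        next
        edit 2
            set prefix 192.168.50.0 255.255.254.0
        next
        edit 3
            set prefix 10.10.2.0 255.255.255.0
        next
        edit 4
            set prefix 10.1.0.0 255.255.254.0
        next
    end
end
```

Two things to check after applying it: the session will not come up unless the MD5 password matches the AWS-issued key exactly, and each prefix under `config network` must exist in the routing table (a connected VLAN interface is enough) before BGP will advertise it, which is why the 169.254.38.180/30 entry only works once the dc2900 interface is up.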
33 REPLIES
jroy777
New Contributor II

OK, I went through a bunch of example scenarios and have been testing all day. I used examples from the Cisco Forums, the Fortinet Forums, and even ChatGPT for the FortiSwitch BGP, and have decided to keep the Cisco because it works with BGP. Now we have connected the FortiSwitch to it on its "LAN" side. So now I need to know how to trunk a Cisco 10G interface to a FortiSwitch. We decided to keep the FortiSwitch in the picture because we can separate VLANs out to 10G interfaces.


So port 28 goes to the Cisco; it should carry all VLANs we define (1, 1?, 35). I reset the FortiSwitch back to factory, set just an IP and hostname, and I can now reach it and the ASR through it.

Now I need to get these two other VLANs to talk to the switch, but here's the issue.


This is a separate switch stack:
"Inside" or LAN database network (DBNET) = native VLAN 1

It has other VLANs, but we do not need them at the moment.

This is ALSO a separate switch stack:
DMZ network = ALSO native VLAN 1
UAT network = VLAN 35

If I assigned an unused VLAN to the FortiSwitch port that is connected to the DMZ switch stack, wouldn't it pass the traffic?


Thanks for looking and all your time on this.
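The following is an added example, not from the thread, for the revised design where the ASR stays the router and the FortiSwitch only separates VLANs. An ASR router port is "trunked" with dot1Q sub-interfaces rather than a `switchport mode trunk`, and on the FortiSwitch side port28 needs `native-vlan` for the untagged traffic plus `allowed-vlans` for the tagged ones. The two stacks both send untagged "VLAN 1" frames, and if they are separate networks they cannot both be VLAN 1 on the trunk; the example therefore sets a different `native-vlan` on the port facing the DMZ stack, which is what re-tagging untagged ingress frames with an unused VLAN does. Assumptions: FortiSwitchOS standalone CLI and IOS-XE syntax (verify on your versions), port1/port2 as the DBNET and DMZ/UAT stack ports, VLAN 20 as the unused ID, and the `<...>` gateway addresses, none of which appear in the thread.

```text
# Added example (not from the thread). Port names, VLAN 20 and the <...>
# addresses are placeholders, not values from the thread.

# --- FortiSwitch: port28 is the trunk to the ASR. VLAN 1 travels untagged
# --- (native); VLANs 20 and 35 travel tagged.
config switch interface
    edit "port28"
        set description "Trunk to ASR Te0/0/1"
        set native-vlan 1
        set allowed-vlans 20,35
    next
    # DBNET stack: untagged on both sides, stays VLAN 1.
    edit "port1"
        set description "DBNET switch stack (untagged VLAN 1)"
        set native-vlan 1
    next
    # DMZ/UAT stack: its untagged frames must not land in DBNET's VLAN 1,
    # so this port's native VLAN is 20; UAT arrives already tagged as 35.
    # VLAN 1 is deliberately not in allowed-vlans here.
    edit "port2"
        set description "DMZ/UAT switch stack"
        set native-vlan 20
        set allowed-vlans 35
    next
end

# --- ASR side: one dot1Q sub-interface per VLAN on the 10G port.
# --- "no ip proxy-arp" is kept from the original config on each segment.
interface TenGigabitEthernet0/0/1
 description Trunk to FortiSwitch port28
 no ip address
!
interface TenGigabitEthernet0/0/1.1
 description Prod DBNET access (untagged / native VLAN 1)
 encapsulation dot1Q 1 native
 ip address 192.168.51.249 255.255.254.0
 no ip proxy-arp
!
interface TenGigabitEthernet0/0/1.20
 description DMZ (untagged on the DMZ stack, tagged 20 across the trunk)
 encapsulation dot1Q 20
 ip address <dmz-gateway-ip> <dmz-mask>
 no ip proxy-arp
!
interface TenGigabitEthernet0/0/1.35
 description UAT
 encapsulation dot1Q 35
 ip address <uat-gateway-ip> 255.255.255.0
 no ip proxy-arp
```

The security-relevant check is the native VLAN on every link: a port whose native VLAN does not match the far end silently merges two segments, so after applying this, confirm that a host on the DMZ stack's untagged network can reach only the ASR's .20 sub-interface and not the DBNET hosts, and that VLAN 1 never appears on port2.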

Toshi_Esumi

Open a ticket with TAC, tell them exactly what you want with the FSW, and let the TAC person get in with a remote session to configure and test it.
You keep changing the design. I don't want to waste your time any more.


Toshi

jroy777
New Contributor II

I am so sorry I wasted your time. Thank you very much for all your support, it is GREATLY Appreciated.

jroy777
New Contributor II

Latest drawing with the Cisco re-included. Those in yellow are NOT working.
FortiSwitch-AWS-DC-Router-Needs-Vlan-portion-Diagram.png
