We have a working Cisco router doing BGP to AWS Direct Connect. What is the correct way to create the layer 3 interfaces (Direct-Connect, inside and DMZ/UAT) and the required VLAN 2900 with correct dot1Q encapsulation? Do I create it on a sub-interface like with Cisco? See Cisco settings below. See attached drawing.
I am assuming just plugging in the existing HPE switch to an interface assigned on the FortiSwitch for "DMZ/UAT" and for "Inside", but how do I create the interfaces correctly on the FortiSwitch? IPs should be assigned to layer 3, but "router" does not give the options I think I should see.
Here are Cisco settings:
interface TenGigabitEthernet0/0/0.2900
 ! This is a sub-interface
 description "Direct Connect to Amazon VPC or Transit Gateway on AWS Cloud"
 encapsulation dot1Q 2900
 ip address 169.254.38.182 255.255.255.252
!
interface TenGigabitEthernet0/0/1
 ! Physical interface
 description "Prod DBNET access"
 ip address 192.168.51.249 255.255.254.0
 no ip proxy-arp
 ip nbar protocol-discovery
!
router bgp 64514
 ! 64514 is my ASN
 bgp log-neighbor-changes
 neighbor 169.254.38.181 remote-as 64513
 ! 64513 is the remote ASN
 neighbor 169.254.38.181 password *******
 !
 address-family ipv4
  network 169.254.38.180 mask 255.255.255.252
  network 192.168.50.0 mask 255.255.254.0
  network 10.10.2.0 mask 255.255.255.0
  network 10.1.0.0 mask 255.255.254.0
  neighbor 169.254.38.181 activate
 exit-address-family
Here are FortiSwitch settings I have applied or compiled so far:
AWS-DC-Megaport # show system interface
name Name.
internal static 192.168.50.41 255.255.254.0 up physical
mgmt dhcp 0.0.0.0 0.0.0.0 up physical
uat static 10.10.2.4 255.255.255.0 up vlan
How do I configure DMZ/UAT to use the same interface (different VLAN) on the FortiSwitch?
config router bgp
    set as 64514
    set router-id 192.168.50.41
    config neighbor
        edit "<IPv4_or_IPv6 address>" (should this be 169.254.38.182?)
            set remote-as 64513
        next
    end
end
UPDATED DRAWING!!!!!
I can't tell the difference between them because the smaller models I have don't support RVI. There might be some capability/configuration differences when it's used in L3 features like BGP. You'll probably find it yourself when you use it.
Toshi
If you attach a text file it seems to import the content and shows up. Same goes with image files.
You're using RVI "AWS-DC-L3" specifying l2-interface as "port28". Again, I don't have a device supporting FTNT RVI so I'm not sure how it's working with your config.
But the other part, port26 = VLAN 2, port27 = VLAN 35, and those associated L3 interfaces are correctly configured and should be working as you expect. The key is allowed-vlans 2,35 on the "internal" switch interface, and native-vlan 1 on the same switch interface to bind to the "internal" L3 interface.
Only thing I would suggest is:
config switch global
set auto-fortilink-discovery disable
end
In a case like yours, the FortiLink to a FGT is not utilized.
Toshi
I cannot see neighbor, what do you recommend?
AWS-DC-Megaport # get router info bgp neighbors
BGP neighbor is 169.254.38.181, remote AS 64513, local AS 64514, external link
BGP version 4, remote router ID 0.0.0.0, local router ID 192.168.50.41
BGP state = Active
Last read 1d19h29m, Last write never
Hold time is 180, keepalive interval is 60 seconds
Graceful restart information:
Local GR Mode: Helper*
Remote GR Mode: NotApplicable
R bit: False
Timers:
Configured Restart Time(sec): 120
Received Restart Time(sec): 0
Message statistics:
Inq depth is 0
Outq depth is 0
                 Sent   Rcvd
Opens:              0      0
Notifications:      0      0
Updates:            0      0
Keepalives:         0      0
Route Refresh:      0      0
Capability:         0      0
Total:              0      0
Minimum time between advertisement runs is 30 seconds
For address family: IPv4 Unicast
Not part of any update group
Community attribute sent to this neighbor(all)
Inbound updates discarded due to missing policy
Outbound updates discarded due to missing policy
0 accepted prefixes
For address family: IPv6 Unicast
Not part of any update group
Community attribute sent to this neighbor(all)
Inbound updates discarded due to missing policy
Outbound updates discarded due to missing policy
0 accepted prefixes
Connections established 0; dropped 0
Last reset 1d19h29m, Waiting for peer OPEN
BGP Connect Retry Timer in Seconds: 120
Next connect timer due in 51 seconds
Read thread: off Write thread: off FD used: -1
Are you able to ping the peer IP? You should be able to if RVI is working. If not, you probably need to open a ticket at TAC to get it looked into. I would guess not many people in this forum are familiar with RVI config on FSWs.
If you want you can try SVI instead, just like those VLAN2 and 35.
Toshi
Created on 05-03-2024 12:24 PM Edited on 05-03-2024 12:25 PM
Nope, was unable to ping peer. My thoughts exactly, switching to SVI
How can I easily remove RVI?
Of course I don't know but based on the admin guide, it's only in "config system interface".
https://docs.fortinet.com/document/fortiswitch/7.2.7/administration-guide/22391/routed-vlan-interfac...
So I would assume you just need to remove it from there. However, I saw you have related config under "config switch vlan" as well. I would remove that too.
By the way, in the doc it says RVI's VLAN ID is always 4095.
Toshi
I saw that, OK, so how would I set authentication for BGP? I don't see here in DOCS https://docs.fortinet.com/document/fortiswitch/7.4.3/fortiswitchos-administration-guide/939732/confi...
As I said initially, try looking for the L3/BGP config guide in FGT's docs. It is most unlikely that FTNT duplicated the whole routing protocol part of the docs into FSW's documentation.
https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/216371/bgp-neighbor-password
If "set password ?" gives you an error inside of "config neighbor" it might not be supported on FSWs.
Toshi
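As an added example (not from the original thread, nor from Fortinet documentation), here is how the SVI approach Toshi suggested in the earlier reply (allowed-vlans plus native-vlan 1 on "internal", one SVI per VLAN like the existing VLAN 2 and 35 setup) and the BGP neighbor password from the FortiGate docs linked above would be combined to replace the RVI. The peer address, the 169.254.38.180/30 link, the ASNs and the advertised prefixes are taken from the Cisco config earlier in the thread; the port numbers, the interface names "AWS-DC" and "dmz", the DMZ gateway address 10.1.0.1 and the VLAN 2 = DMZ / VLAN 35 = UAT mapping are assumptions made for the example.

```text
# Added example, not from the thread or Fortinet docs. Assumptions: port28 faces the
# Direct Connect, port27 faces the HPE switch, VLAN 2 = DMZ and VLAN 35 = UAT,
# and 10.1.0.1 is the DMZ gateway address.

# 1. Tag VLAN 2900 on the Direct Connect port (the FortiSwitch equivalent of the
#    Cisco "encapsulation dot1Q 2900" sub-interface). Native VLAN stays 1 so untagged
#    frames never land in the AWS VLAN.
config switch interface
    edit "port28"
        set native-vlan 1
        set allowed-vlans 2900
    next
    # One trunk to the HPE switch carries both DMZ and UAT as tagged VLANs
    edit "port27"
        set native-vlan 1
        set allowed-vlans 2,35
    next
    # The CPU-facing "internal" interface must allow every VLAN that has an SVI;
    # native-vlan 1 keeps the existing untagged "internal" L3 interface working
    edit "internal"
        set native-vlan 1
        set allowed-vlans 2,35,2900
    next
end

# 2. One SVI per VLAN, each bound to "internal" (same pattern as the existing "uat").
#    Only ping is allowed on the AWS-facing SVI; no management access towards the peer.
config system interface
    edit "AWS-DC"
        set ip 169.254.38.182 255.255.255.252
        set allowaccess ping
        set vlanid 2900
        set interface internal
    next
    edit "dmz"
        set ip 10.1.0.1 255.255.254.0
        set allowaccess ping
        set vlanid 2
        set interface internal
    next
    edit "uat"
        set ip 10.10.2.4 255.255.255.0
        set allowaccess ping
        set vlanid 35
        set interface internal
    next
end

# 3. BGP: the neighbor is the AWS side of the /30 (.181, as on the Cisco), and the
#    password is the MD5 key AWS generated for the virtual interface.
config router bgp
    set as 64514
    set router-id 192.168.50.41
    config neighbor
        edit "169.254.38.181"
            set remote-as 64513
            set password "<BGP MD5 key from the AWS Direct Connect console>"
        next
    end
    # Same on-prem prefixes the Cisco advertises
    config network
        edit 1
            set prefix 192.168.50.0 255.255.254.0
        next
        edit 2
            set prefix 10.10.2.0 255.255.255.0
        next
        edit 3
            set prefix 10.1.0.0 255.255.254.0
        next
    end
end

# 4. No FortiGate manages this switch, so stop FortiLink discovery (Toshi's suggestion)
config switch global
    set auto-fortilink-discovery disable
end
```

Check order matters here. The neighbor output earlier in the thread shows state Active with zero OPENs sent and "Last write never", which means the TCP session to port 179 never formed at all. A VLAN/trunk mistake and a mismatched MD5 password both look like that from the BGP side (a TCP-MD5 mismatch silently drops the SYN), so the password cannot be diagnosed from that output alone. Verify reachability first with `execute ping 169.254.38.181` from the switch; only once the peer answers is the password worth revisiting, and `get router info bgp summary` will then show the session moving through Connect/OpenSent to Established.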
ChatGPT gave us "set password" and I applied but still down. :)
Trying to remove RVI via GUI and they don't have Delete?????