Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jroy777
New Contributor III

Created on ‎04-30-2024 06:09 AM Edited on ‎05-01-2024 07:00 PM

Duplicate a working Cisco Router config on a FortiSwitch 424E-Fiber

We have a working Cisco router doing bgp to AWS Direct Connect. What is the correct way to create the layer 3 interfaces (Direct-Connect, inside and dmz/uat) and the required Vlan 2900 with correct dot1Q encapsulation. Do I create on a sub interface like with Cisco? See Cisco settings below. See attached drawing.

I am assuming just plugging in existing HPE switch to interface assigned on FortiSwitch for "DMZ/UAT" and for "Inside" but how do I create the interfaces correctly on FortiSwitch? IP's should be assigned to layer 3 but "router" does not give the options I think I should see.

Here are Cisco settings:

 

interface TenGigabitEthernet0/0/0.2900 (This is a sub interface)
description "Direct Connect to Amazon VPC or Transit Gateway on AWS Cloud"
encapsulation dot1Q 2900
ip address 169.254.38.182 255.255.255.252

interface TenGigabitEthernet0/0/1 (Physical interface)
description "Prod DBNET access"
ip address 192.168.51.249 255.255.254.0
no ip proxy-arp
ip nbar protocol-discovery


router bgp 64514 (my ASN)
bgp log-neighbor-changes
neighbor 169.254.38.181 remote-as 64513 (remote ASN)
neighbor 169.254.38.181 password *******
!
address-family ipv4
network 169.254.38.180 mask 255.255.255.252
network 192.168.50.0 mask 255.255.254.0
network 10.10.2.0 mask 255.255.255.0
network 10.1.0.0 mask 255.255.254.0
neighbor 169.254.38.181 activate
exit-address-family

 

Here are FortiSwitch settings I have applied or compiled so far:

AWS-DC-Megaport # show system interface
name Name.
internal static 192.168.50.41 255.255.254.0 up physical
mgmt dhcp 0.0.0.0 0.0.0.0 up physical
uat static 10.10.2.4 255.255.255.0 up vlan

How do I configure DMZ/UAT to use same interface (diff vlan) on fortiswitch?

config router bgp
set as 64514
set router-id 192.168.50.41

config neighbor
edit "<IPv4_or_IPv6 address>" (should this be 169.254.38.182?)
set remote-as 64513

end

UPDATED DRAWING!!!!!
FortiSwitch-AWS-DC-vlan-Diagram.png






Labels:
4575
0 Kudos
33 REPLIES 33
jroy777
New Contributor III
In response to jroy777

Created on ‎05-03-2024 01:15 PM

What are your thoughts?

 



Screenshot 2024-05-03 130821.pngScreenshot 2024-05-03 131110.pngScreenshot 2024-05-03 131311.pngScreenshot 2024-05-03 131422.png

1191
0 Kudos
jroy777
New Contributor III
In response to jroy777

Created on ‎05-03-2024 01:40 PM Edited on ‎05-03-2024 01:41 PM

Here are all changes compared to previous config.

config switch global
    set access-vlan-mode legacy
    set auto-fortilink-discovery disable
    set auto-isl enable
 
snip
 
    next
    edit "port25"
        set cdp-status disable
        set description "To DBNET10G-03 Port 37 | inside"
        set dmi-status global
        set flapguard disabled
        set flow-control disable
        set fortilink-p2p disable
        set l2-learning enabled
        set lldp-profile "default-auto-isl"
        set lldp-status tx-rx
        set loopback disable
        set max-frame-size 9216
        set speed 10000full
        set status up
        set storm-control-mode global
    next
    edit "port26"
        set cdp-status disable
        set description "To DMZ10G-02 Port 35 | dmz"
        set dmi-status global
        set flapguard disabled
        set flow-control disable
        set fortilink-p2p disable
        set l2-learning enabled
        set lldp-profile "default-auto-isl"
        set lldp-status tx-rx
        set loopback disable
        set max-frame-size 9216
        set speed 10000full
        set status up
        set storm-control-mode global
    next
    edit "port27"
        set cdp-status disable
        set description "To DMZ10G-02 Port 37 | UAT"
        set dmi-status global
        set flapguard disabled
        set flow-control disable
        set fortilink-p2p disable
        set l2-learning enabled
        set lldp-profile "default-auto-isl"
        set lldp-status tx-rx
        set loopback disable
        set max-frame-size 9216
        set speed 10000full
        set status up
        set storm-control-mode global
    next
    edit "port28"
        set cdp-status disable
        set description "To AWS Direct Connect Vlan 2900"
        set dmi-status global
        set flapguard disabled
        set flow-control disable
        set fortilink-p2p disable
        set l2-learning enabled
        set lldp-profile "default-auto-isl"
        set lldp-status tx-rx
        set loopback disable
        set max-frame-size 9216
        set speed 10000full
        set status up
        set storm-control-mode global
    next
    edit "internal"
        set description ''
    next
end
config switch vlan
    edit 35
        set private-vlan disable
        set lan-segment disable
        set description "UAT Vlan35 Interface on FortiSwitch port 27"
        set learning enable
        set learning-limit 0
        set rspan-mode disable
        set igmp-snooping disable
        set dhcp-snooping disable
        set dhcp6-snooping disable
        set access-vlan disable
        set assignment-priority 128
        unset policer
        unset cos-queue
    next
    edit 2900
        set private-vlan disable
        set lan-segment disable
        set description "AWS-DC-FortiSW Port 28"
        set learning enable
        set learning-limit 0
        set rspan-mode disable
        set igmp-snooping disable
        set dhcp-snooping disable
        set dhcp6-snooping disable
        set access-vlan disable
        set assignment-priority 128
        unset policer
        unset cos-queue
    next
    edit 2
        set private-vlan disable
        set lan-segment disable
        set description "DMZ FortiSwitch port 26 using vlan 2 on switch but vlan 1"
        set learning enable
        set learning-limit 0
        set rspan-mode disable
        set igmp-snooping disable
        set dhcp-snooping disable
        set dhcp6-snooping disable
        set access-vlan disable
        set assignment-priority 128
        unset policer
        unset cos-queue
    next
end
 
snip
 
    next
    edit "port25"
        set description ''
        set native-vlan 1
        unset allowed-vlans
        unset untagged-vlans
        set discard-mode none
        set dhcp-snooping untrusted
        set dhcp-snoop-learning-limit-check disable
        set dhcp-snoop-option82-trust disable
        set arp-inspection-trust untrusted
        set stp-state disabled
        set stp-loop-protection disabled
        set stp-root-guard disabled
        set stp-bpdu-guard disabled
        set loop-guard disabled
        set edge-port enabled
        set rpvst-port disabled
        set ip-source-guard disable
        set auto-discovery-fortilink-packet-interval 5
        set private-vlan disable
        set igmp-snooping-flood-reports disable
        set mcast-snooping-flood-traffic disable
        set packet-sampler disabled
        set sflow-counter-interval 0
        set snmp-index 25
        config port-security
            set port-security-mode none
        end
        config qnq
            set status disable
            set stp-qnq-admin enable
        end
        set vlan-mapping-miss-drop disable
        set vlan-tpid "default"
        set trust-dot1p-map ''
        set trust-ip-dscp-map ''
        set qos-policy "default"
        set ptp-policy "default"
        set ptp-status enable
        set learning-limit 0
        set sticky-mac disable
        set log-mac-event disable
        set nac disable
    next
    edit "port26"
        set description ''
        set native-vlan 2
        unset allowed-vlans
        unset untagged-vlans
        set discard-mode none
        set dhcp-snooping untrusted
        set dhcp-snoop-learning-limit-check disable
        set dhcp-snoop-option82-trust disable
        set arp-inspection-trust untrusted
        set stp-state enabled
        set stp-loop-protection disabled
        set stp-root-guard disabled
        set stp-bpdu-guard disabled
        set loop-guard disabled
        set edge-port enabled
        set rpvst-port disabled
        set ip-source-guard disable
        set auto-discovery-fortilink-packet-interval 5
        set private-vlan disable
        set igmp-snooping-flood-reports disable
        set mcast-snooping-flood-traffic disable
        set packet-sampler disabled
        set sflow-counter-interval 0
        set snmp-index 26
        config port-security
            set port-security-mode none
        end
        config qnq
            set status disable
            set stp-qnq-admin enable
        end
        set vlan-mapping-miss-drop disable
        set vlan-tpid "default"
        set trust-dot1p-map ''
        set trust-ip-dscp-map ''
        set qos-policy "default"
        set ptp-policy "default"
        set ptp-status enable
        set learning-limit 0
        set sticky-mac disable
        set log-mac-event disable
        set nac disable
    next
    edit "port27"
        set description ''
        set native-vlan 35
        unset allowed-vlans
        unset untagged-vlans
        set discard-mode none
        set dhcp-snooping untrusted
        set dhcp-snoop-learning-limit-check disable
        set dhcp-snoop-option82-trust disable
        set arp-inspection-trust untrusted
        set stp-state disabled
        set stp-loop-protection disabled
        set stp-root-guard disabled
        set stp-bpdu-guard disabled
        set loop-guard disabled
        set edge-port enabled
        set rpvst-port disabled
        set ip-source-guard disable
        set auto-discovery-fortilink-packet-interval 5
        set private-vlan disable
        set igmp-snooping-flood-reports disable
        set mcast-snooping-flood-traffic disable
        set packet-sampler disabled
        set sflow-counter-interval 0
        set snmp-index 27
        config port-security
            set port-security-mode none
        end
        config qnq
            set status disable
            set stp-qnq-admin enable
        end
        set vlan-mapping-miss-drop disable
        set vlan-tpid "default"
        set trust-dot1p-map ''
        set trust-ip-dscp-map ''
        set qos-policy "default"
        set ptp-policy "default"
        set ptp-status enable
        set learning-limit 0
        set sticky-mac disable
        set log-mac-event disable
        set nac disable
    next
    edit "port28"
        set description ''
        set native-vlan 2900
        unset allowed-vlans
        unset untagged-vlans
        set discard-mode none
        set dhcp-snooping untrusted
        set dhcp-snoop-learning-limit-check disable
        set dhcp-snoop-option82-trust disable
        set arp-inspection-trust untrusted
        set stp-state enabled
        set stp-loop-protection disabled
        set stp-root-guard disabled
        set stp-bpdu-guard disabled
        set loop-guard disabled
        set edge-port enabled
        set rpvst-port disabled
        set ip-source-guard disable
        set auto-discovery-fortilink-packet-interval 5
        set private-vlan disable
        set igmp-snooping-flood-reports disable
        set mcast-snooping-flood-traffic disable
        set packet-sampler disabled
        set sflow-counter-interval 0
        set snmp-index 28
        config port-security
            set port-security-mode none
        end
        config qnq
            set status disable
            set stp-qnq-admin enable
        end
        set vlan-mapping-miss-drop disable
        set vlan-tpid "default"
        set trust-dot1p-map ''
        set trust-ip-dscp-map ''
        set qos-policy "default"
        set ptp-policy "default"
        set ptp-status disable
        set learning-limit 0
        set sticky-mac disable
        set log-mac-event disable
        set nac disable
    next
    edit "internal"
        set description ''
        set native-vlan 1
        set allowed-vlans 2,35,2900
        unset untagged-vlans
        set discard-mode none
        set stp-state disabled
        set stp-loop-protection disabled
        set stp-root-guard disabled
        set stp-bpdu-guard disabled
        set loop-guard disabled
        set edge-port enabled
        set rpvst-port disabled
        set auto-discovery-fortilink-packet-interval 5
        set private-vlan disable
        set igmp-snooping-flood-reports disable
        set mcast-snooping-flood-traffic disable
        set packet-sampler disabled
        set sflow-counter-interval 0
        set snmp-index 29
        set vlan-tpid "default"
        set trust-dot1p-map ''
        set trust-ip-dscp-map ''
        set nac disable
    next
end
 
snip
 
 
    edit "AWS-DC"
        set mode static
        set dhcp-relay-service disable
        set ip 169.254.38.182 255.255.255.252
        set allowaccess ping https ssh
        set bfd disable
        set bfd-desired-min-tx 250
        set bfd-detect-mult 3
        set bfd-required-min-rx 250
        set icmp-redirect enable
        set status up
        set type vlan
        set description ''
        set alias "AWS-DC"
        set vrrp-virtual-mac disable
        set secondary-IP disable
        set snmp-index 33
        config ipv6
            set ip6-address ::/0
            set ip6-mode static
            unset ip6-allowaccess
            set autoconf disable
            set ip6-unknown-mcast-to-cpu disable
            set dhcp6-information-request disable
            set ip6-send-adv disable
            set vrrp-virtual-mac6 disable
            set vrip6_link_local ::
        end
        set vlanid 2900
        set interface "internal"
    next
end
 
snip
 
config router bgp
    set as 64514
    set router-id 192.168.50.41
    set keepalive-timer 60
    set holdtime-timer 180
    set always-compare-med disable
    set bestpath-as-path-ignore disable
    set bestpath-cmp-confed-aspath disable
    set bestpath-cmp-routerid disable
    set bestpath-med-confed disable
    set bestpath-med-missing-as-worst disable
    set client-to-client-reflection enable
    set dampening disable
    set deterministic-med disable
    set fast-external-failover enable
    set log-neighbour-changes enable
    set cluster-id 0.0.0.0
    set confederation-identifier 0
    set default-local-preference 100
    set scan-time 60
    set maximum-paths-ebgp 1
    set bestpath-aspath-multipath-relax disable
    set maximum-paths-ibgp 1
    set distance-external 20
    set distance-internal 200
    set distance-local 200
    set ebgp-requires-policy enable
    set graceful-stalepath-time 360
    set route-reflector-allow-outbound-policy disable
    config neighbor
        edit "169.254.38.181"
            set advertisement-interval 30
            set allowas-in-enable disable
            set allowas-in-enable-evpn disable
            set allowas-in-enable6 disable
            set enforce-first-as disable
            unset attribute-unchanged
            unset attribute-unchanged-evpn
            unset attribute-unchanged6
            set activate enable
            set activate6 enable
            set activate-evpn disable
            set bfd disable
            set capability-dynamic disable
            set capability-orf none
            set capability-orf6 none
            set capability-default-originate disable
            set capability-default-originate6 disable
            set dont-capability-negotiate disable
            set ebgp-enforce-multihop disable
            set next-hop-self disable
            set next-hop-self6 disable
            set override-capability disable
            set passive disable
            set remove-private-as disable
            set remove-private-as6 disable
            set route-server-client disable
            set route-server-client6 disable
            set shutdown disable
            set soft-reconfiguration disable
            set soft-reconfiguration-evpn disable
            set soft-reconfiguration6 disable
            set as-override disable
            set as-override6 disable
            set strict-capability-match disable
            set description ''
            set distribute-list-in ''
            set distribute-list-in6 ''
            set distribute-list-out ''
            set distribute-list-out6 ''
            set filter-list-in ''
            set filter-list-in6 ''
            set filter-list-out ''
            set filter-list-out6 ''
            set interface ''
            set maximum-prefix 0
            set maximum-prefix6 0
            set prefix-list-in ''
            set prefix-list-in6 ''
            set prefix-list-out ''
            set prefix-list-out6 ''
            set remote-as 64513
            set route-map-in ''
            set route-map-in-evpn ''
            set route-map-in6 ''
            set route-map-out ''
            set route-map-out-evpn ''
            set route-map-out6 ''
            set send-community both
            set send-community6 both
            set keep-alive-timer 4294967295
            set holdtime-timer 4294967295
            set connect-timer 4294967295
            set unsuppress-map ''
            set unsuppress-map6 ''
            set update-source ''
            set weight 4294967295
            set password "xxxxxxxx"
        next
    end
    config redistribute "connected"
        set status disable
        set route-map ''
    end
    config redistribute "static"
        set status disable
        set route-map ''
    end
    config redistribute "ospf"
        set status disable
        set route-map ''
    end
    config redistribute "rip"
        set status disable
        set route-map ''
    end
    config redistribute "isis"
        set status disable
        set route-map ''
    end
    config redistribute6 "connected"
        set status disable
        set route-map ''
    end
    config redistribute6 "static"
        set status disable
        set route-map ''
    end
    config redistribute6 "ospf"
        set status disable
        set route-map ''
    end
    config redistribute6 "rip"
        set status disable
        set route-map ''
    end
    config redistribute6 "isis"
        set status disable
        set route-map ''
    end
end
 
1182
0 Kudos
Toshi_Esumi
SuperUser
SuperUser

Created on ‎05-03-2024 03:01 PM Edited on ‎05-03-2024 03:02 PM

First please don't do "show full" but just "show". The most important part what you changed from the default setting are buried in all unimportant default values. So very hard to see what exactly you configured.

 

Second, I'm assuming you can now ping the peer IP. Correct? I see some traffic flowing on port28 above. Then do you see the neighbor still down in "get router info bgp sum"?
Sniff on port28 with below commands:

config switch interface
  edit "port28"
    set packet-sampler enabled
    set packet-sample-rate 1
  next
end

Then, when you sniff the port, the interface name you need to specify is NOT "port1", "port2"... but "sp1", "sp2" ... instead. And you can use filters, so looks like below:

# diag sniffer packet sp28 'tcp and port 179'

Toshi



1174
0 Kudos
jroy777
New Contributor III
In response to Toshi_Esumi

Created on ‎05-03-2024 03:59 PM Edited on ‎05-03-2024 04:00 PM

Thanks for all your help Toshi, I really appreciate your time. There is no separate show config command, here are my choices:

AWS-DC-Megaport # show ?
log log
router router
switch switch
switch-controller switch-controller
system system
user user
full-configuration show full configuration

AWS-DC-Megaport #

In the above post of config, I snipped out all the extra ports and interfaces and only put in the relevant data that actually shows changed from the default config.

We move the cable back to the Cisco for now so I cannot test again till Monday. I never received a response to my ping. I have ping enabled on all my interfaces. The only interface that is not working is the

SVI vlan 2900
our bgp AS 64514
our IP 169.254.38.182/30

the neighbor bgp AS 64513
the neighbor IP 169.254.38.181/30
the vlan we connect to each other on is Vlan 2900

Our networks that should be sent with BGP
192.168.50.0/23
10.1.0.0/23
10.10.2.0/24




1167
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to jroy777

Created on ‎05-03-2024 04:05 PM Edited on ‎05-03-2024 04:06 PM

no "?". just "show" then Enter. That should work at the top. Also each like "config system interface" and "config switch interface", you can use "show" then enter. It will show only that section.

How about sniffing result when you ping the other end? You need to have two SSH/console sessions though.

Toshi

1164
Toshi_Esumi
SuperUser
SuperUser
In response to Toshi_Esumi

Created on ‎05-03-2024 04:20 PM

Also does the /30 subnet show up in the routing-table?
"get router info routing-table all"

1163
0 Kudos
jroy777
New Contributor III
In response to Toshi_Esumi

Created on ‎05-03-2024 05:01 PM

Yes they are all there:

AWS-DC-Megaport # "get router info routing-table all"
Unknown action 0

AWS-DC-Megaport # get router info routing-table all
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, T - Table, F - PBR,
> - selected route, * - FIB route, q - queued, r - rejected, b - backup, ^ - HW install failed
t - trapped, o - offload failure

VRF default:
C>* 10.1.0.0/23 is directly connected, dmz, 2d23h38m
C>* 10.10.2.0/24 is directly connected, uat, 3d21h26m
C>* 169.254.38.180/30 is directly connected, AWS-DC, 04:30:45
C>* 192.168.50.0/23 is directly connected, internal, 4d03h57m

AWS-DC-Megaport #

 

Also, the "show" command is something that I just figured out. Thanks!


1160
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to jroy777

Created on ‎05-04-2024 10:26 AM

I still can't believe you can't ping the BGP peer IP. You will see once you sniffed at port28, but are you sure the peer expected untagged VLAN 2900 frames, which you configured on the FSW side?

Toshi

1091
0 Kudos
jroy777
New Contributor III
In response to Toshi_Esumi

Created on ‎05-06-2024 06:43 AM Edited on ‎05-06-2024 06:44 AM

Untagged? Vlan 2900 should be tagged. Where do you see they are untagged? Those routes listed here are my directly connected subnets. I am advertising the /30 in my config.

1041
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to jroy777

Created on ‎05-06-2024 12:03 PM

config switch interface
   edit "port28"
    set description ''
    set native-vlan 2900
<snip>

In your post above. Do "unset native-vlan" or "set native-vlan 1", then "set allowed-vlans 2900" at the port28.

Toshi

1025
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.