Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- RE: FG 1000c and Trunking to Cisco Switch
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FG 1000c and Trunking to Cisco Switch
Hi,
Has anyone experience getting a FG to trunk with a Cisco switch?
I can bring up the trunk but im not learning a MAC address on either side of the trunk link and the interface counters are at 0 for input on both sides.
Patrick
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
- « Previous
-
- 1
- 2
- Next »
16 REPLIES 16
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Think I just stumbled across the solution... i found an execute command and wham the mac appeared on the switch for that VLAN
UK-RL-N0-FG01 (test) #
UK-RL-N0-FG01 (test) # diagnose switch-controller kick vdom 8 75 11 d4a0.2af1.af01
can not kick client of vdom vdom from test
Then on the switch:
Switch#
Switch#show mac add int Fa0/1
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
75 0009.0f09.0006 DYNAMIC Fa0/1 seq_no:0
Total Mac Addresses for this criterion: 1
Switch#
Switch#
Il try the other VLAN now also
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Maybe not ...just a co-incidence.....
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried the ping but no luck - the pings time out? Could the pings be unsuccessful due to a routing issue? Either way I would still expect an ARP message of sort would populate the other devices CAM table with the other sides MAC address. Is there a command to check the FG interface for a MAC learned ?Will you mean learned, so this would ip arp diag ip arp list No back to your problem(s), on the interface do you see any packets inbound on fas0/1 show interface fas 0/1 | inc input if you have " zero" packets input, than you have a link or hardware issues on the fortigate. If you suspect the fortigate this is what I' ve done in my own 1000A when we had problems Build a new vdom ( test2 ) select a unused port , crafted new subinterfaces for that vdom test2, but select a new unused ip_address ( you have to select a new name for the sub-intf btw ) 1st; Using port13 on your FGT would look like this; edit " port13" set vdom " test2" set mode static set ip 192.168.100.253 255.255.255.252 set allowaccess ping next edit " TEST2-VL55-SVI" set ip 192.168.55.253 255.255.255.0 set allowaccess ping set vdom test2 set interface " port13" set vlanid 55 next edit " TEST2-VL75-SVI" set ip 192.168.75.253 255.255.255.0 set allowaccess ping set vdom test2 set interface " port13" set vlanid 75 next 2nd; Cable & wire the port 11< to > 13 back-2-back. 3rd; execute ping from 192.168.55.253 to 254 and so on for the vlan tag and the then the parent 192.168.100.253/254, 4th; you can even diag sniffer the parent ports 11/13 or sub-interfaces to see if traffic is actually moving Give that a try if you can and let us know. Also it would not hurt to change ports on the cisco switch if you later think it' s the switch.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i can see some input packets on the switchport so im pretty sure the Fortinet and switchport are okay. To be sure I have a second test switch setup which im going to use to test.
So far though no joy getting the mac address for VLAN 55 on the first test switch. Also even though I can see the mac for VLAN 75 - I cannot ping the SVI. Is there anything that needs to be configured? I was hoping to test it all on one switch and then use VRRP for HA between the Active and Standby FG
Il try setting up port 13 and looping it back on port 11 as a test as suggested
Switch#show int fa0/1 | in input
input flow-control is off, output flow-control is unsupported
Last input never, output 00:00:01, output hang never
5 minute input rate 0 bits/sec, 0 packets/sec
7 packets input, 152576 bytes, 0 no buffer
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 1 multicast, 0 pause input
0 input packets with dribble condition detected
Switch#
Switch#show mac add int fa0/1
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
75 0009.0f09.0006 DYNAMIC Fa0/1 seq_no:0
Total Mac Addresses for this criterion: 1
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay so if you have input packets and mac_addr for one vlan, I would double check the vlan cfg on the vlanid55.
You say you can' t ping the SVI interface ? I' m assuming vlan75?
1: is the SVI admin up ( most cisco switch places this in a admin-down on creation )
2: is the mask and ip_address correct
3: is ping allowed on the FGT set allow ping
Any one of the above 3 might be the problem for icmp pings
2nd, why do you want to run VRRP on a FGT. I personally would NOT do that and just run the HA as A-P unless you have a real validate reason for VRRP. I' ve only used VRRP once and that was with a non-Fortigate device for HA redundancy.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
2nd point - you' re right...no need for VRRP. I have inherited these FW' s and they' re deployed with FGCP already. So no need for VRRP.
In terms of the SVI. I want the switch to remain as L2 only for VLAN 55 and 75 with the FG terminating the SVI. So the FG will act as the L2/L3 boundary. Is there additional config needed on the FG to create the VLAN SVI on the FG?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ken thanks for your help - it seems a requirement is to have an SVI on both the FG subinterface AND on the Cisco switch. So two SVI' s really - it now works.
For note i also had to create the addresses and add a policy.
Thanks for your help
Patrick
- « Previous
-
- 1
- 2
- Next »
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,746 -
FortiClient
1,775 -
5.2
801 -
FortiManager
736 -
5.4
639 -
FortiAnalyzer
563 -
FortiSwitch
476 -
FortiAP
474 -
FortiClient EMS
436 -
6.0
416 -
5.6
362 -
FortiMail
321 -
6.2
251 -
SSL-VPN
249 -
FortiAuthenticator v5.5
234 -
IPsec
212 -
FortiWeb
206 -
5.0
196 -
FortiNAC
191 -
FortiGuard
139 -
6.4
128 -
SD-WAN
117 -
FortiAuthenticator
106 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
98 -
FortiToken
92 -
Firewall policy
84 -
Customer Service
80 -
Wireless Controller
80 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
Fortivoice
54 -
FortiADC
54 -
vlan
53 -
FortiEDR
52 -
ZTNA
49 -
Routing
47 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
44 -
FortiDNS
42 -
LDAP
42 -
BGP
40 -
Authentication
39 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
Certificate
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
SSO
33 -
Interface
31 -
FortiConnect
30 -
VDOM
30 -
FortiLink
29 -
FortiWAN
27 -
Application control
27 -
Web profile
27 -
FortiConverter
25 -
Logging
25 -
Virtual IP
25 -
FortiGate v5.2
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiGate-VM
18 -
FortiMonitor
18 -
Traffic shaping
17 -
SSID
16 -
Automation
16 -
WAN optimization
16 -
FortiDDoS
15 -
FortiSoar
15 -
OSPF
15 -
System settings
15 -
FortiGate v5.0
14 -
Static route
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
Admin
13 -
FortiCASB
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
Proxy policy
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
IPS signature
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Web rating
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
API
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1733 | |
| 1106 | |
| 752 | |
| 447 | |
| 240 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.