pj255
New Contributor

FG 1000c and Trunking to Cisco Switch

Hi, has anyone experience getting a FG to trunk with a Cisco switch? I can bring up the trunk but I'm not learning a MAC address on either side of the trunk link, and the interface counters are at 0 for input on both sides. Patrick
emnoc
Esteemed Contributor III

Qs:
- Are the vlans created?
- Are the vlans active?
- When executing show span interface gi x/x, what do you see?
- What's the fortigate 802.1q configuration?
- What's the show interface gi x.x trunk status?

PCNSE NSE StrongSwan
pj255
New Contributor

Hi, appreciate your help. I hope the below is useful. I did previously have native VLAN configured as 1 on the switch side... just tried changing to VLAN 75 - no joy.

Qs: Are the vlans created? Are the vlans active?
Yes, both VLANs are active on the Cisco switch. Both have also been created as sub-interfaces on the FG.

When executing show span interface gi x/x, what do you see?
The ports are forwarding for both VLANs:

Switch#show spanning-tree interface Fa0/1
Vlan                Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
VLAN0055            Desg FWD 19        128.1    P2p
VLAN0075            Desg FWD 19        128.1    P2p
Switch#

What's the fortigate 802.1q configuration?
How do I check this?

What's the show interface gi x.x trunk status?

Switch#show int Fa0/1 trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      75

Port        Vlans allowed on trunk
Fa0/1       55,75

Port        Vlans allowed and active in management domain
Fa0/1       55,75

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       55,75
Switch#

Switch#show int Fa0/1 status
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/1                        connected    trunk      full    100   10/100BaseTX
Switch#

Switch#show run int Fa0/1
Building configuration...

Current configuration : 188 bytes
!
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 75
 switchport trunk allowed vlan 55,75
 switchport mode trunk
 speed 100
 duplex full
end

Switch#
emnoc
Esteemed Contributor III

Okay, that switch side looks good. I'm assuming you have the sub-interfaces configured in a fashion like this (assuming port1 is the parent interface):

config sys interface
    edit port1
        set vdom "root"
        set ip 1.1.75.1 255.255.254.0
        set alias "native"
        set allowaccess ssh ping https
    next
    edit "subvlan55-intf8021q"
        set vdom "root"
        set ip 1.1.55.1 255.255.254.0
        set alias "vlansub55"
        set interface "port1"
        set vlanid 55
        set allowaccess ssh ping https
    next
end

Execute a diag sys vlan list when you are finished, and a get sys interface. I hope that helps.

pj255
New Contributor

Your help is greatly appreciated! I think my issue might be with my FG config or the VLAN. I created it with the GUI and it doesn't seem to sit directly under the physical interface config. I am testing using Port 11 as my L2 trunk. I have attached the output from the commands and a snippet from the configuration file.
pj255
New Contributor

Attachment
pj255
New Contributor

vlan list attachment
emnoc
Esteemed Contributor III

Okay, that looks good actually. What I would do is remove the Layer2 switchport stuff and rebuild it.

config term
!
! we default the port
default interface FastEthernet0/1
!
! we rebuild it
interface FastEthernet0/1
 shut
 description TO FGT port 11
 switchport
 switchport trunk encapsulation dot1q
 no switchport trunk native vlan 75   ( we will remove this from the new cfg )
 switchport trunk allowed vlan 55,75
 switchport mode trunk
 speed 100
 duplex full
 no shut
end
!
!

And then on the fortigate execute a ping on each of the 3 interfaces (port11 and the 2 sub-interfaces), e.g.:

execute ping 192.168.55.1
execute ping 192.168.75.1
execute ping 192.168.100.1

and then monitor for layer2 fdb and mac_address learned on vlan1, vlan55 and 75 for port fas 0/1, e.g.:

show mac add int fas 0/1

That would confirm the 802.1q tags and native are working.

emnoc
Esteemed Contributor III

btw I forgot to add the vlan listing; the hex value is the vlan id:

UK-RL-N0-FG01 (test) # diagnose sys vlan list
total vlan malloc times=5
list vlan info
port11 TEST-VL75-SVI vid=004b
port11 TEST-VL55-SVI vid=0037
port23 PCI-Vlan350 vid=015e

0x4b = 75
0x37 = 55

So that looks good :)

What version of FortiOS are you running? I had a problem with a late 1000A that needed an upgrade for 802.1q sub-intf to work. I don't believe this is a problem here tho.

Ken

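As an added example (not code from the thread or from Fortinet/Cisco), a small Python check that parses the FortiGate "diagnose sys vlan list" output and the switch "show int trunk" output shown in this thread, decodes the hexadecimal vid, and flags VLANs that are tagged on one side but native or missing on the other. The two sample texts are constructed to match the outputs posted above.

```python
import re

# Constructed sample outputs, modelled on the ones posted in this thread.
FGT_VLAN_LIST = """\
UK-RL-N0-FG01 (test) # diagnose sys vlan list
total vlan malloc times=5
list vlan info
port11 TEST-VL75-SVI vid=004b
port11 TEST-VL55-SVI vid=0037
port23 PCI-Vlan350 vid=015e
"""

CISCO_TRUNK = """\
Switch#show int Fa0/1 trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      75

Port        Vlans allowed on trunk
Fa0/1       55,75
"""

def parse_fgt_vlans(text):
    """Return {parent_port: {vlan_id: name}} from 'diagnose sys vlan list'.
    The vid field is hexadecimal: vid=004b is VLAN 75, vid=0037 is VLAN 55."""
    vlans = {}
    for m in re.finditer(r"^(\S+)\s+(\S+)\s+vid=([0-9a-fA-F]+)\s*$", text, re.M):
        vlans.setdefault(m.group(1), {})[int(m.group(3), 16)] = m.group(2)
    return vlans

def parse_cisco_trunk(text):
    """Return (native_vlan, allowed_vlans) from 'show interface ... trunk'."""
    native = int(re.search(r"^\S+\s+\S+\s+802\.1q\s+\S+\s+(\d+)", text, re.M).group(1))
    allowed_field = re.search(r"Vlans allowed on trunk\n\S+\s+(\S+)", text).group(1)
    allowed = set()
    for part in allowed_field.split(","):          # handles "55,75" and ranges like "10-20"
        lo, _, hi = part.partition("-")
        allowed.update(range(int(lo), int(hi or lo) + 1))
    return native, allowed

def check_trunk(fgt_port, fgt_text, cisco_text):
    """List mismatches between the FortiGate sub-interfaces on fgt_port and the switch trunk."""
    fgt = parse_fgt_vlans(fgt_text).get(fgt_port, {})
    native, allowed = parse_cisco_trunk(cisco_text)
    problems = []
    for vid in sorted(fgt):
        if vid not in allowed:
            problems.append(f"VLAN {vid} is a sub-interface on {fgt_port} but not allowed on the trunk")
        if vid == native:   # tagged on the FortiGate, sent untagged by the switch: frames never match
            problems.append(f"VLAN {vid} is tagged on the FortiGate but untagged (native) on the switch")
    for vid in sorted(allowed - set(fgt)):
        if vid != native:
            problems.append(f"VLAN {vid} is allowed on the trunk but has no sub-interface on {fgt_port}")
    return problems

if __name__ == "__main__":
    print("\n".join(check_trunk("port11", FGT_VLAN_LIST, CISCO_TRUNK)) or "trunk and sub-interfaces agree")
```

On the thread's configuration the check reports the native VLAN 75 mismatch, which is the setting the switch rebuild above removes.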
pj255
New Contributor

Hi Ken, ah, interesting one on the VLAN ID - I did not know the vid was a hex representation of the VLAN ID - a new trick learned ;-)

We're running version 5.0 on the 1000C. Here's the full build number:

Version: FortiGate-1000C v5.0,build3608,140409 (GA Patch 7)

I tried the ping but no luck - the pings time out. Could the pings be unsuccessful due to a routing issue? Either way, I would still expect an ARP message of some sort to populate the other device's CAM table with the other side's MAC address. Is there a command to check the FG interface for a MAC learned?