Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: FortiAP With Cisco Switch
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiAP With Cisco Switch
Hi, Having a little difficulty with this, I have a FortiAP plugged into a CISCO 3750, port is trunked with native VLAN 50 , LLDP is enabled. Cisco is connected to another Cisco 9K , vlan 50 trunked and LLDP enabled there also. Fortigate (7.0.14) has a Layer 3 Aggregate inteface connected to the Cisco 9K, no issues there.
In order to get the AP MGMT, I created an SVI 50, with DHCP etc, and put it behind the Agg Layer 3, this is where I think there is a problem, I allow ALL traffic for now, but the AP will not come online, simply says "no LLDP neighbours found"
if I do "diagnose lldprx neighhour" you can see the Cisco 9K, and the Cisco 9K can see the 3750 as an LLDP neighbour, so not sure why the AP cannot get to the SVI on the Fortigate, I did notice on the SVI you cannot set "recieve LLDP" or "Transmit LLDP" the option isnt there..
I have enabled security fabric, you can see the AP MAC on the cisco switches on VLAN 152..any suggestions where I have made a silly mistake??
THankyou
Solved! Go to Solution.
Labels:
- Labels:
-
FortiAP
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok I missed one post when I went to grab food for lunch. So the SW 9K is not extending the VLAN ID 50 from the FGT toward the FAP? Then DHCP on the FGT would never work for the FAP. It has to be on the same L2 network. You have to set DHCP server on the switch where FAP is connected to it via L2 network.
24 REPLIES 24
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
By the way, any FGTs don't support SVI. The vlan interface you configured on LAG interface to the 9K SW is just a subinterface of the LAG. Similar to the good old Cisco 25xx/26xx routers subinterfaces.
To verify L2 connectivity between the FGT to the switches, you can configure L3 interface on SVI (this is an SVI) on those switch then test with ping each other. If those works through the FGT-9K-3750, L2 connectivity should be there. Then needs to suspect the FAP side.
I'm assuming you're using the default config on the FAP so it's trying to pull IP via DHCP over the L2 network you just confirmed.
You can set up a mirror port on the 3750 to sniff what's going on between the FAP and the 3750.
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have created an SVI with an IP in the same range, and no ping is not working, which is bizarre as there is a path all the way through! if I take off the SVI the switch can reach the L3 interface on the Fortigate by using its MGMT ip! so im lost now!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you see those ping packets coming from the switch and arriving at the VLAN interface on the FGT in "diag sniffer packet <the_vlan_interface>"?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bizzarelly no! but it does ping from the switch! most odd
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you saying ping from SW to FGT works, but opposite direction doesn't work? Or somehow both directions started working?
I would still make sure those packets with "diag sniffer" on the vlan interface. Then check the FAP port with mirroring.
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The switch itself (mgmt ip) can ping the Fortigate interface that does the DHCP for the APs, but an SVI on the same subnet as the Fortigate interface cannot. i cannot see any icmp traffic on the fortigate interface
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
please share us the VLAN subinterface config on the FGT in CLI under "config system interface" then "edit <vlan_interface_name>", and then "show".
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
config system interface
edit "FortiAP-MGMT"
set vdom "root"
set ip 10.10.50.1 255.255.255.0
set allowaccess ping https ssh snmp http fabric
set device-identification enable
set role lan
set snmp-index 40
set auto-auth-extension-device enable
set interface "INSIDE"
set vlanid 50
next
end
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Then when you run "diag sniffer packet FortiAP-MGMT 'net 10.10.50.0/24' 4 0 l" (the last letter is lower-case_'L') then pinged 10.10.50.1 from the switch SVI, you didn't see anything in the sniffing?
And then you opened another session for SSH and run "exe ping 10.10.50.x" (SW SVI's IP), you didn't see anything in the sniffing?
Toshi
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- FortiAP solid orange power LED 128 Views
- FortiAP-231G intermittently goes offline. 130 Views
- FG 81E - SD-wan rule with... 222 Views
- FortiSwitch peer-consistency-check peer-config "NOT-FOUND" 114 Views
- FortiAP and Dell Switch 173 Views
Labels
-
FortiGate
8,403 -
FortiClient
1,699 -
5.2
801 -
FortiManager
708 -
5.4
639 -
FortiAnalyzer
540 -
FortiSwitch
456 -
FortiAP
452 -
6.0
416 -
FortiClient EMS
401 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
210 -
5.0
196 -
FortiWeb
196 -
IPsec
183 -
FortiNAC
173 -
FortiGuard
133 -
6.4
128 -
SD-WAN
107 -
FortiSIEM
100 -
FortiGateCloud
100 -
FortiCloud Products
95 -
FortiToken
89 -
FortiAuthenticator
82 -
Customer Service
77 -
Wireless Controller
76 -
Firewall policy
69 -
4.0MR3
64 -
FortiProxy
57 -
FortiADC
53 -
High Availability
51 -
Fortivoice
50 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiSandbox
43 -
FortiExtender
43 -
FortiDNS
42 -
Routing
39 -
DNS
38 -
LDAP
38 -
BGP
37 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
32 -
Certificate
32 -
Authentication
31 -
Interface
31 -
SSO
30 -
NAT
30 -
RADIUS
28 -
FortiConnect
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
FortiGate v5.2
24 -
VDOM
24 -
Logging
24 -
Application control
24 -
Web profile
23 -
Virtual IP
22 -
FortiPAM
21 -
Fortigate Cloud
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
FortiMonitor
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
System settings
13 -
FortiSOAR
12 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Traffic shaping policy
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
FortiCarrier
6 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Traffic shaping profile
5 -
Email filter profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Service
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1641 | |
| 1069 | |
| 751 | |
| 443 | |
| 210 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.