Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
The_Nude_Deer
Contributor

FortiAP With Cisco Switch

Hi, Having a little difficulty with this, I have a FortiAP plugged into a CISCO 3750, port is trunked with native VLAN 50 , LLDP is enabled. Cisco is connected to another Cisco 9K , vlan 50 trunked and LLDP enabled there also. Fortigate (7.0.14) has a Layer 3 Aggregate inteface connected to the Cisco 9K, no issues there.

 

In order to get the AP MGMT, I created an SVI 50, with DHCP etc, and put it behind the Agg Layer 3, this is where I think there is a problem, I allow ALL traffic for now, but the AP will not come online, simply says "no LLDP neighbours found"

 

if I do "diagnose lldprx neighhour" you can see the Cisco 9K, and the Cisco 9K can see the 3750 as an LLDP neighbour, so not sure why the AP cannot get to the SVI on the Fortigate, I did notice on the SVI you cannot set "recieve LLDP" or "Transmit LLDP" the option isnt there..

 

I have enabled security fabric, you can see the AP MAC on the cisco switches on VLAN 152..any suggestions where I have made a silly mistake??

THankyou

1 Solution
Toshi_Esumi
Esteemed Contributor III

Ok I missed one post when I went to grab food for lunch. So the SW 9K is not extending the VLAN ID 50 from the FGT toward the FAP? Then DHCP on the FGT would never work for the FAP. It has to be on the same L2 network. You have to set DHCP server on the switch where FAP is connected to it via L2 network.

View solution in original post

24 REPLIES 24
Toshi_Esumi
Esteemed Contributor III

By the way, any FGTs don't support SVI. The vlan interface you configured on LAG interface to the 9K SW is just a subinterface of the LAG. Similar to the good old Cisco 25xx/26xx routers subinterfaces.

To verify L2 connectivity between the FGT to the switches, you can configure L3 interface on SVI (this is an SVI) on those switch then test with ping each other. If those works through the FGT-9K-3750, L2 connectivity should be there. Then needs to suspect the FAP side.

I'm assuming you're using the default config on the FAP so it's trying to pull IP via DHCP over the L2 network you just confirmed.
You can set up a mirror port on the 3750 to sniff what's going on between the FAP and the 3750.

 

Toshi

The_Nude_Deer
Contributor

I have created an SVI with an IP in the same range, and no ping is not working, which is bizarre as there is a path all the way through! if I take off the SVI the switch can reach the L3 interface on the Fortigate by using its MGMT ip! so im lost now!

Toshi_Esumi
Esteemed Contributor III

Did you see those ping packets coming from the switch and arriving at the VLAN interface on the FGT in "diag sniffer packet <the_vlan_interface>"?

The_Nude_Deer
Contributor

bizzarelly no! but it does ping from the switch! most odd

Toshi_Esumi
Esteemed Contributor III

Are you saying ping from SW to FGT works, but opposite direction doesn't work? Or somehow both directions started working?
I would still make sure those packets with "diag sniffer" on the vlan interface. Then check the FAP port with mirroring.

 

Toshi

The_Nude_Deer

The switch itself (mgmt ip) can ping the Fortigate interface that does the DHCP for the APs, but an SVI on the same subnet as the Fortigate interface cannot. i cannot see any icmp traffic on the fortigate interface

Toshi_Esumi
Esteemed Contributor III

please share us the VLAN subinterface config on the FGT in CLI under "config system interface" then "edit <vlan_interface_name>", and then "show".

The_Nude_Deer

config system interface
edit "FortiAP-MGMT"
set vdom "root"
set ip 10.10.50.1 255.255.255.0
set allowaccess ping https ssh snmp http fabric
set device-identification enable
set role lan
set snmp-index 40
set auto-auth-extension-device enable
set interface "INSIDE"
set vlanid 50
next
end

Toshi_Esumi
Esteemed Contributor III

Then when you run "diag sniffer packet FortiAP-MGMT 'net 10.10.50.0/24' 4 0 l" (the last letter is lower-case_'L') then pinged 10.10.50.1 from the switch SVI, you didn't see anything in the sniffing?

And then you opened another session for SSH and run "exe ping 10.10.50.x" (SW SVI's IP), you didn't see anything in the sniffing?

 

Toshi

Labels
Top Kudoed Authors