Multi VDOM VLAN Trunking with Fortigate 50b

Roman_Gelfand · ‎06-17-2010

I have setup vlan trunking between fortigate firewall, internal interface, and catalyst 2950. On the trunk, I am working with two interfaces. One is physical interface attached to root vdom running in transparent mode. The other is vlan 550 attached xyz vdom running in NAT mode. Considering that physical interface is native default vlan 1, can this configuration work? If not, why and would creating another vlan attaching it root vdom, instead of physical interface, would do the job? The interface definition of 2950 is as follows. int fa 0/15 switchport mode trunk int fa 0/2 switchport access vlan 730 int fa 0/4 Thanks in advance

Remi_FTNT · ‎06-17-2010

Hi Roman, As you said, a Fortigate physical interface does not tag packets , tagging only occurs on VLAN interfaces. The important is that the remote interface has also a " native vlan" , so does not tag the frames destined to the physical interface' s broadcast domain, then it should be fine. Hope that will help. Remi.

Remi Metzger - PS Consultant EMEA

emnoc · ‎06-17-2010

The native is whatever vlan that' s assigned to the switch port. You can validate that witha " show int x/x switchport " command on the cisco. X/X in the port(s) Can you post snippet of the fortigate config ( config sys int > show ) , so that way we can have an ideal of what your doing ? Since you mention 2 interfaces, I' m guessing one is not-802.1q and the other is?

PCNSE

NSE

StrongSwan

Roman_Gelfand · ‎06-17-2010

Below, are the results of both commads you had mentioned. I am guessing that this trunk port knows nothing about the vlan id 730. If so, I don' t understand why this is so as I executed this command " switchport trunk allowed vlan all" . Perhaps, fortigate trunk setup is not correct. haf#sh interface fastEthernet 0/17 switchport Name: Fa0/17 Switchport: Enabled Administrative Mode: trunk Operational Mode: down Administrative Trunking Encapsulation: dot1q Negotiation of Trunking: On Access Mode VLAN: 1 (default) Trunking Native Mode VLAN: 1 (default) Voice VLAN: none Administrative private-vlan host-association: none Administrative private-vlan mapping: none Administrative private-vlan trunk native VLAN: none Administrative private-vlan trunk encapsulation: dot1q Administrative private-vlan trunk normal VLANs: none Administrative private-vlan trunk private VLANs: none Operational private-vlan: none Trunking VLANs Enabled: ALL Pruning VLANs Enabled: 2-1001 Capture Mode Disabled Capture VLANs Allowed: ALL Protected: false config system interface edit " internal" set vdom " root" set allowaccess ping https ssh http set type physical next edit " wan1" set vdom " root" set allowaccess ping https ssh set type physical next edit " wan2" set vdom " NATTED" set ip xx.xx.xxx.254 255.255.255.255 set allowaccess ping https ssh http set type physical set alias " Home" next edit " modem" set vdom " root" next edit " ssl.NATTED" set vdom " NATTED" set type tunnel --More-- next edit " Lan" set vdom " NATTED" set ip 192.168.9.3 255.255.255.0 set allowaccess ping https ssh http set interface " internal" set vlanid 730 next end < Since you mention 2 interfaces, I' m guessing one is not-802.1q and the other is? If you mean by not-802.1q untagged then based on the previous post, yes.

emnoc · ‎06-18-2010

Will the trunk config looks great on the FGT. I do have one more question that might not be obvious, is the switch configured for vlan id 730? Can you get the " show run int fas0/17" and then followed by a " show vlan id 730 " and finally a " show span vlan 730" Spanning-tree should be active for vlan 730 and on fas0/17 interface. If it' s not, then that port is not configured, or is down or vlan 730 is not applyed to fas0/17.

PCNSE

NSE

StrongSwan

Roman_Gelfand · ‎06-18-2010

K... It turns out this configuration worked all along. My workstation' s network configurations were incorrect. Thanks for your help

Multi VDOM VLAN Trunking with Fortigate 50b

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website