Support Forum
jmart1191

Cisco Trunk port to Fortiswitch

I am trying to configure our core Cisco 9300 to pass VLAN traffic to a standalone FortiSwitch FS-224E. I have a ticket open with both Cisco and Fortinet and have had both engineers on the phone, but we were not able to get it to work. Does anyone have this kind of setup working properly? Also, do I have to set up a different port to manage the FortiSwitch? I have set a static IP on the internal interface, but once I trunk the port on the Cisco side I lose management and cannot ping the IP or get to the GUI. I have Cisco port 36 trunked and it goes directly to FortiSwitch port 1 (I've tried trunking and tried without trunking, set allowed VLANs, and nothing works). I set a static route. Not sure what I'm missing, but support has been no help on the Forti side. I have verified the trunk works on the Cisco with another Cisco trunked; VLANs and traffic do work.

This is my Cisco Interface

interface GigabitEthernet1/0/36
description uplink to Fortiswitch
switchport trunk allowed vlan 100,200
switchport mode trunk
switchport nonegotiate

I have tested this trunk to another Cisco and the VLANs do pass.

I've configured FortiSwitch port 1 two ways:

config switch interface
    edit port1
        set allowed-vlans 1,100,200
    next
end

and I've also configured a trunk and added port 1 to it; neither works.

Toshi_Esumi

It's a surprise that neither TAC can figure it out. Which one is your management VLAN, 100 or 200?
And the link lights are green on both sides, right? That means L1 is up.
Then show us the output of the below on the 224E:
- show switch physical-port port1
- show switch interface port1
- show system interface "management_interface_name"

The 224E should have a dedicated MGMT port with 192.168.1.99/24 by default. So either you need to use a different subnet for your management interface or unconfigure the IP on the "mgmt" interface.

Toshi

jmart1191

Hello, thanks for your reply. Yes, I'm having issues with TAC; they are both basically pointing fingers and I'm having a hard time getting them both on the same call now. I do see the management port, but I don't have anything connected to it. Do I have to run a second Ethernet cable to that port in order to get to the GUI? I actually configured everything on port 1: created the VLANs to match the Cisco VLANs and added ports to the VLANs in the Forti. The IP I configured on internal; the mgmt port is still DHCP, but it's not picking up a DHCP address.

- show switch physical-port port1

S224ENTF23006427 # show switch physical-port port1
config switch physical-port
    edit "port1"
        set lldp-profile "default-auto-isl"
        set speed auto
    next
end

- show switch interface port1

show switch interface port1
entry is not found in table
Command fail. Return code 1

Toshi_Esumi

Wait a minute. Do you happen to be one of those who got confused by FSW's terminology "trunk", and configured it without knowing it's actually a LAG/802.3ad?
If so, you need to unconfigure the "trunk" on the 224E. It's not a VLAN trunk.

Toshi

jmart1191

TAC configured it both ways, with and without the trunk. We removed the trunk on port 1 and just set it to allow the VLANs, and that didn't work. I can try it again, though. For the mgmt port, do I need to run an Ethernet cable to port 1 and another to mgmt?

Toshi_Esumi

There needs to be an "edit port1" in "config switch interface". You might need to start over from the default.

Toshi

Toshi_Esumi

And if you want to use an in-band management interface outside of 192.168.1.0/24 on the mgmt interface, you can leave the mgmt as is. You just need to create a new management interface in "config system interface". However, there is a special interface called "internal" that exists on all models; it's probably easier/better to use that interface and set your management IP there, then set the VLAN ID as native-vlan in "config switch interface" -> "edit internal".

Toshi

jmart1191

Any chance I can get a step-by-step on how to create an interface and add it to a VLAN? I'm new at this Forti stuff. I would like to keep the address I have on the internal interface, 10.76.x.205. It's supposed to get internet from VLAN 100 on the Cisco, which is trunked and allowed on the Cisco side.

Toshi_Esumi

There is almost nothing like a "step-by-step" from FTNT for standalone mode. I had to figure these out by myself by reading through the admin guide.
You just need to understand the three components of the config I asked about in the original post:
L3 level: config system interface
L2 level: config switch interface
L1-2 level: config switch physical-port

Toshi

Toshi_Esumi

I found my previous post earlier this year for the second half of the config you need: management interface and IP. I was using a separate "mgmt999" interface from the "internal" interface partly because it was a model without a dedicated MGMT interface. But you can do either way.
https://community.fortinet.com/t5/Support-Forum/Internal-Interface-Configuration-Issues-on-Standalon...

The key is, whichever method you use, you need to set the management VLAN ID as an allowed-vlan in the "internal" L2 interface config, because that's the L2 GW/special interface that connects to the L3 management interface. Unfortunately it was not described anywhere in the FTNT docs, at least at that time.

config switch interface
  edit "internal"
    set allowed-vlans 999
    set stp-state disabled
  next
end


For the rest, you just need to make sure port1 is passing the management VLAN, either 100 or 200, from the C9300 side.

Toshi
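
Pulling the three layers Toshi lists together into one place, here is an added example (written for this page; it is not posted by anyone in the thread and is not Fortinet's own documentation) of a complete standalone FortiSwitch configuration for the setup described above: port1 as the 802.1Q uplink to the C9300, and the "internal" interface carrying in-band management on VLAN 100. It assumes VLAN 100 is the management VLAN, keeps the 10.76.X.205 address from the thread (X stands for the octet redacted in the post), and assumes 10.76.X.1 is the default gateway on the Cisco side; change those to match the real network.

```text
# Added example, not from the thread. Assumptions: VLAN 100 is the management
# VLAN, X is the octet redacted in the post, 10.76.X.1 is the gateway on the C9300.

# L1-2: the physical uplink. Leave it at defaults; no "trunk" (LAG) member.
config switch physical-port
    edit "port1"
        set speed auto
    next
end

# L2: the 802.1Q side. port1 carries VLAN 100 and 200 tagged, matching
# "switchport trunk allowed vlan 100,200" on the C9300. "internal" is the L2
# gateway to the L3 management interface and must carry the management VLAN.
config switch interface
    edit "port1"
        set native-vlan 1
        set allowed-vlans 100,200
        set stp-state enabled
    next
    edit "internal"
        set native-vlan 100
        set allowed-vlans 100
        set stp-state disabled
    next
end

# L3: the management IP lives on "internal"; the dedicated mgmt port keeps its
# default 192.168.1.99/24 and is left unused.
config system interface
    edit "internal"
        set ip 10.76.X.205 255.255.255.0
        set allowaccess ping https ssh
    next
end

# Default route out through the management VLAN towards the C9300.
config router static
    edit 1
        set gateway 10.76.X.1
        set device "internal"
    next
end
```

Apply it to a switch reset to defaults, as Toshi suggests, rather than on top of a half-removed "trunk" (LAG) configuration: the "entry is not found in table" result for show switch interface port1 earlier in the thread means port1 has no L2 interface entry at all, and the "edit port1" stanza under config switch interface recreates it. On the Cisco side, switchport trunk allowed vlan 100,200 leaves the native VLAN (1 by default) out of the trunk, so only tagged VLAN 100 and 200 frames cross the link; that is why the management VLAN has to reach "internal" as an allowed VLAN instead of being expected untagged on VLAN 1. After applying, show system interface internal and show switch interface internal should show the IP and the VLAN, and a ping from the 10.76.X.0/24 gateway is the quickest check that the path works end to end.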
