06-09-2021 12:47 PM
Hi,
I'm connecting a brand new out of the box Fortigate 60F to the N2K FEX in our ACI mini lab and after configuring the port in APIC it goes into a 'bpdu-guard-err-disable' state.
I know that FEX has BPDU guard on by default and you cannot disable it, which is fine.
I'm confused as to why this is happening when I'm connecting a firewall that is in NAT (routed) mode and won't be sending any BPDUs. It's an eth port that I'm connecting from the firewall to the FEX to set up a management connection.
I'm getting a green link light on the FEX when patching but after configuring the port in APIC and creating a static access port in the EPG it puts the port into an error state.
06-11-2021 03:07 AM
I figured it out. The problem wasn't on the ACI side.
On a Fortigate 60F interfaces 1-5 are configured into a virtual switch called 'Internal'. This must have been sending BPDUs towards the FEX. Once I disabled the virtual switch everything worked.
06-09-2021 01:03 PM
Not sure. The FortiGate may be trying to negotiate; since the port is port-fast, try making it a trunk port with only the one VLAN allowed and see if that fixes the issue?
Example:
interface Ethernet100/1/1
switchport mode trunk
switchport trunk allowed vlan 1000
06-09-2021 01:36 PM
I've just noticed when looking at the port on CLI that it's saying 'switchport trunk' even though when configuring I'm selecting 'Access (802.1p)'.
Is there a reason as to why the FEX port would stay as a trunk port? I need it to behave like a regular access port.
06-09-2021 01:42 PM
In that case, remove the cable, default the port, and make it an access port.
There may be some config from before (not sure).
Can you post show run interface ether x/x/x and also show interface ether x/x/x?
06-09-2021 01:52 PM
No ports are in use on the FEX currently. When looking at the FEX on the inventory tab in APIC I can see that every port is in an oper mode of trunk.
I'm not on site at the moment so cannot remove cables. Earlier I did try different ports on the FEX and the same happened.
leaf 101
interface ethernet 101/1/20
# policy-group UKGRNLFS101_IPG
switchport trunk native vlan 2000 tenant GG-Tenant application GG-App-Profile epg Client
exit
exit
06-09-2021 10:08 PM - edited 06-11-2021 05:09 AM
"Access (802.1p)" means that the interface is a trunk, and the VLAN you configured will be the untagged/native VLAN. What you see is expected behavior.
Regarding the BPDU guard feature, this is enabled by default on FEX ports and cannot be removed.
It is possible that what you are seeing is not because of BPDUs but because of MCP. Is your Forti connected to multiple interfaces of ACI?
Can you also share the output of the following commands from the leaf where the FEX and the err-disabled interface are located:
show mcp internal info global
show mcp internal info interface eth X/Y/Z
Stay safe,
Sergiu
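The point above, that "Access (802.1p)" is really a trunk with a native VLAN, can be checked directly against the leaf running-config the original poster pasted. The following parser is an added example and is not code from the thread or from Cisco; it reads the "leaf / interface ethernet / switchport ... tenant ... application ... epg ..." stanza format shown in this thread and reports which APIC static-path mode each line corresponds to. The mapping of "switchport trunk native vlan" to Access (802.1p) comes from the thread itself; the "switchport access vlan" and "switchport trunk allowed vlan" forms, and the second and third interface stanzas in the sample, are assumptions added to show the other two modes.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the first stanza is the output pasted in this thread,
# the two that follow are assumed forms for the other APIC static-path modes.
SAMPLE_CONFIG = """\
leaf 101
  interface ethernet 101/1/20
    # policy-group UKGRNLFS101_IPG
    switchport trunk native vlan 2000 tenant GG-Tenant application GG-App-Profile epg Client
    exit
  interface ethernet 101/1/21
    # policy-group UKGRNLFS101_IPG
    switchport access vlan 2001 tenant GG-Tenant application GG-App-Profile epg Mgmt
    exit
  interface ethernet 101/1/22
    switchport trunk allowed vlan 2002 tenant GG-Tenant application GG-App-Profile epg Servers
    exit
  exit
"""

SWITCHPORT_RE = re.compile(
    r"switchport\s+(?P<kind>trunk native|trunk allowed|access)\s+vlan\s+(?P<vlan>\d+)"
    r"\s+tenant\s+(?P<tenant>\S+)\s+application\s+(?P<app>\S+)\s+epg\s+(?P<epg>\S+)$"
)

# Leaf CLI keyword -> mode name as APIC shows it when creating a static path.
MODE_BY_KIND = {
    "trunk native": "Access (802.1p)",    # confirmed by the thread's own output
    "trunk allowed": "Trunk",             # assumed leaf CLI form for tagged EPGs
    "access": "Access (Untagged)",        # assumed leaf CLI form for untagged EPGs
}


@dataclass
class StaticPath:
    leaf: str
    interface: str
    policy_group: Optional[str]
    mode: str
    vlan: int
    tenant: str
    app: str
    epg: str

    @property
    def is_trunk(self) -> bool:
        """True for every mode that programs the port as a trunk on the switch.

        Only 'Access (Untagged)' makes the port a real access port; an
        'Access (802.1p)' path still shows 'trunk' as the operational mode.
        """
        return self.mode != "Access (Untagged)"


def parse_leaf_config(text: str) -> List[StaticPath]:
    """Walk the indented leaf/interface/exit structure and collect static paths."""
    leaf: Optional[str] = None
    iface: Optional[str] = None
    policy_group: Optional[str] = None
    paths: List[StaticPath] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("leaf "):
            leaf, iface, policy_group = line.split()[1], None, None
        elif line.startswith("interface "):
            iface, policy_group = line.split(None, 1)[1], None
        elif line.startswith("# policy-group "):
            policy_group = line.split()[-1]
        elif line == "exit":
            # First exit leaves the interface block, the next leaves the leaf block.
            if iface is not None:
                iface = None
            else:
                leaf = None
        else:
            match = SWITCHPORT_RE.match(line)
            if match and leaf and iface:
                paths.append(StaticPath(
                    leaf=leaf, interface=iface, policy_group=policy_group,
                    mode=MODE_BY_KIND[match["kind"]], vlan=int(match["vlan"]),
                    tenant=match["tenant"], app=match["app"], epg=match["epg"],
                ))
    return paths


def explain(paths: List[StaticPath]) -> List[str]:
    """One human-readable line per static path, for a quick sanity check."""
    return [
        f"leaf {p.leaf} {p.interface}: {p.mode} vlan {p.vlan} -> epg {p.epg} "
        f"({'trunk' if p.is_trunk else 'access'} on the switch)"
        for p in paths
    ]


if __name__ == "__main__":
    for line in explain(parse_leaf_config(SAMPLE_CONFIG)):
        print(line)
```

Running it against the thread's own stanza reports the 101/1/20 path as Access (802.1p) on VLAN 2000 and, as Sergiu says, a trunk at the switch level; only a path created as Access (Untagged) would show up as a true access port.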
06-11-2021 04:37 AM
"Access (802.1p)"
@Sergiu.Daniluk - missed this information on a high-level look - yes, agreed.
@dontsellmydata - Good, I was guessing it was from the Fortigate, but we did not know the physical side of how they are connected, so I was suggesting a different option. Glad it all got sorted in the end. Nice to know.