19944 Views, 5 Helpful, 8 Replies

Fortigate200E-Cisco 3850 Switch -LACP

machine23 (Level 1)

Hi all ,
 
The 200E does not appear to have the Hardware Switch option like the 100E's, on which I was able to just allocate an internal IP (hardware switch) and get access to the switch without any more configuration.
I need an internal network from the 200E to the Cisco core switch.

I have managed to get the link up via LACP, but packets are not flowing:

 

FORTIGATE-INT-CONFIG: just a matter of creating an 802.3ad aggregate type of switch.

 

set vdom "root"
set ip 192.168.14.4 255.255.254.0
set allowaccess ping https http
set type aggregate
set member "port1"
set device-identification enable
set role lan
set snmp-index 25

- LACP default is active / tried l2forward enable / tried lacp speed slow.

 

CISCO CONFIG:

 

interface Port-channel 30
switchport trunk allowed vlan x,x,x
switchport mode trunk

 

interface GigabitEthernet1/0/12
switchport trunk allowed vlan x,x,x
switchport mode trunk
channel-group 30 mode active

 

Link is up on both sides but no traffic flow / no ping .. anything I am missing? Do I need a route on the core switch? Drew up a quick pic just for a bit of clarity.

[image: forti.jpg]
 
 


8 Replies

ngkin2010 (Level 7), accepted solution

Hi,

As you are creating a layer 3 LACP interface on the FortiGate, which is untagged, you should configure "switchport mode access" on the Cisco side.

 

interface Port-channel 30
switchport access vlan x
switchport mode access

 
interface GigabitEthernet1/0/12
switchport access vlan x
switchport mode access
channel-group 30 mode active

If you have multiple VLANs spanning to the FortiGate, you should modify the FortiGate's interface configuration to be VLAN capable:

 

config system interface
    edit "PortChannel"
        set vdom "root"
        set type aggregate
        set member "port1"
    next
    # VLAN sub-interface on the aggregate: frames on it are 802.1Q tagged with vlanid
    edit "VLAN_X"
        set vdom "root"
        set interface "PortChannel"
        # x is the VLAN ID
        set vlanid x
        set ip 192.168.14.4 255.255.254.0
        set allowaccess ping https http
    next
end
  

Ahh, I understood my mistake, thanks a lot :) .. that is now connecting and I can access 1 VLAN, so if I need to access the other 2 VLANs on the Cisco switch, what is the best way? Is it better to create a VLAN switch on the FortiGate like you mentioned?

 

interface Port-channel 30
switchport access vlan x
switchport mode access

(we have 2 more VLANs on the switch that need connecting)

 

Hi,

 

If you need inter-VLAN routing, you have to plan and decide on the network design. Here is an example for your reference:

 

You put the gateways of VLAN10, 20 and 30 on the FortiGate, so that all inter-VLAN traffic is protected by the firewall.

 

config system interface
    edit "VLAN10"
        set vdom "root"
        set interface "PortChannel"
        set vlanid 10
        set ip 192.168.10.1/24
        set allowaccess ping
    next
    edit "VLAN20"
        set vdom "root"
        set interface "PortChannel"
        set vlanid 20
        set ip 192.168.20.1/24
        set allowaccess ping
    next
    edit "VLAN30"
        set vdom "root"
        set interface "PortChannel"
        set vlanid 30
        set ip 192.168.30.1/24
        set allowaccess ping
    next
end

interface Port-channel 30
switchport trunk allowed vlan 10,20,30
switchport mode trunk

 
interface GigabitEthernet1/0/12
switchport trunk allowed vlan 10,20,30
switchport mode trunk
channel-group 30 mode active

If your gateways for VLAN20 and VLAN30 are on the Cisco switch (e.g. SVIs), you will need to create a transit network between the FortiGate and the Cisco switch, as well as routing between them. For example:

 

config system interface
    edit "VLAN10"
        set vdom "root"
        set interface "PortChannel"
        set vlanid 10
        set ip 192.168.10.1/24
        set allowaccess ping
    next
    # point-to-point transit VLAN towards the Cisco SVI
    edit "Transit-subnet"
        set vdom "root"
        set interface "PortChannel"
        set vlanid 99
        set ip 192.168.99.1/30
        set allowaccess ping
    next
end
config router static
    edit 1
        set dst 192.168.20.0/24
        set device "Transit-subnet"
        set gateway 192.168.99.2
    next
    edit 2
        set dst 192.168.30.0/24
        set device "Transit-subnet"
        set gateway 192.168.99.2
    next
end

ip routing
! VLAN 10 must exist on the switch too, otherwise the trunk will not carry it
vlan 10,20,30,99

interface Vlan99
 ip address 192.168.99.2 255.255.255.252

interface Vlan20
 ip address 192.168.20.1 255.255.255.0

interface Vlan30
 ip address 192.168.30.1 255.255.255.0

ip route 192.168.10.0 255.255.255.0 192.168.99.1

interface Port-channel 30
switchport trunk allowed vlan 10,99
switchport mode trunk

 
interface GigabitEthernet1/0/12
switchport trunk allowed vlan 10,99
switchport mode trunk
channel-group 30 mode active

So it all basically depends on your network design.
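The accepted solution and the design examples above come down to one question per end of the aggregate: does it send tagged or untagged frames? An aggregate that carries an IP address on the FortiGate sends untagged frames, so it needs an access port on the Cisco side (or it lands in the trunk's native VLAN, which on the original trunk was not even in the allowed list), while VLAN sub-interfaces on the aggregate send 802.1Q-tagged frames that the trunk must allow. The script below is an added example written for this thread, not code from Fortinet, Cisco or anyone in the discussion. It parses the two config styles the posts show and reports the mismatches; the sample configs inside it are constructed to mirror the thread (the VLAN numbers, the interface name "PortChannel" and Port-channel 30 are assumptions), and the `remove`/`except` forms of the IOS allowed-VLAN command are not modelled.

```python
import re
# Sample configs constructed in the shapes the thread shows; none is a real export.
FG_UNTAGGED = """\
config system interface
    edit "PortChannel"
        set ip 192.168.14.4 255.255.254.0
        set type aggregate
    next
end
"""
FG_VLANS = """\
config system interface
    edit "PortChannel"
        set type aggregate
    next
    edit "VLAN10"
        set interface "PortChannel"
        set vlanid 10
        set ip 192.168.10.1 255.255.255.0
    next
    edit "VLAN20"
        set interface "PortChannel"
        set vlanid 20
        set ip 192.168.20.1 255.255.255.0
    next
end
"""
IOS_TRUNK = """\
interface Port-channel30
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
"""
IOS_ACCESS = """\
interface Port-channel30
 switchport access vlan 10
 switchport mode access
"""

def parse_fortios_interfaces(text):
    """Parse a FortiOS 'config system interface' dump into {name: {setting: value}}."""
    ifaces, cur = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r'edit\s+"?([^"]+)"?$', line):
            cur = ifaces.setdefault(m.group(1), {})
        elif line == "next":
            cur = None
        elif cur is not None and (m := re.match(r"set\s+(\S+)\s+(.*)$", line)):
            cur[m.group(1)] = m.group(2).replace('"', "")
    return ifaces

def fortigate_tagging(ifaces, aggregate):
    """An aggregate with its own IP sends untagged frames; VLAN sub-interfaces on it send tagged ones."""
    untagged = not ifaces[aggregate].get("ip", "0.0.0.0").startswith("0.0.0.0")
    tagged = {int(s["vlanid"]): name for name, s in ifaces.items()
              if s.get("interface") == aggregate and "vlanid" in s}
    return untagged, tagged

def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,20-22,99' into a set of ints."""
    return {v for part in spec.split(",") for lo, _, hi in [part.partition("-")]
            for v in range(int(lo), int(hi or lo) + 1)}

def parse_ios_portchannel(text, number):
    """Switchport settings of 'interface Port-channelN'; allowed=None means every VLAN."""
    port = {"mode": "access", "native": 1, "allowed": None}
    inside = False
    for line in (raw.strip() for raw in text.splitlines()):
        if re.match(r"interface\s+port-channel\s*%d$" % number, line, re.I):
            inside = True
        elif not inside:
            continue
        elif line == "!" or line.startswith("interface"):
            break
        elif m := re.match(r"switchport mode (access|trunk)", line):
            port["mode"] = m.group(1)
        elif m := re.match(r"switchport trunk native vlan (\d+)", line):
            port["native"] = int(m.group(1))
        elif m := re.match(r"switchport trunk allowed vlan (?:add )?(\S+)$", line):
            spec = m.group(1)  # the 'remove' and 'except' forms are not modelled
            port["allowed"] = (None if spec == "all" else set() if spec == "none"
                               else (port["allowed"] or set()) | expand_vlan_list(spec))
    return port

def check_lag(fg_text, aggregate, ios_text, channel):
    """Return [(code, detail)] for frames one end sends that the other end drops or misfiles."""
    untagged, tagged = fortigate_tagging(parse_fortios_interfaces(fg_text), aggregate)
    port = parse_ios_portchannel(ios_text, channel)
    findings = []
    if port["mode"] == "access":  # untagged frames land in the access VLAN (the accepted solution)
        return [("TAGGED_ON_ACCESS", sorted(tagged))] if tagged else findings
    native_ok = port["allowed"] is None or port["native"] in port["allowed"]
    if untagged:  # the original post: IP on the aggregate but a trunk on the switch
        findings.append(("UNTAGGED_TO_NATIVE" if native_ok else "UNTAGGED_DROPPED", port["native"]))
    for vid, name in sorted(tagged.items()):
        if vid == port["native"]:  # the switch expects its native VLAN untagged
            findings.append(("TAGGED_IS_NATIVE", name))
        elif port["allowed"] is not None and vid not in port["allowed"]:
            findings.append(("VLAN_NOT_ALLOWED", name))
    return findings
```

Run `check_lag(FG_UNTAGGED, "PortChannel", IOS_TRUNK, 30)` for the original post's shape and it reports UNTAGGED_DROPPED, because native VLAN 1 is not in the allowed list; with `IOS_ACCESS` it reports nothing, and `FG_VLANS` against `IOS_TRUNK` is clean. It also goes a step beyond the thread by flagging a sub-interface whose VLAN is the trunk's native VLAN, which the switch would expect untagged.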

 

 


Thanks a lot for your explanation. The FortiGate isn't letting me add the transit-subnet, but with the configuration below I am able to get ping/traffic. But let's say I am on a client machine which is on VLAN20: I cannot ping the FortiGate VLAN10 addresses.

Do I need any more configuration to allow traffic between VLANs?

 

config system interface
    edit "VLAN10"
        set vdom "root"
        set interface "PortChannel"
        set vlanid 10
        set ip 192.168.10.1/24
        set allowaccess ping
    next
    edit "VLAN20"
        set vdom "root"
        set interface "PortChannel"
        set vlanid 20
        set ip 192.168.20.1/24
        set allowaccess ping
    next
    edit "VLAN30"
        set vdom "root"
        set interface "PortChannel"
        set vlanid 30
        set ip 192.168.30.1/24
        set allowaccess ping
    next
end

interface Port-channel 30
switchport trunk allowed vlan 10,20,30
switchport mode trunk

 
interface GigabitEthernet1/0/12
switchport trunk allowed vlan 10,20,30
switchport mode trunk
channel-group 30 mode active

 

Hi,

With the given configuration, you decided that the gateways (for VLAN 10, 20, 30) are on the FortiGate.
So I assume your clients on the different VLANs will have default gateways as follows:

 

VLAN10 : 192.168.10.1/24
VLAN20 : 192.168.20.1/24
VLAN30 : 192.168.30.1/24

 

If the default gateway on your machine (PC) is configured correctly, the inter-VLAN traffic will pass through the FortiGate. You will need to configure a firewall policy to allow such connections. Did you configure a policy on the FortiGate? Here is an example to allow 192.168.10.0/24 to ping 192.168.20.0/24 and 192.168.30.0/24.

 

config firewall address
    edit "192.168.10.0/24"
        set subnet 192.168.10.0/24
    next
    edit "192.168.20.0/24"
        set subnet 192.168.20.0/24
    next
    edit "192.168.30.0/24"
        set subnet 192.168.30.0/24
    next
end

# "edit 0" creates a policy with the next free ID. This policy matches
# sessions that start on VLAN10; the replies are matched by the session table.
config firewall policy
    edit 0
        set srcintf "VLAN10"
        set dstintf "VLAN20" "VLAN30"
        set srcaddr "192.168.10.0/24"
        set dstaddr "192.168.20.0/24" "192.168.30.0/24"
        set service "ALL_ICMP"
        set schedule "always"
        set action accept
    next
end

 

You may want to configure FortiGate via HTTPS GUI, which is more user-friendly.
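The policy above matches sessions that start on VLAN10 towards VLAN20 or VLAN30. FortiGate policies are evaluated top-down on ingress interface, egress interface (taken from the route lookup, not from the policy), source address, destination address and service; the first match wins and anything unmatched hits the implicit deny. The following is an added example for this thread, not FortiOS code and not from anyone in the discussion: a small matcher over policy objects shaped like the FortiOS REST API's cmdb/firewall/policy output, with the thread's addresses and the policy from the post constructed inline (the host IPs, the policy IDs and the second policy are assumptions). It shows that a session from a VLAN20 host to a VLAN10 host matches nothing until a policy for that direction exists. Pinging one of the FortiGate's own interface addresses is local-in traffic and is outside what this models.

```python
import ipaddress

# Everything below is constructed from the thread's example and shaped like the
# JSON the FortiOS REST API returns for cmdb/firewall/address and
# cmdb/firewall/policy; it is not an export from a real unit.
ADDRESSES = {
    "all": "0.0.0.0/0",
    "192.168.10.0/24": "192.168.10.0/24",
    "192.168.20.0/24": "192.168.20.0/24",
    "192.168.30.0/24": "192.168.30.0/24",
}
# service name -> {(protocol, destination port)}; None means any port
SERVICES = {"ALL": {("any", None)}, "ALL_ICMP": {("icmp", None)}, "HTTPS": {("tcp", 443)}}
# Connected routes from the VLAN sub-interfaces in the post: (prefix, interface)
ROUTES = [("192.168.10.0/24", "VLAN10"), ("192.168.20.0/24", "VLAN20"), ("192.168.30.0/24", "VLAN30")]

# The policy as given in the answer: VLAN10 may start ICMP sessions to VLAN20/VLAN30.
POLICY_10_TO_20_30 = {
    "policyid": 1, "status": "enable", "action": "accept",
    "srcintf": [{"name": "VLAN10"}],
    "dstintf": [{"name": "VLAN20"}, {"name": "VLAN30"}],
    "srcaddr": [{"name": "192.168.10.0/24"}],
    "dstaddr": [{"name": "192.168.20.0/24"}, {"name": "192.168.30.0/24"}],
    "service": [{"name": "ALL_ICMP"}],
}
# An assumed second policy for sessions started from VLAN20/VLAN30 (not in the answer).
POLICY_20_30_TO_10 = {
    "policyid": 2, "status": "enable", "action": "accept",
    "srcintf": [{"name": "VLAN20"}, {"name": "VLAN30"}],
    "dstintf": [{"name": "VLAN10"}],
    "srcaddr": [{"name": "192.168.20.0/24"}, {"name": "192.168.30.0/24"}],
    "dstaddr": [{"name": "192.168.10.0/24"}],
    "service": [{"name": "ALL_ICMP"}],
}


def egress_interface(dst_ip, routes=ROUTES):
    """Longest-prefix lookup: the FortiGate derives dstintf from routing, not from the policy."""
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst_ip) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None


def _intf_matches(entries, iface):
    return any(e["name"] in ("any", iface) for e in entries)


def _addr_matches(entries, ip):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(ADDRESSES[e["name"]]) for e in entries)


def _service_matches(entries, proto, dport):
    return any(p in ("any", proto) and port in (None, dport)
               for e in entries for p, port in SERVICES[e["name"]])


def match_policy(policies, ingress, src_ip, dst_ip, proto, dport=None):
    """First enabled policy a new session matches, as (policyid, action); (None, 'deny') is the implicit deny."""
    egress = egress_interface(dst_ip)
    for p in policies:  # evaluated top-down, first match wins
        if (p["status"] == "enable"
                and _intf_matches(p["srcintf"], ingress) and _intf_matches(p["dstintf"], egress)
                and _addr_matches(p["srcaddr"], src_ip) and _addr_matches(p["dstaddr"], dst_ip)
                and _service_matches(p["service"], proto, dport)):
            return p["policyid"], p["action"]
    return None, "deny"


if __name__ == "__main__":
    one_way = [POLICY_10_TO_20_30]
    print(match_policy(one_way, "VLAN10", "192.168.10.5", "192.168.20.5", "icmp"))  # (1, 'accept')
    print(match_policy(one_way, "VLAN20", "192.168.20.5", "192.168.10.5", "icmp"))  # (None, 'deny')
    print(match_policy(one_way + [POLICY_20_30_TO_10], "VLAN20", "192.168.20.5", "192.168.10.5", "icmp"))  # (2, 'accept')
```

The egress interface is computed from the route table before the policy lookup, which is why a missing or wrong route shows up as an implicit deny rather than as a policy problem.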

Hi, that config did not work; when I added a static route on the FortiGate to the other VLANs with gateway 0.0.0.0/0 it all works ... your help is much appreciated as we are racing towards helping people work from home before the lockdown in the UK. Thanks again.

Glad that you have found the way to make it work.

Stay healthy :)

Thanks again and stay safe :) 
