03-22-2020 03:46 AM
Hi all,
The 200E does not appear to have the hardware switch option like the 100E, on which I was able to just allocate an internal IP (hardware switch) and get access to the switch without any further configuration.
I need an internal network from the 200E to the Cisco core switch.
I have managed to get the link up via LACP, but packets are not flowing:
FORTIGATE-INT-CONFIG: just a matter of creating an 802.3ad aggregate type of switch.
set vdom "root"
set ip 192.168.14.4 255.255.254.0
set allowaccess ping https http
set type aggregate
set member "port1"
set device-identification enable
set role lan
set snmp-index 25
LACP default is active. Tried l2forward enable; tried lacp-speed slow.
CISCO CONFIG:
interface Port-channel 30
 switchport trunk allowed vlan x,x,x
 switchport mode trunk
interface GigabitEthernet1/0/12
 switchport trunk allowed vlan x,x,x
 switchport mode trunk
 channel-group 30 mode active
Link is up on both sides but no traffic flow, no ping. Anything I am missing? Do I need a route on the core switch? Drew up a quick pic just for a bit of clarity.
03-22-2020 06:27 AM - edited 03-22-2020 06:35 AM
Hi,
As you are creating layer 3 LACP on the FortiGate, which is untagged, you should configure "switchport mode access" on the Cisco side.
interface Port-channel 30
 switchport access vlan x
 switchport mode access
interface GigabitEthernet1/0/12
 switchport trunk allowed vlan x
 switchport mode access
 channel-group 30 mode active
If you have multiple VLANs spanning to the FortiGate, you should modify the FortiGate's interface configuration to be VLAN capable:
config system interface
    edit PortChannel
        set vdom "root"
        set type aggregate
        set member "port1"
    next
    edit VLAN_X
        set vdom root
        set mode vlan
        set vlanid x  << the vlanid >>
        set interface PortChannel
        set ip 192.168.14.4 255.255.254.0
        set allowaccess ping https http
    next
end
03-22-2020 12:12 PM
Ahh, I understood my mistake, thanks a lot :) .. that is now connecting and I can access 1 VLAN. So if I need to access the other 2 VLANs on the Cisco switch, what is the best way? Is it better to create a VLAN switch on the FortiGate like you mentioned?
interface Port-channel 30
 switchport access vlan x   (we have 2 more VLANs on the switch that need connecting)
 switchport mode access
03-22-2020 06:58 PM - edited 03-22-2020 09:38 PM
Hi,
If you need inter-VLAN routing, you have to plan and decide the network design. Here is an example for your reference:
You put VLAN10, 20, 30's gateways on the FortiGate, so that all inter-VLAN traffic is protected by the firewall.
config system interface
    edit VLAN10
        set vdom root
        set mode vlan
        set vlanid 10
        set interface PortChannel
        set allowaccess ping
        set ip 192.168.10.1/24
    next
    edit VLAN20
        set vdom root
        set mode vlan
        set vlanid 20
        set interface PortChannel
        set allowaccess ping
        set ip 192.168.20.1/24
    next
    edit VLAN30
        set vdom root
        set mode vlan
        set vlanid 30
        set interface PortChannel
        set allowaccess ping
        set ip 192.168.30.1/24
    next
end
interface Port-channel 30
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
interface GigabitEthernet1/0/12
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 channel-group 30 mode active
If your gateways for VLAN20 and VLAN30 are on the Cisco switch (e.g. SVI), you will need to create a transit network between the FortiGate and the Cisco switch, as well as routing between them. For example:
config system interface
    edit VLAN10
        set vdom root
        set mode vlan
        set vlanid 10
        set interface PortChannel
        set allowaccess ping
        set ip 192.168.10.1/24
    next
    edit Transit-subnet
        set vdom root
        set mode vlan
        set vlanid 99
        set interface PortChannel
        set allowaccess ping
        set ip 192.168.99.1/30
    next
end
config router static
    edit 1
        set dst 192.168.20.0/24
        set device Transit-subnet
        set gateway 192.168.99.2
    next
    edit 2
        set dst 192.168.30.0/24
        set device Transit-subnet
        set gateway 192.168.99.2
    next
end
ip routing
vlan 20,30,99
interface VLAN99
 ip address 192.168.99.2 255.255.255.252
ip route 192.168.10.0 255.255.255.0 192.168.99.1
interface VLAN20
 ip address 192.168.20.1 255.255.255.0
interface VLAN30
 ip address 192.168.30.1 255.255.255.0
interface Port-channel 30
 switchport trunk allowed vlan 10,99
 switchport mode trunk
interface GigabitEthernet1/0/12
 switchport trunk allowed vlan 10,99
 switchport mode trunk
 channel-group 30 mode active
So it all basically depends on your network design.
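As an added check, not code from the thread or from Fortinet or Cisco, the following Python models the two ends of the bundle discussed in the accepted answer and in the design post above: it reads a FortiGate "config system interface" fragment and a Cisco port-channel stanza and reports which VLANs will actually carry traffic, reproducing why an IP on the untagged aggregate facing a trunk carried nothing, why the access-port fix works, and why the VLAN10/20/30 sub-interface design passes all three. The interface names, the sample configs and the VLAN 14 used for the access case are constructed assumptions; the parser keys on "set vlanid" and "set interface" only.

```python
import re
def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,20-22,30' into a set of IDs."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def fortigate_side(cfg, parent):
    """(untagged_ip, tagged): IP on the aggregate itself, and VLAN IDs stacked on it."""
    untagged_ip, tagged = False, set()
    for name, body in re.findall(r'edit\s+"?([\w.-]+)"?(.*?)\n\s*next', cfg, re.S):
        vid = re.search(r"set vlanid (\d+)", body)
        if name == parent and re.search(r"set ip \S", body):
            untagged_ip = True  # address on the aggregate: frames leave untagged
        elif vid and re.search(r'set interface "?%s"?' % re.escape(parent), body):
            tagged.add(int(vid.group(1)))
    return untagged_ip, tagged

def cisco_side(cfg, iface):
    """(mode, vlans_passed, untagged_vlan); access ports are modelled as untagged-only."""
    body = re.search(r"interface %s\n(.*?)(?=\ninterface |\Z)" % re.escape(iface), cfg, re.S).group(1)
    if "switchport mode access" in body:
        a = re.search(r"switchport access vlan (\d+)", body)
        vid = int(a.group(1)) if a else 1
        return "access", {vid}, vid
    allowed = re.search(r"switchport trunk allowed vlan ([\d,-]+)", body)
    native = re.search(r"switchport trunk native vlan (\d+)", body)
    passed = expand_vlan_list(allowed.group(1)) if allowed else set(range(1, 4095))
    return "trunk", passed, int(native.group(1)) if native else 1  # untagged -> native VLAN

def check_link(fgt_cfg, parent, sw_cfg, iface):
    """Which VLANs will actually carry traffic across the LACP bundle."""
    untagged_ip, tagged = fortigate_side(fgt_cfg, parent)
    mode, passed, native = cisco_side(sw_cfg, iface)
    tagged_ok = tagged & passed if mode == "trunk" else set()
    untagged = None
    if untagged_ip:  # untagged frames survive only if the native/access VLAN is allowed
        untagged = native if native in passed else "dropped"
    return {"tagged_ok": sorted(tagged_ok), "tagged_dropped": sorted(tagged - tagged_ok),
            "untagged": untagged}

# Constructed samples mirroring the thread: IP on the untagged aggregate (first attempt),
# the same aggregate carrying VLAN 10/20/30 sub-interfaces, and the two Cisco port modes.
FGT_UNTAGGED = 'config system interface\n edit "PortChannel"\n  set type aggregate\n  set ip 192.168.14.4 255.255.254.0\n next\nend'
FGT_TAGGED = 'config system interface\n edit "PortChannel"\n  set type aggregate\n next' + "".join(
    '\n edit "VLAN%d"\n  set vlanid %d\n  set interface "PortChannel"\n  set ip 192.168.%d.1/24\n next' % (v, v, v) for v in (10, 20, 30)) + "\nend"
SW_TRUNK = "interface Port-channel 30\n switchport trunk allowed vlan 10,20,30\n switchport mode trunk\ninterface GigabitEthernet1/0/12\n channel-group 30 mode active"
SW_ACCESS = "interface Port-channel 30\n switchport access vlan 14\n switchport mode access"
```

check_link(FGT_UNTAGGED, "PortChannel", SW_TRUNK, "Port-channel 30") reports the untagged traffic as dropped (native VLAN 1 is not in the allowed list), which is the "link up, no ping" symptom of the first post.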
03-23-2020 01:35 AM - edited 03-23-2020 01:43 AM
Thanks a lot for your explanation. The FortiGate isn't letting me add the transit-subnet, but with the configuration below I am able to get ping/traffic. But let's say I am on a client machine which is on VLAN 20; I cannot ping the FortiGate VLAN 10 addresses.
Do I need any more configuration to allow traffic between VLANs?
config system interface
    edit VLAN10
        set vdom root
        set mode vlan
        set vlanid 10
        set interface PortChannel
        set allowaccess ping
        set ip 192.168.10.1/24
    next
    edit VLAN20
        set vdom root
        set mode vlan
        set vlanid 20
        set interface PortChannel
        set allowaccess ping
        set ip 192.168.20.1/24
    next
    edit VLAN30
        set vdom root
        set mode vlan
        set vlanid 30
        set interface PortChannel
        set allowaccess ping
        set ip 192.168.30.1/24
    next
end
interface Port-channel 30
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
interface GigabitEthernet1/0/12
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 channel-group 30 mode active
03-23-2020 04:13 AM - edited 03-23-2020 04:15 AM
Hi,
With the given configuration, you decided the gateways (for VLAN 10, 20, 30) are on the FortiGate.
So, I assume your clients in the different VLANs will have default gateways as follows:
VLAN10 : 192.168.10.1/24
VLAN20 : 192.168.20.1/24
VLAN30 : 192.168.30.1/24
If the default gateway on your machine (PC) is configured correctly, the inter-VLAN traffic will pass through the FortiGate. You will need to configure a firewall policy to allow such a connection. Did you configure a policy on the FortiGate? Here is an example to allow 192.168.10.0/24 to ping 192.168.20.0/24 and 192.168.30.0/24.
config firewall address
    edit 192.168.10.0/24
        set subnet 192.168.10.0/24
    next
    edit 192.168.20.0/24
        set subnet 192.168.20.0/24
    next
    edit 192.168.30.0/24
        set subnet 192.168.30.0/24
    next
end
config firewall policy
    edit 0
        set srcintf VLAN10
        set dstintf VLAN20 VLAN30
        set srcaddr 192.168.10.0/24
        set dstaddr 192.168.20.0/24 192.168.30.0/24
        set service ALL_ICMP
        set schedule always
        set action accept
    next
end
You may want to configure the FortiGate via the HTTPS GUI, which is more user-friendly.
03-31-2020 12:12 PM
Thanks again and stay safe :)