Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8070
Views
10
Helpful
20
Replies

2960X isn't forwarding packets to Fortigate 100D

Go to solution
NPO-IT
Level 1
Level 1

‎03-15-2019 02:03 PM

I've got a Catalyst 2960X, trying to connect to a Fortigate 100D.  I've created VLAN64 on the FG100 as well as on the 2960.  I configured a trunk port and allowed just that VLAN to pass through.  I've also configured my access ports to be a member of VLAN64.

When I connect a device to an access port, however, the traffic is not making it to the FG100.  When I run a 'sho int xx trunk' on my trunk port, the only VLAN being allowed through is the the default, which should actually be blocked.  I also turned off VTP on the trunk port.

interface GigabitEthernet1/0/1
 switchport access vlan 64
 switchport mode access

and then my trunk port
interface GigabitEthernet1/0/48
description TRUNK
switchport trunk native vlan 64
switchport trunk allowed vlan 64
no vtp

there aren't any rules on the FG restricting traffic to or from this VLAN, so I'm trying to isolate the problem on this switch.  This is the output from a 'sho int gi1/0/48 trunk':

 

Port Mode Encapsulation Status Native vlan
Gi1/0/48 auto 802.1q not-trunking 64

Port Vlans allowed on trunk
Gi1/0/48 1

Port Vlans allowed and active in management domain
Gi1/0/48 1

Port Vlans in spanning tree forwarding state and not pruned
Gi1/0/48 1

 

What am I missing?  Thank you!

2 people had this problem
Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to NPO-IT

‎03-16-2019 01:38 PM

Orginal post you had configured Trunk, but now your post do not have that config..

 

 

Couple of suggestions here :

 

If fortigate side you required Trunk below changes required and test it

 

interface GigabitEthernet1/0/48
description TRUNK
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 64
switchport mode trunk

interface Vlan1   <---- this should change to Vlan 64
 ip address 192.168.64.2 255.255.255.0

 

If fortigate sire not Trunk required you can also achieve this by below config :

 

 

interface GigabitEthernet1/0/48
 switchport access vlan 64
 switchport mode access
interface Vlan1   <---- this should change to Vlan 64
 ip address 192.168.64.2 255.255.255.0

 

Another thing i see on Fortigate you have many vDom, what is the reason ? do you have high level topology ?

 

make sense ?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

Go to solution
Deepak Kumar
VIP Alumni
VIP Alumni
In response to NPO-IT

‎03-16-2019 11:31 PM

Hi,

If there is only a single VLAN available for configuration then there is no need for the VLAN configuration on the Fortigate Site. 

Your configuration Will be like:

1. Fortigate: Assign IP address directly on the Physical Interface. 

2. Switchport: Switchport mode configured as Access and run below commands:

Interface fas X/X/X

Switchport mode access

switc port access vlan 64

 

(If there will multiple VLANs on the Fortigate then VLAN ID 0 will be untagged VLAN. Note: VLAN ID 0 is not standard and this is not available on Cisco switches. As FortiGate firewall is not fully Switch then there is an issue with Untagged VLAN configuration so he is showing option as VLAN 0).

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

View solution in original post

20 Replies 20

Go to solution
Jaderson Pessoa
VIP Alumni
VIP Alumni

‎03-15-2019 02:14 PM

Hello @NPO-IT 

 

interface GigabitEthernet1/0/1 < This port go to your PC?
 switchport access vlan 64
 switchport mode access

and then my trunk port
interface GigabitEthernet1/0/48    < this go to FORTIGATE?
description TRUNK
switchport mode trunk
switchport trunk native vlan 64 << remove this command
switchport trunk allowed vlan 64


 

check if vlan 64 is already up/up.  

 

show ip interface brief   < post the output here

show vlan brief < post the output here

 

Thanks in advance

Jaderson Pessoa
*** Rate All Helpful Responses ***
0 Helpful

Go to solution
NPO-IT
Level 1
Level 1
In response to Jaderson Pessoa

‎03-15-2019 04:25 PM - edited ‎03-15-2019 04:27 PM

Hi,

I removed the native vlan command, and posting output from the sho commands

 

Interface IP-Address OK? Method Status Protocol
Vlan1 192.168.64.2 YES manual up up
FastEthernet0 unassigned YES manual down down
GigabitEthernet1/0/1 unassigned YES unset up up
GigabitEthernet1/0/2 unassigned YES unset down down
GigabitEthernet1/0/3 unassigned YES unset down down
GigabitEthernet1/0/4 unassigned YES unset down down
GigabitEthernet1/0/5 unassigned YES unset down down
GigabitEthernet1/0/6 unassigned YES unset down down
GigabitEthernet1/0/7 unassigned YES unset down down
GigabitEthernet1/0/8 unassigned YES unset down down
GigabitEthernet1/0/9 unassigned YES unset down down
GigabitEthernet1/0/10 unassigned YES unset down down
GigabitEthernet1/0/11 unassigned YES unset down down
GigabitEthernet1/0/12 unassigned YES unset down down
GigabitEthernet1/0/13 unassigned YES unset down down
GigabitEthernet1/0/14 unassigned YES unset down down
GigabitEthernet1/0/15 unassigned YES unset down down
GigabitEthernet1/0/16 unassigned YES unset down down
GigabitEthernet1/0/17 unassigned YES unset down down
GigabitEthernet1/0/18 unassigned YES unset down down
GigabitEthernet1/0/19 unassigned YES unset down down
GigabitEthernet1/0/20 unassigned YES unset down down
GigabitEthernet1/0/21 unassigned YES unset down down
GigabitEthernet1/0/22 unassigned YES unset down down
GigabitEthernet1/0/23 unassigned YES unset down down
GigabitEthernet1/0/24 unassigned YES unset down down
GigabitEthernet1/0/25 unassigned YES unset down down
GigabitEthernet1/0/26 unassigned YES unset down down
GigabitEthernet1/0/27 unassigned YES unset down down
GigabitEthernet1/0/28 unassigned YES unset down down
GigabitEthernet1/0/29 unassigned YES unset down down
GigabitEthernet1/0/30 unassigned YES unset down down
GigabitEthernet1/0/31 unassigned YES unset down down
GigabitEthernet1/0/32 unassigned YES unset down down
GigabitEthernet1/0/33 unassigned YES unset down down
GigabitEthernet1/0/34 unassigned YES unset down down
GigabitEthernet1/0/35 unassigned YES unset down down
GigabitEthernet1/0/36 unassigned YES unset down down
GigabitEthernet1/0/37 unassigned YES unset down down
GigabitEthernet1/0/38 unassigned YES unset down down
GigabitEthernet1/0/39 unassigned YES unset down down
GigabitEthernet1/0/40 unassigned YES unset down down
GigabitEthernet1/0/41 unassigned YES unset down down
GigabitEthernet1/0/42 unassigned YES unset down down
GigabitEthernet1/0/43 unassigned YES unset down down
GigabitEthernet1/0/44 unassigned YES unset down down
GigabitEthernet1/0/45 unassigned YES unset down down
GigabitEthernet1/0/46 unassigned YES unset down down
GigabitEthernet1/0/47 unassigned YES unset down down
GigabitEthernet1/0/48 unassigned YES unset up up
GigabitEthernet1/0/49 unassigned YES unset down down
GigabitEthernet1/0/50 unassigned YES unset down down
GigabitEthernet1/0/51 unassigned YES unset down down
GigabitEthernet1/0/52 unassigned YES unset down down

and

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/46, Gi1/0/48, Gi1/0/49
                                                Gi1/0/50, Gi1/0/51, Gi1/0/52
64   SERVER_SUBNET                    active    Gi1/0/1, Gi1/0/2, Gi1/0/3
                                                Gi1/0/4, Gi1/0/5, Gi1/0/6
                                                Gi1/0/7, Gi1/0/8, Gi1/0/9
                                                Gi1/0/10, Gi1/0/11, Gi1/0/12
                                                Gi1/0/13, Gi1/0/14, Gi1/0/15
                                                Gi1/0/16, Gi1/0/17, Gi1/0/18
                                                Gi1/0/19, Gi1/0/20, Gi1/0/21
                                                Gi1/0/22, Gi1/0/23, Gi1/0/24
                                                Gi1/0/25, Gi1/0/26, Gi1/0/27
                                                Gi1/0/28, Gi1/0/29, Gi1/0/30
                                                Gi1/0/31, Gi1/0/32, Gi1/0/33
                                                Gi1/0/34, Gi1/0/35, Gi1/0/36
                                                Gi1/0/37, Gi1/0/38, Gi1/0/39
                                                Gi1/0/40, Gi1/0/41, Gi1/0/42
                                                Gi1/0/43, Gi1/0/44, Gi1/0/45
                                                Gi1/0/47
65   WORKSTATIONS                     active
99   NATIVE_VLAN_NO_USE               active

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

Related question: If I don't designate a native VLAN, doesn't that mean it's going to be VLAN1?  I was under the impression that I could block this vlan from traversing so that it doesn't carry any network data, but it would still work to carry diagnostic and 'behind the scenes' data so switches can talk to each other (and the router)?  Thank you for your quick reply!

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎03-15-2019 02:20 PM - edited ‎03-15-2019 02:39 PM

Firstly have you created the Vlan 64 ? 

 

config t

vlan 64

!

exit

 

Are you configured Fortigate 100D side port as Trunk ? or IP address, then where you connecting Fortigate 100D should be access port to that VLAN in your case may be VLAN 64.

 

So high level you should expect like this

 

PC ----Connect to switch port( Access VLAN 64 config) -----Siwtchh ( Access port vlan 64) --- Fortigate 100D

 

PC and fotigate have same VLAN and IP address

 

make sense ?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
NPO-IT
Level 1
Level 1
In response to balaji.bandi

‎03-15-2019 05:59 PM

VLAN64 is created on the switch and the Fortigate.  On the Fortigate, I've bound the VLAN (along with others that are working as expected) to a grouping of ports on the appliance

0 Helpful

Go to solution
Jaderson Pessoa
VIP Alumni
VIP Alumni
In response to NPO-IT

‎03-15-2019 07:28 PM

in this case, could you provide a full configuration of this switch?

show vtp status if possible
Jaderson Pessoa
*** Rate All Helpful Responses ***
0 Helpful

Go to solution
NPO-IT
Level 1
Level 1
In response to Jaderson Pessoa

‎03-16-2019 09:21 AM - edited ‎03-16-2019 09:39 AM

Here's the config from the 2960:

Building configuration...

Current configuration : 6643 bytes
!
! Last configuration change at 04:54:54 UTC Fri Mar 15 2019
! NVRAM config last updated at 00:55:52 UTC Fri Mar 15 2019
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SERVER_ROOM_2960x
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret 5 $1$grHf$pa9wU6/Nxq45jGZpBJzEl0
!
no aaa new-model
clock timezone UTC -10 0
switch 1 provision ws-c2960x-48lps-l
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-3885568128
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3885568128
 revocation-check none
 rsakeypair TP-self-signed-3885568128
!
!
crypto pki certificate chain TP-self-signed-3885568128
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33383835 35363831 3238301E 170D3139 30313238 30373537
  35395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65725469 66696361 74652D33 38383535
  36383132 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100CAE1 05DB1838 AC575BD0 F3077E0A 31F9F593 F412CBDA 2688DBC8 32FBE1C2
  321D523B 0B7E073B A2B40D47 6731D92D F6842022 F7E4602B BDDFC8DF 03D2A068
  9B08B919 72DA9ABF 5082DF11 25497F80 49B39C8A B98DF4E6 59C48149 EA24DD79
  94C4C33F 53F0E142 AFD9B57F E58BD225 D1E0A01F C29CB92A 5513FBC2 E97D891F
  B96F0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 14ED5713 B892BE83 995C9F45 6219BBA6 7E3DC70A 74301D06
  03551D0E 04160414 ED5713B8 92BE8399 5C9F4562 19BBA67E 3DC70A74 300D0609
  2A864886 F70D0101 05050003 8181002E 3764AA3A 480BD138 23A6C285 F8190032
  F0910377 67E495E2 5C2BB05D C2E902DD EC8B30E5 AFBECD3E B0E7EE12 EAE795E5
  434BD668 C3A294EE 0462A85B 57DAFCDD 9B0F997A 2F6E63F2 66783D93 51971640
  1BEF5F6E 37F180F1 FADBC3E3 3BE8C088 20115C0C 922F33F0 4BD448FA 15D09F80
  50D1E74F 1392092E 219029D4 35B31D
        quit
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
 no ip address
!
interface GigabitEthernet1/0/1
 switchport access vlan 64
 switchport mode access
!
interface GigabitEthernet1/0/2
 switchport access vlan 64
 switchport mode access
!
interface GigabitEthernet1/0/3
 switchport access vlan 64
 switchport mode access
!
interface GigabitEthernet1/0/4
 switchport access vlan 64
 switchport mode access
!
interface GigabitEthernet1/0/5
 switchport access vlan 64
 switchport mode access
!
interface GigabitEthernet1/0/6
 switchport access vlan 64
 switchport mode access
!
interface GigabitEthernet1/0/7
 switchport access vlan 64
 switchport mode access
!
interface GigabitEthernet1/0/8
 switchport access vlan 64
 switchport mode access
!
interface GigabitEthernet1/0/9
 switchport access vlan 64
 switchport mode access
!
interface GigabitEthernet1/0/10
 switchport access vlan 64
 switchport mode access
!
interface GigabitEthernet1/0/11
 switchport access vlan 64
 switchport mode access
!
interface GigabitEthernet1/0/12
 switchport access vlan 64
 switchport mode access
!
interface GigabitEthernet1/0/13
 switchport access vlan 64
 switchport mode access
!
interface GigabitEthernet1/0/14
 switchport access vlan 64
 switchport mode access
!
interface GigabitEthernet1/0/15
 switchport access vlan 64
 switchport mode access
!
interface GigabitEthernet1/0/16
 switchport access vlan 64
 switchport mode access
!
interface GigabitEthernet1/0/17
 switchport access vlan 64
 switchport mode access
!
interface GigabitEthernet1/0/18
 switchport access vlan 64
 switchport mode access
!
interface GigabitEthernet1/0/19
 switchport access vlan 64
 switchport mode access
!
interface GigabitEthernet1/0/20
 switchport access vlan 64
 switchport mode access
!
interface GigabitEthernet1/0/21
 switchport access vlan 64
 switchport mode access
!
interface GigabitEthernet1/0/22
 switchport access vlan 64
 switchport mode access
!
interface GigabitEthernet1/0/23
 switchport access vlan 64
 switchport mode access
!
interface GigabitEthernet1/0/24
 switchport access vlan 64
 switchport mode access
!
interface GigabitEthernet1/0/25
 switchport access vlan 64
 switchport mode access
!
interface GigabitEthernet1/0/26
 switchport access vlan 64
 switchport mode access
!
interface GigabitEthernet1/0/27
 switchport access vlan 64
 switchport mode access
!
interface GigabitEthernet1/0/28
 switchport access vlan 64
 switchport mode access
!
interface GigabitEthernet1/0/29
 switchport access vlan 64
 switchport mode access
!
interface GigabitEthernet1/0/30
 switchport access vlan 64
 switchport mode access
!
interface GigabitEthernet1/0/31
 switchport access vlan 64
 switchport mode access
!
interface GigabitEthernet1/0/32
 switchport access vlan 64
 switchport mode access
!
interface GigabitEthernet1/0/33
 switchport access vlan 64
 switchport mode access
!
interface GigabitEthernet1/0/34
 switchport access vlan 64
 switchport mode access
!
interface GigabitEthernet1/0/35
 switchport access vlan 64
 switchport mode access
!
interface GigabitEthernet1/0/36
 switchport access vlan 64
 switchport mode access
!
interface GigabitEthernet1/0/37
 switchport access vlan 64
 switchport mode access
!
interface GigabitEthernet1/0/38
 switchport access vlan 64
 switchport mode access
!
interface GigabitEthernet1/0/39
 switchport access vlan 64
 switchport mode access
!
interface GigabitEthernet1/0/40
 switchport access vlan 64
 switchport mode access
!
interface GigabitEthernet1/0/41
 switchport access vlan 64
 switchport mode access
!
interface GigabitEthernet1/0/42
 switchport access vlan 64
 switchport mode access
!
interface GigabitEthernet1/0/43
 switchport access vlan 64
 switchport mode access
!
interface GigabitEthernet1/0/44
 switchport access vlan 64
 switchport mode access
!
interface GigabitEthernet1/0/45
 switchport access vlan 64
 switchport mode access
!
interface GigabitEthernet1/0/46
 switchport mode trunk
!
interface GigabitEthernet1/0/47
 switchport access vlan 64
 switchport mode access
!
interface GigabitEthernet1/0/48
 description TRUNK LINE - NO ENDPOINT CONNECT
 no vtp
!
interface GigabitEthernet1/0/49
!
interface GigabitEthernet1/0/50
!
interface GigabitEthernet1/0/51
!
interface GigabitEthernet1/0/52
!
interface Vlan1
 ip address 192.168.64.2 255.255.255.0
!
ip http server
ip http secure-server
!
!
!
no vstack
!
line con 0
line vty 0 4
 password ***
 login
line vty 5 15
 password ***
 login
!
end

and here's the config from the FG

#config-version=FG100D-5.6.8-FW-build1672-190130:opmode=0:vdom=0:user=admin
#conf_file_ver=335776248312162
#buildno=1672
#global_vdom=1
#dedicated-management=dmgmt-vdom
config system global
    set admin-sport 8443
    set admintimeout 30
    set alias "FG100"
    set compliance-check disable
    set disk-usage log
    set hostname "B-F100D"
    set revision-backup-on-logout enable
    set revision-image-auto-backup enable
    set timezone 02
end
config system accprofile
    edit "prof_admin"
        set mntgrp read-write
        set admingrp read-write
        set updategrp read-write
        set authgrp read-write
        set sysgrp read-write
        set netgrp read-write
        set loggrp read-write
        set routegrp read-write
        set fwgrp read-write
        set vpngrp read-write
        set utmgrp read-write
        set wanoptgrp read-write
        set endpoint-control-grp read-write
        set wifi read-write
    next
end
config system interface
    edit "wan1"
        set vdom "root"
        set ip 199.xxx.x.xx 255.255.255.248
        set vlanforward enable
        set status down
        set type physical
        set description "ISP Connection"
        set alias "ISP"
        set snmp-index 1
    next
    edit "dmz"
        set vdom "root"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https http
        set vlanforward enable
        set type physical
        set description "DMZ Interface"
        set alias "DMZ"
        set snmp-index 2
    next
    edit "modem"
        set vdom "root"
        set mode pppoe
        set allowaccess capwap
        set vlanforward enable
        set type physical
        set snmp-index 3
    next
    edit "ssl.root"
        set vdom "root"
        set allowaccess capwap
        set type tunnel
        set alias "sslvpn tunnel interface"
        set snmp-index 4
    next
    edit "wan2"
        set vdom "root"
        set ip xx.x.xx.xx 255.255.255.248
        set allowaccess https http
        set vlanforward enable
        set type physical
        set alias "ISP2"
        set estimated-upstream-bandwidth 25000
        set estimated-downstream-bandwidth 300000
        set role wan
        set snmp-index 7
    next
    edit "mgmt"
        set vdom "dmgmt-vdom"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https fgfm
        set vlanforward enable
        set status down
        set type physical
        set snmp-index 8
    next
    edit "ha1"
        set vdom "root"
        set allowaccess capwap
        set vlanforward enable
        set status down
        set type physical
        set snmp-index 9
    next
    edit "ha2"
        set vdom "root"
        set allowaccess capwap
        set vlanforward enable
        set status down
        set type physical
        set snmp-index 10
    next
    edit "port9"
        set vdom "root"
        set type physical
        set snmp-index 22
    next
    edit "port10"
        set vdom "root"
        set type physical
        set snmp-index 21
    next
    edit "port11"
        set vdom "root"
        set type physical
        set snmp-index 20
    next
    edit "port12"
        set vdom "root"
        set type physical
        set snmp-index 26
    next
    edit "port13"
        set vdom "root"
        set type physical
        set snmp-index 19
    next
    edit "internal"
        set vdom "root"
        set dhcp-relay-service enable
        set ip 192.168.64.1 255.255.255.0
        set allowaccess ping https ssh
        set vlanforward enable
        set type hard-switch
        set stp enable
        set device-identification enable
        set device-identification-active-scan enable
        set role lan
        set snmp-index 11
        set dhcp-relay-ip "192.168.64.30" 
    next
    edit "LOCAL"
        set vdom "root"
        set ip 169.254.1.1 255.255.255.255
        set type tunnel
        set remote-ip 169.254.1.1 255.255.255.255
        set snmp-index 6
        set interface "wan2"
    next
    edit "BACH_TO_WAH"
        set vdom "root"
        set type tunnel
        set snmp-index 5
        set interface "wan2"
    next
    edit "B_TO_H"
        set vdom "root"
        set type tunnel
        set snmp-index 12
        set interface "wan2"
    next
    edit "VPN"
        set vdom "root"
        set ip 169.254.1.2 255.255.255.255
        set type tunnel
        set remote-ip 169.254.1.2 255.255.255.255
        set fortiheartbeat enable
        set snmp-index 13
        set interface "wan2"
    next
    edit "VLAN55"
        set vdom "root"
        set dhcp-relay-service enable
        set ip 192.168.55.1 255.255.255.0
        set allowaccess ping
        set alias "VoIP"
        set role lan
        set snmp-index 25
        set dhcp-relay-ip "192.168.64.30" 
        set interface "internal"
        set vlanid 55
    next
    edit "VLAN65"
        set vdom "root"
        set dhcp-relay-service enable
        set ip 192.168.65.1 255.255.255.0
        set allowaccess ping https http
        set alias "WORKSTATIONS and WIFI"
        set role lan
        set snmp-index 14
        set dhcp-relay-ip "192.168.64.30" 
        set interface "internal"
        set vlanid 65
    next
    edit "ISOLATE"
        set vdom "root"
        set ip 10.0.1.1 255.255.255.0
        set allowaccess ping https http
        set type hard-switch
        set alias "ISO"
        set device-identification enable
        set role lan
        set snmp-index 15
    next
    edit "Emergency"
        set vdom "root"
        set dhcp-relay-service enable
        set ip 192.168.99.1 255.255.255.0
        set allowaccess ping https http
        set type hard-switch
        set device-identification enable
        set role lan
        set snmp-index 16
        set dhcp-relay-ip "192.168.64.30" 
    next
    edit "VLAN64"
        set vdom "root"
        set dhcp-relay-service enable
        set ip 192.168.22.1 255.255.255.0
        set allowaccess ping https http
        set alias "SERVERS and DEVICES"
        set device-identification enable
        set role lan
        set snmp-index 18
        set dhcp-relay-ip "192.168.64.30" 
        set interface "internal"
        set vlanid 64
    next
end
config system physical-switch
    edit "sw0"
        set age-val 0
    next
end
config system virtual-switch
    edit "internal"
        set physical-switch "sw0"
        config port
            edit "port1"
            next
            edit "port2"
            next
            edit "port3"
            next
            edit "port4"
            next
            edit "port5"
            next
            edit "port6"
            next
            edit "port7"
            next
            edit "port8"
            next
        end
    next
    edit "ISOLATE"
        set physical-switch "sw0"
        config port
            edit "port15"
            next
            edit "port16"
            next
        end
    next
    edit "Emergency"
        set physical-switch "sw0"
        config port
            edit "port14"
            next
        end
    next
end

And here is the result from a show vtp status:

VTP Version capable             : 1 to 3
VTP version running             : 1
VTP Domain Name                 :
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 34f8.e799.1080
Configuration last modified by 192.168.64.2 at 3-15-19 08:19:05
Local updater ID is 192.168.64.2 on interface Vl1 (lowest numbered VLAN interface found)

Feature VLAN:
--------------
VTP Operating Mode                : Server
Maximum VLANs supported locally   : 1005
Number of existing VLANs          : 8
Configuration Revision            : 3
MD5 digest                        : 0xAD 0x74 0xE1 0x15 0x35 0x98 0x2E 0xED
                                    0x4C 0xC4 0xA6 0xAB 0x02 0xB6 0x3F 0xC3
0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to NPO-IT

‎03-16-2019 01:38 PM

Orginal post you had configured Trunk, but now your post do not have that config..

 

 

Couple of suggestions here :

 

If fortigate side you required Trunk below changes required and test it

 

interface GigabitEthernet1/0/48
description TRUNK
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 64
switchport mode trunk

interface Vlan1   <---- this should change to Vlan 64
 ip address 192.168.64.2 255.255.255.0

 

If fortigate sire not Trunk required you can also achieve this by below config :

 

 

interface GigabitEthernet1/0/48
 switchport access vlan 64
 switchport mode access
interface Vlan1   <---- this should change to Vlan 64
 ip address 192.168.64.2 255.255.255.0

 

Another thing i see on Fortigate you have many vDom, what is the reason ? do you have high level topology ?

 

make sense ?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to balaji.bandi

‎03-16-2019 03:18 PM

Perhaps it reflects my lack of experience with fortigate. I see where the vlan is configured but I do not see where any port/interface is assigned to that vlan. Is it there and I missed it?

 

HTH

 

Rick

HTH

Rick
0 Helpful

Go to solution
NPO-IT
Level 1
Level 1
In response to Richard Burts

‎03-16-2019 08:00 PM

Hi Rick,

I can designate any number of of the FG's physical ports to an internal switch, and any VLANs I create under that switch are reachable on all ports.  I really like this, as we have a relatively flat network so I don't have to worry about managing individual ports at least on that appliance

0 Helpful

Go to solution
NPO-IT
Level 1
Level 1
In response to balaji.bandi

‎03-16-2019 07:56 PM

Thanks BB!

I didn't think i needed to specify the encapsulation in the config, but i'll try it with.  Also, I mindlessly set up VLAN1 without thinking about the fact that I needed it to be 64 later.  The fortigate allows me to assign VLANs to a hardware switch without having to declare a specific trunk port.  Should I still convert the trunk port a regular access port, like in your second code snippet?  I'd like it to behave as a trunk even though there's only a single VLAN right now...I may need to add VLANs in the near future.

On the FG, I've only got the one vdom, "root", and everything is attached to that.  there's an internal mgmt one that is a default from the factory, assigned to one of the management ports, though.  Thank you again!

0 Helpful

Go to solution
Deepak Kumar
VIP Alumni
VIP Alumni
In response to NPO-IT

‎03-16-2019 10:20 PM

Hi,

In the Fortigate firewall, There is no option to mark a port as Trunk or access. Whenever you will configure VLAN on a port will be treated as a trunk port. 

Here is the complete guide from the FortiGate:

http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%205.0%20Help/VLANs.103.17.html

 

http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%205.0%20Help/VLANs.103.24.html

 

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
0 Helpful

Go to solution
NPO-IT
Level 1
Level 1
In response to Deepak Kumar

‎03-16-2019 10:49 PM

This is correct, Deepak.  That's what I was trying to articulate to Rick.  Thank you for the follow up...and for replying on a weekend!

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to NPO-IT

‎03-17-2019 01:32 AM

what i would like to gudie you,  @Deepak Kumar  much ahead and guided to fix the thing to work.

 

You choose what you want to configure to keep the futrue in mind.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
NPO-IT
Level 1
Level 1
In response to balaji.bandi

‎03-16-2019 11:08 PM

One more question re configuring VLAN64 explicitly...why do i do this instead of VLAN1? is it because i want to use it as my native VLAN?
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card