Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8076
Views
10
Helpful
20
Replies

2960X isn't forwarding packets to Fortigate 100D

Go to solution
NPO-IT
Level 1
Level 1

‎03-15-2019 02:03 PM

I've got a Catalyst 2960X, trying to connect to a Fortigate 100D.  I've created VLAN64 on the FG100 as well as on the 2960.  I configured a trunk port and allowed just that VLAN to pass through.  I've also configured my access ports to be a member of VLAN64.

When I connect a device to an access port, however, the traffic is not making it to the FG100.  When I run a 'sho int xx trunk' on my trunk port, the only VLAN being allowed through is the the default, which should actually be blocked.  I also turned off VTP on the trunk port.

interface GigabitEthernet1/0/1
 switchport access vlan 64
 switchport mode access

and then my trunk port
interface GigabitEthernet1/0/48
description TRUNK
switchport trunk native vlan 64
switchport trunk allowed vlan 64
no vtp

there aren't any rules on the FG restricting traffic to or from this VLAN, so I'm trying to isolate the problem on this switch.  This is the output from a 'sho int gi1/0/48 trunk':

 

Port Mode Encapsulation Status Native vlan
Gi1/0/48 auto 802.1q not-trunking 64

Port Vlans allowed on trunk
Gi1/0/48 1

Port Vlans allowed and active in management domain
Gi1/0/48 1

Port Vlans in spanning tree forwarding state and not pruned
Gi1/0/48 1

 

What am I missing?  Thank you!

2 people had this problem
Labels:
0 Helpful
20 Replies 20

Go to solution
Deepak Kumar
VIP Alumni
VIP Alumni
In response to NPO-IT

‎03-16-2019 11:31 PM

Hi,

If there is only a single VLAN available for configuration then there is no need for the VLAN configuration on the Fortigate Site. 

Your configuration Will be like:

1. Fortigate: Assign IP address directly on the Physical Interface. 

2. Switchport: Switchport mode configured as Access and run below commands:

Interface fas X/X/X

Switchport mode access

switc port access vlan 64

 

(If there will multiple VLANs on the Fortigate then VLAN ID 0 will be untagged VLAN. Note: VLAN ID 0 is not standard and this is not available on Cisco switches. As FortiGate firewall is not fully Switch then there is an issue with Untagged VLAN configuration so he is showing option as VLAN 0).

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Go to solution
NPO-IT
Level 1
Level 1
In response to balaji.bandi

‎03-28-2019 12:58 PM

It was changing the VLAN from 1 to 64, but keeping the addressing the same, that did it. I made the change, and after a few minutes (I'm not sure why it took that long to effect...there are no hops between this switch and the router), I was able to see traffic from the switch show up on the router. Thank you very much for your help!
0 Helpful

Go to solution
Deepak Kumar
VIP Alumni
VIP Alumni
In response to NPO-IT

‎03-28-2019 10:55 PM

Hi,

I am happy that my solution has worked for you. Don't forget to vote for a helpful solution and accept a solution.

 

Regards,
Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to NPO-IT

‎03-18-2019 06:55 AM

Thanks for posting the configs. Can you clarify which port on the 2960 connects to fortunate? If it is G1/0/46 then the switch will be sending frames for vlan 46 as tagged frames. If any other port is connected to fortigate then it will be sending simple Ethernet frames (no tagging). Is fortigate able to handle tagged frames in its current configuration?

 

There was a question in the preceding discussion about whether to use a trunk or not. Based on current configuration the big majority of your ports are in vlan 64, with a few ports not configured and so in vlan 1. You comment that in future you may want/need to configure additional vlans. If there will be multiple vlans that need to access the fortigate then you will need a trunk and so might as well set it up now. If fortigate will need to see only a single vlan (if other vlans on the switch do not need to go through fortigate) then an access port (untagged) is simpler and better.

 

HTH

 

Rick

HTH

Rick
0 Helpful

Go to solution
Georg Pauwen
VIP
VIP

‎03-16-2019 01:29 AM

Hello,

 

post the Fortigate port and vlan configuration as well...

0 Helpful

Go to solution
Deepak Kumar
VIP Alumni
VIP Alumni

‎03-16-2019 03:27 AM

Hi,

If you had configured a VLAN on the Fortigate then this VLAN ID must be assigned on Switch trunk port as tagged VLAN. If you assigned an IP address on the Physical port then it will count as native VLAN. 

 

Interface GigabitEthernet1/0/48
description TRUNK
switchport trunk allowed vlan 64
no vtp 

 

Regards,
Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card