
I am setting up a 2-link Ethernet trunk between a Cisco switch and a Fortinet 100E firewall. So far the below is working (I can ping from the Cisco 192.168.1.2 and get replies from the Fortinet 192.168.1.1):

interface Port-channel1
 switchport trunk native vlan 1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 255
 switchport mode trunk
!
interface FastEthernet0/1
 switchport trunk native vlan 1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 255
 switchport mode trunk
 channel-group 1 mode active
!
interface FastEthernet0/2
 switchport trunk native vlan 1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 255
 switchport mode trunk
 channel-group 1 mode active
!
interface vlan255
 ip address 192.168.1.2 255.255.255.0

And as per https://forum.fortinet.com/tm.aspx?m=106460 the above is not a LACP trunk (although it does work), and instead should be:

int range gi 1/0/1-2
no shut
switchport
channel-group 1 mode active
channel-protocol lacp
load-interval 30
logging event link-status
logging event bundle-status
!

I have a couple of questions please:

  1. If the way I have done it is not true LACP, how come it is working with the Fortinet (which is set for 802.3ad Aggregate)? Seems setting channel-protocol lacp on my ports makes no difference (is it LACP by default)?

  2. If I want to move my native VLAN from 1 to 10, would this stop the trunk from working (as I can't see where to define the native VLAN on the Fortinet, and as I understand it LACP negotiation goes over the native VLAN)?

  3. I see on the Fortinet there is the default network upon which VLANs are added - I have currently set this to no IP 0.0.0.0/0, but is there any way to remove this entirely and just have the VLANs? Or should one instead put the management IP on this default network? What is best practice?


morleyc
  • You are not even allowing the native VLAN on the trunk. The only VLAN allowed on the Cisco trunk is VLAN 255, which is not defined as the native VLAN. Some devices (perhaps Fortigate?) only allow VLAN 1 as the default and native VLAN. – Ron Maupin Oct 16 '17 at 18:04

2 Answers


If the way i have done is not true LACP, how come it is working with the Fortinet (which is set for 802.3ad Aggregate)? Seems setting channel-protocol lacp on my ports makes no difference (is it LACP by default)?

By using channel-group 1 mode active you have defined the etherchannel to use LACP unconditionally.

Depending on platform you have additional keywords to use in place of active, but no matter the platform, they have the same meaning on Cisco platforms. For example:

  • on : statically configures the port as part of the etherchannel
  • active : use LACP
  • passive : use LACP only if a connected device running LACP is detected
  • auto : use PAgP (Cisco proprietary link aggregation) if connected to a device that initiates PAgP (doesn't initiate negotiations itself)
  • desirable : use PAgP and attempt to initiate negotiation of PAgP

The reason the Fortinet post may be correct is that the configuration it is referencing only lists a port channel configuration, but doesn't list any port configuration that includes a channel-group command.

The channel-protocol lacp command is only relevant on a platform that by default only does PAgP and needs to be switched to LACP mode (this may be a port-level or module-level configuration). AFAIK, this is unnecessary configuration on the 3750G as listed in the post.

If i want to move my native vlan from 1 to 10, would this stop the trunk from working (as i cant see where to define native vlan on Fortinet, as i understand LACP negotiation goes over native vlan)?

I would recommend against changing the native VLAN as doing otherwise can hit a number of Cisco LACP bugs that result in LACP PDUs being tagged (which they shouldn't be according to the standard). Examples of such bugs are CSCsh97848 or CSCse14774 (may need Cisco TAC login to view).

While most of these bugs have been addressed by Cisco, you don't mention the platform or code version, so this is generally the safest approach when connecting Cisco devices to other vendors' equipment.

I see on the Fortinet there is the default network upon which VLANs are added - i have currently set this to no ip 0.0.0.0/0 but is there any way to remove this entirely and just have the VLANs? Or should one instead put the management IP on this default network? What is best practice?

Your screenshot shows the link aggregation interface with the physical interfaces that are part of it, as well as the subinterfaces. There is no way to remove the main interface from the configuration (i.e. you need to have the main interface to base the subinterfaces on) and having no IP address assigned isn't a problem if you aren't using it.

As for best practices, it is the best practice to keep the management interface on a secure subnet/VLAN. Other than that, it is what is best in your network configuration so what you have may be fine.

However I will point out that you are only allowing one VLAN on the Cisco side of your configuration, namely VLAN 255. So odds are good that while it appears you have two VLAN subinterfaces configured on the link aggregated interface, only one of them is actually usable.

YLearn
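As an added example (not code from the question or from either answer), the Python script below applies two points made in this thread to the configuration posted in the question: it maps each member port's channel-group mode keyword to the protocol it negotiates (the keyword list above), and it flags the allowed/native VLAN mismatch that Ron Maupin's comment and the last paragraph of this answer point out, plus any member whose trunk settings differ from its Port-channel. The configuration is embedded inline as a constructed sample; the IOS-style parsing is deliberately simplified (no `interface range`, no `remove`/`except` VLAN-list keywords) and the finding texts are this example's own wording.

```python
# Added example: audit a Cisco IOS trunk/EtherChannel configuration for the
# problems discussed in the thread. Parsing is simplified and not a full IOS parser.

# Constructed sample: the configuration from the question, embedded inline.
SAMPLE_CONFIG = """\
interface Port-channel1
 switchport trunk native vlan 1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 255
 switchport mode trunk
!
interface FastEthernet0/1
 switchport trunk native vlan 1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 255
 switchport mode trunk
 channel-group 1 mode active
!
interface FastEthernet0/2
 switchport trunk native vlan 1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 255
 switchport mode trunk
 channel-group 1 mode active
!
interface vlan255
 ip address 192.168.1.2 255.255.255.0
"""

# channel-group mode keyword -> negotiation protocol, per the keyword list in the answer.
CHANNEL_MODE_PROTOCOL = {
    "on": "static",       # no negotiation at all
    "active": "LACP",
    "passive": "LACP",
    "auto": "PAgP",
    "desirable": "PAgP",
}


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '1,10-12,255' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_interfaces(config):
    """Return {interface name: settings} for every 'interface' block.

    allowed=None means the IOS default (all VLANs allowed); native defaults to 1.
    """
    interfaces = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = {"trunk": False, "native": 1, "allowed": None, "channel_group": None}
            continue
        if current is None or not line.startswith(" "):
            current = None  # '!' or any unindented line ends the block
            continue
        tokens = line.split()
        cmd = " ".join(tokens)
        intf = interfaces[current]
        if cmd == "switchport mode trunk":
            intf["trunk"] = True
        elif cmd.startswith("switchport trunk native vlan "):
            intf["native"] = int(tokens[-1])
        elif cmd.startswith("switchport trunk allowed vlan "):
            spec = tokens[-1]
            if spec == "all":
                intf["allowed"] = None
            elif spec == "none":
                intf["allowed"] = set()
            elif tokens[4] == "add":
                if intf["allowed"] is not None:  # adding to "all" is still "all"
                    intf["allowed"] |= expand_vlan_list(spec)
            else:
                intf["allowed"] = expand_vlan_list(spec)
        elif cmd.startswith("channel-group ") and "mode" in tokens:
            intf["channel_group"] = (int(tokens[1]), tokens[tokens.index("mode") + 1])
    return interfaces


def channel_protocols(interfaces):
    """Map channel-group id -> set of protocols its member ports negotiate with."""
    protocols = {}
    for intf in interfaces.values():
        if intf["channel_group"]:
            gid, mode = intf["channel_group"]
            protocols.setdefault(gid, set()).add(CHANNEL_MODE_PROTOCOL.get(mode, "unknown"))
    return protocols


def audit(config):
    """Return a list of findings for the trunk/EtherChannel issues raised in the thread."""
    interfaces = parse_interfaces(config)
    findings = []
    for name, intf in interfaces.items():
        # A native VLAN missing from the allowed list means untagged frames are dropped.
        if intf["trunk"] and intf["allowed"] is not None and intf["native"] not in intf["allowed"]:
            findings.append(f"{name}: native VLAN {intf['native']} is not in allowed list "
                            f"{sorted(intf['allowed'])}; untagged frames on this trunk are dropped")
    for gid, protocols in channel_protocols(interfaces).items():
        if len(protocols) > 1:
            findings.append(f"channel-group {gid}: members use mixed protocols {sorted(protocols)}; "
                            "the bundle will not form")
        pc = interfaces.get(f"Port-channel{gid}")
        if pc is None:
            findings.append(f"channel-group {gid}: no Port-channel{gid} interface defined")
            continue
        for name, intf in interfaces.items():
            if intf["channel_group"] and intf["channel_group"][0] == gid:
                if (intf["trunk"], intf["native"], intf["allowed"]) != (pc["trunk"], pc["native"], pc["allowed"]):
                    findings.append(f"{name}: trunk settings differ from Port-channel{gid}; "
                                    "IOS suspends mismatched members")
    return findings


if __name__ == "__main__":
    print("channel-group protocols:", channel_protocols(parse_interfaces(SAMPLE_CONFIG)))
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the posted configuration it reports LACP for channel-group 1 (both members use mode active, so the channel-protocol lacp command adds nothing) and three findings, one per trunk interface, because native VLAN 1 is absent from the allowed list; adding VLAN 1 (or the chosen new native VLAN) to the allowed list on all three interfaces clears them.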

If the way i have done is not true LACP, how come it is working with the Fortinet (which is set for 802.3ad Aggregate)? Seems setting channel-protocol lacp on my ports makes no difference (is it LACP by default)?

What you have done is configured a trunk. A trunk deals with sending and receiving packets for particular Virtual Local Area Networks (VLANs). LACP is about aggregating links. These are different technologies for different purposes. You have also configured a Cisco Port Channel. Port channels allow you to have some of the functionality of LACP but Port channels do not pass protocol packets. The consequence of this is all of the individual links are in the "on" mode for the channel. https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/CLIConfigurationGuide/EtherChannel.html#47157

If i want to move my native vlan from 1 to 10, would this stop the trunk from working (as i cant see where to define native vlan on Fortinet, as i understand LACP negotiation goes over native vlan)?

A native VLAN is the network to which untagged traffic sent to a trunk port will be assigned. If the native VLAN on the trunk port is VLAN 20 and untagged traffic is sent to the trunk port, then it will be assigned to VLAN 20. To set up a native VLAN on the Fortinet firewall you need to create a trunk and put switch port members in it. Then edit the trunk and configure a native VLAN. https://networkengineering.stackexchange.com/questions/19377/is-the-default-vlan-simply-the-default-native-untagged-vlan-on-all-interface

I see on the Fortinet there is the default network upon which VLANs are added - i have currently set this to no ip 0.0.0.0/0 but is there any way to remove this entirely and just have the VLANs? Or should one instead put the management IP on this default network? What is best practice?

When you create a VLAN on the Fortinet firewall you need to select what interface you are creating the VLAN on. This is because VLAN tags are assigned on port interfaces. You cannot remove the physical interface (what you have set with 0.0.0.0/0) and still have the VLAN on the physical interface. Other vendors handle this differently, but this is how Fortinet does it. http://help.fortinet.com/fweb/580/Content/FortiWeb/fortiweb-admin/network_settings.htm#network_settings_2363754841_1026461

I would also suggest taking a look at http://kb.fortinet.com/kb/documentLink.do?externalID=FD30542.

user5870571