FortiGate
rmetzger
Staff
Article Id 197798

Description
In order to pass CDP(*) or VTP(*) packets through a FortiGate in Transparent mode, the parameter stpforward must be enabled in the port configuration.
VTP and CDP packets are sent to the destination MAC address 01-00-0C-CC-CC-CC.

(*) VTP: Cisco VLAN Trunk Protocol; CDP: Cisco Discovery Protocol
Solution
The example below will allow CDP and VTP packets to be sent from port3 up to the Remote unit, through two VDOMs, via one physical port and three port aggregations.

The following diagram illustrates this example:

[Diagram rmetzger_FD31618_CDP_VTP.jpg: CDP/VTP packet path from port3 through the two VDOMs]

Port and port aggregation configuration:

config system interface
    edit "port1"
        set vdom "VD1"
    next
    edit "port2"
        set vdom "VD1"
    next
    edit "port3"
        set vdom "VD1"
        set stpforward enable
    next
    edit "port5"
        set vdom "VD3"
    next
    edit "port6"
        set vdom "VD3"
    next
    edit "port17"
        set vdom "VD2"
    next
    edit "port18"
        set vdom "VD2"
    next
    edit "port19"
        set vdom "VD2"
    next
    edit "port20"
        set vdom "VD2"
    next
    edit "LACP_VD2_IN"
        set vdom "VD2"
        set stpforward enable
        set type aggregate
        set member "port17" "port18"
    next
    edit "LACP_VD2_OUT"
        set vdom "VD2"
        set stpforward enable
        set type aggregate
        set member "port19" "port20"
    next
    edit "LACP_VD1"
        set vdom "VD1"
        set stpforward enable
        set type aggregate
        set member "port1" "port2"
    next
end



Notes:

  • When using aggregation, the stpforward setting needs to be applied only at the port aggregation level, not on the physical member ports.
  • Enabling stpforward will also forward regular Spanning Tree BPDUs through that interface.


Verification with a sniffer trace:

FGT# diagnose sniffer packet any "" 4


41.365434 port3 in llc unnumbered, ui, flags [command], length 72
41.365437 LACP_VD1 out llc unnumbered, ui, flags [command], length 72
41.365439 port2 out llc unnumbered, ui, flags [command], length 72
41.365479 LACP_VD2_IN in llc unnumbered, ui, flags [command], length 72
41.365482 LACP_VD2_OUT out llc unnumbered, ui, flags [command], length 72
41.365484 port19 out llc unnumbered, ui, flags [command], length 72



The trace above shows the CDP packet entering on port3, leaving VD1 through LACP_VD1 (physical member port2), entering VD2 on LACP_VD2_IN and leaving through LACP_VD2_OUT (physical member port19).
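As an added example, not part of this article and not Fortinet code, the following Python script audits a "config system interface" block like the one above and then checks each hop of the sniffer trace against it: it parses the CLI text, lists every physical port through which CDP/VTP frames (and, as noted, STP BPDUs) will now be forwarded, resolving aggregates to their member ports, and reports any trace hop that no stpforward setting covers. The embedded configuration is an abridged copy of the article's (only the interfaces carrying stpforward), the trace lines are copied from the article, and the function names, the "physical" default type and the hop-checking logic are the example's own assumptions.

```python
"""Audit stpforward settings in a FortiGate 'config system interface' block and
check a sniffer trace against them.  Added example; not Fortinet's own code."""
import re

# Constructed, abridged copy of the article's configuration: only the interfaces
# that carry the stpforward setting are kept (member ports need no entry here).
SAMPLE_CONFIG = """\
config system interface
    edit "port3"
        set vdom "VD1"
        set stpforward enable
    next
    edit "LACP_VD2_IN"
        set vdom "VD2"
        set stpforward enable
        set type aggregate
        set member "port17" "port18"
    next
    edit "LACP_VD2_OUT"
        set vdom "VD2"
        set stpforward enable
        set type aggregate
        set member "port19" "port20"
    next
    edit "LACP_VD1"
        set vdom "VD1"
        set stpforward enable
        set type aggregate
        set member "port1" "port2"
    next
end
"""

# Constructed copy of the article's output of: diagnose sniffer packet any "" 4
SAMPLE_TRACE = """\
41.365434 port3 in llc unnumbered, ui, flags [command], length 72
41.365437 LACP_VD1 out llc unnumbered, ui, flags [command], length 72
41.365439 port2 out llc unnumbered, ui, flags [command], length 72
41.365479 LACP_VD2_IN in llc unnumbered, ui, flags [command], length 72
41.365482 LACP_VD2_OUT out llc unnumbered, ui, flags [command], length 72
41.365484 port19 out llc unnumbered, ui, flags [command], length 72
"""

TRACE_RE = re.compile(r"^(?P<ts>\d+\.\d+) (?P<intf>\S+) (?P<dir>in|out) llc ")


def parse_interfaces(config_text):
    """Map interface name -> {vdom, stpforward, type, members} from FortiOS CLI text."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()                      # indentation in the CLI is cosmetic
        if line.startswith("edit "):
            name = line.split(None, 1)[1].strip('"')
            # "physical" is assumed as the default type when no 'set type' is present
            current = {"vdom": None, "stpforward": False, "type": "physical", "members": []}
            interfaces[name] = current
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            parts = line.split()
            key, values = parts[1], [v.strip('"') for v in parts[2:]]
            if key == "vdom":
                current["vdom"] = values[0]
            elif key == "stpforward":
                current["stpforward"] = values[0] == "enable"
            elif key == "type":
                current["type"] = values[0]
            elif key == "member":
                current["members"] = values
    return interfaces


def forwarding_ports(interfaces):
    """Physical ports that will pass CDP/VTP (and STP BPDUs), mapped to the interface
    whose stpforward setting enables it: the port itself, or its aggregate."""
    ports = {}
    for name, intf in interfaces.items():
        if not intf["stpforward"]:
            continue
        if intf["type"] == "aggregate":
            for member in intf["members"]:
                ports[member] = name            # setting lives on the aggregate only
        else:
            ports[name] = name
    return ports


def check_trace(trace_text, interfaces):
    """Return (interface, direction, enabled_by) per trace hop; enabled_by is None
    when no stpforward setting covers that interface, i.e. the frame should not pass."""
    ports = forwarding_ports(interfaces)
    hops = []
    for line in trace_text.splitlines():
        m = TRACE_RE.match(line.strip())
        if not m:
            continue
        intf = m.group("intf")
        if interfaces.get(intf, {}).get("stpforward"):
            enabled_by = intf                   # setting is on this interface itself
        else:
            enabled_by = ports.get(intf)        # member port covered by its aggregate, or None
        hops.append((intf, m.group("dir"), enabled_by))
    return hops


if __name__ == "__main__":
    intfs = parse_interfaces(SAMPLE_CONFIG)
    for port, via in sorted(forwarding_ports(intfs).items()):
        print(f"{port:8s} forwards L2 control frames via {via}")
    for intf, direction, via in check_trace(SAMPLE_TRACE, intfs):
        print(f"{intf:14s} {direction:3s} {'ok via ' + via if via else 'NOT COVERED'}")
```

Because stpforward also opens the interface to STP BPDUs, the port list this prints is the set of interfaces to review when deciding whether that exposure is acceptable on each VDOM; disabling stpforward on LACP_VD1 in the parsed data makes the script flag the LACP_VD1 and port2 hops as not covered.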


Note: the following sniffer trace command will filter only CDP or VTP packets:

FGT# diagnose sniffer packet port_name "ether host 01-00-0C-CC-CC-CC"
