Created on 12-22-2009 09:28 AM Edited on 06-08-2022 02:40 PM By Anonymous
Description
In order to pass CDP(*) or VTP(*) packets through a FortiGate in Transparent mode, the stpforward parameter must be enabled on the port configuration.
VTP and CDP packets are sent to the destination MAC address 01-00-0C-CC-CC-CC.
(*) VTP : Cisco VLAN Trunk Protocol - CDP : Cisco Discovery Protocol
Solution
The example below allows CDP and VTP packets received on port3 to reach the Remote unit, through two VDOMs, via one physical port and three port aggregations.
The following diagram illustrates this example:
Port and port aggregation configuration:
config system interface
    edit "port1"
        set vdom "VD1"
    next
    edit "port2"
        set vdom "VD1"
    next
    edit "port3"
        set vdom "VD1"
        set stpforward enable
    next
    edit "port5"
        set vdom "VD3"
    next
    edit "port6"
        set vdom "VD3"
    next
    edit "port17"
        set vdom "VD2"
    next
    edit "port18"
        set vdom "VD2"
    next
    edit "port19"
        set vdom "VD2"
    next
    edit "port20"
        set vdom "VD2"
    next
    edit "LACP_VD2_IN"
        set vdom "VD2"
        set stpforward enable
        set type aggregate
        set member "port17" "port18"
    next
    edit "LACP_VD2_OUT"
        set vdom "VD2"
        set stpforward enable
        set type aggregate
        set member "port19" "port20"
    next
    edit "LACP_VD1"
        set vdom "VD1"
        set stpforward enable
        set type aggregate
        set member "port1" "port2"
    next
end
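Because stpforward is set on the aggregate interfaces rather than on their member ports, it is easy to miss a hop when checking a larger configuration by eye. The script below is an added example, not Fortinet code: it parses a `config system interface` snippet (abridged here to the interfaces on the forwarding path, and constructed as sample input) and reports which interfaces on a given path lack `set stpforward enable`, treating a physical port as covered when an aggregate it belongs to has the setting. It assumes the FortiOS default of stpforward being disabled when the line is absent.

```python
"""Audit a FortiOS 'config system interface' snippet for stpforward coverage.

Added example (not Fortinet's code). Given the interface configuration
from this article, report which interfaces on a given forwarding path
lack 'set stpforward enable'. A physical port counts as covered when it
is a member of an aggregate interface that has stpforward enabled, since
the aggregate, not the member, carries the setting.
"""
import shlex

# Constructed sample: the interface configuration from this article,
# abridged to the interfaces that appear on the CDP forwarding path.
SAMPLE_CONFIG = """
config system interface
    edit "port1"
        set vdom "VD1"
    next
    edit "port2"
        set vdom "VD1"
    next
    edit "port3"
        set vdom "VD1"
        set stpforward enable
    next
    edit "port19"
        set vdom "VD2"
    next
    edit "port20"
        set vdom "VD2"
    next
    edit "LACP_VD2_IN"
        set vdom "VD2"
        set stpforward enable
        set type aggregate
        set member "port17" "port18"
    next
    edit "LACP_VD2_OUT"
        set vdom "VD2"
        set stpforward enable
        set type aggregate
        set member "port19" "port20"
    next
    edit "LACP_VD1"
        set vdom "VD1"
        set stpforward enable
        set type aggregate
        set member "port1" "port2"
    next
end
"""


def parse_interfaces(config_text):
    """Parse 'edit <name> ... set <key> <values> ... next' blocks.

    Returns {interface_name: {key: [values]}}. Only the flat key/value
    form used by 'config system interface' is handled.
    """
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)  # honours the quoted names FortiOS emits
        if tokens[0] == "edit" and len(tokens) > 1:
            current = tokens[1]
            interfaces[current] = {}
        elif tokens[0] == "set" and current is not None and len(tokens) > 2:
            interfaces[current][tokens[1]] = tokens[2:]
        elif tokens[0] == "next":
            current = None
    return interfaces


def stpforward_enabled(interfaces, name):
    """True if 'name' has stpforward itself or via an aggregate it belongs to.

    Assumption: an interface without the line is at the default (disable).
    """
    if interfaces.get(name, {}).get("stpforward", ["disable"]) == ["enable"]:
        return True
    for attrs in interfaces.values():
        if attrs.get("type") == ["aggregate"] and name in attrs.get("member", []):
            if attrs.get("stpforward", ["disable"]) == ["enable"]:
                return True
    return False


def path_gaps(config_text, path):
    """Return the interfaces on 'path' that would not forward CDP/VTP frames."""
    interfaces = parse_interfaces(config_text)
    return [hop for hop in path if not stpforward_enabled(interfaces, hop)]


if __name__ == "__main__":
    # The path the article's sniffer trace shows the CDP frame taking.
    path = ["port3", "LACP_VD1", "port2", "LACP_VD2_IN", "LACP_VD2_OUT", "port19"]
    print("gaps:", path_gaps(SAMPLE_CONFIG, path))
```

Run it against the output of `show system interface` pasted into `SAMPLE_CONFIG`; an empty list means every hop on the path forwards the 01-00-0C-CC-CC-CC frames, and any interface named in the list is where the trace would show the frame entering but never leaving.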
Notes:
Verification with a sniffer trace:
FGT# diagnose sniffer packet any "" 4
41.365434 port3 in llc unnumbered, ui, flags [command], length 72
41.365437 LACP_VD1 out llc unnumbered, ui, flags [command], length 72
41.365439 port2 out llc unnumbered, ui, flags [command], length 72
41.365479 LACP_VD2_IN in llc unnumbered, ui, flags [command], length 72
41.365482 LACP_VD2_OUT out llc unnumbered, ui, flags [command], length 72
41.365484 port19 out llc unnumbered, ui, flags [command], length 72
The trace above shows the CDP packet flow from port3 to LACP_VD1 (port2), then LACP_VD2_IN, then LACP_VD2_OUT (port19).
Note: the following sniffer trace command will capture only CDP or VTP packets (replace port_name with the interface to capture on):
FGT# diagnose sniffer packet port_name "ether host 01-00-0C-CC-CC-CC"
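Reading a longer trace by hand is error-prone, and the symptom of a missing stpforward is easy to state mechanically: the frame is seen coming in on an interface and is never seen going out. The script below is an added example, not Fortinet code: it parses the verbosity-4 sniffer lines shown in this article (constructed here as sample input, together with a constructed single-line failure trace) into an ordered hop list and reports any ingress interface whose frame was not forwarded.

```python
"""Interpret a FortiOS 'diagnose sniffer packet' trace of CDP/VTP frames.

Added example (not Fortinet's code). Parse the verbosity-4 trace lines
shown in this article and answer two questions: which interfaces did the
frame traverse, and did any ingress interface swallow the frame (an 'in'
event with no following 'out'), which is the symptom of stpforward being
left disabled on that path.
"""
import re

# Constructed sample: the sniffer output shown in this article, one
# event per line (timestamp, interface, direction, LLC summary).
SAMPLE_TRACE = """\
41.365434 port3 in llc unnumbered, ui, flags [command], length 72
41.365437 LACP_VD1 out llc unnumbered, ui, flags [command], length 72
41.365439 port2 out llc unnumbered, ui, flags [command], length 72
41.365479 LACP_VD2_IN in llc unnumbered, ui, flags [command], length 72
41.365482 LACP_VD2_OUT out llc unnumbered, ui, flags [command], length 72
41.365484 port19 out llc unnumbered, ui, flags [command], length 72
"""

# Constructed sample of the failure case: the frame enters port3 and is
# never seen leaving, as it would be with stpforward disabled on port3.
DROPPED_TRACE = "41.365434 port3 in llc unnumbered, ui, flags [command], length 72\n"

# One trace event: "<seconds> <interface> <in|out> <summary>"
EVENT_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+(?P<summary>.*)$"
)


def parse_events(trace_text):
    """Return [(timestamp, interface, direction)] for each recognised line."""
    events = []
    for line in trace_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((float(m["ts"]), m["iface"], m["dir"]))
    return events


def hops(trace_text):
    """The ordered list of (interface, direction) the frame was seen on."""
    return [(iface, d) for _, iface, d in parse_events(trace_text)]


def dropped_ingress(trace_text):
    """Ingress interfaces whose frame was not seen leaving on any interface.

    An 'in' event followed directly by another 'in' (or by nothing) means
    the unit consumed the frame instead of forwarding it.
    """
    events = parse_events(trace_text)
    dropped = []
    for i, (_, iface, d) in enumerate(events):
        if d != "in":
            continue
        nxt = events[i + 1] if i + 1 < len(events) else None
        if nxt is None or nxt[2] != "out":
            dropped.append(iface)
    return dropped


if __name__ == "__main__":
    print("path:", " -> ".join(f"{i}/{d}" for i, d in hops(SAMPLE_TRACE)))
    print("dropped at:", dropped_ingress(SAMPLE_TRACE))
    print("dropped at:", dropped_ingress(DROPPED_TRACE))
```

Feed it a capture taken with the `ether host 01-00-0C-CC-CC-CC` filter so that only CDP and VTP frames are present; the "in followed by in" heuristic assumes one frame at a time, which that filter and a quiet trunk give you.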
Copyright 2024 Fortinet, Inc. All Rights Reserved.