Handbook

Packet forwarding using Cisco protocols

6.0.0
In order to pass Cisco Discovery Protocol (CDP) or Cisco VLAN Trunk Protocol (VTP) packets through a FortiGate in transparent mode, the stpforward parameter must be enabled in the interface configuration. VTP and CDP packets are sent to the destination MAC address 01-00-0C-CC-CC-CC.

Note: A Cisco native VLAN carries CDP/VTP frames untagged. These frames must be received on FortiGate physical interfaces (not on a VLAN sub-interface), because physical interfaces are the only ones that can send or accept untagged packets.

The example below allows CDP and VTP packets to travel from port3 up to the remote unit, through two VDOMs, via one physical port and three port aggregations.

Port and port aggregation configuration:

config system interface
    edit "port1"
        set vdom "VD1"
    next
    edit "port2"
        set vdom "VD1"
    next
    edit "port3"
        set vdom "VD1"
        set stpforward enable
    next
    edit "port5"
        set vdom "VD3"
    next
    edit "port6"
        set vdom "VD3"
    next
    edit "port17"
        set vdom "VD2"
    next
    edit "port18"
        set vdom "VD2"
    next
    edit "port19"
        set vdom "VD2"
    next
    edit "port20"
        set vdom "VD2"
    next
    edit "LACP_VD2_IN"
        set vdom "VD2"
        set stpforward enable
        set type aggregate
        set member "port17" "port18"
    next
    edit "LACP_VD2_OUT"
        set vdom "VD2"
        set stpforward enable
        set type aggregate
        set member "port19" "port20"
    next
    edit "LACP_VD1"
        set vdom "VD1"
        set stpforward enable
        set type aggregate
        set member "port1" "port2"
    next
end

Note: When using aggregation, the stpforward setting needs to be applied only at the port aggregation level, not on the physical member ports.

Note: Enabling stpforward also forwards regular Spanning Tree BPDUs.
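The frames that an stpforward-enabled interface lets through (CDP and VTP to 01-00-0C-CC-CC-CC, plus the regular STP BPDUs mentioned in the note) can be told apart from the destination MAC and the LLC/SNAP header alone. The Python classifier below is an added example, not Fortinet code; the sample frames and the source MAC in them are constructed.

```python
import struct

# Destination MACs and SNAP identifiers of the L2 control frames involved
CISCO_MCAST = bytes.fromhex("01000ccccccc")  # 01-00-0C-CC-CC-CC: CDP/VTP/DTP/PAgP
STP_MCAST = bytes.fromhex("0180c2000000")    # 01-80-C2-00-00-00: IEEE 802.1D BPDUs
CISCO_OUI = bytes.fromhex("00000c")
CISCO_PIDS = {0x2000: "CDP", 0x2003: "VTP", 0x2004: "DTP", 0x0104: "PAgP"}


def classify_l2_control(frame: bytes) -> str:
    """Name the L2 control protocol carried by an 802.3/LLC frame, or 'other'.

    CDP and VTP are LLC UI frames to 01-00-0C-CC-CC-CC with a SNAP header
    (OUI 00-00-0C, protocol ID 0x2000 / 0x2003); STP BPDUs are LLC UI frames
    to 01-80-C2-00-00-00 with DSAP/SSAP 0x42.
    """
    if len(frame) < 17:
        return "other"
    dst = frame[0:6]
    length = struct.unpack("!H", frame[12:14])[0]
    if length > 1500:  # an EtherType (IP, ARP, ...), not an 802.3 length field
        return "other"
    dsap, ssap, ctrl = frame[14], frame[15], frame[16]
    if ctrl != 0x03:  # only LLC UI ("unnumbered, ui" in the sniffer output)
        return "other"
    if dst == STP_MCAST and dsap == 0x42 and ssap == 0x42:
        return "STP-BPDU"
    if dst == CISCO_MCAST and dsap == 0xAA and ssap == 0xAA and len(frame) >= 22:
        oui, pid = frame[17:20], struct.unpack("!H", frame[20:22])[0]
        if oui == CISCO_OUI:
            return CISCO_PIDS.get(pid, "Cisco-SNAP-unknown")
    return "other"


def build_frame(dst: bytes, dsap: int, ssap: int, snap: bytes, payload: bytes) -> bytes:
    """Constructed helper: assemble an 802.3 frame with an LLC (+ optional SNAP) header."""
    src = bytes.fromhex("001122334455")  # constructed source MAC
    llc = bytes([dsap, ssap, 0x03]) + snap + payload
    return dst + src + struct.pack("!H", len(llc)) + llc


# Constructed sample frames (not captures from the page's setup)
CDP_FRAME = build_frame(CISCO_MCAST, 0xAA, 0xAA, CISCO_OUI + b"\x20\x00", b"\x02\xb4" + b"\x00" * 50)
VTP_FRAME = build_frame(CISCO_MCAST, 0xAA, 0xAA, CISCO_OUI + b"\x20\x03", b"\x01\x01" + b"\x00" * 30)
STP_FRAME = build_frame(STP_MCAST, 0x42, 0x42, b"", b"\x00\x00\x00\x00" + b"\x00" * 31)
ARP_FRAME = bytes.fromhex("ffffffffffff0011223344550806") + b"\x00" * 28  # EtherType frame
```

Running the classifier over a capture taken on an stpforward-enabled port shows which control-plane protocols are actually crossing the firewall, which is worth knowing before enabling the setting on an untrusted segment.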

Verification with a sniffer trace:

FGT# diagnose sniffer packet any "" 4
41.365434 port3 in llc unnumbered, ui, flags [command], length 72
41.365437 LACP_VD1 out llc unnumbered, ui, flags [command], length 72
41.365439 port2 out llc unnumbered, ui, flags [command], length 72
41.365479 LACP_VD2_IN in llc unnumbered, ui, flags [command], length 72
41.365482 LACP_VD2_OUT out llc unnumbered, ui, flags [command], length 72
41.365484 port19 out llc unnumbered, ui, flags [command], length 72

The trace above shows the CDP packet entering on port3, leaving VD1 through LACP_VD1 (physical member port2), entering VD2 on LACP_VD2_IN, and leaving through LACP_VD2_OUT (physical member port19).

Note: The following sniffer trace command filters only CDP or VTP packets (replace port_name with the interface to capture on):

FGT# diagnose sniffer packet port_name "ether host 01-00-0C-CC-CC-CC"
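The sniffer check above can be automated: parse the trace lines and confirm the frame was seen on every expected interface, in order, within one forwarding burst. The Python below is an added example, not Fortinet code; the traces are constructed in the same shape as the page's output, and the broken trace shows what a missing stpforward on the egress aggregate would look like (the frame enters VD2 but never leaves it).

```python
import re

# One line of 'diagnose sniffer packet any "" 4' output, e.g.
#   41.365434 port3 in llc unnumbered, ui, flags [command], length 72
SNIFFER_LINE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+(?P<desc>.*)$"
)


def parse_sniffer(text: str):
    """Return a list of (timestamp, interface, direction, description) tuples."""
    hops = []
    for line in text.splitlines():
        m = SNIFFER_LINE.match(line)
        if m:
            hops.append((float(m["ts"]), m["iface"], m["dir"], m["desc"]))
    return hops


def check_path(hops, expected, window=0.01):
    """Verify the frame was seen on the expected (interface, direction) pairs,
    in order, within `window` seconds of the first hop.
    Returns the expected hops that are missing (an empty list means the path is OK)."""
    if not hops:
        return list(expected)
    t0 = hops[0][0]
    seen = [(iface, d) for ts, iface, d, _ in hops if ts - t0 <= window]
    missing, pos = [], 0
    for hop in expected:
        try:
            pos = seen.index(hop, pos) + 1  # must appear after the previous hop
        except ValueError:
            missing.append(hop)
    return missing


# Constructed trace: the working path from the page's example topology
TRACE_OK = """\
41.365434 port3 in llc unnumbered, ui, flags [command], length 72
41.365437 LACP_VD1 out llc unnumbered, ui, flags [command], length 72
41.365439 port2 out llc unnumbered, ui, flags [command], length 72
41.365479 LACP_VD2_IN in llc unnumbered, ui, flags [command], length 72
41.365482 LACP_VD2_OUT out llc unnumbered, ui, flags [command], length 72
41.365484 port19 out llc unnumbered, ui, flags [command], length 72
"""
# Constructed trace of a broken path: the frame enters VD2 but never leaves it
TRACE_DROPPED = "\n".join(TRACE_OK.splitlines()[:4])

EXPECTED_PATH = [("port3", "in"), ("LACP_VD1", "out"),
                 ("LACP_VD2_IN", "in"), ("LACP_VD2_OUT", "out")]
```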
