Archive for August, 2017

Posted by keith.wirch at August 18, 2017

Category: Fortigate, Quick Notes

There isn’t really a way to create a GRE tunnel in the Fortigate GUI, but you can through the CLI.  I find this process to be FortiOS version agnostic.  Take the image below as reference.

Here is the CLI for Site 1:

config system gre-tunnel
edit "GRE-to-Site2"
set interface "wan"
set remote-gw 2.2.2.2    # Remote Firewall WAN IP
set local-gw 1.1.1.1    # Local Firewall WAN IP
next
end

Once the GRE tunnel object is configured, you need to set up the matching interface as shown.

config system interface
edit "GRE-to-Site2"
set vdom "root"
set ip 192.168.6.1 255.255.255.255    # Local GRE Tunnel IP
set allowaccess ping    # Might just need ping for troubleshooting.
set type tunnel
set remote-ip 192.168.6.2    # GRE Tunnel IP for the Remote side
set interface "wan"
next
end

I will not cover it in this guide, but you do need to create a route for 10.30.2.0/24 via the GRE tunnel.  Refer to the Fortigate documentation for creating a static route.  Do not forget to create a firewall policy to allow the traffic to traverse the tunnel; without one, the implicit deny drops everything the route sends into it.  Been there…  *shakes head*

Here is the CLI for Site 2:

The CLI here is very similar to Site 1, just with the local and remote values swapped.

config system gre-tunnel
edit "GRE-to-Site1"
set interface "wan"
set remote-gw 1.1.1.1    # Remote Firewall WAN IP
set local-gw 2.2.2.2    # Local Firewall WAN IP
next
end

Now configure the actual interface, since the GRE tunnel object exists.

config system interface
edit "GRE-to-Site1"
set vdom "root"
set ip 192.168.6.2 255.255.255.255    # Local GRE Tunnel IP
set allowaccess ping    # Ping can be helpful for troubleshooting
set type tunnel
set remote-ip 192.168.6.1    # Remote Firewall GRE Tunnel IP
set interface "wan"
next
end

Again, do not forget to create your routes and firewall policies to allow the traffic to flow.

NOTE:  I find GRE tunnels to be the PERFECT opportunity to use 169.254.0.0/16 addresses.  Use them for the tunnel IPs themselves, since they are link-local and not routable according to RFC 5735.
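Since the two sides are mirror images of each other, the easiest way to avoid a transposed gateway or tunnel IP is to describe the pair once and render both ends from it. The script below is an added example, not code from the original post or from Fortinet: it emits the same `config system gre-tunnel` and `config system interface` stanzas the post uses, adds the `config router static` stanza the post says you still need, and checks the pair for the mistakes that quietly break a tunnel (same WAN IP on both ends, identical tunnel IPs, overlapping LANs). It also warns, per the note above, when the tunnel IPs are not in 169.254.0.0/16. `Site` and its field names are this example's own, and the 10.30.1.0/24 LAN for Site 1 is an assumption; the post only names 10.30.2.0/24.

```python
"""Render both ends of a FortiOS GRE tunnel from one description and
sanity-check the pair before pasting it into two firewalls.

Added example, not code from the original post or from Fortinet.  The CLI it
emits uses the same 'config system gre-tunnel' / 'config system interface'
stanzas as the post, plus the 'config router static' stanza the post tells
you to add.  'Site' and its field names are this example's own.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Site:
    name: str          # label used in the tunnel name, e.g. "Site2"
    wan_ip: str        # firewall WAN IP: local-gw here, remote-gw on the peer
    tunnel_ip: str     # /32 placed on the tunnel interface
    lan: str           # LAN behind this site, reached via the tunnel
    wan_iface: str = "wan"


def check_pair(a: Site, b: Site) -> dict:
    """Return {'errors': [...], 'warnings': [...]} for the two ends."""
    errors, warnings = [], []
    if a.wan_ip == b.wan_ip:
        errors.append("both ends use the same WAN IP")
    ta = ipaddress.ip_address(a.tunnel_ip)
    tb = ipaddress.ip_address(b.tunnel_ip)
    if ta == tb:
        errors.append("tunnel IPs must differ")
    if ipaddress.ip_network(a.lan).overlaps(ipaddress.ip_network(b.lan)):
        errors.append(f"LANs {a.lan} and {b.lan} overlap")
    # The post's note: tunnel IPs are a good place for link-local 169.254/16.
    for site, addr in ((a, ta), (b, tb)):
        if not addr.is_link_local:
            warnings.append(f"{site.name}: tunnel IP {addr} is not in 169.254.0.0/16")
    return {"errors": errors, "warnings": warnings}


def render_site(local: Site, remote: Site) -> str:
    """FortiOS CLI for 'local', pointing at 'remote'.  Swap the arguments
    to get the other end; gateways and tunnel IPs flip automatically."""
    name = f"GRE-to-{remote.name}"
    lan = ipaddress.ip_network(remote.lan)
    lines = [
        "config system gre-tunnel",
        f'    edit "{name}"',
        f'        set interface "{local.wan_iface}"',
        f"        set remote-gw {remote.wan_ip}",
        f"        set local-gw {local.wan_ip}",
        "    next",
        "end",
        "config system interface",
        f'    edit "{name}"',
        '        set vdom "root"',
        f"        set ip {local.tunnel_ip} 255.255.255.255",
        "        set allowaccess ping",
        "        set type tunnel",
        f"        set remote-ip {remote.tunnel_ip}",   # syntax as in the post
        f'        set interface "{local.wan_iface}"',
        "    next",
        "end",
        "config router static",
        "    edit 0",                                   # 0 = next free route ID
        f"        set dst {lan.network_address} {lan.netmask}",
        f'        set device "{name}"',
        "    next",
        "end",
    ]
    return "\n".join(lines)


# Sample input constructed from the post's values.  10.30.1.0/24 for Site 1
# is an assumption; the post only names 10.30.2.0/24 behind Site 2.
SITE1 = Site("Site1", "1.1.1.1", "192.168.6.1", "10.30.1.0/24")
SITE2 = Site("Site2", "2.2.2.2", "192.168.6.2", "10.30.2.0/24")

if __name__ == "__main__":
    report = check_pair(SITE1, SITE2)
    for level in ("errors", "warnings"):
        for msg in report[level]:
            print(f"{level[:-1].upper()}: {msg}")
    if not report["errors"]:
        print(render_site(SITE1, SITE2))
        print()
        print(render_site(SITE2, SITE1))
```

Run as-is it prints two warnings (the post's 192.168.6.x tunnel IPs are not link-local) and then the Site 1 and Site 2 CLI; change the two tunnel IPs to 169.254.6.1 and 169.254.6.2 and the warnings disappear. The firewall policy is deliberately left out of the rendered output, since its source and destination interfaces depend on how each site names its LAN interface.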

Posted by keith.wirch at August 17, 2017

Category: CCNP Notes

Access
This will put the interface in a permanent non-trunking mode.  With the exception of a voice VLAN, only one VLAN will pass over this port.  The port will NEVER become a trunking port.

Trunk
This will put the interface in a permanent trunking mode.  Only the VLANs allowed on the trunk will pass.  VTP will also pass over this port.  DTP packets will be sent asking the other side to become a trunk; if the other side does not respond, the port becomes a trunk anyway.

Nonegotiate
This will cause the interface not to send DTP packets, meaning it will not attempt to negotiate a trunk.  But if the port does receive a DTP packet asking it to become a trunk, it will become a trunk.

Dynamic Desirable
When a port comes up with this configuration, it asks the other side “Hey, wanna be a trunk?”.  In other words, it will actively try to become a trunk, but it will fall back to functioning as an access port if needed.

Dynamic Auto (DEFAULT)
In this configuration, the port will become a trunk if asked to, but otherwise it just stays a regular access port.
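The practical consequence of the default being dynamic auto is that any port without an explicit `switchport mode` line will trunk as soon as whatever is plugged into it asks. The script below is an added example, not from the original notes or from Cisco: it parses a constructed IOS running-config, fills in the dynamic auto default for interfaces that set no mode, derives the DTP outcome from the rules in the notes (a side that sends DTP plus a side that accepts it yields a trunk; access never trunks; trunk/trunk always does), and lists the ports that would become trunks if the attached device asked. The sample config and the `parse_switchports`, `will_trunk` and `audit` names are this example's own.

```python
"""Audit an IOS running-config for ports that will trunk on request.

Added example, not code from the original notes or from Cisco.  SAMPLE_CONFIG
is constructed for this example.  The negotiation rules follow the notes:
access never trunks, trunk is always a trunk, dynamic desirable asks and
accepts, dynamic auto (the default when no mode is set) only accepts.
"""
import re

# Constructed sample: four ports, two of them left negotiable.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet1/0/1
 description uplink to core
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
interface GigabitEthernet1/0/2
 description user desk
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/3
 description printer
 switchport access vlan 20
!
interface GigabitEthernet1/0/4
 switchport mode dynamic desirable
!
"""

MODE_RE = re.compile(r"switchport mode (access|trunk|dynamic auto|dynamic desirable)$")
NEGOTIABLE = ("dynamic auto", "dynamic desirable")


def parse_switchports(config: str) -> dict:
    """Map interface name -> {'mode': ..., 'nonegotiate': bool}.

    An interface stanza with no 'switchport mode' line gets the IOS default
    from the notes, dynamic auto."""
    ports, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            ports[current] = {"mode": "dynamic auto", "nonegotiate": False}
            continue
        if current is None or not raw.startswith(" "):
            current = None          # '!' or a top-level command ends the stanza
            continue
        cmd = raw.strip()
        m = MODE_RE.match(cmd)
        if m:
            ports[current]["mode"] = m.group(1)
        elif cmd == "switchport nonegotiate":
            ports[current]["nonegotiate"] = True
    return ports


def will_trunk(mode: str, peer_mode: str) -> bool:
    """True when both ends of the link end up operating as a trunk."""
    sends = {"trunk", "dynamic desirable"}             # these ask via DTP
    accepts = {"trunk", "dynamic desirable", "dynamic auto"}  # these say yes
    if mode == "access" or peer_mode == "access":
        return False        # an access port never trunks (trunk/access is a mismatch)
    if mode == "trunk" and peer_mode == "trunk":
        return True
    return (mode in sends and peer_mode in accepts) or \
           (peer_mode in sends and mode in accepts)


def audit(config: str, peer_mode: str = "dynamic desirable") -> list:
    """Ports whose mode is negotiable and that would trunk if the attached
    device came up in 'peer_mode' (default: a device that asks to trunk)."""
    return [name for name, p in parse_switchports(config).items()
            if p["mode"] in NEGOTIABLE and will_trunk(p["mode"], peer_mode)]


if __name__ == "__main__":
    for name in audit(SAMPLE_CONFIG):
        mode = parse_switchports(SAMPLE_CONFIG)[name]["mode"]
        print(f"{name}: mode '{mode}' will trunk on request; "
              "set 'switchport mode access' and 'switchport nonegotiate'")
```

Against the sample config the audit reports GigabitEthernet1/0/3 (no mode line, so dynamic auto) and GigabitEthernet1/0/4 (dynamic desirable), while the uplink stays a trunk by design and the user port with `switchport mode access` plus `switchport nonegotiate` is not listed. Run it over a real config export to find ports that were only ever given `switchport access vlan` and never an explicit mode.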