■ Retrieving FortiGate-60C information on a Cisco 892J with LLDP.
This is nothing more than a "yes, it works" note, but:
because the FortiGate sits between the Cisco switch and the Cisco 892J,
neither side can learn anything about the other with CDP (the FortiGate does not pass CDP through, so both neighbor tables below are empty).
Switch>show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID Local Intrfce Holdtme Capability Platform Port ID
Router>show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
D - Remote, C - CVTA, M - Two-port Mac Relay
Device ID Local Intrfce Holdtme Capability Platform Port ID
■ The FortiGate is in the HA configuration below,
with unit 1's dmz interface connected to Fa4 on the Cisco 892J
and unit 2's dmz interface connected to Fa5.
home-utm2
HA information
Statistics
traffic.local = s:0 p:3780 b:586704
traffic.total = s:0 p:3787 b:586928
activity.fdb = c:0 q:0
Model=60, Mode=2 Group=0 Debug=0
nvcluster=1, ses_pickup=0, delay=0
HA group member information: is_manage_master=1.
FGT60C*********2, 0. Master:128 home-utm2
FGT60C*********1, 1. Slave:128 home-utm1
vcluster 1, state=work, master_ip=169.254.0.1, master_id=0:
FGT60C*********2, 0. Master:128 home-utm2(prio=0, rev=0)
FGT60C*********1, 1. Slave:128 home-utm1(prio=1, rev=1)
■ Enable LLDP on the Cisco 892J side (a single global command; it applies to every interface).
Router#show running-config | section lldp
lldp run
■ On the FortiGate-60C, enable LLDP transmission globally and on the dmz interface only (marked with <--- below).
home-utm2
config system global
set admin-https-redirect disable
set admin-sport 8443
set fgd-alert-subscription advisory latest-threat
set gui-central-nat-table enable
set gui-endpoint-control disable
set gui-ips enable
set gui-multiple-utm-profiles enable
set gui-spamfilter enable
set gui-vpn disable
set gui-vulnerability-scan enable
set gui-wan-load-balancing disable
set gui-wireless-controller disable
set hostname "home-utm2"
set language japanese
set lldp-transmission enable <---
set timezone 60
end
config system interface
edit "dmz"
set vdom "root"
set ip 192.168.102.252 255.255.255.0
set allowaccess ping
set type physical
set lldp-transmission enable <---
set snmp-index 1
next
end
■ The FortiGate-60C HA sync is fine: unit 1 shows the same lldp settings as unit 2.
home-utm1 $ show | grep -f lldp
config system global
set admin-https-redirect disable
set admin-sport 8443
set fgd-alert-subscription advisory latest-threat
set gui-central-nat-table enable
set gui-endpoint-control disable
set gui-ips enable
set gui-multiple-utm-profiles enable
set gui-spamfilter enable
set gui-vpn disable
set gui-vulnerability-scan enable
set gui-wan-load-balancing disable
set gui-wireless-controller disable
set hostname "home-utm1"
set language japanese
set lldp-transmission enable <---
set timezone 60
end
config system interface
edit "dmz"
set vdom "root"
set ip 192.168.102.252 255.255.255.0
set allowaccess ping
set type physical
set lldp-transmission enable <---
set snmp-index 1
next
end
■ Check on the Cisco 892J side.
Unit 2 is the active member, so the neighbor is learned on Fa5.
Router#show lldp
Global LLDP Information:
Status: ACTIVE
LLDP advertisements are sent every 30 seconds
LLDP hold time advertised is 120 seconds
LLDP interface reinitialisation delay is 2 seconds
Router#show lldp neighbors
Capability codes:
(R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
(W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other
Device ID Local Intf Hold-time Capability Port ID
FortiGate-60C Fa5 120 R dmz
Total entries displayed: 1
Router#show lldp neighbors detail
------------------------------------------------
Chassis id: dmz
Port id: dmz
Port Description - not advertised
System Name: FortiGate-60C
System Description:
FortiGate-60C v5.2.3,build0670,150318 (GA)
Time remaining: 112 seconds
System Capabilities: B,R
Enabled Capabilities: R
Management Addresses - not advertised
Auto Negotiation - not supported
Physical media capabilities - not advertised
Media Attachment Unit type - not advertised
Vlan ID: - not advertised
Total entries displayed: 1
Router#show lldp neighbors
Capability codes:
(R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
(W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other
Device ID Local Intf Hold-time Capability Port ID
FortiGate-60C Fa5 120 R dmz
Total entries displayed: 1
■ Fail over the FortiGate HA manually.
home-utm2
■ Check on the Cisco 892J side again.
Unit 1's dmz interface is on Fa4, so the neighbor has moved from Fa5 to Fa4.
Note that the LLDP payload itself is identical for both units (System Name "FortiGate-60C", Chassis id "dmz"; the hostnames home-utm1/home-utm2 are not advertised), so the local interface on the Cisco side is the only thing that tells you which unit is active.
Router#show lldp neighbors
Capability codes:
(R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
(W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other
Device ID Local Intf Hold-time Capability Port ID
FortiGate-60C Fa4 120 R dmz
Total entries displayed: 1
Router#show lldp neighbors detail
------------------------------------------------
Chassis id: dmz
Port id: dmz
Port Description - not advertised
System Name: FortiGate-60C
System Description:
FortiGate-60C v5.2.3,build0670,150318 (GA)
Time remaining: 113 seconds
System Capabilities: B,R
Enabled Capabilities: R
Management Addresses - not advertised
Auto Negotiation - not supported
Physical media capabilities - not advertised
Media Attachment Unit type - not advertised
Vlan ID: - not advertised
Total entries displayed: 1
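Since the only way to tell the two units apart from the Cisco side is the local interface, it is worth automating that mapping. The script below is an added example and is not part of the original post: it parses the `show lldp neighbors` table as captured above (before and after the failover), maps the local interface back to the HA member through the assumed cabling (unit 1 on Fa4, unit 2 on Fa5), reports a failover when the interface changes, and cross-checks the result against the member list from the FortiGate HA status output shown earlier. The sample outputs embedded in the script are constructed copies of the page's output with the serials masked as on the page; the cabling table and the function names are assumptions for this example.

```python
"""Added example (not from the original post): decide which FortiGate HA
member is active from the Cisco side by parsing `show lldp neighbors`, and
cross-check it with the FortiGate's own HA member list.

Assumed cabling (mirrors the post's lab): unit 1 (home-utm1) on Fa4,
unit 2 (home-utm2) on Fa5. All sample text below is constructed.
"""
import re

# Which HA member's dmz port is plugged into which Cisco 892J port (assumed).
CABLING = {"Fa4": "home-utm1", "Fa5": "home-utm2"}

# One data row of Cisco `show lldp neighbors`. The Capability column may be
# blank, so it is optional; Device ID is assumed not to contain spaces.
_NEIGHBOR_ROW = re.compile(
    r"^(?P<device>\S+)\s+(?P<intf>\S+)\s+(?P<hold>\d+)\s+"
    r"(?:(?P<cap>[A-Z](?:,[A-Z])*)\s+)?(?P<port>\S+)\s*$"
)

# FortiGate HA member line, e.g. "FGT60C*********2, 0. Master:128 home-utm2".
_HA_MEMBER = re.compile(
    r"^(?P<serial>\S+),\s+\d+\.\s+(?P<role>Master|Slave):\d+\s+(?P<host>[^\s(]+)"
)

# Constructed copies of the Cisco output shown on the page (whitespace only).
LLDP_BEFORE = """\
Capability codes:
    (R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
    (W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other

Device ID           Local Intf     Hold-time  Capability      Port ID
FortiGate-60C       Fa5            120        R               dmz

Total entries displayed: 1
"""
LLDP_AFTER = LLDP_BEFORE.replace("Fa5", "Fa4")   # same table after failover

# Constructed copy of the HA member lines from the FortiGate status output.
HA_STATUS = """\
HA group member information: is_manage_master=1.
FGT60C*********2, 0. Master:128 home-utm2
FGT60C*********1, 1. Slave:128 home-utm1
"""


def parse_lldp_neighbors(text):
    """Return {device_id: {intf, hold, cap, port}} from `show lldp neighbors`."""
    neighbors = {}
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Device ID"):      # column header: rows follow
            in_table = True
            continue
        if line.startswith("Total entries"):  # trailer: table is finished
            break
        if not in_table or not line:
            continue
        m = _NEIGHBOR_ROW.match(line)
        if m:
            d = m.groupdict()
            neighbors[d["device"]] = {
                "intf": d["intf"], "hold": int(d["hold"]),
                "cap": d["cap"] or "", "port": d["port"],
            }
    return neighbors


def active_member(neighbors, device_id="FortiGate-60C", cabling=CABLING):
    """Map the local interface the FortiGate is seen on back to the HA member."""
    entry = neighbors.get(device_id)
    return cabling.get(entry["intf"]) if entry else None


def failover_events(before, after):
    """Neighbors whose local interface changed between two snapshots."""
    return [
        (dev, before[dev]["intf"], new["intf"])
        for dev, new in after.items()
        if dev in before and before[dev]["intf"] != new["intf"]
    ]


def parse_ha_master(text):
    """Hostname the FortiGate reports as Master in its HA member list."""
    for raw in text.splitlines():
        m = _HA_MEMBER.match(raw.strip())
        if m and m.group("role") == "Master":
            return m.group("host")
    return None


if __name__ == "__main__":
    before = parse_lldp_neighbors(LLDP_BEFORE)
    after = parse_lldp_neighbors(LLDP_AFTER)
    print("LLDP says active:", active_member(before))
    print("FortiGate HA says master:", parse_ha_master(HA_STATUS))
    for dev, old, new in failover_events(before, after):
        print(f"{dev} moved {old} -> {new}; active member is now {CABLING.get(new)}")
```

In practice you would feed the script the live output of `show lldp neighbors` (e.g. polled over SSH) instead of the embedded copies; a disagreement between `active_member()` and `parse_ha_master()` means the cabling table no longer matches reality, which is exactly the kind of thing you want to catch before you rely on it during an incident.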
■ None of this is strictly necessary, since the failover also shows up in syslog under the keyword below and an SNMP trap is sent as well.
One caveat: the LLDP advertisement carries the firmware version (see System Description above), so enable it only on interfaces facing devices you trust, as is done here with dmz only.
msg="Virtual cluster's member state moved"