labunix's blog

labunix's Lab Unix

Retrieving Fortigate-60C information on a Cisco892J using LLDP.

■Retrieving Fortigate-60C information on a Cisco892J using LLDP.
 This is no more than a "yes, it can be done" note, but
 since a Fortigate sits between the Cisco switch and the Cisco892J,
 CDP cannot obtain the neighbor information, as both outputs below show.

Switch>show cdp neighbors 
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID

Router>show cdp neighbors 
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone, 
                  D - Remote, C - CVTA, M - Two-port Mac Relay 

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID

■The Fortigates are in the HA configuration shown below;
 the dmz interface of unit 1 is connected to Fa4 of the Cisco892J,
 and the dmz interface of unit 2 to Fa5.

home-utm2 # diagnose sys ha status 
HA information
Statistics
	traffic.local = s:0 p:3780 b:586704
	traffic.total = s:0 p:3787 b:586928
	activity.fdb  = c:0 q:0

Model=60, Mode=2 Group=0 Debug=0
nvcluster=1, ses_pickup=0, delay=0

HA group member information: is_manage_master=1.
FGT60C*********2, 0. Master:128 home-utm2
FGT60C*********1, 1.  Slave:128 home-utm1

vcluster 1, state=work, master_ip=169.254.0.1, master_id=0:
FGT60C*********2, 0. Master:128 home-utm2(prio=0, rev=0)
FGT60C*********1, 1.  Slave:128 home-utm1(prio=1, rev=1)

■Enable LLDP on the Cisco892J side.

Router#show running-config | section lldp
lldp run

■On the Fortigate-60C side, enable LLDP on the dmz interface only (global transmission plus the per-interface setting).

home-utm2 # show | grep -f lldp
config system global
    set admin-https-redirect disable
    set admin-sport 8443
    set fgd-alert-subscription advisory latest-threat
    set gui-central-nat-table enable
    set gui-endpoint-control disable
    set gui-ips enable
    set gui-multiple-utm-profiles enable
    set gui-spamfilter enable
    set gui-vpn disable
    set gui-vulnerability-scan enable
    set gui-wan-load-balancing disable
    set gui-wireless-controller disable
    set hostname "home-utm2"
    set language japanese
    set lldp-transmission enable <---
    set timezone 60
end
config system interface
    edit "dmz"
        set vdom "root"
        set ip 192.168.102.252 255.255.255.0
        set allowaccess ping
        set type physical
        set lldp-transmission enable <---
        set snmp-index 1
    next
end

■HA configuration sync on the Fortigate-60C is working: the secondary unit shows the same LLDP settings.

# execute ha manage 0
home-utm1 $ show | grep -f lldp
config system global
    set admin-https-redirect disable
    set admin-sport 8443
    set fgd-alert-subscription advisory latest-threat
    set gui-central-nat-table enable
    set gui-endpoint-control disable
    set gui-ips enable
    set gui-multiple-utm-profiles enable
    set gui-spamfilter enable
    set gui-vpn disable
    set gui-vulnerability-scan enable
    set gui-wan-load-balancing disable
    set gui-wireless-controller disable
    set hostname "home-utm1"
    set language japanese
    set lldp-transmission enable <---
    set timezone 60
end
config system interface
    edit "dmz"
        set vdom "root"
        set ip 192.168.102.252 255.255.255.0
        set allowaccess ping
        set type physical
        set lldp-transmission enable <---
        set snmp-index 1
    next
end

■Check on the Cisco892J side.
 Because unit 2 is the active (master) unit, the neighbor is seen on Fa5.

Router#show lldp 

Global LLDP Information:
    Status: ACTIVE
    LLDP advertisements are sent every 30 seconds
    LLDP hold time advertised is 120 seconds
    LLDP interface reinitialisation delay is 2 seconds

Router#show lldp neighbors 
Capability codes:
    (R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
    (W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other

Device ID           Local Intf     Hold-time  Capability      Port ID
FortiGate-60C       Fa5            120        R               dmz

Total entries displayed: 1

Router#show lldp neighbors detail 
------------------------------------------------
Chassis id: dmz
Port id: dmz
Port Description - not advertised
System Name: FortiGate-60C

System Description: 
FortiGate-60C v5.2.3,build0670,150318 (GA)

Time remaining: 112 seconds
System Capabilities: B,R
Enabled Capabilities: R
Management Addresses - not advertised
Auto Negotiation - not supported
Physical media capabilities - not advertised
Media Attachment Unit type - not advertised
Vlan ID: - not advertised


Total entries displayed: 1

■Manually fail over the Fortigate HA cluster.

home-utm2 # diagnose sys ha reset-uptime

■Check on the Cisco892J side.
 Since the dmz interface of unit 1 is connected to Fa4, the Local Intf has changed from Fa5 to Fa4.

Router#show lldp neighbors 
Capability codes:
    (R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
    (W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other

Device ID           Local Intf     Hold-time  Capability      Port ID
FortiGate-60C       Fa4            120        R               dmz

Total entries displayed: 1

Router#show lldp neighbors detail 
------------------------------------------------
Chassis id: dmz
Port id: dmz
Port Description - not advertised
System Name: FortiGate-60C

System Description: 
FortiGate-60C v5.2.3,build0670,150318 (GA)

Time remaining: 113 seconds
System Capabilities: B,R
Enabled Capabilities: R
Management Addresses - not advertised
Auto Negotiation - not supported
Physical media capabilities - not advertised
Media Attachment Unit type - not advertised
Vlan ID: - not advertised


Total entries displayed: 1

■The failover can also be identified in syslog by the following keyword,
 and it is reported via SNMP trap as well, so LLDP is not strictly necessary for this.

msg="Virtual cluster's member state moved"
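As an added example (not part of the original post), the following Python script turns the two observations above into a check: it parses the `show lldp neighbors` table from the Cisco892J and reports when the FortiGate's Local Intf moves (Fa5 to Fa4 after the failover), and it matches the FortiGate syslog keyword quoted above. The sample outputs are constructed from the listings in this post; the column layout of `show lldp neighbors` and the key=value syslog format are assumed to match what is shown here.

```python
# Constructed sample: the `show lldp neighbors` output from this post,
# captured before the HA failover (unit 2 active, so the FortiGate is on Fa5).
LLDP_BEFORE = """Capability codes:
    (R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
    (W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other

Device ID           Local Intf     Hold-time  Capability      Port ID
FortiGate-60C       Fa5            120        R               dmz

Total entries displayed: 1
"""
# Constructed sample: the same command after the manual failover (unit 1 on Fa4).
LLDP_AFTER = LLDP_BEFORE.replace("Fa5", "Fa4")

# Constructed FortiGate syslog line carrying the HA keyword quoted in the post.
HA_STATE_MOVED = 'msg="Virtual cluster\'s member state moved"'
SYSLOG_LINE = "devname=home-utm2 type=event subtype=ha level=notice " + HA_STATE_MOVED


def parse_lldp_neighbors(output):
    """Map Device ID -> (Local Intf, Hold-time, Capability, Port ID)."""
    neighbors = {}
    in_table = False
    for line in output.splitlines():
        if line.startswith("Device ID"):
            in_table = True          # neighbor rows follow the column header
            continue
        cols = line.split()
        if not in_table or len(cols) != 5:
            continue                 # skip blanks, the 'Total entries' trailer, odd rows
        device, local_intf, hold, cap, port = cols
        neighbors[device] = (local_intf, int(hold), cap, port)
    return neighbors


def detect_interface_moves(before_text, after_text):
    """Neighbors whose Local Intf changed between two snapshots, as
    {device: (old_intf, new_intf)}; from the router side an HA failover
    shows up exactly like this."""
    before = parse_lldp_neighbors(before_text)
    after = parse_lldp_neighbors(after_text)
    return {dev: (b[0], after[dev][0])
            for dev, b in before.items()
            if dev in after and after[dev][0] != b[0]}


def is_ha_state_change(syslog_line):
    """True when a FortiGate log line carries the HA member-state keyword."""
    return HA_STATE_MOVED in syslog_line
```

With the two samples, `detect_interface_moves(LLDP_BEFORE, LLDP_AFTER)` returns `{'FortiGate-60C': ('Fa5', 'Fa4')}`, which is the Fa5 to Fa4 move seen in the post.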