Since policy routes are evaluated top-down, you can work around this limit by placing a more specific entry matching traffic from internal subnet A to internal subnet B.
However, this gets less than comfortable if you have many different networks attached to your internal interface.
In this case, I would recommend a trick I once used:
since Fortigate devices ignore QoS marks, you should mark your "internet" packets on the firewall-facing port of your Cisco switch with a specific TOS value and then use that mark in your policy route.
I frequently use
sh int | i (FastEthernet|0 packets input)
or the same with GigabitEthernet, or whatever kind of interface I want to check.
- sh int (which is show interfaces) gives a huge list of the status of all interfaces.
- The pipe symbol | can be used for filtering, but also in search expressions.
- | i (for include) filters the output to the lines which match the following search expression.
- I use (...|...) to match two conditions, the interface name and a status I would like to see; we can use regular expressions here, like this "or" expression.
The output can look like:
...
FastEthernet1/0/31 is up, line protocol is up (connected)
95445640 packets input, 18990165053 bytes, 0 no buffer
FastEthernet1/0/32 is up, line protocol is up (connected)
FastEthernet1/0/33 is up, line protocol is up (connected)
FastEthernet1/0/34 is down, line protocol is down (notconnect)
0 packets input, 0 bytes, 0 no buffer
FastEthernet1/0/35 is down, line protocol is down (notconnect)
FastEthernet1/0/36 is up, line protocol is up (connected)
FastEthernet1/0/37 is down, line protocol is down (notconnect)
0 packets input, 0 bytes, 0 no buffer
...
Now I can see my candidates, with actually 0 packets input over time, even though my expression also matches numbers just ending in 0. I could make it more precise, but being easy to remember is also a benefit. The interface names right before each 0 packets input line are my candidates.
- Check each chosen interface to see if it's really unused with
sh int <name>
- From time to time, it's good to clear the counters:
clear counters [type number]
It can be good practice to leave unused switchports shut down. That way it's easy to identify them using sh ip int bri
or the like, and you don't run into problems if you use a switchport which was definitely shut off before.
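As an added example (not part of the answer above, and not Cisco's own tooling), here is a Python script that first emulates the "| include" filter from that answer and then parses the same show interfaces output properly, so that only interfaces with an input and output counter of exactly 0 are reported. The show interfaces text is constructed to mirror the shape of the output quoted above; it was not captured from a real switch, and the addresses and counters in it are made up.

```python
import re

# Constructed sample of "show interfaces" output (not captured from a real device);
# it mirrors the shape of the output quoted in the answer above.
SHOW_INTERFACES = """\
FastEthernet1/0/31 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 0011.2233.4455 (bia 0011.2233.4455)
     95445640 packets input, 18990165053 bytes, 0 no buffer
     81234567 packets output, 12345678901 bytes, 0 underruns
FastEthernet1/0/32 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 0011.2233.4456 (bia 0011.2233.4456)
     1200 packets input, 96000 bytes, 0 no buffer
     900 packets output, 72000 bytes, 0 underruns
FastEthernet1/0/34 is down, line protocol is down (notconnect)
  Hardware is Fast Ethernet, address is 0011.2233.4458 (bia 0011.2233.4458)
     0 packets input, 0 bytes, 0 no buffer
     0 packets output, 0 bytes, 0 underruns
FastEthernet1/0/36 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 0011.2233.445a (bia 0011.2233.445a)
     0 packets input, 0 bytes, 0 no buffer
     3100 packets output, 248000 bytes, 0 underruns
GigabitEthernet1/0/1 is down, line protocol is down (notconnect)
  Hardware is Gigabit Ethernet, address is 0011.2233.4460 (bia 0011.2233.4460)
     0 packets input, 0 bytes, 0 no buffer
     0 packets output, 0 bytes, 0 underruns
"""

# "Name is <admin state>, line protocol is <up|down>" opens each interface block.
INTERFACE_HEADER = re.compile(
    r"^(?P<name>\S+) is (?P<admin>[\w ]+?), line protocol is (?P<proto>\w+)"
)
PACKETS_INPUT = re.compile(r"^\s*(?P<count>\d+) packets input,")
PACKETS_OUTPUT = re.compile(r"^\s*(?P<count>\d+) packets output,")


def ios_include(text, pattern):
    """Emulate IOS '| include <regex>': keep only the lines matching the regex."""
    rx = re.compile(pattern)
    return [line for line in text.splitlines() if rx.search(line)]


def parse_interfaces(text):
    """Parse show-interfaces output into {name: {admin, proto, packets_in, packets_out}}."""
    result = {}
    current = None
    for line in text.splitlines():
        m = INTERFACE_HEADER.match(line)
        if m:
            current = m.group("name")
            result[current] = {"admin": m.group("admin"), "proto": m.group("proto"),
                               "packets_in": None, "packets_out": None}
            continue
        if current is None:
            continue
        m = PACKETS_INPUT.match(line)
        if m:
            result[current]["packets_in"] = int(m.group("count"))
            continue
        m = PACKETS_OUTPUT.match(line)
        if m:
            result[current]["packets_out"] = int(m.group("count"))
    return result


def unused_ports(text, kinds=("FastEthernet", "GigabitEthernet")):
    """Interfaces of the given kinds that have received and sent no packets at all.

    Unlike the '0 packets input' include filter, this compares the exact counter
    value (so 95445640 or 1200 does not count as zero) and also checks the output
    counter, because a port that transmits is in use even if nothing comes in.
    """
    ports = parse_interfaces(text)
    return sorted(
        name for name, info in ports.items()
        if name.startswith(kinds)
        and info["packets_in"] == 0 and info["packets_out"] == 0
    )


if __name__ == "__main__":
    # The loose filter returns 9 lines here, including "95445640 packets input"
    # and "1200 packets input"; the parser keeps only the truly idle ports.
    for line in ios_include(SHOW_INTERFACES, r"(FastEthernet|0 packets input)"):
        print(line)
    print("unused:", unused_ports(SHOW_INTERFACES))
```

Run against real output, feed the script the text of show interfaces (for example saved from the terminal session) instead of the constructed sample; the candidates it returns are still only candidates, and a final sh int <name> on the device, after clearing counters and waiting, remains the check before repurposing a port.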
Best Answer
You can check the MAC address table on the switch to see on what port you learned the MAC address of the Fortigate's management interface.
It should be possible to enable LLDP on the Fortinet as of FortiOS 5.2 as well according to their documentation:
You can enable LLDP on your switch using the command
lldp run
. After that, you can use show lldp neighbors
to see which LLDP-speaking hosts are seen.
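As an added example (not part of the answer above, and not Cisco's or Fortinet's own tooling), here is a Python script that does the two lookups that answer describes offline: it normalizes a MAC address written in the colon notation a Fortigate shows (or in dash or dotted notation) to the same digits as the Cisco dotted form, searches a show mac address-table listing for it, and parses a show lldp neighbors listing into a map from local port to remote device. Both command outputs below are constructed samples, not captures from real devices; the hostnames, MAC addresses and port names in them are made up.

```python
import re

# Constructed sample of "show mac address-table" output (not from a real device).
SHOW_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0009.0f12.3456    DYNAMIC     Fa1/0/31
  10    0011.2233.4456    DYNAMIC     Fa1/0/32
  20    0009.0fab.cdef    DYNAMIC     Gi1/0/1
 All    0100.0ccc.cccc    STATIC      CPU
Total Mac Addresses for this criterion: 4
"""

# Constructed sample of "show lldp neighbors" output (not from a real device).
SHOW_LLDP = """\
Capability codes:
    (R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
    (W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other

Device ID           Local Intf     Hold-time  Capability      Port ID
fgt-example         Fa1/0/31       120        B,R             port1
sw-access-2         Gi1/0/1        120        B               Gi0/24

Total entries displayed: 2
"""

# One learned entry per row: VLAN (or "All"), dotted MAC, type, port.
MAC_ROW = re.compile(
    r"^\s*(?P<vlan>\d+|All)\s+(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})"
    r"\s+(?P<type>\S+)\s+(?P<port>\S+)\s*$"
)
# One neighbor per row: device id, local interface, hold-time, capability, port id.
LLDP_ROW = re.compile(r"^(?P<device>\S+)\s+(?P<intf>\S+)\s+\d+\s+\S+\s+(?P<port>\S+)\s*$")


def normalize_mac(mac):
    """Reduce 00:09:0f:12:34:56, 00-09-0F-12-34-56 or 0009.0f12.3456 to the same
    12 lowercase hex digits so addresses from different vendors can be compared."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return digits


def parse_mac_table(text):
    """Yield (vlan, mac_digits, type, port) for each entry in the table."""
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            yield (m.group("vlan"), normalize_mac(m.group("mac")),
                   m.group("type"), m.group("port"))


def find_port(table_text, mac):
    """Return (vlan, port) on which the switch learned the given MAC, or None."""
    wanted = normalize_mac(mac)
    for vlan, digits, _type, port in parse_mac_table(table_text):
        if digits == wanted:
            return (vlan, port)
    return None


def lldp_neighbors(text):
    """Map each local interface to (remote device id, remote port id)."""
    neighbors = {}
    for line in text.splitlines():
        m = LLDP_ROW.match(line)
        if m:
            neighbors[m.group("intf")] = (m.group("device"), m.group("port"))
    return neighbors


if __name__ == "__main__":
    # The MAC is given the way a Fortigate displays it; the table holds it dotted.
    print("mac lookup:", find_port(SHOW_MAC_TABLE, "00:09:0f:12:34:56"))
    print("lldp neighbors:", lldp_neighbors(SHOW_LLDP))
```

The MAC table answer only tells you where a frame with that source address was last seen, so a result on an uplink port means the Fortigate sits behind another switch and the same lookup has to be repeated there; the LLDP listing gives the directly connected device and its port name without that ambiguity, but only if both sides speak LLDP.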