albertocobo
New Member
November 28, 2022
Solved

Routing on layer 3 Fortiswitch

  • November 28, 2022
  • 4 replies
  • 5727 views

Hi all.

I have installed a FortiSwitch over a layer 3 network; my FortiSwitch is already managed by a remote FortiGate. The FortiSwitch is connected directly to a 3rd party firewall in a branch site.

 

Config looks like this:

 

config system global
    set switch-mgmt-mode fortilink
end
config switch interface
    edit "internal"
        set native-vlan 4094
        set stp-state disabled
        set snmp-index 11
    next
    edit "__FoRtILnk0L3__"
        set native-vlan 4094
        set allowed-vlans 1-4094
        set dhcp-snooping trusted
        set igmp-snooping-flood-reports enable
        set mcast-snooping-flood-traffic enable
        set snmp-index 13
    next
end
config system interface
    edit "internal"
        set ip 172.29.xx.xx 255.255.255.0
        set allowaccess ping https ssh
        set type physical
        set snmp-index 12
    next
end
config switch-controller global
    set ac-discovery-type static
    config ac-list
        edit 1
            set ipv4-address 172.29.8.1
        next
    end
end
config system ntp
    set allow-unsync-source enable
    config ntpserver
        edit 1
            set server "172.29.8.1"
        next
    end
    set ntpsync enable
end
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 172.29.254.1
    next
end

 

The FortiSwitch is connected to an access port on the firewall (a port without any VLAN tagging); on a tagged port of the firewall FortiLink did not come up due to problems with the native VLAN.

 

How do I route local VLANs in the branch? Do I have to connect another physical port FortiSwitch <--> Firewall configured as a trunk with all the VLANs? How can I do it with only one physical port?

 

I can not find any example on the Fortinet community.

 

Thanks.
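Before handing a configuration like the one above to the team that manages the firewall, it helps to sanity-check it offline. The following is an added example in Python, not code from this thread or from Fortinet: it parses the generic config/edit/set/next/end CLI nesting shown in the post into nested dicts (raising on a missing `end` or `next`) and runs a few read-only checks on the points the thread turns on: native VLAN 4094 on the FortiLink port with that VLAN allowed, the uplink marked as a DHCP-snooping trusted port, no plaintext management protocols on the management interface, a populated static AC list, and a default route towards the FortiGate. The sample config is constructed from the post (trimmed, with the missing `end` lines added and the management address left redacted as in the post); the check names and messages are my own.

```python
# Added example: parser plus read-only audit for FortiSwitchOS-style CLI text.
# Not from the thread or from Fortinet; assumes the config/edit/set/next/end grammar.
import re

# Constructed sample, trimmed from the poster's config with the missing `end`
# lines added; the management address stays redacted as in the post.
SAMPLE_CONFIG = """\
config switch interface
    edit "internal"
        set native-vlan 4094
    next
    edit "__FoRtILnk0L3__"
        set native-vlan 4094
        set allowed-vlans 1-4094
        set dhcp-snooping trusted
    next
end
config system interface
    edit "internal"
        set ip 172.29.xx.xx 255.255.255.0
        set allowaccess ping https ssh
    next
end
config switch-controller global
    set ac-discovery-type static
    config ac-list
        edit 1
            set ipv4-address 172.29.8.1
        next
    end
end
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 172.29.254.1
    next
end
"""

_TOKEN = re.compile(r'"[^"]*"|\S+')  # quoted strings or bare words


def parse_cli(text: str) -> dict:
    """Nest 'config X' tables -> 'edit N' entries -> set values (as lists).
    Raises ValueError when next/end do not match the currently open block."""
    root: dict = {}
    stack: list = [("root", root)]
    for n, raw in enumerate(text.splitlines(), 1):
        toks = [t.strip('"') for t in _TOKEN.findall(raw)]
        if not toks:
            continue
        kw, args, cur = toks[0], toks[1:], stack[-1][1]
        if kw in ("config", "edit"):
            key = ("config " if kw == "config" else "") + " ".join(args)
            stack.append((kw, cur.setdefault(key, {})))
        elif kw == "set":
            cur[args[0]] = args[1:]
        elif kw in ("next", "end"):
            if stack[-1][0] != ("edit" if kw == "next" else "config"):
                raise ValueError(f"line {n}: unexpected {kw!r}")
            stack.pop()
        else:
            raise ValueError(f"line {n}: unknown keyword {kw!r}")
    if len(stack) > 1:
        raise ValueError(f"unterminated {stack[-1][0]} block")
    return root


def vlan_allowed(vlan: int, spec: list) -> bool:
    """True if `vlan` falls inside an allowed-vlans spec such as '1-4094' or '10 20-30'."""
    for part in " ".join(spec).replace(",", " ").split():
        lo, _, hi = part.partition("-")
        if int(lo) <= vlan <= int(hi or lo):
            return True
    return False


def audit(cfg: dict) -> list:
    """Return human-readable findings; an empty list means every check passed."""
    out: list = []
    for name, port in cfg.get("config switch interface", {}).items():
        if not name.startswith("__FoRtILnk"):  # only the FortiLink uplink port(s)
            continue
        if port.get("native-vlan") != ["4094"]:
            out.append(f"{name}: native-vlan is not 4094")
        if not vlan_allowed(4094, port.get("allowed-vlans", [])):
            out.append(f"{name}: allowed-vlans does not include 4094")
        if port.get("dhcp-snooping") != ["trusted"]:
            out.append(f"{name}: not a DHCP-snooping trusted port")
    for name, iface in cfg.get("config system interface", {}).items():
        weak = {"http", "telnet"} & set(iface.get("allowaccess", []))
        if weak:
            out.append(f"{name}: plaintext management enabled: {sorted(weak)}")
    sc = cfg.get("config switch-controller global", {})
    if sc.get("ac-discovery-type") == ["static"] and not sc.get("config ac-list"):
        out.append("static AC discovery without any ac-list entry")
    routes = cfg.get("config router static", {}).values()
    if not any(r.get("dst") == ["0.0.0.0", "0.0.0.0"] for r in routes):
        out.append("no default route towards the FortiGate")
    return out


if __name__ == "__main__":
    for finding in audit(parse_cli(SAMPLE_CONFIG)) or ["no findings"]:
        print(finding)
```

Run it as a script to print the findings for the embedded sample (none, since the posted config already has native VLAN 4094, a trusted uplink, HTTPS/SSH-only management, a static AC list and a default route), or feed `parse_cli` the output of `show` from a switch to check a real configuration.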

4 replies

ebilcari
Staff
November 28, 2022

Depending on the switch model you have, you need to configure switch virtual interfaces.
A switch virtual interface (SVI) is a logical interface that is associated with a VLAN and supports routing and switching protocols.
You can assign an IP address to the SVI to enable routing between VLANs. For example, SVIs can route between two different VLANs connected to a switch (no need to connect through a layer-3 router).

Page 214 of the Standalone mode guide: https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/d49b948d-6c99-11eb-9995-00505692583a/FortiSwitchOS-6.4.6-Administration_Guide%E2%80%94Standalone_Mode.pdf

Emirjon
gfleming
Staff
November 28, 2022

Sounds like you are using FortiLink / FortiGate-managed switch here. If that's so, FortiGate takes care of all L3 routing. If you want L3 routing on the switch it needs to be in standalone mode.

albertocobo
New Member
November 29, 2022

Thanks for your reply, Emirjon and Graham.

 

This is a FortiSwitch managed by a remote FortiGate with a FortiLink over an L3 network (https://docs.fortinet.com/document/fortiswitch/7.0.4/devices-managed-by-fortios/801182/fortilink-mode-over-a-layer-3-network).

 

The FortiSwitch is connected to a 3rd party firewall to reach the FortiGate.

 

The thing is that I want to route all the local VLANs created on the FortiSwitch in the local 3rd party firewall.

 

It is not a standalone switch nor a FortiSwitch over L2.

gfleming
Staff
November 30, 2022

I've never done this before but I don't see why it wouldn't work as long as the L3 connectivity is still available from the FSW to the FGT. Did you try setting the native VLAN on the uplink port to 4094?

albertocobo
New Member
November 30, 2022

Hi gfleming,

 

This is the only thing missing that I need to test (I made the configuration in a test environment); unfortunately I'm not the manager of the firewalls and I have to ask the Security team to configure the firewall port.

 

If it works I will reply with the solution.

 

Many thanks.

albertocobo (Author, accepted answer)
New Member
December 23, 2022

Hello,

 

Finally I made the installation and all the environment works with only one FortiLink L3 connected to a 3rd party firewall with native VLAN 4094. And all the rest of the VLANs are routed on the firewall.

 

Solved.