rfernando
Staff
Description
This article shows how to link two FortiSwitches together and manage both of them from a FortiGate over a single link.

All FortiSwitch devices must be running FortiSwitchOS 3.4.2 or later. They must be upgraded prior to upgrading the FortiGate unit to FortiOS 5.4.1.

Topology

rfernando_FD38893_tn_FD38893-0.jpg

Scope
FortiOS 5.4.1, FortiSwitch 3.4.2 or later.    

Solution
1)  FortiSwitch A is managed by a FortiGate. Port24 on FortiSwitch A connects to Port5 on the FortiGate via FortiLink.

rfernando_FD38893_tn_FD38893-1.jpg

2)  The root-sw interface is created when upgrading from FortiOS 5.4 to 5.4.1. Port5 is connected to Switch A.

rfernando_FD38893_tn_FD38893-2.jpg

3)  Port5 is under root-sw and dedicated to FortiSwitch.  The 'Automatically authorized devices' function is enabled.

rfernando_FD38893_tn_FD38893-3.jpg

4)  The FortiGate CLI shows the switch IP and Port24 information.  Note that dynamic-fortilink-mode is enabled.

rfernando_FD38893_tn_FD38893-4.jpg

5)  Port24 on the new switch (Switch B) is now connected to Port23 on the first switch (Switch A) via a single cable.  It takes about a minute for the link between the switches to be established.  Once the link is up, both FortiSwitch devices show up under WiFi & Switch Controller > Managed FortiSwitch.

rfernando_FD38893_tn_FD38893-5.jpg

6)  The key point to notice after connecting both switches is that Port23 and Port24 are no longer visible in the CLI on either switch. Instead, two new "trunk" ports are created automatically, named after the device's serial number.  These trunk ports carry traffic between the two switches. Notice also that VLAN 4094 is created and is listed under both native-vlan and allowed-vlan.

rfernando_FD38893_tn_FD38893-6.jpg

7)  Assign VLAN50 to switch Port13.
(a) Create a new VLAN under FortiGate > FortiSwitch VLANs > Create New. This automatically creates a new VLAN sub-interface under the root-sw switch interface.

(b) Enable DHCP and assign a range.  Administrative Access (https, ping, etc.) can also be enabled.

By default, switch Port13 belongs to the vsw.root-sw VLAN.  Now assign VLAN50 to Port13 on the newly added switch (right-click on vsw.root-sw and select VLAN50) and connect the workstation to that port.  The workstation gets its DHCP address from the DHCP range of the FortiGate's VLAN50 interface under the root-sw interface.

Many VLANs can be created under FortiGate > FortiSwitch VLANs, and VLANs can be assigned to switch ports under FortiGate > FortiSwitch Ports.

rfernando_FD38893_tn_FD38893-7.jpg

8)  Verify the connectivity by pinging workstation 192.168.50.2.

rfernando_FD38893_tn_FD38893-8.jpg
