vpatil
Staff
Article Id 192939
Description
This article describes what to do when a FortiSwitch shows as online on the wrong FortiGate.

Related links:

https://docs.fortinet.com/product/fortiswitch/6.4
LLDP profile, page# 117 https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/b895b007-f1f3-11e9-8977-005056...

Solution
Setup.

In some deployments, the requirement is to manage each FortiSwitch from its respective FortiGate while the FortiSwitches are connected to each other with an inter-switch link.
For example, in the diagram below, the requirement is that 'FSW1' is managed by 'FGT1' and 'FSW2' is managed by 'FGT2'.
In such setups, the issue seen is that both FortiSwitches show up on both FortiGates and the connection fluctuates.

Solution.

By default, all FortiSwitch ports are mapped to the 'default-auto-isl' LLDP profile.
That is why, when two managed FortiSwitches are connected with an inter-switch link (ISL), they automatically form a FortiLink trunk over it and each one also tries to come online on the other FortiGate.
For example:

FSW # show switch physical-port port1               <----- 'LLDP' profile is set to 'default-auto-isl'.
# config switch physical-port
    edit "port1"
        set lldp-profile "default-auto-isl"
        set speed auto
    next
end

FSW # show switch lldp profile default-auto-isl    <----- 'default-auto-isl' LLDP profile has 'auto-isl enable'.
# config switch lldp profile
    edit "default-auto-isl"
        set auto-isl enable
    next
end
So, while deploying such setups, follow the steps below:
1) First bring up 'FSW1' on 'FGT1' and 'FSW2' on 'FGT2'. Do not connect the link between the two FortiSwitches (Port3) yet.

2) Map the 'default' LLDP profile to port3 on both FortiSwitches.
The 'default' LLDP profile has auto-isl disabled, so the FortiSwitches will not form an ISL FortiLink trunk and will not come online on the other FortiGate.
The profile can be mapped from the FortiGate GUI. Go to WiFi & Switch Controller -> FortiSwitch Ports, select the port, select the 'LLDP' profile column, edit it and map the 'default' LLDP profile.
If the LLDP profile column is not visible, right-click the column header and add the column:
3) On 'FGT1', disable discovery for the 'FSW2' serial number, and on 'FGT2', disable discovery for the 'FSW1' serial number. For example:
FortiGate # config switch-controller global
FortiGate (global) # set disable-discovery <switch serial#>
FortiGate (global) # end
Related link:
https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/85f6d214-7c18-11e9-81a4-00505...

4) Connect the ISL (Port3) on both FortiSwitches. The FortiSwitches will not come online on the other FortiGate.
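Steps 2 and 3 can also be done from the FortiGate CLI instead of the GUI. The following is an added example, not part of the original article: it is run on 'FGT1', the serial numbers are placeholders, and the mirror image (FSW2's port3, FSW1's serial) is run on 'FGT2'.

```fortios
# Added example (not from the article). Run on FGT1; values in <...> are placeholders.

# Step 2 (CLI form): push the 'default' LLDP profile (auto-isl disabled)
# to the ISL-facing port of the switch this FortiGate manages.
config switch-controller managed-switch
    edit "<FSW1-serial>"
        config ports
            edit "port3"
                set lldp-profile "default"
            next
        end
    next
end

# Step 3: stop FGT1 from discovering and managing FSW2.
# 'set' overwrites the whole disable-discovery list; if other serials are
# already listed, use 'append disable-discovery "<FSW2-serial>"' instead.
config switch-controller global
    set disable-discovery "<FSW2-serial>"
end

# Checks to run before cabling Port3:
#  - On FSW1:  show switch physical-port port3            -> set lldp-profile "default"
#  - On FGT1:  show switch-controller global              -> disable-discovery lists FSW2
#  - On FGT1:  execute switch-controller get-conn-status  -> only FSW1 is listed
```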

What if the inter-switch link (ISL) was already connected and the FortiSwitches are showing up on the wrong FortiGate?

In that scenario, follow these steps:
- Disconnect the ISL between the FortiSwitches.
- Delete the switch entry from the wrong FortiGate. Go to Managed FortiSwitch and select the FortiSwitch and select 'Delete'.
- Take CLI access to both FortiSwitches and delete the FortiLink ISL trunk.

For example, if FortiSwitch S248EFTF1-----75 Port23 is connected to FortiSwitch S248EFTF18-----1 Port23, both FortiSwitches will have an automatically formed ISL FortiLink trunk.
Delete the trunk:

On FSW S248EFTF1-----75:
# sh switch trunk
    edit "8EFTF18-----1-0"
        set mode lacp-active
        set auto-isl 1
        set members "port23"

# config switch trunk
    delete "8EFTF18-----1-0"
end

On FSW S248EFTF18-----1:
# sh switch trunk
    edit "8EFTF18000075-0"
        set mode lacp-active
        set auto-isl 1
        set members "port23"

# config switch trunk
    delete "8EFTF1-----75-0"
end
- Once the trunks are deleted, follow steps 1-4.
