In some cases, the requirement is to bring up a FortiSwitch in FortiLink mode, but the FortiSwitch is not directly connected to the FortiGate.
There is a layer 3 network between FortiGate and FortiSwitch.
Read the links below before starting the configuration:
https://docs.fortinet.com/document/fortiswitch/7.2.4/fortilink-guide/801182/fortilink-mode-over-a-la...
https://docs.fortinet.com/document/fortiswitch/7.0.8/devices-managed-by-fortios/801182/fortilink-mod...
Note that the layer 3 FortiLink configuration changed in version 7.2.x and later.
Refer to the below configuration:
FortiGate v7.2.4.
FortiSwitch v7.2.3.
FortiGate config:
Configure a Fortilink interface:
sh system interface port

config system interface
    edit "port3"
        set vdom "root"
        set fortilink enable
        set switch-controller-source-ip fixed     <----- Make sure to enable this option.
        set ip 11.11.11.1 255.255.255.0
        set allowaccess ping fabric
        set type physical
        set device-identification enable
        set lldp-reception enable
        set lldp-transmission enable
        set snmp-index 5
        set auto-auth-extension-device enable
        set fortilink-neighbor-detect lldp
        set switch-controller-nac "port3"
        set switch-controller-dynamic "port3"
        set swc-first-create 255
    next
end
When FortiLink is enabled on the FortiGate, the FortiLink interface is automatically added to the NTP server configuration:
sh system ntp

config system ntp
    set ntpsync enable
    set server-mode enable
    set interface "port3"
end
FortiSwitch config:
1) Create the trunk:
config switch trunk
    edit "fortilink"
        set static-isl enable
        set members "port47"
    next
end
2) By default, the FortiLink management VLAN is 4094:
config switch auto-network
    set mgmt-vlan 4094
    set status enable
end
3) Configure the FortiGate FortiLink IP on the FortiSwitch (static discovery is used in this example):
config switch-controller global
    set ac-discovery-type static
    config ac-list
        edit 1
            set ipv4-address 11.11.11.1     <-----
        next
    end
end
4) Add the NTP server (the FortiGate FortiLink IP) to the FortiSwitch NTP config. The FortiSwitch will sync its time with the FortiGate:
config system ntp
    config ntpserver
        edit 1
            set server "11.11.11.1"     <-----
        next
    end
    set ntpsync enable
end
5) Now, if the switch interface config is checked, it should look like this, with the native VLAN set to 4094:
sh switch interface internal

config switch interface
    edit "internal"
        set native-vlan 4094     <------ The internal interface will only have VLAN 4094.
        set stp-state disabled
        set snmp-index 53
    next
end
sh switch interface fortilink

config switch interface
    edit "fortilink"
        set native-vlan 4094
        set allowed-vlans 1,22,4088-4094     <----- All L2 VLANs are allowed by default.
        set dhcp-snooping trusted
        set stp-state disabled     <----- STP is enabled by default; here it is disabled as this is a point-to-point link.
        set edge-port disabled
        set snmp-index 56
    next
end
6) By default, the internal interface is in DHCP mode; here it is configured with a static IP:
config system interface
    edit "internal"
        set mode static
        set ip 21.21.21.2 255.255.255.0
        set allowaccess ping https ssh
        set type physical
        set secondary-IP enable
        set snmp-index 55
        config secondaryip
            edit 1
                set ip 192.168.1.99 255.255.255.0
                set allowaccess ping https ssh
            next
        end
    next
end
- Make sure the FortiSwitch and FortiGate can reach each other across the layer 3 network, and that the services FortiLink depends on (NTP, CAPWAP, LLDP, ICMP) are allowed along that path.
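Most layer 3 FortiLink failures come down to one value disagreeing between the two boxes (the ac-list or NTP server not matching the FortiLink IP, or the management VLAN not matching the native VLAN). The following added example, which is not Fortinet code and is not part of the original article, parses the CLI dumps above (it accepts them flattened onto one line, as this page shows them) and cross-checks those values; the sample configs are condensed from the page's snippets.

```python
import shlex

KEYWORDS = {"config", "edit", "set", "next", "end"}

def parse_forti(text):
    """Parse FortiOS/FortiSwitchOS CLI (config/edit/set/next/end) into nested dicts."""
    root, stack, tok, i = {}, [], shlex.split(text), 0
    while i < len(tok):
        cur, kw, i = (stack[-1] if stack else root), tok[i], i + 1
        j = i
        while j < len(tok) and tok[j] not in KEYWORDS:   # values run until the next keyword
            j += 1
        args, i = tok[i:j], j
        if kw in ("config", "edit"):                     # open a nested block
            stack.append(cur.setdefault(" ".join(args), {}))
        elif kw == "set":                                # attribute -> list of values
            cur[args[0]] = args[1:]
        else:                                            # next / end close a block
            stack.pop()
    return root

def check_l3_fortilink(fgt, fsw, port="port3"):
    """Return mismatches between the FortiGate FortiLink port and the FortiSwitch."""
    p, issues = fgt["system interface"][port], []
    if p.get("fortilink") != ["enable"]:
        issues.append(f"{port}: fortilink not enabled")
    if p.get("switch-controller-source-ip") != ["fixed"]:
        issues.append(f"{port}: switch-controller-source-ip must be fixed for L3 FortiLink")
    fl_ip = p["ip"][0]
    ac = fsw["switch-controller global"]["ac-list"]["1"].get("ipv4-address")
    if ac != [fl_ip]:
        issues.append(f"ac-list ipv4-address {ac} != FortiLink IP {fl_ip}")
    ntp = fsw["system ntp"]["ntpserver"]["1"].get("server")
    if ntp != [fl_ip]:
        issues.append(f"switch NTP server {ntp} != FortiLink IP {fl_ip}")
    vlan = fsw["switch auto-network"]["mgmt-vlan"]
    for name, intf in fsw["switch interface"].items():
        if intf.get("native-vlan") != vlan:
            issues.append(f"{name}: native-vlan {intf.get('native-vlan')} != mgmt-vlan {vlan}")
    return issues

# Constructed samples, condensed from the page's snippets (one-line form, as the page shows them).
FGT_CFG = ('config system interface edit "port3" set fortilink enable '
           'set switch-controller-source-ip fixed set ip 11.11.11.1 255.255.255.0 next end')
FSW_CFG = ('config switch auto-network set mgmt-vlan 4094 set status enable end '
           'config switch-controller global set ac-discovery-type static '
           'config ac-list edit 1 set ipv4-address 11.11.11.1 next end end '
           'config system ntp config ntpserver edit 1 set server "11.11.11.1" next end set ntpsync enable end '
           'config switch interface edit "internal" set native-vlan 4094 next '
           'edit "fortilink" set native-vlan 4094 next end')
```

Calling `check_l3_fortilink(parse_forti(FGT_CFG), parse_forti(FSW_CFG))` returns an empty list for the page's values; paste real `show` output in place of the samples to check a live pair.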
Helpful Commands on FortiSwitch:
get system interface

== [ internal ]
name: internal   mode: static   ip: 21.21.21.2 255.255.255.0   status: up   type: physical   mtu-override: disable
get sys arp

Address         Age(min)   Hardware Addr       Interface
21.21.21.1      0          00:12:e2:0f:5f:e6   internal
execute ping 21.21.21.1

PING 21.21.21.1 (21.21.21.1): 56 data bytes
64 bytes from 21.21.21.1: icmp_seq=0 ttl=64 time=1.6 ms
64 bytes from 21.21.21.1: icmp_seq=1 ttl=64 time=1.2 ms
diagnose sys ntp status

synchronized: yes, ntpsync: enabled, server-mode: disabled

ipv4 server(11.11.11.1) 11.11.11.1 -- reachable(0xff) S:1 T:47 selected
    server-version=4, stratum=3
    reference time is e8202c2a.69cd1b6f -- UTC Tue May 30 08:02:50 2023
    clock offset is 0.001227 sec, root delay is 0.218719 sec
    root dispersion is 0.010483 sec, peer dispersion is 48 msec
diagnose switch trunk summary

Trunk Name   Mode          PSC          MAC                 Status    Up Time
____________ _____________ ____________ ___________________ _________ ______________________________________
fortilink    static(isl)   src-dst-ip   E8:ED:D6:CB:67:61   up(1/1)   1 days,18 hours,49 mins,12 secs
execute switch-controller get-conn-status

Get managed-switch S148Fxxxxx connection status:
    Connection:     Connected
    Image Version:  FG200F-v7.2-build1396
    Remote Address: 11.11.11.1
    Join Time:      Tue May 30 00:06:53 2023
    DTLS Version:   DTLSv1.2
Helpful commands on FortiGate:
execute switch-controller get-conn-status

Managed-devices in current vdom root:

FortiLink interface : port3
SWITCH-ID      VERSION        STATUS          FLAG   ADDRESS      JOIN-TIME                  NAME
S148FFxxxxx    v7.2.3 (434)   Authorized/Up   3      21.21.21.2   Tue May 30 00:06:53 2023   -

Flags: C=config sync, U=upgrading, S=staged, D=delayed reboot pending, E=config sync error, 3=L3
Managed-Switches: 1 (UP: 1 DOWN: 0 MAX: 64)
execute switch-controller diagnose-connection