Description
This article describes how a single FortiGate unit manages multiple FortiSwitch units using a hardware or software switch interface.
Some small deployments require a FortiGate to manage multiple FortiSwitch units. Although this topology is supported, it is not recommended. Refer to the supported FortiSwitch topologies for the FortiGate version in use.
Scope
FortiOS v7.2.4; other versions might work.
Solution
Summary of the steps:
1) Factory reset each FortiSwitch.
2) Configure and use a hardware or software switch on the FortiGate.
3) Reboot the FortiGate.
4) Delete all authorized switches from the topology.
5) Start connecting the FortiSwitches on the ports configured in step 2.
What to expect with this topology: using hardware or software switches is not recommended.
Some unexpected behavior might occur on the FortiGate, regardless of the model. This behavior includes the following:
- FortiSwitches go offline: in this case, make sure no cable creates a loop.
- High traffic might disrupt the network.
- Do not create rings under this topology.
- The more FortiSwitches are included in this (star) topology, the more the throughput and efficiency of the network decrease. Using the hardware or software switch interface in FortiLink mode is not recommended in most cases; it can be used when the traffic on the ports is very light, because all traffic between the switches moves through the FortiGate unit.
This lab was completed using:
- FortiGate 100E v7.2.4.
- FortiSwitch 224E-POE v7.2.3.
- FortiSwitch 108E-POE v7.2.4.
Before reproducing this lab, consider the following limitations:
Also, consider using a different type of interface. The most recommended is the 802.3ad aggregate interface: link aggregation (LAG) combines two or more physical Ethernet links into one logical link, which increases throughput compared with a single link. The FortiLink can then carry more traffic than one physical link, which is the limitation of this topology (a single FortiGate unit managing multiple FortiSwitch units using a hardware switch interface).
When using a hardware switch, the FortiGate participates in the STP topology, acting as an L2 device as well. https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/154471/interfaces
If using an 802.3ad interface to connect the FortiSwitches in cascade mode, review the topologies available here:
Procedure:
1) If an interface already exists as a Hardware Switch, use it; otherwise create a new one: Interfaces -> Create new -> Interface -> Type -> Hardware Switch or Software Switch -> OK.
Give the interface a name in this step.
2) In the WiFi & Switch Controller menu, select Network -> Interfaces. Open the Hardware Switch or Software Switch interface created in step 1 by selecting its name, then edit it with the button on the right: Edit in CLI. Enter the command show full-configuration; it will show that the interface has FortiLink disabled. Run the command below to enable it:
set fortilink enable
After completing this step, check the interface again to confirm that the Dedicated to FortiSwitch option is enabled and that the DHCP status is Enabled; finally, assign the ports needed to connect the switches (in this example, port1 and port4 are used).
Hardware Switch:
Software Switch: the procedure is the same; continue with step 3 onwards.
3) Perform a factory reset on each FortiSwitch to be managed in this topology by running the following command on its CLI:
execute factoryreset
4) Delete all the authorized switches previously configured under Managed FortiSwitches: select each switch -> Deauthorize.
5) Connect the FortiSwitches to the ports already assigned to the Hardware switch in step 2.
6) Reboot the FortiGate:
execute reboot
7) After the reboot, the topology created with the Hardware switch should be visible. As displayed, more FortiLink interfaces have been created; fortilink1 was dedicated to an aggregate interface.
Hardware switch topology:
Software switch topology:
The VLAN assignment is the same as for any other FortiLink interface. Use only the VLANs needed, and make sure VLAN1 is not used for any purpose other than FortiLink.
Related document:
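The manual checks in step 2 (interface type is a hardware or software switch, FortiLink enabled, DHCP server enabled on it, the intended ports assigned as members) can be verified from the text that show full-configuration prints. The script below is an added example written for this article, not Fortinet code: it parses the nested config/edit/set/next/end layout of FortiOS show output and reports which expected settings are missing. The sample output it runs on is constructed, the interface name hwsw is an assumption, and the setting names (type, fortilink, member, status, interface) are assumed from FortiOS CLI output.

```python
"""Check the FortiLink switch-interface settings from `show full-configuration` text.

Added example for this article (not Fortinet code). Interface name "hwsw",
the sample output and the setting names are assumptions.
"""
import re

# Constructed sample output, shaped like FortiOS `show full-configuration`.
# "hwsw" is the hardware switch before `set fortilink enable` was run;
# "fortilink" is an aggregate interface that already carries FortiLink.
SAMPLE_CONFIG = """\
config system interface
    edit "hwsw"
        set vdom "root"
        set fortilink disable
        set type hard-switch
        set member "port1" "port4"
        set stp enable
    next
    edit "fortilink"
        set vdom "root"
        set fortilink enable
        set type aggregate
        set member "port5" "port6"
    next
end
config system dhcp server
    edit 1
        set status enable
        set interface "hwsw"
    next
end
"""


def parse_tables(text):
    """Return {table: {entry: {setting: [values]}}} from show output.

    Only top-level tables (e.g. "system interface") are read; sub-tables
    nested inside an edit block (e.g. "config ipv6") are skipped.
    """
    tables, stack, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            stack.append(line[len("config "):])
            tables.setdefault(stack[0], {})
            continue
        if line == "end":
            stack.pop()
            continue
        if len(stack) != 1:
            continue  # inside a nested sub-table
        m = re.match(r'edit\s+"?([^"]+)"?$', line)
        if m:
            current = m.group(1)
            tables[stack[0]][current] = {}
            continue
        if line == "next":
            current = None
            continue
        m = re.match(r"set\s+(\S+)\s+(.*)$", line)
        if m and current is not None:
            # values are either "quoted" or bare tokens
            pairs = re.findall(r'"([^"]*)"|(\S+)', m.group(2))
            tables[stack[0]][current][m.group(1)] = [q or u for q, u in pairs]
    return tables


def check_fortilink_interface(tables, name, expected_members):
    """Return the list of problems found on the interface meant to carry FortiLink."""
    problems = []
    settings = tables.get("system interface", {}).get(name)
    if settings is None:
        return [f"interface {name} not found"]
    if settings.get("type", [None])[0] not in ("hard-switch", "switch"):
        problems.append(f"{name}: type is not a hardware or software switch")
    if settings.get("fortilink", ["disable"])[0] != "enable":
        problems.append(f"{name}: fortilink is disabled; run 'set fortilink enable'")
    missing = sorted(set(expected_members) - set(settings.get("member", [])))
    if missing:
        problems.append(f"{name}: ports not assigned as members: {', '.join(missing)}")
    dhcp_ok = any(
        s.get("interface", [None])[0] == name and s.get("status", ["disable"])[0] == "enable"
        for s in tables.get("system dhcp server", {}).values()
    )
    if not dhcp_ok:
        problems.append(f"{name}: no enabled DHCP server bound to the interface")
    return problems


if __name__ == "__main__":
    for issue in check_fortilink_interface(parse_tables(SAMPLE_CONFIG), "hwsw", ["port1", "port4"]):
        print(issue)
```

Paste the real show full-configuration output in place of the constructed sample; a clean result is an empty list, and each reported line names the step-2 setting still to be fixed.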
Copyright 2024 Fortinet, Inc. All Rights Reserved.