Created on 09-22-2022 12:14 PM Edited on 09-22-2022 12:15 PM By Anonymous
Description: This article describes the steps to configure a separate ISL between two managed FortiSwitches for data traffic.
Scope: FortiGate and FortiSwitch 6.4.x and above.
Solution:
Sometimes the requirement is to segregate data traffic from control traffic between managed FortiSwitches. Refer to the diagram below:
In this example, port3 on the FortiSwitch 448D and port7 on the FortiSwitch 108E form the ISL FortiLink trunk. By default, all VLANs are allowed on the FortiLink trunk; here the requirement is that data traffic on vlan11 uses a different link, port6.
Configuration Steps:
1) In the above example, a trunk interface 'usertraffic_isl' is created. If required, more ports can be added as members of the trunk (LACP). The user VLAN is mapped as the native VLAN; multiple allowed VLANs can also be added if required.
2) Create a separate MSTP instance ID on both FortiSwitches and add vlan11 to the MSTP instance. Make sure that the core FortiSwitch is the STP root bridge, so a lower STP priority is required on the core switch. This step is needed so that the trunk 'usertraffic_isl' does not move to the alternate state.
If multiple VLANs are present, a VLAN range can be given as well, for example 1,3-4,6,7,9-100. The command will then be:
set command "config switch stp instance %0a edit 1 %0a set vlan-range 11-100 %0a end %0a"
- Use custom commands on the FortiGate to push the STP instance configuration to the FortiSwitches. Here two custom commands are created: one for the access FortiSwitch 448D, 'StpInstanceAccessFSW', and one for the core FortiSwitch 108E, 'StpInstanceCoreFSW'.
# config switch-controller custom-command
    edit "StpInstanceAccessFSW"
        set command "config switch stp instance %0a edit 1 %0a set vlan-range 11 %0a end %0a"
    next
    edit "StpInstanceCoreFSW"
        set command "config switch stp instance %0a edit 1 %0a set vlan-range 11 %0a set priority 4096 %0a end %0a"
    next
end
- Map the custom commands to respective FortiSwitches.
# config switch-controller managed-switch
    edit "S108EF5919000846"
        config custom-command
            edit "1"
                set command-name "StpInstanceCoreFSW"
            next
        end
    next
end
# config switch-controller managed-switch
    edit "S448DN3X16000002"
        config custom-command
            edit "1"
                set command-name "StpInstanceAccessFSW"
            next
        end
    next
end
- Connect a client on native vlan11 port1 of the 448D FortiSwitch and ping the gateway 11.11.11.1 on the FortiGate. The ping should work, and the traffic should be seen hitting the 'usertraffic_isl' trunk interface.
Log in to the FortiSwitches and verify the results:
1) On the core FortiSwitch 108E, the MAC address is learned on the 'usertraffic_isl' interface:
S108EF # diagnose switch mac-address list | grep e4:b9:7a:55:48:20
MAC: e4:b9:7a:55:48:20 VLAN: 23 Trunk: usertraffic_isl(trunk-id 2)
2) On the access FortiSwitch 448D, the same MAC address is learned on port1:
MAC: e4:b9:7a:55:48:20 VLAN: 23 Port: port1(port-id 1) Flags: 0x00010441 [ hit dynamic src-hit native ]
Useful Links:
- FortiGate custom command: https://docs.fortinet.com/document/fortiswitch/7.2.1/fortilink-guide/173262/executing-custom-fortisw...
- STP: https://docs.fortinet.com/document/fortiswitch/7.2.2/administration-guide/364614/stp
Reference KB article: https://community.fortinet.com/t5/FortiSwitch/Technical-Tip-Configure-STP-priority-using-custom-comm...
Useful FortiSwitch commands:
# diag stp instance list
# diag switch mac-address list
# diag switch trunk summary
# diag switch trunk list
# show switch interface
# show switch trunk
# show switch stp instance