Sometimes, the requirement is to segregate data traffic and control traffic between Managed FortiSwitches.

Refer to the below diagram: -

Here on FortiSwitch 448D port3 and FortiSwitch 108E port7 are ISL FortiLink trunk.

By default, all vlans are allowed in FortiLink trunk, here the requirement is that there should be a different link port6 for data vlan11 traffic.

Configuration Steps: -

1) In above example, a trunk interface 'usertraffic_isl' is created.

 If required, more ports can be added as member of trunk (LACP). The user vlan is mapped as native vlan, one can add multiple allowed vlans as well if required.

2) Create a separate MSTP instance ID on both FortiSwitches - add vlan11 to the MSTP instance – make sure that core FortiSwitch is the stp root bridge, so a lower stp priority on core switch is required. This  step is needed, so that the trunk 'usertraffic_isl' doesn’t move to alternate state.

If multiple vlans are present, then one can give a vlan range as well. For example:- 1,3-4,6,7,9-100, so the command will be

'set command config switch stp instance %0a edit 1 %0a set vlan-range 11-100 %0a end %0a'

- Use custom commands on the FortiGate to push stp instance config to the FortiSwitches. Here 2 custom command are created:-

one for access FortiSwitch 448D ‘StpInstanceAccessFSW' and one for core FortiSwitch 108E 'StpInstanceCoreFSW'.

# config switch-controller custom-command

       edit "StpInstanceAccessFSW"

           set command "config switch stp instance %0a edit 1 %0a set vlan-range 11 %0a end %0a"

        next

        edit "StpInstanceCoreFSW"

          set command "config switch stp instance %0a edit 1 %0a set vlan-range 11 %0a set priority 4096 %0a end %0a"

        next

   end

- Map the custom commands to respective FortiSwitches.

# config switch-controller managed-switch

        edit "S108EF5919000846"

           config custom-command

               edit "1"

                  set command-name "StpInstanceCoreFSW"

   end

# config switch-controller managed-switch

        edit "S448DN3X16000002"

           config custom-command

               edit "1"

                   set command-name "StpInstanceAccessFSW"

  end

- Connect a client on native vlan11 port1 of 448D FortiSwitch and ping the gateway on FortiGate 11.11.11.1. The ping should work fine, and the traffic hitting the 'usertraffic_isl' trunk interface should be seen.

Login to the FortiSwitch and verify the results: -

1) On core FortiSwitch 108E, mac address is learnt on 'usertraffic_isl' interface,

 S108EF # diagnose switch  mac-address list | grep e4:b9:7a:55:48:20

MAC: e4:b9:7a:55:48:20  VLAN: 23 Trunk: usertraffic_isl(trunk-id 2)

2) On access FortiSwitch 448D:-

MAC: e4:b9:7a:55:48:20  VLAN: 23 Port: port1(port-id 1)

  Flags: 0x00010441 [ hit dynamic src-hit native ]

Useful Links: -

FortiGate custom command: https://docs.fortinet.com/document/fortiswitch/7.2.1/fortilink-guide/173262/executing-custom-fortisw...

STP: https://docs.fortinet.com/document/fortiswitch/7.2.2/administration-guide/364614/stp

Reference KB article: https://community.fortinet.com/t5/FortiSwitch/Technical-Tip-Configure-STP-priority-using-custom-comm...

Useful FortiSwitch commands:

# diag stp instance list

# diag switch mac-address list

# diag switch trunk summary

# diag switch trunk list

# show switch interface

# show switch trunk

# show switch stp instance