BobAHomeOfficeUser
New Contributor II

How to set up FG 40F to manage two independent switches?

Would like to set up Fortigate 40F to manage two independent (not interconnected) switches.
One switch located in home office space.
Other switch located near printers and entertainment devices.

There is little traffic between the switches. Occasionally traffic between office and printers.

Have already re-allocated lan3 from the hardware switch to the fortilink 802.3ad interface; and disabled the split link interface on fortilink.

Even so, only one switch shows as online at a time.

Currently:

hardware / OS:
1 FortiGate 40F FortiOS v7.0.5
1 FortiSwitch 108E v7.0.3
1 FortiSwitch 108F v7.0.3

Physical connections:
FG40F port lan3 - FS108E port 8
FG40F port a - FS108F port 8

current fortilink configuration:
config system interface
    edit "fortilink"
        set vdom "root"
        set fortilink enable
        set ip 192.168.4.1 255.255.255.0
        set allowaccess ping fabric
        set type aggregate
        set member "a" "lan3"
        set lldp-reception enable
        set lldp-transmission enable
        set snmp-index 6
        set auto-auth-extension-device enable
        set fortilink-split-interface disable
        set switch-controller-nac "fortilink"
        set switch-controller-dynamic "fortilink"
        set swc-first-create 255
    next
end

Can this be done using a single fortilink interface? If so, what configuration changes are needed?

Does a second independent 802.3ad aggregate and/or fortilink interface need to be added? Is this even possible? (I'm not afraid of the CLI interface; but I need to know what to enter.)

What relevant documentation exists to address this specific question?

Bob a home office user
Anthony_E
Community Manager

Hello Bob,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager

Hi Bob,

I have found this KB article:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Set-up-hardware-switch-interface-as-port-m...

Could you please tell me if it helped?

If not, we will find another solution to answer your question.

Regards,

Anthony-Fortinet Community Team.
BobAHomeOfficeUser

Anthony,


Thanks for taking the time to answer.


The link provided discusses how to configure a port to be an HA port monitor.
I followed the steps of:
1. Dissociate port3 from the lan
2. Configure port3
2a. Role LAN
2b. Addressing mode Manual
2c. IP 192.168.3.1
2d. Administrative access HTTPS / PING / FMG_Access / Security Fabric connection
3a. Additionally I set up a DHCP Server; as the switch being connected has no fixed IP address (yet)
3b. Additionally set up a firewall policy to access the 192.168.3.0 subnet

Result so far is that I can ping and get administrative access by logging directly on to the switch at its assigned IP address. The only management mode on the switch is local management.

Back on the fortigate, the link3 shows up, and the DHCP client is assigned; but the switch does not appear under managed switches.

I'm back to my original questions
A. Can this be done using a single fortilink interface?
A1. If so, what configuration changes are needed?
A2. Is set type aggregate appropriate? What other options exist for a Fortilink?

B. Does a second independent fortilink interface need to be added?
B1. Is this even possible?
B2. (I'm not afraid of the CLI interface; but I need to know what to enter.)

Regards,

Bob

Bob a home office user
sachitdas_FTNT

Hi,

Please refer to https://docs.fortinet.com/document/fortiswitch/7.0.4/devices-managed-by-fortios/801202/single-fortig...

Regards,
Sachit Das
ETAC Engineer
Wifi-Switching – International Support
BobAHomeOfficeUser

Sachit,

Thanks for taking the time to answer. 

The link is a diagram of a topology; but doesn't address the steps to make all the switches managed by the Fortigate.

Regards,

Bob

Bob a home office user
sachitdas_FTNT

Hi Bob,

You need to configure interface type as hardware switch on FGT - map 2 ports of FGT as member of hardware switch - connect the switches to the ports.

Regards,
Sachit Das
ETAC Engineer
Wifi-Switching – International Support
ede_pfau
Esteemed Contributor III

@BobAHomeOfficeUser Indeed, if you want to manage multiple switches you need to enable 'fortilink-split-interface' mode.

As there can only be one fortilink on each FGT, you will need to either use a hardware switch, a software switch or an aggregate (LACP). As you are already using the latter, you're fine.

The fortilink interface offers IP addresses to switches via DHCP.

Make sure you connect the switches using switch ports which have auto-detection enabled. These ports vary with the switch model. On a FS-108E, it's port 7-10. On a FS-108F, I would assume the same ports. The table in https://docs.fortinet.com/document/fortiswitch/7.0.4/devices-managed-by-fortios/173260/configuring-f... does not mention the F series switches.

So, in short:

- use a multiport interface

- enable split mode

- connect an auto-detecting switchport on each switch


Ede

"Kernel panic: Aiee, killing interrupt handler!"