Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
KennyLi
New Contributor II

Created on ‎10-10-2023 06:01 AM Edited on ‎02-26-2024 06:50 AM By Community Manager

Config Trunk Ports between Fortigate and Fortiswitch

Hi All,

 

I am suffering by the trunk port crash when two trunk ports plugged between Forigate and Fortiswitch

 

Environment: I am using 1x Fortigate 80F, 1x Fortiswitch 124F-POE and 6x FortiAP 431F.

 

The cable connections are below:

a. 6x FortiAPs are connected with 124F (Port 1 - 6) with PoE enabled

b. 80F is connecting with 124F as below:

     i) Fortilink Ports: 80F dedicate Ports (a and b) connect to 124F (23 and 24 Ports)

     ii) Trunk Ports: 80F (Port 5 and 6 ) connect to 124F (21 and 22 Ports)

 

The trunk port configured as:

     i) MC-LAG: disabled

     ii) Mode: Static

     iii) Enabled Features: Edge Port and Spanning Tree Protocol

 

When I configured the trunk port and plug two cables to the port, all the port in the switch crashed, because I cannot ping the gateway in 80F as well as the FortiAP will lost the configuration and failed connect with wireless devices (no SSID showed). Only the network resumed if unplug one of the trunk ports.

 

I have tried but no luck:

a) Removed the Edge Port in trunk ports

b) Change to another ports as new trunk ports

c) Replace the Cat 6 cables.

 

Please can you help on this? 

Thanks

Ken

Labels:
5258
0 Kudos
1 Solution
ebilcari
Staff
Staff
In response to KennyLi

Created on ‎10-11-2023 01:40 AM

You have to create a normal VLAN on the Switch controller and assign an IP and a DHCP scope. Don't forget to enable Security Fabric Connection, this will allow the AP to build the tunnel automatically with FGT.

AP port.png

and make this VLAN as Native VLAN on the ports where the APs are connected:

AP-vlan.PNG

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

View solution in original post

5178
10 REPLIES 10
ebilcari
Staff
Staff

Created on ‎10-10-2023 08:20 AM

If you have already configured two ports as part of the FortiLink, why do you need to add another trunk?

FortiLink will be used to transfer user data and multiple VLANs if needed, the topology is shown here.

All the VLANs that are created in FGT> Switch Controller will be added automatically in the FortiLink interface.

fl-vlans.PNG

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
4692
KennyLi
New Contributor II
In response to ebilcari

Created on ‎10-10-2023 08:38 AM

Hi elilcari,

Thank you for your reply.

Actually I missed to mentioned that I tried to use two fortilink ports, but the devices connected with switch cannot ping the gateway in 80F. I have followed the instruction here, and followed the topology you provided.

There is a little bit different the screen you share with my side, please see attached for detail.

I think maybe I have config the devices inappropriate.

 

Picture 1: fortilink interface under FGT> Switch Controller

Screenshot 2023-10-10 at 11.29.51 PM.png

 

Image 2: Fortilink under FGT>Network>Interfaces

Screenshot 2023-10-10 at 11.28.40 PM.png

 

Please can you take a look and advice? 

Thanks

 

 

4688
0 Kudos
ebilcari
Staff
Staff
In response to KennyLi

Created on ‎10-10-2023 08:56 AM

The configuration of FL is ok, mine just use a single port for it (port5) that's why it show differently. I see that you have only the built in VLANs created, you can go on and create the necessary VLANs and their IP configurations in WiFi & Switch controller> FortiSwitch VLANs

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
4679
KennyLi
New Contributor II

Created on ‎10-10-2023 08:45 AM

One more thing, I have created the SSID with the DHCP for the FortiAP, that connected with the Fortiswitch (Port 1 - 6), is it necessary to add the subnet/vlan to the fortilink interface? attached the settings below for your reference. Thanks again

Screenshot 2023-10-10 at 11.42.30 PM.png

4686
0 Kudos
ebilcari
Staff
Staff
In response to KennyLi

Created on ‎10-10-2023 09:03 AM

If you are using "Tunnel" like shown above than there is no need to create WiFi user's VLAN on the ports where the APs connect. Only the AP's management VLAN is needed to be configured on these ports 1-6, all the WiFi user's traffic is tunneled from AP directly to the FGT, FSW is transparent in this case. For SSIDs in bridge mode you need to span the VLANs on the AP port.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
4676
KennyLi
New Contributor II
In response to ebilcari

Created on ‎10-10-2023 10:03 AM

Hi ebilcari,

Thank you for your help.

I am not familiar on AP's management VLAN is needed to be configured for port 1-6, may I know how to do this? Thanks again

4665
0 Kudos
ebilcari
Staff
Staff
In response to KennyLi

Created on ‎10-11-2023 01:40 AM

You have to create a normal VLAN on the Switch controller and assign an IP and a DHCP scope. Don't forget to enable Security Fabric Connection, this will allow the AP to build the tunnel automatically with FGT.

AP port.png

and make this VLAN as Native VLAN on the ports where the APs are connected:

AP-vlan.PNG

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
5179
KennyLi
New Contributor II
In response to ebilcari

Created on ‎10-11-2023 07:54 AM Edited on ‎10-11-2023 08:12 AM

Thanks. I will try. 

and:

1. May I know the DHCP in VLAN conflicts with the DHCP setup in SSID?

2. I have some wired printer in the 192.168.1.1/24 network, is it still printable after change the settings?

 

Thanks again

4622
0 Kudos
ebilcari
Staff
Staff
In response to KennyLi

Created on ‎10-11-2023 08:58 AM

For SSID in tunnel mode you have to use different subnets for the Wifi user's traffic (SSID) and AP management. It's not recommended but you can use an existing VLAN/Subnet to put the APs like the existing printer's VLAN.

 

For bridged SSIDs you can use the same VLAN of AP management to bridge the WiFi user's traffic but that is also not recommended.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
4610
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.