Hello Team,
We have an environment with a FortiWiFi 40F. In this environment, we will install more than 15 FortiSwitches. According to the FGT 40F's datasheet, it only supports up to 8 FortiSwitches.
Is there a way to manage those FortiSwitches from a remote FortiGate with FortiLink Layer 3?
Basically, the 40F is in a branch office. This branch office is connected to the headquarters by a dedicated link, but the dedicated link is terminated at a 3rd party firewall upstream of the FGT. So, the topology looks like this:
Branch FGT >> (Dedicated Link) >> 3rd Party FW >> HQ FGT
If I configure FortiLink Layer 3 on the FortiSwitches, will it work? In this case, how can I handle VLANs? Can I create the VLANs only on the FGT 40F and pass them to the switches over a link aggregation interface, and just use the HQ FGT to manage the FortiSwitch ports (assign VLANs, configure trunks, etc.)?
You can do this but your inter-VLAN traffic will backhaul over the WAN link from Branch FGT to HQ FGT where the FortiSwitches are managed, along with their VLANs. Unless you have a standalone layer 3 switch at branch office handling your inter-VLAN routing, of course. Then you can just define layer 2 VLANs and define the port memberships that way.
Alternatively, look at FortiSwitch Manager. It can manage remote FortiSwitches (or local if you have a hypervisor at Branch) and leverage the layer 3 functionality right on the switch while keeping it managed.
https://docs.fortinet.com/product/fortiswitch-manager/7.2
Hello Graham!
Thanks for your reply.
So, in this case, if the Branch FGT is the only L3 device in the branch, the VLANs cannot be handled only locally; they need to pass to the HQ FGT (as their gateway), correct? Why can't I use the branch FGT to deal with the inter-VLAN routing?
And just another question:
What is the recommended configuration for the FortiLink interface on the HQ FGT? Right now, the HQ FGT is connected to the WAN (dedicated link) by a physical L3 interface connected to a 3rd party router. What type of interface can I use to create the FortiLink interface and add the WAN interface as a member of it (aggregate, software switch, or even keep it as a physical interface and just enable FortiLink)?
Is there a way to configure the FortiLink interface and its VLANs without changing any configuration on the router side? I need to consider that even if we use a method where the VLANs are handled locally in the branch, at least the internet traffic needs to pass to the HQ FGT, where the outgoing access lists are placed. So, at least one VLAN needs to be created on the FortiLink interface.
Thanks.
There's a very good doc you should check out. Here's a specific section on the topology you are interested in: https://docs.fortinet.com/document/fortiswitch/7.2.1/fortilink-guide/801182/fortilink-mode-over-a-la...
In summary, when FortiSwitches are managed by FortiGate, the FortiLink interface becomes the L3 backhaul back to the FortiGate where all inter-VLAN routing occurs.
So if you don't want your inter-VLAN traffic to backhaul over the WAN to the HQ fortigate, you'd have to have a standalone L3 FortiSwitch or router at Branch to do this for you. You could still have remaining FortiSwitches managed by HQ FGT doing VLAN port assignment only (no L3 at HQ side).
Ideally, if I were you, I would invest in a FGT-70F to act as your L3 "core" at branch, managing all of your FortiSwitches and inter-VLAN traffic. Keep the FGT-40F as your WAN firewall.
Hi Graham,
Thanks again for your reply and patience.
I've already read the documentation, but I still have some doubts about the FortiLink configuration on the HQ FGT. All the other questions I understood from your explanation.
I don't yet understand the behaviour of a FortiLink interface connected to a non-Fortinet L3 device.
For example: if I create an aggregate interface for FortiLink on the FGT and add the interface facing the router as a member, the router can't communicate with the FGT anymore, since the router's interface is a routed port and not an aggregate.
I have tested two scenarios in a lab (VM) environment and got these two results:
Scenario 1:
Scenario 2:
My doubt in scenario 2 is:
Regarding scenario 1, I'm not sure why you need to do VLAN tagging between the FGT and a router. It should all be untagged IMO. But if there's a reason to do VLAN tagging, then you need to ensure the VLAN is tagged both ways. You are tagging on the FGT side; are you tagging on the router side too?
For scenario 2 (and 1), you are configuring a FortiLink aggregate interface. This means the router needs to be configured the same. This is LACP, or 802.3ad. Is the router configured for LACP as well? If not, don't use the aggregate interface type on the FGT side.
The only important thing here is that you have L3 reachability to the FGT FortiLink interface from your downstream devices. Once that is in place you can configure DHCP discovery or static discovery of the FortiLink interface on HQ FGT for your FortiSwitches at the Branch site.
The FortiLink interface is used for management *and* traffic. It will manage the switch configurations and also will receive inter-VLAN traffic for VLANs that you have defined on the HQ FGT with IP addressing.
This is why I suggest a dedicated standalone L3 FortiSwitch (or third party switch/router) at the branch to handle inter-VLAN routing so you don't backhaul your inter-VLAN traffic from Branch to HQ and back to Branch.
This is also why I suggest a dedicated FGT-60F or greater to act as your Branch L3 "core" and switch controller.
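An added configuration sketch of the pieces listed above (L3-reachable FortiLink interface on the HQ FGT, switch management IP and route, static controller discovery). This is not from the thread or from Fortinet's documentation: the CLI keys are reproduced from memory of FortiOS/FortiSwitchOS 7.x syntax, the addresses and port names are placeholders, and every key should be checked against the FortiLink guide for the version in use.

```text
# --- HQ FortiGate: FortiLink interface with an IP; no LACP needed in L3 mode ---
# (assumed: port5 is an unused physical port, 192.0.2.1/24 is a placeholder subnet)
config system interface
    edit "port5"
        set fortilink enable
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping fabric          # only what FortiLink/CAPWAP discovery needs
        set switch-controller-source-ip fixed   # talk to remote switches from this IP
    next
end

# --- Branch FortiSwitch: management IP plus a default route toward the
#     3rd party router, which in turn must route 192.0.2.0/24 back to HQ ---
# (assumed: 10.10.10.0/24 is the branch management VLAN, .1 is the router)
config system interface
    edit "internal"                      # default management interface name
        set mode static
        set ip 10.10.10.2 255.255.255.0
        set allowaccess ping https ssh   # keep management exposure minimal
    next
end
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 10.10.10.1
        set device "internal"
    next
end

# --- Branch FortiSwitch: find the controller statically across the L3 path ---
config switch-controller global
    set ac-discovery-type static
    config ac-list
        edit 1
            set ipv4-address 192.0.2.1   # HQ FortiLink interface IP
        next
    end
end
```

Because the switch control plane rides on CAPWAP (UDP 5246/5247) between the switch management addresses and the FortiLink IP, the 3rd party firewall in the path must permit exactly that exchange in both directions, and nothing broader.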
Thanks again for your responses, Graham.
Actually I don't need to tag the VLANs; I think I was not very clear in the question.
But now I understand the needs for the FortiLink configuration in this scenario, and I'll test it in a lab environment before implementing it at the customer.
Thank you very much.
Copyright 2024 Fortinet, Inc. All Rights Reserved.