gcarvalho
New Contributor III

Fortilink Layer 3

Hello Team,

We have an environment with a FortiWiFi 40F. In this environment, we will install more than 15 FortiSwitches. As per the FGT 40F's datasheet, it only supports up to 8 FortiSwitches.

Is there a way to manage those FortiSwitches from a remote FortiGate with FortiLink Layer 3?

Basically, the 40F is in a branch office. This branch office is connected to the headquarters by a dedicated link, but the dedicated link is terminated at a 3rd party firewall upstream of the FGT. So, the topology looks like this:

Branch FGT >> (Dedicated Link) >> 3rd Party FW >> HQ FGT

If I configure FortiLink Layer 3 on the FortiSwitches, can it work? In this case, how can I handle the VLANs? Can I create the VLANs only on the FGT 40F and pass them to the switches via a link aggregate interface, and just use the HQ FGT to manage the FortiSwitch ports (assign VLANs, configure trunks, etc.)?

Cheers,
Gui
6 Replies
gfleming
Staff

You can do this, but your inter-VLAN traffic will backhaul over the WAN link from the Branch FGT to the HQ FGT where the FortiSwitches are managed, along with their VLANs. Unless you have a standalone layer 3 switch at the branch office handling your inter-VLAN routing, of course. Then you can just define layer 2 VLANs and define the port memberships that way.

Alternatively, look at FortiSwitch Manager. It can manage remote FortiSwitches (or local ones if you have a hypervisor at the Branch) and leverage the layer 3 functionality right on the switch while keeping it managed.

https://docs.fortinet.com/product/fortiswitch-manager/7.2

Cheers,
Graham
gcarvalho
New Contributor III

Hello Graham!

Thanks for your reply.

So, in this case, if the Branch FGT is the only L3 device in the branch, the VLANs cannot be handled only locally; they need to pass to the HQ FGT (as their gateway), correct? Why can't I use the branch FGT to deal with the inter-VLAN routing?

And just another question:

What is the recommended configuration for the FortiLink interface on the HQ FGT? Right now, the HQ FGT is connected to the WAN (dedicated link) by a physical L3 interface connected to a 3rd party router. What type of interface can I use to create the FortiLink interface and add the WAN interface as a member (aggregate, soft-switch, or even keep it as a physical interface and just enable FortiLink)?

Is there a way to configure the FortiLink interface and its VLANs without changing any configuration on the router side? I need to consider that even if we use a method where the VLANs are handled locally in the Branch, at least the internet traffic needs to pass to the HQ FGT, where the outgoing access lists are placed. So, at least one VLAN needs to be created on the FortiLink interface.

Thanks.

Cheers,
Gui
gfleming

There's a very good doc you should check out. Here's a specific section on the topology you are interested in: https://docs.fortinet.com/document/fortiswitch/7.2.1/fortilink-guide/801182/fortilink-mode-over-a-la...

In summary, when FortiSwitches are managed by a FortiGate, the FortiLink interface becomes the L3 backhaul back to the FortiGate where all inter-VLAN routing occurs.

So if you don't want your inter-VLAN traffic to backhaul over the WAN to the HQ FortiGate, you'd have to have a standalone L3 FortiSwitch or router at the Branch to do this for you. You could still have the remaining FortiSwitches managed by the HQ FGT doing VLAN port assignment only (no L3 at the HQ side).

Ideally, if I were you, I would invest in a FGT-70F to act as your L3 "core" at the branch, managing all of your FortiSwitches and inter-VLAN traffic. Keep the FGT-40F as your WAN firewall.

Cheers,
Graham
gcarvalho
New Contributor III

Hi Graham,

Thanks again for your reply and patience.

I've already read the documentation, but I still have some doubts about the FortiLink configuration on the HQ FGT. All the other questions I understood from your explanation.

I don't yet understand the behaviour of a FortiLink interface connected to a non-Fortinet L3 device.

For example: if I create an aggregate interface for FortiLink on the FGT and add the interface facing the router as a member, the router can't communicate with the FGT anymore, since the router's interface is a routed port and not an aggregate.

I have tested two scenarios in a lab (VM) environment and had these two results:

Scenario 1:

  • Create a FortiLink interface of aggregate type;
  • Add the FGT's interface facing the router as a member;
  • Create a VLAN for the /30 network between the FGT and the router;
  • Result: the FGT and the router can't communicate, since the router's interface is an L3 routed interface and the /30 is a tagged network inside the aggregate FortiLink interface.

Scenario 2:

  • Create a FortiLink interface of aggregate type;
  • Add the FGT's interface facing the router as a member;
  • On the FortiLink interface, configure the /30 IP;
  • Result: in this scenario, since the FortiLink VLAN is untagged (the IP is configured directly on the aggregate interface), the router and the FGT can communicate.

My doubt about scenario 2 is:

  • Does this scenario work?
  • Shouldn't the FortiLink interface be used for management only?
  • How can I handle non-management traffic (since the branch's internet traffic has to pass through the HQ firewall)?

Cheers,
Gui
gfleming

Regarding scenario 1, I'm not sure why you need to do VLAN tagging between the FGT and a router. It should all be untagged IMO. But if there's a reason to do VLAN tagging, then you need to ensure the VLAN is tagged both ways. You are tagging on the FGT side; are you tagging on the router side too?

For scenario 2 (and 1), you are configuring a FortiLink aggregate interface. This means the router needs to be configured the same. This is LACP, or 802.3ad. Is the router configured for LACP as well? If not, don't use the aggregate interface type on the FGT side.

The only important thing here is that you have L3 reachability to the FGT FortiLink interface from your downstream devices. Once that is in place, you can configure DHCP discovery or static discovery of the FortiLink interface on the HQ FGT for your FortiSwitches at the Branch site.

The FortiLink interface is used for management *and* traffic. It will manage the switch configurations and will also receive inter-VLAN traffic for VLANs that you have defined on the HQ FGT with IP addressing.

This is why I suggest a dedicated standalone L3 FortiSwitch (or third party switch/router) at the branch to handle inter-VLAN routing, so you don't backhaul your inter-VLAN traffic from Branch to HQ and back to Branch.

This is also why I suggest a dedicated FGT-60F or greater to act as your Branch L3 "core" and switch controller.

Cheers,
Graham
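To make Graham's interface-type point concrete, here is an added illustration of the two HQ-side FortiLink definitions being compared and the matching branch-switch discovery setting. This is not configuration from the thread, from the linked guide or from Fortinet; the interface name "fortilink-lag", the member port "port3" and the 10.255.0.0/30 addressing are assumptions I constructed, and the exact keywords should be checked against the FortiOS and FortiSwitch CLI references for your firmware version.

```fortios
# HQ FortiGate, scenario 2 as tested: FortiLink on an aggregate interface.
# This only works if the third-party router peers with LACP (802.3ad);
# a plain routed port on the router side will never bring the LAG up.
config system interface
    edit "fortilink-lag"                   # assumed interface name
        set type aggregate
        set member "port3"                 # assumed port facing the router
        set fortilink enable
        set ip 10.255.0.1 255.255.255.252  # constructed /30, untagged
        set allowaccess ping fabric        # only what the switches need
    next
end

# Alternative when the router uses a routed (non-LACP) port, which is
# what Graham recommends: enable FortiLink directly on the physical
# interface, still untagged.
config system interface
    edit "port3"
        set fortilink enable
        set ip 10.255.0.1 255.255.255.252  # same constructed /30
        set allowaccess ping fabric
    next
end

# Branch FortiSwitch: static discovery of the HQ FortiLink address
# (DHCP discovery is the other option Graham mentions). This assumes
# L3 reachability through the branch FGT and the third-party firewall.
config switch-controller global
    set ac-discovery-type static
    config ac-list
        edit 1
            set ipv4-address 10.255.0.1    # constructed HQ FortiLink IP
        next
    end
end
```

Two practical checks follow from the thread: the third-party firewall in the path has to permit the switch-to-controller management channel (FortiLink runs over CAPWAP, UDP 5246 by default) as well as any backhauled VLAN traffic, and because the FortiLink interface is now reachable across the WAN, its allowaccess list should stay limited to what the switches require rather than exposing HTTPS or SSH administration on it.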
gcarvalho
New Contributor III

Thanks again for your responses, Graham.

Actually, I don't need to tag the VLANs; I think I was not very clear in the question.

But now I understand the requirements for the FortiLink configuration in this scenario, and I'll test it in a lab environment before implementing it at the customer.

Thank you very much.

Cheers,
Gui