Would like to set up Fortigate 40F to manage two independent (not interconnected) switches.
One switch located in home office space.
Other switch located near printers and entertainment devices.
There is little traffic between the switches; occasionally there is traffic between the office and the printers.
Have already re-allocated lan3 from the hardware switch to the fortilink 802.3ad interface; and disabled the split link interface on fortilink.
Even so, only one switch shows as online at a time.
Currently:
hardware / OS:
1 FortiGate 40F FortiOS v7.0.5
1 FortiSwitch 108E v7.0.3
1 FortiSwitch 108F v7.0.3
Physical connections:
FG40F port lan3 - FS108E port 8
FG40F port a - FS108F port 8
current fortilink configuration:
config system interface
    edit "fortilink"
        set vdom "root"
        set fortilink enable
        set ip 192.168.4.1 255.255.255.0
        set allowaccess ping fabric
        set type aggregate
        set member "a" "lan3"
        set lldp-reception enable
        set lldp-transmission enable
        set snmp-index 6
        set auto-auth-extension-device enable
        set fortilink-split-interface disable
        set switch-controller-nac "fortilink"
        set switch-controller-dynamic "fortilink"
        set swc-first-create 255
    next
end
Can this be done using a single fortilink interface? If so, what configuration changes are needed?
Does a second independent 802.3ad aggregate and/or fortilink interface need to be added? Is this even possible? (I'm not afraid of the CLI interface; but I need to know what to enter.)
What relevant documentation exists to address this specific question?
Hello Bob,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hi Bob,
I have found this KB article:
Could you please tell me if it helped?
If not, we will find another solution to answer your question.
Regards,
Anthony,
Thanks for taking the time to answer.
The link provided discusses how to configure a port to be an HA port monitor.
I followed the steps of:
1. Dissociate port3 from the lan
2. Configure port3
2a. Role LAN
2b. Addressing mode Manual
2c. IP 192.168.3.1
2d. Administrative access HTTPS / PING / FMG_Access / Security Fabric connection
3a. Additionally I set up a DHCP Server; as the switch being connected has no fixed IP address (yet)
3b. Additionally set up a firewall policy to access the 192.168.3.0 subnet
Result so far is that I can ping and get administrative access by logging directly on to the switch at its assigned IP address. The only management mode on the switch is local management.
Back on the fortigate, the link3 shows up, and the DHCP client is assigned; but the switch does not appear under managed switches.
I'm back to my original questions:
A. Can this be done using a single fortilink interface?
A1. If so, what configuration changes are needed?
A2. Is set type aggregate appropriate? What other options exist for a Fortilink?
B. Does a second independent fortilink interface need to be added?
B1. Is this even possible?
B2. (I'm not afraid of the CLI interface; but I need to know what to enter.)
Regards,
Bob
Hi,
Please refer https://docs.fortinet.com/document/fortiswitch/7.0.4/devices-managed-by-fortios/801202/single-fortig...
Sachit,
Thanks for taking the time to answer.
The link is a diagram of a topology; but doesn't address the steps to make all the switches managed by the Fortigate.
Regards,
Bob
Hi Bob,
You need to configure interface type as hardware switch on FGT - map 2 ports of FGT as member of hardware switch - connect the switches to the ports.
@BobAHomeOfficeUser Indeed, if you want to manage multiple switches you need to enable 'fortilink-split-interface' mode.
As there can only be one fortilink on each FGT, you will need to either use a hardware switch, a software switch or an aggregate (LACP). As you are already using the latter, you're fine.
The fortilink interface offers IP addresses to switches via DHCP.
Make sure you connect the switches using switch ports which have auto-detection enabled. These ports vary with the switch model. On a FS-108E, it's port 7-10. On a FS-108F, I would assume the same ports. The table in https://docs.fortinet.com/document/fortiswitch/7.0.4/devices-managed-by-fortios/173260/configuring-f... does not mention the F series switches.
So, in short:
- use a multiport interface
- enable split mode
- connect an auto-detecting switchport on each switch
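The change the reply above describes, written out as FortiOS CLI. This is an added example, not configuration posted by anyone in the thread: it takes the aggregate "fortilink" interface from Bob's original post and flips only the split-interface setting, so that member ports "a" and "lan3" each carry an independent switch instead of one LACP bundle to a single switch. It assumes the "root" VDOM and the 192.168.4.0/24 FortiLink subnet from the question; the final verification command is a standard FortiOS switch-controller command and is not something the thread itself mentions.

```fortios
# Added example (not from the thread). The aggregate fortilink interface
# from the original question, with split mode enabled. With split mode
# disabled, FortiOS treats "a" and "lan3" as one LACP bundle to one switch,
# which is why only one of two separate switches shows as online at a time.
config system interface
    edit "fortilink"
        set vdom "root"
        set fortilink enable
        set ip 192.168.4.1 255.255.255.0
        set allowaccess ping fabric
        set type aggregate
        set member "a" "lan3"
        set lldp-reception enable
        set lldp-transmission enable
        set auto-auth-extension-device enable
        # Original setting in the question: set fortilink-split-interface disable
        set fortilink-split-interface enable
    next
end

# Check that both switches are now discovered and authorized
# (auto-auth-extension-device enable above authorizes them automatically).
execute switch-controller get-conn-status
```

After applying this, keep the physical layout from the question (lan3 to one switch, port a to the other) but make sure each cable lands on an auto-detecting switch port; per the reply above that is port 7-10 on the FS-108E, and the same range is assumed, not confirmed, for the FS-108F. The switches still receive their management addresses from the DHCP server FortiOS attaches to the fortilink interface, so the separate 192.168.3.0/24 LAN and DHCP server Bob configured on lan3 earlier in the thread are not needed once lan3 is back in the aggregate.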
Copyright 2024 Fortinet, Inc. All Rights Reserved.