I have FG60F and this default fortilink type is FortiLink (802.3ad Aggregate)
With this I can connect only one FortiSwitch and cascade the other switches, but it will cause a single point of failure.
I need to change the FortiLink type to Hardware switch, then I can connect the three switches directly to the FortiGate as per the following document.
I tried the CLI and GUI and the only option is (802.3ad Aggregate).
Firmware is 7.2.4
Thx
You probably want to use this topology instead: https://docs.fortinet.com/document/fortiswitch/7.2.4/fortilink-guide/801204/single-fortigate-unit-ma...
Just turn on split-interface and connect one of the FortiLink ports to the first switch in the ring and the other FortiLink port to the last switch in the ring. Presto! Done! NO need to change your FortiLink interface on the FortiGate.
The reply from gfleming is one way to add redundancy to an 802.3ad FortiLink for certain topos. However, if for example you need two distribution switches to directly connect via FortiLink and both be active, it might be better to use the Hardware Switch FortiLink.
To do this, you'll need to first get rid of your 802.3ad FortiLink interface - which means getting rid of all references to it. Most of this will need to be done in the CLI. Before you start, it would be helpful to delete any switches that have already been authorized. Then you'll want to conf sys interface, edit <FortiLink Interface>, and then disable FortiLink via set fortilink disable. Next, you'll want to delete the DHCP and DHCP6 servers on the interface via conf sys dhcp server and conf sys dhcp6 server.
Hopefully that will be enough to let you then delete the 802.3ad FortiLink interface, but if not... just keep working to remove config references. Once you delete the 802.3ad FortiLink interface, you'll then want to use the GUI to create a new Hardware Switch. Go to Network > Interfaces and click the Create button to create a new interface. Select the Hardware Switch type and select the member interfaces that will be part of it. Save it, then go back to the CLI and enable FortiLink on that new interface via conf sys int, edit <New FortiLink Interface>, and set fortilink enable. At this point, you should be ready to start authorizing your switches again.
I hope this is helpful!
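The CLI sequence described in the reply above, written out as an added example (not the poster's own config). The interface names "fortilink" and "fortilink-hw", the DHCP server IDs, the physical switch "sw0" and the member ports are assumptions for a FortiGate 60F; substitute your own values.

```fortios
# Added example: replace an 802.3ad FortiLink with a Hardware Switch FortiLink.
# Interface names, DHCP server IDs, "sw0" and the member ports are assumptions.

# 1. Disable FortiLink on the existing aggregate interface
config system interface
    edit "fortilink"
        set fortilink disable
    next
end

# 2. Remove the DHCP and DHCPv6 servers bound to it ("show" lists the IDs)
config system dhcp server
    show
    delete 1            # assumed ID of the server whose interface is "fortilink"
end
config system dhcp6 server
    show
    delete 1            # assumed ID; skip if no DHCPv6 server exists
end

# 3. Delete the aggregate interface once nothing references it
config system interface
    delete "fortilink"
end

# 4. Create the Hardware Switch (the reply uses the GUI; this is the CLI form)
config system virtual-switch
    edit "fortilink-hw"
        set physical-switch "sw0"
        config port
            edit "internal1"
            next
            edit "internal2"
            next
            edit "internal3"
            next
        end
    next
end

# 5. Enable FortiLink on the new interface, then re-authorize the switches
config system interface
    edit "fortilink-hw"
        set fortilink enable
    next
end
```

If step 3 fails with an "entry is used" error, run `diagnose sys checkused system.interface.name fortilink` to list the remaining references before deleting them.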
Just an added note, it's not a recommended topology to use Hardware or Software Switch Topology as all inter-switch traffic has to flow through the FortiGate and this can cause resource contention.
If you need more bandwidth between the FortiGate and the FortiSwitch "stack"/ring you can use MC-LAG if your switches support it (anything above the 1XX models).
Most use-cases a single FortiLink is suitable especially if it's a 10GE uplink.
Created on 03-08-2023 02:17 PM Edited on 03-08-2023 02:19 PM
What's your advice on the optimal way to connect two FGTs in HA to two distribution FortiSwitches (1048E for example) in a Two-Tier topo? I like the idea of all Layer 3 traffic going to the FGT, but would want Layer 2 traffic to just switch without taking a ride to the FGT.
OK if you are using 1048E's you can leverage MC-LAG. FortiGate acts as Core and 1048E's in MC-LAG pair act as distribution/aggregation. You can form HA uplinks between the switches to your downstream devices.
Please note however that if you have a lot of inter-VLAN routing (and you might on a 48-port 10GE switch) the FortiGate 60F might not be up to the task. It tops out at 10Gbps stateful firewall throughput. That's assuming it's not doing anything else for you like NGFW functionality.
https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/fortigate-fortiwifi-60f-series.pdf
Intra-VLAN traffic will always stay on the switches.
You might be better off configuring your 1048E's as standalone switches and do the L3 there...
Ok thanks, you've confirmed some suspicions I had from recent reading. Also in this example, I'll be using two FGT-600Fs ;)
Last question - after MCLAGing those two 1048Es together, would they still show up as two different switches in the FortiGate's switch manager? I would want to still have individual management over them for firmware and diagnostics, etc.
Phew! 600F is much better than previously-mentioned 60f :)
Yes that is the benefit of MC-LAG. there is no shared control plane or management plane. They are individual switches fully separated except for the sharing of LAG info.
Created on 03-09-2023 09:51 AM Edited on 03-09-2023 09:52 AM
Figured it out thanks to your help. Got my Distros into MC-LAG on a 802.3ad FortiLink and everything is working as desired.
You're most welcome. And good job!
Please consider marking the thread as solved for others' benefit.