ABUELKHAIR
New Contributor III

I need to change the Fortilink to Hardware type

I have FG60F and this default fortilink type is FortiLink (802.3ad Aggregate)

With this I can connect only one FortiSwitch and cascade the other switches, but it will cause a single point of failure.

I need to change the FortiLink type to Hardware switch; then I can connect the three switches directly to the FortiGate as per the following document:

https://docs.fortinet.com/document/fortiswitch/7.2.4/fortilink-guide/801202/single-fortigate-unit-ma...

 

I tried the CLI and GUI and the only option is (802.3ad Aggregate).

 

Firmware is 7.2.4

 

Thx

 

gfleming
Staff

You probably want to use this topology instead: https://docs.fortinet.com/document/fortiswitch/7.2.4/fortilink-guide/801204/single-fortigate-unit-ma...

 

Just turn on split-interface and connect one of the FortiLink ports to the first switch in the ring and the other FortiLink port to the last switch in the ring. Presto! Done! NO need to change your FortiLink interface on the FortiGate.

Cheers,
Graham
Brent-BITSLLC
New Contributor II

The reply from gfleming is one way to add redundancy to an 802.3ad FortiLink for certain topos. However, if for example you need two distribution switches to directly connect via FortiLink and both be active, it might be better to use the Hardware Switch FortiLink.

 

To do this, you'll need to first get rid of your 802.3ad FortiLink interface - which means getting rid of all references to it. Most of this will need to be done in the CLI. Before you start, it would be helpful to delete any switches that have already been authorized. Then you'll want to conf sys interface, edit <FortiLink Interface>, and then disable FortiLink via set fortilink disable. Next, you'll want to delete the DHCP and DHCP6 servers on the interface via conf sys dhcp server and conf sys dhcp6 server.

 

Hopefully that will be enough to let you then delete the 802.3ad FortiLink interface, but if not... just keep working to remove config references. Once you delete the 802.3ad FortiLink interface, you'll then want to use the GUI to create a new Hardware Switch. Go to Network > Interfaces and click the Create button to create a new interface. Select the Hardware Switch type and select the member interfaces that will be part of it. Save it, then go back to the CLI and enable FortiLink on that new interface via conf sys int, edit <New FortiLink Interface>, and set fortilink enable. At this point, you should be ready to start authorizing your switches again.

I hope this is helpful!
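Brent's clean-up-and-rebuild procedure above, written out as one FortiOS CLI session. This is an added example, not Brent's own commands or Fortinet documentation; the existing interface name fortilink, the DHCP server IDs, the new interface name fortilink-hw, the member ports internal1-internal3 and the switch-id placeholder are assumptions for illustration, and the hardware-switch creation itself is done in the GUI as the post describes.

```fortios
# Assumed names: existing 802.3ad FortiLink interface "fortilink",
# new hardware-switch interface "fortilink-hw". Typed on the FortiGate CLI.

# 1. Remove switches already authorized over the old FortiLink.
config switch-controller managed-switch
    show                        # lists each entry by switch-id (serial)
    delete "<switch-id>"        # placeholder; repeat for every switch shown
end

# 2. Disable FortiLink on the aggregate interface.
config system interface
    edit "fortilink"
        set fortilink disable
    next
end

# 3. Find and delete the DHCP and DHCPv6 servers bound to that interface.
config system dhcp server
    show                        # look for the entry with: set interface "fortilink"
    delete 1                    # assumed id of that entry
end
config system dhcp6 server
    show
    delete 1                    # assumed id; skip if no entry references fortilink
end

# 4. Remove the interface itself. If this is refused, the error message
#    names the object still referencing it; clear that reference and retry.
config system interface
    delete "fortilink"
end

# 5. In the GUI: Network > Interfaces > Create New > Interface,
#    Type = Hardware Switch, Name = fortilink-hw, Members = internal1-internal3.

# 6. Back in the CLI, enable FortiLink on the new hardware switch,
#    then authorize the switches again from the switch controller.
config system interface
    edit "fortilink-hw"
        set fortilink enable
    next
end
```

Each switch loses its FortiLink-assigned management address when the DHCP server is deleted in step 3, so expect the switches to be offline until they are re-authorized in step 6.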

gfleming

Just an added note, it's not a recommended topology to use Hardware or Software Switch Topology as all inter-switch traffic has to flow through the FortiGate and this can cause resource contention.

 

If you need more bandwidth between the FortiGate and the FortiSwitch "stack"/ring you can use MC-LAG if your switches support it (anything above the 1XX models).

 

For most use-cases a single FortiLink is suitable, especially if it's a 10GE uplink.

Cheers,
Graham
Brent-BITSLLC

What's your advice on the optimal way to connect two FGTs in HA to two distribution FortiSwitches (1048E for example) in a Two-Tier topo? I like the idea of all Layer 3 traffic going to the FGT, but would want Layer 2 traffic to just switch without taking a ride to the FGT. 

gfleming

OK if you are using 1048E's you can leverage MC-LAG. FortiGate acts as Core and 1048E's in MC-LAG pair act as distribution/aggregation. You can form HA uplinks between the switches to your downstream devices.

 

https://docs.fortinet.com/document/fortiswitch/7.2.4/fortilink-guide/780635/switch-redundancy-with-m...

 

Please note however that if you have a lot of inter-VLAN routing (and you might on a 48-port 10GE switch) the FortiGate 60F might not be up to the task. It tops out at 10Gbps stateful firewall throughput. That's assuming it's not doing anything else for you like NGFW functionality.

 

https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/fortigate-fortiwifi-60f-series.pdf

 

Intra-VLAN traffic will always stay on the switches.

 

You might be better off configuring your 1048E's as standalone switches and doing the L3 there...

Cheers,
Graham
Brent-BITSLLC

Ok thanks, you've confirmed some suspicions I had from recent reading. Also in this example, I'll be using two FGT-600Fs ;)

 

Last question - after MCLAGing those two 1048Es together, would they still show up as two different switches in the FortiGate's switch manager? I would want to still have individual management over them for firmware and diagnostics, etc.

gfleming

Phew! 600F is much better than the previously-mentioned 60F :)

 

Yes, that is the benefit of MC-LAG. There is no shared control plane or management plane. They are individual switches, fully separated except for the sharing of LAG info.

Cheers,
Graham
Brent-BITSLLC

Figured it out thanks to your help. Got my Distros into MC-LAG on an 802.3ad FortiLink and everything is working as desired.

gfleming

You're most welcome. And good job!

 

Please consider marking the thread as solved for others' benefit.

Cheers,
Graham