Hi all.
I have installed a Fortiswitch over layer 3 network, my fortiswitch is already managed by a remote Fortgate. Fortiswitch is connected directly with a 3rd party firewall in a branch site.
Config looks like this:
config system global
set switch-mgmt-mode fortilink
config switch interface
edit "internal"
set native-vlan 4094
set stp-state disabled
set snmp-index 11
next
edit "__FoRtILnk0L3__"
set native-vlan 4094
set allowed-vlans 1-4094
set dhcp-snooping trusted
set igmp-snooping-flood-reports enable
set mcast-snooping-flood-traffic enable
set snmp-index 13
next
config system interface
edit "internal"
set ip 172.29.xx.xx 255.255.255.0
set allowaccess ping https ssh
set type physical
set snmp-index 12
next
config switch-controller global
set ac-discovery-type static
config ac-list
edit 1
set ipv4-address 172.29.8.1
next
end
end
config system ntp
set allow-unsync-source enable
config ntpserver
edit 1
set server "172.29.8.1"
next
end
set ntpsync enable
end
config router static
edit 1
set dst 0.0.0.0 0.0.0.0
set gateway 172.29.254.1
next
end
The Fortiswitch is connected to an access port on the firewall (port without any vlan tagging), in a tagged port of the firewall Fortilink did not came up due to problems with native vlan.
How do I route local VLANs in the branch? Do I have to connect another physical port Fortiswith <--> Firewall configured as trunk with all the vlans? How can I do it with only one physical port?
I can not find any example on the Fortinet community.
Thanks.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello,
finally I made the installation and al the environment works with only one Fortilink L3 connected to a 3rd party firewall with native vlan 4094. And all the rest of the vlans are routed on the firewall.
Solved.
Depending on the Switch model you have, you need to configure Switch virtual interfaces
A switch virtual interface (SVI) is a logical interface that is associated with a VLAN and supports routing and switching protocols.
You can assign an IP address to the SVI to enable routing between VLANs. For example, SVIs can route between two different VLANs connected to a switch (no need to connect through a layer-3 router)
page 214 of the Standalone mode guide: - https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/d49b948d-6c99-11eb-9995-005056...
Sounds like you are using FortiLink / FortiGate-managed switch here. If that's so, FortiGate takes care of all L3 routing. If you want L3 routing on the switch it needs to be in standalone mode.
Thanks for your reply emirjon and Graham.
This is a Fortiswitch managed by a remote Fortigate with a fortilink over a L3 network (https://docs.fortinet.com/document/fortiswitch/7.0.4/devices-managed-by-fortios/801182/fortilink-mod...)
The fortiswitch is connected to a 3rd party firewall to reach the Fortigate.
The thing is that I want to route all the local VLANs created on the Fortiswitch in the local 3rd party firewall.
It is not an standalone switch nor a Fortiswitch over L2.
I've never done this before but I don't see why it wouldn't work as long as the L3 connectivity is still available from the FSW to the FGT. Did you try setting the native VLAN on the uplink port to 4094?
Hi gfleing,
this is the only thing missing I need to test (I made the configuration in a test environment), unfortunately I'm not the manager of the firewalls and I have to ask Security team to configure the firewall port.
If it works I will reply with the solution.
Many thanks.
Hello,
finally I made the installation and al the environment works with only one Fortilink L3 connected to a 3rd party firewall with native vlan 4094. And all the rest of the vlans are routed on the firewall.
Solved.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1517 | |
1013 | |
749 | |
443 | |
209 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.