Support Forum
albertocobo

Routing on layer 3 Fortiswitch

Hi all.

I have installed a FortiSwitch over a layer 3 network; my FortiSwitch is already managed by a remote FortiGate. The FortiSwitch is connected directly to a 3rd-party firewall at a branch site.

Config looks like this:

config system global
    set switch-mgmt-mode fortilink
end
config switch interface
    edit "internal"
        set native-vlan 4094
        set stp-state disabled
        set snmp-index 11
    next
    # FortiLink over L3 is carried untagged on VLAN 4094
    edit "__FoRtILnk0L3__"
        set native-vlan 4094
        set allowed-vlans 1-4094
        set dhcp-snooping trusted
        set igmp-snooping-flood-reports enable
        set mcast-snooping-flood-traffic enable
        set snmp-index 13
    next
end
config system interface
    edit "internal"
        set ip 172.29.xx.xx 255.255.255.0
        set allowaccess ping https ssh
        set type physical
        set snmp-index 12
    next
end
# The FortiGate is not on-link, so it is listed statically and reached via the default route
config switch-controller global
    set ac-discovery-type static
    config ac-list
        edit 1
            set ipv4-address 172.29.8.1
        next
    end
end
config system ntp
    set allow-unsync-source enable
    config ntpserver
        edit 1
            set server "172.29.8.1"
        next
    end
    set ntpsync enable
end
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 172.29.254.1
    next
end

The FortiSwitch is connected to an access port on the firewall (a port without any VLAN tagging); on a tagged port of the firewall, FortiLink did not come up due to problems with the native VLAN.

How do I route the local VLANs in the branch? Do I have to connect another physical port FortiSwitch <--> firewall configured as a trunk with all the VLANs? How can I do it with only one physical port?

I cannot find any example on the Fortinet community.

Thanks.
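
As an added example (not part of the original post, and not Fortinet code), the script below parses a FortiSwitch configuration in the config/edit/set/next/end syntax shown above and checks the preconditions a FortiLink-over-L3 deployment like this one depends on: native VLAN 4094 on every switch interface in the FortiLink path, a default gateway that is actually on the management subnet, a route to the statically listed FortiGate when it is off-link, and no cleartext management protocols on the interface that faces the 3rd-party firewall. The sample configuration is constructed from the posted one; the management address 172.29.254.2 is an assumption, since the post masks it.

```python
import ipaddress
import shlex

FORTILINK_VLAN = 4094             # FortiLink rides this VLAN untagged on the uplink
WEAK_ACCESS = {"http", "telnet"}  # cleartext management protocols

def parse_fortinet_cli(text):
    """Parse 'config/edit/set/next/end' text into nested dicts: 'config a b' and
    'edit x' open dicts keyed "a b" / "x", 'set k v1 v2' stores ["v1", "v2"].
    A missing 'end' is an error: it silently nests later blocks under the wrong parent."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, *args = shlex.split(line)
        current = stack[-1]
        if keyword == "config":
            stack.append(current.setdefault(" ".join(args), {}))
        elif keyword == "edit":
            stack.append(current.setdefault(args[0], {}))
        elif keyword == "set":
            current[args[0]] = args[1:]
        elif keyword in ("next", "end") and len(stack) > 1:
            stack.pop()
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    if len(stack) != 1:
        raise ValueError(f"{len(stack) - 1} unterminated block(s)")
    return stack[0]

def is_balanced(text):
    try:
        parse_fortinet_cli(text)
        return True
    except ValueError:
        return False

def audit_fortilink_l3(cfg):
    """Findings for a FortiSwitch that must reach its FortiGate over L3 (empty = sane)."""
    findings = []
    # 1. Every switch interface on the FortiLink path must use native VLAN 4094.
    for name, props in cfg.get("switch interface", {}).items():
        native = int(props.get("native-vlan", ["1"])[0])
        if native != FORTILINK_VLAN:
            findings.append(f"{name}: native-vlan {native}, expected {FORTILINK_VLAN}")
    mgmt = cfg.get("system interface", {}).get("internal", {})
    mgmt_net = ipaddress.ip_interface("/".join(mgmt["ip"])).network
    # 2. The default gateway has to be on-link, or nothing off-subnet is reachable.
    default_gw = None
    for route in cfg.get("router static", {}).values():
        if route.get("dst", [""])[0] == "0.0.0.0":
            default_gw = ipaddress.ip_address(route["gateway"][0])
            if default_gw not in mgmt_net:
                findings.append(f"default gateway {default_gw} is not in {mgmt_net}")
    # 3. A statically listed FortiGate that is off-link needs that default route.
    ac_list = cfg.get("switch-controller global", {}).get("ac-list", {})
    for index, entry in ac_list.items():
        controller = ipaddress.ip_address(entry["ipv4-address"][0])
        if controller not in mgmt_net and default_gw is None:
            findings.append(f"ac-list {index}: {controller} is off-link and there is no default route")
    # 4. The management plane faces a 3rd-party segment: no cleartext protocols.
    weak = WEAK_ACCESS & set(mgmt.get("allowaccess", []))
    if weak:
        findings.append(f"internal: cleartext management enabled: {', '.join(sorted(weak))}")
    return findings

# Constructed sample modelled on the thread's config; 172.29.254.2 is an assumed management address.
SAMPLE_CFG = """
config switch interface
    edit "internal"
        set native-vlan 4094
    next
    edit "__FoRtILnk0L3__"
        set native-vlan 4094
    next
end
config system interface
    edit "internal"
        set ip 172.29.254.2 255.255.255.0
        set allowaccess ping https ssh
    next
end
config switch-controller global
    set ac-discovery-type static
    config ac-list
        edit 1
            set ipv4-address 172.29.8.1
        next
    end
end
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 172.29.254.1
    next
end
"""
```

The parser deliberately refuses a configuration with a missing `end` rather than guessing where the block closes, because a dropped `end` moves every later block under the previous one and the switch would then apply something quite different from what was pasted. Run `audit_fortilink_l3(parse_fortinet_cli(SAMPLE_CFG))` on a variant with `native-vlan 1` on the FortiLink interface, or with the static route removed, to see the corresponding finding.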

ebilcari (Staff)

Depending on the switch model you have, you need to configure switch virtual interfaces.
A switch virtual interface (SVI) is a logical interface that is associated with a VLAN and supports routing and switching protocols.
You can assign an IP address to the SVI to enable routing between VLANs. For example, SVIs can route between two different VLANs connected to a switch (no need to connect through a layer-3 router).

Page 214 of the Standalone mode guide: https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/d49b948d-6c99-11eb-9995-005056...

- Emirjon
gfleming (Staff)

Sounds like you are using FortiLink / FortiGate-managed switch here. If that's so, FortiGate takes care of all L3 routing. If you want L3 routing on the switch it needs to be in standalone mode.

Cheers,
Graham
albertocobo

Thanks for your replies, Emirjon and Graham.

This is a FortiSwitch managed by a remote FortiGate with a FortiLink over an L3 network (https://docs.fortinet.com/document/fortiswitch/7.0.4/devices-managed-by-fortios/801182/fortilink-mod...).

The FortiSwitch is connected to a 3rd-party firewall to reach the FortiGate.

The thing is that I want to route all the local VLANs created on the FortiSwitch on the local 3rd-party firewall.

It is not a standalone switch, nor a FortiSwitch over L2.

gfleming

I've never done this before but I don't see why it wouldn't work as long as the L3 connectivity is still available from the FSW to the FGT. Did you try setting the native VLAN on the uplink port to 4094?

Cheers,
Graham
albertocobo

Hi gfleming,

This is the only thing missing that I need to test (I made the configuration in a test environment); unfortunately I'm not the manager of the firewalls, and I have to ask the Security team to configure the firewall port.

If it works I will reply with the solution.

Many thanks.

albertocobo

Hello,

Finally I made the installation, and the whole environment works with only one FortiLink L3 connected to a 3rd-party firewall with native VLAN 4094. All the rest of the VLANs are routed on the firewall.

Solved.
