Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
AGMP
New Contributor II

Created on ‎02-08-2023 06:27 AM Edited on ‎02-08-2023 07:43 AM

standalone Fortiswitches configure LAG/LACP

Hey everyone,

I have two fortiswitch 224D running 7.2.2 firmware that i want to configure standalone.
Switch 1 uses ports 23/24 for WAN and is connected to switch 2 with fiber.
My workstation is connected to switch 1 using mgmt port.

I created the vlans i need and also created a trunk using the fiber ports however, i seem not to be able to communicate with switch 2.

Since i am obviously doing something wrong but don't know what, could someone point me in the right direction ?

Labels:
957
0 Kudos
1 Solution
ebilcari
Staff
Staff
In response to AGMP

Created on ‎04-19-2023 03:17 AM

You have to configure a valid GW on the static route configurations on the switch being part of this subnet 172.16.0.x. The gateway device should be able to route the traffic from the switch to the PC you are using to access it.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

View solution in original post

729
15 REPLIES 15
ebilcari
Staff
Staff

Created on ‎02-08-2023 07:50 AM

As I understood you have connected the two switches with two fiber links and you are trying to setup a Link Aggregation on those 2 links. Did you pass the needed VLAN on the trunk interface?

https://docs.fortinet.com/document/fortiswitch/7.2.2/administration-guide/352388/link-aggregation-gr...

You can try to setup two IPs on both Switches on the same subnet and VLAN, make sure it's allowed on the trunk and try to ping from one switch to another.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
669
0 Kudos
AGMP
New Contributor II
In response to ebilcari

Created on ‎02-13-2023 07:03 AM

Thank you for your reply. You are correct, that is what i am trying.
I want to connect switch one to my router and connect switch 2 to switch 1 using fiber.
I have 3 VLANS and assigned an ip address to VLAN1 (on both switches. last octed .240 and .241) and can ping .241 from .240

 

637
0 Kudos
gfleming
Staff
Staff
In response to AGMP

Created on ‎02-13-2023 09:02 AM

What connectivity between switches is not working? You should have L2 connectivity across the trunk. That is endpoints on SW2 in VLANX should be able to communicate to endpoints on SW1 in VLANX.

 

Are you struggling to communicate with SW2's L3 management IP address?

Cheers,
Graham
634
AGMP
New Contributor II

Created on ‎03-17-2023 01:04 AM

Due to illness i was unable to reply.
The situation is now like this:

Switch 2:
- Connected to the network on port 24 (uplink)
- Endpoint device on port 1 (dhcp)
- Fiber on port 28 to switch 3

Switch 3:
- Fiber to Switch 2 on port 28
- Endpoint on port 1 (dhcp)

On both switches port 28 is added to a trunk
Both switches have the same VLAN setup on the same ports (1,10,18 where 10 is native)
VLAN 1 has a static ip address:

Traffic is forwarded from switch 2 to switch 3 and also returning. So Endpoint devices have internet and network access.


I can connect to both switches now through the network when i set my network adapter to the same subnet as VLAN1, else not.

I do have configured a static route on both switches to the gateway

At this point i am not sure what the problem could be. As far i i understand it, i should be perfectly able to connect to the switch from any VLAN. Not only the MGMT port or when using the same subnet ?


570
0 Kudos
ebilcari
Staff
Staff
In response to AGMP

Created on ‎03-17-2023 02:30 AM Edited on ‎03-17-2023 02:36 AM

I was doing some tests and found out that on the route the Device should be set as Internal

internal.PNG

You can also check if the route is being applied by running this command

# get router info routing-table all
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, P - PIM, A - Babel,
> - selected route, * - FIB route, ^ - HW install failed

S>* 0.0.0.0/0 [10/0] via 10.5.32.1, internal
C>* 10.5.32.0/23 is directly connected, internal
C>* 127.0.0.0/8 is directly connected, lo

https://docs.fortinet.com/document/fortiswitch/7.2.3/administration-guide/095393/remote-access-to-th...

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
561
0 Kudos
ebilcari
Staff
Staff

Created on ‎03-17-2023 01:20 AM

A simple ping from the GW to the switch management VLAN verifies that the mgmt VLAN spanning is done between the switches and the GW, than is a matter of routing and security policies. If you have used the VLAN1 just make sure that the Gateway is routing this traffic and the static route configured in the switches are correct.

 

If you want to create a dedicated management interface tied to a VLAN you have to create an internal interface and setup the IP. (default is on VLAN 1). 

 

mgmt.PNG

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
566
0 Kudos
AGMP
New Contributor II
In response to ebilcari

Created on ‎03-17-2023 03:17 AM Edited on ‎03-17-2023 03:18 AM

This is what my configuration of Switch 3 looks like. Gateway is 172.16.0.240 which is switch 2

 

1.png2.png3.png4.png

557
0 Kudos
ebilcari
Staff
Staff
In response to AGMP

Created on ‎03-17-2023 06:23 AM Edited on ‎03-17-2023 06:29 AM

You have to span VLAN 1 (mgmt) to the L3 device you have in the network and set the IP of that L3 devices (router/firewall/L3switch) as gateway on both of this switches.


In your current configuration you are adding switch 2 as the next hop and I don't think that switch 2 is routing these packets anywhere.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
547
AGMP
New Contributor II

Created on ‎03-27-2023 02:54 AM

Sorry for the late reaction.

I have made some changes as you suggested and it is pretty much working. Only thing is that i still can not connect to the management vlan from a different vlan.

So what i want to achieve is this:

I do have a management VLAN (VLAN1) that is used to manage servers and network devices.
Admins are allowed to use that VLAN and access the webinterface. Users are not allowed to use that vlan or  connect to the webinterface of the switch.

I (as an admin) want to be able to connect to the switch using VLAN3 from whatever VLAN i am on.
That is how it works on the current unify gear. 

At this point i can only connect to the fortiswitch web interface when i use a local IP of 172.16.0.x

So at this point i am not sure where to add what to achieve what i want.

514
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.