
Chapter 20 – Managing a FortiSwitch with a FortiGate


 

Managing a FortiSwitch with a FortiGate

 

Introduction

This document describes how to set up and configure managed FortiSwitches with a FortiGate. This is also known as using FortiSwitch in FortiLink mode.

 

Supported Models

The following table shows the FortiSwitch models that support FortiLink mode when paired with the corresponding FortiGate models and the listed minimum software releases.

FortiGate Models                                   Earliest FortiOS   FortiSwitch Models

FGT-90D                                            5.2.2              FS-224D-POE

FGT-60D, FGT-90D,                                  5.2.3              FSR-112D-POE, FS-108D-POE, FS-124D,
FGT-100D, FGT-140D (POE, T1),                                         FS-124D-POE, FS-224D-POE, FS-224D-FPOE
FGT-200D, FGT-240D, FGT-280D (POE),
FGT-600C, FGT-800C, FGT-1000C                      5.4.0              All FortiSwitch D-series models.
                                                                      FortiSwitchOS 3.3.x or 3.4.0 is recommended.

FGT-1200D, FGT-1500D,                              5.4.0              All FortiSwitch D-series models.
FGT-3700D, FGT-3700DX                                                 FortiSwitchOS 3.3.x or 3.4.0 is recommended.

 

 

What's New

The following new FortiLink features are available:

 

FortiOS 5.4.0 with FortiSwitchOS 3.3.0 (or later)

  • FortiGate High-Availability mode
  • Multiple VLANs per port (native VLAN and tagged VLANs)
  • Auto-authorization of the FortiSwitch
  • FortiLink GUI enabled for FGT-600C, FGT-800C and FGT-1000C
  • POE configuration on the FortiSwitch ports
  • FortiLink Link Aggregation Group (LAG)
  • Auto-detection of FortiLink ports on the FortiSwitch

 

Before You Begin

This guide assumes that the following are already in place before you configure the managed FortiSwitch unit:

  • You have completed the initial configuration of the FortiSwitch unit, as outlined in the QuickStart Guide for your FortiSwitch, and you have administrative access to the FortiSwitch web-based manager and CLI.
  • You have installed a FortiGate unit on your network and have administrative access to the FortiGate web-based manager and CLI.

 

How this Guide is Organized

 

This guide contains the following sections:

  • Connecting FortiLink Ports – information about connecting FortiSwitch ports to FortiGate ports.
  • FortiLink Configuration – how to configure FortiLink.
  • Configuring FortiLink for FortiGate HA – how to configure FortiLink when you have a pair of FortiGate units in HA mode.
  • Optional Setup Tasks – describes other setup tasks.
  • VLAN Configuration – configure VLANs from the FortiGate unit.
  • FortiSwitch POE Configuration – configure ports and POE from the FortiGate unit.
  • Troubleshooting – describes techniques for troubleshooting common problems.
  • Scenarios – contains practical examples of how to use managed FortiSwitch units in a network.

 

Connecting FortiLink Ports

This section contains information about the FortiSwitch and FortiGate ports that you connect to establish a FortiLink connection.

You have a choice of connecting a single FortiLink port or multiple FortiLink ports in a link-aggregation group (LAG).

In FortiSwitchOS 3.3.0 and later releases, you can use any of the switch ports for FortiLink. Some or all of the switch ports (depending on the model) support auto-discovery of the FortiLink ports.

 

Summary of the Steps

1. If required, enable the Switch Controller on the FortiGate

2. Connect a cable between the FortiSwitch port and the FortiGate port (or ports for a LAG)

 

Enable the Switch Controller on FortiGate

Prior to connecting the FortiSwitch and FortiGate units, ensure that the Switch Controller feature is enabled on the FortiGate (depending on the FortiGate model and software release, this feature may be enabled by default).

Use the FortiGate web-based manager or CLI to enable the Switch Controller.

 

Using the FortiGate web-based manager

1. Go to System > Features.

2. Turn on the Switch Controller feature.

3. Select Apply.

The menu option WiFi & Switch Controller now appears in the web-based manager.

 

Using the FortiGate CLI

Use the following command to enable the Switch Controller.

 

config system global
    set switch-controller enable
end

 

Connect the FortiSwitch and FortiGate

In FortiSwitchOS 3.3.0 and later releases, FortiSwitchOS provides additional flexibility for FortiLink:

  • Use any switch port for FortiLink
  • Provides auto-discovery of the FortiLink ports on the FortiSwitch
  • Choice of a single FortiLink port or multiple FortiLink ports in a link-aggregation group (LAG)

 

Autodiscovery of the FortiSwitch Ports

In FortiSwitchOS 3.3.0 and later releases, the D-series FortiSwitch models support FortiLink auto-discovery: the switch automatically detects which port is connected to the FortiGate.

You can use any of the switch ports for FortiLink. Use the following commands to configure a port for FortiLink auto-discovery:

 

config switch interface
    edit <port>
        set auto-discovery-fortilink enable
    next
end

 

NOTE: Some ports are enabled for auto-discovery by default. See table below.

NOTE: Complete this configuration step BEFORE connecting the switch to the FortiGate.

Each FortiSwitch model provides a set of ports that are enabled for FortiLink auto-discovery by default. If you connect the FortiLink using one of these ports, no switch configuration is required.

In general (in FortiSwitchOS 3.4.0 and later releases), the last four ports are the default auto-discovery FortiLink ports. You can also run the show switch interface CLI command on the FortiSwitch to see the ports that have auto-discovery enabled.

The table below lists the default auto-discovery ports for each switch model:

FortiSwitch Model                                    Default Auto-FortiLink ports

FS-108D                                                       ports 9 and 10

FSR-112D                                                     ports 9, 10, 11 and 12

FS-224D-POE                                               ports 21, 22, 23 and 24

FS-1024D, FS-1048D, FS-3032D                 all ports

FS-124D, FS-124D-POE                              ports 23, 24, 25 and 26

FS-224D-FPOE                                            ports 25, 26, 27 and 28

FS-424D-FPOE                                            ports 25 and 26

FS-524D-FPOE                                            ports 25, 26, 27, 28, 29 and 30

FS-548D-FPOE                                            ports 49, 50, 51, 52, 53 and 54

FS-248D-FPOE                                            ports 49, 50, 51, and 52

FS-524D                                                       ports 25, 26, 27, 28, 29 and 30

FS-548D                                                       ports 49, 50, 51, 52, 53 and 54

 

Choosing the FortiGate Ports

For all FortiGate models, you can connect up to 16 FortiSwitches to one FortiGate unit. The FortiGate manages all of the switches through one active FortiLink. The FortiLink may consist of one port or multiple ports (for a LAG).

The following table shows the ports for each model of FortiGate that you can use for FortiLink.

 

FortiGate Model                                                        Ports for Fortilink connection

FGT-60D, FGT-60D-POE, FWF-60D, FWF-60D-POE                 port1 – port7

FGT-90D, FGT-90D-POE, FWF-90D, FWF-90D-POE                 port1 – port14

FGT-100D                                                                      port1 – port16

FGT-140D , 140D-POE, 140D-POE-T1                          port1 – port36

FGT-200D                                                                      port1 – port16

FGT-240D                                                                      port1 – port40

FGT-280D, FGT-280D-POE                                          port1 – port84

FGT-600C                                                                      port3 – port22

FGT-800C                                                                      port3 – port24

FGT-1000C                                                                    port3 – port14, port23 – port24

FGT-1200D                                                                    port1 – port36

FGT-1500D                                                                    port1 – port40

FGT-3700D, FGT-3700DX                                             port1 – port32

 

FortiLink Configuration

This section describes the configuration steps to establish a FortiLink between a FortiSwitch and a FortiGate unit. You can configure FortiLink using the FortiGate web-based manager (GUI) or the FortiGate CLI. We recommend using the FortiGate GUI, because the CLI steps are more complex (and therefore more prone to error).

If you use one of the auto-discovery FortiSwitch ports, you can establish the FortiLink connection (single port or LAG) with zero configuration steps on the FortiSwitch, and with a few simple configuration steps on the FortiGate.

 

Summary of the Steps

1. On the FortiGate, configure the FortiLink port or create a FortiLink LAG

2. Authorize the managed FortiSwitch.

 

Using FortiGate GUI to Configure FortiLink (Single Link)

The following sections describe how to configure FortiLink using a single switch port.

 

Configuring the Port

Configure the FortiLink port on the FortiGate using the following steps:

1. Go to System > Network > Interfaces

2. (Optional) If the FortiLink physical port is currently included in the internal interface, edit the internal interface and remove the desired port from the Physical Interface Members.

3. Edit the FortiLink port.

4. Enter the following fields in the Edit Interface form:

a. Addressing mode: Set to Dedicated to Extension Device.

b. IP/Network Mask: system automatically sets the IP address and network mask.

c. (Optional) Automatically authorize devices: disable to manually authorize the FortiSwitch.

d. Select OK.

 

Authorizing the FortiSwitch

If you set the FortiLink port to manually authorize the FortiSwitch as a managed switch, perform the following steps:

1. Go to WiFi & Switch Controller > Managed FortiSwitch.

2. (Optional) Click on the FortiSwitch faceplate and click Authorize. This step is required only if you disabled the automatic authorization field of the interface.

 

Network Interface Display

The Managed FortiSwitch page displays the FortiGate ports on the left, and the faceplate for each switch on the right.

When the FortiLink is established successfully, the port status is green (on the FortiGate port and on the FortiSwitch faceplate) and the link between the ports is a solid line.

In System > Network > Interfaces, the system displays the switch ID next to the interface name, and displays Dedicated to Extension Device in the IP/Netmask field .

Note: An interface configured for managed FortiAP is also set to Dedicated to Extension Device. Make sure that you are viewing the correct FortiLink interface.

 

Using FortiGate GUI to Configure FortiLink (LAG)

Starting in FortiSwitchOS 3.3.0, you can configure the FortiLink as a Link Aggregation Group (LAG) to provide increased FortiLink bandwidth between the FortiGate and FortiSwitch.

NOTE: LAG is supported on all FortiSwitch models and on FortiGate models FGT-100D and above.

Connect any of the FortiLink-capable ports on the FortiGate to the FortiSwitch. Make sure that you configure auto-discovery on the FortiSwitch ports (unless the port is a default auto-discovery port).

 

Configuring the LAG on the FortiGate

1. Go to Network> Interfaces

2. (Optional) If the FortiLink physical ports are currently included in the internal interface, edit the internal interface and remove the desired ports from the Physical Interface Members.

3. Click Create New

4. Enter the following fields in the Add Interface form:

a. Interface name: enter a name for the interface (11 characters maximum)

b. Type: select FortiLink

c. Physical Interface Members : select the FortiGate ports for the LAG

d. IP/Network Mask: system automatically sets the IP address and network mask.

e. Administrative Access: check the boxes for ping, capwap, http and https. (The CLI procedure later in this guide opens only ping, capwap and https on the FortiLink interface; plain http is not required for FortiLink and can be left unchecked.)

 

Authorizing the FortiSwitch

To authorize the FortiSwitch as a managed switch, perform the following steps:

1. Go to WiFi & Switch Controller > Managed Devices > Managed FortiSwitch. Click on the switch faceplate and select Authorize.

2. From the FortiGate CLI, ensure that the FortiGate acts as NTP server on the FortiLink LAG interface (the managed switches take their time from it):

config system ntp
    set server-mode enable
    set interface fortilink    (the name you gave the FortiLink interface)
end

The Managed FortiSwitch page displays the FortiGate ports on the left, and the faceplate for each FortiSwitch on the right. The link between the FortiSwitch and FortiGate splits at each end to indicate which ports are members of the LAG.

Before the LAG becomes established, the FortiLink is displayed with dashed lines with a broken-link icon. When the FortiLink LAG is established successfully, the port status for the LAG ports is green (on the FortiGate port list and on the FortiSwitch faceplate), and the link between the ports is a solid line.

 

Network Interface Display

In System > Network > Interfaces, the system displays the switch ID next to the interface name, and displays Dedicated to Extension Device in the IP/Netmask field .

Note: An interface configured for managed FortiAP is also set to Dedicated to Extension Device. Make sure that you are viewing the correct FortiLink interface.

 

Using FortiGate CLI to Configure FortiLink (Single Link)

The following sections describe how to use the FortiGate CLI to configure FortiLink using a single link.

 

Configuring the Port and Authorizing the FortiSwitch

Configure the FortiLink port on the FortiGate, and authorize the FortiSwitch as a managed switch. In the following steps, port1 is configured as the FortiLink port.

1. If required, remove port1 from the lan interface:

config system virtual-switch
    edit lan
        config port
            delete port1
        end
    next
end

2. Configure port1 as the FortiLink interface:

config system interface
    edit port1
        set auto-auth-extension-device enable
        set fortilink enable
    next
end

3. Configure an NTP server on port1:

config system ntp
    set server-mode enable
    set interface port1
end

4. Authorize the FortiSwitch unit as a managed switch (the switch serial number is the entry name):

config switch-controller managed-switch
    edit FS224D3W14000370
        set fsw-wan1-admin enable
    next
end

NOTE: FortiSwitch will reboot when you issue the above command.

 

Using FortiGate CLI to Configure FortiLink (LAG)

Starting in FortiSwitchOS 3.3.0, you can configure the FortiLink as a Link Aggregation Group (LAG) to provide increased FortiLink bandwidth between the FortiGate and FortiSwitch.

NOTE: LAG is supported on all FortiSwitch models and on FortiGate models FGT-100D and above.

Connect any of the FortiLink-capable ports on the FortiGate to the FortiSwitch. Make sure that you configure auto-discovery on the FortiSwitch ports (unless the port is a default auto-discovery port).

 

Configuring the LAG on the FortiGate

 

To configure the FortiLink as a LAG, create a FortiLink interface on the FortiGate, add the physical ports, and authorize the FortiSwitch as a managed switch. In the following steps, port4 and port5 are configured as the FortiLink LAG.

1. If required, remove the LAG ports from the lan interface:

config system virtual-switch
    edit lan
        config port
            delete port4
            delete port5
        end
    next
end

2. Create a trunk (of type fortilink) with the two ports that you connected to the switch. Only ping, capwap and https are opened on the link:

config system interface
    edit flink1    (enter a name, 11 characters maximum)
        set allowaccess ping capwap https
        set type fortilink
        set member port4 port5
        set lacp-mode static
    next
end

3. Configure an NTP server on the LAG interface:

config system ntp
    set server-mode enable
    set interface flink1
end

4. Authorize the FortiSwitch unit as a managed switch (the switch serial number is the entry name):

config switch-controller managed-switch
    edit FS224D3W14000370
        set fsw-wan1-admin enable
    next
end

NOTE: FortiSwitch will reboot when you issue the above command.

5. Configure a DHCP server on the LAG interface. The scope is a /30 with a single lease, and vci-match restricts that lease to a client whose DHCP vendor class identifier is FortiSwitch, so another device plugged into a LAG port does not receive an address on the management link:

config system dhcp server
    edit 0
        set ntp-service local
        set netmask 255.255.255.252
        set interface flink1
        config ip-range
            edit 1
                set start-ip 169.254.254.2
                set end-ip 169.254.254.2
            next
        end
        set vci-match enable
        set vci-string FortiSwitch
    next
end
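Both CLI procedures above (single link and LAG) come down to a handful of settings that decide how exposed the management link is: the FortiLink interface's allowaccess list, NTP server-mode bound to that interface, and a DHCP scope on it that only answers the FortiSwitch vendor class. The following Python script is an added example written for this guide; it is not Fortinet code and not part of the original page. It parses a FortiOS configuration dump (assumed to use the standard config / edit / set / next / end grammar, with `#` comment lines) into a tree and audits those settings. The sample dump is constructed to mirror the LAG procedure, reusing its illustrative names (flink1, port4, port5, serial number omitted); the "allowed" access set (ping, capwap, https) is taken from step 2 of that procedure, and the weakened variant is derived from the good one to show what a finding looks like.

```python
"""Audit a FortiOS configuration dump for the FortiLink settings this guide configures.
Added example for this guide, not Fortinet code; assumes the standard FortiOS dump grammar."""
import shlex
from dataclasses import dataclass, field

@dataclass
class Node:
    settings: dict = field(default_factory=dict)  # "set <key> <values...>"
    children: dict = field(default_factory=dict)  # "config <table>" / "edit <entry>" -> Node

def parse_fortios(text: str) -> Node:
    """Build a tree; frames are tagged so an 'end' inside an 'edit' closes entry and table."""
    root = Node()
    stack = [("config", root)]
    for raw in text.splitlines():
        toks = shlex.split(raw, comments=True)  # keeps quoted names whole, drops '#' lines
        if not toks:
            continue
        kw, args, top = toks[0], toks[1:], stack[-1][1]
        if kw == "config":
            stack.append(("config", top.children.setdefault("config " + " ".join(args), Node())))
        elif kw == "edit":
            stack.append(("edit", top.children.setdefault(args[0], Node())))
        elif kw == "set":
            top.settings[args[0]] = args[1:]
        elif kw == "next" and stack[-1][0] == "edit":
            stack.pop()
        elif kw == "end":
            while len(stack) > 1 and stack[-1][0] == "edit":
                stack.pop()
            if len(stack) > 1:
                stack.pop()
    return root

def table(root: Node, path: str) -> Node:
    return root.children.get("config " + path, Node())

def fortilink_interfaces(root: Node) -> dict:
    """Interfaces created with 'set type fortilink' (LAG) or 'set fortilink enable' (single port)."""
    return {name: i for name, i in table(root, "system interface").children.items()
            if i.settings.get("type") == ["fortilink"] or i.settings.get("fortilink") == ["enable"]}

ALLOWED_ACCESS = {"ping", "capwap", "https"}  # what the guide's LAG procedure opens on the link

def audit_fortilink(config_text: str) -> list:
    """Return findings; an empty list means the FortiLink settings match the guide."""
    root = parse_fortios(config_text)
    links = fortilink_interfaces(root)
    if not links:
        return ["no FortiLink interface found (set type fortilink / set fortilink enable)"]
    ntp = table(root, "system ntp").settings
    scopes = table(root, "system dhcp server").children.values()
    findings = []
    for name, iface in links.items():
        access = set(iface.settings.get("allowaccess", []))
        if "capwap" not in access:
            findings.append(f"{name}: capwap missing from allowaccess; FortiLink management uses CAPWAP")
        if access - ALLOWED_ACCESS:
            findings.append(f"{name}: extra admin services on FortiLink: " + " ".join(sorted(access - ALLOWED_ACCESS)))
        if ntp.get("server-mode") != ["enable"] or name not in ntp.get("interface", []):
            findings.append(f"{name}: NTP server-mode is not enabled on this interface")
        for scope in (s for s in scopes if s.settings.get("interface") == [name]):
            if scope.settings.get("vci-match") != ["enable"] or scope.settings.get("vci-string") != ["FortiSwitch"]:
                findings.append(f"{name}: DHCP scope does not restrict leases to vci-string FortiSwitch")
    return findings

# Constructed sample dump mirroring the LAG procedure (flink1 = port4 + port5); not from a real device.
GOOD_CONFIG = """\
config system interface
    edit "flink1"
        set allowaccess ping capwap https
        set type fortilink
        set member "port4" "port5"
    next
end
config system ntp
    set server-mode enable
    set interface "flink1"
end
config system dhcp server
    edit 1
        set netmask 255.255.255.252
        set interface "flink1"
        config ip-range
            edit 1
                set start-ip 169.254.254.2
                set end-ip 169.254.254.2
            next
        end
        set vci-match enable
        set vci-string "FortiSwitch"
    next
end
"""
# Weakened variant: http and ssh opened on the link, NTP served on another port, VCI match off.
WEAK_CONFIG = (GOOD_CONFIG.replace("ping capwap https", "ping capwap http https ssh")
               .replace('    set interface "flink1"\nend', '    set interface "port1"\nend')
               .replace("vci-match enable", "vci-match disable"))
```

Run `audit_fortilink()` over the output of `show full-configuration` (or a saved backup) after either procedure; the good sample returns no findings, while the weakened one reports the extra services, the NTP binding and the missing VCI restriction. The parser deliberately treats `end` typed inside an `edit` the way the FortiOS CLI does (it commits the entry and leaves the table), so dumps and pasted CLI sessions parse the same way.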

 

Configuring FortiLink for FortiGate HA

With FortiOS 5.4.0 and later releases, a FortiGate operating in HA mode can use FortiLink (to FortiSwitches running FortiSwitchOS 3.3.0 or later release).

To use FortiLink mode with a pair of FortiGate units in a high-availability cluster, you must connect FortiLink from the switch to both of the FortiGate units.

 

Highlights of this configuration:

1. No console port or direct management is required on the FortiSwitch.

2. All the actions described here can be performed from FortiCloud if needed

3. All FortiSwitch internal state and counters are visible when in FortiLink managed mode

 

Example Topology

The LAN and WAN links connect to FortiSwitch ports. The FortiSwitch connects to the active and standby FortiGate units. If the standby FortiGate (for example, FGT2) becomes active, this is transparent to the LAN and WAN ports. FortiLink is automatically established to FGT2, and the active traffic path becomes LAN <-> FGT2<-> WAN.

 

Note the following points:

1. The FortiSwitch connects with FortiLink to both of the FortiGate units. These connections can be LAGs (in FortiSwitchOS 3.3.0 and later releases).

2. LAN and WAN links can connect to separate FortiSwitches, as shown in the figure. You can also connect them to the same FortiSwitch (and use VLANs to separate the LAN and WAN traffic).

3. Connect the FortiLinks from any two FortiSwitch ports to FGT1 port X and FGT2 port X, where the FortiGate port numbers must match (port1 in the above topology diagram).

4. For FortiLink LAGs, connect Fortilinks from two additional FortiSwitch ports to FGT1 port Y and FGT2 port Y, where the FortiGate port numbers must match.

 

Adding a Second FortiGate to Existing Single FortiGate

Connect an additional FortiLink from the FortiSwitch to the new FortiGate, and configure HA on both of the FortiGate units.

