Chapter 20 – Managing a FortiSwitch with a FortiGate
Introduction
This document describes how to set up and configure managed FortiSwitches with a FortiGate. This is also known as using the FortiSwitch in FortiLink mode.
Supported Models
The following table shows the FortiSwitch models that support FortiLink mode when paired with the corresponding FortiGate models and the listed minimum software releases.
FortiGate Models                                   Earliest FortiOS   FortiSwitch Models
FGT-90D                                            5.2.2              FS-224D-POE
FGT-60D, FGT-90D, FGT-100D, FGT-140D (POE, T1),    5.2.3              FSR-112D-POE, FS-108D-POE, FS-124D,
FGT-200D, FGT-240D, FGT-280D (POE), FGT-600C,                         FS-124D-POE, FS-224D-POE, FS-224D-FPOE
FGT-800C, FGT-1000C                                5.4.0              All FortiSwitch D-series models.
                                                                      FortiSwitchOS 3.3.x or 3.4.0 is recommended.
FGT-1200D, FGT-1500D, FGT-3700D, FGT-3700DX        5.4.0              All FortiSwitch D-series models.
                                                                      FortiSwitchOS 3.3.x or 3.4.0 is recommended.
What's New
The following FortiLink features are new in FortiOS 5.4.0 with FortiSwitchOS 3.3.0 (or later):
- FortiGate High-Availability mode
- Multiple VLANs per port (native VLAN and tagged VLANs)
- Auto-authorization of the FortiSwitch
- FortiLink GUI enabled for FGT-600C, FGT-800C and FGT-1000C
- POE configuration on the FortiSwitch ports
- FortiLink Link Aggregation Group (LAG)
- Auto-detection of FortiLink ports on the FortiSwitch
Before You Begin
Before you configure the managed FortiSwitch unit, the following assumptions have been made in the writing of this manual:
- You have completed the initial configuration of the FortiSwitch unit, as outlined in the QuickStart Guide for your FortiSwitch, and you have administrative access to the FortiSwitch web-based manager and CLI.
- You have installed a FortiGate unit on your network and have administrative access to the FortiGate web-based manager and CLI.
How this Guide is Organized
This guide contains the following sections:
- Connecting FortiLink Ports – information about connecting FortiSwitch ports to FortiGate ports.
- FortiLink Configuration – how to configure FortiLink
- Configuring Fortilink for FortiGate HA – how to configure Fortilink when you have a pair of FortiGate units in HA mode.
- Optional Setup Tasks – describes other set up tasks.
- VLAN Configuration – configure VLANs from the FortiGate unit.
- FortiSwitch POE Configuration – configure ports and POE from the FortiGate unit.
- Troubleshooting – describes techniques for troubleshooting common problems.
- Scenarios – contains practical examples of how to use managed FortiSwitch units in a network.
Connecting FortiLink Ports
This section contains information about the FortiSwitch and FortiGate ports that you connect to establish a FortiLink connection.
You have a choice of connecting a single FortiLink port or multiple FortiLink ports in a link-aggregation group (LAG).
In FortiSwitchOS 3.3.0 and later releases, you can use any of the switch ports for FortiLink. Some or all of the switch ports (depending on the model) support auto-discovery of the FortiLink ports.
Summary of the Steps
1. If required, enable the Switch Controller on the FortiGate
2. Connect a cable between the FortiSwitch port and the FortiGate port (or ports for a LAG)
Enable the Switch Controller on FortiGate
Prior to connecting the FortiSwitch and FortiGate units, ensure that the Switch Controller feature is enabled on the FortiGate (depending on the FortiGate model and software release, this feature may be enabled by default).
Use the FortiGate web-based manager or CLI to enable the Switch Controller.
Using the FortiGate web-based manager
1. Go to System > Features.
2. Turn on the Switch Controller feature.
3. Select Apply.
The menu option WiFi & Switch Controller now appears in the web-based manager.
Using the FortiGate CLI
Use the following command to enable the Switch Controller.
config system global
    set switch-controller enable
end
Connect the FortiSwitch and FortiGate
In FortiSwitchOS 3.3.0 and later releases, FortiSwitchOS provides additional flexibility for FortiLink:
- Use any switch port for FortiLink
- Provides auto-discovery of the FortiLink ports on the FortiSwitch
- Choice of a single FortiLink port or multiple FortiLink ports in a link-aggregation group (LAG)
Auto–discovery of the FortiSwitch Ports
In releases FortiSwitchOS 3.3.0 and beyond, the D-series FortiSwitch models support FortiLink auto-discovery, which is automatic detection of the port connected to the FortiGate.
You can use any of the switch ports for FortiLink. Use the following commands to configure a port for FortiLink auto-discovery:
config switch interface
    edit <port>
        set auto-discovery-fortilink enable
    next
end
NOTE: Some ports are enabled for auto-discovery by default. See table below.
NOTE: Complete this configuration step BEFORE connecting the switch to the FortiGate.
Each FortiSwitch model provides a set of ports that are enabled for FortiLink auto-discovery by default. If you connect the FortiLink using one of these ports, no switch configuration is required.
In general (in FortiSwitchOS 3.4.0 and later releases), the last four ports are the default auto-discovery FortiLink ports. You can also run the show switch interface CLI command on the FortiSwitch to see the ports that have auto-discovery enabled.
The table below lists the default auto-discovery ports for each switch model:
FortiSwitch Model Default Auto-FortiLink ports
FS-108D ports 9 and 10
FSR-112D ports 9, 10, 11 and 12
FS-224D-POE ports 21, 22, 23 and 24
FS-1024D, FS-1048D, FS-3032D all ports
FS-124D, FS-124D-POE ports 23, 24, 25 and 26
FS-224D-FPOE ports 25, 26, 27 and 28
FS-424D-FPOE ports 25 and 26
FS-524D-FPOE ports 25, 26, 27, 28, 29 and 30
FS-548D-FPOE ports 49, 50, 51, 52, 53 and 54
FS-248D-FPOE ports 49, 50, 51, and 52
FS-524D ports 25, 26, 27, 28, 29 and 30
FS-548D ports 49, 50, 51, 52, 53 and 54
Choosing the FortiGate Ports
For all FortiGate models, you can connect up to 16 FortiSwitches to one FortiGate unit. The FortiGate manages all of the switches through one active FortiLink. The FortiLink may consist of one port or multiple ports (for a LAG).
The following table shows the ports for each model of FortiGate that you can use for FortiLink.
FortiGate Model                                  Ports for FortiLink connection
FGT-60D, FGT-60D-POE, FWF-60D, FWF-60D-POE       port1 – port7
FGT-90D, FGT-90D-POE, FWF-90D, FWF-90D-POE       port1 – port14
FGT-100D                                         port1 – port16
FGT-140D, FGT-140D-POE, FGT-140D-POE-T1          port1 – port36
FGT-200D                                         port1 – port16
FGT-240D                                         port1 – port40
FGT-280D, FGT-280D-POE                           port1 – port84
FGT-600C                                         port3 – port22
FGT-800C                                         port3 – port24
FGT-1000C                                        port3 – port14, port23 – port24
FGT-1200D                                        port1 – port36
FGT-1500D                                        port1 – port40
FGT-3700D, FGT-3700DX                            port1 – port32
FortiLink Configuration
This section describes the configuration steps to establish a FortiLink between a FortiSwitch and a FortiGate unit. You can configure FortiLink using the FortiGate web-based manager (GUI) or the FortiGate CLI. We recommend using the FortiGate GUI, because the CLI steps are more complex (and therefore more prone to error).
If you use one of the auto-discovery FortiSwitch ports, you can establish the FortiLink connection (single port or LAG) with zero configuration steps on the FortiSwitch, and with a few simple configuration steps on the FortiGate.
Summary of the Steps
1. On the FortiGate, configure the FortiLink port or create a FortiLink LAG
2. Authorize the managed FortiSwitch.
Using FortiGate GUI to Configure FortiLink (Single Link)
The following sections describe how to configure FortiLink using a single switch port.
Configuring the Port
Configure the FortiLink port on the FortiGate using the following steps:
1. Go to System > Network > Interfaces
2. (Optional) If the FortiLink physical port is currently included in the internal interface, edit the internal interface and remove the desired port from the Physical Interface Members.
3. Edit the FortiLink port.
4. Enter the following fields in the Edit Interface form:
a. Addressing mode: Set to Dedicated to Extension Device.
b. IP/Network Mask: system automatically sets the IP address and network mask.
c. (Optional) Automatically authorize devices: disable to manually authorize the FortiSwitch.
d. Select OK.
Authorizing the FortiSwitch
If you set the FortiLink port to manually authorize the FortiSwitch as a managed switch, perform the following steps:
1. Go to WiFi & Switch Controller > Managed FortiSwitch.
2. (Optional) Click on the FortiSwitch faceplate and click Authorize. This step is required only if you disabled the automatic authorization field of the interface.
Network Interface Display
The following image shows the Managed FortiSwitch display. The page displays the FortiGate ports on the left, and the faceplate for each switch on the right.
When the FortiLink is established successfully, the port status is green (on the FortiGate port and on the FortiSwitch faceplate) and the link between the ports is a solid line.
In System > Network > Interfaces, the system displays the switch ID next to the interface name, and displays Dedicated to Extension Device in the IP/Netmask field.
Note: An interface configured for managed FortiAP is also set to Dedicated to Extension Device. Make sure that you are viewing the correct FortiLink interface.
Using FortiGate GUI to Configure FortiLink (LAG)
Starting in FortiSwitchOS 3.3.0, you can configure the FortiLink as a Link Aggregation Group (LAG) to provide increased FortiLink bandwidth between the FortiGate and FortiSwitch.
NOTE: LAG is supported on all FortiSwitch models and on FortiGate models FGT-100D and above.
Connect any of the FortiLink-capable ports on the FortiGate to the FortiSwitch. Make sure that you configure auto-discovery on the FortiSwitch ports (unless the port is a default auto-discovery port).
Configuring the LAG on the FortiGate
1. Go to Network > Interfaces
2. (Optional) If the FortiLink physical ports are currently included in the internal interface, edit the internal interface and remove the desired ports from the Physical Interface Members.
3. Click Create New
4. Enter the following fields in the Add Interface form:
a. Interface name: enter a name for the interface (11 characters maximum)
b. Type: select FortiLink
c. Physical Interface Members : select the FortiGate ports for the LAG
d. IP/Network Mask: system automatically sets the IP address and network mask.
e. Administrative Access: check the boxes for ping, capwap and https. http is not required for FortiLink and would expose unencrypted administrative access on the link; the equivalent CLI procedure in this chapter grants only ping, capwap and https.
Authorizing the FortiSwitch
To authorize the FortiSwitch as a managed switch, perform the following steps:
1. Go to WiFi & Switch Controller > Managed Devices > Managed FortiSwitch. Click on the switch faceplate and select Authorize.
2. From the FortiGate CLI, ensure that NTP is enabled for the FortiLink LAG:
config system ntp
    set server-mode enable
    set interface fortilink
end
The following image shows the Managed FortiSwitch display. The page displays the FortiGate ports on the left, and the faceplate for each FortiSwitch on the right. The link between the FortiSwitch and FortiGate splits at each end to indicate which ports are members of the LAG.
Before the LAG becomes established, the FortiLink is displayed with dashed lines with a broken-link icon. When the FortiLink LAG is established successfully, the port status for the LAG ports is green (on the FortiGate port list and on the FortiSwitch faceplate), and the link between the ports is a solid line.
Network Interface Display
In System > Network > Interfaces, the system displays the switch ID next to the interface name, and displays Dedicated to Extension Device in the IP/Netmask field.
Note: An interface configured for managed FortiAP is also set to Dedicated to Extension Device. Make sure that you are viewing the correct FortiLink interface.
Using FortiGate CLI to Configure FortiLink (Single Link)
The following sections describe how to use the FortiGate CLI to configure FortiLink using a single link.
Configuring the Port and Authorizing the FortiSwitch
Configure the FortiLink port on the FortiGate, and authorize the FortiSwitch as a managed switch. In the following steps, port1 is configured as the FortiLink port.
1. If required, remove port1 from the lan interface:
config system virtual-switch
    edit lan
        config port
            delete port1
        end
    next
end
2. Configure port1 as the FortiLink interface:
config system interface
    edit port1
        set auto-auth-extension-device enable
        set fortilink enable
    next
end
3. Configure an NTP server on port1:
config system ntp
    set server-mode enable
    set interface port1
end
4. Authorize the FortiSwitch unit as a managed switch. The switch is identified by its serial number; replace FS224D3W14000370 with the serial number of your switch:
config switch-controller managed-switch
    edit FS224D3W14000370
        set fsw-wan1-admin enable
    next
end
NOTE: The FortiSwitch reboots when you issue this command.
Using FortiGate CLI to Configure FortiLink (LAG)
Starting in FortiSwitchOS 3.3.0, you can configure the FortiLink as a Link Aggregation Group (LAG) to provide increased FortiLink bandwidth between the FortiGate and FortiSwitch.
NOTE: LAG is supported on all FortiSwitch models and on FortiGate models FGT-100D and above.
Connect any of the FortiLink-capable ports on the FortiGate to the FortiSwitch. Make sure that you configure auto-discovery on the FortiSwitch ports (unless the port is a default auto-discovery port).
Configuring the LAG on the FortiGate
To configure the FortiLink as a LAG, create a FortiLink interface on the FortiGate, add the physical ports, and authorize the FortiSwitch as a managed switch. In the following steps, port4 and port5 are configured as the FortiLink LAG.
1. If required, remove the LAG ports from the lan interface:
config system virtual-switch
    edit lan
        config port
            delete port4
            delete port5
        end
    next
end
2. Create a trunk of type fortilink with the two ports that you connected to the switch. The interface name (flink1 in this example) is limited to 11 characters:
config system interface
    edit flink1
        set allowaccess ping capwap https
        set type fortilink
        set member port4 port5
        set lacp-mode static
    next
end
3. Configure an NTP server on the LAG interface:
config system ntp
    set server-mode enable
    set interface flink1
end
4. Authorize the FortiSwitch unit as a managed switch. The switch is identified by its serial number; replace FS224D3W14000370 with the serial number of your switch:
config switch-controller managed-switch
    edit FS224D3W14000370
        set fsw-wan1-admin enable
    next
end
NOTE: The FortiSwitch reboots when you issue this command.
5. Configure a DHCP server on the FortiLink LAG interface. The single-address range matches the /30 FortiLink subnet, and vci-match limits the lease to DHCP clients whose vendor class identifier is FortiSwitch:
config system dhcp server
    edit 0
        set ntp-service local
        set netmask 255.255.255.252
        set interface flink1
        config ip-range
            edit 1
                set start-ip 169.254.254.2
                set end-ip 169.254.254.2
            next
        end
        set vci-match enable
        set vci-string FortiSwitch
    next
end
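The settings in the two CLI procedures above (allowaccess on the FortiLink interface, auto-auth-extension-device, and vci-match on the FortiLink DHCP server) decide who can reach the switch controller over the FortiLink and which devices get a lease and an authorization. The following script is an added example, not FortiOS or Fortinet code: it parses a FortiOS configuration dump in the config/edit/set/next/end syntax used above and reports FortiLink interfaces and DHCP servers that deviate from what the procedures grant. SAMPLE_CONFIG is constructed for the example, and the function names (parse_fortios, entries, fortilink_interfaces, audit_fortilink) are chosen here.

```python
"""Audit a FortiOS configuration dump for FortiLink hygiene.

Added example, not Fortinet code. Parses the nested config/edit/set/next/end
CLI syntax and flags FortiLink settings that widen the management plane
beyond what the procedures above grant. SAMPLE_CONFIG is constructed.
"""
import shlex

# Constructed sample: one physical FortiLink port (port1) and one FortiLink
# LAG (flink1), each with a DHCP server, as in the CLI procedures above.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set fortilink enable
        set auto-auth-extension-device enable
    next
    edit "flink1"
        set type fortilink
        set allowaccess ping capwap http https
        set member "port4" "port5"
    next
end
config system dhcp server
    edit 0
        set interface "flink1"
        set vci-match enable
        set vci-string "FortiSwitch"
    next
    edit 1
        set interface "port1"
    next
end
"""

# What the FortiLink LAG procedure grants: ICMP, the CAPWAP control channel
# and HTTPS. Anything beyond this set is reported.
FORTILINK_ACCESS = {"ping", "capwap", "https"}


def parse_fortios(text):
    """Return nested dicts keyed by ("config", name) / ("edit", name) /
    ("set", attr); `set` values are lists with quotes removed. `next`
    closes an edit; `end` closes the enclosing config and any open edit."""
    root = {}
    stack = [(("config", ""), root)]
    for raw in text.splitlines():
        words = shlex.split(raw, comments=True)  # also drops '#config-version'
        if not words:
            continue
        kw, args = words[0], words[1:]
        if kw in ("config", "edit"):
            key = (kw, " ".join(args))
            stack.append((key, stack[-1][1].setdefault(key, {})))
        elif kw == "set" and len(args) >= 2:
            stack[-1][1][("set", args[0])] = args[1:]
        elif kw == "next" and len(stack) > 1 and stack[-1][0][0] == "edit":
            stack.pop()
        elif kw == "end":
            while len(stack) > 1 and stack.pop()[0][0] != "config":
                pass
    return root


def entries(cfg, section):
    """Yield (name, node) for each `edit` under a top-level config section."""
    for key, node in cfg.get(("config", section), {}).items():
        if key[0] == "edit":
            yield key[1], node


def fortilink_interfaces(cfg):
    """Physical ports with `set fortilink enable` or aggregates of type fortilink."""
    return {name: node for name, node in entries(cfg, "system interface")
            if node.get(("set", "fortilink")) == ["enable"]
            or node.get(("set", "type")) == ["fortilink"]}


def audit_fortilink(text):
    """Return a list of finding strings; an empty list means nothing to report."""
    cfg = parse_fortios(text)
    links = fortilink_interfaces(cfg)
    findings = []
    for name, node in links.items():
        extra = sorted(set(node.get(("set", "allowaccess"), [])) - FORTILINK_ACCESS)
        if extra:
            findings.append(f"{name}: allowaccess also grants {', '.join(extra)}; "
                            "FortiLink needs only ping, capwap and https")
        if node.get(("set", "auto-auth-extension-device")) == ["enable"]:
            findings.append(f"{name}: auto-auth-extension-device is enabled; "
                            "switches are authorized without an operator step")
    for name, node in entries(cfg, "system dhcp server"):
        iface = node.get(("set", "interface"), [""])[0]
        if iface in links and node.get(("set", "vci-match")) != ["enable"]:
            findings.append(f"dhcp server {name} on {iface}: vci-match is not "
                            "enabled, so the lease is not limited to FortiSwitch clients")
    return findings
```

Run audit_fortilink on the combined text of `show system interface` and `show system dhcp server` taken from the FortiGate; on the constructed sample it reports the http grant on flink1, the auto-authorization on port1, and the missing vci-match on port1's DHCP server. Treat vci-match as a filter rather than authentication: the vendor class identifier is a string the DHCP client supplies in its own request, so it keeps stray clients from consuming the single FortiLink lease but does not prove that the client is a FortiSwitch. The managed-switch authorization step (fsw-wan1-admin, or the Authorize action in the GUI) remains the control over which switches the FortiGate manages, which is why the auto-authorization finding is worth an operator's review rather than an automatic pass.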
Configuring FortiLink for FortiGate HA
With FortiOS 5.4.0 and later releases, a FortiGate operating in HA mode can use FortiLink (to FortiSwitches running FortiSwitchOS 3.3.0 or later release).
To use FortiLink mode with a pair of FortiGate units in a high-availability cluster, you must connect FortiLink from the switch to both of the FortiGate units.
Highlights of this configuration:
1. No console port or direct management is required on the FortiSwitch.
2. All the actions described here can be performed from FortiCloud if needed.
3. All FortiSwitch internal state and counters are visible when in FortiLink managed mode.
Example Topology
The LAN and WAN links connect to FortiSwitch ports. The FortiSwitch connects to the active and standby FortiGate units. If the standby FortiGate (for example, FGT2) becomes active, this is transparent to the LAN and WAN ports. FortiLink is automatically established to FGT2, and the active traffic path becomes LAN <-> FGT2<-> WAN.
Note the following points:
1. The FortiSwitch connects with FortiLink to both of the FortiGate units. These connections can be LAGs (in FortiSwitchOS 3.3.0 and later releases).
2. LAN and WAN links can connect to separate FortiSwitches, as shown in the figure. You can also connect them to the same FortiSwitch (and use VLANs to separate the LAN and WAN traffic).
3. Connect the FortiLinks from any two FortiSwitch ports to FGT1 port X and FGT2 port X, where the FortiGate port numbers must match (port1 in the above topology diagram).
4. For FortiLink LAGs, connect Fortilinks from two additional FortiSwitch ports to FGT1 port Y and FGT2 port Y, where the FortiGate port numbers must match.
Adding a Second FortiGate to Existing Single FortiGate
Connect an additional FortiLink from the FortiSwitch to the new FortiGate, and configure HA on both of the FortiGate units.