Support for the authentication and encryption of fabric links 7.4.1
The FortiLink secured fabric provides authentication and encryption to all fabric links, wherever possible, making your Security Fabric more secure.
By default, authentication and encryption are disabled on the Security Fabric. After you specify the authentication mode and encryption mode for the FortiLink secured fabric in the LLDP profile:
- FortiOS authenticates the connected LLDP neighbors.
- FortiOS forms an authenticated secure inter-switch link (ISL) trunk.
- Ports that are members of the authenticated secure ISL trunk are encrypted with Media Access Control security (MACsec) (IEEE 802.1AE-2018).
- After the peer authentication (and MACsec encryption, if enabled) is complete, FortiOS configures the user VLANs.
- If FortiOS detects a new FortiSwitch unit in the Security Fabric, one of the FortiSwitch peers validates whether the new switch has a Fortinet factory SSL certificate chain. If the new FortiSwitch unit has a valid certificate, it becomes a FortiSwitch peer in the Fortinet secured fabric.
The following figure shows the FortiLink secured fabric. The links between the FortiGate device and the managed FortiSwitch units are always unencrypted. The green links between FortiSwitch peers are encrypted ISLs. The orange links between FortiSwitch peers are unencrypted ISLs.
Authentication modes
By default, there is no authentication. You can select one of three authentication modes:
- Legacy—This mode is the default. There is no authentication.
- Relax—If authentication succeeds, FortiOS forms a secure ISL trunk. If authentication fails, FortiOS forms a restricted ISL trunk.
  A restricted ISL trunk is the same as a regular ISL trunk, but FortiOS does not add any user VLANs. The restricted ISL trunk allows limited access so that users can authenticate unauthenticated switches. Use a restricted ISL trunk for a new FortiSwitch unit that was just added to the Security Fabric or a FortiSwitch unit that does not support authentication or encryption.
- Strict—If authentication succeeds, FortiOS forms a secure ISL trunk. If authentication fails, no ISL trunk is formed.
Encryption modes
By default, there is no encryption. You must select the strict or relax authentication mode before you can select the mixed or must encryption mode.
- None—There is no encryption, and FortiOS does not enable MACsec on the ISL trunk members.
- Mixed—FortiOS enables MACsec on the ISL trunk ports that support MACsec; the ISL trunk members act as encrypted links. FortiOS disables MACsec on the ISL members that do not support MACsec; these ISL trunk members act as unencrypted links.
- Must—FortiOS enables MACsec on all ISL trunk members. If the port supports MACsec, the port acts as an encrypted link. If the port does not support MACsec, the port is removed from the ISL trunk, but the port still functions as a user port.
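The authentication and encryption modes above combine into a small set of outcomes per peer and per port (which trunk forms, whether user VLANs are added, whether MACsec is on, whether a port stays in the trunk). The following added example, which is not Fortinet code, models those outcomes exactly as the mode descriptions on this page state them, so each combination can be checked explicitly; the function names, the `Port` record and the sample ports are assumptions made for the illustration.

```python
# Added example (not Fortinet's code): a model of the ISL trunk outcomes that the
# authentication and encryption modes described above produce. The function
# names, the Port record and the sample ports are assumptions for illustration.
from dataclasses import dataclass
from typing import Dict

AUTH_MODES = ("legacy", "relax", "strict")
ENCRYPT_MODES = ("none", "mixed", "must")


@dataclass(frozen=True)
class Port:
    name: str
    macsec_capable: bool  # whether the hardware port supports MACsec


def check_modes(auth_mode: str, encrypt_mode: str) -> None:
    """Reject the combination the page rules out: mixed/must need relax or strict."""
    if auth_mode not in AUTH_MODES or encrypt_mode not in ENCRYPT_MODES:
        raise ValueError(f"unknown mode: auth={auth_mode!r} encrypt={encrypt_mode!r}")
    if encrypt_mode != "none" and auth_mode == "legacy":
        raise ValueError("encryption mode mixed/must requires relax or strict authentication")


def trunk_type(auth_mode: str, peer_authenticated: bool) -> str:
    """ISL trunk formed with a peer: 'regular', 'secure', 'restricted' or 'none'."""
    if auth_mode == "legacy":
        return "regular"  # legacy: no authentication is attempted at all
    if peer_authenticated:
        return "secure"  # relax and strict both form a secure trunk on success
    # on failure, relax falls back to a restricted trunk; strict forms no trunk
    return "restricted" if auth_mode == "relax" else "none"


def port_outcome(auth_mode: str, encrypt_mode: str,
                 peer_authenticated: bool, port: Port) -> Dict[str, object]:
    """Describe what happens to one port once its peer has been processed."""
    check_modes(auth_mode, encrypt_mode)
    trunk = trunk_type(auth_mode, peer_authenticated)
    trunk_member = trunk != "none"
    encrypted = False
    # MACsec applies only to members of the authenticated secure ISL trunk
    if trunk == "secure" and encrypt_mode != "none":
        if port.macsec_capable:
            encrypted = True  # mixed and must both encrypt a MACsec-capable port
        elif encrypt_mode == "must":
            trunk_member = False  # must: dropped from the trunk, stays a user port
        # mixed: a port without MACsec stays in the trunk as an unencrypted link
    return {
        "trunk": trunk,
        "trunk_member": trunk_member,
        "encrypted": encrypted,
        # a restricted trunk gets no user VLANs; a removed port is not on the trunk
        "user_vlans": trunk_member and trunk in ("regular", "secure"),
    }


if __name__ == "__main__":
    capable, legacy_hw = Port("port49", True), Port("port1", False)
    for auth in ("relax", "strict"):
        for enc in ("mixed", "must"):
            for ok in (True, False):
                for p in (capable, legacy_hw):
                    print(auth, enc, ok, p.name, port_outcome(auth, enc, ok, p))
```

Running the block prints the full matrix; the interesting rows are the ones where a non-MACsec port meets `must` (it leaves the trunk) and where authentication fails under `strict` (no trunk at all, so no user VLANs reach the new switch).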
Configuring the FortiLink secured fabric
To configure the FortiLink secured fabric:
- Configure the LLDP profile.
- Assign the LLDP profile to a FortiSwitch physical port.
To configure the LLDP profile:
config switch-controller lldp-profile
edit {LLDP_profile_name | default-auto-isl | default-auto-mclag-icl}
set auto-isl-auth {legacy | relax | strict}
set auto-isl-auth-user <string>
set auto-isl-auth-identity <string>
set auto-isl-auth-reauth <10-3600>
set auto-isl-auth-encrypt {none | mixed | must}
set auto-isl-auth-macsec-profile default-macsec-auto-isl
next
end
| Option | Description | Default |
|---|---|---|
| {LLDP_profile_name \| default-auto-isl \| default-auto-mclag-icl} | Select one of the two default LLDP profiles ( | No default |
| auto-isl-auth {legacy \| relax \| strict} | Select the authentication mode. | legacy |
| auto-isl-auth-user <string> | Select the user certificate, such as This option is available when | No default |
| auto-isl-auth-identity <string> | Enter the identity, such as This option is available when | No default |
| auto-isl-auth-reauth <10-3600> | Enter the reauthentication period in minutes. This option is available when | 3600 |
| auto-isl-auth-encrypt {none \| mixed \| must} | Select the encryption mode. This option is available when | none |
| auto-isl-auth-macsec-profile <string> | Use the This option is available when | default-macsec-auto-isl |
Configuration example
config switch-controller lldp-profile
edit customLLDPprofile
set auto-isl-auth relax
set auto-isl-auth-user Fortinet_Factory
set auto-isl-auth-identity fortilink
set auto-isl-auth-reauth 60
set auto-isl-auth-encrypt mixed
set auto-isl-auth-macsec-profile default-macsec-auto-isl
next
end
config switch physical-port
edit port49
set lldp-profile customLLDPprofile
set speed auto-module
set storm-control-mode disabled
next
end
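When this configuration is pushed to many switches, it helps to be able to check it mechanically. The following added example, which is not Fortinet code, parses the FortiOS CLI `config` / `edit` / `set` / `next` / `end` block format used above and audits each LLDP profile against the rules stated on this page: `legacy` authentication and `none` encryption are reported as weak, `mixed`/`must` encryption requires `relax` or `strict` authentication, and `auto-isl-auth-reauth` must lie in the 10-3600 range. The two sample configurations are constructed for the example: the first keeps the defaults, the second is the configuration example shown above.

```python
# Added example (not Fortinet's code): a parser for the FortiOS CLI block format
# used on this page plus an audit of the LLDP-profile options against the rules
# the page states. The sample configurations are constructed for the example.
from typing import Dict, List, Optional

FortiConfig = Dict[str, Dict[str, Dict[str, str]]]

# Constructed sample: a profile that leaves the defaults in place (legacy, none).
WEAK_PROFILE = """
config switch-controller lldp-profile
    edit weakLLDPprofile
        set auto-isl-auth legacy
    next
end
"""

# The configuration example from this page, used as the hardened reference.
HARDENED_PROFILE = """
config switch-controller lldp-profile
    edit customLLDPprofile
        set auto-isl-auth relax
        set auto-isl-auth-user Fortinet_Factory
        set auto-isl-auth-identity fortilink
        set auto-isl-auth-reauth 60
        set auto-isl-auth-encrypt mixed
        set auto-isl-auth-macsec-profile default-macsec-auto-isl
    next
end
config switch physical-port
    edit port49
        set lldp-profile customLLDPprofile
        set speed auto-module
        set storm-control-mode disabled
    next
end
"""


def parse_forti_cli(text: str) -> FortiConfig:
    """Parse config/edit/set/next/end blocks into {table: {entry: {option: value}}}."""
    cfg: FortiConfig = {}
    tables: List[str] = []  # stack of open "config ..." tables
    entry: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        keyword, _, rest = line.partition(" ")
        if keyword == "config":
            tables.append(rest)
            cfg.setdefault(rest, {})
        elif keyword == "edit":
            entry = rest
            cfg[tables[-1]].setdefault(entry, {})
        elif keyword == "set":
            if entry is None:
                raise ValueError(f"'set' outside an 'edit' block: {line!r}")
            option, _, value = rest.partition(" ")
            cfg[tables[-1]][entry][option] = value
        elif keyword == "next":
            entry = None
        elif keyword == "end":
            tables.pop()
        else:
            raise ValueError(f"unexpected CLI line: {line!r}")
    if tables:
        raise ValueError("unterminated config block(s): " + ", ".join(tables))
    return cfg


def audit_lldp_profiles(cfg: FortiConfig) -> Dict[str, List[str]]:
    """Return the findings for each LLDP profile (empty list = nothing to report)."""
    findings: Dict[str, List[str]] = {}
    for name, opts in cfg.get("switch-controller lldp-profile", {}).items():
        # defaults come from the option table on this page
        auth = opts.get("auto-isl-auth", "legacy")
        encrypt = opts.get("auto-isl-auth-encrypt", "none")
        reauth = int(opts.get("auto-isl-auth-reauth", "3600"))
        issues: List[str] = []
        if auth == "legacy":
            issues.append("auto-isl-auth is legacy: LLDP neighbors are not authenticated")
        if encrypt == "none":
            issues.append("auto-isl-auth-encrypt is none: MACsec is not enabled on ISL members")
        elif auth == "legacy":
            issues.append(f"auto-isl-auth-encrypt {encrypt} requires relax or strict authentication")
        if not 10 <= reauth <= 3600:
            issues.append(f"auto-isl-auth-reauth {reauth} is outside the 10-3600 minute range")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for sample in (WEAK_PROFILE, HARDENED_PROFILE):
        for profile, issues in audit_lldp_profiles(parse_forti_cli(sample)).items():
            print(profile, "->", issues or "ok")
```

The parser deliberately keeps the table name as the full `config` argument (for example `switch physical-port`), so the same structure can be used to confirm that the profile is actually assigned to the intended port.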
Viewing the FortiLink secured fabric
To get information from the FortiGate device about which FortiSwitch unit ports are authenticated, secured, or restricted:
execute switch-controller get-physical-conn {dot | standard} <FortiLink_interface>
To get the FortiLink authentication status for the port from the FortiSwitch unit:
diagnose switch fortilink-auth status <port_name>
To get the FortiLink authentication traffic statistics for the port from the FortiSwitch unit:
diagnose switch fortilink-auth statistics <port_name>
To delete the FortiLink authentication traffic statistics for the port from the FortiSwitch unit:
execute fortilink-auth clearstat physical-port <port_name>
To reauthenticate FortiLink secured fabric peers from the specified port from the FortiSwitch unit:
execute fortilink-auth reauth physical-port <port_name>
To reset the authentication for the FortiLink secured fabric from the FortiSwitch unit on the specified port:
execute fortilink-auth reset physical-port <port_name>
To display statistics and status of the FortiLink secured fabric for the port from the FortiSwitch unit:
get switch lldp auto-isl-status <port_name>
To display the status of the FortiLink secured fabric for the trunk from the FortiSwitch unit:
get switch trunk
Requirements and limitations
- FortiOS 7.4.1 or later and FortiSwitchOS 7.4.1 or later are required.
- FortiLink mode over a layer-2 network and FortiLink mode over a layer-3 network are supported.
- VXLAN is not supported.
- When a new FortiSwitch unit is added to the fabric, it must have a Fortinet factory SSL certificate before it is allowed to become an authenticated peer within the FortiLink secured fabric.
- When a new FortiSwitch unit is added to the FortiLink secured fabric with the strict authentication mode, the restricted ISL trunk is not formed. You must configure the FortiSwitch unit manually (under the config switch lldp-profile command).
- You need to manually import a custom certificate on the managed FortiSwitch units first; then you can specify the custom certificate on the FortiLink secured fabric with the set auto-isl-auth-user command under config switch-controller lldp-profile. After that, you can configure the custom certificate on the running Security Fabric.