Configuring layer-3 routing on FortiSwitch units

To use layer-3 routing on FortiSwitch units, the managed switches must be running FortiSwitchOS 7.2.0 or later.

You can configure the following layer-3 routing on FortiSwitch units:

Static routes for IPv4 traffic

You add static routes to manually control traffic exiting the FortiSwitch unit. You configure routes by specifying destination IP addresses and network masks and adding gateways for these destination addresses. Gateways are the next-hop routers to which traffic that matches the destination addresses in the route are forwarded.

Switch virtual interfaces

A switch virtual interface (SVI) is a logical interface that is associated with a VLAN and supports routing and switching protocols.

You can assign an IP address to the SVI to enable routing between VLANs. For example, SVIs can route between two different VLANs connected to a switch (no need to connect through a layer-3 router).
Routed VLAN interfaces

A routed VLAN interface (RVI) is a physical port or trunk interface that supports layer-3 routing protocols. When the physical port or trunk is administratively down, the RVI for that physical port or trunk goes down as well. All RVIs use the same VLAN, 4095.

RVIs support ECMP, multiple IP addresses, IPv4 addresses, IPv6 addresses, BFD, VRRP, DHCP server, DHCP relay, RIP, OSPF, ISIS, BGP, and PIM. VRF support of RVIs on managed switches requires FortiSwitchOS 7.2.1 or later.

You can use the virtual routing and forwarding (VRF) feature to create multiple routing tables within the same router.

After you create a VRF instance, you can assign the VRF instance to an SVI or RVI when you create the SVI or RVI or assign the VRF instance to an IPv4 static route when you create the static route.

You need to configure VRF before using the VRF instance in an SVI or RVI configuration.

Static routes for IPv4 traffic

If you use the same sequence number for a static route in FortiSwitch Manager and an existing route on a managed switch, the FortiSwitch Manager static route will overwrite the managed switch static route. Managed switches might have existing static routes that are necessary for the management connection or for networking, such as VXLAN. To avoid overwriting any existing static routes on managed switches, use higher numbers (such as 100 and higher) for the sequence numbers for FortiSwitch Manager static routes.

You cannot use the management port of a FortiSwitch unit in the set device command. FortiSwitch Manager cannot create static routes that use the management port of a FortiSwitch unit as the device. If static routes must include the management port, add the routes using custom commands or add the static route directly on the FortiSwitch unit.

config switch-controller managed-switch

edit <FortiSwitch-serial-number>

config router-static

edit <sequence_number>

set switch-id <FortiSwitch-serial-number>

set blackhole {enable | disable}

set comment <string>

set device <interface_name>

set distance <1-255>

set dst <destination-address_IPv4mask>

set dynamic-gateway {enable | disable}

set gateway <gateway-address_IPv4>

set status {enable | disable}

set vrf <VRF_name>

end

Variable	Description	Default
<sequence_number>	Enter a sequence number for the static route. NOTE: To avoid overwriting any existing static routes on managed switches, use higher numbers (such as 100 and higher) for the sequence numbers for FortiSwitch Manager static routes.	No default
switch-id <FortiSwitch-serial-number>	Enter the serial number for the managed FortiSwitch unit.	No default
blackhole {enable \| disable}	Enable or disable dropping all packets that match this route.	disable
comment <string>	Optionally enter a descriptive comment.	No default
device <interface_name>	Enter the name of the interface through which to route traffic. Enter ‘?’ to see a list of interfaces. NOTE: You cannot use the management port of a FortiSwitch unit in the `set device` command	No default
distance <1-255>	Enter the administrative distance for the route.	10
dst <destination-address_IPv4mask>	Enter the destination IPv4 address and network mask for this route. You can enter `0.0.0.0/0` to create a new static default route.	0.0.0.0 0.0.0.0
dynamic-gateway {enable \| disable}	When enabled, the route gateway IP is obtained using DHCP running on the provided routeʼs device interface.	disable
gateway <gateway-address_IPv4>	Enter the IPv4 address of the next-hop router to which traffic is forwarded.	0.0.0.0
status {enable \| disable}	Enable this setting for the route to be added to the routing table.	enable
vrf <VRF_name>	Enter the name of the VRF instance.	No default

For example:

config switch-controller managed-switch

edit S548DF5018000776

config router-static

edit 1

set switch-id "S108DVM4HDA47J08"

set comment "staticroute1.1.1.1"

set device "vlan101"

set distance 101

set dst 5.5.5.0 255.255.255.0

set gateway 101.1.1.2

set vrf "vpn1"

end

Switch virtual interfaces

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config system-interface

edit <SVI_name>

set switch-id <FortiSwitch_serial_number>

set allowaccess {https | http | ping | radius-acct | snmp | ssh | telnet}

set distance

set interface <interface_name>

set ip <IP_address_and_mask>

set mode {static | dhcp}

set status {up | down}

set type vlan

set vlan <id_number>

set vrf <VRF_name>

end

Variable	Description	Default
<SVI_name>	Enter the name for the new SVI. NOTE: Avoid reserved names or system-created names, such as those listed in Reserved names.	No default
switch-id <FortiSwitch-serial-number>	Enter the serial number for the managed FortiSwitch unit.	No default
allowaccess {https \| http \| ping \| radius-acct \| snmp \| ssh \| telnet}	Enter the types of management access permitted on this interface or secondary IP address. Separate each type with a space. To add or remove an option from the list, retype the complete list as required.	No default
distance <1-255>	Enter the distance for routes learned through PPPoE or DHCP, with the lowest number indicating the preferred route. This option is available when `mode` is set to `dhcp`.	5
interface <interface_name>	Enter the name of the interface. This option is only available when `vlanid` is set.	internal
ip <IP_address_and_mask>	Enter the interface IP address and netmask. This option is available when `mode` is set to `static`. You can set the IP and netmask, but they are not displayed. This is only available in NAT/Route mode. The IP address cannot be on the same subnet as any other interface.	0.0.0.0 0.0.0.0
mode {static \| dhcp}	Configure the connection mode for the interface as one of: `static` — configure a static IP address for the interface. `dhcp` — configure the interface to receive its IP address from an external DHCP server.	static
status {up \| down}	Start or stop the interface. If the interface is stopped, it does not accept or send packets. If you stop a physical interface, associated virtual interfaces such as VLAN interfaces will also stop.	up
type vlan	Enter `vlan` for a virtual LAN interface. This is the type of interface created by default on any existing physical interface. VLANs increase the number of network interfaces beyond the physical connections on the system. VLANs cannot be configured on a switch mode interface in Transparent mode.	vlan
vlan <id_number>	NOTE: This VLAN must have been created in FortiSwitch Manager using the `config system interface` command. Enter a VLAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface. The VLAN ID can be any number between 1 and 4094, as 0 and 4095 are reserved, but it must match the VLAN ID added by the IEEE 802.1Q-compliant router on the other end of the connection. Two VLAN subinterfaces added to the same physical interface cannot have the same VLAN ID. However, you can add two or more VLAN subinterfaces with the same VLAN ID to different physical interfaces, and you can add more multiple VLANs with different VLAN IDs to the same physical interface. This is available only when editing an interface with a type of `vlan`.	No default
vrf <VRF_name>	Enter the name of the VRF instance.	No default

For example:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config system-interface

edit "svi1"

set switch-id "S108DVM4HDA47J08"

set ip 101.1.1.2 255.255.255.0

set distance 100

set allowaccess ping https http ssh snmp telnet radius-acct

set type vlan

set vlan "vlan101"

set vrf "vpn2"

end

Reserved names

Using FortiSwitch reserved names or system-created names for RVI, SVI, or VRF names can cause synchronization errors. Avoid using the following names:

flink.sniffer
flink
rpsan
internal
mgmt
mgmtn, such as mgmt1, mgmt2, mgmt3, …, mgmt10, mgmt11, mgmt12, …
spn, such as sp1, sp2, sp3, …, sp10, sp11, sp12, …
ppp
pn, such as p1, p2, p3, …, p10, p11, p12,…
__port__n, such as __port__1, __port__2, __port__3, …, __port__10, __port__11, __port__12, …

Routed VLAN interfaces

Avoid using a reserved name or system-created name for the RVI name. See Reserved names.

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config system-interface

edit <RVI_name>

set switch-id <FortiSwitch_serial_number>

set allowaccess {https | http | ping | radius-acct | snmp | ssh | telnet}

set ip <IP_address_and_netmask>

set type physical

set interface <existing_interface_name>

set vrf <VRF_name>

end

For example:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config system-interface

edit "RVI31"

set switch-id "S548DF4K17000019"

set ip 50.31.1.2 255.255.255.0

set allowaccess ping https http ssh snmp telnet radius-acct

set type physical

set interface "port21"

set vrf "vpn31"

end

Virtual routing and forwarding

You need to configure VRF before using the VRF instance in an SVI or RVI configuration.

Use the following steps to configure VRF:

Create a VRF instance.
Assign the VRF instance to an SVI or RVI or assign the VRF to an IPv4 static route.

NOTE:

The VRF name cannot be the same as a reserved name or system-created name, such as those listed in Reserved names.

The VRF name cannot match any SVI name.
The VRF identifier is a number in the range of 1-1023, except for 252, 253, 254, and 255. You cannot assign the same VRF identifier to more than one VRF instance. After the VRF instance is created, the VRF identifier cannot be changed.
After the SVI or RVI is created, the VRF instance cannot be changed or unset. You can assign the same VRF instance to more than one SVI or RVI. The VRF instance cannot be assigned to an internal SVI.
After the static route is created, the VRF instance cannot be changed or unset. You can assign the same VRF instance to more than one static route.

To create the VRF instance:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config router-vrf

edit <VRF_name>

set vrfid <VRF_identifier>

end

For example:

config switch-controller managed-switch

set switch-id "S548DF4K17000019"

config router-vrf

edit vrfv4

set vrfid 1

edit vrfv6

set vrfid 2

end

Configuring layer-3 routing on FortiSwitch units

To use layer-3 routing on FortiSwitch units, the managed switches must be running FortiSwitchOS 7.2.0 or later.

You can configure the following layer-3 routing on FortiSwitch units:

Static routes for IPv4 traffic

You add static routes to manually control traffic exiting the FortiSwitch unit. You configure routes by specifying destination IP addresses and network masks and adding gateways for these destination addresses. Gateways are the next-hop routers to which traffic that matches the destination addresses in the route are forwarded.

Switch virtual interfaces

A switch virtual interface (SVI) is a logical interface that is associated with a VLAN and supports routing and switching protocols.

You can assign an IP address to the SVI to enable routing between VLANs. For example, SVIs can route between two different VLANs connected to a switch (no need to connect through a layer-3 router).
Routed VLAN interfaces

A routed VLAN interface (RVI) is a physical port or trunk interface that supports layer-3 routing protocols. When the physical port or trunk is administratively down, the RVI for that physical port or trunk goes down as well. All RVIs use the same VLAN, 4095.

RVIs support ECMP, multiple IP addresses, IPv4 addresses, IPv6 addresses, BFD, VRRP, DHCP server, DHCP relay, RIP, OSPF, ISIS, BGP, and PIM. VRF support of RVIs on managed switches requires FortiSwitchOS 7.2.1 or later.

Virtual routing and forwarding

You can use the virtual routing and forwarding (VRF) feature to create multiple routing tables within the same router.

After you create a VRF instance, you can assign the VRF instance to an SVI or RVI when you create the SVI or RVI or assign the VRF instance to an IPv4 static route when you create the static route.

You need to configure VRF before using the VRF instance in an SVI or RVI configuration.

Static routes for IPv4 traffic

config switch-controller managed-switch

edit <FortiSwitch-serial-number>

config router-static

edit <sequence_number>

set switch-id <FortiSwitch-serial-number>

set blackhole {enable | disable}

set comment <string>

set device <interface_name>

set distance <1-255>

set dst <destination-address_IPv4mask>

set dynamic-gateway {enable | disable}

set gateway <gateway-address_IPv4>

set status {enable | disable}

set vrf <VRF_name>

end

Variable	Description	Default
<sequence_number>	Enter a sequence number for the static route. NOTE: To avoid overwriting any existing static routes on managed switches, use higher numbers (such as 100 and higher) for the sequence numbers for FortiSwitch Manager static routes.	No default
switch-id <FortiSwitch-serial-number>	Enter the serial number for the managed FortiSwitch unit.	No default
blackhole {enable \| disable}	Enable or disable dropping all packets that match this route.	disable
comment <string>	Optionally enter a descriptive comment.	No default
device <interface_name>	Enter the name of the interface through which to route traffic. Enter ‘?’ to see a list of interfaces. NOTE: You cannot use the management port of a FortiSwitch unit in the `set device` command	No default
distance <1-255>	Enter the administrative distance for the route.	10
dst <destination-address_IPv4mask>	Enter the destination IPv4 address and network mask for this route. You can enter `0.0.0.0/0` to create a new static default route.	0.0.0.0 0.0.0.0
dynamic-gateway {enable \| disable}	When enabled, the route gateway IP is obtained using DHCP running on the provided routeʼs device interface.	disable
gateway <gateway-address_IPv4>	Enter the IPv4 address of the next-hop router to which traffic is forwarded.	0.0.0.0
status {enable \| disable}	Enable this setting for the route to be added to the routing table.	enable
vrf <VRF_name>	Enter the name of the VRF instance.	No default

For example:

config switch-controller managed-switch

edit S548DF5018000776

config router-static

edit 1

set switch-id "S108DVM4HDA47J08"

set comment "staticroute1.1.1.1"

set device "vlan101"

set distance 101

set dst 5.5.5.0 255.255.255.0

set gateway 101.1.1.2

set vrf "vpn1"

end

Switch virtual interfaces

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config system-interface

edit <SVI_name>

set switch-id <FortiSwitch_serial_number>

set allowaccess {https | http | ping | radius-acct | snmp | ssh | telnet}

set distance

set interface <interface_name>

set ip <IP_address_and_mask>

set mode {static | dhcp}

set status {up | down}

set type vlan

set vlan <id_number>

set vrf <VRF_name>

end

Variable	Description	Default
<SVI_name>	Enter the name for the new SVI. NOTE: Avoid reserved names or system-created names, such as those listed in Reserved names.	No default
switch-id <FortiSwitch-serial-number>	Enter the serial number for the managed FortiSwitch unit.	No default
allowaccess {https \| http \| ping \| radius-acct \| snmp \| ssh \| telnet}	Enter the types of management access permitted on this interface or secondary IP address. Separate each type with a space. To add or remove an option from the list, retype the complete list as required.	No default
distance <1-255>	Enter the distance for routes learned through PPPoE or DHCP, with the lowest number indicating the preferred route. This option is available when `mode` is set to `dhcp`.	5
interface <interface_name>	Enter the name of the interface. This option is only available when `vlanid` is set.	internal
ip <IP_address_and_mask>	Enter the interface IP address and netmask. This option is available when `mode` is set to `static`. You can set the IP and netmask, but they are not displayed. This is only available in NAT/Route mode. The IP address cannot be on the same subnet as any other interface.	0.0.0.0 0.0.0.0
mode {static \| dhcp}	Configure the connection mode for the interface as one of: `static` — configure a static IP address for the interface. `dhcp` — configure the interface to receive its IP address from an external DHCP server.	static
status {up \| down}	Start or stop the interface. If the interface is stopped, it does not accept or send packets. If you stop a physical interface, associated virtual interfaces such as VLAN interfaces will also stop.	up
type vlan	Enter `vlan` for a virtual LAN interface. This is the type of interface created by default on any existing physical interface. VLANs increase the number of network interfaces beyond the physical connections on the system. VLANs cannot be configured on a switch mode interface in Transparent mode.	vlan
vlan <id_number>	NOTE: This VLAN must have been created in FortiSwitch Manager using the `config system interface` command. Enter a VLAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface. The VLAN ID can be any number between 1 and 4094, as 0 and 4095 are reserved, but it must match the VLAN ID added by the IEEE 802.1Q-compliant router on the other end of the connection. Two VLAN subinterfaces added to the same physical interface cannot have the same VLAN ID. However, you can add two or more VLAN subinterfaces with the same VLAN ID to different physical interfaces, and you can add more multiple VLANs with different VLAN IDs to the same physical interface. This is available only when editing an interface with a type of `vlan`.	No default
vrf <VRF_name>	Enter the name of the VRF instance.	No default

For example:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config system-interface

edit "svi1"

set switch-id "S108DVM4HDA47J08"

set ip 101.1.1.2 255.255.255.0

set distance 100

set allowaccess ping https http ssh snmp telnet radius-acct

set type vlan

set vlan "vlan101"

set vrf "vpn2"

end

Reserved names

Using FortiSwitch reserved names or system-created names for RVI, SVI, or VRF names can cause synchronization errors. Avoid using the following names:

flink.sniffer
flink
rpsan
internal
mgmt
mgmtn, such as mgmt1, mgmt2, mgmt3, …, mgmt10, mgmt11, mgmt12, …
spn, such as sp1, sp2, sp3, …, sp10, sp11, sp12, …
ppp
pn, such as p1, p2, p3, …, p10, p11, p12,…
__port__n, such as __port__1, __port__2, __port__3, …, __port__10, __port__11, __port__12, …

Routed VLAN interfaces

Avoid using a reserved name or system-created name for the RVI name. See Reserved names.

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config system-interface

edit <RVI_name>

set switch-id <FortiSwitch_serial_number>

set allowaccess {https | http | ping | radius-acct | snmp | ssh | telnet}

set ip <IP_address_and_netmask>

set type physical

set interface <existing_interface_name>

set vrf <VRF_name>

end

For example:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config system-interface

edit "RVI31"

set switch-id "S548DF4K17000019"

set ip 50.31.1.2 255.255.255.0

set allowaccess ping https http ssh snmp telnet radius-acct

set type physical

set interface "port21"

set vrf "vpn31"

end

Virtual routing and forwarding

You need to configure VRF before using the VRF instance in an SVI or RVI configuration.

Use the following steps to configure VRF:

Create a VRF instance.
Assign the VRF instance to an SVI or RVI or assign the VRF to an IPv4 static route.

NOTE:

The VRF name cannot be the same as a reserved name or system-created name, such as those listed in Reserved names.

The VRF name cannot match any SVI name.
The VRF identifier is a number in the range of 1-1023, except for 252, 253, 254, and 255. You cannot assign the same VRF identifier to more than one VRF instance. After the VRF instance is created, the VRF identifier cannot be changed.
After the SVI or RVI is created, the VRF instance cannot be changed or unset. You can assign the same VRF instance to more than one SVI or RVI. The VRF instance cannot be assigned to an internal SVI.
After the static route is created, the VRF instance cannot be changed or unset. You can assign the same VRF instance to more than one static route.

To create the VRF instance:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config router-vrf

edit <VRF_name>

set vrfid <VRF_identifier>

end

For example:

config switch-controller managed-switch

set switch-id "S548DF4K17000019"

config router-vrf

edit vrfv4

set vrfid 1

edit vrfv6

set vrfid 2

end

Administration Guide

Configuring layer-3 routing on FortiSwitch units

Configuring layer-3 routing on FortiSwitch units

Static routes for IPv4 traffic

Switch virtual interfaces

Reserved names

Routed VLAN interfaces

Virtual routing and forwarding

NOTE:

To create the VRF instance:

Configuring layer-3 routing on FortiSwitch units

Static routes for IPv4 traffic

Switch virtual interfaces

Reserved names

Routed VLAN interfaces

Virtual routing and forwarding

NOTE:

To create the VRF instance: