Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Devices Managed by FortiOS

FortiLink mode over a layer-3 network

This feature allows FortiSwitch islands to operate in FortiLink mode over a layer-3 network, even though they are not directly connected to the switch-controller FortiGate unit. FortiSwitch islands contain one or more FortiSwitch units.

There are two main deployment scenarios for using FortiLink mode over a layer-3 network:

  • In-band management, which uses the FortiSwitch unitʼs internal interface to connect to the layer-3 network
  • Out-of-band management, which uses the FortiSwitch unitʼs mgmt interface to connect to the layer-3 network

Starting in FortOS 6.4.3, you can now configure a FortiLink-over-layer-3 network to use the FortiLink interface as the source IP address for the communication between the FortiGate unit and the FortiSwitch unit. You can still use the outbound interface as the source IP address if you prefer.

To use the FortiLink interface as the source IP address:

config system interface

edit <FortiLink_interface>

set switch-controller-source-ip fixed

end

In-band management

To configure a FortiSwitch unit to operate in a layer-3 network:

NOTE: You must enter these commands in the indicated order for this feature to work.

  1. Reset the FortiSwitch to factory default settings with the execute factoryreset command.
  2. Manually set the FortiSwitch unit to FortiLink mode:

    config system global

    set switch-mgmt-mode fortilink

    end


  3. Configure the discovery setting for the FortiSwitch unit. You can either use DHCP discovery or static discovery to find the IP address of the FortiGate unit (switch controller) that manages this switch. The default dhcp-option-code is 138.
    To use DHCP discovery:

    config switch-controller global

    set ac-discovery-type dhcp

    set dhcp-option-code <integer>

    end

    To use static discovery:

    config switch-controller global

    set ac-discovery-type static

    config ac-list

    edit <id>

    set ipv4-address <IPv4_address>

    next

    end

    end


  4. Configure only one physical port or LAG interface of the FortiSwitch unit as an uplink port. When the FortiSwitch unit is in FortiLink mode, VLAN 4094 is configured on an internal port, which can provide a path to the layer-3 network with the following commands:

    config switch interface

    edit <port_number>

    set fortilink-l3-mode enable

    end

    end


    The fortilink-l3-mode command is only visible after you configure DHCP or static discovery.

NOTE:

  • Make certain that each FortiSwitch unit can successfully ping the FortiGate unit.
  • The NTP server must be configured on the FortiSwitch unit either manually or provided by DHCP. The NTP server must be reachable from the FortiSwitch unit.
  • If more than one port (switch interface) has fortilink-l3-mode enabled, the FortiSwitch unit automatically forms a link aggregation group (LAG) trunk that contains all fortilink-l3-mode-enabled ports as a single logical interface.
  • If you have more than one port with fortilink-l3-mode enabled, all ports are automatically added to the __FoRtILnk0L3__ trunk. Make certain that the layer-3 network is also configured as a LAG with a matching LACP mode.
  • In addition to the two layer-3 discovery modes (DHCP and static), there is the default layer-2 discovery broadcast mode. The layer-3 discovery multicast mode is unsupported.

Connecting additional FortiSwitch units to the first FortiSwitch unit

In this scenario, the default FortiLink-enabled port of FortiSwitch 2 is connected to FortiSwitch 1, and the two switches then form an auto-ISL. You only need to configure the discovery settings (see Step 3) for additional switches (FortiSwitch 2 in the following diagram). You do not need to enable fortilink-l3-mode on the uplink port. Check that each FortiSwitch unit can reach the FortiGate unit.

Out-of-band management

If you use the mgmt port to connect to the layer-3 network, you do not need to enable fortilink-l3-mode on any physical port because the mgmt port is directly connected to the layer-3 network.

 

Note

You can use the internal interface for one FortiSwitch island to connect to the layer-3 network and the mgmt interface for another FortiSwitch island to connect to the same layer-3 network. Do not mix the internal interface connection and mgmt interface connection within a single FortiSwitch island.

Other topologies

If you have a layer-2 loop topology, make certain that the alternative path can reach the FortiGate unit and that STP is enabled on the FortiLink layer-3 trunk.

If you have two FortiSwitch units separately connected to two different intermediary routers or switches, the uplink interfaces for both FortiSwitch units must have fortilink-l3-mode enabled. If the FortiSwitch units are also connected to each other, an auto-ISL forms automatically, and STP must be enabled to avoid loops.

A single logical interface (which can be a LAG) is supported when they use the internal interface as the FortiLink management interface.

You can use a LAG connected to a single intermediary router or switch. A topology with multiple ports connected to different intermediary routers or switches is not supported.

Limitations

The following limitations apply to FortiSwitch islands operating in FortiLink mode over a layer-3 network:

  • No layer-2 data path component, such as VLANs, can span across layer 3 between the FortiGate unit and the FortiSwitch unit.
  • All FortiSwitch units within an FortiSwitch island must be connected to the same FortiGate unit.
  • The FortiSwitch unit needs a functioning layer-3 routing configuration to reach the FortiGate unit or any feature-configured destination, such as syslog or 802.1x.
  • Do not connect a layer-2 FortiGate unit and a layer-3 FortiGate unit to the same FortiSwitch unit.
  • If the FortiSwitch management port is used for a layer-3 connection to the FortiGate unit, the FortiSwitch island can contain only one FortiSwitch unit. All switch ports must remain in standalone mode. If you need more than one physical link, you can group the links as a link aggregation group (LAG).
  • Do not connect a FortiSwitch unit to a layer-3 network and a layer-2 network on the same segment.
  • If the network has a wide geographic distribution, some features, such as software downloads, might operate slowly.
  • After a topology change, make certain that every FortiSwitch unit can reach the FortiGate unit.
  • Splitting ports is not supported when a FortiSwitch unit is managed through layer 3.

  • NAT is not supported between the FortiSwitch unit and FortiGate unit.

FortiLink mode over a layer-3 network

This feature allows FortiSwitch islands to operate in FortiLink mode over a layer-3 network, even though they are not directly connected to the switch-controller FortiGate unit. FortiSwitch islands contain one or more FortiSwitch units.

There are two main deployment scenarios for using FortiLink mode over a layer-3 network:

  • In-band management, which uses the FortiSwitch unitʼs internal interface to connect to the layer-3 network
  • Out-of-band management, which uses the FortiSwitch unitʼs mgmt interface to connect to the layer-3 network

Starting in FortOS 6.4.3, you can now configure a FortiLink-over-layer-3 network to use the FortiLink interface as the source IP address for the communication between the FortiGate unit and the FortiSwitch unit. You can still use the outbound interface as the source IP address if you prefer.

To use the FortiLink interface as the source IP address:

config system interface

edit <FortiLink_interface>

set switch-controller-source-ip fixed

end

In-band management

To configure a FortiSwitch unit to operate in a layer-3 network:

NOTE: You must enter these commands in the indicated order for this feature to work.

  1. Reset the FortiSwitch to factory default settings with the execute factoryreset command.
  2. Manually set the FortiSwitch unit to FortiLink mode:

    config system global

    set switch-mgmt-mode fortilink

    end


  3. Configure the discovery setting for the FortiSwitch unit. You can either use DHCP discovery or static discovery to find the IP address of the FortiGate unit (switch controller) that manages this switch. The default dhcp-option-code is 138.
    To use DHCP discovery:

    config switch-controller global

    set ac-discovery-type dhcp

    set dhcp-option-code <integer>

    end

    To use static discovery:

    config switch-controller global

    set ac-discovery-type static

    config ac-list

    edit <id>

    set ipv4-address <IPv4_address>

    next

    end

    end


  4. Configure only one physical port or LAG interface of the FortiSwitch unit as an uplink port. When the FortiSwitch unit is in FortiLink mode, VLAN 4094 is configured on an internal port, which can provide a path to the layer-3 network with the following commands:

    config switch interface

    edit <port_number>

    set fortilink-l3-mode enable

    end

    end


    The fortilink-l3-mode command is only visible after you configure DHCP or static discovery.

NOTE:

  • Make certain that each FortiSwitch unit can successfully ping the FortiGate unit.
  • The NTP server must be configured on the FortiSwitch unit either manually or provided by DHCP. The NTP server must be reachable from the FortiSwitch unit.
  • If more than one port (switch interface) has fortilink-l3-mode enabled, the FortiSwitch unit automatically forms a link aggregation group (LAG) trunk that contains all fortilink-l3-mode-enabled ports as a single logical interface.
  • If you have more than one port with fortilink-l3-mode enabled, all ports are automatically added to the __FoRtILnk0L3__ trunk. Make certain that the layer-3 network is also configured as a LAG with a matching LACP mode.
  • In addition to the two layer-3 discovery modes (DHCP and static), there is the default layer-2 discovery broadcast mode. The layer-3 discovery multicast mode is unsupported.

Connecting additional FortiSwitch units to the first FortiSwitch unit

In this scenario, the default FortiLink-enabled port of FortiSwitch 2 is connected to FortiSwitch 1, and the two switches then form an auto-ISL. You only need to configure the discovery settings (see Step 3) for additional switches (FortiSwitch 2 in the following diagram). You do not need to enable fortilink-l3-mode on the uplink port. Check that each FortiSwitch unit can reach the FortiGate unit.

Out-of-band management

If you use the mgmt port to connect to the layer-3 network, you do not need to enable fortilink-l3-mode on any physical port because the mgmt port is directly connected to the layer-3 network.

 

Note

You can use the internal interface for one FortiSwitch island to connect to the layer-3 network and the mgmt interface for another FortiSwitch island to connect to the same layer-3 network. Do not mix the internal interface connection and mgmt interface connection within a single FortiSwitch island.

Other topologies

If you have a layer-2 loop topology, make certain that the alternative path can reach the FortiGate unit and that STP is enabled on the FortiLink layer-3 trunk.

If you have two FortiSwitch units separately connected to two different intermediary routers or switches, the uplink interfaces for both FortiSwitch units must have fortilink-l3-mode enabled. If the FortiSwitch units are also connected to each other, an auto-ISL forms automatically, and STP must be enabled to avoid loops.

A single logical interface (which can be a LAG) is supported when they use the internal interface as the FortiLink management interface.

You can use a LAG connected to a single intermediary router or switch. A topology with multiple ports connected to different intermediary routers or switches is not supported.

Limitations

The following limitations apply to FortiSwitch islands operating in FortiLink mode over a layer-3 network:

  • No layer-2 data path component, such as VLANs, can span across layer 3 between the FortiGate unit and the FortiSwitch unit.
  • All FortiSwitch units within an FortiSwitch island must be connected to the same FortiGate unit.
  • The FortiSwitch unit needs a functioning layer-3 routing configuration to reach the FortiGate unit or any feature-configured destination, such as syslog or 802.1x.
  • Do not connect a layer-2 FortiGate unit and a layer-3 FortiGate unit to the same FortiSwitch unit.
  • If the FortiSwitch management port is used for a layer-3 connection to the FortiGate unit, the FortiSwitch island can contain only one FortiSwitch unit. All switch ports must remain in standalone mode. If you need more than one physical link, you can group the links as a link aggregation group (LAG).
  • Do not connect a FortiSwitch unit to a layer-3 network and a layer-2 network on the same segment.
  • If the network has a wide geographic distribution, some features, such as software downloads, might operate slowly.
  • After a topology change, make certain that every FortiSwitch unit can reach the FortiGate unit.
  • Splitting ports is not supported when a FortiSwitch unit is managed through layer 3.

  • NAT is not supported between the FortiSwitch unit and FortiGate unit.