FortiLink Guide

Managing FortiSwitch units on VXLAN interfaces

You can use Virtual Extensible LAN (VXLAN) interfaces to create a layer-2 overlay network when managing a FortiSwitch unit over a layer-3 network. After a VXLAN tunnel is set up between a FortiGate device and a FortiSwitch unit, the FortiGate device can use the VXLAN interface to manage the FortiSwitch unit. Only the management traffic uses the VXLAN tunnel; the FortiSwitch data traffic does not go through the VXLAN tunnel to the FortiGate device.

In the following configuration example, the FG-500E device is connected with a VXLAN tunnel to the FS-524D unit. After FortiLink is enabled on the VXLAN interface, the FortiGate device can manage the FortiSwitch unit.

To manage the FortiSwitch unit with the VXLAN interface:
  1. Configure the FortiSwitch unit.

  2. Configure the FortiGate device.

Configure the FortiSwitch unit

  1. Configure a VLAN to use as the VXLAN interface.

    config system interface
        edit "vlan-1000"
            set ip 10.200.1.2 255.255.255.0
            set vlanid 1000
            set interface "internal"
        next
    end

  2. Configure the VXLAN interface with the remote IP address of the FortiGate device.

    config system vxlan
        edit "vx-4094"
            set vni 123456
            set vlanid 4094
            set interface "vlan-1000"
            set remote-ip "10.100.1.1"
        next
    end

  3. Configure a static route with the VXLAN remote IP address as the destination.

    config router static
        edit 1
            set device "vlan-1000"
            set dst 10.100.1.1 255.255.255.255
            set gateway 10.200.1.50
        next
    end

  4. Set up the switch port that physically connects to the router and enable FortiLink mode over a layer-3 network.

    config switch interface
        edit port19
            set fortilink-l3-mode enable
        next
    end

  5. Configure the switch trunk to make it static and disable the automatic VLAN provisioning.

    config switch trunk
        edit "__FoRtILnk0L3__"
            set auto-isl 1
            set static-isl enable
            set static-isl-auto-vlan disable
            set members "port19"
        next
    end

  6. Configure the FortiLink interface to set the native VLAN to match the VLAN used for the VXLAN defined in step 1.

    config switch interface
        edit "__FoRtILnk0L3__"
            set native-vlan 1000
            set allowed-vlans 1,1000,4088-4094
            set dhcp-snooping trusted
            ....
        next
    end

  7. If you are not using DHCP option 138 to inform the FortiSwitch unit of the FortiGate IP address, enable static discovery.

    config switch-controller global
        set ac-discovery-type static
        config ac-list
            edit 1
                set ipv4-address 10.255.2.1
            next
        end
    end

  8. Assign VLAN ID 4094 to the "internal" interface, which will be used to establish the FortiLink connection with the FortiGate device over VXLAN.

    config switch interface
        edit "internal"
            set native-vlan 4094
        next
    end

Configure the FortiGate device

  1. Configure the system interface.

    config system interface
        edit "port2"
            set vdom "root"
            set ip 10.100.1.1 255.255.255.0
            set allowaccess ping https http
            set type physical
            set snmp-index 4
        next
    end

  2. Configure the VXLAN interface.

    config system vxlan
        edit "flk-vxlan"
            set interface "port2"
            set vni 123456
            set remote-ip "10.200.1.2"
        next
    end

  3. Configure the FortiLink interface as the VXLAN type and set the IP address.

    config system interface
        edit "flk-vxlan"
            set vdom "root"
            set fortilink enable
            set ip 10.255.2.1 255.255.255.0
            set allowaccess ping fabric
            set type vxlan
            set lldp-reception enable
            set lldp-transmission enable
            set snmp-index 26
            set interface "port2"
        next
    end

  4. Configure a static route.

    config router static
        edit 2
            set dst 10.200.1.0 255.255.255.0
            set gateway 10.100.1.50
            set distance 5
            set device "port2"
        next
    end

  5. Configure the DHCP server with option 138 to provide the switch-controller IP address to the FortiSwitch unit. DNS and NTP services are provided by the FortiGate device.

    config system dhcp server
        edit 6
            set dns-service local
            set ntp-service local
            set default-gateway 10.255.2.1
            set netmask 255.255.255.0
            set interface "flk-vxlan"
            config ip-range
                edit 1
                    set start-ip 10.255.2.2
                    set end-ip 10.255.2.254
                next
            end
            config options
                edit 1
                    set code 138
                    set type ip
                    set ip "10.255.2.1"
                next
            end
            set vci-match enable
            set vci-string "FortiSwitch"
        next
    end
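The two procedures above configure one tunnel from its two ends, and the usual failure is a value that does not agree between the sides: the VNI, each side's remote-ip versus the other side's VXLAN source interface, and the controller address the switch learns (option 138 or the static ac-list) versus the FortiGate interface that has fortilink enabled. The following Python script is an added example and is not code from the FortiLink Guide or from Fortinet. It contains a small hypothetical parser for the config/edit/set/next/end CLI syntax (not a Fortinet API) and cross-checks a FortiSwitch and a FortiGate configuration. The embedded configurations are constructed from the values in this example, reduced to the lines the checks use.

```python
# Added example: cross-check the FortiSwitch and FortiGate sides of a
# VXLAN/FortiLink pairing. Not code from the FortiLink Guide or from Fortinet.
import shlex

# Constructed inputs: the guide's example values, reduced to the lines the
# checks below need (vlanid, allowaccess, routes, DHCP and so on omitted).
FORTISWITCH_CONFIG = """
config system interface
    edit "vlan-1000"
        set ip 10.200.1.2 255.255.255.0
    next
end
config system vxlan
    edit "vx-4094"
        set vni 123456
        set interface "vlan-1000"
        set remote-ip "10.100.1.1"
    next
end
config switch-controller global
    set ac-discovery-type static
    config ac-list
        edit 1
            set ipv4-address 10.255.2.1
        next
    end
end
"""
FORTIGATE_CONFIG = """
config system interface
    edit "port2"
        set ip 10.100.1.1 255.255.255.0
    next
    edit "flk-vxlan"
        set fortilink enable
        set ip 10.255.2.1 255.255.255.0
    next
end
config system vxlan
    edit "flk-vxlan"
        set interface "port2"
        set vni 123456
        set remote-ip "10.200.1.2"
    next
end
"""


def parse_forti(text):
    """Hypothetical parser for config/edit/set/next/end blocks -> nested dicts."""
    root = {}
    stack = [root]
    for line in text.splitlines():
        tokens = shlex.split(line)
        if not tokens:
            continue
        if tokens[0] in ("config", "edit"):   # open a nested block
            stack.append(stack[-1].setdefault(" ".join(tokens[1:]), {}))
        elif tokens[0] == "set":              # attribute -> list of values
            stack[-1][tokens[1]] = tokens[2:]
        elif tokens[0] in ("next", "end"):    # close the current block
            stack.pop()
    return root


def iface_ip(cfg, name):
    """Address (without mask) of a 'system interface' entry, or None."""
    entry = cfg.get("system interface", {}).get(name, {})
    return entry["ip"][0] if "ip" in entry else None


def check_pairing(switch, gate):
    """Return findings; an empty list means the two sides agree."""
    sw_vx = next(iter(switch["system vxlan"].values()))
    fg_vx = next(iter(gate["system vxlan"].values()))
    findings = []
    # The VNI identifies the overlay and must be identical on both VTEPs.
    if sw_vx["vni"] != fg_vx["vni"]:
        findings.append(f"VNI mismatch: {sw_vx['vni'][0]} vs {fg_vx['vni'][0]}")
    # Each remote-ip must be the address of the other side's VXLAN source interface.
    sides = (("FortiSwitch", sw_vx, iface_ip(gate, fg_vx["interface"][0])),
             ("FortiGate", fg_vx, iface_ip(switch, sw_vx["interface"][0])))
    for name, vx, peer in sides:
        if vx["remote-ip"][0] != peer:
            findings.append(f"{name} remote-ip {vx['remote-ip'][0]} is not the peer VTEP {peer}")
    # The controller address in the switch's static ac-list must be the
    # address of the FortiGate interface that has fortilink enabled.
    flk_ip = next((e["ip"][0] for e in gate["system interface"].values()
                   if e.get("fortilink") == ["enable"]), None)
    ac_list = switch.get("switch-controller global", {}).get("ac-list", {})
    for ac in ac_list.values():
        if ac["ipv4-address"][0] != flk_ip:
            findings.append(f"ac-list address {ac['ipv4-address'][0]} is not the FortiLink IP {flk_ip}")
    return findings


def run_checks():
    return check_pairing(parse_forti(FORTISWITCH_CONFIG), parse_forti(FORTIGATE_CONFIG))


if __name__ == "__main__":
    print(run_checks() or "no mismatches found")
```

Run it as a script; it prints the findings, or "no mismatches found" when the two sides agree. To check a real pair, paste the output of the relevant config sections from each device into the two strings; the checks only read the attributes named above, so extra lines are ignored.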

FortiSwitch VLANs over VXLAN

On some FortiSwitch models, you can send user traffic over a VXLAN tunnel, creating a layer-2 overlay over a layer-3 network, allowing all Security Fabric functionality to be applied to devices connecting to the FortiSwitch unit.

In the following configuration example, the FG-1800F device is connected with a VXLAN tunnel to the FS-1048E unit. After FortiLink is enabled on the VXLAN interface, the FortiGate device can manage the FortiSwitch unit.

  1. Configure a VLAN to use as the VXLAN interface.

    config system interface
        edit "vlan-1000"
            set ip 10.200.1.2 255.255.255.0
            set vlanid 1000
            set interface "internal"
        next
    end

  2. Configure a static route with the VXLAN remote IP address as the destination.

    config router static
        edit 1
            set device "vlan-1000"
            set dst 10.100.1.1 255.255.255.255
            set gateway 10.200.1.50
        next
    end

  3. Configure the link monitor to monitor access to the gateway.

    config system link-monitor
        edit "1"
            set srcintf "vlan-1000"
            set protocol ping
            set gateway-ip 10.200.1.50
            set interval 60
        next
    end

  4. Set up the switch port that physically connects to the router and enable FortiLink mode over a layer-3 network.

    config switch interface
        edit port19
            set fortilink-l3-mode enable
        next
    end

  5. Configure the switch trunk to make it static and disable the automatic VLAN provisioning.

    config switch trunk
        edit "__FoRtILnk0L3__"
            set auto-isl 1
            set static-isl enable
            set static-isl-auto-vlan disable
            set members "port19"
        next
    end

  6. Configure the FortiLink interface so that the native VLAN matches the VLAN used for the VXLAN defined in step 1.

    config switch interface
        edit "__FoRtILnk0L3__"
            set native-vlan 1000
        next
    end

  7. Assign VLAN ID 4094 to the "internal" interface that will be used to establish the FortiLink connection with the FortiGate device over VXLAN.

    config switch interface
        edit "internal"
            set native-vlan 4094
        next
    end

  8. If you are not using DHCP option 138 to inform the FortiSwitch unit of the FortiGate IP address, enable static discovery.

    config switch-controller global
        set ac-discovery-type static
        config ac-list
            edit 1
                set ipv4-address 10.255.2.1
            next
        end
    end

  9. Connect two physical ports to each other as a loopback. In this example, port23 and port24 are connected.

  10. Create two trunks, each trunk with one physical link that is connected as a loopback. In this example, trunk tr1 is created with port23 as a member. Trunk tr2 is created with port24 as a member. port24 forms a loopback with port23.

  11. Configure trunk tr2 as static-isl. Leave the rest of the values at the defaults.

    config switch trunk
        edit "tr2"
            set auto-isl 1
            set static-isl enable
            set static-isl-auto-vlan disable
            set members "port24"
        next
    end

  12. Configure the tr2 interface with a native VLAN of 4094 and the allowed VLANs as 1-4094.

    config switch interface
        edit "tr2"
            set native-vlan 4094
            set allowed-vlans 1-4094
        next
    end

  13. Configure trunk tr1 as static-isl, with static-isl-auto-vlan disabled. Leave the rest of the values at the defaults. This trunk is used as the VXLAN tunnel-loopback interface. port23 forms a loopback with port24.

    config switch trunk
        edit "tr1"
            set auto-isl 1
            set static-isl enable
            set static-isl-auto-vlan disable
            set members "port23"
        next
    end

  14. Configure the tr1 interface with a native VLAN of 4087 and disable STP.

    config switch interface
        edit "tr1"
            set native-vlan 4087
            set stp-state disabled
        next
    end

  15. Configure the VXLAN interface with tr1 as the tunnel-loopback interface. Set the interface to the normal SVI from step 1 (vlan-1000), which is used to reach the Internet. The remote-ip address is the remote VTEP; in this case, the remote VTEP is the FortiGate interface being used for the VXLAN tunnel.

    With this configuration, all VLAN traffic from the switch, including all FortiSwitch VLANs, loops through tr1 and initiates the VXLAN tunnel to the FortiGate device.

    config system vxlan
        edit vx1
            set interface vlan-1000
            set vni 4094
            set remote-ip 10.100.1.1
            set tunnel-loopback "tr1"
        next
    end
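With step 15 in place, every switch VLAN is carried inside the tunnel between the switch VTEP (10.200.1.2) and the FortiGate VTEP (10.100.1.1). The following Python block is an added example, not code from the FortiLink Guide or from Fortinet. It builds one VXLAN frame as the layer-3 underlay carries it (outer IPv4 and UDP to port 4789, the 8-byte VXLAN header with its 24-bit VNI, then the 802.1Q-tagged inner frame), decodes it back, and compares the decoded fields with the configured VTEP pair and VNI. The MAC addresses, the UDP source port and the payload are constructed values. It shows what a capture on the underlay reveals: VTEP addresses, the VNI and the inner VLAN tag are all readable, because VXLAN itself adds no encryption, so an underlay that is not trusted needs a separate protection such as IPsec between the VTEPs.

```python
# Added example: build and decode one VXLAN-encapsulated frame the way it
# appears on the underlay between the two VTEPs. Not code from the FortiLink
# Guide or from Fortinet; MAC addresses, UDP source port and payload are constructed.
import ipaddress
import struct

VXLAN_UDP_PORT = 4789       # IANA-assigned VXLAN destination port
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_8021Q = 0x8100
VXLAN_FLAG_I = 0x08         # "VNI present" flag in the VXLAN header


def ipv4_checksum(header):
    """One's-complement checksum over a 20-byte IPv4 header (checksum field zeroed)."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_vxlan_frame(src_vtep, dst_vtep, vni, inner_vlan, payload):
    """Outer Ethernet/IPv4/UDP/VXLAN around an 802.1Q-tagged inner Ethernet frame."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI is a 24-bit field")
    inner = (bytes.fromhex("020000000002") + bytes.fromhex("020000000001")   # constructed MACs
             + struct.pack("!HHH", ETHERTYPE_8021Q, inner_vlan & 0x0FFF, ETHERTYPE_IPV4)
             + payload)
    # VXLAN header: flags, 3 reserved bytes, 24-bit VNI, 1 reserved byte.
    vxlan = bytes([VXLAN_FLAG_I, 0, 0, 0]) + (vni << 8).to_bytes(4, "big")
    udp_len = 8 + len(vxlan) + len(inner)
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, udp_len, 0)   # UDP checksum optional on IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src_vtep).packed,
                     ipaddress.IPv4Address(dst_vtep).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    outer_eth = (bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
                 + struct.pack("!H", ETHERTYPE_IPV4))
    return outer_eth + ip + udp + vxlan + inner


def parse_vxlan_frame(frame):
    """Return the tunnel fields of a VXLAN frame; raise ValueError on anything else."""
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    ip_off = 14
    ihl = (frame[ip_off] & 0x0F) * 4
    if frame[ip_off + 9] != 17:
        raise ValueError("outer packet is not UDP")
    src_vtep = str(ipaddress.IPv4Address(frame[ip_off + 12:ip_off + 16]))
    dst_vtep = str(ipaddress.IPv4Address(frame[ip_off + 16:ip_off + 20]))
    udp_off = ip_off + ihl
    dst_port = struct.unpack_from("!H", frame, udp_off + 2)[0]
    if dst_port != VXLAN_UDP_PORT:
        raise ValueError(f"UDP port {dst_port} is not VXLAN")
    vx_off = udp_off + 8
    if not frame[vx_off] & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set")
    vni = int.from_bytes(frame[vx_off + 4:vx_off + 7], "big")
    inner_off = vx_off + 8
    inner_vlan = None   # untagged inner frame
    if struct.unpack_from("!H", frame, inner_off + 12)[0] == ETHERTYPE_8021Q:
        inner_vlan = struct.unpack_from("!H", frame, inner_off + 14)[0] & 0x0FFF
    return {"src_vtep": src_vtep, "dst_vtep": dst_vtep, "vni": vni, "inner_vlan": inner_vlan}


def unexpected_tunnel(fields, vteps, vni):
    """Findings for a decoded frame that is not from the configured VTEP pair and VNI."""
    findings = []
    if (fields["src_vtep"], fields["dst_vtep"]) not in (vteps, vteps[::-1]):
        findings.append(f"VTEP pair {fields['src_vtep']}->{fields['dst_vtep']} is not configured")
    if fields["vni"] != vni:
        findings.append(f"VNI {fields['vni']} is not the configured {vni}")
    return findings


if __name__ == "__main__":
    frame = build_vxlan_frame("10.200.1.2", "10.100.1.1", 4094, 4094, b"constructed payload")
    print(parse_vxlan_frame(frame))
```

unexpected_tunnel is the shape of a simple underlay check: VXLAN traffic on UDP 4789 that is not between the two configured VTEPs, or that carries a VNI other than the one configured in step 15, is worth alerting on, because the VTEPs accept the VNI as the only identifier of the overlay.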
