FortiLink mode over a layer-3 network
This feature allows FortiSwitch islands to operate in FortiLink mode over a layer-3 network, even though they are not directly connected to the switch-controller FortiGate unit. FortiSwitch islands contain one or more FortiSwitch units.
There are two main deployment scenarios for using FortiLink mode over a layer-3 network:
- In-band management, which uses the FortiSwitch unitʼs internal interface to connect to the layer-3 network
- Out-of-band management, which uses the FortiSwitch unitʼs mgmt interface to connect to the layer-3 network
Starting in FortiOS 6.4.3, you can configure a FortiLink-over-layer-3 network to use the FortiLink interface as the source IP address for the communication between the FortiGate unit and the FortiSwitch unit. You can still use the outbound interface as the source IP address if you prefer.
After you have configured FortiLink mode over a layer-3 network, downgrading FortiSwitchOS is not supported.
To use the FortiLink interface as the source IP address:
config system interface
edit <FortiLink_interface>
set switch-controller-source-ip fixed
end
In-band management
To configure a FortiSwitch unit to operate in a layer-3 network:
NOTE: You must enter these commands in the indicated order for this feature to work.
1. Reset the FortiSwitch to factory default settings with the execute factoryreset command.
2. If you are using DHCP discovery with DHCP option 138, the FortiSwitch unit automatically connects to the FortiGate unit and establishes FortiLink. If you are not using DHCP discovery with DHCP option 138, you can configure DHCP discovery with a different ac-dhcp-option-code or configure static discovery to find the IP address of the FortiGate unit (switch controller) that manages this switch. If you configure static discovery, you need to create a static inter-switch link (ISL) trunk and then enable or disable automatic VLAN configuration on the manually created (static) ISL trunk.
NOTE: Starting in FortiOS 7.4.1 with FortiSwitchOS 7.4.1, when using FortiLink mode over a layer-3 network and DHCP discovery with DHCP option 138, the top FortiSwitch unit (with the _FlinkDhcpDisc_ trunk) will now automatically have a Spanning Tree Protocol (STP) priority of 24576, instead of an STP priority of 32768.
To use DHCP discovery:
config switch-controller global
set ac-discovery-type dhcp
set ac-dhcp-option-code <integer>
end
To use static discovery:
config switch-controller global
set ac-discovery-type static
config ac-list
edit <id>
set ipv4-address <IPv4_address>
next
end
end
config switch trunk
edit <trunk_name>
set static-isl enable
set static-isl-auto-vlan {enable | disable}
next
end
NOTE:
- Make certain that each FortiSwitch unit can successfully ping the FortiGate unit.
- The NTP server must be configured on the FortiSwitch unit either manually or provided by DHCP. The NTP server must be reachable from the FortiSwitch unit.
- In addition to the two layer-3 discovery modes (DHCP and static), there is the default layer-2 discovery broadcast mode. The layer-3 discovery multicast mode is unsupported.
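As an added worked example that is not from the original page, here is the in-band, static-discovery variant of the procedure above as one end-to-end configuration, with the FortiGate side first. The interface name fortilink, the trunk name, the member port and the address 10.10.10.1 are constructed; the NTP stanza is assumed to match FortiSwitchOS syntax.

```text
# --- FortiGate (switch controller) side ---
# Pin the source address of switch-controller traffic to the FortiLink
# interface, so ACLs on the intermediate routers only need to permit one
# address toward the FortiSwitch units (interface name is constructed).
config system interface
    edit "fortilink"
        set switch-controller-source-ip fixed
    next
end

# --- FortiSwitch side, in the order the page requires ---
# 1. Factory reset first; everything below is entered after the reboot.
execute factoryreset

# 2. Static discovery: point the switch at the FortiGate's FortiLink
#    address (10.10.10.1 is a constructed example address).
config switch-controller global
    set ac-discovery-type static
    config ac-list
        edit 1
            set ipv4-address 10.10.10.1
        next
    end
end

# 3. Static ISL trunk with automatic VLAN configuration enabled. The member
#    port and trunk name are assumptions; the page does not name them.
config switch trunk
    edit "l3-uplink"
        set members "port1"
        set static-isl enable
        set static-isl-auto-vlan enable
    next
end

# NTP must be reachable (assumed FortiSwitchOS syntax; server is constructed).
config system ntp
    set ntpsync enable
    config ntpserver
        edit 1
            set server 10.10.10.1
        next
    end
end

# Pre-flight check before expecting FortiLink to come up: the FortiGate
# (and the NTP server) must answer across the routed path.
execute ping 10.10.10.1
```

If the ping fails, fix the layer-3 routing on the FortiSwitch unit first; FortiLink will not form over a path that also traverses NAT.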
Connecting additional FortiSwitch units to the first FortiSwitch unit
In this scenario, the default FortiLink-enabled port of FortiSwitch 2 is connected to FortiSwitch 1, and the two switches then form an auto-ISL. You only need to configure the discovery settings (see Step 2) for additional switches (FortiSwitch 2 in the following diagram). Check that each FortiSwitch unit can reach the FortiGate unit.
Out-of-band management
You can use the internal interface for one FortiSwitch island to connect to the layer-3 network and the mgmt interface for another FortiSwitch island to connect to the same layer-3 network. Do not mix the internal interface connection and mgmt interface connection within a single FortiSwitch island.
Other topologies
If you have a layer-2 loop topology, make certain that the alternative path can reach the FortiGate unit and that STP is enabled on the FortiLink layer-3 trunk.
If you have two FortiSwitch units separately connected to two different intermediary routers or switches and the FortiSwitch units are also connected to each other, an auto-ISL forms automatically, and STP must be enabled to avoid loops.
A single logical interface (which can be a LAG) is supported when the FortiSwitch units use the internal interface as the FortiLink management interface.
You can use a LAG connected to a single intermediary router or switch. A topology with multiple ports connected to different intermediary routers or switches is not supported.
Limitations
The following limitations apply to FortiSwitch islands operating in FortiLink mode over a layer-3 network:
- FortiSwitch NAC is not supported.
- No layer-2 data path component, such as VLANs, can span across layer 3 between the FortiGate unit and the FortiSwitch unit.
- All FortiSwitch units within a FortiSwitch island must be connected to the same FortiGate unit.
- The FortiSwitch unit needs a functioning layer-3 routing configuration to reach the FortiGate unit or any feature-configured destination, such as syslog or 802.1x.
- Do not connect a layer-2 FortiGate unit and a layer-3 FortiGate unit to the same FortiSwitch unit.
- If the FortiSwitch management port is used for a layer-3 connection to the FortiGate unit, the FortiSwitch island can contain only one FortiSwitch unit. All switch ports must remain in standalone mode. If you need more than one physical link, you can group the links as a link aggregation group (LAG).
- Do not connect a FortiSwitch unit to a layer-3 network and a layer-2 network on the same segment.
- If the network has a wide geographic distribution, some features, such as software downloads, might operate slowly.
- After a topology change, make certain that every FortiSwitch unit can reach the FortiGate unit.
- NAT is not supported between the FortiSwitch unit and FortiGate unit.
Starting in FortiOS 7.2.1, the
config switch trunk
edit <trunk_name>
set static-isl enable
set static-isl-auto-vlan {enable | disable}
next
end