Greg Bales (he/him)

FortiSwitch On FortiGate Aggregate Interface

Disclaimer: This is not specifically documented in FortiLink docs but I have been told it would be supported. That was one person who told me, so implement this at your own risk. More on why I think this will be supported in the post.




When learning more about FortiSwitches and how I can manage them from the FortiGate via FortiLink, I wanted to understand any and all limitations.

My first deep dive taught me that you could either go all in on Fortinet and manage FortiSwitch through Layer 2 FortiLink, or you could do it over Layer 3 FortiLink if you had third party devices in between the FortiGate and the FortiSwitch.


Left: FortiLink Over Layer 2

Right: FortiLink Over Layer 3


While things are certainly easier if it's a FortiSwitch directly connected to a FortiGate, I found that many environments had core switches that had plenty of life on them so it was unrealistic to replace everything with FortiSwitch. For certain topologies that was fine as their core switches did inter-VLAN routing, but for others who used more of a layer 2 distribution switch it caused issues.

Connecting a third party switch to the FortiLink interface is not a supported topology, so even if you can get it to work, support will not help you in the event of an issue. Also, you can't get Layer 2 FortiLink to work if the third party switch is connected to a non-FortiLink interface.


At that point I simply told people that those were the two ways and if you wanted to use a FortiSwitch with a third party device in between it had to be running Layer 3.


That was until I was in the middle of demonstrating FortiLink over Layer 3 when I was asked to not have the default gateways on the third party switch but instead on the FortiGate.

I thought about it for a few seconds and said to give me a day to test out a theory.


Instead of trying to get Layer 2 FortiLink to work with a third party Layer 2 switch, I would try getting Layer 3 FortiLink to work through a third party Layer 2 switch.


I was honestly surprised at how easy it was!


I simply removed the Layer 3 capabilities on the third party switch and allowed the VLANs through. Then I added the VLANs under the Aggregate interface of the FortiGate. This was still more complex than simply configuring everything for the FortiSwitch VLANs but it was still all configured on the same device. That is, unless you want to add another VLAN, in which case you need to update the third party Layer 2 switch again.


Thanks for reading my version of a recipe site's backstory. Onto the actual configuration!


Topology

Since I built this example from my FortiLink over Layer 3 setup here is the topology:



FortiLink Interface

While the physical interfaces for FortiLink will not be used for this setup, the interface is still important, as its address is used as the Switch Controller IP. We mainly need to make sure that IP address is documented in case it isn't the default, as in my setup.


FortiGate #
config system interface
    edit "fortilink"
        set fortilink enable
        set ip 10.2.255.1 255.255.255.0
        set allowaccess ping fabric
        set type aggregate
    next
end

NOTE: I have the setting turned on to automatically authorize devices to simplify this setup but if you do not you will still have to authorize the switches when they connect.


Aggregate and VLAN Interfaces

First we'll look at the FortiGate configuration of the Aggregate interface.

FortiGate #
config system interface
    edit "agg"
        set type aggregate
        set member "port3" "port4"
        set device-identification enable
        set lldp-transmission enable
        set role lan
    next
end

It's a very basic setup as this is being used simply for the aggregation and everything else will be done on the VLANs attached to it.


Now onto the VLANs


You will see VLAN 4094 listed in this example but we will not use it, just VLANs 1 and 11.



I set this up using DHCP for FortiLink over Layer 3 to simplify things, so we need to open up the advanced DHCP options (option 138 below) to tell the FortiSwitches where to find their controller. Set this to the FortiLink IP we checked earlier.



FortiGate #
config system interface
    edit "fortitest"
        set vdom "root"
        set ip 10.2.2.1 255.255.255.0
        set allowaccess ping
        set device-identification enable
        set role lan
        set interface "agg"
        set vlanid 1
    next
end
config system dhcp server
    edit 14
        set dns-service default
        set default-gateway 10.2.4.1
        set netmask 255.255.255.0
        set interface "fortitest"
        config ip-range
            edit 1
                set start-ip 10.2.2.2
                set end-ip 10.2.2.254
            next
        end
        config options
            edit 1
                set code 138
                set type ip
                set ip "10.2.255.1"
            next
        end
    next
end

Other than the DHCP option, this is nothing out of the ordinary: just a VLAN with IP space under an Aggregate interface. VLAN 11 is configured similarly but does not need the controller option in its DHCP server.


FortiSwitch VLANs

You may be curious why we still need to use FortiSwitch VLANs since we just configured our VLANs under the Aggregate interface. This is where the configuration is a little more complex than just using Layer 2 FortiLink where we configure it all under FortiSwitch VLANs.

Since the default gateway was created under the Aggregate interface, we can view that as the Layer 3 component of the VLAN, but we still need a way to tag the Layer 2 traffic with the VLAN ID. That's where the FortiSwitch VLANs come into play, as they are the only place you can assign VLANs on a FortiSwitch.



I have VLANs 1 and 11 set up with the IP space set to 0.0.0.0 as that was defined on the Aggregate interface VLANs.


FortiGate #
config system interface
    edit "testworkstation"
        set device-identification enable
        set role lan
        set interface "fortilink"
        set vlanid 11
    next
end

Firewall Policy

We will also need to allow traffic from the FortiSwitch IPs to talk to the FortiLink interface.

If you try to do this in the GUI you will notice that there is no FortiLink interface to choose. Create the policy first with another interface (I usually pick the same interface as the Incoming interface), then change the destination over to FortiLink in the CLI.


FortiGate #
config firewall policy
    edit 6
        set name "FortiLink"
        set srcintf "fortitest"
        set dstintf "fortilink"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

I also have other policies to allow traffic between VLANs and out to the internet but I won't show those to keep this simpler.
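The Aggregate VLAN, the FortiSwitch VLAN and the firewall policy only work as a set, so here is an added Python cross-check (written for this post, not from the post itself or from Fortinet) that parses FortiOS CLI blocks (config/edit/set/next/end) into nested dicts and verifies: that every VLAN on the aggregate has a FortiSwitch VLAN with the same vlanid under the FortiLink interface, that the DHCP scope's option 138 carries the FortiLink IP, that the default gateway handed out sits inside the scope interface's subnet, and that an accept policy exists from the scope's VLAN to the FortiLink interface. The sample config is constructed from the blocks above and trimmed to the lines the checks read; the "fortiswitch-vlan1" entry is an assumption standing in for the VLAN 1 FortiSwitch VLAN the post describes but does not print. Run against the DHCP block exactly as printed, the gateway check reports 10.2.4.1 as outside the 10.2.2.0/24 subnet of fortitest, so confirm the intended gateway before copying that block.

```python
import ipaddress
import shlex

# Constructed sample built from the FortiGate blocks in this post, trimmed to the
# settings the checks read. "fortiswitch-vlan1" is an assumption: it stands in for
# the VLAN 1 FortiSwitch VLAN the post describes but does not print.
FORTIGATE_CONFIG = """
config system interface
    edit "fortilink"
        set fortilink enable
        set ip 10.2.255.1 255.255.255.0
    next
    edit "fortitest"
        set ip 10.2.2.1 255.255.255.0
        set interface "agg"
        set vlanid 1
    next
    edit "fortiswitch-vlan1"
        set interface "fortilink"
        set vlanid 1
    next
    edit "testworkstation"
        set interface "fortilink"
        set vlanid 11
    next
end
config system dhcp server
    edit 14
        set default-gateway 10.2.4.1
        set interface "fortitest"
        config options
            edit 1
                set code 138
                set ip "10.2.255.1"
            next
        end
    next
end
config firewall policy
    edit 6
        set srcintf "fortitest"
        set dstintf "fortilink"
        set action accept
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS CLI config/edit/set/next/end blocks into nested dicts.
    A table maps edit keys to dicts; each 'set' stores its values as a list."""
    stack = [{}]
    for raw in text.splitlines():
        words = shlex.split(raw)
        if not words:
            continue
        if words[0] == "config":
            stack.append(stack[-1].setdefault(" ".join(words[1:]), {}))
        elif words[0] == "edit":
            stack.append(stack[-1].setdefault(words[1], {}))
        elif words[0] == "set":
            stack[-1][words[1]] = words[2:]
        elif words[0] in ("next", "end"):
            stack.pop()
    return stack[0]


def first(props, key):
    """First value of a 'set' line, or None when the setting is absent."""
    return props.get(key, [None])[0]


def check_fortilink_over_l3(cfg):
    """Return a list of findings; an empty list means every cross-check passed."""
    findings = []
    ifaces = cfg.get("system interface", {})
    fl_name = next((n for n, p in ifaces.items() if p.get("fortilink") == ["enable"]), None)
    fl_ip = first(ifaces.get(fl_name, {}), "ip")
    # 1. A VLAN on the aggregate is only the L3 half; a FortiSwitch VLAN with the
    #    same vlanid under the FortiLink interface is what tags it on the switch.
    sw_vlans = {first(p, "vlanid") for p in ifaces.values() if first(p, "interface") == fl_name}
    for name, p in ifaces.items():
        parent = first(p, "interface")
        if parent and parent != fl_name and first(p, "vlanid") not in sw_vlans:
            findings.append(f"{name}: vlanid {first(p, 'vlanid')} has no FortiSwitch VLAN counterpart")
    policies = list(cfg.get("firewall policy", {}).values())
    for sid, srv in cfg.get("system dhcp server", {}).items():
        scope_if = first(srv, "interface")
        ip = ifaces.get(scope_if, {}).get("ip")
        gw = first(srv, "default-gateway")
        # 2. The gateway handed to clients must sit inside the scope interface's subnet.
        if ip and gw and ipaddress.ip_address(gw) not in ipaddress.ip_network(f"{ip[0]}/{ip[1]}", strict=False):
            findings.append(f"dhcp server {sid}: default-gateway {gw} is outside the subnet of {scope_if} ({ip[0]}/{ip[1]})")
        # 3. Option 138 must carry the FortiLink IP, and traffic from that VLAN to the
        #    FortiLink interface needs an accept policy (the Firewall Policy section).
        opt138 = [first(o, "ip") for o in srv.get("options", {}).values() if first(o, "code") == "138"]
        if opt138 and opt138[0] != fl_ip:
            findings.append(f"dhcp server {sid}: option 138 {opt138[0]} does not match FortiLink IP {fl_ip}")
        if opt138 and not any(scope_if in pol.get("srcintf", []) and fl_name in pol.get("dstintf", [])
                              and first(pol, "action") == "accept" for pol in policies):
            findings.append(f"dhcp server {sid}: no accept policy from {scope_if} to {fl_name}")
    return findings


if __name__ == "__main__":
    for finding in check_fortilink_over_l3(parse_fortios(FORTIGATE_CONFIG)):
        print("FINDING:", finding)
```

Feed it a `show full-configuration` export (or the relevant `config` blocks) and it prints one line per mismatch; an empty result means the three pieces agree with each other, which is the usual failure point when the Layer 3 VLAN lives on the aggregate rather than on the FortiSwitch VLAN.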


Third Party Switch (Cisco Switch)

I will be using a Cisco switch as my third party switch. You will have to make a similar configuration on your platform.

The main thing to keep in mind is to have the VLANs created that you would like to be allowed to the FortiSwitches. In my case this is just VLANs 1 and 11. VLAN 1 will be used as my native VLAN to the FortiSwitches, as that is the one that hands out DHCP for the switch management and also tells them where to find their controller. VLAN 11 will just be for a test machine to get an IP from the FortiGate. VLAN 5 is only there to be the native VLAN on the trunk to the FortiGate; VLAN 1 is the default native VLAN, and I need VLAN 1 to be tagged on that trunk.


CiscoSwitch3560G#
vlan 1
 name FortiSwitchoL3
!
vlan 5
 name Native_VLAN
!
vlan 11
 name Workstation
!
interface Port-channel3
 description Link_to_FortiGate
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 5
 switchport trunk allowed vlan all
 switchport mode trunk
!
interface GigabitEthernet0/21
 description Link_to_FortiSwitch
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan all
 switchport mode trunk
!
interface GigabitEthernet0/47
 description Link_to_FortiGate
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 5
 switchport trunk allowed vlan all
 switchport mode trunk
 channel-group 3 mode active
!
interface GigabitEthernet0/48
 description Link_to_FortiGate
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 5
 switchport trunk allowed vlan all
 switchport mode trunk
 channel-group 3 mode active
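As an added example, not from the post or from Cisco, the following Python reads the trunk stanzas above and reports how each VLAN leaves each trunk: untagged (the native VLAN), tagged, or blocked by the allowed list. It encodes the two constraints the text describes: the VLAN whose DHCP scope hands the FortiSwitch its address and controller (VLAN 1 here) must be native toward the FortiSwitch, since a factory-reset switch sends untagged DHCP, and it must be tagged toward the FortiGate, where it terminates on a VLAN interface with vlanid 1 (which is why VLAN 5 is the native VLAN on the port-channel). It also checks that channel-group members share the port-channel's native VLAN and flags `allowed vlan all` as a pruning opportunity. The sample config is constructed from the stanzas above; the allowed-list parser only handles `all` and comma/range lists, not the add/remove/except forms, which is a simplification.

```python
# Constructed sample: the trunk stanzas from the Cisco configuration in this post.
CISCO_CONFIG = """
interface Port-channel3
 description Link_to_FortiGate
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 5
 switchport trunk allowed vlan all
 switchport mode trunk
!
interface GigabitEthernet0/21
 description Link_to_FortiSwitch
 switchport trunk native vlan 1
 switchport trunk allowed vlan all
 switchport mode trunk
!
interface GigabitEthernet0/47
 description Link_to_FortiGate
 switchport trunk native vlan 5
 switchport trunk allowed vlan all
 switchport mode trunk
 channel-group 3 mode active
!
"""


def parse_vlan_list(spec):
    """'all' -> None (every VLAN); '1,5,10-12' -> {1, 5, 10, 11, 12}.
    Simplification: the add/remove/except forms are not handled."""
    if spec.strip() == "all":
        return None
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_ios_interfaces(text):
    """Map interface name -> trunk settings. IOS defaults: native VLAN 1, all VLANs allowed."""
    ifaces, cur = {}, None
    for raw in text.splitlines():
        if raw.startswith("interface "):
            cur = ifaces.setdefault(raw.split(None, 1)[1].strip(),
                                    {"trunk": False, "native": 1, "allowed": None, "channel_group": None})
        elif cur is None or not raw.startswith(" "):
            continue  # '!' separators, blank and global lines
        else:
            line = raw.strip()
            if line == "switchport mode trunk":
                cur["trunk"] = True
            elif line.startswith("switchport trunk native vlan "):
                cur["native"] = int(line.rsplit(None, 1)[1])
            elif line.startswith("switchport trunk allowed vlan "):
                cur["allowed"] = parse_vlan_list(line.split("vlan ", 1)[1])
            elif line.startswith("channel-group "):
                cur["channel_group"] = int(line.split()[1])
    return ifaces


def vlan_egress(port, vlan):
    """How frames for `vlan` leave a port: 'untagged' (native), 'tagged', or 'blocked'."""
    if not port["trunk"] or (port["allowed"] is not None and vlan not in port["allowed"]):
        return "blocked"
    return "untagged" if vlan == port["native"] else "tagged"


def check_trunks(ifaces, mgmt_vlan, to_fortiswitch, to_fortigate):
    """Cross-check the L2 path for FortiLink over Layer 3. mgmt_vlan is the VLAN whose
    DHCP scope hands the FortiSwitch its address and controller (VLAN 1 in the post)."""
    findings = []
    # A factory-reset FortiSwitch sends untagged DHCP, so mgmt_vlan must be native toward it.
    if vlan_egress(ifaces[to_fortiswitch], mgmt_vlan) != "untagged":
        findings.append(f"{to_fortiswitch}: VLAN {mgmt_vlan} must be the native VLAN toward the FortiSwitch")
    # The FortiGate terminates mgmt_vlan on a VLAN interface under the aggregate, so it must arrive tagged.
    if vlan_egress(ifaces[to_fortigate], mgmt_vlan) != "tagged":
        findings.append(f"{to_fortigate}: VLAN {mgmt_vlan} must be tagged toward the FortiGate")
    # Members of the bundle must agree with the port-channel's native VLAN.
    pc = to_fortigate.lower()
    if pc.startswith("port-channel"):
        group = int(pc[len("port-channel"):])
        for name, port in ifaces.items():
            if port["channel_group"] == group and port["native"] != ifaces[to_fortigate]["native"]:
                findings.append(f"{name}: native VLAN {port['native']} differs from {to_fortigate}")
    # 'allowed vlan all' works, but prune it so only the needed VLANs reach the FortiSwitch.
    for name in (to_fortiswitch, to_fortigate):
        if ifaces[name]["allowed"] is None:
            findings.append(f"{name}: 'switchport trunk allowed vlan all' - prune to the needed VLANs")
    return findings


if __name__ == "__main__":
    ports = parse_ios_interfaces(CISCO_CONFIG)
    for vlan in (1, 5, 11):
        print(vlan, {n: vlan_egress(p, vlan) for n, p in ports.items()})
    for f in check_trunks(ports, 1, "GigabitEthernet0/21", "Port-channel3"):
        print("FINDING:", f)
```

On the configuration above the only findings are the two pruning advisories; swapping the port-channel's native VLAN back to 1 makes the "must be tagged" check fire, which is the mistake the VLAN 5 trick exists to avoid.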

FortiSwitch Factory Reset

To simplify things we are going to use DHCP to configure this switch, so the first step is a factory reset from the FortiSwitch CLI.

If this is your first time logging in, the username is admin and there is no password, but it will ask you to set one.

FortiSwitch #
execute factoryreset

After it resets, you will need to set your password again.

Now hook up your FortiSwitch to your third party switch. It will use the native VLAN on the trunk facing it to get a DHCP IP along with its switch controller address.


Troubleshooting Controller Connectivity

Use these commands to check the state of your switch controller connectivity.

FortiSwitch #
execute switch-controller get-conn-status
get system interface physical

Before Switch Controller info is obtained:

After Switch Controller info is obtained but no connection:

After Switch Controller info is obtained and connected:

Check Switch DHCP IP


Use these commands on the FortiGate to check its connectivity:

FortiGate #
execute switch-controller get-conn-status
execute switch-controller diagnose-connection

Before FortiSwitch Connection:

After FortiSwitch Connection:

If you're having issues, the diagnose-connection command breaks down common causes, such as the FortiSwitch and FortiGate clocks not being synchronized via NTP.


If it looks like there are no issues but things aren't fully showing up, you may simply need to generate some traffic, such as a ping to your gateway or to the internet.


FortiSwitch Port Configuration


Now you can configure your ports with the layer 2 VLANs you defined earlier in the FortiSwitch VLANs and they should get tagged appropriately. As long as the third party switch is also passing them, the devices on those ports should be able to contact the layer 3 gateways on the aggregate interface of the FortiGate.
