Configuration FortiLink across non-Fortiswitch

Author
dconsentini
New Member
  • Total Posts : 4
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/01/30 01:53:30
  • Status: offline
2018/01/30 02:45:42 (permalink)
0

Configuration FortiLink across non-Fortiswitch

I want to configure FortiSwitch with the FortiLink protocol over my actual infrastructure. In that situation I have various non-FortiSwitch switches (Cisco, HP, ...), but I need to configure the FortiLink protocol and I don't find information about this situation.
In all the manuals I can see the configuration connecting the FortiSwitch directly to the FortiGate, but I don't find any manual to connect the FortiSwitch across the other models of switches.
 
Can you help me?
#1
Knowledge_Team_FTNT
Bronze Member
  • Total Posts : 34
  • Scores: 0
  • Reward points: 0
  • Joined: 2015/02/02 02:44:17
  • Status: offline
Re: Configuration FortiLink across non-Fortiswitch 2018/02/01 01:28:02 (permalink)
0
You can manage the FortiSwitches via FortiLink over IP protocol; it doesn't matter about the interconnecting L2 infrastructure, as FortiSwitch management is done on L3: https://docs.fortinet.com...manageFSWfromFGT54.pdf
#2
dconsentini
New Member
  • Total Posts : 4
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/01/30 01:53:30
  • Status: offline
Re: Configuration FortiLink across non-Fortiswitch 2018/02/05 23:50:36 (permalink)
0
Thanks for the reply!
 
I'm looking at the Fortinet documents but I don't see how to connect over IP; they always use FortiLink over FortiSwitch. My network scheme is:
 
Fortigate <--> switch(HP/cisco/...) <--> Fortiswitch
 
and I don't understand how I can connect over IP in this situation.
#3
FlavioB
Gold Member
  • Total Posts : 140
  • Scores: 0
  • Reward points: 0
  • Joined: 2011/10/03 23:11:15
  • Location: Switzerland
  • Status: offline
Re: Configuration FortiLink across non-Fortiswitch 2019/01/09 00:50:47 (permalink)
0
Quoting fortimonkey:
You can manage the FortiSwitches via FortiLink over IP protocol; it doesn't matter about the interconnecting L2 infrastructure, as FortiSwitch management is done on L3: https://docs.fortinet.com...manageFSWfromFGT54.pdf


Hi there.
I'm facing the same issue - I have my FGT connected to a Cisco stack with a FortiLink LAG. The FSW is then connected with a LAG from the Cisco stack, on which all VLANs are allowed and the default VLAN (1) is the "native" VLAN (untagged).
 
This way, the FSW is not getting recognized by the FGT.
 
Can someone explain how FortiLink actually works? Is it layer 2 or layer 3?
On which interface is the FortiLink information transmitted? Is it the "fortilink" interface itself (the one "Dedicated to FortiSwitch"), or the interface below it, "vsw.fortilink"?
 
Thanks for any help/suggestions.
Flavio.
#4
dconsentini
New Member
  • Total Posts : 4
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/01/30 01:53:30
  • Status: offline
Re: Configuration FortiLink across non-Fortiswitch 2019/01/09 02:43:28 (permalink)
0
Hi,
 
I haven't tried it with LAG, but I'll tell you something in case it helps.
 
I understand that without LAG, with a configuration without a stack, with independent switches, it works correctly, right?
One problem I had in my case is that my FSW model didn't have auto-discovery enabled by default and I never found the FGT via L3. I had to activate it by CLI on the FSW:
 
set auto-discovery-fortilink enable
 
However, FortiLink over L3 has some limitations compared to a direct L2 connection. Likewise, it has to be FOS 6.0.0 or higher. For example, the following options are not available over L3:
 
- Active-Active Split MCLAG from FortiGate to FortiSwitch
- Access VLAN
- DHCP Server on VLAN defined on FGT
 
 
On the question of the interface, I understand that "vsw" is the data transmission VLAN. From the latter you can create as many as you want. On the other hand, the interface dedicated to FortiSwitch is the CAPWAP channel. But don't pay too much attention to me ;)
 
I'm sorry I can't help you more.
Daniel.
#5
FlavioB
Gold Member
  • Total Posts : 140
  • Scores: 0
  • Reward points: 0
  • Joined: 2011/10/03 23:11:15
  • Location: Switzerland
  • Status: offline
Re: Configuration FortiLink across non-Fortiswitch 2019/01/09 06:16:22 (permalink)
0
Ciao Daniel - thanks for your feedback.
 
So when FSWs are directly connected to FGT they're managed on L2, whereas L3 management occurs (or has to be configured) when they are connected through some other network devices.
 
This makes it clear that the 3 options you mention are not available anymore, as they're L2 functions/features...
Sadly, my design will not work - or better: it would work if I switch to L3 management completely.
 
BR,
Flavio.
#6
Daniel_FTNT
New Member
  • Total Posts : 6
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/12/12 06:16:19
  • Status: offline
Re: Configuration FortiLink across non-Fortiswitch 2019/01/10 03:36:08 (permalink)
0
Hi Flavio, hi Daniel,
 
keep in mind you have two options if you have 3rd party switches in your topology, especially between FGT and FSW (most likely core/distribution switches, right?):
1. Use the FortiSwitch in Standalone Mode. This gives you the full feature set and you can use your switch models' full feature set (even, in some cases, L3 features). You may also consider the new FortiSwitch Cloud Management if you want to manage them centrally.
 
2. Use FortiLink.
How it works: FortiLink is the base for all the magic the Telemetry/Fabric and Switch Controller of the FGT can do. It is designed as an L2 protocol, so ideally the FSW is directly connected to the FGT and/or in the same broadcast domain.
Anyway, since FSW-OS 6.x and FortiOS 6.x we have the opportunity to tunnel the FortiLink protocol over an L3 network with CAPWAP, which behaves much like an AP in tunnel mode does.
You can find references here: https://docs.fortinet.com/uploaded/files/4464/managed-fortiswitch-601.pdf (p.23)
Bear in mind that this is only tunneling the FortiLink connection - no data! So you still need to configure trunks/tagged interfaces as uplinks for the data streams.
 
Hope this helps,
 
Daniel
 
 
#7
FlavioB
Gold Member
  • Total Posts : 140
  • Scores: 0
  • Reward points: 0
  • Joined: 2011/10/03 23:11:15
  • Location: Switzerland
  • Status: offline
Re: Configuration FortiLink across non-Fortiswitch 2019/01/14 04:10:17 (permalink)
0
Hi Daniel.
In my case I can't yet upgrade to FOS 6, so I have to remain with the L2 setup, I believe. This will simply mean that if the cluster master moves over to the firewall connected to the Cisco switch, I would not be able to manage the FSW.
Am I right?
F.
#8
Daniel_FTNT
New Member
  • Total Posts : 6
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/12/12 06:16:19
  • Status: offline
Re: Configuration FortiLink across non-Fortiswitch 2019/01/16 01:07:52 (permalink)
0
Yes, then using Standalone Mode (maybe with FortiSwitch Cloud) is what you should aim for (for now).
Do you mean the stack master? Not sure what your actual setup is and how your Cisco Switches are configured. You might consider consulting a partner or local SE here.
 
P.S. Thinking of it... do you use VLAN 1 on that stack for something other than native?
post edited by Daniel_FTNT - 2019/01/16 01:19:24
#9
FlavioB
Gold Member
  • Total Posts : 140
  • Scores: 0
  • Reward points: 0
  • Joined: 2011/10/03 23:11:15
  • Location: Switzerland
  • Status: offline
Re: Configuration FortiLink across non-Fortiswitch 2019/01/16 05:41:08 (permalink)
0
Hi Daniel.
I'm already in touch with my local FSW Fortinet SE and he told me that my design is not supported.
 
VLAN 1 in my Cisco stack is actually not needed/used - why do you ask?
F.
#10