This feature allows FortiSwitch islands to operate in FortiLink mode over a layer-3 network, even though they are not directly connected to the switch-controller FortiGate unit. FortiSwitch islands contain one or more FortiSwitch units.
There are two main deployment scenarios for using FortiLink mode over a layer-3 network:
- In-band management, which uses the FortiSwitch unitʼs internal interface to connect to the layer-3 network
- Out-of-band management, which uses the FortiSwitch unitʼs mgmt interface to connect to the layer-3 network
Starting in FortOS 6.4.3, you can now configure a FortiLink-over-layer-3 network to use the FortiLink interface as the source IP address for the communication between the FortiGate unit and the FortiSwitch unit. You can still use the outbound interface as the source IP address if you prefer.
config system interface
set switch-controller-source-ip fixed
NOTE: You must enter these commands in the indicated order for this feature to work.
- Reset the FortiSwitch to factory default settings with the
- Manually set the FortiSwitch unit to FortiLink mode:
config system global
set switch-mgmt-mode fortilink
Configure the discovery setting for the FortiSwitch unit. You can either use DHCP discovery or static discovery to find the IP address of the FortiGate unit (switch controller) that manages this switch. The default
config switch-controller global
set ac-discovery-type dhcp
set dhcp-option-code <integer>
config switch-controller global
set ac-discovery-type static
set ipv4-address <IPv4_address>
- Configure only one physical port or LAG interface of the FortiSwitch unit as an uplink port. When the FortiSwitch unit is in FortiLink mode, VLAN 4094 is configured on an internal port, which can provide a path to the layer-3 network with the following commands:
config switch interface
set fortilink-l3-mode enable
fortilink-l3-modecommand is only visible after you configure DHCP or static discovery.
- Make certain that each FortiSwitch unit can successfully ping the FortiGate unit.
- The NTP server must be configured on the FortiSwitch unit either manually or provided by DHCP. The NTP server must be reachable from the FortiSwitch unit.
- If more than one port (switch interface) has
fortilink-l3-modeenabled, the FortiSwitch unit automatically forms a link aggregation group (LAG) trunk that contains all
fortilink-l3-mode-enabled ports as a single logical interface.
- If you have more than one port with
fortilink-l3-modeenabled, all ports are automatically added to the __FoRtILnk0L3__ trunk. Make certain that the layer-3 network is also configured as a LAG with a matching LACP mode.
- In addition to the two layer-3 discovery modes (DHCP and static), there is the default layer-2 discovery broadcast mode. The layer-3 discovery multicast mode is unsupported.
In this scenario, the default FortiLink-enabled port of FortiSwitch 2 is connected to FortiSwitch 1, and the two switches then form an auto-ISL. You only need to configure the discovery settings (see Step 3) for additional switches (FortiSwitch 2 in the following diagram). You do not need to enable
fortilink-l3-mode on the uplink port. Check that each FortiSwitch unit can reach the FortiGate unit.
If you use the mgmt port to connect to the layer-3 network, you do not need to enable
fortilink-l3-mode on any physical port because the mgmt port is directly connected to the layer-3 network.
You can use the internal interface for one FortiSwitch island to connect to the layer-3 network and the mgmt interface for another FortiSwitch island to connect to the same layer-3 network. Do not mix the internal interface connection and mgmt interface connection within a single FortiSwitch island.
If you have a layer-2 loop topology, make certain that the alternative path can reach the FortiGate unit and that STP is enabled on the FortiLink layer-3 trunk.
If you have two FortiSwitch units separately connected to two different intermediary routers or switches, the uplink interfaces for both FortiSwitch units must have
fortilink-l3-mode enabled. If the FortiSwitch units are also connected to each other, an auto-ISL forms automatically, and STP must be enabled to avoid loops.
A single logical interface (which can be a LAG) is supported when they use the internal interface as the FortiLink management interface.
You can use a LAG connected to a single intermediary router or switch. A topology with multiple ports connected to different intermediary routers or switches is not supported.
The following limitations apply to FortiSwitch islands operating in FortiLink mode over a layer-3 network:
- No layer-2 data path component, such as VLANs, can span across layer 3 between the FortiGate unit and the FortiSwitch unit.
- All FortiSwitch units within an FortiSwitch island must be connected to the same FortiGate unit.
- The FortiSwitch unit needs a functioning layer-3 routing configuration to reach the FortiGate unit or any feature-configured destination, such as syslog or 802.1x.
- Do not connect a layer-2 FortiGate unit and a layer-3 FortiGate unit to the same FortiSwitch unit.
- If the FortiSwitch management port is used for a layer-3 connection to the FortiGate unit, the FortiSwitch island can contain only one FortiSwitch unit. All switch ports must remain in standalone mode. If you need more than one physical link, you can group the links as a link aggregation group (LAG).
- Do not connect a FortiSwitch unit to a layer-3 network and a layer-2 network on the same segment.
- If the network has a wide geographic distribution, some features, such as software downloads, might operate slowly.
- After a topology change, make certain that every FortiSwitch unit can reach the FortiGate unit.
Splitting ports is not supported when a FortiSwitch unit is managed through layer 3.
NAT is not supported between the FortiSwitch unit and FortiGate unit.