Check the configuration
The following is the relevant FortiGate configuration. While reading it, check three things: (1) the `wan` aggregate (port9/port10) has `set allowaccess ping https ssh http` together with `set role wan`, so plaintext HTTP administration is reachable from the 10.40.88.0/24 segment — remove `http` (and ideally `ssh` if not needed) unless that segment is fully trusted; (2) static route 2 (10.33.33.0/24 via 10.40.88.253 on `wan`) is the return path for CAPWAP traffic from the FortiSwitch management subnet, so without it the switches will never complete discovery even though the policy permits them; (3) firewall policy 5 is intentionally narrow — source `fsw` (10.33.33.0/24) only, destination `fol3_wan_IP` (the single FortiLink address 172.17.1.254/32), services UDP 5246 (`CAPWAP`) and ICMP — keep it that way rather than widening it to `all`/`ALL` while troubleshooting.
FGT_Switch_Controller # show system interface wan
config system interface
edit "wan"
set vdom "root"
set ip 10.40.88.254 255.255.255.0
set allowaccess ping https ssh http
set type aggregate
set member "port9" "port10"
set lldp-reception enable
set role wan
set snmp-index 21
next
end
FGT_Switch_Controller # show router static 2
config router static
edit 2
set dst 10.33.33.0 255.255.255.0
set gateway 10.40.88.253
set device "wan"
next
end
FGT_Switch_Controller # show system interface fol3_wan
config system interface
edit "fol3_wan"
set vdom "root"
set fortilink enable
set switch-controller-source-ip fixed
set ip 172.17.1.254 255.255.255.0
set allowaccess ping fabric
set type aggregate
set device-identification enable
set lldp-reception enable
set lldp-transmission enable
set snmp-index 22
set switch-controller-nac "fol3_wan"
set swc-first-create 127
set lacp-mode static
next
end
FGT_Switch_Controller # show firewall policy 5
config firewall policy
edit 5
set name "fsw_to_fol3_wan"
set uuid 98af1592-354d-51eb-e09e-8d8000c0663a
set srcintf "wan"
set dstintf "fol3_wan"
set srcaddr "fsw"
set dstaddr "fol3_wan_IP"
set action accept
set schedule "always"
set service "CAPWAP" "ALL_ICMP"
next
end
FGT_Switch_Controller # show firewall service custom CAPWAP
config firewall service custom
edit "CAPWAP"
set udp-portrange 5246
next
end
FGT_Switch_Controller # show firewall address fsw
config firewall address
edit "fsw"
set uuid 77e968bc-354d-51eb-f618-e3e145d6a172
set subnet 10.33.33.0 255.255.255.0
next
end
FGT_Switch_Controller # show firewall address fol3_wan_IP
config firewall address
edit "fol3_wan_IP"
set uuid 84cf157c-354d-51eb-ab4f-6518749b4bd9
set subnet 172.17.1.254 255.255.255.255
next
end
FGT_Switch_Controller # show switch-controller managed-switch
config switch-controller managed-switch
edit "S108DVHFUKEFGG54"
set name "site1_mclag1"
set fsw-wan1-peer "fol3_wan"
set fsw-wan1-admin enable
set poe-detection-type 3
set version 1
set max-allowed-trunk-members 8
set pre-provisioned 1
set dynamic-capability 0x0000000000000000000000751c51f9f7
config ports
edit "port1"
set vlan "default.22"
set allowed-vlans "quarantine.22"
set untagged-vlans "quarantine.22"
set export-to "root"
set mac-addr 02:09:0f:d3:00:0c
next
edit "port2"
set vlan "default.22"
set allowed-vlans "quarantine.22"
set untagged-vlans "quarantine.22"
set export-to "root"
set mac-addr 02:09:0f:d3:00:0d
next
edit "port3"
set vlan "default.22"
set allowed-vlans "quarantine.22"
set untagged-vlans "quarantine.22"
set export-to "root"
set mac-addr 02:09:0f:d3:00:0e
next
edit "port4"
set vlan "default.22"
set allowed-vlans "quarantine.22"
set untagged-vlans "quarantine.22"
set export-to "root"
set mac-addr 02:09:0f:d3:00:0f
next
edit "port5"
set vlan "default.22"
set allowed-vlans "quarantine.22"
set untagged-vlans "quarantine.22"
set export-to "root"
set mac-addr 02:09:0f:d3:0a:01
next
edit "port6"
set vlan "default.22"
set allowed-vlans "quarantine.22"
set untagged-vlans "quarantine.22"
set export-to "root"
set mac-addr 02:09:0f:d3:22:01
next
edit "port7"
set vlan "default.22"
set allowed-vlans "quarantine.22"
set untagged-vlans "quarantine.22"
set lldp-profile "default-auto-mclag-icl"
set export-to "root"
set mac-addr 02:09:0f:d3:1f:01
next
edit "port8"
set vlan "default.22"
set allowed-vlans "quarantine.22"
set untagged-vlans "quarantine.22"
set export-to "root"
set mac-addr 02:09:0f:d3:1d:02
next
end
next
edit "S108DVSPUKEFGG54"
set name "site1_mclag2"
set fsw-wan1-peer "fol3_wan"
set fsw-wan1-admin enable
set poe-detection-type 3
set version 1
set max-allowed-trunk-members 8
set pre-provisioned 1
set dynamic-capability 0x0000000000000000000000751c51f9f7
config ports
edit "port1"
set vlan "default.22"
set allowed-vlans "quarantine.22"
set untagged-vlans "quarantine.22"
set export-to "root"
set mac-addr 02:09:0f:d3:00:11
next
edit "port2"
set vlan "default.22"
set allowed-vlans "quarantine.22"
set untagged-vlans "quarantine.22"
set export-to "root"
set mac-addr 02:09:0f:d3:00:12
next
edit "port3"
set vlan "default.22"
set allowed-vlans "quarantine.22"
set untagged-vlans "quarantine.22"
set export-to "root"
set mac-addr 02:09:0f:d3:00:13
next
edit "port4"
set vlan "default.22"
set allowed-vlans "quarantine.22"
set untagged-vlans "quarantine.22"
set export-to "root"
set mac-addr 02:09:0f:d3:00:14
next
edit "port5"
set vlan "default.22"
set allowed-vlans "quarantine.22"
set untagged-vlans "quarantine.22"
set export-to "root"
set mac-addr 02:09:0f:d3:0b:02
next
edit "port6"
set vlan "default.22"
set allowed-vlans "quarantine.22"
set untagged-vlans "quarantine.22"
set export-to "root"
set mac-addr 02:09:0f:d3:23:01
next
edit "port7"
set vlan "default.22"
set allowed-vlans "quarantine.22"
set untagged-vlans "quarantine.22"
set lldp-profile "default-auto-mclag-icl"
set export-to "root"
set mac-addr 02:09:0f:d3:1f:02
next
edit "port8"
set vlan "default.22"
set allowed-vlans "quarantine.22"
set untagged-vlans "quarantine.22"
set export-to "root"
set mac-addr 02:09:0f:d3:1e:02
next
end
next
edit "S108DVUBYKEFGG54"
set name "site1_access1"
set fsw-wan1-peer "fol3_wan"
set fsw-wan1-admin enable
set poe-detection-type 3
set version 1
set max-allowed-trunk-members 8
set pre-provisioned 1
set dynamic-capability 0x0000000000000000000000751c51f9f7
config ports
edit "port1"
set vlan "office"
set allowed-vlans "quarantine.22"
set untagged-vlans "quarantine.22"
set export-to "root"
set mac-addr 02:09:0f:d3:29:01
next
edit "port2"
set vlan "access_point"
set allowed-vlans "office" "quarantine.22" "warehouse"
set untagged-vlans "quarantine.22"
set export-to "root"
set mac-addr 02:09:0f:d3:2d:01
next
edit "port3"
set vlan "default.22"
set allowed-vlans "quarantine.22"
set untagged-vlans "quarantine.22"
set export-to "root"
set mac-addr 02:09:0f:d3:00:07
next
edit "port4"
set vlan "default.22"
set allowed-vlans "quarantine.22"
set untagged-vlans "quarantine.22"
set export-to "root"
set mac-addr 02:09:0f:d3:00:08
next
edit "port5"
set vlan "default.22"
set allowed-vlans "quarantine.22"
set untagged-vlans "quarantine.22"
set export-to "root"
set mac-addr 02:09:0f:d3:00:09
next
edit "port6"
set vlan "default.22"
set allowed-vlans "quarantine.22"
set untagged-vlans "quarantine.22"
set export-to "root"
set mac-addr 02:09:0f:d3:00:0a
next
edit "port7"
set vlan "default.22"
set allowed-vlans "quarantine.22"
set untagged-vlans "quarantine.22"
set export-to "root"
set mac-addr 02:09:0f:d3:20:02
next
edit "port8"
set vlan "default.22"
set allowed-vlans "quarantine.22"
set untagged-vlans "quarantine.22"
set export-to "root"
set mac-addr 02:09:0f:d3:20:02
next
end
next
edit "S108DVD5FTEFGG54"
set name "site1_access2"
set fsw-wan1-peer "fol3_wan"
set fsw-wan1-admin enable
set poe-detection-type 3
set version 1
set max-allowed-trunk-members 8
set pre-provisioned 1
set dynamic-capability 0x0000000000000000000000751c51f9f7
config ports
edit "port1"
set vlan "office"
set allowed-vlans "quarantine.22"
set untagged-vlans "quarantine.22"
set export-to "root"
set mac-addr 02:09:0f:d3:0d:01
next
edit "port2"
set vlan "access_point"
set allowed-vlans "office" "quarantine.22" "warehouse"
set untagged-vlans "quarantine.22"
set export-to "root"
set mac-addr 02:09:0f:d3:11:02
next
edit "port3"
set vlan "default.22"
set allowed-vlans "quarantine.22"
set untagged-vlans "quarantine.22"
set export-to "root"
set mac-addr 02:09:0f:d3:00:1a
next
edit "port4"
set vlan "default.22"
set allowed-vlans "quarantine.22"
set untagged-vlans "quarantine.22"
set export-to "root"
set mac-addr 02:09:0f:d3:00:1b
next
edit "port5"
set vlan "default.22"
set allowed-vlans "quarantine.22"
set untagged-vlans "quarantine.22"
set export-to "root"
set mac-addr 02:09:0f:d3:00:1c
next
edit "port6"
set vlan "default.22"
set allowed-vlans "quarantine.22"
set untagged-vlans "quarantine.22"
set export-to "root"
set mac-addr 02:09:0f:d3:00:1d
next
edit "port7"
set vlan "default.22"
set allowed-vlans "quarantine.22"
set untagged-vlans "quarantine.22"
set export-to "root"
set mac-addr 02:09:0f:d3:0b:01
next
edit "port8"
set vlan "default.22"
set allowed-vlans "quarantine.22"
set untagged-vlans "quarantine.22"
set export-to "root"
set mac-addr 02:09:0f:d3:0b:01
next
end
next
end
The following is the relevant configuration of the WAN router. The DHCP server on `fol3` (VLAN 4094) hands the switches their 10.33.33.x addresses and, via `set wifi-ac1 172.17.1.254`, the FortiLink controller address they discover with `ac-discovery-type dhcp`. Note that `vci-match` on the string "FortiSwitch" only filters which clients receive a lease by their vendor class identifier — it is not authentication, and any host able to answer DHCP on that VLAN could steer the switches toward a different controller address, so keep VLAN 4094 limited to the FortiSwitch uplinks. Static route 2 (172.17.1.0/24 via 10.40.88.254 on `to_fgt`) is the forward path that complements the FortiGate's route back to 10.33.33.0/24. Also observe that `fol3` itself has `set allowaccess ping https ssh`, i.e. the router's administrative services are reachable from the switch management subnet:
WAN_ROUTER # show system interface to_fgt
config system interface
edit "to_fgt"
set ip 10.40.88.253 255.255.255.0
set allowaccess ping https ssh
set snmp-index 16
set vlanid 4088
set interface "internal"
next
end
WAN_ROUTER # show switch interface to_fgt
config switch interface
edit "to_fgt"
set native-vlan 4088
set snmp-index 14
next
end
WAN_ROUTER # show switch trunk to_fgt
config switch trunk
edit "to_fgt"
set mode lacp-active
set members "port7" "port8"
next
end
WAN_ROUTER # show system interface fol3
config system interface
edit "fol3"
set ip 10.33.33.254 255.255.255.0
set allowaccess ping https ssh
set snmp-index 17
set vlanid 4094
set interface "internal"
next
end
WAN_ROUTER # show system dhcp server
config system dhcp server
edit 1
set default-gateway 10.33.33.254
set dns-service local
set interface "fol3"
config ip-range
edit 1
set end-ip 10.33.33.99
set start-ip 10.33.33.1
next
end
set lease-time 300
set netmask 255.255.255.0
set ntp-service local
set vci-match enable
set vci-string "FortiSwitch"
set wifi-ac1 172.17.1.254
next
end
WAN_ROUTER # show switch interface fol3
config switch interface
edit "fol3"
set native-vlan 4094
set allowed-vlans 1001
set edge-port disabled
set snmp-index 15
next
end
WAN_ROUTER # show switch trunk fol3
config switch trunk
edit "fol3"
set mode lacp-active
set members "port5" "port6"
next
end
WAN_ROUTER # show router static 2
config router static
edit 2
set device "to_fgt"
set dst 172.17.1.0 255.255.255.0
set gateway 10.40.88.254
next
end
The following is the relevant configuration of the FortiSwitch MCLAG 1 (serial S108DVHFUKEFGG54, shown as `site1_mclag1` on the FortiGate). With `set ac-discovery-type dhcp` the switch takes the controller address from the DHCP option supplied by the WAN router; the `__FoRtILnk0L3__` trunk on port8 is the FortiLink uplink, `_FlInK1_ICL0_` on port7 is the MCLAG inter-chassis link, and both are marked `dhcp-snooping trusted`, which is expected only on uplinks/ICL, never on client-facing ports:
site1_mclag1 # show switch-controller global
config switch-controller global
set ac-discovery-type dhcp
end
site1_mclag1 # show switch trunk
config switch trunk
edit "__FoRtILnk0L3__"
set mode lacp-active
set mclag enable
set members "port8"
next
edit "_FlInK1_ICL0_"
set mode lacp-active
set auto-isl 1
set mclag-icl enable
set members "port7"
next
edit "8DVUBYKEFGG54-0"
set mode lacp-active
set auto-isl 1
set mclag enable
set members "port6"
next
edit "8DVD5FTEFGG54-0"
set mode lacp-active
set auto-isl 1
set mclag enable
set members "port5"
next
end
site1_mclag1 # show switch interface __FoRtILnk0L3__
config switch interface
edit "__FoRtILnk0L3__"
set native-vlan 4094
set allowed-vlans 1,444,555,777,4089-4093
set dhcp-snooping trusted
set snmp-index 12
next
end
site1_mclag1 # show switch interface _FlInK1_ICL0_
config switch interface
edit "_FlInK1_ICL0_"
set native-vlan 4094
set allowed-vlans 1,444,555,777,4089-4093
set dhcp-snooping trusted
set edge-port disabled
set snmp-index 13
next
end
site1_mclag1 # show switch physical-port port8
config switch physical-port
edit "port8"
set lldp-profile "default-auto-isl"
set speed auto
set storm-control-mode disabled
next
end
site1_mclag1 # show switch physical-port port7
config switch physical-port
edit "port7"
set l2-learning disabled
set lldp-profile "default-auto-mclag-icl"
set speed auto
set storm-control-mode disabled
set l2-sa-unknown forward
next
end
site1_mclag1 # show switch physical-port port6
config switch physical-port
edit "port6"
set lldp-profile "default-auto-isl"
set speed auto
next
end
site1_mclag1 # show switch physical-port port5
config switch physical-port
edit "port5"
set lldp-profile "default-auto-isl"
set speed auto
next
end
The following is the relevant configuration of the FortiSwitch MCLAG 2 (serial S108DVSPUKEFGG54, shown as `site1_mclag2` on the FortiGate). It mirrors MCLAG 1: port8 carries the `__FoRtILnk0L3__` FortiLink uplink, port7 the `_FlInK1_ICL0_` inter-chassis link, and ports 5 and 6 the MCLAG trunks toward the two access switches:
site1_mclag2 # show switch-controller global
config switch-controller global
set ac-discovery-type dhcp
end
site1_mclag2 # show switch trunk
config switch trunk
edit "_FlInK1_ICL0_"
set mode lacp-active
set auto-isl 1
set mclag-icl enable
set members "port7"
next
edit "__FoRtILnk0L3__"
set mode lacp-active
set mclag enable
set members "port8"
next
edit "8DVUBYKEFGG54-0"
set mode lacp-active
set auto-isl 1
set mclag enable
set members "port6"
next
edit "8DVD5FTEFGG54-0"
set mode lacp-active
set auto-isl 1
set mclag enable
set members "port5"
next
end
site1_mclag2 # show switch interface __FoRtILnk0L3__
config switch interface
edit "__FoRtILnk0L3__"
set native-vlan 4094
set allowed-vlans 1,444,555,777,4089-4093
set dhcp-snooping trusted
set snmp-index 13
next
end
site1_mclag2 # show switch interface _FlInK1_ICL0_
config switch interface
edit "_FlInK1_ICL0_"
set native-vlan 4094
set allowed-vlans 1,444,555,777,4089-4093
set dhcp-snooping trusted
set edge-port disabled
set snmp-index 12
next
end
site1_mclag2 # show switch physical-port port8
config switch physical-port
edit "port8"
set lldp-profile "default-auto-isl"
set speed auto
set storm-control-mode disabled
next
end
site1_mclag2 # show switch physical-port port7
config switch physical-port
edit "port7"
set l2-learning disabled
set lldp-profile "default-auto-mclag-icl"
set speed auto
set storm-control-mode disabled
set l2-sa-unknown forward
next
end
site1_mclag2 # show switch physical-port port6
config switch physical-port
edit "port6"
set lldp-profile "default-auto-isl"
set speed auto
next
end
site1_mclag2 # show switch physical-port port5
config switch physical-port
edit "port5"
set lldp-profile "default-auto-isl"
set speed auto
next
end
The following is the relevant configuration of the FortiSwitch access switch 1 (serial S108DVUBYKEFGG54, shown as `site1_access1` on the FortiGate). Its only uplink is the `_FlInK1_MLAG0_` trunk on port7/port8 toward the MCLAG pair, which is the sole interface that should be `dhcp-snooping trusted`; port1 and port2 are client ports with native VLANs 444 (`office`) and 555 (`access_point`) respectively, port2 additionally carrying VLANs 444 and 777 tagged for the access point:
site1_access1 # show switch-controller global
config switch-controller global
set ac-discovery-type dhcp
end
site1_access1 # show switch trunk
config switch trunk
edit "_FlInK1_MLAG0_"
set mode lacp-active
set auto-isl 1
set mclag enable
set members "port7" "port8"
next
end
site1_access1 # show switch interface _FlInK1_MLAG0_
config switch interface
edit "_FlInK1_MLAG0_"
set native-vlan 4094
set allowed-vlans 1,444,555,777,4089-4093
set dhcp-snooping trusted
set edge-port disabled
set snmp-index 13
next
end
site1_access1 # show switch physical-port port7
config switch physical-port
edit "port7"
set lldp-profile "default-auto-isl"
set speed auto
set storm-control-mode disabled
next
end
site1_access1 # show switch physical-port port8
config switch physical-port
edit "port8"
set lldp-profile "default-auto-isl"
set speed auto
set storm-control-mode disabled
next
end
site1_access1 # show switch interface port1
config switch interface
edit "port1"
set native-vlan 444
set allowed-vlans 4093
set untagged-vlans 4093
set snmp-index 1
next
end
site1_access1 # show switch interface port2
config switch interface
edit "port2"
set native-vlan 555
set allowed-vlans 444,777,4093
set untagged-vlans 4093
set snmp-index 2
next
end
The following is the relevant configuration of the FortiSwitch access switch 2 (serial S108DVD5FTEFGG54, shown as `site1_access2` on the FortiGate). It is configured identically to access switch 1: one `_FlInK1_MLAG0_` uplink trunk on port7/port8 and the same client-port VLAN assignments on port1 (native 444) and port2 (native 555, tagged 444 and 777):
site1_access2 # show switch-controller global
config switch-controller global
set ac-discovery-type dhcp
end
site1_access2 # show switch trunk
config switch trunk
edit "_FlInK1_MLAG0_"
set mode lacp-active
set auto-isl 1
set mclag enable
set members "port8" "port7"
next
end
site1_access2 # show switch interface _FlInK1_MLAG0_
config switch interface
edit "_FlInK1_MLAG0_"
set native-vlan 4094
set allowed-vlans 1,444,555,777,4089-4093
set dhcp-snooping trusted
set edge-port disabled
set snmp-index 13
next
end
site1_access2 # show switch physical-port port7
config switch physical-port
edit "port7"
set lldp-profile "default-auto-isl"
set speed auto
set storm-control-mode disabled
next
end
site1_access2 # show switch physical-port port8
config switch physical-port
edit "port8"
set lldp-profile "default-auto-isl"
set speed auto
set storm-control-mode disabled
next
end
site1_access2 # show switch interface port1
config switch interface
edit "port1"
set native-vlan 444
set allowed-vlans 4093
set untagged-vlans 4093
set snmp-index 1
next
end
site1_access2 # show switch interface port2
config switch interface
edit "port2"
set native-vlan 555
set allowed-vlans 444,777,4093
set untagged-vlans 4093
set snmp-index 2
next
end