FortiLink configuration using the FortiGate CLI
This section describes how to configure FortiLink using the FortiGate CLI. Fortinet recommends using the FortiGate GUI because the CLI procedures are more complex (and therefore more prone to error).
If you use one of the auto-discovery FortiSwitch ports, you can establish the FortiLink connection (single port or LAG) with no configuration steps on the FortiSwitch and with a few simple configuration steps on the FortiGate unit.
You can also configure FortiLink mode over a layer-3 network.
Summary of the procedure
- Configure FortiLink on a physical port or configure FortiLink on a logical interface.
- Configure NTP.
- Authorize the managed FortiSwitch unit.
- Configure DHCP.
Configure FortiLink on a physical port
Configure FortiLink on any physical port on the FortiGate unit and authorize the FortiSwitch unit as a managed switch.
In the following steps, port 1 is configured as the FortiLink port.
- If required, remove port 1 from the lan interface:
config system virtual-switch edit lan config port delete port1
end
end
end
- Configure port 1 as the FortiLink interface:
config system interface edit port1 set auto-auth-extension-device enable set fortilink enable
end
end
- Configure an NTP server on port 1:
config system ntp set server-mode enable set interface port1 end
- Authorize the FortiSwitch unit as a managed switch.
config switch-controller managed-switch edit FS224D3W14000370 set fsw-wan1-admin enable
end
end
NOTE: The FortiSwitch unit will reboot when you issue the set fsw-wan1-admin enable command.
Configure FortiLink on a logical interface
You can configure FortiLink on a logical interface: link-aggregation group (LAG), hardware switch, or software switch).
NOTE: LAG is supported on all FortiSwitch models and on FortiGate models FGT-100D and above. Hardware switch is supported on some FortiGate models.
Connect any of the FortiLink-capable ports on the FortiGate to the FortiSwitch. Ensure that you configure autodiscovery on the FortiSwitch ports (unless it is auto-discovery by default).
In the following procedure, port 4 and port 5 are configured as a FortiLink LAG.
- If required, remove the FortiLink ports from the lan interface:
config system virtual-switch edit lan config port delete port4 delete port5
end
end
end
- Create a trunk with the two ports that you connected to the switch:
config system interface edit flink1 (enter a name, 11 characters maximum) set ip 169.254.3.1 255.255.255.0 set allowaccess ping capwap https set vlanforward enable set type aggregate set member port4 port5 set lacp-mode static set fortilink enable
(optional) set fortilink-split-interface enable next
end
NOTE: If the members of the aggregate interface connect to more than one FortiSwitch, you must enable fortilink-split-interface.
- Authorize the FortiSwitch unit as a managed switch.
config switch-controller managed-switch edit FS224D3W14000370
set fsw-wan1-admin enable
end
end
NOTE: FortiSwitch will reboot when you issue the set fsw-wan1-admin enable command.
Enable multiple FortiLink interfaces
NOTE: Only the first FortiLink interface has GUI support.
Use the following command to enable or disable multiple FortiLink interfaces.
config switch-controller global set allow-multiple-interfaces {enable | disable}
end
FortiLink mode over a layer-3 network
This feature allows FortiSwitch islands (FSIs) to operate in FortiLink mode over a layer-3 network, even though they are not directly connected to the switch-controller FortiGate unit. FSIs contain one or more FortiSwitch units.
The following limitations apply to FSIs operating in FortiLink mode over a layer-3 network:
- All FortiSwitch units using this feature must be included in the FortiGate preconfigured switch table.
- No layer-2 data path component, such as VLANs, can span across layer 3 between the FortiGate unit and the FortiSwitch unit.
- All FortiSwitch units within an FSI must be connected to the same FortiGate unit.
- The FortiSwitch unit needs a functioning layer-3 routing configuration to reach the FortiGate unit or any featureconfigured destination, such as syslog or 802.1x.
- Do not connect a layer-2 FortiGate unit and a layer-3 FortiGate unit to the same FortiSwitch unit.
- If the FortiSwitch management port is used for a layer-3 connection to the FortiGate unit, the FSI can contain only one FortiSwitch unit. All switch ports must remain in standalone mode.
- Do not connect a FortiSwitch unit to a layer-3 network and a layer-2 network on the same segment.
- If the network has a wide geographic distribution, some features, such as software downloads, might operate slowly.
To configure a FortiSwitch unit to operate in a layer-3 network:
- Reset the FortiSwitch to factory default settings with the execute factoryreset
- Manually set the FortiSwitch unit to FortiLink mode:
config system global
set switch-mgmt-mode fortilink end
- Configure the discovery setting for the FortiSwitch unit. You can either use DHCP discovery or static discovery.
The default dhcp-option-code is 138.
To use DHCP discovery:
config switch-controller global set ac-discovery dhcp set dhcp-option-code <integer> end
To use static discovery:
config switch-controller global
set ac-discovery static
config ac-list
edit <id>
set ipv4-address <IPv4_address>
next
end
end
- Configure at least one port of the FortiSwitch unit as an uplink port. When the FortiSwitch is in FortiLink mode, VLAN 4094 is configured on an internal port, which can provide a path to the layer-3 network with the following commands:
config switch interface edit <port_number> set fortilink-l3-mode enable
end
end
NOTE: The NTP server must be configured on the FortiSwitch unit either manually or provided by DHCP. The NTP server must be reachable from the FortiSwitch unit.
Is it possible to remove the fortilink interface setting on a Fortigate 40F and add it to the hardware switch like interfaces 1-3 are by default? Won’t be using a Fortiswitch, so it’s just a burned port at this point.
Thanks and love your site!