FortiSwitch - Cookbook

FortiSwitch Cookbook
FORTINET DOCUMENT LIBRARY

https://docs.fortinet.com
FORTINET VIDEO GUIDE

https://video.fortinet.com
FORTINET BLOG
https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT

https://support.fortinet.com
FORTINET TRAINING & CERTIFICATION PROGRAM

https://www.fortinet.com/training-certification
NSE INSTITUTE
https://training.fortinet.com
FORTIGUARD CENTER
https://www.fortiguard.com
END USER LICENSE AGREEMENT

https://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK
Email: techdoc@fortinet.com
February 22, 2021

FortiSwitch Cookbook
TABLE OF CONTENTS
Capturing packets from a sniffer VLAN in a FortiLink setup 4

Remote sampling of a MAC address 4
Remote sampling of a FortiSwitch port 5
Setting up port-based 802.1x authentication in a FortiLink setup 6
Configuring the FortiGate and FortiSwitch units 6
Configuring the RADIUS server 13
Troubleshooting 21
Configuring Windows 10 25
Enterprise FortiSwitch secure access 31
Logging 31
FortiLink configuration 32
MCLAG configuration 36
IDF configuration 39
HA configuration 41
Validation 44
Security Fabric visibility 45
Bonus—FortiSwitch access 46
Interconnecting three sites with MCLAG 48
Adding the third site 49
Checking the topology 52
Relevant configuration 53
Carrying customer VLANs over a provider network 56
Configure the provider switches 57
Accept specific VLANs at the provider ingress 58
Assign different service tags at the provider ingress 59
Retag service VLANs 59
VLAN retagging/translation of regular 802.1Q traffic 61
MCLAG peer group managed with FortiLink over layer 3 62
Set up the FortiGate device 63
Configure the WAN router 65
Configure the site1_mclag1 switch 67
Authorize the site1_mclag1 switch 68
Configure the site1_mclag2 switch 70
Configure the FortiGate device 72
Configure the access switches 77
Finish the FortiSwitch configuration from the FortiGate device 78
Check the configuration 82
FortiSwitch Cookbook 3
Fortinet, Inc.
Capturing packets from a sniffer VLAN in a FortiLink setup
Capturing packets from a sniffer VLAN in a FortiLink

setup
This cookbook article documents how to capture packets on a VLAN that is being used as the network sniffer
(also known as the packet analyzer) and then send the packets to a remote destination.
To capture packets (mirror traffic) on the FortiSwitch fabric, you need to decide what traffic you want to examine.
The traffic can be specific switch ports, MAC addresses , or IP addresses. Then you can decide where to send
the packet capture (mirrored traffic) to. The destination can be the FortiGate unit, where you can use the local
FortiGate packet capture facility, or the destination can be somewhere else in the network (such as across the
network through the FortiGate unit or a device directly connected to the FortiSwitch fabric).
Remote sampling of a MAC address
The following is a basic FortiOS configuration for remote sampling:

config switch-controller traffic-sniffer
set erspan-ip 192.168.41.100 // the target IP address for the traffic, which is
routed through the FortiGate unit
config target-mac
edit 28:d2:44:ea:e7:8e // a specific MAC address you want to examine
next
Fortinet, Inc.
Capturing packets from a sniffer VLAN in a FortiLink setup
end
end
In this example, the IP address is a remote end station (such as a desktop PC connected to a network, which is
accessed through the FortiGate unit). The traffic is delivered to the FortiGate unit and then routed to the PC
where you can use a packet analyzer to examine it. Specific targeted MAC addresses or IP addresses are only
sampled when the traffic enters the FortiSwitch fabric (the network perimeter), so you only see one copy of the
frame in the sampling.
Remote sampling of a FortiSwitch port
One common use case is to enable sniffing on a FortiSwitch port for quick debugging.
FortiGate-100E # config switch-controller traffic-sniffer
set erspan-ip 10.254.253.254 // the traffic is sent only to the FortiGate unit
config target-port
edit "S424DP3X17000354"
set in-ports "port1" // mirror all traffic to/from the switch port to
FortiGate
set out-ports "port1"
next
end
end
Fortinet, Inc.
Setting up port-based 802.1x authentication in a FortiLink setup
Setting up port-based 802.1x authentication in a

FortiLink setup
This cookbook article documents how to set up port-based 802.1x authentication. The following tasks are
covered:
l Configuring the FortiGate and FortiSwitch units on page 6
l Configuring the RADIUS server on page 13
l Configuring Windows 10 on page 25
802.1x is an IEEE Standard for port-based Network Access Control (PNAC).
The following are the main parts of 802.1x authentication:
l A supplicant—the user or client that wants to be authenticated
l An authentication server—the actual server doing the authentication, typically a RADIUS server. It decides
whether to accept the end userʼs request for full network access.
l An authenticator—a network device that provides a data link between the client and the network and can
allow or block network traffic between the two, such as an Ethernet switch or wireless access point
802.1x uses the Extensible Authentication Protocol (EAP) to facilitate communication from the supplicant to the
authenticator and from the authenticator to the authentication server.
Configuring the FortiGate and FortiSwitch units
This section shows how to configure port-based 802.1x authentication with managed FortiSwitch ports when
using FortiLink and how to troubleshoot the configuration.
Fortinet, Inc.
1. Log on to your FortiGate unit.

2. Go to User & Device > RADIUS Servers and select Create New.
3. Make the following changes:
l In the Name field, enter a name for your RADIUS server. The name can match the Windows server
name to make it easier to identify.

l Select Specify for the authentication method and select MS-CHAP-v2.
l In the NAS IP field, enter the IP address of your RADIUS server.
l In the Primary Server area, enter the IP address of your RADIUS server again.
l In the Secret field, enter the secret password that you configured in the RADIUS client settings.
4. Select Test Connectivity.

You should get a green response saying that the connectivity is successful.
NOTE: The Test User Credentials button does not work with MS-CHAP-v2. The button is designed to
function only with the insecure Password Authentication Protocol (PAP). With MS-CHAP-v2 configured,
you will always receive a failure message if you select this button.
5. To complete a successful user test, run a command from the FortiOS command line:
FortiGate# diagnose test authserver radius RADIUSSERVERNAME mschap2 username

password
The following is the successful output of this command:
6. Create a user group:

a. Go to User & Device > User Groups and select Create New.
b. In the Group field, enter a name for the user group.
c. Select Firewall as the type.
d. Select OK to create the user group.
Fortinet, Inc.
7. Create the FortiSwitch/FortiLink VLAN interface.

a. Go to WiFi & Switch Controller>FortiSwitch VLANs and select Create New.
The following figure shows the configured FortiSwitch/FortiLink VLAN interface.
b. Check the configuration in the FortiOS CLI:
FWF60D4615010908 # show system interface LAGuest

config system interface
edit "LAGuest"
set vdom "root"
set ip 172.16.34.254 255.255.255.0
set allowaccess ping
set device-identification enable
set device-identification-active-scan enable
set role lan
set snmp-index 12
set switch-controller-dhcp-snooping enable
set interface "internal7"
set vlanid 34
next
end
FWF60D4615010908 # show system interface LALanSecure

edit "LALanSecure"
set vdom "root"
set ip 172.16.32.254 255.255.255.0
set allowaccess ping https ssh http capwap
Fortinet, Inc.
set alias "--HQ Secure LAN"

set device-identification-active-scan enable
set fortiheartbeat enable
set role lan
set snmp-index 14
set switch-controller-dhcp-snooping enable
set interface "internal7"
set vlanid 32
next
end
8. Configure the 802.1x settings in the FortiOS CLI:
config switch-controller 802-1X-settings

set link-down-auth set-unauth
set reauth-period 60
set max-reauth-attempt 2
end
9. Configure the 802.1x security policy in the FortiOS CLI:
config switch-controller security-policy 802-1X

edit "LASecure_802-1X-policy"
set user-group "Radius-Group"
set mac-auth-bypass disable
set open-auth disable
set eap-passthru enable
set guest-vlan enable
set guest-vlan-id "LAGuest" // same as auth-fail-vlan
set guest-auth-delay 60
set auth-fail-vlan enable // use a specific VLAN upon authentication failure
set auth-fail-vlan-id "LAGuest"
set radius-timeout-overwrite enable
next
end
If you want to reduce the time delay in recovering from auth-fail-vlan when an 802.1X failure
happens, reduce the max-reauth-attempt and guest-auth-delay settings.
10. Apply the port security policy to the FortiSwitch port in the FortiOS CLI:
config switch-controller managed-switch

edit "FS108D3W15000509"
set fsw-wan1-peer "internal7"
set fsw-wan1-admin enable
set version 1
set dynamic-capability 71836
config ports
edit "port2"
set poe-capable 1
set vlan "LALanSecure"
set allowed-vlans "LAGuest"
set port-security-policy "LASecure_802-1X-policy" // use “port-based”
authentication
set export-to "root"
next
Fortinet, Inc.
end
next
end
11. Configure the firewall policy for the FortiSwitch connection to the RADIUS server, as shown in the following
figure:
Fortinet, Inc.
12. Configure the firewall policy for the VLAN interface to the Internet, as shown in the following figure:
To troubleshoot your configuration:
1. In the FortiOS CLI, verify that the connection from the FortiGate unit to the FortiSwitch unit is up:
exec switch-controller get-conn-status
2. In the FortiSwitchOS CLI, you can check if the authentication. The following output shows a successful
authentication:
FS108D3W15000509 # diagnose switch 802-1x status port2

port2 : Mode: port-based (mac-by-pass disable)
Link: Link up
Port State: authorized ( )
Dynamic Authorized Vlan : 0
EAP pass-through mode : Enable
Native Vlan : 32
Allowed Vlan list: 32
Untagged Vlan list:
Guest Vlan : 34 Guest Auth Delay :120
Auth-Fail Vlan : 34
Sessions info:
54:e1:ad:4a:2d:6b Type=802.1x,PEAP,state=AUTHENTICATED,etime=0,eap_cnt=10
params:reAuth=600
Fortinet, Inc.
The following output shows a failed authentication:
FS108D3W15000509 # diagnose switch 802-1x status port2

port2 : Mode: port-based (mac-by-pass disable)
Link: Link up
Port State: unauthorized ( )
Dynamic Authorized Vlan : 0
EAP pass-through mode : Enable
Native Vlan : 32
Allowed Vlan list: 32
Untagged Vlan list:
Guest Vlan : 34 Guest Auth Delay :120
Auth-Fail Vlan : 34
Sessions info:
54:e1:ad:4a:2d:6b Type=802.1x,IDENTITY,state=HELD,etime=0,eap_cnt=5
params:reAuth=600
FS108D3W15000509 # diagnose switch vlan list 32
VlanId Ports
______ ___________________________________________________
32 port2 port10
After a wrong password being entered, port2 is removed from VLAN 32 (LALanSecure) and is replaced by
VLAN 34(LAGuest).

VlanId Ports
______ ___________________________________________________
32 port10

VlanId Ports
______ ___________________________________________________
34 port1 port2 port10
After a successful authentication, port2 is moved to VLAN 32 (LALanSecure) and removed from VLAN 34
(LAGuest).

VlanId Ports
______ ___________________________________________________
32 port2 port10

VlanId Ports
______ ___________________________________________________
34 port1 port10
NOTE: When you replace an existing RADIUS server with a new one, the configuration is not updated in the
FortiSwitch unit. Use the following procedure to update the RADIUS server configuration in the FortiSwitch unit:
1. Use the FortiGate unit to access the FortiSwitch using SSH.
2. Remove the configuration associated with the existing RADIUS server. Use the following commands to find
the existing RADIUS server configuration:
Fortinet, Inc.
show user group

show user radius
3. To synchronize the configuration with the FortiSwitch unit:
exe switch-controller trigger-config-sync
4. Verify that the FortiGate unit and the FortiSwitch unit are synchronized:
exe switch-controller get-sync-status all
Configuring the RADIUS server
This section shows how to configure the RADIUS server to accept port-based 802.1x authentication. This
example shows how to install and configure RADIUS in Windows Server 2016.
1. Log in to the Windows Server 2016 that you plan to use as your RADIUS server.
2. Launch the Server Manager and select Manage from the top right.
3. Select Add Roles and Features to launch the wizard.
4. From the wizard page, select Network Policy and Access Services, as shown in the following figure:
Fortinet, Inc.
5. Select Next and then select Finish to start the installation. No reboot is required.
6. After the installation is complete, select Tools from the Server Manager and then select Network Policy
Server.
7. Right-click on RADIUS Clients and select New to display the new RADIUS client dialog box. Use the
following procedure to configure the RADIUS clients:
a. Select the Enable the RADIUS client checkbox.
b. Enter a name for your RADIUS server, such as FGTAuth.
c. Enter the IP address of the FortiGate unit that is used to access the RADIUS server. Typically, this is
the interface in the FortiGate unit with the same network as the RADIUS server. Otherwise, this will be
the IP address you have configured as the source-ip in the user RADIUS settings in FortiOS.
d. In the Shared Secret area, keep Manual selected and enter a password in the Shared secret field.
NOTE: This password must match the FortiGate RADIUS server settings.
e. Select OK.
Fortinet, Inc.
8. Under the Policies section of the NPS Snap-in, right-click Connection Request Policies and select New.
l In the Overview tab, enter a name for the policy, such as FGTAUth.
l Select the Policy enabled check box.
l Leave the type of network access server as Unspecified.
Fortinet, Inc.
9. Select the Conditions tab.

a. Select Add and then select the Client IPv4 Address condition.
b. Select Add again and enter the IP address of the RADIUS client, which is the IP address of the
FortiSwitch unit.
c. Enable the NAT to the firewall policy from the FortiLink interface to the interface in which the RADIUS
server is routed. In this example, it is the wan1 interface with an IP address of 172.17.96.6.
10. Select the Settings tab.

a. Select Vendor Specific and then select Add.
b. Scroll to the very bottom of the list and select Vendor-Specific.
c. Select Add.
Fortinet, Inc.
11. Configure a network policy.

a. From the Network Policy Server Snap-in, right-click on Network Policies and select New.
b. Enter a name for the policy, such as FGTAuth.
c. On the Overview tab, make sure that Policy enabled checkbox is selected.
d. Verify that Grant access is selected.
e. Verify that the type of network access server is set to Unspecified.
12. Select the Conditions tab.

a. Select Add.
b. Select Windows Groups and then select Add.
c. Select Add Groups.
d. Enter the name of the group in AD that you want to allow for 802.1x connections.
e. Select OK.
Fortinet, Inc.
13. In the Constraints tab, verify that the following check boxes are selected, select Apply, and then select OK
to complete the policy.
Fortinet, Inc.
14. To verify the server certificate used by Microsoft Protocol EAP (PEAP), select Edit, and then select the
certificate for the server to prove its identity to the client.
15. Download the certificate that you selected and save it in the Trusted Root Certificate Authorities directory of
the local PC.
Fortinet, Inc.
16. Under Certification Authority (Local), make certain that the settings match those in the following figure.
Otherwise, you will receive an authentication failure with the following reason: “The client could not be
authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the
server.”
Fortinet, Inc.
Troubleshooting
The best way to troubleshoot 802.1x connections is by looking at the Event Viewer of the Windows Server.
Under Server Roles, check the output of the Network Policy and Access Services.
The following figure shows the successful output of an 802.1x connection from the PC:
Fortinet, Inc.
Issue 1: The certificate chain was issued by an authority that is not trusted.
Fortinet, Inc.
To fix this issue, import the CA certificate into the local machine and add it to the Trusted Root Certification
Authorities.
Fortinet, Inc.
Issue 2: The specified user does not exist.
To fix this issue, under Advanced settings, you can specify whether you want user authentication, computer
authentication, or both.
Fortinet, Inc.
Configuring Windows 10
This section shows how to configure Windows 10 for 802.1x user authentication.
1. Select Start, right-click Computer, select Manage, and then select Services and Applications.
2. In the details pane, double-click Services and then do one of the following:
l To configure the startup type, right-click Wired AutoConfig, and then select Properties. In Startup type,
select Automatic and then select Start.

l To start the service for the current session only, right-click Wired AutoConfig and then select Start.
3. Install the RADIUS serverʼs certificate to the PC, as shown in the following figure:
Fortinet, Inc.
4. In the properties of the network connection, navigate to the Authentication tab, and make sure the Enable
IEEE 802.1X authentication check box is selected.
5. Select Settings.
Fortinet, Inc.
6. To select the Certificate Authority (CA) that the RADIUS serverʼs certificate uses, import the CA certificate
into the local machine and save it in the Trusted Root Certification Authorities directory. If you purchased
an SSL certificate from a major CA (such Verisign or GoDaddy), Windows should have the CA loaded and
listed already.
Fortinet, Inc.
7. Under Advanced settings, you can specify whether you want user authentication.
Fortinet, Inc.
8. Make sure the Wired AutoConfig service is set up for automatic startup, as shown in the following figure.
The Wired AutoConfig service allows Windows to interact with 802.1x.
9. To verify that the PC successfully connects, check the network connections. Look for the Ethernet port and
make sure that there is no “Authentication failed” message.
10. When the authentication succeeds, you should get an IP address from the right VLAN, as shown in the
following figure:
Fortinet, Inc.
11. When the authentication fails, you should get the IP address from the auth-fail-vlan VLAN, as shown in the
following figure:
Fortinet, Inc.
Enterprise FortiSwitch secure access
This cookbook article documents a highly resilient 2-tier FortiSwitch architecture (faster convergence) that take
advantage of the full performance (bandwidth utilization) offered by MCLAG (multichassis LAG).
The FortiGates, for the exercise, are under FortiOS 6.0.1 and FortiSwitch at 6.0 or 3.6.6 (depending on platform
compatibility). FortiSwitch must be at least at 3.6.4 in order to deploy MCLAG with access ring.
Also ensure that the FortiSwitch models used for MCLAG supports the feature: FortiSwitch Datasheet
In the end, the topology above will be deployed.
Logging
Increase the level of logging to follow the deployments steps.
Fortinet, Inc.
FortiLink configuration
1. From Network > Interfaces, create a 802.3ad port

2. Add the two member ports that will form the LAG and will be interconnected from the FortiGate-Master to
the distribution 1 and 2.
3. Select the addressing mode “Dedicated to FortiSwitch.”
4. By default, the FortiLink segment is configured in an APIPA address range. In the present context, we will
make sure that this segment is routable in order to validate certain metrics on the FortiSwitch GUI. Ensure
in an enterprise context that this environment is accessible only through legitimate and restricted privileges.
5. For the purpose of the exercise, we will ensure that FortiSwitch are not automatically authorized to validate
certain steps. But it is quite possible to speed up the process and allow automatic authorization.
6. Make sure at first that split interface is enabled (until MCLAG configuration).
Fortinet, Inc.
7. Connect the FG1-Master to Disti-1 (port9 to port48).
8. Confirm the discovery of the FortiSwitch unit in the logs.
9. Authorize the Disti-1 thereafter.
Fortinet, Inc.
10. At this point, the switch will reboot and will be converted from standalone to managed mode.
11. The switch receives an IP address in the previously configured segment.
12. The CAPWAP tunnel will appear as UP in the logs.
13. Disti-1 will now be managed.
14. Link the Distribution 1 to Distribution 2 as follows:
Fortinet, Inc.
15. Allow the addition of the Disti2.
Fortinet, Inc.
MCLAG configuration
1. Connect in CLI to Disti2.
2. Enable MCLAG-ICL on the trunk toward Disti-1.
3. Which will result in the following confirmation at log level:
4. Connect to the Disti-1 in the CLI:
5. Enable MCLAG-ICL on the trunk toward Disti-2.
Fortinet, Inc.
6. Disable the split interface from FortiLink and enable automatic authorization.
7. Close the loop from the Disti-2 to the second port of the FortiLink LAG of the FortiGate Master.
Fortinet, Inc.
8. Resulting FortiSwitch presentation:
9. You can validate the consistency at the MCLAG level using the following command:
Fortinet, Inc.
10. Several other commands allow you to diagnose the feature:

o On FortiGate: diagnose netlinkaggregate name fortilink
o On FortiSwitch Disti: diagnose switch trunk list __FoRtI1LiNk0__
o On FortiSwitch Disti: diagnose switch mclag list __FoRtI1LiNk0__
o On FortiSwitch Disti: diagnose switch mclag icl
IDF configuration
1. Interconnect the Disti-1, cascading the switches that make up the stack of the IDF, as follows:
2. All that remains is to connect the IDF-3 to the Disti-2.
Fortinet, Inc.
Fortinet, Inc.
HA configuration
1. Configure HA in active-passive mode.
2. Make sure the configuration is well synchronized
3. Connect the balance of the links in order to coherently replicate the wiring of the FortiGate Master and
FortiGate Slave, as follows:
Fortinet, Inc.
4. This configuration results in the managed FortiSwitch units.
5. Finalize by doubling the ICL links between the two distribution switches.
Fortinet, Inc.
6. Validate the automatic integration into the trunk (LAG).
Fortinet, Inc.
Validation
1. To ensure the robustness of the topology, create a test VLAN that will be assigned, for example, to one of
the IDF switches.
Fortinet, Inc.
2. Allow access to the Internet.
3. You should be able to reboot the FortiGate-Master, remove some links (Disti1 port to IDF-1 in this case),
generate HA balancing using the loss of the monitored link (WAN), and see at most only the loss of some
packets:
Security Fabric visibility
With the Security Fabric, in addition to extend your control and protection, you get unparalleled end-to-end
visibility:
Fortinet, Inc.
Bonus—FortiSwitch access
1. To access the FortiSwitch unit, configure a policy in the CLI.
2. The configured policy appears in the GUI.
Fortinet, Inc.
3. This policy allows you to get access to the FortiSwitch unit.
4. The hardware configuration is as follows:
Fortinet, Inc.
Interconnecting three sites with MCLAG
This cookbook article describes how to add a third site that interconnects a third MCLAG peer group with the
existing redundancy between two sites. The links between sites 1 and 3 and sites 2 and 3 are independent;
therefore, loops are avoided by using the Spanning Tree Protocol (STP).
The following tasks are covered:
1. Adding the third site on page 49
2. Checking the topology on page 52
3. Relevant configuration on page 53
This cookbook article assumes that sites 1 and 2 are already deployed. See the “HA-mode FortiGate units in
remote sites” section in the FortiSwitch Managed by FortiOS 6.4 guide.
You can refer to the following topics for more information:
l HA-mode FortiGate units in remote sites
l FortiSwitch Managed by FortiOS 6.4
l MCLAG topologies
Fortinet, Inc.
Adding the third site
Perform the following steps on the primary FortiGate device:

1. Connect to the Site1_FSW1 and Site2_FSW1 CLI and use the config switch auto-isl-port-
group command to group the ports going to site 3. See the “MCLAG topologies” section in the FortiSwitch
Managed by FortiOS 6.4 guide.
2. Connect the MCLAG peer switches Site3_FSW1 and Site3_FSW2 to site 1 only and authorize the two
switches on the FortiGate device.
3. Connect to the Site3_FSW2 CLI and use the config switch auto-isl-port-group command to
group the ports going to site 2. See the “MCLAG topologies” section in the FortiSwitch Managed by FortiOS
6.4 guide.
4. Connect to the Site3_FSW1 CLI and use the config switch auto-isl-port-group command to
group the ports going to site 1. The group name must be different than the one in the previous step. See the
“MCLAG topologies” section in the FortiSwitch Managed by FortiOS 6.4 guide.
5. In the primary FortiGate CLI, set the LLDP profile to default-auto-mclag-icl on the ports used for the
MCLAG ICL in the Site3_FSW1 and Site3_FSW2 switches. Wait until the MCLAG peer group is formed
between the two switches. See the following figure.
6. Connect Site3_FSW2 to Site2_FSW1 to form the connection between sites 2 and 3. Wait until the topology
converges. See the following figure. The link between sites 1 and 3 is blocked by the Spanning Tree
Fortinet, Inc.
Protocol to avoid forming a loop.
Fortinet, Inc.
7. Connect to Site3_FSW3 and authorize it on the FortiGate device.
Fortinet, Inc.
Checking the topology
The final topology is shown in the following figure.
You can use the FortiOS CLI to display the final topology as well.
Fortinet, Inc.
Relevant configuration
Check the relevant FortiGate configuration:

FGT500E-1 # config switch-controller managed-switch
FGT500E-1 (managed-switch) # edit S426EFTF19000243
FGT500E-1 (S426EFTF19000243) # config ports
FGT500E-1 (ports) # edit port25
FGT500E-1 (port25) # show

config ports
edit "port25"
set lldp-profile "default-auto-mclag-icl"
next
end
FGT500E-1 (port25) # n

config ports
edit "port26"
next
Fortinet, Inc.
end
FGT500E-1 (port26) # end
FGT500E-1 (S426EFTF19000243) # n
FGT500E-1 (managed-switch) # edit S426EFTF19000296
FGT500E-1 (S426EFTF19000296) # config ports

config ports
edit "port25"
next
end
FGT500E-1 (port25) # n

config ports
edit "port26"
next
end
FGT500E-1 (port26) # end
FGT500E-1 (S426EFTF19000296) # end
Check the relevant FortiSwitch configuration:

Site1_FSW1 # show switch auto-isl-port-group
config switch auto-isl-port-group
edit "TO_SITE_3"
set members "port48"
next
end

edit "TO_SITE_3"
set members "port48"
next
end

edit "TO_SITE_1"
set members "port2"
next
end
Fortinet, Inc.

edit "TO_SITE_2"
set members "port2"
next
end
Fortinet, Inc.
Carrying customer VLANs over a provider network
This cookbook article is for FortiSwitch units in standalone mode.
This cookbook article describes how to use VLAN stacking (QinQ) to carry customer VLANs over a service
provider network. The following tasks are covered:
1. Configure the provider switches on page 57
2. Accept specific VLANs at the provider ingress on page 58
3. Assign different service tags at the provider ingress on page 59
4. Retag service VLANs on page 59
5. VLAN retagging/translation of regular 802.1Q traffic on page 61
There are two customers, Customer Red and Customer Green, each with two FortiSwitch units. They are
connected to the three FortiSwitch units belonging to the service provider.
l Customer Red is using VLANs 10-15, VLAN 30, and untagged VLAN 60 to connect to port1 of the provider
switches PSW1 and PSW3. The provider is using port3 to connect to Customer Red through VLANs 10-15,
VLAN 30, and untagged VLAN 60.
l Customer Green is using VLANs 20, 40, and 50 to connect to port2 of the provider. The provider is using
port3 to connect to Customer Green through VLANs 20, 40, and 50.
Provider switches
The service provider is using VLANs 100 and 200 to connect the three provider switches.
Fortinet, Inc.
For the customer port, the provider switches PSW1 and PSW3 have QinQ enabled with all tags accepted at
ingress. The switches has the “native-vlan” as the service VLAN for the customer port, and allowed-vlans are
not used. The inner tag needs to be set or removed for untagged traffic on the customer port.
For the provider port, the provider switches PSW1 and PSW3 have QinQ disabled with regular allowed-vlans for
each service VLAN. If the default VLAN TPID profile of 0x8100 is not being used, you need to specify the VLAN
TPID profile with the set vlan-tpid command.
The provider switch PSW2 has QinQ disabled with regular allowed-vlans for each service VLAN. If the default
VLAN TPID profile of 0x8100 is not being used, you need to specify the VLAN TPID profile with the set vlan-
tpid command. For QinQ, use a VLAN TPID profile of 0x88a8.
Customer switches
The customer switches use simple 802.1Q VLANs. They are unaware of QinQ.
Configure the provider switches
You need to configure the provider switches PSW1, PSW2, and PSW3.
To configure the customer ports port1 and port2 of PSW1 and PSW3:
config switch interface

edit "port1"
set native-vlan 100
config qnq
set status enable
set add-inner 60
set remove-inner enable
end
next
end

edit "port2"
set native-vlan 200
config qnq
set status enable
end
next
end
You can use VLAN mapping to accept only specific customer VLANs. See Accept specific VLANs at the
provider ingress on page 58.
To configure the service provider port port3 of PSW1 and PSW3:

edit "port3"
set allowed-vlans 100,200
set vlan-tpid “qnq”
next
end
Fortinet, Inc.
config switch vlan-tpid

edit "qnq"
set ether-type 0x88a8
next
end
To configure the service provider ports port1 and port2 of PSW2:

edit "port1"
set vlan-tpid "qnq"
next
end

edit "port2"
set vlan-tpid "qnq"
next
end

edit "qnq"
next
end
Non-edge provider switches can use VLAN mapping to retag services VLANs. See Retag service VLANs on
page 59.
Accept specific VLANs at the provider ingress
Optionally, you can accept specific VLANs at the provider ingress on PSW1 and PSW3. To do this, use VLAN
mapping inside QinQ. You need to enable vlan-mapping-miss-drop and specify each customer and the
corresponding service tags. For example:
config vlan-mapping
edit 1
set match-c-vlan 10
set new-s-vlan 100
next
end
Service tags must be listed as allowed-vlans.

The following example accepts only VLAN 10.
edit "port1"
set native-vlan 100
config qnq
set status enable
set vlan-mapping-miss-drop enable
Fortinet, Inc.
config vlan-mapping
edit 1
set match-c-vlan 10
set new-s-vlan 100
next
end
next
end
Assign different service tags at the provider ingress
Optionally, you can assign different service tags at the provider ingress on PSW1 and PSW3. To do this, use
VLAN mapping inside QinQ. You need to specify each customer and the corresponding service tags. Service
tags must be listed as allowed-vlans. Different service tags might be needed for QoS purposes.
edit "port1"
set native-vlan 100
config qnq
set status enable
config vlan-mapping
edit 1
set match-c-vlan 10
set new-s-vlan 100
next
edit 2
set match-c-vlan 20
set new-s-vlan 120
next
end
end
next
end
Retag service VLANs
The following figure shows the topology for the non-edge provider PSW2 receiving QinQ traffic from the
provider edge switch PSW1 on port1 with customer VLAN 350 and service-tag 1000. The traffic is then sent out
on port2 with service-tag 3000, preserving the customer VLAN. The reverse is done for traffic coming on port2
and leaving port1. In this example, the service VLAN retagging operation is done on the ingress port.
Fortinet, Inc.
The following is the configuration of the provider port port1 of PSW2:

edit "port1"
set allowed-vlans 1-4094
config vlan-mapping
edit 1
set direction ingress
set match-c-vlan 350
set action replace
set new-s-vlan 3000
next
end
set vlan-tpid "qnq"
next
end

edit "qnq"
next
end
The following is the configuration of the provider port port2 of PSW2:

edit "port2"
set allowed-vlans 1-4094
config vlan-mapping
edit 1
set direction ingress
set match-c-vlan 350
set action replace
set new-s-vlan 1000
next
end
set vlan-tpid "qnq"
next
end
Fortinet, Inc.
You can also apply service VLAN retagging on egress. In this case, the match is done on the service tag. If you
choose action replace, the new service VLAN must be specified. If you choose action delete, the
service tag is removed, and the frame is forwarded with only the customer VLAN.
VLAN retagging/translation of regular 802.1Q traffic
You can use ACLs (to match the VLAN and set the action of the outer-vlan-tag) to retag or translate VLANs with
regular 802.1Q traffic.
config switch acl ingress
edit 1
config action
set outer-vlan-tag 2333
end
config classifier
set vlan-id 350
end
set ingress-interface "mclag-761_419"
next
end
On some FortiSwitch models, you can also apply an ACL on the prelookup and egress stages. The
configuration is similar to the configuration in this section and is done under the config switch acl
prelookup or config switch acl egress commands, respectively.
Fortinet, Inc.
MCLAG peer group managed with FortiLink over layer 3
MCLAG peer group managed with FortiLink over layer

3
This cookbook article describes how to configure a multichassis link aggregation group (MCLAG) peer group
that is managed with FortiLink over layer 3. The following tasks are covered:
1. Set up the FortiGate device on page 63
2. Configure the WAN router on page 65
3. Configure the site1_mclag1 switch on page 67
4. Authorize the site1_mclag1 switch on page 68
5. Configure the site1_mclag2 switch on page 70
6. Configure the FortiGate device on page 72
7. Configure the access switches on page 77
8. Finish the FortiSwitch configuration from the FortiGate device on page 78
9. Check the configuration on page 82
Assumptions
The following tasks must be done before starting this procedure:

l The FortiGate device is already configured with an interface towards the WAN router.
l The FortiGate device is already managing FortiSwitch units connected locally, and different VLANs are
needed in the remote FortiSwitch units.
Fortinet, Inc.
l The WAN router has an 802.3ad link aggregation group (LAG) connected to the FortiSwitch MCLAG peer
group, and the WAN router is VLAN-capable. (An untagged VLAN is needed for FortiSwitch control, and
tagged VLANs are needed for user data traffic.)
Configuration summary
Here is a summary of the procedure:

1. On the FortiGate device:
a. Configure the routing so the FortiGate unit can reach the FortiSwitch units.
b. Configure a dedicated FortiLink interface to control the FortiSwitch units connected to the FortiGate
device from remote locations.
c. Configure a firewall policy to allow the connections from the FortiSwitch units.
2. On the WAN router, configure an untagged interface or VLAN on the LAG connected to the FortiSwitch
units. Assign an IP address and DHCP service, including the Network Time Protocol (NTP) server and
option 138 (the switch controller IP address).
3. On the site1_mclag1 FortiSwitch unit in the MCLAG peer group:
a. Enable FortiLink mode.
b. Set the switch-controller discovery type to DHCP.
c. Enable FortiLink over layer 3 on the switch interface connected to the WAN router and enable the Link
Aggregation Control Protocol (LACP) on the newly formed trunk.
4. On the FortiGate device, authorize and name the site1_mclag1 FortiSwitch unit.
5. On the site1_mclag2 FortiSwitch unit in the MCLAG peer group:
a. Authorize and name the site1_mclag2 FortiSwitch unit.
b. Enable the MCLAG peer group.
c. Connect to the CLI of the site1_mclag2 FortiSwitch unit and enable FortiLink over layer 3 on the switch
interface connected to the WAN router. Enable LACP on the newly formed trunk.
d. Connect to the CLI of the site1_mclag1 FortiSwitch unit and enable MCLAG on the trunk connected to
the WAN router.
7. On the access FortiSwitch units:
a. Authorize and name the access FortiSwitch units.
b. Create FortiSwitch VLANs and assign them to FortiSwitch ports.
Set up the FortiGate device
1. Configure the routing so that the FortiGate device can reach the FortiSwitch units. For example, the
following figure shows a static route to the network destination 10.33.33/24 used by the FortiSwitch units.
The gateway IP address is 10.40.88.253, which is the address of the interface of the WAN router
connected to the FortiGate unit.
Fortinet, Inc.
2. Configure a dedicated FortiLink interface to control the FortiSwitch units connected to the FortiGate device
from remote locations. Use the CLI to configure the dedicated FortiLink interface, and then the interface will
be listed in the FortiLink interface list in the GUI. Set the interface type to aggregate, specify the IP
address, enable FortiLink, and set the source IP address of the switch controller to use a fixed IP address
from the FortiLink interface itself.
FGT_Switch_Controller # config system interface

FGT_Switch_Controller (interface) # edit fol3_wan
FGT_Switch_Controller (fol3_wan) # set vdom root
FGT_Switch_Controller (fol3_wan) # set type aggregate
FGT_Switch_Controller (fol3_wan) # set ip 172.17.1.254/24
FGT_Switch_Controller (fol3_wan) # set fortilink enable
FGT_Switch_Controller (fol3_wan) # set switch-controller-source-ip fixed
FGT_Switch_Controller (fol3_wan) # end
3. Configure a firewall policy to allow the connections from the FortiSwitch units. The service is CAPWAP
(UDP port 5246). Configure the policy in the GUI first, specifying that the destination interface is the same
as the source interface.
Then edit the policy in the CLI and change the destination interface to the FortiLink interface.
Fortinet, Inc.
FGT_Switch_Controller # config firewall policy

FGT_Switch_Controller (policy) # edit 5
FGT_Switch_Controller (5) # show
config firewall policy
edit 5
set name "fsw_to_fol3_wan"
set uuid 98af1592-354d-51eb-e09e-8d8000c0663a
set srcintf "wan"
set dstintf "wan"
set srcaddr "fsw"
set dstaddr "fol3_wan_IP"
set action accept
set schedule "always"
set service "CAPWAP" "ALL_ICMP"
next
end
FGT_Switch_Controller (5) # set dstintf fol3_wan
FGT_Switch_Controller (5) # end
The firewall policy is listed in the GUI.
Configure the WAN router
Configure an untagged interface or VLAN on the LAG connected to the FortiSwitch units. Assign the IP address
and DHCP service, including NTP and option 138 (the switch controller IP address).
Fortinet, Inc.
For the purpose of this procedure, the WAN router is a FortiSwitch unit in standalone mode. The DHCP server is
using vendor class identifier (VCI) matching to restrict the IP assignment to FortiSwitch units only.
config router static
edit 2
set device "to_fgt"
set dst 172.17.1.0 255.255.255.0
set gateway 10.40.88.254
next
end

edit "to_fgt"
set ip 10.40.88.253 255.255.255.0
set allowaccess ping https ssh
set snmp-index 16
set vlanid 4088
set interface "internal"
next
end

edit "to_fgt"
set native-vlan 4088
set snmp-index 14
next
end
config switch trunk

edit "to_fgt"
set mode lacp-active
set members "port7" "port8"
next
end

edit "fol3"
set ip 10.33.33.254 255.255.255.0
set snmp-index 17
set vlanid 4094
next
end

edit "fol3"
set allowed-vlans 1001
set edge-port disabled
set snmp-index 15
next
end
config switch trunk

edit "fol3"
Fortinet, Inc.

next
end
config system dhcp server

edit 1
set default-gateway 10.33.33.254
set dns-service local
set interface "fol3"
config ip-range
edit 1
set end-ip 10.33.33.99
set start-ip 10.33.33.1
next
end
set lease-time 300
set netmask 255.255.255.0
set ntp-service local
set vci-match enable
set vci-string "FortiSwitch"
set wifi-ac1 172.17.1.254
next
end
Configure the site1_mclag1 switch
Follow these steps on the site1_mclag1 FortiSwitch unit in the MCLAG peer group:
1. Enable FortiLink mode.
config system global

set switch-mgmt-mode fortilink
end
2. Set the switch-controller discovery type to DHCP.
config switch-controller global

set ac-discovery-type dhcp
end
3. Enable FortiLink over layer 3 on the switch interface connected to the WAN router and enable LACP on the
newly formed __FoRtILnk0L3__ trunk, which is automatically created by the system.

edit port8
set fortilink-l3-mode enable
end
config switch trunk

edit "__FoRtILnk0L3__"
set members "port8"
next
Fortinet, Inc.
end

set allowed-vlans 1
set dhcp-snooping trusted
set igmp-snooping-flood-reports enable
set igmp-snooping-flood-traffice enable
set snmp-index 12
next
end
Authorize the site1_mclag1 switch
On the FortiGate device, authorize and name the site1_mclag1 FortiSwitch unit.
Fortinet, Inc.
Fortinet, Inc.
Configure the site1_mclag2 switch
Follow these steps on the site1_mclag2 FortiSwitch unit in the MCLAG peer group:
Fortinet, Inc.

end
2. Set the switch-controller discovery type to DHCP.

end
3. FortiLink over layer 3 is not enabled on the switch interface connected to the WAN router. NOTE: The
FortiGate device can already be reached using the inter-switch link (ISL) formed with the site1_mclag1
FortiSwitch unit.

edit "8DVHFUKEFGG54-0"
set allowed-vlans 1
set snmp-index 12
next
end
Fortinet, Inc.
Configure the FortiGate device
1. Authorize and name the site1_mclag2 FortiSwitch unit.
Fortinet, Inc.
2. To enable the MCLAG peer group from the FortiGate device, use the switch-recommendations
command, specifying the FortiLink interface and the serial numbers of the MCLAG peers. (Alternatively, on
the FortiGate device, set the LLDP profile to default-auto-mclag-icl in the ports used for the
MCLAG ICL on both peers.)
FGT_Switch_Controller # execute switch-controller switch-recommendations set-

tier1-mclag-icl fol3_wan S108DVHFUKEFGG54 S108DVSPUKEFGG54
Fortinet, Inc.
Fortinet, Inc.
3. Connect to the CLI of the site1_mclag2 FortiSwitch unit and enable FortiLink over layer 3 on the switch
interface connected to the WAN router. Enable LACP on the newly formed trunk. NOTE: The automatically
created trunk has the same name as in the site1_mclag1 FortiSwitch unit, so it will form the MCLAG trunk
(the trunk name must be the same in both FortiSwitch units to form the MCLAG trunk).
edit port8
set fortilink-l3-mode enable
end
config switch trunk

edit "_FlInK1_ICL0_"
set auto-isl 1
set mclag-icl enable
set members "port7"
next
set mclag enable
set members "port8"
next
end
config switch trunk
Fortinet, Inc.
end
The switch interface is configured automatically.
site1_mclag2 # show switch interface __FoRtILnk0L3__

set allowed-vlans 1,4089-4093
set igmp-snooping-flood-reports enable
set igmp-snooping-flood-traffic enable
set snmp-index 13
next
end
4. Connect to the CLI of the site1_mclag1 FortiSwitch unit and enable MCLAG on the trunk connected to the
WAN router.
site1_mclag1 # config switch trunk

site1_mclag1 (trunk) # edit "__FoRtILnk0L3__"
site1_mclag1 (__FoRtILnk0L3__) # set mclag enable
site1_mclag1 (__FoRtILnk0L3__) # end
5. Check that both FortiSwitch units are managed.
Fortinet, Inc.
Configure the access switches

end
2. Set the switch-controller discovery type to DHCP. The ISL is automatically formed with the MCLAG peer
group (you do not need to enable FortiLink over layer 3).

end
Fortinet, Inc.
Finish the FortiSwitch configuration from the FortiGate device
1. Authorize and name the access FortiSwitch units.
Fortinet, Inc.
Fortinet, Inc.
2. Create FortiSwitch VLANs and assign them to FortiSwitch ports. You do not need to specify the IP address
because the FortiGate device will not receive any of the data traffic (it will be switched locally or routed by
the WAN router). Therefore, the DHCP service must be provided by the WAN router or other system
located at the site.
Fortinet, Inc.
Fortinet, Inc.
Check the configuration
The following is the relevant FortiGate configuration:
FGT_Switch_Controller # show system interface wan

edit "wan"
set vdom "root"
set ip 10.40.88.254 255.255.255.0
set allowaccess ping https ssh http
set type aggregate
set member "port9" "port10"
set lldp-reception enable
set role wan
set snmp-index 21
next
end
FGT_Switch_Controller # show router static 2
edit 2
set dst 10.33.33.0 255.255.255.0
set device "wan"
next
end
FGT_Switch_Controller # show system interface fol3_wan
edit "fol3_wan"
set vdom "root"
set fortilink enable
Fortinet, Inc.
set switch-controller-source-ip fixed

set ip 172.17.1.254 255.255.255.0
set allowaccess ping fabric
set type aggregate
set lldp-reception enable
set lldp-transmission enable
set snmp-index 22
set switch-controller-nac "fol3_wan"
set swc-first-create 127
set lacp-mode static
next
end
FGT_Switch_Controller # show firewall policy 5

config firewall policy
edit 5
set name "fsw_to_fol3_wan"
set uuid 98af1592-354d-51eb-e09e-8d8000c0663a
set srcintf "wan"
set dstintf "fol3_wan"
set srcaddr "fsw"
set dstaddr "fol3_wan_IP"
set action accept
set schedule "always"
set service "CAPWAP" "ALL_ICMP"
next
end
FGT_Switch_Controller # show firewall service custom CAPWAP

config firewall service custom
edit "CAPWAP"
set udp-portrange 5246
next
end
FGT_Switch_Controller # show firewall address fsw

config firewall address
edit "fsw"
set uuid 77e968bc-354d-51eb-f618-e3e145d6a172
set subnet 10.33.33.0 255.255.255.0
next
end
FGT_Switch_Controller # show firewall address fol3_wan_IP

config firewall address
edit "fol3_wan_IP"
set uuid 84cf157c-354d-51eb-ab4f-6518749b4bd9
set subnet 172.17.1.254 255.255.255.255
next
end
FGT_Switch_Controller # show switch-controller managed-switch

config switch-controller managed-switch
edit "S108DVHFUKEFGG54"
set name "site1_mclag1"
set fsw-wan1-peer "fol3_wan"
Fortinet, Inc.

set poe-detection-type 3
set version 1
set max-allowed-trunk-members 8
set pre-provisioned 1
set dynamic-capability 0x0000000000000000000000751c51f9f7
config ports
edit "port1"
set vlan "default.22"
set allowed-vlans "quarantine.22"
set untagged-vlans "quarantine.22"
set mac-addr 02:09:0f:d3:00:0c
next
edit "port2"
set mac-addr 02:09:0f:d3:00:0d
next
edit "port3"
set mac-addr 02:09:0f:d3:00:0e
next
edit "port4"
set mac-addr 02:09:0f:d3:00:0f
next
edit "port5"
set mac-addr 02:09:0f:d3:0a:01
next
edit "port6"
set mac-addr 02:09:0f:d3:22:01
next
edit "port7"
set mac-addr 02:09:0f:d3:1f:01
next
Fortinet, Inc.
edit "port8"
set mac-addr 02:09:0f:d3:1d:02
next
end
next
edit "S108DVSPUKEFGG54"
set name "site1_mclag2"
set version 1
config ports
edit "port1"
next
edit "port2"
next
edit "port3"
next
edit "port4"
next
edit "port5"
set mac-addr 02:09:0f:d3:0b:02
next
edit "port6"
Fortinet, Inc.

next
edit "port7"
set mac-addr 02:09:0f:d3:1f:02
next
edit "port8"
set mac-addr 02:09:0f:d3:1e:02
next
end
next
edit "S108DVUBYKEFGG54"
set name "site1_access1"
set version 1
config ports
edit "port1"
set vlan "office"
next
edit "port2"
set vlan "access_point"
set allowed-vlans "office" "quarantine.22" "warehouse"
next
edit "port3"
next
edit "port4"
Fortinet, Inc.

next
edit "port5"
next
edit "port6"
set mac-addr 02:09:0f:d3:00:0a
next
edit "port7"
next
edit "port8"
next
end
next
edit "S108DVD5FTEFGG54"
set name "site1_access2"
set version 1
config ports
edit "port1"
set vlan "office"
next
edit "port2"
set vlan "access_point"
set allowed-vlans "office" "quarantine.22" "warehouse"
next
edit "port3"
Fortinet, Inc.

set mac-addr 02:09:0f:d3:00:1a
next
edit "port4"
set mac-addr 02:09:0f:d3:00:1b
next
edit "port5"
set mac-addr 02:09:0f:d3:00:1c
next
edit "port6"
set mac-addr 02:09:0f:d3:00:1d
next
edit "port7"
next
edit "port8"
next
end
next
end
The following is the relevant configuration of the WAN router:
WAN_ROUTER # show system interface to_fgt

edit "to_fgt"
set ip 10.40.88.253 255.255.255.0
set snmp-index 16
set vlanid 4088
next
end
Fortinet, Inc.
WAN_ROUTER # show switch interface to_fgt

edit "to_fgt"
set snmp-index 14
next
end
WAN_ROUTER # show switch trunk to_fgt

config switch trunk
edit "to_fgt"
next
end
WAN_ROUTER # show system interface fol3

edit "fol3"
set ip 10.33.33.254 255.255.255.0
set snmp-index 17
set vlanid 4094
next
end
WAN_ROUTER # show system dhcp server

config system dhcp server
edit 1
set default-gateway 10.33.33.254
set dns-service local
set interface "fol3"
config ip-range
edit 1
set end-ip 10.33.33.99
set start-ip 10.33.33.1
next
end
set lease-time 300
set netmask 255.255.255.0
set ntp-service local
set vci-match enable
set vci-string "FortiSwitch"
set wifi-ac1 172.17.1.254
next
end
WAN_ROUTER # show switch interface fol3

edit "fol3"
set snmp-index 15
next
Fortinet, Inc.
end
WAN_ROUTER # show switch trunk fol3

config switch trunk
edit "fol3"
next
end
WAN_ROUTER # show router static 2

edit 2
set device "to_fgt"
set dst 172.17.1.0 255.255.255.0
next
end
The following is the relevant configuration of the FortiSwitch MCLAG 1:
site1_mclag1 # show switch-controller global

end
site1_mclag1 # show switch trunk

config switch trunk
set mclag enable
set members "port8"
next
set auto-isl 1
set members "port7"
next
edit "8DVUBYKEFGG54-0"
set auto-isl 1
set mclag enable
set members "port6"
next
edit "8DVD5FTEFGG54-0"
set auto-isl 1
set mclag enable
set members "port5"
next
end

Fortinet, Inc.
set allowed-vlans 1,444,555,777,4089-4093

set snmp-index 12
next
end
site1_mclag1 # show switch interface _FlInK1_ICL0_

set snmp-index 13
next
end
site1_mclag1 # show switch physical-port port8

config switch physical-port
edit "port8"
set lldp-profile "default-auto-isl"
set speed auto
set storm-control-mode disabled
next
end

edit "port7"
set l2-learning disabled
set speed auto
set l2-sa-unknown forward
next
end

edit "port6"
set speed auto
next
end

edit "port5"
set speed auto
next
end
The following is the relevant configuration of the FortiSwitch MCLAG 2:
site1_mclag2 # show switch-controller global

Fortinet, Inc.

end
site1_mclag2 # show switch trunk

config switch trunk
set auto-isl 1
set members "port7"
next
set mclag enable
set members "port8"
next
edit "8DVUBYKEFGG54-0"
set auto-isl 1
set mclag enable
set members "port6"
next
edit "8DVD5FTEFGG54-0"
set auto-isl 1
set mclag enable
set members "port5"
next
end

set snmp-index 13
next
end
site1_mclag2 # show switch interface _FlInK1_ICL0_

set snmp-index 12
next
end

edit "port8"
set speed auto
Fortinet, Inc.
next
end

edit "port7"
set l2-learning disabled
set speed auto
set l2-sa-unknown forward
next
end

edit "port6"
set speed auto
next
end

edit "port5"
set speed auto
next
end
The following is the relevant configuration of the FortiSwitch access switch 1:
site1_access1 # show switch-controller global

end
site1_access1 # show switch trunk

config switch trunk
edit "_FlInK1_MLAG0_"
set auto-isl 1
set mclag enable
next
end
site1_access1 # show switch interface _FlInK1_MLAG0_

set snmp-index 13
next
end
Fortinet, Inc.
site1_access1 # show switch physical-port port7

edit "port7"
set speed auto
next
end

edit "port8"
set speed auto
next
end
site1_access1 # show switch interface port1

edit "port1"
set native-vlan 444
set untagged-vlans 4093
set snmp-index 1
next
end

edit "port2"
set native-vlan 555
set allowed-vlans 444,777,4093
set snmp-index 2
next
end
The following is the relevant configuration of the FortiSwitch access switch 2:
site1_access2 # show switch-controller global

end
site1_access2 # show switch trunk

config switch trunk
set auto-isl 1
set mclag enable
next
end
site1_access2 # show switch interface _FlInK1_MLAG0_
Fortinet, Inc.

set snmp-index 13
next
end

edit "port7"
set speed auto
next
end

edit "port8"
set speed auto
next
end

edit "port1"
set native-vlan 444
set snmp-index 1
next
end

edit "port2"
set native-vlan 555
set allowed-vlans 444,777,4093
set snmp-index 2
next
end
Fortinet, Inc.
Copyright© 2022 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the
U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be
trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and
other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding
commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s
General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such
event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be
limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features or
development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and
guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most
current version of the publication shall be applicable.

FortiSwitch - Cookbook

Uploaded by

Copyright:

Available Formats

FortiSwitch - Cookbook

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

FortiSwitch - Cookbook

Uploaded by

Copyright:

Available Formats

FortiSwitch Cookbook

FORTINET DOCUMENT LIBRARY

FORTINET VIDEO GUIDE

CUSTOMER SERVICE & SUPPORT

FORTINET TRAINING & CERTIFICATION PROGRAM

END USER LICENSE AGREEMENT

February 22, 2021

Capturing packets from a sniffer VLAN in a FortiLink setup 4

Capturing packets from a sniffer VLAN in a FortiLink

Remote sampling of a MAC address

The following is a basic FortiOS configuration for remote sampling:

Remote sampling of a FortiSwitch port

Setting up port-based 802.1x authentication in a

Configuring the FortiGate and FortiSwitch units

1. Log on to your FortiGate unit.

name to make it easier to identify.

l In the NAS IP field, enter the IP address of your RADIUS server.

4. Select Test Connectivity.

FortiGate# diagnose test authserver radius RADIUSSERVERNAME mschap2 username

The following is the successful output of this command:

6. Create a user group:

7. Create the FortiSwitch/FortiLink VLAN interface.

b. Check the configuration in the FortiOS CLI:

FWF60D4615010908 # show system interface LAGuest

FWF60D4615010908 # show system interface LALanSecure

set alias "--HQ Secure LAN"

8. Configure the 802.1x settings in the FortiOS CLI:

config switch-controller 802-1X-settings

9. Configure the 802.1x security policy in the FortiOS CLI:

config switch-controller security-policy 802-1X

config switch-controller managed-switch

To troubleshoot your configuration:

exec switch-controller get-conn-status

FS108D3W15000509 # diagnose switch 802-1x status port2

The following output shows a failed authentication:

FS108D3W15000509 # diagnose switch 802-1x status port2

FS108D3W15000509 # diagnose switch vlan list 32

FS108D3W15000509 # diagnose switch vlan list 32

FS108D3W15000509 # diagnose switch vlan list 34

FS108D3W15000509 # diagnose switch vlan list 32

FS108D3W15000509 # diagnose switch vlan list 34

show user group

3. To synchronize the configuration with the FortiSwitch unit:

exe switch-controller trigger-config-sync

exe switch-controller get-sync-status all

Configuring the RADIUS server

l Select the Policy enabled check box.

l Leave the type of network access server as Unspecified.

9. Select the Conditions tab.

10. Select the Settings tab.

11. Configure a network policy.

12. Select the Conditions tab.

Issue 2: The specified user does not exist.

select Automatic and then select Start.

Enterprise FortiSwitch secure access

Increase the level of logging to follow the deployments steps.

1. From Network > Interfaces, create a 802.3ad port

7. Connect the FG1-Master to Disti-1 (port9 to port48).

8. Confirm the discovery of the FortiSwitch unit in the logs.

o On FortiSwitch Disti: diagnose switch trunk list FoRtI1LiNk0

o On FortiSwitch Disti: diagnose switch mclag list FoRtI1LiNk0