Setting up an internal network with a managed FortiSwitch

In this recipe, you will set up a FortiGate to connect to and manage an internal wired network consisting of client PCs connected to a managed FortiSwitch.

This recipe is part of the Cooperative Security Fabric collection. It can also be used as a standalone recipe.

Once management communication is set up between the FortiGate and the FortiSwitch, you will create and assign VLANs and configure port information on the FortiSwitch from the FortiGate. Then you can connect client PCs to the FortiSwitch and add policies to the FortiGate to allow the client PCs to access the Internet and other resources.

Management communication between the FortiGate and the managed FortiSwitch uses Fortinet’s proprietary FortiLink protocol. FortiLink is only supported for selected FortiGate and FortiSwitch models, see the FortiSwitch/FortiGate Compatibility Matrix.

In this example, a FortiGate 90D (called Marketing) manages a FortiSwitch 108D by using an Ethernet cable to connect the FortiGate’s internal 1 interface to the FortiSwitch’s port 9. The interfaces to use for these connections vary by FortiGate and FortiSwitch model. See Connecting FortiLink ports for details.

Find this recipe for other FortiOS versions:
5.2 | 5.4

1. Enabling Switch Controller on the FortiGate

Go to System > Feature Select. Under Basic Features, turn on Switch Controller and select Apply.

 

2. Configuring the FortiGate interface and connecting the FortiSwitch

By default, a FortiGate 90D’s internal 1 interface is part of the internal hardware switch. This interface must be removed from the switch on the Marketing FortiGate before it can be used to connect the FortiSwitch.

Go to Network > Interfaces and edit the internal interface. Removing internal 1 from the Physical Interface Members list.

 

Edit the internal 1 interface.

Set Addressing mode to Dedicated to FortiSwitch and enable Automatically authorize devices.

 
Connect the Marketing FortiGate and FortiSwitch.

3. Setting up the FortiSwitch and connecting devices

Go to WiFi & Switch Controller > Managed FortiSwitch. The marketing FortiSwitch appears.

 

Double-click on the FortiSwitch to edit its Name and Description. You can also Restart the FortiSwitch, De-authorize it, or upgrade its firmware.

 

Go to WiFi & Switch Controller > FortiSwitch Ports. This page shows information on each physical port of the FortiSwitch, including VLAN assignment and Power over Ethernet (PoE) capabilities. By default, all FortiSwitch ports are part of the vsw.internal1 VLAN interface.

 

Go to WiFi & Switch Controller > FortiSwitch VLANs and edit the default vsw.internal1 VLAN.

Set Addressing mode to Manual and set the IP/Network mask to a private IP address (in the example, 10.10.201.1). Configure Administrative Access to allow FortiTelemetry.

Enable DHCP Server and Device Detection.

 

Connect internal Marketing network PCs and other devices to FortiSwitch interfaces that are part of the default VLAN. The devices that you connect will get their IP configuration from the DHCP server added to the default VLAN.

Go to Policy & Objects > IPv4 Policy and create a policy that allows devices on the Marketing internal network to access the Internet.

 

4. (Optional) Adding the default VLAN to OSPF routing table

In the example network created as part of the Cooperative Security Fabric collection, OSPF routing is used for communication between the internal Fortinet devices. If you are using OSPF routing for your network, the FortiSwitch must be added to the OSPF routing table.

For more information about the OSPF routing in this network, see Installing internal FortiGates and enabling a security fabric.

In the example, the Marketing FortiGate is a 90D, a model that does not support OSPF configuration using the GUI. To add OSPF routing, use the following CLI command:

config router ospf
  config network
    edit 0
      set prefix 10.10.201.0/255.255.255.0
    next
  end
end

5. Results

Devices on the internal Marketing network can now access the Internet.

You can view information about this traffic by going to FortiView > All Sessions and selecting the now view.

 

6. Additional CSF Results

On the External FortiGate, go to FortiView > Physical Topology and select the Access Device view. The FortiSwitch appears as part of the Cooperative Security Fabric.  

For additional information, see Managing FortiSwitches with FortiGate, which is available in the FortiOS 5.4 Handbook.

Share this recipe:

Facebooktwittergoogle_pluslinkedin

Leave a comment:

Before commenting, please read the site's comment policy. Only questions related to documentation will be answered. For other concerns, please contact Fortinet support.