Bert Zéfat

Security Enthusiast

HackTheBox user

Ethical Hacker

Linux lover

fortilink LACP to Hardware Switch

October 5, 2021 | FortiGate, FortiNet, FortiSwitch

If you have two (or more) 100 Series FortiSwitches (which are not MCLAG capable) and you want to be able to update them without interrupting all traffic towards your FortiGate (as they are usually daisy-chained), you can change the fortilink interface from an 802.3ad Aggregate (the default setting) to a Hardware Switch.

The issue with the default setup is that port B comes up and immediately goes down again.
</gml_replace>
<gr_replace lines="34-34" cat="clarify" orig="Normal, from">
Normally, by default, the FortiGate fortilink interface is an 802.3ad Aggregate.

(fortilink daisy chained)

Normal, from a default point of view the FortiGate fortilink is an 802.3ad Aggregate.

(fortilink Aggregate)

(fortilink hardware switch)

But if you want to be able to update a FortiSwitch that is not MCLAG capable (so there is no redundancy), you want the Aggregate to be a Hardware Switch instead.

To change the Aggregate to a Hardware Switch, these are the parts of the config to change:

  1. Make a backup of the config from your FortiGate.
  2. Open the backup in your editor of choice and change the following.

Change the interface:

config system interface
    edit "fortilink"
        set vdom "root"
        set fortilink enable
        set ip 169.254.1.1 255.255.255.0
        set allowaccess ping fabric
        set type aggregate
        set member "a" "b"
        set lldp-reception enable
        set lldp-transmission enable
    next
end

Should become:

config system interface
    edit "fortilink"
        set vdom "root"
        set fortilink enable
        set ip 169.254.1.1 255.255.255.0
        set type hard-switch
        set allowaccess ping fabric
        set device-identification enable
        set lldp-reception enable
        set lldp-transmission enable
    next
end

Create the hardware switch:

config system virtual-switch
    edit "fortilink"
        set physical-switch "sw0"
        config port
            edit "a"
            next
            edit "b"
            next
        end
    next
end
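The two edits above (switching the interface type and moving the member ports into a virtual-switch block) are easy to get wrong by hand in a large backup. This is an added example, not code from the post: a small Python script that makes exactly those changes to the `config system interface` section of a backup and emits the matching `config system virtual-switch` block. The sample config is constructed from the post; the port names "a" and "b" and the physical switch "sw0" are assumed.

```python
import re

# Constructed sample: the fortilink interface section of a FortiGate backup
# with the default 802.3ad aggregate and assumed member ports "a" and "b".
SAMPLE_CONFIG = '''config system interface
    edit "fortilink"
        set vdom "root"
        set fortilink enable
        set ip 169.254.1.1 255.255.255.0
        set allowaccess ping fabric
        set type aggregate
        set member "a" "b"
        set lldp-reception enable
        set lldp-transmission enable
    next
end
'''

def convert_fortilink(config, name="fortilink"):
    """Return (rewritten config, member ports). The aggregate becomes a
    hard-switch and its members move into a new system virtual-switch block."""
    out, members, in_iface, in_edit, converted = [], [], False, False, False
    for line in config.splitlines():
        s = line.strip()
        # Only touch 'edit "<name>"' inside "config system interface".
        if s == "config system interface":
            in_iface = True
        elif in_iface and s == "end":
            in_iface = False
        elif in_iface and s == f'edit "{name}"':
            in_edit = True
        elif in_edit and s == "next":
            in_edit = False
        if in_edit and s == "set type aggregate":
            line = line.replace("aggregate", "hard-switch")
            converted = True
        elif in_edit and s.startswith("set member "):
            members = re.findall(r'"([^"]+)"', s)
            continue  # dropped here, re-added under virtual-switch below
        out.append(line)
    if not converted or not members:
        raise ValueError(f'"{name}" is not an aggregate with member ports')
    vs = ["config system virtual-switch", f'    edit "{name}"',
          '        set physical-switch "sw0"', "        config port"]
    for port in members:
        vs += [f'            edit "{port}"', "            next"]
    vs += ["        end", "    next", "end"]
    return "\n".join(out + vs) + "\n", members

if __name__ == "__main__":
    new_config, ports = convert_fortilink(SAMPLE_CONFIG)
    print(new_config)
```

Run it against the backup file's contents and diff the result against the original before restoring, so the only differences are the type line, the removed member line and the new virtual-switch block.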

Make sure you have NTP enabled on the new interface, as FortiLink depends heavily on it.

config system ntp
    set ntpsync enable
    set server-mode enable
    set interface "fortilink"
end

Recreate your DHCP server on the fortilink interface (or check that the existing one still references it).

config system dhcp server
    edit 2
        set dns-service default
        set ntp-service local
        set default-gateway 169.254.1.1
        set netmask 255.255.255.0
        set interface "fortilink"
        config ip-range
            edit 1
                set start-ip 169.254.1.2
                set end-ip 169.254.1.254
            next
        end
    next
end

Restore the edited config to your FortiGate. After this is done, you should have a Hardware Switch, and you can connect each port to a separate FortiSwitch.

**NOTE:** Make sure you do not connect the switches to each other: the hardware switch bridges ports A and B on the FortiGate, so a link between the two FortiSwitches creates a loop.
