FortiLink mode over a layer-3 network

 

In some cases, the requirement is to bring up a FortiSwitch in FortiLink mode, but the FortiSwitch is not directly connected to the FortiGate.

There is a layer 3 network between FortiGate and FortiSwitch.

 

Read the below link before starting the configuration:

https://docs.fortinet.com/document/fortiswitch/7.2.4/fortilink-guide/801182/fortilink-mode-over-a-la…

https://docs.fortinet.com/document/fortiswitch/7.0.8/devices-managed-by-fortios/801182/fortilink-mod…

 

Note that the layer3 FortiLink config has changed from the 7.2.x version and above.

 

Refer to the below configuration:

FortiGate v7.2.4.

FortiSwitch v7.2.3.

 

 

sachitdas_FTNT_2-1685432383588.png

AAA – Tacacs+

AAA on IOS-XR (NCS540)

 
aaa authorization exec LOCAL local
aaa authorization exec TACACS group TACACS local

aaa authentication login LOCAL local
aaa authentication login TACACS group TACACS local

aaa accounting exec default start-stop group TACACS
aaa accounting system default start-stop group TACACS
aaa accounting commands default start-stop group TACACS

aaa group server tacacs+ TACACS
 server 10.0.0.1
 server 10.0.0.2

tacacs-server host 10.0.0.1 port 49
 key 7 xxx
!
tacacs-server host 10.0.0.2 port 49
 key 7 xxx
!
username admin
 group root-lr
 secret 10 xxx

line console
 authorization exec LOCAL
 login authentication LOCAL
 exec-timeout 12 0
!
line default
 authorization exec TACACS
 login authentication TACACS
 exec-timeout 12 0
 transport input ssh

Central Services Topology

> Question:  Have also seen comments in foreeum like. The best practice for this Hub and Spoke is to use TWO VRF in Hub site – “From-Spoke” and “To-Spoke”

 

This is immaterial implementation detail. Some shops do this, because their automation system abstracts VRF into set of import/export statements and clients share set and hubs share different set. Also if you have hub and spoke in the same PE, you’re going to need another name, if not, single name is fine, but may be more difficult to automate as name does not imply config.

 

ipv4 vrf hubs

  route-target export 42:hubs

  route-target import 42:spokes

ipv4 vrf spokes

  route-target export 42:spokes

  route-target import 42:hubs

 

Now the problem with this approach is that if you have >1 spokes in the same PE, they are able to communicate to each other. To workaround this, you’ll need ‘half duplex VRF’, where ingress and egress RIB/FIB are different.

Packets coming from spokes look at FibA, packets going to spokes look at FibB. FibA has only route to hubs, FibA has only routes to spokes.

 

ip vrf spokesIn

  route-target import 42:hubs

ip vrf spokesOut

  route-target export 42:spokes

ip vrf hubs

   route-target export 42:hubs

   route-target import 42:spokes

 

PE1:

int Spoke1

  ip vrf forwarding spokesIn downstream spokesOut int Spoke2

  ip vrf forwarding spokesIn downstream spokesOut int Hub1

  ip vrf hubs

int Hub2

  ip vrf hubs

 

Fortigate FGSP

https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD46111&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=164542366&stateId=0%200%20164540878%27

https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD46242&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=164542366&stateId=0%200%20164540878%27

Ansible – Fortigate

Ansible :

https://docs.ansible.com/ansible/latest/user_guide/playbooks_loops.html
https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html
https://docs.ansible.com/ansible/latest/modules/fortios_system_email_server_module.html#status

https://help.github.com/en/github/setting-up-and-managing-your-github-user-account/setting-your-commit-email-address

https://github.com/ansible/ansible/issues/48859

https://docs.ansible.com/ansible/latest/user_guide/vault.html

IOS:

https://docs.ansible.com/ansible/latest/network/user_guide/platform_ios.html
https://docs.ansible.com/ansible/latest/plugins/connection/network_cli.html

Fortigate:

Modules (overzicht)
https://ftnt-ansible-docs.readthedocs.io/en/latest/fortios_modules.html
https://docs.ansible.com/ansible/latest/modules/fortios_ipv4_policy_module.html

https://galaxy.ansible.com/fortinet/fortios
https://pypi.org/project/fortiosapi/
https://docs.ansible.com/ansible/latest/modules/fortios_alertemail_setting_module.html
https://ftnt-ansible-docs.readthedocs.io/en/latest/fortios_playbooks/fortios_alertemail_setting.html

Fortios playbooks

Policy’s

Fortigate RestAPI Config Backup – FortiOS 6.0.4

1 2 3 20