Administration Guide

Optional configuration required before discovering and authorizing FortiSwitch units

This section covers the following topics: migrating the configuration of standalone FortiSwitch units, VLAN interface templates for FortiSwitch units, and automatic provisioning of FortiSwitch firmware upon authorization.

Migrating the configuration of standalone FortiSwitch units

When a configured standalone FortiSwitch unit is converted to managed mode, the standalone configuration is lost. To save time, use the fortilinkify.py utility to migrate your standalone configuration from one or more FortiSwitch units to a combined FortiSwitch-Manager-compatible configuration.

To get the script and instructions, go to:

https://fndn.fortinet.net/index.php?/tools/file/68-fortiswitch-configuration-migration-tool/

VLAN interface templates for FortiSwitch units

NOTE: You can only create VLAN interface templates when FortiSwitch Manager has not authorized any FortiSwitch units yet, so only physically connect the FortiSwitch unit to FortiSwitch Manager after completing this section.

You can create configuration templates that define the VLAN interfaces and are applied to new FortiSwitch devices when they are discovered and managed by FortiSwitch Manager.

You can create templates, and then assign those templates to the automatically created switch VLAN interfaces for six types of traffic. The network subnet that is reserved for the switch controller can also be customized.

To ensure that switch VLAN interface names are unique for each system, the interface names are the same as the template names.

You can also customize the FortiLink management VLAN per FortiLink interface:

config system interface
	edit <fortilink interface>
		set fortilink enable
		set switch-controller-mgmt-vlan <integer>
	next
end

The management VLAN can be a number from 1 to 4094. The default value is 4094.

Create VLAN interface templates

To configure the VLAN interface templates:

config switch-controller initial-config template
	edit <template_name>
		set vlanid <integer>
		set ip <ip/netmask>
		set allowaccess {options}
		set auto-ip {enable | disable}
		set dhcp-server {enable | disable}
	next
end

<template_name>

The name, or part of the name, of the template.

vlanid <integer>

The unique VLAN ID for the type of traffic the template is assigned to (1-4094; the default is 4094).

ip <ip/netmask>

The IP address and subnet mask of the switch VLAN interface. This can only be configured when auto-ip is disabled.

allowaccess {options}

The permitted types of management access to this interface.

auto-ip {enable | disable}

When enabled, the switch controller picks an unused 24-bit (/24) subnet from the switch-controller-reserved-network (configured in config system global) and assigns it to the switch VLAN interface.

dhcp-server {enable | disable}

When enabled, the switch controller creates a DHCP server for the switch VLAN interface.

To assign the templates to the specific traffic types:

config switch-controller initial-config vlans
	set default-vlan <template>
	set quarantine <template>
	set rspan <template>
	set voice <template>
	set video <template>
	set nac <template>
end

default-vlan <template>

Default VLAN assigned to all switch ports upon discovery.

quarantine <template>

VLAN for quarantined traffic.

rspan <template>

VLAN for RSPAN/ERSPAN mirrored traffic.

voice <template>

VLAN dedicated for voice devices.

video <template>

VLAN dedicated for video devices.

nac <template>

VLAN for NAC onboarding devices.

To configure the network subnet that is reserved for the switch controller:

config system global
	set switch-controller-reserved-network <ip/netmask>
end

The default value is 169.254.0.0 255.255.0.0.
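The following Python script is an added example, not Fortinet's code or part of this guide. It checks a set of templates against the rules stated above (VLAN IDs within 1-4094 and unique per template, ip only when auto-ip is disabled, every assigned template defined), previews which /24 each auto-ip template would draw from the switch-controller-reserved-network, and renders the two CLI blocks. The first-fit allocation order, the in_use parameter and the sample template set are assumptions made for illustration; the switch controller only guarantees an unused /24, not which one.

```python
"""Pre-flight check for FortiSwitch Manager VLAN interface templates.
Added example, not Fortinet's code. Allocation order and in_use are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Traffic types accepted by 'config switch-controller initial-config vlans'.
TRAFFIC_TYPES = ("default-vlan", "quarantine", "rspan", "voice", "video", "nac")


@dataclass
class VlanTemplate:
    name: str
    vlanid: int
    auto_ip: bool = True           # CLI default: auto-ip enable
    dhcp_server: bool = False      # CLI default: dhcp-server disable
    ip: Optional[str] = None       # "a.b.c.d/len"; only valid when auto_ip is False
    allowaccess: tuple = ()        # e.g. ("ping", "https")


def validate(templates: List[VlanTemplate], assignments: Dict[str, str]) -> List[str]:
    """Return the problems found; an empty list means the set is consistent."""
    errors: List[str] = []
    seen: Dict[int, str] = {}
    for t in templates:
        if not 1 <= t.vlanid <= 4094:
            errors.append(f"{t.name}: vlanid {t.vlanid} is outside 1-4094")
        elif t.vlanid in seen:
            errors.append(f"{t.name}: vlanid {t.vlanid} already used by {seen[t.vlanid]}")
        else:
            seen[t.vlanid] = t.name
        if t.ip is not None and t.auto_ip:
            errors.append(f"{t.name}: ip can only be set when auto-ip is disabled")
        if t.ip is not None:
            try:
                ipaddress.ip_interface(t.ip)
            except ValueError:
                errors.append(f"{t.name}: {t.ip!r} is not a valid ip/netmask")
    names = {t.name for t in templates}
    for ttype, name in assignments.items():
        if ttype not in TRAFFIC_TYPES:
            errors.append(f"unknown traffic type {ttype!r}")
        if name not in names:
            errors.append(f"{ttype}: template {name!r} is not defined")
    return errors


def allocate_auto_ip(templates: Iterable[VlanTemplate], reserved: str = "169.254.0.0/16",
                     in_use: Iterable[str] = ()) -> Dict[str, str]:
    """Give each auto-ip template the first unused /24 of the reserved network
    (interface address .1). 'in_use' lists /24s already taken, for example the
    FortiLink management subnet. First-fit order is an assumption."""
    taken = {ipaddress.ip_network(s) for s in in_use}
    free = (s for s in ipaddress.ip_network(reserved).subnets(new_prefix=24) if s not in taken)
    out: Dict[str, str] = {}
    for t in templates:
        if t.auto_ip:
            subnet = next(free, None)
            if subnet is None:
                raise ValueError(f"{reserved} has no unused /24 left for {t.name}")
            out[t.name] = f"{subnet.network_address + 1}/24"
    return out


def render_cli(templates: List[VlanTemplate], assignments: Dict[str, str]) -> str:
    """Render the template and assignment CLI blocks described on this page."""
    lines = ["config switch-controller initial-config template"]
    for t in templates:
        lines += [f'    edit "{t.name}"', f"        set vlanid {t.vlanid}"]
        if not t.auto_ip:
            lines.append("        set auto-ip disable")
        if t.ip is not None:
            iface = ipaddress.ip_interface(t.ip)
            lines.append(f"        set ip {iface.ip} {iface.netmask}")
        if t.allowaccess:
            lines.append("        set allowaccess " + " ".join(t.allowaccess))
        if t.dhcp_server:
            lines.append("        set dhcp-server enable")
        lines.append("    next")
    lines += ["end", "config switch-controller initial-config vlans"]
    lines += [f'    set {k} "{assignments[k]}"' for k in TRAFFIC_TYPES if k in assignments]
    lines.append("end")
    return "\n".join(lines)


# Constructed sample mirroring the page's example: six templates, DHCP on all but default.
PAGE_TEMPLATES = [
    VlanTemplate("default", 1, auto_ip=False),
    VlanTemplate("quarantine", 4093, dhcp_server=True),
    VlanTemplate("rspan", 4092, dhcp_server=True),
    VlanTemplate("voice", 4091, dhcp_server=True),
    VlanTemplate("video", 4090, dhcp_server=True),
    VlanTemplate("onboarding", 4089, dhcp_server=True),
]
PAGE_ASSIGNMENTS = {"default-vlan": "default", "quarantine": "quarantine", "rspan": "rspan",
                    "voice": "voice", "video": "video", "nac": "onboarding"}

if __name__ == "__main__":
    print("problems:", validate(PAGE_TEMPLATES, PAGE_ASSIGNMENTS) or "none")
    print(allocate_auto_ip(PAGE_TEMPLATES, in_use=("169.254.1.0/24",)))
    print(render_cli(PAGE_TEMPLATES, PAGE_ASSIGNMENTS))
```

Running the script with the page's six templates reports no problems and shows that the default template, with auto-ip disabled and no ip set, gets no address at all, which matches the show system interface output later in this section.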

Example

In this example, six templates are configured with different VLAN IDs. Except for the default template, all of them have DHCP server enabled. When a FortiSwitch is discovered, VLANs and the corresponding DHCP servers are automatically created.

To configure six templates and apply them to VLAN traffic types:

config switch-controller initial-config template
	edit "default"
		set vlanid 1
		set auto-ip disable
	next
	edit "quarantine"
		set vlanid 4093
		set dhcp-server enable
	next
	edit "rspan"
		set vlanid 4092
		set dhcp-server enable
	next
	edit "voice"
		set vlanid 4091
		set dhcp-server enable
	next
	edit "video"
		set vlanid 4090
		set dhcp-server enable
	next
	edit "onboarding"
		set vlanid 4089
		set dhcp-server enable
	next
end

config switch-controller initial-config vlans
	set default-vlan "default"
	set quarantine "quarantine"
	set rspan "rspan"
	set voice "voice"
	set video "video"
	set nac "onboarding"
end

To see the automatically created VLANs and DHCP servers:

show system interface
	edit "default"
		set vdom "root"
		set snmp-index 24
		set switch-controller-feature default-vlan
		set interface "fortilink"
		set vlanid 1
	next
	edit "quarantine"
		set vdom "root"
		set ip 169.254.11.1 255.255.255.0
		set description "Quarantine VLAN"
		set security-mode captive-portal
		set replacemsg-override-group "auth-intf-quarantine"
		set device-identification enable
		set snmp-index 25
		set switch-controller-access-vlan enable
		set switch-controller-feature quarantine
		set color 6
		set interface "fortilink"
		set vlanid 4093
	next
	...
end

show system dhcp server
	edit 2
		set dns-service local
		set ntp-service local
		set default-gateway 169.254.1.1
		set netmask 255.255.255.0
		set interface "fortilink"
		config ip-range
			edit 1
				set start-ip 169.254.1.2
				set end-ip 169.254.1.254
			next
		end
		set vci-match enable
		set vci-string "FortiSwitch" "FortiExtender"
	next
	edit 3
		set dns-service default
		set default-gateway 169.254.11.1
		set netmask 255.255.255.0
		set interface "quarantine"
		config ip-range
			edit 1
				set start-ip 169.254.11.2
				set end-ip 169.254.11.254
			next
		end
		set timezone-option default
	next
	...
end

Automatic provisioning of FortiSwitch firmware upon authorization

Administrators no longer need to upload the FortiSwitch firmware. Instead, administrators can configure the managed FortiSwitch units to be automatically upgraded to the latest FortiSwitchOS version available in FortiGuard when the switches are authorized by FortiSwitch Manager. If the FortiSwitch units are already running the latest version of FortiSwitchOS when they are authorized, no changes are made.

NOTE:
  • You cannot use the one-time automatic upgrade together with the automatic provisioning that uses uploaded firmware. When firmware-provision-latest is set to once, the firmware-provision and firmware-provision-version commands are unset.
  • If a FortiSwitch unit is being upgraded when the one-time automatic upgrade is configured, the upgrade in progress is paused until the one-time automatic upgrade is completed.

To configure the automatic provisioning using uploaded FortiSwitch firmware:
config switch-controller managed-switch
	edit <FortiSwitch_serial_number>
		set firmware-provision {enable | disable}
		set firmware-provision-version <version>
	next
end

firmware-provision {enable | disable}

Enable or disable provisioning firmware to the FortiSwitch unit after authorization (the default is disable).

firmware-provision-version <version>

The firmware version to provision the FortiSwitch unit with on bootup.

The format is major_version.minor_version.build_number, for example, 6.4.0454.

To set up the one-time automatic upgrade of the FortiSwitch firmware:
  1. On FortiSwitch Manager, configure automatic provisioning:

     config switch-controller global
     	set firmware-provision-on-authorization enable
     end

     By default, the set firmware-provision-latest command is set to disable under config switch-controller managed-switch before the FortiSwitch unit is authorized by FortiSwitch Manager.

  2. On FortiSwitch Manager, authorize the FortiSwitch unit:

     config switch-controller managed-switch
     	edit <FortiSwitch_serial_number>
     		set fsw-wan1-peer <FortiLink_interface_name>
     		set fsw-wan1-admin enable
     end

     Authorizing the FortiSwitch unit changes the setting of the set firmware-provision-latest command to once under config switch-controller managed-switch.

  3. When the status of the managed FortiSwitch unit is “Authorized/Up,” FortiSwitch Manager downloads the latest supported version of FortiSwitchOS from FortiGuard and then upgrades the switch.

  4. The setting of the set firmware-provision-latest command is changed to disable under config switch-controller managed-switch.
NOTE: Instead of enabling firmware-provision-on-authorization, you can leave the command at its default setting (set firmware-provision-on-authorization disable) and change the setting of firmware-provision-latest to once.
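The following Python model is an added example, not Fortinet's code or part of this guide. It encodes the interactions this section describes: authorizing a switch while firmware-provision-on-authorization is enabled sets firmware-provision-latest to once, which unsets the uploaded-firmware settings; a one-time upgrade is skipped when the switch already runs the FortiGuard version and in any case returns firmware-provision-latest to disable. The class, method and field names, the version comparison, the serial placeholder and the constructed version strings are assumptions; the FortiGuard lookup is replaced by a parameter.

```python
"""Model of the firmware-provisioning settings on a managed FortiSwitch entry.
Added example, not Fortinet's code; names and the version ordering are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, int, int]:
    """Parse the major_version.minor_version.build_number format, e.g. '6.4.0454'."""
    parts = v.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad FortiSwitchOS version {v!r}; expected major.minor.build")
    major, minor, build = (int(p) for p in parts)
    return (major, minor, build)


def needs_upgrade(running: str, latest: str) -> bool:
    """True when the switch runs an older build than the latest available version."""
    return parse_version(running) < parse_version(latest)


@dataclass
class SwitchControllerGlobal:
    firmware_provision_on_authorization: bool = False   # CLI default: disable


@dataclass
class ManagedSwitch:
    serial: str
    firmware_provision: bool = False              # CLI default: disable
    firmware_provision_version: Optional[str] = None
    firmware_provision_latest: str = "disable"    # "disable" or "once"
    authorized: bool = False
    upgrade_in_progress: bool = False
    events: List[str] = field(default_factory=list)

    def set_uploaded_firmware(self, version: str) -> None:
        """'set firmware-provision enable' plus 'set firmware-provision-version'.
        Refused while the one-time automatic upgrade is pending (the two cannot be combined)."""
        if self.firmware_provision_latest == "once":
            raise ValueError("uploaded-firmware provisioning cannot be combined "
                             "with the one-time automatic upgrade")
        parse_version(version)   # reject malformed version strings early
        self.firmware_provision = True
        self.firmware_provision_version = version

    def set_firmware_provision_latest_once(self) -> None:
        """'set firmware-provision-latest once': unsets the uploaded-firmware settings."""
        self.firmware_provision = False
        self.firmware_provision_version = None
        self.firmware_provision_latest = "once"
        if self.upgrade_in_progress:
            self.events.append(f"{self.serial}: in-progress upgrade paused until "
                               "the one-time upgrade completes")

    def authorize(self, glob: SwitchControllerGlobal) -> None:
        """Step 2: authorization switches latest to once when the global option is enabled."""
        self.authorized = True
        if glob.firmware_provision_on_authorization:
            self.set_firmware_provision_latest_once()

    def on_authorized_up(self, running: str, fortiguard_latest: str) -> str:
        """Steps 3 and 4: with latest=once, upgrade to the FortiGuard version when the
        switch is behind (no change otherwise), then latest returns to disable.
        Returns the version the switch ends up running."""
        if not self.authorized or self.firmware_provision_latest != "once":
            return running
        result = fortiguard_latest if needs_upgrade(running, fortiguard_latest) else running
        self.events.append(f"{self.serial}: {running} -> {result}")
        self.firmware_provision_latest = "disable"
        return result


if __name__ == "__main__":
    # Constructed walk-through; the serial and the 7.0.0017 version string are placeholders.
    glob = SwitchControllerGlobal(firmware_provision_on_authorization=True)
    sw = ManagedSwitch("FS-SERIAL-PLACEHOLDER")
    sw.authorize(glob)
    print("after authorize:", sw.firmware_provision_latest)
    print("now running:", sw.on_authorized_up("6.4.0454", "7.0.0017"))
    print("after upgrade:", sw.firmware_provision_latest, sw.events)
```

The model makes the ordering constraint from the note above explicit: configure uploaded-firmware provisioning only on an entry whose firmware-provision-latest is disable, because setting once discards those values.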
