Optional FortiLink configuration required before discovering and authorizing FortiSwitch units
This section covers the following topics:
- Migrating the configuration of standalone FortiSwitch units
- VLAN interface templates for FortiSwitch units
Migrating the configuration of standalone FortiSwitch units
When a configured standalone FortiSwitch unit is converted to FortiLink mode, the standalone configuration is lost. To save time, use the fortilinkify.py
utility to migrate your standalone configuration from one or more FortiSwitch units to a combined FortiGate-compatible configuration.
To get the script and instructions, go to:
https://fndn.fortinet.net/index.php?/tools/file/68-fortiswitch-configuration-migration-tool/
VLAN interface templates for FortiSwitch units
NOTE: You can only create VLAN interface templates when the FortiGate device has not authorized any FortiSwitch units yet, so only physically connect the FortiSwitch unit to the FortiGate device after completing this section.
You can create configuration templates that define the VLAN interfaces and are applied to new FortiSwitch devices when they are discovered and managed by the FortiGate device.
For each VDOM, you can create templates, and then assign those templates to the automatically created switch VLAN interfaces for six types of traffic. The network subnet that is reserved for the switch controller can also be customized.
To ensure that switch VLAN interface names are unique for each system, the following naming rules are used:
- root VDOM: The interface names are the same as the template names.
- other VDOMs: The interface name is created from the template name and the SNMP index of the interface. For example, if the template name is quarantined and the SNMP index is 29, the interface name is quarantined.29.
You can also customize the FortiLink management VLAN per FortiLink interface:
config system interface
    edit <fortilink interface>
        set fortilink enable
        set switch-controller-mgmt-vlan <integer>
    next
end
The management VLAN can be a number from 1 to 4094. The default value is 4094.
Create VLAN interface templates
To configure the VLAN interface templates:
config switch-controller initial-config template
    edit <template_name>
        set vlanid <integer>
        set ip <ip/netmask>
        set allowaccess {options}
        set auto-ip {enable | disable}
        set dhcp-server {enable | disable}
    next
end
| Variable | Description |
| --- | --- |
| <template_name> | The name, or part of the name, of the template. |
| vlanid <integer> | The unique VLAN ID for the type of traffic the template is assigned to (1-4094; the default is 4094). |
| ip <ip/netmask> | The IP address and subnet mask of the switch VLAN interface. This can only be configured when auto-ip is disabled. |
| allowaccess {options} | The permitted types of management access to this interface. |
| auto-ip {enable \| disable} | When enabled, the switch controller picks an unused 24-bit subnet from switch-controller-reserved-network (configured in config system global). |
| dhcp-server {enable \| disable} | When enabled, the switch controller creates a DHCP server for the switch VLAN interface. |
To assign the templates to the specific traffic types:
config switch-controller initial-config vlans
    set default-vlan <template>
    set quarantine <template>
    set rspan <template>
    set voice <template>
    set video <template>
    set nac <template>
end
| Variable | Description |
| --- | --- |
| default-vlan <template> | Default VLAN assigned to all switch ports upon discovery. |
| quarantine <template> | VLAN for quarantined traffic. |
| rspan <template> | VLAN for RSPAN/ERSPAN mirrored traffic. |
| voice <template> | VLAN dedicated for voice devices. |
| video <template> | VLAN dedicated for video devices. |
| nac <template> | VLAN for NAC onboarding devices. |
To configure the network subnet that is reserved for the switch controller:
config system global
    set switch-controller-reserved-network <ip/netmask>
end
The default value is 169.254.0.0 255.255.0.0.
Example
In this example, six templates are configured with different VLAN IDs. Except for the default template, all of them have DHCP server enabled. When a FortiSwitch is discovered, VLANs and the corresponding DHCP servers are automatically created.
To configure six templates and apply them to VLAN traffic types:
config switch-controller initial-config template
    edit "default"
        set vlanid 1
        set auto-ip disable
    next
    edit "quarantine"
        set vlanid 4093
        set dhcp-server enable
    next
    edit "rspan"
        set vlanid 4092
        set dhcp-server enable
    next
    edit "voice"
        set vlanid 4091
        set dhcp-server enable
    next
    edit "video"
        set vlanid 4090
        set dhcp-server enable
    next
    edit "onboarding"
        set vlanid 4089
        set dhcp-server enable
    next
end
config switch-controller initial-config vlans
    set default-vlan "default"
    set quarantine "quarantine"
    set rspan "rspan"
    set voice "voice"
    set video "video"
    set nac "onboarding"
end
To see the automatically created VLANs and DHCP servers:
show system interface
    edit "default"
        set vdom "root"
        set snmp-index 24
        set switch-controller-feature default-vlan
        set interface "fortilink"
        set vlanid 1
    next
    edit "quarantine"
        set vdom "root"
        set ip 169.254.11.1 255.255.255.0
        set description "Quarantine VLAN"
        set security-mode captive-portal
        set replacemsg-override-group "auth-intf-quarantine"
        set device-identification enable
        set snmp-index 25
        set switch-controller-access-vlan enable
        set switch-controller-feature quarantine
        set color 6
        set interface "fortilink"
        set vlanid 4093
    next
    ...
end
show system dhcp server
    edit 2
        set dns-service local
        set ntp-service local
        set default-gateway 169.254.1.1
        set netmask 255.255.255.0
        set interface "fortilink"
        config ip-range
            edit 1
                set start-ip 169.254.1.2
                set end-ip 169.254.1.254
            next
        end
        set vci-match enable
        set vci-string "FortiSwitch" "FortiExtender"
    next
    edit 3
        set dns-service default
        set default-gateway 169.254.11.1
        set netmask 255.255.255.0
        set interface "quarantine"
        config ip-range
            edit 1
                set start-ip 169.254.11.2
                set end-ip 169.254.11.254
            next
        end
        set timezone-option default
    next
    ...
end
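As an added example (not Fortinet code), the following Python helper checks the template rules this section states before the configuration is pasted into the FortiGate: VLAN IDs must be unique and within 1-4094, a static ip is only allowed with auto-ip disabled, interface names follow the root/non-root naming rule, and auto-ip templates get an unused /24 from the reserved 169.254.0.0/16 network. The first-free /24 choice and the treatment of 169.254.1.0/24 as already taken by the FortiLink interface are assumptions for illustration, not the switch controller's own allocation algorithm.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network
# Added helper, not Fortinet code; the first-free /24 choice is an assumption.
@dataclass
class Template:
    name: str
    vlanid: int
    auto_ip: bool = True       # CLI default: auto-ip enabled
    dhcp_server: bool = False
    ip: str = ""               # "addr mask"; only valid when auto_ip is False
def validate(templates):
    """Unique VLAN IDs in 1-4094; a static ip only when auto-ip is disabled."""
    seen = set()
    for t in templates:
        if not 1 <= t.vlanid <= 4094:
            raise ValueError(f"{t.name}: vlanid {t.vlanid} outside 1-4094")
        if t.vlanid in seen:
            raise ValueError(f"{t.name}: vlanid {t.vlanid} is not unique")
        seen.add(t.vlanid)
        if t.ip and t.auto_ip:
            raise ValueError(f"{t.name}: ip requires auto-ip disable")
    return True

def allocate_auto_ip(templates, reserved="169.254.0.0/255.255.0.0", used=()):
    """Plan an unused /24 from the reserved network for each auto-ip template."""
    taken = {IPv4Network(u) for u in used}
    free = (s for s in IPv4Network(reserved).subnets(new_prefix=24) if s not in taken)
    plan = {}
    for t in templates:
        if t.auto_ip:
            s = next(free)  # skips subnets already in use, e.g. the FortiLink one
            plan[t.name] = f"{s.network_address + 1} {s.netmask}"
    return plan
def interface_name(template_name, vdom, snmp_index):
    """Naming rule: root VDOM keeps the template name, others append .<snmp-index>."""
    return template_name if vdom == "root" else f"{template_name}.{snmp_index}"

def render_cli(templates, assignments):
    """Emit the template block and the traffic-type assignment block as CLI text."""
    out = ["config switch-controller initial-config template"]
    for t in templates:
        out += [f'    edit "{t.name}"', f"        set vlanid {t.vlanid}"]
        out += ["        set auto-ip disable"] if not t.auto_ip else []
        out += [f"        set ip {t.ip}"] if t.ip else []
        out += ["        set dhcp-server enable"] if t.dhcp_server else []
        out.append("    next")
    out += ["end", "config switch-controller initial-config vlans"]
    out += [f'    set {traffic} "{name}"' for traffic, name in assignments.items()]
    return "\n".join(out + ["end"])
```

Running validate() on the template list before render_cli() catches a duplicate VLAN ID or an ip set alongside auto-ip enable offline, rather than at paste time on the FortiGate.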