Fortinet Document Library

Optional FortiLink configuration required before discovering and authorizing FortiSwitch units

This section covers the following topics:

  • Migrating the configuration of standalone FortiSwitch units
  • VLAN interface templates for FortiSwitch units

Migrating the configuration of standalone FortiSwitch units

When a configured standalone FortiSwitch unit is converted to FortiLink mode, the standalone configuration is lost. To save time, use the fortilinkify.py utility to migrate your standalone configuration from one or more FortiSwitch units to a combined FortiGate-compatible configuration.

To get the script and instructions, go to:

https://fndn.fortinet.net/index.php?/tools/file/68-fortiswitch-configuration-migration-tool/

VLAN interface templates for FortiSwitch units

NOTE: You can only create VLAN interface templates when the FortiGate device has not authorized any FortiSwitch units yet, so only physically connect the FortiSwitch unit to the FortiGate device after completing this section.

You can create configuration templates that define the VLAN interfaces and are applied to new FortiSwitch devices when they are discovered and managed by the FortiGate device.

For each VDOM, you can create templates, and then assign those templates to the automatically created switch VLAN interfaces for six types of traffic. The network subnet that is reserved for the switch controller can also be customized.

To ensure that switch VLAN interface names are unique for each system, the following naming rules are used:

  • root VDOM: The interface names are the same as the template names.
  • other VDOMs: The interface name is created from the template name and the SNMP index of the interface. For example, if the template name is quarantined and the SNMP index is 29, the interface name is quarantined.29.

You can also customize the FortiLink management VLAN per FortiLink interface:

config system interface
    edit <fortilink interface>
        set fortilink enable
        set switch-controller-mgmt-vlan <integer>
    next
end

The management VLAN can be a number from 1 to 4094. The default value is 4094.

Create VLAN interface templates

To configure the VLAN interface templates:

config switch-controller initial-config template
    edit <template_name>
        set vlanid <integer>
        set ip <ip/netmask>
        set allowaccess {options}
        set auto-ip {enable | disable}
        set dhcp-server {enable | disable}
    next
end

<template_name>

The name, or part of the name, of the template.

vlanid <integer>

The unique VLAN ID for the type of traffic the template is assigned to (1-4094; the default is 4094)

ip <ip/netmask>

The IP address and subnet mask of the switch VLAN interface. This can only be configured when auto‑ip is disabled.

allowaccess {options}

The permitted types of management access to this interface.

auto-ip {enable | disable}

When enabled, the switch controller picks an unused /24 subnet from the switch-controller-reserved-network (configured in config system global). This is the default.

dhcp-server {enable | disable}

When enabled, the switch controller creates a DHCP server for the switch VLAN interface.

To assign the templates to the specific traffic types:

config switch-controller initial-config vlans
    set default-vlan <template>
    set quarantine <template>
    set rspan <template>
    set voice <template>
    set video <template>
    set nac <template>
end

default-vlan <template>

Default VLAN assigned to all switch ports upon discovery.

quarantine <template>

VLAN for quarantined traffic.

rspan <template>

VLAN for RSPAN/ERSPAN mirrored traffic.

voice <template>

VLAN dedicated for voice devices.

video <template>

VLAN dedicated for video devices.

nac <template>

VLAN for NAC onboarding devices.

To configure the network subnet that is reserved for the switch controller:

config system global
    set switch-controller-reserved-network <ip/netmask>
end

The default value is 169.254.0.0 255.255.0.0.
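The following script is an added example, not Fortinet code. It encodes the constraints stated above so a template set can be checked before any FortiSwitch is authorized (after which the templates can no longer be created): VLAN IDs in 1-4094 and unique, `ip` only with auto-ip disabled, traffic types assigned only to defined templates. It also simulates auto-ip by handing out unused /24s from the reserved network and derives the interface name per VDOM. The page does not say which free /24 the switch controller picks, so "lowest free /24" is this example's assumption, as is the default `in_use` set (the /24 the FortiLink interface itself holds in the example output below).

```python
"""Validate and render FortiOS 'switch-controller initial-config' VLAN templates.

Added example; not Fortinet code. Rules encoded: vlanid 1-4094 and unique,
'ip' only valid with auto-ip disabled, auto-ip takes an unused /24 from
switch-controller-reserved-network (169.254.0.0/16 by default), interface name
is the template name in the root VDOM or '<template>.<snmp-index>' elsewhere.
Which free /24 auto-ip picks is not documented; lowest free is assumed here.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

TRAFFIC_TYPES = ("default-vlan", "quarantine", "rspan", "voice", "video", "nac")


@dataclass
class Template:
    name: str
    vlanid: int
    auto_ip: bool = True          # FortiOS default
    dhcp_server: bool = False
    ip: Optional[str] = None      # "a.b.c.d/len", only when auto_ip is False
    allowaccess: tuple = ()       # e.g. ("ping",); empty = no management access


def validate(templates: List[Template], assignment: Dict[str, str]) -> List[str]:
    """Return human-readable problems; an empty list means the set is consistent."""
    problems, by_vlan, names = [], {}, set()
    for t in templates:
        if not 1 <= t.vlanid <= 4094:
            problems.append(f"{t.name}: vlanid {t.vlanid} outside 1-4094")
        if t.vlanid in by_vlan:
            problems.append(f"{t.name}: vlanid {t.vlanid} already used by {by_vlan[t.vlanid]}")
        by_vlan.setdefault(t.vlanid, t.name)
        if t.name in names:
            problems.append(f"{t.name}: duplicate template name")
        names.add(t.name)
        if t.ip and t.auto_ip:
            problems.append(f"{t.name}: 'ip' can only be set when auto-ip is disabled")
    for traffic, tname in assignment.items():
        if traffic not in TRAFFIC_TYPES:
            problems.append(f"unknown traffic type {traffic!r}")
        if tname not in names:
            problems.append(f"{traffic}: refers to undefined template {tname!r}")
    return problems


def allocate_subnets(templates, reserved="169.254.0.0/16", in_use=("169.254.1.0/24",)):
    """Map each addressed template to its /24 (static 'ip' or simulated auto-ip).

    `in_use` lists /24s already taken; the default is the one the FortiLink
    interface itself holds in this page's example output (an assumption).
    """
    taken = {ipaddress.ip_network(n) for n in in_use}
    taken |= {ipaddress.ip_interface(t.ip).network for t in templates if t.ip}
    free = (n for n in ipaddress.ip_network(reserved).subnets(new_prefix=24) if n not in taken)
    result = {}
    for t in templates:
        if t.auto_ip:
            result[t.name] = next(free)   # StopIteration here = reserved network exhausted
        elif t.ip:
            result[t.name] = ipaddress.ip_interface(t.ip).network
    return result


def interface_name(template: str, vdom: str, snmp_index: int) -> str:
    """Name FortiOS gives the switch VLAN interface created from a template."""
    return template if vdom == "root" else f"{template}.{snmp_index}"


def render_cli(templates, assignment, reserved="169.254.0.0/16") -> str:
    """Emit the three CLI blocks in the order this page gives them."""
    net = ipaddress.ip_network(reserved)
    out = ["config system global",
           f"    set switch-controller-reserved-network {net.network_address} {net.netmask}",
           "end", "config switch-controller initial-config template"]
    for t in templates:
        out += [f'    edit "{t.name}"', f"        set vlanid {t.vlanid}"]
        if not t.auto_ip:
            out.append("        set auto-ip disable")
            if t.ip:
                i = ipaddress.ip_interface(t.ip)
                out.append(f"        set ip {i.ip} {i.netmask}")
        if t.allowaccess:
            out.append("        set allowaccess " + " ".join(t.allowaccess))
        if t.dhcp_server:
            out.append("        set dhcp-server enable")
        out.append("    next")
    out += ["end", "config switch-controller initial-config vlans"]
    out += [f'    set {k} "{assignment[k]}"' for k in TRAFFIC_TYPES if k in assignment]
    return "\n".join(out + ["end"])


# The six templates from this page's example section.
PAGE_TEMPLATES = [Template("default", 1, auto_ip=False)] + [
    Template(n, v, dhcp_server=True)
    for n, v in (("quarantine", 4093), ("rspan", 4092), ("voice", 4091),
                 ("video", 4090), ("onboarding", 4089))]
PAGE_ASSIGNMENT = {"default-vlan": "default", "quarantine": "quarantine", "rspan": "rspan",
                   "voice": "voice", "video": "video", "nac": "onboarding"}

if __name__ == "__main__":
    print(validate(PAGE_TEMPLATES, PAGE_ASSIGNMENT) or "templates OK")
    print(allocate_subnets(PAGE_TEMPLATES))
    print(render_cli(PAGE_TEMPLATES, PAGE_ASSIGNMENT))
```

Run it before connecting the first switch: `validate` must return an empty list, and the rendered CLI can be pasted into the FortiGate. Keep `allowaccess` empty on the quarantine and NAC templates unless you deliberately want quarantined hosts to reach the FortiGate's management services.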

Example

In this example, six templates are configured with different VLAN IDs. Except for the default template, all of them have DHCP server enabled. When a FortiSwitch is discovered, VLANs and the corresponding DHCP servers are automatically created.

To configure six templates and apply them to VLAN traffic types:

config switch-controller initial-config template
    edit "default"
        set vlanid 1
        set auto-ip disable
    next
    edit "quarantine"
        set vlanid 4093
        set dhcp-server enable
    next
    edit "rspan"
        set vlanid 4092
        set dhcp-server enable
    next
    edit "voice"
        set vlanid 4091
        set dhcp-server enable
    next
    edit "video"
        set vlanid 4090
        set dhcp-server enable
    next
    edit "onboarding"
        set vlanid 4089
        set dhcp-server enable
    next
end

config switch-controller initial-config vlans
    set default-vlan "default"
    set quarantine "quarantine"
    set rspan "rspan"
    set voice "voice"
    set video "video"
    set nac "onboarding"
end

To see the automatically created VLANs and DHCP servers:

show system interface
    edit "default"
        set vdom "root"
        set snmp-index 24
        set switch-controller-feature default-vlan
        set interface "fortilink"
        set vlanid 1
    next
    edit "quarantine"
        set vdom "root"
        set ip 169.254.11.1 255.255.255.0
        set description "Quarantine VLAN"
        set security-mode captive-portal
        set replacemsg-override-group "auth-intf-quarantine"
        set device-identification enable
        set snmp-index 25
        set switch-controller-access-vlan enable
        set switch-controller-feature quarantine
        set color 6
        set interface "fortilink"
        set vlanid 4093
    next
    ...
end

show system dhcp server
    edit 2
        set dns-service local
        set ntp-service local
        set default-gateway 169.254.1.1
        set netmask 255.255.255.0
        set interface "fortilink"
        config ip-range
            edit 1
                set start-ip 169.254.1.2
                set end-ip 169.254.1.254
            next
        end
        set vci-match enable
        set vci-string "FortiSwitch" "FortiExtender"
    next
    edit 3
        set dns-service default
        set default-gateway 169.254.11.1
        set netmask 255.255.255.0
        set interface "quarantine"
        config ip-range
            edit 1
                set start-ip 169.254.11.2
                set end-ip 169.254.11.254
            next
        end
        set timezone-option default
    next
    ...
end
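The output above is what a reviewer should check after discovery rather than just read. The script below is an added example, not Fortinet code: it parses the `show` format printed above (config/edit/set/next/end) and audits the points that matter for the switch-controller VLANs, namely that each auto-created DHCP scope lies inside its interface's /24 with the interface address as gateway, that the quarantine VLAN is in captive-portal mode and has no `allowaccess` (quarantined hosts should not reach FortiGate management services), and that the FortiLink scope only leases to the FortiSwitch/FortiExtender vendor class (`vci-match`). The sample text is constructed from the page's output, trimmed to the relevant lines; the `fortilink` interface entry and its address 169.254.1.1 are inferred from the scope's default-gateway and are this example's assumption.

```python
"""Audit the VLANs and DHCP scopes the switch controller auto-created.

Added example; not Fortinet code. Parses FortiOS 'show' output and checks:
DHCP scope inside the interface subnet with the interface as gateway, the
quarantine VLAN in captive-portal mode with no allowaccess, and the FortiLink
scope restricted by vci-match to the FortiSwitch vendor class. Samples are
constructed from this page's output (trimmed); the fortilink entry is assumed.
"""
import ipaddress
import shlex

SAMPLE_INTERFACES = """\
config system interface
    edit "fortilink"
        set ip 169.254.1.1 255.255.255.0
        set fortilink enable
    next
    edit "quarantine"
        set ip 169.254.11.1 255.255.255.0
        set security-mode captive-portal
        set switch-controller-feature quarantine
        set interface "fortilink"
        set vlanid 4093
    next
end
"""
SAMPLE_DHCP = """\
config system dhcp server
    edit 2
        set default-gateway 169.254.1.1
        set netmask 255.255.255.0
        set interface "fortilink"
        config ip-range
            edit 1
                set start-ip 169.254.1.2
                set end-ip 169.254.1.254
            next
        end
        set vci-match enable
        set vci-string "FortiSwitch" "FortiExtender"
    next
    edit 3
        set default-gateway 169.254.11.1
        set netmask 255.255.255.0
        set interface "quarantine"
        config ip-range
            edit 1
                set start-ip 169.254.11.2
                set end-ip 169.254.11.254
            next
        end
    next
end
"""


def parse_show(text: str) -> dict:
    """Nest FortiOS 'show' output: config/edit open a dict, set stores a value list."""
    root, stack = {}, []
    stack.append(root)
    for line in text.splitlines():
        tok = shlex.split(line)          # honours the "quoted" values
        if not tok:
            continue
        if tok[0] == "config":
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "edit":
            stack.append(stack[-1].setdefault(tok[1], {}))
        elif tok[0] == "set":
            stack[-1][tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):
            stack.pop()
    return root


def audit(interfaces_text: str, dhcp_text: str) -> list:
    """Return findings; an empty list means the sampled config passes every check."""
    ifaces = parse_show(interfaces_text).get("system interface", {})
    scopes = parse_show(dhcp_text).get("system dhcp server", {})
    scope_of = {s["interface"][0]: s for s in scopes.values() if "interface" in s}
    findings = []
    for name, cfg in ifaces.items():
        scope = scope_of.get(name)
        addr = ipaddress.ip_interface("/".join(cfg["ip"])) if "ip" in cfg else None
        if scope and addr:
            gw = ipaddress.ip_address(scope["default-gateway"][0])
            if gw != addr.ip:
                findings.append(f"{name}: DHCP gateway {gw} is not the interface address {addr.ip}")
            for r in scope.get("ip-range", {}).values():
                lo, hi = (ipaddress.ip_address(r[k][0]) for k in ("start-ip", "end-ip"))
                if lo > hi or lo not in addr.network or hi not in addr.network:
                    findings.append(f"{name}: DHCP range {lo}-{hi} is not inside {addr.network}")
        if cfg.get("switch-controller-feature") == ["quarantine"]:
            if cfg.get("security-mode") != ["captive-portal"]:
                findings.append(f"{name}: quarantine VLAN is not in captive-portal mode")
            if cfg.get("allowaccess"):
                findings.append(f"{name}: quarantine VLAN allows management access: "
                                + " ".join(cfg["allowaccess"]))
        if cfg.get("fortilink") == ["enable"]:
            if scope is None:
                findings.append(f"{name}: no DHCP scope on the FortiLink interface")
            elif scope.get("vci-match") != ["enable"] or "FortiSwitch" not in scope.get("vci-string", []):
                findings.append(f"{name}: FortiLink DHCP scope is not limited to the FortiSwitch vendor class")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_INTERFACES, SAMPLE_DHCP) or ["no findings"]:
        print(f)
```

Feed it the real `show system interface` and `show system dhcp server` output of your unit instead of the samples; on a healthy deployment matching the example above it returns no findings.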