Fortinet Document Library

Devices Managed by FortiOS

Replacing a managed FortiSwitch unit

If a managed FortiSwitch unit fails, you can replace it with another FortiSwitch unit that is managed by the same FortiGate unit. The replacement FortiSwitch unit inherits the configuration of the FortiSwitch unit that it replaces. After the replacement, the failed FortiSwitch unit is no longer managed by the FortiGate unit or discovered by FortiLink.

NOTE:

  • Both FortiSwitch units must be of the same model.
  • The replacement FortiSwitch unit must be discovered by FortiLink but not authorized.
  • If the replacement FortiSwitch unit is one of an MCLAG pair, you need to manually reconfigure the MCLAG-ICL trunk.
  • After replacing the failed FortiSwitch unit, the automatically created trunk name does not change. If you want a different trunk name, you need to delete the trunk; the new trunk is then created automatically with an updated name. At the end of this section is a detailed procedure for renaming the MCLAG-ICL trunk.
  • If the replaced managed FortiSwitch unit is part of an MCLAG, connect only the ICL to the new switch to avoid traffic loops. Connect the other interfaces only to the switch that is fully managed by the FortiGate unit with the correct configuration.
  • The best way to replace an MCLAG FortiSwitch unit in FortiLink:
  1. Back up the configuration of the failed FortiSwitch unit.
  2. Restore the configuration to the replacement FortiSwitch unit while it is offline.
  3. Enter the replace-device command in FortiOS.
  4. Physically replace the failed FortiSwitch unit.
To replace a managed FortiSwitch unit:
  1. Unplug the failed FortiSwitch unit.
  2. Plug in the replacement FortiSwitch unit.
  3. Upgrade the firmware of the replacement FortiSwitch unit to the same version as the firmware on the failed FortiSwitch unit. See Viewing and upgrading the FortiSwitch firmware version.
  4. Reset the replacement FortiSwitch unit to factory default settings with the execute factoryreset command.
  5. Check the serial number of the replacement FortiSwitch unit.
  6. From the FortiGate unit, go to WiFi & Switch Controller > Managed FortiSwitch.
  7. Select the faceplate of the failed FortiSwitch unit.
  8. Select Deauthorize.
  9. Connect the replacement FortiSwitch unit to the FortiGate unit that was managing the failed FortiSwitch unit.

    NOTE: If the replaced managed FortiSwitch unit is part of an MCLAG, connect only the ICL to the new switch to avoid traffic loops. Connect the other interfaces only to the switch that is fully managed by the FortiGate unit with the correct configuration.

  10. If the failed FortiSwitch unit was part of a VDOM, enter the following commands:

    config vdom
    edit <VDOM_name>
    execute replace-device fortiswitch <failed_FortiSwitch_serial_number> <replacement_FortiSwitch_serial_number>

    For example:

    config vdom
    edit vdom_new
    execute replace-device fortiswitch S124DN3W16002025 S124DN3W16002026

    If the failed FortiSwitch unit was not part of a VDOM, enter the following command:

    execute replace-device fortiswitch <failed_FortiSwitch_serial_number> <replacement_FortiSwitch_serial_number>

    An error is returned if the replacement FortiSwitch unit is already authorized.

  11. Authorize the replacement FortiSwitch unit.
  12. Connect the rest of the cables required for the uplinks and downlinks of the MCLAG FortiSwitch units.
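The checks behind the notes above (same model, replacement discovered but not yet authorized, failed unit already deauthorized) and the step 10 commands, as an added Python example; it is not part of the Fortinet page. It assumes that the first six characters of a FortiSwitch serial number identify the model, and that execute switch-controller get-conn-status output has the column layout shown further down this page with STATUS written as Authorized/... or Unauthorized/...; the sample get-conn-status output is constructed.

```python
"""Pre-flight checks and CLI generation for `execute replace-device fortiswitch`.

Added example, not Fortinet code. Assumptions that the page does not state:
  * FortiSwitch serial numbers are 16 upper-case alphanumeric characters and the
    first six characters identify the hardware model (S124DN..., FS1D48...).
  * `execute switch-controller get-conn-status` lists one switch per line in the
    column order shown on the page (SWITCH-ID VERSION STATUS ADDRESS JOIN-TIME NAME),
    with STATUS written as "<Authorized|Unauthorized>/<Up|Down>".
"""
import re
from typing import Dict, List, Optional

SERIAL_RE = re.compile(r"^[A-Z0-9]{16}$")
MODEL_PREFIX_LEN = 6  # assumption: the model code is the first six characters


def model_of(serial: str) -> str:
    if not SERIAL_RE.match(serial):
        raise ValueError(f"not a FortiSwitch serial number: {serial!r}")
    return serial[:MODEL_PREFIX_LEN]


def parse_conn_status(output: str) -> Dict[str, dict]:
    """Map serial -> {version, authorized, link_up, address, name} from get-conn-status output."""
    switches: Dict[str, dict] = {}
    for line in output.splitlines():
        parts = line.split()
        # Data rows start with a serial number and carry a STATUS column such as
        # Authorized/Down; the banner and header lines do not.
        if len(parts) < 6 or not SERIAL_RE.match(parts[0]) or "/" not in parts[2]:
            continue
        auth, link = parts[2].split("/", 1)
        switches[parts[0]] = {
            "version": parts[1],
            "authorized": auth.lower() == "authorized",
            "link_up": link.lower() == "up",
            "address": parts[3],
            "name": parts[-1],   # NAME is last; JOIN-TIME may contain spaces
        }
    return switches


def preflight(failed: str, replacement: str, conn_status: str) -> List[str]:
    """Return the reasons replace-device should NOT be run yet (empty list = go ahead)."""
    problems = [f"{sn!r} is not a 16-character serial number"
                for sn in (failed, replacement) if not SERIAL_RE.match(sn)]
    if problems:
        return problems
    if failed == replacement:
        problems.append("failed and replacement serial numbers are identical")
    if model_of(failed) != model_of(replacement):
        problems.append(f"model mismatch: {model_of(failed)} vs {model_of(replacement)} "
                        "(both units must be the same model)")
    seen = parse_conn_status(conn_status)
    if replacement not in seen:
        problems.append(f"{replacement} has not been discovered by FortiLink")
    elif seen[replacement]["authorized"]:
        problems.append(f"{replacement} is already authorized; replace-device returns an error")
    if failed in seen and seen[failed]["authorized"]:
        problems.append(f"{failed} is still authorized; deauthorize it first (step 8)")
    return problems


def plan_replacement(failed: str, replacement: str, conn_status: str,
                     vdom: Optional[str] = None) -> List[str]:
    """The FortiOS CLI lines for step 10, or ValueError if a pre-flight check fails."""
    problems = preflight(failed, replacement, conn_status)
    if problems:
        raise ValueError("; ".join(problems))
    cmd = f"execute replace-device fortiswitch {failed} {replacement}"
    if vdom:
        return ["config vdom", f"edit {vdom}", cmd, "end"]  # "end" leaves the VDOM context again
    return [cmd]


# Constructed sample output: serial numbers come from the page's example; the
# second managed switch and the Unauthorized/Up status are made up for the demo.
SAMPLE_CONN_STATUS = """\
Managed-devices in current vdom vdom_new:
STACK-NAME: FortiSwitch-Stack-root-lag
SWITCH-ID        VERSION  STATUS          ADDRESS      JOIN-TIME  NAME
S124DN3W16002030 v6.0.0   Authorized/Up   10.105.60.2  N/A        access-sw1
S124DN3W16002026 v6.0.0   Unauthorized/Up 10.105.60.3  N/A        S124DN3W16002026
"""

if __name__ == "__main__":
    for line in plan_replacement("S124DN3W16002025", "S124DN3W16002026",
                                 SAMPLE_CONN_STATUS, vdom="vdom_new"):
        print(line)
```

Paste the output of execute switch-controller get-conn-status into conn_status and run plan_replacement; it refuses to emit the command when the replacement is already authorized (the case the page says returns an error) or when the two serial numbers point at different models.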
To rename the MCLAG-ICL trunk:

After replacing the failed FortiSwitch unit, the automatically created trunk name does not change. If you want a different trunk name, you need to delete the trunk; the new trunk is then created automatically with an updated name.

Changing the name of the MCLAG-ICL trunk must be done on both the FortiGate unit and the MCLAG-ICL switches. You need a maintenance window for the change.

  1. Shut down the FortiLink interface on the FortiGate unit.
    1. On the FortiGate unit, execute the show system interface <FortiLink-interface-name> command to list the member ports of the FortiLink aggregate interface. For example:

      FG3K2D3Z17800156 # show system interface root-lag
      config system interface
         edit "root-lag"
            set vdom "root"
            set fortilink enable
            set ip 10.105.60.254 255.255.255.0
            set allowaccess ping capwap
            set type aggregate
            set member "port45" "port48"
            config managed-device


    2. Write down the member port information. In this example, port45 and port48 are the member ports.
    3. Shut down the member ports with the config system interface, edit <member-port#>, set status down, next, and end commands. For example:

      FG3K2D3Z17800156 # config system interface
      FG3K2D3Z17800156 (interface) # edit port48
      FG3K2D3Z17800156 (port48) # set status down
      FG3K2D3Z17800156 (port48) # next // repeat for each member port
      FG3K2D3Z17800156 (interface) # edit port45
      FG3K2D3Z17800156 (port45) # set status down
      FG3K2D3Z17800156 (port45) # end


    4. Verify that FortiLink is down with the exec switch-controller get-conn-status command. For example:

      FG3K2D3Z17800156 # exec switch-controller get-conn-status
      Managed-devices in current vdom root:
      STACK-NAME: FortiSwitch-Stack-root-lag
      SWITCH-ID VERSION STATUS ADDRESS JOIN-TIME NAME
      FS1D483Z17000282 v6.0.0 Authorized/Down 0.0.0.0 N/A icl-sw2
      FS1D483Z17000348 v6.0.0 Authorized/Down 0.0.0.0 N/A icl-sw1


  2. Rename the MCLAG-ICL trunk name on both MCLAG-ICL switches.
    1. Execute the show switch trunk command on both MCLAG-ICL switches. Locate the ICL trunk that includes the set mclag-icl enable command in its configuration and write down the member ports and configuration information. For example:

      icl-sw1 # show switch trunk
      config switch trunk
      ...
      edit "D483Z17000282-0"
      set mode lacp-active
      set auto-isl 1
      set mclag-icl enable // look for this line
      set members "port27" "port28" // note the member ports
      next
      end


    2. Note the output of the show switch interface <MCLAG-ICL-trunk-name>, diagnose switch mclag icl, and diagnose switch trunk summary <MCLAG-ICL-trunk-name> commands. For example:

      icl-sw1 # show switch interface D483Z17000282-0
      config switch interface
      edit "D483Z17000282-0"
      set native-vlan 4094
      set allowed-vlans 1,100,2001-2060,4093
      set dhcp-snooping trusted
      set stp-state disabled
      set edge-port disabled
      set igmps-flood-reports enable
      set igmps-flood-traffic enable
      set snmp-index 57
      next
      end

      icl-sw1 # diag switch mclag icl
      D483Z17000282-0
      icl-ports 27-28
      egress-block-ports 3-4,7-12,47-48
      interface-mac 70:4c:a5:86:6d:e5
      lacp-serial-number FS1D483Z17000348
      peer-mac 70:4c:a5:49:50:53
      peer-serial-number FS1D483Z17000282
      Local uptime 0 days 1h:49m:24s
      Peer uptime 0 days 1h:49m:17s
      MCLAG-STP-mac 70:4c:a5:49:50:52
      keepalive interval 1
      keepalive timeout 60

      Counters
      received keepalive packets 4852
      transmited keepalive packets 5293
      received keepalive drop packets 20
      receive keepalive miss 1
       
      icl-sw1 # diagnose switch trunk sum D483Z17000282-0
      Trunk Name Mode PSC MAC Status Up Time
      ________________ _________________________ ___________ _________________ ___________ _________________________________
      D483Z17000282-0 lacp-active(auto-isl,mclag-icl) src-dst-ip 70:4C:A5:86:6E:00 up(2/2) 0 days,0 hours,16 mins,4 secs


    3. Shut down the ICL member ports using the config switch physical-port, edit <member port#>, set status down, next, and end commands. For example:

      icl-sw1 # config switch physical-port
      icl-sw1 (physical-port) # edit port27
      icl-sw1 (port27) # set status down
      icl-sw1 (port27) # next // repeat for each ICL member port
      icl-sw1 (physical-port) # edit port28
      icl-sw1 (port28) # set status down
      icl-sw1 (port28) # next
      icl-sw1 (physical-port) # end


    4. Delete the original MCLAG-ICL trunk on the switch using the config switch trunk, delete <mclag-icl-trunk-name>, and end commands. For example:

      icl-sw1 # config switch trunk
      icl-sw1 (trunk) # delete D483Z17000282-0
      icl-sw1 (trunk) # end


    5. Use the show switch trunk command to verify that the trunk is deleted.
    6. Create a new trunk for the MCLAG ICL using the original ICL trunk configuration collected in step 2b, and include the set auto-isl 0 command in the new configuration (the original trunk had set auto-isl 1). For example:

      icl-sw1 # config switch trunk
      icl-sw1 (trunk) # edit MCLAG-ICL
      new entry 'MCLAG-ICL' added
      icl-sw1 (MCLAG-ICL) # set mode lacp-active
      icl-sw1 (MCLAG-ICL) # set auto-isl 0
      icl-sw1 (MCLAG-ICL) # set members "port27" "port28"
      icl-sw1 (MCLAG-ICL) # set mclag-icl enable
      icl-sw1 (MCLAG-ICL) # end


    7. Use the show switch trunk command to check the trunk configuration.
    8. Start the trunk member ports by using the config switch physical-port, edit <member port#>, set status up, next, and end commands. For example:

      icl-sw1 # config switch physical-port
      icl-sw1 (physical-port) # edit port27
      icl-sw1 (port27) # set status up
      icl-sw1 (port27) # next // repeat for each trunk member port
      icl-sw1 (physical-port) # edit port28
      icl-sw1 (port28) # set status up
      icl-sw1 (port28) # end


      NOTE: Follow steps 2a through 2h on both switches.
  3. Set up the FortiLink interface on the FortiGate unit. Enter the config system interface, edit <interface-member-port>, set status up, next, and end commands. For example:

    FG3K2D3Z17800156 # config system interface
    FG3K2D3Z17800156 (interface) # edit port45
    FG3K2D3Z17800156 (port45) # set status up
    FG3K2D3Z17800156 (port45) # next // repeat on all member ports
    FG3K2D3Z17800156 (interface) # edit port48
    FG3K2D3Z17800156 (port48) # set status up
    FG3K2D3Z17800156 (port48) # next
    FG3K2D3Z17800156 (interface) # end


  4. Check the configuration and status on both MCLAG-ICL switches.
    1. Enter the show switch trunk, show switch interface <new-trunk-name>, diagnose switch mclag icl, and diagnose switch trunk summary <new-trunk-name> commands. For example:

      icl-sw1 # show switch trunk
      config switch trunk
      <snip>
      edit "MCLAG-ICL"
      set mode lacp-active
      set mclag-icl enable
      set members "port27" "port28"
      next
      end

      icl-sw1 # show switch interface MCLAG-ICL
      config switch interface
      edit "MCLAG-ICL"
      set native-vlan 4094
      set allowed-vlans 1,100,2001-2060,4093
      set dhcp-snooping trusted
      set stp-state disabled
      set igmps-flood-reports enable
      set igmps-flood-traffic enable
      set snmp-index 56
      next
      end

      icl-sw1 # diagnose switch mclag icl
      MCLAG-ICL
      icl-ports 27-28
      egress-block-ports 3-4,7-12,47-48
      interface-mac 70:4c:a5:86:6d:e5
      lacp-serial-number FS1D483Z17000348
      peer-mac 70:4c:a5:49:50:53
      peer-serial-number FS1D483Z17000282
      Local uptime 0 days 2h:11m:13s
      Peer uptime 0 days 2h:11m: 7s
      MCLAG-STP-mac 70:4c:a5:49:50:52
      keepalive interval 1
      keepalive timeout 60

      Counters
      received keepalive packets 5838
      transmited keepalive packets 6279
      received keepalive drop packets 27
      receive keepalive miss 1

      icl-sw1 # diagnose switch trunk summary MCLAG-ICL

      Trunk Name Mode PSC MAC Status Up Time
      ________________ _________________________ ___________ _________________ ___________ _________________________________

      MCLAG-ICL lacp-active(auto-isl,mclag-icl) src-dst-ip 70:4C:A5:86:6E:00 up(2/2) 0 days,1 hours,4 mins,57 secs

    2. Compare the command results in step 4a with the command results in step 2b.
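A helper for the rename procedure above, added here as an example; it is not Fortinet code. It parses the show switch trunk output collected in step 2a, emits the per-switch FortiSwitch CLI for steps 2c, 2d, 2f and 2h (with set auto-isl 0 included), and performs the step 4b comparison by diffing the diagnose switch mclag icl output from step 2b against the output from step 4a while ignoring uptimes and keepalive counters. The input layouts it assumes are the ones shown in the page's own icl-sw1 output, and the sample inputs are rebuilt from that output.

```python
"""MCLAG-ICL rename helper: parses the output collected in steps 2a and 2b,
emits the FortiSwitch CLI for steps 2c, 2d, 2f and 2h, and compares the
step 4a output with the step 2b baseline (step 4b).

Added example, not Fortinet code. Assumed input layouts (taken from the page's
own sample output): `show switch trunk` as `config / edit "name" / set key
values / next / end`, with inline `// ...` remarks ignored; `diagnose switch
mclag icl` as the trunk name on the first line, then one `key value` per line.
"""
import re
import shlex
from typing import Dict, List, Tuple

Settings = Dict[str, List[str]]


def parse_config_block(output: str) -> Dict[str, Settings]:
    """{entry_name: {setting: [values]}} for one `config <table>` listing."""
    entries: Dict[str, Settings] = {}
    name, current = None, None
    for raw in output.splitlines():
        line = raw.split("//", 1)[0].strip()      # drop "// note the member ports" remarks
        if not line or line in ("...", "<snip>"):
            continue
        m = re.match(r"^edit\s+(.+)$", line)
        if m:
            name, current = m.group(1).strip().strip('"'), {}
        elif line == "next" and current is not None:
            entries[name] = current
            name, current = None, None
        elif line.startswith("set ") and current is not None:
            words = shlex.split(line[4:])
            current[words[0]] = words[1:]
    return entries


def find_icl_trunk(trunks: Dict[str, Settings]) -> str:
    """The ICL is the single trunk carrying `set mclag-icl enable`."""
    icl = [n for n, cfg in trunks.items() if cfg.get("mclag-icl") == ["enable"]]
    if len(icl) != 1:
        raise ValueError(f"expected exactly one MCLAG-ICL trunk, found {icl}")
    return icl[0]


def rename_icl_commands(show_switch_trunk: str, new_name: str) -> List[str]:
    """Per-switch CLI: shut the member ports, delete the old trunk, recreate it as
    new_name with the original settings plus `set auto-isl 0`, bring the ports back up."""
    trunks = parse_config_block(show_switch_trunk)
    old = find_icl_trunk(trunks)
    cfg = trunks[old]
    members = cfg.get("members", [])
    if not members:
        raise ValueError(f"trunk {old} has no member ports")

    def port_status(status: str) -> List[str]:
        cmds = ["config switch physical-port"]
        for port in members:
            cmds += [f"edit {port}", f"set status {status}", "next"]
        return cmds + ["end"]

    recreate = ["config switch trunk", f"edit {new_name}", "set auto-isl 0"]
    for key, values in cfg.items():
        if key == "auto-isl":                      # replaced by the explicit `set auto-isl 0`
            continue
        joined = " ".join(f'"{v}"' for v in values) if key == "members" else " ".join(values)
        recreate.append(f"set {key} {joined}")
    recreate.append("end")
    return (port_status("down") + ["config switch trunk", f"delete {old}", "end"]
            + recreate + port_status("up"))


VOLATILE = ("uptime", "keepalive packets", "keepalive drop", "keepalive miss")


def parse_mclag_icl(output: str) -> Tuple[str, Dict[str, str]]:
    """(trunk name, {field: value}) from `diagnose switch mclag icl`, minus counters and uptimes."""
    lines = [l.strip() for l in output.strip().splitlines() if l.strip()]
    fields: Dict[str, str] = {}
    for line in lines[1:]:
        key, _, value = line.rpartition(" ")       # a bare "Counters" line yields an empty key
        if key and not any(v in key.lower() for v in VOLATILE):
            fields[key] = value
    return lines[0], fields


def compare_icl_state(before: str, after: str) -> Dict[str, Tuple[str, str]]:
    """Step 4b: stable fields whose value changed; empty means the ICL came back unchanged."""
    _, old = parse_mclag_icl(before)
    _, new = parse_mclag_icl(after)
    return {k: (old.get(k, "<missing>"), new.get(k, "<missing>"))
            for k in sorted(set(old) | set(new)) if old.get(k) != new.get(k)}


# Sample inputs rebuilt from the page's icl-sw1 output (prompt lines omitted).
SHOW_SWITCH_TRUNK = '''config switch trunk
    edit "D483Z17000282-0"
        set mode lacp-active
        set auto-isl 1
        set mclag-icl enable // look for this line
        set members "port27" "port28"
    next
end
'''
ICL_BEFORE = '''D483Z17000282-0
icl-ports 27-28
interface-mac 70:4c:a5:86:6d:e5
lacp-serial-number FS1D483Z17000348
peer-mac 70:4c:a5:49:50:53
peer-serial-number FS1D483Z17000282
Peer uptime 0 days 1h:49m:17s
MCLAG-STP-mac 70:4c:a5:49:50:52
keepalive interval 1

Counters
received keepalive packets 4852
'''
ICL_AFTER = ICL_BEFORE.replace("D483Z17000282-0", "MCLAG-ICL").replace("1h:49m", "2h:11m")
```

Run rename_icl_commands once per MCLAG-ICL switch with that switch's own show switch trunk output, since the member ports and auto-generated trunk name differ between the two peers; a non-empty result from compare_icl_state after the rename means the ICL did not come back with the same ports or peer and the change should be rolled back before the FortiLink interface is brought up again.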
