Optional FortiLink configuration required before discovering and authorizing FortiSwitch units
This section covers the following topics:
- Migrating the configuration of standalone FortiSwitch units
- VLAN interface templates for FortiSwitch units
- Automatic provisioning of FortiSwitch firmware upon authorization
Migrating the configuration of standalone FortiSwitch units
When a configured standalone FortiSwitch unit is converted to FortiLink mode, the standalone configuration is lost. To save time, use the fortilinkify.py utility to migrate your standalone configuration from one or more FortiSwitch units to a combined FortiGate-compatible configuration.
To get the script and instructions, go to:
https://fndn.fortinet.net/index.php?/tools/file/68-fortiswitch-configuration-migration-tool/
VLAN interface templates for FortiSwitch units
NOTE: You can only create VLAN interface templates when the FortiGate device has not authorized any FortiSwitch units yet, so only physically connect the FortiSwitch unit to the FortiGate device after completing this section.
You can create configuration templates that define the VLAN interfaces and are applied to new FortiSwitch devices when they are discovered and managed by the FortiGate device.
For each VDOM, you can create templates, and then assign those templates to the automatically created switch VLAN interfaces for six types of traffic. The network subnet that is reserved for the switch controller can also be customized.
To ensure that switch VLAN interface names are unique for each system, the following naming rules are used:
- root VDOM: The interface names are the same as the template names.
- other VDOMs: The interface name is created from the template name and the SNMP index of the interface. For example, if the template name is
quarantinedand the SNMP index is29, the interface name isquarantined.29.
You can also customize the FortiLink management VLAN per FortiLink interface:
config system interface
edit <fortilink interface>
set fortilink enable
set switch-controller-mgmt-vlan <integer>
next
end
The management VLAN can be a number from 1 to 4094. the default value is 4094.
Create VLAN interface templates
To configure the VLAN interface templates:
config switch-controller initial-config template
edit <template_name>
set vlanid <integer>
set ip <ip/netmask>
set allowaccess {options}
set auto-ip {enable | disable}
set dhcp-server {enable | disable}
next
end
|
<template_name> |
The name, or part of the name, of the template. |
|
vlanid <integer> |
The unique VLAN ID for the type of traffic the template is assigned to (1-4094; the default is 4094) |
|
ip <ip/netmask> |
The IP address and subnet mask of the switch VLAN interface. This can only be configured when auto‑ip is disabled. |
|
allowaccess {options} |
The permitted types of management access to this interface. |
|
auto-ip {enable | disable} |
When enabled, the switch-controller will pick an unused 24 bit subnet from the switch‑controller‑reserved‑network (configured in config system global). |
|
dhcp-server {enable | disable} |
When enabled, the switch-controller will create a DHCP server for the switch VLAN interface |
To assign the templates to the specific traffic types:
config switch-controller initial-config vlans
set default-vlan <template>
set quarantine <template>
set rspan <template>
set voice <template>
set video <template>
set nac <template>
end
|
default-vlan <template> |
Default VLAN assigned to all switch ports upon discovery. |
|
quarantine <template> |
VLAN for quarantined traffic. |
|
rspan <template> |
VLAN for RSPAN/ERSPAN mirrored traffic. |
|
voice <template> |
VLAN dedicated for voice devices. |
|
video <template> |
VLAN dedicated for video devices. |
|
nac <template> |
VLAN for NAC onboarding devices. |
To configure the network subnet that is reserved for the switch controller:
config system global
set switch-controller-reserved-network <ip/netmask>
end
The default value is 169.254.0.0 255.255.0.0.
Example
In this example, six templates are configured with different VLAN IDs. Except for the default template, all of them have DHCP server enabled. When a FortiSwitch is discovered, VLANs and the corresponding DHCP servers are automatically created.
To configure six templates and apply them to VLAN traffic types:
config switch-controller initial-config template
edit "default"
set vlanid 1
set auto-ip disable
next
edit "quarantine"
set vlanid 4093
set dhcp-server enable
next
edit "rspan"
set vlanid 4092
set dhcp-server enable
next
edit "voice"
set vlanid 4091
set dhcp-server enable
next
edit "video"
set vlanid 4090
set dhcp-server enable
next
edit "onboarding"
set vlanid 4089
set dhcp-server enable
next
end
config switch-controller initial-config vlans
set default-vlan "default"
set quarantine "quarantine"
set rspan "rspan"
set voice "voice"
set video "video"
set nac "onboarding"
end
To see the automatically created VLANs and DHCP servers:
show system interface
edit "default"
set vdom "root"
set snmp-index 24
set switch-controller-feature default-vlan
set interface "fortilink"
set vlanid 1
next
edit "quarantine"
set vdom "root"
set ip 169.254.11.1 255.255.255.0
set description "Quarantine VLAN"
set security-mode captive-portal
set replacemsg-override-group "auth-intf-quarantine"
set device-identification enable
set snmp-index 25
set switch-controller-access-vlan enable
set switch-controller-feature quarantine
set color 6
set interface "fortilink"
set vlanid 4093
next
...
end
show system dhcp server
edit 2
set dns-service local
set ntp-service local
set default-gateway 169.254.1.1
set netmask 255.255.255.0
set interface "fortilink"
config ip-range
edit 1
set start-ip 169.254.1.2
set end-ip 169.254.1.254
next
end
set vci-match enable
set vci-string "FortiSwitch" "FortiExtender"
next
edit 3
set dns-service default
set default-gateway 169.254.11.1
set netmask 255.255.255.0
set interface "quarantine"
config ip-range
edit 1
set start-ip 169.254.11.2
set end-ip 169.254.11.254
next
end
set timezone-option default
next
...
end
Automatic provisioning of FortiSwitch firmware upon authorization
Starting in FortiOS 7.0.0, administrators can use the FortiOS CLI to upload the FortiSwitch firmware and then configure the managed FortiSwitch units to be automatically upgraded with the uploaded firmware when the switches were authorized by FortiLink. On FortiGate models that have a hard disk, up to four images for the same FortiSwitch model can be uploaded. For FortiGate models without a hard disk, only one image can be uploaded for each FortiSwitch model.
Starting in FortiOS 7.0.4, administrators no longer need to upload the FortiSwitch firmware. Instead, administrators can configure the managed FortiSwitch units to be automatically upgraded to the latest FortiSwitchOS version available in FortiGuard when the switches are authorized by FortiLink. If the FortiSwitch units are already running the latest version of FortiSwitchOS when they are authorized, no changes are made.
|
|
To configure the automatic provisioning using uploaded FortiSwitch firmware:
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
set firmware-provision {enable | disable}
set firmware-provision-version <version>
next
end
|
firmware-provision {enable | disable} |
Enable or disable provisioning firmware to the FortiSwitch unit after authorization (the default is disable). |
|
firmware-provision-version <version> |
The firmware version to provision the FortiSwitch unit with on bootup. The format is major_version.minor_version.build_number, for example, 6.4.0454. |
In the following example, a FortiSwitch 248E-POE is upgraded from FortiSwitchOS 6.4.3 to 6.4.4:
-
Upload the FortiSwitch image to the FortiGate device and confirm that it was uploaded successfully:
# execute switch-controller switch-software upload tftp 248-454.out 172.18.60.160 Downloading file 248-454.out from tftp server 172.18.60.160... ########################### Image checking ... Image MD5 calculating ... Image Saving S248EP-IMG.swtp ... Successful! File Syncing...
# execute switch-controller switch-software list-available ImageName ImageSize(B) ImageInfo Uploaded Time S248EP-v6.4-build454-IMG.swtp 28579517 S248EP-v6.4-build454 Mon Nov 30 15:06:07 2020
-
On the FortiSwitch unit, check the current version:
# get system status Version: FortiSwitch-248E-POE v6.4.3,build0452,201029 (GA) Serial-Number: S248EPTF18001842 BIOS version: 04000004 System Part-Number: P22169-02 Burn in MAC: 70:4c:a5:e1:53:f6 Hostname: S248EPTF18001842 Distribution: International Branch point: 452 System time: Wed Dec 31 16:11:17 1969
-
On the FortiSwitch unit, change the management mode to FortiLink:
config system global set switch-mgmt-mode fortilink end
-
On the FortiGate device, enable firmware provisioning and specify the version:
config switch-controller managed-switch edit S248EPTF18000000 set firmware-provision enable set firmware-provision-version 6.4.0454 next end
-
On the FortiGate device, authorize the FortiSwitch unit:
config switch-controller managed-switch edit S248EPTF18000000 set fsw-wan1-peer flink set fsw-wan1-admin enable next end
-
When the authorized FortiSwitch unit is in FortiLink mode, it automatically starts upgrading to the provisioned firmware:
# execute switch-controller get-upgrade-status Device Running-version Status Next-boot =================================================================================================================== VDOM : vdom1 FS1D243Z170000XX FS1D24-v6.4.0-build456,201121 (Interim) (0/0/0) N/A (Idle) S248DN3X170002XX S248DN-v6.4.0-build456,201121 (Interim) (0/0/0) N/A (Idle) S248EPTF18000000 S248EP-v6.4.3-build452,201029 (GA) (14/0/0) N/A (Upgrading)
-
Check the version when the upgrade is complete:
# execute switch-controller get-conn-status Managed-devices in current vdom vdom1: FortiLink interface : flink SWITCH-ID VERSION STATUS FLAG ADDRESS JOIN-TIME NAME FS1D243Z17000032 v6.4.0 (456) Authorized/Up - 169.254.1.3 Mon Nov 30 11:08:10 2020 - S248DN3X170002XX v6.4.0 (456) Authorized/Up - 169.254.1.4 Mon Nov 30 11:08:32 2020 - S248EPTF18000000 v6.4.4 (454) Authorized/Up C 169.254.1.6 Mon Nov 30 15:20:53 2020 -
To set up the one-time automatic upgrade of the FortiSwitch firmware:
- On the FortiGate device, configure automatic provisioning:
config switch-controller global
set firmware-provision-on-authorization enable
end
By default, the
set firmware-provision-latestcommand is set todisableunderconfig switch-controller managed-switchbefore the FortiSwitch unit is authorized by the FortiGate device. - On the FortiGate device, authorize the FortiSwitch unit.
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
set fsw-wan1-peer <FortiLink_interface_name>
set fsw-wan1-admin enable
end
Authorizing the FortiSwitch unit changes the setting of the
set firmware-provision-latestcommand toonceunderconfig switch-controller managed-switch. - When the status of the managed FortiSwitch unit is “Authorized/Up,” the FortiGate device downloads the latest supported version of FortiSwitchOS from FortiGuard and then upgrades the switch.
- The setting of the
set firmware-provision-latestcommand is changed todisableunderconfig switch-controller managed-switch.
|
|
Instead of enabling |