Administration Guide

7.2.0

Optional management configuration

This section covers the following topics:

Using the FortiSwitch serial number for automatic name resolution

By default, you can check that the FortiSwitch unit is accessible from FortiSwitch Manager with the execute ping <FortiSwitch_IP_address> command. If you want to use the FortiSwitch serial number instead of the FortiSwitch IP address, use the following commands:

config switch-controller global
    set sn-dns-resolution enable
end

NOTE: The set sn-dns-resolution enable configuration is enabled by default.

Then you can use the execute ping <FortiSwitch_serial_number>.<domain_name> command to check if the FortiSwitch unit is accessible from FortiSwitch Manager. For example:

FSWMVMTM21000008 (root) # execute ping S524DF4K15000024.fsw
PING S524DF4K15000024.fsw (123.456.7.8): 56 data bytes
64 bytes from 123.456.7.8: icmp_seq=0 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=1 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=2 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=3 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=4 ttl=64 time=0.0 ms

Now you can use the execute ping <FortiSwitch_serial_number> command to check if the FortiSwitch unit is accessible from FortiSwitch Manager. For example:

FSWMVMTM21000008 (root) # execute ping S524DF4K15000024
PING S524DF4K15000024.fsw (123.456.7.8): 56 data bytes
64 bytes from 123.456.7.8: icmp_seq=0 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=1 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=2 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=3 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=4 ttl=64 time=0.0 ms

--- S524DF4K15000024.fsw ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

Changing the admin password for all managed FortiSwitch units

By default, each FortiSwitch unit has an admin account with no password. To replace the admin passwords for all managed FortiSwitch units, use the following commands from FortiSwitch Manager:

config switch-controller switch-profile
    edit default
        set login-passwd-override {enable | disable}
        set login-passwd <password>
    next
end

If you have already applied a profile with the override enabled and the password set and then decide to remove the admin password, you need to apply a profile with the override enabled and no password set; otherwise, your previously set password remains on the FortiSwitch unit. For example:

config switch-controller switch-profile
    edit default
        set login-passwd-override enable
        unset login-passwd
    next
end

Disabling the FortiSwitch console port login

Administrators can use the FortiSwitch profile to control whether users can log in with the managed FortiSwitchOS console port. By default, users can log in with the managed FortiSwitchOS console port.

To change the FortiSwitch profile:

config switch-controller switch-profile
    edit {default | <FortiSwitch_profile_name>}
        set login {enable | disable}    (enabled by default)
end

To disable logging in to the managed FortiSwitch console port in the default FortiSwitch profile:

config switch-controller switch-profile
    edit default
        set login disable
end

To change which FortiSwitch profile is used by a managed switch:

config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        set switch-profile {default | <FortiSwitch_profile_name>}
end

For example:

config switch-controller managed-switch
    edit S524DF4K15000024
        set switch-profile new_switch_profile
end

Using automatic network detection and configuration

There are three commands that let you use automatic network detection and configuration.

To specify which policies can override the defaults for a specific ISL, ICL, or FortiLink interface:

config switch-controller auto-config custom
    edit <automatically configured FortiLink, ISL, or ICL interface name>
        config switch-binding
            edit "switch serial number"
                set policy "custom automatic-configuration policy"
            end
    end

To specify policies that are applied automatically for all ISL, ICL, and FortiLink interfaces:

config switch-controller auto-config default
    set fgt-policy <default FortiLink automatic-configuration policy>
    set isl-policy <default ISL automatic-configuration policy>
    set icl-policy <default ICL automatic-configuration policy>
end

To specify the policies that define the behavior of automatically configured interfaces:

config switch-controller auto-config policy
    edit <policy_name>
        set qos-policy <automatic-configuration QoS policy>
        set storm-control-policy <automatic-configuration storm-control policy>
        set poe-status {enable | disable}
        set igmp-flood-report {enable | disable}
        set igmp-flood-traffic {enable | disable}
end

Limiting the number of parallel processes for FortiSwitch configuration

Use the following CLI commands to reduce the number of parallel processes that the switch controller uses for configuring FortiSwitch units:

config global
    config switch-controller system
        set parallel-process-override enable
        set parallel-process <1-300>
    end
end

Configuring access to management and internal interfaces

The set allowaccess command configures access to all interfaces on a FortiSwitch unit. If you need different access settings for the FortiSwitch management interface and the FortiSwitch internal interface, you can set up a local-access security policy with the following commands:

config switch-controller security-policy local-access
    edit <policy_name>
        set mgmt-allowaccess {https | ping | ssh | snmp | http | telnet | radius-acct}
        set internal-allowaccess {https | ping | ssh | snmp | http | telnet | radius-acct}
end

config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        set access-profile <name_of_policy>
end

For example:

config switch-controller security-policy local-access
    edit policy1
        set mgmt-allowaccess https ping ssh radius-acct
        set internal-allowaccess https ssh snmp telnet
end

config switch-controller managed-switch
    edit S524DF4K15000024
        set access-profile policy1
end
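The switch-profile settings above (admin password override, console login) and the local-access policy settings in this section are the ones an administrator most often wants to audit after the fact. The following is an added example, not Fortinet code: it parses the config / edit / set / next / end syntax of a FortiSwitch Manager CLI export and flags profiles that leave console login enabled, profiles that push an empty admin password, and local-access policies that permit cleartext http or telnet. The config text it reads is constructed for the example.

```python
"""Audit a FortiSwitch Manager CLI export (added example, not Fortinet code; input is constructed)."""
import shlex
SAMPLE_CONFIG = """\
config switch-controller switch-profile
    edit default
        set login-passwd-override enable
    next
    edit hardened
        set login-passwd ExamplePass1!
        set login disable
    next
end
config switch-controller security-policy local-access
    edit policy1
        set mgmt-allowaccess https ping ssh radius-acct
        set internal-allowaccess https ssh snmp telnet
    next
end
"""

def parse(text):
    """Map 'config' table -> 'edit' entry -> {key: [values]}; handles top-level tables only."""
    tables, table, entry = {}, None, None
    for cmd, *args in filter(None, map(shlex.split, text.splitlines())):  # shlex honours quoted values
        if cmd == "config":
            table = tables.setdefault(" ".join(args), {})
        elif cmd == "edit":
            entry = table.setdefault(args[0], {})
        elif cmd == "set":
            entry[args[0]] = args[1:]
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            table = entry = None
    return tables

def audit(tables):
    """Return sorted (entry, finding) pairs for the risky settings this section covers."""
    findings = []
    for name, prof in tables.get("switch-controller switch-profile", {}).items():
        if prof.get("login", ["enable"]) == ["enable"]:  # console login is enabled by default
            findings.append((name, "console login enabled"))
        if prof.get("login-passwd-override") == ["enable"] and "login-passwd" not in prof:
            findings.append((name, "override enabled with no admin password"))
    for name, pol in tables.get("switch-controller security-policy local-access", {}).items():
        for key in ("mgmt-allowaccess", "internal-allowaccess"):
            if weak := {"http", "telnet"} & set(pol.get(key, [])):  # cleartext management protocols
                findings.append((name, f"{key} permits {' '.join(sorted(weak))}"))
    return sorted(findings)
```

Feed it the output of a real config export in place of SAMPLE_CONFIG; a profile that omits set login is reported because the page states console login is on by default.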

Enabling VLAN optimization

When inter-switch links (ISLs) are automatically formed on trunks, the switch controller allows VLANs 1-4093 on ISL ports. This configuration can increase data processing on the FortiSwitch unit. When VLAN optimization is enabled, the FortiSwitch unit allows only user-defined VLANs on the automatically generated trunks.

NOTE: VLAN optimization is enabled by default.

To enable VLAN optimization on FortiSwitch units from FortiSwitch Manager:

config switch-controller global
    set vlan-optimization enable
end

NOTE: You cannot use the set vlan-all-mode all command with the set vlan-optimization enable command.

Grouping FortiSwitch units

You can simplify the configuration and management of complex topologies by creating FortiSwitch groups. A group can include one or more FortiSwitch units, and a group can contain different models.

Using the GUI:
  1. Go to Switch Controller > Managed FortiSwitch.
  2. Select Create New > FortiSwitch Group.
  3. In the Name field, enter a name for the FortiSwitch group.
  4. In the Members field, click + to select which switches to include in the FortiSwitch group.
  5. In the Description field, enter a description of the FortiSwitch group.
  6. Select OK.

Using the CLI:

config switch-controller switch-group
    edit <name>
        set description <string>
        set members <serial-number> <serial-number> ...
    next
end

Grouping FortiSwitch units allows you to restart all of the switches in the group at once instead of individually. For example, you can use the following command to restart all of the FortiSwitch units in a group named my-sw-group:

execute switch-controller switch-action restart delay switch-group my-sw-group

Upgrading the firmware of FortiSwitch groups is easier, too, because fewer commands are needed. See the next section for the procedure.
