Devices Managed by FortiOS

Optional FortiLink configuration

This section covers the following topics:

  Using the FortiSwitch serial number for automatic name resolution
  Changing the admin password on the FortiGate for all managed FortiSwitch units
  Using automatic network detection and configuration
  Limiting the number of parallel processes for FortiSwitch configuration
  Configuring access to management and internal interfaces
  Enabling FortiLink VLAN optimization
  Configuring the MAC sync interval
  Configuring the FortiSwitch management port
  Multiple FortiLink interfaces
  Grouping FortiSwitch units
  Firmware upgrade of stacked or tiered FortiSwitch units

Using the FortiSwitch serial number for automatic name resolution

By default, you can check that a FortiSwitch unit is accessible from the FortiGate unit with the execute ping <FortiSwitch_IP_address> command. To use the FortiSwitch serial number instead of the FortiSwitch IP address, use the following commands:

config switch-controller global

set sn-dns-resolution enable

end

NOTE: The set sn-dns-resolution enable configuration is enabled by default.

Then you can use the execute ping <FortiSwitch_serial_number>.<domain_name> command to check whether the FortiSwitch unit is accessible from the FortiGate unit. For example:

FG100D3G15817028 (root) # execute ping S524DF4K15000024.fsw

PING S524DF4K15000024.fsw (123.456.7.8): 56 data bytes

64 bytes from 123.456.7.8: icmp_seq=0 ttl=64 time=0.0 ms

64 bytes from 123.456.7.8: icmp_seq=1 ttl=64 time=0.0 ms

64 bytes from 123.456.7.8: icmp_seq=2 ttl=64 time=0.0 ms

64 bytes from 123.456.7.8: icmp_seq=3 ttl=64 time=0.0 ms

64 bytes from 123.456.7.8: icmp_seq=4 ttl=64 time=0.0 ms

Optionally, you can omit the domain name (.fsw) from the command by setting the default DNS domain on the FortiGate unit.

config system dns

set domain "fsw"

end

Now you can use the execute ping <FortiSwitch_serial_number> command to check if the FortiSwitch unit is accessible from the FortiGate unit. For example:

FG100D3G15817028 (root) # execute ping S524DF4K15000024

PING S524DF4K15000024.fsw (123.456.7.8): 56 data bytes

64 bytes from 123.456.7.8: icmp_seq=0 ttl=64 time=0.0 ms

64 bytes from 123.456.7.8: icmp_seq=1 ttl=64 time=0.0 ms

64 bytes from 123.456.7.8: icmp_seq=2 ttl=64 time=0.0 ms

64 bytes from 123.456.7.8: icmp_seq=3 ttl=64 time=0.0 ms

64 bytes from 123.456.7.8: icmp_seq=4 ttl=64 time=0.0 ms

--- S524DF4K15000024.fsw ping statistics ---

5 packets transmitted, 5 packets received, 0% packet loss

round-trip min/avg/max = 0.0/0.0/0.0 ms

Changing the admin password on the FortiGate for all managed FortiSwitch units

By default, each FortiSwitch has an admin account without a password, so set one before the switch carries production traffic. To replace the admin password on all FortiSwitch units managed by a FortiGate, use the following commands from the FortiGate CLI:

config switch-controller switch-profile

edit default

set login-passwd-override {enable | disable}

set login-passwd <password>

next

end

If you have already applied a profile with the override enabled and a password set, and later want to remove that password, apply a profile with the override enabled and no password set. Otherwise, the previously set password remains on the FortiSwitch. For example:

config switch-controller switch-profile

edit default

set login-passwd-override enable

unset login-passwd

next

end

Using automatic network detection and configuration

There are three commands that let you use automatic network detection and configuration.

To specify which policies override the defaults for a specific ISL, ICL, or FortiLink interface:

config switch-controller auto-config custom

edit <automatically configured FortiLink, ISL, or ICL interface name>

config switch-binding

edit <switch serial number>

set policy <custom automatic-configuration policy>

next

end

next

end

To specify policies that are applied automatically for all ISL, ICL, and FortiLink interfaces:

config switch-controller auto-config default

set fgt-policy <default FortiLink automatic-configuration policy>

set isl-policy <default ISL automatic-configuration policy>

set icl-policy <default ICL automatic-configuration policy>

end

NOTE: The ICL automatic-configuration policy requires FortiOS 6.2.0 or later.

To specify policy definitions that define the behavior on automatically configured interfaces:

config switch-controller auto-config policy

edit <policy_name>

set qos-policy <automatic-configuration QoS policy>

set storm-control-policy <automatic-configuration storm-control policy>

set poe-status {enable | disable}

set igmp-flood-report {enable | disable}

set igmp-flood-traffic {enable | disable}

end

Limiting the number of parallel processes for FortiSwitch configuration

Use the following CLI commands to reduce the number of parallel processes that the switch controller uses for configuring FortiSwitch units:

config global

config switch-controller system

set parallel-process-override enable

set parallel-process <1-300>

end

end

Configuring access to management and internal interfaces

The set allowaccess command configures access to all interfaces on a FortiSwitch unit. If the FortiSwitch management interface and the FortiSwitch internal interface need different access, set up a local-access security policy with the following commands and assign it to the managed switch. Enable only the protocols you actually use on each interface; http and telnet carry credentials in cleartext, so prefer https and ssh.

config switch-controller security-policy local-access

edit <policy_name>

set mgmt-allowaccess {https | ping | ssh | snmp | http | telnet | radius-acct}

set internal-allowaccess {https | ping | ssh | snmp | http | telnet | radius-acct}

end

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

set access-profile <name_of_policy>

end

For example:

config switch-controller security-policy local-access

edit policy1

set mgmt-allowaccess https ping ssh radius-acct

set internal-allowaccess https ssh snmp telnet

end

config switch-controller managed-switch

edit S524DF4K15000024

set access-profile policy1

end

NOTE: After you upgrade to FortiOS 6.2, the allowaccess settings for the FortiSwitch mgmt and internal interfaces are overridden by the default local-access security policy.
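The following script is an added example, not part of the Fortinet documentation, that audits local-access profiles after they have been applied: it parses the show-style output (edit/set/next/end nesting) of show switch-controller security-policy local-access and show switch-controller managed-switch, maps each managed switch to its access-profile, and lists the cleartext services (http, telnet) each profile exposes on the mgmt and internal interfaces. The sample text is constructed from the policy1 example above plus a second, stricter profile, and the managed-switch sample is trimmed to the access-profile setting. The assumption that a switch without an explicit access-profile uses the profile named "default" follows the note above; the function names are the example's own.

```python
"""Audit FortiSwitch local-access profiles for cleartext management services.

Added example, not Fortinet code. Parses the show-style text (edit/set/next/end
nesting) that `show switch-controller security-policy local-access` and
`show switch-controller managed-switch` print on the FortiGate, maps each
managed switch to its access-profile, and lists the cleartext services
(http, telnet) reachable on the switch's mgmt and internal interfaces.
"""
import re

# Services the mgmt-allowaccess / internal-allowaccess commands accept.
KNOWN_SERVICES = {"https", "ping", "ssh", "snmp", "http", "telnet", "radius-acct"}
# Services that carry credentials in cleartext.
CLEARTEXT = {"http", "telnet"}
# Assumption: a switch with no explicit access-profile uses the profile named
# "default" (the default local-access policy mentioned in the note above).
DEFAULT_PROFILE = "default"

# Constructed sample: the policy1 profile from the example above plus a
# stricter one, in the format the show command prints.
SAMPLE_PROFILES = """\
config switch-controller security-policy local-access
    edit "policy1"
        set mgmt-allowaccess https ping ssh radius-acct
        set internal-allowaccess https ssh snmp telnet
    next
    edit "hardened"
        set mgmt-allowaccess https ssh
        set internal-allowaccess https ssh
    next
end
"""
# Constructed sample, trimmed to the access-profile setting of each switch.
SAMPLE_SWITCHES = """\
config switch-controller managed-switch
    edit "S524DF4K15000024"
        set access-profile "policy1"
    next
    edit "S108EF5918003577"
        set access-profile "hardened"
    next
    edit "S108EP5918008265"
    next
end
"""

EDIT_RE = re.compile(r'^edit "?([^"]+)"?$')
SET_RE = re.compile(r"^set (\S+)\s+(.+)$")


def parse_show(text):
    """Return {entry_name: {setting: [values]}} for one show-style config block."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = EDIT_RE.match(line)
        if m:
            current = entries.setdefault(m.group(1), {})
            continue
        m = SET_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = [v.strip('"') for v in m.group(2).split()]
        elif line == "next":
            current = None
    return entries


def audit(profiles_text, switches_text):
    """Map each switch to its profile and the cleartext services per interface.

    Raises ValueError on a service name the command does not accept, which
    usually means the output was mis-parsed rather than misconfigured.
    """
    profiles = parse_show(profiles_text)
    switches = parse_show(switches_text)
    findings = {}
    for serial, settings in switches.items():
        name = settings.get("access-profile", [DEFAULT_PROFILE])[0]
        profile = profiles.get(name, {})
        report = {"profile": name}
        for key in ("mgmt-allowaccess", "internal-allowaccess"):
            services = set(profile.get(key, []))
            unknown = services - KNOWN_SERVICES
            if unknown:
                raise ValueError(f"{name}/{key}: unknown service(s) {sorted(unknown)}")
            report[key] = sorted(services & CLEARTEXT)
        findings[serial] = report
    return findings


if __name__ == "__main__":
    for serial, report in audit(SAMPLE_PROFILES, SAMPLE_SWITCHES).items():
        print(serial, report)
```

Run it against the real show output captured over SSH and any switch whose report lists telnet or http on either interface is a candidate for a tighter profile; a switch reported with the "default" profile has no explicit profile assigned, so check what that default allows.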


Enabling FortiLink VLAN optimization

When inter-switch links (ISLs) are automatically formed on trunks, the switch controller allows VLANs 1-4093 on ISL ports. This configuration can increase data processing on the FortiSwitch unit. When VLAN optimization is enabled, the FortiSwitch unit allows only user-defined VLANs on the automatically generated trunks.

NOTE: VLAN optimization is enabled by default.

To enable FortiLink VLAN optimization on FortiSwitch units from the FortiGate unit:

config switch-controller global

set vlan-optimization enable

end

NOTE: You cannot use the set vlan-all-mode all command with the set vlan-optimization enable command.

Configuring the MAC sync interval

Use the following commands to configure the global MAC sync interval, the time between MAC address table synchronizations. The range is 30 to 600 seconds, and the default value is 60.

config switch-controller mac-sync-settings

set mac-sync-interval <30-600>

end

Configuring the FortiSwitch management port

If the FortiSwitch model has a dedicated management port, you can configure remote management of the FortiSwitch through that port. In FortiLink mode, the FortiGate is the default gateway, so you need to configure an explicit route for the FortiSwitch management port.

Using the FortiGate GUI
  1. Go to Network > Static Routes > Create New > Route.
  2. Set Destination to Subnet and enter a subnetwork and mask.
  3. Set Device to the management interface.
  4. Add a Gateway IP address.
Using the FortiSwitch CLI

Enter the following commands:

config router static

edit 1

set device mgmt

set gateway <router IP address>

set dst <router subnet> <subnet mask>

next

end

In the following example, the FortiSwitch management port is connected to a router with IP address 192.168.0.10:

config router static

edit 1

set device mgmt

set gateway 192.168.0.10

set dst 192.168.0.0 255.255.0.0

next

end

If you provision the route with custom commands on the FortiGate device, the configuration is stored on the FortiGate device rather than only on the switch. See Executing custom FortiSwitch scripts.

Multiple FortiLink interfaces

If you are adding a second FortiLink interface, use the CLI to enable FortiLink. For example:

config system interface

edit "fortilink_2"

set fortilink enable

next

end

After that, the interface is available in the GUI to complete the settings. Click Create to add additional FortiLink interfaces.

Grouping FortiSwitch units

You can simplify the configuration and management of complex topologies by creating FortiSwitch groups. A group can include one or more FortiSwitch units and you can include different models in a group.

Using the GUI:
  1. Go to WiFi & Switch Controller > Managed FortiSwitch.
  2. Select Create New > FortiSwitch Group.
  3. In the Name field, enter a name for the FortiSwitch group.
  4. In the Members field, click + to select which switches to include in the FortiSwitch group.
  5. In the Description field, enter a description of the FortiSwitch group.
  6. Select OK.
Using the CLI:

config switch-controller switch-group

edit <name>

set description <string>

set members <serial-number> <serial-number> ...

next

end

Grouping FortiSwitch units allows you to restart all of the switches in the group instead of individually. For example, you can use the following command to restart all of the FortiSwitch units in a group named my-sw-group:

execute switch-controller switch-action restart delay switch-group my-sw-group

Upgrading the firmware of FortiSwitch groups is easier, too, because fewer commands are needed. See the next section for the procedure.

Firmware upgrade of stacked or tiered FortiSwitch units

In this topology, the core FortiSwitch units are model FS-224E, and the access FortiSwitch units are model FS-108E-FPOE. Because the switches are stacked or tiered, the procedure to update the firmware is simpler. The FortiGate unit is running FortiOS 6.2.2 GA. In the following procedure, the four FortiSwitch units are upgraded from 6.2.1 to 6.2.2.

To upgrade the firmware of stacked or tiered FortiSwitch units:
  1. Check that all of the FortiSwitch units are connected and which firmware versions they are running. For example:

    FGT81ETK19001274 # execute switch-controller get-conn-status 
    Managed-devices in current vdom root:
    
    STACK-NAME: FortiSwitch-Stack-flink
    SWITCH-ID         VERSION           STATUS         FLAG   ADDRESS       JOIN-TIME      NAME 
    S108EF5918003577  v6.2.1 (176)      Authorized/Up   -   10.105.22.6     Thu Oct 24 10:47:27 2019    -  
    S108EP5918008265  v6.2.1 (176)      Authorized/Up   -   10.105.22.5     Thu Oct 24 10:47:20 2019    -     
    S224ENTF18001408  v6.2.1 (176)      Authorized/Up   -   10.105.22.2     Thu Oct 24 10:44:36 2019    -    
    S224ENTF18001432  v6.2.1 (176)      Authorized/Up   -   10.105.22.3     Thu Oct 24 10:44:49 2019    -    
    
    Flags: C=config sync, U=upgrading, S=staged, D=delayed reboot pending, E=configuration sync error
    Managed-Switches: 4 (UP: 4 DOWN: 0)
  2. (Optional) To speed up how fast the image is pushed from the FortiGate unit to the FortiSwitch units, enable the HTTPS image push instead of the CAPWAP image push. For example:

    FGT81ETK19001274 # config switch-controller global 
    FGT81ETK19001274 (global) # set https-image-push enable 
    FGT81ETK19001274 (global) # end
  3. Download the FortiSwitchOS 6.2.2 GA build 194 image for each model to the FortiGate unit. TFTP provides neither encryption nor integrity protection, so run the transfer over a trusted management network and compare the image checksum against the one published on the Fortinet support site before staging. For example:

    FGT81ETK19001274 # execute switch-controller switch-software upload tftp FSW_224E-v6-build0194-FORTINET.out 10.105.16.15
    
    Downloading file FSW_224E-v6-build0194-FORTINET.out from tftp server 10.105.16.15...
    #########################
    Image checking ...
    Image MD5 calculating ...
    Image Saving S224EN-IMG.swtp ...
    Successful!
    
    File Syncing...
    
    FGT81ETK19001274 # execute switch-controller switch-software upload tftp FSW_108E_POE-v6-build0194-FORTINET.out 10.105.16.15
    
    Downloading file FSW_108E_POE-v6-build0194-FORTINET.out from tftp server 10.105.16.15...
    ##################
    Image checking ...
    Image MD5 calculating ...
    Image Saving S108EP-IMG.swtp ...
    Successful!
    
    File Syncing...
    
    FGT81ETK19001274 # execute switch-controller switch-software upload tftp FSW_108E_FPOE-v6-build0194-FORTINET.out 10.105.16.15
    
    Downloading file FSW_108E_FPOE-v6-build0194-FORTINET.out from tftp server 10.105.16.15...
    ##################
    Image checking ...
    Image MD5 calculating ...
    Image Saving S108EF-IMG.swtp ...
    Successful!
    
    File Syncing...
    
    FGT81ETK19001274 #
  4. Check the downloaded FortiSwitch image. For example:
    FGT81ETK19001274 # execute switch-controller switch-software list-available 
    
    ImageName              ImageSize(B)   ImageInfo               Uploaded Time  
    S108EF-IMG.swtp        19574769       S108EF-v6.2-build194    Thu Oct 24 13:03:51 2019
    S108EP-IMG.swtp        19583362       S108EP-v6.2-build194    Thu Oct 24 13:03:23 2019
    S224EN-IMG.swtp        27159659       S224EN-v6.2-build194    Thu Oct 24 13:03:02 2019
    
    FGT81ETK19001274 #
  5. Start the image staging. For example:
    FGT81ETK19001274 #  execute switch-controller switch-software stage all S224EN-IMG.swtp
    Staged Image Version S224EN-v6.2-build194
    Image staging operation is started for FortiSwitch S224ENTF18001408 ...
    Image staging operation is started for FortiSwitch S224ENTF18001432 ...
    
    FGT81ETK19001274 # execute switch-controller switch-software stage all S108EF-IMG.swtp
    Staged Image Version S108EF-v6.2-build194
    Image staging operation is started for FortiSwitch S108EF5918003577 ...
    
    FGT81ETK19001274 # execute switch-controller switch-software stage all S108EP-IMG.swtp
    Staged Image Version S108EP-v6.2-build194
    Image staging operation is started for FortiSwitch S108EP5918008265 ...
  6. Check the status of the image staging. The Status column reports (from left to right) the percentage of the new firmware downloaded, the percentage of data erased to make space in the switchʼs local storage, and the percentage of the new firmware saved to the switchʼs local storage. For example:
    FGT81ETK19001274 # execute switch-controller get-upgrade-status
    Device    Running-version                                Status      Next-boot
    ===========================================================================================
    VDOM : root
    S224ENTF18001408  S224EN-v6.2.1-build176,190620 (GA)             (100/0/0)   S224EN-v6.2-build176       (Staging) 
    S224ENTF18001432  S224EN-v6.2.1-build176,190620 (GA)             (100/0/0)   S224EN-v6.2-build176       (Staging) 
    S108EP5918008265  S108EP-v6.2.1-build176,190620 (GA)             (18/0/0)   S108EP-v6.2-build176        (Staging) 
    S108EF5918003577  S108EF-v6.2.1-build176,190620 (GA)             (25/0/0)   S108EF-v6.2-build176        (Staging)
  7. Verify that the image staging has completed. For example:
    FGT81ETK19001274 # execute switch-controller get-upgrade-status
    Device    Running-version                                Status      Next-boot
    ===========================================================================================
    VDOM : root
    S224ENTF18001408  S224EN-v6.2.1-build176,190620 (GA)             (0/100/100)   S224EN-v6.2-build194     (Idle) 
    S224ENTF18001432  S224EN-v6.2.1-build176,190620 (GA)             (0/100/100)   S224EN-v6.2-build194     (Idle) 
    S108EP5918008265  S108EP-v6.2.1-build176,190620 (GA)             (0/100/100)   S108EP-v6.2-build194     (Idle) 
    S108EF5918003577  S108EF-v6.2.1-build176,190620 (GA)             (0/100/100)   S108EF-v6.2-build194     (Idle)
  8. Reboot all switches (or reboot the switches by group). For example:
    FGT81ETK19001274 # execute switch-controller switch-action restart delay all
    Delayed restart operation is requested for FortiSwitch S224ENTF18001408 ...
    Delayed restart operation is requested for FortiSwitch S224ENTF18001432 ...
    Delayed restart operation is requested for FortiSwitch S108EP5918008265 ...
    Delayed restart operation is requested for FortiSwitch S108EF5918003577 ...
  9. Check the status of the switch reboot. For example:
    FGT81ETK19001274 # execute switch-controller switch-action restart delay all
    Delayed restart operation is requested for FortiSwitch S224ENTF18001408 ...
    Delayed restart operation is requested for FortiSwitch S224ENTF18001432 ...
    Delayed restart operation is requested for FortiSwitch S108EP5918008265 ...
    Delayed restart operation is requested for FortiSwitch S108EF5918003577 ...
    
    FGT81ETK19001274 # execute switch-controller get-upgrade-status
    Device    Running-version                                Status      Next-boot
    ===========================================================================================
    VDOM : root
    S224ENTF18001408                        Prepping for delayed restart triggered ... please wait for switch to reboot in a moment
    S224ENTF18001432                        Prepping for delayed restart triggered ... please wait for switch to reboot in a moment
    S108EP5918008265                        Prepping for delayed restart triggered ... please wait for switch to reboot in a moment
    S108EF5918003577                        Prepping for delayed restart triggered ... please wait for switch to reboot in a moment
    
    FGT81ETK19001274 # execute switch-controller get-conn-status 
    Managed-devices in current vdom root:
    
    STACK-NAME: FortiSwitch-Stack-flink
    SWITCH-ID         VERSION           STATUS         FLAG   ADDRESS      JOIN-TIME       NAME 
    S108EF5918003577  v6.2.1 ()         Authorized/Down D   0.0.0.0         N/A               -    
    S108EP5918008265  v6.2.1 ()         Authorized/Down D   0.0.0.0         N/A               -     
    S224ENTF18001408  v6.2.1 ()         Authorized/Down D   0.0.0.0         N/A               -    
    S224ENTF18001432  v6.2.1 ()         Authorized/Down D   0.0.0.0         N/A               -    
    
    Flags: C=config sync, U=upgrading, S=staged, D=delayed reboot pending, E=configuration sync error
    Managed-Switches: 4 (UP: 0 DOWN: 4)
    
    FGT81ETK19001274 # 
  10. Wait a few minutes, then check that all switches are back online and running the new firmware. For example:
    FGT81ETK19001274 # execute switch-controller get-upgrade-status
    Device    Running-version                                Status      Next-boot
    ===========================================================================================
    VDOM : root
    S224ENTF18001408  S224EN-v6.2.2-build194,191018 (GA)             (0/100/100)   S224EN-v6.2-build194     (Idle) 
    S224ENTF18001432  S224EN-v6.2.2-build194,191018 (GA)             (0/100/100)   S224EN-v6.2-build194     (Idle) 
    S108EP5918008265  S108EP-v6.2.2-build194,191018 (GA)             (0/100/100)   S108EP-v6.2-build194     (Idle) 
    S108EF5918003577  S108EF-v6.2.2-build194,191018 (GA)             (0/100/100)   S108EF-v6.2-build194     (Idle) 
    
    FGT81ETK19001274 # execute switch-controller get-conn-status   
    Managed-devices in current vdom root:
    
    STACK-NAME: FortiSwitch-Stack-flink
    SWITCH-ID         VERSION           STATUS         FLAG   ADDRESS              JOIN-TIME            NAME            
    S108EF5918003577  v6.2.2 (194)      Authorized/Up   -   10.105.22.6     Thu Oct 24 13:22:27 2019    -     
    S108EP5918008265  v6.2.2 (194)      Authorized/Up   -   10.105.22.5     Thu Oct 24 13:22:41 2019    -     
    S224ENTF18001408  v6.2.2 (194)      Authorized/Up   -   10.105.22.2     Thu Oct 24 13:20:11 2019    -    
    S224ENTF18001432  v6.2.2 (194)      Authorized/Up   -   10.105.22.3     Thu Oct 24 13:19:58 2019    -    
    
    Flags: C=config sync, U=upgrading, S=staged, D=delayed reboot pending, E=configuration sync error
    Managed-Switches: 4 (UP: 4 DOWN: 0)
    
    FGT81ETK19001274 #
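Steps 7 and 10 above are done by eye. The following script is an added example, not Fortinet code, that makes those two checks mechanical so a rollout can be gated on them: it parses the output of execute switch-controller get-upgrade-status and execute switch-controller get-conn-status and returns the serial numbers that are not yet safe to reboot (image not fully saved, staging still running, or next-boot image not the target build) or not yet back Authorized/Up on the target build. The column layout and the meaning of the (downloaded/erased/saved) percentages are taken from step 6; the sample rows are constructed from the output shown above and trimmed to two switches; the function names are the example's own.

```python
"""Gate a FortiSwitch firmware rollout on the switch controller's status output.

Added example, not Fortinet code. Parses the text printed by
`execute switch-controller get-upgrade-status` and
`execute switch-controller get-conn-status` and reports which switches are
not yet safe to reboot (image not fully saved, staging still running, or
next-boot image not the target build) and, after the reboot, which are not
Authorized/Up on the target build.
"""
import re

# One row of get-upgrade-status, for example:
# S224ENTF18001408  S224EN-v6.2.1-build176,190620 (GA)  (0/100/100)  S224EN-v6.2-build194  (Idle)
# The three numbers are downloaded / erased / saved percentages (see step 6).
UPGRADE_ROW = re.compile(
    r"^(?P<serial>S\w+)\s+(?P<running>\S+?),\S+\s+\(\S+\)\s+"
    r"\((?P<downloaded>\d+)/(?P<erased>\d+)/(?P<saved>\d+)\)\s+"
    r"(?P<next_boot>\S+)\s+\((?P<state>\w+)\)"
)

# One row of get-conn-status, for example:
# S108EF5918003577  v6.2.1 (176)  Authorized/Up  -  10.105.22.6  Thu Oct 24 10:47:27 2019  -
# The build number is empty while a switch is down, so it is matched with \d*.
CONN_ROW = re.compile(
    r"^(?P<serial>S\w+)\s+v(?P<version>[\d.]+)\s+\((?P<build>\d*)\)\s+"
    r"(?P<status>\S+)\s+(?P<flag>\S+)\s+(?P<address>\S+)"
)


def parse_upgrade_status(text):
    """Return {serial: row dict} for every switch row; other lines are ignored."""
    rows = {}
    for line in text.splitlines():
        m = UPGRADE_ROW.match(line.strip())
        if m:
            row = m.groupdict()
            for key in ("downloaded", "erased", "saved"):
                row[key] = int(row[key])
            rows[row["serial"]] = row
    return rows


def parse_conn_status(text):
    """Return {serial: row dict} for every managed-switch row."""
    rows = {}
    for line in text.splitlines():
        m = CONN_ROW.match(line.strip())
        if m:
            rows[m["serial"]] = m.groupdict()
    return rows


def not_staged(upgrade_text, expected, target_build):
    """Serials from `expected` that must not be rebooted yet."""
    rows = parse_upgrade_status(upgrade_text)
    bad = []
    for serial in expected:
        r = rows.get(serial)
        if (r is None or r["state"] != "Idle" or r["saved"] != 100
                or not r["next_boot"].endswith(f"build{target_build}")):
            bad.append(serial)
    return sorted(bad)


def not_running(conn_text, expected, target_build):
    """Serials from `expected` that are not Authorized/Up on the target build."""
    rows = parse_conn_status(conn_text)
    bad = []
    for serial in expected:
        r = rows.get(serial)
        if (r is None or r["status"] != "Authorized/Up"
                or r["build"] != str(target_build)):
            bad.append(serial)
    return sorted(bad)


# Constructed samples, trimmed to two switches from the output shown above.
STAGING_IN_PROGRESS = """\
Device    Running-version                                Status      Next-boot
===========================================================================================
VDOM : root
S224ENTF18001408  S224EN-v6.2.1-build176,190620 (GA)             (100/0/0)   S224EN-v6.2-build176       (Staging)
S108EP5918008265  S108EP-v6.2.1-build176,190620 (GA)             (18/0/0)   S108EP-v6.2-build176        (Staging)
"""
STAGING_DONE = """\
VDOM : root
S224ENTF18001408  S224EN-v6.2.1-build176,190620 (GA)             (0/100/100)   S224EN-v6.2-build194     (Idle)
S108EP5918008265  S108EP-v6.2.1-build176,190620 (GA)             (0/100/100)   S108EP-v6.2-build194     (Idle)
"""
CONN_REBOOTING = """\
SWITCH-ID         VERSION           STATUS         FLAG   ADDRESS      JOIN-TIME       NAME
S108EP5918008265  v6.2.1 ()         Authorized/Down D   0.0.0.0         N/A               -
S224ENTF18001408  v6.2.1 ()         Authorized/Down D   0.0.0.0         N/A               -
Managed-Switches: 2 (UP: 0 DOWN: 2)
"""
CONN_UPGRADED = """\
S108EP5918008265  v6.2.2 (194)      Authorized/Up   -   10.105.22.5     Thu Oct 24 13:22:41 2019    -
S224ENTF18001408  v6.2.2 (194)      Authorized/Up   -   10.105.22.2     Thu Oct 24 13:20:11 2019    -
Managed-Switches: 2 (UP: 2 DOWN: 0)
"""
EXPECTED = ["S224ENTF18001408", "S108EP5918008265"]

if __name__ == "__main__":
    print("still staging:", not_staged(STAGING_IN_PROGRESS, EXPECTED, 194))
    print("ready to reboot:", not_staged(STAGING_DONE, EXPECTED, 194) == [])
    print("not back yet:", not_running(CONN_REBOOTING, EXPECTED, 194))
    print("all upgraded:", not_running(CONN_UPGRADED, EXPECTED, 194) == [])
```

In practice the expected list comes from the pre-upgrade get-conn-status run in step 1, so a switch that silently drops out of the inventory during the rollout is reported rather than ignored; only issue the delayed restart when not_staged returns an empty list.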


Optional FortiLink configuration

This section covers the following topics:

Using the FortiSwitch serial number for automatic name resolution

By default, you can check that FortiSwitch unit is accessible from the FortiGate unit with the execute ping <FortiSwitch_IP_address> command. If you want to use the FortiSwitch serial number instead of the FortiSwitch IP address, use the following commands:

config switch-controller global

set sn-dns-resolution enable

end

NOTE:The set sn-dns-resolution enable configuration is enabled by default.

Then you can use the execute ping <FortiSwitch_serial_ number>.<domain_name> command to check if the FortiSwitch unit is accessible from the FortiGate unit. For example:

FG100D3G15817028 (root) # execute ping S524DF4K15000024.fsw

PING S524DF4K15000024.fsw (123.456.7.8): 56 data bytes

64 bytes from 123.456.7.8: icmp_seq=0 ttl=64 time=0.0 ms

64 bytes from 123.456.7.8: icmp_seq=1 ttl=64 time=0.0 ms

64 bytes from 123.456.7.8: icmp_seq=2 ttl=64 time=0.0 ms

64 bytes from 123.456.7.8: icmp_seq=3 ttl=64 time=0.0 ms

64 bytes from 123.456.7.8: icmp_seq=4 ttl=64 time=0.0 ms

Optionally, you can omit the domain name (.fsw) from the command by setting the default DNS domain on the FortiGate unit.

config system dns

set domain "fsw"

end

Now you can use the execute ping <FortiSwitch_serial_number> command to check if the FortiSwitch unit is accessible from the FortiGate unit. For example:

FG100D3G15817028 (root) # execute ping S524DF4K15000024

PING S524DF4K15000024.fsw (123.456.7.8): 56 data bytes

64 bytes from 123.456.7.8: icmp_seq=0 ttl=64 time=0.0 ms

64 bytes from 123.456.7.8: icmp_seq=1 ttl=64 time=0.0 ms

64 bytes from 123.456.7.8: icmp_seq=2 ttl=64 time=0.0 ms

64 bytes from 123.456.7.8: icmp_seq=3 ttl=64 time=0.0 ms

64 bytes from 123.456.7.8: icmp_seq=4 ttl=64 time=0.0 ms

--- S524DF4K15000024.fsw ping statistics ---

5 packets transmitted, 5 packets received, 0% packet loss

round-trip min/avg/max = 0.0/0.0/0.0 ms

Changing the admin password on the FortiGate for all managed FortiSwitch units

By default, each FortiSwitch has an admin account without a password. To replace the admin passwords for all FortiSwitch units managed by a FortiGate, use the following commands from the FortiGate CLI:

config switch-controller switch-profile

edit default

set login-passwd-override {enable | disable}

set login-passwd <password>

next

end

If you had already applied a profile with the override enabled and the password set and then decide to remove the admin password, you need to apply a profile with the override enabled and no password set; otherwise, your previously set password will remain in the FortiSwitch. For example:

config switch-controller switch-profile

edit default

set login-passwd-override enable

unset login-passwd

next

end

Using automatic network detection and configuration

There are three commands that let you use automatic network detection and configuration.

To specify which policies can override the defaults for a specific ISL, ICl, or FortiLink interface:

config switch-controller auto-config custom

edit <automatically configured FortiLink, ISL, or ICL interface name>

config switch-binding

edit "switch serial number"

set policy "custom automatic-configuation policy"

end

To specify policies that are applied automatically for all ISL, ICL, and FortiLink interfaces:

config switch-controller auto-config default

set fgt-policy <default FortiLink automatic-configuration policy>

set isl-policy <default ISL automatic-configuration policy>

set icl-policy <default ICL automatic-configuration policy>

end

NOTE: The ICL automatic-configuration policy requires FortiOS 6.2.0 or later.

To specify policy definitions that define the behavior on automatically configured interfaces:

config switch-controller auto-config policy

edit <policy_name>

set qos-policy <automatic-configuration QoS policy>

set storm-control-policy <automatic-configuation storm-control policy>

set poe-status {enable | disable}

set igmp-flood-report {enable | disable}

set igmp-flood-traffic {enable | disable}

end

Limiting the number of parallel processes for FortiSwitch configuration

Use the following CLI commands to reduce the number of parallel processes that the switch controller uses for configuring FortiSwitch units:

config global

config switch-controller system

set parallel-process-override enable

set parallel-process <1-300>

end

end

Configuring access to management and internal interfaces

The set allowaccess command configures access to all interfaces on a FortiSwitch unit. If you need to have different access to the FortiSwitch management interface and the FortiSwitch internal interface, you can set up a local-access security policy with the following commands:

config switch-controller security-policy local-access

edit <policy_name>

set mgmt-allowaccess {https | ping | ssh | snmp | http | telnet | radius-acct}

set internal-allowaccess {https | ping | ssh | snmp | http | telnet | radius-acct}

end

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

set access-profile <name_of_policy>

end

For example:

config switch-controller security-policy local-access

edit policy1

set mgmt-allowaccess https ping ssh radius-acct

set internal-allowaccess https ssh snmp telnet

end

config switch-controller managed-switch

edit S524DF4K15000024

set access-profile policy1

end

NOTE: After you upgrade to FortiOS 6.2, the allowaccess settings for the FortiSwitch mgmt and internal interfaces are overridden by the default local-access security policy.

set min-bundle <int>

set max-bundle <int>

set members <port1 port2 ...>

next

end

end

end

Enabling FortiLink VLAN optimization

When inter-switch links (ISLs) are automatically formed on trunks, the switch controller allows VLANs 1-4093 on ISL ports. This configuration can increase data processing on the FortiSwitch unit. When VLAN optimization is enabled, the FortiSwitch unit allows only user-defined VLANs on the automatically generated trunks.

NOTE: VLAN optimization is enabled by default.

To enable FortiLink VLAN optimization on FortiSwitch units from the FortiGate unit:

config switch-controller global

set vlan-optimization enable

end

NOTE: You cannot use the set vlan-all-mode all command with the set vlan-optimization enable command.

Configuring the MAC sync interval

Use the following commands to configure the global MAC synch interval.

The MAC sync interval is the time interval between MAC synchronizations. The range is 30 to 600 seconds, and the default value is 60.

config switch-controller mac-sync-settings

set mac-sync-interval <30-600>

end

Configuring the FortiSwitch management port

If the FortiSwitch model has a dedicated management port, you can configure remote management to the FortiSwitch. In FortiLink mode, the FortiGate is the default gateway, so you need to configure an explicit route for the FortiSwitch management port.

Using the FortiGate GUI
  1. Go to Network > Static Routes > Create New > Route.
  2. Set Destination to Subnet and enter a subnetwork and mask.
  3. Set Device to the management interface.
  4. Add a Gateway IP address.
Using the FortiSwitch CLI

Enter the following commands:

config router static

edit 1

set device mgmt

set gateway <router IP address>

set dst <router subnet> <subnet mask>

end

end

In the following example, the FortiSwitch management port is connected to a router with IP address 192.168.0.10:

config router static

edit 1

set device mgmt

set gateway 192.168.0.10

set dst 192.168.0.0 255.255.0.0

end

end

If provisioned with custom commands on the FortiGate device, the configuration is preserved on the FortiGate device. See Executing custom FortiSwitch scripts.

Multiple FortiLink interfaces

If you are adding a second FortiLink interface, use the CLI to enable FortiLink. For example:

config system interface

edit "fortilink_2"

set fortilink enable

next

end

After that, the interface is available in the GUI to complete the settings. Click Create to add additional FortiLink interfaces.

Grouping FortiSwitch units

You can simplify the configuration and management of complex topologies by creating FortiSwitch groups. A group can include one or more FortiSwitch units and you can include different models in a group.

Using the GUI:
  1. Go to WiFi & Switch Controller > Managed FortiSwitch.
  2. Select Create New > FortiSwitch Group.
  3. In the Name field, enter a name for the FortiSwitch group.
  4. In the Members field, click + to select which switches to include in the FortiSwitch group.
  5. In the Description field, enter a description of the FortiSwitch group.
  6. Select OK.
Using the CLI:

config switch-controller switch-group

edit <name>

set description <string>

set members <serial-number> <serial-number> ...

end

end

Grouping FortiSwitch units allows you to restart all of the switches in the group instead of individually. For example, you can use the following command to restart all of the FortiSwitch units in a group named my-sw-group:

execute switch-controller switch-action restart delay switch-group my-sw-group

Upgrading the firmware of FortiSwitch groups is easier, too, because fewer commands are needed. See the next section for the procedure.

Firmware upgrade of stacked or tiered FortiSwitch units

In this topology, the core FortiSwitch units are model FS-224E, and the access FortiSwitch units are model FS-108E-FPOE. Because the switches are stacked or tiered, the procedure to update the firmware is simpler. The FortiGate unit is running FortiOS 6.2.2 GA. In the following procedure, the four FortiSwitch units are upgraded from 6.2.1 to 6.2.2.

To upgrade the firmware of stacked or tiered FortiSwitch units:
  1. Check that all of the FortiSwitch units are connected and which firmware versions they are running. For example:

    FGT81ETK19001274 # execute switch-controller get-conn-status 
    Managed-devices in current vdom root:
    
    STACK-NAME: FortiSwitch-Stack-flink
    SWITCH-ID         VERSION           STATUS         FLAG   ADDRESS       JOIN-TIME      NAME 
    S108EF5918003577  v6.2.1 (176)      Authorized/Up   -   10.105.22.6     Thu Oct 24 10:47:27 2019    -  
    S108EP5918008265  v6.2.1 (176)      Authorized/Up   -   10.105.22.5     Thu Oct 24 10:47:20 2019    -     
    S224ENTF18001408  v6.2.1 (176)      Authorized/Up   -   10.105.22.2     Thu Oct 24 10:44:36 2019    -    
    S224ENTF18001432  v6.2.1 (176)      Authorized/Up   -   10.105.22.3     Thu Oct 24 10:44:49 2019    -    
    
    Flags: C=config sync, U=upgrading, S=staged, D=delayed reboot pending, E=configuration sync error
    Managed-Switches: 4 (UP: 4 DOWN: 0)
  2. (Optional) To speed up how fast the image is pushed from the FortiGate unit to the FortiSwitch units, enable the HTTPS image push instead of the CAPWAP image push. For example:

    FGT81ETK19001274 # config switch-controller global 
    FGT81ETK19001274 (global) # set https-image-push enable 
    FGT81ETK19001274 (global) # end
  3. Download the file for the FortiSwitchOS 6.2.2 GA build 194 in the FortiGate unit. For example:

    FGT81ETK19001274 # execute switch-controller switch-software upload tftp FSW_224E-v6-build0194-FORTINET.out 10.105.16.15
    
    Downloading file FSW_224E-v6-build0194-FORTINET.out from tftp server 10.105.16.15...
    #########################
    Image checking ...
    Image MD5 calculating ...
    Image Saving S224EN-IMG.swtp ...
    Successful!
    
    File Syncing...
    
    FGT81ETK19001274 # execute switch-controller switch-software upload tftp FSW_108E_POE-v6-build0194-FORTINET.out 10.105.16.15
    
    Downloading file FSW_108E_POE-v6-build0194-FORTINET.out from tftp server 10.105.16.15...
    ##################
    Image checking ...
    Image MD5 calculating ...
    Image Saving S108EP-IMG.swtp ...
    Successful!
    
    File Syncing...
    
    FGT81ETK19001274 # execute switch-controller switch-software upload tftp FSW_108E_FPOE-v6-build0194-FORTINET.out 10.105.16.15
    
    Downloading file FSW_108E_FPOE-v6-build0194-FORTINET.out from tftp server 10.105.16.15...
    ##################
    Image checking ...
    Image MD5 calculating ...
    Image Saving S108EF-IMG.swtp ...
    Successful!
    
    File Syncing...
    
    FGT81ETK19001274 #
  4. Check the downloaded FortiSwitch image. For example:

    FGT81ETK19001274 # execute switch-controller switch-software list-available 
    
    ImageName              ImageSize(B)   ImageInfo               Uploaded Time  
    S108EF-IMG.swtp        19574769       S108EF-v6.2-build194    Thu Oct 24 13:03:51 2019
    S108EP-IMG.swtp        19583362       S108EP-v6.2-build194    Thu Oct 24 13:03:23 2019
    S224EN-IMG.swtp        27159659       S224EN-v6.2-build194    Thu Oct 24 13:03:02 2019
    
    FGT81ETK19001274 #
  5. Start the image staging. For example:

    FGT81ETK19001274 #  execute switch-controller switch-software stage all S224EN-IMG.swtp
    Staged Image Version S224EN-v6.2-build194
    Image staging operation is started for FortiSwitch S224ENTF18001408 ...
    Image staging operation is started for FortiSwitch S224ENTF18001432 ...
    
    FGT81ETK19001274 # execute switch-controller switch-software stage all S108EF-IMG.swtp
    Staged Image Version S108EF-v6.2-build194
    Image staging operation is started for FortiSwitch S108EF5918003577 ...
    
    FGT81ETK19001274 # execute switch-controller switch-software stage all S108EP-IMG.swtp
    Staged Image Version S108EP-v6.2-build194
    Image staging operation is started for FortiSwitch S108EP5918008265 ...
  6. Check the status of the image staging. The Status column reports (from left to right) the percentage of the new firmware downloaded, the percentage of data erased to make space in the switch's local storage, and the percentage of the new firmware saved to the switch's local storage. For example:

    FGT81ETK19001274 # execute switch-controller get-upgrade-status
    Device    Running-version                                Status      Next-boot
    ===========================================================================================
    VDOM : root
    S224ENTF18001408  S224EN-v6.2.1-build176,190620 (GA)             (100/0/0)   S224EN-v6.2-build176       (Staging) 
    S224ENTF18001432  S224EN-v6.2.1-build176,190620 (GA)             (100/0/0)   S224EN-v6.2-build176       (Staging) 
    S108EP5918008265  S108EP-v6.2.1-build176,190620 (GA)             (18/0/0)   S108EP-v6.2-build176        (Staging) 
    S108EF5918003577  S108EF-v6.2.1-build176,190620 (GA)             (25/0/0)   S108EF-v6.2-build176        (Staging)
  7. Verify that the image staging has completed. For example:

    FGT81ETK19001274 # execute switch-controller get-upgrade-status
    Device    Running-version                                Status      Next-boot
    ===========================================================================================
    VDOM : root
    S224ENTF18001408  S224EN-v6.2.1-build176,190620 (GA)             (0/100/100)   S224EN-v6.2-build194     (Idle) 
    S224ENTF18001432  S224EN-v6.2.1-build176,190620 (GA)             (0/100/100)   S224EN-v6.2-build194     (Idle) 
    S108EP5918008265  S108EP-v6.2.1-build176,190620 (GA)             (0/100/100)   S108EP-v6.2-build194     (Idle) 
    S108EF5918003577  S108EF-v6.2.1-build176,190620 (GA)             (0/100/100)   S108EF-v6.2-build194     (Idle)
  8. Reboot all switches (or reboot the switches by group). For example:

    FGT81ETK19001274 # execute switch-controller switch-action restart delay all
    Delayed restart operation is requested for FortiSwitch S224ENTF18001408 ...
    Delayed restart operation is requested for FortiSwitch S224ENTF18001432 ...
    Delayed restart operation is requested for FortiSwitch S108EP5918008265 ...
    Delayed restart operation is requested for FortiSwitch S108EF5918003577 ...
  9. Check the status of the switch reboot. For example:

    FGT81ETK19001274 # execute switch-controller switch-action restart delay all
    Delayed restart operation is requested for FortiSwitch S224ENTF18001408 ...
    Delayed restart operation is requested for FortiSwitch S224ENTF18001432 ...
    Delayed restart operation is requested for FortiSwitch S108EP5918008265 ...
    Delayed restart operation is requested for FortiSwitch S108EF5918003577 ...
    
    FGT81ETK19001274 # execute switch-controller get-upgrade-status
    Device    Running-version                                Status      Next-boot
    ===========================================================================================
    VDOM : root
    S224ENTF18001408                        Prepping for delayed restart triggered ... please wait for switch to reboot in a moment
    S224ENTF18001432                        Prepping for delayed restart triggered ... please wait for switch to reboot in a moment
    S108EP5918008265                        Prepping for delayed restart triggered ... please wait for switch to reboot in a moment
    S108EF5918003577                        Prepping for delayed restart triggered ... please wait for switch to reboot in a moment
    
    FGT81ETK19001274 # execute switch-controller get-conn-status 
    Managed-devices in current vdom root:
    
    STACK-NAME: FortiSwitch-Stack-flink
    SWITCH-ID         VERSION           STATUS         FLAG   ADDRESS      JOIN-TIME       NAME 
    S108EF5918003577  v6.2.1 ()         Authorized/Down D   0.0.0.0         N/A               -    
    S108EP5918008265  v6.2.1 ()         Authorized/Down D   0.0.0.0         N/A               -     
    S224ENTF18001408  v6.2.1 ()         Authorized/Down D   0.0.0.0         N/A               -    
    S224ENTF18001432  v6.2.1 ()         Authorized/Down D   0.0.0.0         N/A               -    
    
    Flags: C=config sync, U=upgrading, S=staged, D=delayed reboot pending, E=configuration sync error
    Managed-Switches: 4 (UP: 0 DOWN: 4)
    
    FGT81ETK19001274 # 
  10. Wait for a while before checking that all switches are online. For example:

    FGT81ETK19001274 # execute switch-controller get-upgrade-status
    Device    Running-version                                Status      Next-boot
    ===========================================================================================
    VDOM : root
    S224ENTF18001408  S224EN-v6.2.2-build194,191018 (GA)             (0/100/100)   S224EN-v6.2-build194     (Idle) 
    S224ENTF18001432  S224EN-v6.2.2-build194,191018 (GA)             (0/100/100)   S224EN-v6.2-build194     (Idle) 
    S108EP5918008265  S108EP-v6.2.2-build194,191018 (GA)             (0/100/100)   S108EP-v6.2-build194     (Idle) 
    S108EF5918003577  S108EF-v6.2.2-build194,191018 (GA)             (0/100/100)   S108EF-v6.2-build194     (Idle) 
    
    FGT81ETK19001274 # execute switch-controller get-conn-status   
    Managed-devices in current vdom root:
    
    STACK-NAME: FortiSwitch-Stack-flink
    SWITCH-ID         VERSION           STATUS         FLAG   ADDRESS              JOIN-TIME            NAME            
    S108EF5918003577  v6.2.2 (194)      Authorized/Up   -   10.105.22.6     Thu Oct 24 13:22:27 2019    -     
    S108EP5918008265  v6.2.2 (194)      Authorized/Up   -   10.105.22.5     Thu Oct 24 13:22:41 2019    -     
    S224ENTF18001408  v6.2.2 (194)      Authorized/Up   -   10.105.22.2     Thu Oct 24 13:20:11 2019    -    
    S224ENTF18001432  v6.2.2 (194)      Authorized/Up   -   10.105.22.3     Thu Oct 24 13:19:58 2019    -    
    
    Flags: C=config sync, U=upgrading, S=staged, D=delayed reboot pending, E=configuration sync error
    Managed-Switches: 4 (UP: 4 DOWN: 0)
    
    FGT81ETK19001274 #
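In the procedure above the operator reads the output of `execute switch-controller get-upgrade-status` and `execute switch-controller get-conn-status` by eye (steps 6, 7, 9 and 10). The following Python script is an added example, not Fortinet code and not part of this page: it parses the text of those two commands so the same checks can be automated for a large FortiLink deployment. It decodes the three Status percentages described in step 6 and reports every switch that has not returned to Idle, is not running the expected build, is not Authorized/Up, or still carries one of the flags listed in the get-conn-status legend. The column layout, the `Restarting` state name used for the step 9 message, and the sample output (abridged from this page's examples) are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample output, abridged from the examples on this page.
UPGRADE_STATUS_STAGING = """\
Device    Running-version                                Status      Next-boot
===========================================================================================
VDOM : root
S224ENTF18001408  S224EN-v6.2.1-build176,190620 (GA)             (100/0/0)   S224EN-v6.2-build176       (Staging)
S108EP5918008265  S108EP-v6.2.1-build176,190620 (GA)             (18/0/0)   S108EP-v6.2-build176        (Staging)
"""

UPGRADE_STATUS_DONE = """\
Device    Running-version                                Status      Next-boot
===========================================================================================
VDOM : root
S224ENTF18001408  S224EN-v6.2.2-build194,191018 (GA)             (0/100/100)   S224EN-v6.2-build194     (Idle)
S108EP5918008265  S108EP-v6.2.2-build194,191018 (GA)             (0/100/100)   S108EP-v6.2-build194     (Idle)
"""

CONN_STATUS_DONE = """\
Managed-devices in current vdom root:

STACK-NAME: FortiSwitch-Stack-flink
SWITCH-ID         VERSION           STATUS         FLAG   ADDRESS      JOIN-TIME       NAME
S224ENTF18001408  v6.2.2 (194)      Authorized/Up   -   10.105.22.2     Thu Oct 24 13:20:11 2019    -
S108EP5918008265  v6.2.2 (194)      Authorized/Up   -   10.105.22.5     Thu Oct 24 13:22:41 2019    -

Flags: C=config sync, U=upgrading, S=staged, D=delayed reboot pending, E=configuration sync error
Managed-Switches: 2 (UP: 2 DOWN: 0)
"""


@dataclass
class UpgradeRow:
    serial: str
    running_version: str  # e.g. "S224EN-v6.2.2-build194,191018 (GA)"
    downloaded: int       # Status field 1: % of the new image downloaded
    erased: int           # Status field 2: % of local storage erased
    saved: int            # Status field 3: % of the new image saved locally
    next_boot: str        # e.g. "S224EN-v6.2-build194"
    state: str            # "Staging", "Idle", or "Restarting" (assumed name)


# Column layout assumed from the sample output on this page.
_UPGRADE_RE = re.compile(
    r"^(?P<serial>S\w+)\s+(?P<running>\S+ \(\w+\))\s+"
    r"\((?P<dl>\d+)/(?P<er>\d+)/(?P<sv>\d+)\)\s+(?P<next>\S+)\s+\((?P<state>\w+)\)\s*$"
)
_CONN_RE = re.compile(
    r"^(?P<serial>S\w+)\s+v(?P<version>[\d.]+) \((?P<build>\d*)\)\s+"
    r"(?P<status>\S+)\s+(?P<flag>\S+)\s+(?P<addr>\S+)"
)


def parse_upgrade_status(text: str) -> List[UpgradeRow]:
    """Parse the output of `execute switch-controller get-upgrade-status`."""
    rows = []
    for line in text.splitlines():
        m = _UPGRADE_RE.match(line)
        if m:
            rows.append(UpgradeRow(m["serial"], m["running"], int(m["dl"]), int(m["er"]),
                                   int(m["sv"]), m["next"], m["state"]))
        elif "delayed restart" in line:
            # Step 9 on this page: the row carries only a restart message.
            rows.append(UpgradeRow(line.split()[0], "", 0, 0, 0, "", "Restarting"))
    return rows


def parse_conn_status(text: str) -> Dict[str, dict]:
    """Parse the output of `execute switch-controller get-conn-status`, keyed by serial."""
    switches = {}
    for line in text.splitlines():
        m = _CONN_RE.match(line)
        if m:
            switches[m["serial"]] = {"version": m["version"], "build": m["build"],
                                     "status": m["status"], "flag": m["flag"],
                                     "address": m["addr"]}
    return switches


def staging_progress(text: str) -> Dict[str, Tuple[int, int, int]]:
    """Per-switch (downloaded, erased, saved) percentages, as described in step 6."""
    return {r.serial: (r.downloaded, r.erased, r.saved) for r in parse_upgrade_status(text)}


def verify_upgrade(upgrade_text: str, conn_text: str, expected_build: str) -> List[str]:
    """Return the problems found; an empty list means every switch is Idle, runs the
    expected build, is Authorized/Up, and has no pending flag."""
    problems = []
    conn = parse_conn_status(conn_text)
    for row in parse_upgrade_status(upgrade_text):
        if row.state != "Idle":
            problems.append(f"{row.serial}: state {row.state}")
        if f"build{expected_build}" not in row.running_version:
            problems.append(f"{row.serial}: running {row.running_version or 'unknown'}")
        c = conn.get(row.serial)
        if c is None:
            problems.append(f"{row.serial}: not in get-conn-status")
            continue
        if c["status"] != "Authorized/Up":
            problems.append(f"{row.serial}: {c['status']}")
        if c["build"] != expected_build:
            problems.append(f"{row.serial}: reports build {c['build'] or 'unknown'}")
        if c["flag"] != "-":
            # C/U/S/D/E flags mean the upgrade is still in progress or failed to sync
            problems.append(f"{row.serial}: flag {c['flag']}")
    return problems


if __name__ == "__main__":
    print(staging_progress(UPGRADE_STATUS_STAGING))
    print(verify_upgrade(UPGRADE_STATUS_DONE, CONN_STATUS_DONE, "194"))
```

Feed the script the text captured from the FortiGate CLI (for example over SSH) and treat a non-empty result from `verify_upgrade` as "do not close the change window yet": a switch that is Down with flag D has been told to reboot but has not come back, and one whose `get-conn-status` build differs from the expected build is still running the old image.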

config switch-controller global

append disable-discovery S012345678

unselect disable-discovery S1234567890

end