Technical Tip: Management of FortiSwitches in FortiLink Mode
Description
This article describes configuration steps to help avoid issues with device management in FortiNAC’s Network Inventory. FortiNAC expects each managed network device to have a unique, static, and routable management IP address.
For FortiSwitches operating in FortiLink mode, the FortiGate provides an automated configuration method to simplify deployments, as outlined in the FortiLink Guide. With default settings, FortiSwitches are assigned an IP address from the 10.255.1.0/24 subnet.
Scope
FortiNAC, FortiGate, FortiSwitch.
Solution
In environments where more than one FortiGate manages FortiSwitches, a dedicated management subnet must be used for each branch. This keeps routing unambiguous (for example, for SNMP and RADIUS traffic) and ensures that each branch assigns a unique IP address range to its FortiSwitches. This requirement is outlined in the FortiSwitch FortiLink Integration guide.
Additionally, the IP addresses of the FortiSwitches must remain unchanged after FortiNAC first discovers them in its Network Inventory through API queries to the FortiGate. Avoid NAT anywhere in the communication path between FortiSwitch and FortiNAC.
These requirements are often overlooked or bypassed, which leads to issues being reported after a routine reboot of the FortiGate or FortiSwitches, or during upgrades.

Set a DHCP reservation for each discovered switch on the FortiGate before starting the integration with FortiNAC:

If IP addresses have been swapped between FortiSwitches, remove the affected switches from the Network Inventory. Then perform a Resync Interfaces operation on the FortiGate to rediscover the switches, and proceed with port configuration and enforcement.
Managed network devices must also have unique names; otherwise they may disappear from the Network Inventory. For more details, refer to the following article: Troubleshooting Tip: Devices unexpectedly deleted from inventory view.
Note: When RADIUS authentication is used for hosts connected to FortiSwitches, remember to configure each switch as a RADIUS client with a shared secret in the FortiNAC Network Inventory. The IP address of the switch as discovered by FortiNAC can be verified in the Element tab.
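The following script is an added example, not Fortinet code, that checks a planned inventory against the requirements above (one dedicated subnet per branch, no overlap between branches, a unique static host address and a unique name per switch) and renders the FortiOS reserved-address block that pins each switch to its discovered IP. The inventory entries, MAC addresses and the FortiLink interface name "fortilink" are constructed assumptions; the DHCP server id is also an assumption and must match the server the FortiGate created for FortiLink.

```python
"""Pre-integration check for FortiSwitches managed over FortiLink (added example).

Encodes the requirements from the tip: a dedicated management subnet per
FortiGate/branch, no overlap between branches, a unique static IP and a
unique name per switch, and a DHCP reservation on the FortiGate so the
address survives reboots and upgrades.
"""
import ipaddress
from collections import Counter

# Constructed sample inventory: one entry per FortiSwitch as FortiNAC would see it.
INVENTORY = [
    {"branch": "HQ", "subnet": "10.255.1.0/24", "name": "HQ-SW01", "ip": "10.255.1.2", "mac": "00:11:22:33:44:01"},
    {"branch": "HQ", "subnet": "10.255.1.0/24", "name": "HQ-SW02", "ip": "10.255.1.3", "mac": "00:11:22:33:44:02"},
    {"branch": "Branch1", "subnet": "10.255.2.0/24", "name": "BR1-SW01", "ip": "10.255.2.2", "mac": "00:11:22:33:44:03"},
]


def validate(inventory):
    """Return a list of problems; an empty list means the inventory meets the requirements."""
    problems = []
    # Each branch must use exactly one subnet, and no two branches may overlap.
    branch_subnets = {}
    for sw in inventory:
        net = ipaddress.ip_network(sw["subnet"], strict=True)
        prev = branch_subnets.setdefault(sw["branch"], net)
        if prev != net:
            problems.append(f"branch {sw['branch']} uses more than one subnet ({prev}, {net})")
    branches = list(branch_subnets.items())
    for i, (b1, n1) in enumerate(branches):
        for b2, n2 in branches[i + 1:]:
            if n1.overlaps(n2):
                problems.append(f"branches {b1} and {b2} overlap on management subnet ({n1}, {n2})")
    # Every switch IP must be a host address inside its own branch subnet.
    for sw in inventory:
        ip = ipaddress.ip_address(sw["ip"])
        net = branch_subnets[sw["branch"]]
        if ip not in net or ip in (net.network_address, net.broadcast_address):
            problems.append(f"{sw['name']}: {ip} is not a host address in {net}")
    # IPs, names and MACs must be unique across the whole inventory.
    for field in ("ip", "name", "mac"):
        for value, count in Counter(sw[field].lower() for sw in inventory).items():
            if count > 1:
                problems.append(f"duplicate {field} {value} ({count} switches)")
    return problems


def dhcp_reservations(inventory, branch, interface="fortilink", server_id=1):
    """Render the FortiOS CLI that reserves each switch's discovered IP for its MAC.

    `interface` and `server_id` are assumptions: use the FortiLink DHCP server
    entry the FortiGate created (check it with 'show system dhcp server').
    """
    switches = sorted((s for s in inventory if s["branch"] == branch), key=lambda s: s["name"])
    lines = [
        "config system dhcp server",
        f"    edit {server_id}",
        f'        set interface "{interface}"',
        "        config reserved-address",
    ]
    for idx, sw in enumerate(switches, start=1):
        lines += [
            f"            edit {idx}",
            f"                set ip {sw['ip']}",
            f"                set mac {sw['mac']}",
            "                set action reserved",
            "            next",
        ]
    lines += ["        end", "    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    issues = validate(INVENTORY)
    if issues:
        print("Fix before integrating with FortiNAC:")
        for issue in issues:
            print(" -", issue)
    else:
        for branch in sorted({sw["branch"] for sw in INVENTORY}):
            print(f"# reservations for the FortiGate at {branch}")
            print(dhcp_reservations(INVENTORY, branch))
```

Run it against an export of the planned switches before the first FortiNAC discovery; the reservation block is emitted per branch because each branch's FortiGate owns its own FortiLink DHCP server.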
