FortiSwitch: secure, simple and scalable Ethernet solutions
zendodg
Staff
Article Id 293164
Description

This article provides some good practices for a standalone FortiSwitch.

Scope
Standalone FortiSwitch.
Solution
  • Disable auto-network: by default, FortiSwitch sends FortiLink packets trying to discover a FortiGate that can manage it. In standalone mode this discovery is not needed, and it can be turned off with the following commands:

config switch auto-network
    set status disable
end

  • Change the LLDP profile from 'default-auto-isl' to 'default' on physical ports: by default, FortiSwitch applies the LLDP profile 'default-auto-isl' to all physical ports. Its purpose is that when a new FortiSwitch is connected, the two switches automatically negotiate a LAG trunk between them. This behavior is not expected in standalone mode, so it is a good practice to change the LLDP profile on all physical ports; the 'default' LLDP profile can be used instead.

This is an example of how to change it on one port:

config switch physical-port
    edit "port1"
        set lldp-profile "default"
    next
end

  • Do not allow all VLANs on trunks: it is generally good practice to allow only the VLANs that actually need to cross to another switch. This is the command needed to limit the VLANs on a trunk interface:

config switch interface
    edit "Trunk1"
        set allowed-vlans 10,20,40,99
    next
end

Another way to do this in batch for all FortiSwitches on a FortiLink interface is described in this article: Technical Tip: Enable lock-down-topo-lldp-profile on managed FortiSwitches.
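As an added example (not part of the original article), the following Python script parses FortiSwitch `show full-configuration` style output and reports any deviation from the three practices above, which makes it easy to re-check a standalone switch after changes. The sample configuration is constructed, and `allowed-vlans-all` is assumed to be the keyword FortiSwitch uses to permit every VLAN on an interface.

```python
# Constructed sample in `show full-configuration` shape (defaults printed); not from a real switch.
SAMPLE_CONFIG = """\
config switch auto-network
    set status enable
end
config switch physical-port
    edit "port1"
        set lldp-profile "default-auto-isl"
    next
end
config switch interface
    edit "Trunk1"
        set allowed-vlans 1-4094
    next
end
"""

def parse_config(text):
    """Map config/edit/set/next/end text to {section: {entry: {key: value}}};
    top-level `set` lines sit under entry ''. Nested `config` blocks are not handled."""
    tree, section, entry = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section, entry = line[7:], ""
            tree.setdefault(section, {"": {}})
        elif line.startswith("edit "):
            entry = line[5:].strip('"')
            tree[section][entry] = {}
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            tree[section][entry][key] = value.strip('"')
        elif line in ("next", "end"):
            entry = ""
    return tree

def audit(text):
    """Return one finding per deviation from the article's three practices."""
    cfg, findings = parse_config(text), []
    if cfg.get("switch auto-network", {}).get("", {}).get("status") != "disable":
        findings.append("auto-network: status is not disable")
    for port, attrs in cfg.get("switch physical-port", {}).items():
        if attrs.get("lldp-profile") == "default-auto-isl":
            findings.append(f"{port}: lldp-profile is default-auto-isl")
    for name, attrs in cfg.get("switch interface", {}).items():
        # 'allowed-vlans-all enable' is assumed to be the keyword that permits every
        # VLAN; an explicit 1-4094 range is treated the same way.
        if attrs.get("allowed-vlans-all") == "enable" or attrs.get("allowed-vlans") == "1-4094":
            findings.append(f"{name}: allows all VLANs")
    return findings
```

Run `audit(SAMPLE_CONFIG)` on the sample to get three findings; feed it the output of `show full-configuration` from a hardened switch and the list should be empty.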

Comments
laltuzar
Staff

Great tips. Thanks!