Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: FortiSwitch setup - best practices for new ins...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiSwitch setup - best practices for new installation on a remote site
I need to install a few FortiSwitches (FS) as replacement for very old cisco switches in a quite remote site.
I already got the switches here in my office and wanted to prepare them before I go onsite.
How should or could I prepare the FortiSwitches here in my lab to reduce onsite time?
The FS will be connected via FortiLink (FL)to a local Fortigate 40F with FortiOS 7.0.14
40F(FL)---FS124---FS148---FS148
|
FS148
Uplinks are FO 10GB, no reduncancy, so I need to connect the switches mostlty in serial order. See in the schema above. I should be able to connect the FS with FortiLink in parallel to the Cisco setup.
The old Cisco setup is pretty straightforward. Just two VLAN's.
Actual Cisco Switch (CS) setup looks like this here:
40F(LAN1)---CS24---CS48---CS48---CS48
|
CS48
That said, what can I do to prepare?
- Can I register the FS devices? Does it make sense?
- Can I do firmware upgrades in standalone mode? Or should I rather wait until I connect the FS with the local FortiGate?
- What firmware should the FortiGate have, and what firmware version the FortiSwitches?
- Ho do I move all setings (LAN, VLAN's, networks, policies, etc) from LAN1 to FortiLink? Do I have to recreate everything again?
- What is the best way to replace the cisco switches with the fortiswitches in general?
Thanks
Dan
Networking and such...
Solved! Go to Solution.
Networking and such...
Labels:
- Labels:
-
FortiSwitch
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
2 Solutions
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've been testing the Interface Migration to accomplish the same migration attempt per the original question and have always been stuck with the wizard being greyed out due to some conflict or dependency in running. In testing a migration strategy of my own, I was successfully able to set up the new FortiSwitch environment in parallel and an existing Cisco switch environment and bridge together using a trunk port to allow a short window of migration.
The first staging step is to get the FortiSwitch's connected and authorized under FortiLink. Then create the VLAN(s) under FortiLink without defining an interface IP or DHCP settings. Then update any firewall policies that included the old interface port by adding the new FortiLink VLAN(s). Next, cable between a FortiSwitch port and Cisco switch port, making sure both ports pass all VLAN's (this only works if using the same VLAN ID's on both sides of switches or instead set native VLAN on each side if just migrating a single VLAN). Verification is successful when a FortiSwitch port is able to switch through the Cisco switching to the FG.
The outage part is really just manually removing the interface IP and DHCP settings from the old FG interface connected to the Cisco switches and add it to the FortiLink VLAN interface created earlier. This reverses the switching path so all traffic goes through the FortiLink VLAN interface for routing.
Cleanup is removing the old Cisco switching interfaces from the firewall polices and zeroing out the old FG interface. The only downside I have found with this method is the new FortiLink VLAN interface name cannot be the same as the previous interface name due to FG only allowing an interface name once. Otherwise, this method has tested out fine in a lab migration. Hope this helps.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the detailed explanation @Jeremy5385 ,
I actually tried moving with the "Integrate Interface" funktion, but that failed. It said that the task needs to be done manually. It was not such a complex setup after all, so I edited the config file and rebooted with it. No errors. I only had to move the VLAN's unterneath the fortilink adapter. All other configuration was not affected.
VLAN's were now on fortilink and the LAN1 port was "empty", so no internet for the whole building. I created an interface that provided the needed VLAN's and connected it back to the cisco switch.
This are the steps I've done:
- Cleaned up computerroom to get some room to work in (we just took over responsibility)
- Setup complete FortiSwitch (FS) infrastructure (FO cabling) on a table and connected to the fortigate (FGT).
- When I got the topology set up, updated all switches.
- Made room in the rack for the new switch close to the old switch
- Mounted the new central FS just above the old cisco switch
- Mounted the other FS switches in an empty rack just beside the main rack
- Cabled all switches via fortilink on copper cables, similar to the final setup.
- Tested and made sure fortilink topology was ok
- Prepared a port on the old cisco central switch, connected it with the FS central switch.
- Moved the VLAN's over to fortilink by editing the config file and rebooted
- Cisco network did not have internet access, as LAN1 did not hold the VLAN's anymore
- Checked the FGT configuration, all ok
- Applied the moved VLAN's to the prepared port on the new FS central switch
- Moved the cisco port cabling from LAN1 to the prepared FS port. Cisco network had Internet again.
- I got me some time now. FO uplinks to other cisco switches remained in place for the time being.
- Assigned VLAN's to FS ports. I made my work simple by configuring identically to the old cisco switches.
- Moved all physical connections from the old cisco central switch to the new FS central switch. - Short interrupts for some end-devices, but it's vacation time in that building and no soul is around.
- Now did the same for each other switch the same way.
- Made room in the rack fort the new FS, close to the old cisco switch
- Mounted the new FS beneath or above the old cisco switch
- Moved the FO connection from cisco to FS, controlled the fortilink topology
- Physically moved the cables from cisco to FS, making sure the old switch can be removed
- Removed the old switch
- Health checks for the whole network
Along the way, I found that one of the transceivers I got from Fortinet was damaged. It would not setup a proper fortilink connection. That cost me a lot of time, especially since fortilink takes a while to sync.
Some things I will remember for the future
- don't forget a small electric screwdriver
- reserve some time for mundane things like removing tons of dust
- enough drinking water close by
Dan
Networking and such...
Networking and such...
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Dan,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Anthony-Fortinet Community Team.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @dan,
• Yes, you can register FortiSwitches serial numbers on FortiCloud.
• You can upgrade FortiSwitches in standalone or from FortiGate. https://community.fortinet.com/t5/FortiSwitch/Technical-Note-Upgrading-FortiSwitch-Firmware/ta-p/197...
• You can check firmware compatibility here https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/d756e8a9-6d2d-11e9-81a4-005056...
• You can use 'Interface migration' feature to move VLANs from LAN1 to fortilink. https://docs.fortinet.com/document/fortigate/7.0.15/administration-guide/885870/interface-migration-...
Regards,
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @hbac ,
I have not been using "Interface migration" so far. But reading the doc seems to indicate that the destination confguration is replaced by the moved configuration. Would I have to re-enable fortilink again on that interface?
Networking and such...
Networking and such...
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@dan,
fortilink should be enabled by default on fortilink interface. If not, you can enable it.
Regards,
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a 40F with 7.2.8 in my testlab and made some tests. Created an interface lan1 with an attached vlan. Then used "Integrate Interface" to move lan1 to fortilink. I tried it twice.
Results:
- "Move lan1 to an interface" (the Integrate Interface wizard, never stops. At least I waited 15 minutes the first time, then restored a backup and waited 1h the second time.
- I opened another session to the 40F to check the results. Basically the VLAN was moved, and the interface was moved as well. But the lan1 settings (IP, DHCP and so on) was lost.
I did another test with Port configuration ON. This time, the lan1 settings were migrated, except the DHCP setting, which was lost again.
The previous 169.254.1.1 address of the fortilink interface is gone, replaced with the original lan1 address.
And, surprising, the DHCP server is still there, but with a range of 169.254.1.2-169.254.1.254
Is this the way it is supposed to work?
I remember from some time ago that after attaching Fortiswitches to a Fortigate, there were a lot of preconfigured VLANs and other settings. What happens to those VLANs and settings if I use the option Port configuration ON?
I am puzzled...
Dan
Networking and such...
Networking and such...
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've been testing the Interface Migration to accomplish the same migration attempt per the original question and have always been stuck with the wizard being greyed out due to some conflict or dependency in running. In testing a migration strategy of my own, I was successfully able to set up the new FortiSwitch environment in parallel and an existing Cisco switch environment and bridge together using a trunk port to allow a short window of migration.
The first staging step is to get the FortiSwitch's connected and authorized under FortiLink. Then create the VLAN(s) under FortiLink without defining an interface IP or DHCP settings. Then update any firewall policies that included the old interface port by adding the new FortiLink VLAN(s). Next, cable between a FortiSwitch port and Cisco switch port, making sure both ports pass all VLAN's (this only works if using the same VLAN ID's on both sides of switches or instead set native VLAN on each side if just migrating a single VLAN). Verification is successful when a FortiSwitch port is able to switch through the Cisco switching to the FG.
The outage part is really just manually removing the interface IP and DHCP settings from the old FG interface connected to the Cisco switches and add it to the FortiLink VLAN interface created earlier. This reverses the switching path so all traffic goes through the FortiLink VLAN interface for routing.
Cleanup is removing the old Cisco switching interfaces from the firewall polices and zeroing out the old FG interface. The only downside I have found with this method is the new FortiLink VLAN interface name cannot be the same as the previous interface name due to FG only allowing an interface name once. Otherwise, this method has tested out fine in a lab migration. Hope this helps.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the detailed explanation @Jeremy5385 ,
I actually tried moving with the "Integrate Interface" funktion, but that failed. It said that the task needs to be done manually. It was not such a complex setup after all, so I edited the config file and rebooted with it. No errors. I only had to move the VLAN's unterneath the fortilink adapter. All other configuration was not affected.
VLAN's were now on fortilink and the LAN1 port was "empty", so no internet for the whole building. I created an interface that provided the needed VLAN's and connected it back to the cisco switch.
This are the steps I've done:
- Cleaned up computerroom to get some room to work in (we just took over responsibility)
- Setup complete FortiSwitch (FS) infrastructure (FO cabling) on a table and connected to the fortigate (FGT).
- When I got the topology set up, updated all switches.
- Made room in the rack for the new switch close to the old switch
- Mounted the new central FS just above the old cisco switch
- Mounted the other FS switches in an empty rack just beside the main rack
- Cabled all switches via fortilink on copper cables, similar to the final setup.
- Tested and made sure fortilink topology was ok
- Prepared a port on the old cisco central switch, connected it with the FS central switch.
- Moved the VLAN's over to fortilink by editing the config file and rebooted
- Cisco network did not have internet access, as LAN1 did not hold the VLAN's anymore
- Checked the FGT configuration, all ok
- Applied the moved VLAN's to the prepared port on the new FS central switch
- Moved the cisco port cabling from LAN1 to the prepared FS port. Cisco network had Internet again.
- I got me some time now. FO uplinks to other cisco switches remained in place for the time being.
- Assigned VLAN's to FS ports. I made my work simple by configuring identically to the old cisco switches.
- Moved all physical connections from the old cisco central switch to the new FS central switch. - Short interrupts for some end-devices, but it's vacation time in that building and no soul is around.
- Now did the same for each other switch the same way.
- Made room in the rack fort the new FS, close to the old cisco switch
- Mounted the new FS beneath or above the old cisco switch
- Moved the FO connection from cisco to FS, controlled the fortilink topology
- Physically moved the cables from cisco to FS, making sure the old switch can be removed
- Removed the old switch
- Health checks for the whole network
Along the way, I found that one of the transceivers I got from Fortinet was damaged. It would not setup a proper fortilink connection. That cost me a lot of time, especially since fortilink takes a while to sync.
Some things I will remember for the future
- don't forget a small electric screwdriver
- reserve some time for mundane things like removing tons of dust
- enough drinking water close by
Dan
Networking and such...
Networking and such...
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Best Practices for FortiGate HA Pair... 535 Views
- What FortiOS Event Logs should i... 1460 Views
- FortiSwitch setup - best practices for... 2452 Views
- FortiSwitch Auto-ISL Trunks Best Practice 5668 Views
- IPsec VPN Datasheet 3272 Views
Labels
-
FortiGate
8,472 -
FortiClient
1,716 -
5.2
801 -
FortiManager
712 -
5.4
639 -
FortiAnalyzer
547 -
FortiSwitch
457 -
FortiAP
457 -
6.0
416 -
FortiClient EMS
407 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
222 -
FortiWeb
199 -
5.0
196 -
IPsec
186 -
FortiNAC
177 -
FortiGuard
136 -
6.4
128 -
SD-WAN
110 -
FortiGateCloud
100 -
FortiSIEM
98 -
FortiCloud Products
96 -
FortiToken
89 -
FortiAuthenticator
84 -
Customer Service
78 -
Wireless Controller
75 -
Firewall policy
71 -
4.0MR3
64 -
FortiProxy
59 -
Fortivoice
53 -
FortiADC
53 -
High Availability
52 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiExtender
45 -
FortiSandbox
44 -
FortiDNS
42 -
DNS
40 -
Routing
39 -
BGP
38 -
LDAP
38 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
34 -
Certificate
33 -
Authentication
31 -
SSO
31 -
Interface
31 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
VDOM
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
Web profile
24 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
FortiPortal
19 -
SSL SSH inspection
19 -
FortiSwitch v6.2
18 -
FortiMonitor
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
System settings
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
FortiSOAR
12 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
Traffic shaping profile
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1661 | |
| 1077 | |
| 752 | |
| 443 | |
| 220 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.