dan
Contributor

FortiSwitch setup - best practices for new installation on a remote site

 

I need to install a few FortiSwitches (FS) as replacements for very old Cisco switches in a quite remote site.

I already got the switches here in my office and wanted to prepare them before I go onsite. 

How should or could I prepare the FortiSwitches here in my lab to reduce onsite time?

 

The FS will be connected via FortiLink (FL) to a local FortiGate 40F with FortiOS 7.0.14

40F(FL)---FS124---FS148---FS148

                    |

                FS148

 

Uplinks are FO 10GB, no redundancy, so I need to connect the switches mostly in serial order. See the schema above. I should be able to connect the FS with FortiLink in parallel to the Cisco setup.

The old Cisco setup is pretty straightforward. Just two VLANs.

 

Actual Cisco Switch (CS) setup looks like this here:

40F(LAN1)---CS24---CS48---CS48---CS48

                                     |

                                  CS48

 

That said, what can I do to prepare?

  • Can I register the FS devices? Does it make sense?
  • Can I do firmware upgrades in standalone mode? Or should I rather wait until I connect the FS with the local FortiGate?
  • What firmware should the FortiGate have, and what firmware version the FortiSwitches?
  • How do I move all settings (LAN, VLANs, networks, policies, etc.) from LAN1 to FortiLink? Do I have to recreate everything again?
  • What is the best way to replace the Cisco switches with the FortiSwitches in general?

Thanks

Dan

 

 

Anthony_E
Community Manager

Hello Dan,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
hbac
Staff

Hi @dan,

 

• Yes, you can register FortiSwitch serial numbers on FortiCloud.

• You can upgrade FortiSwitches in standalone or from FortiGate. https://community.fortinet.com/t5/FortiSwitch/Technical-Note-Upgrading-FortiSwitch-Firmware/ta-p/197...

• You can check firmware compatibility here https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/d756e8a9-6d2d-11e9-81a4-005056...

• You can use the 'Interface migration' feature to move VLANs from LAN1 to fortilink. https://docs.fortinet.com/document/fortigate/7.0.15/administration-guide/885870/interface-migration-...

 

Regards,

dan
Contributor

Thanks @hbac ,

I have not been using "Interface migration" so far. But reading the doc seems to indicate that the destination configuration is replaced by the moved configuration. Would I have to re-enable fortilink again on that interface?

 

 

hbac

@dan,

 

fortilink should be enabled by default on fortilink interface. If not, you can enable it. 

 

Regards,  

dan
Contributor

@hbac 

I have a 40F with 7.2.8 in my testlab and made some tests. Created an interface lan1 with an attached vlan. Then used "Integrate Interface" to move lan1 to fortilink. I tried it twice.

 

Results:

- "Move lan1 to an interface" (the Integrate Interface wizard) never stops. At least I waited 15 minutes the first time, then restored a backup and waited 1h the second time.

- I opened another session to the 40F to check the results. Basically the VLAN was moved, and the interface was moved as well. But the lan1 settings (IP, DHCP and so on) were lost.

 

I did another test with Port configuration ON. This time, the lan1 settings were migrated, except the DHCP setting, which was lost again.

The previous 169.254.1.1 address of the fortilink interface is gone, replaced with the original lan1 address. 

And, surprisingly, the DHCP server is still there, but with a range of 169.254.1.2-169.254.1.254

 

Is this the way it is supposed to work?

 

I remember from some time ago that after attaching FortiSwitches to a FortiGate, there were a lot of preconfigured VLANs and other settings. What happens to those VLANs and settings if I use the option Port configuration ON?

 

I am puzzled... 

 

Dan

Jeremy5385
New Contributor

I've been testing the Interface Migration to accomplish the same migration attempt per the original question and have always been stuck with the wizard being greyed out due to some conflict or dependency in running. In testing a migration strategy of my own, I was successfully able to set up the new FortiSwitch environment in parallel with an existing Cisco switch environment and bridge them together using a trunk port to allow a short window of migration.

 

The first staging step is to get the FortiSwitches connected and authorized under FortiLink. Then create the VLAN(s) under FortiLink without defining an interface IP or DHCP settings. Then update any firewall policies that included the old interface port by adding the new FortiLink VLAN(s). Next, cable between a FortiSwitch port and Cisco switch port, making sure both ports pass all VLANs (this only works if using the same VLAN IDs on both sides of switches or instead set native VLAN on each side if just migrating a single VLAN). Verification is successful when a FortiSwitch port is able to switch through the Cisco switching to the FG.

 

The outage part is really just manually removing the interface IP and DHCP settings from the old FG interface connected to the Cisco switches and adding them to the FortiLink VLAN interface created earlier. This reverses the switching path so all traffic goes through the FortiLink VLAN interface for routing.

 

Cleanup is removing the old Cisco switching interfaces from the firewall policies and zeroing out the old FG interface. The only downside I have found with this method is the new FortiLink VLAN interface name cannot be the same as the previous interface name due to FG only allowing an interface name once. Otherwise, this method has tested out fine in a lab migration. Hope this helps.
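
A check for the two policy checkpoints in the procedure above (every policy on the old interface also lists the new FortiLink VLAN before cutover; no policy references the old interface after cleanup), as an added example that is not part of the original post or any Fortinet tooling. It reads a FortiGate config backup as text; the interface name `vl10_fl` and the sample policies are constructed, and it assumes a single-VDOM backup with no nested `config` blocks inside `config firewall policy`.

```python
import shlex

# Constructed excerpt of a FortiGate config backup taken during staging.
# "lan1" is the old Cisco-facing interface; "vl10_fl" is a hypothetical
# name for the new FortiLink VLAN interface.
SAMPLE_BACKUP = '''\
config firewall policy
    edit 1
        set name "clients-out"
        set srcintf "lan1"
        set dstintf "wan"
    next
    edit 2
        set name "clients-to-servers"
        set srcintf "lan1" "vl10_fl"
        set dstintf "lan3"
    next
    edit 3
        set name "servers-to-clients"
        set srcintf "lan3"
        set dstintf "lan1"
    next
end
'''

def parse_policies(backup_text):
    """Map policy id -> {"srcintf": set, "dstintf": set} from 'config firewall policy'."""
    policies, in_block, current = {}, False, None
    for raw in backup_text.splitlines():
        try:
            words = shlex.split(raw)
        except ValueError:      # multi-line quoted value elsewhere in the backup
            continue
        if words == ["config", "firewall", "policy"]:
            in_block = True
        elif in_block and words == ["end"]:
            in_block = False
        elif in_block and words[:1] == ["edit"]:
            current = policies.setdefault(int(words[1]), {"srcintf": set(), "dstintf": set()})
        elif in_block and current is not None and len(words) > 2 \
                and words[0] == "set" and words[1] in current:
            current[words[1]] = set(words[2:])
    return policies

def audit_migration(backup_text, old_if, new_if):
    """still_old must be empty after cleanup; missing_new must be empty before cutover."""
    result = {"missing_new": [], "still_old": []}
    for pid, pol in sorted(parse_policies(backup_text).items()):
        sides = [names for names in pol.values() if old_if in names]
        if sides:
            result["still_old"].append(pid)
            if any(new_if not in names for names in sides):
                result["missing_new"].append(pid)
    return result
```

Run `audit_migration(open(path).read(), "lan1", "vl10_fl")` on a backup taken before the outage window and again after cleanup; a policy left in `missing_new` at cutover would silently drop traffic that used to match on the old interface.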
