Hello all,
So I've got a situation that I've not seen reference to, so i figured i would post here.
I have two FortiGate 100F devices set up in HA (two ISP's/108F's in SDWAN outside) running 6.4.11.
I currently have a mish-mash of switches inside the network-x1 HP ProCurve 2810-48G, x2 Juniper EX2200 POE, and x1 Dell N2048. All these were in place when I started working here and I have been working to upgrade things as I can. There are multiple VLAN's set up (server, users, voip, printers) and DHCP is handled by an active directory server.
So now I have finally received x5 FortiSwitch 148-FPOE devices and I am working to try to slowly integrate and replace these switches with the existing ones. The new switches will be set up in a ring to the Fortigates via the SFP+ ports.
Is there some documentation or something I have missed that advises in this situation? I am working to replicate the VLAN configs from the established switches, but I am also trying to avoid downtime.
Initially, i planned to try to go switch-by-switch and swap over user connections per switch--however I am running into issues when creating the VLAN's.
For instance, I created the VLAN for our voip phones and set it to pull from the DHCP server. As soon as I enabled the VLAN, all the phones on our network went down. Thing is---i haven't even plugged he switch into anything, other than direct to the Fortigates.
Basically I am looking for anything that guides on how to integrate the Fortigate method of managing VLAN's and such with an already established setup--rather than creating something new.
Thanks in advance for any help.
Thoughts?
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Unfortunately this just sounds like network planning and design which can't be documented for unlimited use-cases and architectures.
In your case you need to be careful about a few things before you proceed with connecting and unplugging and migrating things. Make a solid plan first, test as much as possible.
I assume you are using FortiLink to manage the FortiSwitches on the Fortigate?
So let's take into consideration some things before you proceed further:
1. Where is the L3 gateway today for all of your VLANs? Where is the DHCP server for the VLAN subnets?
2. Basically what/where is your "core" switch today? You'll eventually be replacing this with the FortiGate. So you probably want to keep the "core" L3 switch in place until the end.
If I were you I would set up the FSW ring topology, configure the VLANs (without IP addresses and without DHCP servers, etc just dumb L2 VLANs). Assign a variety of trunk ports that have all your VLANs tagged and connect your existing switches to the FSW ring (starting with the L3 core switch). Confirming everything is still connected properly, you can now migrate devices by physically connecting them to the FSW. Your last step will be migrating the L3 routing to the FortiGate.
And to be honest I would plan for some downtime, there's no real way to do this without it. You have to consider the fact that you are disconnecting devices from the network, changing default gateways, changing DHCP servers (possibly), etc etc.
Unfortunately this just sounds like network planning and design which can't be documented for unlimited use-cases and architectures.
In your case you need to be careful about a few things before you proceed with connecting and unplugging and migrating things. Make a solid plan first, test as much as possible.
I assume you are using FortiLink to manage the FortiSwitches on the Fortigate?
So let's take into consideration some things before you proceed further:
1. Where is the L3 gateway today for all of your VLANs? Where is the DHCP server for the VLAN subnets?
2. Basically what/where is your "core" switch today? You'll eventually be replacing this with the FortiGate. So you probably want to keep the "core" L3 switch in place until the end.
If I were you I would set up the FSW ring topology, configure the VLANs (without IP addresses and without DHCP servers, etc just dumb L2 VLANs). Assign a variety of trunk ports that have all your VLANs tagged and connect your existing switches to the FSW ring (starting with the L3 core switch). Confirming everything is still connected properly, you can now migrate devices by physically connecting them to the FSW. Your last step will be migrating the L3 routing to the FortiGate.
And to be honest I would plan for some downtime, there's no real way to do this without it. You have to consider the fact that you are disconnecting devices from the network, changing default gateways, changing DHCP servers (possibly), etc etc.
Thanks for the info!
Yeah this network is a bit of a Frankenstein's monster type of situation---so many different switches, and the interconnection between them when I arrived was...rough to say the least. I have spent a good deal of time trying to understand and learn how this is configured, because there was little documentation explaining anything.
What I had thought was the core, isn't actually the core. But now that i have identified it I can start moving in the right direction.
one question--as I am less familiar with FortiSwitches--how does one specify a L2 VLAN? Simply don't assign any IP's to it during creation? I really like how Fortinet does things through FortiOS, and I am getting a decent grasp on it...but it interacting with non-Fortinet devices is the question mark for me that I am unsure about.
A L2 VLAN is created the same way as a L3 VLAN, just don't assign an IP address to it.
Now be careful because when all of your FortiSwitches are managed by the FortiGate all L3 routing has to happen on the FortiGate. Unless you are keeping some other L3 switch or router in place, you probably want all your VLANs to be L3.
You also need to make sure your FortiGate won't be overloaded by all the inter-VLAN traffic. If you are pushing 10Gbps it might be too much if you are also doing security processing on your WAN traffic.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1696 | |
1091 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.