fortiswitch-workshop-v1.5.3-handouts-lab · retail/enterprise: we are shipping fs -248d-fpoe and fs...

PrimaryBenefits:✓ HighPortDensity

✓ IntegratedPowerOverEthernet

✓ ConnectAccessPoints,Peripherals,Cameras,Phones

✓ ManagedbyFortiGate- Createanintegrated,securenetwork

✓ LineRatePerformance

✓ LimitedLifetimeWarranty

7

AllportsPOE+(FPOE)L2andPOE+oneveryportaremainrequirementsinRetail/Enterprise:WeareshippingFS-248D-fpoeandFS-548D-fpoe.AllportsPOE+capable

SecureInFortilink mode,eliminateneedtologintotheFortiSwitch.SecuremanagementchannelfromFortiGate.CentralVLANprovisioning.Centralizeduserauthentication.

CostOptimizedVerycompetitivepricing.Switch+opticalmodulesfromFortinet<50%ofcompetition.ReplacechassisandstackingsolutionsusingFortilink Stacking

CompletePortfolio1Gand10G/40GportdensitiesforRetail/Enterprise/DatacenterLayer2AccessmarketfocusReplacechassisandstackingsolutionsusinginnovativeFortilinkStacking

8

WithFortiSwitchOSversion3.3.0andFortiOS5.4.0,allFSWDmodelssupportFortilinkwiththeFGmodelslistedinthetable.

*Roadmap:FGR-60D/FGR-90D/FG-300D/FG-70D/FG-80CM/FG-VM/FG-92D

20

Complete actionsrequiredincasedefaultconfig notbeingusedonFortiSwitch:1. PrepareFortiGate

enableswitchcontroller(CLI)– enabledbydefaultinmostmodels!configureinterfaceforFortilink(GUI– ifLAGthenCLI)

NTPandDHCPserversenabledautomaticallywhenusingGUI2. PrepareFortiSwitch

enableswitchcontroller(GUIorCLI)configureinterfaceforFortilink(CLI– enabledbydefault)

3. Connectcabling4. OnFGT,authorizeFSW

checkmanagedswitches,right-clicktoauthorize(GUI)

The followingconfigurationisoptional:5. ConfigureVLANs

createFortiSwitchVLANandassigntoFSWports(GUI)6. Enable802.1xportauthentication7.ManagePOEconfiguration

23

disconnectyourlaptop,it’snotnecessarytoaccessFSW

27

Initial Verfication:Fromyourlaptops:- PingFG-100Dunits- connecttoFG-100Dunits(SSHorGUI)– user:admin/password:<blank>

28

MostFGmodelshaveswitch controller enabledbydefault,ifnotusethefollowingconfig:config systemglobalsetswitch-controllerenablesetswitch-controller-reserved-network169.254.254.0255.255.255.0end

29

Setmodeto“DedicatedtoExtensionDevice”IP addressing,NTPandDHCPserverconfigs areaddedautomatically

30

UsingCLI,eachstep isdoneseparately:IPNTPDHCP

31


32


33

FortiSwitch keepssendingFortilinkpacketstoFortiGate.

OnFortiGate,theFSWislistedin“ManagedSwitches”listwaitingforauthorization.

34



35

FortiSwitch rebootsandjoins fortilink

36

Allportsareaddedtovlan “vsw.root”theIP/dhcp settings canbeconfigured

39

FSWIPcanbefoundintheDHCP monitorlist.

41

FortilinkVLANid4094isusedforcommunicationbetweenFSWandFGTvlan id4074isusedbydefaultFortiSwitchVLAN

FS224D3Z14000202#showswitchinterfaceconfig switchinterfaceedit"port1"setnative-vlan4074

nextedit"port2"setnative-vlan4074




next

42

edit"port6"setnative-vlan4074















42

nextedit"port21"setdynamic-fortilink-modeenable




nextedit"internal"setnative-vlan4094setstp-statedisabled

nextend

42

It’sonlynecessarytosaveFGTconfiguration, itincludestheconfigurationofthemanagedswitches.

usethefortigate gui orcli,FGT#execssh [email protected]

FSW#execfactoryreset

43

connectport21oneach FSWtothecorrespondingportintheFG-100D-1Fortilinkwillbeestablishedusingthesinglelinkbetweenthedevices

49

EachFSWdeviceisconnectedwith2x1Gports(port21andport22)tooneFortiGate(FG-100D-HA1)and2x1Gports(port23andport24)totheother(FG-100D-HA2)Example:

FS-224D-POE-1port21 port1FG-100D-HA1port22 port2FG-100D-HA1port23 port1FG-100D-HA2port24 port2FG-100D-HA2

DISCONNECTcablefromFSW,theconfigurationisdoneviaFGT

50

FortiGateisconfiguredwithHAinactive-passivemode,withsessionsynchronizationenabled.Overrideisdisabledtofacilitatetesting.

ModelsinHApairmustbeidenticaleveninhardwarerev

51



55

lagbalancing basedonIPsrc anddst

59

connectto FortiSwitch viatheFortiGate#execssh [email protected]

60

connectto FortiSwitch viatheFortiGate#execssh [email protected]

61

All4fortilinkportsareenabled:port21,22,23and24

FS224D3Z14000202#showswitchinterfaceconfig switchinterfaceedit"port1"setnative-vlan4074





nextedit"port6"

62

setnative-vlan4074nextedit"port7"setnative-vlan4074














next

62

edit"port21"setdynamic-fortilink-modeenable




nextedit"internal"setnative-vlan4094setstp-statedisabled

nextend

62

It’sonlynecessarytosaveFGTconfiguration, itincludestheconfigurationofthemanagedswitches.

63

EachFSWdeviceisconnectedwith2x1Gports(port21andport22)tooneFortiGate(FG-100D-HA1)and2x1Gports(port23andport24)totheother(FG-100D-HA2)Example:

FS-224D-POE-1port21 port1FG-100D-HA1port22 port2FG-100D-HA1port23 port1FG-100D-HA2port24 port2FG-100D-HA2

afterthevlans areconfigured,usethecableagainandconnecttotheFSWuserport.

67

Usetheinformationprovided intheaddressingtable.

69

First3stepsdoneatonce: VLAN,IPaddressandDHCPserver

73

First3stepsdoneatonce: VLAN,IPaddressandDHCPserver

HoldCtrlkeytoselectmultipleportsthatarenon-contiguous

74

Thereshouldbeatleastapolicyallowingtrafficbetweenyourvlans andtheothers,andasecondpolicytoallowtrafficfromyourvlan totheservers

servers:172.16.1.160-172.16.1.165

75

servers:172.16.1.160-172.16.1.165

76

1.createthevlan thatisgoingtoreceivetaggedtrafficFG-100D-HA1#showswitch-controllervlan vlan-voipconfig switch-controllervlanedit"vlan-voip"setvlanid 50setcolor25

nextend

2.ConfigureIPaddressingandDHCPserverFG-100D-HA1#showsysteminterfacevlan-voipconfig systeminterfaceedit"vlan-voip"setvdom "root"setip 10.10.50.1255.255.255.0setallowaccess pinghttpssshsettypeswitch-vlansetsnmp-index21setmacaddr 08:5b:0e:de:77:d0

next

80

end

FG-100D-HA1#showsystemdhcp server5config systemdhcp serveredit5setdns-servicedefaultsetdefault-gateway10.10.50.1setnetmask255.255.255.0setinterface"vlan-voip"config ip-rangeedit1setstart-ip 10.10.50.2setend-ip 10.10.50.254

nextend

nextend

3.ConfigureFSWporttoallowthisVLAN:config switch-controller managed-switch

edit "FS224D3Z14000202"config ports

edit "port11"set allowed-vlans “vlan-voip”

next end

nextend

80

EachFSWdeviceisconnectedwith2x1Gports(port25andport26)totheFortiGate

85

Configurationrequiredfor802.1xauthentication:

1.Configureuser/usergrouponFortiGate (alreadypreparedfortheworkshop)Forsimplicity,userisdefinedlocallyonFortiGate,howeveritcouldalsouse

externalservers

2.Enable802.1xauthenticationonFortiSwitchVLAN=>FortiSwitchportsautomaticallyenabled

When802.1xisenabledontheFortiSwitchVLAN,allportsthatareassignedtothatFortiSwitchVLANareautomaticallyenabledfor802.1xauthentication

802.1xstatuscanbeverifiedusingthecommand:FG-100D-HA1#config switch-controllermanaged-switch

FG-100D-HA1(managed-switch)#editFS224D3Z14000202

FG-100D-HA1(FS224D3Z14000202)#FG-100D-HA1(FS224D3Z14000202)#config ports

FG-100D-HA1(ports)#

86

FG-100D-HA1(ports)#FG-100D-HA1(ports)#editport9

FG-100D-HA1(port9)#getport-name:port9switch-id:FS224D3Z14000202speed:autostatus:updot1x-enable:enabledot1x-status:authenticatingvlan :vlan100allowed-vlans:

86

InWindows clients,enable802.1xinthenetworkadapterpropertiesuncheck“Remembermycredentials….”sothatyougettheuser/pwd

promptineveryconnectionattempt

InAdvancedSettings,choosetospecifyauthenticationmodeas“Userauthentication”

90

Afterchanging adaptersettings,orwhentheadapterisdisabled/enabled,orwhenthecableinunplugged/plugged,theusergetsthecredentialspopup

91

EachFSWdeviceisconnectedwith2x1Gports(port25andport26)totheFortiGate.

97

toresetaPOEportusingCLI,runthefollowingcommand:executeswitch-controllerpoe-reset<switchSN><port>

99

EachFSWdeviceisconnectedwith2x1Gports(port25andport26)totheFortiGate.

104

Thespeakerwilladd“office”FortiSwitchVLAN,IPandDHCPserver;andconfigureSSID

ThedelegateswillassigntheirportstothisFortiSwitchVLAN,andonevolunteerwillauthorizetheAP

FG-100D-HA1#showswitch-controllervlanofficeconfig switch-controllervlanedit"office"next

end

FG-100D-HA1#showsysteminterfaceofficeconfig systeminterfaceedit"office"setvdom "root"setip 10.10.60.1255.255.255.0setallowaccess pinghttpsssh capwapsettypeswitch-vlansetsnmp-index22setmacaddr 08:5b:0e:de:77:d0

105

nextend

FG-100D-HA1#showsystemdhcp server6config systemdhcp serveredit6setdns-servicedefaultsetdefault-gateway10.10.60.1setnetmask255.255.255.0setinterface"office"config ip-rangeedit1setstart-ip 10.10.60.2setend-ip 10.10.60.254

nextend

settimezone-optiondefaultnext

end

config switch-controllermanaged-switchedit"FS224D3Z14000202"setfsw-wan1-peer"fortilinkFSW1"setfsw-wan1-adminenableconfig portsedit"port1"setvlan "office"

nextedit"port2"setvlan "office"





nextedit"port7"

105

setvlan "office"nextedit"port8"setvlan "office"













nextedit"port21"setvlan “vsw.root"

next

105

edit"port22"setvlan "vsw.root"

nextedit"port23"setvlan "vsw.root"

nextedit"port24"setvlan "vsw.root"

nextend

nextend

105

Usethefollowing commandtoauthorizeyourFAP,makesuretoincludethecorrectserialnumber:config wireless-controller wtp

edit "FAP24D3X15000029"set admin enable

nextend

108

SSIDsareassignedtotheFAPusingdifferentVLANs:VLAN110:GuestSSIDVLAN120:OfficeVLAN130:Customers

PoliciesarecreatedonFGTtocontroltrafficbetweentheSSIDs.

112

D-series FortiSwitchEnhancedsoftwareroadmapAllmodelssupportFortilinkmode

AllportsPOE+(FPOE)L2andPOE+oneveryportaremainrequirementsinRetail/EnterpriseNewmodelsshippingFS-224D-FPOEandFS-548D-FPOE

SecureInFortilinkmode,eliminatelogintoFortiSwitch.AllcontrolsfromFortiGate.CentralVLANprovisioningCentralizeduserauthentication

CostOptimizedVerycompetitivepricing.Switch+opticalmodulesfrom

118

Fortinet<50%ofcompetition.NewmodelshavenewSupportSKUpricingReplacechassisandstackingsolutionsusingFortilink Stacking

TheFortilink technologytomanageswitchingfromafirewallisuniqueintheindustryAbilitytomanageanetworkfromacentralcontrolleriswhatSDNpromisesConfiguringSecurityprofilesonanetworkinasimplemannerisvaluable

SecuritymanagementfromFortiGate consoleFAPandFSWareportextensionsofFortigateUnifiedsecuritypoliciesforwiredorwirelessconnections

118

Initial Verfication:Fromyourlaptops:- PingFG-100Dunits- connecttoFG-100Dunits(SSHorGUI)– user:admin/password:<blank>

122

Initial Verfication:Fromyourlaptops:- Ping FG-100Dunits- connecttoFG-100Dunits(SSHorGUI)– user:admin/password:<blank>

123

[root@centos-client-1~]#ssh [email protected]#getsystemstatusVersion:FortiSwitch-224D-POEv3.3.0,build0112,150612(Interim)Serial-Number:FS224D3Z14000202BIOSversion:04000002SystemPart-Number:P15455-01BurninMAC:08:5b:0e:5e:3e:4cHostname:FS224D3Z14000202Distribution:InternationalBranchpoint:112Systemtime:WedDec3116:03:231969

FS224D3Z14000202#getsystemglobaladmin-concurrent:enableadmin-https-pki-required:disableadmin-lockout-duration:60admin-lockout-threshold:3admin-maintainer:enableadmin-port:80admin-scp :disable

125

admin-server-cert:self-signadmin-sport:443admin-ssh-grace-time:120admin-ssh-port:22admin-ssh-v1:disableadmin-telnet-port:23admintimeout :5allow-subnet-overlap:disablecfg-save:automaticcsr-ca-attribute:enabledaily-restart:disabledetect-ip-conflict:enabledst :enablegui-lines-per-page:50hostname:FS224D3Z14000202language:englishldapconntimeout :500log-user-in-upper:disableradius-port:1812refresh:0registration-notification:enableremoteauthtimeout :5revision-backup-on-logout:enableservice-expire-notification:enablestrong-crypto:disableswitch-mgmt-mode:localtimezone :(GMT-8:00)PacificTime(US&Canada)user-server-cert:self-sign

125

Browsetohttp://192.168.1.99user:adminpassword:<blank>

126

Checkswitchconfiguration,note thatallportsareinthesameVLAN(vlan-id1)bydefault#showswitchinterface#config switchinterface#editport##get

Andports21to24areenabledforautodiscoverybyFortilink

127

Checkswitchconfiguration,note thatallportsareinthesameVLAN(vlan-id1)bydefault#showswitchinterface#config switchinterface#editport##get

Andports21to24areenabledforautodiscoverybyFortilink

128

fortiswitch-workshop-v1.5.3-handouts-lab · retail/enterprise: we are shipping fs -248d-fpoe and fs...

Documents