fortiswitch-workshop-v1.5.3-handouts-lab · retail/enterprise: we are shipping fs -248d-fpoe and fs...
TRANSCRIPT
Primary Benefits:
✓ High Port Density
✓ Integrated Power Over Ethernet
✓ Connect Access Points, Peripherals, Cameras, Phones
✓ Managed by FortiGate - Create an integrated, secure network
✓ Line Rate Performance
✓ Limited Lifetime Warranty
All ports POE+ (FPOE): L2 and POE+ on every port are main requirements in Retail/Enterprise. We are shipping FS-248D-FPOE and FS-548D-FPOE, all ports POE+ capable.
Secure: In Fortilink mode, eliminate the need to log in to the FortiSwitch. Secure management channel from FortiGate. Central VLAN provisioning. Centralized user authentication.
Cost Optimized: Very competitive pricing. Switch + optical modules from Fortinet < 50% of competition. Replace chassis and stacking solutions using Fortilink Stacking.
Complete Portfolio: 1G and 10G/40G port densities for Retail/Enterprise/Datacenter. Layer 2 Access market focus. Replace chassis and stacking solutions using innovative Fortilink Stacking.
With FortiSwitchOS version 3.3.0 and FortiOS 5.4.0, all FSW D-series models support Fortilink with the FG models listed in the table.
* Roadmap: FGR-60D / FGR-90D / FG-300D / FG-70D / FG-80CM / FG-VM / FG-92D
Complete actions required in case the default config is not being used on FortiSwitch:
1. Prepare FortiGate
   - enable switch controller (CLI) – enabled by default in most models!
   - configure interface for Fortilink (GUI – if LAG then CLI)
   - NTP and DHCP servers enabled automatically when using GUI
2. Prepare FortiSwitch
   - enable switch controller (GUI or CLI)
   - configure interface for Fortilink (CLI – enabled by default)
3. Connect cabling
4. On FGT, authorize FSW
   - check managed switches, right-click to authorize (GUI)
The following configuration is optional:
5. Configure VLANs
   - create FortiSwitch VLAN and assign to FSW ports (GUI)
6. Enable 802.1x port authentication
7. Manage POE configuration
Disconnect your laptop; it is not necessary to access the FSW.
Initial Verification: From your laptops:
- Ping the FG-100D units
- Connect to the FG-100D units (SSH or GUI) – user: admin / password: <blank>
Most FG models have the switch controller enabled by default; if not, use the following config:
    config system global
        set switch-controller enable
        set switch-controller-reserved-network 169.254.254.0 255.255.255.0
    end
Set mode to "Dedicated to Extension Device". IP addressing, NTP and DHCP server configs are added automatically.
Using CLI, each step is done separately: IP, NTP, DHCP.
FortiSwitch keeps sending Fortilink packets to FortiGate.
On FortiGate, the FSW is listed in the "Managed Switches" list waiting for authorization.
FortiSwitch reboots and joins Fortilink.
All ports are added to VLAN "vsw.root"; the IP/DHCP settings can be configured.
The FSW IP can be found in the DHCP monitor list.
Fortilink VLAN id 4094 is used for communication between FSW and FGT; VLAN id 4074 is used by the default FortiSwitch VLAN.
    FS224D3Z14000202 # show switch interface
    config switch interface
        edit "port1"
            set native-vlan 4074
        next
        edit "port2"
            set native-vlan 4074
        next
        edit "port3"
            set native-vlan 4074
        next
        edit "port4"
            set native-vlan 4074
        next
        edit "port5"
            set native-vlan 4074
        next
        edit "port6"
            set native-vlan 4074
        next
        edit "port7"
            set native-vlan 4074
        next
        edit "port8"
            set native-vlan 4074
        next
        edit "port9"
            set native-vlan 4074
        next
        edit "port10"
            set native-vlan 4074
        next
        edit "port11"
            set native-vlan 4074
        next
        edit "port12"
            set native-vlan 4074
        next
        edit "port13"
            set native-vlan 4074
        next
        edit "port14"
            set native-vlan 4074
        next
        edit "port15"
            set native-vlan 4074
        next
        edit "port16"
            set native-vlan 4074
        next
        edit "port17"
            set native-vlan 4074
        next
        edit "port18"
            set native-vlan 4074
        next
        edit "port19"
            set native-vlan 4074
        next
        edit "port20"
            set native-vlan 4074
        next
        edit "port21"
            set dynamic-fortilink-mode enable
        next
        edit "port22"
            set dynamic-fortilink-mode enable
        next
        edit "port23"
            set dynamic-fortilink-mode enable
        next
        edit "port24"
            set dynamic-fortilink-mode enable
        next
        edit "internal"
            set native-vlan 4094
            set stp-state disabled
        next
    end
It is only necessary to save the FGT configuration; it includes the configuration of the managed switches.
Use the FortiGate GUI or CLI:
    FGT # exec ssh [email protected]
    FSW # exec factoryreset
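The `show switch interface` output above is what a reviewer checks to confirm that only the intended uplinks are in Fortilink discovery mode and that no user-facing port has been put on the Fortilink VLAN (4094), which would place that port on the FGT-to-FSW management channel. The following script is an added example written for this page, not workshop or Fortinet code; it parses a constructed, abbreviated copy of that output (with two deliberately wrong ports added) and reports deviations. The set of expected uplinks (port21 to port24) is a lab assumption.

```python
"""Audit a FortiSwitch `show switch interface` dump (added example, not from the workshop).

Constructed input: an abbreviated version of the FS224D3Z14000202 output from the
slides (user ports on the default FortiSwitch VLAN 4074, ports 21-24 in
dynamic-fortilink-mode, "internal" on the Fortilink VLAN 4094), plus two
deliberately misconfigured ports (port2 and port3) to show what the audit flags.
"""
import re

FORTILINK_VLAN = 4094          # FGT <-> FSW management VLAN (from the slides)
DEFAULT_FSW_VLAN = 4074        # default FortiSwitch VLAN (from the slides)
EXPECTED_UPLINKS = {"port21", "port22", "port23", "port24"}  # lab assumption

SAMPLE_DUMP = """\
config switch interface
    edit "port1"
        set native-vlan 4074
    next
    edit "port2"
        set native-vlan 4094
    next
    edit "port3"
        set native-vlan 4074
        set dynamic-fortilink-mode enable
    next
    edit "port21"
        set dynamic-fortilink-mode enable
    next
    edit "port22"
        set dynamic-fortilink-mode enable
    next
    edit "port23"
        set dynamic-fortilink-mode enable
    next
    edit "port24"
        set dynamic-fortilink-mode enable
    next
    edit "internal"
        set native-vlan 4094
        set stp-state disabled
    next
end
"""


def parse_switch_interfaces(text):
    """Return {interface_name: {setting: value}} from a `show switch interface` dump."""
    ports, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'edit "([^"]+)"', line)
        if m:
            current = m.group(1)
            ports[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            ports[current][key] = value
        elif line == "next":
            current = None
    return ports


def audit_fortilink(ports, uplinks=EXPECTED_UPLINKS):
    """Return a list of findings; an empty list means the dump matches the lab design."""
    findings = []
    for name, cfg in ports.items():
        if name == "internal":
            if cfg.get("native-vlan") != str(FORTILINK_VLAN):
                findings.append(f"{name}: not on Fortilink VLAN {FORTILINK_VLAN}")
            continue
        fortilink = cfg.get("dynamic-fortilink-mode") == "enable"
        if fortilink and name not in uplinks:
            findings.append(f"{name}: dynamic-fortilink-mode enabled on a non-uplink port")
        if not fortilink and name in uplinks:
            findings.append(f"{name}: expected uplink lacks dynamic-fortilink-mode")
        if cfg.get("native-vlan") == str(FORTILINK_VLAN) and name not in uplinks:
            # a user-facing port on 4094 would sit on the FGT <-> FSW management VLAN
            findings.append(f"{name}: access port placed on Fortilink VLAN {FORTILINK_VLAN}")
    for name in sorted(uplinks - set(ports)):
        findings.append(f"{name}: expected uplink not present in dump")
    return findings


if __name__ == "__main__":
    for finding in audit_fortilink(parse_switch_interfaces(SAMPLE_DUMP)):
        print(finding)
```

Run it against a dump captured with `exec ssh` to the switch as shown above; a clean lab switch produces no output.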
Connect port21 on each FSW to the corresponding port on the FG-100D-1. Fortilink will be established using the single link between the devices.
Each FSW device is connected with 2x1G ports (port21 and port22) to one FortiGate (FG-100D-HA1) and 2x1G ports (port23 and port24) to the other (FG-100D-HA2). Example:
    FS-224D-POE-1 port21 -> port1 FG-100D-HA1
    FS-224D-POE-1 port22 -> port2 FG-100D-HA1
    FS-224D-POE-1 port23 -> port1 FG-100D-HA2
    FS-224D-POE-1 port24 -> port2 FG-100D-HA2
DISCONNECT the cable from the FSW; the configuration is done via FGT.
FortiGate is configured with HA in active-passive mode, with session synchronization enabled. Override is disabled to facilitate testing.
Models in an HA pair must be identical, even in hardware revision.
FortiSwitch keeps sending Fortilink packets to FortiGate.
On FortiGate, the FSW is listed in the "Managed Switches" list waiting for authorization.
LAG balancing based on IP src and dst.
Connect to the FortiSwitch via the FortiGate: # exec ssh [email protected]
All 4 Fortilink ports are enabled: port21, 22, 23 and 24 (the `show switch interface` output is the same as shown above).
After the VLANs are configured, use the cable again and connect to the FSW user port.
Use the information provided in the addressing table.
First 3 steps done at once: VLAN, IP address and DHCP server.
Hold the Ctrl key to select multiple ports that are non-contiguous.
There should be at least one policy allowing traffic between your VLAN and the others, and a second policy to allow traffic from your VLAN to the servers.
servers: 172.16.1.160-172.16.1.165
1. Create the VLAN that is going to receive tagged traffic:
    FG-100D-HA1 # show switch-controller vlan vlan-voip
    config switch-controller vlan
        edit "vlan-voip"
            set vlanid 50
            set color 25
        next
    end
2. Configure IP addressing and DHCP server:
    FG-100D-HA1 # show system interface vlan-voip
    config system interface
        edit "vlan-voip"
            set vdom "root"
            set ip 10.10.50.1 255.255.255.0
            set allowaccess ping https ssh
            set type switch-vlan
            set snmp-index 21
            set macaddr 08:5b:0e:de:77:d0
        next
    end
    FG-100D-HA1 # show system dhcp server 5
    config system dhcp server
        edit 5
            set dns-service default
            set default-gateway 10.10.50.1
            set netmask 255.255.255.0
            set interface "vlan-voip"
            config ip-range
                edit 1
                    set start-ip 10.10.50.2
                    set end-ip 10.10.50.254
                next
            end
        next
    end
3. Configure the FSW port to allow this VLAN:
    config switch-controller managed-switch
        edit "FS224D3Z14000202"
            config ports
                edit "port11"
                    set allowed-vlans "vlan-voip"
                next
            end
        next
    end
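The interface and DHCP server above have to agree with each other (gateway equals the interface address, scope inside the subnet and not overlapping the gateway) and the interface's `allowaccess` decides which management protocols are exposed to every client on that VLAN; the slides correctly limit it to ping, https and ssh. The script below is an added example written for this page, not a FortiOS feature or workshop code: it re-parses a constructed copy of the vlan-voip `show` output and reports any disagreement or cleartext management protocol. The checks and thresholds are this editor's.

```python
"""Consistency check for a switch-VLAN interface and its DHCP server
(added example, not from the workshop). The input is a constructed copy of the
vlan-voip `show` output from the slides; the checks are this editor's."""
import ipaddress
import re

INSECURE_ACCESS = {"http", "telnet"}   # cleartext management protocols to keep off user VLANs

SAMPLE_INTERFACE = """\
config system interface
    edit "vlan-voip"
        set vdom "root"
        set ip 10.10.50.1 255.255.255.0
        set allowaccess ping https ssh
        set type switch-vlan
    next
end
"""

SAMPLE_DHCP = """\
config system dhcp server
    edit 5
        set dns-service default
        set default-gateway 10.10.50.1
        set netmask 255.255.255.0
        set interface "vlan-voip"
        config ip-range
            edit 1
                set start-ip 10.10.50.2
                set end-ip 10.10.50.254
            next
        end
    next
end
"""


def parse_block(text):
    """Return (name of the outermost edit, {setting: value}) for one FortiOS config block.
    Nested `config ip-range` settings are flattened into the same dict (keys do not collide)."""
    name, settings = None, {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'edit\s+"?([^"]+)"?$', line)
        if m and name is None:
            name = m.group(1)
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            settings[key] = value.strip('"')
    return name, settings


def check_vlan_dhcp(interface_dump, dhcp_dump):
    """Return a list of findings; empty when the interface and DHCP scope agree and
    no cleartext management protocol is exposed on the VLAN."""
    iface_name, iface = parse_block(interface_dump)
    _, dhcp = parse_block(dhcp_dump)
    findings = []
    ip_str, mask_str = iface["ip"].split()
    iface_ip = ipaddress.ip_address(ip_str)
    net = ipaddress.ip_interface(f"{ip_str}/{mask_str}").network
    if dhcp.get("interface") != iface_name:
        findings.append(f"dhcp server bound to {dhcp.get('interface')!r}, not {iface_name!r}")
    if ipaddress.ip_address(dhcp["default-gateway"]) != iface_ip:
        findings.append("dhcp default-gateway is not the interface address")
    if dhcp.get("netmask") != mask_str:
        findings.append("dhcp netmask differs from interface netmask")
    start = ipaddress.ip_address(dhcp["start-ip"])
    end = ipaddress.ip_address(dhcp["end-ip"])
    if not (start in net and end in net and start <= end):
        findings.append(f"dhcp range {start}-{end} is not inside {net}")
    elif start <= iface_ip <= end:
        findings.append("dhcp range overlaps the interface address")
    exposed = set(iface.get("allowaccess", "").split()) & INSECURE_ACCESS
    if exposed:
        findings.append(f"cleartext management enabled on VLAN: {', '.join(sorted(exposed))}")
    return findings


if __name__ == "__main__":
    print(check_vlan_dhcp(SAMPLE_INTERFACE, SAMPLE_DHCP) or ["vlan-voip: OK"])
```

The same two `show` commands for the "office" VLAN later in the lab can be fed through unchanged.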
Each FSW device is connected with 2x1G ports (port25 and port26) to the FortiGate.
Configuration required for 802.1x authentication:
1. Configure user/user group on FortiGate (already prepared for the workshop). For simplicity, the user is defined locally on FortiGate; however, it could also use external servers.
2. Enable 802.1x authentication on the FortiSwitch VLAN => FortiSwitch ports automatically enabled.
When 802.1x is enabled on the FortiSwitch VLAN, all ports that are assigned to that FortiSwitch VLAN are automatically enabled for 802.1x authentication.
802.1x status can be verified using the command:
    FG-100D-HA1 # config switch-controller managed-switch
    FG-100D-HA1 (managed-switch) # edit FS224D3Z14000202
    FG-100D-HA1 (FS224D3Z14000202) # config ports
    FG-100D-HA1 (ports) # edit port9
    FG-100D-HA1 (port9) # get
    port-name: port9
    switch-id: FS224D3Z14000202
    speed: auto
    status: up
    dot1x-enable: enable
    dot1x-status: authenticating
    vlan: vlan100
    allowed-vlans:
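The per-port `get` output above is the place to confirm the claim that every port on an 802.1x VLAN is really enforcing 802.1x, and to spot link-up ports whose supplicant never completes authentication. This is an added example written for this page, not workshop code: it parses a constructed capture of three such `get` blocks (port9 copied from the slide, port10 and port11 invented) and lists the gaps. The `dot1x-status` values other than "authenticating", and the name of the completed state ("authorized"), are assumptions.

```python
"""Report 802.1x coverage from FortiGate per-port `get` output
(added example, not from the workshop)."""
import re

# Constructed capture: port9 is the real output from the slide; port10 (same VLAN,
# dot1x disabled) and port11 (different VLAN) are invented to exercise the checks.
SAMPLE_GET_OUTPUT = """\
FG-100D-HA1 (port9) # get
port-name: port9
switch-id: FS224D3Z14000202
speed: auto
status: up
dot1x-enable: enable
dot1x-status: authenticating
vlan: vlan100
allowed-vlans:
FG-100D-HA1 (port10) # get
port-name: port10
switch-id: FS224D3Z14000202
speed: auto
status: up
dot1x-enable: disable
dot1x-status:
vlan: vlan100
allowed-vlans:
FG-100D-HA1 (port11) # get
port-name: port11
switch-id: FS224D3Z14000202
speed: auto
status: down
dot1x-enable: disable
dot1x-status:
vlan: vlan-voip
allowed-vlans:
"""


def parse_port_gets(text):
    """Return {port-name: {field: value}} from one or more `(portN) # get` blocks."""
    ports, current = {}, None
    for line in text.splitlines():
        if re.search(r"\)\s*#\s*get\s*$", line):   # prompt line starts a new block
            current = {}
            continue
        key, sep, value = line.partition(":")
        if sep and current is not None:
            key, value = key.strip(), value.strip()
            current[key] = value
            if key == "port-name":
                ports[value] = current
    return ports


def dot1x_gaps(ports, vlan):
    """Ports assigned to `vlan` whose dot1x-enable is not 'enable'. Per the slides this
    should be empty once 802.1x is enabled on that FortiSwitch VLAN."""
    return sorted(p for p, c in ports.items()
                  if c.get("vlan") == vlan and c.get("dot1x-enable") != "enable")


def unauthenticated_up_ports(ports, authorized_state="authorized"):
    """Link-up, 802.1x-enabled ports whose supplicant has not reached the completed
    state (the 'authorized' state name is an assumption, not taken from the slides)."""
    return sorted(p for p, c in ports.items()
                  if c.get("status") == "up" and c.get("dot1x-enable") == "enable"
                  and c.get("dot1x-status") != authorized_state)


if __name__ == "__main__":
    ports = parse_port_gets(SAMPLE_GET_OUTPUT)
    print("vlan100 ports without 802.1x:", dot1x_gaps(ports, "vlan100"))
    print("up ports still unauthenticated:", unauthenticated_up_ports(ports))
```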
In Windows clients, enable 802.1x in the network adapter properties; uncheck "Remember my credentials…" so that you get the user/password prompt in every connection attempt.
In Advanced Settings, choose to specify the authentication mode as "User authentication".
After changing adapter settings, or when the adapter is disabled/enabled, or when the cable is unplugged/plugged, the user gets the credentials popup.
Each FSW device is connected with 2x1G ports (port25 and port26) to the FortiGate.
To reset a POE port using the CLI, run the following command:
    execute switch-controller poe-reset <switch SN> <port>
The speaker will add the "office" FortiSwitch VLAN, IP and DHCP server, and configure the SSID.
The delegates will assign their ports to this FortiSwitch VLAN, and one volunteer will authorize the AP.
    FG-100D-HA1 # show switch-controller vlan office
    config switch-controller vlan
        edit "office"
        next
    end
    FG-100D-HA1 # show system interface office
    config system interface
        edit "office"
            set vdom "root"
            set ip 10.10.60.1 255.255.255.0
            set allowaccess ping https ssh capwap
            set type switch-vlan
            set snmp-index 22
            set macaddr 08:5b:0e:de:77:d0
        next
    end
    FG-100D-HA1 # show system dhcp server 6
    config system dhcp server
        edit 6
            set dns-service default
            set default-gateway 10.10.60.1
            set netmask 255.255.255.0
            set interface "office"
            config ip-range
                edit 1
                    set start-ip 10.10.60.2
                    set end-ip 10.10.60.254
                next
            end
            set timezone-option default
        next
    end
    config switch-controller managed-switch
        edit "FS224D3Z14000202"
            set fsw-wan1-peer "fortilinkFSW1"
            set fsw-wan1-admin enable
            config ports
                edit "port1"
                    set vlan "office"
                next
                edit "port2"
                    set vlan "office"
                next
                edit "port3"
                    set vlan "office"
                next
                edit "port4"
                    set vlan "office"
                next
                edit "port5"
                    set vlan "office"
                next
                edit "port6"
                    set vlan "office"
                next
                edit "port7"
                    set vlan "office"
                next
                edit "port8"
                    set vlan "office"
                next
                edit "port9"
                    set vlan "office"
                next
                edit "port10"
                    set vlan "office"
                next
                edit "port11"
                    set vlan "office"
                next
                edit "port12"
                    set vlan "office"
                next
                edit "port13"
                    set vlan "office"
                next
                edit "port14"
                    set vlan "office"
                next
                edit "port15"
                    set vlan "office"
                next
                edit "port16"
                    set vlan "office"
                next
                edit "port17"
                    set vlan "office"
                next
                edit "port18"
                    set vlan "office"
                next
                edit "port19"
                    set vlan "office"
                next
                edit "port20"
                    set vlan "office"
                next
                edit "port21"
                    set vlan "vsw.root"
                next
                edit "port22"
                    set vlan "vsw.root"
                next
                edit "port23"
                    set vlan "vsw.root"
                next
                edit "port24"
                    set vlan "vsw.root"
                next
            end
        next
    end
Use the following command to authorize your FAP; make sure to include the correct serial number:
    config wireless-controller wtp
        edit "FAP24D3X15000029"
            set admin enable
        next
    end
SSIDs are assigned to the FAP using different VLANs: VLAN 110: Guest SSID; VLAN 120: Office; VLAN 130: Customers.
Policies are created on the FGT to control traffic between the SSIDs.
D-series FortiSwitch Enhanced software roadmap: All models support Fortilink mode.
All ports POE+ (FPOE): L2 and POE+ on every port are main requirements in Retail/Enterprise. New models shipping: FS-224D-FPOE and FS-548D-FPOE.
Secure: In Fortilink mode, eliminate login to the FortiSwitch. All controls from FortiGate. Central VLAN provisioning. Centralized user authentication.
Cost Optimized: Very competitive pricing. Switch + optical modules from Fortinet < 50% of competition. New models have new Support SKU pricing. Replace chassis and stacking solutions using Fortilink Stacking.
The Fortilink technology to manage switching from a firewall is unique in the industry. The ability to manage a network from a central controller is what SDN promises. Configuring security profiles on a network in a simple manner is valuable.
Security management from the FortiGate console: FAP and FSW are port extensions of the FortiGate. Unified security policies for wired or wireless connections.
    [root@centos-client-1 ~]# ssh [email protected]
    FS224D3Z14000202 # get system status
    Version: FortiSwitch-224D-POE v3.3.0,build0112,150612 (Interim)
    Serial-Number: FS224D3Z14000202
    BIOS version: 04000002
    System Part-Number: P15455-01
    Burnin MAC: 08:5b:0e:5e:3e:4c
    Hostname: FS224D3Z14000202
    Distribution: International
    Branch point: 112
    System time: Wed Dec 31 16:03:23 1969
    FS224D3Z14000202 # get system global
    admin-concurrent: enable
    admin-https-pki-required: disable
    admin-lockout-duration: 60
    admin-lockout-threshold: 3
    admin-maintainer: enable
    admin-port: 80
    admin-scp: disable
    admin-server-cert: self-sign
    admin-sport: 443
    admin-ssh-grace-time: 120
    admin-ssh-port: 22
    admin-ssh-v1: disable
    admin-telnet-port: 23
    admintimeout: 5
    allow-subnet-overlap: disable
    cfg-save: automatic
    csr-ca-attribute: enable
    daily-restart: disable
    detect-ip-conflict: enable
    dst: enable
    gui-lines-per-page: 50
    hostname: FS224D3Z14000202
    language: english
    ldapconntimeout: 500
    log-user-in-upper: disable
    radius-port: 1812
    refresh: 0
    registration-notification: enable
    remoteauthtimeout: 5
    revision-backup-on-logout: enable
    service-expire-notification: enable
    strong-crypto: disable
    switch-mgmt-mode: local
    timezone: (GMT-8:00) Pacific Time (US & Canada)
    user-server-cert: self-sign
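The `get system global` output above is the standalone switch's management posture before it joins Fortilink, and it shows settings a security reviewer would note: `strong-crypto: disable`, a self-signed admin certificate and the maintainer account enabled (the blank admin password the lab uses is not visible in this output and has to be checked separately). The following script is an added example written for this page, not workshop or Fortinet code; it parses a constructed excerpt of that output (the real output varies the spacing around the colon, which the parser tolerates) and applies a small rule set. The thresholds and the choice of rules are this editor's.

```python
"""Audit FortiSwitch `get system global` output for weak management settings
(added example, not from the workshop). Rules and thresholds are this editor's."""

# Constructed excerpt of the FS224D3Z14000202 output shown on the slide, keeping the
# original's inconsistent "key : value" spacing.
SAMPLE_GLOBAL = """\
admin-concurrent: enable
admin-https-pki-required: disable
admin-lockout-duration: 60
admin-lockout-threshold: 3
admin-maintainer: enable
admin-port: 80
admin-scp : disable
admin-server-cert: self-sign
admin-sport: 443
admin-ssh-grace-time: 120
admin-ssh-port: 22
admin-ssh-v1: disable
admin-telnet-port: 23
admintimeout : 5
strong-crypto: disable
switch-mgmt-mode: local
timezone : (GMT-8:00) Pacific Time (US & Canada)
user-server-cert: self-sign
"""


def parse_get_output(text):
    """Turn 'key: value' / 'key : value' lines into a dict; splits on the first colon
    only, so values containing colons (the timezone line) survive intact."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


# (setting, predicate that is True when the value is weak, finding text)
RULES = [
    ("strong-crypto", lambda v: v != "enable",
     "strong-crypto disabled: weak TLS/SSH ciphers are offered for management"),
    ("admin-ssh-v1", lambda v: v == "enable",
     "SSH protocol 1 enabled for admin access"),
    ("admin-server-cert", lambda v: v == "self-sign",
     "HTTPS admin certificate is self-signed; clients cannot verify the switch"),
    ("admin-maintainer", lambda v: v == "enable",
     "maintainer account enabled: console access allows password recovery"),
    ("admintimeout", lambda v: int(v) > 15,
     "admin idle timeout exceeds 15 minutes"),
    ("admin-lockout-threshold", lambda v: int(v) == 0 or int(v) > 10,
     "admin lockout threshold too permissive"),
]


def audit_global(settings, rules=RULES):
    """Return the finding text for every rule whose setting is present and weak."""
    return [msg for key, is_weak, msg in rules if key in settings and is_weak(settings[key])]


if __name__ == "__main__":
    for finding in audit_global(parse_get_output(SAMPLE_GLOBAL)):
        print(finding)
```

Once the switch is managed over Fortilink, the same fields are still worth reading from the switch itself, since the lab's point is that nobody logs in to the FSW afterwards and these defaults are otherwise never revisited.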
Browse to http://192.168.1.99 (user: admin / password: <blank>)
Check the switch configuration; note that all ports are in the same VLAN (vlan-id 1) by default:
    # show switch interface
    # config switch interface
    # edit port#
    # get
And ports 21 to 24 are enabled for auto-discovery by Fortilink.