Category Archives: Administration Guides

FortiWLC – Configuring the Controller-Based DHCP Server

Configuring the Controller-Based DHCP Server

In FortiWLC (SD) release 5.1 and later, users have the ability to configure a DHCP server that can be operated directly from the controller. This configuration is ideal for relatively small deployments that do not require a separate server to handle DHCP duties. This can be particularly useful for deployments that require a DHCP server for a separate VLAN (such as one used for a guest network) but would prefer not to allow that traffic to impact the corporate DHCP server.

The internal DHCP server does not support using Option 43 for multiple subnets. Use an external DHCP server that supports Option 43 for multiple subnets.

The controller-based DHCP server requires that the DHCP Relay Passthrough option (in the Global Controller Parameters) be set to On for the controller. To verify or adjust this, access the WebUI and navigate to Configuration > Devices > Controller.

It is recommended that you do not use the internal DHCP server in an enterprise deployment.

Creating a DHCP Server

The controller can have multiple different DHCP servers configured on it at any given time. A DHCP server can be associated to only one VLAN. The steps below can be repeated in order to configure different DHCP servers for separate VLANs or Virtual Interface Profiles as needed.

To create a DHCP Server:

  1. From the WebUI, navigate to Configuration > DHCP and click the DHCP Server tab to view the current configured DHCP servers. Note that if no servers have been configured, the page will be blank.
  2. Click Add to begin configuring the DHCP server parameters.

Figure 11: DHCP Server Configuration

  3. Provide the necessary information as described in Table 8.


TABLE 8: DHCP Options

Option: Description

DHCP Server Pool
Name: Enter a name to be ascribed to the DHCP Server.
VLAN Name: This drop-down list allows you to select a VLAN to which the server should be applied. Note that this is only available if the controller is operating in Layer 2 routing mode.
State: Set to Enabled in order to activate the DHCP server, Disabled to deactivate it.
Lease Time: The duration of IP leases that are assigned by the DHCP server. This value is displayed in seconds.
IP Pool Start/End: The start and end IP addresses of the IP pool that may be assigned by the DHCP server.
Domain Name: The domain on which the DHCP server will be active.
Primary/Secondary DNS Server: The primary and secondary DNS servers to be used by the DHCP server.
Primary/Secondary Netbios Server: The primary and secondary Netbios servers to be used by the DHCP server.
DHCP Option 43: Option 43 allows you to manually specify the primary and secondary controllers to be used by the server. Enter the primary and secondary controller IP addresses (separated by a comma) in this field.

  4. Click OK to save the server.

Viewing DHCP Leases

After the DHCP server has been configured and is active, it can begin providing IP addresses to clients. These assignments will appear in the DHCP Lease table. To view it, open the WebUI and navigate to Configuration > DHCP. The DHCP Lease table appears automatically.

FortiWLC – AP Groups

AP Groups

Create AP groups with a list of the APs associated with this controller. The AP groups can be mapped to feature groups to easily deploy configurations to the associated APs.

You can create a maximum of 128 AP groups. The maximum number of APs in an AP group is the same as the maximum supported by the controller. An AP can be part of only one AP group or one feature group at any point in time.

The default page lists the available AP groups with the following details about each AP group:

  • AP Group ID: A unique number associated with the AP group.
  • AP Group Name: Name of the AP group.
  • Description: Descriptive text about the AP group.
  • Default AP Group: Specifies if an AP group is set as default. If set as default, all APs that join the controller will be associated with this AP group. You can have only one default group.

NOTE: The default AP group takes precedence even if you have a default feature group.

Creating an AP Group

Click the Add button and specify name (special characters and spaces cannot be used), description and also select if this group is the default AP group. Click OK to complete this step.

FortiWLC – Feature Group

Feature Group

Feature groups make it easier to deploy and manage configuration for a large number of APs. Traditionally, you could apply a configuration to an AP or an AP group. Using feature groups, you can instantly apply an ESS Profile, DPI Policies, Port Profile, ARRP, and Radio Interfaces to one or more APs or AP Groups. You can create a maximum of 10 feature groups.

The default page lists the available feature groups with the following details about each feature group:

  • Feature Group ID: A unique number associated with the feature group.
  • Feature Group Name: Name of the feature group.
  • Feature Group Description: Descriptive text about the feature group.
  • Default Feature Group: Specifies if a feature group is set as default. If set as default, all APs that join the controller will be associated with this feature group. You can have only one default group.

NOTE: If you have a default AP group, then it takes precedence and all APs that join the controller will be associated with the default AP group.

Creating a Feature Group

Click the Add button and specify name (special characters and spaces cannot be used), description and also select if this group is the default feature group. Click OK to complete this step.

After the feature group name is selected, you can now add configurations to this group. These configurations can be instantly applied to one or more APs.

  • APs – Select this option to add AP Groups and individual APs to this feature group.
  • ARRP – ARRP profiles are local to the group. Select this option to add ARRP configurations. For more information, see “Automatic Radio Resource Provisioning (ARRP)” on page 360.
  • Radio – Select this option to specify the radio interface and its antenna settings.
  • ESS – Select this option to select and associate ESS profiles at the interface level.
  • Port Profiles – Select port profile to associate at the interface level.
  • DPI – Create DPI policies for this feature group. Each feature group can contain a maximum of 25 DPI policies. DPI policies are local to the group, but DPI must be enabled at Configuration > Access Control > Application > Settings (tab).

Other options include deleting and cloning a feature group.

Cloning a Feature Group

To clone a feature group, select the feature group and click the CLONE button. Specify a new name and description for this cloned feature group. The cloned feature group will not carry the list of mapped APs, AP groups, and DPI policies.

FortiWLC (SD) Communication Ports

The tunnel between an AP and a controller uses the following ports for communication.

Traffic: Port
AeroScout: UDP/6091
Captive Portal (http redirection): TCP/8080
Captive Portal (https redirection): TCP/8081
NM Location Manager – Web UI: TCP/443
NM Location Manager – Administrative Web UI (SSL): TCP/8003
NM Location Manager – AP Communication (Capture Packets subsystem): UDP/9177 and UDP/37008
FTP: TCP/20 and TCP/21
H.323v1 flow detection: TCP/1720
HTTP: TCP/8080
HTTPS: TCP/443
Fortinet L3 AP COMM: UDP/5000
Licensing – for connections initiated from within the controller only for licensing purposes (e.g. wncagent -> merud): TCP/32780
Fortinet L3 AP Data: UDP/9393
Fortinet L3 AP Discovery/Keepalive: UDP/9292
NP1 advertisements / config: UDP/9980
NTP: UDP/123
RADIUS accounting: 1813 / 1646
RADIUS auth: 1812 / 1645
SIP: UDP/TCP 5060
SSH: TCP/22
SNMP: UDP/161 and 162
Syslog: UDP/514
TFTP: UDP/69
UDP broadcast up to 5 upstream/downstream configurable: UDP/xxx
TACACS+: TCP/49
Telnet: TCP/23
Controller packet capture: UDP/9177
WIPS: UDP/9178
WireShark, OmniPeek, Newbury: UDP/9177
SAM (AP and server): EtherIP 97
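The port table above is what a firewall between the AP VLAN and the controller should be built from, and what flow logs from that boundary should be reconciled against. The following Python script is an added example, not code from the page or from Fortinet: it parses a subset of the table in the page's own notation into an allowlist of (protocol, port) pairs and then flags observed flows that the table does not explain. The sample flows are constructed; where a row names no protocol (the RADIUS rows) the script assumes both TCP and UDP, because the table does not say which.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# A subset of the FortiWLC communication port table, copied in the page's own
# "Traffic / Port" notation so the parser has to cope with every form the
# table uses: "TCP/20 and TCP/21", "UDP/161 and 162", "UDP/TCP 5060", and
# "1813 / 1646" with no protocol named at all.
PORT_TABLE: List[Tuple[str, str]] = [
    ("AeroScout", "UDP/6091"),
    ("Captive Portal (http redirection)", "TCP/8080"),
    ("FTP", "TCP/20 and TCP/21"),
    ("Fortinet L3 AP COMM", "UDP/5000"),
    ("Fortinet L3 AP Data", "UDP/9393"),
    ("Fortinet L3 AP Discovery/Keepalive", "UDP/9292"),
    ("NM Location Manager - AP Communication", "UDP/9177 and UDP/37008"),
    ("NTP", "UDP/123"),
    ("RADIUS accounting", "1813 / 1646"),
    ("RADIUS auth", "1812 / 1645"),
    ("SIP", "UDP/TCP 5060"),
    ("SSH", "TCP/22"),
    ("SNMP", "UDP/161 and 162"),
    ("Syslog", "UDP/514"),
    ("TACACS+", "TCP/49"),
]

Flow = Tuple[str, int]  # (protocol, destination port)


def parse_port_spec(spec: str) -> Set[Flow]:
    """Expand one Port cell into (protocol, port) pairs.

    Every port in the cell is paired with every protocol named in it. When the
    cell names no protocol (the RADIUS rows) both TCP and UDP are assumed,
    because the table does not say which one applies.
    """
    protos = set(re.findall(r"\b(TCP|UDP)\b", spec)) or {"TCP", "UDP"}
    ports = {int(p) for p in re.findall(r"\b\d{1,5}\b", spec)}
    return {(proto, port) for proto in protos for port in ports}


def build_allowlist(table: List[Tuple[str, str]] = PORT_TABLE) -> Dict[Flow, str]:
    """Map each expected (protocol, port) to the service that explains it."""
    allow: Dict[Flow, str] = {}
    for service, spec in table:
        for flow in parse_port_spec(spec):
            allow.setdefault(flow, service)  # first row wins for shared ports
    return allow


ALLOWLIST = build_allowlist()


def classify_flow(proto: str, dport: int) -> Optional[str]:
    """Return the service a flow belongs to, or None if the table does not list it."""
    return ALLOWLIST.get((proto.upper(), dport))


def audit_flows(flows: List[Flow]) -> List[Flow]:
    """Return the flows that the published port table does not explain."""
    return [flow for flow in flows if classify_flow(*flow) is None]


# Constructed sample of (protocol, destination port) pairs, as they might be
# pulled from a firewall or NetFlow log for the AP VLAN; not real capture data.
SAMPLE_FLOWS: List[Flow] = [
    ("UDP", 9292), ("UDP", 9393), ("UDP", 123), ("TCP", 22),
    ("TCP", 3389), ("UDP", 1646),
]

if __name__ == "__main__":
    for proto, port in SAMPLE_FLOWS:
        print(f"{proto}/{port}: {classify_flow(proto, port) or 'NOT IN PORT TABLE'}")
```

Extending PORT_TABLE to the full table is a matter of copying the remaining rows; `setdefault` keeps the first service name for ports the table lists more than once (UDP/9177 appears three times).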

FortiOS 6 – FortiSwitch Troubleshooting

Troubleshooting

Troubleshooting FortiLink issues

If the FortiGate does not establish the FortiLink connection with the FortiSwitch, perform the following troubleshooting checks.

Check the FortiGate configuration

To use the FortiGate GUI to check the FortiLink interface configuration:

  1. In Network > Interfaces, double-click the interface used for FortiLink.
  2. Ensure that Dedicated to FortiSwitch is set for this interface.

To use the FortiGate CLI to verify that you have configured the DHCP and NTP settings correctly:

  1. Verify that the NTP server is enabled and that the FortiLink interface has been added to the list:

show system ntp

  2. Ensure that the DHCP server on the FortiLink interface is configured correctly:

show system dhcp

Check the FortiSwitch configuration

To use FortiSwitch CLI commands to check the FortiSwitch configuration:

  1. Verify that the switch system time matches the time on the FortiGate:

get system status

  2. Verify that the FortiGate has sent an IP address to the FortiSwitch (anticipate an IP address in the range 169.254.x.x):

get system interfaces

  3. Verify that you can ping the FortiGate IP address:

exec ping x.x.x.x

To use FortiGate CLI commands to check the FortiSwitch configuration:

  1. Verify that the connections from the FortiGate to the FortiSwitch units are up:

exec switch-controller get-conn-status

  2. Verify that ports for a specific FortiSwitch stack are connected to the correct locations:

exec switch-controller get-physical-conn <FortiSwitch-Stack-ID>

  3. Verify that all the ports for a specific FortiSwitch are up:

exec switch-controller get-conn-status <FortiSwitch-device-ID>

Synchronizing the FortiGate unit with the managed FortiSwitch units

You can synchronize the FortiGate unit with the managed FortiSwitch units to check for synchronization errors on each managed FortiSwitch unit.

Use the following command to synchronize the full configuration of a FortiGate unit with the managed FortiSwitch unit:

execute switch-controller trigger-config-sync <FortiSwitch_serial_number>

Use one of the following commands to display the synchronization state of a FortiGate unit with a specific managed FortiSwitch unit:

execute switch-controller get-sync-status switch-id <FortiSwitch_serial_number>

execute switch-controller get-sync-status name <FortiSwitch_name>

Use the following command to display the synchronization state of a FortiGate unit with a group of managed FortiSwitch units:

execute switch-controller get-sync-status group <FortiSwitch_group_name>

Use the following command to check the synchronization state of all managed FortiSwitch units in the current VDOM:

execute switch-controller get-sync-status all

For example:

FG100D3G14813513 (root) # execute switch-controller get-sync-status all
Managed-devices in current vdom root:

STACK-NAME: FortiSwitch-Stack-port5

SWITCH (NAME)                       STATUS   CONFIG   MAC-SYNC   UPGRADE
FS1D243Z14000173                    Up       Idle     Idle       Idle
S124DP3X16006228 (Desktop-Switch)   Up       Idle     Idle       Idle

FortiOS 6 – Configuring QoS with managed FortiSwitch units

Configuring QoS with managed FortiSwitch units

Quality of Service (QoS) provides the ability to set particular priorities for different applications, users, or data flows.

NOTE: FortiGate does not support QoS for hard or soft switch ports.

FortiSwitch supports the following QoS configuration capabilities:

  • Mapping the IEEE 802.1p and Layer 3 QoS values (Differentiated Services and IP Precedence) to an outbound QoS queue number.
  • Providing eight egress queues on each port.
  • Policing the maximum data rate of egress traffic on the interface.

To configure the QoS for managed FortiSwitch units:

  1. Configure a Dot1p map.

A Dot1p map defines a mapping between IEEE 802.1p class of service (CoS) values (from incoming packets on a trusted interface) and the egress queue values. Values that are not explicitly included in the map will follow the default mapping, which maps each priority (0-7) to queue 0. If an incoming packet contains no CoS value, the switch assigns a CoS value of zero.

NOTE: Do not enable trust for both Dot1p and DSCP at the same time on the same interface. If you do want to trust both Dot1p and IP-DSCP, the FortiSwitch uses the latter value (DSCP) to determine the queue. The switch will use the Dot1p value and mapping only if the packet contains no DSCP value.

config switch-controller qos dot1p-map
  edit <Dot1p map name>
    set description <text>
    set priority-0 <queue number>
    set priority-1 <queue number>
    set priority-2 <queue number>
    set priority-3 <queue number>
    set priority-4 <queue number>
    set priority-5 <queue number>
    set priority-6 <queue number>
    set priority-7 <queue number>
  next
end

  2. Configure a DSCP map.

A DSCP map defines a mapping between IP precedence or DSCP values and the egress queue values. For IP precedence, you have the following choices:

  • network-control – Network control
  • internetwork-control – Internetwork control
  • critic-ecp – Critic and emergency call processing (ECP)
  • flashoverride – Flash override
  • flash – Flash
  • immediate – Immediate
  • priority – Priority
  • routine – Routine

Each entry of the map is created under the config map sub-table of the DSCP map:

config switch-controller qos ip-dscp-map
  edit <DSCP map name>
    set description <text>
    config map
      edit <entry name>
        set cos-queue <COS queue number>
        set diffserv {CS0 | CS1 | AF11 | AF12 | AF13 | CS2 | AF21 | AF22 | AF23 | CS3 | AF31 | AF32 | AF33 | CS4 | AF41 | AF42 | AF43 | CS5 | EF | CS6 | CS7}
        set ip-precedence {network-control | internetwork-control | critic-ecp | flashoverride | flash | immediate | priority | routine}
        set value <DSCP raw value>
      next
    end
  next
end

  3. Configure the egress QoS policy.

In a QoS policy, you set the scheduling mode for the policy and configure one or more CoS queues. Each egress port supports eight queues, and three scheduling modes are available:

  • With strict scheduling, the queues are served in descending order of queue number, so higher-numbered queues receive higher priority.
  • In simple round-robin mode, the scheduler visits each backlogged queue, servicing a single packet from each queue before moving on to the next one.
  • In weighted round-robin mode, each of the eight egress queues is assigned a weight value ranging from 0 to 63.

config switch-controller qos queue-policy
  edit <QoS egress policy name>
    set schedule {strict | round-robin | weighted}
    config cos-queue
      edit [queue-<number>]
        set description <text>
        set min-rate <rate in kbps>
        set max-rate <rate in kbps>
        set drop-policy {taildrop | random-early-detection}
        set weight <weight value>
      next
    end
  next
end

  4. Configure the overall policy that will be applied to the switch ports.

config switch-controller qos qos-policy
  edit <QoS egress policy name>
    set default-cos <default CoS value 0-7>
    set trust-dot1p-map <Dot1p map name>
    set trust-ip-dscp-map <DSCP map name>
    set queue-policy <queue policy name>
  next
end

  5. Configure each switch port.

config switch-controller managed-switch
  edit <switch-id>
    config ports
      edit <port>
        set qos-policy <CoS policy>
      next
    end
  next
end
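The five steps above fix two decisions the switch makes per packet: which egress queue it lands in (Dot1p map, DSCP map, trust settings and default-cos) and in what order the eight queues are served (strict, round-robin or weighted). The following Python model is an added example, not code from the page or from Fortinet; the Dot1p and DSCP maps, the backlogged packets and the weights are constructed. It encodes the rules the text states (DSCP wins when both are trusted, Dot1p only when no DSCP is present, missing CoS counts as 0, unmapped priorities go to queue 0) and labels as assumptions the two cases the text does not cover: a DSCP value absent from the map, and a port that trusts neither map.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Default mapping described on the page: every priority 0-7 goes to queue 0
# unless a Dot1p map says otherwise.
DEFAULT_QUEUE_MAP: Dict[int, int] = {priority: 0 for priority in range(8)}

# Constructed Dot1p map in the shape of "set priority-N <queue number>":
# priorities 5-7 get their own queues, everything else follows the default.
DOT1P_MAP: Dict[int, int] = {5: 5, 6: 6, 7: 7}

# Constructed DSCP map keyed by raw DSCP value (the "set value" form):
# EF (46) -> queue 5, CS6 (48) -> queue 6, AF11 (10) -> queue 1.
DSCP_MAP: Dict[int, int] = {46: 5, 48: 6, 10: 1}


@dataclass
class QosPolicy:
    """Mirror of the qos-policy fields that drive queue selection."""
    default_cos: int = 0
    trust_dot1p_map: Optional[Dict[int, int]] = None
    trust_ip_dscp_map: Optional[Dict[int, int]] = None


def select_queue(policy: QosPolicy, cos: Optional[int], dscp: Optional[int]) -> int:
    """Choose the egress queue (0-7) for one packet.

    Page rules: DSCP wins when its map is trusted and the packet carries DSCP;
    Dot1p is used only when the packet has no DSCP; no CoS counts as CoS 0;
    an unmapped priority goes to queue 0.
    Assumptions (not stated on the page): a DSCP value absent from the map
    falls through to the Dot1p path; a port trusting neither map uses
    default-cos as the CoS and the default priority-to-queue mapping.
    """
    if policy.trust_ip_dscp_map is not None and dscp is not None:
        if dscp in policy.trust_ip_dscp_map:
            return policy.trust_ip_dscp_map[dscp]
    effective_cos = cos if cos is not None else 0
    if policy.trust_dot1p_map is not None:
        return policy.trust_dot1p_map.get(effective_cos, 0)
    return DEFAULT_QUEUE_MAP.get(policy.default_cos, 0)


def schedule_pass(queues: List[List[str]], mode: str,
                  weights: Optional[List[int]] = None) -> List[str]:
    """Dequeue packets for one scheduler pass and return them in service order.

    queues[i] is the backlog of egress queue i; served packets are removed.
    strict: the highest-numbered backlogged queue is drained before any lower one.
    round-robin: one packet from each backlogged queue, queue 0 first.
    weighted: up to weights[i] packets from queue i per pass (weights 0-63).
    """
    served: List[str] = []
    if mode == "strict":
        for q in range(len(queues) - 1, -1, -1):
            while queues[q]:
                served.append(queues[q].pop(0))
    elif mode == "round-robin":
        for backlog in queues:
            if backlog:
                served.append(backlog.pop(0))
    elif mode == "weighted":
        if weights is None or len(weights) != len(queues):
            raise ValueError("one weight per queue is required")
        if any(not 0 <= w <= 63 for w in weights):
            raise ValueError("weights must be in the range 0-63")
        for backlog, weight in zip(queues, weights):
            for _ in range(min(weight, len(backlog))):
                served.append(backlog.pop(0))
    else:
        raise ValueError(f"unknown schedule mode {mode!r}")
    return served


def build_queues() -> List[List[str]]:
    """Constructed backlog: three best-effort, two voice and one control packet."""
    queues: List[List[str]] = [[] for _ in range(8)]
    queues[0] = ["best-effort-1", "best-effort-2", "best-effort-3"]
    queues[5] = ["voice-1", "voice-2"]
    queues[7] = ["netctl-1"]
    return queues


def demo_orders() -> Dict[str, List[str]]:
    """Service order of the same backlog under each of the three modes."""
    weights = [1, 0, 0, 0, 0, 2, 0, 4]
    return {
        "strict": schedule_pass(build_queues(), "strict"),
        "round-robin": schedule_pass(build_queues(), "round-robin"),
        "weighted": schedule_pass(build_queues(), "weighted", weights),
    }


if __name__ == "__main__":
    policy = QosPolicy(trust_dot1p_map=DOT1P_MAP, trust_ip_dscp_map=DSCP_MAP)
    print("EF packet tagged CoS 7 ->", select_queue(policy, cos=7, dscp=46))
    for mode, order in demo_orders().items():
        print(f"{mode}: {order}")
```

The strict case is the one worth noticing from an availability standpoint: queue 7 is drained completely before queue 0 gets a single packet, so a port that trusts untagged or client-set markings lets any station that sets CoS 7 or CS6 starve best-effort traffic. Trusting markings only on interfaces that face your own infrastructure, and leaving client-facing ports on default-cos, is the configuration-side answer.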

Displaying port statistics

Port statistics are displayed with the following switch-controller CLI command, run from the FortiGate prompt as shown:

FG100D3G15804763 # diagnose switch-controller dump port-stats S124DP3X16000413 port8
S124DP3X16000413 0 :
{
  "port8":{
    "tx-bytes":823526672,
    "tx-packets":1402390,
    "tx-ucast":49047,
    "tx-mcast":804545,
    "tx-bcast":548798,
    "tx-errors":0,
    "tx-drops":3,
    "tx-oversize":0,
    "rx-bytes":13941793,
    "rx-packets":160303,
    "rx-ucast":148652,
    "rx-mcast":7509,
    "rx-bcast":4142,
    "rx-errors":0,
    "rx-drops":720,
    "rx-oversize":0,
    "undersize":0,
    "fragments":0,
    "jabbers":0,
    "collisions":0,
    "crc-alignments":0,
    "l3packets":0
  }
}
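The counters above are only useful once they are collected and compared against a baseline: rx-drops and the error counters on an access port are an early sign of a loop, a flooding host or a failing cable. The following Python script is an added example, not code from the page or from Fortinet. It embeds the command output shown above as a fixed string, splits off the serial line, parses the JSON body, and turns the counters into drop ratios plus a list of alert reasons; the 0.1% drop threshold is a constructed value to be tuned per deployment.

```python
import json
import re
from typing import Any, Dict, List, Optional, Tuple

# Output of "diagnose switch-controller dump port-stats" as shown on the page,
# embedded as a fixed string so the parser runs offline.
SAMPLE_OUTPUT = """FG100D3G15804763 # diagnose switch-controller dump port-stats S124DP3X16000413 port8
S124DP3X16000413 0 :
{
  "port8":{
    "tx-bytes":823526672,
    "tx-packets":1402390,
    "tx-ucast":49047,
    "tx-mcast":804545,
    "tx-bcast":548798,
    "tx-errors":0,
    "tx-drops":3,
    "tx-oversize":0,
    "rx-bytes":13941793,
    "rx-packets":160303,
    "rx-ucast":148652,
    "rx-mcast":7509,
    "rx-bcast":4142,
    "rx-errors":0,
    "rx-drops":720,
    "rx-oversize":0,
    "undersize":0,
    "fragments":0,
    "jabbers":0,
    "collisions":0,
    "crc-alignments":0,
    "l3packets":0
  }
}
"""

# Counters that should stay at zero on a healthy full-duplex switched link.
ERROR_COUNTERS = ("rx-errors", "tx-errors", "crc-alignments", "jabbers",
                  "fragments", "undersize", "collisions")


def parse_port_stats(text: str) -> Tuple[Optional[str], Dict[str, Dict[str, int]]]:
    """Split the command output into (switch serial, {port: counters}).

    The JSON object starts at the first '{'; the line before it has the form
    '<serial> <n> :', from which the serial is taken.
    """
    head, brace, body = text.partition("{")
    if not brace:
        raise ValueError("no JSON object in port-stats output")
    match = re.search(r"^(\S+)\s+\d+\s*:\s*$", head, re.MULTILINE)
    serial = match.group(1) if match else None
    return serial, json.loads(brace + body)


def evaluate_port(stats: Dict[str, int], drop_ratio_threshold: float = 0.001) -> Dict[str, Any]:
    """Derive drop ratios and a list of alert reasons from one port's counters."""
    def ratio(drops: int, packets: int) -> float:
        return drops / packets if packets else 0.0

    rx_ratio = ratio(stats["rx-drops"], stats["rx-packets"])
    tx_ratio = ratio(stats["tx-drops"], stats["tx-packets"])
    alerts: List[str] = []
    if rx_ratio > drop_ratio_threshold:
        alerts.append("rx-drops")
    if tx_ratio > drop_ratio_threshold:
        alerts.append("tx-drops")
    alerts.extend(key for key in ERROR_COUNTERS if stats.get(key, 0) > 0)
    return {"rx_drop_ratio": rx_ratio, "tx_drop_ratio": tx_ratio, "alerts": alerts}


def evaluate_output(text: str, drop_ratio_threshold: float = 0.001) -> Dict[str, Dict[str, Any]]:
    """Run evaluate_port over every port in one command output, keyed by port name."""
    _, ports = parse_port_stats(text)
    return {port: evaluate_port(stats, drop_ratio_threshold) for port, stats in ports.items()}


if __name__ == "__main__":
    serial, _ = parse_port_stats(SAMPLE_OUTPUT)
    for port, verdict in evaluate_output(SAMPLE_OUTPUT).items():
        print(serial, port, verdict)
```

On the page's own sample the script flags port8 for rx-drops (720 of 160303 received packets, about 0.45%) while the three tx-drops out of 1.4 million sent packets stay below threshold; counters are cumulative since the last reset, so a scheduled collector should alert on the delta between runs rather than on the absolute value.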