B&B Bezpieczeństwo w biznesie

Fortinet has just published a software update for FortiSwitch switches, numbered 6.2.0. The update covers not only the FortiSwitchOS operating system itself, but also FortiOS and its switch management module. The new version gives us more options for managing routes and also enables dynamic VLAN assignment based on group. The new software also allows MCLAG to be configured from the GUI, and there is a new FortiLink Interface module for viewing the state of this functionality and configuring it. We encourage you to read on!

What's new in FortiSwitchOS 6.2.0

  • VLAN stacking (QinQ)
  • Remote SPAN (RSPAN) and encapsulated RSPAN (ERSPAN)
  • When STP is disabled, you can enable the forwarding of STP packets using the CLI and GUI.
  • IPv6 support has been expanded. You can use IPv6 addresses with DHCP, automatic address configuration, static routes, router advertisement, neighbor cache table, Telnet client, and SSH.
  • Power priority (high, critical, or low) for power over Ethernet (PoE) ports
  • Multiple ingress groups for access control lists (ACLs), allowing multiple matches
  • Enabling and disabling ACLs using a schedule
  • Clearing unused classifiers on ASIC hardware for ACL policies
  • Storm control can be configured per port using the CLI and GUI.
  • IP source guard
  • Allowed server list for DHCP snooping
  • IGMP proxy using the CLI and GUI
  • Wildcards can be configured in more than one system admin profile.
  • Enabling and disabling static routes in the GUI and CLI
  • Private data encryption using an AES 128-bit key
  • LLDP-MED support for enhanced 911 emergency calls
  • Power over Ethernet (PoE) negotiation in LLDP-MED
  • NetFlow and IPFIX flow tracking and export
  • MAC address learning can be configured per VLAN.
  • When you have multiple FortiSwitch units and need to locate a specific switch, you can use a command to flash all
    port LEDs on and off for a specified number of minutes. After you locate the FortiSwitch unit, you can use disable to
    stop the LEDs from flashing.
  • A new command allows you to add the switch’s host name in the circuit ID field when DHCP option 82 is enabled.
  • The 1xxE models now support IGMP snooping, MAC address learning limit violation log, and dynamic ARP inspection.
  • The FSR-112D-POE model now supports access VLANs.
  • The 1048E model now supports split ports.

What's new in FortiOS 6.2.0 – Managed FortiSwitch

  • You can now have FortiGate units in HA mode that are managing FortiSwitch units in an MCLAG with LACP.
  • You can now make the following global system configuration changes in FortiLink mode (asterisks indicate the default values):

    config system global
    set admin-concurrent {enable* | disable}
    set admin-https-pki-required {enable | disable*}
    set admin-sport <443*>
    set admin-https-ssl-versions {tlsv1-0 | tlsv1-1* | tlsv1-2*}
    end

  • There are new commands that let you use automatic network detection and configuration.
  • FortiSwitch units in FortiLink mode now support dynamic VLAN assignment by group name.
  • FortiLink interfaces are now configured on the new WiFi & Switch Controller > FortiLink Interface page.
  • You can now combine the configuration of multiple standalone FortiSwitch units into a single FortiGate-compatible configuration.
  • You can make dynamically learned MAC addresses persistent (sticky) when the status of a managed FortiSwitch port changes (goes down or up).
  • You can sample IP packets on managed FortiSwitch units and then export the data in NetFlow format or Internet Protocol Flow Information Export (IPFIX) format. You can choose to sample on a single ingress or egress port, on all FortiSwitch units, or on all FortiSwitch ingress ports.
  • FortiSwitch split ports are now supported.
  • You can now use encapsulated remote switched port analyzer (ERSPAN) for port mirroring.
  • You can now use a traffic policy to control quarantined devices.
  • Multiple Spanning Tree Protocol (MSTP) is now supported.
  • You can now use the GUI to configure a MCLAG.
  • The number of FortiSwitch units supported by certain FortiGate models has been increased.
  • You can change the ping setting to use the FortiSwitch serial number instead of the FortiSwitch IP address when checking that the FortiSwitch unit is accessible from the FortiGate unit.
  • You can configure different access to the FortiSwitch management interface and the FortiSwitch internal interface.
  • By default, two trunks are created in HA mode when there are managed FortiSwitch units. One trunk is created between the active FortiGate unit and FortiSwitch unit; another trunk is created between the backup FortiGate unit and FortiSwitch unit.

Resolved issues:

 

Bug ID Description
403313 LACP active cannot be enabled on an MCLAG in FortiLink mode.
424432 The IGMP reports received on the tier-1 FortiSwitch units in FortiLink mode (with MCLAG enabled) are not synchronized.
489064 The output of the get switch modules summary command shows LOS in the RX column for SFP ports.
494714 After disconnecting one of the ports used to form an MCLAG between two FortiSwitch units, the ICL/ISL is not removed after 10 minutes.
503110 A FortiSwitch 1048E restarts continuously when managed by a FortiGate unit.
511671 When a 448D switch in FortiLink mode stopped responding, the crash log showed “signal 11 (Segmentation fault) received.”
525257 You cannot configure the TLS version and related SSL parameters in FortiLink mode.
529688 After a FortiSwitch unit is restarted, the FortiGate unit sends traffic out of the wrong port.
530605 When the FortiSwitch unit is discovered on a FortiLink interface, there should be default fcam and fvoi VLANs available.
535736 If a FortiSwitch firmware image is an even multiple of 1024 bytes, it will not upgrade properly using the default FortiLink upgrade mechanism.
541871 Some users are unable to use SSH with a public key to connect to a managed FortiSwitch unit.
522490 After adding 12 FortiSwitch units to a two-tier MCLAG, the 448DN crashed when the diagnose stp instance list command was run.
522605 Tracebacks were seen when a 448DN was connected to 48 switches.
534922, 515211 Upgrading from FortiSwitchOS 6.0.3 can cause the switch to stop responding.
537187 The set security-mode command needs to be removed from under config switch interface.
540302 When IGMP reports with the group destination IP address outside of the multicast range are received, the IGMP reports should be dropped, instead of being registered in the IGMP snooping table as group entries.
380239 IGMP-snooped multicast groups are not immediately flushed out of the snooping table when the querier port is shut down.
391607 Switch does not send gratuitous ARP for IP conflict when the system boots up and adds a new switch virtual interface (SVI).
416655 When using DHCP, the IPv6 address cannot be configured. Also, the automatic configuration of the global address does not work.
450820, 452205 DHCP snooping does not work with access VLANs.
475628 VLANs 0 and 4095 were incorrectly allowed to be used as part of the configuration and are no longer supported. Configurations such as config switch vlan and config switch interface (set allowed-vlans, set native-vlan, or set private-vlan) that tried to use 0 or 4095 are considered invalid and will be rejected, in full or part, possibly leaving a partial configuration. Fortinet recommends that, if you used 0 or 4095, you need to remove such references by manually backing up, editing for removal, and restoring the configuration after an upgrade.
488044 On a Protocol Independent Multicast (PIM) topology using the assert mechanism when the assert winner lost the route to the source, no multicast route was created, and the multicast traffic stopped.
489451 The fsModel SNMP trap should not appear in logs.
505451 LACP trunks are periodically reset on the FortiSwitch unit.
516101 There is an increase in latency between clients and VM servers every half an hour.
520300 You cannot add port1 when you create a new mirror or edit an existing mirror.
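
A pre-upgrade check for bug 475628 in the list above, as an added example that is not part of the original post or of Fortinet's release notes: it scans a backed-up FortiSwitch configuration for references to VLAN 0 or 4095 in the sections and settings that entry names. The sample configuration is constructed, and the comma and range syntax assumed for VLAN lists is an assumption.

```python
import re

INVALID = {0, 4095}  # VLAN IDs rejected since FortiSwitchOS 6.2.0 (bug 475628)
VLAN_SETTINGS = ("allowed-vlans", "native-vlan", "private-vlan")  # named on the page
# Constructed sample backup; not taken from a real device.
SAMPLE = """\
config switch vlan
    edit 4095
    next
end
config switch interface
    edit "port1"
        set allowed-vlans 20,30-40
    next
    edit "port2"
        set native-vlan 0
        set allowed-vlans 1-4095
    next
end
"""

def expand(value):
    """Yield the VLAN IDs worth checking in '1,5-10 20' (list syntax is assumed)."""
    for token in re.split(r"[,\s]+", value.strip().strip('"')):
        if re.fullmatch(r"\d+-\d+", token):
            low, high = map(int, token.split("-"))
            yield from (v for v in INVALID if low <= v <= high)
        elif token.isdigit():
            yield int(token)

def find_invalid_vlans(config_text):
    """Return (line_no, section, line) for each reference to VLAN 0 or 4095."""
    findings, stack = [], []
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])  # track the enclosing section
        elif line == "end" and stack:
            stack.pop()
        elif line.startswith("edit ") and stack[-1:] == ["switch vlan"]:
            if line[5:].strip('" ') in ("0", "4095"):
                findings.append((no, stack[-1], line))
        elif line.startswith("set ") and stack[-1:] == ["switch interface"]:
            parts = (line.split(None, 2) + ["", ""])[:3]
            if parts[1] in VLAN_SETTINGS and INVALID & set(expand(parts[2])):
                findings.append((no, stack[-1], line))
    return findings

if __name__ == "__main__":
    print(*find_invalid_vlans(SAMPLE), sep="\n")
```

Run it against the backup taken before the upgrade; each finding is a line to edit out before the configuration is restored.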

 

Known issues still to be resolved:

 

Bug ID Description
414972 LACP active cannot be enabled on an MCLAG in FortiLink mode.
382518, 417024, 417073, 417099, 438441 DHCP snooping and dynamic ARP inspection (DAI) do not work with private VLANs (PVLANs).
480605 When DHCP snooping is enabled on the FSR-112D-POE, the switched virtual interface (SVI) cannot get the IP address from the DHCP server.

Workarounds:

  • Use a static IP address in the SVI when DHCP snooping is enabled on that VLAN.
  • Temporarily disable dhcp-snooping on the VLAN and issue the execute interface dhcpclient-renew command to renew the IP address. After the SVI gets the IP address from the DHCP server, you can enable DHCP snooping.

520954 When a “FortiLink mode over a layer-3 network” topology has been configured, the FortiGate GUI does not always display the complete network.
542031 For the 5xx switches, the diagnose switch physical-ports led-flash command flashes only the SFP port LEDs, instead of all the port LEDs.
548783 Some models support setting the mirror destination to “internal.” This is intended only for debugging purposes and might prevent critical protocols from operating on ports being used as mirror sources.
545395 Bulk-image staging might fail for some FortiSwitch units. CAPWAP is the default mode for image staging. In large deployments, scaling-related issues might be encountered when using CAPWAP for bulk staging. Some FortiSwitch units might fail to stage the image properly due to the extra load on the setup during the process. Fortinet recommends using HTTP mode instead of the bulk-staging transaction when the CAPWAP mode presents issues. With the FOS 6.0.x and 6.2.0 releases, use the following commands to change to HTTP mode:

config switch global
set https-image-push enable
end

547163 The FortiGate unit cannot push the configuration to a managed FortiSwitch unit.
FOS versions: 6.0.x and 6.2.0
The FortiGate unit cannot push the configuration or fails in pushing the new image to the managed FortiSwitch unit. Execute the “execute switch-controller get-syncstatus all” command. If you see “pending” under config and upgrade, use the following procedure to resolve the issue.
1. On the FortiGate unit, execute “fnsysctl ps” and find the “/bin/flcfgd” processes. If only one process is found, then it is not the problem.
2. Kill the child process of flcfgd, that is, the larger number of the flcfgd process ID with the “fnsysctl kill -9” command.
3. (Optional) Re-push the image to the previous pending switch if the new image installation is needed.
4. (Optional) Access the switch and verify the next-boot image version with the diagnose sys flash list command.

Release notes

Best regards,

The B&B Team
Bezpieczeństwo w biznesie
