Configuring ports using the FortiGate CLI

Configuring port speed and status

Use the following commands to set port speed and other base port settings:

    config switch-controller managed-switch
        edit <switch>
            config ports
                edit <port>
                    set description <text>
                    set speed <speed>
                    set status {down | up}
                end
            end

For example:

    config switch-controller managed-switch
        edit S524DF4K15000024
            config ports
                edit port1
                    set description "First port"
                    set speed auto
                    set status up
                end
            end

Sharing FortiSwitch ports between VDOMs

Virtual domains (VDOMs) are a method of dividing a FortiGate unit into two or more virtual units that function as multiple independent units. VDOMs provide separate security domains that allow separate zones, user authentication, security policies, routing, and VPN configurations.

FortiSwitch ports can now be shared between VDOMs.

NOTE: You cannot use the quarantine feature while sharing FortiSwitch ports between VDOMs.

To share FortiSwitch ports between VDOMs:

  1. Create one or more VDOMs.
  2. Assign VLANs to each VDOM as required.
  3. From these VLANs, select one VLAN to be the default VLAN for the ports in the virtual switch:

    config switch-controller global
        set default-virtual-switch-vlan <VLAN>
    end

NOTE: You must execute these commands from the VDOM that the default VLAN belongs to.

When you add a new port to the VDOM, the new port is automatically assigned to the default VLAN. You can reassign the ports to other VLANs later.

  4. Create a virtual port pool (VPP) to contain the ports to be shared:

    config switch-controller virtual-port-pool
        edit <VPP_name>
            set description <string>
        next
    end

NOTE: You must execute these commands from the VDOM that the default VLAN belongs to.

For example:

    config switch-controller virtual-port-pool
        edit "pool3"
            set description "pool for port3"
        next
    end

  5. Share a FortiSwitch port from the VDOM that the FortiSwitch belongs to with another VDOM, or export the FortiSwitch port to a VPP where it can be used by any VDOM:

    config switch-controller managed-switch
        edit <switch.id>
            config ports
                edit <port_name>
                    set {export-to-pool <VPP_name> | export-to <VDOM_name>}
                    set export-tags <string1,string2,string3,...>
                next
            end
        next
    end

NOTE: You must execute these commands from the VDOM that the default VLAN belongs to.

For example, to export a port to the VPP named pool3:

    config switch-controller managed-switch
        edit "S524DF4K15000024"
            config ports
                edit port3
                    set export-to-pool "pool3"
                    set export-tags "Pool 3"
                next
            end
        next
    end

For example, to export a port to the VDOM named vdom3:

    config switch-controller managed-switch
        edit "S524DF4K15000024"
            config ports
                edit port3
                    set export-to "vdom3"
                    set export-tags "VDOM 3"
                next
            end
        next
    end

  6. Request a port in a VPP:

    execute switch-controller virtual-port-pool request <FortiSwitch_device_ID> <port_name>

NOTE: You must execute this command from the VDOM that is requesting the port.

For example:

    execute switch-controller virtual-port-pool request S524DF4K15000024h port3

  7. Return a port to a VPP:

    execute switch-controller virtual-port-pool return <FortiSwitch_device_ID> <port_name>

NOTE: You must execute this command from the VDOM that owns the port.

For example:

    execute switch-controller virtual-port-pool return S524DF4K15000024h port3

You can create your own export tags using the following CLI commands:

    config switch-controller switch-interface-tag
        edit <tag_name>
    end

Use the following CLI command to list the contents of a specific VPP:

    execute switch-controller virtual-port-pool show-by-pool <VPP_name>

Use the following CLI command to list all VPPs and their contents:

    execute switch-controller virtual-port-pool show

NOTE: Shared ports do not support the following features:

  • LLDP
  • 802.1x
  • STP
  • BPDU guard
  • Root guard
  • DHCP snooping
  • IGMP snooping
  • QoS
  • Port security
  • MCLAG

Limiting the number of learned MAC addresses on a FortiSwitch interface

You can limit the number of MAC addresses learned on a FortiSwitch interface (port or VLAN). The limit ranges from 1 to 128. If the limit is set to the default value zero, there is no learning limit.

NOTE: Static MAC addresses are not counted in the limit. The limit refers only to learned MAC addresses.

Use the following CLI commands to limit MAC address learning on a VLAN:

    config switch vlan
        edit <integer>
            set switch-controller-learning-limit <limit>
        end
    end

For example:

    config switch vlan
        edit 100
            set switch-controller-learning-limit 20
        end
    end

Use the following CLI commands to limit MAC address learning on a port:

    config switch-controller managed-switch
        edit <FortiSwitch_Serial_Number>
            config ports
                edit <port>
                    set learning-limit <limit>
                next
            end
        next
    end

For example:

    config switch-controller managed-switch
        edit S524DF4K15000024
            config ports
                edit port3
                    set learning-limit 50
                next
            end
        next
    end

You can change how long learned MAC addresses are stored. By default, each learned MAC address is aged out after 300 seconds. After this amount of time, the inactive MAC address is deleted from the FortiSwitch hardware. The value ranges from 10 to 1,000,000 seconds. Set the value to 0 to disable MAC address aging.

    config switch-controller global
        set mac-aging-interval <10-1000000>
    end

For example:

    config switch-controller global
        set mac-aging-interval 500
    end

If you want to see the first MAC address that exceeded the learning limit for an interface or VLAN, you can enable the learning-limit violation log for a managed FortiSwitch unit. Only one violation is recorded per interface or VLAN.

By default, logging is disabled. The most recent violation that occurred on each interface or VLAN is recorded in the system log. After that, no more violations are logged until the log is reset for the triggered interface or VLAN. Only the most recent 128 violations are displayed in the console.

Use the following commands to control the learning-limit violation log and to control how long learned MAC addresses are saved:

    config switch-controller global
        set mac-violation-timer <0-1500>
        set log-mac-limit-violations {enable | disable}
    end

For example:

    config switch-controller global
        set mac-violation-timer 1000
        set log-mac-limit-violations enable
    end

To view the content of the learning-limit violation log for a managed FortiSwitch unit, use one of the following commands:

  • diagnose switch-controller dump mac-limit-violations all <FortiSwitch_serial_number>
  • diagnose switch-controller dump mac-limit-violations interface <FortiSwitch_serial_number> <port_name>
  • diagnose switch-controller dump mac-limit-violations vlan <FortiSwitch_serial_number> <VLAN_ID>

For example, to display the learning-limit violation log for VLAN 5 on a managed FortiSwitch unit:

    diagnose switch-controller dump mac-limit-violations vlan S124DP3XS12345678 5

To reset the learning-limit violation log for a managed FortiSwitch unit, use one of the following commands:

  • execute switch-controller mac-limit-violation reset all <FortiSwitch_serial_number>
  • execute switch-controller mac-limit-violation reset vlan <FortiSwitch_serial_number> <VLAN_ID>
  • execute switch-controller mac-limit-violation reset interface <FortiSwitch_serial_number> <port_name>

For example, to clear the learning-limit violation log for port 5 of a managed FortiSwitch unit:

    execute switch-controller mac-limit-violation reset interface S124DP3XS12345678 port5

Configuring the DHCP trust setting

The DHCP blocking feature monitors the DHCP traffic from untrusted sources (for example, typically host ports and unknown DHCP servers) that might initiate traffic attacks or other hostile actions. To prevent this, DHCP blocking filters messages on untrusted ports.

Set the port as a trusted or untrusted DHCP-snooping interface:

    config switch-controller managed-switch
        edit <switch-id>
            config ports
                edit <port name>
                    set dhcp-snooping {trusted | untrusted}
                end
            end

For example:

    config switch-controller managed-switch
        edit S524DF4K15000024
            config ports
                edit port1
                    set dhcp-snooping trusted
                end
            end

Configuring PoE

The following PoE CLI commands are available starting in FortiSwitchOS 3.3.0.

Enable PoE on the port

    config switch-controller managed-switch
        edit <switch-id>
            config ports
                edit <port name>
                    set poe-status {enable | disable}
                end
            end

For example:

    config switch-controller managed-switch
        edit S524DF4K15000024
            config ports
                edit port1
                    set poe-status enable
                end
            end

Reset the PoE port

Power over Ethernet (PoE) describes any system that passes electric power along with data on twisted pair Ethernet cabling. Doing this allows a single cable to provide both data connection and electric power to devices (for example, wireless access points, IP cameras, and VoIP phones).

The following command resets PoE on the port:

    execute switch-controller poe-reset <fortiswitch-id> <port>

Display general PoE status

    get switch-controller poe <fortiswitch-id> <port>

The following example displays the PoE status for port 6 on the specified switch:

    # get switch-controller poe FS108D3W14000967 port6
    Port(6) Power:3.90W, Power-Status: Delivering Power
    Power-Up Mode: Normal Mode
    Remote Power Device Type: IEEE802.3AT PD
    Power Class: 4
    Defined Max Power: 30.0W, Priority:3
    Voltage: 54.00V
    Current: 78mA

Configuring edge ports

Use the following commands to enable or disable an interface as an edge port:

    config switch-controller managed-switch
        edit <switch>
            config ports
                edit <port>
                    set edge-port {enable | disable}
                end
            end

For example:

    config switch-controller managed-switch
        edit S524DF4K15000024
            config ports
                edit port1
                    set edge-port enable
                end
            end

Configuring STP

Starting with FortiSwitch Release 3.4.2, STP is enabled by default for the non-FortiLink ports on the managed FortiSwitch units. STP is a link-management protocol that ensures a loop-free layer-2 network topology.

NOTE: STP is not supported between a FortiGate unit and a FortiSwitch unit in FortiLink mode.

To configure global STP settings, see Configure STP settings on page 71.

Use the following commands to enable or disable STP on FortiSwitch ports:

    config switch-controller managed-switch
        edit <switch-id>
            config ports
                edit <port name>
                    set stp-state {enabled | disabled}
                end
            end

For example:

    config switch-controller managed-switch
        edit S524DF4K15000024
            config ports
                edit port1
                    set stp-state enabled
                end
            end

To check the STP configuration on a FortiSwitch, use the following command:

    diagnose switch-controller dump stp <FortiSwitch_serial_number> <instance_number>

For example:

    FG100D3G15817028 # diagnose switch-controller dump stp S524DF4K15000024 0
    MST Instance Information, primary-Channel:
    Instance ID :               0
    Switch Priority :           24576
    Root MAC Address :          085b0ef195e4
    Root Priority:              24576
    Root Pathcost:              0
    Regional Root MAC Address : 085b0ef195e4
    Regional Root Priority:     24576
    Regional Root Path Cost:    0
    Remaining Hops:             20
    This Bridge MAC Address :   085b0ef195e4
    This bridge is the root
    Port             Speed Cost      Priority Role       State      Edge STP-Status Loop-Protection
    ________________ _____ _________ ________ __________ __________ ____ __________ _______________
    port1                  200000000 128      DISABLED   DISCARDING YES  ENABLED    NO
    port2                  200000000 128      DISABLED   DISCARDING YES  ENABLED    NO
    port3                  200000000 128      DISABLED   DISCARDING YES  ENABLED    NO
    port4                  200000000 128      DISABLED   DISCARDING YES  ENABLED    NO
    port5                  200000000 128      DISABLED   DISCARDING YES  ENABLED    NO
    port6                  200000000 128      DISABLED   DISCARDING YES  ENABLED    NO
    port7                  200000000 128      DISABLED   DISCARDING YES  ENABLED    NO
    port8                  200000000 128      DISABLED   DISCARDING YES  ENABLED    NO
    port9                  200000000 128      DISABLED   DISCARDING YES  ENABLED    NO
    port10                 200000000 128      DISABLED   DISCARDING YES  ENABLED    NO
    port11                 200000000 128      DISABLED   DISCARDING YES  ENABLED    NO
    port12                 200000000 128      DISABLED   DISCARDING YES  ENABLED    NO
    port13                 200000000 128      DISABLED   DISCARDING YES  ENABLED    NO
    port14                 200000000 128      DISABLED   DISCARDING YES  ENABLED    NO
    port15                 200000000 128      DISABLED   DISCARDING YES  ENABLED    NO
    port16                 200000000 128      DISABLED   DISCARDING YES  ENABLED    NO
    port17                 200000000 128      DISABLED   DISCARDING YES  ENABLED    NO
    port18                 200000000 128      DISABLED   DISCARDING YES  ENABLED    NO
    port19                 200000000 128      DISABLED   DISCARDING YES  ENABLED    NO
    port20                 200000000 128      DISABLED   DISCARDING YES  ENABLED    NO
    port21                 200000000 128      DISABLED   DISCARDING YES  ENABLED    NO
    port22                 200000000 128      DISABLED   DISCARDING YES  ENABLED    NO
    port23                 200000000 128      DISABLED   DISCARDING YES  ENABLED    NO
    port25                 200000000 128      DISABLED   DISCARDING YES  ENABLED    NO
    port26                 200000000 128      DISABLED   DISCARDING YES  ENABLED    NO
    port27                 200000000 128      DISABLED   DISCARDING YES  ENABLED    NO
    port28                 200000000 128      DISABLED   DISCARDING YES  ENABLED    NO
    port29                 200000000 128      DISABLED   DISCARDING YES  ENABLED    NO
    port30                 200000000 128      DISABLED   DISCARDING YES  ENABLED    NO
    internal         1G    20000     128      DESIGNATED FORWARDING YES  DISABLED   NO
    __FoRtI1LiNk0__  1G    20000     128      DESIGNATED FORWARDING YES  DISABLED   NO

Configuring STP root guard

Root guard protects the interface on which it is enabled from becoming the path to root. When enabled on an interface, superior BPDUs received on that interface are ignored or dropped. Without using root guard, any switch that participates in STP maintains the ability to reroute the path to root. Rerouting might cause your network to transmit large amounts of traffic across suboptimal links or allow a malicious or misconfigured device to pose a security risk by passing core traffic through an insecure device for packet capture or inspection. By enabling root guard on multiple interfaces, you can create a perimeter around your existing paths to root to enforce the specified network topology.

Enable root guard on all ports that should not be root bridges. Do not enable root guard on the root port. You must have STP enabled to be able to use root guard.

Use the following commands to enable or disable STP root guard on FortiSwitch ports:

    config switch-controller managed-switch
        edit <switch-id>
            config ports
                edit <port name>
                    set stp-root-guard {enabled | disabled}
                end
            end

For example:

    config switch-controller managed-switch
        edit S524DF4K15000024
            config ports
                edit port1
                    set stp-root-guard enabled
                end
            end

Configuring STP BPDU guard

Similar to root guard, BPDU guard protects the designed network topology. When BPDU guard is enabled on STP edge ports, any BPDUs received cause the ports to go down for a specified number of minutes. The BPDUs are not forwarded, and the network edge is enforced. There are two prerequisites for using BPDU guard:

  • You must define the port as an edge port with the set edge-port enable command.
  • You must enable STP on the switch interface with the set stp-state enabled command.

You can set how long the port goes down when a BPDU is received, up to a maximum of 120 minutes. The default port timeout is 5 minutes. If you set the timeout value to 0, the port will not go down when a BPDU is received, but you will have to manually reset the port.

Use the following commands to enable or disable STP BPDU guard on FortiSwitch ports:

    config switch-controller managed-switch
        edit <switch-id>
            config ports
                edit <port name>
                    set stp-bpdu-guard {enabled | disabled}
                    set stp-bpdu-guard-time <0-120>
                end
            end

For example:

    config switch-controller managed-switch
        edit S524DF4K15000024
            config ports
                edit port1
                    set stp-bpdu-guard enabled
                    set stp-bpdu-guard-time 10
                end
            end

To check the configuration of STP BPDU guard on a FortiSwitch unit, use the following command:

    diagnose switch-controller dump bpdu-guard-status <FortiSwitch_serial_number>

For example:

    FG100D3G15817028 # diagnose switch-controller dump bpdu-guard-status S524DF4K15000024
    Managed Switch : S524DF4K15000024 0

    Portname          State    Status    Timeout(m) Count Last-Event
    _________________ ________ _________ __________ _____ _______________
    port1             enabled            10         0
    port2             disabled
    port3             disabled
    port4             disabled
    port5             disabled
    port6             disabled
    port7             disabled
    port8             disabled
    port9             disabled
    port10            disabled
    port11            disabled
    port12            disabled
    port13            disabled
    port14            disabled
    port15            disabled
    port16            disabled
    port17            disabled
    port18            disabled
    port19            disabled
    port20            disabled
    port21            disabled
    port22            disabled
    port23            disabled
    port25            disabled
    port26            disabled
    port27            disabled
    port28            disabled
    port29            disabled
    port30            disabled
    __FoRtI1LiNk0__   disabled
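One way to audit the two dumps shown above, as an added example that is not part of the original page or of Fortinet's tooling: the script parses the per-port table of diagnose switch-controller dump stp and the table of diagnose switch-controller dump bpdu-guard-status, then lists the edge ports that have STP enabled but BPDU guard disabled, which are exactly the ports that meet both prerequisites yet remain unprotected. The sample text is an abridged copy of the outputs shown on this page; the column handling assumes the layout shown there, in particular that the Speed column is blank for ports whose link is down.

```python
"""Audit of edge-port protection from FortiGate switch-controller diagnostic output.

Added example, not Fortinet code. It parses the text produced by
"diagnose switch-controller dump stp <serial> <instance>" and
"diagnose switch-controller dump bpdu-guard-status <serial>" and reports the
edge ports that run STP (the two BPDU guard prerequisites) but have BPDU guard
disabled. The sample dumps below are abridged copies of the outputs on this page.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Sample input: abridged copy of the "dump stp" output shown above.
STP_DUMP = """\
MST Instance Information, primary-Channel:
Instance ID :               0
Port             Speed Cost      Priority Role       State      Edge STP-Status Loop-Protection
________________ _____ _________ ________ __________ __________ ____ __________ _______________
port1                  200000000 128      DISABLED   DISCARDING YES  ENABLED    NO
port2                  200000000 128      DISABLED   DISCARDING YES  ENABLED    NO
port3                  200000000 128      DISABLED   DISCARDING YES  ENABLED    NO
internal         1G    20000     128      DESIGNATED FORWARDING YES  DISABLED   NO
__FoRtI1LiNk0__  1G    20000     128      DESIGNATED FORWARDING YES  DISABLED   NO
"""

# Sample input: abridged copy of the "dump bpdu-guard-status" output shown above.
BPDU_GUARD_DUMP = """\
Managed Switch : S524DF4K15000024 0
Portname          State    Status    Timeout(m) Count Last-Event
_________________ ________ _________ __________ _____ _______________
port1             enabled            10         0
port2             disabled
port3             disabled
internal          disabled
__FoRtI1LiNk0__   disabled
"""


@dataclass
class StpPort:
    name: str
    speed: str            # "" when the link is down (the column is blank)
    cost: int
    priority: int
    role: str
    state: str
    edge: bool
    stp_enabled: bool
    loop_protection: bool


SPEED_RE = re.compile(r"^\d+[MG]$")   # e.g. "1G"; down ports print no speed


def parse_stp_dump(text: str) -> Dict[str, StpPort]:
    """Parse the per-port table; header, underline and summary lines are skipped."""
    ports: Dict[str, StpPort] = {}
    for line in text.splitlines():
        tokens = line.split()
        # Data rows end with the Edge / STP-Status / Loop-Protection YES|NO columns.
        if len(tokens) < 8 or tokens[-1] not in ("YES", "NO"):
            continue
        name, rest = tokens[0], tokens[1:]
        speed = ""
        if SPEED_RE.match(rest[0]):       # speed column is present only when the link is up
            speed, rest = rest[0], rest[1:]
        if len(rest) != 7:
            continue
        cost, priority, role, state, edge, stp_status, loop = rest
        ports[name] = StpPort(name, speed, int(cost), int(priority), role, state,
                              edge == "YES", stp_status == "ENABLED", loop == "YES")
    return ports


def parse_bpdu_guard_dump(text: str) -> Dict[str, bool]:
    """Map port name -> True when BPDU guard is enabled on that port."""
    guard: Dict[str, bool] = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) >= 2 and tokens[1] in ("enabled", "disabled"):
            guard[tokens[0]] = tokens[1] == "enabled"
    return guard


def unguarded_edge_ports(stp: Dict[str, StpPort], guard: Dict[str, bool]) -> List[str]:
    """Edge ports with STP enabled but no BPDU guard: a bridge plugged in there
    would take part in the spanning tree instead of being shut down."""
    return sorted(p.name for p in stp.values()
                  if p.edge and p.stp_enabled and not guard.get(p.name, False))


if __name__ == "__main__":
    stp = parse_stp_dump(STP_DUMP)
    guard = parse_bpdu_guard_dump(BPDU_GUARD_DUMP)
    for port in unguarded_edge_ports(stp, guard):
        print(f"{port}: edge port with STP enabled but BPDU guard disabled")
```

The internal and FortiLink ports are excluded automatically because their STP-Status is DISABLED, which matches the note above that STP is not run between the FortiGate and the FortiSwitch in FortiLink mode.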

Configuring loop guard

A loop in a layer-2 network results in broadcast storms that have far-reaching and unwanted effects. Fortinet loop guard helps to prevent loops. When loop guard is enabled on a switch port, the port monitors its subtending network for any downstream loops. The loop guard feature is designed to work in concert with STP rather than as a replacement for STP. By default, loop guard is disabled on all ports.

Use the following commands to configure loop guard on a FortiSwitch port:

    config switch-controller managed-switch
        edit <switch-id>
            config ports
                edit <port name>
                    set loop-guard {enabled | disabled}
                    set loop-guard-timeout <0-120 minutes>
                end
            end

For example:

    config switch-controller managed-switch
        edit S524DF4K15000024
            config ports
                edit port1
                    set loop-guard enabled
                    set loop-guard-timeout 10
                end
            end
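The port-level protections covered in the DHCP trust, edge port, STP, root guard, BPDU guard, loop guard and learning-limit sections above are normally applied together on host-facing ports. As an added example, not Fortinet code, the following script renders one managed-switch CLI block for a list of access ports using only the commands shown on this page, in the order the prerequisites require (edge-port and stp-state before BPDU guard), and rejects values outside the ranges the page states. The serial number and port names are constructed placeholders, and the uplink toward the root bridge is deliberately left out because root guard must not be enabled on the root port.

```python
"""Render one consistent FortiGate switch-controller CLI block for access ports.

Added example, not Fortinet code. It combines the per-port commands from the
DHCP trust, edge port, STP, root guard, BPDU guard, loop guard and
learning-limit sections into a single block and checks the value ranges those
sections state. Serial number and port names in __main__ are placeholders.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class AccessPortPolicy:
    learning_limit: int = 10       # 1-128 learned MACs; 0 disables the limit
    bpdu_guard_time: int = 5       # minutes the port stays down; 0 = until manual reset
    loop_guard_timeout: int = 10   # minutes
    dhcp_trusted: bool = False     # host-facing ports stay untrusted for DHCP snooping

    def validate(self) -> None:
        if not 0 <= self.learning_limit <= 128:
            raise ValueError("learning-limit must be 0-128")
        if not 0 <= self.bpdu_guard_time <= 120:
            raise ValueError("stp-bpdu-guard-time must be 0-120 minutes")
        if not 0 <= self.loop_guard_timeout <= 120:
            raise ValueError("loop-guard-timeout must be 0-120 minutes")


def is_valid_policy(policy: AccessPortPolicy) -> bool:
    try:
        policy.validate()
        return True
    except ValueError:
        return False


def port_commands(port: str, policy: AccessPortPolicy) -> List[str]:
    """CLI lines for one 'edit <port>' entry (relative indentation only)."""
    trust = "trusted" if policy.dhcp_trusted else "untrusted"
    return [
        f"edit {port}",
        f"    set dhcp-snooping {trust}",
        "    set edge-port enable",           # prerequisite for BPDU guard
        "    set stp-state enabled",          # prerequisite for BPDU guard and root guard
        "    set stp-root-guard enabled",     # never on the port facing the root bridge
        "    set stp-bpdu-guard enabled",
        f"    set stp-bpdu-guard-time {policy.bpdu_guard_time}",
        "    set loop-guard enabled",
        f"    set loop-guard-timeout {policy.loop_guard_timeout}",
        f"    set learning-limit {policy.learning_limit}",
        "next",
    ]


def render_switch_config(serial: str, ports: List[str], policy: AccessPortPolicy) -> str:
    """Full 'config switch-controller managed-switch' block for the given ports."""
    policy.validate()
    lines = [
        "config switch-controller managed-switch",
        f"    edit {serial}",
        "        config ports",
    ]
    for port in ports:
        lines.extend("            " + cmd for cmd in port_commands(port, policy))
    lines.extend(["        end", "    next", "end"])
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed placeholder serial and ports; paste the output into the FortiGate CLI.
    print(render_switch_config("FSW_SERIAL_PLACEHOLDER", ["port1", "port2"], AccessPortPolicy()))
```

The rendered block uses the next/end nesting the examples on this page use, so it can be reviewed as a diff against the running configuration before it is applied.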

Configuring LLDP settings

The Fortinet data center switches support the Link Layer Discovery Protocol (LLDP) for transmission and reception wherein the switch will multicast LLDP packets to advertise its identity and capabilities. A switch receives the equivalent information from adjacent layer-2 peers.

Use the following commands to configure LLDP on a FortiSwitch port:

    config switch-controller managed-switch
        edit <switch-id>
            config ports
                edit <port name>
                    set lldp-status {rx-only | tx-only | tx-rx | disable}
                    set lldp-profile <profile name>
                end
            end

For example:

    config switch-controller managed-switch
        edit S524DF4K15000024
            config ports
                edit port2
                    set lldp-status tx-rx
                    set lldp-profile default
                end
            end

Configuring IGMP settings

IGMP snooping allows the FortiSwitch to passively listen to the Internet Group Management Protocol (IGMP) network traffic between hosts and routers. The switch uses this information to determine which ports are interested in receiving each multicast feed. FortiSwitch can reduce unnecessary multicast traffic on the LAN by pruning multicast traffic from links that do not contain a multicast listener.

Use the following commands to configure IGMP settings on a FortiSwitch port:

    config switch-controller managed-switch
        edit <switch-id>
            config ports
                edit <port name>
                    set igmp-snooping {enable | disable}
                    set igmps-flood-reports {enable | disable}
                end
            end

For example:

    config switch-controller managed-switch
        edit S524DF4K15000024
            config ports
                edit port3
                    set igmp-snooping enable
                    set igmps-flood-reports enable
                end
            end

Configuring sFlow

sFlow is a method of monitoring the traffic on your network to identify areas on the network that might impact performance and throughput. With sFlow, you can export truncated packets and interface counters. FortiSwitch implements sFlow version 5 and supports trunks and VLANs.

NOTE: Because sFlow is CPU intensive, Fortinet does not recommend high rates of sampling for long periods.

sFlow uses packet sampling to monitor network traffic. The sFlow agent captures packet information at defined intervals and sends them to an sFlow collector for analysis, providing real-time data analysis. To minimize the impact on network throughput, the information sent is only a sampling of the data.

The sFlow collector is a central server running software that analyzes and reports on network traffic. The sampled packets and counter information, referred to as flow samples and counter samples, respectively, are sent as sFlow datagrams to a collector. Upon receiving the datagrams, the sFlow collector provides real-time analysis and graphing to indicate the source of potential traffic issues. sFlow collector software is available from a number of third-party software vendors. You must configure a FortiGate policy to transmit the samples from the FortiSwitch unit to the sFlow collector.

sFlow can monitor network traffic in two ways:

  • Flow samples—You specify the percentage of packets (one out of n packets) to randomly sample.
  • Counter samples—You specify how often (in seconds) the network device sends interface counters.

Use the following CLI commands to specify the IP address and port for the sFlow collector. By default, the IP address is 0.0.0.0, and the port number is 6343.

    config switch-controller sflow
        set collector-ip <x.x.x.x>
        set collector-port <port_number>
    end

Use the following CLI commands to configure sFlow:

    config switch-controller managed-switch
        edit <FortiSwitch_serial_number>
            config ports
                edit <port_name>
                    set sflow-sampler {disabled | enabled}
                    set sflow-sample-rate <0-99999>
                    set sflow-counter-interval <1-255>
                next
            end
        next
    end

For example:

    config switch-controller sflow
        set collector-ip 1.2.3.4
        set collector-port 10
    end

    config switch-controller managed-switch
        edit S524DF4K15000024
            config ports
                edit port5
                    set sflow-sampler enabled
                    set sflow-sample-rate 10
                    set sflow-counter-interval 60
                next
            end
        next
    end

Configuring Dynamic ARP inspection (DAI)

DAI prevents man-in-the-middle attacks and IP address spoofing by checking that packets from untrusted ports have valid IP-MAC-address binding. DAI allows only valid ARP requests and responses to be forwarded.

To use DAI, you must first enable the DHCP-snooping feature, enable DAI, and then enable DAI for each VLAN. By default, DAI is disabled on all VLANs.

After enabling DHCP snooping with the set switch-controller-dhcp-snooping enable command, use the following CLI commands to enable DAI and then enable DAI for a VLAN:

    config system interface
        edit vsw.test
            set switch-controller-arp-inspection {enable | disable}
    end

    config switch-controller managed-switch
        edit <sn>
            config ports
                edit <VLAN_ID>
                    set arp-inspection-trust {untrusted | trusted}
                next
            end
        next
    end

Use the following CLI command to check DAI statistics for a FortiSwitch unit:

    diagnose switch arp-inspection stats <FortiSwitch_Serial_Number>

Use the following CLI command to delete DAI statistics for a specific VLAN:

    diagnose switch arp-inspection stats clear <VLAN_ID> <FortiSwitch_Serial_Number>

Configuring FortiSwitch port mirroring

The FortiSwitch unit can send a copy of any ingress or egress packet on a port to egress on another port of the same FortiSwitch unit. The original traffic is unaffected. This process is known as port mirroring and is typically used for external analysis and capture.

Use the following CLI commands to configure FortiSwitch port mirroring:

    config switch-controller managed-switch
        edit <FortiSwitch_Serial_Number>
            config mirror
                edit <mirror_name>
                    set status {active | inactive}
                    set dst <port_name>
                    set switching-packet {enable | disable}
                    set src-ingress <port_name>
                    set src-egress <port_name>
                next
            end
        next
    end

NOTE: The set status and set dst commands are mandatory for port mirroring.

For example:

    config switch-controller managed-switch
        edit S524DF4K15000024
            config mirror
                edit 2
                    set status active
                    set dst port1
                    set switching-packet enable
                    set src-ingress port2 port3
                    set src-egress port4 port5
                next
            end
        next
    end

 

FortiSwitch port features

You can configure the FortiSwitch port feature settings from the FortiGate using the FortiSwitch CLI or web administration GUI.

FortiSwitch ports display

The WiFi & Switch Controller > FortiSwitch Ports page displays port information about each of the managed switches.

The following figure shows the display for a FortiSwitch 524D-FPOE:

The switch faceplate displays:

  • active ports (green)
  • PoE-enabled ports (blue rectangle)
  • FortiLink port (link icon)

PoE Status displays the total power budget and the actual power currently allocated.

The allocated power displays a blue bar for the used power (currently being consumed) and a green bar for the reserved power (power available for additional devices on the PoE ports). See the following figures:

[Figure: PoE Status display in the GUI]

Each entry in the port list displays the following information:

  • Port status (red for down, green for up)
  • Port name
  • Native VLAN
  • Allowed VLANs
  • Device information
  • PoE status
  • Bytes sent and received by the port

Configuring ports using the GUI

You can use the WiFi & Switch Controller > FortiSwitch Ports page to do the following with FortiSwitch switch ports:

  • Set the native VLAN and add more VLANs
  • Edit the description of the port
  • Enable or disable the port
  • Enable or disable PoE for the port
  • Enable or disable DHCP blocking (if supported by the port)
  • Enable or disable IGMP snooping (if supported by the port)
  • Enable or disable whether a port is an edge port
  • Enable or disable STP (if supported by the port)
  • Enable or disable loop guard (if supported by the port)
  • Enable or disable STP BPDU guard (if supported by the port)
  • Enable or disable STP root guard (if supported by the port)

Resetting PoE-enabled ports

If you need to reset PoE-enabled ports, go to WiFi & Switch Control > FortiSwitch Ports, right-click on one or more PoE-enabled ports and select Reset PoE from the context menu.

You can also go to WiFi & Switch Control > Managed FortiSwitch and click on a port icon for the FortiSwitch of interest. In the FortiSwitch Ports page, right-click on one or more PoE-enabled ports and select Reset PoE from the context menu.

FortiSwitch features configuration

Configure VLANs

Use Virtual Local Area Networks (VLANs) to logically separate a LAN into smaller broadcast domains. VLANs allow you to define different policies for different types of users and to set finer control on the LAN traffic. (Traffic is only sent automatically within the VLAN. You must configure routing for traffic between VLANs.)

From the FortiGate unit, you can centrally configure and manage VLANs for the managed FortiSwitch units.

In FortiSwitchOS 3.3.0 and later releases, the FortiSwitch supports untagged and tagged frames in FortiLink mode. The switch supports up to 1,023 user-defined VLANs. You can assign a VLAN number (ranging from 1-4095) to each of the VLANs.

You can configure the default VLAN for each FortiSwitch port as well as a set of allowed VLANs for each FortiSwitch port.

FortiSwitch VLANs display

The WiFi & Switch Controller > FortiSwitch VLANs page displays VLAN information for the managed switches.

Each entry in the VLAN list displays the following information:

  • Name—name of the VLAN
  • VLAN ID—the VLAN number
  • IP/Netmask—address and mask of the subnetwork that corresponds to this VLAN
  • Access—administrative access settings for the VLAN
  • Ref—number of configuration objects referencing this VLAN

Enabling and disabling switch-controller access VLANs through the FortiGate unit

Access VLANs are VLANs that aggregate client traffic solely to the FortiGate unit. This prevents direct client-to-client traffic visibility at the layer-2 VLAN layer. Clients can only communicate with the FortiGate unit. After the client traffic reaches the FortiGate, the FortiGate unit can then determine whether to allow various levels of access to the client by shifting the client's network VLAN as appropriate.

NOTE: IPv6 is not supported between clients within a switch-controller access VLAN.

Use enable to allow traffic only to and from the FortiGate and to block FortiSwitch port-to-port traffic on the specified VLAN. Use disable to allow normal traffic on the specified VLAN.

    config system interface
        edit <VLAN name>
            set switch-controller-access-vlan {enable | disable}
        next
    end

NOTE: You must configure the proxy ARP with the config system proxy-arp CLI command to be able to use the access VLANs. For example:

    config system proxy-arp
        edit 1
            set interface "V100"
            set ip 1.1.1.1
            set end-ip 1.1.1.200
        next
    end

Creating VLANs

Setting up a VLAN requires you to create the VLAN and assign FortiSwitch ports to the VLAN. You can do this with either the Web GUI or CLI.

Using the Web administration GUI

To create the VLAN:

  1. Go to WiFi & Switch Controller > FortiSwitch VLANs, select Create New, and change the following settings:

     Interface Name   VLAN name
     VLAN ID          Enter a number (1-4094)
     Color            Choose a unique color for each VLAN, for ease of visual display.
     IP/Network Mask  IP address and network mask for this VLAN.

  2. Enable DHCP Server and set the IP range.
  3. Set the Admission Control options as required.
  4. Select OK.

To assign FortiSwitch ports to the VLAN:

  1. Go to WiFi & Switch Controller > FortiSwitch Ports.
  2. Click the desired port row.
  3. Click the Native VLAN column in one of the selected entries to change the native VLAN.
  4. Select a VLAN from the displayed list. The new value is assigned to the selected ports.
  5. Click the + icon in the Allowed VLANs column to change the allowed VLANs.
  6. Select one or more of the VLANs (or the value all) from the displayed list. The new value is assigned to the selected port.

Using the FortiSwitch CLI

  1. Create the marketing VLAN.

    config system interface
        edit <vlan name>
            set vlanid <1-4094>
            set color <1-32>
            set interface <FortiLink-enabled interface>
    end

  2. Set the VLAN's IP address.

    config system interface
        edit <vlan name>
            set ip <IP address> <Network mask>
    end

  3. Enable a DHCP server.

    config system dhcp server
        edit 1
            set default-gateway <IP address>
            set dns-service default
            set interface <vlan name>
            config ip-range
                set start-ip <IP address>
                set end-ip <IP address>
            end
            set netmask <Network mask>
    end

  4. Assign ports to the VLAN.

    config switch-controller managed-switch
        edit <Switch ID>
            config ports
                edit <port name>
                    set vlan <vlan name>
                    set allowed-vlans <vlan name>
                next
            end
        end

To allow every VLAN on the port instead of listing them, use set allowed-vlans-all enable in place of set allowed-vlans <vlan name>.

Assign untagged VLANs to a managed FortiSwitch port:

    config switch-controller managed-switch
        edit <managed-switch>
            config ports
                edit <port>
                    set untagged-vlans <VLAN-name>
                next
            end
        next
    end

Configure IGMP settings

Use the following command to configure the global IGMP settings.

Aging time is the maximum number of seconds that the system will retain a multicast snooping entry. Enter an integer value from 15 to 3600. The default value is 300.

Flood-unknown-multicast controls whether the system will flood unknown multicast messages within the VLAN.

    config switch-controller igmp-snooping
        set aging-time <15-3600>
        set flood-unknown-multicast {enable | disable}
    end

Configure LLDP-MED

To configure LLDP profiles:

    config switch-controller lldp-profile
        edit <profile number>
            set 802.1-tlvs port-vlan-id
            set 802.3-tlvs max-frame-size
            set auto-isl {enable | disable}
            set auto-isl-hello-timer <1-30>
            set auto-isl-port-group <0-9>
            set auto-isl-receive-timeout <3-90>
            set med-tlvs {inventory-management | network-policy}
    end

To configure LLDP settings:

    config switch-controller lldp-settings
        set status {enable | disable}
        set tx-hold <int>
        set tx-interval <int>
        set fast-start-interval <int>
        set management-interface {internal | management}
    end

Variable              Description
status                Enable or disable LLDP.
tx-hold               Number of tx-intervals before the local LLDP data expires. Therefore, the packet TTL (in seconds) is tx-hold times tx-interval. The range for tx-hold is 1 to 16, and the default value is 4.
tx-interval           How often the FortiSwitch transmits the LLDP PDU. The range is 5 to 4095 seconds, and the default is 30 seconds.
fast-start-interval   How often the FortiSwitch transmits the first 4 LLDP packets when a link comes up. The range is 2 to 5 seconds, and the default is 2 seconds. Set this variable to zero to disable fast start.
management-interface  Primary management interface to be advertised in LLDP and CDP PDUs.

Create LLDP asset tags for each managed FortiSwitch

You can use the following commands to add an LLDP asset tag for a managed FortiSwitch:

    config switch-controller managed-switch
        edit <fsw>
            set switch-device-tag <string>
    end

Add media endpoint discovery (MED) to an LLDP configuration

You can use the following commands to add media endpoint discovery (MED) features to an LLDP profile:

config switch-controller lldp-profile
    edit <lldp-profile>
        config med-network-policy
            edit guest-voice
                set status {disable | enable}
            next
            edit guest-voice-signaling
                set status {disable | enable}
            next
            edit softphone-voice
                set status {disable | enable}
            next
            edit streaming-video
                set status {disable | enable}
            next
            edit video-conferencing
                set status {disable | enable}
            next
            edit video-signaling
                set status {disable | enable}
            next
            edit voice
                set status {disable | enable}
            next
            edit voice-signaling
                set status {disable | enable}
            next
        end
        config custom-tlvs
            edit <name>
                set oui <identifier>
                set subtype <subtype>
                set information-string <string>
            next
        end
    next
end

Display LLDP information

You can use the following commands to display LLDP information:

diagnose switch-controller dump lldp stats <switch> <port>
diagnose switch-controller dump lldp neighbors-summary <switch>
diagnose switch-controller dump lldp neighbors-detail <switch>

Configure the MAC sync interval

Use the following commands to configure the global MAC sync interval.

The MAC sync interval is the time interval between MAC synchronizations. The range is 30 to 600 seconds, and the default value is 60.

config switch-controller mac-sync-settings
    set mac-sync-interval <30-600>
end

Configure STP settings

NOTE: STP is not supported between a FortiGate unit and a FortiSwitch unit in FortiLink mode.

Use the following CLI commands for global STP configuration. This configuration applies to all managed FortiSwitch units:

config switch-controller stp-settings
    set name <name>
    set revision <stp revision>
    set hello-time <hello time>
    set forward-time <forwarding delay>
    set max-age <maximum aging time>
    set max-hops <maximum number of hops>
end

You can override the global STP settings for a FortiSwitch unit using the following commands:

config switch-controller managed-switch
    edit <switch-id>
        config stp-settings
            set local-override enable
        end
    next
end

Quarantines

Administrators can use MAC addresses to quarantine hosts and users connected to a FortiSwitch unit.

Quarantined MAC addresses are isolated from the rest of the network and LAN by using a separate VLAN.

Quarantining MAC addresses

You can use the FortiGate GUI or CLI to quarantine a MAC address.

NOTE: If you have multiple FortiLink interfaces, only the first quarantine VLAN is created successfully (with an IP address of 10.254.254.254). Additional quarantine VLANs will have an empty IP address.

Using the FortiGate GUI

In the FortiGate GUI, the quarantine feature is automatically enabled when you quarantine a host.

  1. Select the host to quarantine.
    • Go to Security Fabric > Physical Topology, right-click on a host, and select Quarantine Host on FortiSwitch.
    • Go to Security Fabric > Logical Topology, right-click on a host, and select Quarantine Host on FortiSwitch.
    • Go to FortiView > Sources, right-click on an entry in the Source column, and select Quarantine Host on FortiSwitch.
  2. Select Accept to confirm that you want to quarantine the host.

Using the FortiGate CLI

NOTE: Previously, this feature used the config switch-controller quarantine CLI command.

By default, the quarantine feature is enabled. When you upgrade a FortiGate unit from an older to a newer firmware version, the FortiGate unit uses the quarantine feature status from the older configuration. If the quarantine feature was disabled in the older configuration, it will be disabled after the upgrade.

You can add MAC addresses to be quarantined even when the quarantine feature is disabled. The MAC addresses are only quarantined when the quarantine feature is enabled.

The table size limit for the quarantine entry is 512. There is no limit for how many MAC addresses can be quarantined per quarantine entry.

config user quarantine
    set quarantine enable
    config targets
        edit <quarantine_entry_name>
            set description <string>
            config macs
                edit <MAC_address_1>
                next
                edit <MAC_address_2>
                next
                edit <MAC_address_3>
                next
            end
        next
    end
end

Option                                          Description
quarantine_entry_name                           A name for this quarantine entry.
string                                          Optional. A description of the MAC addresses being quarantined.
MAC_address_1, MAC_address_2, MAC_address_3     A layer-2 MAC address in the following format: 12:34:56:aa:bb:cc

For example:

config user quarantine
    set quarantine enable
    config targets
        edit quarantine1
            set description "infected by virus"
            config macs
                edit 00:00:00:aa:bb:cc
                next
                edit 00:11:22:33:44:55
                next
                edit 00:01:02:03:04:05
                next
            end
        next
    end
end

Viewing quarantine entries

Quarantine entries are created on the FortiGate unit that is managing the FortiSwitch unit.

Using the FortiGate GUI

  1. Go to Monitor > Quarantine Monitor.
  2. Click Quarantined on FortiSwitch.

The Quarantined on FortiSwitch button is only available if a device is detected behind the FortiSwitch unit, which requires Device Detection to be enabled.

Using the FortiGate CLI

Use the following command to view the quarantine list of MAC addresses:

show user quarantine

For example:

show user quarantine

config user quarantine
    set quarantine enable
    config targets
        edit quarantine1
            set description "infected by virus"
            config macs
                edit 00:00:00:aa:bb:cc
                next
                edit 00:11:22:33:44:55
                next
                edit 00:01:02:03:04:05
                next
            end
        next
    end
end
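The two stanzas above (the quarantine configuration you push, and the show output you read back) are the same structure, so one script can build the first and verify the second. This is an added example, not Fortinet code: it renders config user quarantine from a plain mapping while enforcing the MAC format and the 512-entry table limit the guide states, and parses show user quarantine output so the intended list can be compared with what the FortiGate is actually enforcing (the hyphen and dotted MAC spellings it accepts on input are an assumption of this script, not something the CLI accepts).

```python
"""Build and cross-check a FortiGate `config user quarantine` stanza.

Added example, not Fortinet code. It renders the targets -> macs structure
documented in this section from a plain mapping, enforcing the two constraints
the guide states (the 12:34:56:aa:bb:cc address format and the 512-entry
table limit), and parses `show user quarantine` output back into the same
mapping so a desired list can be diffed against the running configuration.
"""
import re
from typing import Dict, List, Optional, Sequence, Tuple

MAX_QUARANTINE_ENTRIES = 512  # table size limit stated in the guide

# Input spellings accepted by this script (assumption: the FortiOS CLI itself
# wants the colon form); output is always colon-separated lowercase.
_MAC_FORMS = (
    re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I),   # 12:34:56:aa:bb:cc
    re.compile(r"^([0-9a-f]{2}-){5}[0-9a-f]{2}$", re.I),   # 12-34-56-aa-bb-cc
    re.compile(r"^([0-9a-f]{4}\.){2}[0-9a-f]{4}$", re.I),  # 1234.56aa.bbcc
)


def normalize_mac(mac: str) -> str:
    """Return the MAC in the format the quarantine CLI expects, or raise."""
    text = mac.strip()
    if not any(form.match(text) for form in _MAC_FORMS):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    digits = re.sub(r"[:.\-]", "", text).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_quarantine_config(
    targets: Dict[str, Tuple[str, Sequence[str]]], enable: bool = True
) -> str:
    """Render `config user quarantine` for {entry_name: (description, macs)}.

    A MAC listed under two entries is rejected so that every quarantined
    address has exactly one owning entry to release it from later.
    """
    if len(targets) > MAX_QUARANTINE_ENTRIES:
        raise ValueError(f"{len(targets)} entries exceed the table limit of {MAX_QUARANTINE_ENTRIES}")
    owner: Dict[str, str] = {}
    lines = [
        "config user quarantine",
        f"    set quarantine {'enable' if enable else 'disable'}",
        "    config targets",
    ]
    for name, (description, macs) in targets.items():
        lines.append(f"        edit {name}")
        if description:
            lines.append(f'            set description "{description}"')
        lines.append("            config macs")
        for mac in macs:
            normalized = normalize_mac(mac)
            if normalized in owner:
                raise ValueError(f"{normalized} already listed under entry {owner[normalized]}")
            owner[normalized] = name
            lines.append(f"                edit {normalized}")
            lines.append("                next")
        lines.append("            end")
        lines.append("        next")
    lines.append("    end")
    lines.append("end")
    return "\n".join(lines) + "\n"


def parse_quarantine_output(text: str) -> Tuple[Optional[bool], Dict[str, List[str]]]:
    """Parse `show user quarantine` output into (feature enabled?, {entry: [macs]}).

    Only the nesting the guide shows (targets -> edit <entry> -> config macs)
    is tracked; description lines are ignored.
    """
    enabled: Optional[bool] = None
    entries: Dict[str, List[str]] = {}
    current: Optional[str] = None
    in_macs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("set quarantine "):
            enabled = line.split()[-1] == "enable"
        elif line == "config macs":
            in_macs = True
        elif line == "end":
            in_macs = False
        elif line.startswith("edit "):
            name = line[5:].strip().strip('"')
            if in_macs and current is not None:
                entries[current].append(name.lower())
            else:
                current = name
                entries.setdefault(current, [])
    return enabled, entries
```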

When the quarantine feature is enabled on the FortiGate unit, it creates a quarantine VLAN (qtn.<FortiLink_port_name>) and a quarantine DHCP server (with the quarantine VLAN as default gateway) on the virtual domain. The quarantine VLAN is applied to the allowed and untagged VLANs on all connected FortiSwitch ports.

Use the following command to view the quarantine VLAN:

show system interface qtn.<FortiLink_port_name>

For example:

show system interface qtn.port7

config system interface
    edit "qtn.port7"
        set vdom "vdom1"
        set ip 10.254.254.254 255.255.255.0
        set description "Quarantine VLAN"
        set security-mode captive-portal
        set replacemsg-override-group "auth-intf-qtn.port7"
        set device-identification enable
        set device-identification-active-scan enable
        set snmp-index 34
        set switch-controller-access-vlan enable
        set color 6
        set interface "port7"
        set vlanid 4093
    next
end

Use the following command to view the quarantine DHCP server:

show system dhcp server

config system dhcp server
    edit 2
        set dns-service default
        set default-gateway 10.254.254.254
        set netmask 255.255.255.0
        set interface "qtn.port7"
        config ip-range
            edit 1
                set start-ip 10.254.254.192
                set end-ip 10.254.254.253
            next
        end
        set timezone-option default
    next
end

Use the following command to view how the quarantine VLAN is applied to the allowed and untagged VLANs on all connected FortiSwitch ports:

show switch-controller managed-switch

For example:

show switch-controller managed-switch

config switch-controller managed-switch
    edit "FS1D483Z15000036"
        set fsw-wan1-peer "port7"
        set fsw-wan1-admin enable
        set version 1
        set dynamic-capability 503
        config ports
            edit "port1"
                set vlan "vsw.port7"
                set allowed-vlans "qtn.port7"
                set untagged-vlans "qtn.port7"
            next
            edit "port2"
                set vlan "vsw.port7"
                set allowed-vlans "qtn.port7"
                set untagged-vlans "qtn.port7"
            next
            edit "port3"
                set vlan "vsw.port7"
                set allowed-vlans "qtn.port7"
                set untagged-vlans "qtn.port7"
            next
            …
        end
    next
end

Releasing MAC addresses from quarantine

Using the FortiGate GUI

  1. Go to Monitor > Quarantine Monitor.
  2. Click Quarantined on FortiSwitch.
  3. Right-click on one of the entries and select Delete or Remove All.
  4. Click OK to confirm your choice.

Using the FortiGate CLI

To release MAC addresses from quarantine, you can delete a single MAC address or delete a quarantine entry, which will delete all of the MAC addresses listed in the entry. You can also disable the quarantine feature, which releases all quarantined MAC addresses from quarantine.

To delete a single quarantined MAC address:

config user quarantine
    config targets
        edit <quarantine_entry_name>
            config macs
                delete <MAC_address_1>
            end
        next
    end
end

To delete all MAC addresses in a quarantine entry:

config user quarantine
    config targets
        delete <quarantine_entry_name>
    end
end

To disable the quarantine feature:

config user quarantine
    set quarantine disable
end

Limiting the number of parallel processes for FortiSwitch configuration

Use the following CLI commands to reduce the number of parallel processes that the switch controller uses for configuring FortiSwitch units:

config global
    config switch-controller system
        set parallel-process-override enable
        set parallel-process <1-300>
    end
end

Enabling network-assisted device detection

Network-assisted device detection allows the FortiGate unit to use the information about connected devices detected by the managed FortiSwitch unit.

To enable network-assisted device detection on a VDOM:

config switch-controller network-monitor-settings
    set network-monitoring enable
end

You can display a list of detected devices from the Device Inventory menu in the GUI. To list the detected devices in the CLI, enter the following command:

diagnose user device list

Changing the admin password on the FortiGate for all managed FortiSwitch units

By default, each FortiSwitch has an admin account without a password. To replace the admin passwords for all FortiSwitch units managed by a FortiGate, use the following commands from the FortiGate CLI:

config switch-controller switch-profile
    edit default
        set login-passwd-override {enable | disable}
        set login-passwd <password>
    next
end

If you had already applied a profile with the override enabled and the password set and then decide to remove the admin password, you need to apply a profile with the override enabled and no password set; otherwise, your previously set password will remain in the FortiSwitch. For example:

config switch-controller switch-profile
    edit default
        set login-passwd-override enable
        unset login-passwd
    next
end

Converting to FortiSwitch standalone mode

Use one of the following commands to convert a FortiSwitch from FortiLink mode to standalone mode so that it will no longer be managed by a FortiGate:

  • execute switch-controller factory-reset <switch-id>

    This command returns the FortiSwitch to the factory defaults and then reboots the FortiSwitch. If the FortiSwitch is configured for FortiLink auto-discovery, FortiGate can detect and automatically authorize the FortiSwitch. For example:

    execute switch-controller factory-reset S1234567890

  • execute switch-controller set-standalone <switch-id>

    This command returns the FortiSwitch to the factory defaults, reboots the FortiSwitch, and prevents the FortiGate from automatically detecting and authorizing the FortiSwitch. For example:

    execute switch-controller set-standalone S1234567890

You can disable FortiLink auto-discovery on multiple FortiSwitch units using the following commands:

config switch-controller global
    set disable-discovery <switch-id>
end

For example:

config switch-controller global
    set disable-discovery S1234567890
end

You can also add or remove entries from the list of FortiSwitch units that have FortiLink auto-discovery disabled using the following commands:

config switch-controller global
    append disable-discovery <switch-id>
    unselect disable-discovery <switch-id>
end

For example:

config switch-controller global
    append disable-discovery S012345678
    unselect disable-discovery S1234567890
end

Network topologies for managed FortiSwitch units

The FortiGate unit requires only one active FortiLink to manage all of the subtending FortiSwitch units (called stacking).

You can configure the FortiLink as a physical interface or as a logical interface (associated with one or more physical interfaces). Depending on the network topology, you can also configure a standby FortiLink.

NOTE: For any of the topologies:

  • All of the managed FortiSwitch units will function as one Layer-2 stack where the FortiGate unit manages each FortiSwitch separately.
  • The active FortiLink carries data as well as management traffic.

Single FortiGate managing a single FortiSwitch unit

On the FortiGate unit, the FortiLink interface is configured as physical or aggregate. The 802.3ad aggregate interface type provides a logical grouping of one or more physical interfaces.

NOTE:

  • For the aggregate interface, you must disable the split interface on the FortiGate unit.
  • When you are using the aggregate interface on the FortiGate unit for the FortiLink interface, the lacp-mode of the FortiLink aggregate interface must be set to static.

Single FortiGate unit managing a stack of several FortiSwitch units

The FortiGate unit connects directly to one FortiSwitch unit using a physical or aggregate interface. The remaining FortiSwitch units connect in a ring using inter-switch links (that is, ISL).

Optionally, you can connect a standby FortiLink connection to the last FortiSwitch unit. For this configuration, you create a FortiLink Split-Interface (an aggregate interface that contains one active link and one standby link).

NOTE:

  • When you are using the aggregate interface on the FortiGate unit for the FortiLink interface, the lacp-mode of the FortiLink aggregate interface must be set to static.
  • External devices shown in the following topology must be compliant endpoints, such as computers. They cannot be third-party switches or appliances.

HA-mode FortiGate units managing a single FortiSwitch unit

The master and slave FortiGate units both connect a FortiLink to the FortiSwitch unit. The FortiLink port(s) and interface type must match on the two FortiGate units.

NOTE: When using HA-mode FortiGate units to manage FortiSwitch units, the HA mode must be active-passive.

HA-mode FortiGate units managing a stack of several FortiSwitch units

The master and slave FortiGate units both connect a FortiLink to the first FortiSwitch unit and (optionally) to the last FortiSwitch unit. The FortiLink ports and interface type must match on the two FortiGate units.

For the active/standby FortiLink configuration, you create a FortiLink Split-Interface (an aggregate interface that contains one active link and one standby link).

NOTE:

  • When you are using the aggregate interface on the FortiGate unit for the FortiLink interface, the lacp-mode of the FortiLink aggregate interface must be set to static.
  • When using HA-mode FortiGate units to manage FortiSwitch units, the HA mode must be active-passive.

HA-mode FortiGate units managing a FortiSwitch two-tier topology

The distribution FortiSwitch unit connects to the master and slave FortiGate units. The FortiLink port(s) and interface type must match on the two FortiGate units.

NOTE: When using HA-mode FortiGate units to manage FortiSwitch units, the HA mode must be active-passive.

Single FortiGate unit managing multiple FortiSwitch units (using a hardware or software switch interface)

The FortiGate unit connects directly to each FortiSwitch unit. Each of these FortiLink ports is added to the logical hardware-switch or software-switch interface on the FortiGate unit.

Optionally, you can connect other devices to the FortiGate logical interface. These devices, which must support IEEE 802.1q VLAN tagging, will have Layer 2 connectivity with the FortiSwitch ports.

NOTE: Using the hardware or software switch interface in FortiLink mode is not recommended in most cases. It can be used when the traffic on the ports is very light because all traffic across the switches moves through the FortiGate unit.

HA-mode FortiGate units managing two-tier FortiSwitch units with access rings

HA-mode FortiGate units connect to redundant distribution FortiSwitch units. Access FortiSwitch units are arranged in a stack in each IDF, connected to both distribution switches.

For the FortiLink connection to each distribution switch, you create a FortiLink split interface (an aggregate interface that contains one active link and one standby link).

NOTE:

  • Before FortiSwitchOS 3.6.4, MCLAG was not supported when access rings were present. Starting with FortiSwitchOS 3.6.4, MCLAG is supported, even with access rings present.
  • When using HA-mode FortiGate units to manage FortiSwitch units, the HA mode must be active-passive.
  • When you are using the aggregate interface on the FortiGate unit for the FortiLink interface, the lacp-mode of the FortiLink aggregate interface must be set to static.
  • This is only an example topology. Other combinations of FortiGate units and FortiSwitch units can be used to create a similar topology.

Dual-homed servers connected to FortiLink tier-1 FortiSwitch units using an MCLAG

To configure a multichassis LAG, you need to configure FortiSwitch 1 and FortiSwitch 2 as MCLAG peer switches before creating a two-port LAG. Use the set mclag-icl enable command to create an inter-chassis link (ICL) on each FortiSwitch unit. Then you set up two MCLAGs towards the servers, each MCLAG using one port from each FortiSwitch unit. You must disable the FortiLink split interface for the FortiGate unit.

This topology is supported when the FortiGate unit is in HA mode.

Standalone FortiGate unit with dual-homed FortiSwitch access

This network topology provides high port density with two tiers of FortiSwitch units.

Use the set mclag-icl enable command to create an ICL on each FortiSwitch unit.

HA-mode FortiGate units with dual-homed FortiSwitch access

In HA mode, only one FortiGate is active at a time. If the active FortiGate unit fails, the backup FortiGate unit becomes active.

Use the set mclag-icl enable command to create an ICL on each FortiSwitch unit.

NOTE: When using HA-mode FortiGate units to manage FortiSwitch units, the HA mode must be active-passive.

Multi-tiered MCLAG with HA-mode FortiGate units

NOTE:

  • When using HA-mode FortiGate units to manage FortiSwitch units, the HA mode must be active-passive.
  • In this topology, you must use the auto-isl-port-group setting as described in the following configuration example. This setting instructs the switches to group ports from MCLAG peers together into one MCLAG when the inter-switch link (ISL) is formed.
  • The inter-chassis link (ICL) and auto-isl-port-group settings must be done directly on the FortiSwitch unit.
  • CLI commands in red are manually configured.
  • In a two-tier MCLAG topology, disable STP on the first tier MCLAG peer group with the following commands on each peer switch and do not use access-ring connections on first tier MCLAG peer groups:

config switch global
    set mclag-stp-aware disable
end

To configure a multi-tiered MCLAG with HA-mode FortiGate units:

  1. Configure FortiSwitch-1 for the tier-1 MCLAG:
    a. Enable the ICL on the ISL formed with the MCLAG peer switch:

config switch trunk
    edit "D243Z14000288-0"   // trunk name derived from FortiSwitch-2 SN
        set mode lacp-active
        set auto-isl 1
        set mclag-icl enable
        set members "port21" "port22"
end

    b. Configure the two auto-isl-port-groups based on the topology diagram. The group name must match the name that is configured on the peer switch.

config switch auto-isl-port-group
    edit "mclag-core1"
        set members "port1" "port2"
    next
    edit "mclag-core2"
        set members "port3" "port4"
end

    c. After you complete the CLI commands in Steps 1a and 1b, the trunks are automatically formed:

config switch trunk
    edit "D243Z14000288-0"
        set mode lacp-active
        set auto-isl 1
        set mclag-icl enable
        set members "port21" "port22"
    next
    edit "__FoRtI1LiNk0__"
        set mclag enable
        set members "port24" "port23"
    next
    edit "8DN4K16000360-0"   // trunk name derived from FortiSwitch-3 SN
        set mode lacp-active
        set auto-isl 1
        set mclag enable
        set members "port20"
    next
    edit "mclag-core1"
        set mode lacp-active
        set auto-isl 1
        set mclag enable
        set members "port1" "port2"
    next
    edit "mclag-core2"
        set mode lacp-active
        set auto-isl 1
        set mclag enable
        set members "port3" "port4"
    next
end

  2. Configure FortiSwitch-2 for the tier-1 MCLAG:
    a. Enable the ICL on the ISL formed with the MCLAG peer switch:

config switch trunk
    edit "D243Z14000289-0"   // trunk name derived from FortiSwitch-1 SN
        set mode lacp-active
        set auto-isl 1
        set mclag-icl enable
        set members "port21" "port22"
end

    b. Configure the two auto-isl-port-groups based on the topology diagram. The group name must match the name that is configured on the peer switch.

config switch auto-isl-port-group
    edit "mclag-core1"
        set members "port1" "port2"
    next
    edit "mclag-core2"
        set members "port3" "port4"
end

    c. After you complete the CLI commands in Steps 2a and 2b, the trunks are automatically formed:

config switch trunk
    edit "D243Z14000288-0"
        set mode lacp-active
        set auto-isl 1
        set mclag-icl enable
        set members "port21" "port22"
    next
    edit "__FoRtI1LiNk0__"
        set mclag enable
        set members "port24" "port23"
    next
    edit "8DN4K16000360-0"   // trunk name derived from FortiSwitch-3 SN
        set mode lacp-active
        set auto-isl 1
        set mclag enable
        set members "port20"
    next
    edit "mclag-core1"
        set mode lacp-active
        set auto-isl 1
        set mclag enable
        set members "port1" "port2"
    next
    edit "mclag-core2"
        set mode lacp-active
        set auto-isl 1
        set mclag enable
        set members "port3" "port4"
    next
end

  3. Tier-2 MCLAGs. Enable the ICL between the MCLAG peers. For example, configure FortiSwitch-6 as follows.
    a. Change the tier-2 MCLAG peer switches to FortiLink mode and connect them to each other. Enable the ICL on the ISL formed with the MCLAG peer switches.

config switch trunk
    edit "8DN3X15000026-0"   // trunk name derived from FortiSwitch-7 SN
        set mode lacp-active
        set auto-isl 1
        set mclag-icl enable
        set members "port43" "port44"
end

    b. The trunks are automatically formed as below:

config switch trunk
    edit "8DN3X15000026-0"
        set mode lacp-active
        set auto-isl 1
        set mclag-icl enable
        set members "port43" "port44"
    next
    edit "8EP3X17000051-0"   // trunk name derived from FortiSwitch-11 SN
        set mode lacp-active
        set auto-isl 1
        set mclag enable
        set members "port45"
    next
    edit "_FlInK1_MLAG0_"
        set mode lacp-active
        set auto-isl 1
        set mclag enable
        set members "port48" "port47"
    next
    edit "8EP3X17000069-0"   // trunk name derived from FortiSwitch-12 SN
        set mode lacp-active
        set auto-isl 1
        set mclag enable
        set members "port46"
    next
end

  4. Access FortiSwitch units. The access switch trunks are formed automatically as below.

On FortiSwitch-11:

config switch trunk
    edit "_FlInK1_MLAG0_"
        set mode lacp-active
        set auto-isl 1
        set mclag enable
        set members "port48" "port47"
    next
end

On FortiSwitch-12:

config switch trunk
    edit "_FlInK1_MLAG0_"
        set mode lacp-active
        set auto-isl 1
        set mclag enable
        set members "port47" "port48"
    next
end

Grouping

Grouping FortiSwitch units

You can simplify the configuration and management of complex topologies by creating FortiSwitch groups. A group can include one or more FortiSwitch units and you can include different models in a group.

config switch-controller switch-group
    edit <name>
        set description <string>
        set members <serial-number> <serial-number> …
    next
end

Grouping FortiSwitch units allows you to restart all of the switches in the group instead of individually. For example, you can use the following command to restart all of the FortiSwitch units in a group named my-swgroup:

execute switch-controller restart-swtp my-switch-group

Upgrading the firmware of FortiSwitch groups is easier, too, because fewer commands are needed. See Firmware upgrade of stacked or tiered FortiSwitch units on page 57.

Stacking configuration

To set up stacking:

  1. Configure the active FortiLink interface on the FortiGate unit.
  2. (Optional) Configure the standby FortiLink interface.
  3. Connect the FortiSwitch units together, based on your chosen topology.

1. Configure the active FortiLink

Configure the FortiLink interface (as described in the FortiLink configuration using the FortiGate GUI chapter).

When you configure the FortiLink interface, the stacking capability is enabled automatically.

2. Configure the standby FortiLink

Configure the standby FortiLink interface. Depending on your configuration, the standby FortiLink might connect to the same FortiGate unit as the active FortiLink or to a different FortiGate unit.

If the FortiGate unit receives discovery requests from two FortiSwitch units, the link from one FortiSwitch unit will be selected as active, and the link from the other FortiSwitch unit will be selected as standby.

If the active FortiLink fails, the FortiGate unit converts the standby FortiLink to active.

3. Connect the FortiSwitch units

Refer to the topology diagrams to see how to connect the FortiSwitch units.

Inter-switch links (ISLs) form automatically between the stacked switches.

The FortiGate unit will discover and authorize all of the FortiSwitch units that are connected. After this, the FortiGate unit is ready to manage all of the authorized FortiSwitch units.

Disable stacking

To disable stacking, execute the following commands from the FortiGate CLI. In the following example, port4 is the FortiLink interface:

config system interface
    edit port4
        set fortilink-stacking disable
    next
end

Firmware upgrade of stacked or tiered FortiSwitch units

In this topology, the core FortiSwitch units are model FS-224D-FPOE, and the access FortiSwitch units are model FS-124D-POE. Because the switches are stacked or tiered, the procedure to update the firmware is simpler. In the following procedure, the four FortiSwitch units are upgraded from 3.6.1 to 3.6.2.

To upgrade the firmware of stacked or tiered FortiSwitch units:

  1. Check that all of the FortiSwitch units are connected and which firmware versions they are running. For example:

execute switch-controller get-conn-status

STACK-NAME: FortiSwitch-Stack-port2
SWITCH-ID           NAME  VERSION  STATUS         ADDRESS      JOIN-TIME
S108DV2EJZDAC42F    –     v3.6.0   Authorized/Up  169.254.2.4  Thu Feb 8 17:07:35 2018
S108DV4FQON40Q07    –     v3.6.0   Authorized/Up  169.254.2.5  Thu Feb 8 17:08:37 2018
S108DVBWVLH4QGEB    –     v3.6.0   Authorized/Up  169.254.2.6  Thu Feb 8 17:09:13 2018
S108DVCY19SA0CD8    –     v3.6.0   Authorized/Up  169.254.2.2  Thu Feb 8 17:04:41 2018
S108DVD98KMQGC44*   –     v3.6.0   Authorized/Up  169.254.2.7  Thu Feb 8 17:10:50 2018
S108DVGGBJLQQO48*   –     v3.6.0   Authorized/Up  169.254.2.3  Thu Feb 8 17:06:57 2018
S108DVKM5T2QEA92    –     v3.6.0   Authorized/Up  169.254.2.8  Thu Feb 8 17:11:00 2018
S108DVZX3VTAOO45    –     v3.6.0   Authorized/Up  169.254.2.9  Thu Feb 8 17:11:00 2018
Managed-Switches: 8 UP: 8 DOWN: 0
  2. Upload the firmware image for each FortiSwitch model (FS-224D-FPOE and FS-124D-POE) from either an FTP or TFTP server. If you are using a virtual domain (VDOM), you must enter the config global command before entering the upload-swtp-image command. For example:

FG100E4Q16004478 (global) # execute switch-controller upload-swtp-image tftp FSW_124D_POEv3-build0382-FORTINET.out 172.30.12.18

Downloading file FSW_124D_POE-v3-build0382-FORTINET.out from tftp server 172.30.12.18… ################## Image checking …

Image MD5 calculating …

Image Saving S124DP-IMG.swtp … Successful!

File Syncing…

FG100E4Q16004478 (global) # execute switch-controller upload-swtp-image tftp FSW_224D_FPOEv3-build0382-FORTINET.out 172.30.12.18

Downloading file FSW_224D_FPOE-v3-build0382-FORTINET.out from tftp server 172.30.12.18… ###################### Image checking …

Image MD5 calculating …

Image Saving S224DF-IMG.swtp … Successful!

File Syncing…

  3. Check which firmware images are available. For example:

FG100E4Q16004478 (root) # execute switch-controller list-swtp-image
SWTP Images on AC:
ImageName          ImageSize(B)  ImageInfo             ImageMTime
S124DP-IMG.swtp    19174985      S124DP-v3.6-build382  Mon Oct 2 14:40:54 2017
S224DF-IMG.swtp    23277106      S224DF-v3.6-build382  Mon Oct 2 14:42:55 2017

  4. Stage the firmware image for each FortiSwitch model (FS-224D-FPOE and FS-124D-POE). For example:

FG100E4Q16004478 (root) # execute switch-controller stage-tiered-swtp-image ALL S124DP-IMG.swtp
Staged Image Version S124DP-v3.6-build382

FG100E4Q16004478 (root) # execute switch-controller stage-tiered-swtp-image ALL S224DF-IMG.swtp
Staged Image Version S224DF-v3.6-build382

  5. Check that the correct firmware image is staged for each FortiSwitch unit. For example:

diagnose switch-controller dump network-upgrade status

                    Running                                   Status   Next boot
VDOM : root
S108DVCY19SA0CD8    S108DV-v3.6.0-build4277,171207 (Interim)  (0/0/0)  S108DV-v3.7.0-build4277,171207 (Interim)
S108DV2EJZDAC42F    S108DV-v3.6.0-build4277,171207 (Interim)  (0/0/0)

  6. Restart the FortiSwitch units after a 2-minute delay. For example:

execute switch-controller restart-swtp-delayed ALL

  7. When the FortiSwitch units are running again, check that they are running the new firmware version. For example:

execute switch-controller get-conn-status

STACK-NAME: FortiSwitch-Stack-port2
SWITCH-ID           NAME  VERSION  STATUS         ADDRESS      JOIN-TIME
S108DV2EJZDAC42F    –     v3.6.0   Authorized/Up  169.254.2.4  Thu Feb 8 17:07:35 2018
S108DV4FQON40Q07    –     v3.6.0   Authorized/Up  169.254.2.5  Thu Feb 8 17:08:37 2018
S108DVBWVLH4QGEB    –     v3.6.0   Authorized/Up  169.254.2.6  Thu Feb 8 17:09:13 2018
S108DVCY19SA0CD8    –     v3.6.0   Authorized/Up  169.254.2.2  Thu Feb 8 17:04:41 2018
S108DVD98KMQGC44*   –     v3.6.0   Authorized/Up  169.254.2.7  Thu Feb 8 17:10:50 2018
S108DVGGBJLQQO48*   –     v3.6.0   Authorized/Up  169.254.2.3  Thu Feb 8 17:06:57 2018
S108DVKM5T2QEA92    –     v3.6.0   Authorized/Up  169.254.2.8  Thu Feb 8 17:11:00 2018
S108DVZX3VTAOO45    –     v3.6.0   Authorized/Up  169.254.2.9  Thu Feb 8 17:11:00 2018
Managed-Switches: 8 UP: 8 DOWN: 0
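Steps 1 and 7 both rely on reading the get-conn-status table by eye. The following added example (not Fortinet code) parses that table and reports any managed switch that is not Authorized/Up or is not running the version you staged, so the post-upgrade check becomes a rule that can be run against the saved output; the last sample row, its serial number and its Authorized/Down status are constructed to show a detection, the other rows come from the output above.

```python
"""Verify `execute switch-controller get-conn-status` output after a firmware upgrade.

Added example, not Fortinet code. It parses the status table shown in steps 1
and 7 of the procedure above and lists every managed switch that is not
Authorized/Up or not on the expected version. The sample row for
S108DV0000EXAMPLE (serial and Authorized/Down status) is constructed; the
other rows are taken from the guide's output.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

_VERSION_RE = re.compile(r"v\d+(?:\.\d+)+")
_IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


@dataclass
class SwitchStatus:
    switch_id: str
    version: str
    status: str
    address: str
    join_time: str
    starred: bool  # trailing '*' as printed by the FortiGate; its meaning is not described on this page


def parse_conn_status(text: str) -> Tuple[List[SwitchStatus], Optional[Dict[str, int]]]:
    """Return the per-switch rows and the Managed-Switches summary counts.

    Columns are located by shape (vX.Y.Z, Authorized/Up, dotted quad) rather
    than by position, because the NAME column is printed as a dash and the
    column spacing varies between FortiOS builds.
    """
    switches: List[SwitchStatus] = []
    summary: Optional[Dict[str, int]] = None
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        if toks[0] == "Managed-Switches:":
            # "Managed-Switches: 8 UP: 8 DOWN: 0"
            summary = {"managed": int(toks[1]), "up": int(toks[3]), "down": int(toks[5])}
            continue
        version = next((t for t in toks if _VERSION_RE.fullmatch(t)), None)
        status = next((t for t in toks if "/" in t), None)
        address = next((t for t in toks if _IPV4_RE.fullmatch(t)), None)
        if version is None or status is None or address is None:
            continue  # STACK-NAME line or the column header
        raw_id = toks[0]
        switches.append(SwitchStatus(
            switch_id=raw_id.rstrip("*"),
            version=version,
            status=status,
            address=address,
            join_time=" ".join(toks[toks.index(address) + 1:]),
            starred=raw_id.endswith("*"),
        ))
    return switches, summary


def upgrade_findings(switches: List[SwitchStatus], summary: Optional[Dict[str, int]],
                     target_version: str) -> List[str]:
    """Empty list means every switch is Authorized/Up on target_version and the
    summary line agrees with the rows; otherwise one finding per problem."""
    findings: List[str] = []
    for s in switches:
        if s.status != "Authorized/Up":
            findings.append(f"{s.switch_id}: status is {s.status}")
        if s.version != target_version:
            findings.append(f"{s.switch_id}: running {s.version}, expected {target_version}")
    if summary is not None:
        if summary["down"]:
            findings.append(f"summary reports {summary['down']} switch(es) DOWN")
        if summary["managed"] != len(switches):
            findings.append(f"summary counts {summary['managed']} switches but {len(switches)} rows parsed")
    return findings


# Constructed sample: three rows from the guide plus one constructed failing row.
SAMPLE_OUTPUT = """\
STACK-NAME: FortiSwitch-Stack-port2
SWITCH-ID          NAME  VERSION  STATUS           ADDRESS      JOIN-TIME
S108DV2EJZDAC42F   -     v3.6.0   Authorized/Up    169.254.2.4  Thu Feb 8 17:07:35 2018
S108DV4FQON40Q07   -     v3.6.0   Authorized/Up    169.254.2.5  Thu Feb 8 17:08:37 2018
S108DVD98KMQGC44*  -     v3.6.0   Authorized/Up    169.254.2.7  Thu Feb 8 17:10:50 2018
S108DV0000EXAMPLE  -     v3.5.2   Authorized/Down  169.254.2.9  Thu Feb 8 17:11:00 2018
Managed-Switches: 4 UP: 3 DOWN: 1
"""

if __name__ == "__main__":
    rows, counts = parse_conn_status(SAMPLE_OUTPUT)
    for finding in upgrade_findings(rows, counts, "v3.6.0"):
        print(finding)
```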

Transitioning from a FortiLink split interface to a FortiLink MCLAG

In this topology, the FortiLink split interface connects a FortiLink aggregate interface from one FortiGate unit to two FortiSwitch units.

NOTE:

  • This procedure also applies to a FortiGate unit in HA mode.
  • More links can be added between the FortiGate unit and FortiSwitch unit.
  • After the MCLAG is set up, only connect the tier-2 FortiSwitch units.
  • When you are using the aggregate interface on the FortiGate unit for the FortiLink interface, the lacp-mode of the FortiLink aggregate interface must be set to static.

  1. Enable the split interface on the FortiLink aggregate interface. By default, the split interface is enabled. For example:

config system interface
  edit flinksplit1
    set ip 169.254.3.1 255.255.255.0
    set allowaccess ping capwap https
    set vlanforward enable
    set type aggregate
    set member port4 port5
    set lacp-mode static
    set fortilink enable
    set fortilink-split-interface enable
  next
end

  2. Log into FortiSwitch 2 using the Connect to CLI button in the FortiGate GUI, use the get switch lldp auto-isl-status command to find out the name of the trunk connecting the peer switches, and change the ISL to an ICL. For example:

get switch lldp auto-isl-status

config switch trunk
  edit <trunk_name>
    set mclag-icl enable
  next
end

  3. Log into FortiSwitch 1 using the Connect to CLI button in the FortiGate GUI, use the get switch lldp auto-isl-status command to find out the name of the trunk connecting the peer switches, and change the ISL to an ICL. For example:

get switch lldp auto-isl-status

config switch trunk
  edit <trunk_name>
    set mclag-icl enable
  next
end

  4. Log into the FortiGate unit and disable the split interface. For example:

config system interface
  edit flinksplit1
    set fortilink-split-interface disable
  next
end

  5. Enable LACP active mode on the FortiLink aggregate interface (set lacp-mode active).
  6. Check that the LAG is working correctly. For example:

diagnose netlink aggregate name <aggregate_name>

Optional setup tasks

This section describes the following tasks:

  • Configuring the FortiSwitch management port
  • Converting to FortiSwitch standalone mode
  • Changing the admin password on the FortiGate for all managed FortiSwitch units
  • Enabling network-assisted device detection
  • Limiting the number of parallel processes for FortiSwitch configuration

Configuring the FortiSwitch management port

If the FortiSwitch model has a dedicated management port, you can configure remote management of the FortiSwitch through that port. In FortiLink mode, the FortiGate is the default gateway, so you need to configure an explicit route for the FortiSwitch management port.

Using the Web administration GUI

  1. Go to Network > Static Routes > Create New > Route.
  2. Set Destination to Subnet and enter a subnetwork and mask.
  3. Set Device to the management interface.
  4. Add a Gateway IP address.

Using the FortiSwitch CLI

Enter the following commands:

config router static
  edit 1
    set device mgmt
    set gateway <router IP address>
    set dst <router subnet> <subnet mask>
  next
end

In the following example, the FortiSwitch management port is connected to a router with IP address 192.168.0.10:

config router static
  edit 1
    set device mgmt
    set gateway 192.168.0.10
    set dst 192.168.0.0 255.255.0.0
  next
end