Configuring an MCLAG with managed FortiSwitch units

A multichassis LAG (MCLAG) provides node-level redundancy by grouping two FortiSwitch models together so that they appear as a single switch on the network. If either switch fails, the MCLAG continues to function without any interruption, increasing network resiliency and eliminating the delays associated with the Spanning Tree Protocol (STP). For the network topology, see Dual-homed servers connected to FortiLink tier-1 FortiSwitch units using an MCLAG and Standalone FortiGate unit with dual-homed FortiSwitch access.

Notes

  • Both peer switches should be of the same hardware model and same software version. Mismatched configurations might work but are unsupported.
  • There is a maximum of two FortiSwitch models per MCLAG.
  • The routing feature is not available within an MCLAG.
  • For static MAC addresses within an MCLAG, if one FortiSwitch learns the MAC address, the second FortiSwitch will automatically learn the MAC address.

To configure an MCLAG with managed FortiSwitch units:

  1. For each MCLAG peer switch, log into the FortiSwitch to create a LAG:

config switch trunk
    edit "LAG-member"
        set mode lacp-active
        set mclag-icl enable
        set members "<port>" "<port>"
    next
end

  2. Enable the MCLAG on each managed FortiSwitch:

config switch-controller managed-switch
    edit "<switch-id>"
        config ports
            edit "<trunk name>"
                set type trunk
                set mode {static | lacp-passive | lacp-active}
                set bundle {enable | disable}
                set members "<port>,<port>"
                set mclag {enable | disable}
            next
        end
    next
end

  3. Log into each managed FortiSwitch to check the MCLAG configuration:

diagnose switch mclag

After the FortiSwitch units are configured as MCLAG peer switches, any port that supports advanced features on the FortiSwitch can become a LAG port. When mclag is enabled and the LAG port names match, an MCLAG peer set is automatically formed. The member ports for each FortiSwitch in the MCLAG do not need to be identical to the member ports on the peer FortiSwitch.

Configuring a link aggregation group (LAG)

You can configure a link aggregation group (LAG) for non-FortiLink ports on a FortiSwitch. You cannot configure ports from different FortiSwitch units in one LAG.

config switch-controller managed-switch
    edit <switch-id>
        config ports
            edit <trunk name>
                set type trunk
                set mode {static | lacp}            Link aggregation mode
                set bundle {enable | disable}
                set min-bundle <int>
                set max-bundle <int>
                set members <port1 port2 ...>
            next
        end
    next
end

FortiSwitch per-port device visibility

In the FortiGate GUI, User & Device > Device List displays a list of devices attached to the FortiSwitch ports. For each device, the table displays the IP address of the device and the interface (FortiSwitch name and port).

From the CLI, the following command displays information about the host devices:

diagnose switch-controller dump mac-hosts_switch-ports

FortiGate CLI support for FortiSwitch features (on non-FortiLink ports)

You can configure the following FortiSwitch features from the FortiGate CLI.

FortiSwitch log export

You can enable and disable the managed FortiSwitch units to export their syslogs to the FortiGate. The setting is global, and the default setting is enabled. Starting in FortiOS 5.6.3, more details are included in the exported FortiSwitch logs.

To allow a level of filtering, FortiGate sets the user field to “fortiswitch-syslog” for each entry.

The following is the CLI command syntax:

config switch-controller switch-log
    set status {*enable | disable}
    set severity {emergency | alert | critical | error | warning | notification | *information | debug}
end

You can override the global log settings for a FortiSwitch, using the following commands:

config switch-controller managed-switch
    edit <switch-id>
        config switch-log
            set local-override enable

At this point, you can configure the log settings that apply to this specific switch.

View and upgrade the FortiSwitch firmware version

You can view the current firmware version of a FortiSwitch and upgrade the FortiSwitch to a new firmware version. FortiGate will suggest an upgrade when a new version is available in FortiGuard.

Using the FortiGate Web interface

To view the FortiSwitch firmware version:

  1. Go to WiFi & Switch Controller > Managed FortiSwitch.
  2. In the main panel, select the FortiSwitch faceplate and click Edit.
  3. In the Edit Managed FortiSwitch panel, the Firmware section displays the current build on the FortiSwitch.

To upgrade the firmware on multiple FortiSwitch units at the same time:

  1. Go to WiFi & Switch Controller > Managed FortiSwitch.
  2. Select the faceplates of the FortiSwitch units that you want to upgrade.
  3. Click Upgrade. The Upgrade FortiSwitches page opens.
  4. Select FortiGuard or select Upload and then select the firmware file to upload. If you select FortiGuard, all FortiSwitch units that can be upgraded are upgraded. If you select Upload, only one firmware image can be used at a time for upgrading.
  5. Select Upgrade.

Using the CLI

Use the following command to display the latest version:

diagnose fdsm fortisw-latest-ver <model>

Use the following command to download the image:

diagnose fdsm fortisw-download <image id>

The following example shows how to download the latest image for FS224D:

FG100D3G15801204 (global) # diagnose fdsm fortisw-latest-ver FS224D
FS224D – 3.4.2 b192 03004000FIMG0900904002
FG100D3G15801204 (global) # diagnose fdsm fortisw-download 03004000FIMG0900904002
Download image-03004000FIMG0900904002:
################################################################################
Result=Success

Use the following CLI commands to enable the use of HTTPS to download firmware to managed FortiSwitch units:

config switch-controller global
    set https-image-push enable
end

From your FortiGate CLI, you can upgrade the firmware of all of the managed FortiSwitch units of the same model using a single execute command. The command includes the name of a firmware image file, and all of the managed FortiSwitch units compatible with that firmware image file are upgraded. For example:

execute switch-controller stage-tiered-swtp-image ALL <firmware-image-file>

You can also use the following command to restart all of the managed FortiSwitch units after a 2-minute delay.

execute switch-controller restart-swtp-delayed ALL

Execute custom FortiSwitch commands

From the FortiGate, you can execute FortiSwitch commands on the managed FortiSwitch.

This feature adds a simple scripting mechanism for users to execute generic commands on the switch.

NOTE: FortiOS 5.6.0 introduces additional capabilities related to the managed FortiSwitch.

Create a command

Use the following syntax to create a command file:

config switch-controller custom-command
    edit <cmd-name>
        set command "<FortiSwitch commands>"

For example, create a command file that sets the STP max-age parameter to 10:

config switch-controller custom-command
    edit "stp-age-10"
        set command "config switch stp setting
            set max-age 10
        end
        "
    next
end

Execute a command

After you have created a command file, use the following command on the FortiGate to execute the command file on the target switch:

exec switch-controller custom-command <cmd-name> <target-switch>

The following example runs the stp-age-10 command on the specified target FortiSwitch:

# exec switch-controller custom-command stp-age-10 S124DP3X15000118

FortiSwitch port security policy

The features listed here are valuable in endpoint authorization and access-control within a retail/enterprise LAN environment. In a FortiLink setup, you can configure these capabilities from the FortiGate while endpoints are connected to switch ports.

NOTE: In FortiLink mode, you must manually create a firewall policy to allow RADIUS traffic for 802.1x authentication from the FortiSwitch (for example, from the FortiLink interface) to the RADIUS server through the FortiGate.

End devices fall into two supported categories: those that support an 802.1X client and those that do not.

Before the Managed Release 5.6.0, only the following configuration was supported per VLAN:

  • 802.1X

With Managed Release 5.6.0, additional port security features are available:

  • Move 802.1X control from VLAN to port
    o Previously, only one VLAN could be assigned to one port. With both tagged and untagged VLANs allowed in 5.4.x, this is no longer suitable and will be migrated to the switch port.
    o Automatic configuration migration is supported.
  • Support for client-less devices using MAC authentication bypass (MAB)
    o For devices that are incapable of supporting EAPoL/EAP, FortiSwitch will conduct the authentication on behalf of the device. A maximum of three concurrent MAB devices per port can exist.
  • Multiple secured endpoints on a single port
    o Enforcement is per MAC address
  • Dynamic VLAN assignment
    o RADIUS-assigned VLANs
  • Guest VLAN configuration
    o With authentication timeout
  • RADIUS configuration
    o Set secret keys for primary and secondary servers.
  • User configuration
    o Use a RADIUS server to authenticate users.
  • Additional timers and modes
    o Re-authentication period
    o Maximum re-authentication attempts
    o Link down to un-authenticate

NOTE: In the following commands, “*” indicates the default setting.

Configure the 802.1X settings for a virtual domain

To configure the 802.1X security policy for a virtual domain, use the following commands:

config switch-controller 802-1X-settings
    set reauth-period <int>
    set max-reauth-attempt <int>
    set link-down-auth <*set-unauth | no-action>
end

Option                    Description
set link-down-auth        If a link is down, this command determines the authentication state. Choosing set-unauth sets the interface to unauthenticated when a link is down, and reauthentication is needed. Choosing no-action means that the interface does not need to be reauthenticated when a link is down.
set reauth-period         This command sets how often reauthentication is needed. The range is 1-1440 minutes. The default is 60 minutes. Setting the value to 0 minutes disables reauthentication.
set max-reauth-attempt    This command sets the maximum number of reauthentication attempts. The range is 1-15. The default is 3. Setting the value to 0 disables reauthentication.

Override the virtual domain settings

You can override the virtual domain settings for the 802.1X security policy.

Using the FortiGate GUI

To override the 802.1X settings for a virtual domain:

  1. Go to WiFi & Switch Controller > Managed FortiSwitch.
  2. Click on a FortiSwitch faceplate and click Edit.
  3. In the Edit Managed FortiSwitch page, move the Override 802-1X settings slider to the right.
  4. In the Reauthentication Interval field, enter the number of minutes before reauthentication is required. The maximum interval is 1,440 minutes. Setting the value to 0 minutes disables reauthentication.
  5. In the Max Reauthentication Attempts field, enter the maximum times that reauthentication is attempted. The maximum number of attempts is 15. Setting the value to 0 disables reauthentication.
  6. Select Deauthenticate or None for the link down action. Selecting Deauthenticate sets the interface to unauthenticated when a link is down, and reauthentication is needed. Selecting None means that the interface does not need to be reauthenticated when a link is down.
  7. Click OK.

Using the FortiGate CLI

To override the 802.1X settings for a virtual domain, use the following commands:

config switch-controller managed-switch
    edit <switch>
        config 802-1X-settings
            set local-override [enable | *disable]
            set reauth-period <int>                        // visible if override enabled
            set max-reauth-attempt <int>                   // visible if override enabled
            set link-down-auth <*set-unauth | no-action>   // visible if override enabled
        end
    next
end

For a description of the options, see Configure the 802.1X settings for a virtual domain.

Define an 802.1X security policy

You can define multiple 802.1X security policies.

Using the FortiGate GUI

To create an 802.1X security policy:

  1. Go to WiFi & Switch Controller > FortiSwitch Security Policies.
  2. Click Create New.
  3. Enter a name for the new FortiSwitch security policy.
  4. For the security mode, select Port-based or MAC-based.
  5. Click + to select which user groups will have access.
  6. Enable or disable guest VLANs on this interface to allow restricted access for some users.
  7. Enter the number of seconds for authentication delay for guest VLANs. The range is 60-900 seconds.
  8. Enable or disable authentication fail VLAN on this interface to allow restricted access for users who fail to access the guest VLAN.
  9. Enable or disable MAC authentication bypass (MAB) on this interface.
  10. Enable or disable EAP pass-through mode on this interface.
  11. Enable or disable whether the session timeout for the RADIUS server will overwrite the local timeout.
  12. Click OK.

Using the FortiGate CLI

To create an 802.1X security policy, use the following commands:

config switch-controller security-policy 802-1X
    edit "<policy.name>"
        set security-mode {802.1X | 802.1X-mac-based}
        set user-group <*group_name | Guest-group | SSO_Guest_Users>
        set mac-auth-bypass [enable | *disable]
        set eap-passthru [enable | disable]
        set guest-vlan [enable | *disable]
        set guest-vlan-id "guest-VLAN-name"
        set guest-auth-delay <integer>
        set auth-fail-vlan [enable | *disable]
        set auth-fail-vlan-id "auth-fail-VLAN-name"
        set radius-timeout-overwrite [enable | *disable]
        set policy-type 802.1X
    next
end

Option                                       Description
set security-mode                            You can restrict access with 802.1X port-based authentication or with 802.1X MAC-based authentication.
set user-group                               You can set a specific group name, Guest-group, or SSO_Guest_Users to have access. This setting is mandatory.
set mac-auth-bypass                          You can enable or disable MAB on this interface.
set eap-passthru                             You can enable or disable EAP pass-through mode on this interface.
set guest-vlan                               You can enable or disable guest VLANs on this interface to allow restricted access for some users.
set guest-vlan-id "guest-VLAN-name"          You can specify the name of the guest VLAN.
set guest-auth-delay                         You can set the authentication delay for guest VLANs on this interface. The range is 60-900 seconds.
set auth-fail-vlan                           You can enable or disable authentication fail VLAN on this interface to allow restricted access for users who fail to access the guest VLAN.
set auth-fail-vlan-id "auth-fail-VLAN-name"  You can specify the name of the authentication fail VLAN.
set radius-timeout-overwrite                 You can enable or disable whether the session timeout for the RADIUS server will overwrite the local timeout.
set policy-type 802.1X                       You can set the policy type to the 802.1X security policy.
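When these policies are generated by automation rather than typed in, it helps to enforce the option table before a block is pushed. The following builder is an added example, not Fortinet code: it renders the CLI block in the syntax shown above and applies the table's rules (mandatory user-group, 60-900 second guest delay, the two security modes); the requirement that an enabled guest or auth-fail VLAN must name its VLAN is this example's own check.

```python
"""Render and validate a FortiOS 802.1X security-policy block.

Added example, not Fortinet code.  Range and mandatory-field rules follow the
option table above; the VLAN-name dependency checks are this example's own.
"""
from dataclasses import dataclass
from typing import List, Optional

SECURITY_MODES = ("802.1X", "802.1X-mac-based")


@dataclass
class Dot1xPolicy:
    name: str
    user_group: str                          # mandatory per the option table
    security_mode: str = "802.1X"
    mac_auth_bypass: bool = False            # *disable is the default
    eap_passthru: bool = False
    guest_vlan: bool = False
    guest_vlan_id: Optional[str] = None
    guest_auth_delay: Optional[int] = None   # seconds, valid range 60-900
    auth_fail_vlan: bool = False
    auth_fail_vlan_id: Optional[str] = None
    radius_timeout_overwrite: bool = False

    def validate(self) -> List[str]:
        """Return a list of problems; an empty list means the policy can be rendered."""
        errors = []
        if not self.name:
            errors.append("policy name is required")
        if not self.user_group:
            errors.append("user-group is mandatory")
        if self.security_mode not in SECURITY_MODES:
            errors.append(f"security-mode must be one of {SECURITY_MODES}")
        if self.guest_vlan and not self.guest_vlan_id:
            errors.append("guest-vlan is enabled but guest-vlan-id is not set")
        if self.guest_auth_delay is not None and not 60 <= self.guest_auth_delay <= 900:
            errors.append("guest-auth-delay must be between 60 and 900 seconds")
        if self.auth_fail_vlan and not self.auth_fail_vlan_id:
            errors.append("auth-fail-vlan is enabled but auth-fail-vlan-id is not set")
        return errors

    def render(self) -> str:
        """Emit the CLI block in the syntax shown on this page, or raise ValueError."""
        errors = self.validate()
        if errors:
            raise ValueError("; ".join(errors))

        def onoff(flag: bool) -> str:
            return "enable" if flag else "disable"

        lines = [
            "config switch-controller security-policy 802-1X",
            f'    edit "{self.name}"',
            f"        set security-mode {self.security_mode}",
            f'        set user-group "{self.user_group}"',
            f"        set mac-auth-bypass {onoff(self.mac_auth_bypass)}",
            f"        set eap-passthru {onoff(self.eap_passthru)}",
            f"        set guest-vlan {onoff(self.guest_vlan)}",
        ]
        if self.guest_vlan:
            lines.append(f'        set guest-vlan-id "{self.guest_vlan_id}"')
            if self.guest_auth_delay is not None:
                lines.append(f"        set guest-auth-delay {self.guest_auth_delay}")
        lines.append(f"        set auth-fail-vlan {onoff(self.auth_fail_vlan)}")
        if self.auth_fail_vlan:
            lines.append(f'        set auth-fail-vlan-id "{self.auth_fail_vlan_id}"')
        lines += [
            f"        set radius-timeout-overwrite {onoff(self.radius_timeout_overwrite)}",
            "        set policy-type 802.1X",
            "    next",
            "end",
        ]
        return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: MAC-based policy with MAB for client-less devices and a guest VLAN.
    policy = Dot1xPolicy(name="printers-mab", user_group="Guest-group",
                         security_mode="802.1X-mac-based", mac_auth_bypass=True,
                         guest_vlan=True, guest_vlan_id="guest", guest_auth_delay=120)
    print(policy.render())
```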

Apply an 802.1X security policy to a FortiSwitch port

You can apply a different 802.1X security policy to each FortiSwitch port.

Using the FortiGate GUI

To apply an 802.1X security policy to a managed FortiSwitch port:

  1. Go to WiFi & Switch Controller > FortiSwitch Ports.
  2. Click the + next to a FortiSwitch.
  3. In the Security Policy column for a port, click + to select a security policy.
  4. Click OK to apply the security policy to that port.

Using the FortiGate CLI

To apply an 802.1X security policy to a managed FortiSwitch port, use the following commands:

config switch-controller managed-switch
    edit <managed-switch>
        config ports
            edit <port>
                set port-security-policy <802.1X-policy>
            next
        end
    next
end

Restrict the type of frames allowed through IEEE 802.1Q ports

You can now specify whether each FortiSwitch port discards tagged 802.1Q frames or untagged 802.1Q frames or allows all frames access to the port. By default, all frames have access to each FortiSwitch port.

Use the following CLI commands:

config switch-controller managed-switch
    edit <SN>
        config ports
            edit <port_name>
                set discard-mode {none | all-tagged | all-untagged}
            next
        end
    next
end

RADIUS accounting support

The FortiSwitch unit uses 802.1x-authenticated ports to send five types of RADIUS accounting messages to the RADIUS accounting server to support FortiGate RADIUS single sign-on:

  • START—The FortiSwitch has been successfully authenticated, and the session has started.
  • STOP—The FortiSwitch session has ended.
  • INTERIM—Periodic messages sent based on the value set using the set acct-interim-interval command.
  • ON—FortiSwitch will send this message when the switch is turned on.
  • OFF—FortiSwitch will send this message when the switch is shut down.

Use the following commands to set up RADIUS accounting so that FortiOS can send accounting messages to managed FortiSwitch units:

config user radius
    edit <RADIUS_server_name>
        set acct-interim-interval <seconds>
        config accounting-server
            edit <entry_ID>
                set status {enable | disable}
                set server <server_IP_address>
                set secret <secret_key>
                set port <port_number>
            next
        end
    next
end

 

FortiSwitch port features

You can configure the FortiSwitch port feature settings from the FortiGate using the FortiSwitch CLI or web administration GUI.

FortiSwitch ports display

The WiFi & Switch Controller> FortiSwitch Ports page displays port information about each of the managed switches.

The following figure shows the display for a FortiSwitch 524D-FPOE:

The switch faceplate displays:

  • active ports (green)
  • PoE-enabled ports (blue rectangle)
  • FortiLink port (link icon)

PoE Status displays the total power budget and the actual power currently allocated.

The allocated power displays a blue bar for the used power (currently being consumed) and a green bar for the reserved power (power available for additional devices on the POE ports). See the following figures:

Each entry in the port list displays the following information:

  • Port status (red for down, green for up)
  • Port name
  • Native VLAN
  • Allowed VLANs
  • Device information
  • PoE status
  • Bytes sent and received by the port

Configuring ports using the GUI

You can use the WiFi & Switch Controller> FortiSwitch Ports page to do the following with FortiSwitch switch ports:

  • Set the native VLAN and add more VLANs
  • Edit the description of the port
  • Enable or disable the port
  • Enable or disable PoE for the port
  • Enable or disable DHCP blocking (if supported by the port)
  • Enable or disable IGMP snooping (if supported by the port)
  • Enable or disable whether a port is an edge port
  • Enable or disable STP (if supported by the port)
  • Enable or disable loop guard (if supported by the port)
  • Enable or disable STP BPDU guard (if supported by the port)
  • Enable or disable STP root guard (if supported by the port)

Resetting PoE-enabled ports

If you need to reset PoE-enabled ports, go to WiFi & Switch Control > FortiSwitch Ports, right-click on one or more PoE-enabled ports and select Reset PoE from the context menu.

You can also go to WiFi & Switch Control > Managed FortiSwitch and click on a port icon for the FortiSwitch of interest. In the FortiSwitch Ports page, right-click on one or more PoE-enabled ports and select Reset PoE from the context menu.

Configuring ports using the FortiGate CLI

You can configure the following FortiSwitch port settings using the FortiGate CLI:

  • Configuring port speed and status
  • Configure a VLAN on the port (see VLAN configuration)
  • Sharing FortiSwitch ports between VDOMs (391878)
  • Limiting the number of learned MAC addresses on a FortiSwitch interface
  • Configuring the DHCP trust setting
  • Configuring PoE
  • Configuring edge ports
  • Configuring STP
  • Configuring STP root guard
  • Configuring STP BPDU guard
  • Configuring loop guard
  • Configuring LLDP settings
  • Configuring IGMP settings
  • Configuring sFlow
  • Configuring Dynamic ARP inspection (DAI)
  • Configuring FortiSwitch port mirroring

Configuring port speed and status

Use the following commands to set port speed and other base port settings:

config switch-controller managed-switch
    edit <switch>
        config ports
            edit <port>
                set description <text>
                set speed <speed>
                set status {down | up}
            next
        end
    next
end

For example:

config switch-controller managed-switch
    edit S524DF4K15000024
        config ports
            edit port1
                set description "First port"
                set speed auto
                set status up
            next
        end
    next
end

Sharing FortiSwitch ports between VDOMs (391878)

Virtual domains (VDOMs) are a method of dividing a FortiGate unit into two or more virtual units that function as multiple independent units. VDOMs provide separate security domains that allow separate zones, user authentication, security policies, routing, and VPN configurations.

FortiSwitch ports can now be shared between VDOMs.

NOTE: You cannot use the quarantine feature while sharing FortiSwitch ports between VDOMs.

To share FortiSwitch ports between VDOMs:

  1. Create one or more VDOMs.
  2. Assign VLANs to each VDOM as required.
  3. From these VLANs, select one VLAN to be the default VLAN for the ports in the virtual switch:

config switch-controller global
    set default-virtual-switch-vlan <VLAN>
end

NOTE: You must execute these commands from the VDOM that the default VLAN belongs to.

When you add a new port to the VDOM, the new port will be automatically assigned to the default VLAN. You can reassign the ports to other VLANs later.

  4. Create a virtual port pool (VPP) to contain the ports to be shared:

config switch-controller virtual-port-pool
    edit <VPP_name>
        set description <string>
    next
end

NOTE: You must execute these commands from the VDOM that the default VLAN belongs to.

For example:

config switch-controller virtual-port-pool
    edit "pool3"
        set description "pool for port3"
    next
end

  5. Share a FortiSwitch port from the VDOM that the FortiSwitch belongs to with another VDOM, or export the FortiSwitch port to a VPP where it can be used by any VDOM:

config switch-controller managed-switch
    edit <switch.id>
        config ports
            edit <port_name>
                set {export-to-pool <VPP_name> | export-to <VDOM_name>}
                set export-tags <string1,string2,string3,...>
            next
        end
    next
end

NOTE: You must execute these commands from the VDOM that the default VLAN belongs to.

For example, if you want to export a port to the VPP named pool3:

config switch-controller managed-switch
    edit "S524DF4K15000024"
        config ports
            edit port3
                set export-to-pool "pool3"
                set export-tags "Pool 3"
            next
        end
    next
end

For example, if you want to export a port to the VDOM named vdom3:

config switch-controller managed-switch
    edit "S524DF4K15000024"
        config ports
            edit port3
                set export-to "vdom3"
                set export-tags "VDOM 3"
            next
        end
    next
end

  6. Request a port in a VPP:

execute switch-controller virtual-port-pool request <FortiSwitch_device_ID> <port_name>

NOTE: You must execute this command from the VDOM that is requesting the port.

For example:

execute switch-controller virtual-port-pool request S524DF4K15000024h port3

  7. Return a port to a VPP:

execute switch-controller virtual-port-pool return <FortiSwitch_device_ID> <port_name>

NOTE: You must execute this command from the VDOM that owns the port.

For example:

execute switch-controller virtual-port-pool return S524DF4K15000024h port3

You can create your own export tags using the following CLI commands:

config switch-controller switch-interface-tag
    edit <tag_name>
    next
end

Use the following CLI command to list the contents of a specific VPP:

execute switch-controller virtual-port-pool show-by-pool <VPP_name>

Use the following CLI command to list all VPPs and their contents:

execute switch-controller virtual-port-pool show

NOTE: Shared ports do not support the following features:

  • LLDP
  • 802.1X
  • STP
  • BPDU guard
  • Root guard
  • DHCP snooping
  • IGMP snooping
  • QoS
  • Port security
  • MCLAG

Limiting the number of learned MAC addresses on a FortiSwitch interface

You can limit the number of MAC addresses learned on a FortiSwitch interface (port or VLAN). The limit ranges from 1 to 128. If the limit is set to the default value zero, there is no learning limit.

NOTE: Static MAC addresses are not counted in the limit. The limit refers only to learned MAC addresses.

Use the following CLI commands to limit MAC address learning on a VLAN:

config switch vlan
    edit <integer>
        set switch-controller-learning-limit <limit>
    next
end

For example:

config switch vlan
    edit 100
        set switch-controller-learning-limit 20
    next
end

Use the following CLI commands to limit MAC address learning on a port:

config switch-controller managed-switch
    edit <FortiSwitch_Serial_Number>
        config ports
            edit <port>
                set learning-limit <limit>
            next
        end
    next
end

For example:

config switch-controller managed-switch
    edit S524DF4K15000024
        config ports
            edit port3
                set learning-limit 50
            next
        end
    next
end

Configuring the DHCP trust setting

The DHCP blocking feature monitors the DHCP traffic from untrusted sources (for example, typically host ports and unknown DHCP servers) that might initiate traffic attacks or other hostile actions. To prevent this, DHCP blocking filters messages on untrusted ports.

Set the port as a trusted or untrusted DHCP-snooping interface:

config switch-controller managed-switch
    edit <switch-id>
        config ports
            edit <port name>
                set dhcp-snooping {trusted | untrusted}
            next
        end
    next
end

For example:

config switch-controller managed-switch
    edit S524DF4K15000024
        config ports
            edit port1
                set dhcp-snooping trusted
            next
        end
    next
end

Configuring PoE

The following PoE CLI commands are available starting in FortiSwitchOS 3.3.0.

Enable PoE on the port

config switch-controller managed-switch
    edit <switch-id>
        config ports
            edit <port name>
                set poe-status {enable | disable}
            next
        end
    next
end

For example:

config switch-controller managed-switch
    edit S524DF4K15000024
        config ports
            edit port1
                set poe-status enable
            next
        end
    next
end

Reset the PoE port

Power over Ethernet (PoE) describes any system that passes electric power along with data on twisted pair Ethernet cabling. Doing this allows a single cable to provide both data connection and electric power to devices (for example, wireless access points, IP cameras, and VoIP phones).

The following command resets PoE on the port:

execute switch-controller poe-reset <fortiswitch-id> <port>

Display general PoE status:

get switch-controller poe <fortiswitch-id> <port>

The following example displays the PoE status for port 6 on the specified switch:

# get switch-controller poe FS108D3W14000967 port6
Port(6) Power:3.90W, Power-Status: Delivering Power
Power-Up Mode: Normal Mode
Remote Power Device Type: IEEE802.3AT PD
Power Class: 4
Defined Max Power: 30.0W, Priority:3
Voltage: 54.00V
Current: 78mA

Configuring edge ports

Use the following commands to enable or disable an interface as an edge port:

config switch-controller managed-switch
    edit <switch>
        config ports
            edit <port>
                set edge-port {enable | disable}
            next
        end
    next
end

For example:

config switch-controller managed-switch
    edit S524DF4K15000024
        config ports
            edit port1
                set edge-port enable
            next
        end
    next
end

Configuring STP

Starting with FortiSwitch Release 3.4.2, STP is enabled by default for the non-FortiLink ports on the managed FortiSwitch units. STP is a link-management protocol that ensures a loop-free layer-2 network topology.

NOTE: STP is not supported between a FortiGate unit and a FortiSwitch unit in FortiLink mode.

To configure global STP settings, see Configure STP settings.

Use the following commands to enable or disable STP on FortiSwitch ports:

config switch-controller managed-switch
    edit <switch-id>
        config ports
            edit <port name>
                set stp-state {enabled | disabled}
            next
        end
    next
end

For example:

config switch-controller managed-switch
    edit S524DF4K15000024
        config ports
            edit port1
                set stp-state enabled
            next
        end
    next
end

To check the STP configuration on a FortiSwitch, use the following command:

diagnose switch-controller dump stp <FortiSwitch_serial_number> <instance_number>

For example:

FG100D3G15817028 # diagnose switch-controller dump stp S524DF4K15000024 0
MST Instance Information, primary-Channel:
Instance ID : 0
Switch Priority : 24576
Root MAC Address : 085b0ef195e4
Root Priority: 24576
Root Pathcost: 0
Regional Root MAC Address : 085b0ef195e4
Regional Root Priority: 24576
Regional Root Path Cost: 0
Remaining Hops: 20
This Bridge MAC Address : 085b0ef195e4
This bridge is the root

Port             Speed  Cost      Priority  Role        State      Edge STP-Status Loop Protection
________________ ______ _________ _________ ___________ __________ ____ __________ ________
port1                   200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port2                   200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port3                   200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port4                   200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port5                   200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port6                   200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port7                   200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port8                   200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port9                   200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port10                  200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port11                  200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port12                  200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port13                  200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port14                  200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port15                  200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port16                  200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port17                  200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port18                  200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port19                  200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port20                  200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port21                  200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port22                  200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port23                  200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port25                  200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port26                  200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port27                  200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port28                  200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port29                  200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port30                  200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
internal         1G     20000     128       DESIGNATED  FORWARDING YES  DISABLED   NO
__FoRtI1LiNk0__  1G     20000     128       DESIGNATED  FORWARDING YES  DISABLED   NO
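The per-port table in this dump is what an operator audits when checking the STP, root guard and BPDU guard settings described in this section, and the blank Speed column on down ports makes naive column splitting fail. The following parser is an added example, not Fortinet code; its sample input is constructed to follow the dump format shown above, and the assumption that port names beginning with "internal" or "__FoRtI" are internal or FortiLink ports (where STP is expected to be off) is the example's own.

```python
"""Parse the per-port table of `diagnose switch-controller dump stp` output.

Added example, not Fortinet code.  SAMPLE_DUMP is constructed to follow the
format shown on this page; the FortiLink/internal port-name prefixes used to
skip expected STP-disabled ports are this example's assumption.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample trimmed to a handful of rows.  port1/port3 are link-down
# edge ports (blank Speed column); port2 is an uplink with loop protection on.
SAMPLE_DUMP = """\
MST Instance Information, primary-Channel:
Instance ID : 0
Switch Priority : 24576
Root MAC Address : 085b0ef195e4
This Bridge MAC Address : 085b0ef195e4
This bridge is the root
Port             Speed  Cost      Priority  Role        State      Edge STP-Status Loop Protection
________________ ______ _________ _________ ___________ __________ ____ __________ ________
port1                   200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port2            1G     20000     128       DESIGNATED  FORWARDING NO   ENABLED    YES
port3                   200000000 128       DISABLED    DISCARDING YES  DISABLED   NO
internal         1G     20000     128       DESIGNATED  FORWARDING YES  DISABLED   NO
__FoRtI1LiNk0__  1G     20000     128       DESIGNATED  FORWARDING YES  DISABLED   NO
"""

ROLES = {"DISABLED", "DESIGNATED", "ROOT", "ALTERNATE", "BACKUP"}


@dataclass
class StpPort:
    name: str
    speed: Optional[str]      # None when the port is down (blank Speed column)
    cost: int
    priority: int
    role: str
    state: str
    edge: bool
    stp_enabled: bool
    loop_protection: bool


def parse_stp_ports(text: str) -> List[StpPort]:
    """Return one StpPort per row of the table that follows the underline line."""
    ports: List[StpPort] = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("____"):
            in_table = True            # the underline row precedes the data rows
            continue
        if not in_table or not line.strip():
            continue
        tok = line.split()
        # A down port prints nothing in the Speed column, so its row has eight
        # tokens instead of nine and the second token is already the Cost.
        if len(tok) == 8 and tok[1].isdigit():
            tok.insert(1, None)
        if len(tok) != 9 or tok[4] not in ROLES:
            raise ValueError(f"unrecognised STP row: {line!r}")
        ports.append(StpPort(
            name=tok[0], speed=tok[1], cost=int(tok[2]), priority=int(tok[3]),
            role=tok[4], state=tok[5], edge=(tok[6] == "YES"),
            stp_enabled=(tok[7] == "ENABLED"), loop_protection=(tok[8] == "YES")))
    return ports


def bpdu_guard_eligible(ports: List[StpPort]) -> List[str]:
    """Ports meeting both BPDU guard prerequisites: edge port and STP enabled."""
    return [p.name for p in ports if p.edge and p.stp_enabled]


def stp_disabled_ports(ports: List[StpPort],
                       ignore_prefixes=("internal", "__FoRtI")) -> List[str]:
    """Access ports with STP off.  Internal and FortiLink ports are skipped
    because STP is not supported on the FortiLink side (prefixes assumed)."""
    return [p.name for p in ports
            if not p.stp_enabled and not p.name.startswith(ignore_prefixes)]


if __name__ == "__main__":
    parsed = parse_stp_ports(SAMPLE_DUMP)
    print("BPDU guard eligible:", bpdu_guard_eligible(parsed))
    print("STP disabled on access ports:", stp_disabled_ports(parsed))
```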

Configuring STP root guard

Root guard protects the interface on which it is enabled from becoming the path to root. When enabled on an interface, superior BPDUs received on that interface are ignored or dropped. Without using root guard, any switch that participates in STP maintains the ability to reroute the path to root. Rerouting might cause your network to transmit large amounts of traffic across suboptimal links or allow a malicious or misconfigured device to pose a security risk by passing core traffic through an insecure device for packet capture or inspection. By enabling root guard on multiple interfaces, you can create a perimeter around your existing paths to root to enforce the specified network topology.

Enable root guard on all ports that should not be root bridges. Do not enable root guard on the root port. You must have STP enabled to be able to use root guard.

Use the following commands to enable or disable STP root guard on FortiSwitch ports:

config switch-controller managed-switch
    edit <switch-id>
        config ports
            edit <port name>
                set stp-root-guard {enabled | disabled}
        end
end

For example:

config switch-controller managed-switch
    edit S524DF4K15000024
        config ports
            edit port1
                set stp-root-guard enabled
        end
end

Configuring STP BPDU guard

Similar to root guard, BPDU guard protects the designed network topology. When BPDU guard is enabled on STP edge ports, any BPDUs received cause the ports to go down for a specified number of minutes. The BPDUs are not forwarded, and the network edge is enforced. There are two prerequisites for using BPDU guard:

• You must define the port as an edge port with the set edge-port enable command.
• You must enable STP on the switch interface with the set stp-state enabled command.

You can set how long the port will go down when a BPDU is received, up to a maximum of 120 minutes. The default port timeout is 5 minutes. If you set the timeout value to 0, the port will not come back up on its own after a BPDU is received; you will have to reset the port manually.

Use the following commands to enable or disable STP BPDU guard on FortiSwitch ports:

config switch-controller managed-switch
    edit <switch-id>
        config ports
            edit <port name>
                set stp-bpdu-guard {enabled | disabled}
                set stp-bpdu-guard-time <0-120>
        end
end

For example:

config switch-controller managed-switch
    edit S524DF4K15000024
        config ports
            edit port1
                set stp-bpdu-guard enabled
                set stp-bpdu-guard-time 10
        end
end

To check the configuration of STP BPDU guard on a FortiSwitch unit, use the following command:

diagnose switch-controller dump bpdu-guard-status <FortiSwitch_serial_number>

For example:

FG100D3G15817028 # diagnose switch-controller dump bpdu-guard-status S524DF4K15000024

Managed Switch : S524DF4K15000024 0

Portname State Status Timeout(m) Count Last-Event
_________________ _______ _________ ___________ _____ _______________
port1 enabled 10 0
port2 disabled
port3 disabled
port4 disabled
port5 disabled
port6 disabled
port7 disabled
port8 disabled
port9 disabled
port10 disabled
port11 disabled
port12 disabled
port13 disabled
port14 disabled
port15 disabled
port16 disabled
port17 disabled
port18 disabled
port19 disabled
port20 disabled
port21 disabled
port22 disabled
port23 disabled
port25 disabled
port26 disabled
port27 disabled
port28 disabled
port29 disabled
port30 disabled  
__FoRtI1LiNk0__ disabled  
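The dump above is what an operator reads by eye; when the same check has to run across many managed switches it is worth parsing. The following is an added example, not Fortinet code: it parses text in the layout of the bpdu-guard-status dump and reports ports that should be protected but are not, ports whose guard has fired, and ports whose timeout is 0 (which stay down until reset by hand). The sample text is constructed to follow the guide's column layout; the port4 row with a trigger count and timestamp is made up to exercise the optional columns, and the list of edge ports is an input you supply from your own configuration.

```python
"""Parse the bpdu-guard-status dump and flag ports worth a look.

Added example, not Fortinet code. SAMPLE_OUTPUT is constructed to follow the
column layout shown in the guide; the port4 row with a trigger count and
timestamp is made up to exercise the optional columns.
"""

SAMPLE_OUTPUT = """\
Managed Switch : S524DF4K15000024 0

Portname State Status Timeout(m) Count Last-Event
_________________ _______ _________ ___________ _____ _______________
port1 enabled 10 0
port2 disabled
port3 enabled 0 0
port4 enabled 5 2 2024-01-01 10:00:00
__FoRtI1LiNk0__ disabled
"""


def parse_bpdu_guard_status(text):
    """Return {port: {state, status, timeout_min, count, last_event}}.

    Disabled ports carry only name and state; enabled ports add the timeout and
    trigger count, optionally preceded by a status word and followed by the
    last-event timestamp. Header, rule and banner lines are skipped.
    """
    ports = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or tokens[1] not in ("enabled", "disabled"):
            continue
        name, state, rest = tokens[0], tokens[1], tokens[2:]
        entry = {"state": state, "status": None, "timeout_min": None,
                 "count": 0, "last_event": None}
        if rest and not rest[0].isdigit():      # optional Status column
            entry["status"] = rest.pop(0)
        if rest:
            entry["timeout_min"] = int(rest.pop(0))
        if rest:
            entry["count"] = int(rest.pop(0))
        if rest:                                  # remaining tokens: timestamp
            entry["last_event"] = " ".join(rest)
        ports[name] = entry
    return ports


def bpdu_guard_findings(ports, edge_ports):
    """Defender-side checks over the parsed table.

    edge_ports is the list of ports you have declared as STP edge ports (the
    guide's prerequisite for BPDU guard); it is an input you supply, not
    something the dump reports.
    """
    findings = []
    for name in edge_ports:
        port = ports.get(name)
        if port is None or port["state"] != "enabled":
            findings.append((name, "edge port without BPDU guard"))
    for name, port in ports.items():
        if port["count"] > 0:
            findings.append((name, f"BPDU guard triggered {port['count']} time(s)"))
        if port["state"] == "enabled" and port["timeout_min"] == 0:
            findings.append((name, "timeout 0: port stays down until reset by hand"))
    return findings


if __name__ == "__main__":
    table = parse_bpdu_guard_status(SAMPLE_OUTPUT)
    for port, reason in bpdu_guard_findings(table, ["port1", "port2", "port3", "port4"]):
        print(f"{port}: {reason}")
```

A port whose trigger count keeps rising is the one to look at first: something on that edge port is sending BPDUs, which is either a switch plugged in where only hosts belong or a device trying to take part in STP.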

Configuring loop guard

A loop in a layer-2 network results in broadcast storms that have far-reaching and unwanted effects. Fortinet loop guard helps to prevent loops. When loop guard is enabled on a switch port, the port monitors its subtending network for any downstream loops. The loop guard feature is designed to work in concert with STP rather than as a replacement for STP. By default, loop guard is disabled on all ports.

Use the following commands to configure loop guard on a FortiSwitch port:

config switch-controller managed-switch
    edit <switch-id>
        config ports
            edit <port name>
                set loop-guard {enabled | disabled}
        end
end

For example:

config switch-controller managed-switch
    edit S524DF4K15000024
        config ports
            edit port1
                set loop-guard enabled
        end
end

Configuring LLDP settings

The Fortinet data center switches support the Link Layer Discovery Protocol (LLDP) for transmission and reception wherein the switch will multicast LLDP packets to advertise its identity and capabilities. A switch receives the equivalent information from adjacent layer-2 peers.

Use the following commands to configure LLDP on a FortiSwitch port:

config switch-controller managed-switch
    edit <switch-id>
        config ports
            edit <port name>
                set lldp-status {rx-only | tx-only | tx-rx | disable}
                set lldp-profile <profile name>
        end
end

For example:

config switch-controller managed-switch
    edit S524DF4K15000024
        config ports
            edit port2
                set lldp-status tx-rx
                set lldp-profile default
        end
end
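What a port with lldp-status tx-rx actually exchanges is a small TLV-encoded data unit. The following is an added example, not FortiSwitch code, that builds and decodes the mandatory LLDP TLVs (Chassis ID, Port ID, TTL, End) plus the system name and description; the frame is constructed, the chassis MAC and names are made up, and the TLV type and subtype numbers are the IEEE 802.1AB ones.

```python
"""Decode the mandatory TLVs of an LLDPDU as a receiver (lldp-status rx-only or
tx-rx) would. Added example, not FortiSwitch code; the frame is constructed."""
import struct

LLDP_MULTICAST_MAC = "01:80:c2:00:00:0e"   # nearest-bridge address LLDP is sent to
ETHERTYPE_LLDP = 0x88CC

# TLV types and ID subtypes from IEEE 802.1AB
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
TLV_SYSTEM_NAME, TLV_SYSTEM_DESC = 5, 6
CHASSIS_SUBTYPE_MAC, PORT_SUBTYPE_MAC, PORT_SUBTYPE_IFNAME = 4, 3, 5


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_tlv(tlv_type, value):
    """Pack a TLV: 16-bit header holding a 7-bit type and a 9-bit length."""
    if len(value) > 0x1FF:
        raise ValueError("TLV value too long")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def parse_lldpdu(payload):
    """Return [(type, value), ...] up to and including the End TLV.

    A payload that runs out before the End TLV, or whose declared length
    overruns the buffer, is rejected rather than partially trusted.
    """
    tlvs, off = [], 0
    while off + 2 <= len(payload):
        (header,) = struct.unpack_from("!H", payload, off)
        tlv_type, length = header >> 9, header & 0x1FF
        value = payload[off + 2: off + 2 + length]
        if len(value) != length:
            raise ValueError("TLV length overruns payload")
        off += 2 + length
        tlvs.append((tlv_type, value))
        if tlv_type == TLV_END:
            return tlvs
    raise ValueError("missing End-of-LLDPDU TLV")


def decode_neighbor(payload):
    """Summarise what a neighbour advertises: chassis, port, TTL, system name."""
    info = {}
    for tlv_type, value in parse_lldpdu(payload):
        if tlv_type == TLV_CHASSIS_ID:
            subtype, ident = value[0], value[1:]
            info["chassis_id"] = _mac(ident) if subtype == CHASSIS_SUBTYPE_MAC else ident.decode("ascii", "replace")
        elif tlv_type == TLV_PORT_ID:
            subtype, ident = value[0], value[1:]
            info["port_id"] = _mac(ident) if subtype == PORT_SUBTYPE_MAC else ident.decode("ascii", "replace")
        elif tlv_type == TLV_TTL:
            info["ttl"] = struct.unpack("!H", value)[0]
        elif tlv_type == TLV_SYSTEM_NAME:
            info["system_name"] = value.decode("ascii", "replace")
        elif tlv_type == TLV_SYSTEM_DESC:
            info["system_description"] = value.decode("ascii", "replace")
    return info


# Constructed LLDPDU: the kind of advertisement a switch with tx enabled sends on port2.
SAMPLE_LLDPDU = (
    build_tlv(TLV_CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + bytes.fromhex("0a1b2c3d4e5f"))
    + build_tlv(TLV_PORT_ID, bytes([PORT_SUBTYPE_IFNAME]) + b"port2")
    + build_tlv(TLV_TTL, struct.pack("!H", 120))
    + build_tlv(TLV_SYSTEM_NAME, b"access-sw-01")
    + build_tlv(TLV_SYSTEM_DESC, b"constructed system description")
    + build_tlv(TLV_END, b"")
)

if __name__ == "__main__":
    print(decode_neighbor(SAMPLE_LLDPDU))
```

The decoded fields are exactly what a switch gives away to whatever is on the other end of the link, which is why the lldp-status choice matters: rx-only on ports facing untrusted hosts still lets you discover what is attached without advertising the switch's own identity to it.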

Configuring IGMP settings

IGMP snooping allows the FortiSwitch to passively listen to the Internet Group Management Protocol (IGMP) network traffic between hosts and routers. The switch uses this information to determine which ports are interested in receiving each multicast feed. FortiSwitch can reduce unnecessary multicast traffic on the LAN by pruning multicast traffic from links that do not contain a multicast listener.

Use the following commands to configure IGMP snooping on a FortiSwitch port:

config switch-controller managed-switch
    edit <switch-id>
        config ports
            edit <port name>
                set igmp-snooping {enable | disable}
                set igmps-flood-reports {enable | disable}
        end
end

For example:

config switch-controller managed-switch
    edit S524DF4K15000024
        config ports
            edit port3
                set igmp-snooping enable
                set igmps-flood-reports enable
        end
end

Configuring sFlow

sFlow is a method of monitoring the traffic on your network to identify areas on the network that might impact performance and throughput. With sFlow, you can export truncated packets and interface counters. FortiSwitch implements sFlow version 5 and supports trunks and VLANs.

NOTE: Because sFlow is CPU intensive, Fortinet does not recommend high rates of sampling for long periods.

sFlow uses packet sampling to monitor network traffic. The sFlow agent captures packet information at defined intervals and sends them to an sFlow collector for analysis, providing real-time data analysis. To minimize the impact on network throughput, the information sent is only a sampling of the data.

The sFlow collector is a central server running software that analyzes and reports on network traffic. The sampled packets and counter information, referred to as flow samples and counter samples, respectively, are sent as sFlow datagrams to a collector. Upon receiving the datagrams, the sFlow collector provides real-time analysis and graphing to indicate the source of potential traffic issues. sFlow collector software is available from a number of third-party software vendors. You must configure a FortiGate policy to transmit the samples from the FortiSwitch unit to the sFlow collector.

sFlow can monitor network traffic in two ways:

• Flow samples—You specify the percentage of packets (one out of n packets) to randomly sample.
• Counter samples—You specify how often (in seconds) the network device sends interface counters.

Use the following CLI commands to specify the IP address and port for the sFlow collector. By default, the IP address is 0.0.0.0, and the port number is 6343.

config switch-controller sflow
    set collector-ip <x.x.x.x>
    set collector-port <port_number>
end

Use the following CLI commands to configure sFlow:

config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        config ports
            edit <port_name>
                set sflow-sampler <disabled | enabled>
                set sflow-sample-rate <0-99999>
                set sflow-counter-interval <1-255>
            next
        end
    next
end

For example:

config switch-controller sflow
    set collector-ip 1.2.3.4
    set collector-port 10
end

config switch-controller managed-switch
    edit S524DF4K15000024
        config ports
            edit port5
                set sflow-sampler enabled
                set sflow-sample-rate 10
                set sflow-counter-interval 60
            next
        end
    next
end
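The flow samples and counter samples described above arrive at the collector as sFlow version 5 datagrams. The following is an added example, not Fortinet or collector-vendor code: a minimal collector-side decoder for the datagram header, flow samples carrying a sampled packet header, and counter samples carrying generic interface counters, written from the sFlow v5 specification. The datagram is constructed with the same packing helpers rather than captured from a FortiSwitch; the agent address, interface index, counter values and the sampled Ethernet header are made up.

```python
"""Collector-side decoder for sFlow version 5 datagrams: header, flow samples
(sampled packet headers) and counter samples (interface counters). Added
example, not Fortinet code; the datagram below is constructed with the same
packing helpers, not captured from a FortiSwitch."""
import socket
import struct

GENERIC_IF_COUNTERS = "!IIQIIQIIIIIIQIIIIII"   # sFlow v5 counter record format 1 (88 bytes)


def _u32(buf, off):
    return struct.unpack_from("!I", buf, off)[0], off + 4


def _records(buf, off, count):
    """Read `count` (format, length, data) records starting at off."""
    out = []
    for _ in range(count):
        fmt, off = _u32(buf, off)
        length, off = _u32(buf, off)
        data = buf[off:off + length]
        if len(data) != length:
            raise ValueError("record overruns datagram")
        out.append((fmt, data))
        off += length
    return out


def parse_flow_sample(data):
    """Flow sample (format 1): one sampled packet plus its sampling context."""
    seq, source, rate, pool, drops, inp, outp, nrec = struct.unpack_from("!8I", data, 0)
    records = []
    for fmt, rec in _records(data, 32, nrec):
        if fmt == 1:   # raw packet header: protocol, frame_length, stripped, header_length, header
            proto, frame_len, stripped, hdr_len = struct.unpack_from("!4I", rec, 0)
            records.append({"format": 1, "protocol": proto, "frame_length": frame_len,
                            "header": rec[16:16 + hdr_len]})
        else:
            records.append({"format": fmt, "raw": rec})
    # Each sampled packet stands for `rate` packets on the wire (sflow-sample-rate).
    return {"type": "flow", "sequence": seq, "source_index": source & 0xFFFFFF,
            "sampling_rate": rate, "sample_pool": pool, "drops": drops,
            "input_if": inp, "flooded": bool(outp & 0x80000000), "records": records}


def parse_counter_sample(data):
    """Counter sample (format 2): interface counters sent every sflow-counter-interval."""
    seq, source, nrec = struct.unpack_from("!3I", data, 0)
    records = []
    for fmt, rec in _records(data, 12, nrec):
        if fmt == 1 and len(rec) == struct.calcsize(GENERIC_IF_COUNTERS):
            f = struct.unpack(GENERIC_IF_COUNTERS, rec)
            records.append({"format": 1, "if_index": f[0], "if_speed": f[2],
                            "in_octets": f[5], "in_errors": f[10],
                            "out_octets": f[12], "out_errors": f[17]})
        else:
            records.append({"format": fmt, "raw": rec})
    return {"type": "counter", "sequence": seq, "source_index": source & 0xFFFFFF, "records": records}


def parse_sflow_v5(datagram):
    """Decode one UDP payload as received on the collector port (6343 by default)."""
    version, off = _u32(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported sFlow version {version}")
    addr_type, off = _u32(datagram, off)
    if addr_type == 1:
        agent, off = socket.inet_ntoa(datagram[off:off + 4]), off + 4
    elif addr_type == 2:
        agent, off = socket.inet_ntop(socket.AF_INET6, datagram[off:off + 16]), off + 16
    else:
        raise ValueError(f"unknown agent address type {addr_type}")
    sub_agent, off = _u32(datagram, off)
    seq, off = _u32(datagram, off)
    uptime_ms, off = _u32(datagram, off)
    nsamples, off = _u32(datagram, off)
    samples = []
    for fmt, data in _records(datagram, off, nsamples):
        enterprise, sample_format = fmt >> 12, fmt & 0xFFF
        if enterprise == 0 and sample_format == 1:
            samples.append(parse_flow_sample(data))
        elif enterprise == 0 and sample_format == 2:
            samples.append(parse_counter_sample(data))
        else:
            samples.append({"type": "unknown", "format": fmt, "raw": data})
    return {"agent": agent, "sub_agent": sub_agent, "sequence": seq,
            "uptime_ms": uptime_ms, "samples": samples}


def _record(fmt, payload):
    return struct.pack("!II", fmt, len(payload)) + payload


def build_sample_datagram():
    """Constructed datagram: one flow sample at rate 10 carrying the Ethernet header
    of a broadcast ARP frame, plus one counter sample for ifIndex 5."""
    eth_header = bytes.fromhex("ffffffffffff" "0a1b2c3d4e5f" "0806")
    padded = eth_header + b"\x00" * (-len(eth_header) % 4)   # XDR pads to 4 bytes
    raw_header = struct.pack("!4I", 1, 60, 4, len(eth_header)) + padded
    flow = struct.pack("!8I", 1, 5, 10, 1000, 0, 5, 0xBFFFFFFF, 1) + _record(1, raw_header)
    counters = struct.pack(GENERIC_IF_COUNTERS, 5, 6, 10**9, 1, 1, 123456, 100, 2, 3,
                           0, 0, 0, 654321, 90, 1, 1, 0, 0, 0)
    counter = struct.pack("!3I", 1, 5, 1) + _record(1, counters)
    header = (struct.pack("!II", 5, 1) + socket.inet_aton("192.0.2.10")
              + struct.pack("!4I", 0, 42, 123456, 2))
    return header + _record(1, flow) + _record(2, counter)
```

Two things the decoder makes visible that matter operationally: the sampling_rate field tells the collector how many packets each sample represents, so a rate of 10 configured on port5 means every sampled frame is scaled by 10 when estimating volume, and every length field is checked against the buffer before use, because the collector is listening on an unauthenticated UDP port and must not trust the sizes it is handed.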

Configuring Dynamic ARP inspection (DAI)

DAI prevents man-in-the-middle attacks and IP address spoofing by checking that packets from untrusted ports have valid IP-MAC-address binding. DAI allows only valid ARP requests and responses to be forwarded.

To use DAI, you must first enable the DHCP-snooping feature, enable DAI, and then enable DAI for each VLAN. By default, DAI is disabled on all VLANs.

After enabling DHCP snooping with the set switch-controller-dhcp-snooping enable command, use the following CLI commands to enable DAI and then enable DAI for a VLAN:

config system interface
    edit vsw.test
        set switch-controller-arp-inspection <enable | disable>
    next
end

config switch-controller managed-switch
    edit <sn>
        config ports
            edit <port_name>
                set arp-inspection-trust <untrusted | trusted>
            next
        end
    next
end

Use the following CLI command to check DAI statistics for a FortiSwitch unit:

diagnose switch arp-inspection stats <FortiSwitch_Serial_Number>

Use the following CLI command to delete DAI statistics for a specific VLAN:

diagnose switch arp-inspection stats clear <VLAN_ID> <FortiSwitch_Serial_Number>
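To make the trusted/untrusted and binding-table logic concrete, the following is an added example, not FortiSwitch code: a small model of DAI that parses Ethernet/ARP frames, looks the sender's IP up in a DHCP-snooping binding table keyed by VLAN, exempts trusted ports, and keeps per-VLAN counters in the spirit of the statistics command above. The bindings, MAC and IP addresses, port names and frames are all constructed, and the outcome names ("no-binding", "ip-mac-mismatch") are this example's own, not strings the switch reports.

```python
"""Model of dynamic ARP inspection on an access switch: ARP frames arriving on
untrusted ports are validated against the DHCP-snooping binding table; trusted
ports (uplinks) are exempt. Added example, not FortiSwitch code; bindings and
frames are constructed."""
import socket
import struct
from collections import Counter

ETHERTYPE_ARP = 0x0806
BROADCAST = b"\xff" * 6


def build_arp(eth_src, sender_mac, sender_ip, target_ip, opcode=1):
    """Untagged Ethernet/ARP frame (opcode 1 = request, 2 = reply)."""
    eth = BROADCAST + eth_src + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
           + sender_mac + sender_ip + b"\x00" * 6 + target_ip)
    return eth + arp


def parse_arp(frame):
    """Return (sender_mac, sender_ip, opcode); reject anything but IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short")
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not ARP")
    htype, ptype, hlen, plen, opcode = struct.unpack_from("!HHBBH", frame, 14)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP type")
    return frame[22:28], frame[28:32], opcode


class ArpInspector:
    def __init__(self, bindings, trusted_ports, dai_vlans):
        self.bindings = bindings          # {(vlan, ip): mac} learned by DHCP snooping
        self.trusted = set(trusted_ports)
        self.dai_vlans = set(dai_vlans)   # VLANs with switch-controller-arp-inspection enabled
        self.stats = Counter()            # (vlan, outcome) -> count, in the spirit of the DAI stats

    def inspect(self, port, vlan, frame):
        """Return (forward, reason) for one ARP frame and update the counters."""
        if vlan not in self.dai_vlans:
            return True, "dai-disabled-on-vlan"
        if port in self.trusted:
            self.stats[(vlan, "trusted")] += 1
            return True, "trusted-port"
        try:
            sender_mac, sender_ip, _opcode = parse_arp(frame)
        except ValueError as exc:
            self.stats[(vlan, "dropped")] += 1
            return False, f"malformed: {exc}"
        expected = self.bindings.get((vlan, sender_ip))
        if expected is None:
            self.stats[(vlan, "dropped")] += 1
            return False, "no-binding"
        if expected != sender_mac:
            self.stats[(vlan, "dropped")] += 1
            return False, "ip-mac-mismatch"
        self.stats[(vlan, "forwarded")] += 1
        return True, "valid"


def run_demo():
    """Constructed scenario: host A was given 192.0.2.20 by DHCP on VLAN 10; port1 is the uplink."""
    mac_a, mac_b = bytes.fromhex("0a1b2c3d4e01"), bytes.fromhex("0a1b2c3d4e02")
    ip_a, ip_gw, ip_x = (socket.inet_aton(a) for a in ("192.0.2.20", "192.0.2.1", "192.0.2.99"))
    dai = ArpInspector(bindings={(10, ip_a): mac_a}, trusted_ports={"port1"}, dai_vlans={10})
    results = {
        "host_a":     dai.inspect("port2", 10, build_arp(mac_a, mac_a, ip_a, ip_gw)),
        "b_claims_a": dai.inspect("port3", 10, build_arp(mac_b, mac_b, ip_a, ip_gw, opcode=2)),
        "b_unknown":  dai.inspect("port3", 10, build_arp(mac_b, mac_b, ip_x, ip_gw)),
        "via_uplink": dai.inspect("port1", 10, build_arp(mac_b, mac_b, ip_a, ip_gw)),
        "other_vlan": dai.inspect("port3", 20, build_arp(mac_b, mac_b, ip_a, ip_gw)),
        "not_arp":    dai.inspect("port3", 10, b"\x00" * 64),
    }
    return results, dai.stats


if __name__ == "__main__":
    for label, (forward, reason) in run_demo()[0].items():
        print(f"{label}: {'forward' if forward else 'drop'} ({reason})")
```

The "via_uplink" case is the one to keep in mind when deciding which ports to mark trusted: a frame that would be dropped on an access port is forwarded unchecked on a trusted one, so trust should be limited to the links toward the DHCP server and the rest of the switched core. Hosts with static addresses never appear in the snooping table and fall into the "no-binding" case, which is why enabling DAI on a VLAN with such hosts needs a plan for them first.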

Configuring FortiSwitch port mirroring

The FortiSwitch unit can send a copy of any ingress or egress packet on a port to egress on another port of the same FortiSwitch unit. The original traffic is unaffected. This process is known as port mirroring and is typically used for external analysis and capture.

Use the following CLI commands to configure FortiSwitch port mirroring:

config switch-controller managed-switch
    edit <FortiSwitch_Serial_Number>
        config mirror
            edit <mirror_name>
                set status <active | inactive>
                set dst <port_name>
                set switching-packet <enable | disable>
                set src-ingress <port_name>
                set src-egress <port_name>
            next
        end
    next
end

NOTE: The set status and set dst commands are mandatory for port mirroring.

For example:

config switch-controller managed-switch
    edit S524DF4K15000024
        config mirror
            edit 2
                set status active
                set dst port1
                set switching-packet enable
                set src-ingress port2 port3
                set src-egress port4 port5
            next
        end
    next
end

Configure the 802.1X settings for a virtual domain