FortiSwitch port features
You can configure the FortiSwitch port feature settings from the FortiGate using the FortiSwitch CLI or web administration GUI.
FortiSwitch ports display
The WiFi & Switch Controller > FortiSwitch Ports page displays port information about each of the managed switches.
The following figure shows the display for a FortiSwitch 524D-FPOE:
The switch faceplate displays:
- active ports (green)
- PoE-enabled ports (blue rectangle)
- FortiLink port (link icon)
PoE Status displays the total power budget and the actual power currently allocated.
The allocated power displays a blue bar for the used power (currently being consumed) and a green bar for the reserved power (power available for additional devices on the PoE ports). See the following figures:
Each entry in the port list displays the following information:
- Port status (red for down, green for up)
- Port name
- Native VLAN
- Allowed VLANs
- Device information
- PoE status
- Bytes sent and received by the port
Configuring ports using the GUI
You can use the WiFi & Switch Controller > FortiSwitch Ports page to do the following with FortiSwitch switch ports:
- Set the native VLAN and add more VLANs
- Edit the description of the port
- Enable or disable the port
- Enable or disable PoE for the port
- Enable or disable DHCP blocking (if supported by the port)
- Enable or disable IGMP snooping (if supported by the port)
- Enable or disable whether a port is an edge port
- Enable or disable STP (if supported by the port)
- Enable or disable loop guard (if supported by the port)
- Enable or disable STP BPDU guard (if supported by the port)
- Enable or disable STP root guard (if supported by the port)
Resetting PoE-enabled ports
If you need to reset PoE-enabled ports, go to WiFi & Switch Controller > FortiSwitch Ports, right-click one or more PoE-enabled ports, and select Reset PoE from the context menu.
You can also go to WiFi & Switch Controller > Managed FortiSwitch and click a port icon for the FortiSwitch of interest. On the FortiSwitch Ports page, right-click one or more PoE-enabled ports and select Reset PoE from the context menu.
Configuring ports using the FortiGate CLI
You can configure the following FortiSwitch port settings using the FortiGate CLI:
- Configuring port speed and status
- Configure a VLAN on the port (see VLAN configuration)
- Sharing FortiSwitch ports between VDOMs (391878)
- Limiting the number of learned MAC addresses on a FortiSwitch interface
- Configuring the DHCP trust setting
- Configuring PoE
- Configuring edge ports
- Configuring STP
- Configuring STP root guard
- Configuring STP BPDU guard
- Configuring loop guard
- Configuring LLDP settings
- Configuring IGMP settings
- Configuring sFlow
- Configuring Dynamic ARP inspection (DAI)
- Configuring FortiSwitch port mirroring
Configuring port speed and status
Use the following commands to set port speed and other base port settings:

    config switch-controller managed-switch
        edit <switch>
            config ports
                edit <port>
                    set description <text>
                    set speed <speed>
                    set status {down | up}
            end
        end

For example:

    config switch-controller managed-switch
        edit S524DF4K15000024
            config ports
                edit port1
                    set description "First port"
                    set speed auto
                    set status up
            end
        end
Sharing FortiSwitch ports between VDOMs (391878)
Virtual domains (VDOMs) are a method of dividing a FortiGate unit into two or more virtual units that function as multiple independent units. VDOMs provide separate security domains that allow separate zones, user authentication, security policies, routing, and VPN configurations.
FortiSwitch ports can now be shared between VDOMs.
NOTE: You cannot use the quarantine feature while sharing FortiSwitch ports between VDOMs.
To share FortiSwitch ports between VDOMs:
- Create one or more VDOMs.
- Assign VLANs to each VDOM as required.
- From these VLANs, select one VLAN to be the default VLAN for the ports in the virtual switch:

    config switch-controller global
        set default-virtual-switch-vlan <VLAN>
    end

NOTE: You must execute these commands from the VDOM that the default VLAN belongs to.
When you add a new port to the VDOM, the new port is automatically assigned to the default VLAN. You can reassign the ports to other VLANs later.
- Create a virtual port pool (VPP) to contain the ports to be shared:

    config switch-controller virtual-port-pool
        edit <VPP_name>
            set description <string>
        next
    end

NOTE: You must execute these commands from the VDOM that the default VLAN belongs to.
For example:

    config switch-controller virtual-port-pool
        edit "pool3"
            set description "pool for port3"
        next
    end
- Share a FortiSwitch port from the VDOM that the FortiSwitch belongs to with another VDOM, or export the FortiSwitch port to a VPP where it can be used by any VDOM:

    config switch-controller managed-switch
        edit <switch.id>
            config ports
                edit <port_name>
                    set {export-to-pool <VPP_name> | export-to <VDOM_name>}
                    set export-tags <string1,string2,string3,…>
                next
            end
        next
    end

NOTE: You must execute these commands from the VDOM that the default VLAN belongs to.
For example, if you want to export a port to the VPP named pool3:

    config switch-controller managed-switch
        edit "S524DF4K15000024"
            config ports
                edit port3
                    set export-to-pool "pool3"
                    set export-tags "Pool 3"
                next
            end
        next
    end

For example, if you want to export a port to the VDOM named vdom3:

    config switch-controller managed-switch
        edit "S524DF4K15000024"
            config ports
                edit port3
                    set export-to "vdom3"
                    set export-tags "VDOM 3"
                next
            end
        next
    end
- Request a port in a VPP:

    execute switch-controller virtual-port-pool request <FortiSwitch_device_ID> <port_name>

NOTE: You must execute this command from the VDOM that is requesting the port.
For example:

    execute switch-controller virtual-port-pool request S524DF4K15000024 port3

- Return a port to a VPP:

    execute switch-controller virtual-port-pool return <FortiSwitch_device_ID> <port_name>

NOTE: You must execute this command from the VDOM that owns the port.
For example:

    execute switch-controller virtual-port-pool return S524DF4K15000024 port3
You can create your own export tags using the following CLI commands:

    config switch-controller switch-interface-tag
        edit <tag_name>
        next
    end

Use the following CLI command to list the contents of a specific VPP:

    execute switch-controller virtual-port-pool show-by-pool <VPP_name>

Use the following CLI command to list all VPPs and their contents:

    execute switch-controller virtual-port-pool show
NOTE: Shared ports do not support the following features:
- LLDP
- 802.1x
- STP
- BPDU guard
- Root guard
- DHCP snooping
- IGMP snooping
- QoS
- Port security
- MCLAG
Limiting the number of learned MAC addresses on a FortiSwitch interface
You can limit the number of MAC addresses learned on a FortiSwitch interface (port or VLAN). The limit ranges from 1 to 128. If the limit is set to the default value zero, there is no learning limit.
NOTE: Static MAC addresses are not counted in the limit. The limit refers only to learned MAC addresses.
Use the following CLI commands to limit MAC address learning on a VLAN:

    config switch vlan
        edit <integer>
            set switch-controller-learning-limit <limit>
        next
    end

For example:

    config switch vlan
        edit 100
            set switch-controller-learning-limit 20
        next
    end

Use the following CLI commands to limit MAC address learning on a port:

    config switch-controller managed-switch
        edit <FortiSwitch_Serial_Number>
            config ports
                edit <port>
                    set learning-limit <limit>
                next
            end
        next
    end

For example:

    config switch-controller managed-switch
        edit S524DF4K15000024
            config ports
                edit port3
                    set learning-limit 50
                next
            end
        next
    end
Configuring the DHCP trust setting
The DHCP blocking feature monitors DHCP traffic from untrusted sources (typically host ports and unknown DHCP servers) that might initiate traffic attacks or other hostile actions. To prevent this, DHCP blocking filters DHCP messages on untrusted ports.
Set the port as a trusted or untrusted DHCP-snooping interface:

    config switch-controller managed-switch
        edit <switch-id>
            config ports
                edit <port name>
                    set dhcp-snooping {trusted | untrusted}
            end
        end

For example:

    config switch-controller managed-switch
        edit S524DF4K15000024
            config ports
                edit port1
                    set dhcp-snooping trusted
            end
        end
Configuring PoE
The following PoE CLI commands are available starting in FortiSwitchOS 3.3.0.
Enable PoE on the port

    config switch-controller managed-switch
        edit <switch-id>
            config ports
                edit <port name>
                    set poe-status {enable | disable}
            end
        end

For example:

    config switch-controller managed-switch
        edit S524DF4K15000024
            config ports
                edit port1
                    set poe-status enable
            end
        end

Reset the PoE port
Power over Ethernet (PoE) describes any system that passes electric power along with data on twisted-pair Ethernet cabling. This allows a single cable to provide both a data connection and electric power to devices (for example, wireless access points, IP cameras, and VoIP phones).
The following command resets PoE on the port:

    execute switch-controller poe-reset <fortiswitch-id> <port>

Display general PoE status

    get switch-controller poe <fortiswitch-id> <port>

The following example displays the PoE status for port 6 on the specified switch:

    # get switch-controller poe FS108D3W14000967 port6
    Port(6) Power:3.90W, Power-Status: Delivering Power
    Power-Up Mode: Normal Mode
    Remote Power Device Type: IEEE802.3AT PD
    Power Class: 4
    Defined Max Power: 30.0W, Priority:3
    Voltage: 54.00V
    Current: 78mA
Configuring edge ports
Use the following commands to enable or disable an interface as an edge port:

    config switch-controller managed-switch
        edit <switch>
            config ports
                edit <port>
                    set edge-port {enable | disable}
            end
        end

For example:

    config switch-controller managed-switch
        edit S524DF4K15000024
            config ports
                edit port1
                    set edge-port enable
            end
        end
Configuring STP
Starting with FortiSwitch Release 3.4.2, STP is enabled by default for the non-FortiLink ports on the managed FortiSwitch units. STP is a link-management protocol that ensures a loop-free layer-2 network topology.
NOTE: STP is not supported between a FortiGate unit and a FortiSwitch unit in FortiLink mode.
To configure global STP settings, see Configure STP settings.
Use the following commands to enable or disable STP on FortiSwitch ports:

    config switch-controller managed-switch
        edit <switch-id>
            config ports
                edit <port name>
                    set stp-state {enabled | disabled}
            end
        end

For example:

    config switch-controller managed-switch
        edit S524DF4K15000024
            config ports
                edit port1
                    set stp-state enabled
            end
        end

To check the STP configuration on a FortiSwitch, use the following command:

    diagnose switch-controller dump stp <FortiSwitch_serial_number> <instance_number>
For example:

    FG100D3G15817028 # diagnose switch-controller dump stp S524DF4K15000024 0
    MST Instance Information, primary-Channel:
    Instance ID : 0
    Switch Priority : 24576
    Root MAC Address : 085b0ef195e4
    Root Priority: 24576
    Root Pathcost: 0
    Regional Root MAC Address : 085b0ef195e4
    Regional Root Priority: 24576
    Regional Root Path Cost: 0
    Remaining Hops: 20
    This Bridge MAC Address : 085b0ef195e4
    This bridge is the root

    Port             Speed  Cost      Priority  Role        State      Edge STP-Status Loop Protection
    ________________ ______ _________ _________ ___________ __________ ____ __________ ________
    port1            -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
    port2            -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
    port3            -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
    port4            -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
    port5            -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
    port6            -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
    port7            -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
    port8            -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
    port9            -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
    port10           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
    port11           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
    port12           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
    port13           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
    port14           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
    port15           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
    port16           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
    port17           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
    port18           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
    port19           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
    port20           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
    port21           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
    port22           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
    port23           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
    port25           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
    port26           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
    port27           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
    port28           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
    port29           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
    port30           -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
    internal         1G     20000     128       DESIGNATED  FORWARDING YES  DISABLED   NO
    __FoRtI1LiNk0__  1G     20000     128       DESIGNATED  FORWARDING YES  DISABLED   NO
Configuring STP root guard
Root guard protects the interface on which it is enabled from becoming the path to root. When enabled on an interface, superior BPDUs received on that interface are ignored or dropped. Without using root guard, any switch that participates in STP maintains the ability to reroute the path to root. Rerouting might cause your network to transmit large amounts of traffic across suboptimal links or allow a malicious or misconfigured device to pose a security risk by passing core traffic through an insecure device for packet capture or inspection. By enabling root guard on multiple interfaces, you can create a perimeter around your existing paths to root to enforce the specified network topology.
Enable root guard on all ports that should not be root bridges. Do not enable root guard on the root port. You must have STP enabled to be able to use root guard.
Use the following commands to enable or disable STP root guard on FortiSwitch ports:

    config switch-controller managed-switch
        edit <switch-id>
            config ports
                edit <port name>
                    set stp-root-guard {enabled | disabled}
            end
        end

For example:

    config switch-controller managed-switch
        edit S524DF4K15000024
            config ports
                edit port1
                    set stp-root-guard enabled
            end
        end
Configuring STP BPDU guard
Similar to root guard, BPDU guard protects the intended network topology. When BPDU guard is enabled on STP edge ports, any BPDUs received cause the ports to go down for a specified number of minutes. The BPDUs are not forwarded, and the network edge is enforced. There are two prerequisites for using BPDU guard:
- You must define the port as an edge port with the set edge-port enable command.
- You must enable STP on the switch interface with the set stp-state enabled command.
You can set how long the port will stay down when a BPDU is received, up to a maximum of 120 minutes. The default port timeout is 5 minutes. If you set the timeout value to 0, the port will not go down when a BPDU is received, but you will have to manually reset the port.
Use the following commands to enable or disable STP BPDU guard on FortiSwitch ports:

    config switch-controller managed-switch
        edit <switch-id>
            config ports
                edit <port name>
                    set stp-bpdu-guard {enabled | disabled}
                    set stp-bpdu-guard-time <0-120>
            end
        end

For example:

    config switch-controller managed-switch
        edit S524DF4K15000024
            config ports
                edit port1
                    set stp-bpdu-guard enabled
                    set stp-bpdu-guard-time 10
            end
        end

To check the configuration of STP BPDU guard on a FortiSwitch unit, use the following command:

    diagnose switch-controller dump bpdu-guard-status <FortiSwitch_serial_number>
For example:

    FG100D3G15817028 # diagnose switch-controller dump bpdu-guard-status S524DF4K15000024
    Managed Switch : S524DF4K15000024 0

    Portname          State   Status    Timeout(m)  Count Last-Event
    _________________ _______ _________ ___________ _____ _______________
    port1             enabled -         10          0     -
    port2             disabled -        -           -     -
    port3             disabled -        -           -     -
    port4             disabled -        -           -     -
    port5             disabled -        -           -     -
    port6             disabled -        -           -     -
    port7             disabled -        -           -     -
    port8             disabled -        -           -     -
    port9             disabled -        -           -     -
    port10            disabled -        -           -     -
    port11            disabled -        -           -     -
    port12            disabled -        -           -     -
    port13            disabled -        -           -     -
    port14            disabled -        -           -     -
    port15            disabled -        -           -     -
    port16            disabled -        -           -     -
    port17            disabled -        -           -     -
    port18            disabled -        -           -     -
    port19            disabled -        -           -     -
    port20            disabled -        -           -     -
    port21            disabled -        -           -     -
    port22            disabled -        -           -     -
    port23            disabled -        -           -     -
    port25            disabled -        -           -     -
    port26            disabled -        -           -     -
    port27            disabled -        -           -     -
    port28            disabled -        -           -     -
    port29            disabled -        -           -     -
    port30            disabled -        -           -     -
    __FoRtI1LiNk0__   disabled -        -           -     -
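The two dumps above are what an operator has to read by hand to confirm that BPDU guard is actually enforcing the edge. The following Python script is an added example (not from the Fortinet guide) that parses both outputs in the layout shown and flags ports where BPDU guard is enabled without its prerequisites (edge port, STP enabled), ports where it has already fired, and STP edge ports that lack it. The sample outputs are constructed and abbreviated, and reading Count as the number of guard events is an assumption.

```python
"""Cross-check BPDU guard against its STP prerequisites.

Parses the two FortiGate outputs shown above (diagnose switch-controller
dump stp ... and ... dump bpdu-guard-status ...). Assumption: a non-zero
Count means BPDU guard has already fired on that port.
"""

# Constructed, abbreviated samples in the layout of the outputs above.
STP_DUMP = """\
Port             Speed  Cost      Priority  Role        State      Edge STP-Status Loop Protection
________________ ______ _________ _________ ___________ __________ ____ __________ ________
port1            -      200000000 128       DISABLED    DISCARDING YES  ENABLED    NO
port2            1G     20000     128       DESIGNATED  FORWARDING YES  DISABLED   NO
port3            1G     20000     128       DESIGNATED  FORWARDING NO   ENABLED    NO
port4            1G     20000     128       DESIGNATED  FORWARDING YES  ENABLED    NO
port5            1G     20000     128       DESIGNATED  FORWARDING YES  ENABLED    NO
__FoRtI1LiNk0__  1G     20000     128       DESIGNATED  FORWARDING YES  DISABLED   NO
"""

BPDU_GUARD_STATUS = """\
Managed Switch : S524DF4K15000024 0
Portname          State   Status    Timeout(m)  Count Last-Event
_________________ _______ _________ ___________ _____ _______________
port1             enabled -         10          0     -
port2             enabled -         5           0     -
port3             enabled -         5           0     -
port4             enabled -         5           2     -
port5             disabled -        -           -     -
__FoRtI1LiNk0__   disabled -        -           -     -
"""

STP_COLUMNS = ("speed", "cost", "priority", "role", "state",
               "edge", "stp_status", "loop_protection")
BPDU_COLUMNS = ("state", "status", "timeout", "count", "last_event")


def parse_table(text, columns):
    """Map port name -> {column: value}; banner, header and underline lines are skipped."""
    rows = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != len(columns) + 1:
            continue  # banner lines; the STP header splits into one extra token
        name = fields[0]
        if name in ("Port", "Portname") or set(name) == {"_"}:
            continue
        rows[name] = dict(zip(columns, fields[1:]))
    return rows


def audit_bpdu_guard(stp_text, bpdu_text):
    """Return (port, finding) pairs worth a ticket or an alert."""
    stp = parse_table(stp_text, STP_COLUMNS)
    guard = parse_table(bpdu_text, BPDU_COLUMNS)
    findings = []
    for port, g in guard.items():
        if g["state"] != "enabled":
            continue
        s = stp.get(port)
        if s is None:
            findings.append((port, "BPDU guard enabled but port missing from STP dump"))
            continue
        if s["edge"] != "YES":
            findings.append((port, "BPDU guard enabled on a non-edge port"))
        if s["stp_status"] != "ENABLED":
            findings.append((port, "BPDU guard enabled but STP disabled on the port"))
        if g["count"].isdigit() and int(g["count"]) > 0:
            findings.append((port, f"BPDU guard fired {g['count']} time(s): a BPDU reached an edge port"))
    # Edge ports running STP without BPDU guard leave the edge unenforced.
    for port, s in stp.items():
        if (s["edge"] == "YES" and s["stp_status"] == "ENABLED"
                and guard.get(port, {}).get("state") != "enabled"):
            findings.append((port, "edge port with STP enabled but no BPDU guard"))
    return findings
```

Feed the script the real output of both diagnose commands for a switch and treat a "fired" finding as a signal that a switch or a misbehaving device was plugged into an access port.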
Configuring loop guard
A loop in a layer-2 network results in broadcast storms that have far-reaching and unwanted effects. Fortinet loop guard helps to prevent loops. When loop guard is enabled on a switch port, the port monitors its subtending network for any downstream loops. The loop guard feature is designed to work in concert with STP rather than as a replacement for STP. By default, loop guard is disabled on all ports.
Use the following commands to configure loop guard on a FortiSwitch port:

    config switch-controller managed-switch
        edit <switch-id>
            config ports
                edit <port name>
                    set loop-guard {enabled | disabled}
            end
        end

For example:

    config switch-controller managed-switch
        edit S524DF4K15000024
            config ports
                edit port1
                    set loop-guard enabled
            end
        end
Configuring LLDP settings
The Fortinet data center switches support the Link Layer Discovery Protocol (LLDP) for transmission and reception wherein the switch will multicast LLDP packets to advertise its identity and capabilities. A switch receives the equivalent information from adjacent layer-2 peers.
Use the following commands to configure LLDP on a FortiSwitch port:

    config switch-controller managed-switch
        edit <switch-id>
            config ports
                edit <port name>
                    set lldp-status {rx-only | tx-only | tx-rx | disable}
                    set lldp-profile <profile name>
            end
        end

For example:

    config switch-controller managed-switch
        edit S524DF4K15000024
            config ports
                edit port2
                    set lldp-status tx-rx
                    set lldp-profile default
            end
        end
Configuring IGMP settings
IGMP snooping allows the FortiSwitch to passively listen to the Internet Group Management Protocol (IGMP) traffic between hosts and routers. The switch uses this information to determine which ports are interested in receiving each multicast feed. FortiSwitch can reduce unnecessary multicast traffic on the LAN by pruning multicast traffic from links that do not contain a multicast listener.
Use the following commands to configure IGMP snooping on a FortiSwitch port:

    config switch-controller managed-switch
        edit <switch-id>
            config ports
                edit <port name>
                    set igmp-snooping {enable | disable}
                    set igmps-flood-reports {enable | disable}
            end
        end

For example:

    config switch-controller managed-switch
        edit S524DF4K15000024
            config ports
                edit port3
                    set igmp-snooping enable
                    set igmps-flood-reports enable
            end
        end
Configuring sFlow
sFlow is a method of monitoring the traffic on your network to identify areas on the network that might impact performance and throughput. With sFlow, you can export truncated packets and interface counters. FortiSwitch implements sFlow version 5 and supports trunks and VLANs.
NOTE: Because sFlow is CPU intensive, Fortinet does not recommend high rates of sampling for long periods.
sFlow uses packet sampling to monitor network traffic. The sFlow agent captures packet information at defined intervals and sends them to an sFlow collector for analysis, providing real-time data analysis. To minimize the impact on network throughput, the information sent is only a sampling of the data.
The sFlow collector is a central server running software that analyzes and reports on network traffic. The sampled packets and counter information, referred to as flow samples and counter samples, respectively, are sent as sFlow datagrams to a collector. Upon receiving the datagrams, the sFlow collector provides real-time analysis and graphing to indicate the source of potential traffic issues. sFlow collector software is available from a number of third-party software vendors. You must configure a FortiGate policy to transmit the samples from the FortiSwitch unit to the sFlow collector.
sFlow can monitor network traffic in two ways:
- Flow samples—You specify the percentage of packets (one out of n packets) to randomly sample.
- Counter samples—You specify how often (in seconds) the network device sends interface counters.
Use the following CLI commands to specify the IP address and port for the sFlow collector. By default, the IP address is 0.0.0.0, and the port number is 6343.

    config switch-controller sflow
        set collector-ip <x.x.x.x>
        set collector-port <port_number>
    end

Use the following CLI commands to configure sFlow:

    config switch-controller managed-switch
        edit <FortiSwitch_serial_number>
            config ports
                edit <port_name>
                    set sflow-sampler {disabled | enabled}
                    set sflow-sample-rate <0-99999>
                    set sflow-counter-interval <1-255>
                next
            end
        next
    end

For example:

    config switch-controller sflow
        set collector-ip 1.2.3.4
        set collector-port 10
    end

    config switch-controller managed-switch
        edit S524DF4K15000024
            config ports
                edit port5
                    set sflow-sampler enabled
                    set sflow-sample-rate 10
                    set sflow-counter-interval 60
                next
            end
        next
    end
Configuring Dynamic ARP inspection (DAI)
DAI prevents man-in-the-middle attacks and IP address spoofing by checking that packets from untrusted ports have valid IP-MAC-address binding. DAI allows only valid ARP requests and responses to be forwarded.
To use DAI, you must first enable the DHCP-snooping feature, enable DAI, and then enable DAI for each VLAN. By default, DAI is disabled on all VLANs.
After enabling DHCP snooping with the set switch-controller-dhcp-snooping enable command, use the following CLI commands to enable DAI and then set the trust state for a port:

    config system interface
        edit vsw.test
            set switch-controller-arp-inspection {enable | disable}
        end

    config switch-controller managed-switch
        edit <sn>
            config ports
                edit <VLAN_ID>
                    set arp-inspection-trust {untrusted | trusted}
                next
            end
        next
    end

Use the following CLI command to check DAI statistics for a FortiSwitch unit:

    diagnose switch arp-inspection stats <FortiSwitch_Serial_Number>

Use the following CLI command to delete DAI statistics for a specific VLAN:

    diagnose switch arp-inspection stats clear <VLAN_ID> <FortiSwitch_Serial_Number>
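The check that DAI performs, modelled in Python as an added example (not Fortinet code): an ARP packet arriving on an untrusted port is forwarded only if its sender IP/MAC pair matches a DHCP-snooping binding for that VLAN, while trusted ports bypass inspection. The binding table, packet fields and class names are constructed assumptions for illustration.

```python
"""Toy model of the Dynamic ARP inspection (DAI) check described above.

On an untrusted port an ARP packet is forwarded only when its sender
IP/MAC pair matches a DHCP-snooping binding for that VLAN; trusted ports
bypass the check. Class and table names are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One entry of the DHCP-snooping binding table (constructed)."""
    ip: str
    mac: str
    vlan: int
    port: str


@dataclass(frozen=True)
class ArpPacket:
    in_port: str
    vlan: int
    eth_src: str     # Ethernet source MAC of the frame
    op: str          # "request" or "reply"
    sender_mac: str
    sender_ip: str
    target_ip: str


# Constructed binding table, as DHCP snooping would have learned it.
BINDINGS = (
    Binding("10.0.1.10", "00:11:22:33:44:10", 100, "port2"),
    Binding("10.0.1.11", "00:11:22:33:44:11", 100, "port3"),
)
TRUSTED_PORTS = frozenset({"port1"})  # uplink towards the DHCP server


def inspect_arp(pkt, bindings=BINDINGS, trusted=TRUSTED_PORTS):
    """Return ("forward", reason) or ("drop", reason) for one ARP packet."""
    if pkt.in_port in trusted:
        return ("forward", "trusted port, not inspected")
    if pkt.op not in ("request", "reply"):
        return ("drop", "unknown ARP operation")
    # The sender MAC inside ARP must be the MAC that actually sent the frame.
    if pkt.eth_src.lower() != pkt.sender_mac.lower():
        return ("drop", "ARP sender MAC differs from Ethernet source MAC")
    for b in bindings:
        if (b.vlan == pkt.vlan and b.ip == pkt.sender_ip
                and b.mac.lower() == pkt.sender_mac.lower()):
            return ("forward", f"sender bound to {b.port} by DHCP snooping")
    return ("drop", f"no binding for {pkt.sender_ip}/{pkt.sender_mac} on VLAN {pkt.vlan}")


# Constructed packets: a legitimate request, a reply whose sender claims
# another host's address (the case DAI exists to block), and an uplink reply.
LEGIT = ArpPacket("port2", 100, "00:11:22:33:44:10", "request",
                  "00:11:22:33:44:10", "10.0.1.10", "10.0.1.1")
SPOOFED = ArpPacket("port3", 100, "00:11:22:33:44:11", "reply",
                    "00:11:22:33:44:11", "10.0.1.10", "10.0.1.11")
UPLINK = ArpPacket("port1", 100, "00:11:22:33:44:01", "reply",
                   "00:11:22:33:44:01", "10.0.1.1", "10.0.1.10")

if __name__ == "__main__":
    for p in (LEGIT, SPOOFED, UPLINK):
        print(p.in_port, p.op, *inspect_arp(p))
```

The same logic explains why DHCP snooping must be enabled first: without the binding table, every packet on an untrusted port would be dropped.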
Configuring FortiSwitch port mirroring
The FortiSwitch unit can send a copy of any ingress or egress packet on a port to egress on another port of the same FortiSwitch unit. The original traffic is unaffected. This process is known as port mirroring and is typically used for external analysis and capture.
Use the following CLI commands to configure FortiSwitch port mirroring:

    config switch-controller managed-switch
        edit <FortiSwitch_Serial_Number>
            config mirror
                edit <mirror_name>
                    set status {active | inactive}
                    set dst <port_name>
                    set switching-packet {enable | disable}
                    set src-ingress <port_name>
                    set src-egress <port_name>
                next
            end
        next
    end

NOTE: The set status and set dst commands are mandatory for port mirroring.
For example:

    config switch-controller managed-switch
        edit S524DF4K15000024
            config mirror
                edit 2
                    set status active
                    set dst port1
                    set switching-packet enable
                    set src-ingress port2 port3
                    set src-egress port4 port5
                next
            end
        next
    end
Configure the 802.1X settings for a virtual domain