Handbook

Additional capabilities

6.0.0

Additional capabilities

This chapter covers the following topics:

Execute custom FortiSwitch commands

From the FortiGate, you can execute FortiSwitch commands on the managed FortiSwitch.

This feature adds a simple scripting mechanism for users to execute generic commands on the switch.

NOTE: FortiOS 5.6.0 introduces additional capabilities related to the managed FortiSwitch.

Create a command

Use the following syntax to create a command file:

    config switch-controller custom-command
    edit <cmd-name>
    set command "<FortiSwitch commands>"
    next
    end

Next, create a command file to set the STP max-age parameter. The FortiSwitch commands are entered as one quoted string, separated by %0a (a URL-encoded newline):

    config switch-controller custom-command
    edit "stp-age-10"
    set command "config switch stp setting %0a set max-age 10 %0a end %0a"
    next
    end

Execute a command

After you have created a command file, use the following command on the FortiGate to execute the command file on the target switch:

    exec switch-controller custom-command <cmd-name> <target-switch>

The following example runs the stp-age-10 command on the specified target FortiSwitch:

    exec switch-controller custom-command stp-age-10 S124DP3X15000118

View and upgrade the FortiSwitch firmware version

You can view the current firmware version of a FortiSwitch unit and upgrade the FortiSwitch to a new firmware version. The FortiGate unit will suggest an upgrade when a new version is available in FortiGuard.

Using the FortiGate web interface

To view the FortiSwitch firmware version:

  1. Go to WiFi & Switch Controller > Managed FortiSwitch.
  2. In the main panel, select the FortiSwitch faceplate and click Edit.
  3. In the Edit Managed FortiSwitch panel, the Firmware section displays the current build on the FortiSwitch.

To upgrade the firmware on multiple FortiSwitch units at the same time:

  1. Go to WiFi & Switch Controller > Managed FortiSwitch.
  2. Select the faceplates of the FortiSwitch units that you want to upgrade.
  3. Click Upgrade. The Upgrade FortiSwitches page opens.
  4. Select FortiGuard or select Upload and then select the firmware file to upload. If you select FortiGuard, all FortiSwitch units that can be upgraded are upgraded. If you select Upload, only one firmware image can be used at a time for upgrading.
  5. Select Upgrade.

Using the CLI

Use the following command to display the latest version:

    diagnose fdsm fortisw-latest-ver <model>

Use the following command to download the image:

    diagnose fdsm fortisw-download <image id>

The following example shows how to download the latest image for FS224D:

    FG100D3G15801204 (global) # diagnose fdsm fortisw-latest-ver FS224D
    FS224D - 3.4.2 b192 03004000FIMG0900904002
    FG100D3G15801204 (global) # diagnose fdsm fortisw-download 03004000FIMG0900904002
    Download image-03004000FIMG0900904002:
    ################################################################################
    Result=Success

Use the following CLI commands to enable the use of HTTPS to download firmware to managed FortiSwitch units:

    config switch-controller global
    set https-image-push enable
    end

From your FortiGate CLI, you can upgrade the firmware of all of the managed FortiSwitch units of the same model using a single execute command. The command takes the name of a firmware image file, and all of the managed FortiSwitch units compatible with that image file are upgraded. For example:

    execute switch-controller stage-tiered-swtp-image ALL <firmware-image-file>

You can also use the following command to restart all of the managed FortiSwitch units after a 2-minute delay:

    execute switch-controller restart-swtp-delayed ALL

FortiSwitch log export

You can enable and disable the managed FortiSwitch units to export their syslogs to the FortiGate. The setting is global, and the default setting is enabled. Starting in FortiOS 5.6.3, more details are included in the exported FortiSwitch logs.

To allow a level of filtering, FortiGate sets the user field to "fortiswitch-syslog" for each entry.

The following is the CLI command syntax:

    config switch-controller switch-log
    set status (*enable | disable)
    set severity [emergency | alert | critical | error | warning | notification | *information | debug]
    end

You can override the global log settings for a FortiSwitch using the following commands:

    config switch-controller managed-switch
    edit <switch-id>
    config switch-log
    set local-override enable

At this point, you can configure the log settings that apply to this specific switch.
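The following Python script is an added example (not from the handbook) of using that user field for filtering: it keeps only log entries tagged user="fortiswitch-syslog" and drops those below a chosen severity, ordering severities exactly as the set severity command above lists them. The key=value line layout, the level field name and the sample lines are assumptions constructed for this example.

```python
"""Filter FortiSwitch syslog entries exported to the FortiGate by severity.

Added example, not from the Fortinet handbook. It assumes the exported
entries are FortiOS-style key=value log lines carrying a user= field set
to "fortiswitch-syslog" (as the handbook states) and a level= field using
the severity names listed for 'set severity'. The sample lines below are
constructed for this example, not captured from a device.
"""
import re

# Severity order from the 'set severity' syntax, most to least severe.
SEVERITIES = ["emergency", "alert", "critical", "error", "warning",
              "notification", "information", "debug"]
RANK = {name: i for i, name in enumerate(SEVERITIES)}

# Constructed sample log lines (hypothetical content).
SAMPLE_LOGS = """\
date=2019-07-18 time=10:02:11 devid=S124DP3X16000413 user="fortiswitch-syslog" level="warning" logdesc="Port link down" msg="port8 link down"
date=2019-07-18 time=10:02:12 devid=FG100D3G15804763 user="admin" level="notification" logdesc="Admin login" msg="login ok"
date=2019-07-18 time=10:02:30 devid=S124DP3X16000413 user="fortiswitch-syslog" level="information" logdesc="MAC learned" msg="mac learned on port3"
date=2019-07-18 time=10:03:00 devid=S124DP3X16000413 user="fortiswitch-syslog" level="critical" logdesc="STP topology change" msg="root bridge changed"
"""

# key=value or key="quoted value with spaces"
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Split one key=value log line into a dict (quoted values unquoted)."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in FIELD_RE.finditer(line)}


def severity_at_least(level, threshold):
    """True if 'level' is as severe as, or more severe than, 'threshold'."""
    return RANK[level] <= RANK[threshold]


def fortiswitch_events(text, threshold="information"):
    """Return FortiSwitch-originated entries at or above the threshold severity.

    Entries are recognised by user="fortiswitch-syslog"; entries from other
    users (for example admin logins) are ignored. Unknown levels are skipped.
    """
    events = []
    for line in text.splitlines():
        fields = parse_line(line)
        if fields.get("user") != "fortiswitch-syslog":
            continue
        level = fields.get("level")
        if level in RANK and severity_at_least(level, threshold):
            events.append(fields)
    return events


if __name__ == "__main__":
    for ev in fortiswitch_events(SAMPLE_LOGS, "warning"):
        print(ev["time"], ev["devid"], ev["level"], ev["msg"])
```

The threshold argument mirrors the set severity setting: the device-side setting decides what the switch exports, while this filter lets you narrow further on the collector without changing the switch configuration.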

FortiSwitch per-port device visibility

In the FortiGate GUI, User & Device > Device List displays a list of devices attached to the FortiSwitch ports. For each device, the table displays the IP address of the device and the interface (FortiSwitch name and port).

From the CLI, the following command displays information about the host devices:

    diagnose switch-controller dump mac-hosts_switch-ports

FortiGate CLI support for FortiSwitch features (on non-FortiLink ports)

You can configure the following FortiSwitch features from the FortiGate CLI.

Configuring a link aggregation group (LAG)

You can configure a link aggregation group (LAG) for non-FortiLink ports on a FortiSwitch. You cannot configure ports from different FortiSwitch units in one LAG. The mode setting selects the link aggregation mode (static or LACP).

    config switch-controller managed-switch
    edit <switch-id>
    config ports
    edit <trunk name>
    set type trunk
    set mode {static | lacp}
    set bundle {enable | disable}
    set min-bundle <int>
    set max-bundle <int>
    set members <port1> <port2> ...
    next
    end
    next
    end

Configuring an MCLAG with managed FortiSwitch units

A multichassis LAG (MCLAG) provides node-level redundancy by grouping two FortiSwitch models together so that they appear as a single switch on the network. If either switch fails, the MCLAG continues to function without any interruption, increasing network resiliency and eliminating the delays associated with the Spanning Tree Protocol (STP). For the network topology, see Dual-homed servers connected to a pair of FortiSwitch units using an MCLAG and Standalone FortiGate unit with dual-homed FortiSwitch access.

Notes

  • Both peer switches should be of the same hardware model and same software version. Mismatched configurations might work but are unsupported.
  • There is a maximum of two FortiSwitch models per MCLAG.
  • The routing feature is not available within an MCLAG.
  • For static MAC addresses within an MCLAG, if one FortiSwitch learns the MAC address, the second FortiSwitch will automatically learn the MAC address.

To configure an MCLAG with managed FortiSwitch units:

  1. For each MCLAG peer switch, log into the FortiSwitch to create a LAG:

    config switch trunk
    edit "LAG-member"
    set mode lacp-active
    set mclag-icl enable
    set members "<port>" "<port>"
    next
    end

  2. Enable the MCLAG on each managed FortiSwitch:

    config switch-controller managed-switch
    edit "<switch-id>"
    config ports
    edit "<trunk name>"
    set type trunk
    set mode {static | lacp-passive | lacp-active}
    set bundle {enable | disable}
    set members "<port>,<port>"
    set mclag {enable | disable}
    next
    end
    next
    end

  3. Log into each managed FortiSwitch to check the MCLAG configuration:

    diagnose switch mclag

After the FortiSwitch units are configured as MCLAG peer switches, any port that supports advanced features on the FortiSwitch can become a LAG port. When mclag is enabled and the LAG port names match, an MCLAG peer set is automatically formed. The member ports for each FortiSwitch in the MCLAG do not need to be identical to the member ports on the peer FortiSwitch.

Note

If you disable the MCLAG ICL (with the set mclag-icl disable command), you need to enable the fortilink-split-interface.

Configuring storm control

Storm control uses the data rate (packets/sec, default 500) of the link to measure traffic activity, preventing traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on a port.

When the data rate exceeds the configured threshold, storm control drops excess traffic. You can configure the types of traffic to drop: broadcast, unknown unicast, or multicast.

The storm control settings are global to all of the non-FortiLink ports on the managed switches. Use the following CLI commands to configure storm control:

    config switch-controller storm-control
    set rate <rate>
    set unknown-unicast (enable | disable)
    set unknown-multicast (enable | disable)
    set broadcast (enable | disable)
    end

You can override the global storm control settings for a FortiSwitch using the following commands:

    config switch-controller managed-switch
    edit <switch-id>
    config storm-control
    set local-override enable

At this point, you can configure the storm control settings that apply to this specific switch.

Displaying port statistics

Port statistics are displayed with the following CLI command, run on the FortiGate with the switch ID and port as arguments:

    FG100D3G15804763 # diagnose switch-controller dump port-stats S124DP3X16000413 port8
    S124DP3X16000413 0 :
    {
    "port8":{
    "tx-bytes":823526672,
    "tx-packets":1402390,
    "tx-ucast":49047,
    "tx-mcast":804545,
    "tx-bcast":548798,
    "tx-errors":0,
    "tx-drops":3,
    "tx-oversize":0,
    "rx-bytes":13941793,
    "rx-packets":160303,
    "rx-ucast":148652,
    "rx-mcast":7509,
    "rx-bcast":4142,
    "rx-errors":0,
    "rx-drops":720,
    "rx-oversize":0,
    "undersize":0,
    "fragments":0,
    "jabbers":0,
    "collisions":0,
    "crc-alignments":0,
    "l3packets":0
    }
    }
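As an added example (not from the handbook), the following Python script parses this dump output and flags ports whose counters point at a problem, for instance the rx-drops figure above. The output shape it expects (a "<serial> <n> :" line followed by a JSON object keyed by port name) is taken from the example; the sample text is constructed from the port8 figures and the drop-ratio threshold is a choice for this example, not a FortiOS default.

```python
"""Parse 'diagnose switch-controller dump port-stats' output and flag unhealthy ports.

Added example, not part of the Fortinet handbook. It assumes the output
shape shown above: a "<switch-serial> <n> :" line followed by a JSON object
keyed by port name. The sample below is constructed from the handbook's
port8 figures; the thresholds are choices for this example, not FortiOS defaults.
"""
import json

# Constructed sample, copied from the handbook's port8 counters.
SAMPLE_OUTPUT = """\
S124DP3X16000413 0 :
{
"port8":{
"tx-bytes":823526672,
"tx-packets":1402390,
"tx-ucast":49047,
"tx-mcast":804545,
"tx-bcast":548798,
"tx-errors":0,
"tx-drops":3,
"tx-oversize":0,
"rx-bytes":13941793,
"rx-packets":160303,
"rx-ucast":148652,
"rx-mcast":7509,
"rx-bcast":4142,
"rx-errors":0,
"rx-drops":720,
"rx-oversize":0,
"undersize":0,
"fragments":0,
"jabbers":0,
"collisions":0,
"crc-alignments":0,
"l3packets":0
}
}
"""

# Counters that should stay at zero on a healthy full-duplex link.
ERROR_COUNTERS = ("rx-errors", "tx-errors", "crc-alignments", "collisions",
                  "jabbers", "fragments", "undersize")


def parse_port_stats(text):
    """Return {switch_serial: {port: {counter: value}}} from the dump output."""
    stats = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line.endswith(" :"):
            continue                      # prompt, echo or blank line
        switch = line.split()[0]
        buf, depth, started = [], 0, False
        while i < len(lines):             # collect one brace-balanced JSON object
            cur = lines[i]
            i += 1
            if "{" in cur:
                started = True
            if not started:
                continue
            buf.append(cur)
            depth += cur.count("{") - cur.count("}")
            if depth == 0:
                break
        stats.setdefault(switch, {}).update(json.loads("\n".join(buf)))
    return stats


def port_health(stats, max_drop_ratio=0.001):
    """List (switch, port, [problems]) for ports with errors or excessive drops."""
    findings = []
    for switch, ports in stats.items():
        for port, c in ports.items():
            problems = [f"{k}={c[k]}" for k in ERROR_COUNTERS if c.get(k, 0) > 0]
            for d in ("rx", "tx"):
                pkts, drops = c.get(f"{d}-packets", 0), c.get(f"{d}-drops", 0)
                if pkts and drops / pkts > max_drop_ratio:
                    problems.append(f"{d}-drops={drops} ({drops / pkts:.2%} of {pkts} packets)")
            if problems:
                findings.append((switch, port, problems))
    return findings


if __name__ == "__main__":
    for switch, port, problems in port_health(parse_port_stats(SAMPLE_OUTPUT)):
        print(f"{switch} {port}: " + "; ".join(problems))
```

Run periodically, a check like this turns the raw counters into a trend: a rising rx-drops ratio on an access port is an early sign of a storm or a duplex mismatch, and a non-zero crc-alignments count usually means a cabling or transceiver fault rather than a configuration one.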

Configuring QoS with managed FortiSwitch units

Quality of Service (QoS) provides the ability to set particular priorities for different applications, users, or data flows.

NOTE: The FortiGate unit does not support QoS for hard or soft switch ports.

The FortiSwitch unit supports the following QoS configuration capabilities:

  • Mapping the IEEE 802.1p and Layer 3 QoS values (Differentiated Services and IP Precedence) to an outbound QoS queue number.
  • Providing eight egress queues on each port.
  • Policing the maximum data rate of egress traffic on the interface.

To configure the QoS for managed FortiSwitch units:

  1. Configure a Dot1p map.

    A Dot1p map defines a mapping between IEEE 802.1p class of service (CoS) values (from incoming packets on a trusted interface) and the egress queue values. Values that are not explicitly included in the map will follow the default mapping, which maps each priority (0-7) to queue 0. If an incoming packet contains no CoS value, the switch assigns a CoS value of zero.

    NOTE: Do not enable trust for both Dot1p and DSCP at the same time on the same interface. If you do want to trust both Dot1p and IP-DSCP, the FortiSwitch uses the latter value (DSCP) to determine the queue. The switch will use the Dot1p value and mapping only if the packet contains no DSCP value.

    config switch-controller qos dot1p-map
    edit <Dot1p map name>
    set description <text>
    set priority-0 <queue number>
    set priority-1 <queue number>
    set priority-2 <queue number>
    set priority-3 <queue number>
    set priority-4 <queue number>
    set priority-5 <queue number>
    set priority-6 <queue number>
    set priority-7 <queue number>
    next
    end

  2. Configure a DSCP map. A DSCP map defines a mapping between IP precedence or DSCP values and the egress queue values. For IP precedence, you have the following choices:
    • network-control—Network control
    • internetwork-control—Internetwork control
    • critic-ecp—Critic and emergency call processing (ECP)
    • flashoverride—Flash override
    • flash—Flash
    • immediate—Immediate
    • priority—Priority
    • routine—Routine

    config switch-controller qos ip-dscp-map
    edit <DSCP map name>
    set description <text>
    config map
    edit <entry name>
    set cos-queue <COS queue number>
    set diffserv {CS0 | CS1 | AF11 | AF12 | AF13 | CS2 | AF21 | AF22 | AF23 | CS3 | AF31 | AF32 | AF33 | CS4 | AF41 | AF42 | AF43 | CS5 | EF | CS6 | CS7}
    set ip-precedence {network-control | internetwork-control | critic-ecp | flashoverride | flash | immediate | priority | routine}
    set value <DSCP raw value>
    next
    end
    next
    end

  3. Configure the egress QoS policy. In a QoS policy, you set the scheduling mode for the policy and configure one or more CoS queues. Each egress port supports eight queues, and three scheduling modes are available:
    • With strict scheduling, the queues are served in descending order (of queue number), so higher number queues receive higher priority.
    • In simple round-robin mode, the scheduler visits each backlogged queue, servicing a single packet from each queue before moving on to the next one.
    • In weighted round-robin mode, each of the eight egress queues is assigned a weight value ranging from 0 to 63.

    config switch-controller qos queue-policy
    edit <QoS egress policy name>
    set schedule {strict | round-robin | weighted}
    config cos-queue
    edit queue-<number>
    set description <text>
    set min-rate <rate in kbps>
    set max-rate <rate in kbps>
    set drop-policy {taildrop | random-early-detection}
    set weight <weight value>
    next
    end
    next
    end

  4. Configure the overall policy that will be applied to the switch ports.

    config switch-controller qos qos-policy
    edit <QoS egress policy name>
    set default-cos <default CoS value 0-7>
    set trust-dot1p-map <Dot1p map name>
    set trust-ip-dscp-map <DSCP map name>
    set queue-policy <queue policy name>
    next
    end

  5. Configure each switch port.

    config switch-controller managed-switch
    edit <switch-id>
    config ports
    edit <port>
    set qos-policy <CoS policy>
    next
    end
    next
    end
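To make the queue-selection rules of steps 1, 2 and 4 concrete, here is an added Python model (not Fortinet code) of a Dot1p map, a DSCP map and a qos-policy's trust settings: it shows the default mapping of unlisted priorities to queue 0, the expansion of a diffserv or ip-precedence name to DSCP values, and the rule that a trusted DSCP value wins over Dot1p. The numeric code points behind the diffserv and ip-precedence names are the standard RFC values; the treatment of a trusted DSCP value that is missing from the map, and of an interface that trusts neither map, are assumptions marked in the code.

```python
"""Egress queue selection for a FortiSwitch QoS policy, as the handbook describes it.

Added example, not Fortinet code. It models the Dot1p map, the DSCP map and
the trust settings of 'config switch-controller qos qos-policy' from the
procedure above. Assumptions are marked in comments: the numeric code points
behind the diffserv and ip-precedence names are the standard RFC values, a
trusted DSCP value missing from the map is treated like an unmapped Dot1p
priority (queue 0), and a packet on an interface that trusts neither map
goes to queue 0.
"""

# DiffServ names from 'set diffserv' -> 6-bit DSCP values (RFC 2474/2597/3246).
DIFFSERV = {f"CS{i}": i * 8 for i in range(8)}
DIFFSERV.update({f"AF{c}{d}": 8 * c + 2 * d for c in range(1, 5) for d in range(1, 4)})
DIFFSERV["EF"] = 46

# IP precedence names from 'set ip-precedence' -> 3-bit values (RFC 791).
IP_PRECEDENCE = {"routine": 0, "priority": 1, "immediate": 2, "flash": 3,
                 "flashoverride": 4, "critic-ecp": 5,
                 "internetwork-control": 6, "network-control": 7}


def dot1p_map(**entries):
    """Build a Dot1p map from priority_N=queue keywords (like 'set priority-N').

    Priorities not given follow the handbook default: every priority -> queue 0.
    """
    queues = {p: 0 for p in range(8)}
    for name, queue in entries.items():
        priority = int(name.rsplit("_", 1)[1])
        if not (0 <= priority <= 7 and 0 <= queue <= 7):
            raise ValueError(f"bad dot1p entry {name}={queue}")
        queues[priority] = queue
    return queues


def dscp_map(entries):
    """Build a DSCP map from (selector, cos-queue) pairs.

    selector is a diffserv name ("EF"), an ip-precedence name ("flash", which
    covers all eight DSCP values with that precedence) or a raw DSCP value.
    """
    table = {}
    for selector, queue in entries:
        if isinstance(selector, int):
            values = [selector]
        elif selector in DIFFSERV:
            values = [DIFFSERV[selector]]
        elif selector in IP_PRECEDENCE:
            base = IP_PRECEDENCE[selector] << 3
            values = range(base, base + 8)
        else:
            raise ValueError(f"unknown DSCP selector {selector!r}")
        for v in values:
            if not 0 <= v <= 63:
                raise ValueError(f"DSCP value out of range: {v}")
            table[v] = queue
    return table


def select_queue(policy, cos=None, dscp=None):
    """Return the egress queue for one packet under a qos-policy dict.

    policy keys mirror the CLI: "default-cos", "trust-dot1p-map" (dict or
    None) and "trust-ip-dscp-map" (dict or None). Handbook rules: when both
    maps are trusted the DSCP value decides, and Dot1p is consulted only if
    the packet carries no DSCP value. A packet with no CoS value is assumed
    to take the policy's default-cos before the Dot1p map is applied.
    """
    dscp_tbl = policy.get("trust-ip-dscp-map")
    dot1p_tbl = policy.get("trust-dot1p-map")
    if dscp_tbl is not None and dscp is not None:
        return dscp_tbl.get(dscp, 0)      # assumption: unmapped DSCP -> queue 0
    if cos is None:
        cos = policy.get("default-cos", 0)
    if dot1p_tbl is not None:
        return dot1p_tbl[cos]
    return 0                              # assumption: nothing trusted -> queue 0


if __name__ == "__main__":
    policy = {"default-cos": 2,
              "trust-dot1p-map": dot1p_map(priority_5=5, priority_7=7),
              "trust-ip-dscp-map": dscp_map([("EF", 6), ("flash", 3)])}
    print("EF marked, CoS 5 ->", select_queue(policy, cos=5, dscp=46))
    print("no DSCP, CoS 5   ->", select_queue(policy, cos=5))
```

The model is useful for reviewing a policy before it is pushed: a sweep over all 64 DSCP values and 8 CoS values shows which traffic lands in which queue, which is the quickest way to spot an entry that accidentally lifts untrusted user traffic into the control-plane queue.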

Synchronizing the FortiGate unit with the managed FortiSwitch units

You can synchronize the FortiGate unit with the managed FortiSwitch units to check for synchronization errors on each managed FortiSwitch unit.

Use the following command to synchronize the full configuration of a FortiGate unit with the managed FortiSwitch unit:

    execute switch-controller trigger-config-sync <FortiSwitch_serial_number>

Use one of the following commands to display the synchronization state of a FortiGate unit with a specific managed FortiSwitch unit:

    execute switch-controller get-sync-status switch-id <FortiSwitch_serial_number>
    execute switch-controller get-sync-status name <FortiSwitch_name>

Use the following command to display the synchronization state of a FortiGate unit with a group of managed FortiSwitch units:

    execute switch-controller get-sync-status group <FortiSwitch_group_name>

Use the following command to check the synchronization state of all managed FortiSwitch units in the current VDOM:

    execute switch-controller get-sync-status all

For example:

    Managed-devices in current vdom root:
    STACK-NAME: FortiSwitch-Stack-port15
    SWITCH (NAME)        STATUS    CONFIG    MAC-SYNC    UPGRADE
    S448DNTF18001048     Down      Idle      Idle        Idle
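The following Python script is an added example (not from the handbook) that parses the get-sync-status table shown above and lists the switches that need attention: any switch whose STATUS is not Up or whose CONFIG, MAC-SYNC or UPGRADE column is not Idle. The sample output is constructed for this example; the switch names in parentheses and the "Pending" state are hypothetical values, not ones the handbook lists.

```python
"""Check 'execute switch-controller get-sync-status all' output for switches that need attention.

Added example, not part of the Fortinet handbook. It parses the column
layout shown above (SWITCH (NAME), STATUS, CONFIG, MAC-SYNC, UPGRADE). The
sample output below is constructed for this example; the names and the
"Pending" state are hypothetical values, not ones the handbook lists.
"""
import re

SAMPLE_OUTPUT = """\
Managed-devices in current vdom root:
STACK-NAME: FortiSwitch-Stack-port15
SWITCH (NAME)            STATUS   CONFIG   MAC-SYNC   UPGRADE
S448DNTF18001048         Down     Idle     Idle       Idle
S124DP3X16000413 (core1) Up       Idle     Idle       Idle
S124DP3X16000414 (core2) Up       Pending  Idle       Idle
"""

# One table row: serial, optional "(name)", then the four state columns.
ROW_RE = re.compile(
    r"^(?P<switch>\S+)(?:\s+\((?P<name>[^)]*)\))?"
    r"\s+(?P<status>\S+)\s+(?P<config>\S+)\s+(?P<mac_sync>\S+)\s+(?P<upgrade>\S+)\s*$"
)


def parse_sync_status(text):
    """Return one dict per switch row, tagged with the stack it belongs to."""
    rows, stack, in_table = [], None, False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("STACK-NAME:"):
            stack, in_table = line.split(":", 1)[1].strip(), False
        elif line.startswith("SWITCH"):
            in_table = True                      # header line: rows follow
        elif in_table:
            m = ROW_RE.match(line)
            if m:
                row = m.groupdict()
                row["stack"] = stack
                rows.append(row)
    return rows


def needs_attention(rows):
    """Switches that are not Up, or whose config/MAC/upgrade sync is not Idle."""
    return [r for r in rows
            if r["status"] != "Up"
            or any(r[k] != "Idle" for k in ("config", "mac_sync", "upgrade"))]


if __name__ == "__main__":
    for r in needs_attention(parse_sync_status(SAMPLE_OUTPUT)):
        print(r["stack"], r["switch"], r["name"] or "-",
              r["status"], r["config"], r["mac_sync"], r["upgrade"])
```

A switch that stays Down, or whose CONFIG column never returns to Idle after a trigger-config-sync, is the case to investigate before pushing further changes, since the FortiGate and the switch may be running different configurations at that point.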

Replacing a managed FortiSwitch unit

If a managed FortiSwitch unit fails, you can replace it with another FortiSwitch unit that is managed by the same FortiGate unit. The replacement FortiSwitch unit will inherit the configuration of the FortiSwitch unit that it replaces. The failed FortiSwitch unit is no longer managed by a FortiGate unit or discovered by FortiLink.

NOTE:

  • Both FortiSwitch units must be of the same model.
  • The replacement FortiSwitch unit must be discovered by FortiLink but not authorized.
  • If the replacement FortiSwitch unit is one of an MCLAG pair, you need to manually reconfigure the MCLAG-ICL trunk.
  • After replacing the failed FortiSwitch unit, the automatically created trunk name does not change. If you want a different trunk name, you need to delete the trunk. The new trunk is created automatically with an updated name. At the end of this section is a detailed procedure for renaming the MCLAG-ICL trunk.

To replace a managed FortiSwitch unit:

  1. Unplug the failed FortiSwitch unit.
  2. Plug in the replacement FortiSwitch unit.
  3. Upgrade the firmware of the replacement FortiSwitch unit to the same version as the firmware on the failed FortiSwitch unit. See View and upgrade the FortiSwitch firmware version.
  4. Reset the replacement FortiSwitch unit to factory default settings with the execute factoryreset command.
  5. Check the serial number of the replacement FortiSwitch unit.
  6. From the FortiGate unit, go to WiFi & Switch Controller > Managed FortiSwitch.
  7. Select the faceplate of the failed FortiSwitch unit.
  8. Select Deauthorize.
  9. Connect the replacement FortiSwitch unit to the FortiGate unit that was managing the failed FortiSwitch unit.
  10. If the failed FortiSwitch unit was part of a VDOM, enter the following commands:

    config vdom
    edit <VDOM_name>
    execute replace-device fortiswitch <failed_FortiSwitch_serial_number> <replacement_FortiSwitch_serial_number>

    For example:

    config vdom
    edit vdom_new
    execute replace-device fortiswitch S124DN3W16002025 S124DN3W16002026

    If the failed FortiSwitch unit was not part of a VDOM, enter the following command:

    execute replace-device fortiswitch <failed_FortiSwitch_serial_number> <replacement_FortiSwitch_serial_number>

    An error is returned if the replacement FortiSwitch unit is authorized.

To rename the MCLAG-ICL trunk:

Changing the name of the MCLAG-ICL trunk must be done on both the FortiGate unit and the MCLAG-ICL switches. You need a maintenance window for the change.

  1. Shut down the FortiLink interface on the FortiGate unit.
    1. On the FortiGate unit, execute the show system interface command. For example:

      FG3K2D3Z17800156 # show system interface root-lag
      config system interface
      edit "root-lag"
      set vdom "root"
      set fortilink enable
      set ip 10.105.60.254 255.255.255.0
      set allowaccess ping capwap
      set type aggregate
      set member "port45" "port48"
      config managed-device


    2. Write down the member port information. In this example, port45 and port48 are the member ports.
    3. Shut down the member ports with the config system interface, edit <member-port#>, set status down, and end commands. For example:

      FG3K2D3Z17800156 # config system interface
      FG3K2D3Z17800156 (interface) # edit port48
      FG3K2D3Z17800156 (port48) # set status down
      FG3K2D3Z17800156 (port48) # next // repeat for each member port
      FG3K2D3Z17800156 (interface) # edit port45
      FG3K2D3Z17800156 (port45) # set status down
      FG3K2D3Z17800156 (port45) # end


    4. Verify that FortiLink is down with the exec switch-controller get-conn-status command. For example:

      FG3K2D3Z17800156 # exec switch-controller get-conn-status
      Managed-devices in current vdom root:
      STACK-NAME: FortiSwitch-Stack-root-lag
      SWITCH-ID VERSION STATUS ADDRESS JOIN-TIME NAME
      FS1D483Z17000282 v6.0.0 Authorized/Down 0.0.0.0 N/A icl-sw2
      FS1D483Z17000348 v6.0.0 Authorized/Down 0.0.0.0 N/A icl-sw1


  2. Rename the MCLAG-ICL trunk name on both MCLAG-ICL switches.
    1. Execute the show switch trunk command on both MCLAG-ICL switches. Locate the ICL trunk that includes the set mclag-icl enable command in its configuration and write down the member ports and configuration information. For example:

      icl-sw1 # show switch trunk
      config switch trunk
      ...
      edit "D483Z17000282-0"
      set mode lacp-active
      set auto-isl 1
      set mclag-icl enable // look for this line
      set members "port27" "port28" // note the member ports
      next
      end


    2. Note the output of the show switch interface <MCLAG-ICL-trunk-name>, diagnose switch mclag icl, and diagnose switch trunk summary <MCLAG-ICL-trunk-name> commands. For example:

      icl-sw1 # show switch interface D483Z17000282-0
      config switch interface
      edit "D483Z17000282-0"
      set native-vlan 4094
      set allowed-vlans 1,100,2001-2060,4093
      set dhcp-snooping trusted
      set stp-state disabled
      set edge-port disabled
      set igmps-flood-reports enable
      set igmps-flood-traffic enable
      set snmp-index 57
      next
      end

      icl-sw1 # diag switch mclag icl
      D483Z17000282-0
      icl-ports 27-28
      egress-block-ports 3-4,7-12,47-48
      interface-mac 70:4c:a5:86:6d:e5
      lacp-serial-number FS1D483Z17000348
      peer-mac 70:4c:a5:49:50:53
      peer-serial-number FS1D483Z17000282
      Local uptime 0 days 1h:49m:24s
      Peer uptime 0 days 1h:49m:17s
      MCLAG-STP-mac 70:4c:a5:49:50:52
      keepalive interval 1
      keepalive timeout 60

      Counters
      received keepalive packets 4852
      transmited keepalive packets 5293
      received keepalive drop packets 20
      receive keepalive miss 1

      icl-sw1 # diagnose switch trunk sum D483Z17000282-0
      Trunk Name Mode PSC MAC Status Up Time
      ________________ _________________________ ___________ _________________ ___________ _________________________________
      D483Z17000282-0 lacp-active(auto-isl,mclag-icl) src-dst-ip 70:4C:A5:86:6E:00 up(2/2) 0 days,0 hours,16 mins,4 secs


    3. Shut down the ICL member ports using the config switch physical-port, edit <member port#>, set status down, next, and end commands. For example:

      icl-sw1 # config switch physical-port
      icl-sw1 (physical-port) # edit port27
      icl-sw1 (port27) # set status down
      icl-sw1 (port27) # n // repeat for each ICL member port
      icl-sw1 (physical-port) # edit port28
      icl-sw1 (port28) # set status down
      icl-sw1 (port28) # next
      icl-sw1 (physical-port) # end


    4. Delete the original MCLAG-ICL trunk name on the switch using the config switch trunk, delete <mclag-icl-trunk-name>, and end commands. For example:

      icl-sw1 # config switch trunk
      icl-sw1 (trunk) # delete D483Z17000282-0
      icl-sw1 (trunk) # end


    5. Use the show switch trunk command to verify that the trunk is deleted.
    6. Create a new trunk for the MCLAG ICL using the original trunk configuration collected in step 2b. For example:

      icl-sw1 # config switch trunk
      icl-sw1 (trunk) # edit MCLAG-ICL
      new entry 'MCLAG-ICL' added
      icl-sw1 (MCLAG-ICL) # set mode lacp-active
      icl-sw1 (MCLAG-ICL) # set auto-isl 1
      icl-sw1 (MCLAG-ICL) # set members "port27" "port28"
      icl-sw1 (MCLAG-ICL) # set mclag-icl enable
      icl-sw1 (MCLAG-ICL) # end


    7. Use the show switch trunk command to check the trunk configuration.
    8. Start the trunk member ports by using the config switch physical-port, edit <member port#>, set status up, next, and end commands. For example:

      icl-sw1 # config switch physical-port
      icl-sw1 (physical-port) # edit port27
      icl-sw1 (port27) # set status up
      icl-sw1 (port27) # next // repeat for each trunk member port
      icl-sw1 (physical-port) # edit port28
      icl-sw1 (port28) # set status up
      icl-sw1 (port28) # end


      NOTE: Follow steps 2a through 2h on both switches.
  3. Set up the FortiLink interface on the FortiGate unit. Enter the config system interface, edit <interface-member-port>, set status up, next, and end commands. For example:

    FG3K2D3Z17800156 # config system interface
    FG3K2D3Z17800156 (interface) # edit port45
    FG3K2D3Z17800156 (port45) # set status up
    FG3K2D3Z17800156 (port45) # next // repeat on all member ports
    FG3K2D3Z17800156 (interface) # edit port48
    FG3K2D3Z17800156 (port48) # set status up
    FG3K2D3Z17800156 (port48) # next
    FG3K2D3Z17800156 (interface) # end


  4. Check the configuration and status on both MCLAG-ICL switches.
    1. Enter the show switch trunk, diagnose switch mclag icl, and diagnose switch trunk summary <new-trunk-name> commands. For example:

      icl-sw1 # show switch trunk
      config switch trunk
      <snip>
      edit "MCLAG-ICL"
      set mode lacp-active
      set auto-isl 1
      set mclag-icl enable
      set members "port27" "port28"
      next
      end

      icl-sw1 # show switch interface MCLAG-ICL
      config switch interface
      edit "MCLAG-ICL"
      set native-vlan 4094
      set allowed-vlans 1,100,2001-2060,4093
      set dhcp-snooping trusted
      set stp-state disabled
      set igmps-flood-reports enable
      set igmps-flood-traffic enable
      set snmp-index 56
      next
      end

      icl-sw1 # diagnose switch mclag icl
      MCLAG-ICL
      icl-ports 27-28
      egress-block-ports 3-4,7-12,47-48
      interface-mac 70:4c:a5:86:6d:e5
      lacp-serial-number FS1D483Z17000348
      peer-mac 70:4c:a5:49:50:5
      peer-serial-number FS1D483Z17000282
      Local uptime 0 days 2h:11m:13s
      Peer uptime 0 days 2h:11m: 7s
      MCLAG-STP-mac 70:4c:a5:49:50:52
      keepalive interval 1
      keepalive timeout 60

      Counters
      received keepalive packets 5838
      transmited keepalive packets 6279
      received keepalive drop packets 27
      receive keepalive miss 1

      icl-sw1 # diagnose switch trunk summary MCLAG-ICL
      Trunk Name Mode PSC MAC Status Up Time
      ________________ _________________________ ___________ _________________ ___________ _________________________________
      MCLAG-ICL lacp-active(auto-isl,mclag-icl) src-dst-ip 70:4C:A5:86:6E:00 up(2/2) 0 days,1 hours,4 mins,57 secs

    2. Compare the command results in step 4a with the command results in step 2b.

Additional capabilities

This chapter covers the following topics:

Execute custom FortiSwitch commands

From the FortiGate, you can execute FortiSwitch commands on the managed FortiSwitch.

This feature adds a simple scripting mechanism for users to execute generic commands on the switch.

NOTE: FortiOS 5.6.0 introduces additional capabilities related to the managed FortiSwitch.

Create a command

Use the following syntax to create a command file:

config switch-controller custom-command

edit <cmd-name>

set command "<FortiSwitch commands>"

Next, create a command file to set the STP max-age parameter:

config switch-controller custom-command

edit "stp-age-10"

set command "config switch stp setting

set max-age 10

end

next

end

Execute a command

After you have created a command file, use the following command on the FortiGate to execute the command file on the target switch:

exec switch-controller custom-command <cmd-name> <target-switch>

The following example runs the stp-age-10 command on the specified target FortiSwitch:

exec switch-controller custom-command stp-age-10 S124DP3X15000118

View and upgrade the FortiSwitch firmware version

You can view the current firmware version of a FortiSwitch unit and upgrade the FortiSwitch to a new firmware version. The FortiGate unit will suggest an upgrade when a new version is available in FortiGuard.

Using the FortiGate web interface

To view the FortiSwitch firmware version:

  1. Go to WiFi & Switch Controller > Managed FortiSwitch.
  2. In the main panel, select the FortiSwitch faceplate and click Edit.
  3. In the Edit Managed FortiSwitch panel, the Firmware section displays the current build on the FortiSwitch.
To upgrade the firmware on multiple FortiSwitch units at the same time:
  1. Go to WiFi & Switch Controller > Managed FortiSwitch.
  2. Select the faceplates of the FortiSwitch units that you want to upgrade.
  3. Click Upgrade.The Upgrade FortiSwitches page opens.
  4. Select FortiGuard or select Upload and then select the firmware file to upload. If you select FortiGuard, all FortiSwitch units that can be upgraded are upgraded. If you select Upload, only one firmware image can be used at a time for upgrading.
  5. Select Upgrade.
Using the CLI

Use the following command to display the latest version:

diagnose fdsm fortisw-latest-ver <model>

Use the following command to download the image:

diagnose fdsm fortisw-download <image id>

The following example shows how to download the latest image for FS224D:

FG100D3G15801204 (global) # diagnose fdsm fortisw-latest-ver FS224D

FS224D - 3.4.2 b192 03004000FIMG0900904002FG100D3G15801204 (global) #

diagnose fdsm fortisw-download 03004000FIMG0900904002

Download image-03004000FIMG0900904002:

################################################################################

Result=Success

Use the following CLI commands to enable the use of HTTPS to download firmware to managed FortiSwitch units:

config switch-controller global

set https-image-push enable

end

From your FortiGate CLI, you can upgrade the firmware of all of the managed FortiSwitch units of the same model using a single execute command. The command includes the name of a firmware image file and all of the managed FortiSwitch units compatible with that firmware image file are upgraded. For example:

execute switch-controller stage-tiered-swtp-image ALL <firmware-image-file>

You can also use the following command to restart all of the managed FortiSwitch units after a 2-minute delay.

execute switch-controller restart-swtp-delayed ALL

FortiSwitch log export

You can enable and disable the managed FortiSwitch units to export their syslogs to the FortiGate. The setting is global, and the default setting is enabled. Starting in FortiOS 5.6.3, more details are included in the exported FortiSwitch logs.

To allow a level of filtering, FortiGate sets the user field to "fortiswitch-syslog” for each entry.

The following is the CLI command syntax:

config switch-controller switch-log

set status (*enable | disable)

set severity [emergency | alert | critical | error | warning | notification | *information | debug]

end

You can override the global log settings for a FortiSwitch, using the following commands:

config switch-controller managed-switch

edit <switch-id>

config switch-log

set local-override enable

At this point, you can configure the log settings that apply to this specific switch.

FortiSwitch per-port device visibility

In the FortiGate GUI, User & Device > Device List displays a list of devices attached to the FortiSwitch ports. For each device, the table displays the IP address of the device and the interface (FortiSwitch name and port).

From the CLI, the following command displays information about the host devices:

diagnose switch-controller dump mac-hosts_switch-ports

FortiGate CLI support for FortiSwitch features (on non-FortiLink ports)

You can configure the following FortiSwitch features from the FortiGate CLI.

Configuring a link aggregation group (LAG)

You can configure a link aggregation group (LAG) for non-FortiLink ports on a FortiSwitch. You cannot configure ports from different FortiSwitch units in one LAG.

config switch-controller managed-switch

edit <switch-id>

config ports

it <trunk name>

set type trunk

set mode < static | lacp > Link Aggregation mode

set bundle (enable | disable)

set min-bundle <int>

set max-bundle <int>

set members < port1 port2 ...>

next

end

end

end

Configuring an MCLAG with managed FortiSwitch units

A multichassis LAG (MCLAG) provides node-level redundancy by grouping two FortiSwitch models together so that they appear as a single switch on the network. If either switch fails, the MCLAG continues to function without any interruption, increasing network resiliency and eliminating the delays associated with the Spanning Tree Protocol (STP). For the network topology, see Dual-homed servers connected to a pair of FortiSwitch units using an MCLAG and Standalone FortiGate unit with dual-homed FortiSwitch access.

Notes

  • Both peer switches should be of the same hardware model and same software version. Mismatched configurations might work but are unsupported.
  • There is a maximum of two FortiSwitch models per MCLAG.
  • The routing feature is not available within an MCLAG.
  • For static MAC addresses within an MCLAG, if one FortiSwitch learns the MAC address, the second FortiSwitch will automatically learn the MAC address.

To configure an MCLAG with managed FortiSwitch units:

  1. For each MCLAG peer switch, log into the FortiSwitch to create a LAG:

    config switch trunk
      edit "LAG-member"
        set mode lacp-active
        set mclag-icl enable
        set members "<port>" "<port>"
      next
    end

  2. Enable the MCLAG on each managed FortiSwitch:

    config switch-controller managed-switch
      edit "<switch-id>"
        config ports
          edit "<trunk name>"
            set type trunk
            set mode {static | lacp-passive | lacp-active}
            set bundle {enable | disable}
            set members "<port>,<port>"
            set mclag {enable | disable}
          next
        end
      next
    end

  3. Log into each managed FortiSwitch to check the MCLAG configuration:

    diagnose switch mclag

After the FortiSwitch units are configured as MCLAG peer switches, any port that supports advanced features on the FortiSwitch can become a LAG port. When mclag is enabled and the LAG port names match, an MCLAG peer set is automatically formed. The member ports for each FortiSwitch in the MCLAG do not need to be identical to the member ports on the peer FortiSwitch.
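The following worked configuration is an added example, not taken from this handbook or from Fortinet. It walks the three steps above for a dual-homed server: both peer switches carry an ICL trunk, and both carry a downstream LAG with the identical name mclag-srv1 with mclag enabled, which is what lets the peer set form. The port numbers, trunk names and the two serial numbers are placeholders; lines beginning with # are explanatory comments.

```text
# Step 1: on each peer FortiSwitch (run on both), build the inter-chassis link.
# Port numbers and the trunk name are constructed for this example.
config switch trunk
  edit "icl-peer"
    set mode lacp-active
    set mclag-icl enable
    set members "port47" "port48"
  next
end

# Step 2: on the FortiGate, create the same-named LAG on both managed switches
# and enable mclag on it. Serial numbers are placeholders.
config switch-controller managed-switch
  edit "FSW-PEER-1-SERIAL"
    config ports
      edit "mclag-srv1"
        set type trunk
        set mode lacp-active
        set bundle enable
        set members "port1,port2"
        set mclag enable
      next
    end
  next
  edit "FSW-PEER-2-SERIAL"
    config ports
      edit "mclag-srv1"
        set type trunk
        set mode lacp-active
        set bundle enable
        set members "port3,port4"
        set mclag enable
      next
    end
  next
end

# Step 3: on each peer switch, confirm the ICL and the MCLAG peer set.
diagnose switch mclag
```

The member ports deliberately differ between the two peers (port1,port2 versus port3,port4), which the handbook permits; what must match is the trunk name. If the names differ, each switch simply has an ordinary LAG and the server loses the node-level redundancy the MCLAG is meant to provide.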

Note

If you disable the MCLAG ICL (with the set mclag-icl disable command), you need to enable the fortilink-split-interface.

Configuring storm control

Storm control uses the data rate (packets/sec, default 500) of the link to measure traffic activity, preventing traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on a port.

When the data rate exceeds the configured threshold, storm control drops excess traffic. You can configure the types of traffic to drop: broadcast, unknown unicast, or multicast.

The storm control settings are global to all of the non-FortiLink ports on the managed switches. Use the following CLI commands to configure storm control:

config switch-controller storm-control
  set rate <rate>
  set unknown-unicast {enable | disable}
  set unknown-multicast {enable | disable}
  set broadcast {enable | disable}
end

You can override the global storm control settings for a FortiSwitch using the following commands:

config switch-controller managed-switch
  edit <switch-id>
    config storm-control
      set local-override enable

At this point, you can configure the storm control settings that apply to this specific switch.
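As an added example (not the handbook's own configuration), the following shows the global and per-switch settings together. The global policy keeps the default 500 packets/sec threshold and drops broadcast and unknown-unicast floods on every non-FortiLink port, which bounds the damage a switching loop or a misbehaving host can do to the rest of the LAN. One switch, whose serial number is a placeholder, overrides the global settings with a higher threshold because it legitimately carries more broadcast traffic. Lines beginning with # are explanatory comments.

```text
# Global storm control for all non-FortiLink ports on the managed switches:
# 500 packets/sec (the default), dropping broadcast and unknown-unicast
# storms but leaving unknown multicast unpoliced.
config switch-controller storm-control
  set rate 500
  set broadcast enable
  set unknown-unicast enable
  set unknown-multicast disable
end

# Per-switch override (placeholder serial number): this switch carries a
# heavier broadcast load, so it gets a higher threshold and also polices
# unknown multicast. After local-override, the same settings as the global
# block apply to this switch only.
config switch-controller managed-switch
  edit "FSW-PLACEHOLDER-SERIAL"
    config storm-control
      set local-override enable
      set rate 2000
      set broadcast enable
      set unknown-unicast enable
      set unknown-multicast enable
    end
  next
end
```

Because the threshold is a packet rate rather than a byte rate, the per-switch value should be set from the observed normal broadcast rate on that switch (the rx-bcast counters in the port statistics below are one place to read it), with enough headroom that ordinary ARP and discovery traffic is never dropped.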

Displaying port statistics

Port statistics are displayed with the following CLI command. In this example the command is run on the FortiGate (prompt FG100D3G15804763) for port8 of the managed switch S124DP3X16000413:

FG100D3G15804763 # diagnose switch-controller dump port-stats S124DP3X16000413 port8
S124DP3X16000413 0 :
{
  "port8":{
    "tx-bytes":823526672,
    "tx-packets":1402390,
    "tx-ucast":49047,
    "tx-mcast":804545,
    "tx-bcast":548798,
    "tx-errors":0,
    "tx-drops":3,
    "tx-oversize":0,
    "rx-bytes":13941793,
    "rx-packets":160303,
    "rx-ucast":148652,
    "rx-mcast":7509,
    "rx-bcast":4142,
    "rx-errors":0,
    "rx-drops":720,
    "rx-oversize":0,
    "undersize":0,
    "fragments":0,
    "jabbers":0,
    "collisions":0,
    "crc-alignments":0,
    "l3packets":0
  }
}

Configuring QoS with managed FortiSwitch units

Quality of Service (QoS) provides the ability to set particular priorities for different applications, users, or data flows.

NOTE: The FortiGate unit does not support QoS for hard or soft switch ports.

The FortiSwitch unit supports the following QoS configuration capabilities:

  • Mapping the IEEE 802.1p and Layer 3 QoS values (Differentiated Services and IP Precedence) to an outbound QoS queue number.
  • Providing eight egress queues on each port.
  • Policing the maximum data rate of egress traffic on the interface.
To configure the QoS for managed FortiSwitch units:
  1. Configure a Dot1p map.

    A Dot1p map defines a mapping between IEEE 802.1p class of service (CoS) values (from incoming packets on a trusted interface) and the egress queue values. Values that are not explicitly included in the map will follow the default mapping, which maps each priority (0-7) to queue 0. If an incoming packet contains no CoS value, the switch assigns a CoS value of zero.

    NOTE: Do not enable trust for both Dot1p and DSCP at the same time on the same interface. If you do want to trust both Dot1p and IP-DSCP, the FortiSwitch uses the latter value (DSCP) to determine the queue. The switch will use the Dot1p value and mapping only if the packet contains no DSCP value.

    config switch-controller qos dot1p-map
      edit <Dot1p map name>
        set description <text>
        set priority-0 <queue number>
        set priority-1 <queue number>
        set priority-2 <queue number>
        set priority-3 <queue number>
        set priority-4 <queue number>
        set priority-5 <queue number>
        set priority-6 <queue number>
        set priority-7 <queue number>
      next
    end

  2. Configure a DSCP map. A DSCP map defines a mapping between IP precedence or DSCP values and the egress queue values. For IP precedence, you have the following choices:
    • network-control—Network control
    • internetwork-control—Internetwork control
    • critic-ecp—Critic and emergency call processing (ECP)
    • flashoverride—Flash override
    • flash—Flash
    • immediate—Immediate
    • priority—Priority
    • routine—Routine

    config switch-controller qos ip-dscp-map
      edit <DSCP map name>
        set description <text>
        config map
          edit <entry name>
            set cos-queue <COS queue number>
            set diffserv {CS0 | CS1 | AF11 | AF12 | AF13 | CS2 | AF21 | AF22 | AF23 | CS3 | AF31 | AF32 | AF33 | CS4 | AF41 | AF42 | AF43 | CS5 | EF | CS6 | CS7}
            set ip-precedence {network-control | internetwork-control | critic-ecp | flashoverride | flash | immediate | priority | routine}
            set value <DSCP raw value>
          next
        end
      next
    end

  3. Configure the egress QoS policy. In a QoS policy, you set the scheduling mode for the policy and configure one or more CoS queues. Each egress port supports eight queues, and three scheduling modes are available:
    • With strict scheduling, the queues are served in descending order (of queue number), so higher number queues receive higher priority.
    • In simple round-robin mode, the scheduler visits each backlogged queue, servicing a single packet from each queue before moving on to the next one.
    • In weighted round-robin mode, each of the eight egress queues is assigned a weight value ranging from 0 to 63.

    config switch-controller qos queue-policy
      edit <QoS egress policy name>
        set schedule {strict | round-robin | weighted}
        config cos-queue
          edit [queue-<number>]
            set description <text>
            set min-rate <rate in kbps>
            set max-rate <rate in kbps>
            set drop-policy {taildrop | random-early-detection}
            set weight <weight value>
          next
        end
      next
    end

  4. Configure the overall policy that will be applied to the switch ports.

    config switch-controller qos qos-policy
      edit <QoS egress policy name>
        set default-cos <default CoS value 0-7>
        set trust-dot1p-map <Dot1p map name>
        set trust-ip-dscp-map <DSCP map name>
        set queue-policy <queue policy name>
      next
    end

  5. Configure each switch port.

    config switch-controller managed-switch
      edit <switch-id>
        config ports
          edit <port>
            set qos-policy <CoS policy>
          next
        end
      next
    end
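The following is an added worked example that carries steps 1 through 5 through with concrete values; it is not configuration from this handbook or from Fortinet. It prioritizes voice (CoS 5 / EF) and call signaling (CoS 3 / AF31) on the same two queues, caps the voice queue so a burst of EF-marked traffic cannot starve the rest of the port, and, because the note in step 1 says not to trust Dot1p and DSCP on the same interface, uses two QoS policies: one for a phone-facing port that trusts 802.1p tags and one for the Layer 3 uplink that trusts DSCP. All object names, port numbers, rates and the switch serial number are placeholders; lines beginning with # are explanatory comments.

```text
# 1. Dot1p map: CoS 5 (voice) to queue 5, CoS 3 (signaling) to queue 2,
#    all other priorities stay on queue 0 as in the default mapping.
config switch-controller qos dot1p-map
  edit "dot1p-voice"
    set description "CoS 5 voice, CoS 3 signaling"
    set priority-0 0
    set priority-1 0
    set priority-2 0
    set priority-3 2
    set priority-4 0
    set priority-5 5
    set priority-6 0
    set priority-7 0
  next
end

# 2. DSCP map: EF to queue 5 and AF31 to queue 2, the same queues the
#    Dot1p map uses, so a flow is treated alike whichever marking it carries.
config switch-controller qos ip-dscp-map
  edit "dscp-voice"
    set description "EF voice, AF31 signaling"
    config map
      edit "ef-voice"
        set cos-queue 5
        set diffserv EF
      next
      edit "af31-signaling"
        set cos-queue 2
        set diffserv AF31
      next
    end
  next
end

# 3. Queue policy: strict scheduling serves queue 5 before queue 2 before
#    queue 0. The voice queue is capped (kbps) so a burst of EF-marked
#    traffic, legitimate or not, cannot starve the other queues.
config switch-controller qos queue-policy
  edit "qp-voice-strict"
    set schedule strict
    config cos-queue
      edit "queue-5"
        set description "voice"
        set max-rate 10000
        set drop-policy taildrop
      next
      edit "queue-2"
        set description "signaling"
        set drop-policy taildrop
      next
    end
  next
end

# 4. Two QoS policies, one per trust model. Unmarked traffic gets CoS 0.
config switch-controller qos qos-policy
  edit "qos-trust-dot1p"
    set default-cos 0
    set trust-dot1p-map "dot1p-voice"
    set queue-policy "qp-voice-strict"
  next
  edit "qos-trust-dscp"
    set default-cos 0
    set trust-ip-dscp-map "dscp-voice"
    set queue-policy "qp-voice-strict"
  next
end

# 5. Apply per port on one managed switch (placeholder serial number):
#    port1 faces an IP phone, port24 is the uplink to the router.
config switch-controller managed-switch
  edit "FSW-PLACEHOLDER-SERIAL"
    config ports
      edit "port1"
        set qos-policy "qos-trust-dot1p"
      next
      edit "port24"
        set qos-policy "qos-trust-dscp"
      next
    end
  next
end
```

Trusting a marking means believing whatever the attached device wrote into the header, so the Dot1p-trusting policy belongs only on ports where the device population is known (phones on a voice VLAN), while ports facing arbitrary hosts should keep the default of CoS 0. The max-rate cap on queue 5 is the corresponding safeguard on the egress side: a host that marks bulk traffic EF gains priority only up to that rate.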

Synchronizing the FortiGate unit with the managed FortiSwitch units

You can synchronize the FortiGate unit with the managed FortiSwitch units to check for synchronization errors on each managed FortiSwitch unit.

Use the following command to synchronize the full configuration of a FortiGate unit with the managed FortiSwitch unit:

execute switch-controller trigger-config-sync <FortiSwitch_serial_number>

Use one of the following commands to display the synchronization state of a FortiGate unit with a specific managed FortiSwitch unit:

execute switch-controller get-sync-status switch-id <FortiSwitch_serial_number>

execute switch-controller get-sync-status name <FortiSwitch_name>

Use the following command to display the synchronization state of a FortiGate unit with a group of managed FortiSwitch units:

execute switch-controller get-sync-status group <FortiSwitch_group_name>

Use the following command to check the synchronization state of all managed FortiSwitch units in the current VDOM:

execute switch-controller get-sync-status all

For example:

Managed-devices in current vdom root:

STACK-NAME: FortiSwitch-Stack-port15
SWITCH (NAME)        STATUS   CONFIG   MAC-SYNC   UPGRADE
S448DNTF18001048     Down     Idle     Idle       Idle

Replacing a managed FortiSwitch unit

If a managed FortiSwitch unit fails, you can replace it with another FortiSwitch unit that is managed by the same FortiGate unit. The replacement FortiSwitch unit will inherit the configuration of the FortiSwitch unit that it replaces. The failed FortiSwitch unit is no longer managed by a FortiGate unit or discovered by FortiLink.

NOTE:

  • Both FortiSwitch units must be of the same model.
  • The replacement FortiSwitch unit must be discovered by FortiLink but not authorized.
  • If the replacement FortiSwitch unit is one of an MCLAG pair, you need to manually reconfigure the MCLAG-ICL trunk.
  • After replacing the failed FortiSwitch unit, the automatically created trunk name does not change. If you want a different trunk name, you need to delete the trunk. The new trunk is created automatically with an updated name. At the end of this section is a detailed procedure for renaming the MCLAG-ICL trunk.
To replace a managed FortiSwitch unit:
  1. Unplug the failed FortiSwitch unit.
  2. Plug in the replacement FortiSwitch unit.
  3. Upgrade the firmware of the replacement FortiSwitch unit to the same version as the firmware on the failed FortiSwitch unit. See View and upgrade the FortiSwitch firmware version.
  4. Reset the replacement FortiSwitch unit to factory default settings with the execute factoryreset command.
  5. Check the serial number of the replacement FortiSwitch unit.
  6. From the FortiGate unit, go to WiFi & Switch Controller > Managed FortiSwitch.
  7. Select the faceplate of the failed FortiSwitch unit.
  8. Select Deauthorize.
  9. Connect the replacement FortiSwitch unit to the FortiGate unit that was managing the failed FortiSwitch unit.
  10. If the failed FortiSwitch unit was part of a VDOM, enter the following commands:

    config vdom
      edit <VDOM_name>
        execute replace-device fortiswitch <failed_FortiSwitch_serial_number> <replacement_FortiSwitch_serial_number>

    For example:

    config vdom
      edit vdom_new
        execute replace-device fortiswitch S124DN3W16002025 S124DN3W16002026

    If the failed FortiSwitch unit was not part of a VDOM, enter the following command:

    execute replace-device fortiswitch <failed_FortiSwitch_serial_number> <replacement_FortiSwitch_serial_number>

    An error is returned if the replacement FortiSwitch unit is authorized.

To rename the MCLAG-ICL trunk:

Changing the name of the MCLAG-ICL trunk must be done on both the FortiGate unit and the MCLAG-ICL switches. You need a maintenance window for the change.

  1. Shut down the FortiLink interface on the FortiGate unit.
    1. On the FortiGate unit, execute the show system interface command. For example:

      FG3K2D3Z17800156 # show system interface root-lag
      config system interface
      edit "root-lag"
      set vdom "root"
      set fortilink enable
      set ip 10.105.60.254 255.255.255.0
      set allowaccess ping capwap
      set type aggregate
      set member "port45" "port48"
      config managed-device


    2. Write down the member port information. In this example, port45 and port48 are the member ports.
    3. Shut down the member ports with the config system interface, edit <member-port#>, set status down, and end commands. For example:

      FG3K2D3Z17800156 # config system interface
      FG3K2D3Z17800156 (interface) # edit port48
      FG3K2D3Z17800156 (port48) # set status down
      FG3K2D3Z17800156 (port48) # next // repeat for each member port
      FG3K2D3Z17800156 (interface) # edit port45
      FG3K2D3Z17800156 (port45) # set status down
      FG3K2D3Z17800156 (port45) # end


    4. Verify that FortiLink is down with the exec switch-controller get-conn-status command. For example:

      FG3K2D3Z17800156 # exec switch-controller get-conn-status
      Managed-devices in current vdom root:
      STACK-NAME: FortiSwitch-Stack-root-lag
      SWITCH-ID VERSION STATUS ADDRESS JOIN-TIME NAME
      FS1D483Z17000282 v6.0.0 Authorized/Down 0.0.0.0 N/A icl-sw2
      FS1D483Z17000348 v6.0.0 Authorized/Down 0.0.0.0 N/A icl-sw1


  2. Rename the MCLAG-ICL trunk name on both MCLAG-ICL switches.
    1. Execute the show switch trunk command on both MCLAG-ICL switches. Locate the ICL trunk that includes the set mclag-icl enable command in its configuration and write down the member ports and configuration information. For example:

      icl-sw1 # show switch trunk
      config switch trunk
      ...
      edit "D483Z17000282-0"
      set mode lacp-active
      set auto-isl 1
      set mclag-icl enable // look for this line
      set members "port27" "port28" // note the member ports
      next
      end


    2. Note the output of the show switch interface <MCLAG-ICL-trunk-name>, diagnose switch mclag icl, and diagnose switch trunk summary <MCLAG-ICL-trunk-name> commands. For example:

      icl-sw1 # show switch interface D483Z17000282-0
      config switch interface
      edit "D483Z17000282-0"
      set native-vlan 4094
      set allowed-vlans 1,100,2001-2060,4093
      set dhcp-snooping trusted
      set stp-state disabled
      set edge-port disabled
      set igmps-flood-reports enable
      set igmps-flood-traffic enable
      set snmp-index 57
      next
      end

      icl-sw1 # diag switch mclag icl
      D483Z17000282-0
      icl-ports 27-28
      egress-block-ports 3-4,7-12,47-48
      interface-mac 70:4c:a5:86:6d:e5
      lacp-serial-number FS1D483Z17000348
      peer-mac 70:4c:a5:49:50:53
      peer-serial-number FS1D483Z17000282
      Local uptime 0 days 1h:49m:24s
      Peer uptime 0 days 1h:49m:17s
      MCLAG-STP-mac 70:4c:a5:49:50:52
      keepalive interval 1
      keepalive timeout 60

      Counters
      received keepalive packets 4852
      transmited keepalive packets 5293
      received keepalive drop packets 20
      receive keepalive miss 1

      icl-sw1 # diagnose switch trunk sum D483Z17000282-0
      Trunk Name Mode PSC MAC Status Up Time
      ________________ _________________________ ___________ _________________ ___________ _________________________________
      D483Z17000282-0 lacp-active(auto-isl,mclag-icl) src-dst-ip 70:4C:A5:86:6E:00 up(2/2) 0 days,0 hours,16 mins,4 secs


    3. Shut down the ICL member ports using the config switch physical-port, edit <member port#>, set status down, next, and end commands. For example:

      icl-sw1 # config switch physical-port
      icl-sw1 (physical-port) # edit port27
      icl-sw1 (port27) # set status down
      icl-sw1 (port27) # n // repeat for each ICL member port
      icl-sw1 (physical-port) # edit port28
      icl-sw1 (port28) # set status down
      icl-sw1 (port28) # next
      icl-sw1 (physical-port) # end


    4. Delete the original MCLAG-ICL trunk name on the switch using the config switch trunk, delete <mclag-icl-trunk-name>, and end commands. For example:

      icl-sw1 # config switch trunk
      icl-sw1 (trunk) # delete D483Z17000282-0


    5. Use the show switch trunk command to verify that the trunk is deleted.
    6. Create a new trunk for the MCLAG ICL using the original trunk configuration collected in step 2b. For example:

      icl-sw1 # config switch trunk

      icl-sw1 (trunk) # edit MCLAG-ICL
      new entry 'MCLAG-ICL' added
      icl-sw1 (MCLAG-ICL) #set mode lacp-active
      icl-sw1 (MCLAG-ICL) #set auto-isl 1
      icl-sw1 (MCLAG-ICL) #set members "port27" "port28"
      icl-sw1 (MCLAG-ICL) #set mclag-icl enable
      icl-sw1 (MCLAG-ICL) # end


    7. Use the show switch trunk command to check the trunk configuration.
    8. Start the trunk member ports by using the config switch physical-port, edit <member port#>, set status up, next, and end commands. For example:

      icl-sw1 # config switch physical-port
      icl-sw1 (physical-port) # edit port27
      icl-sw1 (port27) # set status up
      icl-sw1 (port27) # next // repeat for each trunk member port
      icl-sw1 (physical-port) # edit port28
      icl-sw1 (port28) # set status up
      icl-sw1 (port28) # end


      NOTE: Follow steps 2a through 2h on both switches.
  3. Set up the FortiLink interface on the FortiGate unit. Enter the config system interface, edit <interface-member-port>, set status up, next, and end commands. For example:

    FG3K2D3Z17800156 # config system interface
    FG3K2D3Z17800156 (interface) # edit port45
    FG3K2D3Z17800156 (port45) # set status up
    FG3K2D3Z17800156 (port45) # next // repeat on all member ports
    FG3K2D3Z17800156 (interface) # edit port48
    FG3K2D3Z17800156 (port48) # set status up
    FG3K2D3Z17800156 (port48) # next
    FG3K2D3Z17800156 (interface) # end


  4. Check the configuration and status on both MCLAG-ICL switches.
    1. Enter the show switch trunk, diagnose switch mclag icl, and diagnose switch trunk summary <new-trunk-name> commands. For example:

      icl-sw1 # show switch trunk
      config switch trunk
      <snip>
      edit "MCLAG-ICL"
      set mode lacp-active
      set auto-isl 1
      set mclag-icl enable
      set members "port27" "port28"
      next
      end

      icl-sw1 # show switch interface MCLAG-ICL
      config switch interface
      edit "MCLAG-ICL"
      set native-vlan 4094
      set allowed-vlans 1,100,2001-2060,4093
      set dhcp-snooping trusted
      set stp-state disabled
      set igmps-flood-reports enable
      set igmps-flood-traffic enable
      set snmp-index 56
      next
      end

      icl-sw1 # diagnose switch mclag icl
      MCLAG-ICL
      icl-ports 27-28
      egress-block-ports 3-4,7-12,47-48
      interface-mac 70:4c:a5:86:6d:e5
      lacp-serial-number FS1D483Z17000348
      peer-mac 70:4c:a5:49:50:5
      peer-serial-number FS1D483Z17000282
      Local uptime 0 days 2h:11m:13s
      Peer uptime 0 days 2h:11m: 7s
      MCLAG-STP-mac 70:4c:a5:49:50:52
      keepalive interval 1
      keepalive timeout 60

      Counters
      received keepalive packets 5838
      transmited keepalive packets 6279
      received keepalive drop packets 27
      receive keepalive miss 1

      icl-sw1 # diagnose switch trunk summary MCLAG-ICL

      Trunk Name Mode PSC MAC Status Up Time
      ________________ _________________________ ___________ _________________ ___________ _________________________________

      MCLAG-ICL lacp-active(auto-isl,mclag-icl) src-dst-ip 70:4C:A5:86:6E:00 up(2/2) 0 days,1 hours,4 mins,57 secs

    2. Compare the command results in step 4a with the command results in step 2b.