CLI Reference

switch-controller managed-switch

Use this command to add managed FortiSwitch to a FortiGate and to configure how the switch is managed.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.5.

Command Description

set poe-detection-type <type>
    Set the PoE detection type for the managed FortiSwitch.

The following table shows all added, changed, or removed entries as of FortiOS 6.0.

Command Description

config mirror
    edit <name>
        set status {active | inactive}
        set switching-packet {enable | disable}
        set dst <port-name>
        set src-ingress <port-name>
        set src-egress <port-name>
    next
    ...
    New configuration method to edit FortiSwitch packet port mirroring.

config ports
    edit <name>
        set discard-mode {none | all-untagged | all-tagged}
    next
    ...
    Determine the frame discard mode for ports.

config ports
    edit <name>
        set sflow-sampler {enabled | disabled}
        set sflow-sample-rate <every-n-packets>
        set sflow-counter-interval <seconds>
        set sample-direction {tx | rx | both}
    next
    ...
    Configure sFlow data-analysis settings for managed FortiSwitches, including the sFlow sample rate, counter interval, and sample direction.

config ports
    edit <name>
        set export-to-pool <pool-name>
        set export-tags <tag-name>
        set export-to <vdom-name>
    next
    ...
    Use these entries to define how ports are exported, either directly to a tenant VDOM (export-to) or to a shared pool (export-to-pool, as configured under config switch-controller virtual-port-pool).

config ports
    edit <name>
        set learning-limit <limit>
    next
    ...
    Updated the existing learning-limit option to have a default value of 0, meaning no limit.

config ports
    edit <name>
        set arp-inspection-trust {untrusted | trusted}
    next
    ...
    Trusted or untrusted dynamic ARP inspection.

config switch-controller managed-switch
    edit {switch-id}
    # Configure FortiSwitch devices that are managed by this FortiGate.
        set switch-id {string}   Managed-switch id. size[16]
        set name {string}   Managed-switch name. size[35]
        set description {string}   Description. size[63]
        set switch-profile {string}   FortiSwitch profile. size[35] - datasource(s): switch-controller.switch-profile.name
        set fsw-wan1-peer {string}   Fortiswitch WAN1 peer port. size[35]
        set fsw-wan1-admin {discovered | disable | enable}   FortiSwitch WAN1 admin status; enable to authorize the FortiSwitch as a managed switch.
        set fsw-wan2-peer {string}   FortiSwitch WAN2 peer port. size[35]
        set fsw-wan2-admin {discovered | disable | enable}   FortiSwitch WAN2 admin status; enable to authorize the FortiSwitch as a managed switch.
        set poe-pre-standard-detection {enable | disable}   Enable/disable PoE pre-standard detection.
        set poe-detection-type {integer}   PoE detection type for FortiSwitch. range[0-255]
        set directly-connected {integer}   Directly connected FortiSwitch. range[0-1]
        set version {integer}   FortiSwitch version. range[0-255]
        set max-allowed-trunk-members {integer}   FortiSwitch maximum allowed trunk members. range[0-255]
        set pre-provisioned {integer}   Pre-provisioned managed switch. range[0-255]
        set dynamic-capability {integer}   List of features this FortiSwitch supports (not configurable) that is sent to the FortiGate device for subsequent configuration initiated by the FortiGate device. range[0-4294967295]
        set switch-device-tag {string}   User definable label/tag. size[32]
        set dynamically-discovered {integer}   Dynamically discovered FortiSwitch. range[0-1]
        set type {virtual | physical}   Indication of switch type, physical or virtual.
                virtual   Switch is of type virtual.
                physical  Switch is of type physical.
        set owner-vdom {string}   VDOM which owner of port belongs to. size[31]
        set staged-image-version {string}   Staged image version for FortiSwitch. size[127]
        set delayed-restart-trigger {integer}   Delayed restart triggered for this FortiSwitch. range[0-255]
        config ports
            edit {port-name}
            # Managed-switch port list.
                set port-name {string}   Switch port name. size[15]
                set port-owner {string}   Switch port owner. size[15]
                set switch-id {string}   Switch id. size[16]
                set speed {option}   Switch port speed; default and available settings depend on hardware.
                        10half       10M half-duplex.
                        10full       10M full-duplex.
                        100half      100M half-duplex.
                        100full      100M full-duplex.
                        1000auto     Auto-negotiation (1G full-duplex only).
                        1000fiber    1G full-duplex (fiber SFPs only)
                        1000full     1G full-duplex
                        10000        10G full-duplex
                        40000        40G full-duplex
                        auto         Auto-negotiation.
                        auto-module  Auto Module.
                        100FX-half   100Mbps half-duplex.100Base-FX.
                        100FX-full   100Mbps full-duplex.100Base-FX.
                        100000full   100Gbps full-duplex.
                        2500full     2.5Gbps full-duplex.
                        25000full    25Gbps full-duplex.
                        50000full    50Gbps full-duplex.
                        10000cr      10Gbps copper interface.
                        10000sr      10Gbps SFI interface.
                        100000sr4    100Gbps SFI interface.
                        100000cr4    100Gbps copper interface.
                        25000cr4     25Gbps copper interface.
                        25000sr4     25Gbps SFI interface.
                        5000full     5Gbps full-duplex.
                set speed-mask {integer}   Switch port speed mask. range[0-4294967295]
                set status {up | down}   Switch port admin status: up or down.
                        up    Set admin status up.
                        down  Set admin status down.
                set poe-status {enable | disable}   Enable/disable PoE status.
                set poe-pre-standard-detection {enable | disable}   Enable/disable PoE pre-standard detection.
                set port-number {integer}   Port number. range[1-64]
                set port-prefix-type {integer}   Port prefix type. range[0-1]
                set fortilink-port {integer}   FortiLink uplink port. range[0-1]
                set poe-capable {integer}   PoE capable. range[0-1]
                set stacking-port {integer}   Stacking port. range[0-1]
                set fiber-port {integer}   Fiber-port. range[0-1]
                set flags {integer}   Port properties flags. range[0-4294967295]
                set virtual-port {integer}   Virtualized switch port. range[0-1]
                set isl-local-trunk-name {string}   ISL local trunk name. size[15]
                set isl-peer-port-name {string}   ISL peer port name. size[15]
                set isl-peer-device-name {string}   ISL peer device name. size[16]
                set fgt-peer-port-name {string}   FGT peer port name. size[15]
                set fgt-peer-device-name {string}   FGT peer device name. size[16]
                set vlan {string}   Assign switch ports to a VLAN. size[15] - datasource(s): system.interface.name
                set allowed-vlans-all {enable | disable}   Enable/disable all defined vlans on this port.
                config allowed-vlans
                    edit {vlan-name}
                    # Configure switch port tagged vlans
                        set vlan-name {string}   VLAN name. size[79] - datasource(s): system.interface.name
                    next
                config untagged-vlans
                    edit {vlan-name}
                    # Configure switch port untagged vlans
                        set vlan-name {string}   VLAN name. size[79] - datasource(s): system.interface.name
                    next
                set type {physical | trunk}   Interface type: physical or trunk port.
                        physical  Physical port.
                        trunk     Trunk port.
                set dhcp-snooping {untrusted | trusted}   Trusted or untrusted DHCP-snooping interface.
                        untrusted  Untrusted DHCP snooping interface.
                        trusted    Trusted DHCP snooping interface.
                set dhcp-snoop-option82-trust {enable | disable}   Enable/disable allowance of DHCP with option-82 on untrusted interface.
                set arp-inspection-trust {untrusted | trusted}   Trusted or untrusted dynamic ARP inspection.
                        untrusted  Untrusted dynamic ARP inspection.
                        trusted    Trusted dynamic ARP inspection.
                set igmp-snooping {enable | disable}   Set IGMP snooping mode for the physical port interface.
                set igmps-flood-reports {enable | disable}   Enable/disable flooding of IGMP reports to this interface when igmp-snooping enabled.
                set igmps-flood-traffic {enable | disable}   Enable/disable flooding of IGMP snooping traffic to this interface.
                set stp-state {enabled | disabled}   Enable/disable Spanning Tree Protocol (STP) on this interface.
                        enabled   Enable STP on this interface.
                        disabled  Disable STP on this interface.
                set stp-root-guard {enabled | disabled}   Enable/disable STP root guard on this interface.
                        enabled   Enable STP root-guard on this interface.
                        disabled  Disable STP root-guard on this interface.
                set stp-bpdu-guard {enabled | disabled}   Enable/disable STP BPDU guard on this interface.
                        enabled   Enable STP BPDU guard on this interface.
                        disabled  Disable STP BPDU guard on this interface.
                set stp-bpdu-guard-timeout {integer}   BPDU Guard disabling protection (0 - 120 min). range[0-120]
                set edge-port {enable | disable}   Enable/disable this interface as an edge port, bridging connections between workstations and/or computers.
                set discard-mode {none | all-untagged | all-tagged}   Configure discard mode for port.
                        none          Discard disabled.
                        all-untagged  Discard all frames that are untagged.
                        all-tagged    Discard all frames that are tagged.
                set sflow-sampler {enabled | disabled}   Enable/disable sFlow protocol on this interface.
                        enabled   Enable sFlow protocol on this interface.
                        disabled  Disable sFlow protocol on this interface.
                set sflow-sample-rate {integer}   sFlow sampler sample rate: sample one of every n packets (0 - 99999). range[0-99999]
                set sflow-counter-interval {integer}   sFlow sampler counter polling interval (1 - 255 sec). range[1-255]
                set sample-direction {tx | rx | both}   sFlow sample direction.
                        tx    Monitor transmitted traffic.
                        rx    Monitor received traffic.
                        both  Monitor transmitted and received traffic.
                set loop-guard {enabled | disabled}   Enable/disable loop-guard on this interface, an STP optimization used to prevent network loops.
                        enabled   Enable loop-guard on this interface.
                        disabled  Disable loop-guard on this interface.
                set loop-guard-timeout {integer}   Loop-guard timeout (0 - 120 min, default = 45). range[0-120]
                set qos-policy {string}   Switch controller QoS policy from available options. size[63] - datasource(s): switch-controller.qos.qos-policy.name
                set port-security-policy {string}   Switch controller authentication policy to apply to this managed switch from available options. size[31] - datasource(s): switch-controller.security-policy.802-1X.name,switch-controller.security-policy.captive-portal.name
                set export-to-pool {string}   Switch controller export port to pool-list. size[35] - datasource(s): switch-controller.virtual-port-pool.name
                config export-tags
                    edit {tag-name}
                    # Switch controller export tag name.
                        set tag-name {string}   Switch tag name. size[63] - datasource(s): switch-controller.switch-interface-tag.name
                    next
                set export-to-pool-flag {integer}   Switch controller export port to pool-list. range[0-1]
                set learning-limit {integer}   Limit the number of dynamic MAC addresses learned on this port (1 - 128; 0 = no limit, default). range[0-128]
                set lldp-status {disable | rx-only | tx-only | tx-rx}   LLDP transmit and receive status.
                        disable  Disable LLDP TX and RX.
                        rx-only  Enable LLDP as RX only.
                        tx-only  Enable LLDP as TX only.
                        tx-rx    Enable LLDP TX and RX.
                set lldp-profile {string}   LLDP port TLV profile. size[63] - datasource(s): switch-controller.lldp-profile.name
                set export-to {string}   Export managed-switch port to a tenant VDOM. size[31] - datasource(s): system.vdom.name
                set port-selection-criteria {option}   Algorithm for aggregate port selection.
                        src-mac      Source MAC address.
                        dst-mac      Destination MAC address.
                        src-dst-mac  Source and destination MAC address.
                        src-ip       Source IP address.
                        dst-ip       Destination IP address.
                        src-dst-ip   Source and destination IP address.
                set description {string}   Description for port. size[63]
                set lacp-speed {slow | fast}   Send Link Aggregation Control Protocol (LACP) messages every 30 seconds (slow) or every second (fast).
                        slow  Send LACP message every 30 seconds.
                        fast  Send LACP message every second.
                set mode {static | lacp-passive | lacp-active}   LACP mode: ignore and do not send control messages, or negotiate 802.3ad aggregation passively or actively.
                        static        Static aggregation, do not send and ignore any control messages.
                        lacp-passive  Passively use LACP to negotiate 802.3ad aggregation.
                        lacp-active   Actively use LACP to negotiate 802.3ad aggregation.
                set bundle {enable | disable}   Enable/disable Link Aggregation Group (LAG) bundling for non-FortiLink interfaces.
                set member-withdrawal-behavior {forward | block}   Port behavior after it withdraws because of loss of control packets.
                        forward  Forward traffic.
                        block    Block traffic.
                set mclag {enable | disable}   Enable/disable multi-chassis link aggregation (MCLAG).
                set min-bundle {integer}   Minimum size of LAG bundle (1 - 24, default = 1). range[1-24]
                set max-bundle {integer}   Maximum size of LAG bundle (1 - 24, default = 24). range[1-24]
                config members
                    edit {member-name}
                    # Aggregated LAG bundle interfaces.
                        set member-name {string}   Interface name from available options. size[64]
                    next
            next
        config stp-settings
            set local-override {enable | disable}   Enable to configure local STP settings that override global STP settings.
            set name {string}   Name of local STP settings configuration. size[31]
            set status {enable | disable}   Enable/disable STP.
            set revision {integer}   STP revision number (0 - 65535). range[0-65535]
            set hello-time {integer}   Period of time between successive STP frame Bridge Protocol Data Units (BPDUs) sent on a port (1 - 10 sec, default = 2). range[1-10]
            set forward-time {integer}   Period of time a port is in listening and learning state (4 - 30 sec, default = 15). range[4-30]
            set max-age {integer}   Maximum time before a bridge port saves its configuration BPDU information (6 - 40 sec, default = 20). range[6-40]
            set max-hops {integer}   Maximum number of hops between the root bridge and the furthest bridge (1 - 40, default = 20). range[1-40]
            set pending-timer {integer}   Pending time (1 - 15 sec, default = 4). range[1-15]
        config switch-stp-settings
            set status {enable | disable}   Enable/disable STP.
        config switch-log
            set local-override {enable | disable}   Enable to configure local logging settings that override global logging settings.
            set status {enable | disable}   Enable/disable adding FortiSwitch logs to the FortiGate event log.
            set severity {option}   Severity of FortiSwitch logs that are added to the FortiGate event log.
                    emergency     Emergency level.
                    alert         Alert level.
                    critical      Critical level.
                    error         Error level.
                    warning       Warning level.
                    notification  Notification level.
                    information   Information level.
                    debug         Debug level.
        config storm-control
            set local-override {enable | disable}   Enable to override global FortiSwitch storm control settings for this FortiSwitch.
            set rate {integer}   Rate in packets per second at which storm traffic is controlled (1 - 10000000, default = 500). Storm control drops excess traffic data rates beyond this threshold. range[1-10000000]
            set unknown-unicast {enable | disable}   Enable/disable storm control to drop unknown unicast traffic.
            set unknown-multicast {enable | disable}   Enable/disable storm control to drop unknown multicast traffic.
            set broadcast {enable | disable}   Enable/disable storm control to drop broadcast traffic.
        config mirror
            edit {name}
            # Configuration method to edit FortiSwitch packet mirror.
                set name {string}   Mirror name. size[63]
                set status {active | inactive}   Active/inactive mirror configuration.
                        active    Activate mirror configuration.
                        inactive  Deactivate mirror configuration.
                set switching-packet {enable | disable}   Enable/disable switching functionality when mirroring.
                set dst {string}   Destination port. size[63]
                config src-ingress
                    edit {name}
                    # Source ingress interfaces.
                        set name {string}   Interface name. size[64]
                    next
                config src-egress
                    edit {name}
                    # Source egress interfaces.
                        set name {string}   Interface name. size[64]
                    next
            next
        config custom-command
            edit {command-entry}
            # Configuration method to edit FortiSwitch commands to be pushed to this FortiSwitch device upon rebooting the FortiGate switch controller or the FortiSwitch.
                set command-entry {string}   List of FortiSwitch commands. size[35]
                set command-name {string}   Names of commands to be pushed to this FortiSwitch device, as configured under config switch-controller custom-command. size[35] - datasource(s): switch-controller.custom-command.command-name
            next
        config igmp-snooping
            set local-override {enable | disable}   Enable/disable overriding the global IGMP snooping configuration.
            set aging-time {integer}   Maximum time to retain a multicast snooping entry for which no packets have been seen (15 - 3600 sec, default = 300). range[15-3600]
            set flood-unknown-multicast {enable | disable}   Enable/disable unknown multicast flooding.
        config 802-1X-settings
            set local-override {enable | disable}   Enable to override global 802.1X settings on individual FortiSwitches.
            set link-down-auth {set-unauth | no-action}   Authentication state to set if a link is down.
                    set-unauth  Interface set to unauth when down. Reauthentication is needed.
                    no-action   Interface reauthentication is not needed.
            set reauth-period {integer}   Reauthentication time interval (1 - 1440 min, default = 60, 0 = disable). range[1-1440]
            set max-reauth-attempt {integer}   Maximum number of authentication attempts (0 - 15, default = 3). range[0-15]
    next
end

Additional information

The following section is for those options that require additional explanation.

Support FSW BPDU Guard

With standard STP, any device that sends BPDUs into a switch port becomes a participant in that switch's STP topology. To enforce a network edge, the access ports on the switch can be configured with BPDU guard. A BPDU guard enabled port does not forward BPDUs upstream (toward its root bridge); instead, when it receives any BPDU it immediately puts the port into a blocking state and raises an alert.

This prevents the access port from accepting the downstream device, removing it from the receiving switch's STP calculations. Once BPDU guard has triggered, the port stays blocked until the user executes a reset command (or, if stp-bpdu-guard-timeout is set to a non-zero value, until that many minutes have elapsed). After the port is reset it resumes normal operation and returns to a blocking state only if another BPDU is received.

BPDU guard is typically used together with root guard to enforce a specific network topology: BPDU guard keeps hosts out of STP entirely, while root guard lets a port participate in STP but prevents a superior BPDU received on that port from electing a new root bridge.

Syntax

config switch-controller managed-switch
    edit <switch SN>
        config ports
            edit <port>
                set stp-bpdu-guard {enabled | *disabled}
                set stp-bpdu-guard-timeout <time>   (0 - 120 minutes)
            next
        end
    next
end

config switch-controller managed-switch
    edit <switch SN>
        config ports
            edit <port>
                set stp-root-guard {enabled | *disabled}
            next
        end
    next
end

(* marks the default.)

config mirror

Use this configuration method to have the FortiSwitch send a copy of the ingress and/or egress packets of one or more source ports out of another port on the same switch. This process, known as port mirroring (SPAN), is typically used to feed an external capture or analysis tool and does not affect the original traffic.

At the moment, the source and destination ports must be on the same switch.

Note: The src-ingress and src-egress entries are only available once dst has been set.
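The mirror session described above, written out as a complete configuration. This is an added example and not configuration from the original page; the switch serial S124DN0000000000, the monitored access ports port1 and port2, the sensor port port24 and the mirror name ids-span are all hypothetical placeholders.

```fortios
# Added example (not from the original page). Hypothetical names:
# switch serial S124DN0000000000, monitored ports port1/port2,
# sensor port port24 (where an IDS is cabled), mirror name ids-span.
config switch-controller managed-switch
    edit "S124DN0000000000"
        config mirror
            edit "ids-span"
                # dst has to be set first: src-ingress and src-egress
                # are only offered once the destination port exists.
                set dst "port24"
                # Keep the sensor port out of normal forwarding so it
                # carries mirrored copies only, rather than also taking
                # part in switching.
                set switching-packet disable
                # Mirror both directions of each monitored port so the
                # sensor sees requests and responses.
                config src-ingress
                    edit "port1"
                    next
                    edit "port2"
                    next
                end
                config src-egress
                    edit "port1"
                    next
                    edit "port2"
                    next
                end
                # Activate last, after all sources are in place.
                set status active
            next
        end
    next
end
```

Mirroring a port in both directions doubles the traffic delivered to the destination, so size the sensor port accordingly; oversubscription shows up as silently dropped copies, not as an error.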

config ports

Use this configuration method to configure managed-switch port lists.

arp-inspection-trust {untrusted | trusted}

Trusted or untrusted dynamic ARP inspection.

Dynamic ARP Inspection (DAI) makes the FortiSwitch intercept and examine all ARP requests and replies in a VLAN and discard those with invalid IP-to-MAC bindings. DAI blocks common man-in-the-middle (MITM) attacks such as ARP cache poisoning and stops clients from using mis-configured or spoofed IP addresses. The bindings DAI checks against are learned by DHCP snooping, so DAI is only effective on VLANs where DHCP snooping is enabled. Set a port to trusted only where ARP traffic is not subject to inspection, typically uplinks toward other switches and ports facing hosts with static addresses (which have no DHCP binding to validate against); leave host-facing ports untrusted.

discard-mode {none | all-untagged | all-tagged}

Allow switch interfaces to enforce which kinds of 802.1Q frames (tagged or untagged) are acceptable.

IEEE 802.1Q ports can run in hybrid mode, simultaneously accepting tagged and untagged frames based on VLAN membership. This option permits greater control over which frame types may enter a given port. By default (none), all frames are accepted on each FortiSwitch port. On an access port, all-tagged rejects frames that a host tags itself in an attempt to reach another VLAN; on a tagged-only uplink, all-untagged drops frames that would otherwise land in the port's native VLAN.
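The BPDU guard and root guard section, the arp-inspection-trust entry and the discard-mode entry above each describe one piece of hardening an access port; the following block, added here as an example and not taken from the original page, combines them on one switch and shows the opposite settings on the uplink, which is where most of these options do harm if applied blindly. Hypothetical names: switch serial S124DN0000000000, the FortiGate VLAN interface "users", the host-facing port port1 and the uplink port24 toward the switch that hosts the STP root. The reading that a non-zero stp-bpdu-guard-timeout re-enables a guarded port automatically is an assumption drawn from the option's description.

```fortios
# Added example (not from the original page). Hypothetical names:
# switch serial S124DN0000000000, VLAN "users", access port port1,
# uplink port24 toward the switch holding the STP root bridge.
config switch-controller managed-switch
    edit "S124DN0000000000"
        config ports
            # Host-facing access port.
            edit "port1"
                set vlan "users"
                # Hosts have no business sending tagged frames.
                set discard-mode all-tagged
                # Go straight to forwarding; a host is never a bridge.
                set edge-port enable
                # Any BPDU from a host (rogue switch, bridged VM, loop)
                # blocks the port. Assumed: 30 = re-enable after 30 min,
                # 0 = stay down until manually reset.
                set stp-bpdu-guard enabled
                set stp-bpdu-guard-timeout 30
                set stp-root-guard enabled
                # DHCP offers and ARP replies from hosts are validated,
                # not trusted; this is what stops rogue DHCP and ARP
                # poisoning.
                set dhcp-snooping untrusted
                set arp-inspection-trust untrusted
                # A phone plus a PC behind it; MAC flooding stops at 2.
                set learning-limit 2
                set lldp-status tx-rx
            next
            # Uplink toward the distribution switch / STP root.
            edit "port24"
                config allowed-vlans
                    edit "users"
                    next
                end
                # Tagged-only link: untagged frames have no valid VLAN.
                set discard-mode all-untagged
                set edge-port disable
                # Never guard the uplink: legitimate BPDUs and the real
                # root bridge arrive here.
                set stp-bpdu-guard disabled
                set stp-root-guard disabled
                # The DHCP server and other subnets are reached this way.
                set dhcp-snooping trusted
                set arp-inspection-trust trusted
                set learning-limit 0
                set lldp-status tx-rx
            next
        end
    next
end
```

DHCP snooping and DAI also need to be switched on for the VLAN itself (in FortiOS 6.0 that is done on the VLAN interface under config system interface, not under this command), otherwise the untrusted/trusted port settings have nothing to enforce. Leaving the uplink at learning-limit 0 is deliberate: every MAC in the rest of the network is learned there.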

sflow-sampler {enabled | disabled}

Enable or disable (the default) the sFlow protocol on this interface. Once enabled, use the other sFlow related entries to configure the sample rate, counter interval, and sample direction for sFlow data-analysis.

sflow-sample-rate <every-n-packets>

Define a sampling rate, where on average one out of every n packets is randomly sampled. This type of sampling does not provide a 100% accurate result, but it does provide a result with quantifiable accuracy.

The sample rate defines the average number of packets to wait between samples. Set the value between 10 and 99999 in practice (the CLI accepts 0 - 99999). The default is 512, which provides high enough accuracy in most cases.

The lower the sample rate, the higher the number of packets sampled. Sampling more packets increases the accuracy of the sampling data but also increases the CPU and network bandwidth required to support sFlow.

sflow-counter-interval <seconds>

The amount of time in seconds that the sFlow agent waits between sending collected interface counters to the sFlow collector. Set a value from 1 to 255. The default is 30.

sFlow counter sampling can be more efficient than SNMP polling when monitoring a large number of interfaces. A higher polling interval means less data is sent across the network, but it also means that the sFlow collector's picture of the network may be out of date.

sample-direction {tx | rx | both}

Determine whether the sFlow agent should sample traffic received by the interface (rx) or sent from the interface (tx) or both.
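The sFlow entries above, applied as an added example (not configuration from the original page) with two different sampling policies: a conservative one on the uplink, where packet volume is highest, and a tighter one on a server port, where a scan or bulk exfiltration would originate. The switch serial S124DN0000000000 and the port names are hypothetical; the collector address is configured outside this command and is not shown.

```fortios
# Added example (not from the original page). Hypothetical names:
# switch serial S124DN0000000000, uplink port24, server port port1.
# The sFlow collector itself is configured elsewhere, not here.
config switch-controller managed-switch
    edit "S124DN0000000000"
        config ports
            # Uplink: high volume, so keep the default 1-in-512 and the
            # default 30 s counter export; both directions so east-west
            # and north-south flows both show up.
            edit "port24"
                set sflow-sampler enabled
                set sflow-sample-rate 512
                set sflow-counter-interval 30
                set sample-direction both
            next
            # Server port: 1-in-64 gives a usable picture of who talks
            # to the server and of anything the server initiates; rx
            # only, since its egress is already seen on the uplink.
            edit "port1"
                set sflow-sampler enabled
                set sflow-sample-rate 64
                set sflow-counter-interval 10
                set sample-direction rx
            next
        end
    next
end
```

Sampling every port in both directions counts most flows twice (once on ingress, once on egress); sampling rx on access ports and both on uplinks keeps the collector's flow totals closer to the truth while still covering every path.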

set poe-detection-type <type>

Set the Power over Ethernet (PoE) detection method to be used by the managed FortiSwitch.

                        trusted    Trusted DHCP snooping interface.
                set dhcp-snoop-option82-trust {enable | disable}   Enable/disable allowance of DHCP with option-82 on untrusted interface.
                set arp-inspection-trust {untrusted | trusted}   Trusted or untrusted dynamic ARP inspection.
                        untrusted  Untrusted dynamic ARP inspection.
                        trusted    Trusted dynamic ARP inspection.
                set igmp-snooping {enable | disable}   Set IGMP snooping mode for the physical port interface.
                set igmps-flood-reports {enable | disable}   Enable/disable flooding of IGMP reports to this interface when igmp-snooping enabled.
                set igmps-flood-traffic {enable | disable}   Enable/disable flooding of IGMP snooping traffic to this interface.
                set stp-state {enabled | disabled}   Enable/disable Spanning Tree Protocol (STP) on this interface.
                        enabled   Enable STP on this interface.
                        disabled  Disable STP on this interface.
                set stp-root-guard {enabled | disabled}   Enable/disable STP root guard on this interface.
                        enabled   Enable STP root-guard on this interface.
                        disabled  Disable STP root-guard on this interface.
                set stp-bpdu-guard {enabled | disabled}   Enable/disable STP BPDU guard on this interface.
                        enabled   Enable STP BPDU guard on this interface.
                        disabled  Disable STP BPDU guard on this interface.
                set stp-bpdu-guard-timeout {integer}   BPDU Guard disabling protection (0 - 120 min). range[0-120]
                set edge-port {enable | disable}   Enable/disable this interface as an edge port, bridging connections between workstations and/or computers.
                set discard-mode {none | all-untagged | all-tagged}   Configure discard mode for port.
                        none          Discard disabled.
                        all-untagged  Discard all frames that are untagged.
                        all-tagged    Discard all frames that are tagged.
                set sflow-sampler {enabled | disabled}   Enable/disable sFlow protocol on this interface.
                        enabled   Enable sFlow protocol on this interface.
                        disabled  Disable sFlow protocol on this interface.
                set sflow-sample-rate {integer}   sFlow sampler sample rate (0 - 99999 p/sec). range[0-99999]
                set sflow-counter-interval {integer}   sFlow sampler counter polling interval (1 - 255 sec). range[1-255]
                set sample-direction {tx | rx | both}   sFlow sample direction.
                        tx    Monitor transmitted traffic.
                        rx    Monitor received traffic.
                        both  Monitor transmitted and received traffic.
                set loop-guard {enabled | disabled}   Enable/disable loop-guard on this interface, an STP optimization used to prevent network loops.
                        enabled   Enable loop-guard on this interface.
                        disabled  Disable loop-guard on this interface.
                set loop-guard-timeout {integer}   Loop-guard timeout (0 - 120 min, default = 45). range[0-120]
                set qos-policy {string}   Switch controller QoS policy from available options. size[63] - datasource(s): switch-controller.qos.qos-policy.name
                set port-security-policy {string}   Switch controller authentication policy to apply to this managed switch from available options. size[31] - datasource(s): switch-controller.security-policy.802-1X.name,switch-controller.security-policy.captive-portal.name
                set export-to-pool {string}   Switch controller export port to pool-list. size[35] - datasource(s): switch-controller.virtual-port-pool.name
                config export-tags
                    edit {tag-name}
                    # Switch controller export tag name.
                        set tag-name {string}   Switch tag name. size[63] - datasource(s): switch-controller.switch-interface-tag.name
                    next
                set export-to-pool-flag {integer}   Switch controller export port to pool-list. range[0-1]
                set learning-limit {integer}   Limit the number of dynamic MAC addresses on this Port (1 - 128, 0 = no limit, default). range[0-128]
                set lldp-status {disable | rx-only | tx-only | tx-rx}   LLDP transmit and receive status.
                        disable  Disable LLDP TX and RX.
                        rx-only  Enable LLDP as RX only.
                        tx-only  Enable LLDP as TX only.
                        tx-rx    Enable LLDP TX and RX.
                set lldp-profile {string}   LLDP port TLV profile. size[63] - datasource(s): switch-controller.lldp-profile.name
                set export-to {string}   Export managed-switch port to a tenant VDOM. size[31] - datasource(s): system.vdom.name
                set port-selection-criteria {option}   Algorithm for aggregate port selection.
                        src-mac      Source MAC address.
                        dst-mac      Destination MAC address.
                        src-dst-mac  Source and destination MAC address.
                        src-ip       Source IP address.
                        dst-ip       Destination IP address.
                        src-dst-ip   Source and destination IP address.
                set description {string}   Description for port. size[63]
                set lacp-speed {slow | fast}   Send Link Aggregation Control Protocol (LACP) messages every 30 seconds (slow) or every second (fast).
                        slow  Send LACP message every 30 seconds.
                        fast  Send LACP message every second.
                set mode {static | lacp-passive | lacp-active}   LACP mode: ignore and do not send control messages, or negotiate 802.3ad aggregation passively or actively.
                        static        Static aggregation, do not send and ignore any control messages.
                        lacp-passive  Passively use LACP to negotiate 802.3ad aggregation.
                        lacp-active   Actively use LACP to negotiate 802.3ad aggregation.
                set bundle {enable | disable}   Enable/disable Link Aggregation Group (LAG) bundling for non-FortiLink interfaces.
                set member-withdrawal-behavior {forward | block}   Port behavior after it withdraws because of loss of control packets.
                        forward  Forward traffic.
                        block    Block traffic.
                set mclag {enable | disable}   Enable/disable multi-chassis link aggregation (MCLAG).
                set min-bundle {integer}   Minimum size of LAG bundle (1 - 24, default = 1). range[1-24]
                set max-bundle {integer}   Maximum size of LAG bundle (1 - 24, default = 24). range[1-24]
                config members
                    edit {member-name}
                    # Aggregated LAG bundle interfaces.
                        set member-name {string}   Interface name from available options. size[64]
                    next
            next
        config stp-settings
            set local-override {enable | disable}   Enable to configure local STP settings that override global STP settings.
            set name {string}   Name of local STP settings configuration. size[31]
            set status {enable | disable}   Enable/disable STP.
            set revision {integer}   STP revision number (0 - 65535). range[0-65535]
            set hello-time {integer}   Period of time between successive STP frame Bridge Protocol Data Units (BPDUs) sent on a port (1 - 10 sec, default = 2). range[1-10]
            set forward-time {integer}   Period of time a port is in listening and learning state (4 - 30 sec, default = 15). range[4-30]
            set max-age {integer}   Maximum time before a bridge port saves its configuration BPDU information (6 - 40 sec, default = 20). range[6-40]
            set max-hops {integer}   Maximum number of hops between the root bridge and the furthest bridge (1 - 40, default = 20). range[1-40]
            set pending-timer {integer}   Pending time (1 - 15 sec, default = 4). range[1-15]
        config switch-stp-settings
            set status {enable | disable}   Enable/disable STP.
        config switch-log
            set local-override {enable | disable}   Enable to configure local logging settings that override global logging settings.
            set status {enable | disable}   Enable/disable adding FortiSwitch logs to the FortiGate event log.
            set severity {option}   Severity of FortiSwitch logs that are added to the FortiGate event log.
                    emergency     Emergency level.
                    alert         Alert level.
                    critical      Critical level.
                    error         Error level.
                    warning       Warning level.
                    notification  Notification level.
                    information   Information level.
                    debug         Debug level.
        config storm-control
            set local-override {enable | disable}   Enable to override global FortiSwitch storm control settings for this FortiSwitch.
            set rate {integer}   Rate in packets per second at which storm traffic is controlled (1 - 10000000, default = 500). Storm control drops excess traffic data rates beyond this threshold. range[1-10000000]
            set unknown-unicast {enable | disable}   Enable/disable storm control to drop unknown unicast traffic.
            set unknown-multicast {enable | disable}   Enable/disable storm control to drop unknown multicast traffic.
            set broadcast {enable | disable}   Enable/disable storm control to drop broadcast traffic.
        config mirror
            edit {name}
            # Configuration method to edit FortiSwitch packet mirror.
                set name {string}   Mirror name. size[63]
                set status {active | inactive}   Active/inactive mirror configuration.
                        active    Activate mirror configuration.
                        inactive  Deactivate mirror configuration.
                set switching-packet {enable | disable}   Enable/disable switching functionality when mirroring.
                set dst {string}   Destination port. size[63]
                config src-ingress
                    edit {name}
                    # Source ingress interfaces.
                        set name {string}   Interface name. size[64]
                    next
                config src-egress
                    edit {name}
                    # Source egress interfaces.
                        set name {string}   Interface name. size[64]
                    next
            next
        config custom-command
            edit {command-entry}
            # Configuration method to edit FortiSwitch commands to be pushed to this FortiSwitch device upon rebooting the FortiGate switch controller or the FortiSwitch.
                set command-entry {string}   List of FortiSwitch commands. size[35]
                set command-name {string}   Names of commands to be pushed to this FortiSwitch device, as configured under config switch-controller custom-command. size[35] - datasource(s): switch-controller.custom-command.command-name
            next
        config igmp-snooping
            set local-override {enable | disable}   Enable/disable overriding the global IGMP snooping configuration.
            set aging-time {integer}   Maximum time to retain a multicast snooping entry for which no packets have been seen (15 - 3600 sec, default = 300). range[15-3600]
            set flood-unknown-multicast {enable | disable}   Enable/disable unknown multicast flooding.
        config 802-1X-settings
            set local-override {enable | disable}   Enable to override global 802.1X settings on individual FortiSwitches.
            set link-down-auth {set-unauth | no-action}   Authentication state to set if a link is down.
                    set-unauth  Interface set to unauth when down. Reauthentication is needed.
                    no-action   Interface reauthentication is not needed.
            set reauth-period {integer}   Reauthentication time interval (1 - 1440 min, default = 60, 0 = disable). range[1-1440]
            set max-reauth-attempt {integer}   Maximum number of authentication attempts (0 - 15, default = 3). range[0-15]
    next
end

Additional information

The following section is for those options that require additional explanation.

Support FSW BPDU Guard

With standard STP, a device that sends BPDUs to any switch port becomes a member of that switch’s STP network topology. In order to enforce a network edge, the access ports on the switch can be configured with BPDU guard. With BPDU guard enabled, the port does not forward BPDUs upstream (toward its root bridge). Instead, when a BPDU-guard-enabled port receives any BPDU, it immediately puts the port into a blocking state and alerts the user.

This prevents the access port from accepting the downstream device, removing it from the receiving switch’s STP calculations. In order to unblock the port after BPDU guard has triggered, the user must execute a reset command. After the port is reset, it resumes normal operation and returns to a blocking state only if another BPDU is received.

BPDU guard is typically used in conjunction with Root Guard to enforce a specific network topology.

Syntax

config switch-controller managed-switch
    edit <switch SN>
        config ports
            edit <port>
                set stp-bpdu-guard <enable | *disable>
                set stp-bpdu-guard-timeout <time> (0-120 in minutes)
            next
        end
    next
end

config switch-controller managed-switch
    edit <switch SN>
        config ports
            edit <port>
                set stp-root-guard <enable | *disable>
            next
        end
    next
end
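The following is an added example, not part of this reference or of any Fortinet tool: a small Python audit that parses a config dump in the config/edit/set/next/end shape shown above and reports edge ports (edge-port enable) that are not protected by BPDU guard. The serial number, port names and values in SAMPLE_CONFIG are constructed for the example. It accepts both the enabled/disabled spelling from the command tree and the enable/disable spelling from the syntax block. Treating a stp-bpdu-guard-timeout of 0 as "no timed recovery" is an assumption; the reference only states the range.

```python
import shlex
from typing import List, Tuple

# Constructed sample in the shape of the reference above; the serial number,
# port names and values are made up for this example.
SAMPLE_CONFIG = """\
config switch-controller managed-switch
    edit "S108DVEXAMPLE001"
        config ports
            edit "port1"
                set edge-port enable
                set stp-bpdu-guard enabled
                set stp-bpdu-guard-timeout 5
            next
            edit "port2"
                set edge-port enable
                set stp-bpdu-guard disabled
            next
            edit "port3"
                set edge-port enable
            next
            edit "port4"
                set edge-port enable
                set stp-bpdu-guard enabled
                set stp-bpdu-guard-timeout 0
            next
            edit "port24"
                set edge-port disable
                set stp-root-guard enabled
            next
        end
    next
end
"""


def parse_fortios(text: str) -> dict:
    """Parse the config / edit / set / next / end grammar into nested dicts.

    A ``config`` block is a dict keyed by its ``edit`` names (or holding bare
    ``set`` values when the block has no entries, as stp-settings does); each
    entry maps setting names to their string values and nested config blocks.
    """
    root: dict = {}
    stack: List[dict] = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)          # handles the quoted edit names
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif keyword == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif keyword == "set":
            stack[-1][args[0]] = " ".join(args[1:])
        elif keyword in ("next", "end"):
            stack.pop()
    return root


def audit_bpdu_guard(config: dict) -> List[Tuple[str, str, str]]:
    """Return (switch, port, finding) for edge ports that BPDU guard does not protect."""
    findings = []
    switches = config.get("switch-controller managed-switch", {})
    for switch_id, switch in switches.items():
        for port_name, port in switch.get("ports", {}).items():
            # Uplinks and ISLs legitimately exchange BPDUs; only edge ports are in scope.
            if port.get("edge-port") != "enable":
                continue
            # The command tree lists enabled/disabled while the syntax block
            # writes enable/disable, so accept both spellings.
            if port.get("stp-bpdu-guard", "disabled") not in ("enable", "enabled"):
                findings.append((switch_id, port_name, "edge port without BPDU guard"))
            elif port.get("stp-bpdu-guard-timeout") == "0":
                # Assumption: 0 means no timed recovery, so a triggered port
                # stays blocked until an operator resets it.
                findings.append((switch_id, port_name, "BPDU guard timeout is 0: no timed recovery"))
    return findings


if __name__ == "__main__":
    for switch_id, port_name, finding in audit_bpdu_guard(parse_fortios(SAMPLE_CONFIG)):
        print(f"{switch_id} {port_name}: {finding}")
```

On the constructed sample the audit flags port2 (guard disabled), port3 (guard never set) and port4 (timeout 0), and skips port24 because it is not an edge port.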

config mirror

Use this configuration method to configure FortiSwitch to send a copy of any ingress/egress packets on a port to egress on another port on the switch. This process, also known as port mirroring, is typically for external analysis and capture, and does not affect the original traffic.

At the moment, the ingress and egress ports must be on the same switch.

Note: The src-ingress and src-egress entries are only available when dst has been set.

config ports

Use this configuration method to configure managed-switch port lists.

arp-inspection-trust {untrusted | trusted}

Trusted or untrusted dynamic ARP inspection.

Dynamic ARP Inspection (DAI) enables FortiSwitch to intercept and examine all ARP request and response packets in a subnet and discard those packets with invalid IP-to-MAC address bindings. DAI can prevent common man-in-the-middle (MiM) attacks such as ARP cache poisoning and disallow misconfiguration of client IP addresses.
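To make the trusted/untrusted distinction concrete, here is an added Python model of the check (an illustration written for this page, not FortiSwitch code). It assumes, which the reference does not spell out, that valid bindings are supplied as (IP, MAC, port) triples of the kind DHCP snooping learns, and that a sender is valid only when all three match. The ports, MAC addresses and IP addresses are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ArpPacket:
    ingress_port: str
    sender_mac: str
    sender_ip: str


class DynamicArpInspector:
    """Per-port DAI as described above, simplified for illustration.

    Assumptions the reference does not spell out: valid IP-to-MAC bindings are
    supplied as (ip, mac, port) triples such as DHCP snooping would learn, and a
    sender is valid only when its IP, MAC and ingress port all match one binding.
    """

    def __init__(self, port_trust: Dict[str, str], bindings: List[Tuple[str, str, str]]):
        self.port_trust = port_trust          # port -> "trusted" | "untrusted"
        self.bindings: Set[Tuple[str, str, str]] = set(bindings)
        self.dropped: List[ArpPacket] = []

    def inspect(self, pkt: ArpPacket) -> bool:
        """Return True if the ARP packet is forwarded, False if DAI discards it."""
        # arp-inspection-trust trusted: ARP on this port is not inspected
        # (meant for uplinks towards the gateway, never for client access ports).
        if self.port_trust.get(pkt.ingress_port, "untrusted") == "trusted":
            return True
        valid = (pkt.sender_ip, pkt.sender_mac, pkt.ingress_port) in self.bindings
        if not valid:
            self.dropped.append(pkt)
        return valid


def run_demo() -> Tuple[int, int]:
    """Feed constructed ARP traffic through the inspector; returns (forwarded, dropped)."""
    dai = DynamicArpInspector(
        port_trust={"port24": "trusted"},  # uplink; port1/port2 default to untrusted
        bindings=[
            ("10.0.0.10", "02:00:00:00:00:0a", "port1"),
            ("10.0.0.11", "02:00:00:00:00:0b", "port2"),
        ],
    )
    traffic = [
        ArpPacket("port1", "02:00:00:00:00:0a", "10.0.0.10"),   # matches its binding
        ArpPacket("port2", "02:00:00:00:00:0b", "10.0.0.1"),    # claims the gateway IP: poisoning attempt, dropped
        ArpPacket("port2", "02:00:00:00:00:0a", "10.0.0.10"),   # valid pair, but learned on another port: dropped
        ArpPacket("port24", "02:00:00:00:00:fe", "10.0.0.1"),   # trusted uplink, not inspected
    ]
    results = [dai.inspect(p) for p in traffic]
    return sum(results), len(dai.dropped)


if __name__ == "__main__":
    print("forwarded=%d dropped=%d" % run_demo())
```

The third packet shows why the ingress port is part of the binding: a correct IP/MAC pair presented on the wrong port is still discarded, and the fourth shows why the trusted setting belongs only on ports where the bindings cannot be verified, such as the uplink.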

discard-mode {none | all-untagged | all-tagged}

Allow switch interfaces to enforce what types of tagged or untagged 802.1Q frames are considered acceptable.

IEEE 802.1Q ports can run in hybrid mode, simultaneously accepting tagged or untagged frames based on VLAN membership. This option permits greater control over what types of frames (tagged or untagged) may access a given port. By default, all frames have access to each FortiSwitch port.
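As an added example (not from this reference), the Python below shows how a port tells tagged from untagged frames and how each discard-mode value acts on them: it reads the TPID at bytes 12-13 of the Ethernet header, extracts the VLAN ID from the TCI, and filters a list of frames. The two frames are constructed byte strings, not captures; only the 802.1Q customer TPID 0x8100 is treated as a tag here.

```python
from typing import List, Optional

TPID_8021Q = 0x8100  # TPID that marks an 802.1Q customer VLAN tag

# Constructed frame headers (hex), nothing captured from a real network:
# destination MAC, source MAC, then either an EtherType (untagged) or
# TPID + TCI followed by the EtherType (tagged). Payloads are omitted.
UNTAGGED_ARP = bytes.fromhex("ffffffffffff" "020000000001" "0806")
TAGGED_VLAN100_IP = bytes.fromhex("020000000002" "020000000001" "8100" "0064" "0800")


def is_tagged(frame: bytes) -> bool:
    """True if the frame carries an 802.1Q tag (TPID at bytes 12-13)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    return int.from_bytes(frame[12:14], "big") == TPID_8021Q


def vlan_id(frame: bytes) -> Optional[int]:
    """VLAN ID from the TCI (low 12 bits), or None for an untagged frame."""
    if not is_tagged(frame):
        return None
    tci = int.from_bytes(frame[14:16], "big")
    return tci & 0x0FFF


def port_accepts(frame: bytes, discard_mode: str) -> bool:
    """Apply the port's discard-mode to one frame."""
    tagged = is_tagged(frame)
    if discard_mode == "none":            # default: every frame is accepted
        return True
    if discard_mode == "all-untagged":    # trunk-style port: tag required
        return tagged
    if discard_mode == "all-tagged":      # access-style port: tags refused
        return not tagged
    raise ValueError(f"unknown discard-mode {discard_mode!r}")


def filter_frames(frames: List[bytes], discard_mode: str) -> List[bytes]:
    """Return the frames the port would let in under the given discard-mode."""
    return [f for f in frames if port_accepts(f, discard_mode)]


if __name__ == "__main__":
    for mode in ("none", "all-untagged", "all-tagged"):
        kept = filter_frames([UNTAGGED_ARP, TAGGED_VLAN100_IP], mode)
        print(mode, [vlan_id(f) for f in kept])
```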

sflow-sampler {enable | disable}

Enable or disable (the default) the sFlow protocol on this interface. Once enabled, use the other sFlow-related entries to configure the sample rate, counter interval, and sample direction for sFlow data analysis.

sflow-sample-rate <every-n-packets>

Define a sampling rate, where an average of one out of n packets or operations is randomly sampled. This type of sampling does not provide a 100% accurate result, but it does provide a result with quantifiable accuracy.

The sample rate defines the average number of packets to wait between samples. Set the value between 10 - 99999. The default is 512, which provides high enough accuracy in most cases.

The lower the sample-rate the higher the number of packets sampled. Sampling more packets increases the accuracy of the sampling data but also increases the CPU and network bandwidth required to support sFlow.
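The accuracy trade-off above can be seen with a simulation. This is an added Python example, not FortiSwitch code or an sFlow implementation: it generates a constructed 30%/70% traffic mix, samples it 1-in-N at random as described, estimates the share of one class from the samples, and quotes the usual rule of thumb for the 95% relative error of such an estimate, about 196/sqrt(c) percent for a class seen in c samples (from the 1/sqrt(c) relative standard error of simple random sampling). The traffic classes and seed are assumptions for the example.

```python
import math
import random
from typing import Dict, Iterable


def sample_packets(packets: Iterable[str], sample_rate: int, rng: random.Random) -> Dict[str, int]:
    """Random 1-in-N sampling: each packet is taken with probability 1/sample_rate,
    so on average sample_rate packets pass between samples. Returns the number of
    samples seen per traffic class."""
    counts: Dict[str, int] = {}
    for traffic_class in packets:
        if rng.randrange(sample_rate) == 0:
            counts[traffic_class] = counts.get(traffic_class, 0) + 1
    return counts


def estimated_share(counts: Dict[str, int], traffic_class: str) -> float:
    """Estimate a class's share of all traffic from its share of the samples."""
    total = sum(counts.values())
    return counts.get(traffic_class, 0) / total if total else 0.0


def error_bound_percent(samples_in_class: int) -> float:
    """Approximate 95% relative error (%) of an estimate based on c samples.

    The relative standard error of a simple random sample count of c is about
    1/sqrt(c); 1.96 standard errors expressed as a percentage is ~196/sqrt(c)."""
    if samples_in_class == 0:
        return math.inf
    return 196.0 / math.sqrt(samples_in_class)


def run_demo(n_packets: int = 200_000, sample_rate: int = 512, seed: int = 7) -> dict:
    """Constructed traffic: 30% 'dns', 70% 'web'. Returns what a collector could infer."""
    rng = random.Random(seed)
    traffic = ["dns" if rng.random() < 0.30 else "web" for _ in range(n_packets)]
    counts = sample_packets(traffic, sample_rate, rng)
    return {
        "expected_samples": n_packets / sample_rate,
        "samples": sum(counts.values()),
        "dns_share": estimated_share(counts, "dns"),
        "dns_error_pct": error_bound_percent(counts.get("dns", 0)),
    }


if __name__ == "__main__":
    for rate in (512, 64):
        r = run_demo(sample_rate=rate)
        print(f"rate 1/{rate}: {r['samples']} samples, dns share ~{r['dns_share']:.3f} "
              f"(+/- {r['dns_error_pct']:.1f}% relative)")
```

Running it with the default rate of 512 yields roughly 390 samples from 200,000 packets and a dns estimate near 0.30 with an error bound in the high teens of percent; lowering the rate to 64 takes eight times as many samples, so the bound shrinks by about sqrt(8) while the agent's CPU and export bandwidth grow in proportion to the sample count.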

sflow-counter-interval <seconds>

The amount of time in seconds that the sFlow agent waits between sending collected data to the sFlow collector. Set the range between 1 - 255. The default is 30.

sFlow counter sampling can be more efficient than SNMP polling when monitoring a large number of interfaces. A higher polling interval means less data is sent across the network but also means that the sFlow collector’s picture of the network may be out of date.

sample-direction {tx | rx | both}

Determine whether the sFlow agent should sample traffic received by the interface (rx) or sent from the interface (tx) or both.

set poe-detection-type <type>

Set the Power over Ethernet (PoE) detection method to be used by the managed FortiSwitch.