STP forwarding
A FortiGate doesn't participate in the Spanning Tree Protocol (STP). STP is an IEEE 802.1D protocol that ensures there are no layer-2 loops on the network. A loop forms when there is more than one layer-2 path between switches: a broadcast frame travels around the ring back to the switch that sent it, and every switch floods it again. The resulting broadcast storm consumes all available bandwidth.
If you use a FortiGate in a network topology that relies on STP for loop protection, you need to change the FortiGate configuration. By default, the FortiGate drops STP BPDUs along with other non-IP protocol traffic, so the switches on either side never see each other's BPDUs: STP treats the path through the FortiGate as a blocked link and forwards data over another path.
Using the CLI, you can enable forwarding of STP and other layer-2 protocols through an interface. In this example, layer-2 forwarding and STP forwarding are both enabled on the external interface:
config system interface
edit external
set l2forward enable
set stpforward enable
next
end
Other interface settings, substituted for stpforward enable in the same way, allow other non-IP or tunnelling protocols, such as IPX, PPTP, or L2TP, to be used across the FortiGate.
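The default behaviour described above can be checked from a packet capture taken on the far side of the FortiGate: if BPDUs from the near-side switch are absent, stpforward is not in effect on that path. The following is an added example, not Fortinet code, that decodes a raw Ethernet frame far enough to tell IP traffic (forwarded by default) from 802.1D BPDUs (dropped unless stpforward is enabled) and from other non-IP frames (dropped unless l2forward is enabled), peeling 802.1Q tags on the way and decoding the BPDU fields so you can see which bridge claims root and with what timers. The sample frames are constructed inline rather than captured, and treating ARP as handled by the FortiGate's own ARP processing rather than by l2forward is an assumption, not something the page states.

```python
"""Classify Ethernet frames by what a FortiGate interface does with them by default.

Added example, not Fortinet code. Categories follow the text above: IP is
forwarded, 802.1D BPDUs are dropped unless stpforward is enabled, and other
non-IP frames are dropped unless l2forward is enabled. Feed it frames from a
capture (e.g. bytes read from a pcap) taken on the far side of the FortiGate
to see whether BPDUs are actually crossing. Sample frames below are constructed.
"""
import struct

STP_MCAST = bytes.fromhex("0180c2000000")  # 802.1D bridge group address
ETH_IPV4, ETH_IPV6, ETH_ARP, ETH_VLAN, ETH_IPX = 0x0800, 0x86DD, 0x0806, 0x8100, 0x8137
LLC_STP = 0x42  # DSAP/SSAP that carries STP over 802.3/LLC
BPDU_TYPES = {0x00: "config", 0x80: "tcn", 0x02: "rst"}
# What each category needs to cross a FortiGate interface, per the text above.
# ARP is assumed to be handled by the FortiGate's own ARP processing (not l2forward).
NEEDS = {"ip": "forwarded by default", "arp": "forwarded by default (assumption)",
         "stp-bpdu": "needs stpforward", "non-ip": "needs l2forward"}


def _bridge_id(raw):
    """Decode an 8-byte 802.1t bridge ID: 4-bit priority, 12-bit ext, 6-byte MAC."""
    prio_ext = struct.unpack("!H", raw[:2])[0]
    return {"priority": prio_ext & 0xF000, "sysid_ext": prio_ext & 0x0FFF,
            "mac": ":".join(f"{b:02x}" for b in raw[2:8])}


def parse_bpdu(payload):
    """Decode the BPDU that follows the LLC header (802.1D config/TCN, 802.1w RST)."""
    proto_id, version, bpdu_type = struct.unpack("!HBB", payload[:4])
    if proto_id != 0:
        raise ValueError("protocol ID is not 0: not an 802.1D BPDU")
    bpdu = {"version": version, "type": BPDU_TYPES.get(bpdu_type, f"0x{bpdu_type:02x}")}
    if bpdu_type == 0x80:  # a topology change notification carries no further fields
        return bpdu
    (flags, root, cost, bridge, port, msg_age, max_age,
     hello, fwd_delay) = struct.unpack("!B8sI8sHHHHH", payload[4:35])
    bpdu.update(flags=flags, root=_bridge_id(root), root_path_cost=cost,
                bridge=_bridge_id(bridge), port_id=port,
                # Timers are carried on the wire in units of 1/256 s.
                message_age=msg_age / 256, max_age=max_age / 256,
                hello_time=hello / 256, forward_delay=fwd_delay / 256)
    return bpdu


def classify_frame(frame):
    """Return (category, details) for one raw Ethernet frame, skipping 802.1Q tags."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, offset, vlans = frame[:6], 12, []
    ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    while ethertype == ETH_VLAN:  # peel 802.1Q (or stacked) tags
        tci, ethertype = struct.unpack("!HH", frame[offset + 2:offset + 6])
        vlans.append(tci & 0x0FFF)
        offset += 4
    offset += 2
    if ethertype in (ETH_IPV4, ETH_IPV6):
        return "ip", {"ethertype": ethertype, "vlans": vlans}
    if ethertype == ETH_ARP:
        return "arp", {"vlans": vlans}
    if ethertype >= 0x0600:  # any other EtherType: IPX, AppleTalk, ...
        return "non-ip", {"ethertype": ethertype, "vlans": vlans}
    # Below 0x0600 the field is an 802.3 length and an LLC header follows.
    llc = frame[offset:offset + 3]
    if len(llc) == 3 and llc[0] == llc[1] == LLC_STP and dst == STP_MCAST:
        bpdu = parse_bpdu(frame[offset + 3:offset + ethertype])
        bpdu["vlans"] = vlans
        return "stp-bpdu", bpdu
    return "non-ip", {"llc_dsap": llc[0] if llc else None, "vlans": vlans}


def summarize(frames):
    """Map each named frame to the FortiGate setting it needs to cross an interface."""
    return {name: NEEDS[classify_frame(f)[0]] for name, f in frames.items()}


# --- constructed sample frames (not captured traffic) -----------------------
def config_bpdu(root_mac, bridge_mac, priority=32768, cost=0, port_id=0x8001):
    """Build a classic (version 0) configuration BPDU with default 802.1D timers."""
    root = struct.pack("!H6s", priority, root_mac)
    bridge = struct.pack("!H6s", priority, bridge_mac)
    return struct.pack("!HBBB8sI8sHHHHH", 0, 0, 0x00, 0x00, root, cost, bridge,
                       port_id, 0, 20 * 256, 2 * 256, 15 * 256)


def ethernet_frame(dst, src, type_or_len, payload, vlan=None):
    """Assemble dst/src/[802.1Q tag]/type-or-length/payload."""
    hdr = dst + src + (struct.pack("!HH", ETH_VLAN, vlan) if vlan is not None else b"")
    return hdr + struct.pack("!H", type_or_len) + payload


SWITCH_A, SWITCH_B = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
LLC = bytes([LLC_STP, LLC_STP, 0x03])
SAMPLE_FRAMES = {
    "bpdu": ethernet_frame(STP_MCAST, SWITCH_A, 38, LLC + config_bpdu(SWITCH_A, SWITCH_A)),
    "bpdu_vlan10": ethernet_frame(STP_MCAST, SWITCH_B, 38,
                                  LLC + config_bpdu(SWITCH_A, SWITCH_B, cost=19, port_id=0x8002), vlan=10),
    "tcn": ethernet_frame(STP_MCAST, SWITCH_B, 7, LLC + struct.pack("!HBB", 0, 0, 0x80)),
    "ipv4": ethernet_frame(SWITCH_B, SWITCH_A, ETH_IPV4, b"\x45" + bytes(19)),
    "ipx": ethernet_frame(b"\xff" * 6, SWITCH_A, ETH_IPX, b"\xff\xff" + bytes(28)),
}

if __name__ == "__main__":
    for name, verdict in summarize(SAMPLE_FRAMES).items():
        print(f"{name:12s} {verdict}")
```

To use it against real traffic, read each frame's bytes from a capture taken on the switch port beyond the FortiGate and run classify_frame on it: a steady stream of "stp-bpdu" frames carrying the near-side switch's bridge ID confirms that stpforward is in effect on that path, while seeing only "ip" frames confirms the default drop.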
STP support for FortiGate models with hardware switches
STP (Spanning Tree Protocol) used to be available only in the old-style switch mode for the internal ports. It can now be enabled on the hardware switches found in newer FortiGate models, which use a virtual switch to simulate the old switch mode for the internal ports.
To enable STP - CLI:
config system interface
edit lan
set stp {enable | disable}
next
end