CLI Reference

system switch-interface

Use this command to group physical and WiFi interfaces into a software switch interface (also called a softswitch, soft-switch or soft switch). A software switch is a virtual switch that is implemented in software instead of hardware. When you add interfaces to a software switch, the interfaces all share one IP address and appear as a single entry on the interface list. As a result, all of the interfaces are on the same subnet, and traffic between devices connected to different interfaces of the software switch is not filtered by firewall policies unless intra-switch-policy is set to explicit.

Adding a software switch can be used to simplify communication between devices connected to different FortiGate interfaces. For example, using a software switch you can place the FortiGate interface connected to an internal network on the same subnet as your wireless interfaces. Then devices on the internal network can communicate with devices on the wireless network without any additional configuration on the FortiGate unit.

The physical and WiFi interfaces added to a software switch interface cannot be used in any other configuration. The WiFi interfaces can be on the FortiWiFi unit itself or on remote FortiWiFi or FortiAP units controlled by the wireless controller feature. Interfaces in a software switch cannot be monitored by HA or used as heartbeat devices. This command can be used at the Global or VDOM level.

config system switch-interface
    edit {name}
    # Configure software switch interfaces by grouping physical and WiFi interfaces.
        set name {string}   Interface name (name cannot be in use by any other interfaces, VLANs, or inter-VDOM links). size[15]
        set vdom {string}   VDOM that the software switch belongs to. size[31] - datasource(s): system.vdom.name
        set span-dest-port {string}   SPAN destination port name. All traffic on the SPAN source ports is echoed to the SPAN destination port. size[15] - datasource(s): system.interface.name
        config span-source-port
            edit {interface-name}
            # Physical interface name. Port spanning echoes all traffic on the SPAN source ports to the SPAN destination port.
                set interface-name {string}   Physical interface name. size[64] - datasource(s): system.interface.name
            next
        config member
            edit {interface-name}
            # Names of the interfaces that belong to the virtual switch.
                set interface-name {string}   Physical interface name. size[64] - datasource(s): system.interface.name
            next
        set type {switch | hub}   Type of switch based on functionality: switch for normal functionality, or hub to duplicate packets to all port members.
                switch  Switch for normal switch functionality (available in NAT mode only).
                hub     Hub to duplicate packets to all member ports.
        set intra-switch-policy {implicit | explicit}   Allow any traffic between switch interfaces or require firewall policies to allow traffic between switch interfaces.
                implicit  Traffic between switch members is implicitly allowed.
                explicit  Traffic between switch members must match firewall policies.
        set span {disable | enable}   Enable/disable port spanning. Port spanning echoes traffic received by the software switch to the span destination port.
        set span-direction {rx | tx | both}   The direction in which the SPAN port operates, either: rx, tx, or both.
                rx    Copies only received packets from source SPAN ports to the destination SPAN port.
                tx    Copies only transmitted packets from source SPAN ports to the destination SPAN port.
                both  Copies both received and transmitted packets from source SPAN ports to the destination SPAN port.
    next
end

Additional information

The following section is for those options that require additional explanation.

member <iflist>

Enter a list of the interfaces that will be part of this software switch. Separate interface names with a space. Use <tab> to advance through the list of available interfaces.

span {enable | disable}

Enable or disable port spanning. This is available only when type is switch. Port spanning echoes traffic received by the software switch to the span destination port. Port spanning can be used to monitor all traffic passing through the soft switch. You can also configure the span destination port and the span source ports, which are the switch ports for which traffic is echoed. Disabled by default.

span-dest-port <portnum>

Enter the span port destination port name. All traffic on the span source ports is echoed to the span destination port. Use <tab> to advance through the list of available interfaces. Available when span is enabled.

span-direction {rx | tx | both}

Select the direction in which the span port operates:

rx: copies only received packets from the source SPAN ports to the destination SPAN port.

tx: copies only transmitted packets from the source SPAN ports to the destination SPAN port.

both (the default): copies both transmitted and received packets from the source SPAN ports to the destination SPAN port.

span-direction is available only when span is enabled.

span-source-port <portlist>

Enter a list of the interfaces that are span source ports. Separate interface names with a space. Port spanning echoes all traffic on the span source ports to the span destination port. Use <tab> to advance through the list of available interfaces. Available when span is enabled.

type {hub | switch | hardware-switch}

Select the type of switch functionality:

hub: duplicates packets to all member ports.

switch (the default): normal switch functionality (available in NAT mode only).

vdom <vdom_name>

Enter the name of the VDOM to which the software switch belongs.
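The options above determine whether member-to-member traffic is ever seen by a firewall policy (intra-switch-policy) and whether a copy of it reaches a monitoring interface (span, span-dest-port, span-source-port, span-direction). The following Python audit script is an added example, not Fortinet code: it parses config system switch-interface blocks in the syntax shown on this page from a saved configuration and reports the settings a reviewer would want to check. The sample configuration, switch names and port names are constructed; the script assumes, as in FortiOS configuration files generally, that the member and span-source-port sub-tables are closed with end, which the syntax listing above omits.

```python
"""Parse and audit FortiOS `config system switch-interface` entries.

Added example, not Fortinet's code. The configuration text, switch names
and interface names below are constructed for illustration.
"""
import shlex
from dataclasses import dataclass, field

# Constructed sample configuration (not from a real unit). Sub-tables are
# closed with `end`, as in FortiOS config files; the reference omits them.
SAMPLE_CONFIG = """
config system switch-interface
    edit "lan-sw"
        set vdom "root"
        set type switch
        set intra-switch-policy explicit
        set span enable
        set span-direction rx
        set span-dest-port "port5"
        config span-source-port
            edit "port2"
            next
            edit "port3"
            next
        end
        config member
            edit "port2"
            next
            edit "port3"
            next
            edit "wifi"
            next
        end
    next
    edit "legacy-sw"
        set vdom "root"
        set type switch
        set intra-switch-policy implicit
        set span enable
        config span-source-port
            edit "port7"
            next
        end
        config member
            edit "port6"
            next
            edit "wifi2"
            next
        end
    next
end
"""

TABLE = "system switch-interface"


@dataclass
class SoftSwitch:
    name: str
    vdom: str = ""
    type: str = "switch"            # reference: switch is the default
    intra_switch_policy: str = ""   # reference states no default; "" = not set
    span: str = "disable"           # reference: disabled by default
    span_direction: str = "both"    # reference: both is the default
    span_dest_port: str = ""
    span_source_ports: list = field(default_factory=list)
    members: list = field(default_factory=list)


def parse_switch_interfaces(text):
    """Return the SoftSwitch entries found in a FortiOS configuration dump."""
    switches, path, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)          # handles quoted names
        kw, args = tokens[0], tokens[1:]
        if kw == "config":
            path.append(" ".join(args))     # enter a table or sub-table
        elif kw == "end":
            path.pop()
        elif kw == "edit" and path == [TABLE]:
            current = SoftSwitch(name=args[0])
            switches.append(current)
        elif kw == "edit" and path == [TABLE, "span-source-port"]:
            current.span_source_ports.append(args[0])
        elif kw == "edit" and path == [TABLE, "member"]:
            current.members.append(args[0])
        elif kw == "set" and path == [TABLE] and current is not None:
            key = args[0].replace("-", "_")  # e.g. span-dest-port -> span_dest_port
            if hasattr(current, key):
                setattr(current, key, args[1])
    return switches


def audit(sw):
    """Return (code, message) findings for one software switch."""
    findings = []
    if sw.intra_switch_policy != "explicit":
        findings.append(("intra-switch-implicit",
                         f"{sw.name}: traffic between members {sw.members} is not matched "
                         "against firewall policies; set intra-switch-policy explicit to inspect it"))
    if sw.type == "hub":
        findings.append(("hub-mode", f"{sw.name}: hub mode copies every packet to all member ports"))
    if sw.span == "enable":
        if sw.type != "switch":
            findings.append(("span-needs-switch", f"{sw.name}: span is available only when type is switch"))
        if not sw.span_dest_port:
            findings.append(("span-no-dest", f"{sw.name}: span enabled but span-dest-port is not set"))
        if not sw.span_source_ports:
            findings.append(("span-no-source", f"{sw.name}: span enabled with no span-source-port entries"))
        for port in sw.span_source_ports:
            if port not in sw.members:   # source ports are the switch's own ports
                findings.append(("span-source-not-member",
                                 f"{sw.name}: span source {port} is not a member of this switch"))
    return findings


if __name__ == "__main__":
    for switch in parse_switch_interfaces(SAMPLE_CONFIG):
        print(f"{switch.name}: members={switch.members} span={switch.span} "
              f"direction={switch.span_direction} dest={switch.span_dest_port or '-'}")
        for code, message in audit(switch):
            print(f"  [{code}] {message}")
```

Run against the constructed sample, lan-sw produces no findings, while legacy-sw is reported for implicit intra-switch policy, a span with no destination port, and a span source port that is not one of its members. Pointing the script at a real backup is the quickest way to confirm that a mirror to a sensor port is actually carrying member traffic in the intended direction.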