Fortinet Document Library

Version:


Table of Contents

New Features

6.2.0
Download PDF
Copy Link

Virtual Switch Extensions

The Virtual Switch concept was introduced in previous releases. It provides a container for physical ports to be loaned out to other VDOMs, which allows local management of the resource. In the original feature, only a minimum of switch capability was introduced, such as VLAN, allowed-vlan, status, speed, poe-status, and poe-reset.

This extends some of the port capabilities including:

  • poe-pre-standard-detection
  • learning-limit
  • qos-policy
  • port-security-policy
  • trunk ports (with some limitations)

Example

The following example shows how to export managed FortiSwitch ports to multi-tenant VDOMs. Some of the capabilities are available in previous releases of FortiOS, and the 6.2.0 release expands the functionality.

To export managed FortiSwitch ports to multi-tenant VDOMs:
  1. Configure switch VLAN interfaces, and assign them to the tenant VDOM:

    In this example, the owner VDOM is root, and the tenant VDOM is vdom2.

    (root) #  config system interface

    edit "tenant-vlan1"

    set vdom "vdom2"

    set device-identification enable

    set fortiheart beat enable

    set role lan

    set snmp-index 34

    set interface "aggr1"

    set vlanid 101

    next

    end

  2. In the tenant VDOM, designate default-virtual-switch-vlan, which is used to set the native VLAN of ports leased from the owner VDOM:

    (vdom2) # config switch-controller global

    set default-virtual-switch-vlan "tenant-vlan1"

    end

  3. Owner vdom admin can export managed fsw ports to tenant vdom, as below

      (root) # conf switch-controller  managed-switch 

    (managed-switch) # edit S248EPTF1800XXXX 

    (S248EPTF1800XXXX) # conf ports 

    (ports) # edit port1

    (port1) # set export-to ?

    <string>  string    please input string value

    root    vdom

    vdom1   vdom

    vdom2   vdom

    vdom3   vdom

    (port1) # set export-to vdom2

    (port1) # end

    Alternatively, the admin of the owner VDOM can export managed FortiSwitch ports to shared virtual-switch pools for the tenant VDOM to pick, for example:

     (root) # config switch-controller virtual-port-pool

    edit "pool1"

    next

    end

    (root) # conf switch-controller  managed-switch 

    (managed-switch) # edit S248EPTF18001384 

    (S248EPTF18001384) # conf ports 

    (ports) # edit port8

    (port8) # set export-to-pool pool1 

    (port8) # next 

    (ports) # edit port9

    (port9) # set export-to-pool pool1 

    (port9) # end

  4. The admin of the tenant VDOM logs in, and configures the ports of the leased managed FortiSwitch, or the admin continues to lease/release ports from virtual switch pool.

    Then in each tenant VDOM, the tenant admin can configure and leverage the FortiSwitch ports locally with limited range of operations based on the available CLI operations:

    login: vdom2

    Password: *****

    Welcome !

    $ show switch-controller  managed-switch 

    config switch-controller managed-switch

    edit "S248EPTF1800XXXX"

    set type virtual

    set owner-vdom "root"

    config ports

    edit "port1"

    set poe-capable 1

    set vlan "tenant-vlan1"

    next

    edit "port6"

    set poe-capable 1

    set vlan "tenant-vlan1"

    next

    $ conf switch-controller managed-switch 

    (managed-switch) $ edit S248EPTF1800XXXX 

    (S248EPTF1800XXXX) $ config ports 

    (ports) $ edit port1 

    (port1) $ set 

    port-owner Switch port name.

    speed Switch port speed; default and available settings depend on hardware.

    status Switch port admin status: up or down.

    poe-status Enable/disable PoE status.

    poe-pre-standard-detection Enable/disable PoE pre-standard detection. --> expanded to tenant VDOM in FortiOS 6.2

    poe-capable PoE capable.

    vlan Assign switch ports to a VLAN.

    allowed-vlans Configure switch port tagged vlans

    untagged-vlans Configure switch port untagged vlans

    type Interface type: physical or trunk port.

    qos-policy Switch controller QoS policy from available options. --> expanded to tenant VDOM in FortiOS 6.2

    storm-control-policy     Switch controller storm control policy from available options.

    port-security-policy      Switch controller authentication policy to apply to this managed switch from available options.--> expanded to tenant VDOM in FortiOS 6.2

    learning-limit Limit the number of dynamic MAC addresses on this Port (1 - 128, 0 = no limit, default).--> expanded to tenant VDOM in FortiOS 6.2

    (ports) # edit trunk1

    (trunk) # set type trunk --> expanded to tenant VDOM in FortiOS 6.2

    $ exe switch-controller virtual-port-pool request S248EPTF1800XXXX port8

    $ exe switch-controller virtual-port-pool show

Virtual Switch Extensions

The Virtual Switch concept was introduced in previous releases. It provides a container for physical ports to be loaned out to other VDOMs, which allows local management of the resource. In the original feature, only a minimum of switch capability was introduced, such as VLAN, allowed-vlan, status, speed, poe-status, and poe-reset.

This extends some of the port capabilities including:

  • poe-pre-standard-detection
  • learning-limit
  • qos-policy
  • port-security-policy
  • trunk ports (with some limitations)

Example

The following example shows how to export managed FortiSwitch ports to multi-tenant VDOMs. Some of the capabilities are available in previous releases of FortiOS, and the 6.2.0 release expands the functionality.

To export managed FortiSwitch ports to multi-tenant VDOMs:
  1. Configure switch VLAN interfaces, and assign them to the tenant VDOM:

    In this example, the owner VDOM is root, and the tenant VDOM is vdom2.

    (root) #  config system interface

    edit "tenant-vlan1"

    set vdom "vdom2"

    set device-identification enable

    set fortiheart beat enable

    set role lan

    set snmp-index 34

    set interface "aggr1"

    set vlanid 101

    next

    end

  2. In the tenant VDOM, designate default-virtual-switch-vlan, which is used to set the native VLAN of ports leased from the owner VDOM:

    (vdom2) # config switch-controller global

    set default-virtual-switch-vlan "tenant-vlan1"

    end

  3. Owner vdom admin can export managed fsw ports to tenant vdom, as below

      (root) # conf switch-controller  managed-switch 

    (managed-switch) # edit S248EPTF1800XXXX 

    (S248EPTF1800XXXX) # conf ports 

    (ports) # edit port1

    (port1) # set export-to ?

    <string>  string    please input string value

    root    vdom

    vdom1   vdom

    vdom2   vdom

    vdom3   vdom

    (port1) # set export-to vdom2

    (port1) # end

    Alternatively, the admin of the owner VDOM can export managed FortiSwitch ports to shared virtual-switch pools for the tenant VDOM to pick, for example:

     (root) # config switch-controller virtual-port-pool

    edit "pool1"

    next

    end

    (root) # conf switch-controller  managed-switch 

    (managed-switch) # edit S248EPTF18001384 

    (S248EPTF18001384) # conf ports 

    (ports) # edit port8

    (port8) # set export-to-pool pool1 

    (port8) # next 

    (ports) # edit port9

    (port9) # set export-to-pool pool1 

    (port9) # end

  4. The admin of the tenant VDOM logs in, and configures the ports of the leased managed FortiSwitch, or the admin continues to lease/release ports from virtual switch pool.

    Then in each tenant VDOM, the tenant admin can configure and leverage the FortiSwitch ports locally with limited range of operations based on the available CLI operations:

    login: vdom2

    Password: *****

    Welcome !

    $ show switch-controller  managed-switch 

    config switch-controller managed-switch

    edit "S248EPTF1800XXXX"

    set type virtual

    set owner-vdom "root"

    config ports

    edit "port1"

    set poe-capable 1

    set vlan "tenant-vlan1"

    next

    edit "port6"

    set poe-capable 1

    set vlan "tenant-vlan1"

    next

    $ conf switch-controller managed-switch 

    (managed-switch) $ edit S248EPTF1800XXXX 

    (S248EPTF1800XXXX) $ config ports 

    (ports) $ edit port1 

    (port1) $ set 

    port-owner Switch port name.

    speed Switch port speed; default and available settings depend on hardware.

    status Switch port admin status: up or down.

    poe-status Enable/disable PoE status.

    poe-pre-standard-detection Enable/disable PoE pre-standard detection. --> expanded to tenant VDOM in FortiOS 6.2

    poe-capable PoE capable.

    vlan Assign switch ports to a VLAN.

    allowed-vlans Configure switch port tagged vlans

    untagged-vlans Configure switch port untagged vlans

    type Interface type: physical or trunk port.

    qos-policy Switch controller QoS policy from available options. --> expanded to tenant VDOM in FortiOS 6.2

    storm-control-policy     Switch controller storm control policy from available options.

    port-security-policy      Switch controller authentication policy to apply to this managed switch from available options.--> expanded to tenant VDOM in FortiOS 6.2

    learning-limit Limit the number of dynamic MAC addresses on this Port (1 - 128, 0 = no limit, default).--> expanded to tenant VDOM in FortiOS 6.2

    (ports) # edit trunk1

    (trunk) # set type trunk --> expanded to tenant VDOM in FortiOS 6.2

    $ exe switch-controller virtual-port-pool request S248EPTF1800XXXX port8

    $ exe switch-controller virtual-port-pool show