Fortinet black logo

New Features

7.4.0
7.4.0
7.2.0
7.0.0
6.4.0
6.2.0

Enhance port-level control for STP and 802.1x authentication 7.4.2

Enhance port-level control for STP and 802.1x authentication 7.4.2

Note

This information is also available in the FortiOS 7.4 Administration Guide:

FortiOS now provides the capability to enable or disable Spanning Tree Protocol (STP) and 802.1x authentication on a per-port basis, granting administrators precise management over what ports necessitate STP and 802.1x.

After ports are added to a virtual switch with STP enabled, a new option is available to enable or disable STP for each member port:

config system interface
    edit <port>
        set stp-edge {enable | disable}
    next
end

set stp-edge {enable | disable}

The stp-edge option is visible when <port> is a member of config system switch-interface with a corresponding config system interface entry that has set stp enable.

Specify whether the port supports STP:

  • enable: Enable as an STP edge port. The port does not send any STP BPDUs and ignores any STP BPDUs sent to it.

  • disable: Disable as an STP edge port. The port can send and receive STP.

After ports are added to a virtual switch with 802.1x authentication enabled, a new option is available to enable or disable 802.1x authentication for each member port:

config system interface
    edit <port>
        set security-8021x-member-mode {enable | disable}
    next
end

set security-8021x-member-mode {enable | disable}

The security-8021x-member-mode option is visible when <port> is a member of config system switch-interface with a corresponding config system interface entry that has set security-mode 802.1X.

Specify whether the port uses 802.1x authentication:

  • enable: Enable 802.1x authentication for the port.

  • disable: Disable 802.1x authentication for the port.

Example 1

In this example, FortiGate is connected to two switches, and a virtual switch named hw1 is configured with two port members: port3 and port5. STP is enabled for port3 and disabled for port5. Any STP sent to port5 is silently ignored. Port3 remains enabled for STP.

To configure STP for individual ports:

  1. Configure a virtual switch to use port3 and port5:

    config system virtual-switch
    edit "hw1"
        set physical-switch "sw0"
        config port
            edit "port3"
            next
            edit "port5"
            next
        end
    next
end

  2. Enable STP for the virtual switch:

    config system interface
    edit "hw1"
        set vdom "vdom1"
        set ip 6.6.6.1 255.255.255.0
        set allowaccess ping https ssh
        set type hard-switch
        set stp enable                                  
        set device-identification enable
        set lldp-transmission enable
        set role lan
        set snmp-index 55
        set ip-managed-by-fortiipam disable
    next
end

  3. Disable STP on port5 by enabling it as an STP edge port:

    config system interface
    edit "port5"
        set vdom "vdom1"
        set type physical
        set stp-edge enable
        set snmp-index 9
    next
end

    Port5 is enabled as an edge port with STP disabled. Port3 remains enabled for STP.

Example 2

In this example, FortiGate is connected to two switches, and a virtual switch named hw1 is configured with two port members: port3 and port5. 802.1x authentication is enabled for port3 and disabled for port5.

To configure 802.1x authentication for individual ports:

  1. Configure a virtual switch to use port3 and port5: 

    config system virtual-switch
    edit "hw1"
        set physical-switch "sw0"
        config port
            edit "port3"
            next
            edit "port5"
            next
        end
    next
end

  2. Enable 802.1x authentication for the virtual switch:

    config system interface
   edit "hw1"
        set vdom "vdom1"
        set ip 6.6.6.1 255.255.255.0
        set allowaccess ping https ssh
        set type hard-switch
        set security-mode 802.1X
        set security-groups "group_radius"
        set device-identification enable
        set lldp-transmission enable
        set role lan
        set snmp-index 55
        set ip-managed-by-fortiipam disable
    next
end

  3. Disable 802.1x authentication on port5:

    config system interface
    edit "port5"
        set vdom "vdom1"
        set type physical
        set security-8021x-member-mode disable
        set snmp-index 9
    next
end

    802.1x authentication is disabled on port5 and remains enabled on port3.

Previous
Next

Enhance port-level control for STP and 802.1x authentication 7.4.2

Note

This information is also available in the FortiOS 7.4 Administration Guide:

FortiOS now provides the capability to enable or disable Spanning Tree Protocol (STP) and 802.1x authentication on a per-port basis, granting administrators precise management over what ports necessitate STP and 802.1x.

After ports are added to a virtual switch with STP enabled, a new option is available to enable or disable STP for each member port:

config system interface
    edit <port>
        set stp-edge {enable | disable}
    next
end

set stp-edge {enable | disable}

The stp-edge option is visible when <port> is a member of config system switch-interface with a corresponding config system interface entry that has set stp enable.

Specify whether the port supports STP:

  • enable: Enable as an STP edge port. The port does not send any STP BPDUs and ignores any STP BPDUs sent to it.

  • disable: Disable as an STP edge port. The port can send and receive STP.

After ports are added to a virtual switch with 802.1x authentication enabled, a new option is available to enable or disable 802.1x authentication for each member port:

config system interface
    edit <port>
        set security-8021x-member-mode {enable | disable}
    next
end

set security-8021x-member-mode {enable | disable}

The security-8021x-member-mode option is visible when <port> is a member of config system switch-interface with a corresponding config system interface entry that has set security-mode 802.1X.

Specify whether the port uses 802.1x authentication:

  • enable: Enable 802.1x authentication for the port.

  • disable: Disable 802.1x authentication for the port.

Example 1

In this example, FortiGate is connected to two switches, and a virtual switch named hw1 is configured with two port members: port3 and port5. STP is enabled for port3 and disabled for port5. Any STP sent to port5 is silently ignored. Port3 remains enabled for STP.

To configure STP for individual ports:

  1. Configure a virtual switch to use port3 and port5:

    config system virtual-switch
    edit "hw1"
        set physical-switch "sw0"
        config port
            edit "port3"
            next
            edit "port5"
            next
        end
    next
end

  2. Enable STP for the virtual switch:

    config system interface
    edit "hw1"
        set vdom "vdom1"
        set ip 6.6.6.1 255.255.255.0
        set allowaccess ping https ssh
        set type hard-switch
        set stp enable                                  
        set device-identification enable
        set lldp-transmission enable
        set role lan
        set snmp-index 55
        set ip-managed-by-fortiipam disable
    next
end

  3. Disable STP on port5 by enabling it as an STP edge port:

    config system interface
    edit "port5"
        set vdom "vdom1"
        set type physical
        set stp-edge enable
        set snmp-index 9
    next
end

    Port5 is enabled as an edge port with STP disabled. Port3 remains enabled for STP.

Example 2

In this example, FortiGate is connected to two switches, and a virtual switch named hw1 is configured with two port members: port3 and port5. 802.1x authentication is enabled for port3 and disabled for port5.

To configure 802.1x authentication for individual ports:

  1. Configure a virtual switch to use port3 and port5: 

    config system virtual-switch
    edit "hw1"
        set physical-switch "sw0"
        config port
            edit "port3"
            next
            edit "port5"
            next
        end
    next
end

  2. Enable 802.1x authentication for the virtual switch:

    config system interface
   edit "hw1"
        set vdom "vdom1"
        set ip 6.6.6.1 255.255.255.0
        set allowaccess ping https ssh
        set type hard-switch
        set security-mode 802.1X
        set security-groups "group_radius"
        set device-identification enable
        set lldp-transmission enable
        set role lan
        set snmp-index 55
        set ip-managed-by-fortiipam disable
    next
end

  3. Disable 802.1x authentication on port5:

    config system interface
    edit "port5"
        set vdom "vdom1"
        set type physical
        set security-8021x-member-mode disable
        set snmp-index 9
    next
end

    802.1x authentication is disabled on port5 and remains enabled on port3.

Previous
Next