Enhance port-level control for STP and 802.1x authentication 7.4.2
|
This information is also available in the FortiOS 7.4 Administration Guide: |
FortiOS now provides the capability to enable or disable Spanning Tree Protocol (STP) and 802.1x authentication on a per-port basis, granting administrators precise management over what ports necessitate STP and 802.1x.
After ports are added to a virtual switch with STP enabled, a new option is available to enable or disable STP for each member port:
config system interface
edit <port>
set stp-edge {enable | disable}
next
end
|
set stp-edge {enable | disable} |
The Specify whether the port supports STP:
|
After ports are added to a virtual switch with 802.1x authentication enabled, a new option is available to enable or disable 802.1x authentication for each member port:
config system interface
edit <port>
set security-8021x-member-mode {enable | disable}
next
end
|
set security-8021x-member-mode {enable | disable} |
The Specify whether the port uses 802.1x authentication:
|
Example 1
In this example, FortiGate is connected to two switches, and a virtual switch named hw1 is configured with two port members: port3 and port5. STP is enabled for port3 and disabled for port5. Any STP sent to port5 is silently ignored. Port3 remains enabled for STP.
To configure STP for individual ports:
-
Configure a virtual switch to use port3 and port5:
config system virtual-switch edit "hw1" set physical-switch "sw0" config port edit "port3" next edit "port5" next end next end -
Enable STP for the virtual switch:
config system interface edit "hw1" set vdom "vdom1" set ip 6.6.6.1 255.255.255.0 set allowaccess ping https ssh set type hard-switch set stp enable set device-identification enable set lldp-transmission enable set role lan set snmp-index 55 set ip-managed-by-fortiipam disable next end -
Disable STP on port5 by enabling it as an STP edge port:
config system interface edit "port5" set vdom "vdom1" set type physical set stp-edge enable set snmp-index 9 next endPort5 is enabled as an edge port with STP disabled. Port3 remains enabled for STP.
Example 2
In this example, FortiGate is connected to two switches, and a virtual switch named hw1 is configured with two port members: port3 and port5. 802.1x authentication is enabled for port3 and disabled for port5.
To configure 802.1x authentication for individual ports:
-
Configure a virtual switch to use port3 and port5:
config system virtual-switch edit "hw1" set physical-switch "sw0" config port edit "port3" next edit "port5" next end next end -
Enable 802.1x authentication for the virtual switch:
config system interface edit "hw1" set vdom "vdom1" set ip 6.6.6.1 255.255.255.0 set allowaccess ping https ssh set type hard-switch set security-mode 802.1X set security-groups "group_radius" set device-identification enable set lldp-transmission enable set role lan set snmp-index 55 set ip-managed-by-fortiipam disable next end -
Disable 802.1x authentication on port5:
config system interface edit "port5" set vdom "vdom1" set type physical set security-8021x-member-mode disable set snmp-index 9 next end802.1x authentication is disabled on port5 and remains enabled on port3.