Connectivity Fault Management

Some FortiGate hardware models support Connectivity Fault Management (CFM) technology. With CFM, administrators can easily diagnose and resolve issues in Ethernet networks. CFM provides tools for monitoring, testing, and verifying the connectivity and performance of network segments.

The following platforms support CFM:

FortiGate	FG-40F, FG-40F-3G4G, FG-60F, FG-61E, FG-61F, FG-81F, FG-90E-POE, FG-100F, FG-101F, FG-200E, FG-1100E
FortiWiFi	FWF-40F, FWF-60F, FWF-61F

Use the config ethernet-oam cfm command to configure the CFM protocol.

config ethernet-oam cfm
    edit <domain-id>
        set domain-name <string>
        set domain-level <integer>
        config service
            edit <service-id>
                set service-name <string>
                set interface "<string>"
                set mepid <integer>
                set message-interval <integer>
                set cos <integer>
                set sender-id Hostname {none | Hostname}
            next
        end
    next
end

<domain-id>	Specify the domain ID for the Ethernet layer operation, administration, and management (OAM) protocol. A unique domain ID is used to communicate with other peers under the same domain ID and domain level.
domain-level <integer>	Specify the OAM maintenance level (0 to 7, with 0 being the smallest and 7 being the largest). A unique domain level is used to communicate with other devices under the same domain ID and domain level.
domain-name <string>	Specify the OAM domain name or maintenance domain identifier (MDID). Other peer devices recognize the domain name. All devices in the same domain with the same service level can communicate with each other.

A domain can provide multiple services. Each service uses a special service ID. The following items describe a service:

<service-id>	Specify the ID for the service.
service-name <string>	Specify the name of the service.
interface <string>	Specify the name of the VLAN interface where the service is enabled. The service is associated with a particular VLAN network port and can't be accessed by other network ports.
mepid <integer>	Specify the unique ID of the maintenance association endpoints (MEP) (1 - 8191). The service is associated with a unique MEP ID and can't respond to other service requests of a different MEP ID.
message interval <integer>	Specify the continuity-check message frequency interval in milliseconds. Determines how long to send a continuity-check message to determine whether the service is alive.
cos <integer>	Specify the class of service (COS) bit for continuity-check messages (0 to 7). CoS is an optional, special bit in the packet of continuity-check messages.
sender-id {none | hostname}	Specify the type, length, value (TLV) sender ID: none: indicates no sender ID. hostname: uses the Fortinet production name of the device as the sender ID, for example, FortiGate-80F. The sender ID is an optional column that includes a hostname in the packet of continuity-check messages.

The following diagnose commands can be used with this feature:

diagnose ethernet-oam cfmpeer	Locate peers configured with config ethernet-oam cfm that are using the CFM Continuity Check Protocol (CCP) protocol to connect to the CCP daemon (CCD).
diagnose debug application cfmd {enable | disable}	Enable or disable debugging messages of the CFM protocol. enable: enable debugging messages for the CFM protocol. Messages appear on the console. disable: disable debugging messages.

The following execute commands can be used with this feature:

execute ethernet ping	Check if an interface has a peer with mac address and level available under CFM support.
execute ethernet traceroute	Check the Ethernet traceroute with the peer FortiGate. The traceroute is instructed to achieve a peer through an interface with mac_address and level available under CFM support.

Example

In this example, an interface (vlan101) connects FortiGate 81F to FortiGate 101F. CFM is configured for the interface (vlan101) on the FortiGate 81F. All steps are performed on the FortiGate 101F.

Because this feature is based on IEEE 802.1Q, an IP address is not needed to connect the interface.

To configure and use CFM :

1. Configure CFM for the interface named vlan101:

   config ethernet-oam cfm
       edit 1
           set domain-name cfm-test
           set domain-level 1
           config service
               edit 1
                   set service-name vlan-101
                   set interface "vlan101"
                   set mepid 101
                   set message-interval 10000
                   set cos 7
                   set sender-id Hostname
               next
           end
       next
   end

2. On the FortiGate 101F, show the peers connecting to the device:

   # diagnose ethernet-oam cfmpeer
   wait for the responses from CCD daemons ...
   
   ========                MEPs (pid 11251)               ========
   ======== domain_name: cfm-test service_name: vlan-101 mepid: 101 ========
   1  MAC = e0:23:ff:9b:07:0a, state = UP, mdlevel = 1, domain_name = cfm-test, service_name = vlan-101, mepid = 81, TLV_port_status = PsUP, TLV_interface_status = isUp
   ========                     END                    ========

3. On FortiGate 101F, check whether the interface has a peer under CFM support:

   # execute ethernet ping vlan101 1 5 e0:23:ff:9b:07:0a
   Sending CFM LBM to e0:23:ff:9b:07:0a
   64 bytes from e0:23:ff:9b:07:0a, sequence 422603820, 1 ms
   64 bytes from e0:23:ff:9b:07:0a, sequence 422603821, 1 ms
   64 bytes from e0:23:ff:9b:07:0a, sequence 422603822, 1 ms
   64 bytes from e0:23:ff:9b:07:0a, sequence 422603823, 1 ms
   64 bytes from e0:23:ff:9b:07:0a, sequence 422603824, 1 ms

4. Execute the Ethernet traceroute:

   # execute ethernet traceroute vlan101 1 e0:23:ff:9b:07:0a
   Sending CFM LTM probe to e0:23:ff:9b:07:0a
   ethtrace_main: flags = 0, usefdbonly = 0
   ttl 1: LTM with id 984984516
   cfm_matchltr - 384
   cfm_matchltr - 404
           reply from e0:23:ff:9b:07:0a, id=984984516, ttl=0, RlyHit