Introduction
This guide provides information about configuring a FortiSwitch unit in standalone mode. In standalone mode, you manage the FortiSwitch unit by connecting directly to the unit, either using the web-based manager (also known as the GUI) or the CLI.
If you will be managing your FortiSwitch unit using a FortiGate unit, refer to the following guide: FortiSwitch Managed by FortiOS 6.4.
This chapter covers the following topics:
- Supported models
- Whatʼs new in FortiSwitchOS 6.4.2
- Feature matrix: FortiSwitchOS 6.4.2
- Before you begin
- How this guide is organized
Supported models
This guide is for all FortiSwitch models that are supported by FortiSwitchOS, which includes all of the D-series and E-series models.
Whatʼs new in FortiSwitchOS 6.4.2
Release 6.4.2 provides the following new features:
- When the DHCP server cannot find an IP pool using the primary IP address, the DHCP server will now check for IP pools using the secondary IP addresses.
- You can now configure a DHCP server by going to System > DHCP.
- You can now view the details of the IPv4 and IPv6 DHCP-snooping server databases by going to Switch > Monitor > DHCP Snooping > Servers.
- You can now view the details of the IPv4 and IPv6 DHCP-snooping client databases by going to Switch > Monitor > DHCP Snooping > Clients.
- Information-request packets are now supported in DHCP snooping (with both IPv4 and IPv6 addresses).
- The
set dhcp-snoop-mode {tracking | blocking}command was removed from under theconfig system globalcommand. - Energy-efficient Ethernet settings are now displayed on the LLDP Neighbors page.
- You can now specify in the GUI whether the energy-efficient Ethernet (EEE) status of a port is sent using LLDP-MED.
- BFD is now disabled by default on the Edit OSPF Interface page.
- Use the new
diagnose debug crashlog readcommand to display the crash log on the console in a readable format. - Use the new
diagnose ip router fwd l3-enable-ip-tracing6 <IPv6_address>command to enable IPv6 host tracing. - The 802.1x-authenticated user name is now reported in the FortiGate traffic log.
- You can now configure a VLAN for users to be assigned to when the authentication server is unavailable. This feature is available with 802.1x port-based authentication and 802.1x MAC-based authentication. It is compatible with MAC authentication bypass (MAB).
config switch interface
edit <interface_name>
config port-security
set port-security-mode {802.1X | 802.1X-mac-based}
set authserver-timeout-period <3-15 seconds>
set authserver-timeout-vlan {enable | disable}
set authserver-timeout-vlanid <1-4094>
end
set security-groups <security-group-name>
next
end
- You can now configure a link monitor to test if the RADIUS server is available:
config user radius
edit <RADIUS_user_name>
set link-monitor {enable | disable}
set link-monitor-interval <5-120 seconds>
next
end
- The link monitor is now supported on the FS-108E, FS-124E, FS-108E-POE, FS-108E-FPOE, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models.
- You can now check static and dynamic entries in the IP source guard database by going to Switch > Monitor > IP Source Guard.
- A new column on the Physical Port Interfaces page shows which interfaces have IP source guard enabled.
- You can use the new Reset button to reset BPDU guard (Switch > Monitor > BPDU Guard).
- You can now configure flow export by going to System > Flow Export.
- Bidirectional forwarding detection (BFD) is now supported by OSPF routing for IPv6.
- There are additional authentication protocols and encryption protocols available for SNMP in the GUI and CLI:
- HMAC-SHA-224 authentication protocol
- HMAC-SHA-256 authentication protocol
- HMAC-SHA-384 authentication protocol
- HMAC-SHA-512 authentication protocol
- CFB128-AES-192 symmetric encryption protocol
- CFB128-AES-192-C symmetric encryption protocol (required for certain clients)
- CFB128-AES-256 symmetric encryption protocol
- CFB128-AES-256-C symmetric encryption protocol (required for certain clients)
- You can now specify the quality of service (QoS) priority for mirrored packets on the FortiSwitch unit doing the mirroring.
- A new Valid column on the Local Certificates page, Remote Certificates page, and Certificate Authorities page indicates whether the certificate has expired. The Valid column replaces the Status column.
- All users who have write permission in the Admin Users category can now upgrade FortiSwitch firmware images using the GUI and REST API.
- Users with read and write permissions can now use the execute and monitor REST API endpoints.
- A new REST API endpoint uses a Fortinet certificate to sign user-specified data (
/api/v2/execute/sign/data). - Two new REST API endpoints retrieve the details of the IPv6 DHCP-snooping client database and IPv6 DHCP-snooping server database:
/api/v2/monitor/switch/dhcp-snooping-client6-db/api/v2/monitor/switch/dhcp-snooping-server6-db
Refer to Feature matrix: FortiSwitchOS 6.4.2 for details about the features supported on each FortiSwitch model.
Feature matrix: FortiSwitchOS 6.4.2
The following table lists the FortiSwitch features in Release 6.4.2 that are supported on each series of FortiSwitch models. All features are available in Release 6.4.2, unless otherwise stated.
|
Feature |
GUI supported |
112D-POE |
FSR-124D |
1xxE |
4xxE |
200 Series, 400 Series |
500 Series |
1024D, 1048D, 1048E |
3032D, 3032E |
|---|---|---|---|---|---|---|---|---|---|
|
Management and Configuration |
|||||||||
|
CPLD software upgrade support for OS |
— |
— |
— |
— |
— |
— |
— |
1024D, 1048D |
— |
|
Firmware image rotation (dual-firmware image support) |
— |
✓ |
✓ |
148E, 148E-POE |
✓ |
✓ |
✓ |
✓ |
✓ |
|
HTTP REST APIs for configuration and monitoring |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|
Support for switch SNMP OID |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|
IP conflict detection and notification |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|
FortiSwitch Cloud configuration |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|
Auto topology |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|
Security and Visibility |
|||||||||
|
802.1x port mode |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|
802.1x MAC-based security mode |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|
User-based (802.1x) VLAN assignment |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|
802.1x enhancements, including MAB |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|
MAB reauthentication disabled |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|
open-auth mode |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|
Support of the RADIUS accounting server |
Partial |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|
Support of RADIUS CoA and disconnect messages |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|
EAP Pass-Through |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|
Network device detection |
— |
— |
✓ |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
|
IP-MAC binding |
✓ |
— |
— |
— |
— |
— |
✓ |
✓ |
✓ |
|
sFlow |
✓ |
✓ |
✓ |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
|
Flow export |
✓ |
— |
✓ |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
|
ACL |
— |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|
Multistage ACL |
— |
— |
— |
— |
— |
— |
✓ |
✓ |
✓ |
|
Multiple ingress ACLs |
— |
— |
✓ |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
|
Schedule for ACLs |
— |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|
DHCP snooping |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|
DHCPv6 snooping |
✓ |
— |
— |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
|
Allowed DHCP server list |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|
IP source guard |
✓ |
— |
✓ |
— |
✓ |
✓ |
— |
— |
— |
|
Dynamic ARP inspection |
✓ |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|
ARP timeout value |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|
Access VLANs |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|
RMON group 1 |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|
Reliable syslog (RFC 6587) |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|
Packet capture |
— |
— |
✓ |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
|
Layer 2 |
|||||||||
|
Link aggregation group size (maximum number of ports) (See Note 2.) |
✓ |
8 |
8 |
8 |
8 |
8 |
24/48 |
24/48 |
24, 64 |
|
LAG min-max-bundle |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|
IPv6 RA guard |
— |
— |
— |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
|
IGMP snooping |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|
IGMP proxy |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|
IGMP querier |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|
LLDP-MED |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|
LLDP-MED: ELIN support |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|
Per-port max for learned MACs |
— |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
— |
— |
|
MAC learning limit (See Note 4.) |
— |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
— |
— |
|
Learning limit violation log (See Note 4.) |
— |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
— |
— |
|
set mac-violation-timer |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|
Sticky MAC |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|
Total MAC entries |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|
MSTP instances |
— |
0-15 |
0-15 |
0-15 |
0-15 |
0-15 |
0-32 |
0-32 |
0-32 |
|
STP root guard |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|
STP BPDU guard |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|
Rapid PVST interoperation |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|
'forced-untagged' or 'force-tagged' setting on switch interfaces |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|
Private VLANs |
✓ |
— |
✓ |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
|
Multi-stage load balancing |
— |
— |
— |
— |
— |
— |
— |
✓ |
✓ |
|
Priority-based flow control |
— |
— |
— |
— |
— |
— |
✓ |
✓ |
✓ |
|
Ingress pause metering |
— |
— |
— |
— |
✓ |
✓ |
✓ |
✓ |
3032D |
|
Storm control |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|
Per-port storm control |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|
MAC/IP/protocol-based VLAN assignment |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|
Virtual wire |
✓ |
— |
✓ |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
|
Loop guard |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|
Percentage rate control |
✓ |
— |
✓ |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
|
VLAN stacking (QinQ) |
— |
— |
✓ |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
|
VLAN mapping |
— |
— |
✓ |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
|
SPAN |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|
RSPAN and ERSPAN |
✓ |
RSPAN |
✓ |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
|
Flow control |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|
Layer 3 |
|||||||||
|
Link monitor |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|
Static routing (v4|v6) |
✓ |
— |
✓ |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
|
Hardware routing offload (v4|v6) |
✓ |
— |
✓ |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
|
Software routing only |
✓ |
✓ |
— |
✓ |
— |
— |
— |
— |
— |
|
OSPF (v4|v6) (See Note 3.) |
✓ |
— |
— |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
|
RIP (See Note 3.) |
✓ |
— |
— |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
|
VRRP (v4|v6) (See Note 3.) |
✓ |
— |
— |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
|
BGP (See Note 3.) |
— |
— |
— |
— |
— |
— |
✓ |
✓ |
✓ |
|
IS-IS (See Note 3.) |
— |
— |
— |
— |
— |
— |
✓ |
✓ |
✓ |
|
PIM (See Note 3.) |
— |
— |
— |
— |
— |
— |
✓ |
✓ |
✓ |
|
Hardware-based ECMP |
— |
— |
— |
— |
— |
— |
✓ |
✓ |
✓ |
|
Static BFD |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|
uRPF |
— |
— |
— |
— |
— |
— |
✓ |
✓ |
✓ |
|
DHCP relay feature |
✓ |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|
DHCP server |
✓ |
— |
— |
— |
✓ |
4xx only |
✓ |
✓ |
✓ |
|
High Availability |
|||||||||
|
MCLAG (multichassis link aggregation) |
Partial |
— |
— |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
|
STP supported in MCLAGs |
— |
— |
— |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
|
IGMP snooping support in MCLAG |
✓ |
— |
— |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
|
Quality of Service |
|||||||||
|
802.1p support, including priority queuing trunk and WRED |
✓ |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|
QoS queue counters |
— |
— |
✓ |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
|
QoS marking |
— |
— |
✓ |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
|
Summary of configured queue mappings |
✓ |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|
Egress priority tagging |
— |
— |
✓ |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
|
ECN |
— |
— |
— |
— |
✓ |
— |
✓ |
✓ |
✓ |
|
Miscellaneous |
|||||||||
|
PoE-pre-standard detection (See Note 1.) |
— |
✓ |
✓ |
FS-1xxE POE |
✓ |
✓ |
✓ |
— |
— |
|
PoE modes support: first come, first served or priority based (PoE models) |
— |
✓ |
✓ |
FS-1xxE POE |
✓ |
✓ |
✓ |
— |
— |
|
Control of temperature alerts |
— |
✓ |
✓ |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
|
Split port (See Note 6.) |
Partial |
— |
— |
— |
— |
— |
✓ |
1048E |
✓ |
|
TDR (time-domain reflectometer)/cable diagnostics support |
✓ |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
— |
— |
|
Auto module max speed detection and notification |
✓ |
— |
— |
— |
— |
— |
✓ |
✓ |
— |
|
Monitor system temperature (threshold configuration and SNMP trap support) |
— |
✓ |
✓ |
FS-124E-POE, FS-124E-FPOE, FS-148E, FS-148E-POE |
✓ |
✓ |
✓ |
✓ |
✓ |
|
Cut-through switching |
— |
— |
— |
— |
— |
— |
— |
✓ |
✓ |
|
Add CLI to show the details of port statistics |
— |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|
Configuration of the QSFP low-power mode |
— |
— |
— |
— |
— |
— |
✓ |
1048D, 1048E |
✓ |
|
Energy-efficient Ethernet |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
— |
— |
|
PHY Forward Error Correction (see Note 5) |
— |
— |
— |
— |
— |
— |
— |
1048E |
3032E |
|
PTP transparent clock |
— |
— |
— |
— |
✓ |
✓ |
✓ |
1048E |
✓ |
Notes
- PoE features are applicable only to the model numbers with a POE or FPOE suffix.
- 24-port LAG is applicable to 524D, 524-FPOE, 1024D, and 3032D models. 48-port LAG is applicable to 548D, 548-FPOE, and 1048D models.
- To use the dynamic layer-3 protocols, you must have an advanced features license.
- The per-VLAN MAC learning limit and per-trunk MAC learning limit are not supported on the 448D/448D-POE/448D-FPOE/248E-POE/248E-FPOE/248D series.
- Supported only in 100G mode (clause 91).
- On the 3032E, you can split one port at the full base speed, split one port into four sub-ports of 25 Gbps each (100G QSFP only), or split one port into four sub-ports of 10 Gbps each (40G or 100G QSFP).
Before you begin
Before you start administrating your FortiSwitch unit, it is assumed that you have completed the initial configuration of the FortiSwitch unit, as outlined in the QuickStart Guide for your FortiSwitch model and have administrative access to the FortiSwitch unit’s GUI and CLI.
How this guide is organized
This guide is organized into the following chapters:
- Management ports describes how to configure the management ports.
- Configuring administrator tasks describes how to configure the date and time, admin users, and remote authentication servers.
- Configuring SNMP describes how to monitor hardware on your network.
- Global system and switch settings describes the initial configuration of your FortiSwitch unit.
- Physical port settings describes how to configure the physical ports.
- Layer-2 interfaces describes how to configure layer-2 interfaces.
- VLANs and VLAN tagging describes how to configure VLANs and describes the packet flow for VLAN tagged and untagged packets.
- Spanning Tree Protocol describes how to configure MSTP.
- Link aggregation groups describes how to configure link aggregation groups.
- MCLAG describes how to configure MCLAG.
- Multi-stage load balance describes how to configure multi-stage load balancing on a set of FortiGate units.
- LLDP-MED describes how to configure LLDP-MED settings.
- MAC/IP/protocol-based VLANs describes how to configure MAC/IP/protocol-based VLANs.
- Mirroring describes how to configure port mirroring.
- Access control lists describes how to configure ACLs.
- Storm control describes how to configure storm control.
- DHCP snooping describes how to configure DHCP snooping.
- IP source guard describes how to configure IP source guard.
- Dynamic ARP inspection describes how to configure dynamic ARP inspection.
- IGMP snooping describes how to configure IGMP snooping.
- Private VLANs describes how to create and manage private virtual local area networks (VLANs).
- Quality of service describes how to configure QoS.
- sFlow describes how to configure sFlow.
- Feature licensing describes feature licenses.
- Layer-3 interfaces describes how to configure routed ports, routed VLAN interfaces, switch virtual interfaces, and related features.
- DHCP server and relay describes how to configure DHCP servers and relays.
- OSPF routing describes how to configure OSPF routing.
- RIP routing describes how to configure RIP routing.
- VRRP describes how to configure VRRP.
- BGP routing describes how to configure BGP routing.
- PIM routing describes how to configure PIM routing.
- IS-IS routing describes how to configure IS-IS routing.
- Users and user groups describes how to configure users and user groups.
- 802.1x authentication describes how to configure 802.1x authentication (to RADIUS servers).
- TACACS describes how to configure TACACS authentication.
- Troubleshooting and support describes ways to gather more details and to solve problems.
- Deployment scenario describes an example configuration.
- Appendix: FortiSwitch-supported RFCs lists RFCs that are supported by FortiSwitchOS.