Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

FortiSwitch port features

You can configure the FortiSwitch port feature settings from the FortiGate using the FortiSwitch CLI or web administration GUI.

FortiSwitch ports display

The WiFi & Switch Controller > FortiSwitch Ports page displays port information about each of the managed switches.

The following figure shows the display for a FortiSwitch 248E-FPOE:

Select Faceplates to get the following information:

  • active ports (green)
  • PoE-enabled ports (blue rectangle)
  • FortiLink port (link icon)

If you device has PoE, the Faceplates page displays the total power budget and the actual power currently allocated.

The allocated power displays a blue bar for the used power (currently being consumed) and a green bar for the reserved power (power available for additional devices on the POE ports).

Each entry in the port list displays the following information:

  • Port status (red for down, green for up)
  • Port name
  • If the port is a member of a trunk
  • Access mode
  • Enabled features
  • Native VLAN
  • Allowed VLANs
  • PoE status
  • Device information
  • DHCP snooping status
  • Transceiver information

Configuring ports using the GUI

You can use the WiFi & Switch Controller > FortiSwitch Ports page to do the following with FortiSwitch switch ports:

  • Set the native VLAN and add more VLANs
  • Edit the description of the port
  • Enable or disable the port
  • Set the access mode to network access control (NAC) or normal
  • Enable or disable PoE for the port
  • Enable or disable DHCP snooping (if supported by the port)
  • Enable or disable whether a port is an edge port
  • Enable or disable STP (if supported by the port)
  • Enable or disable loop guard (if supported by the port)
  • Enable or disable STP BPDU guard (if supported by the port)
  • Enable or disable STP root guard (if supported by the port)

Resetting PoE-enabled ports

If you need to reset PoE-enabled ports, go to WiFi & Switch Control > FortiSwitch Ports, right-click on one or more PoE-enabled ports and select Reset PoE from the context menu.

You can also go to WiFi & Switch Control > Managed FortiSwitch and click on a port icon for the FortiSwitch of interest. In the FortiSwitch Ports page, right-click on one or more PoE-enabled ports and select Reset PoE from the context menu.

Configuring ports using the FortiGate CLI

You can configure the following FortiSwitch port settings using the FortiGate CLI:

Configuring port speed and status

Use the following commands to set port speed and other base port settings:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config ports

edit <port_name>

set description <text>

set speed <speed>

set status {down | up}

end

end

For example:

config switch-controller managed-switch

edit S524DF4K15000024

config ports

edit port1

set description "First port"

set speed auto

set status up

end

end

Sharing FortiSwitch ports between VDOMs

Virtual domains (VDOMs) are a method of dividing a FortiGate unit into two or more virtual units that function as multiple independent units. VDOMs provide separate security domains that allow separate zones, user authentication, security policies, routing, and VPN configurations.

FortiSwitch ports can now be shared between VDOMs.

Starting in FortiOS 6.2.0, the following features are supported on FortiSwitch ports shared between VDOMs:

  • POE pre-standard detection (on a per-port basis if the FortiSwitch model supports this feature)
  • Learning limit for dynamic MAC addresses on ports, trunks, and VLANs (if the FortiSwitch unit supports this feature)
  • QoS egress CoS queue policy (if the FortiSwitch unit supports this feature)
  • Port security policy
The following example shows how to share FortiSwitch ports between VDOMs:
  1. In the tenant VDOM named bbb, create a VLAN interface using the following CLI commands (not supported in the GUI):

     

    FG5H0E3917900081 (bbb) #

    config system interface

    edit "bbb-vlan99"

    set vdom "bbb"

    set allowaccess ping

    set device-identification enable

    set role lan

    set snmp-index 58

    set switch-controller-dhcp-snooping enable

    set interface "flink-lag" // this is the FortiLink interface in the root VDOM

    set vlanid 99

    next

    end

     

    config switch-controller global

    set default-virtual-switch-vlan "bbb-vlan99"

    end

     

  2. Go back to the root VDOM. Pick a switch port to share between VDOMs, port10 in this case.

     

    FG5H0E3917900081 (vdom) # edit root

    current vf=root:0

    FG5H0E3917900081 (root) # config switch-controller managed-switch

    FG5H0E3917900081 (managed-switch) # edit S548DF4K15000276

    FG5H0E3917900081 (S548DF4K15000276) # config ports

    FG5H0E3917900081 (ports) # edit port10

    FG5H0E3917900081 (port10) # set export-to bbb

     

    If you want to use the virtual-pool feature instead:

     

    FG5H0E3917900081 (root) # config switch-controller virtual-port-pool

    edit "bbb-pool"

    set description "bbb-vlan-pool"

    end

     

    FG5H0E3917900081 (root) # config switch-controller managed-switch

    FG5H0E3917900081 (managed-switch) # edit S548DF4K15000276

    FG5H0E3917900081 (S548DF4K15000276) # config port

    FG5H0E3917900081 (ports) # edit port11

    FG5H0E3917900081 (port11) # set export-to-pool bbb-pool

     

  3. Go back to the bbb VDOM to claim port11 because it is in the virtual pool but not directly exported to the VDOM yet. (The administrator might want to pre-assign some ports in the tenant VDOM and let the tenant VDOM administrator claim them before they are used.)

     

    FG5H0E3917900081 (bbb) # execute switch-controller virtual-port-pool request S548DF4K15000276 port11

    FG5H0E3917900081 (bbb) # config switch-controller managed-switch // The switch port is now in the bbb VDOM even though there is no FortiLink interface in the bbb VDOM.

    FG5H0E3917900081 (managed-switch) # show

    config switch-controller managed-switch

    edit "S548DF4K15000276"

    set poe-detection-type 1

    set type virtual

    set owner-vdom "root"

    config ports

    edit "port10"

    set poe-capable 1

    set vlan "bbb-vlan99"

    next

    edit "port11"

    set poe-capable 1

    set vlan "bbb-vlan99"

    next

    end

    next

    end

     

  4. Check your configuration on the root VDOM:

     

    FG5H0E3917900081 (port10) # show

    config ports

    edit "port10"

    set poe-capable 1

    set export-to "bbb"

    next

    end

     

    FG5H0E3917900081 (port11) # show

    config ports

    edit "port11"

    set poe-capable 1

    set export-to-pool "bbb-pool"

    set export-to "bbb"

    next

    end

     

  5. Check your configuration on the tenant VDOM:

     

    FG5H0E3917900081 (ports) # show

    config ports

    edit "port10"

    set poe-capable 1

    set vlan "bbb-vlan99"

    next

    edit "port11"

    set poe-capable 1

    set vlan "bbb-vlan99"

    next

    end

     

You can create your own export tags using the following CLI commands:

config switch-controller switch-interface-tag

edit <tag_name>

end

Use the following CLI command to list the contents of a specific VPP:

execute switch-controller virtual-port-pool show-by-pool <VPP_name>

Use the following CLI command to list all VPPs and their contents:

execute switch-controller virtual-port-pool show

NOTE: Shared ports do not support the following features:

  • LLDP
  • STP
  • BPDU guard
  • Root guard
  • DHCP snooping
  • IGMP snooping
  • MCLAG
  • Quarantines

NOTE: After you export a switch port to a pool, if you need to export the switch port to a different pool, you need to exit/abort and then re-enter into the FortiSwitch CLI port configuration.

Dynamic MAC address learning

You can enable or disable dynamic MAC address learning on a port or VLAN. The existing dynamic MAC entries are flushed when you change this setting. If you disable MAC address learning, you can set the behavior for an incoming packet with an unknown MAC address (to drop or forward the packet).

Limiting the number of learned MAC addresses on a FortiSwitch interface

You can limit the number of MAC addresses learned on a FortiSwitch interface (port or VLAN). The limit ranges from 1 to 128. If the limit is set to the default value zero, there is no learning limit.

NOTE: Static MAC addresses are not counted in the limit. The limit refers only to learned MAC addresses.

Use the following CLI commands to limit MAC address learning on a VLAN:

config switch vlan

edit <integer>

set switch-controller-learning-limit <limit>

end

end

For example:

config switch vlan

edit 100

set switch-controller-learning-limit 20

end

end

Use the following CLI commands to limit MAC address learning on a port:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config ports

edit <port_name>

set learning-limit <limit>

next

end

end

end

For example:

config switch-controller managed-switch

edit S524DF4K15000024

config ports

edit port3

set learning-limit 50

next

end

end

end

Controlling how long learned MAC addresses are saved

You can change how long learned MAC addresses are stored. By default, each learned MAC address is aged out after 300 seconds. After this amount of time, the inactive MAC address is deleted from the FortiSwitch hardware. The value ranges from 10 to 1000,000 seconds. Set the value to 0 to disable MAC address aging.

config switch-controller global

set mac-aging-interval <10 to 1000000>

end

For example:

config switch-controller global

set mac-aging-interval 500

end

If the mac-aging-interval is disabled by being set to 0, you can still control when inactive MAC addresses are removed from the FortiSwitch hardware. By default, inactive MAC addresses are removed after 24 hours. The value ranges from 0 to 168 hours. Set the value to 0 to use the mac-aging-interval setting to control when inactive MAC addresses are deleted.

config switch-controller global

set mac-retention-period <0 to 168>

end

For example:

config switch-controller global

set mac-retention-period 36

end

Logging violations of the MAC address learning limit

If you want to see the first MAC address that exceeded the learning limit for an interface or VLAN, you can enable the learning-limit violation log for a managed FortiSwitch unit. Only one violation is recorded per interface or VLAN.

By default, logging is disabled. The most recent violation that occurred on each interface or VLAN is recorded in the system log. After that, no more violations are logged until the log is reset for the triggered interface or VLAN. Only the most recent 128 violations are displayed in the console.

Use the following commands to control the learning-limit violation log and to control how long learned MAC addresses are save:

config switch-controller global

set mac-violation-timer <0-1500>

set log-mac-limit-violations {enable | disable}

end

For example:

config switch-controller global

set mac-violation-timer 1000

set log-mac-limit-violations enable

end

To view the content of the learning-limit violation log for a managed FortiSwitch unit, use one of the following commands:

  • diagnose switch-controller switch-info mac-limit-violations all <FortiSwitch_serial_number>
  • diagnose switch-controller switch-info mac-limit-violations interface <FortiSwitch_serial_number> <port_name>
  • diagnose switch-controller switch-info mac-limit-violations vlan <FortiSwitch_serial_number> <VLAN_ID>

For example, to set the learning-limit violation log for VLAN 5 on a managed FortiSwitch unit:

diagnose switch-controller switch-info mac-limit-violations vlan S124DP3XS12345678 5

To reset the learning-limit violation log for a managed FortiSwitch unit, use one of the following commands:

  • execute switch-controller mac-limit-violation reset all <FortiSwitch_serial_number>
  • execute switch-controller mac-limit-violation reset vlan <FortiSwitch_serial_number> <VLAN_ID>
  • execute switch-controller mac-limit-violation reset interface <FortiSwitch_serial_number> <port_name>

For example, to clear the learning-limit violation log for port 5 of a managed FortiSwitch unit:

execute switch-controller mac-limit-violation reset interface S124DP3XS12345678 port5

Persistent (sticky) MAC addresses

You can make dynamically learned MAC addresses persistent when the status of a FortiSwitch port changes (goes down or up). By default, MAC addresses are not persistent.

Use the following commands to configure the persistence of MAC addresses on an interface:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config ports

edit <port_name>

set sticky-mac {enable | disable}

next

end

You can also save persistent MAC addresses to the FortiSwitch configuration file so that they are automatically loaded when the FortiSwitch unit is rebooted. By default, persistent entries are lost when a FortiSwitch unit is rebooted. Use the following commands to save persistent MAC addresses for a specific interface or all interfaces:

execute switch-controller switch-action sticky-mac save interface <FortiSwitch_serial_number> <port_name>

execute switch-controller switch-action sticky-mac save all <FortiSwitch_serial_number>

Use one of the following commands to delete the persistent MAC addresses instead of saving them in the FortiSwitch configuration file:

execute switch-controller switch-action delete sticky-mac delete-unsaved all <FortiSwitch_serial_number>

execute switch-controller switch-action delete sticky-mac delete-unsaved interface <FortiSwitch_serial_number> <port_name>

Logging changes to MAC addresses

Use the following commands to create syslog entries for when MAC addresses are learned, aged out, and removed:

config switch-controller global

set mac-event-logging enable

end

Configuring the DHCP trust setting

The DHCP blocking feature monitors the DHCP traffic from untrusted sources (for example, typically host ports and unknown DHCP servers) that might initiate traffic attacks or other hostile actions. To prevent this, DHCP blocking filters messages on untrusted ports.

Set the port as a trusted or untrusted DHCP-snooping interface:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config ports

edit <port_name>

set dhcp-snooping {trusted | untrusted}

end

end

For example:

config switch-controller managed-switch

edit S524DF4K15000024

config ports

edit port1

set dhcp-snooping trusted

end

end

Configuring PoE

The following PoE CLI commands are available starting in FortiSwitchOS 3.3.0.

Enable PoE on the port

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config ports

edit <port_name>

set poe-status {enable | disable}

end

end

For example:

config switch-controller managed-switch

edit S524DF4K15000024

config ports

edit port1

set poe-status enable

end

end

Reset the PoE port

Power over Ethernet (PoE) describes any system that passes electric power along with data on twisted pair Ethernet cabling. Doing this allows a single cable to provide both data connection and electric power to devices (for example, wireless access points, IP cameras, and VoIP phones).

The following command resets PoE on the port:

execute switch-controller poe-reset <FortiSwitch_serial_number> <port_name>

Display general PoE status

get switch-controller <FortiSwitch_serial_number> <port_name>

The following example displays the PoE status for port 6 on the specified switch:

# get switch-controller poe FS108D3W14000967 port6

Port(6) Power:3.90W, Power-Status: Delivering Power

Power-Up Mode: Normal Mode

Remote Power Device Type: IEEE802.3AT PD

Power Class: 4

Defined Max Power: 30.0W, Priority:3

Voltage: 54.00V

Current: 78mA

Configuring edge ports

Use the following commands to enable or disable an interface as an edge port:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config ports

edit <port_name>

set edge-port {enable | disable}

end

end

For example:

config switch-controller managed-switch

edit S524DF4K15000024

config ports

edit port1

set edge-port enable

end

end

Configuring STP

Starting with FortiSwitch Release 3.4.2, STP is enabled by default for the non-FortiLink ports on the managed FortiSwitch units. STP is a link-management protocol that ensures a loop-free layer-2 network topology.

NOTE: STP is not supported between a FortiGate unit and a FortiSwitch unit in FortiLink mode.

To configure global STP settings, see Configure STP settings.

Use the following commands to enable or disable STP on FortiSwitch ports:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config ports

edit <port_name>

set stp-state {enabled | disabled}

end

end

For example:

config switch-controller managed-switch

edit S524DF4K15000024

config ports

edit port1

set stp-state enabled

end

end

To check the STP configuration on a FortiSwitch, use the following command:

diagnose switch-controller switch-info stp <FortiSwitch_serial_number> <instance_number>

For example:

FG100D3G15817028 # diagnose switch-controller switch-info stp S524DF4K15000024 0
MST Instance Information, primary-Channel:
Instance ID :   0
Switch Priority : 24576
Root MAC Address :    085b0ef195e4
Root Priority:    24576
Root Pathcost:    0
Regional Root MAC Address :   085b0ef195e4
Regional Root Priority:   24576
Regional Root Path Cost:  0
Remaining Hops:       20
This Bridge MAC Address :    085b0ef195e4
This bridge is the root

Port               Speed   Cost       Priority   Role         State       Edge  STP-Status  Loop Protection
________________   ______  _________  _________  ___________  __________  ____  __________  ________

port1              -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port2              -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port3              -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port4              -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port5              -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port6              -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port7              -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port8              -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port9              -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port10             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port11             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port12             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port13             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port14             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port15             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port16             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port17             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port18             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port19             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port20             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port21             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port22             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port23             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port25             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port26             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port27             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port28             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port29             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port30             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
internal           1G      20000      128        DESIGNATED   FORWARDING   YES    DISABLED       NO
__FoRtI1LiNk0__    1G      20000      128        DESIGNATED   FORWARDING   YES    DISABLED       NO

Configuring STP root guard

Root guard protects the interface on which it is enabled from becoming the path to root. When enabled on an interface, superior BPDUs received on that interface are ignored or dropped. Without using root guard, any switch that participates in STP maintains the ability to reroute the path to root. Rerouting might cause your network to transmit large amounts of traffic across suboptimal links or allow a malicious or misconfigured device to pose a security risk by passing core traffic through an insecure device for packet capture or inspection. By enabling root guard on multiple interfaces, you can create a perimeter around your existing paths to root to enforce the specified network topology.

Enable root guard on all ports that should not be root bridges. Do not enable root guard on the root port. You must have STP enabled to be able to use root guard.

Use the following commands to enable or disable STP root guard on FortiSwitch ports:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config ports

edit <port_name>

set stp-root-guard {enabled | disabled}

end

end

For example:

config switch-controller managed-switch

edit S524DF4K15000024

config ports

edit port1

set stp-root-guard enabled

end

end

Configuring STP BPDU guard

Similar to root guard, BPDU guard protects the designed network topology. When BPDU guard is enabled on STP edge ports, any BPDUs received cause the ports to go down for a specified number of minutes. The BPDUs are not forwarded, and the network edge is enforced.

There are two prerequisites for using BPDU guard:

  • You must define the port as an edge port with the set edge-port enable command.
  • You must enable STP on the switch interface with the set stp-state enabled command.

You can set how long the port will go down when a BPDU is received for a maximum of 120 minutes. The default port timeout is 5 minutes. If you set the timeout value to 0, the port will not go down when a BPDU is received, but you will have manually reset the port.

Use the following commands to enable or disable STP BPDU guard on FortiSwitch ports:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config ports

edit <port_name>

set stp-bpdu-guard {enabled | disabled}

set stp-bpdu-guard-time <0-120>

end

end

For example:

config switch-controller managed-switch

edit S524DF4K15000024

config ports

edit port1

set stp-bpdu-guard enabled

set stp-bpdu-guard-time 10

end

end

To check the configuration of STP BPDU guard on a FortiSwitch unit, use the following command:

diagnose switch-controller switch-info bpdu-guard-status <FortiSwitch_serial_number>

For example:

FG100D3G15817028 # diagnose switch-controller switch-info bpdu-guard-status S524DF4K15000024
Managed Switch : S524DF4K15000024 0

Portname             State      Status       Timeout(m)    Count    Last-Event
_________________   _______    _________    ___________    _____   _______________

port1              enabled      -              10            0            -
port2              disabled     -              -             -            -
port3              disabled     -              -             -            -
port4              disabled     -              -             -            -
port5              disabled     -              -             -            -
port6              disabled     -              -             -            -
port7              disabled     -              -             -            -
port8              disabled     -              -             -            -
port9              disabled     -              -             -            -
port10             disabled     -              -             -            -
port11             disabled     -              -             -            -
port12             disabled     -              -             -            -
port13             disabled     -              -             -            -
port14             disabled     -              -             -            -
port15             disabled     -              -             -            -
port16             disabled     -              -             -            -
port17             disabled     -              -             -            -
port18             disabled     -              -             -            -
port19             disabled     -              -             -            -
port20             disabled     -              -             -            -
port21             disabled     -              -             -            -
port22             disabled     -              -             -            -
port23             disabled     -              -             -            -
port25             disabled     -              -             -            -
port26             disabled     -              -             -            -
port27             disabled     -              -             -            -
port28             disabled     -              -             -            -
port29             disabled     -              -             -            -
port30             disabled     -              -             -            -
__FoRtI1LiNk0__    disabled     -              -             -            -

Configuring interoperation with per-VLAN RSTP

Starting in FortiOS 6.4.2, managed FortiSwitch units can now interoperate with a network that is running RPVST+. The existing networkʼs configuration can be maintained while adding managed FortiSwitch units as an extended region. By default, interoperation with RPVST+ is disabled.

When an MSTP domain is connected with an RPVST+ domain, FortiSwitch interoperation with the RPVST+ domain works in two ways:

  • If the root bridge for the CIST is within an MSTP region, the boundary FortiSwitch unit of the MSTP region duplicates instance 0 information, creates one BPDU for every VLAN, and sends the BPDUs to the RPVST+ domain.

    In this case, follow this rule: If the root bridge for the CIST is within an MSTP region, VLANs other than VLAN 1 defined in the RPVST+ domains must have their bridge priorities worse (numerically greater) than that of the CIST root bridge within MSTP region.

  • If the root bridge for the CIST is within an RPVST+ domain, the boundary FortiSwitch unit processes only the VLAN 1 information received from the RPVST+ domain. The other BPDUs (VLANs 2 and above) sent from the connected RPVST+ domain are used only for consistency checks.

    In this case, follow this rule: If the root bridge for the CIST is within the RPVST+ domain, the root bridge priority of VLANs other than VLAN 1 within that domain must be better (numerically less) than that of VLAN 1.
To configure interoperation with RPVST+:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config ports

edit <port_name>

set rpvst-port {enabled | disabled}

next

end

 

For example:

FGT-1 (testvdom) # config switch-controller managed-switch

FGT-1 (managed-switch) # edit FS3E32T419000006

FGT-1 (FS3E32T419000006) # config ports

FGT-1 (ports) # edit port5

FGT-1 (port5) # set rpvst-port enabled

FGT-1 (port5) # next

FGT-1 (ports) # end

 

To check your configuration and to diagnose any problems:

diagnose switch-controller switch-info rpvst <FortiSwitch_serial_number> <port_name>

 

For example:

diagnose switch-controller switch-info rpvst FS3E32T419000006 port5

 

 

Configuring loop guard

A loop in a layer-2 network results in broadcast storms that have far-reaching and unwanted effects. Fortinet loop guard helps to prevent loops. When loop guard is enabled on a switch port, the port monitors its subtending network for any downstream loops. Loop guard and STP should be used separately for loop protection. By default, loop guard is disabled on all ports.

Use the following commands to configure loop guard on a FortiSwitch port:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config ports

edit <port_name>

set loop-guard {enabled | disabled}

set loop-guard-timeout <0-120 minutes>

end

end

For example:

config switch-controller managed-switch

edit S524DF4K15000024

config ports

edit port1

set loop-guard enabled

set loop-guard-timeout 10

end

end

Configuring LLDP settings

The Fortinet data center switches support the Link Layer Discovery Protocol (LLDP) for transmission and reception wherein the switch will multicast LLDP packets to advertise its identity and capabilities. A switch receives the equivalent information from adjacent layer-2 peers.

Use the following commands to configure LLDP on a FortiSwitch port:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config ports

edit <port_name>

set lldp-status {rx-only | tx-only | tx-rx | disable}

set lldp-profile <profile_name>

end

end

For example:

config switch-controller managed-switch

edit S524DF4K15000024

config ports

edit port2

set lldp-status tx-rx

set lldp-profile default

end

end

Configuring IGMP snooping settings

IGMP snooping allows the FortiSwitch to passively listen to the Internet Group Management Protocol (IGMP) network traffic between hosts and routers. The switch uses this information to determine which ports are interested in receiving each multicast feed. FortiSwitch can reduce unnecessary multicast traffic on the LAN by pruning multicast traffic from links that do not contain a multicast listener.

NOTE: When an inter-switch link (ISL) is formed automatically in FortiLink mode, the igmps-flood-reports and igmps-flood-traffic options are disabled by default.

Use the following commands to configure IGMP settings on a FortiSwitch port:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config ports

edit <port_name>

set igmps-flood-reports {enable | disable}

set igmps-flood-traffic {enable | disable}

end

end

For example:

config switch-controller managed-switch

edit S524DF4K15000024

config ports

edit port3

set igmps-flood-reports enable

set igmps-flood-traffic enable

end

end

Configuring sFlow

sFlow is a method of monitoring the traffic on your network to identify areas on the network that might impact performance and throughput. With sFlow, you can export truncated packets and interface counters. FortiSwitch implements sFlow version 5 and supports trunks and VLANs.

NOTE: Because sFlow is CPU intensive, Fortinet does not recommend high rates of sampling for long periods.

sFlow uses packet sampling to monitor network traffic. The sFlow agent captures packet information at defined intervals and sends them to an sFlow collector for analysis, providing real-time data analysis. To minimize the impact on network throughput, the information sent is only a sampling of the data.

The sFlow collector is a central server running software that analyzes and reports on network traffic. The sampled packets and counter information, referred to as flow samples and counter samples, respectively, are sent as sFlow datagrams to a collector. Upon receiving the datagrams, the sFlow collector provides real-time analysis and graphing to indicate the source of potential traffic issues. sFlow collector software is available from a number of third-party software vendors. You must configure a FortiGate policy to transmit the samples from the FortiSwitch unit to the sFlow collector.

sFlow can monitor network traffic in two ways:

  • Flow samples—You specify the percentage of packets (one out of n packets) to randomly sample.
  • Counter samples—You specify how often (in seconds) the network device sends interface counters.

Use the following CLI commands to specify the IP address and port for the sFlow collector. By default, the IP address is 0.0.0.0, and the port number is 6343.

config switch-controller sflow

collector-ip <x.x.x.x>

collector-port <port_number>

end

Use the following CLI commands to configure sFlow:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config ports

edit <port_name>

set sflow-sampler {disabled | enabled}

set sflow-sample-rate <0-99999>

set sflow-counter-interval <1-255>

next

next

end

For example:

config switch-controller sflow

collector-ip 1.2.3.4

collector-port 10

end

 

config switch-controller managed-switch

edit S524DF4K15000024

config ports

edit port5

set sflow-sampler enabled

set sflow-sample-rate 10

set sflow-counter-interval 60

next

next

end

Configuring dynamic ARP inspection (DAI)

DAI prevents man-in-the-middle attacks and IP address spoofing by checking that packets from untrusted ports have valid IP-MAC-address binding. DAI allows only valid ARP requests and responses to be forwarded.

To use DAI, you must first enable the DHCP-snooping feature, enable DAI, and then enable DAI for each VLAN. By default, DAI is disabled on all VLANs.

After enabling DHCP snooping with the set switch-controller-dhcp-snooping enable command, use the following CLI commands to enable DAI and then enable DAI for a VLAN:

config system interface

edit vsw.test

set switch-controller-arp-inpsection {enable | disable}

end

 

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config ports

edit <port_name>

arp-inspection-trust <untrusted | trusted>

next

end

next

end

 

Use the following CLI command to check DAI statistics for a FortiSwitch unit:

diagnose switch-controller switch-info arp-inspection stats <FortiSwitch_serial_number>

Use the following CLI command to delete DAI statistics for a specific VLAN:

diagnose switch-controller switch-info arp-inspection stats-clear <VLAN_ID> <FortiSwitch_serial_number>

Configuring FortiSwitch port mirroring

The FortiSwitch unit can send a copy of any ingress or egress packet on a port to egress on another port of the same FortiSwitch unit. The original traffic is unaffected. This process is known as port-based mirroring and is typically used for external analysis and capture.

Using remote SPAN (RSPAN) or encapsulated RSPAN (ERSPAN) allows you to send the collected packets across layer-2 domains for analysis. You can have multiple RSPAN sessions but only one ERSPAN session.

In RSPAN mode, traffic is encapsulated in VLAN 4092. The FortiSwitch unit assigns the uplink port and the dst port. The switching functionality is enabled on the dst interface when mirroring.

NOTE: RSPAN is supported on FSR-112D-POE and on platforms 2xx and higher.

In ERSPAN mode, traffic is encapsulated in Ethernet, IPv4, and generic routing encapsulation (GRE) headers. By focusing on traffic to and from specified ports and traffic to a specified MAC or IP address, ERSPAN reduces the amount of traffic being mirrored. The ERSPAN traffic is sent to a specified IP address, which must be reachable by IPv4 ICMP ping. If no IP address is specified, the traffic is not mirrored.

NOTE: ERSPAN is supported on platforms 2xx and higher. ERSPAN cannot be used with the other FortiSwitch port-mirroring method.

To configure FortiSwitch port-based mirroring:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config mirror

edit <mirror_name>

set status {active | inactive} // Required

set dst <port_name> // Required

set switching-packet {enable | disable}

set src-ingress <port_name>

set src-egress <port_name>

next

end

next

For example:

config switch-controller managed-switch

edit S524DF4K15000024

config mirror

edit 2

set status active

set dst port1

set switching-packet enable

set src-ingress port2 port3

set src-egress port4 port5

next

end

next

To configure FortiSwitch RSPAN:

config switch-controller traffic-sniffer

set mode rspan

config target-mac

edit <MM:MM:MM:SS:SS:SS> // mirror traffic sent FROM this source MAC address

set description <string>

end

config target-ip

edit <xxx.xxx.xxx.xxx> // mirror traffic sent FROM this source IP address

set description <string>

end

config target-port

edit <FortiSwitch_serial_number>

set description <string>

set in-ports <portx porty portz ...> // mirror any traffic sent to these ports

set out-ports <portx porty portz ...> // mirror any traffic sent from these ports

end

end

For example:

config switch-controller traffic-sniffer

set mode rspan

config target-mac

edit 00:00:00:aa:bb:cc

set description MACtarget1

end

config target-ip

edit 10.254.254.192

set description IPtarget1

end

config target-port

edit S524DF4K15000024

set description PortTargets1

set in-ports port5 port6 port7

set out-ports port10

end

end

To configure FortiSwitch ERSPAN:

config switch-controller traffic-sniffer

set mode erspan-auto

set erspan-ip <xxx.xxx.xxx.xxx> // IPv4 address where ERSPAN traffic is sent

config target-mac

edit <MM:MM:MM:SS:SS:SS> // mirror traffic sent to this MAC address

set description <string>

end

config target-ip

edit <xxx.xxx.xxx.xxx> // mirror traffic sent to this IPv4 address

set description <string>

end

config target-port

edit <FortiSwitch_serial_number>

set description <string>

set in-ports <portx porty portz ...> // mirror traffic sent to these ports

set out-ports <portx porty portz ...> // mirror traffic sent from these ports

end

end

For example:

config switch-controller traffic-sniffer

set mode erspan-auto

set erspan-ip 10.254.254.254

config target-mac

edit 00:00:00:aa:bb:cc

set description MACtarget1

end

config target-ip

edit 10.254.254.192

set description IPtarget1

end

config target-port

edit S524DF4K15000024

set description PortTargets1

set in-ports port5 port6 port7

set out-ports port10

end

end

To disable FortiSwitch port mirroring:

config switch-controller traffic-sniffer

set mode none

end

Configuring FortiSwitch split ports (phy-mode) in FortiLink mode

On some FortiSwitch models that provide QSFP (quad small form-factor pluggable) interfaces, you can install a breakout cable to convert one interface into four interfaces. See the list of supported FortiSwitch models in the notes in this section.

FortiLink mode supports the FortiSwitch split-port configuration:

Notes
  • Splitting ports is not supported when a FortiSwitch unit is managed through layer 3.
  • Split ports are not configured for pre-configured FortiSwitch units.
  • Splitting ports is supported on the following FortiSwitch models:
    • 3032D (ports 5 to 28 are splittable)
    • 3032E (Ports can be split into 4 x 25G when configured in 100G QSFP28 mode or can be split into 4 x 10G when configured in 40G QSFP mode. Use the set <port_name>-phy-mode disabled command to disable some 100G ports to allow up to sixty 25G, 10G, or 1G ports.)
    • 524D, 524D-FPOE (ports 29 and 30 are splittable)
    • 548D, 548D-FPOE (ports 53 and 54 are splittable)
    • 1048E (In the 4 x 100G configuration, ports 49, 50, 51, and 52 are splittable as 4 x 25G.)
    • 1048E (In the 6 x 40G configuration, ports 49, 50, 51, 52, 53, 54 are splittable as 4 x 10G.)

    Use the set port-configuration ? command to check which ports are supported for each model.

  • Currently, the maximum number of ports supported in software is 64 (including the management port). Therefore, only 10 QSFP ports can be split. This limitation applies to all of the models, but only the 3032D and the 1048E models have enough ports to encounter this limit.

Configuring split ports on a previously discovered FortiSwitch unit

  1. On the FortiSwitch unit, configure the split ports. See Configuring a split port on the FortiSwitch unit.
  2. Restart the FortiSwitch unit.
  3. Remove the FortiSwitch from being managed:

    config switch-controller managed-switch

    delete <FortiSwitch_serial_number>

    end

  4. Discover the FortiSwitch unit.
  5. Authorize the FortiSwitch unit.

Configuring split ports with a new FortiSwitch unit

  1. Discover the FortiSwitch unit.
  2. Authorize the FortiSwitch unit.
  3. Restart the FortiSwitch unit.
  4. On the FortiSwitch unit, configure the split ports. See Configuring a split port on the FortiSwitch unit.
  5. Restart the FortiSwitch unit.
  6. Remove the FortiSwitch from being managed:

    config switch-controller managed-switch

    delete <FortiSwitch_serial_number>

    end

  7. Discover the FortiSwitch unit.
  8. Authorize the FortiSwitch unit.

Configuring a split port on the FortiSwitch unit

Use the following commands to configure a split port:

config switch phy-mode

set port-configuration <default | disable-port54 | disable-port41-48 | 4x100G | 6x40G>

set <port_name>-phy-mode <1x40G | 4x10G>

...

(one entry for each port that supports split port)

end

The following settings are available:

  • disable-port54—For 548D and 548D-FPOE, only port 53 is splittable; port 54 is unavailable.
  • disable-port41-48—For 548D and 548D-FPOE, ports 41 to 48 are unavailable, but you can configure ports 53 and 54 in split-port mode.
  • 4x100G—For 1048E, enable the maximum speed (100G) of ports 49 through 52. Ports 53 and 54 are disabled.
  • 6x40G—For 1048E, enable the maximum speed (40G) of ports 49 through 54.

In the following example, a FortiSwitch 3032D is configured with ports 10, 14, and 28 set to 4x10G:

config switch phy-mode

set port5-phy-mode 1x40G

set port6-phy-mode 1x40G

set port7-phy-mode 1x40G

set port8-phy-mode 1x40G

set port9-phy-mode 1x40G

set port10-phy-mode 4x10G

set port11-phy-mode 1x40G

set port12-phy-mode 1x40G

set port13-phy-mode 1x40G

set port14-phy-mode 4x10G

set port15-phy-mode 1x40G

set port16-phy-mode 1x40G

set port17-phy-mode 1x40G

set port18-phy-mode 1x40G

set port19-phy-mode 1x40G

set port20-phy-mode 1x40G

set port21-phy-mode 1x40G

set port22-phy-mode 1x40G

set port23-phy-mode 1x40G

set port24-phy-mode 1x40G

set port25-phy-mode 1x40G

set port26-phy-mode 1x40G

set port27-phy-mode 1x40G

set port28-phy-mode 4x10G

end

The system applies the configuration only after you enter the end command, displaying the following message:

This change will cause a ports to be added and removed, this will cause loss of configuration on removed ports. The system will have to reboot to apply this change.

Do you want to continue? (y/n)y

To configure one of the split ports, use the notation ".x" to specify the split port:

config switch physical-port

edit "port1"

set lldp-profile "default-auto-isl"

set speed 40000full

next

edit "port2"

set lldp-profile "default-auto-isl"

set speed 40000full

next

edit "port3"

set lldp-profile "default-auto-isl"

set speed 40000full

next

edit "port4"

set lldp-profile "default-auto-isl"

set speed 40000full

next

edit "port5.1"

set speed 10000full

next

edit "port5.2"

set speed 10000full

next

edit "port5.3"

set speed 10000full

next

edit "port5.4"

set speed 10000full

next

end

FortiSwitch port features

You can configure the FortiSwitch port feature settings from the FortiGate using the FortiSwitch CLI or web administration GUI.

FortiSwitch ports display

The WiFi & Switch Controller > FortiSwitch Ports page displays port information about each of the managed switches.

The following figure shows the display for a FortiSwitch 248E-FPOE:

Select Faceplates to get the following information:

  • active ports (green)
  • PoE-enabled ports (blue rectangle)
  • FortiLink port (link icon)

If you device has PoE, the Faceplates page displays the total power budget and the actual power currently allocated.

The allocated power displays a blue bar for the used power (currently being consumed) and a green bar for the reserved power (power available for additional devices on the POE ports).

Each entry in the port list displays the following information:

  • Port status (red for down, green for up)
  • Port name
  • If the port is a member of a trunk
  • Access mode
  • Enabled features
  • Native VLAN
  • Allowed VLANs
  • PoE status
  • Device information
  • DHCP snooping status
  • Transceiver information

Configuring ports using the GUI

You can use the WiFi & Switch Controller > FortiSwitch Ports page to do the following with FortiSwitch switch ports:

  • Set the native VLAN and add more VLANs
  • Edit the description of the port
  • Enable or disable the port
  • Set the access mode to network access control (NAC) or normal
  • Enable or disable PoE for the port
  • Enable or disable DHCP snooping (if supported by the port)
  • Enable or disable whether a port is an edge port
  • Enable or disable STP (if supported by the port)
  • Enable or disable loop guard (if supported by the port)
  • Enable or disable STP BPDU guard (if supported by the port)
  • Enable or disable STP root guard (if supported by the port)

Resetting PoE-enabled ports

If you need to reset PoE-enabled ports, go to WiFi & Switch Control > FortiSwitch Ports, right-click on one or more PoE-enabled ports and select Reset PoE from the context menu.

You can also go to WiFi & Switch Control > Managed FortiSwitch and click on a port icon for the FortiSwitch of interest. In the FortiSwitch Ports page, right-click on one or more PoE-enabled ports and select Reset PoE from the context menu.

Configuring ports using the FortiGate CLI

You can configure the following FortiSwitch port settings using the FortiGate CLI:

Configuring port speed and status

Use the following commands to set port speed and other base port settings:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config ports

edit <port_name>

set description <text>

set speed <speed>

set status {down | up}

end

end

For example:

config switch-controller managed-switch

edit S524DF4K15000024

config ports

edit port1

set description "First port"

set speed auto

set status up

end

end

Sharing FortiSwitch ports between VDOMs

Virtual domains (VDOMs) are a method of dividing a FortiGate unit into two or more virtual units that function as multiple independent units. VDOMs provide separate security domains that allow separate zones, user authentication, security policies, routing, and VPN configurations.

FortiSwitch ports can now be shared between VDOMs.

Starting in FortiOS 6.2.0, the following features are supported on FortiSwitch ports shared between VDOMs:

  • POE pre-standard detection (on a per-port basis if the FortiSwitch model supports this feature)
  • Learning limit for dynamic MAC addresses on ports, trunks, and VLANs (if the FortiSwitch unit supports this feature)
  • QoS egress CoS queue policy (if the FortiSwitch unit supports this feature)
  • Port security policy
The following example shows how to share FortiSwitch ports between VDOMs:
  1. In the tenant VDOM named bbb, create a VLAN interface using the following CLI commands (not supported in the GUI):

     

    FG5H0E3917900081 (bbb) #

    config system interface

    edit "bbb-vlan99"

    set vdom "bbb"

    set allowaccess ping

    set device-identification enable

    set role lan

    set snmp-index 58

    set switch-controller-dhcp-snooping enable

    set interface "flink-lag" // this is the FortiLink interface in the root VDOM

    set vlanid 99

    next

    end

     

    config switch-controller global

    set default-virtual-switch-vlan "bbb-vlan99"

    end

     

  2. Go back to the root VDOM. Pick a switch port to share between VDOMs, port10 in this case.

     

    FG5H0E3917900081 (vdom) # edit root

    current vf=root:0

    FG5H0E3917900081 (root) # config switch-controller managed-switch

    FG5H0E3917900081 (managed-switch) # edit S548DF4K15000276

    FG5H0E3917900081 (S548DF4K15000276) # config ports

    FG5H0E3917900081 (ports) # edit port10

    FG5H0E3917900081 (port10) # set export-to bbb

     

    If you want to use the virtual-pool feature instead:

     

    FG5H0E3917900081 (root) # config switch-controller virtual-port-pool

    edit "bbb-pool"

    set description "bbb-vlan-pool"

    end

     

    FG5H0E3917900081 (root) # config switch-controller managed-switch

    FG5H0E3917900081 (managed-switch) # edit S548DF4K15000276

    FG5H0E3917900081 (S548DF4K15000276) # config port

    FG5H0E3917900081 (ports) # edit port11

    FG5H0E3917900081 (port11) # set export-to-pool bbb-pool

     

  3. Go back to the bbb VDOM to claim port11 because it is in the virtual pool but not directly exported to the VDOM yet. (The administrator might want to pre-assign some ports in the tenant VDOM and let the tenant VDOM administrator claim them before they are used.)

     

    FG5H0E3917900081 (bbb) # execute switch-controller virtual-port-pool request S548DF4K15000276 port11

    FG5H0E3917900081 (bbb) # config switch-controller managed-switch // The switch port is now in the bbb VDOM even though there is no FortiLink interface in the bbb VDOM.

    FG5H0E3917900081 (managed-switch) # show

    config switch-controller managed-switch

    edit "S548DF4K15000276"

    set poe-detection-type 1

    set type virtual

    set owner-vdom "root"

    config ports

    edit "port10"

    set poe-capable 1

    set vlan "bbb-vlan99"

    next

    edit "port11"

    set poe-capable 1

    set vlan "bbb-vlan99"

    next

    end

    next

    end

     

  4. Check your configuration on the root VDOM:

     

    FG5H0E3917900081 (port10) # show

    config ports

    edit "port10"

    set poe-capable 1

    set export-to "bbb"

    next

    end

     

    FG5H0E3917900081 (port11) # show

    config ports

    edit "port11"

    set poe-capable 1

    set export-to-pool "bbb-pool"

    set export-to "bbb"

    next

    end

     

  5. Check your configuration on the tenant VDOM:

     

    FG5H0E3917900081 (ports) # show

    config ports

    edit "port10"

    set poe-capable 1

    set vlan "bbb-vlan99"

    next

    edit "port11"

    set poe-capable 1

    set vlan "bbb-vlan99"

    next

    end

     

You can create your own export tags using the following CLI commands:

config switch-controller switch-interface-tag

edit <tag_name>

end

Use the following CLI command to list the contents of a specific VPP:

execute switch-controller virtual-port-pool show-by-pool <VPP_name>

Use the following CLI command to list all VPPs and their contents:

execute switch-controller virtual-port-pool show

NOTE: Shared ports do not support the following features:

  • LLDP
  • STP
  • BPDU guard
  • Root guard
  • DHCP snooping
  • IGMP snooping
  • MCLAG
  • Quarantines

NOTE: After you export a switch port to a pool, if you need to export the switch port to a different pool, you need to exit/abort and then re-enter into the FortiSwitch CLI port configuration.

Dynamic MAC address learning

You can enable or disable dynamic MAC address learning on a port or VLAN. The existing dynamic MAC entries are flushed when you change this setting. If you disable MAC address learning, you can set the behavior for an incoming packet with an unknown MAC address (to drop or forward the packet).

Limiting the number of learned MAC addresses on a FortiSwitch interface

You can limit the number of MAC addresses learned on a FortiSwitch interface (port or VLAN). The limit ranges from 1 to 128. If the limit is set to the default value zero, there is no learning limit.

NOTE: Static MAC addresses are not counted in the limit. The limit refers only to learned MAC addresses.

Use the following CLI commands to limit MAC address learning on a VLAN:

config switch vlan

edit <integer>

set switch-controller-learning-limit <limit>

end

end

For example:

config switch vlan

edit 100

set switch-controller-learning-limit 20

end

end

Use the following CLI commands to limit MAC address learning on a port:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config ports

edit <port_name>

set learning-limit <limit>

next

end

end

end

For example:

config switch-controller managed-switch

edit S524DF4K15000024

config ports

edit port3

set learning-limit 50

next

end

end

end

Controlling how long learned MAC addresses are saved

You can change how long learned MAC addresses are stored. By default, each learned MAC address is aged out after 300 seconds. After this amount of time, the inactive MAC address is deleted from the FortiSwitch hardware. The value ranges from 10 to 1000,000 seconds. Set the value to 0 to disable MAC address aging.

config switch-controller global

set mac-aging-interval <10 to 1000000>

end

For example:

config switch-controller global

set mac-aging-interval 500

end

If the mac-aging-interval is disabled by being set to 0, you can still control when inactive MAC addresses are removed from the FortiSwitch hardware. By default, inactive MAC addresses are removed after 24 hours. The value ranges from 0 to 168 hours. Set the value to 0 to use the mac-aging-interval setting to control when inactive MAC addresses are deleted.

config switch-controller global

set mac-retention-period <0 to 168>

end

For example:

config switch-controller global

set mac-retention-period 36

end

Logging violations of the MAC address learning limit

If you want to see the first MAC address that exceeded the learning limit for an interface or VLAN, you can enable the learning-limit violation log for a managed FortiSwitch unit. Only one violation is recorded per interface or VLAN.

By default, logging is disabled. The most recent violation that occurred on each interface or VLAN is recorded in the system log. After that, no more violations are logged until the log is reset for the triggered interface or VLAN. Only the most recent 128 violations are displayed in the console.

Use the following commands to control the learning-limit violation log and to control how long learned MAC addresses are save:

config switch-controller global

set mac-violation-timer <0-1500>

set log-mac-limit-violations {enable | disable}

end

For example:

config switch-controller global

set mac-violation-timer 1000

set log-mac-limit-violations enable

end

To view the content of the learning-limit violation log for a managed FortiSwitch unit, use one of the following commands:

  • diagnose switch-controller switch-info mac-limit-violations all <FortiSwitch_serial_number>
  • diagnose switch-controller switch-info mac-limit-violations interface <FortiSwitch_serial_number> <port_name>
  • diagnose switch-controller switch-info mac-limit-violations vlan <FortiSwitch_serial_number> <VLAN_ID>

For example, to set the learning-limit violation log for VLAN 5 on a managed FortiSwitch unit:

diagnose switch-controller switch-info mac-limit-violations vlan S124DP3XS12345678 5

To reset the learning-limit violation log for a managed FortiSwitch unit, use one of the following commands:

  • execute switch-controller mac-limit-violation reset all <FortiSwitch_serial_number>
  • execute switch-controller mac-limit-violation reset vlan <FortiSwitch_serial_number> <VLAN_ID>
  • execute switch-controller mac-limit-violation reset interface <FortiSwitch_serial_number> <port_name>

For example, to clear the learning-limit violation log for port 5 of a managed FortiSwitch unit:

execute switch-controller mac-limit-violation reset interface S124DP3XS12345678 port5

Persistent (sticky) MAC addresses

You can make dynamically learned MAC addresses persistent when the status of a FortiSwitch port changes (goes down or up). By default, MAC addresses are not persistent.

Use the following commands to configure the persistence of MAC addresses on an interface:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config ports

edit <port_name>

set sticky-mac {enable | disable}

next

end

You can also save persistent MAC addresses to the FortiSwitch configuration file so that they are automatically loaded when the FortiSwitch unit is rebooted. By default, persistent entries are lost when a FortiSwitch unit is rebooted. Use the following commands to save persistent MAC addresses for a specific interface or all interfaces:

execute switch-controller switch-action sticky-mac save interface <FortiSwitch_serial_number> <port_name>

execute switch-controller switch-action sticky-mac save all <FortiSwitch_serial_number>

Use one of the following commands to delete the persistent MAC addresses instead of saving them in the FortiSwitch configuration file:

execute switch-controller switch-action delete sticky-mac delete-unsaved all <FortiSwitch_serial_number>

execute switch-controller switch-action delete sticky-mac delete-unsaved interface <FortiSwitch_serial_number> <port_name>

Logging changes to MAC addresses

Use the following commands to create syslog entries for when MAC addresses are learned, aged out, and removed:

config switch-controller global

set mac-event-logging enable

end

Configuring the DHCP trust setting

The DHCP blocking feature monitors the DHCP traffic from untrusted sources (for example, typically host ports and unknown DHCP servers) that might initiate traffic attacks or other hostile actions. To prevent this, DHCP blocking filters messages on untrusted ports.

Set the port as a trusted or untrusted DHCP-snooping interface:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config ports

edit <port_name>

set dhcp-snooping {trusted | untrusted}

end

end

For example:

config switch-controller managed-switch

edit S524DF4K15000024

config ports

edit port1

set dhcp-snooping trusted

end

end

Configuring PoE

The following PoE CLI commands are available starting in FortiSwitchOS 3.3.0.

Enable PoE on the port

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config ports

edit <port_name>

set poe-status {enable | disable}

end

end

For example:

config switch-controller managed-switch

edit S524DF4K15000024

config ports

edit port1

set poe-status enable

end

end

Reset the PoE port

Power over Ethernet (PoE) describes any system that passes electric power along with data on twisted pair Ethernet cabling. Doing this allows a single cable to provide both data connection and electric power to devices (for example, wireless access points, IP cameras, and VoIP phones).

The following command resets PoE on the port:

execute switch-controller poe-reset <FortiSwitch_serial_number> <port_name>

Display general PoE status

get switch-controller <FortiSwitch_serial_number> <port_name>

The following example displays the PoE status for port 6 on the specified switch:

# get switch-controller poe FS108D3W14000967 port6

Port(6) Power:3.90W, Power-Status: Delivering Power

Power-Up Mode: Normal Mode

Remote Power Device Type: IEEE802.3AT PD

Power Class: 4

Defined Max Power: 30.0W, Priority:3

Voltage: 54.00V

Current: 78mA

Configuring edge ports

Use the following commands to enable or disable an interface as an edge port:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config ports

edit <port_name>

set edge-port {enable | disable}

end

end

For example:

config switch-controller managed-switch

edit S524DF4K15000024

config ports

edit port1

set edge-port enable

end

end

Configuring STP

Starting with FortiSwitch Release 3.4.2, STP is enabled by default for the non-FortiLink ports on the managed FortiSwitch units. STP is a link-management protocol that ensures a loop-free layer-2 network topology.

NOTE: STP is not supported between a FortiGate unit and a FortiSwitch unit in FortiLink mode.

To configure global STP settings, see Configure STP settings.

Use the following commands to enable or disable STP on FortiSwitch ports:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config ports

edit <port_name>

set stp-state {enabled | disabled}

end

end

For example:

config switch-controller managed-switch

edit S524DF4K15000024

config ports

edit port1

set stp-state enabled

end

end

To check the STP configuration on a FortiSwitch, use the following command:

diagnose switch-controller switch-info stp <FortiSwitch_serial_number> <instance_number>

For example:

FG100D3G15817028 # diagnose switch-controller switch-info stp S524DF4K15000024 0
MST Instance Information, primary-Channel:
Instance ID :   0
Switch Priority : 24576
Root MAC Address :    085b0ef195e4
Root Priority:    24576
Root Pathcost:    0
Regional Root MAC Address :   085b0ef195e4
Regional Root Priority:   24576
Regional Root Path Cost:  0
Remaining Hops:       20
This Bridge MAC Address :    085b0ef195e4
This bridge is the root

Port               Speed   Cost       Priority   Role         State       Edge  STP-Status  Loop Protection
________________   ______  _________  _________  ___________  __________  ____  __________  ________

port1              -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port2              -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port3              -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port4              -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port5              -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port6              -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port7              -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port8              -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port9              -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port10             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port11             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port12             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port13             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port14             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port15             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port16             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port17             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port18             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port19             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port20             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port21             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port22             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port23             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port25             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port26             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port27             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port28             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port29             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
port30             -       200000000  128        DISABLED     DISCARDING   YES    ENABLED        NO
internal           1G      20000      128        DESIGNATED   FORWARDING   YES    DISABLED       NO
__FoRtI1LiNk0__    1G      20000      128        DESIGNATED   FORWARDING   YES    DISABLED       NO

Configuring STP root guard

Root guard protects the interface on which it is enabled from becoming the path to root. When enabled on an interface, superior BPDUs received on that interface are ignored or dropped. Without using root guard, any switch that participates in STP maintains the ability to reroute the path to root. Rerouting might cause your network to transmit large amounts of traffic across suboptimal links or allow a malicious or misconfigured device to pose a security risk by passing core traffic through an insecure device for packet capture or inspection. By enabling root guard on multiple interfaces, you can create a perimeter around your existing paths to root to enforce the specified network topology.

Enable root guard on all ports that should not be root bridges. Do not enable root guard on the root port. You must have STP enabled to be able to use root guard.

Use the following commands to enable or disable STP root guard on FortiSwitch ports:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config ports

edit <port_name>

set stp-root-guard {enabled | disabled}

end

end

For example:

config switch-controller managed-switch

edit S524DF4K15000024

config ports

edit port1

set stp-root-guard enabled

end

end

Configuring STP BPDU guard

Similar to root guard, BPDU guard protects the designed network topology. When BPDU guard is enabled on STP edge ports, any BPDUs received cause the ports to go down for a specified number of minutes. The BPDUs are not forwarded, and the network edge is enforced.

There are two prerequisites for using BPDU guard:

  • You must define the port as an edge port with the set edge-port enable command.
  • You must enable STP on the switch interface with the set stp-state enabled command.

You can set how long the port will go down when a BPDU is received for a maximum of 120 minutes. The default port timeout is 5 minutes. If you set the timeout value to 0, the port will not go down when a BPDU is received, but you will have manually reset the port.

Use the following commands to enable or disable STP BPDU guard on FortiSwitch ports:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config ports

edit <port_name>

set stp-bpdu-guard {enabled | disabled}

set stp-bpdu-guard-time <0-120>

end

end

For example:

config switch-controller managed-switch

edit S524DF4K15000024

config ports

edit port1

set stp-bpdu-guard enabled

set stp-bpdu-guard-time 10

end

end

To check the configuration of STP BPDU guard on a FortiSwitch unit, use the following command:

diagnose switch-controller switch-info bpdu-guard-status <FortiSwitch_serial_number>

For example:

FG100D3G15817028 # diagnose switch-controller switch-info bpdu-guard-status S524DF4K15000024
Managed Switch : S524DF4K15000024 0

Portname             State      Status       Timeout(m)    Count    Last-Event
_________________   _______    _________    ___________    _____   _______________

port1              enabled      -              10            0            -
port2              disabled     -              -             -            -
port3              disabled     -              -             -            -
port4              disabled     -              -             -            -
port5              disabled     -              -             -            -
port6              disabled     -              -             -            -
port7              disabled     -              -             -            -
port8              disabled     -              -             -            -
port9              disabled     -              -             -            -
port10             disabled     -              -             -            -
port11             disabled     -              -             -            -
port12             disabled     -              -             -            -
port13             disabled     -              -             -            -
port14             disabled     -              -             -            -
port15             disabled     -              -             -            -
port16             disabled     -              -             -            -
port17             disabled     -              -             -            -
port18             disabled     -              -             -            -
port19             disabled     -              -             -            -
port20             disabled     -              -             -            -
port21             disabled     -              -             -            -
port22             disabled     -              -             -            -
port23             disabled     -              -             -            -
port25             disabled     -              -             -            -
port26             disabled     -              -             -            -
port27             disabled     -              -             -            -
port28             disabled     -              -             -            -
port29             disabled     -              -             -            -
port30             disabled     -              -             -            -
__FoRtI1LiNk0__    disabled     -              -             -            -

Configuring interoperation with per-VLAN RSTP

Starting in FortiOS 6.4.2, managed FortiSwitch units can now interoperate with a network that is running RPVST+. The existing networkʼs configuration can be maintained while adding managed FortiSwitch units as an extended region. By default, interoperation with RPVST+ is disabled.

When an MSTP domain is connected with an RPVST+ domain, FortiSwitch interoperation with the RPVST+ domain works in two ways:

  • If the root bridge for the CIST is within an MSTP region, the boundary FortiSwitch unit of the MSTP region duplicates instance 0 information, creates one BPDU for every VLAN, and sends the BPDUs to the RPVST+ domain.

    In this case, follow this rule: If the root bridge for the CIST is within an MSTP region, VLANs other than VLAN 1 defined in the RPVST+ domains must have their bridge priorities worse (numerically greater) than that of the CIST root bridge within MSTP region.

  • If the root bridge for the CIST is within an RPVST+ domain, the boundary FortiSwitch unit processes only the VLAN 1 information received from the RPVST+ domain. The other BPDUs (VLANs 2 and above) sent from the connected RPVST+ domain are used only for consistency checks.

    In this case, follow this rule: If the root bridge for the CIST is within the RPVST+ domain, the root bridge priority of VLANs other than VLAN 1 within that domain must be better (numerically less) than that of VLAN 1.
To configure interoperation with RPVST+:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config ports

edit <port_name>

set rpvst-port {enabled | disabled}

next

end

 

For example:

FGT-1 (testvdom) # config switch-controller managed-switch

FGT-1 (managed-switch) # edit FS3E32T419000006

FGT-1 (FS3E32T419000006) # config ports

FGT-1 (ports) # edit port5

FGT-1 (port5) # set rpvst-port enabled

FGT-1 (port5) # next

FGT-1 (ports) # end

 

To check your configuration and to diagnose any problems:

diagnose switch-controller switch-info rpvst <FortiSwitch_serial_number> <port_name>

 

For example:

diagnose switch-controller switch-info rpvst FS3E32T419000006 port5

 

 

Configuring loop guard

A loop in a layer-2 network results in broadcast storms that have far-reaching and unwanted effects. Fortinet loop guard helps to prevent loops. When loop guard is enabled on a switch port, the port monitors its subtending network for any downstream loops. Loop guard and STP should be used separately for loop protection. By default, loop guard is disabled on all ports.

Use the following commands to configure loop guard on a FortiSwitch port:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config ports

edit <port_name>

set loop-guard {enabled | disabled}

set loop-guard-timeout <0-120 minutes>

end

end

For example:

config switch-controller managed-switch

edit S524DF4K15000024

config ports

edit port1

set loop-guard enabled

set loop-guard-timeout 10

end

end

Configuring LLDP settings

The Fortinet data center switches support the Link Layer Discovery Protocol (LLDP) for transmission and reception wherein the switch will multicast LLDP packets to advertise its identity and capabilities. A switch receives the equivalent information from adjacent layer-2 peers.

Use the following commands to configure LLDP on a FortiSwitch port:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config ports

edit <port_name>

set lldp-status {rx-only | tx-only | tx-rx | disable}

set lldp-profile <profile_name>

end

end

For example:

config switch-controller managed-switch

edit S524DF4K15000024

config ports

edit port2

set lldp-status tx-rx

set lldp-profile default

end

end

Configuring IGMP snooping settings

IGMP snooping allows the FortiSwitch to passively listen to the Internet Group Management Protocol (IGMP) network traffic between hosts and routers. The switch uses this information to determine which ports are interested in receiving each multicast feed. FortiSwitch can reduce unnecessary multicast traffic on the LAN by pruning multicast traffic from links that do not contain a multicast listener.

NOTE: When an inter-switch link (ISL) is formed automatically in FortiLink mode, the igmps-flood-reports and igmps-flood-traffic options are disabled by default.

Use the following commands to configure IGMP settings on a FortiSwitch port:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config ports

edit <port_name>

set igmps-flood-reports {enable | disable}

set igmps-flood-traffic {enable | disable}

end

end

For example:

config switch-controller managed-switch

edit S524DF4K15000024

config ports

edit port3

set igmps-flood-reports enable

set igmps-flood-traffic enable

end

end

Configuring sFlow

sFlow is a method of monitoring the traffic on your network to identify areas on the network that might impact performance and throughput. With sFlow, you can export truncated packets and interface counters. FortiSwitch implements sFlow version 5 and supports trunks and VLANs.

NOTE: Because sFlow is CPU intensive, Fortinet does not recommend high rates of sampling for long periods.

sFlow uses packet sampling to monitor network traffic. The sFlow agent captures packet information at defined intervals and sends them to an sFlow collector for analysis, providing real-time data analysis. To minimize the impact on network throughput, the information sent is only a sampling of the data.

The sFlow collector is a central server running software that analyzes and reports on network traffic. The sampled packets and counter information, referred to as flow samples and counter samples, respectively, are sent as sFlow datagrams to a collector. Upon receiving the datagrams, the sFlow collector provides real-time analysis and graphing to indicate the source of potential traffic issues. sFlow collector software is available from a number of third-party software vendors. You must configure a FortiGate policy to transmit the samples from the FortiSwitch unit to the sFlow collector.

sFlow can monitor network traffic in two ways:

  • Flow samples—You specify the percentage of packets (one out of n packets) to randomly sample.
  • Counter samples—You specify how often (in seconds) the network device sends interface counters.

Use the following CLI commands to specify the IP address and port for the sFlow collector. By default, the IP address is 0.0.0.0, and the port number is 6343.

config switch-controller sflow

collector-ip <x.x.x.x>

collector-port <port_number>

end

Use the following CLI commands to configure sFlow:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config ports

edit <port_name>

set sflow-sampler {disabled | enabled}

set sflow-sample-rate <0-99999>

set sflow-counter-interval <1-255>

next

next

end

For example:

config switch-controller sflow

collector-ip 1.2.3.4

collector-port 10

end

 

config switch-controller managed-switch

edit S524DF4K15000024

config ports

edit port5

set sflow-sampler enabled

set sflow-sample-rate 10

set sflow-counter-interval 60

next

next

end

Configuring dynamic ARP inspection (DAI)

DAI prevents man-in-the-middle attacks and IP address spoofing by checking that packets from untrusted ports have valid IP-MAC-address binding. DAI allows only valid ARP requests and responses to be forwarded.

To use DAI, you must first enable the DHCP-snooping feature, enable DAI, and then enable DAI for each VLAN. By default, DAI is disabled on all VLANs.

After enabling DHCP snooping with the set switch-controller-dhcp-snooping enable command, use the following CLI commands to enable DAI and then enable DAI for a VLAN:

config system interface

edit vsw.test

set switch-controller-arp-inpsection {enable | disable}

end

 

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config ports

edit <port_name>

arp-inspection-trust <untrusted | trusted>

next

end

next

end

 

Use the following CLI command to check DAI statistics for a FortiSwitch unit:

diagnose switch-controller switch-info arp-inspection stats <FortiSwitch_serial_number>

Use the following CLI command to delete DAI statistics for a specific VLAN:

diagnose switch-controller switch-info arp-inspection stats-clear <VLAN_ID> <FortiSwitch_serial_number>

Configuring FortiSwitch port mirroring

The FortiSwitch unit can send a copy of any ingress or egress packet on a port to egress on another port of the same FortiSwitch unit. The original traffic is unaffected. This process is known as port-based mirroring and is typically used for external analysis and capture.

Using remote SPAN (RSPAN) or encapsulated RSPAN (ERSPAN) allows you to send the collected packets across layer-2 domains for analysis. You can have multiple RSPAN sessions but only one ERSPAN session.

In RSPAN mode, traffic is encapsulated in VLAN 4092. The FortiSwitch unit assigns the uplink port and the dst port. The switching functionality is enabled on the dst interface when mirroring.

NOTE: RSPAN is supported on FSR-112D-POE and on platforms 2xx and higher.

In ERSPAN mode, traffic is encapsulated in Ethernet, IPv4, and generic routing encapsulation (GRE) headers. By focusing on traffic to and from specified ports and traffic to a specified MAC or IP address, ERSPAN reduces the amount of traffic being mirrored. The ERSPAN traffic is sent to a specified IP address, which must be reachable by IPv4 ICMP ping. If no IP address is specified, the traffic is not mirrored.

NOTE: ERSPAN is supported on platforms 2xx and higher. ERSPAN cannot be used with the other FortiSwitch port-mirroring method.

To configure FortiSwitch port-based mirroring:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config mirror

edit <mirror_name>

set status {active | inactive} // Required

set dst <port_name> // Required

set switching-packet {enable | disable}

set src-ingress <port_name>

set src-egress <port_name>

next

end

next

For example:

config switch-controller managed-switch

edit S524DF4K15000024

config mirror

edit 2

set status active

set dst port1

set switching-packet enable

set src-ingress port2 port3

set src-egress port4 port5

next

end

next

To configure FortiSwitch RSPAN:

config switch-controller traffic-sniffer

set mode rspan

config target-mac

edit <MM:MM:MM:SS:SS:SS> // mirror traffic sent FROM this source MAC address

set description <string>

end

config target-ip

edit <xxx.xxx.xxx.xxx> // mirror traffic sent FROM this source IP address

set description <string>

end

config target-port

edit <FortiSwitch_serial_number>

set description <string>

set in-ports <portx porty portz ...> // mirror any traffic sent to these ports

set out-ports <portx porty portz ...> // mirror any traffic sent from these ports

end

end

For example:

config switch-controller traffic-sniffer

set mode rspan

config target-mac

edit 00:00:00:aa:bb:cc

set description MACtarget1

end

config target-ip

edit 10.254.254.192

set description IPtarget1

end

config target-port

edit S524DF4K15000024

set description PortTargets1

set in-ports port5 port6 port7

set out-ports port10

end

end

To configure FortiSwitch ERSPAN:

config switch-controller traffic-sniffer

set mode erspan-auto

set erspan-ip <xxx.xxx.xxx.xxx> // IPv4 address where ERSPAN traffic is sent

config target-mac

edit <MM:MM:MM:SS:SS:SS> // mirror traffic sent to this MAC address

set description <string>

end

config target-ip

edit <xxx.xxx.xxx.xxx> // mirror traffic sent to this IPv4 address

set description <string>

end

config target-port

edit <FortiSwitch_serial_number>

set description <string>

set in-ports <portx porty portz ...> // mirror traffic sent to these ports

set out-ports <portx porty portz ...> // mirror traffic sent from these ports

end

end

For example:

config switch-controller traffic-sniffer

set mode erspan-auto

set erspan-ip 10.254.254.254

config target-mac

edit 00:00:00:aa:bb:cc

set description MACtarget1

end

config target-ip

edit 10.254.254.192

set description IPtarget1

end

config target-port

edit S524DF4K15000024

set description PortTargets1

set in-ports port5 port6 port7

set out-ports port10

end

end

To disable FortiSwitch port mirroring:

config switch-controller traffic-sniffer

set mode none

end

Configuring FortiSwitch split ports (phy-mode) in FortiLink mode

On some FortiSwitch models that provide QSFP (quad small form-factor pluggable) interfaces, you can install a breakout cable to convert one interface into four interfaces. See the list of supported FortiSwitch models in the notes in this section.

FortiLink mode supports the FortiSwitch split-port configuration:

Notes
  • Splitting ports is not supported when a FortiSwitch unit is managed through layer 3.
  • Split ports are not configured for pre-configured FortiSwitch units.
  • Splitting ports is supported on the following FortiSwitch models:
    • 3032D (ports 5 to 28 are splittable)
    • 3032E (Ports can be split into 4 x 25G when configured in 100G QSFP28 mode or can be split into 4 x 10G when configured in 40G QSFP mode. Use the set <port_name>-phy-mode disabled command to disable some 100G ports to allow up to sixty 25G, 10G, or 1G ports.)
    • 524D, 524D-FPOE (ports 29 and 30 are splittable)
    • 548D, 548D-FPOE (ports 53 and 54 are splittable)
    • 1048E (In the 4 x 100G configuration, ports 49, 50, 51, and 52 are splittable as 4 x 25G.)
    • 1048E (In the 6 x 40G configuration, ports 49, 50, 51, 52, 53, 54 are splittable as 4 x 10G.)

    Use the set port-configuration ? command to check which ports are supported for each model.

  • Currently, the maximum number of ports supported in software is 64 (including the management port). Therefore, only 10 QSFP ports can be split. This limitation applies to all of the models, but only the 3032D and the 1048E models have enough ports to encounter this limit.

Configuring split ports on a previously discovered FortiSwitch unit

  1. On the FortiSwitch unit, configure the split ports. See Configuring a split port on the FortiSwitch unit.
  2. Restart the FortiSwitch unit.
  3. Remove the FortiSwitch from being managed:

    config switch-controller managed-switch

    delete <FortiSwitch_serial_number>

    end

  4. Discover the FortiSwitch unit.
  5. Authorize the FortiSwitch unit.

Configuring split ports with a new FortiSwitch unit

  1. Discover the FortiSwitch unit.
  2. Authorize the FortiSwitch unit.
  3. Restart the FortiSwitch unit.
  4. On the FortiSwitch unit, configure the split ports. See Configuring a split port on the FortiSwitch unit.
  5. Restart the FortiSwitch unit.
  6. Remove the FortiSwitch from being managed:

    config switch-controller managed-switch

    delete <FortiSwitch_serial_number>

    end

  7. Discover the FortiSwitch unit.
  8. Authorize the FortiSwitch unit.

Configuring a split port on the FortiSwitch unit

Use the following commands to configure a split port:

config switch phy-mode

set port-configuration <default | disable-port54 | disable-port41-48 | 4x100G | 6x40G>

set <port_name>-phy-mode <1x40G | 4x10G>

...

(one entry for each port that supports split port)

end

The following settings are available:

  • disable-port54—For 548D and 548D-FPOE, only port 53 is splittable; port 54 is unavailable.
  • disable-port41-48—For 548D and 548D-FPOE, ports 41 to 48 are unavailable, but you can configure ports 53 and 54 in split-port mode.
  • 4x100G—For 1048E, enable the maximum speed (100G) of ports 49 through 52. Ports 53 and 54 are disabled.
  • 6x40G—For 1048E, enable the maximum speed (40G) of ports 49 through 54.

In the following example, a FortiSwitch 3032D is configured with ports 10, 14, and 28 set to 4x10G:

config switch phy-mode

set port5-phy-mode 1x40G

set port6-phy-mode 1x40G

set port7-phy-mode 1x40G

set port8-phy-mode 1x40G

set port9-phy-mode 1x40G

set port10-phy-mode 4x10G

set port11-phy-mode 1x40G

set port12-phy-mode 1x40G

set port13-phy-mode 1x40G

set port14-phy-mode 4x10G

set port15-phy-mode 1x40G

set port16-phy-mode 1x40G

set port17-phy-mode 1x40G

set port18-phy-mode 1x40G

set port19-phy-mode 1x40G

set port20-phy-mode 1x40G

set port21-phy-mode 1x40G

set port22-phy-mode 1x40G

set port23-phy-mode 1x40G

set port24-phy-mode 1x40G

set port25-phy-mode 1x40G

set port26-phy-mode 1x40G

set port27-phy-mode 1x40G

set port28-phy-mode 4x10G

end

The system applies the configuration only after you enter the end command, displaying the following message:

This change will cause a ports to be added and removed, this will cause loss of configuration on removed ports. The system will have to reboot to apply this change.

Do you want to continue? (y/n)y

To configure one of the split ports, use the notation ".x" to specify the split port:

config switch physical-port

edit "port1"

set lldp-profile "default-auto-isl"

set speed 40000full

next

edit "port2"

set lldp-profile "default-auto-isl"

set speed 40000full

next

edit "port3"

set lldp-profile "default-auto-isl"

set speed 40000full

next

edit "port4"

set lldp-profile "default-auto-isl"

set speed 40000full

next

edit "port5.1"

set speed 10000full

next

edit "port5.2"

set speed 10000full

next

edit "port5.3"

set speed 10000full

next

edit "port5.4"

set speed 10000full

next

end