Layer-3 interfaces
Fortinet data center switches support loopback interfaces and switch virtual interfaces (SVIs), both of which are described in this chapter.
This chapter covers the following topics:
- Loopback interfaces
- Switch virtual interfaces
- Layer-3 routing in hardware
- Equal cost multi-path (ECMP) routing
- Bidirectional forwarding detection
- Unicast reverse-path forwarding (uRPF)
- IP-MAC binding
- Virtual routing and forwarding
Loopback interfaces
A loopback interface is a special virtual interface created in software that is not associated with any hardware interface.
Dynamic routing protocols typically use a loopback interface as a reliable IP interface for routing updates. You can assign the loopback IP address to the router rather than the IP address of a specific hardware interface. Services (such as Telnet) can access the router using the loopback IP address, which remains available regardless of the status of the hardware interfaces.
No limit exists on the number of loopback interfaces you can create.
A loopback interface does not have an internal VLAN ID or a MAC address and always uses a /32 network mask.
Configuring loopback interfaces
Using the GUI:
- Go to System > Network > Interface > Loopback.
- Select Add Interface.
- Enter a name for the loopback interface.
- Select Static for the mode and then enter the IP address and netmask in the IP/Netmask field.
- Select the protocols allowed to access the loopback interface.
- Select the administration status.
- Select Add.
Using the CLI:
config system interface
edit "loopback"
set ip 172.168.20.1 255.255.255.255
set allowaccess ping https http ssh telnet
set type loopback
set snmp-index 28
next
end
Switch virtual interfaces
A switch virtual interface (or SVI) is a logical interface that is associated with a VLAN and supports routing and switching protocols.
You can assign an IP address to the SVI to enable routing between VLANs. For example, SVIs can route between two different VLANs connected to a switch (no need to connect through a layer-3 router).
Configuring a switch virtual interface
Using the GUI:
- Go to System > Network > Interface > VLAN.
- Select Add VLAN.
- Enter a name for the interface.
- Select internal from the Interface drop-down list.
- Enter a VLAN identifier in the VLAN ID field.
- Select Static for the mode and enter an IP address and netmask in the IP/Netmask field.
- Select the administration status.
- Select PING, SSH, and TELNET for the Access options.
- Select Add.
Using the CLI:
Create a system interface. Give it an IP subnet and an associated VLAN:
config system interface
edit <system interface name>
set ip <IP address and mask>
set vlanid <vlan>
set allowaccess ping ssh telnet
next
end
Example SVI configuration
The following is an example CLI configuration for SVI static routing.
In this configuration, Server-1 is connected to switch Port1, and Server-2 is connected to switch Port2. Port1 is a member of VLAN 4000, and Port2 is a member of VLAN 2. Port1 is the gateway for Server-1, and port2 is the gateway for Server-2.
NOTE: For simplicity, assume that both port1 and port2 are on the same switch.
- Configure the native VLANs for Port 1 and Port 2:
config switch interface
edit port1
set native-vlan 4000
next
edit port2
set native-vlan 2
next
end
- Create L3 system interfaces that correspond to Port 1 (VLAN 4000) and Port 2 (VLAN 2):
config system interface
edit vlan4000
set ip 192.168.11.1/24
set vlanid 4000
set allowaccess ping ssh telnet
next
edit vlan2
set ip 192.168.10.1/24
set vlanid 2
set allowaccess ping ssh telnet
end
Viewing the SVI configuration
Display the status of the SVI configuration using the following command:
show system interface [ <system interface name> ]
Layer-3 routing in hardware
In FortiSwitchOS 3.3.0 and later, some FortiSwitch models support hardware-based layer-3 forwarding.
For FortiSwitch models that support Equal Cost Multi-Path (ECMP) (see Feature matrix: FortiSwitchOS 6.4.5), forwarding for all ECMP routes is performed in hardware.
For switch models that support hardware-based layer-3 forwarding but do not support ECMP, only one route to each destination will be hardware-forwarded. If you configure multiple routes to the same destination, you can configure a priority value for each route. Only the route with highest priority will be forwarded by the hardware. If no priority values are assigned to the routes, the most recently configured route is forwarded by the hardware.
Router activity
Logging allows you to review all router activity.
NOTE: Router logs are available only on supported platforms if you have the advanced features license.
To enable router logging:
- Go to Log > Config.
- Under Event Logging, select Enable and Router.
- Select Apply.
To view router logs:
- Go to Log > Event Log > Router.
- Select Download Router Log to review the entries offline.
Equal cost multi-path (ECMP) routing
ECMP is a forwarding mechanism that enables load-sharing of traffic across multiple paths of equal cost. An ECMP set is formed when the routing table contains multiple next-hop addresses for the same destination with equal cost. Routes of equal cost have the same preference and metric value. If there is an ECMP set for an active route, the switch uses a hash algorithm to choose one of the next-hop addresses. As input to the hash, the switch uses one or more of the following fields in the packet to be routed:
- Source IP
- Destination IP
- Input port
Configuring ECMP
The switch automatically uses ECMP to choose between equal-cost routes.
This configuration value is system-wide. The source IP address is the default value.
Notes and Restrictions
When you configure a static route with a gateway, the gateway must be in the same IP subnet as the device. Also, the destination subnet cannot match any of the device IP subnets on the switch.
When you configure a static route without a gateway, the destination subnet must be in the same IP subnet as the device.
Using the CLI:
config system settings
set ip-ecmp-mode [ source-ip-based ] [ dst-ip-based ] [ port-based ]
end
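The ECMP selection described above, as an added Python model that is not part of the FortiSwitch documentation or product: equal-cost longest-prefix matches form the ECMP set, and a hash over the fields chosen by ip-ecmp-mode picks one member, so every packet of a flow takes the same next hop. The route table, packet fields and the use of SHA-256 as the hash are constructed assumptions for the example; the switch's real hash function is not published on this page.

```python
"""Added example (not FortiSwitch code): resolving an ECMP set.

Several equal-cost routes to one destination form an ECMP set; a hash over
the system-wide selected packet fields (source IP, destination IP, input
port) picks one next hop. Routes, packets and the SHA-256 hash are
constructed for illustration only.
"""
import hashlib
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    dst: ipaddress.IPv4Network
    gateway: str
    device: str
    preference: int = 10  # equal for all ECMP members
    metric: int = 0       # equal for all ECMP members


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    in_port: str


# Constructed table: two equal-cost routes to 8.8.8.0/24 plus a default route,
# mirroring the static-route example on this page.
ROUTES = [
    Route(ipaddress.ip_network("8.8.8.0/24"), "172.16.11.2", "i-red"),
    Route(ipaddress.ip_network("8.8.8.0/24"), "172.168.13.2", "i-green"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "10.105.0.1", "mgmt"),
]


def ecmp_set(routes, dst_ip):
    """Return the longest-prefix-matching routes that share the best cost."""
    addr = ipaddress.ip_address(dst_ip)
    matching = [r for r in routes if addr in r.dst]
    if not matching:
        return []
    best_len = max(r.dst.prefixlen for r in matching)
    candidates = [r for r in matching if r.dst.prefixlen == best_len]
    best_cost = min((r.preference, r.metric) for r in candidates)
    return [r for r in candidates if (r.preference, r.metric) == best_cost]


def hash_key(pkt, modes):
    """Build the hash input from the fields selected by ip-ecmp-mode."""
    parts = []
    if "source-ip-based" in modes:
        parts.append(pkt.src_ip)
    if "dst-ip-based" in modes:
        parts.append(pkt.dst_ip)
    if "port-based" in modes:
        parts.append(pkt.in_port)
    return "|".join(parts).encode()


def select_next_hop(routes, pkt, modes=("source-ip-based",)):
    """Pick one ECMP member deterministically per flow (default mode: source IP)."""
    members = ecmp_set(routes, pkt.dst_ip)
    if not members:
        return None
    if len(members) == 1:
        return members[0]
    digest = hashlib.sha256(hash_key(pkt, modes)).digest()
    index = int.from_bytes(digest[:4], "big") % len(members)
    return members[index]


if __name__ == "__main__":
    for pkt in (Packet("10.0.0.5", "8.8.8.8", "port1"),
                Packet("10.0.0.5", "8.8.8.9", "port2"),
                Packet("10.0.0.6", "8.8.8.8", "port1")):
        route = select_next_hop(ROUTES, pkt)
        print(pkt.src_ip, "->", pkt.dst_ip, "via", route.gateway, route.device)
```

With the default source-ip-based mode, changing only the destination or input port of a packet does not change the chosen next hop; adding dst-ip-based or port-based to the mode spreads flows from one source across both members.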
Example ECMP configuration
The following is an example CLI configuration for ECMP forwarding.
In this configuration, ports 2 and 6 are routed ports. Interfaces I-RED and I-GREEN are routed VLAN interfaces. The remaining ports in the switch are normal layer-2 ports.
- Configure native VLANs for ports 2, 6, and 9. Also configure the “internal” interface to allow native VLANs for ports 2, 6, and 9:
config switch interface
edit port2
set native-vlan 10
next
edit port6
set native-vlan 20
next
edit port9
set native-vlan 30
next
edit internal
set allowed-vlans 10,20,30
next
end
- Configure the system interfaces:
config system interface
edit "internal"
set type physical
next
edit "i-blue"
set ip 1.1.1.1 255.255.255.0
set allowaccess ping https http ssh snmp telnet
set vlanid 10
set interface internal
next
edit "i-red"
set ip 172.16.11.1 255.255.255.0
set allowaccess ping ssh telnet
set vlanid 20
set interface internal
next
edit "i-green"
set ip 172.168.13.1 255.255.255.0
set allowaccess ping https http ssh snmp telnet
set vlanid 30
set interface internal
next
end
- Configure static routes. This code configures multiple next-hop gateways for the same network:
config router static
edit 1
set device "mgmt"
set gateway 10.105.0.1
set status enable
next
edit 2
set device "i-red"
set dst 8.8.8.0/24
set gateway 172.16.11.2
set status enable
next
edit 3
set device "i-green"
set dst 8.8.8.0/24
set gateway 172.168.13.2
set status enable
next
end
Viewing ECMP configuration
Display the status of the ECMP configuration using the following command:
show system interface [ <system interface name> ]
Bidirectional forwarding detection
FortiSwitchOS v3.4.2 and later supports static bidirectional forwarding detection (BFD), a point-to-point protocol to detect faults in the datapath between the endpoints of an IETF-defined tunnel (such as IP, IP-in-IP, GRE, and MPLS LSP/PW).
BFD defines demand mode and asynchronous mode operation. The FortiSwitch unit supports asynchronous mode. In this mode, the systems periodically send BFD control packets to one another, and if a number of those packets in a row are not received by the other system, the session is declared to be down.
BFD packets are transported using UDP/IP encapsulation and BFD control packets are identified using well-known UDP destination port 3784 (NOTE: BFD echo packets are identified using 3785).
BFD packets are not visible to the intermediate nodes and are generated and processed by the tunnel end systems only.
Configuring BFD
Use the following steps to configure BFD:
- Configure the following values in the system interface:
- Enable BFD: Set to enable or set to global to inherit the global configuration value.
- Desired min TX interval: This is the minimum interval that the local system would like to use between transmission of BFD control packets. Value range is 200 ms – 30,000 ms. Default value is 250.
- Required min RX interval: This is the minimum interval that the local system can support between receipt of BFD control packets. If you set this value to zero, the remote system will not transmit BFD control packets. The value range is 200 ms – 30000 ms. The default value is 250.
- Detect multi: This is the detection time multiplier. The negotiated transmit interval multiplied by this value is the Detection Time for the receiving system. The value range is 1 – 20. The default is 3.
- Enable BFD in the static router configuration.
Using the CLI:
config system interface
edit <system interface name>
set bfd {enable | disable | global}
set bfd-desired-min-tx <number of ms>
set bfd-required-min-rx <number of ms>
set bfd-detect-multi [1…20]
next
end
config router static
edit 1
set bfd enable
set status enable
next
end
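The asynchronous-mode timer behaviour described above, as an added Python model that is not FortiSwitch code: each side's desired-min-tx, required-min-rx and detect-multi settings are combined into the interval a peer actually transmits at and the detection time the receiver applies, and a constructed sequence of packet arrival times is checked against that detection time. Endpoint names and timestamps are constructed for the example; the defaults are the 250 ms and multiplier 3 stated on this page.

```python
"""Added example (not FortiSwitch code): BFD asynchronous-mode timers.

A system transmits at the larger of its own desired-min-tx and the peer's
required-min-rx. The peer declares the session down after the sender's
detect-multi consecutive transmit intervals pass with no control packet.
Endpoints and packet arrival times are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class BfdEndpoint:
    name: str
    desired_min_tx: int = 250   # ms, page default
    required_min_rx: int = 250  # ms, page default (0 = do not send to me)
    detect_multi: int = 3       # page default


def negotiated_tx_interval(sender, receiver):
    """Interval (ms) at which `sender` transmits control packets to `receiver`.

    Returns None when the receiver advertises required-min-rx 0, which asks
    the sender not to transmit at all.
    """
    if receiver.required_min_rx == 0:
        return None
    return max(sender.desired_min_tx, receiver.required_min_rx)


def detection_time(sender, receiver):
    """Time (ms) `receiver` waits without packets from `sender` before declaring down."""
    interval = negotiated_tx_interval(sender, receiver)
    if interval is None:
        return None
    return interval * sender.detect_multi


def evaluate_session(arrivals_ms, now_ms, det_time_ms):
    """Walk control-packet arrival times on the receiver.

    `arrivals_ms` starts with the packet that brought the session up. The
    session is DOWN as soon as a gap between consecutive packets, or between
    the last packet and `now_ms`, exceeds the detection time; the returned
    timestamp is when the detection timer expired.
    """
    prev = None
    for t in list(arrivals_ms) + [now_ms]:
        if prev is not None and t - prev > det_time_ms:
            return ("DOWN", prev + det_time_ms)
        prev = t
    return ("UP", None)


if __name__ == "__main__":
    local = BfdEndpoint("vlan2000-side")
    peer = BfdEndpoint("peer", desired_min_tx=500)
    det = detection_time(peer, local)
    print("peer transmits every", negotiated_tx_interval(peer, local), "ms")
    print("local detection time", det, "ms")
    print(evaluate_session([0, 500, 1000, 1500], 2000, det))
    print(evaluate_session([0, 500], 2500, det))
```

Raising detect-multi or the intervals makes the session tolerate longer outages at the price of slower failover; lowering them below what a link can sustain produces false "DOWN" transitions.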
Viewing BFD configuration
Using the GUI:
Go to Router > Monitor > BFD Neighbor.
Using the CLI:
To display the status of BFD sessions:
get router info bfd neighbor [ <IP address of neighbor>]
OurAddr NeighAddr LD/RD State Int
192.168.15.2 192.168.15.1 1/4 UP vlan2000
192.168.16.2 192.168.16.1 2/2 UP vlan2001
To filter the command output:
get router info bfd neighbor [<BFD_local_IPv4_address>] [<BFD_peer_interface>]
Unicast reverse-path forwarding (uRPF)
RPF, also called anti-spoofing, prevents an IP packet from being forwarded if its source IP address does not belong to a locally attached subnet (local interface) or is not part of the routing between the FortiSwitch unit and another source (such as a static route, RIP, OSPF, or BGP).
In unicast RPF, the router not only looks up the destination information but it also looks up the source information to ensure that it exists. If no source is found, that packet is dropped because the router assumes it is an error or an attack on the network.
There are two uRPF modes:
- Strict—The packet must be received on the same interface that the router uses to forward the return packet. In this mode, asymmetric routing paths in the network might cause legitimate traffic to be dropped.
- Loose—The routing table must include the source IP address of the packet. If you disable the src-check-allow-default option, the packet is dropped if the source IP address is not found in the routing table. If you enable the src-check-allow-default option, the packet is allowed even if the source IP address is not found in the routing table, as long as a default route is present in the routing table.
Configuring uRPF
By default, uRPF is disabled. You must enable it on each interface that you want protected.
config system interface
edit <interface_name>
set src-check {disable | loose | strict}
set src-check-allow-default {enable | disable} // This option is available only when src-check is set to loose.
end
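The two uRPF modes and the src-check-allow-default option, as an added Python model that is not FortiSwitch code, run over a constructed routing table: a longest-prefix lookup on the source address decides whether the source is known, loose mode only needs a matching route (a default route counts only when allow-default is enabled), and strict mode additionally requires that route's interface to be the one the packet arrived on. The prefixes, interface names and the rule that a default route never validates a source in strict mode are assumptions of this model.

```python
"""Added example (not FortiSwitch code): the uRPF source check.

`src_check` takes the CLI values disable / loose / strict and
`allow_default` models src-check-allow-default, which the page says is
only meaningful in loose mode. The routing table is constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str  # interface the router would use to reach this prefix


# Constructed table: two connected SVI subnets, one static route, one default.
ROUTES = [
    Route(ipaddress.ip_network("192.168.10.0/24"), "vlan2"),
    Route(ipaddress.ip_network("192.168.11.0/24"), "vlan4000"),
    Route(ipaddress.ip_network("10.20.0.0/16"), "vlan2"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "vlan4000"),
]


def lookup(routes, ip):
    """Longest-prefix match; returns the Route or None if nothing matches."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in routes if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def urpf_accepts(routes, src_ip, in_iface, src_check="disable", allow_default=False):
    """Decide whether a packet from src_ip arriving on in_iface passes uRPF."""
    if src_check == "disable":
        return True
    route = lookup(routes, src_ip)
    if route is None:
        return False  # unknown source: treated as an error or spoofed packet
    is_default = route.prefix.prefixlen == 0
    if src_check == "loose":
        # Source must be in the table; a default route only counts when
        # src-check-allow-default is enabled.
        return not is_default or allow_default
    if src_check == "strict":
        # Return path must leave on the input interface. Assumption of this
        # model: a default route never validates a source in strict mode.
        return (not is_default) and route.interface == in_iface
    raise ValueError(f"unknown src-check mode {src_check!r}")


if __name__ == "__main__":
    cases = [
        ("192.168.10.5", "vlan2", "strict", False),    # symmetric path
        ("192.168.10.5", "vlan4000", "strict", False), # asymmetric path
        ("203.0.113.7", "vlan2", "loose", False),      # only default matches
        ("203.0.113.7", "vlan2", "loose", True),
    ]
    for src, iface, mode, allow in cases:
        verdict = "accept" if urpf_accepts(ROUTES, src, iface, mode, allow) else "drop"
        print(f"{src:<14} on {iface:<9} {mode:<6} allow-default={allow!s:<5} -> {verdict}")
```

The asymmetric-routing case is the one to check before turning on strict mode: a legitimate host whose return path uses a different SVI is dropped, which loose mode avoids at the cost of only verifying that the source prefix is routed somewhere.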
IP-MAC binding
Use IP-MAC binding to prevent ARP spoofing.
The port accepts a packet only if the source IP address and source MAC address in the packet match an entry in the IP-MAC binding table.
You can enable/disable IP-MAC binding for the whole switch, and you can override this global setting for each port.
Configuring IP-MAC binding
Use the following steps to configure IP-MAC binding:
- Enable the IP-MAC binding global setting.
- Create the IP-MAC bindings. You can activate each binding individually.
- Set each port to follow the global setting. You can also override the global setting for individual ports by enabling or disabling IP-MAC binding for the port.
Using the GUI:
Create the IP-MAC binding:
- Go to Switch > IP MAC Binding.
- Select Add IP MAC Binding to create a new binding.
- Select Status.
- Enter the IP address and netmask.
- Enter the MAC address.
- Select Add.
Using the CLI:
config switch global
set ip-mac-binding [enable| disable]
end
config switch ip-mac-binding
edit 1
set ip <IP address and network mask>
set mac <MAC address>
set status (enable| disable)
next
end
config switch interface
edit <port>
set ip-mac-binding (enable| disable | global)
next
edit <trunk name>
set ip-mac-binding (enable| disable | global)
next
end
Notes
- For a switch port, the default IP-MAC binding value is disabled.
- When you configure a trunk, the trunk follows the global value by default. You can also explicitly enable or disable IP-MAC binding for a trunk, as shown in the CLI configuration.
- When you add member ports to the trunk, all ports take on the trunk setting. If you later remove a port from the trunk group, the port is reset to the default value (disabled).
- No duplicate entries are allowed in the mapping table.
- Rules are disabled by default. You need to explicitly enable each rule.
- The mapping table holds up to 1024 rules.
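The IP-MAC binding decision and the notes above, as an added Python model that is not FortiSwitch code: a global on/off setting, per-port and per-trunk modes of enable / disable / global (switch ports default to disabled, trunks to global), rules that stay inactive until their status is enabled, rejection of duplicate entries, and the 1024-rule limit. Entry numbers, port names, addresses and the interpretation of "duplicate" as the same IP/mask and MAC pair are constructed assumptions.

```python
"""Added example (not FortiSwitch code): IP-MAC binding as an ARP-spoofing control.

A packet is forwarded on a port where binding is enforced only if its
source IP and source MAC match an enabled entry. Entries, port names and
packets are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

MAX_RULES = 1024  # table limit stated on the page


@dataclass
class Binding:
    ip: ipaddress.IPv4Network  # "set ip <IP address and network mask>"
    mac: str                   # normalised to lower case
    status: str = "disable"    # rules are disabled by default


class IpMacBindingTable:
    def __init__(self, global_enabled=False):
        self.global_enabled = global_enabled  # config switch global
        self.rules = {}       # entry number -> Binding
        self.port_mode = {}   # port or trunk name -> enable | disable | global

    def add_rule(self, entry, ip_with_mask, mac, status="disable"):
        net = ipaddress.ip_network(ip_with_mask, strict=False)
        mac = mac.lower()
        # Assumption of this model: a duplicate is the same IP/mask and MAC pair.
        if any(b.ip == net and b.mac == mac for b in self.rules.values()):
            raise ValueError("duplicate IP-MAC binding entry")
        if entry not in self.rules and len(self.rules) >= MAX_RULES:
            raise ValueError("mapping table holds at most 1024 rules")
        self.rules[entry] = Binding(net, mac, status)

    def register_port(self, name):
        self.port_mode[name] = "disable"  # switch-port default is disabled

    def register_trunk(self, name):
        self.port_mode[name] = "global"   # a trunk follows the global value

    def set_mode(self, name, mode):
        if mode not in ("enable", "disable", "global"):
            raise ValueError(f"unknown ip-mac-binding mode {mode!r}")
        self.port_mode[name] = mode

    def leave_trunk(self, port):
        # A port removed from a trunk group is reset to the default (disabled).
        self.port_mode[port] = "disable"

    def enforced_on(self, name):
        mode = self.port_mode.get(name, "disable")
        return self.global_enabled if mode == "global" else mode == "enable"

    def accepts(self, name, src_ip, src_mac):
        """True if the packet is forwarded, False if IP-MAC binding drops it."""
        if not self.enforced_on(name):
            return True
        addr = ipaddress.ip_address(src_ip)
        mac = src_mac.lower()
        return any(b.status == "enable" and addr in b.ip and b.mac == mac
                   for b in self.rules.values())


if __name__ == "__main__":
    table = IpMacBindingTable(global_enabled=True)
    table.add_rule(1, "192.168.10.5/32", "00:11:22:33:44:55", status="enable")
    table.register_port("port1")
    table.set_mode("port1", "enable")
    print(table.accepts("port1", "192.168.10.5", "00:11:22:33:44:55"))  # legitimate host
    print(table.accepts("port1", "192.168.10.5", "00:11:22:33:44:77"))  # MAC does not match
```

The common operational mistake this model makes visible is creating entries and leaving their status disabled, or enabling the global setting while every switch port still sits at its per-port default of disabled: in both cases nothing is enforced.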
Viewing IP-MAC binding configuration
Display the status of IP-MAC binding using the following command:
show switch ip-mac-binding <entry number>
Virtual routing and forwarding
You can use the virtual routing and forwarding (VRF) feature to create multiple routing tables within the same router.
Use the following steps to configure VRF:
- Create a VRF instance.
- Assign the VRF instance to a switch virtual interface (SVI).
- Assign the VRF instance to an IPv4 or IPv6 static route.
- Check the VRF configuration.
1. Create a VRF instance
You create a VRF instance by assigning a name and an identifier.
- The VRF name cannot match any SVI name.
- The VRF identifier is a number in the range of 1-1023, except for 252, 253, 254, and 255. You cannot assign the same VRF identifier to more than one VRF instance. After the VRF instance is created, the VRF identifier cannot be changed.
config router vrf
edit <string>
set vrfid <VRF_ID>
end
For example:
config router vrf
edit vrfv4
set vrfid 1
next
edit vrfv6
set vrfid 2
next
end
2. Assign the VRF instance to an SVI
You assign the VRF instance to an SVI when you create the SVI. After the SVI is created, the VRF instance cannot be changed or unset.
You can assign the same VRF instance to more than one SVI. The VRF instance cannot be assigned to an internal SVI.
config system interface
edit <interface_name>
set vrf <string>
end
For example:
config system interface
edit v40
set vlanid 40
set vrf vrfv4
next
edit v50
set vlanid 50
set vrf vrfv4
next
end
3. Assign the VRF instance to a static route
You assign the VRF instance to an IPv4 or IPv6 static route when you create the static route. After the static route is created, the VRF instance cannot be changed or unset.
You can assign the same VRF instance to more than one static route.
config router static
edit <seq-num>
set vrf <string>
end
config router static6
edit <seq-num>
set vrf <string>
end
For example:
config router static
edit 1
set device mgmt
set gateway 192.168.0.10
set status enable
set vrf vrfv4
end
config router static6
edit 2
set dst 5555::/64
set gateway 4000::2
set status enable
set vrf vrfv6
end
4. Check the VRF configuration
Use the following commands to check the VRF configuration:
- get router info routing-table all
- get router info6 routing-table