Management ports
This chapter describes how to configure management ports on the FortiSwitch unit.
The following topics are covered:
- Models without a dedicated management port
- Models with a dedicated management port
- Remote access to the management port
- Example configurations
Models without a dedicated management port
For FortiSwitch models without a dedicated management port, configure the internal interface as the management port.
NOTE: For FortiSwitch models without a dedicated management port, the internal interface has a default VLAN ID of 1.
Using the GUI:
First, edit the configuration of the default internal interface.
- Go to System > Network > Interface > Physical and select Edit for the internal interface.
- In the IP/Netmask field, enter the IP address and netmask.
- Select the appropriate protocols to connect to the interface for administrative access.
- Optional. Select Add IP to add a secondary IP address for the internal interface.
- Select Update to save your changes.
Next, create a new interface to be used for management.
- Go to System > Network > Interface > VLAN and select Add VLAN to create a management VLAN.
- Give the interface an appropriate name.
- Confirm that Interface is set to internal.
- Set a VLAN ID.
- In the IP/Netmask field, enter the IP address and netmask.
- Select the appropriate protocols to connect to the interface for administrative access.
- Optional. Select Add IP to add a secondary IP address for this VLAN.
- Select Add.
Using the CLI:
config system interface
    edit internal
        set ip <IP_address_and_netmask>
        set allowaccess <access_types>
        set type physical
        set secondary-IP enable
        config secondaryip
            edit <id>
                set ip <IP_address_and_netmask>
                set allowaccess <access_types>
            next
        end
    next
    edit <vlan name>
        set ip <IP_address_and_netmask>
        set allowaccess <access_types>
        set interface internal
        set vlanid <VLAN id>
        set secondary-IP enable
        config secondaryip
            edit <id>
                set ip <IP_address_and_netmask>
                set allowaccess <access_types>
            next
        end
    next
end
Models with a dedicated management port
For FortiSwitch models with a dedicated management port, configure the IP address and allowed access types for the management port.
NOTE: For FortiSwitch models with a dedicated management port, the internal interface has a default VLAN identifier of 4094.
Using the GUI:
- Go to System > Network > Interface > Physical and select Edit for the mgmt interface.
- In the ID field, enter a unique identifier from 1 to 65525.
- In the IP/Netmask field, enter the IP address and netmask.
- Select the appropriate protocols to connect to the interface for administrative access.
- Optional. You can select Remove if you want to delete the default secondary IP address or select Add IP to add a secondary IP address for the management interface.
- Select Update to save your changes.
Using the CLI:
config system interface
    edit mgmt
        set ip <IP_address_and_netmask>
        set allowaccess <access_types>
        set type physical
        set secondary-IP enable
        config secondaryip
            edit <id>
                set ip <IP_address_and_netmask>
                set allowaccess <access_types>
            next
        end
    next
    edit internal
        set type physical
    next
end
Remote access to the management port
To provide remote access to the management port, configure a static route. Set the gateway address to the IP address of the router.
Using the GUI:
- Go to Router > Config > Static and select Add Route.
- Enter an identifier. This is a unique number to identify the static route.
- Select the Status checkbox if it is not selected.
- Set the device to mgmt.
- Set the gateway to the gateway router IP address.
- Select Add.
Using the CLI:
config router static
    edit 1
        set device mgmt
        set gateway <router IP address>
        set status enable
    next
end
Example configurations
In this example, the internal interface is used as an inbound management interface. Also, the FortiSwitch unit has a default VLAN across all physical ports and its internal port.
Using the internal interface of a FortiSwitch-524D-FPOE
Syntax
config system interface
    edit internal
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https http ssh
        set type physical
    next
end
In this example, an out-of-band management interface is used as the dedicated management port. You can configure the management port for local or remote access.
Out-of-band management on a FortiSwitch-1024D
Option 1: management port with static IP
config system interface
    edit mgmt
        set mode static
        set ip 10.105.142.19 255.255.255.0
        set allowaccess ping https http ssh snmp telnet
        set type physical
    next
    edit internal
        set type physical
    next
end
Optional configuration to allow remote access to the management port:
config router static
    edit 1
        set device mgmt
        set gateway 192.168.0.10
        set status enable
    next
end
Option 2: management port with IP assigned by DHCP
The set defaultgw enable line allows remote access.
config system interface
    edit mgmt
        set mode dhcp
        set defaultgw enable
        set allowaccess ping https http ssh snmp telnet
        set type physical
    next
    edit internal
        set type physical
    next
end
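The example configurations above include http and telnet in allowaccess, and both of those access types carry administrator credentials unencrypted. As an added example (not part of the Fortinet documentation), the following Python check walks a saved configuration and reports every interface or secondary IP under config system interface that allows them. The function name, the CLEARTEXT set and the sample text (constructed from this page's examples, with an invented secondary IP) are assumptions of the example.

```python
CLEARTEXT = {"http", "telnet"}  # access types that send credentials unencrypted

# Constructed sample, modeled on this page's FortiSwitch-1024D and 524D examples.
SAMPLE = """\
config system interface
    edit mgmt
        set ip 10.105.142.19 255.255.255.0
        set allowaccess ping https http ssh snmp telnet
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 10.105.143.19 255.255.255.0
                set allowaccess ping ssh telnet
            next
        end
    next
    edit internal
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https http ssh
    end
end
"""

def audit_allowaccess(config_text):
    """Map each interface path to the cleartext access types it allows."""
    stack, findings = [], {}  # stack holds open ("config"|"edit", name) levels
    for raw in config_text.splitlines():
        words = raw.split("//", 1)[0].split()  # ignore trailing // notes, if any
        if not words:
            continue
        verb, args = words[0], words[1:]
        if verb in ("config", "edit"):
            stack.append((verb, " ".join(args)))
        elif verb == "next" and stack and stack[-1][0] == "edit":
            stack.pop()
        elif verb == "end":
            # "end" saves an open entry, then closes the enclosing table
            if stack and stack[-1][0] == "edit":
                stack.pop()
            if stack and stack[-1][0] == "config":
                stack.pop()
        elif verb == "set" and args[:1] == ["allowaccess"]:
            in_interfaces = stack[:1] == [("config", "system interface")]
            weak = sorted(CLEARTEXT.intersection(args[1:]))
            if in_interfaces and weak:
                findings["/".join(name for _, name in stack[1:])] = weak
    return findings

if __name__ == "__main__":
    for path, protocols in audit_allowaccess(SAMPLE).items():
        print(f"{path}: cleartext admin access via {', '.join(protocols)}")
```

An empty result means no entry under config system interface lists http or telnet; a stray trailing end, as in the sample, is tolerated.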