Layer-3 interfaces

Fortinet data center switches support loopback interfaces and switch virtual interfaces (SVIs), both of which are described in this chapter.

This chapter covers the following topics:

  • Loopback interfaces
  • Switch virtual interfaces
  • Layer-3 routing in hardware
  • Router activity
  • Equal cost multi-path (ECMP) routing
  • Bidirectional forwarding detection
  • Unicast reverse-path forwarding (uRPF)
  • IP-MAC binding
  • Virtual routing and forwarding

Loopback interfaces

A loopback interface is a special virtual interface created in software that is not associated with any hardware interface.

Dynamic routing protocols typically use a loopback interface as a stable identity and source address for routing updates: you identify the router by its loopback address rather than by the address of a specific hardware interface. Management services (such as SSH or Telnet) can also reach the switch through the loopback address, which remains up regardless of the status of any individual hardware interface.

No limit exists on the number of loopback interfaces you can create.

A loopback interface has no internal VLAN ID and no MAC address, and it always uses a /32 network mask.

Configuring loopback interfaces

Using the GUI:
  1. Go to System > Network > Interface > Loopback.
  2. Select Add Interface.
  3. Enter a name for the loopback interface.
  4. Select Static for the mode and then enter the IP address and netmask in the IP/Netmask field.
  5. Select the protocols allowed to access the loopback interface.
  6. Select the administration status.
  7. Select Add.
Using the CLI:

    config system interface
        edit "loopback"
            set ip 172.168.20.1 255.255.255.255
            set allowaccess ping https http ssh telnet
            set type loopback
            set snmp-index 28
        next
    end

The allowaccess list is the only control over which management protocols answer on this address. Because http and telnet carry credentials in cleartext, limit the list to the protocols you actually need (typically ping, https, and ssh); the same applies to the SVI configurations that follow.

Switch virtual interfaces

A switch virtual interface (SVI) is a logical interface that is associated with a VLAN and supports routing and switching protocols.

You can assign an IP address to the SVI to enable routing between VLANs. For example, SVIs can route between two different VLANs connected to a switch (no need to connect through a layer-3 router).

Configuring a switch virtual interface

Using the GUI:
  1. Go to System > Network > Interface > VLAN.
  2. Select Add VLAN.
  3. Enter a name for the interface.
  4. Select internal from the Interface drop-down list.
  5. Enter a VLAN identifier in the VLAN ID field.
  6. Select Static for the mode and enter an IP address and netmask in the IP/Netmask field.
  7. Select the administration status.
  8. Select PING, SSH, and TELNET for the Access options.
  9. Select Add.
Using the CLI:

Create a system interface. Give it an IP subnet and an associated VLAN:

    config system interface
        edit <system interface name>
            set ip <IP address and mask>
            set vlanid <vlan>
            set allowaccess ping ssh telnet
        next
    end

Example SVI configuration

The following is an example CLI configuration for SVI static routing.

In this configuration, Server-1 is connected to switch port1 and Server-2 to switch port2. Port1 is an untagged (native) member of VLAN 4000 and port2 of VLAN 2. The SVI for VLAN 4000 (192.168.11.1) is the default gateway for Server-1, and the SVI for VLAN 2 (192.168.10.1) is the default gateway for Server-2.

NOTE: For simplicity, assume that port1 and port2 are on the same switch.

  1. Configure the native VLANs for port1 and port2:

    config switch interface
        edit port1
            set native-vlan 4000
        next
        edit port2
            set native-vlan 2
        next
    end

  2. Create L3 system interfaces that correspond to Port 1 (VLAN 4000) and Port 2 (VLAN 2):

    config system interface

    edit vlan4000

    set ip 192.168.11.1/24

    set vlanid 4000

    set allowaccess ping ssh telnet

    next

    edit vlan2

    set ip 192.168.10.1/24

    set vlanid 2

    set allowaccess ping ssh telnet

    end
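The configuration grammar used in the loopback and SVI examples above (config / edit / set / next / end) is regular enough to parse, which makes it possible to audit an exported switch configuration offline. The following is an added example in Python, not FortiSwitch code: it parses the two examples from this page and flags two things a reviewer would look for, loopbacks whose mask is not /32 (the rule stated above) and management protocols in allowaccess that carry credentials in cleartext (telnet and http; that audit rule is this example's own). The parser, the audit helper, and the sample text are assumptions of the example, not part of the product.

```python
import ipaddress
import shlex

# Protocols the page's 'set allowaccess' examples include that carry management
# credentials in cleartext. Flagging them is this example's own audit rule.
CLEARTEXT_MGMT = {"telnet", "http"}

# Copied from the loopback and SVI examples on this page.
SAMPLE_CONFIG = """
config system interface
    edit "loopback"
        set ip 172.168.20.1 255.255.255.255
        set allowaccess ping https http ssh telnet
        set type loopback
        set snmp-index 28
    next
    edit vlan4000
        set ip 192.168.11.1/24
        set vlanid 4000
        set allowaccess ping ssh telnet
    next
    edit vlan2
        set ip 192.168.10.1/24
        set vlanid 2
        set allowaccess ping ssh telnet
    next
end
"""


def parse_interfaces(text):
    """Return {name: {attribute: [values]}} for each 'edit' entry.

    Handles the config/edit/set/next/end nesting shown on this page; the
    'config' line itself carries no data and is skipped.
    """
    interfaces, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)  # strips the quotes in:  edit "loopback"
        if tokens[0] == "edit":
            current = interfaces.setdefault(tokens[1], {})
        elif tokens[0] == "set" and current is not None:
            current[tokens[1]] = tokens[2:]
        elif tokens[0] in ("next", "end"):
            current = None
    return interfaces


def interface_network(attrs):
    """Normalise both 'set ip' spellings on the page (a.b.c.d/n and a.b.c.d mask) to an ip_interface."""
    ip = attrs.get("ip")
    if not ip:
        return None
    return ipaddress.ip_interface(ip[0] if len(ip) == 1 else f"{ip[0]}/{ip[1]}")


def audit(interfaces):
    """Return [(interface, finding)]; an empty list means nothing was flagged."""
    findings = []
    for name, attrs in interfaces.items():
        net = interface_network(attrs)
        if attrs.get("type", [""])[0] == "loopback":
            # The page states that a loopback always uses a /32 mask.
            if net is None or net.network.prefixlen != 32:
                findings.append((name, "loopback interface must use a /32 mask"))
        cleartext = CLEARTEXT_MGMT & set(attrs.get("allowaccess", []))
        if cleartext:
            findings.append((name, "cleartext management access enabled: "
                             + ", ".join(sorted(cleartext))))
    return findings


if __name__ == "__main__":
    for iface, finding in audit(parse_interfaces(SAMPLE_CONFIG)):
        print(f"{iface}: {finding}")
```

Run against the page's own examples, the audit reports http and telnet on the loopback and telnet on both SVIs; feeding it the output of a full interface dump lets the same check run over every routed interface at once.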

Viewing the SVI configuration

Display the SVI configuration using the following command:

show system interface [ <system interface name> ]

Layer-3 routing in hardware

In FortiSwitchOS 3.3.0 and later, some FortiSwitch models support hardware-based layer-3 forwarding.

For FortiSwitch models that support Equal Cost Multi-Path (ECMP) (see Feature matrix: FortiSwitchOS 6.4.6), forwarding for all ECMP routes is performed in hardware.

For switch models that support hardware-based layer-3 forwarding but do not support ECMP, only one route to each destination is hardware-forwarded. If you configure multiple routes to the same destination, you can configure a priority value for each route; only the route with the highest priority is forwarded by the hardware. If no priority values are assigned to the routes, the most recently configured route is forwarded by the hardware.

Router activity

Logging allows you to review all router activity.

NOTE: Router logs are available only on supported platforms if you have the advanced features license.

To enable router logging:
  1. Go to Log > Config.
  2. Under Event Logging, select Enable and Router.
  3. Select Apply.
To view router logs:
  1. Go to Log > Event Log > Router.
  2. Select Download Router Log to review the entries offline.

Equal cost multi-path (ECMP) routing

ECMP is a forwarding mechanism that enables load-sharing of traffic across multiple paths of equal cost. An ECMP set is formed when the routing table contains multiple next-hop addresses for the same destination with equal cost. Routes of equal cost have the same preference and metric values. If there is an ECMP set for an active route, the switch uses a hash algorithm to choose one of the next-hop addresses. As input to the hash, the switch uses one or more of the following fields of the packet to be routed:

  • Source IP
  • Destination IP
  • Input port

Configuring ECMP

The switch automatically uses ECMP to choose between equal-cost routes; there is nothing to enable. What you configure is which packet fields feed the hash (the ip-ecmp-mode setting shown below). This setting is system-wide, and the default is source-ip-based.

Notes and Restrictions

When you configure a static route with a gateway, the gateway must be in the same IP subnet as the outgoing interface (the device). Also, the destination subnet cannot be the same as any of the switch's own interface subnets.

When you configure a static route without a gateway, the destination subnet must lie within the IP subnet of the device.

Using the CLI:

config system settings

set ip-ecmp-mode [ source-ip-based ] [ dst-ip-based ] [ port-based ]

end

Example ECMP configuration

The following is an example CLI configuration for ECMP forwarding.

In this configuration, ports 2, 6, and 9 are untagged (native) members of VLANs 10, 20, and 30, and the system interfaces i-blue, i-red, and i-green are the routed VLAN interfaces (SVIs) for those VLANs. The static routes in step 3 use i-red and i-green as two equal-cost paths to the same destination. The remaining ports in the switch are normal layer-2 ports.

  1. Configure native VLANs for ports 2, 6, and 9. Also configure the internal interface to allow VLANs 10, 20, and 30:

    config switch interface
        edit port2
            set native-vlan 10
        next
        edit port6
            set native-vlan 20
        next
        edit port9
            set native-vlan 30
        next
        edit internal
            set allowed-vlans 10,20,30
        next
    end

  2. Configure the system interfaces:

    config system interface

    edit "internal"

    set type physical

    next

    edit "i-blue"

    set ip 1.1.1.1 255.255.255.0

    set allowaccess ping https http ssh snmp telnet

    set vlanid 10

    set interface internal

    next

    edit "i-red"

    set ip 172.16.11.1 255.255.255.0

    set allowaccess ping ssh telnet

    set vlanid 20

    set interface internal

    next

    edit "i-green"

    set ip 172.168.13.1 255.255.255.0

    set allowaccess ping https http ssh snmp telnet

    set vlanid 30

    set interface internal

    next

    end

  3. Configure static routes. Routes 2 and 3 give 8.8.8.0/24 two next-hop gateways at equal cost, which forms the ECMP set; route 1 has no dst and is therefore the default route through the management interface:

    config router static
        edit 1
            set device "mgmt"
            set gateway 10.105.0.1
            set status enable
        next
        edit 2
            set device "i-red"
            set dst 8.8.8.0/24
            set gateway 172.16.11.2
            set status enable
        next
        edit 3
            set device "i-green"
            set dst 8.8.8.0/24
            set gateway 172.168.13.2
            set status enable
        next
    end
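The two restrictions in Notes and Restrictions and the hash-based next-hop choice can be worked through on the routes from this example. The following added Python example (not FortiSwitch code) validates static routes against the two restrictions, builds the ECMP set for 8.8.8.0/24 from routes 2 and 3, and selects a next hop by hashing the fields that ip-ecmp-mode names. Assumptions of the example: "cannot match any of the device IP subnets" is read as equality; SHA-256 stands in for the switch's hardware hash (what it preserves is that one flow always maps to one next hop); the distance value and the source addresses are constructed; route 1 is left out because the mgmt subnet is not given on the page.

```python
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Routed VLAN interfaces from the ECMP example above (address and mask as configured).
INTERFACES = {
    "i-red": ipaddress.ip_interface("172.16.11.1/24"),
    "i-green": ipaddress.ip_interface("172.168.13.1/24"),
}


@dataclass(frozen=True)
class StaticRoute:
    device: str
    dst: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address] = None
    distance: int = 10  # constructed: routes with equal preference/metric are "equal cost"


def static_route(device, dst, gateway=None, distance=10):
    """Build a StaticRoute from the string forms used in the CLI."""
    gw = None if gateway is None else ipaddress.ip_address(gateway)
    return StaticRoute(device, ipaddress.ip_network(dst), gw, distance)


# Routes 2 and 3 from the example: two next hops for 8.8.8.0/24 at equal cost.
ROUTES = [
    static_route("i-red", "8.8.8.0/24", "172.16.11.2"),
    static_route("i-green", "8.8.8.0/24", "172.168.13.2"),
]


def validate_static_route(route, interfaces=INTERFACES):
    """Apply the two restrictions from Notes and Restrictions; None means the route is acceptable."""
    local = interfaces[route.device]
    if route.gateway is not None:
        if route.gateway not in local.network:
            return "gateway is not in the subnet of the outgoing interface"
        if any(route.dst == i.network for i in interfaces.values()):
            return "destination must not be one of the switch's own interface subnets"
        return None
    if not route.dst.subnet_of(local.network):
        return "without a gateway the destination must lie inside the interface subnet"
    return None


def ecmp_set(routes, dst):
    """Longest-prefix match, then keep every route sharing the best prefix and the best distance."""
    addr = ipaddress.ip_address(dst)
    matching = [r for r in routes if addr in r.dst]
    if not matching:
        return []
    best_len = max(r.dst.prefixlen for r in matching)
    best = [r for r in matching if r.dst.prefixlen == best_len]
    best_dist = min(r.distance for r in best)
    return [r for r in best if r.distance == best_dist]


def select_next_hop(routes, src, dst, in_port, mode=("source-ip-based",)):
    """Choose one member of the ECMP set by hashing the fields named in ip-ecmp-mode.

    Candidates are sorted so the result does not depend on configuration order;
    SHA-256 is this example's stand-in for the switch's hash.
    """
    candidates = sorted(ecmp_set(routes, dst), key=lambda r: (r.device, str(r.gateway)))
    if not candidates:
        return None
    key = b""
    if "source-ip-based" in mode:
        key += ipaddress.ip_address(src).packed
    if "dst-ip-based" in mode:
        key += ipaddress.ip_address(dst).packed
    if "port-based" in mode:
        key += in_port.to_bytes(2, "big")
    digest = hashlib.sha256(key).digest()
    return candidates[int.from_bytes(digest[:4], "big") % len(candidates)]


def next_hop_shares(routes, dst, in_port, mode, sources):
    """Count how many of the given source addresses land on each next-hop gateway."""
    shares = {}
    for src in sources:
        hop = select_next_hop(routes, src, dst, in_port, mode)
        if hop is not None:
            shares[str(hop.gateway)] = shares.get(str(hop.gateway), 0) + 1
    return shares


if __name__ == "__main__":
    hosts = [f"192.168.10.{i}" for i in range(1, 255)]  # constructed sources
    for mode in (("source-ip-based",), ("dst-ip-based",), ("source-ip-based", "dst-ip-based")):
        print(mode, next_hop_shares(ROUTES, "8.8.8.8", 2, mode, hosts))
```

With dst-ip-based alone, every source going to 8.8.8.8 takes the same next hop, which is the behaviour to expect when a single busy destination seems to ignore the second path; source-ip-based or the combined mode spreads the sources across both gateways.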

Viewing ECMP configuration

Display the interface configuration using the following command:

show system interface [ <system interface name> ]

To confirm that both equal-cost next hops are installed for the destination, display the routing table:

get router info routing-table all

Bidirectional forwarding detection

FortiSwitchOS v3.4.2 and later support static bidirectional forwarding detection (BFD), a point-to-point protocol that detects faults in the forwarding path between two systems, including the endpoints of an IETF-defined tunnel (such as IP, IP-in-IP, GRE, and MPLS LSP/PW).

BFD defines demand mode and asynchronous mode operation. The FortiSwitch unit supports asynchronous mode. In this mode, the systems periodically send BFD control packets to one another, and if a number of those packets in a row are not received by the other system, the session is declared to be down.

BFD packets are transported using UDP/IP encapsulation and BFD control packets are identified using well-known UDP destination port 3784 (NOTE: BFD echo packets are identified using 3785).

BFD packets are not visible to the intermediate nodes and are generated and processed by the tunnel end systems only.

Configuring BFD

Use the following steps to configure BFD:

  1. Configure the following values in the system interface:
    • Enable BFD: Set to enable or set to global to inherit the global configuration value.
    • Desired min TX interval: The minimum interval that the local system would like to use between transmissions of BFD control packets. The value range is 200 ms to 30,000 ms; the default is 250 ms.
    • Required min RX interval: The minimum interval between received BFD control packets that the local system can support. Setting this value to zero tells the remote system not to transmit BFD control packets at all. Otherwise the value range is 200 ms to 30,000 ms; the default is 250 ms.
    • Detect multi: The detection time multiplier. The negotiated transmit interval multiplied by this value is the detection time for the receiving system. The value range is 1 to 20; the default is 3.
  2. Enable BFD in the static router configuration.
Using the CLI:

    config system interface
        edit <system interface name>
            set bfd {enable | disable | global}
            set bfd-desired-min-tx <200-30000 ms>
            set bfd-required-min-rx <200-30000 ms>
            set bfd-detect-multi <1-20>
        next
    end

    config router static
        edit 1
            set bfd enable
            set status enable
        next
    end
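The interval and multiplier values above interact through BFD's negotiation rules for asynchronous mode (RFC 5880): a system transmits no faster than its peer's Required Min RX interval, and the receiver declares the session down after Detect Mult of the peer's transmit intervals pass with no control packet. The following added Python example (not FortiSwitch code) applies those rules to the configurable values, including the zero required-min-rx case described above, and replays a constructed packet-arrival timeline to show when a session goes down. The peer values and the timelines are assumptions of the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BfdConfig:
    """The three per-interface values from 'config system interface' (ms, except detect_multi)."""
    desired_min_tx: int = 250   # page default
    required_min_rx: int = 250  # page default; 0 asks the peer to stop transmitting
    detect_multi: int = 3       # page default

    def validate(self):
        """Enforce the ranges stated on the page; 0 is the documented special case for required-min-rx."""
        if not 200 <= self.desired_min_tx <= 30000:
            raise ValueError("bfd-desired-min-tx must be 200..30000 ms")
        if self.required_min_rx != 0 and not 200 <= self.required_min_rx <= 30000:
            raise ValueError("bfd-required-min-rx must be 0 or 200..30000 ms")
        if not 1 <= self.detect_multi <= 20:
            raise ValueError("bfd-detect-multi must be 1..20")


def transmit_interval(local, remote):
    """Interval at which `local` sends control packets to `remote`.

    RFC 5880: never faster than the peer's Required Min RX, so the interval is
    max(own Desired Min TX, peer's Required Min RX). None means the peer set
    Required Min RX to 0 and does not want to receive anything.
    """
    if remote.required_min_rx == 0:
        return None
    return max(local.desired_min_tx, remote.required_min_rx)


def detection_time(local, remote):
    """Time without control packets after which `local` declares the session down.

    Asynchronous mode: the peer's Detect Mult times the interval the peer actually transmits at.
    """
    peer_tx = transmit_interval(remote, local)
    return None if peer_tx is None else remote.detect_multi * peer_tx


def session_state(local, remote, arrivals_ms, now_ms):
    """Replay control-packet arrival times (ms) at `local`.

    Returns ("UP", None) or ("DOWN", t) where t is the instant the detection timer expired.
    """
    limit = detection_time(local, remote)
    if limit is None:
        return ("UP", None)  # the peer is not expected to transmit, so nothing times out
    last = arrivals_ms[0]
    for t in list(arrivals_ms[1:]) + [now_ms]:
        if t - last > limit:
            return ("DOWN", last + limit)
        last = t
    return ("UP", None)


if __name__ == "__main__":
    local, peer = BfdConfig(), BfdConfig(required_min_rx=1000)  # peer values constructed
    for cfg in (local, peer):
        cfg.validate()
    print("we transmit every", transmit_interval(local, peer), "ms")
    print("we time out after", detection_time(local, peer), "ms")
    print(session_state(local, peer, [0, 250, 500, 1400], now_ms=1400))
```

The asymmetry matters when reading the BFD Neighbor table: with the page defaults on both ends a session fails over after 750 ms, but a peer that advertises a 1000 ms Required Min RX slows the local transmitter to 1000 ms and stretches the peer's own detection time to 3000 ms without any change on the local switch.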

Viewing BFD configuration

Using the GUI:

Go to Router > Monitor > BFD Neighbor.

Using the CLI:

To display the status of BFD sessions:

get router info bfd neighbor [ <IP address of neighbor>]

OurAddr         NeighAddr       LD/RD   State   Int
192.168.15.2    192.168.15.1    1/4     UP      vlan2000
192.168.16.2    192.168.16.1    2/2     UP      vlan2001

To filter the command output:

get router info bfd neighbor [<BFD_local_IPv4_address>] [<BFD_peer_interface>]

Unicast reverse-path forwarding (uRPF)

Unicast RPF, also called anti-spoofing, prevents an IP packet from being forwarded if its source IP address does not belong to a locally attached subnet (a local interface) and is not reachable through any route the FortiSwitch unit knows (a static route or one learned from RIP, OSPF, or BGP).

With uRPF, the router looks up not only the destination address but also the source address in the routing table. If no route back to the source exists, the packet is dropped, because the router treats it as a misconfiguration or a spoofing attack.

There are two uRPF modes:

  • Strict—The packet must arrive on the interface that the router would use to send traffic back to the packet's source. Asymmetric routing, where the forward and return paths differ, causes legitimate traffic to be dropped in this mode.
  • Loose—The routing table must contain a route that covers the packet's source IP address; the ingress interface is not checked. If src-check-allow-default is disabled, a source that matches only the default route is dropped. If src-check-allow-default is enabled, such a packet is accepted. Note that once a default route is installed, enabling this option means loose mode drops nothing, since every source address matches the default route.

Configuring uRPF

By default, uRPF is disabled. You must enable it on each interface that you want protected.

    config system interface
        edit <interface_name>
            set src-check {disable | loose | strict}
            set src-check-allow-default {enable | disable}
        next
    end

The src-check-allow-default option is available only when src-check is set to loose.
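The three src-check settings and src-check-allow-default can be worked through on a small routing table. The following added Python example (not FortiSwitch code) implements the decision described above for disable, loose, and strict modes and runs it over constructed packets. The routing table (two connected SVI subnets, one static route, and an optional default route), the interface names, and the packets are assumptions of the example.

```python
import ipaddress

# Constructed routing table: (prefix, outgoing interface). 203.0.113.0/24 is deliberately absent.
ROUTES = [
    ("192.168.10.0/24", "vlan2"),     # connected SVI subnet
    ("192.168.11.0/24", "vlan4000"),  # connected SVI subnet
    ("10.0.0.0/8", "vlan4000"),       # static route reached through vlan4000
]
DEFAULT_ROUTE = ("0.0.0.0/0", "mgmt")

# Constructed packets: (source address, ingress interface).
SAMPLE_PACKETS = [
    ("192.168.10.5", "vlan2"),     # legitimate host on its own SVI
    ("192.168.10.5", "vlan4000"),  # same source seen on the wrong interface: spoofed or asymmetric
    ("203.0.113.9", "vlan2"),      # no route back to this source at all
]


def lookup(routes, addr):
    """Longest-prefix match of addr against (prefix, interface) pairs; None when nothing matches."""
    addr = ipaddress.ip_address(addr)
    hits = [(ipaddress.ip_network(p), iface) for p, iface in routes if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None


def urpf_accept(routes, src, in_iface, mode="disable", allow_default=False):
    """Decide whether a packet with source src arriving on in_iface passes src-check.

    mode mirrors 'set src-check {disable | loose | strict}'; allow_default mirrors
    'set src-check-allow-default' and, as on the page, only has an effect in loose mode.
    """
    if mode == "disable":
        return True
    route = lookup(routes, src)
    if route is None:
        return False  # no route back to the source at all
    prefix, out_iface = route
    if prefix.prefixlen == 0:
        # Only the default route covers this source: loose mode accepts it only with allow-default.
        return mode == "loose" and allow_default
    if mode == "loose":
        return True
    if mode == "strict":
        return out_iface == in_iface  # must arrive where the return traffic would leave
    raise ValueError(f"unknown src-check mode {mode!r}")


def filter_packets(routes, packets, mode, allow_default=False):
    """Run the check over (src, in_iface) tuples and return (src, in_iface, verdict) for each."""
    return [(src, iface, "accept" if urpf_accept(routes, src, iface, mode, allow_default) else "drop")
            for src, iface in packets]


if __name__ == "__main__":
    for mode in ("disable", "loose", "strict"):
        print(mode, filter_packets(ROUTES + [DEFAULT_ROUTE], SAMPLE_PACKETS, mode))
    print("loose + allow-default", filter_packets(ROUTES + [DEFAULT_ROUTE], SAMPLE_PACKETS, "loose", True))
```

The last line of the demonstration is the caveat from the mode descriptions made concrete: with a default route present and allow-default enabled, the loose check accepts even the unrouted 203.0.113.9 source.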

IP-MAC binding

Use IP-MAC binding to prevent ARP spoofing.

The port accepts a packet only if the source IP address and source MAC address in the packet match an entry in the IP-MAC binding table.

You can enable/disable IP-MAC binding for the whole switch, and you can override this global setting for each port.

Configuring IP-MAC binding

Use the following steps to configure IP-MAC binding:

  1. Enable the IP-MAC binding global setting.
  2. Create the IP-MAC bindings. You can activate each binding individually.
  3. Set each port to follow the global setting. You can also override the global setting for individual ports by enabling or disabling IP-MAC binding for the port.
Using the GUI:

Create the IP-MAC binding:

  1. Go to Switch > IP MAC Binding.
  2. Select Add IP MAC Binding to create a new binding.
  3. Select Status.
  4. Enter the IP address and netmask.
  5. Enter the MAC address.
  6. Select Add.
Using the CLI:

    config switch global
        set ip-mac-binding {enable | disable}
    end

    config switch ip-mac-binding
        edit 1
            set ip <IP address and network mask>
            set mac <MAC address>
            set status {enable | disable}
        next
    end

    config switch interface
        edit <port>
            set ip-mac-binding {enable | disable | global}
        next
        edit <trunk name>
            set ip-mac-binding {enable | disable | global}
        next
    end

Notes
  • For a switch port, the default IP-MAC binding value is disabled.
  • When you configure a trunk, the trunk follows the global value by default. You can also explicitly enable or disable IP-MAC binding for a trunk, as shown in the CLI configuration.
  • When you add member ports to the trunk, all ports take on the trunk setting. If you later remove a port from the trunk group, the port is reset to the default value (disabled).
  • No duplicate entries are allowed in the mapping table.
  • Rules are disabled by default. You need to explicitly enable each rule.
  • The mapping table holds up to 1024 rules.
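The rules in the notes above (a global setting, per-port and per-trunk overrides, trunk membership, rules disabled by default, no duplicates, and a 1024-entry limit) fit in a small model. The following added Python example (not FortiSwitch code) implements that model and checks constructed frames against it. The bindings, port and trunk names, and the reading of "duplicate" as the same IP/mask and MAC pair are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass, field

MAX_RULES = 1024  # table size stated on the page


@dataclass
class Binding:
    ip: ipaddress.IPv4Network  # 'set ip <address and mask>': a mask lets one rule cover a subnet
    mac: str
    status: bool = False       # rules are disabled until explicitly enabled


@dataclass
class IpMacBindingTable:
    rules: list = field(default_factory=list)

    def add(self, ip, mac, status=False):
        """One 'config switch ip-mac-binding' entry. Duplicate = same IP/mask and MAC (this example's reading)."""
        net = ipaddress.ip_network(ip, strict=False)
        mac = mac.lower()
        if any(r.ip == net and r.mac == mac for r in self.rules):
            raise ValueError("duplicate IP-MAC binding")
        if len(self.rules) >= MAX_RULES:
            raise ValueError(f"binding table is full ({MAX_RULES} rules)")
        self.rules.append(Binding(net, mac, status))

    def matches(self, src_ip, src_mac):
        """True when an enabled rule covers this (source IP, source MAC) pair."""
        addr = ipaddress.ip_address(src_ip)
        return any(r.status and addr in r.ip and r.mac == src_mac.lower() for r in self.rules)


@dataclass
class Switch:
    global_enabled: bool = False                        # 'config switch global' / 'set ip-mac-binding'
    table: IpMacBindingTable = field(default_factory=IpMacBindingTable)
    port_setting: dict = field(default_factory=dict)    # port -> enable | disable | global (default: disable)
    trunk_setting: dict = field(default_factory=dict)   # trunk -> enable | disable | global (default: global)
    trunk_members: dict = field(default_factory=dict)   # trunk -> set of member ports

    def add_trunk(self, trunk, members):
        """Member ports take on the trunk's setting for as long as they are members."""
        self.trunk_members[trunk] = set(members)
        self.trunk_setting.setdefault(trunk, "global")

    def remove_from_trunk(self, trunk, port):
        """Leaving the trunk resets the port to the per-port default (disabled)."""
        self.trunk_members[trunk].discard(port)
        self.port_setting[port] = "disable"

    def effective(self, port):
        """Resolve the setting that actually applies to a port."""
        setting = self.port_setting.get(port, "disable")
        for trunk, members in self.trunk_members.items():
            if port in members:
                setting = self.trunk_setting.get(trunk, "global")
        if setting == "global":
            return self.global_enabled
        return setting == "enable"

    def accept(self, port, src_ip, src_mac):
        """Port-level verdict for an incoming packet's source IP and MAC."""
        if not self.effective(port):
            return True  # binding is not enforced on this port
        return self.table.matches(src_ip, src_mac)


if __name__ == "__main__":
    sw = Switch(global_enabled=True)
    sw.table.add("192.168.10.5/32", "00:11:22:33:44:55", status=True)   # constructed binding
    sw.port_setting["port1"] = "global"
    for ip, mac in (("192.168.10.5", "00:11:22:33:44:55"), ("192.168.10.5", "de:ad:be:ef:00:01")):
        print(ip, mac, "accept" if sw.accept("port1", ip, mac) else "drop")
```

The point the model makes visible is that a binding is inert until both its own status and the port's effective setting are enabled; a port that reports global while the global setting is off, or a port that has just left a trunk, silently stops checking.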

Viewing IP-MAC binding configuration

Display the status of IP-MAC binding using the following command:

show switch ip-mac-binding <entry number>

Virtual routing and forwarding

NOTE: This feature is supported only on the SVI.

You can use the virtual routing and forwarding (VRF) feature to create multiple routing tables within the same router.

Use the following steps to configure VRF:

  1. Create a VRF instance.
  2. Assign the VRF instance to a switch virtual interface (SVI).
  3. Assign the VRF instance to an IPv4 or IPv6 static route.
  4. Check the VRF configuration.

1. Create a VRF instance

You create a VRF instance by assigning a name and an identifier.

  • The VRF name cannot match any SVI name.
  • The VRF identifier is a number in the range of 1-1023, except for 252, 253, 254, and 255. You cannot assign the same VRF identifier to more than one VRF instance. After the VRF instance is created, the VRF identifier cannot be changed.

config router vrf

edit <string>

set vrfid <VRF_ID>

end

For example:

config router vrf

edit vrfv4

set vrfid 1

next

edit vrfv6

set vrfid 2

next

end

2. Assign the VRF instance to an SVI

You assign the VRF instance to an SVI when you create the SVI. After the SVI is created, the VRF instance cannot be changed or unset.

You can assign the same VRF instance to more than one SVI. The VRF instance cannot be assigned to an internal SVI.

config system interface

edit <interface_name>

set vrf <string>

end

For example:

config system interface

edit v40

set vlanid 40

set vrf vrfv4

next

edit v50

set vlanid 50

set vrf vrfv4

next

end

3. Assign the VRF instance to a static route

You assign the VRF instance to an IPv4 or IPv6 static route when you create the static route. After the static route is created, the VRF instance cannot be changed or unset.

You can assign the same VRF instance to more than one static route.

config router static

edit <seq-num>

set vrf <string>

end

config router static6

edit <seq-num>

set vrf <string>

end

For example:

config router static

edit 1

set device mgmt

set gateway 192.168.0.10

set status enable

set vrf vrfv4

end

config router static6

edit 2

set dst 5555::/64

set gateway 4000::2

set status enable

set vrf vrfv6

end

4. Check the VRF configuration

Use the following commands to check the VRF configuration:

  • get router info routing-table all
  • get router info6 routing-table
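The four steps above amount to keeping one routing table per VRF and choosing the table by the VRF of the ingress SVI. The following added Python example (not FortiSwitch code) models that, including the identifier rules from step 1 and the fixed VRF binding of SVIs. It uses the VRF names, SVIs, and static routes from the page's example and adds a constructed third VRF ("blue") that reuses the 10.1.0.0/16 prefix to show that the tables do not leak into each other. The 10.1.0.0/16 routes are constructed, and the IPv6 route's device is not given on the page and is left as None.

```python
import ipaddress

RESERVED_VRF_IDS = {252, 253, 254, 255}  # excluded identifiers, as stated on the page


class Router:
    """Several routing tables in one router; an SVI belongs to exactly one of them."""

    def __init__(self):
        self.vrfs = {}    # VRF name -> vrfid
        self.svis = {}    # SVI name -> {"vlanid": int, "vrf": name}
        self.routes = {}  # VRF name -> [(network, device, gateway-or-None)]

    def add_vrf(self, name, vrfid):
        """'config router vrf' with the identifier rules from step 1."""
        if name in self.svis:
            raise ValueError("VRF name cannot match an SVI name")
        if not 1 <= vrfid <= 1023 or vrfid in RESERVED_VRF_IDS:
            raise ValueError("vrfid must be 1-1023, excluding 252-255")
        if name in self.vrfs or vrfid in self.vrfs.values():
            raise ValueError("VRF name and identifier must be unique")
        self.vrfs[name] = vrfid
        self.routes[name] = []

    def add_svi(self, name, vlanid, vrf):
        """'config system interface' with 'set vrf'; the VRF is fixed when the SVI is created."""
        if name in self.vrfs:
            raise ValueError("SVI name cannot match a VRF name")
        if vrf not in self.vrfs:
            raise ValueError(f"unknown VRF {vrf!r}")
        if name in self.svis:
            raise ValueError("the VRF of an existing SVI cannot be changed")
        self.svis[name] = {"vlanid": vlanid, "vrf": vrf}

    def add_static_route(self, vrf, dst, device, gateway=None):
        """'config router static' / 'static6' with 'set vrf'; the route exists only in that VRF's table."""
        if vrf not in self.vrfs:
            raise ValueError(f"unknown VRF {vrf!r}")
        self.routes[vrf].append((ipaddress.ip_network(dst), device, gateway))

    def lookup(self, vrf, dst):
        """Longest-prefix match inside one VRF's table; returns (prefix, device, gateway) or None."""
        addr = ipaddress.ip_address(dst)
        hits = [r for r in self.routes[vrf] if addr in r[0]]
        if not hits:
            return None
        net, device, gateway = max(hits, key=lambda r: r[0].prefixlen)
        return (str(net), device, gateway)

    def forward(self, in_svi, dst):
        """Route a packet that arrived on an SVI using that SVI's VRF only."""
        return self.lookup(self.svis[in_svi]["vrf"], dst)


def build_example():
    """The page's VRF example plus a constructed third VRF that reuses a prefix."""
    r = Router()
    r.add_vrf("vrfv4", 1)
    r.add_vrf("vrfv6", 2)
    r.add_vrf("blue", 3)                                           # constructed
    r.add_svi("v40", 40, "vrfv4")
    r.add_svi("v50", 50, "vrfv4")
    r.add_svi("v60", 60, "blue")                                   # constructed
    r.add_static_route("vrfv4", "0.0.0.0/0", "mgmt", "192.168.0.10")
    r.add_static_route("vrfv4", "10.1.0.0/16", "v50", "10.1.0.254")  # constructed
    r.add_static_route("blue", "10.1.0.0/16", "v60", "10.99.0.1")    # constructed: same prefix, other table
    r.add_static_route("vrfv6", "5555::/64", None, "4000::2")        # device not given on the page
    return r


if __name__ == "__main__":
    r = build_example()
    for svi, dst in (("v40", "10.1.2.3"), ("v60", "10.1.2.3"), ("v40", "8.8.8.8"), ("v60", "8.8.8.8")):
        print(svi, dst, "->", r.forward(svi, dst))
```

A packet for 8.8.8.8 entering on v60 is dropped (no route) even though vrfv4 holds a default route: that isolation is the reason to put a management or guest segment in its own VRF, and the reason to check each VRF's table separately with get router info routing-table all.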
