Management ports

This chapter describes how to configure management ports on the FortiSwitch unit.

The following topics are covered:

Models without a dedicated management port

For FortiSwitch models without a dedicated management port, configure the internal interface as the management port.

NOTE: For FortiSwitch models without a dedicated management port, the internal interface has a default VLAN ID of 1.

Using the GUI:

First, edit the configuration of the default internal interface.

  1. Go to System > Network > Interface > Physical and select Edit for the internal interface.
  2. In the IP/Netmask field, enter the IP address and netmask.
  3. Select the appropriate protocols to connect to the interface for administrative access.
  4. Optional. Select Add IP to add a secondary IP address for the internal interface.
  5. Select Update to save your changes.

Next, create a new interface to be used for management.

  1. Go to System > Network > Interface > VLAN and select Add VLAN to create a management VLAN.
  2. Give the interface an appropriate name.
  3. Confirm that Interface is set to internal.
  4. Set a VLAN ID.
  5. In the IP/Netmask field, enter the IP address and netmask.
  6. Select the appropriate protocols to connect to the interface for administrative access.
  7. Optional. Select Add IP to add a secondary IP address for this VLAN.
  8. Select Add.

Using the CLI:

config system interface
    edit internal
        set ip <IP_address_and_netmask>
        set allowaccess <access_types>
        set type physical
        set secondary-IP enable
        config secondaryip
            edit <id>
                set ip <IP_address_and_netmask>
                set allowaccess <access_types>
            next
        end
    next
    edit <vlan name>
        set ip <IP_address_and_netmask>
        set allowaccess <access_types>
        set interface internal
        set vlanid <VLAN id>
        set secondary-IP enable
        config secondaryip
            edit <id>
                set ip <IP_address_and_netmask>
                set allowaccess <access_types>
            next
        end
    next
end

Models with a dedicated management port

For FortiSwitch models with a dedicated management port, configure the IP address and allowed access types for the management port.

NOTE: For FortiSwitch models with a dedicated management port, the internal interface has a default VLAN identifier of 4094.

Using the GUI:

  1. Go to System > Network > Interface > Physical and select Edit for the mgmt interface.
  2. In the ID field, enter a unique identifier from 1 to 65525.
  3. In the IP/Netmask field, enter the IP address and netmask.
  4. Select the appropriate protocols to connect to the interface for administrative access.
  5. Optional. You can select Remove if you want to delete the default secondary IP address or select Add IP to add a secondary IP address for the management interface.
  6. Select Update to save your changes.

Using the CLI:

config system interface
    edit mgmt
        set ip <IP_address_and_netmask>
        set allowaccess <access_types>
        set type physical
        set secondary-IP enable
        config secondaryip
            edit <id>
                set ip <IP_address_and_netmask>
                set allowaccess <access_types>
            next
        end
    next
    edit internal
        set type physical
    next
end

Remote access to the management port

To provide remote access to the management port, configure a static route. Set the gateway address to the IP address of the router.

Using the GUI:

  1. Go to Router > Config > Static and select Add Route.
  2. Enter an identifier. This is a unique number to identify the static route.
  3. Select the Status checkbox if it is not selected.
  4. Set the device to mgmt.
  5. Set the gateway to the gateway router IP address.
  6. Select Add.

Using the CLI:

config router static
    edit 1
        set device mgmt
        set gateway <router IP address>
        set status enable
    next
end

Example configurations

In this example, the internal interface is used as an inbound management interface. Also, the FortiSwitch unit has a default VLAN across all physical ports and its internal port.

Using the internal interface of a FortiSwitch-524D-FPOE

Syntax

config system interface
    edit internal
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https http ssh
        set type physical
    next
end

In this example, an out-of-band management interface is used as the dedicated management port. You can configure the management port for local or remote access.

Out-of-band management on a FortiSwitch-1024D

Option 1: management port with static IP

config system interface
    edit mgmt
        set mode static
        set ip 10.105.142.19 255.255.255.0
        set allowaccess ping https http ssh snmp telnet
        set type physical
    next
    edit internal
        set type physical
    next
end

// optional configuration to allow remote access to the management port

config router static
    edit 1
        set device mgmt
        set gateway 192.168.0.10
        set status enable
    next
end

Option 2: management port with IP assigned by DHCP

config system interface
    edit mgmt
        set mode dhcp
        set defaultgw enable // allows remote access
        set allowaccess ping https http ssh snmp telnet
        set type physical
    next
    edit internal
        set type physical
    next
end
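
An added example (not Fortinet code): a Python audit that walks a `config system interface` block like the ones above and reports every interface or secondary IP whose allowaccess list includes HTTP or Telnet, which carry administrator credentials in cleartext. The sample configuration is constructed from the page's Option 1 example plus an assumed secondary IP; the function name and the path format are this example's own.

```python
# Added example: audit allowaccess lists in a FortiSwitch interface config.
CLEARTEXT = {"http", "telnet"}  # snmp not flagged: its version is not visible here

# Constructed sample: the page's Option 1 plus an assumed secondary IP.
SAMPLE = """
config system interface
    edit mgmt
        set mode static
        set ip 10.105.142.19 255.255.255.0
        set allowaccess ping https http ssh snmp telnet
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 10.105.143.19 255.255.255.0
                set allowaccess ping http
            next
        end
    next
    edit internal
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh
    next
end
"""

def audit_allowaccess(config_text):
    """Return [(path, [cleartext protocols])] for each offending allowaccess line."""
    findings, stack = [], []          # stack holds ("config"|"edit", name) contexts
    for raw in config_text.splitlines():
        words = raw.split("//", 1)[0].split()   # drop the page's // annotations
        if not words:
            continue
        if words[0] in ("config", "edit"):
            if words[0] == "edit" and stack and stack[-1][0] == "edit":
                stack.pop()           # a new edit closes an unterminated one
            stack.append((words[0], " ".join(words[1:]).strip('"')))
        elif words[0] in ("next", "end"):
            if stack and stack[-1][0] == "edit":
                stack.pop()           # both keywords save and leave the entry
            if words[0] == "end" and stack:
                stack.pop()           # end also leaves the enclosing config table
        elif words[:2] == ["set", "allowaccess"] and stack[:1] == [("config", "system interface")]:
            bad = sorted(CLEARTEXT & set(words[2:]))
            if bad:
                findings.append(("/".join(name for _, name in stack[1:]), bad))
    return findings

if __name__ == "__main__":
    for path, protocols in audit_allowaccess(SAMPLE):
        print(f"{path}: cleartext management access via {', '.join(protocols)}")
```

Run against a saved configuration, an empty result means no interface or secondary IP offers HTTP or Telnet for administrative access.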
