Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

config switch

Use the config switch commands to configure options related to switching functionality:

config switch acl egress

Use this command to configure an access control list (ACL) for an egress policy.

Syntax

config switch acl egress

edit <policy_ID>

set description <string>

set interface <port_name>

set schedule <schedule_name>

set status {active | inactive}

config classifier

set cos <802.1Q CoS value to match>

set dscp <DSCP value to match>

set dst-ip-prefix <IP_address> <mask>

set dst-mac <MAC_address>

set ether-type <integer>

set service <service_ID>

set src-ip-prefix <IP_address> <mask>

set src-mac <MAC_address>

set vlan-id <VLAN_ID>

end

config action

set count {enable | disable}

set drop {enable | disable}

set mirror <mirror_session>

set outer-vlan-tag <integer>

set policer <policer>

set redirect <interface_name>

set remark-dscp <0-63>

end

end

Variable

Description

Default

<policy-id>

Enter the unique ID number of this policy.

No default

description <string>

Enter a description or other information about the policy. The description is limited to 63 characters. Enclose the string in single quotes to enter special characters or spaces.

No default

interface <port_name>

Interface that the policy applies to.

No default

schedule <schedule_name>

Select a schedule for when the ACL policy will be enforced.

The schedule must have been defined already with the config system schedule command.

No default

status {active | inactive}

Make the egress ACL policy active or inactive.

active

config classifier

cos <802.1Q CoS value to match>

Enter the 802.1Q CoS value to match.

No default

dscp <DSCP value to match>

Enter the DSCP value to match.

No default

dst-ip-prefix <IP_address> <mask>

Destination IP address and subnet mask to be matched.

0.0.0.0 0.0.0.0

dst-mac <MAC_address>

Destination MAC address to be matched.

00:00:00:00:00:00

ether-type <integer>

Ethernet type to be matched.

0x0000

service <service_ID>

Service type to be matched.

No default

src-ip-prefix <IP_address> <mask>

Source IP address and subnet mask to be matched.

0.0.0.0 0.0.0.0

src-mac <MAC_address>

Source MAC address to be matched.

00:00:00:00:00:00

vlan-id <VLAN_ID>

VLAN identifier to be matched.

0

config action

count {enable | disable}

Enable or disable the count action.

disable

drop {enable | disable}

Enable or disable the drop action.

disable

mirror <mirror_session>

Mirror session name.

No default

outer-vlan-tag <integer>

Outer VLAN tag.

0

policer <policer>

Identifier of the policer to associate with this policy. To create a policer, see config switch acl policer.

0

redirect <interface_name>

Redirect interface name.

No default

remark-dscp <0-63>

Set the DSCP marking value.

No default

config switch acl ingress

Use this command to configure an ACL for an ingress policy. Starting in FortiSwitchOS 6.2.0, you can create groups for multiple ingress ACLs.

Syntax

config switch acl ingress

edit <policy-id>

set description <string>

set group <group_ID>

set ingress-interface <port > [<port > ... <port >]

set ingress-interface-all {enable | disable}

set schedule <schedule_name>

set status {active | inactive}

config classifier

set cos <802.1Q CoS value to match>

set dscp <DSCP value to match>

set src-mac <mac>

set dst-mac <mac>

set ether-type <integer>

set src-ip-prefix <IP address> <mask>

set dst-ip-prefix <IP address> <mask>

set service <service-id>

set vlan-id <vlan-id>

end

config action

set cos-queue <0 - 7>

set count {enable | disable}

set cpu-cos-queue <integer>

set drop {enable | disable}

set egress-mask {<physical_port_name> | internal}

set mirror <mirror_session>

set outer-vlan-tag <integer>

set policer <policer>

set redirect <interface_name>

set redirect-bcast-cpu {enable | disable}

set redirect-bcast-no-cpu {enable | disable}

set redirect-physical-port <list of physical ports to redirect>

set remark-cos <0-7>

set remark-dscp <0-63>

end

end

Variable

Description

Default

<policy-id>

Enter the unique ID number of this policy.

No default

description <string>

Enter a description or other information about the policy. The description is limited to 63 characters. Enclose the string in single quotes to enter special characters or spaces.

No default

group <group_ID>

Enter the group identifier of the policy. The range of group identifiers varies among the different platforms.

Starting in FortiSwitchOS 6.2.0, you can create groups for multiple ingress ACLs.

1

ingress-interface <port > [<port > ... <port >]

If ingress-interface-all is disabled, enter the interface list to which the policy is bound on the ingress.

No default

ingress-interface-all {enable | disable}

If enabled, policy is bound to all interfaces.

disable

schedule <schedule_name>

Select a schedule for when the ACL policy will be enforced.

The schedule must have been defined already with the config system schedule command.

No default

status {active | inactive}

Make the ingress ACL policy active or inactive.

active

config classifier

cos <802.1Q CoS value to match>

Enter the 802.1Q CoS value to match.

No default

dscp <DSCP value to match>

Enter the DSCP value to match.

No default

src-mac

Enter the source MAC address to be matched.

00:00:00:00:00:00

dst-mac

Enter the destination MAC address to be matched.

00:00:00:00:00:00

ether-type

Enter the Ethernet type to be matched.

0x0000

src-ip-prefix

Enter the source IP address and subnet mask to be matched.

0.0.0.0 0.0.0.0

dst-ip-prefix

Enter the destination IP address and subnet mask to be matched.

0.0.0.0 0.0.0.0

service

Enter the service type to be matched.

No default

vlan-id

Enter the VLAN identifier to be matched.

0

config action

cos-queue <0 - 7>

CoS queue number (0 - 7).

0

count

Enable or disable the count action.

disable

cpu-cos-queue <integer>

CPU CoS queue number. This CoS queue is only used if the packets reach the CPU. Enter set cpu-cos-queue ? to see the value range.

disabled

drop

Enable or disable the drop action.

disable

egress-mask {<physical_port_name> | internal}

List of physical ports to be configured in egress mask.

No default

mirror <mirror_session>

Mirror session name.

No default

outer-vlan-tag

Outer VLAN tag.

4093

policer

Identifier of the policer to associate with this policy. To create a policer, see config switch acl policer.

1

redirect <interface_name>

Redirect interface name.

No default

redirect-bcast-cpu

Redirect broadcast to all ports including the CPU.

disable

redirect-bcast-no-cpu

Redirect broadcast to all ports excluding the CPU.

disable

redirect-physical-port

List of ports to redirect the packet.

No default

remark-cos <0-7>

Set the CoS marking value. The range is 0-7.

No default

remark-dscp <0-63>

Set the DSCP marking value. The range is 0-63.

No default

Examples

In the following example, traffic from VLAN 3 is blocked to a specified destination IP subnet (10.10.0.0/16) but allowed to all other destinations:

config switch acl ingress

edit 1

config action

set count enable

set drop enable

end

config classifier

set dst-ip-prefix 10.10.0.0 255.255.0.0

set vlan-id 3

end

set ingress-interface-all enable

set status inactive

next

edit 2

config classifier

set vlan-id 3

end

set ingress-interface-all enable

set status active

next

end

 

In the following example, packets are classified by matching both the CoS and DSCP values. Both the CoS and DSCP marking values are set:

config switch acl ingress

edit 1

config classifier

set src-mac 11:22:33:aa:bb:cc

set cos 2

set dscp 10

end

config action

set count enable

set remark-cos 4

set remark-dscp 20

end

set ingress-interface port2

set status active

end

config switch acl policer

Use this command to configure an ACL policer for egress or ingress policies.

Syntax

config switch acl policer

edit <policer index>

set description <string>

set guaranteed-bandwidth <bandwidth_value>

set guaranteed-burst <in_bytes>

set maximum-burst <in_bytes>

set type {egress | ingress}

end

Variable

Description

Default

<policer index>

Enter the index for this ACL policer

No default

description <string>

Enter a text description for the policer.

No default

guaranteed-bandwidth <bandwidth_value>

Enter the amount of bandwidth guaranteed to be available for traffic controlled by the policy. The value range is 0 to 16 776 000 Kbits/second.

0

guaranteed-burst <in_bytes>

Guaranteed burst size in bytes (max value = 4294967295)

0

maximum-burst <in_bytes>

Maximum burst size in bytes (max value = 4294967295)

0

type {egress | ingress}

Specify whether the policer is for egress or ingress policies.

ingress

Example

This example shows how to configure an ACL policer for egress policies.

config switch acl policer

edit 1

set description policer1

set guaranteed-bandwidth 8776000

set guaranteed-burst 858993459

set maximum-burst 4294967295

set type egress

end

config switch acl prelookup

Use this command to configure an ACL for a lookup policy.

Syntax

config switch acl prelookup

edit <policy_ID>

set description <string>

set interface <port_name>

set schedule <schedule_name>

set status {active | inactive}

config classifier

set cos <802.1Q CoS value to match>

set dscp <DSCP value to match>

set dst-ip-prefix <IP_address> <mask>

set dst-mac <MAC_address>

set ether-type <integer>

set service <service_ID>

set src-ip-prefix <IP_address> <mask>

set src-mac <MAC_address>

set vlan-id <VLAN_ID>

end

config action

set count {enable | disable}

set cos-queue <0-7>

set drop {enable | disable}

set outer-vlan-tag <integer>

set remark-cos <0-7>

end

end

Variable

Description

Default

<policy-id>

Enter the unique ID number of this policy.

No default

description <string>

Enter a description or other information about the policy. The description is limited to 63 characters. Enclose the string in single quotes to enter special characters or spaces.

No default

interface <port_name>

Interface that the policy applies to.

No default

schedule <schedule_name>

Select a schedule for when the ACL policy will be enforced.

The schedule must have been defined already with the config system schedule command.

No default

status {active | inactive}

Make the prelookup ACL policy active or inactive.

active

config classifier

cos <802.1Q CoS value to match>

Enter the 802.1Q CoS value to match.

No default

dscp <DSCP value to match>

Enter the DSCP value to match.

No default

dst-ip-prefix <IP_address> <mask>

Destination IP address and subnet mask to be matched.

0.0.0.0 0.0.0.0

dst-mac <MAC_address>

Destination MAC address to be matched.

00:00:00:00:00:00

ether-type <integer>

Ethernet type to be matched.

0x0000

service <service_ID>

Service type to be matched.

No default

src-ip-prefix <IP_address> <mask>

Source IP address and subnet mask to be matched.

0.0.0.0 0.0.0.0

src-mac <MAC_address>

Source MAC address to be matched.

00:00:00:00:00:00

vlan-id <VLAN_ID>

VLAN identifier to be matched.

0

config action

count {enable | disable}

Enable or disable the count action.

disable

cos-queue <0-7>

CPU CoS queue number (20-29). Only if packets reach to CPU. The value range is 20-29.

No default

drop {enable | disable}

Enable or disable the drop action.

disable

outer-vlan-tag <integer>

Outer VLAN tag.

0

remark-cos <0-7>

Set the CoS marking value. The range is 0-7.

No default

config switch acl service custom

Use this command to customize one of the ACL services.

Syntax

config switch acl service custom

edit <service name>

set comment <string>

set color <0-32>

set protocol {ICMP | IP | TCP/UDP/SCTP}

set icmptype <0-255>

set icmpcode <0-255>

set protocol-number <IP protocol number>

set sctp-portrange <dstportlow_int>[-<dstporthigh_int>: <srcportlow_int>-<srcporthigh_int>]

set tcp-portrange <dstportlow_int>[-<dstporthigh_int>:<srcportlow_int>-<srcporthigh_int>]

set udp-portrange <dstportlow_int>[-<dstporthigh_int>:<srcportlow_int>-<srcporthigh_int>]

end

end

Variable

Description

Default

<service name>

Enter the name of this custom service.

No default

comment <string>

Add comments for the custom service.

No default

color <0-32>

Set the icon color to use in the Web-based manager. A value of zero sets the default color (1).

0

protocol {ICMP | IP | TCP/UDP/SCTP}

Select the protocol used by the service.

These protocols are available when explicit-proxy is enabled.

TCP/UDP/SCTP

icmptype <0-255>

If you set the protocol to ICMP, set the ICMP type.

0

icmpcode <0-255>

If you set the protocol to ICMP, set the ICMP code.

0

protocol-number

For an IP service, enter the IP protocol number.

0

sctp-portrange

For SCTP services, enter the destination and source port ranges.

No default

tcp-portrange

For TCP services, enter the destination and source port ranges.

No default

udp-portrange

For UDP services, enter the destination and source port ranges.

No default

Notes:

  • srcport_low and srcport_high can be omitted if the value pair is 1-65535
  • dstport_high can be omitted if dstport_low is equal to dstport_high
  • srcport_low and srcport_high can be omitted if the value pair is 1-65535
  • dstport_high can be omitted if dstport_low is equal to dstport_high

Example

In the following example, Server Message Block (SMB) traffic received on port 1 is mirrored to port 3. SMB protocol uses port 445:

config switch acl service custom

edit "SMB"

set tcp-portrange 445

next

end

config switch acl ingress # apply policy to port 1 ingress and send to port 3

edit 1

set description "cnt_n_mirror_smb"

set ingress-interface "port1"

config action

set count enable

set mirror "port3"

end

config classifier

set service "SMB"

set src-ip-prefix 20.20.20.100 255.255.255.255

set dst-ip-prefix 100.100.100.0 255.255.255.0

end

next

end

config switch acl settings

Use this command to configure the global ACL settings

Syntax

config switch acl settings

set density-mode {disable | enable}

set trunk-load-balance {disable | enable}

end

Variable

Description

Default

density-mode

Enable or disable density mode.

disable

trunk-load-balance

Enable or disable trunk-load-balancing for ACL actions.

enable

Example

The following example configures the global ACL settings:

config switch acl settings

set density-mode enable

set trunk-load-balance enable

end

config switch auto-isl-port-group

Use this command to create a multi-tiered MCLAG trunk when the FortiSwitch unit is managed by a FortiGate unit.

Syntax

config switch auto-isl-port-group

edit <trunk_name>

set members <one or more ports>

end

Example

The following example creates two trunks for a multi-tiered MCLAG:

config switch auto-isl-port-group

edit "mclag-core1"

set members "port1" "port2"

next

edit "mclag-core2"

set members "port3" "port4"

end

config switch auto-network

Use this command to automatically form an inter-switch link (ISL) between two switches.

Syntax

config switch auto-network

set mgmt-vlan <1-4094>

set status {enable | disable}

end

Variable

Description

Default

mgmt-vlan <1-4094>

Set the VLAN to use for the native VLAN on ISL ports and the native VLAN on the internal switch interface.

4094

status {enable | disable}

Enable or disable whether an ISL is automatically formed between two switches.

disable

Example

The following example enables the automatic formation of an ISL between two switches:

config switch auto-network

set mgmt-vlan 200

set status enable

end

config switch global

Use this command to configure system-wide FortiSwitch settings.

Syntax

config switch global

set auto-fortilink-discovery {enable | disable}

set auto-isl {enable | disable}

set auto-isl-port-group <0-9>

set auto-stp-priority {enable | disable}

set dhcp-snooping-database-export {disable | enable}

set dmi-global-all {enable | disable}

set flapguard-retain-trigger {enable | disable}

set flood-unknown-multicast {enable | disable}

set fortilink-heartbeat-timeout <0-300>

set fortilink-p2p-native-vlan <integer>

set fortilink-p2p-tpid <interger>

set fortilink-vlan-optimization {enable | disable}

set forti-trunk-dmac <xx:xx:xx:xx:xx:xx>

set ip-mac-binding {enable | disable}

set l2-memory-check {enable | disable}

set l2-memory-check-interval <number_of_seconds>

set log-mac-limit-violations {enable | disable}

set log-source-guard-violations {enable | disable}

set loop-guard-tx-interval <0-30>

set mac-aging-interval <seconds>

set mac-violation-timer <integer>

set max-frame-size <bytes_int>

set max-path-in-ecmp-group <integer>

set mclag-igmpsnooping-aware {enable | disable}

set mclag-peer-info-timeout <integer>

set mclag-port-base <integer>

set mclag-split-brain-detect {enable | disable}

set mclag-stp-aware {enable | disable}

set mirror-qos <0-7>

set name <string>

set neighbor-discovery-to-cpu {enable | disable}

set packet-buffer-mode {store-forward | cut-through}

set poe-alarm-threshold <threshold (percent of total power budget) above which an alarm event is generated>

set poe-guard-band <integer>

set poe-power-budget <integer>

set poe-power-mode {first-come-first-served | priority}

set poe-pre-standard-detect {disable | enable}

set qos-drop-policy {random-early-detection | taildrop}

set qos-red-probability <integer>

set reserved-mcast-to-cpu {enable | disable}

set source-guard-violation-timer <integer>

set trunk-hash-mode {default| enhanced}

set trunk-hash-unicast-src-port {enable | disable}

set trunk-hash-unkunicast-src-dst {enable | disable}

set virtual-wire-tpid <0x0001-0xfffe>

config port-security

set link-down-auth {no-action | set-unauth}

set mab-reauth {enable | disable}

set max-reauth-attempt <0-15>

set quarantine-vlan {enable | disable}

set reauth-period <1-1440>

set tx-period <12-60>

end

end

Variable

Description

Default

auto-fortilink-discovery {enable | disable}

Enable or disable the capability for the FortiGate unit to automatically discover the FortiLink interface on the switch.

enable

auto-isl {enable | disable}

Enable or disable the capability to automatically form an inter-switch LAG.

enable

auto-isl-port-group <0-9>

Set the ISL port group. The range is 0-9.

0

auto-stp-priority {enable | disable}

Enable or disable the automatic assigned STP switch priortiy.

enable

dhcp-snooping-database-export {disable | enable}

Enable or disable whether the DHCP snooping database is exported to file.

disable

dmi-global-all {enable | disable}

Enable or disable DMI globally.

enable

flapguard-retain-trigger {enable | disable}

Enable this setting to keep the “triggered” status in the output of the diagnose flapguard status command after a switch has been rebooted until the port has been reset with the execute flapguard reset <port_name> command.

Disable this setting to reset the “triggered” status when the switch is rebooted.

disable

flood-unknown-multicast {enable | disable}

Enable or disable whether to flood the VLAN with unknown multicast messages.

disable

fortilink-heartbeat-timeout <0-300>

Set how long before the FortiLink heartbeat times out. Set the value to 0 to disable the FortiLink heartbeat.

60

fortilink-p2p-native-vlan <integer>

Specify the native VLAN on the inter-switch link (ISL) when fortilink-p2p is enabled under the config switch physical port command.

4094

fortilink-p2p-tpid <interger>

Set the FortiLink point-to-point TPID value. The range of values is 0x0001 to 0xfffe.

This command is only available in FortiLink mode.

0x8100

fortilink-vlan-optimization {enable | disable}

Enable or disable FortiLink VLAN optimization.

disable

forti-trunk-dmac <xx:xx:xx:xx:xx:xx>

Enter the destination MAC address to be used for FortiTrunk heartbeat packets.

02:80:c2:00:00:02

ip-mac-binding {enable | disable}

Enable or disable IP-MAC binding for the switch

disable

l2-memory-check {enable | disable}

Enable or disable whether FortiSwitchOS checks the size of the layer-2 table. When this feature is enabled, the set l2-memory-check interval command controls the frequency that the table is checked. When the table size is more than 75-percent full or less than 70-percent full, FortiSwitchOS adds a warning to the system log.

disable

l2-memory-check-interval <number_of_seconds>

When l2-memory-check is enabled, FortiSwitchOS checks the size of the layer-2 table at the specified interval. The range of values is 5-86400 seconds.

120

log-mac-limit-violations {enable | disable}

Enable or disable the logging of layer-2 learning limit violations for an interface or VLAN. The most recent violation that occurred on each interface or VLAN is logged. After that, no more violations are logged until the log is reset for the triggered interface or VLAN. Only the most recent 128 violations are displayed in the console.

NOTE: This command is only displayed if your FortiSwitch model supports it.

disable

log-source-guard-violations {enable | disable}

Enable or disable logs for source guard violations on a system-wide level.

disable

loop-guard-tx-interval <0-30>

Enter the loop guard transmit interval. Value range is 1-30. The units is seconds.

3

mac-aging-interval <seconds>

Specify how often the learning-limit violation log is reset. The range is 10 to 1,000,000 seconds. Set to 0 to disable.

300

mac-violation-timer <integer>

How long (in minutes) violations of the layer-2 learning limit are kept in the log. The value range is 0-1500. Set to 0 to disable the timer.

0

max-frame-size <bytes_int>

Set the maximum frame size. The range is 68 to 16360.

NOTE: For non-1xxE FortiSwitch units, this command is under the config switch physical-port command.

9216

max-path-in-ecmp-group <integer>

Set the maximum path in one ECMP group.

8

mclag-igmpsnooping-aware {enable | disable}

Enable this option to synchronize both query ports and group entries across peer MCLAG trunks. This option can be used in standalone mode and in FortiLink mode.

NOTE: For IGMP snooping to work correctly in an MCLAG, you need to use the set mclag-igmpsnooping-aware enable command on all FortiSwitch units in the network topology and use the set igmps-flood-reports enable command on each MCLAG core FortiSwitch unit.

disable

mclag-peer-info-timeout <integer>

Enter the MCLAG peer info timeout. The value range is 30 to 600 seconds.

30

mclag-port-base <integer>

Set the MCLAG port base.

0

mclag-split-brain-detect {enable | disable}

Enable or disable the detection of the MCLAG split-brain state.

disable

mclag-stp-aware {enable | disable}

Enable or disable whether the STP can be used within the MCLAG.

enable

mirror-qos <0-7>

Enter the quality of service (QoS) priority for packets mirrored by this FortiSwitch unit. Applies only to the FS-524D, FS-524D-FPOE, FS-548D, FS-548D-FPOE, FS-1048E, and FS-3032D models.

0

name <string>

Enter a name for the switch.

No default

neighbor-discovery-to-cpu {enable | disable}

Enable or disable the forwarding of reserved multicast packets to the CPU. Applies only to the 200 Series and 400 Series.

enable

packet-buffer-mode {store-forward | cut-through}

Set the switching mode to store-and-forward or cut-through for the main buffer of the FS-1024D, FS-1048D, or FS-3032D model.

store-forward

poe-alarm-threshold <threshold (percent of total power budget) above which an alarm event is generated>

Enter the threshold (a specified percentage of the total power budget) above which an alarm event is generated.

80

poe-guard-band <integer>

Enter the power (W) to reserve in case of a spike in PoE consumption.

19

poe-power-budget <integer>

Set or override the maximum power budget.

400

poe-power-mode {first-come-first-served | priority}

Set the PoE power mode to priority based or first-come, first-served.

priority

poe-pre-standard-detect {disable | enable}

Enable or disable PoE pre-standard detection.

NOTE: PoE pre-standard detection is a global setting for the following FortiSwitch models: FSR-112D-POE, FS-548D-FPOE, FS-524D-FPOE, FS-108D-POE, FS-224D-POE, FS-108E-POE, FS-108E-FPOE, FS-124E-POE, FS-124E-FPOE, 148F-POE, and 148F-FPOE. For the other FortiSwitch PoE models, PoE pre-standard detection is set on each port.

disable

qos-drop-policy {random-early-detection | taildrop}

Set the CoS queue drop policy.
  • taildrop — When the queue is full, new packets are dropped.
  • random-early-detection — As the queue fills, the probability increases that packets will be dropped.
NOTE: This command is available only for the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models.

taildrop

qos-red-probability <integer>

Set the QoS RED/WRED drop probability. The FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, and FS-124E-FPOE models support 0-100 percent. The FS-148E, FS-148E-POE, and FS-148E-FPOE models support 0-25 percent.

NOTE: This command is available only for the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models.

12

reserved-mcast-to-cpu {enable | disable}

Enable or disable the forwarding of IPv6 neighbor-discovery packets to the CPU. Applies only to the 200 Series and 400 Series.

enable

source-guard-violation-timer <intebger>

Enter the number of minutes for a global timeout for source guard violations. The range of values is 0-1500. Set this option to 0 to disable it.

This command is only available when log-source-guard-violations is enabled.

0

trunk-hash-mode {default| enhanced}

Set the trunk hash mode to default or enhanced

default

trunk-hash-unicast-src-port {enable | disable}

Enable or disable whether the trunk hashing algorithm for unicast packets uses the source port.

disable

trunk-hash-unkunicast-src-dst {enable | disable}

Enable or disable trunk hash for unknown unicast src-dst.

enable

virtual-wire-tpid <0x0001-0xfffe>

TPID value used by virtual-wires. The value range is from 0x0001 to 0xfffe.

Choose a value unlikely to be seen as a TPID or ethertype in your network.

0xdee5

config port-security

link-down-auth

If a link goes down, this setting determines if the affected devices needs to reauthenticate.
  • set-unauth — revert all devices to the un-authenticated state. Each device will need to reauthenticate.
  • no-action — if reauthenication is not required.

set-unauth

mab-reauth {enable | disable}

Enable or disable whether MAB retries authentication before assigning a device to a guest VLAN for unauthorized users.

disable

max-reauth-attempt

If 802.1x authentication fails, this setting caps the number of attempts that the system will initiate. The range is from 0 to 15 where "0" disables the reauthentication attempts.

3

quarantine-vlan {enable | disable}

Enable or disable quarantine VLAN detection. Enable this setting to use quarantines with 802.1x MAC-based authentication in FortiLink mode.

enable

reauth-period

Defines how often the device needs to reauthenticate. If a session remains active beyond this number of minutes, the system requires the device to reauthenticate.

60

tx-period <12-60>

Specify how many seconds are allowed for the 802.1x reauthentication before it times out.

30

Example

The following example configures system-wide FortiSwitch settings:

config switch global

set auto-isl enable

set dhcp-snooping-database-export enable

set dmi-global-all enable

set ip-mac-binding enable

set loop-guard-tx-interval 15

set mac-aging-interval 150

set max-path-in-ecmp-group 4

set mclag-peer-info-timeout 300

set poe-alarm-threshold 40

set poe-power-mode first-come-first-served

set poe-guard-band 10

set poe-pre-standard-detect enable

set poe-power-budget 200

set trunk-hash-mode enhanced

set trunk-hash-unkunicast-src-dst enable

end

config switch igmp-snooping globals

Use this command to configure global settings for IGMP snooping on the FortiSwitch unit.

Syntax

config switch igmp-snooping globals

set aging-time <integer>

set leave-response-timeout <integer>

set query-interval <10-1200>

end

Variable

Description

Default

aging-time <integer>

The maximum number of seconds to retain a multicast snooping entry for which no packets have been seen (15-3600).

300

leave-response-timeout <integer>

Enter the maximum number of seconds that the switch waits after sending a group-specific query in response to the leave message. The range of values is 1-20.

10

query-interval <10-1200>

Enter the maximum number of seconds between IGMP queries.

120

Example

The following example configures global settings for IGMP snooping on the FortiSwitch unit:

config switch igmp-snooping globals

set aging-time 150

set leave-response-timeout 15

set query-interval 200

end

config switch interface

Use this command to configure FortiSwitch features on an interface.

NOTE: Settings under config qnq are for customer VLANs (C-VLANs). Other settings such as set allowed-vlans, set native-vlan, and set vlan-tpid are for service-provider VLANs (S-VLANs).

Command

config switch interface

edit <interface_name>

set allowed-vlans {vlan1 vlan2 ...}

set arp-inspection-trust {trusted | untrusted}

set auto-discovery-fortilink {enable | disable}

set auto-discovery-fortilink-packet-interval <3-300>

set default-cos <0-7>

set description <string>

set discard-mode {all-tagged | all-untagged | none}

set dhcp-snooping {trusted | untrusted}

set dhcp-snoop-learning-limit-check {disable | enable}

set dhcp-snooping-option82-trust {enable | disable}

set edge-port {enabled | disabled}

set igmp-snooping-flood-reports {enable | disable}

set mcast-snooping-flood-traffic {enable | disable}

set mld-snooping-flood-reports {enable | disable}

set ip-mac-binding {enable | disable | global}

set ip-source-guard {enable | disable}

set learning-limit <1 - 128>

set log-mac-event {enable | disable}

set loop-guard {enabled | disabled}

set loop-guard-timeout <0-120>

set loop-guard-mac-move-threshold <0-100>

set nac {enable | disable}

set native-vlan <vlan_int>

set packet-sampler {enabled | disabled}

set sample-direction {both | rx |tx}

set packet-sample-rate <0-99999>

set private-vlan {disabled | promiscuous sub-vlan}

set ptp-policy {<string> | default}

set qos-policy {<string> | default}

set rpvst-port {enabled | disabled}

set security-groups <security-group-name>

set sflow-counter-interval <0-255>

set snmp-index <integer>

set sticky-mac {disable | enable}

set stp-bpdu-guard {disabled | enabled}

set stp-loop-protection {enabled | disabled}

set stp-root-guard {disabled | enabled}

set stp-state {enabled | disabled}

set trust-dot1p-map <string>

set trust-ip-dscp-map <string>

set untagged-vlans {vlan1 vlan2 ...}

set vlan-mapping-miss-drop {enable | disable}

set vlan-tpid <default | string>

config port-security

set allow-mac-move {enable | disable}

set eap-egress-tagged {enable | disable}

set port-security-mode {none | 802.1X | 802.1X-mac-based | macsec}

set auth-fail-vlan {enable | disable}

set auth-fail-vlanid <VLAN_id>

set authserver-timeout-period <3-15>

set authserver-timeout-vlan {enable | disable}

set authserver-timeout-vlanid <1-4094>

set eap-auto-untagged-vlans {enable | disable}

set eap-passthru {disable | enable}

set framevid-apply {disable | enable}

set guest-auth-delay <integer>

set guest-vlan {enable | disable}

set guest-vlanid <VLAN_id>

set mab-eapol-request <0-10>

set mac-auth-bypass {enable | disable}

set macsec-profile <MACsec_profile_name>

set open-auth {enable | disable}

set quarantine-vlan {enable | disable}

set radius-timeout-overwrite {enable | disable}

next

end

config raguard

edit <ID>

set raguard-policy <name_of_RA_guard_policy>

set vlan-list <list_of_VLANs>

next

end

config qnq

set status {enable | disable}

set add-inner <1-4095>

set edge-type customer

set priority {follow-c-tag | follow-s-tag}

set remove-inner {enable | disable}

set s-tag-priority <0-7>

set vlan-mapping-miss-drop {enable | disable}

config vlan-mapping

edit <id>

set description <string>

set match-c-vlan <1-4094>

set new-s-vlan <1-4094>

next

end

end

config vlan-mapping

edit <id>

set description <string>

set direction {egress | ingress}

set match-s-vlan <1-4094>

set match-c-vlan <1-4094>

set action {add | delete | replace}

set new-s-vlan <1-4094>

next

end

next

end

Variable

Description

Default

<interface_name>

Enter the name of the interface.

No default

allowed-vlans

{vlan1 vlan2 ...}

Enter the names of the VLANs permitted on this interface.

No default

arp-inspection-trust {trusted | untrusted}

Set the interface to trusted or untrusted.

untrusted

auto-discovery-fortilink {enable | disable}

Enable or disable automatically discovery of the port used for FortiLink.

disable

auto-discovery-fortilink-packet-interval <3-300>

Enter the FortiLink packet interval for automatic discovery. The value range is 3 to 300 seconds.

5

default-cos <0-7>

Set the default CoS value for untagged packets. Integer in the range of 0 to 7.

The configured default CoS only applies if you also set trust-dot1p-map on the interface.

NOTE: The set default-cos command is not available on the following FortiSwitch models: 224D-FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE, and 248E-FPOE.

0

description <string>

Enter a description of the interface.

No default

discard-mode {all-tagged | all-untagged | none}

Set the discard mode for this interface.

none

dhcp-snooping {trusted | untrusted}

Set the interface to trusted or untrusted.

untrusted

dhcp-snoop-learning-limit-check {disable | enable}

Enable or disable whether there is a limit for how many IP addresses are in the DHCP snooping binding database for this interface.

disable

dhcp-snooping-option82-trust {enable | disable}

Enable or disable (allow/disallow) DHCP packets with option-82 on an untrusted interface.

disable

edge-port {enabled | disabled}

Enable if the port does not have another switch connected to it.

disable

igmp-snooping-flood-reports {enable | disable}

Enable or disable whether to flood IGMP-snooping reports to this interface.

NOTE: For IGMP snooping to work correctly in an MCLAG, you need to use the set mclag-igmpsnooping-aware enable command on all FortiSwitch units in the network topology and use the set igmp-snooping-flood-reports enable command on each MCLAG core FortiSwitch unit.

disable

mcast-snooping-flood-traffic {enable | disable}

Enable or disable whether to flood multicast traffic to this interface.

disable

mld-snooping-flood-reports {enable | disable}

Enable or disable whether to flood MLD-snooping reports to this interface.

disable

ip-mac-binding {enable | disable | global}

Enable or disable IP-MAC binding for this interface. Set the value to 'global', the interface inherits the global ip-mac-binding configuration value.

disable

ip-source-guard {enable | disable}

Enable or disable IP source guard for this interface. After you enable this feature, use the config switch ip-source-guard command to configure it.

disable

learning-limit <1 - 128>

Limit the number of dynamic MAC addresses on this port. The value range is between 0 and 128 (0 = no limit).

NOTE: You cannot set the learning-limit on the internal interface.

0

log-mac-event {enable | disable}

Enable or disable the logging of dynamic MAC address events.

disable

loop-guard {enabled | disabled}

Enable or disable loop guard for this interface.

disabled

loop-guard-timeout <0-120>

After enabling loop guard, set the number of minutes before loop guard resets. Setting this value to 0 means that there is no timeout.

45

loop-guard-mac-move-threshold <0-100>

After enabling loop guard, set the number of MAC address moves per second for this interface. The threshold must be exceeded for 6 consecutive seconds to trigger loop guard.

0

nac {enable | disable}

This command is available only in FortiLink mode. Enable to allow the switch to transmit MAC events to the FortiGate device to imporve network access control (NAC) performance.

disable

native-vlan <vlan_int>

Enter the native (untagged) VLAN for this interface.

1

packet-sampler {enabled | disabled}

Enable or disable packet sampling for flow export.

disabled

sample-direction {both | rx |tx}

Set the sFlow sample direction to monitor received traffic (rx), monitor transmitted traffic (tx), or monitor both.

This option is only available when the packet-sampler is enabled.

both

packet-sample-rate <0-99999>

If packet-sampler is set to enabled, you can change the packet sample rate.

512

private-vlan {disabled | promiscuous | sub-vlan}

Enable private VLAN functionality. 

NOTE: Private VLANs are not supported on the FortiSwitch-28C.

disabled

ptp-policy {<string> | default}

Enter the name of the Precision Time Protocol (PTP) policy.

default

qos-policy {<string> | default}

Enter the name of the QoS egress CoS queue policy.

default

rpvst-port {enabled | disabled}

Enable or disable whether this interface interoperates with per-VLAN spanning tree (PVST).

disabled

security-groups <security-group-name>

Enter the security group name if you are using port-based authentication or MAC-based authentication.

No default

sflow-counter-interval <0-255>

Set the polling interval for the sFlow sampler counter. Set to 0 to disable polling.

0

snmp-index <integer>

Enter the SNMP index for this interface.

Default is the port number

sticky-mac {disable | enable}

Enable or disable whether dynamically learned MAC addresses are persistent when the status of a FortiSwitch port changes (goes down or up).

disable

stp-bpdu-guard {disabled | enabled}

Enable or disable STP BPDU guard protection. To use STP BPDU guard on this interface, you must enable stp-state and edge-port.

disabled

stp-loop-protection {enabled | disabled}

Enable or disable STP loop protection on this interface.

disabled

stp-root-guard {disabled | enabled}

Enable or disable STP root guard protection. To use STP root guard, you must enable stp-state.

disabled

stp-state {enabled | disabled}

Enable or disable Spanning Tree Protocol (STP) on this interface.

enabled

trust-dot1p-map

Whether to trust the dot1p CoS value in the incoming packets. Specify a map to map the CoS value to an egress queue value.

No default

trust-ip-dscp-map

Whether to trust the DSCP QoS value in the incoming packets. Specify a map to map the DSCP value to an egress queue value.

No default

untagged-vlans

Select the allowed-vlans to be transmitted without VLAN tags

No default

vlan-mapping-miss-drop {enable | disable}

Enable or disable whether a packet is dropped if the VLAN ID in the packetʼs tag is not defined in the vlan-mapping configuration.

disable

vlan-tpid <default | string>

Select which VLAN TPID profile to use. The default VLAN TPID profile has a value of 0x8100 and cannot be deleted or changed.

NOTE: If you are not using the default VLAN TPID profile, you must have already defined the VLAN TPID profile with the config switch vlan-tpid command.

default

config port-security

allow-mac-move {enable | disable}

Enable on the destination port when an 802.1x client is being moved between ports that are not directly connected to the FortiSwitch unit.

disable

eap-egress-tagged {enable | disable}

When allow-mac-move is enabled, you can enable this option to ensure that egress EAPOL packets are tagged without needing additional checking.

enable

port-security-mode {none | 802.1X | 802.1X-mac-based | macsec}

Set the security mode for the port.

  • 802.1X—Use this setting for port-based authentication.
  • 802.1Xmac-based—Use this setting for MAC-based authentication.
  • macsec—Use this setting for MACsec.

If you change the security mode from none, you must set the security group with the set security-groups command.

none

auth-fail-vlan {enable | disable}

When enabled, the system assigns the auth-fail-vlanid to users who attempted to authenticate but failed to provide valid credentials.

disable

auth-fail-vlanid <VLAN_id>

Enter the VLAN identifier that the system assigns to users who attempted to authenticate but failed to provide valid credentials. This field is mandatory when auth-fail-vlan is enabled.

200

authserver-timeout-period <3-15>

Enter the number of seconds before the authentication server stops trying to authenticate users.

3

authserver-timeout-vlan {enable | disable}

Enable or disable whether users are assigned to the specified VLAN when the authentication server times out.

disable

authserver-timeout-vlanid <1-4094>

Enter the VLAN identifier that the system assigns to users when the authentication server times out. This field is mandatory when authserver-timeout-vlan is enabled.

300

eap-auto-untagged-vlans {enable | disable}

Enable to allow voice traffic with voice VLAN tag at egress.

enable

eap-passthru {disable | enable}

Enable or disable the EAP pass-through mode.

enable

framevid-apply {disable | enable}

Enable or disable the capability to apply the EAP/MAB frame VLAN to the port native VLAN.

NOTE: For phone and PC configuration only, disable framevid-apply to preserve the native VLAN when the data traffic is expected to be untagged.

enable

guest-auth-delay <integer>

If a device does not attempt to authenticate within this timeframe (in seconds), the guest VLAN is assigned.

5

guest-vlan {enable | disable}

When enabled, the system assigns the guest-vlanid to unauthorized users.

disable

guest-vlanid <VLAN_id>

VLAN identifier. Mandatory field when guest VLAN is enabled.

100

mab-eapol-request <0-10>

Set how many EAP packets are sent to trigger EAP authentication for “silent supplicants” (such as end devices running Windows 7) that send non-EAP packets when they wake up from sleep mode.

To disable this feature, set mab-eapol-request to 0 or disable mac-auth-bypass.

3

mac-auth-bypass {enable | disable}

Enable or disable MAC auth bypass.

disable

macsec-profile <MACsec_profile_name>

If you set the port-security-mode to macsec, specify which MACsec profile to use. Use the config switch macsec profile command to create a MACsec profile.

No default

open-auth {enable | disable}

Enable or disable open authentication (monitor mode) on this interface.

disable

quarantine-vlan {enable | disable}

Enable or disable quarantine VLAN detection. Enable this setting to use quarantines with 802.1x MAC-based authentication in FortiLink mode.

enable

radius-timeout-overwrite {enable | disable}

Enable this option to use the value of the session-timeout attribute. The session-timeout attribute specifies how many seconds of idleness are allowed before the FortiSwitch unit disconnects a session. The value must be more than 60 seconds.

disable

config raguard

<ID>

Enter an identifier for the IPv6 RA-guard configuration.

No default

raguard-policy <name_of_RA_guard_policy>

Enter the name of the RA-guard policy to use for this interface.

The RA-guard policy must be created (with the config switch raguard-policy command) before it is applied to an interface.

No default

vlan-list <list_of_VLANs>

Enter a VLAN or a range of VLANs to apply this policy to. Use less than 4,096 characters for the vlan-list value. Separate the VLANs and VLAN ranges with commans, for example:

1,3-4,6,7,9-100

All allowed VLANs on this port

config qnq

status {enable | disable}

Enable or disable VLAN stacking (QinQ) mode.

disable

add-inner <1-4095>

If the QinQ mode is enabled, add the inner tag for untagged packets upon ingress.

No default

edge-type customer

If the QinQ mode is enabled, the edge type is set to customer.

customer

priority {follow-c-tag | follow-s-tag}

If the QinQ mode is enabled, select whether to follow the priority of the S-tag (service tag) or C-tag (customer tag).

NOTE: This command is not available on the 224D-FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE and 248E-FPOE models.

follow-s-tag

remove-inner {enable | disable}

If the QinQ mode is enabled, enable or disable whether the inner tag is removed upon egress.

disable

s-tag-priority <0-7>

If packets follow the priority of the S-tag (service tag), enter the priority value. This option is available only when the priority is set to follow-s-tag.

NOTE: This command is not available on the 224D-FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE and 248E-FPOE models.

0

vlan-mapping-miss-drop {enable | disable}

If the QinQ mode is enabled, enable or disable whether a packet is dropped if the VLAN ID in the packetʼs tag is not defined in the vlan-mapping configuration.

disable

<id>

Enter a mapping entry identifier.

No default

description <string>

Enter a description of the mapping entry.

No default

match-c-vlan <1-4094>

Enter a matching customer (inner) VLAN.

0

new-s-vlan <1-4094>

Enter a new service (outer) VLAN.

NOTE: The VLAN must be in the portʼs allowed VLAN list.

This option is only available after you set the value for match-c-vlan.

No default

config vlan-mapping (not available when QinQ is enabled)

<id>

Enter an identifier for the VLAN mapping entry.

No default

description <string>

Enter a description of the VLAN mapping entry.

No default

direction {egress | ingress}

Select the ingress or egress direction.

No default

match-s-vlan <1-4094>

If the direction is set to egress, enter the service (outer) VLAN to match.

0

match-c-vlan <1-4094>

If the direction is set to ingress, enter the customer (inner) VLAN to match.

0

action {add | delete | replace}

Select what happens when the packet is matched:

  • add—When the packet is matched, add the service VLAN. You cannot set the action to add for the egress direction.
  • delete—When the packet is matched, delete the service VLAN. You cannot set the action to delete for the ingress direction.
  • replace—When the packet is matched, replace the customer VLAN or service VLAN.

This option is only available after you set a value for match-c-vlan or match-s-vlan.

No default

new-s-vlan <1-4094>

Set the new service (outer) VLAN.

This option is only available after you set the action to add or replace for the ingress direction or after you set the action to replace for the egress direction.

No default

Example

The following example shows QoS configuration on a trunk interface:

config switch interface

edit "tr1"

set snmp-index 56

set trust-dot1p-map "dot1p_map1"

set default-cos 1

set qos-policy "p1"

next

end

 

The following example shows how to configure 802.1x authentication:

config switch interface

edit "port11"

set native-vlan 200

set snmp-index 11

config port-security

set port-security-mode 802.1X

set auth-fail-vlan enable

set auth-fail-vlanid 301

set authserver-timeout-period 4

set authserver-timeout-vlan enable

set authserver-timeout-vlanid 300

set eap-auto-untagged-vlans enable

set eap-passthru enable

set framevid-apply enable

set guest-auth-delay 5

set guest-vlan enable

set guest-vlanid 401

set mab-eapol-request 0

set mac-auth-bypass disable

set open-auth disable

set quarantine-vlan enable

set radius-timeout-overwrite enable

end

set security-groups "radius1grp"

next

end

config switch ip-mac-binding

Use IP-MAC binding to prevent ARP spoofing.

The port accepts a packet only if the source IP address and source MAC address in the packet match an entry in the IP-MAC binding table.

You can enable or disable IP-MAC binding for the whole switch, and you can override this global setting for each port.

Syntax

config switch ip-mac-binding

edit <sequence_int>

set ip <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>

set mac <xx:xx:xx:xx:xx:xx>

set status {enable | disable}

next

end

Variable

Description

Default

<sequence_int>

Enter a sequence number for the IP-MAC binding entry.

No default

ip <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>

Enter the source IP address and network mask for this rule.

0.0.0.0 0.0.0.0

mac <xx:xx:xx:xx:xx:xx>

Enter the MAC address for this rule.

00:00:00:00:00:00

status {enable | disable}

Enable or disable the IP-MAC binding.

disable

Example

The following example configures the IP-MAC binding for the FortiSwitch unit:

config switch ip-mac-binding

edit 1

set ip 172.168.20.1 255.255.255.255

set mac 00:21:cc:d2:76:72

set status enable

next

end

config switch ip-source-guard

Use this command to configure IP source guard for a port by binding IPv4 addresses to MAC addresses.

Syntax

config switch ip-source-guard

edit <port_name>

config binding-entry

edit <id>

set ip <xxx.xxx.xxx.xxx>

set mac <XX:XX:XX:XX:XX:XX>

next

end

next

end

Variable

Description

Default

<port_name>

Enter the name of the port.

No default

<id>

Enter a unique integer to create a new entry.

No default

ip <xxx.xxx.xxx.xxx>

Required. Enter the IPv4 address to bind to the MAC address. Masks are not supported.

0.0.0.0

mac <XX:XX:XX:XX:XX:XX>

Required. Enter the MAC address to bind to the IPv4 address.

00:00:00:00:00:00

Example

The following example binds an IPv4 address to a MAC address so that traffic from that IP address will be allowed on port4:

config switch ip-source-guard

edit port4

config binding-entry

edit 1

set ip 172.168.20

set mac 00:21:cc:d2:76:72

next

end

next

end

config switch lldp profile

Use this command to configure LLDP profile settings. The LLDP profile contains most of the port-specific configuration. Profiles are designed to provide a central point of configuration for LLDP settings that are likely to be the same for multiple ports.

There are two static LLDP profiles: default and default-auto-isl. These profiles are created automatically. They can be modified but cannot be deleted. The default-auto-isl profile always has auto-isl enabled, and rejects any configurations which attempt to disable it.

Syntax

config switch lldp profile

edit <profile>

set 802.1-tlvs port-vlan-id

set 802.3-tlvs {eee-config | max-frame-size | power-negotiation}

set auto-isl {enable | disable}

set auto-isl-hello-timer <1-30>

set auto-isl-port-group <0-9>

set auto-isl-receive-timeout <3-90>

set auto-mclag-icl {enable | disable}

set med-tlvs (inventory-management | location-identification | network-policy | power-management)

config custom-tlvs

edit <TLVname_str>

set information-string <hex-bytes>

set oui <hex-bytes>

set subtype <integer>

next

config med-location-service

edit address-civic

set status {enable | disable}

set sys-location-id <string>

next

edit coordinates

set status {enable | disable}

set sys-location-id <string>

next

edit elin-number

set status {enable | disable}

set sys-location-id <string>

next

config med-network-policy

edit {guest-voice |  guest-voice-signaling | softphone-voice |

streaming-video | video-conferencing | video-signaling |

voice | voice-signaling}

set status {enable | disable}

set assign-vlan {enable | disable}

set dscp <0 - 63>

set priority <0 - 7>

set vlan <0 - 4094>

next

end

Variable

Description

Default

profile

Enter a name for the LLDP profile.

No default

802.1-tlvs

The only 802.1 TLV that can be enabled or disabled is port-vlan-id. This TLV will send the native VLAN of the port. If the value is changed, the sent value will reflect the updated value.

no TLV enabled

802.3-tlvs {eee-config | max-frame-size | power-negotiation}

Set which 802.3 TLVs are enabled:
  • eee-config—Use this TLV to send the energy-efficient Ethernet (EEE) status of the port.
  • max-frame-size—This TLV will send the maximum frame size value of the port. If the value is changed, the sent value reflects the updated value.
  • power-negotiation—Use this TLV to send the power over Ethernet (PoE) classification of the port.

no TLV enabled

auto-isl

Enable or disable the auto ISL capability.

Disabled

auto-isl-hello-timer <1-30>

Enter a value (in seconds) for the hello timer. The range is 1 to 30.

3

auto-isl-port-group <0-9>

Enter a value for the port group. The range is 0 to 9.

0

auto-isl-receive-timeout

Enter a value (in seconds) for the receive timeout. The range is 3 to 90.

9

auto-mclag-icl {enable | disable}

Enable or disable the MCLAG inter-chassis link.

disable

med-tlvs (inventory-management | location-identification | network-policy | power-management)

Enable the inventory-management TLVs, location-identification TLVs, network-policy TLVs, and/or power-management TLVs.

inventory-management network-policy location-identification

config custom-tlvs

<TLVname_str>

Enter the TLV name.

No default

information-string

Organizationally defined information string. Enter up to 507 bytes in hexadecimal notation.

No default

oui

Organizationally unique identifier. Enter 3 hexadecimal bytes (000000 - FFFFFF). At least one byte must have a non-zero value.

000000

subtype

Organizationally defined subtype. Enter an integer in the range of 0 to 255.

0

config med-location-service

address-civic

Civic address and postal information.

No default

status {enable | disable}

Enable the status to transmit the type-length-value (TLV) if the LLDP-MED profile has been enabled on a port.

disable

sys-location-id <string>

Use the specified location entry that was already entered with the config system location command.

No default

coordinates

Coordinates of the location.

No default

status {enable | disable}

Enable the status to transmit the type-length-value (TLV) if the LLDP-MED profile has been enabled on a port.

disable

sys-location-id <string>

Use the specified location entry that was already entered with the config system location command.

No default

elin-number

Emergency location identifier number (ELIN).

No default

status {enable | disable}

Enable the status to transmit the type-length-value (TLV) if the LLDP-MED profile has been enabled on a port.

disable

sys-location-id <string>

Use the specified location entry that was already entered with the config system location command.

No default

config med-network-policy

{guest-voice |  guest-voice-signaling | softphone-voice | streaming-video | video-conferencing | video-signaling | voice | voice-signaling}

Enter one of the policy type names.

No default

status {enable | disable}

Enable or disable the policy for the policy type.

disable

assign-vlan {enable | disable}

Enable or disable whether the VLAN is added as one of the allowed-vlans for this port.

disable

dscp <0-63>

DSCP value to send.

0

priority <0-7>

CoS priority value to send.

0

vlan <0-4094>

VLAN value to send.

Setting this option to 0 will advertise the network policy as priority tagged, rather than VLAN tagged. Priority tagged network policies are always transmitted, whereas VLAN tagged are only transmitted if the VLAN is present on the switch interface sending the LLDP packet.

0

NOTE: LLDP-MED network policies cannot be deleted or added. To use a policy, the med-tlvs field must include network-policy, and you must set the policy to enabled. The VLAN values on the policy are cross-checked against the VLAN native, allowed, and untagged attributes for any interfaces that contain physical-ports using this profile. The cross-check determines if the policy TLV should be sent (VLAN must be native or allowed), and if the TLV should mark the VLAN as tagged or untagged (VLAN is native, or is in untagged). The network policy TLV is automatically updated when a switch interface changes VLAN configuration, or if a physical port is added to, or removed from, a trunk.

Example

The following example configures an LLDP-MED profile:

config switch lldp profile

edit "Forti670i"

config med-network-policy

edit "voice"

set dscp 46

set priority 5

set status enable

set vlan 400

next

edit "guest-voice"

next

edit "guest-voice-signaling"

next

edit "softphone-voice"

next

edit "video-conferencing"

next

edit "streaming-video"

set dscp 40

set priority 3

set status enable

set vlan 400

next

edit "video-signaling"

next

end

set med-tlvs inventory-management network-policy

next

end

config switch lldp settings

Configure the global LLDP settings.

Syntax

config switch lldp settings

set status {enable| disable}

set tx-hold <1-16>

set tx-interval <5-4095>

set fast-start-interval <0 or 2-5>

set management-interface (internal | <string>)

set device-detection {enable | disable}

end

Variable

Description

Default

status

Enable or disable

Enabled

tx-hold

Number of tx-intervals before the local LLDP data expires. Therefore, the packet TTL (in seconds) is tx-hold times tx-interval. The range for tx-hold is 1 to 16.

4

tx-interval

How often the FortiSwitch transmits the LLDP PDU. The range is 5 to 4095 seconds.

30

fast-start-interval

How often the FortiSwitch transmits the first 4 LLDP packets when a link comes up. The range is 2 to 5 seconds.

Set this variable to zero to disable fast start.

2

management-interface

Primary management interface to be advertised in LLDP and CDP PDUs.

mgmt or internal, depending on FortiSwitch model.

device-detection {enable | disable}

Enable or disable whether LLDP neighbor devices are dynamically detected.

This option is available only in FortiLink mode.

disable

Example

The following example configures the global LLDP settings:

config switch lldp settings

set status enable

set tx-hold 8

set tx-interval 2000

set fast-start-interval 3

set management-interface internal

end

config switch macsec profile

Use these commands to configure a Media Access Control security (MACsec) profile.

Syntax

config switch macsec profile

edit <profile_name>

set cipher_suite GCM_AES_128

set confident-offset {0 | 30 | 50}

set encrypt-traffic {enable | disable}

set include-macsec-sci {enable | disable}

set include-mka-icv-ind enable

set macsec-mode static-cak

set macsec-validate strict

set mka-priority <0-255>

set replay-protect {enable | disable}

set replay-window <0-16777215>

set status {enable | disable}

config mka-psk

edit <pre-shared key name>

set crypto-alg AES_128_CMAC

set mka-cak <string>

set mka-ckn <string>

set status active

next

end

config traffic-policy

edit <traffic_policy_name>

set security-policy must-secure

set status enable

next

end

next

end

Variable

Description

Default

<profile_name> Enter a name for the MACsec profile. No default
cipher_suite GCM_AES_128 Only the GCM-AES-128 cipher suite is available currently for encryption. GCM_AES_128
confident-offset {0 | 30 | 50} Select the number of bytes for the MACsec traffic confidentiality offset. Selecting 0 means that all of the MACsec traffic is encrypted. Selecting 30 or 50 bytes means that the first 30 or 50 bytes of MACsec traffic are not encrypted. 0
encrypt-traffic {enable | disable} Enable or disable whether MACsec traffic is encrypted. enable
include-macsec-sci {enable | disable} Enable or disable whether to include the MACsec transmit secure channel identifier (SCI). enable
include-mka-icv-ind enable The MACsec Key Agreement (MKA) integrity check value (ICV) indicator is always included. enable
macsec-mode static-cak The MACsec mode is always static connectivity association key (CAK). static-cak
macsec-validate strict The MACsec validation is always strict. strict
mka-priority <0-255> Enter the MACsec MKA priority. 255
replay-protect {enable | disable} Enable or disable MACsec replay protection. MACsec replay protection drops packets that arrive out of sequence, depending on the replay-window value. disable
replay-window <0-16777215>

Enter the number of packets for the MACsec replay window size. If two packets arrive with the difference between their packet identifiers more then the replay window size, the most recent packet of the two is dropped. The range is 0-16777215 packets. Enter 0 to ensure that all packets arrive in order without any repeats.

32
status {enable | disable} Enable or disable this MACsec profile. enable
config mka-psk Configure the MACsec MKA pre-shared key.
<pre-shared key name> Enter a name for this MACsec MKA pre-shared key configuration. No default
crypto-alg AES_128_CMAC Only the AES_128_CMAC algorithm is available for encrypting the pre-shared key. AES_128_CMAC
mka-cak <string>

Enter the string of hexadecimal digits for the connectivity association key (CAK). The string can be up to 32-bytes long.

No default
mka-ckn <string>

Enter the string of hexadecimal digits for the connectivity association name (CKN). The string can be 1-byte to 64-bytes long.

No default
status active

The status of the pre-shared key pair is always active.

active

config traffic-policy

Configure the MACsec traffic policy.

<traffic_policy_name>

Enter a name for this MACsec traffic policy.

No default

security-policy must-secure

The policy must secure traffic for MACsec.

must-secure

status enable

The status of this MACsec traffic policy is always enabled.

enable

Example

This example configures a MACsec profile.

config switch macsec profile

edit "2"

set cipher_suite GCM_AES_128

set confident-offset 0

set encrypt-traffic enable

set include-macsec-sci enable

set include-mka-icv-ind enable

set macsec-mode static-cak

set macsec-validate strict

set mka-priority 199

config mka-psk

edit "2"

set crypto-alg AES_128_CMAC

set mka-cak "0123456789ABCDEF0123456789ABCDEE"

set mka-ckn "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333436"

set status active

next

end

set replay-protect disable

set replay-window 32

set status enable

config traffic-policy

edit "2"

set security-policy must-secure

set status enable

next

end

next

end

config switch mirror

Use these commands to configure the packet mirror. Packet mirroring allows you to collect packets on specified ports and then send them to another port to be collected and analyzed.

Syntax

config switch mirror

edit <mirror session name>

set dst <interface>

set encap-gre-protocol <hexadecimal_integer>

set encap-ipv4-src <IPv4_address>

set encap-ipv4-tos <hexadecimal_integer>

set encap-ipv4-ttl <0-255>

set encap-mac-dst <MAC_address>

set encap-mac-src <MAC_address>

set encap-vlan {tagged | untagged}

set encap-vlan-cfi <0-1>

set encap-vlan-id <1-4094>

set encap-vlan-priority <0-7>

set encap-vlan-tpid <0x0001-0xfffe>

set erspan-collector-ip <IPv4_address>

set mode {ERSPAN-auto | ERSPAN-manual | RSPAN | SPAN}

set rspan-ip <IPv4_address>

set src-egress <interface_name>

set src-ingress <interface_name>

set status {active | inactive}

set strip-mirrored-traffic-tags {disable | enable}

set switching-packet {enable | disable}

end

Variable

Description

Default

<mirror session name>

Enter the name of the mirror session to edit (or enter a new mirror session name).

No default

dst <interface>

Required when the mode is set to ERSPAN-manual, RSPAN (when the switch is not in FortiLink mode), or SPAN.

On FortiSwitch models that support RSPAN and ERSPAN, set the trunk or physical port that will act as a mirror. The physical port cannot be part of a trunk.

On FortiSwitch models that do not support RSPAN and ERSPAN, set the physical port that will act as a mirror. The physical port can be part of a trunk.

No default

encap-gre-protocol <hexadecimal_integer>

Set the protocol value in the ERSPAN GRE header.

This option is available when the mode is ERSPAN-auto or ERSPAN-manual.

0x88be

encap-ipv4-src <IPv4_address>

Required when the mode is set to ERSPAN-manual and the status is active.

Set the IPv4 source address in the ERSPAN IP header. The range is 0.0.0.1-255.255.255.254.

This option is available when the mode is ERSPAN-manual.

0.0.0.0

encap-ipv4-tos <hexadecimal_integer>

Set the type of service (ToS) value or enter the DSCP and ECN values in the ERSPAN IP header.

This option is available when the mode is ERSPAN-auto or ERSPAN-manual.

0x00

encap-ipv4-ttl <0-255>

Set the IPv4 time-to-live (TTL) value in the ERSPAN IP header.

This option is available when the mode is ERSPAN-auto or ERSPAN-manual.

16

encap-mac-dst <MAC_address>

Required when the mode is set to ERSPAN-manual and the status is active.

Set the MAC address of the next-hop or gateway on the path to the ERSPAN collector IP address. The range is 00:00:00:00:00:01-FF:FF:FF:FF:FF:FF.

This option is available only when the mode is ERSPAN-manual.

00:00:00:00:00:00

encap-mac-src <MAC_address>

Required when the mode is set to ERSPAN-manual and the status is active.

Set the source MAC address in the ERSPAN Ethernet header. The range is 00:00:00:00:00:01-FF:FF:FF:FF:FF:FE.

This option is available when the mode is ERSPAN-manual.

00:00:00:00:00:00

encap-vlan {tagged | untagged}

Set the status of ERSPAN encapsulation headers to tagged or untagged to control whether the VLAN header is added to the encapsulated traffic.

This option is available if the mode is ERSPAN-manual.

untagged

encap-vlan-cfi <0-1>

Set the canonical format identifier (CFI) or drop eligible indicator (DEI) bit in the ERSPAN or RSPAN VLAN header.

This option is available when the mode is RSPAN or ERSPAN-auto. This option is available for the ERSPAN-manual mode if encap-vlan is set to tagged.

When the mode is RSPAN, this option is not available on the 248D, 248D-POE, 248D-FPOE,248E, 248E-POE, 248E-FPOE, 448D, 448D-POE, and 448D-FPOE models.

0

encap-vlan-id <1-4094>

Set the VLAN identifier in the ERSPAN or RSPAN VLAN header.

This option is available when the mode is RSPAN. This option is available for the ERSPAN-manual mode if encap-vlan is set to tagged.

1

encap-vlan-priority <0-7>

Set the class of service (CoS) bits in the ERSPAN or RSPAN VLAN header.

This option is available when the mode is RSPAN or ERSPAN-auto. This option is available for the ERSPAN-manual mode if encap-vlan is set to tagged.

When the mode is RSPAN, this option is not available on the 248D, 248D-POE, 248D-FPOE,248E, 248E-POE, 248E-FPOE, 448D, 448D-POE, and 448D-FPOE models.

0

encap-vlan-tpid <0x0001-0xfffe>

Set the tag protocol identifier (TPID) for the encapsulating VLAN header. The default value, 0x8100, is for an IEEE 802.1Q-tagged frame.

This option is available when the mode is RSPAN or ERSPAN-auto. This option is available for the ERSPAN-manual mode if encap-vlan is set to tagged.

0x8100

erspan-collector-ip <IPv4_address>

Required when the status is active and the mode is set to ERSPAN-auto or ERSPAN-manual.

Set the IPv4 address for the ERSPAN collector. The range is 0.0.0.1-255.255.255.255.

This option is available only when the mode is ERSPAN-auto or ERSPAN-manual.

0.0.0.0

mode {ERSPAN-auto | ERSPAN-manual | RSPAN | SPAN}

Select the mirroring mode:

  • ERSPAN-auto—Mirror traffic to the specified destination interface using ERSPAN encapsulation. The header contents are automatically configured.
  • ERSPAN-manual—Mirror traffic to the specified destination interface using ERSPAN encapsulation. The header contents are manually configured.
  • RSPAN—Mirror traffic to the specified destination interface using RSPAN encapsulation.
  • SPAN—Mirror traffic to the specified destination interface without encapsulation.

SPAN is supported on all FortiSwitch models. RSPAN and ERSPAN are supported on 124D, 224D-FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE, 248E-FPOE, 524D, 524D-FPOE, 548D, 548D-FPOE, 1024D, 1048D, 1048E, 3032D, and 3032E.

SPAN

rspan-ip <IPv4_address>

Required when the mode is RSPAN, the status is active, and the switch is in FortiLink mode.

Enter the destination IP address for the RSPAN collector. The range is 0.0.0.1-255.255.255.255.

This option is available only when the mode is RSPAN and the switch is in FortiLink mode.

0.0.0.0

src-egress <interface_name>

Optional. Set the source egress physical ports that will be mirrored. Only one active egress mirror session is allowed.

No default

src-ingress <interface_name>

Optional. Specify the source ingress physical ports that will be mirrored.

No default

status {active | inactive}

Set the mirror session to active or inactive.

inactive

strip-mirrored-traffic-tags {disable | enable}

Enable or disable the removal of VLAN tags from mirrored traffic.

This option is available if the mode is ERSPAN-auto or ERSPAN-manual.

disable

switching-packet {enable | disable}

Enable or disable the switching functionality on the dst interface when mirroring.

disable

Example

The following example configures a port mirror:

config switch mirror

edit "m1"

set mode SPAN

set dst "port5"

set src-egress "port2" "port3"

set src-ingress "port2" "port4"

set status active

set switching-packet enable

end

config switch mld-snooping globals

Use this command to configure global settings for Multicast Listener Discovery (MLD) snooping on the FortiSwitch unit.

Syntax

config switch mld-snooping globals

set aging-time <integer>

set leave-response-timeout <integer>

set query-interval <10-1200>

end

Variable

Description

Default

aging-time <integer>

The maximum number of seconds to retain a multicast snooping entry for which no packets have been seen (15-3600).

300

leave-response-timeout <integer>

Enter the maximum number of seconds that the switch waits after sending a group-specific query in response to the leave message. The range of values is 1-20.

10

query-interval <10-1200>

Enter the maximum number of seconds between MLD queries.

125

Example

The following example configures the global settings for MLD snooping on the FortiSwitch unit:

config switch mld-snooping globals

set aging-time 150

set leave-response-timeout 15

set query-interval 200

end

config switch mrp profile

Use this command to configure a Media Redundancy Protocol (MRP) profile.

Syntax

config switch mrp profile

edit <MRP_profile_name>

set default-test-interval <30-50 ms>

set short-test-interval <10-30 ms>

set test-monitoring-count <1-5>

set topology-change-interval <10-20 ms>

set topology-change-repeat-count <1-5>

next

end

Variable

Description

Default

<MRP_profile_name> Enter a name for the MRP profile. No default
default-test-interval <30-50 ms> Enter the default number of milliseconds between sending MRP_Test frames. 50
short-test-interval <10-30 ms> Enter the number of milliseconds before sending MRP_Test frames after link changes in the ring. 30

test-monitoring-count <1-5>

Enter the number of MRP_Test frames received that are monitored.

5

topology-change-interval <10-20 ms>

Enter the number of milliseconds between sending MRP_TopologyChange frames.

20

topology-change-repeat-count <1-5>

Enter the number of repeated MRP_TopologyChange frames that are transmitted.

3

config switch mrp settings

Use this command to configure the Media Redundancy Protocol (MRP) settings.

Syntax

config switch mrp settings

set status {disable | enable}

set role {automanager | client}

set domain-id <32_hexadecimal_digits>

set domain-name <domain_name>

set vlan-id <1-4094>

set priority <0-65535>

set ring-port1 <port_name>

set ring-port2 <port_name>

set profile-name {500ms | <custom_profile_name>}

end

Variable

Description

Default

status {disable | enable} Enable or disable MRP. disable
role {automanager | client} Select whether the switch acts as an MRP client or an MRP automanager. client
domain-id <32_hexadecimal_digits> Enter a universally unique identifier to represent the MRP ring. FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF
domain-name <domain_name> Enter a unique logical name for the MRP domain identifier. domain1
vlan-id <1-4094> Optional. Enter the VLAN identifier for sending MRP frames. If you set this option to a different value than 1, the VLAN must be created before it is assiged to the MRP ring. 1
priority <0-65535> Enter the priority of the MRP manager. The highest priority is 0, and the lowest priority is 65535. 40960

ring-port1 <port_name>

The physical port that serves as the first ring port.

No default

ring-port2 <port_name>

The physical port that serves as the second ring port.

No default

profile-name {500ms | <custom_profile_name>}

A unique MRP profile name.

500ms

config switch network-monitor directed

Use this command to configure a static entry for network monitoring on the FortiSwitch unit.

Syntax

config switch network-monitor directed

edit <unused network monitor>

set monitor-mac <xx:xx:xx:xx:xx:xx>

end

Variable

Description

Default

<unused network monitor>

Enter the number of an unused network monitor.

No default

monitor-mac <xx:xx:xx:xx:xx:xx>

Enter the MAC address to be monitored.

00:00:00:00:00:00

Example

The following example specifies a MAC address to be monitored:

config switch network-monitor directed

edit 1

set monitor-mac 00:25:00:61:64:6d

next

end

config switch network-monitor settings

Use this command to configure global settings for network monitoring on the FortiSwitch unit.

Syntax

config switch network-monitor settings

set db-aging-interval <integer>

set status {disable | enable}

set survey-mode {disable | enable}

set survey-mode-interval <integer>

end

Variable

Description

Default

db-aging-interval <integer>

Enter the network monitor database aging interval. The value range is 3600-86400 seconds. Set the option to 0 to disable it.

3600

status {disable | enable}

Enable or disable the network monitor.

disable

survey-mode {disable | enable}

Enable or disable the network monitor survey mode.

disable

survey-mode-interval <integer>

Enter the duration for which a network monitor is programmed in hardware in the survey mode. The value range is 120-3600 seconds.

120

Example

The following example starts network monitoring in survey mode:

config switch network-monitor settings

set status enable

set survey-mode enable

set survey-mode-interval 480

end

config switch phy-mode

On FortiSwitch models that provide 40G QSFP (quad small form-factor pluggable) interfaces, you can install a breakout cable to convert one 40G interface into four 10G interfaces. Use this command to configure split ports.

Notes

  • Splitting ports is supported on the following FortiSwitch models:
    • 3032D (ports 5 to 28 are splittable)
    • 3032E (Ports can be split into 4 x 25G when configured in 100G QSFP28 mode or can be split into 4 x 10G when configured in 40G QSFP mode. Use the set <port-name>-phy-mode disabled command to disable some 100G ports to allow up to sixty 25G, 10G, or 1G ports.)
    • 524D, 524D-FPOE (ports 29 and 30 are splittable)
    • 548D, 548D-FPOE (ports 53 and 54 are splittable)
    • 1048E (In the 4 x 100G configuration, ports 49, 50, 51, and 52 are splittable as 4 x 25G, 4 x 10G, 4 x 1G, or 2 x 50G. Only two of the available ports can be split.)
    • 1048E (In the 4 x 4 x 25G configuration, ports 49, 50, 51, and 52 are splittable as 4 x 4 x 25G or 2 x 50G. All four ports can be split, but ports 47 and 48 are disabled.)
    • 1048E (In the 6 x 40G configuration, ports 49, 50, 51, 52, 53, 54 are splittable as 4 x 10G or 4 x 1G.)

    Use the set port-configuration ? command to check which ports are supported for each model.

  • Currently, the maximum number of ports supported in software is 64 (including the management port). Therefore, only 10 QSFP ports can be split. This limitation applies to all of the models, but only the 3032D and the 1048E models have enough ports to encounter this limit.
  • Starting in FortiOS 6.2.0, splitting ports is supported in FortiLink mode (that is, the FortiSwitch unit managed by a FortiGate unit).
  • Starting in FortiSwitchOS 6.4.0, FC-FEC (cl74) is enabled as the default setting for ports that have been split to 4x25G. Use the following commands to change the setting:

config switch physical-port

edit <split_port_name>

set fec-state {cl74 | disabled}

end

Syntax

config switch phy-mode

set port-configuration {default | disable-port54 | disable-port41-48 | 4x100G | 6x40G | 4x4x25G}

set {<port-name>-phy-mode <single-port| 4x25G | 4x10G | 4x1G | 2x50G}

...

end

Variable

Description

Default

port-configuration {default | disable-port54 | disable-port41-48 | 4x100G | 6x40G | 4x4x25G}

For 548D and 548D-FPOE, set this option to disable-port54 if only port 53 is splittable and port 54 is unavailable.

For 548D and 548D-FPOE, set this option to disable-port41-48 if ports 41 to 48 are unavailable, but ports 53 and 54 are splittable.

For 1048E, set this option to 4x100G to enable the maximum speed (100G) of ports 49 through 52. Ports 53 and 54 are disabled.

For 1048E, set this option to 6x40G to enable the maximum speed (40G) of ports 49 through 54.

For 1048E, set this option to 4x4x25G to enable the maximum speed (25G) of ports 49 through 52. Ports 47 and 48 are disabled.

default

port<number>-phy-mode {<port-name>-phy-mode <single-port| 4x25G | 4x10G | 4x1G | 2x50G}

Use one entry for each port that supports split ports.

Set this option to single-port to use the port at the full base speed without splitting it.

For 100G QSFP only, set this option to 4x25G to split one port into four subports of 25 Gbps each.

For 40G or 100G QSFP only, set this option to 4x10G to split one port into four subports of 10Gbps each.

For 40G or 100G QSFP only, set this option to 4x1G to split one port into four subports of 1 Gbps each.

For 100G QSFP only, set this option to 2x50G to split one port into two subports of 50 Gbps each.

1x40G

Example

In the following example, a FortiSwitch 3032D is configured with ports 10, 14, and 28 set to 4x10G:

config switch phy-mode

set port5-phy-mode 1x40G

set port6-phy-mode 1x40G

set port7-phy-mode 1x40G

set port8-phy-mode 1x40G

set port9-phy-mode 1x40G

set port10-phy-mode 4x10G

set port11-phy-mode 1x40G

set port12-phy-mode 1x40G

set port13-phy-mode 1x40G

set port14-phy-mode 4x10G

set port15-phy-mode 1x40G

set port16-phy-mode 1x40G

set port17-phy-mode 1x40G

set port18-phy-mode 1x40G

set port19-phy-mode 1x40G

set port20-phy-mode 1x40G

set port21-phy-mode 1x40G

set port22-phy-mode 1x40G

set port23-phy-mode 1x40G

set port24-phy-mode 1x40G

set port25-phy-mode 1x40G

set port26-phy-mode 1x40G

set port27-phy-mode 1x40G

set port28-phy-mode 4x10G

end

 

In the following example, a FortiSwitch 1048E model is configured so that each port is split into four subports of 25 Gbps each.

config switch phy-mode

set port-configuration 4x4x25G

set port49-phy-mode 4x25G

set port50-phy-mode 4x25G

set port51-phy-mode 4x25G

set port52-phy-mode 4x25G

end

config switch physical-port

Use this command to configure a physical port.

Syntax

config switch physical-port

edit <port_name>

set cdp-status {disable | rx-only | tx-only | tx-rx}

set description <description_str>

set dmi-status {disable | enable | global}

set egress-drop-mode {disabled | enabled}

set energy-efficient-ethernet {enable | disable}

set eee-tx-idle-time <integer>

set eee-tx-wake-time <integer>

set fec-state {cl74 | cl91 | detect-by-module | disabled}

set flapguard {enabled | disabled}

set flap-duration <5-300>

set flap-rate <1-30>

set flap-timeout <0-120>

set flow-control {tx | rx | both | disable}

set fortilink-p2p {enable | disable}

set pause-meter-rate <integer>

set pause-resume {25% | 50% | 75%}

set l2-learning {enable | disable}

set lldp-profile <profile name>

set lldp-status {tx-only | rx-only | tx-rx | disable}

set loopback {disable | local | remote}

set max-frame-size <bytes_int>

set poe-port-mode {IEEE802_3AF | IEEE802_3AT}

set poe-port-priority {critical-priority | high-priority | low-priority}

set poe-pre-standard-detect {disable | enable}

set poe-status {enable | disable}

set priority-based-flow-control {enable | disable}

set qsfp-low-power-mode {enabled | disabled}

set speed <speed_str>

set status {down | up}

set storm-control-mode {disabled | global | override}

config storm-control

set broadcast {enable | disable}

set burst-size-level <0-4>

set rate [0 | 2-10000000]

set unknown-multicast {enable | disable}

set unknown-unicast {enable | disable}

end

Variable

Description

Default

<port_name>

Enter the port name.

No default

cdp-status {disable | rx-only | tx-only | tx-rx}

Set the CDP transmit and receive status (LLDP must be enabled in LLDP settings).
  • disable disables CDP transmit and receive.
  • rx-only enables CDP as receive only.
  • tx-only enables CDP as transmit only.
  • tx-rx enables CDP transmit and receive.

disable

description <description_str>

Optionally enter a description.

No default

dmi-status

Enable or disable DMI access. Set to global to use the global switch setting.

global

egress-drop-mode {disabled | enabled>

Enable or disable egress drop.

enabled

energy-efficient-ethernet {enable | disable}

Enable or disable energy-efficient Ethernet.

disable

eee-tx-idle-time <integer>

Enter the number of microseconds that circuits are turned off to save power. The range is 0-2560 microseconds. This option is available only if energy-efficient-ethernet is enabled.

60

eee-tx-wake-time <integer>

Enter the number of microseconds during which no data is transmitted while the circuits that were turned off are being restarted. The range is 0-2560 microseconds. This option is available only if energy-efficient-ethernet is enabled.

30

fec-state {cl74 | cl91 | detect-by-module | disabled}

Set the Forward Error Correction (FEC) state:

  • cl74—Enable Clause 74 RS-FEC, which only applies to 25 Gbps.
  • cl91—Enable Clause 91 RS-FEC, which only applies to 100 Gbps.
  • detect-by-module—Automatically detect whether FEC is supported by the module. This option applies to the 25G and 100G ports of the FS-1048E and FS-3032E models.
  • disabled—Disable FEC.

detect-by-module

flapguard {enabled | disabled}

Enable or disable flap guard for this port.

disabled

flap-duration <5-300>

After enabling the port flap guard, set the number of seconds during which the flap rate is counted.

30

flap-rate <1-30>

After enabling the port flap guard, set how many times that a portʼs status changes during a specified number of seconds before the flap guard is triggered.

5

flap-timeout <0-120>

After enabling the port flap guard, set the number of minutes before flap guard resets. Setting this value to 0 means that there is no timeout.

0

flow-control {tx | rx | both | disable}

Set flow control:
  • tx—Enable transmit pause only.
  • rx—Enable receive pause only.
  • both—Enable both transmit and receive pause.
  • disable—Disable flow control.

disable

fortilink-p2p {enable | disable}

Enable or disable running FortiLink mode over a point-to-point layer-2 network.

disable

pause-meter-rate <integer>

Enter the number of kilobits for the ingress metering rate. The range is 64 to 2147483647. Set to 0 to disable. Available if flow-control is set to tx.

0

pause-resume {25% | 50% | 75%}

Enter the percentage of the threshold to resume traffic to the ingress port. Available if flow-control is set to tx and pause-meter-rate is set to a nonzero value.

75%

l2-learning

Enable or disable dynamic IP learning for this interface

enabled

lldp-profile

Enter the LLDP profile name for this port.

default

lldp-status

Set LLDP status for this port:
  • tx-only — enable transmit only
  • rx-only — enable receive only
  • tx-rx — enable both transmit and receive
  • disable — disable LLDP 

tx-rx

loopback {disable | local | remote}

Set whether the physical port loops back on itself, either locally or remotely:
  • Select local for a physical-layer loopback. If the hardware does not support a physical-layer loopback, a MAC-address loopback is used instead.
  • Select remote for a physical-layer lineside loopback.

disable

max-frame-size <bytes_int>

Set the maximum frame size. The range is 68 to 16360.

NOTE: For the eight models in the 1xxE series, this command is under the config switch global command.

9216

poe-port-mode {IEEE802_3AF | IEEE802_3AT}

Set the PoE port mode to IEEE802.3AFor IEEE802.3AT.

IEEE802_3AT

poe-port-priority {critical-priority | high-priority | low-priority}

Set the port priority. If there is not enough power, power is alloted first to critical-priority ports, then to high-priority ports, and then to low-priority ports.

low-priority

poe-pre-standard-detect {disable | enable}

Enable or disable PoE pre-standard detection.

NOTE: PoE pre-standard detection is a global setting for the following FortiSwitch models: FSR-112D-POE, FS-548D-FPOE, FS-524D-FPOE, FS-108D-POE, FS-224D-POE, FS-108E-POE, FS-108E-FPOE, FS-124E-POE, FS-124E-FPOE, 148F-POE, and 148F-FPOE. For the other FortiSwitch PoE models, PoE pre-standard detection is set on each port.

disable

poe-status {enable | disable}

Enable Power over Ethernet. This option is only available with the FortiSwitch-324B-POE.

enable

priority-based-flow-control {enable | disable}

Enable priority-based flow control to avoid frame loss by stopping incoming traffic when a queue is congested. When priority-based flow control is disabled, 802.3 flow control can be used.

disable

qsfp-low-power-mode {enabled | disabled}

Enable or disable the low-power mode on FortiSwitch models with QSFP (quad small form-factor pluggable) ports.

disabled

speed <speed_str>

Set the speed of this port. Values depend on the switch model and port. For example:

  • 1000auto—Auto-negotiation (1 Gbps full-duplex only).
  • 100full—100 Mbps full-duplex.
  • 100half—100 Mbps half-duplex.
  • 10full—10 Mbps full-duplex.
  • 10half—10 Mbps half-duplex.
  • auto—Auto-negotiation.
  • 10000cr—10 Gbps copper interface.
  • 10000full—10 Gbps full-duplex.
  • 10000sr—10 Gbps SFI interface.
  • 1000full—1 Gbps full-duplex.
  • auto-module—Maximum speed supported by module.

auto

status {down | up}

Set the administrative status of this interface: up or down.

up

storm-control-mode {disabled | global | override}

By default, you configure storm control on a system-wide level. Set this option to override if you want to configure storm control on a per-port level using the config storm-control command, which is only available when the storm-control-mode is set to override. Set this option to disabled to deactivate port-level storm-control configuration.

global

config storm-control

broadcast {enable | disable}

Enable or disable storm control for broadcast traffic.

disable

burst-size-level <0-4>

Set the burst-size level for storm control. Use a higher number to handle bursty traffic. The maximum number of packets or bytes allowed for each burst-size level depends on the switch model.

NOTE: This command is not available for the FS-108E, FS-108E-POE, FS-108-FPOE, FS-124E, FS-124E-POE, and FS-124E-FPOE models.

0

rate [0 | 2-10000000]

Specify the rate as packets-per-second. If you set the rate to zero, the system drops all packets (for the enabled traffic types).

500

unknown-multicast {enable | disable}

Enable or disable storm control for unknown multicast traffic.

disable

unknown-unicast {enable | disable}

Enable or disable storm control for unknown unicast traffic.

disable

Example

In the following example, port 4 is configured:

config switch physical-port

edit "port4"

set lldp-profile "Forti670i"

set speed auto

next

end

config switch ptp policy

Use this command to configure the Precision Time Protocol (PTP) policy.

Syntax

config switch ptp policy

edit {default | <policy_name>}

set status {enable | disable}

next

end

Variable

Description

Default

{default | <policy_name>}

Enter the name of the PTP policy or ue the default PTP policy.

No default

status {enable | disable}

Enable or disable the PTP policy. The PTP policy will not take effect until the mode is set under the config switch ptp settings command.

disable

Example

config switch ptp policy

edit "newptp"

set status enable

next

end

config switch ptp settings

Use this command to configure the Precision Time Protocol (PTP) global settings.

Syntax

config switch ptp settings

set mode {disable | transparent-e2e | transparent-p2p}

end

Variable

Description

Default

mode {disable | transparent-e2e | transparent-p2p}

Enable or disable the PTP mode:
  • disable—Disable the PTP mode. The packets are forwarded without changes to the correction field.
  • transparent-e2e—Enable the end-to-end transparent clock.
  • transparent-p2p—Enable the peer-to-peer transparent clock.

disable

Example

config switch ptp settings

set mode transparent-e2e

end

config switch qos dot1p-map

Use this command to configure a dot1p map. A dot1p map defines a mapping between IEEE 802.1p CoS values (from incoming packets on a trusted interface) and the egress queue values. For an example, see Appendix: FortiSwitch QoS template.

NOTE: You can configure only one dot1p map per switch on the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models.

Syntax

config switch qos dot1p-map

edit <dot1p map name>

set description <text>

set [priority-0|priority-1|priority-2|...priority-7] <queue number>

set egress-pri-tagging {disable | enable}

next

end

Variable

Description

Default

<dot1p map name>

Enter the name of a dot1p map.

No default

<text>

Enter a description of the dot1p map.

No default

[priority-0|priority-1|priority-2|...priority-7] <queue number>

Set the priority of each queue.

queue-0

egress-pri-tagging {disable | enable}

Enable or disable priority tagging on outgoing frames.

NOTE: This command is not available on the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models.

disable

Example

config switch qos dot1p-map

edit "test1"

set priority-0 queue-2

set priority-1 queue-0

set priority-2 queue-1

set priority-3 queue-3

set priority-4 queue-4

set priority-5 queue-5

set priority-6 queue-6

set priority-7 queue-7

set egress-pri-tagging enable

next

end

 

Values that are not explicitly included in the map will follow the default mapping, which maps each priority (0-7) to queue 0.

If an incoming packet contains no CoS value, the switch assigns a CoS value of zero. Use the set default-cos <interface> command to configure a different default CoS value. The valid range is from 0 to 7. The configured default CoS only applies if you also set trust-dot1p-map on the interface.

config switch qos ip-dscp-map

Use this command to configure a DSCP map. A DSCP map defines a mapping between IP Precedence or Differentiated Services Code Point (DSCP) values and the egress queue values. For an example, see Appendix: FortiSwitch QoS template.

NOTE: You can configure only one DSCP map per switch on the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models.

Syntax

config switch qos ip-dscp-map

edit <ip-dscp map name>

set description <text>

config map

edit <entry-name>

set diffserv [ [ AF11 | AF12 | AF13 | AF21 | AF22 | AF23 | AF31 | AF32 | AF33 | AF41 | AF42 | AF43 | CS0 | CS1 | CS2 | CS3 | CS4 | CS5 | CS6 | CS7 | EF ]

set ip-precedence [ Network Control | Internetwork Control | Critic/ECP | Flash Override | Flash, Immediate | Priority | Routine ]

set value <dscp raw value>

set cos-queue <queue number>

next

end

next

end

Variable

Description

Default

<ip-dscp map name>

Enter the name of a DSCP map.

No default

<text>

Enter a description of the DSCP map.

No default

<entry-name>

Enter a unique integer to create a new entry.

No default

diffserv [ [ AF11 | AF12 | AF13 | AF21 | AF22 | AF23 | AF31 | AF32 | AF33 | AF41 | AF42 | AF43 | CS0 | CS1 | CS2 | CS3 | CS4 | CS5 | CS6 | CS7 | EF ]

Set the differentiated service.

No default

ip-precedence [ Network Control | Internetwork Control | Critic/ECP | Flash Override | Flash, Immediate | Priority | Routine ]

Set the IP precedence.

No default

value <dscp raw value>

enter the raw value of DSCP (0-63).

No default

cos-queue <queue number>

Enter the CoS queue number.

0

Example

The following example defines a mapping for two of the DSCP values:

config switch qos ip-dscp-map

edit "m1"

config map

edit "e1"

set cos-queue 0

set ip-precedence Immediate

next

edit "e2"

set cos-queue 3

set value 13

next

end

next

end

 

Values that are not explicitly included in the map will follow the default mapping, which assigns queue 0 for all DSCP values.

config switch qos qos-policy

Use this command to configure QoS policies. For an example, see Appendix: FortiSwitch QoS template.

In a QoS policy, you set the scheduling mode (Strict, Round Robin, Weighted Round Robin) for the policy, and configure one or more CoS queues.

Syntax

config switch qos qos-policy

edit <policy_name>

set rate-by {kbps | percent}

set schedule {strict | round-robin | weighted}

config cos-queue

edit [queue-0 ... queue-7]

set description <text>

set drop-policy {taildrop | weighted-random-early-detection}

set ecn {enable | disable}

set max-rate <rate kbps>

set min-rate <rate kbps>

set max-rate-percent <percentage>

set min-rate-percent <percentage>

set weight <value>

set wred-slope <value>

next

end

next

end

Variable

Description

Default

<policy_name>

Enter the name of the QoS policy.

No default

rate-by {kbps | percent}

Set whether the CoS queue rate is measured in kbps or by percentage.

kbps

schedule {strict | round-robin | weighted}

Set the CoS queue scheduling.
  • strict—The queues are served in descending order (of queue number), so higher number queues receive higher priority. The purpose of the strict scheduling mode is to provide lower latency service to higher classes of traffic. However, if the interface experiences congestion, the lower priority traffic could be starved.
  • round-robin— In round robin mode, the scheduler visits each backlogged queue, servicing a single packet from each queue before moving on to the next one. The purpose of round robin scheduling is to provide fair access to the egress port bandwidth.
  • weighted— Each of the eight egress queues is assigned a weight value ranging from 0 to 63. The purpose of weighted round robin scheduling is to provide prioritized access to the egress port bandwidth, such that queues with higher weight get more of the bandwidth, but lower priority traffic is not starved.

round-robin

[queue-0 ... queue-7]

Set the CoS queue to update.

No default

description <text>

Enter a description of the CoS queue.

No default

drop-policy {taildrop | weighted-random-early-detection}

Set the CoS queue drop policy.
  • taildrop—When the queue is full, new packets are dropped.
  • weighted-random-early-detection—When the queue reaches the packet-dropping threshold, packets start getting dropped randomly based on the probability defined in the wred-slope setting.
NOTE: For the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models, set the CoS queue drop policy under the config switch global command.

taildrop

set ecn {enable | disable}

If you select random early detection in the CLI, you can enable explicit congestion notification (ECN) marking to indicate that congestion is occuring without just dropping packets. If you disable this option, the normal queue drop policy applies.

disable

max-rate <rate kbps>

If you set the rate-by to kbps, enter the maximum rate in kbps. Set the value to 0 to disable.

NOTE: For the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models, the switch rounds the max-rate value to the nearest multiple of 16 internally. If the rounding result is 0, max-rate is disabled internally.

0

min-rate <rate kbps>

If you set the rate-by to kbps, enter the minimum rate in kbps. Set the value to 0 to disable.

NOTE: This command is not available on the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models.

0

max-rate-percent <percentage>

If you set the rate-by to percent, enter the maximum rate as a percentage of the link speed.

0

min-rate-percent <percentage>

If you set the rate-by to percent, enter the minimum rate as a percentage of the link speed.

NOTE: This command is not available on the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models.

0

weight <value>

Enter the weight of weighted round robin scheduling. (applicable if the policy schedule is weighted )

1

wred-slope <value>

Enter the slope of WRED drop probability.

NOTE: For the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models, set the QoS RED/WRED drop probability under the config switch global command.

45

Example

The following example defines a QoS policy for queue 0:

config switch qos qos-policy

edit policy1

set rate-by kbps

set schedule weighted

config cos-queue

edit queue-0

set description "QoS policy for queue 0"

set drop-policy weighted-random-early-detection

set max-rate 20

set min-rate 10

set weight 5

set wred-slope 15

end

end

config switch quarantine

NOTE: This command is available only in FortiLink mode.

Us this command to specify which MAC addresses to quarantine on the FortiSwitch unit.

Syntax

config switch quarantine

edit <MAC_address_to_quarantine>

set cos-queue <0-7>

set description <string>

set drop {enable | disable}

set policer <integer>

end

Variable

Description

Default

<MAC_address_to_quarantine>

Enter the MAC address to quarantine.

No default

cos-queue <0-7>

Set the class-of-service queue for the quarantined device traffic. Use the unset cos-queue command to disable this setting.

No default

description <string>

Enter an optional description of the quarantined MAC address.

No default

drop {enable | disable}

Enable or disable whether quarantined device traffic is dropped.

disable

policer <integer>

Set the ACL policer for the quarantined device traffic.

0

config switch raguard-policy

Use this command to specify the criteria that router advertisement (RA) messages must match before the RA messages are forwarded. If the RA messages match the criteria in the RA-guard policy, they are forwarded. If the RA messages do not match the criteria in the RA-guard policy, they are dropped.

IPv6 RA guard is supported on 2xx models and higher.

Syntax

config switch raguard-policy

edit <RA-guard policy name>

set device-role {host | router}

set managed-flag {Off | On}

set other-flag {Off | On}

set max-hop-limit <0-255>

set min-hop-limit <0-255>

set max-router-preference {high | medium | low}

set match-src-addr <name_of_IPv6_access_list>

set match-prefix <name_of_IPv6_prefix_list>

next

end

Variable

Description

Default

<RA-guard policy name>

Enter the name of the RA-guard policy.

No default

device-role {host | router}

Set whether this policy applies to hosts or routers. If this option is set to host, all RA messages are dropped. If this option is set to router, the policy checks the other specified criteria.

host

managed-flag {Off | On}

Set to On for the policy to accept RA messages that are flagged with the M (managed address configuration) flag; if the RA messages are not flagged, they are dropped.

Set to Off for the policy to accept RA messages that arenot flagged with the M flag; if the RA messages are flagged, they are dropped.

If this option is not set, the policy skips this check.

No default

other-flag {Off | On}

Set to On for the policy to accept RA messages that are flagged with the O (other configuration) flag; if the RA messages are not flagged, they are dropped.

Set to Off for the policy to accept RA messages that arenot flagged with the O flag; if the RA messages are flagged, they are dropped.

If this option is not set, the policy skips this check.

No default

max-hop-limit <0-255>

Enter the maximum hop number for the policy to accept RA messages with a hop number equal or less than this value.

If this option is not set, the policy skips this check.

0

min-hop-limit <0-255>

Enter the minimum hop number for the policy to accept RA messages with a hop number equal or more than this value.

If this option is not set, the policy skips this check.

0

max-router-preference {high | medium | low}

Set the default router preference for the policy to accept RA messages with the router preference equal or less than this setting. When the router preference of RA messages is not set as high, medium, or low, RA guard acts as if the router preference was set to medium.

If this option is not set, the policy skips this check.

No default

match-src-addr <name_of_IPv6_access_list>

Enter the name of the IPv6 access list for the policy to check if the source IPv6 address of the RA message matches an allowed address. The IPv6 access list must be created (with the config router access-list6 command) before it is used in a policy.

No default

match-prefix <name_of_IPv6_prefix_list>

Enter the name of the IPv6 prefix list for the policy to check if the IPv6 address prefix of the RA message matches an allowed prefix. The IPv6 prefix list must be created (with the config router prefix-list6 command) before it is used in a policy.

No default

Example

The following example creates an IPv6 RA-guard policy:

config switch raguard-policy

edit RApolicy1

set device-role router

set managed-flag On

set other-flag On

set max-hop-limit 100

set min-hop-limit 5

set max-router-preference medium

set match-src-addr accesslist1

set match-prefix prefixlist1

next

end

config switch security-feature

Use this command to configure security checks for incoming TCP/UDP packets. The packet is dropped if the system detects the specified condition.

Syntax (for models FS108D-POE, FS112D-POE, FS224D-POE)

config switch security-feature

set tcp-syn-data {enable | disable}

set tcp-udp-port-zero {enable | disable}

set tcp_flag_zero {enable | disable}

set tcp_flag_FUP {enable | disable}

set tcp_flag_SF {enable | disable}

set tcp_flag_SR {enable | disable}

set tcp_frag_ipv4_icmp {enable | disable}

set tcp_arp_mac_mismatch {enable | disable}

end

Variable

Description

Default

tcp-syn-data

TCP SYN packet contains additional data (possible DoS attack).

disable

tcp-udp-port-zero

TCP or UDP packet has source or destination port set to zero.

disable

tcp_flag_zero

TCP packet with all flags set to zero.

disable

tcp_flag_FUP

TCP packet with FIN, URG and PSH flag set.

disable

tcp_flag_SF

TCP packet with SYN and FIN flag set.

disable

tcp_flag_SR

TCP packet with SYN and RST flag set.

disable

tcp_frag_ipv4_icmp

Fragmented ICMPv4 packet.

disable

tcp_arp_mac_mismatch

ARP packet with MAC source address mismatch between the Layer 2 header and the ARP packet payload.

disable

Syntax (for all other models)

config switch security-feature

set sip-eq-dip {enable | disable}

set tcp-flag {enable | disable}

set tcp-port-eq {enable | disable}

set tcp-flag-FUP {enable | disable}

set tcp-flag-SF {enable | disable}

set v4-first-frag {enable | disable}

set udp-port-eq {enable | disable}

set tcp-hdr-partial {enable | disable}

set macsa-eq-macda {enable | disable}

set allow-mcast-sa {enable | disable}

set allow-sa-mac-all-zero {enable | disable}

end

Variable

Description

Default

sip-eq-dip

TCP packet with a source IP address equal to the destination IP address.

disable

tcp_flag

DoS attack checking for TCP flags.

disable

tcp-port-eq

TCP packet with source and destination TCP ports equal.

disable

tcp-flag-FUP

TCP packet with FIN, URG and PSH flags set, and sequence number is zero.

disable

tcp-flag-SF

TCP packet with SYN and FIN flag set.

disable

v4-first-frag

DoS attack checking for IPv4 first fragment.

disable

udp-port-eq

IP packet with source and destination UDP ports equal.

disable

tcp-hdr-partial

TCP packet with partial header.

disable

macsa-eq-macda

Packet with source MAC address equal to destination MAC address.

disable

allow-mcast-sa

Ethernet packet whose source MAC address is multicast.

enable

allow-sa-mac-all-zero

Ethernet packet whose source MAC address is all zeros.

enable

Example

The following example configures security checks for incoming TCP/UDP packets:

config switch security-feature

set sip-eq-di enable

set tcp-flag enable

set tcp-port-eq enable

set tcp-flag-FUP enable

set tcp-flag-SF enable

set v4-first-frag enable

set udp-port-eq enable

set tcp-hdr-partial enable

set macsa-eq-macda enable

set allow-mcast-sa disable

set allow-sa-mac-all-zero disable

end

config switch static-mac

Use this command to configure one (or more) static MAC address on an interface.

Syntax

config switch static-mac

edit <sequence number>

set description <optional_string>

set interface <interface_name>

set mac <static_MAC_address>

set type {sticky | static}

set vlan-id <1-4095>

end

Variable

Description

Default

<sequence number>

Enter a sequence number.

No default

description <optional_string>

Optional. Enter a description of the static MAC address.

No default

interface <interface_name>

Enter the interface name.

No default

mac <static_MAC_address>

Enter the static MAC address.

00:00:00:00:00:00

type {sticky | static}

Set the MAC address as a persistent (sticky) addres or a static address.

static

vlan-id <1-4095>

Enter the VLAN identifier.

1

Example

config switch static-mac

edit 1

set description "first static MAC address"

set interface port10

set mac d6:dd:25:be:2c:43

set type static

set vlan-id 10

end

config switch storm-control

Use this command to configure storm control.

Syntax

config switch storm-control

set broadcast {enable | disable}

set burst-size-level <0-4>

set rate [0 | 2-10000000]

set unknown-multicast {enable | disable}

set unknown-unicast {enable | disable}

end

Variable

Description

Default

broadcast {enable | disable}

Enable or disable storm control for broadcast traffic.

disable

burst-size-level <0-4>

Set the burst-size level for storm control. Use a higher number to handle bursty traffic. The maximum number of packets or bytes allowed for each burst-size level depends on the switch model.

0

rate [0 | 2-10000000]

Specify the rate as packets-per-second. If you set the rate to zero, the system drops all packets (for the enabled traffic types).

500

unknown-multicast {enable | disable}

Enable or disable storm control for unknown multicast traffic.

disable

unknown-unicast {enable | disable}

Enable or disable storm control for unknown unicast traffic.

disable

Example

config switch storm-control

set broadcast enable

set burst-size-level 2

set rate 1000

set unknown-multicast enable

set unknown-unicast enable

end

config switch stp instance

Use this command to configure an STP instance.

Syntax

config switch stp instance

edit <instance_id>

set priority <priority_int>

set vlan-range <vlan_map>

config stp-port

edit <port name>

set cost <cost_int>

set priority <priority_int>

end

end

Variable

Description

Default

<instance_id>

Enter an instance identifier. The range is 0-32 for 5xx models and higher. For all other models, the range is 0 - 15.

No default

priority <priority_int>

Set the STP priority. The acceptable priority values are 0, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 4096, 40960, 45056, 49152, 53248, 57344, 61440, and 8192.

32768

vlan-range <vlan_map>

Enter the VLANs to which STP applies. <vlan_map> is a comma-separated list of VLAN IDs or VLAN ID ranges, for example “1,3-4,6,7,9-100” .

No default

config stp-port

<port name>

Enter the name of the port.

No default

cost <cost_int>

Enter the cost of using this interface. Use set cost ? for suggested cost values based on link speed.

0

priority <priority_int>

Enter the priority of this interface. Use set priority ? to list the acceptable priority values.

128

Example

config switch stp instance

edit "1"

set priority 8192

config stp-port

edit "port18"

set cost 0

set priority 128

next

edit "port19"

set cost 0

set priority 128

next

end

set vlan-range 5 7 11-20

end

config switch stp settings

Use this command to configure STP settings.

Syntax

config switch stp settings

set flood {enable | disable}

set forward-time <fseconds_int>

set hello-time <hseconds_int>

set max-age <age>

set max-hops <hops_int>

set mclag-stp-bpdu {both | single}

set name <name_str>

set revision <rev_int>

set status {enable | disable}

end

Variable

Description

Default

flood {enable | disable}

Set to enable if you want the STP packets arriving at any port to pass through the switch without being processed. Set to disable if you want to block STP packets arriving at any port.

This command is available only when status is set to disable.

disable

forward-time <fseconds_int>

Enter the forwarding delay in seconds. Range 4 to 30.

15

hello-time <hseconds_int>

Enter the hello time in seconds. Range 1 to 10.

2

max-age <age>

Enter the maximum age. Range 6 to 40.

20

max-hops <hops_int>

Enter the maximum number of hops. Range 1 to 40.

20

mclag-stp-bpdu {both | single}

Set to both to allow both core switches of an MCLAG to transmit STP BPDUs. Set to single to prevent both core switches of an MCLAG from transmitting STP BPDUs.

both

name <name_str>

Enter a string value for the name.

No default

revision <rev_int>

Range 0 to 65535.

0

status {enable | disable}

Enable or disable status report.

enable

Example

config switch stp settings

set forward-time 15

set hello-time 5

set max-age 20

set max-hops 20

set name "region1"

set revision 1

set status enable

end

config switch trunk

Use this command to configure link aggregation.

Syntax

config switch trunk

edit <trunk name>

set aggregator-mode {bandwidth | count}

set auto-isl <integer>

set bundle [enable|disable]

set min_bundle <integer>

set max_bundle <integer>

set description <description_str>

set fortilink <integer>

set isl-fortilink <integer>

set lacp-speed {slow | fast}

set mclag {disable | enable}

set mclag-icl {disable | enable}

set member-withdrawal-behavior {block | forward}

set members <intf1 ... intfn>

set mode {fortinet-trunk | lacp-active | lacp-passive | static}

set port-selection-criteria {src-ip | src-mac | dst-ip | dst-mac | src-dst-ip | src-dst-mac}

set static-isl {enable | disable}

set static-isl-auto-vlan {enable | disable}

end

Variable

Description

Default

<trunk name>

Enter a name for the trunk.

No default

aggregator-mode {bandwidth | count}

Select how an aggregator groups ports when the trunk is in LACP mode. Select bandwidth to group ports into the aggregator with the largest bandwidth. Select count to group ports into the aggregator with the most ports.

bandwidth

auto-isl <integer>

Automatically forms an ISL-encapsulated trunk, up to the specified maximum size.

0

bundle [enable|disable]

Enable or disable bundling

disable

min_bundle

Set the minimum size of the bundle. This option is available only when bundle has been enabled.

1

max_bundle

Set the maximum size of the bundle. This option is available only when bundle has been enabled.

24

description <description_str>

Optionally, enter a description.

No default

fortilink <integer>

Set the FortiLink trunk.

0

isl-fortilink <integer>

Set the ISL FortiLink trunk.

0

lacp-speed {slow | fast}

Select fast to send an LACP message every second. Select slow to send an LACP message every 30 seconds.

slow

mclag {disable | enable}

Enable or disable multichassis LAG (MCLAG).

disable

mclag-icl {disable | enable}

Enable or disable the MCLAG inter-chassis link (ICL).

disable

member-withdrawal-behavior {block | forward}

Select how the port behaves after it withdraws because of loss-of-control packets.

block

members <intf1 ... intfn>

Enter the names of the interfaces that belong to this trunk. Separate the names with spaces.

No default

mode {fortinet-trunk | lacp-active | lacp-passive | static}

Select the link aggregation mode:
  • fortinet-trunk—use heartbeat packets to detect whether trunk members are available.
  • lacp-active—use active LACP 802.3ad aggregation
  • lacp-passive—use passive LACP 802.3ad aggregation
  • static—use static aggregation, ignoring and not sending control messages

static

port-selection-criteria {src-ip | src-mac | dst-ip | dst-mac | src-dst-ip | src-dst-mac}

Select the port selection criteria:
  • src-ip—source IP address
  • src-mac—source MAC address
  • dst-ip—destination IP address
  • dst-mac—destination MAC address
  • src-dst-ip—both source and destination IP addresses
  • src-dst-mac—both source and destination MAC addresses

src-dst-ip

static-isl {enable | disable}

Available only in FortiLink mode. Enable to manually create an inter-switch link (ISL) trunk.

default

static-isl-auto-vlan {enable | disable}

Available only in FortiLink mode. Enable or disable automatic VLAN configuration on the ISL.

default

Heartbeat Trunk

When you set the trunk mode to fortinet-trunk, the following configuration fields are available:

config switch trunk

edit hb-trunk

set mode fortinet-trunk

set port-selection-criteria {src-ip | src-mac | dst-ip | dst-mac | src-dst-ip | src-dst-mac}

set description <description_str>

set members <port> [<port>] ... [<port>]

set member-withdrawal-behavior {block | forward}

set max-miss-heartbeats <3-32>

set hb-out-vlan <int>

set hb-in-vlan <int>

set hb-src-ip <x.x.x.x>

set hb-dst-ip <x.x.x.x>

set hb-src-udp-port <int>

set hb-dst-udp-port <int>

set hb-verify {enable | disable}

end

Variable

Description

Default

port-selection-criteria {src-ip | src-mac | dst-ip | dst-mac | src-dst-ip | src-dst-mac}

Select the port selection criteria:
  • src-ip — source IP address
  • src-mac — source MAC address
  • dst-ip — destination IP address
  • dst-mac — destination MAC address
  • src-dst-ip — both source and destination IP addresses
  • src-dst-mac — both source and destination MAC addresses

src-dst-ip

description <description_str>

Optionally, enter a description.

No default

members <port> [<port>] ... [<port>]

Enter the names of the ports that belong to this trunk. Separate the names with spaces.

No default

member-withdrawal-behavior {block | forward}

Set the port behavior after it withdraws because of the loss of control packets.

block

max-miss-heartbeats <3-32>

Enter the maximum number of heartbeat messages that can be lost before the FortiGate is deemed to be unavailable. Set a value between 3 and 32.

10

hb-out-vlan

Enter the outgoing VLAN value.

0

hb-in-vlan

Enter the incoming VLAN value.

0

hb-src-ip

Enter the source IP address for the heartbeat packet.

0.0.0.0

hb-dst-ip

Enter the destination IP address for the heartbeat packet.

0.0.0.0

hb-src-udp-port

Enter the source UDP port value for the heartbeat packet.

0

hb-dst-udp-port

Enter the destination UDP port value for the heartbeat packet.

0

hb-verify

Enable or disable heartbeat packet verification.

disable

Example

The following example creates trunk tr1 with heartbeat capability:

config switch trunk

edit "tr1"

set mode fortinet-trunk

set members "port1" "port2"

set hb-out-vlan 300

set hb-in-vlan 500

set hb-src-ip 10.105.7.200

set hb-dst-ip 10.105.7.199

set hb-src-udp-port 12345

set hb-dst-udp-port 54321

set hb-verify enable

next

end

config switch virtual-wire

Use this command to forward traffic between two ports with minimal filtering or packet modifications. The VLAN setting is optional.

NOTE: Virtual-wire ports will not be able to transmit or receive packets from other members of the VLAN or other virtual-wires that use the same VLAN. The VLAN should not have complex configurations such as private VLAN.

Syntax

config switch virtual-wire

edit <id>

set first-member <port>

set second-member <port>

set vlan <1-4095>

next

end

Variable

Description

Default

<id>

Enter a unique integer to create a new entry.

No default

first-member <port>

first member in the virtual-wire pair

No default

second-member <port>

second member in the virtual-wire pair

No default

vlan <1-4095>

VLAN used. The VLAN can be shared between virtual-wires and non-virtual-wire ports

4011

Example

The following example creates a virtual wire between ports 7 and 8:

config switch virtual-wire

edit 1

set first-member "port7"

set second-member "port8"

set vlan 70

next

end

config switch vlan

Use this command to configure VLANs.

Syntax

config switch vlan

edit <vlan id>

set access-vlan {enable | disable}

set cos-queue <0-7>

set description <description_str>

set dhcp-snooping {enable | disable}

set dhcp-snooping-verify-mac {enable | disable}

set dhcp-snooping-option82 {enable | disable}

set arp-inspection {enable | disable}

set dhcp6-snooping {enable | disable}

set igmp-snooping {enable | disable}

set igmp-snooping-querier {enable | disable}

set igmp-snooping-querier-addr <IPv4_address>

set igmp-snooping-querier-version {2|3}

set igmp-snooping-fast-leave {enable | disable}

set igmp-snooping-proxy {enable | disable}

set learning {enable | disable}

set learning-limit <integer>

set mld-snooping {enable | disable}

set mld-snooping-fast-leave {enable | disable}

set mld-snooping-querier {enable | disable}

set mld-snooping-querier-addr <IPv6_address>

set mld-snooping-proxy {enable | disable}

set policer <integer>

set private-vlan {enable | disable}

set isolated-vlan <integer>

set community-vlans <vlan_map>

set rspan-mode {enable | disable}

config igmp-snooping-static-group

edit <group_name>

set mcast-addr <IPv4_address>

set members <interface_name1> <interface_name2>...

end

config mld-snooping-static-group

edit <group_name>

set mcast-addr <IPv6_address>

set members <interface_name1> <interface_name2>...

end

config member-by-mac

config member-by-ipv4

config member-by-ipv6

config member-by-proto

config dhcp-server-access-list

end

Variable

Description

Default

<vlan id>

Enter a VLAN identifier.

No default

access-vlan {enable | disable}

Set to enable to block FortiSwitch port-to-port traffic on this VLAN while allowing traffic to and from the FortiGate unit. Set to disable to allow normal VLAN traffic.

disable

cos-queue <0-7>

Specify which class of service (CoS) queue is used for traffic on this VLAN or use the unset cos-queue command to disable this setting.

This command is available only in in FortiLink mode.

No default

description <description_str>

Optionally, enter a description.

If the Tunnel-Private-Group-Id attribute on the RADIUS server was set to the VLAN name, set the description to the same string. For example:

set description "newvlan"

No default

dhcp-snooping {enable | disable}

Enable or disable IPv4 DHCP snooping for this VLAN.

disable

dhcp-snooping-verify-mac {enable | disable}

Enable or disable whether to verify the source MAC address. This field is available only if dhcp-snooping is enabled.

disable

dhcp-snooping-option82 {enable | disable}

Enable or disable whether to insert option-82 fields. This field is available only if dhcp-snooping is enabled.

disable

arp-inspection {enable | disable}

Enable or disable dynamic ARP inspection.

disable

dhcp6-snooping {enable | disable}

Enable or disable IPv6 DHCP snooping for this VLAN.

disable

igmp-snooping {enable | disable}

Enable or disable IGMP snooping on the VLAN.

disable

igmp-snooping-fast-leave {enable | disable}

Enable or disable IGMP-snooping fast leave on this VLAN. This field is only available if igmp-snooping is enabled.

enable

igmp-snooping-querier {enable | disable}

Enable or disable whether periodic IGMP-snooping queries are sent to get IGMP reports. This field is only available if igmp-snooping is enabled.

disable

igmp-snooping-querier-addr <IPv4_address>

Optional. Enter the IPv4 address for the IGMP-snooping querier. This field if only available if igmp-snooping and igmp-snooping-querier are enabled.

0.0.0.0

igmp-snooping-querier-version {2|3}

Select whether to use the IGMP-snooping querier version 2 or version 3.

2

igmp-snooping proxy {enable | disable}

Enable or disable the IGMP-snooping proxy on this VLAN. When the IGMP-snooping proxy is enabled, this VLAN sends IGMP reports. This field is only available if igmp-snooping is enabled.

disable

learning {enable | disable}

Enable or disable layer-2 learning on this VLAN.

enable

learning-limit <integer>

Limit the number of dynamic MAC addresses on this VLAN. The per-VLAN MAC address learning limit is between 1 and 128. Set the value to 0 for no limit.

0

mld-snooping {enable | disable}

Enable or disable Multicast Listener Discovery (MLD) snooping for the this VLAN.

disable

mld-snooping-fast-leave {enable | disable}

Enable or disable MLD-snooping fast leave on this VLAN. This field is only available if mld-snooping is enabled.

enable

mld-snooping-querier {enable | disable}

Enable or disable whether periodic MLD-snooping queries are sent to get MLD reports. This field is only available if mld-snooping is enabled.

disable

mld-snooping-querier-addr <IPv6_address>

Optional. Enter the IPv6 address for the MLD-snooping querier. This field if only available if mld-snooping is enabled.

::

mld-snooping-proxy {enable | disable}

Enable or disable the MLD-snooping proxy on this VLAN. When the MLD-snooping proxy is enabled, this VLAN sends MLD reports. This field is only available if mld-snooping is enabled.

disable

policer <integer>

Set the policer for the traffic on this VLAN.

This command is available only in in FortiLink mode.

0

private-vlan {enable | disable}

Set to enable if this is a private VLAN.

disable

isolated-vlan <integer>

(Valid if private VLAN is enabled) Enter the isolated VLAN.

0

community-vlans <vlan_map>

(Valid if private VLAN is enabled) Enter the communities within this private VLAN. Enter single VLANs or ranges of VLANS separated by commas without white space. For example: 1,3-4,6,7,9-100

No default

rspan-mode {enable | disable}

Enable or disable port mirroring using the remote switch port analyzer (RSPAN) on this VLAN.

disable

config igmp-snooping-static-group

<group_name>

Enter the IGMP static group name.

No default

mcast-addr <IPv4_address>

Enter the IPv4 multicast address for the IGMP static group.

0.0.0.0

members <interface_name1> <interface_name2>...

Enter the interfaces that belong to the IGMP static group.

No default

config mld-snooping-static-group

<group_name>

Enter the MLD static group name.

No default

mcast-addr <IPv6_address>

Enter the IPv6 multicast address for the MLD static group.

No default

members <interface_name1> <interface_name2>...

Enter the interfaces that belong to the MLD static group.

No default

config member-by

Use this command to assign VLANs based on specific fields in the packet (source MAC address, source IP address, or layer-2 protocol).

config switch vlan

edit <vlan id>

config member-by-mac

edit <id>

set mac XX:XX:XX:XX:XX:XX

set description <128 byte string>

next

end

config member-by-ipv4

edit <id>

set address a.b.c.d/e

set description <128-byte string>

next

end

config member-by-ipv6

edit <id>

set prefix xx:xx:xx:xx::/prefix

set description <128-byte string>

next

end

config member-by-proto

edit <id>

set frametypes {ethernet2 | 802.3d | llc}

set protocol <6-digit hex value>

end

Variable

Description

Default

config member-by-mac

edit <id>

For a new entry, enter an unused ID.

No default

mac XX:XX:XX:XX:XX:XX

Enter a MAC address. If the source MAC address of an incoming packet matches this value, the associated VLAN will be assigned to the packet.

00:00:00:00:00:00

description

Enter up to 128 characters.

No default

config member-by-ipv4

edit <id>

For a new entry, enter an unused ID.

No default

address a.b.c.d/e

Enter an IPv4 address and network mask. If the source IP address of an incoming packet matches this value, the associated VLAN will be assigned to the packet. The subnet mask must be a value in the range of 1-32.

0.0.0.0 0.0.0.0

description

Enter up to 128 characters.

No default

config member-by-ipv6

edit <id>

For a new entry, enter an unused ID.

No default

prefix xx:xx:xx:xx::/prefix

Enter an IPv6 prefix. If the source IP address of an incoming packet matches this value, the associated VLAN will be assigned to the packet. The /prefix must in the range of 1-64.

::/0

description

Enter up to 128 characters.

No default

config member-by-proto

edit <id>

For a new entry, enter an unused ID.

No default

frametypes {ethernet2 | 802.3d | llc}

Enter one or more Ethernet frame type. Set this value to llc for logical link control. Set this value to 802.3d for 802.3d and SNAP.

ethernet2 802.3d llc

protocol <6-digit hex value>

Enter an Ethernet protocol value If the frametype and Ethernet protocol value of an incoming packet matches these values, the associated VLAN will be assigned to the packet. The value range is 0-65535.

0x0000

Example

The following example configures a VLAN:

config switch vlan

edit 100

config member-by-mac

edit 1

set description "pc2"

set mac 00:21:cc:d2:76:72

next

end

end

end

 

The following example configures the IGMP-snooping querier:

config switch vlan

edit 100

set igmp-snooping enable

set igmp-snooping-querier enable

set igmp-snooping-querier-addr 1.2.3.4

set igmp-snooping-querier-version 3

next

end

config dhcp-server-access-list

Use this command to create a list of DHCP servers that DHCP snooping will include in the allowed server list. This list is used only if the set dhcp-server-access-list command has been enabled; see config system global.

config switch vlan

edit <vlan id>

set dhcp-snooping enable

set dhcp6-snooping enable

config dhcp-server-access-list

edit <string>

set server-ip <xxx.xxx.xxx.xxx>

set server-ip6 <xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx>

next

end

next

end

Variable

Description

Default

edit <vlan id>

Enter a VLAN identifier.

No default

dhcp-snooping enable

Enable for IPv4 DHCP snooping.

The config dhcp-server-access-list command is available only after DHCP snooping (IPv4 or IPv6) has been enabled for that VLAN.

disable

dhcp6-snooping enable

Enable for IPv6 DHCP snooping.

The config dhcp-server-access-list command is available only after DHCP snooping (IPv4 or IPv6) has been enabled for that VLAN.

disable

edit <string>

Enter name of DHCP server access list

No default

server-ip <xxx.xxx.xxx.xxx>

If you enabled IPv4 DHCP snooping, enter Class A, B, or C IPv4 address for the DHCP server.

0.0.0.0

server-ip6 <xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx>

If you enabled IPv6 DHCP snooping, enter the IPv6 address for the DHCP server.

No default

Example

The following example configures IPv4 DHCP snooping to include the specified DHCP server in the allowed server list:

config switch vlan

edit 100

set dhcp-snooping enable

config dhcp-server-access-list

edit "DHCPserver1"

set server-ip 128.8.0.0

next

end

next

end

 

The following example configures IPv6 DHCP snooping to include the specified DHCP server in the allowed server list:

config switch vlan

edit 100

set dhcp6-snooping enable

config dhcp-server-access-list

edit "DHCPserver1"

set server-ip6 3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234

next

end

next

end

config switch vlan-tpid

Use this command to configure the VLAN TPID profile for VLAN stacking (QinQ). Each VLAN TPID profile contains one value for the EtherType field.

The FortiSwitch unit supports a maximum of four VLAN TPID profiles, including the default (0x8100). The default VLAN TPID profile (0x8100) cannot be deleted or changed.

To configure VLAN stacking and to select which VLAN TPID profile to use, see config switch interface.

Syntax

config switch vlan-tpid

edit <VLAN_TPID_profile_name>

set ether-type <0x0001-0xfffe>

next

end

Variable

Description

Default

<VLAN_TPID_profile_name>

Enter a name for the VLAN TPID profile name.

No default

ether-type <0x0001-0xfffe>

Enter a hexadecimal value for the EtherType field.

0x8100

config switch

Use the config switch commands to configure options related to switching functionality:

config switch acl egress

Use this command to configure an access control list (ACL) for an egress policy.

Syntax

config switch acl egress

edit <policy_ID>

set description <string>

set interface <port_name>

set schedule <schedule_name>

set status {active | inactive}

config classifier

set cos <802.1Q CoS value to match>

set dscp <DSCP value to match>

set dst-ip-prefix <IP_address> <mask>

set dst-mac <MAC_address>

set ether-type <integer>

set service <service_ID>

set src-ip-prefix <IP_address> <mask>

set src-mac <MAC_address>

set vlan-id <VLAN_ID>

end

config action

set count {enable | disable}

set drop {enable | disable}

set mirror <mirror_session>

set outer-vlan-tag <integer>

set policer <policer>

set redirect <interface_name>

set remark-dscp <0-63>

end

end

Variable

Description

Default

<policy-id>

Enter the unique ID number of this policy.

No default

description <string>

Enter a description or other information about the policy. The description is limited to 63 characters. Enclose the string in single quotes to enter special characters or spaces.

No default

interface <port_name>

Interface that the policy applies to.

No default

schedule <schedule_name>

Select a schedule for when the ACL policy will be enforced.

The schedule must have been defined already with the config system schedule command.

No default

status {active | inactive}

Make the egress ACL policy active or inactive.

active

config classifier

cos <802.1Q CoS value to match>

Enter the 802.1Q CoS value to match.

No default

dscp <DSCP value to match>

Enter the DSCP value to match.

No default

dst-ip-prefix <IP_address> <mask>

Destination IP address and subnet mask to be matched.

0.0.0.0 0.0.0.0

dst-mac <MAC_address>

Destination MAC address to be matched.

00:00:00:00:00:00

ether-type <integer>

Ethernet type to be matched.

0x0000

service <service_ID>

Service type to be matched.

No default

src-ip-prefix <IP_address> <mask>

Source IP address and subnet mask to be matched.

0.0.0.0 0.0.0.0

src-mac <MAC_address>

Source MAC address to be matched.

00:00:00:00:00:00

vlan-id <VLAN_ID>

VLAN identifier to be matched.

0

config action

count {enable | disable}

Enable or disable the count action.

disable

drop {enable | disable}

Enable or disable the drop action.

disable

mirror <mirror_session>

Mirror session name.

No default

outer-vlan-tag <integer>

Outer VLAN tag.

0

policer <policer>

Identifier of the policer to associate with this policy. To create a policer, see config switch acl policer.

0

redirect <interface_name>

Redirect interface name.

No default

remark-dscp <0-63>

Set the DSCP marking value.

No default

config switch acl ingress

Use this command to configure an ACL for an ingress policy. Starting in FortiSwitchOS 6.2.0, you can create groups for multiple ingress ACLs.

Syntax

config switch acl ingress

edit <policy-id>

set description <string>

set group <group_ID>

set ingress-interface <port > [<port > ... <port >]

set ingress-interface-all {enable | disable}

set schedule <schedule_name>

set status {active | inactive}

config classifier

set cos <802.1Q CoS value to match>

set dscp <DSCP value to match>

set src-mac <mac>

set dst-mac <mac>

set ether-type <integer>

set src-ip-prefix <IP address> <mask>

set dst-ip-prefix <IP address> <mask>

set service <service-id>

set vlan-id <vlan-id>

end

config action

set cos-queue <0 - 7>

set count {enable | disable}

set cpu-cos-queue <integer>

set drop {enable | disable}

set egress-mask {<physical_port_name> | internal}

set mirror <mirror_session>

set outer-vlan-tag <integer>

set policer <policer>

set redirect <interface_name>

set redirect-bcast-cpu {enable | disable}

set redirect-bcast-no-cpu {enable | disable}

set redirect-physical-port <list of physical ports to redirect>

set remark-cos <0-7>

set remark-dscp <0-63>

end

end

Variable

Description

Default

<policy-id>

Enter the unique ID number of this policy.

No default

description <string>

Enter a description or other information about the policy. The description is limited to 63 characters. Enclose the string in single quotes to enter special characters or spaces.

No default

group <group_ID>

Enter the group identifier of the policy. The range of group identifiers varies among the different platforms.

Starting in FortiSwitchOS 6.2.0, you can create groups for multiple ingress ACLs.

1

ingress-interface <port > [<port > ... <port >]

If ingress-interface-all is disabled, enter the interface list to which the policy is bound on the ingress.

No default

ingress-interface-all {enable | disable}

If enabled, policy is bound to all interfaces.

disable

schedule <schedule_name>

Select a schedule for when the ACL policy will be enforced.

The schedule must have been defined already with the config system schedule command.

No default

status {active | inactive}

Make the ingress ACL policy active or inactive.

active

config classifier

cos <802.1Q CoS value to match>

Enter the 802.1Q CoS value to match.

No default

dscp <DSCP value to match>

Enter the DSCP value to match.

No default

src-mac

Enter the source MAC address to be matched.

00:00:00:00:00:00

dst-mac

Enter the destination MAC address to be matched.

00:00:00:00:00:00

ether-type

Enter the Ethernet type to be matched.

0x0000

src-ip-prefix

Enter the source IP address and subnet mask to be matched.

0.0.0.0 0.0.0.0

dst-ip-prefix

Enter the destination IP address and subnet mask to be matched.

0.0.0.0 0.0.0.0

service

Enter the service type to be matched.

No default

vlan-id

Enter the VLAN identifier to be matched.

0

config action

cos-queue <0 - 7>

CoS queue number (0 - 7).

0

count

Enable or disable the count action.

disable

cpu-cos-queue <integer>

CPU CoS queue number. This CoS queue is only used if the packets reach the CPU. Enter set cpu-cos-queue ? to see the value range.

disabled

drop

Enable or disable the drop action.

disable

egress-mask {<physical_port_name> | internal}

List of physical ports to be configured in egress mask.

No default

mirror <mirror_session>

Mirror session name.

No default

outer-vlan-tag

Outer VLAN tag.

4093

policer

Identifier of the policer to associate with this policy. To create a policer, see config switch acl policer.

1

redirect <interface_name>

Redirect interface name.

No default

redirect-bcast-cpu

Redirect broadcast to all ports including the CPU.

disable

redirect-bcast-no-cpu

Redirect broadcast to all ports excluding the CPU.

disable

redirect-physical-port

List of ports to redirect the packet.

No default

remark-cos <0-7>

Set the CoS marking value. The range is 0-7.

No default

remark-dscp <0-63>

Set the DSCP marking value. The range is 0-63.

No default

Examples

In the following example, traffic from VLAN 3 is blocked to a specified destination IP subnet (10.10.0.0/16) but allowed to all other destinations:

config switch acl ingress

edit 1

config action

set count enable

set drop enable

end

config classifier

set dst-ip-prefix 10.10.0.0 255.255.0.0

set vlan-id 3

end

set ingress-interface-all enable

set status inactive

next

edit 2

config classifier

set vlan-id 3

end

set ingress-interface-all enable

set status active

next

end

 

In the following example, packets are classified by matching both the CoS and DSCP values. Both the CoS and DSCP marking values are set:

config switch acl ingress

edit 1

config classifier

set src-mac 11:22:33:aa:bb:cc

set cos 2

set dscp 10

end

config action

set count enable

set remark-cos 4

set remark-dscp 20

end

set ingress-interface port2

set status active

end

config switch acl policer

Use this command to configure an ACL policer for egress or ingress policies.

Syntax

config switch acl policer

edit <policer index>

set description <string>

set guaranteed-bandwidth <bandwidth_value>

set guaranteed-burst <in_bytes>

set maximum-burst <in_bytes>

set type {egress | ingress}

end

Variable

Description

Default

<policer index>

Enter the index for this ACL policer

No default

description <string>

Enter a text description for the policer.

No default

guaranteed-bandwidth <bandwidth_value>

Enter the amount of bandwidth guaranteed to be available for traffic controlled by the policy. The value range is 0 to 16 776 000 Kbits/second.

0

guaranteed-burst <in_bytes>

Guaranteed burst size in bytes (max value = 4294967295)

0

maximum-burst <in_bytes>

Maximum burst size in bytes (max value = 4294967295)

0

type {egress | ingress}

Specify whether the policer is for egress or ingress policies.

ingress

Example

This example shows how to configure an ACL policer for egress policies.

config switch acl policer

edit 1

set description policer1

set guaranteed-bandwidth 8776000

set guaranteed-burst 858993459

set maximum-burst 4294967295

set type egress

end

config switch acl prelookup

Use this command to configure an ACL for a lookup policy.

Syntax

config switch acl prelookup

edit <policy_ID>

set description <string>

set interface <port_name>

set schedule <schedule_name>

set status {active | inactive}

config classifier

set cos <802.1Q CoS value to match>

set dscp <DSCP value to match>

set dst-ip-prefix <IP_address> <mask>

set dst-mac <MAC_address>

set ether-type <integer>

set service <service_ID>

set src-ip-prefix <IP_address> <mask>

set src-mac <MAC_address>

set vlan-id <VLAN_ID>

end

config action

set count {enable | disable}

set cos-queue <0-7>

set drop {enable | disable}

set outer-vlan-tag <integer>

set remark-cos <0-7>

end

end

Variable

Description

Default

<policy-id>

Enter the unique ID number of this policy.

No default

description <string>

Enter a description or other information about the policy. The description is limited to 63 characters. Enclose the string in single quotes to enter special characters or spaces.

No default

interface <port_name>

Interface that the policy applies to.

No default

schedule <schedule_name>

Select a schedule for when the ACL policy will be enforced.

The schedule must have been defined already with the config system schedule command.

No default

status {active | inactive}

Make the prelookup ACL policy active or inactive.

active

config classifier

cos <802.1Q CoS value to match>

Enter the 802.1Q CoS value to match.

No default

dscp <DSCP value to match>

Enter the DSCP value to match.

No default

dst-ip-prefix <IP_address> <mask>

Destination IP address and subnet mask to be matched.

0.0.0.0 0.0.0.0

dst-mac <MAC_address>

Destination MAC address to be matched.

00:00:00:00:00:00

ether-type <integer>

Ethernet type to be matched.

0x0000

service <service_ID>

Service type to be matched.

No default

src-ip-prefix <IP_address> <mask>

Source IP address and subnet mask to be matched.

0.0.0.0 0.0.0.0

src-mac <MAC_address>

Source MAC address to be matched.

00:00:00:00:00:00

vlan-id <VLAN_ID>

VLAN identifier to be matched.

0

config action

count {enable | disable}

Enable or disable the count action.

disable

cos-queue <0-7>

CPU CoS queue number (20-29). Only if packets reach to CPU. The value range is 20-29.

No default

drop {enable | disable}

Enable or disable the drop action.

disable

outer-vlan-tag <integer>

Outer VLAN tag.

0

remark-cos <0-7>

Set the CoS marking value. The range is 0-7.

No default

config switch acl service custom

Use this command to customize one of the ACL services.

Syntax

config switch acl service custom

edit <service name>

set comment <string>

set color <0-32>

set protocol {ICMP | IP | TCP/UDP/SCTP}

set icmptype <0-255>

set icmpcode <0-255>

set protocol-number <IP protocol number>

set sctp-portrange <dstportlow_int>[-<dstporthigh_int>: <srcportlow_int>-<srcporthigh_int>]

set tcp-portrange <dstportlow_int>[-<dstporthigh_int>:<srcportlow_int>-<srcporthigh_int>]

set udp-portrange <dstportlow_int>[-<dstporthigh_int>:<srcportlow_int>-<srcporthigh_int>]

end

end

Variable

Description

Default

<service name>

Enter the name of this custom service.

No default

comment <string>

Add comments for the custom service.

No default

color <0-32>

Set the icon color to use in the Web-based manager. A value of zero sets the default color (1).

0

protocol {ICMP | IP | TCP/UDP/SCTP}

Select the protocol used by the service.

These protocols are available when explicit-proxy is enabled.

TCP/UDP/SCTP

icmptype <0-255>

If you set the protocol to ICMP, set the ICMP type.

0

icmpcode <0-255>

If you set the protocol to ICMP, set the ICMP code.

0

protocol-number

For an IP service, enter the IP protocol number.

0

sctp-portrange

For SCTP services, enter the destination and source port ranges.

No default

tcp-portrange

For TCP services, enter the destination and source port ranges.

No default

udp-portrange

For UDP services, enter the destination and source port ranges.

No default

Notes:

  • srcport_low and srcport_high can be omitted if the value pair is 1-65535
  • dstport_high can be omitted if dstport_low is equal to dstport_high
  • srcport_low and srcport_high can be omitted if the value pair is 1-65535
  • dstport_high can be omitted if dstport_low is equal to dstport_high

Example

In the following example, Server Message Block (SMB) traffic received on port 1 is mirrored to port 3. SMB protocol uses port 445:

config switch acl service custom

edit "SMB"

set tcp-portrange 445

next

end

config switch acl ingress # apply policy to port 1 ingress and send to port 3

edit 1

set description "cnt_n_mirror_smb"

set ingress-interface "port1"

config action

set count enable

set mirror "port3"

end

config classifier

set service "SMB"

set src-ip-prefix 20.20.20.100 255.255.255.255

set dst-ip-prefix 100.100.100.0 255.255.255.0

end

next

end

config switch acl settings

Use this command to configure the global ACL settings

Syntax

config switch acl settings

set density-mode {disable | enable}

set trunk-load-balance {disable | enable}

end

Variable

Description

Default

density-mode

Enable or disable density mode.

disable

trunk-load-balance

Enable or disable trunk-load-balancing for ACL actions.

enable

Example

The following example configures the global ACL settings:

config switch acl settings

set density-mode enable

set trunk-load-balance enable

end

config switch auto-isl-port-group

Use this command to create a multi-tiered MCLAG trunk when the FortiSwitch unit is managed by a FortiGate unit.

Syntax

config switch auto-isl-port-group

edit <trunk_name>

set members <one or more ports>

end

Example

The following example creates two trunks for a multi-tiered MCLAG:

config switch auto-isl-port-group

edit "mclag-core1"

set members "port1" "port2"

next

edit "mclag-core2"

set members "port3" "port4"

end

config switch auto-network

Use this command to automatically form an inter-switch link (ISL) between two switches.

Syntax

config switch auto-network

set mgmt-vlan <1-4094>

set status {enable | disable}

end

Variable

Description

Default

mgmt-vlan <1-4094>

Set the VLAN to use for the native VLAN on ISL ports and the native VLAN on the internal switch interface.

4094

status {enable | disable}

Enable or disable whether an ISL is automatically formed between two switches.

disable

Example

The following example enables the automatic formation of an ISL between two switches:

config switch auto-network

set mgmt-vlan 200

set status enable

end

config switch global

Use this command to configure system-wide FortiSwitch settings.

Syntax

config switch global

set auto-fortilink-discovery {enable | disable}

set auto-isl {enable | disable}

set auto-isl-port-group <0-9>

set auto-stp-priority {enable | disable}

set dhcp-snooping-database-export {disable | enable}

set dmi-global-all {enable | disable}

set flapguard-retain-trigger {enable | disable}

set flood-unknown-multicast {enable | disable}

set fortilink-heartbeat-timeout <0-300>

set fortilink-p2p-native-vlan <integer>

set fortilink-p2p-tpid <interger>

set fortilink-vlan-optimization {enable | disable}

set forti-trunk-dmac <xx:xx:xx:xx:xx:xx>

set ip-mac-binding {enable | disable}

set l2-memory-check {enable | disable}

set l2-memory-check-interval <number_of_seconds>

set log-mac-limit-violations {enable | disable}

set log-source-guard-violations {enable | disable}

set loop-guard-tx-interval <0-30>

set mac-aging-interval <seconds>

set mac-violation-timer <integer>

set max-frame-size <bytes_int>

set max-path-in-ecmp-group <integer>

set mclag-igmpsnooping-aware {enable | disable}

set mclag-peer-info-timeout <integer>

set mclag-port-base <integer>

set mclag-split-brain-detect {enable | disable}

set mclag-stp-aware {enable | disable}

set mirror-qos <0-7>

set name <string>

set neighbor-discovery-to-cpu {enable | disable}

set packet-buffer-mode {store-forward | cut-through}

set poe-alarm-threshold <threshold (percent of total power budget) above which an alarm event is generated>

set poe-guard-band <integer>

set poe-power-budget <integer>

set poe-power-mode {first-come-first-served | priority}

set poe-pre-standard-detect {disable | enable}

set qos-drop-policy {random-early-detection | taildrop}

set qos-red-probability <integer>

set reserved-mcast-to-cpu {enable | disable}

set source-guard-violation-timer <integer>

set trunk-hash-mode {default| enhanced}

set trunk-hash-unicast-src-port {enable | disable}

set trunk-hash-unkunicast-src-dst {enable | disable}

set virtual-wire-tpid <0x0001-0xfffe>

config port-security

set link-down-auth {no-action | set-unauth}

set mab-reauth {enable | disable}

set max-reauth-attempt <0-15>

set quarantine-vlan {enable | disable}

set reauth-period <1-1440>

set tx-period <12-60>

end

end

Variable

Description

Default

auto-fortilink-discovery {enable | disable}

Enable or disable the capability for the FortiGate unit to automatically discover the FortiLink interface on the switch.

enable

auto-isl {enable | disable}

Enable or disable the capability to automatically form an inter-switch LAG.

enable

auto-isl-port-group <0-9>

Set the ISL port group. The range is 0-9.

0

auto-stp-priority {enable | disable}

Enable or disable the automatic assigned STP switch priortiy.

enable

dhcp-snooping-database-export {disable | enable}

Enable or disable whether the DHCP snooping database is exported to file.

disable

dmi-global-all {enable | disable}

Enable or disable DMI globally.

enable

flapguard-retain-trigger {enable | disable}

Enable this setting to keep the “triggered” status in the output of the diagnose flapguard status command after a switch has been rebooted until the port has been reset with the execute flapguard reset <port_name> command.

Disable this setting to reset the “triggered” status when the switch is rebooted.

disable

flood-unknown-multicast {enable | disable}

Enable or disable whether to flood the VLAN with unknown multicast messages.

disable

fortilink-heartbeat-timeout <0-300>

Set how long before the FortiLink heartbeat times out. Set the value to 0 to disable the FortiLink heartbeat.

60

fortilink-p2p-native-vlan <integer>

Specify the native VLAN on the inter-switch link (ISL) when fortilink-p2p is enabled under the config switch physical port command.

4094

fortilink-p2p-tpid <interger>

Set the FortiLink point-to-point TPID value. The range of values is 0x0001 to 0xfffe.

This command is only available in FortiLink mode.

0x8100

fortilink-vlan-optimization {enable | disable}

Enable or disable FortiLink VLAN optimization.

disable

forti-trunk-dmac <xx:xx:xx:xx:xx:xx>

Enter the destination MAC address to be used for FortiTrunk heartbeat packets.

02:80:c2:00:00:02

ip-mac-binding {enable | disable}

Enable or disable IP-MAC binding for the switch

disable

l2-memory-check {enable | disable}

Enable or disable whether FortiSwitchOS checks the size of the layer-2 table. When this feature is enabled, the set l2-memory-check interval command controls the frequency that the table is checked. When the table size is more than 75-percent full or less than 70-percent full, FortiSwitchOS adds a warning to the system log.

disable

l2-memory-check-interval <number_of_seconds>

When l2-memory-check is enabled, FortiSwitchOS checks the size of the layer-2 table at the specified interval. The range of values is 5-86400 seconds.

120

log-mac-limit-violations {enable | disable}

Enable or disable the logging of layer-2 learning limit violations for an interface or VLAN. The most recent violation that occurred on each interface or VLAN is logged. After that, no more violations are logged until the log is reset for the triggered interface or VLAN. Only the most recent 128 violations are displayed in the console.

NOTE: This command is only displayed if your FortiSwitch model supports it.

disable

log-source-guard-violations {enable | disable}

Enable or disable logs for source guard violations on a system-wide level.

disable

loop-guard-tx-interval <0-30>

Enter the loop guard transmit interval. Value range is 1-30. The units is seconds.

3

mac-aging-interval <seconds>

Specify how often the learning-limit violation log is reset. The range is 10 to 1,000,000 seconds. Set to 0 to disable.

300

mac-violation-timer <integer>

How long (in minutes) violations of the layer-2 learning limit are kept in the log. The value range is 0-1500. Set to 0 to disable the timer.

0

max-frame-size <bytes_int>

Set the maximum frame size. The range is 68 to 16360.

NOTE: For non-1xxE FortiSwitch units, this command is under the config switch physical-port command.

9216

max-path-in-ecmp-group <integer>

Set the maximum path in one ECMP group.

8

mclag-igmpsnooping-aware {enable | disable}

Enable this option to synchronize both query ports and group entries across peer MCLAG trunks. This option can be used in standalone mode and in FortiLink mode.

NOTE: For IGMP snooping to work correctly in an MCLAG, you need to use the set mclag-igmpsnooping-aware enable command on all FortiSwitch units in the network topology and use the set igmps-flood-reports enable command on each MCLAG core FortiSwitch unit.

disable

mclag-peer-info-timeout <integer>

Enter the MCLAG peer info timeout. The value range is 30 to 600 seconds.

30

mclag-port-base <integer>

Set the MCLAG port base.

0

mclag-split-brain-detect {enable | disable}

Enable or disable the detection of the MCLAG split-brain state.

disable

mclag-stp-aware {enable | disable}

Enable or disable whether the STP can be used within the MCLAG.

enable

mirror-qos <0-7>

Enter the quality of service (QoS) priority for packets mirrored by this FortiSwitch unit. Applies only to the FS-524D, FS-524D-FPOE, FS-548D, FS-548D-FPOE, FS-1048E, and FS-3032D models.

0

name <string>

Enter a name for the switch.

No default

neighbor-discovery-to-cpu {enable | disable}

Enable or disable the forwarding of reserved multicast packets to the CPU. Applies only to the 200 Series and 400 Series.

enable

packet-buffer-mode {store-forward | cut-through}

Set the switching mode to store-and-forward or cut-through for the main buffer of the FS-1024D, FS-1048D, or FS-3032D model.

store-forward

poe-alarm-threshold <threshold (percent of total power budget) above which an alarm event is generated>

Enter the threshold (a specified percentage of the total power budget) above which an alarm event is generated.

80

poe-guard-band <integer>

Enter the power (W) to reserve in case of a spike in PoE consumption.

19

poe-power-budget <integer>

Set or override the maximum power budget.

400

poe-power-mode {first-come-first-served | priority}

Set the PoE power mode to priority based or first-come, first-served.

priority

poe-pre-standard-detect {disable | enable}

Enable or disable PoE pre-standard detection.

NOTE: PoE pre-standard detection is a global setting for the following FortiSwitch models: FSR-112D-POE, FS-548D-FPOE, FS-524D-FPOE, FS-108D-POE, FS-224D-POE, FS-108E-POE, FS-108E-FPOE, FS-124E-POE, FS-124E-FPOE, 148F-POE, and 148F-FPOE. For the other FortiSwitch PoE models, PoE pre-standard detection is set on each port.

disable