Administration Guide

Introduction

This guide provides information about configuring a FortiSwitch unit in standalone mode. In standalone mode, you manage the FortiSwitch unit by connecting directly to the unit, either using the web-based manager (also known as the GUI) or the CLI.

If you will be managing your FortiSwitch unit using a FortiGate unit, refer to the following guide: FortiSwitch Devices Managed by FortiOS 7.0.

This section covers the following topics:

Supported models

This guide is for all FortiSwitch models that are supported by FortiSwitchOS, which includes all of the D-series, E-series, and F-series models.

What's new in FortiSwitchOS 7.0.2

Release 7.0.2 provides the following new features:

  • New commands allow you to specify which IGMP-snooping and MLD-snooping groups are cleared:
    • execute clear switch igmp-snooping all
    • execute clear switch igmp-snooping group <multicast_IPv4_address>
    • execute clear switch igmp-snooping interface <interface_name>
    • execute clear switch igmp-snooping vlan <VLAN_ID>
    • execute clear switch mld-snooping all
    • execute clear switch mld-snooping group <multicast_IPv6_address>
    • execute clear switch mld-snooping interface <interface_name>
    • execute clear switch mld-snooping vlan <VLAN_ID>
    You can also combine the commands for more control.
  • You can now sort each column on the Log > Entries page.
  • As part of the existing support for RFC 1493, the following OIDs have been added:

    Name                      OID
    dot1dBaseBridgeAddress    .1.3.6.1.2.1.17.1.1.0
    dot1dBaseNumPorts         .1.3.6.1.2.1.17.1.2.0
    dot1dBaseType             .1.3.6.1.2.1.17.1.3.0
    dot1dTpFdbTable           .1.3.6.1.2.1.17.4.3
      TpFdbAddress            .1.3.6.1.2.1.17.4.3.1.1
      TpFdbPort               .1.3.6.1.2.1.17.4.3.1.2
      TpFdbStatus             .1.3.6.1.2.1.17.4.3.1.3
    dot1dBasePortTable        .1.3.6.1.2.1.17.1.4
      BasePort                .1.3.6.1.2.1.17.1.4.1.1
      BasePortIfIndex         .1.3.6.1.2.1.17.1.4.1.2
      BasePortCircuit         .1.3.6.1.2.1.17.1.4.1.3

    NOTE: dot1dBasePortDelayExceededDiscards (.1.3.6.1.2.1.17.1.4.1.4) and dot1dBasePortMtuExceededDiscards (.1.3.6.1.2.1.17.1.4.1.5) are not supported.

  • When DHCP snooping is enabled and a DHCP server is detected on an untrusted interface, a log entry is generated, either “A rogue DHCPv6 server has been detected on the interface” or “A rogue DHCP server has been detected on the interface.”
  • You can now use RADIUS attributes to configure dynamic access control lists (DACLs) on 802.1x ports. DACLs are configured on a switch or saved on a RADIUS server. You can use DACLs to control traffic per user session or per port for switch ports directly connected to user clients. DACLs are applied in hardware only after 802.1x authentication succeeds.
  • You can now specify the outer VLAN tag and COS queue number when configuring the access control list (ACL) policies on the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-108F, FS-108F-POE, FS-108F-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, FS-148E-POE, FS-148F, FS-148F-POE, FS-148F-FPOE, FS-124F, FS-124F-POE, and FS-124F-FPOE models.
  • You can now enable or disable the learning-limit violation log in the GUI (Switch > MAC Limit).
  • The MAC learning limit and the MAC learning limit violation log are now supported on the FSR-112D-POE.
  • You can now specify that, when the MAC learning limit is exceeded, the interface that it is configured on will be disabled.
  • You can now receive an SNMP trap message when the MAC learning limit is exceeded.
  • NAC LAN segments are now supported on the FS-148F, FS-148F-POE, and FS-148F-FPOE models in FortiLink mode. FortiOS 7.0.1 or higher is required.
  • You can now specify a range of multicast group addresses (IPv4) when configuring a Protocol Independent Multicast (PIM) multicast flow.
  • The output of the diagnose test authserver radius command now includes the configured attribute-value pairs (AVPs).
  • When you test the user credentials for a RADIUS server in the GUI (System > Authentication > RADIUS), the configured AVPs are now returned, along with the status of the connection and user credentials.
  • You can now view if a module supports the diagnostic monitoring interface (DMI):
    • The output of the get switch modules status command reports if a module does not support DMI.
    • There is a new DMI column on the Module Summary page (Switch > Monitor > Modules).
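
The dot1dTpFdbTable OIDs listed above expose the switch's MAC forwarding table over SNMP, which is useful for building a MAC-to-port inventory and spotting ports that learn more addresses than expected. The following is an added example, not code from the FortiSwitch guide or from Fortinet: it parses net-snmp style `snmpwalk -On` output (constructed sample lines) of the dot1dTpFdbPort and dot1dTpFdbStatus columns, decoding the six decimal octets that index each row into a MAC address.

```python
"""Turn an SNMP walk of the RFC 1493 dot1dTpFdbTable (BRIDGE-MIB) into a
MAC-address -> (bridge port, status) inventory. Example code, not Fortinet's."""
import re
from typing import Dict, List, Tuple

DOT1D_TP_FDB_TABLE = ".1.3.6.1.2.1.17.4.3"          # from the OID table above
COL_PORT = DOT1D_TP_FDB_TABLE + ".1.2."             # dot1dTpFdbPort
COL_STATUS = DOT1D_TP_FDB_TABLE + ".1.3."           # dot1dTpFdbStatus

# dot1dTpFdbStatus enumeration as defined in RFC 1493.
FDB_STATUS = {1: "other", 2: "invalid", 3: "learned", 4: "self", 5: "mgmt"}

# Constructed sample walk output (numeric OIDs, net-snmp "OID = TYPE: value" shape).
# Rows are indexed by the MAC address encoded as six decimal octets.
SAMPLE_WALK = """\
.1.3.6.1.2.1.17.4.3.1.2.2.0.0.0.0.1 = INTEGER: 5
.1.3.6.1.2.1.17.4.3.1.2.2.0.0.0.0.2 = INTEGER: 5
.1.3.6.1.2.1.17.4.3.1.2.2.0.0.0.0.3 = INTEGER: 12
.1.3.6.1.2.1.17.4.3.1.3.2.0.0.0.0.1 = INTEGER: 3
.1.3.6.1.2.1.17.4.3.1.3.2.0.0.0.0.2 = INTEGER: 3
.1.3.6.1.2.1.17.4.3.1.3.2.0.0.0.0.3 = INTEGER: 4
"""

LINE_RE = re.compile(r"^(\.[\d.]+)\s*=\s*INTEGER:\s*(\d+)\s*$")


def mac_from_index(index: str) -> str:
    """Convert the 6 decimal octets of a dot1dTpFdbAddress index to aa:bb:cc:dd:ee:ff."""
    octets = index.split(".")
    if len(octets) != 6 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"bad dot1dTpFdbAddress index: {index}")
    return ":".join(f"{int(o):02x}" for o in octets)


def parse_fdb_walk(text: str) -> Dict[str, Tuple[int, str]]:
    """Return {mac: (bridge_port, status)} from a walk of dot1dTpFdbTable."""
    ports: Dict[str, int] = {}
    statuses: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip non-INTEGER or unrelated lines
        oid, value = m.group(1), int(m.group(2))
        if oid.startswith(COL_PORT):
            ports[mac_from_index(oid[len(COL_PORT):])] = value
        elif oid.startswith(COL_STATUS):
            statuses[mac_from_index(oid[len(COL_STATUS):])] = FDB_STATUS.get(value, f"unknown({value})")
    return {mac: (port, statuses.get(mac, "unknown")) for mac, port in ports.items()}


def macs_on_port(fdb: Dict[str, Tuple[int, str]], port: int) -> List[str]:
    """Learned MACs on one bridge port; a long list on an access port suggests an unmanaged switch or hub behind it."""
    return sorted(mac for mac, (p, status) in fdb.items() if p == port and status == "learned")
```

Bridge port numbers are not ifIndex values; map them through dot1dBasePortIfIndex (.1.3.6.1.2.1.17.1.4.1.2) before correlating with interface names.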

Refer to the FortiSwitch feature matrix for details about the features supported by each FortiSwitch model.

Before you begin

Before you start administering your FortiSwitch unit, it is assumed that you have completed the initial configuration of the FortiSwitch unit, as outlined in the QuickStart Guide for your FortiSwitch model, and that you have administrative access to the FortiSwitch unit's GUI and CLI.