<policy-id>

Enter the unique ID number of this policy.

description <string>

Enter a description or other information about the policy. The description is limited to 63 characters. Enclose the string in single quotes to enter special characters or spaces.

filter-id <string>

Enter the filter-id of the policy. NOTE:Changing the name of filter-id after authentication causes errors in the output of the diagnose switch 802-1x status-dacl command when the session is using filter-id.

<ingress_policy_ID>

Enter the ingress policy identifier.

description <string>

Enter a description of the policy.

group <integer>

Enter the group ID of the policy. You can only enter 1.

count {enable | disable}

Enable or disable the count action.

drop {enable | disable}

Enable or disable the drop action.

dst-ip-prefix <IP_address_and_netmask>

Enter the destination IP address and subnet mask to be matched.

dst-mac <MAC_address>

Enter the destination MAC address to be matched.

ether-type <integer>

Enter the Ethernet type to be matched.

service <service_name>

Enter the service name to be matched.

src-ip-prefix <IP_address_and netmask>

Enter the source IP address and subnet mask to be matched.

<policy-id>

Enter the unique ID number of this policy.

description <string>

Enter a description or other information about the policy. The description is limited to 63 characters. Enclose the string in single quotes to enter special characters or spaces.

interface <port_name>

Interface that the policy applies to.

schedule <schedule_name>

Select a schedule for when the ACL policy will be enforced.

The schedule must have been defined already with the config system schedule command.

status {active | inactive}

Make the egress ACL policy active or inactive.

cos <802.1Q CoS value to match>

Enter the 802.1Q CoS value to match.

dscp <DSCP value to match>

Enter the DSCP value to match.

dst-ip-prefix <IP_address> <mask>

Destination IP address and subnet mask to be matched.

dst-mac <MAC_address>

Destination MAC address to be matched.

ether-type <integer>

Ethernet type to be matched.

service <service_ID>

Service type to be matched.

src-ip-prefix <IP_address> <mask>

Source IP address and subnet mask to be matched.

src-mac <MAC_address>

Source MAC address to be matched.

vlan-id <VLAN_ID>

VLAN identifier to be matched.

count {enable | disable}

Enable or disable the count action.

drop {enable | disable}

Enable or disable the drop action.

mirror <mirror_session>

Mirror session name.

outer-vlan-tag <integer>

Outer VLAN tag.

policer <policer>

Identifier of the policer to associate with this policy. To create a policer, see config switch acl policer.

redirect <interface_name>

Redirect interface name.

<policy-id>

Enter the unique ID number of this policy.

description <string>

Enter a description or other information about the policy. The description is limited to 63 characters. Enclose the string in single quotes to enter special characters or spaces.

group <group_ID>

Enter the group identifier of the policy. The range of group identifiers varies among the different platforms.

Starting in FortiSwitchOS 6.2.0, you can create groups for multiple ingress ACLs.

ingress-interface <port > [<port > ... <port >]

If ingress-interface-all is disabled, enter the interface list to which the policy is bound on the ingress.

ingress-interface-all {enable | disable}

If enabled, policy is bound to all interfaces.

schedule <schedule_name>

Select a schedule for when the ACL policy will be enforced.

The schedule must have been defined already with the config system schedule command.

status {active | inactive}

Make the ingress ACL policy active or inactive.

cos <802.1Q CoS value to match>

Enter the 802.1Q CoS value to match.

dscp <DSCP value to match>

Enter the DSCP value to match.

src-mac

Enter the source MAC address to be matched.

dst-mac

Enter the destination MAC address to be matched.

ether-type

Enter the Ethernet type to be matched.

src-ip-prefix

Enter the source IP address and subnet mask to be matched.

dst-ip-prefix

Enter the destination IP address and subnet mask to be matched.

service

Enter the service type to be matched.

vlan-id

Enter the VLAN identifier to be matched.

cos-queue <0 - 7>

CoS queue number (0 - 7).

count

Enable or disable the count action.

cpu-cos-queue <integer>

CPU CoS queue number. This CoS queue is only used if the packets reach the CPU. Enter set cpu-cos-queue ? to see the value range.

drop

Enable or disable the drop action.

egress-mask {<physical_port_name> | internal}

List of physical ports to be configured in egress mask.

mirror <mirror_session>

Mirror session name.

outer-vlan-tag

Outer VLAN tag.

policer

Identifier of the policer to associate with this policy. To create a policer, see config switch acl policer.

redirect <interface_name>

Redirect interface name.

redirect-bcast-cpu

Redirect broadcast to all ports including the CPU.

redirect-bcast-no-cpu

Redirect broadcast to all ports excluding the CPU.

redirect-physical-port

List of ports to redirect the packet.

remark-cos <0-7>

Set the CoS marking value. The range is 0-7.

<policer index>

Enter the index for this ACL policer

description <string>

Enter a text description for the policer.

guaranteed-bandwidth <bandwidth_value>

Enter the amount of bandwidth guaranteed to be available for traffic controlled by the policy. The value range is 0 to 16 776 000 Kbits/second.

guaranteed-burst <in_bytes>

Guaranteed burst size in bytes (max value = 4294967295)

maximum-burst <in_bytes>

Maximum burst size in bytes (max value = 4294967295)

<policy-id>

Enter the unique ID number of this policy.

description <string>

Enter a description or other information about the policy. The description is limited to 63 characters. Enclose the string in single quotes to enter special characters or spaces.

interface <port_name>

Interface that the policy applies to.

schedule <schedule_name>

Select a schedule for when the ACL policy will be enforced.

The schedule must have been defined already with the config system schedule command.

status {active | inactive}

Make the prelookup ACL policy active or inactive.

cos <802.1Q CoS value to match>

Enter the 802.1Q CoS value to match.

dscp <DSCP value to match>

Enter the DSCP value to match.

dst-ip-prefix <IP_address> <mask>

Destination IP address and subnet mask to be matched.

dst-mac <MAC_address>

Destination MAC address to be matched.

ether-type <integer>

Ethernet type to be matched.

service <service_ID>

Service type to be matched.

src-ip-prefix <IP_address> <mask>

Source IP address and subnet mask to be matched.

src-mac <MAC_address>

Source MAC address to be matched.

vlan-id <VLAN_ID>

VLAN identifier to be matched.

count {enable | disable}

Enable or disable the count action.

cos-queue <0-7>

CPU CoS queue number (20-29). Only if packets reach to CPU. The value range is 20-29.

drop {enable | disable}

Enable or disable the drop action.

outer-vlan-tag <integer>

Outer VLAN tag.

<service name>

Enter the name of this custom service.

comment <string>

Add comments for the custom service.

color <0-32>

Set the icon color to use in the Web-based manager. A value of zero sets the default color (1).

protocol {ICMP | IP | TCP/UDP/SCTP}

Select the protocol used by the service.

These protocols are available when explicit-proxy is enabled.

icmptype <0-255>

If you set the protocol to ICMP, set the ICMP type.

icmpcode <0-255>

If you set the protocol to ICMP, set the ICMP code.

protocol-number

For an IP service, enter the IP protocol number.

sctp-portrange

For SCTP services, enter the destination and source port ranges.

tcp-portrange

For TCP services, enter the destination and source port ranges.

density-mode

Enable or disable density mode.

mgmt-vlan <1-4094>

Set the VLAN to use for the native VLAN on ISL ports and the native VLAN on the internal switch interface.

auto-fortilink-discovery {enable | disable}

Enable or disable the capability for the FortiGate unit to automatically discover the FortiLink interface on the switch.

auto-isl {enable | disable}

Enable or disable the capability to automatically form an inter-switch LAG.

auto-isl-port-group <0-9>

Set the ISL port group. The range is 0-9.

auto-stp-priority {enable | disable}

Enable or disable the automatic assigned STP switch priortiy.

dhcp-snooping-database-export {disable | enable}

Enable or disable whether the DHCP snooping database is exported to file.

dmi-global-all {enable | disable}

Enable or disable DMI globally.

flapguard-retain-trigger {enable | disable}

Enable this setting to keep the “triggered” status in the output of the diagnose flapguard status command after a switch has been rebooted until the port has been reset with the execute flapguard reset <port_name> command.

Disable this setting to reset the “triggered” status when the switch is rebooted.

flood-unknown-multicast {enable | disable}

Enable or disable whether to flood the VLAN with unknown multicast messages.

fortilink-heartbeat-timeout <0-300>

Set how long before the FortiLink heartbeat times out. Set the value to 0 to disable the FortiLink heartbeat.

fortilink-p2p-native-vlan <integer>

Specify the native VLAN on the inter-switch link (ISL) when fortilink-p2p is enabled under the config switch physical port command.

fortilink-p2p-tpid <interger>

Set the FortiLink point-to-point TPID value. The range of values is 0x0001 to 0xfffe.

This command is only available in FortiLink mode.

fortilink-vlan-optimization {enable | disable}

Enable or disable FortiLink VLAN optimization.

forti-trunk-dmac <xx:xx:xx:xx:xx:xx>

Enter the destination MAC address to be used for FortiTrunk heartbeat packets.

ip-mac-binding {enable | disable}

Enable or disable IP-MAC binding for the switch

l2-memory-check {enable | disable}

Enable or disable whether FortiSwitchOS checks the size of the layer-2 table. When this feature is enabled, the set l2-memory-check interval command controls the frequency that the table is checked. When the table size is more than 75-percent full or less than 70-percent full, FortiSwitchOS adds a warning to the system log.

l2-memory-check-interval <number_of_seconds>

When l2-memory-check is enabled, FortiSwitchOS checks the size of the layer-2 table at the specified interval. The range of values is 5-86400 seconds.

log-mac-limit-violations {enable | disable}

Enable or disable the logging of layer-2 learning limit violations for an interface or VLAN. The most recent violation that occurred on each interface or VLAN is logged. After that, no more violations are logged until the log is reset for the triggered interface or VLAN. Only the most recent 128 violations are displayed in the console.

NOTE: This command is only displayed if your FortiSwitch model supports it.

log-source-guard-violations {enable | disable}

Enable or disable logs for source guard violations on a system-wide level.

loop-guard-tx-interval <0-30>

Enter the loop guard transmit interval. Value range is 1-30. The units is seconds.

mac-aging-interval <seconds>

Specify how often the learning-limit violation log is reset. The range is 10 to 1,000,000 seconds. Set to 0 to disable.

mac-violation-timer <integer>

How long (in minutes) violations of the layer-2 learning limit are kept in the log. The value range is 0-1500. Set to 0 to disable the timer.

max-frame-size <bytes_int>

Set the maximum frame size. The range is 68 to 16360.

NOTE: For non-1xxE FortiSwitch units, this command is under the config switch physical-port command.

max-path-in-ecmp-group <integer>

Set the maximum path in one ECMP group.

mclag-igmpsnooping-aware {enable | disable}

Enable this option to synchronize both query ports and group entries across peer MCLAG trunks. This option can be used in standalone mode and in FortiLink mode.

NOTE: For IGMP snooping to work correctly in an MCLAG, you need to use the set mclag-igmpsnooping-aware enable command on all FortiSwitch units in the network topology and use the set igmps-flood-reports enable command on each MCLAG core FortiSwitch unit.

mclag-peer-info-timeout <integer>

Enter the MCLAG peer info timeout. The value range is 30 to 600 seconds.

mclag-port-base <integer>

Set the MCLAG port base.

mclag-split-brain-all-ports-down {enable | disable}

When this option is enabled and a split-brain state occurs, the switch that goes dormant shuts down all ports before going dormant; the state of the ICL trunk ports is not changed.

When this option is disabled and a split-brain state occurs,

the switch that goes dormant does not shut down any ports before going dormant.

This command is only available when mclag-split-brain-detect is enabled.

mclag-split-brain-detect {enable | disable}

Enable or disable the detection of the MCLAG split-brain state.

mclag-split-brain-priority <0-100>

When the split-brain state occurs, the switch with the lowest priority goes dormant. If both switches have the same priority, the switch with the lowest MAC address goes dormant when the split-brain state occurs.

This command is only available when mclag-split-brain-detect is enabled.

mclag-stp-aware {enable | disable}

Enable or disable whether the STP can be used within the MCLAG.

mirror-qos <0-7>

Enter the quality of service (QoS) priority for packets mirrored by this FortiSwitch unit. Applies only to the FS-524D, FS-524D-FPOE, FS-548D, FS-548D-FPOE, FS-1048E, and FS-3032D models.

name <string>

Enter a name for the switch.

neighbor-discovery-to-cpu {enable | disable}

Enable or disable the forwarding of reserved multicast packets to the CPU. Applies only to the 200 Series and 400 Series.

packet-buffer-mode {store-forward | cut-through}

Set the switching mode to store-and-forward or cut-through for the main buffer of the FS-1024D, FS-1048D, or FS-3032D model.

poe-alarm-threshold <threshold (percent of total power budget) above which an alarm event is generated>

Enter the threshold (a specified percentage of the total power budget) above which an alarm event is generated.

poe-guard-band <integer>

Enter the power (W) to reserve in case of a spike in PoE consumption.

poe-power-budget <integer>

Set or override the maximum power budget.

poe-power-mode {first-come-first-served | priority}

Set the PoE power mode to priority based or first-come, first-served.

poe-pre-standard-detect {disable | enable}

Enable or disable PoE pre-standard detection.

NOTE: PoE pre-standard detection is a global setting for the following FortiSwitch models: FSR-112D-POE, FS-548D-FPOE, FS-524D-FPOE, FS-108D-POE, FS-224D-POE, FS-108E-POE, FS-108E-FPOE, FS-124E-POE, FS-124E-FPOE, 148F-POE, and 148F-FPOE. For the other FortiSwitch PoE models, PoE pre-standard detection is set on each port.

qos-drop-policy {random-early-detection | taildrop}

• taildrop — When the queue is full, new packets are dropped.
• random-early-detection — As the queue fills, the probability increases that packets will be dropped.

qos-red-probability <integer>

Set the QoS RED/WRED drop probability. The FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, and FS-124E-FPOE models support 0-100 percent. The FS-148E, FS-148E-POE, and FS-148E-FPOE models support 0-25 percent.

NOTE: This command is available only for the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models.

reserved-mcast-to-cpu {enable | disable}

Enable or disable the forwarding of IPv6 neighbor-discovery packets to the CPU. Applies only to the 200 Series and 400 Series.

source-guard-violation-timer <intebger>

Enter the number of minutes for a global timeout for source guard violations. The range of values is 0-1500. Set this option to 0 to disable it.

This command is only available when log-source-guard-violations is enabled.

trunk-hash-mode {default| enhanced}

Set the trunk hash mode to default or enhanced

trunk-hash-unicast-src-port {enable | disable}

Enable or disable whether the trunk hashing algorithm for unicast packets uses the source port.

trunk-hash-unkunicast-src-dst {enable | disable}

Enable or disable trunk hash for unknown unicast src-dst.

virtual-wire-tpid <0x0001-0xfffe>

TPID value used by virtual-wires. The value range is from 0x0001 to 0xfffe.

Choose a value unlikely to be seen as a TPID or ethertype in your network.

link-down-auth

• set-unauth — revert all devices to the un-authenticated state. Each device will need to reauthenticate.
• no-action — if reauthenication is not required.

mab-reauth {enable | disable}

Enable or disable whether MAB retries authentication before assigning a device to a guest VLAN for unauthorized users.

max-reauth-attempt

If 802.1x authentication fails, this setting caps the number of attempts that the system will initiate. The range is from 0 to 15 where "0" disables the reauthentication attempts.

quarantine-vlan {enable | disable}

Enable or disable quarantine VLAN detection. Enable this setting to use quarantines with 802.1x MAC-based authentication in FortiLink mode.

reauth-period

Defines how often the device needs to reauthenticate. If a session remains active beyond this number of minutes, the system requires the device to reauthenticate.

aging-time <integer>

The maximum number of seconds to retain a multicast snooping entry for which no packets have been seen (15-3600).

leave-response-timeout <integer>

Enter the maximum number of seconds that the switch waits after sending a group-specific query in response to the leave message. The range of values is 1-20.

<interface_name>

Enter the name of the interface.

allowed-vlans

{vlan1 vlan2 ...}

Enter the names of the VLANs permitted on this interface.

arp-inspection-trust {trusted | untrusted}

Set the interface to trusted or untrusted.

auto-discovery-fortilink {enable | disable}

Enable or disable automatically discovery of the port used for FortiLink.

auto-discovery-fortilink-packet-interval <3-300>

Enter the FortiLink packet interval for automatic discovery. The value range is 3 to 300 seconds.

default-cos <0-7>

Set the default CoS value for untagged packets. Integer in the range of 0 to 7.

The configured default CoS only applies if you also set trust-dot1p-map on the interface.

NOTE: The set default-cos command is not available on the following FortiSwitch models: 224D-FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE, and 248E-FPOE.

description <string>

Enter a description of the interface.

discard-mode {all-tagged | all-untagged | none}

Set the discard mode for this interface.

dhcp-snooping {trusted | untrusted}

Set the interface to trusted or untrusted.

dhcp-snoop-learning-limit-check {disable | enable}

Enable or disable whether there is a limit for how many IP addresses are in the DHCP snooping binding database for this interface.

dhcp-snooping-option82-trust {enable | disable}

Enable or disable (allow/disallow) DHCP packets with option-82 on an untrusted interface.

edge-port {enabled | disabled}

Enable if the port does not have another switch connected to it.

igmp-snooping-flood-reports {enable | disable}

Enable or disable whether to flood IGMP-snooping reports to this interface.

NOTE: For IGMP snooping to work correctly in an MCLAG, you need to use the set mclag-igmpsnooping-aware enable command on all FortiSwitch units in the network topology and use the set igmp-snooping-flood-reports enable command on each MCLAG core FortiSwitch unit.

mcast-snooping-flood-traffic {enable | disable}

Enable or disable whether to flood multicast traffic to this interface.

mld-snooping-flood-reports {enable | disable}

Enable or disable whether to flood MLD-snooping reports to this interface.

ip-mac-binding {enable | disable | global}

Enable or disable IP-MAC binding for this interface. Set the value to 'global', the interface inherits the global ip-mac-binding configuration value.

ip-source-guard {enable | disable}

Enable or disable IP source guard for this interface. After you enable this feature, use the config switch ip-source-guard command to configure it.

learning-limit <0 - 128>

Limit the number of dynamic MAC addresses on this port.

The value range is 0 and 128. Setting the learning-limit to 0 means that there is no limit to the number of MAC addresses learned.

NOTE: You cannot set the learning-limit on the internal interface.

learning-limit-action {none | shutdown}

When the leaning-limit is exceeded, select none to take no action or select shutdown to disable this interface. The learning-limit-action applies only to physical switch port interfaces, not to trunks or VLANs.

The learning-limit-action is available only when learning-limit has been set to 1-128.

log-mac-event {enable | disable}

Enable or disable the logging of dynamic MAC address events.

loop-guard {enabled | disabled}

Enable or disable loop guard for this interface.

loop-guard-timeout <0-120>

After enabling loop guard, set the number of minutes before loop guard resets. Setting this value to 0 means that there is no timeout.

loop-guard-mac-move-threshold <0-100>

After enabling loop guard, set the number of MAC address moves per second for this interface. The threshold must be exceeded for 6 consecutive seconds to trigger loop guard.

nac {enable | disable}

This command is available only in FortiLink mode. Enable to allow the switch to transmit MAC events to the FortiGate device to imporve network access control (NAC) performance.

native-vlan <vlan_int>

Enter the native (untagged) VLAN for this interface.

packet-sampler {enabled | disabled}

Enable or disable packet sampling for flow export.

sample-direction {both | rx |tx}

Set the sFlow sample direction to monitor received traffic (rx), monitor transmitted traffic (tx), or monitor both.

This option is only available when the packet-sampler is enabled.

packet-sample-rate <0-99999>

If packet-sampler is set to enabled, you can change the packet sample rate.

private-vlan {disabled | promiscuous | sub-vlan}

Enable private VLAN functionality.

NOTE: Private VLANs are not supported on the FortiSwitch-28C.

ptp-policy {<string> | default}

Enter the name of the Precision Time Protocol (PTP) policy.

qos-policy {<string> | default}

Enter the name of the QoS egress CoS queue policy.

rpvst-port {enabled | disabled}

Enable or disable whether this interface interoperates with per-VLAN spanning tree (PVST).

security-groups <security-group-name>

Enter the security group name if you are using port-based authentication or MAC-based authentication.

sflow-counter-interval <0-255>

Set the polling interval for the sFlow sampler counter. Set to 0 to disable polling.

snmp-index <integer>

Enter the SNMP index for this interface.

sticky-mac {disable | enable}

Enable or disable whether dynamically learned MAC addresses are persistent when the status of a FortiSwitch port changes (goes down or up).

stp-bpdu-guard {disabled | enabled}

Enable or disable STP BPDU guard protection. To use STP BPDU guard on this interface, you must enable stp-state and edge-port.

stp-loop-protection {enabled | disabled}

Enable or disable STP loop protection on this interface.

stp-root-guard {disabled | enabled}

Enable or disable STP root guard protection. To use STP root guard, you must enable stp-state.

stp-state {enabled | disabled}

Enable or disable Spanning Tree Protocol (STP) on this interface.

trust-dot1p-map

Whether to trust the dot1p CoS value in the incoming packets. Specify a map to map the CoS value to an egress queue value.

trust-ip-dscp-map

Whether to trust the DSCP QoS value in the incoming packets. Specify a map to map the DSCP value to an egress queue value.

untagged-vlans

Select the allowed-vlans to be transmitted without VLAN tags

vlan-mapping-miss-drop {enable | disable}

Enable or disable whether a packet is dropped if the VLAN ID in the packetʼs tag is not defined in the vlan-mapping configuration.

vlan-tpid <default | string>

Select which VLAN TPID profile to use. The default VLAN TPID profile has a value of 0x8100 and cannot be deleted or changed.

NOTE: If you are not using the default VLAN TPID profile, you must have already defined the VLAN TPID profile with the config switch vlan-tpid command.

allow-mac-move {enable | disable}

Enable on the destination port when an 802.1x client is being moved between ports that are not directly connected to the FortiSwitch unit.

eap-egress-tagged {enable | disable}

When allow-mac-move is enabled, you can enable this option to ensure that egress EAPOL packets are tagged without needing additional checking.

port-security-mode {none | 802.1X | 802.1X-mac-based | macsec}

Set the security mode for the port.

• 802.1X—Use this setting for port-based authentication.
• 802.1Xmac-based—Use this setting for MAC-based authentication.
• macsec—Use this setting for MACsec.

If you change the security mode from none, you must set the security group with the set security-groups command.

auth-fail-vlan {enable | disable}

When enabled, the system assigns the auth-fail-vlanid to users who attempted to authenticate but failed to provide valid credentials.

auth-fail-vlanid <VLAN_id>

Enter the VLAN identifier that the system assigns to users who attempted to authenticate but failed to provide valid credentials. This field is mandatory when auth-fail-vlan is enabled.

authserver-timeout-period <3-15>

Enter the number of seconds before the authentication server stops trying to authenticate users.

authserver-timeout-vlan {enable | disable}

Enable or disable whether users are assigned to the specified VLAN when the authentication server times out.

authserver-timeout-vlanid <1-4094>

Enter the VLAN identifier that the system assigns to users when the authentication server times out. This field is mandatory when authserver-timeout-vlan is enabled.

dacl {enable | disable}

Enable or disable the dynamic access control list (DACL) on this interface.

eap-auto-untagged-vlans {enable | disable}

Enable to allow voice traffic with voice VLAN tag at egress.

eap-passthru {disable | enable}

Enable or disable the EAP pass-through mode.

framevid-apply {disable | enable}

Enable or disable the capability to apply the EAP/MAB frame VLAN to the port native VLAN.

NOTE: For phone and PC configuration only, disable framevid-apply to preserve the native VLAN when the data traffic is expected to be untagged.

guest-auth-delay <integer>

If a device does not attempt to authenticate within this timeframe (in seconds), the guest VLAN is assigned.

guest-vlan {enable | disable}

When enabled, the system assigns the guest-vlanid to unauthorized users.

guest-vlanid <VLAN_id>

VLAN identifier. Mandatory field when guest VLAN is enabled.

mab-eapol-request <0-10>

Set how many EAP packets are sent to trigger EAP authentication for “silent supplicants” (such as end devices running Windows 7) that send non-EAP packets when they wake up from sleep mode.

To disable this feature, set mab-eapol-request to 0 or disable mac-auth-bypass.

mac-auth-bypass {enable | disable}

Enable or disable MAC auth bypass.

macsec-profile <MACsec_profile_name>

If you set the port-security-mode to macsec, specify which MACsec profile to use. Use the config switch macsec profile command to create a MACsec profile.

open-auth {enable | disable}

Enable or disable open authentication (monitor mode) on this interface.

quarantine-vlan {enable | disable}

Enable or disable quarantine VLAN detection. Enable this setting to use quarantines with 802.1x MAC-based authentication in FortiLink mode.

radius-timeout-overwrite {enable | disable}

Enable this option to use the value of the session-timeout attribute. The session-timeout attribute specifies how many seconds of idleness are allowed before the FortiSwitch unit disconnects a session. The value must be more than 60 seconds.

<ID>

Enter an identifier for the IPv6 RA-guard configuration.

raguard-policy <name_of_RA_guard_policy>

Enter the name of the RA-guard policy to use for this interface.

The RA-guard policy must be created (with the config switch raguard-policy command) before it is applied to an interface.

vlan-list <list_of_VLANs>

Enter a VLAN or a range of VLANs to apply this policy to. Use less than 4,096 characters for the vlan-list value. Separate the VLANs and VLAN ranges with commans, for example:

1,3-4,6,7,9-100

status {enable | disable}

Enable or disable VLAN stacking (QnQ) mode.

add-inner <1-4095>

If the QnQ mode is enabled, add the inner tag for untagged packets upon ingress.

edge-type customer

If the QnQ mode is enabled, the edge type is set to customer.

priority {follow-c-tag | follow-s-tag}

If the QnQ mode is enabled, select whether to follow the priority of the S-tag (service tag) or C-tag (customer tag).

NOTE: This command is not available on the 224D-FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE and 248E-FPOE models.

remove-inner {enable | disable}

If the QnQ mode is enabled, enable or disable whether the inner tag is removed upon egress.

s-tag-priority <0-7>

If packets follow the priority of the S-tag (service tag), enter the priority value. This option is available only when the priority is set to follow-s-tag.

NOTE: This command is not available on the 224D-FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE and 248E-FPOE models.

vlan-mapping-miss-drop {enable | disable}

If the QnQ mode is enabled, enable or disable whether a packet is dropped if the VLAN ID in the packetʼs tag is not defined in the vlan-mapping configuration.

<id>

Enter a mapping entry identifier.

description <string>

Enter a description of the mapping entry.

match-c-vlan <1-4094>

Enter a matching customer (inner) VLAN.

new-s-vlan <1-4094>

Enter a new service (outer) VLAN.

NOTE: The VLAN must be in the portʼs allowed VLAN list.

This option is only available after you set the value for match-c-vlan.

<id>

Enter an identifier for the VLAN mapping entry.

description <string>

Enter a description of the VLAN mapping entry.

direction {egress | ingress}

Select the ingress or egress direction.

match-s-vlan <1-4094>

If the direction is set to egress, enter the service (outer) VLAN to match.

match-c-vlan <1-4094>

If the direction is set to ingress, enter the customer (inner) VLAN to match.

action {add | delete | replace}

Select what happens when the packet is matched:

• add—When the packet is matched, add the service VLAN. You cannot set the action to add for the egress direction.
• delete—When the packet is matched, delete the service VLAN. You cannot set the action to delete for the ingress direction.
• replace—When the packet is matched, replace the customer VLAN or service VLAN.

This option is only available after you set a value for match-c-vlan or match-s-vlan.

<sequence_int>

Enter a sequence number for the IP-MAC binding entry.

ip <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>

Enter the source IP address and network mask for this rule.

mac <xx:xx:xx:xx:xx:xx>

Enter the MAC address for this rule.

<port_name>

Enter the name of the port.

<id>

Enter a unique integer to create a new entry.

ip <xxx.xxx.xxx.xxx>

Required. Enter the IPv4 address to bind to the MAC address. Masks are not supported.

profile

Enter a name for the LLDP profile.

802.1-tlvs

The only 802.1 TLV that can be enabled or disabled is port-vlan-id. This TLV will send the native VLAN of the port. If the value is changed, the sent value will reflect the updated value.

802.3-tlvs {eee-config | max-frame-size | power-negotiation}

• eee-config—Use this TLV to send the energy-efficient Ethernet (EEE) status of the port.
• max-frame-size—This TLV will send the maximum frame size value of the port. If the value is changed, the sent value reflects the updated value.
• power-negotiation—Use this TLV to send the power over Ethernet (PoE) classification of the port.

auto-isl

Enable or disable the auto ISL capability.

auto-isl-hello-timer <1-30>

Enter a value (in seconds) for the hello timer. The range is 1 to 30.

auto-isl-port-group <0-9>

Enter a value for the port group. The range is 0 to 9.

auto-isl-receive-timeout

Enter a value (in seconds) for the receive timeout. The range is 3 to 90.

auto-mclag-icl {enable | disable}

Enable or disable the MCLAG inter-chassis link.

med-tlvs (inventory-management | location-identification | network-policy | power-management)

Enable the inventory-management TLVs, location-identification TLVs, network-policy TLVs, and/or power-management TLVs.

<TLVname_str>

Enter the TLV name.

information-string

Organizationally defined information string. Enter up to 507 bytes in hexadecimal notation.

oui

Organizationally unique identifier. Enter 3 hexadecimal bytes (000000 - FFFFFF). At least one byte must have a non-zero value.

subtype

Organizationally defined subtype. Enter an integer in the range of 0 to 255.

address-civic

Civic address and postal information.

status {enable | disable}

Enable the status to transmit the type-length-value (TLV) if the LLDP-MED profile has been enabled on a port.

sys-location-id <string>

Use the specified location entry that was already entered with the config system location command.

coordinates

Coordinates of the location.

status {enable | disable}

Enable the status to transmit the type-length-value (TLV) if the LLDP-MED profile has been enabled on a port.

sys-location-id <string>

Use the specified location entry that was already entered with the config system location command.

elin-number

Emergency location identifier number (ELIN).

status {enable | disable}

Enable the status to transmit the type-length-value (TLV) if the LLDP-MED profile has been enabled on a port.

sys-location-id <string>

Use the specified location entry that was already entered with the config system location command.

{guest-voice | guest-voice-signaling | softphone-voice | streaming-video | video-conferencing | video-signaling | voice | voice-signaling}

Enter one of the policy type names.

status {enable | disable}

Enable or disable the policy for the policy type.

assign-vlan {enable | disable}

Enable or disable whether the VLAN is added as one of the allowed-vlans for this port.

dscp <0-63>

DSCP value to send.

priority <0-7>

CoS priority value to send.

status

Enable or disable

tx-hold

Number of tx-intervals before the local LLDP data expires. Therefore, the packet TTL (in seconds) is tx-hold times tx-interval. The range for tx-hold is 1 to 16.

tx-interval

How often the FortiSwitch transmits the LLDP PDU. The range is 5 to 4095 seconds.

fast-start-interval

How often the FortiSwitch transmits the first 4 LLDP packets when a link comes up. The range is 2 to 5 seconds.

Set this variable to zero to disable fast start.

management-interface

Primary management interface to be advertised in LLDP and CDP PDUs.

Enter the number of packets for the MACsec replay window size. If two packets arrive with the difference between their packet identifiers more then the replay window size, the most recent packet of the two is dropped. The range is 0-16777215 packets. Enter 0 to ensure that all packets arrive in order without any repeats.

Enter the string of hexadecimal digits for the connectivity association key (CAK). The string can be up to 32-bytes long.

Enter the string of hexadecimal digits for the connectivity association name (CKN). The string can be 1-byte to 64-bytes long.

The status of the pre-shared key pair is always active.

config traffic-policy

<traffic_policy_name>

Enter a name for this MACsec traffic policy.

security-policy must-secure

The policy must secure traffic for MACsec.

<mirror session name>

Enter the name of the mirror session to edit (or enter a new mirror session name).

dst <interface>

Required when the mode is set to ERSPAN-manual, RSPAN (when the switch is not in FortiLink mode), or SPAN.

On FortiSwitch models that support RSPAN and ERSPAN, set the trunk or physical port that will act as a mirror. The physical port cannot be part of a trunk.

On FortiSwitch models that do not support RSPAN and ERSPAN, set the physical port that will act as a mirror. The physical port can be part of a trunk.

encap-gre-protocol <hexadecimal_integer>

Set the protocol value in the ERSPAN GRE header.

This option is available when the mode is ERSPAN-auto or ERSPAN-manual.

encap-ipv4-src <IPv4_address>

Required when the mode is set to ERSPAN-manual and the status is active.

Set the IPv4 source address in the ERSPAN IP header. The range is 0.0.0.1-255.255.255.254.

This option is available when the mode is ERSPAN-manual.

encap-ipv4-tos <hexadecimal_integer>

Set the type of service (ToS) value or enter the DSCP and ECN values in the ERSPAN IP header.

This option is available when the mode is ERSPAN-auto or ERSPAN-manual.

encap-ipv4-ttl <0-255>

Set the IPv4 time-to-live (TTL) value in the ERSPAN IP header.

This option is available when the mode is ERSPAN-auto or ERSPAN-manual.

encap-mac-dst <MAC_address>

Required when the mode is set to ERSPAN-manual and the status is active.

Set the MAC address of the next-hop or gateway on the path to the ERSPAN collector IP address. The range is 00:00:00:00:00:01-FF:FF:FF:FF:FF:FF.

This option is available only when the mode is ERSPAN-manual.

encap-mac-src <MAC_address>

Required when the mode is set to ERSPAN-manual and the status is active.

Set the source MAC address in the ERSPAN Ethernet header. The range is 00:00:00:00:00:01-FF:FF:FF:FF:FF:FE.

This option is available when the mode is ERSPAN-manual.

encap-vlan {tagged | untagged}

Set the status of ERSPAN encapsulation headers to tagged or untagged to control whether the VLAN header is added to the encapsulated traffic.

This option is available if the mode is ERSPAN-manual.

encap-vlan-cfi <0-1>

Set the canonical format identifier (CFI) or drop eligible indicator (DEI) bit in the ERSPAN or RSPAN VLAN header.

This option is available when the mode is RSPAN or ERSPAN-auto. This option is available for the ERSPAN-manual mode if encap-vlan is set to tagged.

When the mode is RSPAN, this option is not available on the 248D, 248D-POE, 248D-FPOE,248E, 248E-POE, 248E-FPOE, 448D, 448D-POE, and 448D-FPOE models.

encap-vlan-id <1-4094>

Set the VLAN identifier in the ERSPAN or RSPAN VLAN header.

This option is available when the mode is RSPAN. This option is available for the ERSPAN-manual mode if encap-vlan is set to tagged.

encap-vlan-priority <0-7>

Set the class of service (CoS) bits in the ERSPAN or RSPAN VLAN header.

This option is available when the mode is RSPAN or ERSPAN-auto. This option is available for the ERSPAN-manual mode if encap-vlan is set to tagged.

When the mode is RSPAN, this option is not available on the 248D, 248D-POE, 248D-FPOE,248E, 248E-POE, 248E-FPOE, 448D, 448D-POE, and 448D-FPOE models.

encap-vlan-tpid <0x0001-0xfffe>

Set the tag protocol identifier (TPID) for the encapsulating VLAN header. The default value, 0x8100, is for an IEEE 802.1Q-tagged frame.

This option is available when the mode is RSPAN or ERSPAN-auto. This option is available for the ERSPAN-manual mode if encap-vlan is set to tagged.

erspan-collector-ip <IPv4_address>

Required when the status is active and the mode is set to ERSPAN-auto or ERSPAN-manual.

Set the IPv4 address for the ERSPAN collector. The range is 0.0.0.1-255.255.255.255.

This option is available only when the mode is ERSPAN-auto or ERSPAN-manual.

mode {ERSPAN-auto | ERSPAN-manual | RSPAN | SPAN}

Select the mirroring mode:

• ERSPAN-auto—Mirror traffic to the specified destination interface using ERSPAN encapsulation. The header contents are automatically configured.
• ERSPAN-manual—Mirror traffic to the specified destination interface using ERSPAN encapsulation. The header contents are manually configured.
• RSPAN—Mirror traffic to the specified destination interface using RSPAN encapsulation.
• SPAN—Mirror traffic to the specified destination interface without encapsulation.

SPAN is supported on all FortiSwitch models. RSPAN and ERSPAN are supported on 124D, 224D-FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE, 248E-FPOE, 524D, 524D-FPOE, 548D, 548D-FPOE, 1024D, 1048D, 1048E, 3032D, and 3032E.

rspan-ip <IPv4_address>

Required when the mode is RSPAN, the status is active, and the switch is in FortiLink mode.

Enter the destination IP address for the RSPAN collector. The range is 0.0.0.1-255.255.255.255.

This option is available only when the mode is RSPAN and the switch is in FortiLink mode.

src-egress <interface_name>

Optional. Set the source egress physical ports that will be mirrored. Only one active egress mirror session is allowed.

src-ingress <interface_name>

Optional. Specify the source ingress physical ports that will be mirrored.

status {active | inactive}

Set the mirror session to active or inactive.

strip-mirrored-traffic-tags {disable | enable}

Enable or disable the removal of VLAN tags from mirrored traffic.

This option is available if the mode is ERSPAN-auto or ERSPAN-manual.

aging-time <integer>

The maximum number of seconds to retain a multicast snooping entry for which no packets have been seen (15-3600).

leave-response-timeout <integer>

Enter the maximum number of seconds that the switch waits after sending a group-specific query in response to the leave message. The range of values is 1-20.

test-monitoring-count <1-5>

Enter the number of MRP_Test frames received that are monitored.

topology-change-interval <10-20 ms>

Enter the number of milliseconds between sending MRP_TopologyChange frames.

ring-port1 <port_name>

The physical port that serves as the first ring port.

ring-port2 <port_name>

The physical port that serves as the second ring port.

<unused network monitor>

Enter the number of an unused network monitor.

db-aging-interval <integer>

Enter the network monitor database aging interval. The value range is 3600-86400 seconds. Set the option to 0 to disable it.

status {disable | enable}

Enable or disable the network monitor.

survey-mode {disable | enable}

Enable or disable the network monitor survey mode.

port-configuration {default | disable-port54 | disable-port41-48 | 4x100G | 6x40G | 4x4x25G}

For 548D and 548D-FPOE, set this option to disable-port54 if only port 53 is splittable and port 54 is unavailable.

For 548D and 548D-FPOE, set this option to disable-port41-48 if ports 41 to 48 are unavailable, but ports 53 and 54 are splittable.

For 1048E, set this option to 4x100G to enable the maximum speed (100G) of ports 49 through 52. Ports 53 and 54 are disabled.

For 1048E, set this option to 6x40G to enable the maximum speed (40G) of ports 49 through 54.

For 1048E, set this option to 4x4x25G to enable the maximum speed (25G) of ports 49 through 52. Ports 47 and 48 are disabled.

<port_name>

Enter the port name.

cdp-status {disable | rx-only | tx-only | tx-rx}

• disable disables CDP transmit and receive.
• rx-only enables CDP as receive only.
• tx-only enables CDP as transmit only.
• tx-rx enables CDP transmit and receive.

description <description_str>

Optionally enter a description.

dmi-status

Enable or disable DMI access. Set to global to use the global switch setting.

egress-drop-mode {disabled | enabled>

Enable or disable egress drop.

energy-efficient-ethernet {enable | disable}

Enable or disable energy-efficient Ethernet.

eee-tx-idle-time <integer>

Enter the number of microseconds that circuits are turned off to save power. The range is 0-2560 microseconds. This option is available only if energy-efficient-ethernet is enabled.

eee-tx-wake-time <integer>

Enter the number of microseconds during which no data is transmitted while the circuits that were turned off are being restarted. The range is 0-2560 microseconds. This option is available only if energy-efficient-ethernet is enabled.

fec-state {cl74 | cl91 | detect-by-module | disabled}

Set the Forward Error Correction (FEC) state:

• cl74—Enable Clause 74 RS-FEC, which only applies to 25 Gbps.
• cl91—Enable Clause 91 RS-FEC, which only applies to 100 Gbps.
• detect-by-module—Automatically detect whether FEC is supported by the module. This option applies to the 25G and 100G ports of the FS-1048E and FS-3032E models; this option also applies to the split ports of the FS-1048E and FS-3032E models.
• disabled—Disable FEC.

flapguard {enabled | disabled}

Enable or disable flap guard for this port.

flap-duration <5-300>

After enabling the port flap guard, set the number of seconds during which the flap rate is counted.

flap-rate <1-30>

After enabling the port flap guard, set how many times that a portʼs status changes during a specified number of seconds before the flap guard is triggered.

flap-timeout <0-120>

After enabling the port flap guard, set the number of minutes before flap guard resets. Setting this value to 0 means that there is no timeout.

flow-control {tx | rx | both | disable}

• tx—Enable transmit pause only.
• rx—Enable receive pause only.
• both—Enable both transmit and receive pause.
• disable—Disable flow control.

fortilink-p2p {enable | disable}

Enable or disable running FortiLink mode over a point-to-point layer-2 network.

pause-meter-rate <integer>

Enter the number of kilobits for the ingress metering rate. The range is 64 to 2147483647. Set to 0 to disable. Available if flow-control is set to tx.

pause-resume {25% | 50% | 75%}

Enter the percentage of the threshold to resume traffic to the ingress port. Available if flow-control is set to tx and pause-meter-rate is set to a nonzero value.

l2-learning

Enable or disable dynamic IP learning for this interface

l2-sa-unknown {drop | forward}

Drop or forward unknown (SMAC) packets when dynamic MAC address learning is disabled.

lldp-profile

Enter the LLDP profile name for this port.

lldp-status

• tx-only — enable transmit only
• rx-only — enable receive only
• tx-rx — enable both transmit and receive
• disable — disable LLDP

loopback {disable | local | remote}

• Select local for a physical-layer loopback. If the hardware does not support a physical-layer loopback, a MAC-address loopback is used instead.
• Select remote for a physical-layer lineside loopback.

max-frame-size <bytes_int>

Set the maximum frame size. The range is 68 to 16360.

NOTE: For the eight models in the 1xxE series, this command is under the config switch global command.

poe-port-mode {IEEE802_3AF | IEEE802_3AT}

Set the PoE port mode to IEEE802.3AFor IEEE802.3AT.

poe-port-priority {critical-priority | high-priority | low-priority}

Set the port priority. If there is not enough power, power is alloted first to critical-priority ports, then to high-priority ports, and then to low-priority ports.

poe-pre-standard-detect {disable | enable}

Enable or disable PoE pre-standard detection.

NOTE: PoE pre-standard detection is a global setting for the following FortiSwitch models: FSR-112D-POE, FS-548D-FPOE, FS-524D-FPOE, FS-108D-POE, FS-224D-POE, FS-108E-POE, FS-108E-FPOE, FS-124E-POE, FS-124E-FPOE, 148F-POE, and 148F-FPOE. For the other FortiSwitch PoE models, PoE pre-standard detection is set on each port.

poe-status {enable | disable}

Enable Power over Ethernet. This option is only available with the FortiSwitch-324B-POE.

priority-based-flow-control {enable | disable}

Enable priority-based flow control to avoid frame loss by stopping incoming traffic when a queue is congested. When priority-based flow control is disabled, 802.3 flow control can be used.

qsfp-low-power-mode {enabled | disabled}

Enable or disable the low-power mode on FortiSwitch models with QSFP (quad small form-factor pluggable) ports.

speed <speed_str>

Set the speed of this port. Values depend on the switch model and port. For example:

• 1000auto—Auto-negotiation (1 Gbps full-duplex only).
• 100full—100 Mbps full-duplex.
• 100half—100 Mbps half-duplex.
• 10full—10 Mbps full-duplex.
• 10half—10 Mbps half-duplex.
• auto—Auto-negotiation.
• 10000cr—10 Gbps copper interface.
• 10000full—10 Gbps full-duplex.
• 10000sr—10 Gbps SFI interface.
• 1000full—1 Gbps full-duplex.
• auto-module—Maximum speed supported by module.

status {down | up}

Set the administrative status of this interface: up or down.

storm-control-mode {disabled | global | override}

By default, you configure storm control on a system-wide level. Set this option to override if you want to configure storm control on a per-port level using the config storm-control command, which is only available when the storm-control-mode is set to override. Set this option to disabled to deactivate port-level storm-control configuration.

broadcast {enable | disable}

Enable or disable storm control for broadcast traffic.

burst-size-level <0-4>

Set the burst-size level for storm control. Use a higher number to handle bursty traffic. The maximum number of packets or bytes allowed for each burst-size level depends on the switch model.

NOTE: This command is not available for the FS-108E, FS-108E-POE, FS-108-FPOE, FS-124E, FS-124E-POE, and FS-124E-FPOE models.

rate [0 | 2-10000000]

Specify the rate as packets-per-second. If you set the rate to zero, the system drops all packets (for the enabled traffic types).

unknown-multicast {enable | disable}

Enable or disable storm control for unknown multicast traffic.

{default | <policy_name>}

Enter the name of the PTP policy or ue the default PTP policy.

<dot1p map name>

Enter the name of a dot1p map.

<text>

Enter a description of the dot1p map.

[priority-0|priority-1|priority-2|...priority-7] <queue number>

Set the priority of each queue.

<ip-dscp map name>

Enter the name of a DSCP map.

<text>

Enter a description of the DSCP map.

<entry-name>

Enter a unique integer to create a new entry.

diffserv [ [ AF11 | AF12 | AF13 | AF21 | AF22 | AF23 | AF31 | AF32 | AF33 | AF41 | AF42 | AF43 | CS0 | CS1 | CS2 | CS3 | CS4 | CS5 | CS6 | CS7 | EF ]

Set the differentiated service.

ip-precedence [ Network Control | Internetwork Control | Critic/ECP | Flash Override | Flash, Immediate | Priority | Routine ]

Set the IP precedence.

value <dscp raw value>

enter the raw value of DSCP (0-63).

<policy_name>

Enter the name of the QoS policy.

rate-by {kbps | percent}

Set whether the CoS queue rate is measured in kbps or by percentage.

schedule {strict | round-robin | weighted}

• strict—The queues are served in descending order (of queue number), so higher number queues receive higher priority. The purpose of the strict scheduling mode is to provide lower latency service to higher classes of traffic. However, if the interface experiences congestion, the lower priority traffic could be starved.
• round-robin— In round robin mode, the scheduler visits each backlogged queue, servicing a single packet from each queue before moving on to the next one. The purpose of round robin scheduling is to provide fair access to the egress port bandwidth.
• weighted— Each of the eight egress queues is assigned a weight value ranging from 0 to 63. The purpose of weighted round robin scheduling is to provide prioritized access to the egress port bandwidth, such that queues with higher weight get more of the bandwidth, but lower priority traffic is not starved.

[queue-0 ... queue-7]

Set the CoS queue to update.

description <text>

Enter a description of the CoS queue.

drop-policy {taildrop | weighted-random-early-detection}

• taildrop—When the queue is full, new packets are dropped.
• weighted-random-early-detection—When the queue reaches the packet-dropping threshold, packets start getting dropped randomly based on the probability defined in the wred-slope setting.

set ecn {enable | disable}

If you select random early detection in the CLI, you can enable explicit congestion notification (ECN) marking to indicate that congestion is occuring without just dropping packets. If you disable this option, the normal queue drop policy applies.

max-rate <rate kbps>

If you set the rate-by to kbps, enter the maximum rate in kbps. Set the value to 0 to disable.

NOTE: For the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models, the switch rounds the max-rate value to the nearest multiple of 16 internally. If the rounding result is 0, max-rate is disabled internally.

min-rate <rate kbps>

If you set the rate-by to kbps, enter the minimum rate in kbps. Set the value to 0 to disable.

NOTE: This command is not available on the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models.

max-rate-percent <percentage>

If you set the rate-by to percent, enter the maximum rate as a percentage of the link speed.

min-rate-percent <percentage>

If you set the rate-by to percent, enter the minimum rate as a percentage of the link speed.

NOTE: This command is not available on the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models.

weight <value>

Enter the weight of weighted round robin scheduling. (applicable if the policy schedule is weighted )

<MAC_address_to_quarantine>

Enter the MAC address to quarantine.

cos-queue <0-7>

Set the class-of-service queue for the quarantined device traffic. Use the unset cos-queue command to disable this setting.

description <string>

Enter an optional description of the quarantined MAC address.

drop {enable | disable}

Enable or disable whether quarantined device traffic is dropped.

<RA-guard policy name>

Enter the name of the RA-guard policy.

device-role {host | router}

Set whether this policy applies to hosts or routers. If this option is set to host, all RA messages are dropped. If this option is set to router, the policy checks the other specified criteria.

managed-flag {Off | On}

Set to On for the policy to accept RA messages that are flagged with the M (managed address configuration) flag; if the RA messages are not flagged, they are dropped.

Set to Off for the policy to accept RA messages that arenot flagged with the M flag; if the RA messages are flagged, they are dropped.

If this option is not set, the policy skips this check.

other-flag {Off | On}

Set to On for the policy to accept RA messages that are flagged with the O (other configuration) flag; if the RA messages are not flagged, they are dropped.

Set to Off for the policy to accept RA messages that arenot flagged with the O flag; if the RA messages are flagged, they are dropped.

If this option is not set, the policy skips this check.

max-hop-limit <0-255>

Enter the maximum hop number for the policy to accept RA messages with a hop number equal or less than this value.

If this option is not set, the policy skips this check.

min-hop-limit <0-255>

Enter the minimum hop number for the policy to accept RA messages with a hop number equal or more than this value.

If this option is not set, the policy skips this check.

max-router-preference {high | medium | low}

Set the default router preference for the policy to accept RA messages with the router preference equal or less than this setting. When the router preference of RA messages is not set as high, medium, or low, RA guard acts as if the router preference was set to medium.

If this option is not set, the policy skips this check.

match-src-addr <name_of_IPv6_access_list>

Enter the name of the IPv6 access list for the policy to check if the source IPv6 address of the RA message matches an allowed address. The IPv6 access list must be created (with the config router access-list6 command) before it is used in a policy.

tcp-syn-data

TCP SYN packet contains additional data (possible DoS attack).

tcp-udp-port-zero

TCP or UDP packet has source or destination port set to zero.

tcp_flag_zero

TCP packet with all flags set to zero.

tcp_flag_FUP

TCP packet with FIN, URG and PSH flag set.

tcp_flag_SF

TCP packet with SYN and FIN flag set.

tcp_flag_SR

TCP packet with SYN and RST flag set.

tcp_frag_ipv4_icmp

Fragmented ICMPv4 packet.

sip-eq-dip

TCP packet with a source IP address equal to the destination IP address.

tcp_flag

DoS attack checking for TCP flags.

tcp-port-eq

TCP packet with source and destination TCP ports equal.

tcp-flag-FUP

TCP packet with FIN, URG and PSH flags set, and sequence number is zero.

tcp-flag-SF

TCP packet with SYN and FIN flag set.

v4-first-frag

DoS attack checking for IPv4 first fragment.

udp-port-eq

IP packet with source and destination UDP ports equal.

tcp-hdr-partial

TCP packet with partial header.

macsa-eq-macda

Packet with source MAC address equal to destination MAC address.

allow-mcast-sa

Ethernet packet whose source MAC address is multicast.

<sequence number>

Enter a sequence number.

description <optional_string>

Optional. Enter a description of the static MAC address.

interface <interface_name>

Enter the interface name.

mac <static_MAC_address>

Enter the static MAC address.

type {sticky | static}

Set the MAC address as a persistent (sticky) addres or a static address.

broadcast {enable | disable}

Enable or disable storm control for broadcast traffic.

burst-size-level <0-4>

Set the burst-size level for storm control. Use a higher number to handle bursty traffic. The maximum number of packets or bytes allowed for each burst-size level depends on the switch model.

rate [0 | 2-10000000]

Specify the rate as packets-per-second. If you set the rate to zero, the system drops all packets (for the enabled traffic types).

unknown-multicast {enable | disable}

Enable or disable storm control for unknown multicast traffic.

<instance_id>

Enter an instance identifier. The range is 0-32 for 5xx models and higher. For all other models, the range is 0 - 15.

priority <priority_int>

Set the STP priority. The acceptable priority values are 0, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 4096, 40960, 45056, 49152, 53248, 57344, 61440, and 8192.

vlan-range <vlan_map>

Enter the VLANs to which STP applies. <vlan_map> is a comma-separated list of VLAN IDs or VLAN ID ranges, for example “1,3-4,6,7,9-100” .

<port name>

Enter the name of the port.

cost <cost_int>

Enter the cost of using this interface. Use set cost ? for suggested cost values based on link speed.

flood {enable | disable}

Set to enable if you want the STP packets arriving at any port to pass through the switch without being processed. Set to disable if you want to block STP packets arriving at any port.

This command is available only when status is set to disable.

forward-time <fseconds_int>

Enter the forwarding delay in seconds. Range 4 to 30.

hello-time <hseconds_int>

Enter the hello time in seconds. Range 1 to 10.

max-age <age>

Enter the maximum age. Range 6 to 40.

max-hops <hops_int>

Enter the maximum number of hops. Range 1 to 40.

mclag-stp-bpdu {both | single}

Set to both to allow both core switches of an MCLAG to transmit STP BPDUs. Set to single to prevent both core switches of an MCLAG from transmitting STP BPDUs.

name <name_str>

Enter a string value for the name.

revision <rev_int>

Range 0 to 65535.

<trunk name>

Enter a name for the trunk.

aggregator-mode {bandwidth | count}

Select how an aggregator groups ports when the trunk is in LACP mode. Select bandwidth to group ports into the aggregator with the largest bandwidth. Select count to group ports into the aggregator with the most ports.

auto-isl <integer>

Automatically forms an ISL-encapsulated trunk, up to the specified maximum size.

bundle [enable|disable]

Enable or disable bundling

min_bundle

Set the minimum size of the bundle. This option is available only when bundle has been enabled.

max_bundle

Set the maximum size of the bundle. This option is available only when bundle has been enabled.

description <description_str>

Optionally, enter a description.

fortilink <integer>

Set the FortiLink trunk.

isl-fortilink <integer>

Set the ISL FortiLink trunk.

lacp-speed {slow | fast}

Select fast to send an LACP message every second. Select slow to send an LACP message every 30 seconds.

mclag {disable | enable}

Enable or disable multichassis LAG (MCLAG).

mclag-icl {disable | enable}

Enable or disable the MCLAG inter-chassis link (ICL).

member-withdrawal-behavior {block | forward}

Select how the port behaves after it withdraws because of loss-of-control packets.

members <intf1 ... intfn>

Enter the names of the interfaces that belong to this trunk. Separate the names with spaces.

mode {fortinet-trunk | lacp-active | lacp-passive | static}

• fortinet-trunk—use heartbeat packets to detect whether trunk members are available.
• lacp-active—use active LACP 802.3ad aggregation
• lacp-passive—use passive LACP 802.3ad aggregation
• static—use static aggregation, ignoring and not sending control messages

port-selection-criteria {src-ip | src-mac | dst-ip | dst-mac | src-dst-ip | src-dst-mac}

• src-ip—source IP address
• src-mac—source MAC address
• dst-ip—destination IP address
• dst-mac—destination MAC address
• src-dst-ip—both source and destination IP addresses
• src-dst-mac—both source and destination MAC addresses

static-isl {enable | disable}

Available only in FortiLink mode. Enable to manually create an inter-switch link (ISL) trunk.

port-selection-criteria {src-ip | src-mac | dst-ip | dst-mac | src-dst-ip | src-dst-mac}

• src-ip — source IP address
• src-mac — source MAC address
• dst-ip — destination IP address
• dst-mac — destination MAC address
• src-dst-ip — both source and destination IP addresses
• src-dst-mac — both source and destination MAC addresses

description <description_str>

Optionally, enter a description.

members <port> [<port>] ... [<port>]

Enter the names of the ports that belong to this trunk. Separate the names with spaces.

member-withdrawal-behavior {block | forward}

Set the port behavior after it withdraws because of the loss of control packets.

max-miss-heartbeats <3-32>

Enter the maximum number of heartbeat messages that can be lost before the FortiGate is deemed to be unavailable. Set a value between 3 and 32.

hb-out-vlan

Enter the outgoing VLAN value.

hb-in-vlan

Enter the incoming VLAN value.

hb-src-ip

Enter the source IP address for the heartbeat packet.

hb-dst-ip

Enter the destination IP address for the heartbeat packet.

hb-src-udp-port

Enter the source UDP port value for the heartbeat packet.

hb-dst-udp-port

Enter the destination UDP port value for the heartbeat packet.

<id>

Enter a unique integer to create a new entry.

first-member <port>

first member in the virtual-wire pair

second-member <port>

second member in the virtual-wire pair

<vlan id>

Enter a VLAN identifier.

access-vlan {enable | disable}

Set to enable to block FortiSwitch port-to-port traffic on this VLAN while allowing traffic to and from the FortiGate unit. Set to disable to allow normal VLAN traffic.

cos-queue <0-7>

Specify which class of service (CoS) queue is used for traffic on this VLAN or use the unset cos-queue command to disable this setting.

This command is available only in in FortiLink mode.

description <description_str>

Optionally, enter a description.

If the Tunnel-Private-Group-Id attribute on the RADIUS server was set to the VLAN name, set the description to the same string. For example:

set description "newvlan"

dhcp-snooping {enable | disable}

Enable or disable IPv4 DHCP snooping for this VLAN.

dhcp-snooping-verify-mac {enable | disable}

Enable or disable whether to verify the source MAC address. This field is available only if dhcp-snooping is enabled.

dhcp-snooping-option82 {enable | disable}

Enable or disable whether to insert option-82 fields. This field is available only if dhcp-snooping is enabled.

arp-inspection {enable | disable}

Enable or disable dynamic ARP inspection.

dhcp6-snooping {enable | disable}

Enable or disable IPv6 DHCP snooping for this VLAN.

igmp-snooping {enable | disable}

Enable or disable IGMP snooping on the VLAN.

igmp-snooping-fast-leave {enable | disable}

Enable or disable IGMP-snooping fast leave on this VLAN. This field is only available if igmp-snooping is enabled.

igmp-snooping-querier {enable | disable}

Enable or disable whether periodic IGMP-snooping queries are sent to get IGMP reports. This field is only available if igmp-snooping is enabled.

igmp-snooping-querier-addr <IPv4_address>

Optional. Enter the IPv4 address for the IGMP-snooping querier. This field if only available if igmp-snooping and igmp-snooping-querier are enabled.

igmp-snooping-querier-version {2|3}

Select whether to use the IGMP-snooping querier version 2 or version 3.

igmp-snooping proxy {enable | disable}

Enable or disable the IGMP-snooping proxy on this VLAN. When the IGMP-snooping proxy is enabled, this VLAN sends IGMP reports. This field is only available if igmp-snooping is enabled.

lan-segment {enable | disable}

Enable or disable the use of LAN segments.

lan-subvlans <VLAN_identifiers>

Enter the VLAN identifiers to assign to the LAN segment. You can enter single VLANs or ranges of VLANs, separated by commas without white space. For example: “1,2-4,5,7,9-100”. The value must be less than 4,096 characters. This field is only available if lan-segment is enabled.

learning {enable | disable}

Enable or disable layer-2 learning on this VLAN.

learning-limit <integer>

Limit the number of dynamic MAC addresses on this VLAN. The per-VLAN MAC address learning limit is between 1 and 128. Set the value to 0 for no limit.

mld-snooping {enable | disable}

Enable or disable Multicast Listener Discovery (MLD) snooping for the this VLAN.

mld-snooping-fast-leave {enable | disable}

Enable or disable MLD-snooping fast leave on this VLAN. This field is only available if mld-snooping is enabled.

mld-snooping-querier {enable | disable}

Enable or disable whether periodic MLD-snooping queries are sent to get MLD reports. This field is only available if mld-snooping is enabled.

mld-snooping-querier-addr <IPv6_address>

Optional. Enter the IPv6 address for the MLD-snooping querier. This field if only available if mld-snooping is enabled.

mld-snooping-proxy {enable | disable}

Enable or disable the MLD-snooping proxy on this VLAN. When the MLD-snooping proxy is enabled, this VLAN sends MLD reports. This field is only available if mld-snooping is enabled.

policer <integer>

Set the policer for the traffic on this VLAN.

This command is available only in in FortiLink mode.

private-vlan {enable | disable}

Set to enable if this is a private VLAN.

isolated-vlan <integer>

(Valid if private VLAN is enabled) Enter the isolated VLAN.

community-vlans <vlan_map>

(Valid if private VLAN is enabled) Enter the communities within this private VLAN. Enter single VLANs or ranges of VLANS separated by commas without white space. For example: 1,3-4,6,7,9-100

rspan-mode {enable | disable}

Enable or disable port mirroring using the remote switch port analyzer (RSPAN) on this VLAN.

<group_name>

Enter the IGMP static group name.

mcast-addr <IPv4_address>

Enter the IPv4 multicast address for the IGMP static group.

members <interface_name1> <interface_name2>...

Enter the interfaces that belong to the IGMP static group.

<group_name>

Enter the MLD static group name.

mcast-addr <IPv6_address>

Enter the IPv6 multicast address for the MLD static group.

edit <id>

For a new entry, enter an unused ID.

mac XX:XX:XX:XX:XX:XX

Enter a MAC address. If the source MAC address of an incoming packet matches this value, the associated VLAN will be assigned to the packet.

description

Enter up to 128 characters.

edit <id>

For a new entry, enter an unused ID.

address a.b.c.d/e

Enter an IPv4 address and network mask. If the source IP address of an incoming packet matches this value, the associated VLAN will be assigned to the packet. The subnet mask must be a value in the range of 1-32.

description

Enter up to 128 characters.

edit <id>

For a new entry, enter an unused ID.

prefix xx:xx:xx:xx::/prefix

Enter an IPv6 prefix. If the source IP address of an incoming packet matches this value, the associated VLAN will be assigned to the packet. The /prefix must in the range of 1-64.

description

Enter up to 128 characters.

edit <id>

For a new entry, enter an unused ID.

frametypes {ethernet2 | 802.3d | llc}

Enter one or more Ethernet frame type. Set this value to llc for logical link control. Set this value to 802.3d for 802.3d and SNAP.

edit <vlan id>

Enter a VLAN identifier.

dhcp-snooping enable

Enable for IPv4 DHCP snooping.

The config dhcp-server-access-list command is available only after DHCP snooping (IPv4 or IPv6) has been enabled for that VLAN.

dhcp6-snooping enable

Enable for IPv6 DHCP snooping.

The config dhcp-server-access-list command is available only after DHCP snooping (IPv4 or IPv6) has been enabled for that VLAN.

edit <string>

Enter name of DHCP server access list

server-ip <xxx.xxx.xxx.xxx>

If you enabled IPv4 DHCP snooping, enter Class A, B, or C IPv4 address for the DHCP server.

<VLAN_TPID_profile_name>

Enter a name for the VLAN TPID profile name.