FortiLink Guide

Configuring flap guard


A flapping port is a port that changes status rapidly from up to down. A flapping port can create instability in protocols such as Spanning Tree Protocol (STP). If a port is flapping, STP must continually recalculate the role for each port. Flap guard also prevents unwanted access to the physical ports.

Flap guard detects how many times a port changes status during a specified number of seconds, and the system shuts down the port if necessary. You can manually reset the port and restore it to the active state.

Flap guard is configured and enabled on each port through the switch controller. The default setting is disabled.

The flap rate counts how many times a port changes status during a specified number of seconds. The range is 1 to 30 with a default setting of 5.

The flap duration is the number of seconds during which the flap rate is counted. The range is 5 to 300 seconds with a default setting of 30 seconds.

The flap timeout is the number of minutes before the flap guard is reset. The range is 0 to 120 minutes. The default setting of 0 means that there is no timeout.

Note
  • If a triggered port times out while the switch is in a down state, the port is initially in a triggered state until the switch has fully booted up and calculated that the timeout has occurred.
  • The following models do not store time across reboot; therefore, any triggered port is initially in a triggered state until the switch has fully booted up—at which point the trigger is cleared:
    • FS-1xxE
    • FS-2xxD/E
    • FS-4xxD
    • FS-4xxE

To configure flap guard on a port through the switch controller:

config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        config ports
            edit <port_name>
                set flapguard {enable | disable}
                set flap-rate <1-30>
                set flap-duration <5-300 seconds>
                set flap-timeout <0-120 minutes>
            next
        end
end

For example:

config switch-controller managed-switch
    edit S424ENTF19000007
        config ports
            edit port10
                set flapguard enable
                set flap-rate 15
                set flap-duration 100
                set flap-timeout 30
            next
        end
end
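
To see how the three settings interact before applying them, the following added example (not part of the FortiLink Guide or of Fortinet's software) replays a list of port status-change timestamps against a chosen flap rate, duration and timeout. The function names, the sample timestamps, and the exact counting model (sliding window, trigger when the count reaches the flap rate) are assumptions made for illustration.

```python
from collections import deque

# Ranges documented on this page: (low, high) per setting.
RANGES = {"flap-rate": (1, 30), "flap-duration": (5, 300), "flap-timeout": (0, 120)}

def validate(rate=5, duration=30, timeout=0):
    """Reject values outside the documented ranges (defaults are the page's)."""
    given = {"flap-rate": rate, "flap-duration": duration, "flap-timeout": timeout}
    for name, value in given.items():
        low, high = RANGES[name]
        if not low <= value <= high:
            raise ValueError(f"{name} {value} is outside {low}-{high}")
    return rate, duration, timeout

def simulate(events, rate=5, duration=30, timeout=0):
    """Replay one port's status-change timestamps (in seconds).

    Assumed model, not stated in the guide: a sliding window of `duration`
    seconds, a trigger once `rate` changes fall inside it, and automatic
    recovery `timeout` minutes later (0 = stays down until manual reset).
    Returns a list of (triggered_at, cleared_at or None) tuples.
    """
    rate, duration, timeout = validate(rate, duration, timeout)
    window, trips, shut_until = deque(), [], 0
    for t in sorted(events):
        if t < shut_until:
            continue                      # port is shut down, nothing to count
        window.append(t)
        while t - window[0] >= duration:  # drop changes older than the window
            window.popleft()
        if len(window) >= rate:
            cleared = t + timeout * 60 if timeout else None
            trips.append((t, cleared))
            if cleared is None:
                break                     # no timeout: needs a manual reset
            shut_until = cleared
            window.clear()
    return trips

# Constructed sample: a port changing status every 4 seconds for 160 seconds.
FAST_FLAP = [i * 4 for i in range(40)]

if __name__ == "__main__":
    print(simulate(FAST_FLAP, rate=15, duration=100, timeout=30))
    print(simulate(FAST_FLAP))
    print(simulate(FAST_FLAP, rate=5, duration=30, timeout=1))
```

Under this model, a port that changes status every 8 seconds never reaches 15 changes in 100 seconds, so the example settings above would not shut it down.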

Resetting a port

After flap guard detects that a port is changing status rapidly and the system shuts down the port, you can reset the port and restore it to service.

To reset a port:

execute switch-controller flapguard reset <FortiSwitch_serial_number> <port_name>

For example:

execute switch-controller flapguard reset S424ENTF19000007 port10

Viewing the flap-guard configuration

To display flap-guard information for all ports of a FortiSwitch unit:

diagnose switch-controller switch-info flapguard status <FortiSwitch_serial_number>

For example:

diagnose switch-controller switch-info flapguard status S424ENTF19000007
