config switch

Use the config switch commands to configure options related to switching functionality:

config switch acl 802-1X

Use this command to configure an 802.1x RADIUS dynamic ingress policy.

Syntax

config switch acl 802-1X

edit <policy_ID>

set description <string>

set filter-id <string>

config access-list-entry

edit <ingress_policy_ID>

set description <string>

set group <integer>

config action

set count {enable | disable}

set drop {enable | disable}

end

config classifier

set dst-ip-prefix <IP_address_and_netmask>

set dst-mac <MAC_address>

set ether-type <integer>

set service <service_name>

set src-ip-prefix <IP_address_and_netmask>

set src-mac <MAC_address>

end

next

end

next

end

Variable

Description

Default

<policy-id>

Enter the unique ID number of this policy.

No default

description <string>

Enter a description or other information about the policy. The description is limited to 63 characters. Enclose the string in single quotes to enter special characters or spaces.

No default

filter-id <string>

Enter the filter-id of the policy. NOTE: Changing the filter-id after authentication causes errors in the output of the diagnose switch 802-1x status-dacl command when the session is using that filter-id.

No default

config access-list-entry

<ingress_policy_ID>

Enter the ingress policy identifier.

No default

description <string>

Enter a description of the policy.

No default

group <integer>

Enter the group ID of the policy. The only valid value is 1.

1

config action

count {enable | disable}

Enable or disable the count action.

disable

drop {enable | disable}

Enable or disable the drop action.

disable

config classifier

dst-ip-prefix <IP_address_and_netmask>

Enter the destination IP address and subnet mask to be matched.

0.0.0.0 0.0.0.0

dst-mac <MAC_address>

Enter the destination MAC address to be matched.

00:00:00:00:00:00

ether-type <integer>

Enter the Ethernet type to be matched.

0x0000

service <service_name>

Enter the service name to be matched.

No default

src-ip-prefix <IP_address_and_netmask>

Enter the source IP address and subnet mask to be matched.

0.0.0.0 0.0.0.0

src-mac <MAC_address>

Enter the source MAC address to be matched.

00:00:00:00:00:00

Example

This example shows how to configure an 802.1x RADIUS dynamic ingress policy.

config switch acl 802-1X

edit 1

set description "Test Filter-Id"

set filter-id "Testing"

config access-list-entry

edit 1

set description "Test ACL entry"

config action

set count enable

set drop enable

end

config classifier

set dst-ip-prefix 192.168.0.0 255.255.255.0

set ether-type 0x0800

set service "filter-id-service1"

set src-ip-prefix 192.168.0.0 255.255.255.0

set src-mac 00:00:00:00:00:00

end

next

end

next

end
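The filter-id string configured above is what ties a policy to an authenticated 802.1X session: the switch applies the policy whose filter-id equals the value the RADIUS server returns. The following Python is added here as an illustration and is not FortiSwitchOS or Fortinet code. It assumes the attribute the switch consults is the standard RADIUS Filter-Id (RFC 2865, type 11), which this page does not state explicitly. It builds an Access-Accept carrying one Filter-Id, verifies the Response Authenticator the way a NAS would before trusting the reply, and maps the attribute to a policy ID by exact string match. The identifier, request authenticator and shared secret are constructed test values.

```python
"""Build and check the RADIUS Access-Accept that selects a dynamic ACL.

Added illustration, not FortiSwitchOS or Fortinet code. Assumption: the
RADIUS server selects the dynamic ingress policy by returning the standard
Filter-Id attribute (RFC 2865 section 5.11, type 11) whose text equals the
policy's 'set filter-id' string. All packet fields below are constructed.
"""
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

ACCESS_ACCEPT = 2      # RADIUS packet code
ATTR_FILTER_ID = 11    # RFC 2865 section 5.11, text attribute
HEADER_LEN = 20        # code(1) + identifier(1) + length(2) + authenticator(16)


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length covers the two header octets."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_accept(identifier: int, request_authenticator: bytes,
                        secret: bytes, filter_id: str) -> bytes:
    """Access-Accept with one Filter-Id and a valid Response Authenticator."""
    attrs = encode_attribute(ATTR_FILTER_ID, filter_id.encode("utf-8"))
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, HEADER_LEN + len(attrs))
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response_authenticator(packet: bytes, request_authenticator: bytes,
                                  secret: bytes) -> bool:
    """The NAS-side check that the reply came from a server holding the shared secret."""
    if len(packet) < HEADER_LEN:
        return False
    header, received, attrs = packet[:4], packet[4:HEADER_LEN], packet[HEADER_LEN:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(received, expected)


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLV list after the 20-byte header, rejecting malformed lengths."""
    declared = struct.unpack("!H", packet[2:4])[0]
    if declared != len(packet):
        raise ValueError("RADIUS Length field does not match packet size")
    out, pos = [], HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute length")
        out.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return out


def filter_ids(packet: bytes) -> List[str]:
    return [v.decode("utf-8") for t, v in parse_attributes(packet) if t == ATTR_FILTER_ID]


def select_dynamic_acl(packet: bytes, policies: dict) -> Optional[int]:
    """Map the first matching Filter-Id to a policy ID by exact string comparison.

    policies maps each 'set filter-id' string to its 'edit <policy_ID>' number.
    What the switch does when nothing matches is not stated on this page, so
    None is returned and the caller decides.
    """
    for name in filter_ids(packet):
        if name in policies:
            return policies[name]
    return None


if __name__ == "__main__":
    req_auth = bytes(range(16))               # constructed: copied from the Access-Request
    secret = b"constructed-shared-secret"     # constructed
    reply = build_access_accept(0x2A, req_auth, secret, "Testing")
    assert verify_response_authenticator(reply, req_auth, secret)
    print(filter_ids(reply), select_dynamic_acl(reply, {"Testing": 1}))
```

Two properties of this exchange matter operationally: a reply whose authenticator does not verify must be discarded before its Filter-Id is ever compared, because the attribute alone is just text anyone on the path could write; and the comparison is exact and case-sensitive, so the filter-id on the switch and the value in the RADIUS policy must agree character for character.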

config switch acl egress

Use this command to configure an access control list (ACL) for an egress policy.

Syntax

config switch acl egress

edit <policy_ID>

set description <string>

set interface <port_name>

set schedule <schedule_name>

set status {active | inactive}

config classifier

set cos <802.1Q CoS value to match>

set dscp <DSCP value to match>

set dst-ip-prefix <IP_address> <mask>

set dst-mac <MAC_address>

set ether-type <integer>

set service <service_ID>

set src-ip-prefix <IP_address> <mask>

set src-mac <MAC_address>

set vlan-id <VLAN_ID>

end

config action

set count {enable | disable}

set count-type {all | green | yellow}

set drop {enable | disable}

set mirror <mirror_session>

set outer-vlan-tag <integer>

set policer <policer>

set redirect <interface_name>

set remark-dscp <0-63>

end

end

Variable

Description

Default

<policy-id>

Enter the unique ID number of this policy.

No default

description <string>

Enter a description or other information about the policy. The description is limited to 63 characters. Enclose the string in single quotes to enter special characters or spaces.

No default

interface <port_name>

Interface that the policy applies to.

No default

schedule <schedule_name>

Select a schedule for when the ACL policy will be enforced.

The schedule must have been defined already with the config system schedule command.

No default

status {active | inactive}

Make the egress ACL policy active or inactive.

active

config classifier

cos <802.1Q CoS value to match>

Enter the 802.1Q CoS value to match.

No default

dscp <DSCP value to match>

Enter the DSCP value to match.

No default

dst-ip-prefix <IP_address> <mask>

Destination IP address and subnet mask to be matched.

0.0.0.0 0.0.0.0

dst-mac <MAC_address>

Destination MAC address to be matched.

00:00:00:00:00:00

ether-type <integer>

Ethernet type to be matched.

0x0000

service <service_ID>

Service type to be matched.

No default

src-ip-prefix <IP_address> <mask>

Source IP address and subnet mask to be matched.

0.0.0.0 0.0.0.0

src-mac <MAC_address>

Source MAC address to be matched.

00:00:00:00:00:00

vlan-id <VLAN_ID>

VLAN identifier to be matched.

0

config action

count {enable | disable}

Enable or disable the count action.

disable

count-type {all | green | yellow}

You can select all to count all egress packets, green to count egress packets if the traffic rate is within the guaranteed information rate, and yellow to count all other egress packets.

No default

drop {enable | disable}

Enable or disable the drop action.

disable

mirror <mirror_session>

Mirror session name.

No default

outer-vlan-tag <integer>

Outer VLAN tag.

0

policer <policer>

Identifier of the policer to associate with this policy. To create a policer, see config switch acl policer.

0

redirect <interface_name>

Redirect interface name.

No default

remark-dscp <0-63>

Set the DSCP marking value.

No default

config switch acl ingress

Use this command to configure an ACL for an ingress policy. Starting in FortiSwitchOS 6.2.0, you can create groups for multiple ingress ACLs. Starting in FortiSwitchOS 7.2.3, IPv6 addresses are supported.

Syntax

config switch acl ingress

edit <policy-id>

set description <string>

set group <group_ID>

set ingress-interface <port> [<port> ... <port>]

set ingress-interface-all {enable | disable}

set schedule <schedule_name>

set status {active | inactive}

config classifier

set cos <802.1Q CoS value to match>

set dscp <DSCP value to match>

set dst-ip-prefix <IPv4_address> <mask>

set dst-ip6-prefix <IPv6_address> <prefix>

set dst-mac <MAC_address>

set ether-type <integer>

set service <service-id>

set src-ip-prefix <IPv4_address> <mask>

set src-ip6-prefix <IPv6_address> <prefix>

set src-mac <MAC_address>

set vlan-id <vlan-id>

end

config action

set cos-queue <0-7>

set count {enable | disable}

set count-type {all | green | yellow | red}

set cpu-cos-queue <integer>

set drop {enable | disable}

set egress-mask {<physical_port_name> | internal}

set mirror <mirror_session>

set outer-vlan-tag <integer>

set policer <policer>

set redirect <interface_name>

set redirect-bcast-cpu {enable | disable}

set redirect-bcast-no-cpu {enable | disable}

set redirect-physical-port <list of physical ports to redirect>

set remark-cos <0-7>

set remark-dscp <0-63>

end

end

Variable

Description

Default

<policy-id>

Enter the unique ID number of this policy.

No default

description <string>

Enter a description or other information about the policy. The description is limited to 63 characters. Enclose the string in single quotes to enter special characters or spaces.

No default

group <group_ID>

Enter the group identifier of the policy. The range of group identifiers varies among the different platforms.

Starting in FortiSwitchOS 6.2.0, you can create groups for multiple ingress ACLs.

NOTE: The group identifier must be 3 or higher to be able to use IPv6 addresses.

1

ingress-interface <port> [<port> ... <port>]

If ingress-interface-all is disabled, enter the interface list to which the policy is bound on the ingress.

No default

ingress-interface-all {enable | disable}

If enabled, policy is bound to all interfaces.

disable

schedule <schedule_name>

Select a schedule for when the ACL policy will be enforced.

The schedule must have been defined already with the config system schedule command.

No default

status {active | inactive}

Make the ingress ACL policy active or inactive.

active

config classifier

cos <802.1Q CoS value to match>

Enter the 802.1Q CoS value to match. The range of values is 0-7.

0

dscp <DSCP value to match>

Enter the DSCP value to match. The range of values is 0-63.

0

dst-ip-prefix <IPv4_address> <mask>

Enter the destination IPv4 address and subnet mask to be matched.

0.0.0.0 0.0.0.0

dst-ip6-prefix <IPv6_address> <prefix>

Enter the destination IPv6 address and prefix to be matched.

NOTE: You must set group to 3 or higher for this option to be available. If you are going to use a dynamic ACL, set group to 4 or higher.

::/0

dst-mac <MAC_address>

Enter the destination MAC address to be matched.

00:00:00:00:00:00

ether-type <integer>

Enter the Ethernet type to be matched. The range of values is 0-65535.

0x0000

service <service-id>

Enter the service type to be matched.

No default

src-ip-prefix <IPv4_address> <mask>

Enter the source IPv4 address and subnet mask to be matched.

0.0.0.0 0.0.0.0

src-ip6-prefix <IPv6_address> <prefix>

Enter the source IPv6 address and prefix to be matched.

NOTE: You must set group to 3 or higher for this option to be available. If you are going to use a dynamic ACL, set group to 4 or higher.

::/0

src-mac <MAC_address>

Enter the source MAC address to be matched.

00:00:00:00:00:00

vlan-id <vlan-id>

Enter the VLAN identifier to be matched. The range of values is 1-4094.

0

config action

cos-queue <0-7>

CoS queue number (0-7).

No default

count {enable | disable}

Enable or disable the count action.

disable

count-type {all | green | yellow | red}

You can select all to count all ingress packets, green to count ingress packets if the traffic rate is within the guaranteed information rate, yellow to count ingress packets if they exceed the committed burst size but do not exceed the excess burst size, and red to count all other ingress packets.

No default

cpu-cos-queue <integer>

CPU CoS queue number. This CoS queue is only used if the packets reach the CPU. Enter set cpu-cos-queue ? to see the value range.

disabled

drop {enable | disable}

Enable or disable the drop action.

disable

egress-mask {<physical_port_name> | internal}

List of physical ports to be configured in egress mask.

none

mirror <mirror_session>

Mirror session name.

No default

outer-vlan-tag <integer>

Outer VLAN tag. The range of values is 1-4094.

0

policer <policer>

Identifier of the policer to associate with this policy. To create a policer, see config switch acl policer.

0

redirect <interface_name>

Redirect interface name.

No default

redirect-bcast-cpu {enable | disable}

Redirect broadcast to all ports including the CPU.

disable

redirect-bcast-no-cpu {enable | disable}

Redirect broadcast to all ports excluding the CPU.

disable

redirect-physical-port <list of physical ports to redirect>

List of ports to redirect the packet.

none

remark-cos <0-7>

Set the CoS marking value. The range is 0-7.

No default

remark-dscp <0-63>

Set the DSCP marking value. The range is 0-63.

No default

Examples

In the following example, traffic from VLAN 3 is blocked to a specified destination IP subnet (10.10.0.0/16) but allowed to all other destinations:

config switch acl ingress

edit 1

config action

set count enable

set drop enable

end

config classifier

set dst-ip-prefix 10.10.0.0 255.255.0.0

set vlan-id 3

end

set ingress-interface-all enable

set status active

next

edit 2

config classifier

set vlan-id 3

end

set ingress-interface-all enable

set status active

next

end
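To read the two policies above as a matcher, the following Python (added here as an illustration, not FortiSwitchOS code) models a classifier whose fields left at their documented defaults (0.0.0.0 0.0.0.0, 00:00:00:00:00:00, ether-type 0x0000 and vlan-id 0) act as wildcards, and reports which active policies match a constructed frame and whether any of them drops it. Hardware precedence between overlapping policies or ACL groups is not modelled; the frames and MAC addresses are constructed.

```python
"""Match model for the ingress ACL classifiers used in the example above.

Added illustration, not FortiSwitchOS code. Assumption: a classifier field
left at its documented default (0.0.0.0 0.0.0.0, 00:00:00:00:00:00,
ether-type 0x0000, vlan-id 0) is a wildcard and is not compared. Hardware
precedence between overlapping policies or ACL groups is not modelled.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

WILDCARD_PREFIX = ("0.0.0.0", "0.0.0.0")
WILDCARD_MAC = "00:00:00:00:00:00"


def to_network(addr_and_mask: Tuple[str, str]) -> Optional[IPv4Network]:
    """Turn the CLI's '<address> <mask>' pair into a network; the default pair is a wildcard."""
    if addr_and_mask == WILDCARD_PREFIX:
        return None
    addr, mask = addr_and_mask
    return IPv4Network(f"{addr}/{mask}", strict=False)


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    vlan_id: int
    ether_type: int
    src_ip: str
    dst_ip: str


@dataclass
class Classifier:
    src_ip_prefix: Tuple[str, str] = WILDCARD_PREFIX
    dst_ip_prefix: Tuple[str, str] = WILDCARD_PREFIX
    src_mac: str = WILDCARD_MAC
    dst_mac: str = WILDCARD_MAC
    ether_type: int = 0x0000
    vlan_id: int = 0

    def matches(self, f: Frame) -> bool:
        checks: List[bool] = []
        src_net, dst_net = to_network(self.src_ip_prefix), to_network(self.dst_ip_prefix)
        if src_net is not None:
            checks.append(IPv4Address(f.src_ip) in src_net)
        if dst_net is not None:
            checks.append(IPv4Address(f.dst_ip) in dst_net)
        if self.src_mac != WILDCARD_MAC:
            checks.append(f.src_mac.lower() == self.src_mac.lower())
        if self.dst_mac != WILDCARD_MAC:
            checks.append(f.dst_mac.lower() == self.dst_mac.lower())
        if self.ether_type != 0x0000:
            checks.append(f.ether_type == self.ether_type)
        if self.vlan_id != 0:
            checks.append(f.vlan_id == self.vlan_id)
        return all(checks)   # an all-default classifier matches every frame


@dataclass
class Policy:
    policy_id: int
    classifier: Classifier
    drop: bool = False
    count: bool = False
    status: str = "active"


# The two policies from the VLAN 3 example above, both active.
EXAMPLE_POLICIES = [
    Policy(1, Classifier(dst_ip_prefix=("10.10.0.0", "255.255.0.0"), vlan_id=3),
           drop=True, count=True),
    Policy(2, Classifier(vlan_id=3)),
]


def matching_policies(frame: Frame, policies=EXAMPLE_POLICIES) -> List[int]:
    """IDs of the active policies whose classifier matches the frame."""
    return [p.policy_id for p in policies
            if p.status == "active" and p.classifier.matches(frame)]


def would_drop(frame: Frame, policies=EXAMPLE_POLICIES) -> bool:
    """True when at least one matching active policy has the drop action enabled."""
    return any(p.drop and p.status == "active" and p.classifier.matches(frame)
               for p in policies)
```

The model makes the role of status visible: a drop policy whose status is inactive matches nothing, which is why the blocking policy in the example has to be active for the description to hold.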

In the following example, packets are classified by matching both the CoS and DSCP values. Both the CoS and DSCP marking values are set:

config switch acl ingress

edit 1

config classifier

set src-mac 11:22:33:aa:bb:cc

set cos 2

set dscp 10

end

config action

set count enable

set remark-cos 4

set remark-dscp 20

end

set ingress-interface port2

set status active

end

config switch acl policer

Use this command to configure an ACL policer for egress or ingress policies.

Syntax

config switch acl policer

edit <policer index>

set description <string>

set guaranteed-bandwidth <bandwidth_value>

set guaranteed-burst <in_bytes>

set maximum-burst <in_bytes>

set type {egress | ingress}

end

Variable

Description

Default

<policer index>

Enter the index for this ACL policer.

No default

description <string>

Enter a text description for the policer.

No default

guaranteed-bandwidth <bandwidth_value>

Enter the amount of bandwidth guaranteed to be available for traffic controlled by the policy. The value range is 0 to 16 776 000 Kbits/second.

0

guaranteed-burst <in_bytes>

Guaranteed burst size in bytes (max value = 4294967295)

0

maximum-burst <in_bytes>

Maximum burst size in bytes (max value = 4294967295)

0

type {egress | ingress}

Specify whether the policer is for egress or ingress policies.

ingress

Example

This example shows how to configure an ACL policer for egress policies.

config switch acl policer

edit 1

set description policer1

set guaranteed-bandwidth 8776000

set guaranteed-burst 858993459

set maximum-burst 4294967295

set type egress

end
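The count-type colours described under config switch acl ingress (green within the guaranteed rate, yellow over the committed burst but within the excess burst, red otherwise) map onto the three policer parameters above. The following Python is an added model, not FortiSwitchOS code: it assumes the policer behaves like a single-rate three-colour marker (RFC 2697), with guaranteed-bandwidth as the committed rate, guaranteed-burst as the committed burst size and maximum-burst as the excess burst size, and runs a constructed packet burst through it with timestamps in milliseconds. Real ASICs differ in token granularity, so the numbers illustrate the mechanism rather than predict hardware counters.

```python
"""Three-colour model of 'config switch acl policer' for reading count-type.

Added illustration, not FortiSwitchOS code. Assumption: the policer behaves
like a single-rate three-colour marker (RFC 2697) with guaranteed-bandwidth
as the committed rate, guaranteed-burst as the committed burst size (CBS)
and maximum-burst as the excess burst size (EBS). Times are in milliseconds.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Tuple


@dataclass
class Policer:
    guaranteed_bandwidth: int    # set guaranteed-bandwidth, in kbit/s
    guaranteed_burst: int        # set guaranteed-burst, in bytes (CBS)
    maximum_burst: int           # set maximum-burst, in bytes (EBS)
    tc: float = field(init=False)                 # committed token bucket
    te: float = field(init=False)                 # excess token bucket
    last_ms: int = field(init=False, default=0)   # time of the last refill

    def __post_init__(self) -> None:
        self.tc = float(self.guaranteed_burst)    # both buckets start full
        self.te = float(self.maximum_burst)

    def _refill(self, now_ms: int) -> None:
        """Add tokens for elapsed time; overflow from the C bucket spills into E."""
        elapsed_ms = max(0, now_ms - self.last_ms)
        self.last_ms = max(self.last_ms, now_ms)
        tokens = self.guaranteed_bandwidth * elapsed_ms / 8   # kbit/s * ms = bits; /8 -> bytes
        to_c = min(tokens, self.guaranteed_burst - self.tc)
        self.tc += to_c
        self.te = min(float(self.maximum_burst), self.te + (tokens - to_c))

    def colour(self, now_ms: int, size: int) -> str:
        """green: within the guaranteed rate; yellow: over CBS but within EBS; red: otherwise."""
        self._refill(now_ms)
        if size <= self.tc:
            self.tc -= size
            return "green"
        if size <= self.te:
            self.te -= size
            return "yellow"
        return "red"


def count_by_colour(policer: Policer, packets: Iterable[Tuple[int, int]]) -> Dict[str, int]:
    """What 'set count-type {green | yellow | red}' would tally for this packet stream."""
    counts = {"green": 0, "yellow": 0, "red": 0}
    for when_ms, size in packets:
        counts[policer.colour(when_ms, size)] += 1
    return counts


def constructed_burst() -> Dict[str, Dict[str, int]]:
    """Constructed traffic: 35 x 1000-byte frames at t=0, then 8 more 40 ms later."""
    p = Policer(guaranteed_bandwidth=1000, guaranteed_burst=10000, maximum_burst=20000)
    first = count_by_colour(p, [(0, 1000)] * 35)    # 10 green, 20 yellow, 5 red
    later = count_by_colour(p, [(40, 1000)] * 8)    # 5000 B refilled: 5 green, 3 red
    return {"t0": first, "t40ms": later}


if __name__ == "__main__":
    print(constructed_burst())
```

Reading the constructed run: with 1000 kbit/s the committed bucket earns 125 bytes per millisecond, so after a 40 ms gap only 5000 bytes of a 10000-byte CBS have returned, and the excess bucket, drained by the earlier yellow packets, gets nothing until the committed bucket is full again. A policer with a generous maximum-burst therefore lets a burst well past the guaranteed rate through as yellow rather than dropping it; pair it with the count action if you need to see how often that happens.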

config switch acl prelookup

Use this command to configure an ACL for a lookup policy.

Syntax

config switch acl prelookup

edit <policy_ID>

set description <string>

set interface <port_name>

set interface-all {enable | disable}

set schedule <schedule_name>

set status {active | inactive}

config classifier

set cos <802.1Q CoS value to match>

set dscp <DSCP value to match>

set dst-ip-prefix <IP_address> <mask>

set dst-mac <MAC_address>

set ether-type <integer>

set service <service_ID>

set src-ip-prefix <IP_address> <mask>

set src-mac <MAC_address>

set vlan-id <VLAN_ID>

end

config action

set count {enable | disable}

set cos-queue <0-7>

set drop {enable | disable}

set outer-vlan-tag <integer>

set remark-cos <0-7>

end

end

Variable

Description

Default

<policy-id>

Enter the unique ID number of this policy.

No default

description <string>

Enter a description or other information about the policy. The description is limited to 63 characters. Enclose the string in single quotes to enter special characters or spaces.

No default

interface <port_name>

Select which ingress interface that the policy applies to.

No default

interface-all {enable | disable}

Enable or disable whether the policy applies to all ingress interfaces.

disable

schedule <schedule_name>

Select a schedule for when the ACL policy will be enforced.

The schedule must have been defined already with the config system schedule command.

No default

status {active | inactive}

Make the prelookup ACL policy active or inactive.

active

config classifier

cos <802.1Q CoS value to match>

Enter the 802.1Q CoS value to match.

No default

dscp <DSCP value to match>

Enter the DSCP value to match.

No default

dst-ip-prefix <IP_address> <mask>

Destination IP address and subnet mask to be matched.

0.0.0.0 0.0.0.0

dst-mac <MAC_address>

Destination MAC address to be matched.

00:00:00:00:00:00

ether-type <integer>

Ethernet type to be matched.

0x0000

service <service_ID>

Service type to be matched.

No default

src-ip-prefix <IP_address> <mask>

Source IP address and subnet mask to be matched.

0.0.0.0 0.0.0.0

src-mac <MAC_address>

Source MAC address to be matched.

00:00:00:00:00:00

vlan-id <VLAN_ID>

VLAN identifier to be matched.

0

config action

count {enable | disable}

Enable or disable the count action.

disable

cos-queue <0-7>

CPU CoS queue number; used only if packets reach the CPU. This table gives the value range as 20-29, while the syntax summary above shows <0-7>; run set cos-queue ? on your model to confirm the accepted range.

No default

drop {enable | disable}

Enable or disable the drop action.

disable

outer-vlan-tag <integer>

Outer VLAN tag.

0

remark-cos <0-7>

Set the CoS marking value. The range is 0-7.

No default

config switch acl service custom

Use this command to customize one of the ACL services.

Syntax

config switch acl service custom

edit <service name>

set comment <string>

set color <0-32>

set protocol {ICMP | IP | TCP/UDP/SCTP}

set icmptype <0-255>

set icmpcode <0-255>

set protocol-number <IP protocol number>

set sctp-portrange <dstportlow_int>[-<dstporthigh_int>:<srcportlow_int>-<srcporthigh_int>]

set tcp-portrange <dstportlow_int>[-<dstporthigh_int>:<srcportlow_int>-<srcporthigh_int>]

set udp-portrange <dstportlow_int>[-<dstporthigh_int>:<srcportlow_int>-<srcporthigh_int>]

end

end

Variable

Description

Default

<service name>

Enter the name of this custom service.

No default

comment <string>

Add comments for the custom service.

No default

color <0-32>

Set the icon color to use in the Web-based manager. A value of zero sets the default color (1).

0

protocol {ICMP | IP | TCP/UDP/SCTP}

Select the protocol used by the service.

These protocols are available when explicit-proxy is enabled.

TCP/UDP/SCTP

icmptype <0-255>

If you set the protocol to ICMP, set the ICMP type.

0

icmpcode <0-255>

If you set the protocol to ICMP, set the ICMP code.

0

protocol-number

For an IP service, enter the IP protocol number.

0

sctp-portrange

For SCTP services, enter the destination and source port ranges.

No default

tcp-portrange

For TCP services, enter the destination and source port ranges.

No default

udp-portrange

For UDP services, enter the destination and source port ranges.

No default

Notes:
  • <srcportlow_int>-<srcporthigh_int> can be omitted if the value pair is 1-65535
  • <dstporthigh_int> can be omitted if it is equal to <dstportlow_int>
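The notes above give the omission rules for the port-range syntax. The following Python parser, added here as an illustration and not part of FortiSwitchOS, applies them to the <dstportlow_int>[-<dstporthigh_int>:<srcportlow_int>-<srcporthigh_int>] form, validates that every port lies in 1-65535 and that low does not exceed high, renders the shortest equivalent string, and checks a packet's ports against the range. Whether the CLI accepts a source range written as a single port is not stated on this page, so the parser requires both source ports whenever the colon is present.

```python
"""Parser for the <dstlow>[-<dsthigh>][:<srclow>-<srchigh>] syntax of
set tcp-portrange / udp-portrange / sctp-portrange.

Added illustration, not FortiSwitchOS code; it encodes only the rules the
notes above state (a single destination port means low == high; a missing
source range means 1-65535) plus basic range validation. A source range,
when present, must give both ports, as in the documented syntax.
"""
import re
from dataclasses import dataclass

_PORTRANGE = re.compile(r"^(\d+)(?:-(\d+))?(?::(\d+)-(\d+))?$")


@dataclass(frozen=True)
class PortRange:
    dst_low: int
    dst_high: int
    src_low: int = 1
    src_high: int = 65535


def parse_portrange(text: str) -> PortRange:
    """Parse one port-range argument, applying the omission rules from the notes."""
    m = _PORTRANGE.match(text.strip())
    if not m:
        raise ValueError(f"not a valid port range: {text!r}")
    dst_low_s, dst_high_s, src_low_s, src_high_s = m.groups()
    dst_low = int(dst_low_s)
    dst_high = int(dst_high_s) if dst_high_s is not None else dst_low   # omitted high == low
    src_low = int(src_low_s) if src_low_s is not None else 1            # omitted source range
    src_high = int(src_high_s) if src_high_s is not None else 65535     #   means 1-65535
    for port in (dst_low, dst_high, src_low, src_high):
        if not 1 <= port <= 65535:
            raise ValueError(f"port {port} out of range 1-65535 in {text!r}")
    if dst_low > dst_high or src_low > src_high:
        raise ValueError(f"range low exceeds high in {text!r}")
    return PortRange(dst_low, dst_high, src_low, src_high)


def is_valid_portrange(text: str) -> bool:
    try:
        parse_portrange(text)
        return True
    except ValueError:
        return False


def format_portrange(r: PortRange) -> str:
    """Shortest form the CLI accepts, applying both omission rules."""
    dst = str(r.dst_low) if r.dst_low == r.dst_high else f"{r.dst_low}-{r.dst_high}"
    if (r.src_low, r.src_high) == (1, 65535):
        return dst
    return f"{dst}:{r.src_low}-{r.src_high}"


def port_matches(r: PortRange, dst_port: int, src_port: int) -> bool:
    """Would a segment with these ports be classified by this service entry?"""
    return r.dst_low <= dst_port <= r.dst_high and r.src_low <= src_port <= r.src_high


if __name__ == "__main__":
    smb = parse_portrange("445")                       # the SMB service from the example
    print(smb, format_portrange(smb), port_matches(smb, 445, 50000))
```

Note that a range such as 445 without a source part matches any source port, which is what the SMB example relies on; a custom service written as 445:1024-65535 would stop matching a client that, unusually, connects from a privileged source port.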

Example

In the following example, Server Message Block (SMB) traffic received on port 1 is mirrored to port 3. SMB uses TCP port 445. The mirror action takes a mirror session name (see the variable table above), so a mirror session named "port3" is assumed to exist:

config switch acl service custom

edit "SMB"

set tcp-portrange 445

next

end

config switch acl ingress # apply policy to port 1 ingress and send to port 3

edit 1

set description "cnt_n_mirror_smb"

set ingress-interface "port1"

config action

set count enable

set mirror "port3"

end

config classifier

set service "SMB"

set src-ip-prefix 20.20.20.100 255.255.255.255

set dst-ip-prefix 100.100.100.0 255.255.255.0

end

next

end

config switch acl settings

Use this command to configure the global ACL settings.

Syntax

config switch acl settings

set density-mode {disable | enable}

set trunk-load-balance {disable | enable}

end

Variable

Description

Default

density-mode

Enable or disable density mode.

disable

trunk-load-balance

Enable or disable trunk-load-balancing for ACL actions.

enable

Example

The following example configures the global ACL settings:

config switch acl settings

set density-mode enable

set trunk-load-balance enable

end

config switch auto-isl-port-group

Use this command to create a multi-tiered MCLAG trunk when the FortiSwitch unit is managed by a FortiGate unit.

Syntax

config switch auto-isl-port-group

edit <trunk_name>

set members <one or more ports>

end

Example

The following example creates two trunks for a multi-tiered MCLAG:

config switch auto-isl-port-group

edit "mclag-core1"

set members "port1" "port2"

next

edit "mclag-core2"

set members "port3" "port4"

end

config switch auto-network

Use this command to automatically form an inter-switch link (ISL) between two switches.

Note

Starting in FortiSwitchOS 7.2.0, auto-network is enabled by default.

After an execute factoryreset command is executed on a FortiSwitch unit in standalone mode, the auto-network configuration is enabled by default. If you are not using auto-network, you must manually disable it.

Syntax

config switch auto-network

set mgmt-vlan <1-4094>

set status {enable | disable}

end

Variable

Description

Default

mgmt-vlan <1-4094>

Set the VLAN to use for the native VLAN on ISL ports and the native VLAN on the internal switch interface.

4094

status {enable | disable}

Enable or disable whether an ISL is automatically formed between two switches.

enable

Example

The following example enables the automatic formation of an ISL between two switches:

config switch auto-network

set mgmt-vlan 200

set status enable

end

config switch global

Use this command to configure system-wide FortiSwitch settings.

Syntax

config switch global

set allow-mac-move {enable | disable}

set auto-fortilink-discovery {enable | disable}

set auto-isl {enable | disable}

set auto-isl-port-group <0-9>

set auto-stp-priority {enable | disable}

set bpdu-learn {enable | disable}

set dhcp-snooping-database-export {disable | enable}

set dmi-global-all {enable | disable}

set flapguard-retain-trigger {enable | disable}

set flood-unknown-multicast {enable | disable}

set fortilink-heartbeat-timeout <0-300>

set fortilink-p2p-native-vlan <integer>

set fortilink-p2p-tpid <integer>

set fortilink-vlan-optimization {enable | disable}

set forti-trunk-dmac <xx:xx:xx:xx:xx:xx>

set ip-mac-binding {enable | disable}

set l2-memory-check {enable | disable}

set l2-memory-check-interval <number_of_seconds>

set log-mac-limit-violations {enable | disable}

set log-source-guard-violations {enable | disable}

set loop-guard-tx-interval <0-30>

set mac-aging-interval <seconds>

set mac-violation-timer <integer>

set max-frame-size <bytes_int>

set max-path-in-ecmp-group <integer>

set mclag-igmpsnooping-aware {enable | disable}

set mclag-peer-info-timeout <integer>

set mclag-port-base <integer>

set mclag-split-brain-all-ports-down {enable | disable}

set mclag-split-brain-detect {enable | disable}

set mclag-split-brain-priority <0-100>

set mclag-stp-aware {enable | disable}

set mirror-qos <0-7>

set name <string>

set neighbor-discovery-to-cpu {enable | disable}

set packet-buffer-mode {store-forward | cut-through}

set poe-alarm-threshold <threshold (percent of total power budget) above which an alarm event is generated>

set poe-guard-band <integer>

set poe-power-budget <integer>

set poe-power-mode {first-come-first-served | priority}

set poe-pre-standard-detect {disable | enable}

set qos-drop-policy {random-early-detection | taildrop}

set qos-red-probability <integer>

set reserved-mcast-to-cpu {enable | disable}

set source-guard-violation-timer <integer>

set storm-control-monitor {enable | disable}

set storm-control-high-rate <0-65536>

set storm-control-rate-filter <0-100>

set trunk-hash-mode {default | enhanced}

set trunk-hash-unicast-src-port {enable | disable}

set trunk-hash-unkunicast-src-dst {enable | disable}

set virtual-wire-tpid <0x0001-0xfffe>

set vxlan-dport <integer>

set vxlan-sport <integer>

set vxlan-stp-virtual-mac <MAC_address>

set vxlan-stp-virtual-root {enable | disable}

set vxlan-qos-inner-to-outer {copy-to-outer | fixed}

set vxlan-qos-dscp <0-63>

config port-security

set link-down-auth {no-action | set-unauth}

set mab-entry-as {dynamic | static}

set mab-reauth {enable | disable}

set mac-called-station-delimiter {colon | hyphen | none | single-hyphen}

set mac-calling-station-delimiter {colon | hyphen | none | single-hyphen}

set mac-case {lowercase | uppercase}

set mac-password-delimiter {colon | hyphen | none | single-hyphen}

set mac-username-delimiter {colon | hyphen | none | single-hyphen}

set max-reauth-attempt <0-15>

set quarantine-vlan {enable | disable}

set reauth-period <1-1440>

set tx-period <12-60>

end

end

Variable

Description

Default

allow-mac-move {enable | disable}

Enable or disable the capability for the 802.1X client to move between ports that are not directly connected to the FortiSwitch unit without having to delete the 802.1X session.

This command is available only for the FS-124F, FS-124F-POE, FS-124F-FPOE, FS-148F, FS-148F-POE, and FS-148F-FPOE models.

disable

auto-fortilink-discovery {enable | disable}

Enable or disable the capability for the FortiGate device to automatically discover the FortiLink interface on the FortiSwitch unit.

enable

auto-isl {enable | disable}

Enable or disable the capability to automatically form an inter-switch LAG.

enable

auto-isl-port-group <0-9>

Set the ISL port group. The range is 0-9.

0

auto-stp-priority {enable | disable}

Enable or disable automatic assignment of the STP switch priority.

enable

bpdu-learn {enable | disable}

Enable or disable bridge protocol data unit (BPDU) learning.

NOTE: This command is available on the following FortiSwitch models: FSR-124D, FS-224D-FPOE, FS-224E, FS-224E-POE, FS-248D, FS-248E-POE, FS-248E-FPOE, FS-424D, FS-424D-POE, FS-424D-FPOE, FS-424E, FS-424E-POE, FS-424E-FPOE, FS-424E-Fiber, FS-M426E-FPOE, FS-448D, FS-448D-POE, FS-448D-FPOE, FS-448E, FS-448E-POE, FS-448E-FPOE, FS-524D, FS-524D-FPOE, FS-548D, FS-548D-FPOE, FS-1024D, FS-1048D, FS-1048E, FS-3032D, and FS-3032E.

enable

dhcp-snooping-database-export {disable | enable}

Enable or disable whether the DHCP snooping database is exported to file.

disable

dmi-global-all {enable | disable}

Enable or disable DMI globally.

enable

flapguard-retain-trigger {enable | disable}

Enable this setting to keep the “triggered” status in the output of the diagnose flapguard status command after a switch has been rebooted until the port has been reset with the execute flapguard reset <port_name> command.

Disable this setting to reset the “triggered” status when the switch is rebooted.

disable

flood-unknown-multicast {enable | disable}

Enable or disable whether to flood the VLAN with unknown multicast messages.

disable

fortilink-heartbeat-timeout <0-300>

Set how long before the FortiLink heartbeat times out. Set the value to 0 to disable the FortiLink heartbeat.

60

fortilink-p2p-native-vlan <integer>

Specify the native VLAN on the inter-switch link (ISL) when fortilink-p2p is enabled under the config switch physical port command.

4094

fortilink-p2p-tpid <integer>

Set the FortiLink point-to-point TPID value. The range of values is 0x0001 to 0xfffe.

This command is only available in FortiLink mode.

0x8100

fortilink-vlan-optimization {enable | disable}

Enable or disable FortiLink VLAN optimization.

disable

forti-trunk-dmac <xx:xx:xx:xx:xx:xx>

Enter the destination MAC address to be used for FortiTrunk heartbeat packets.

02:80:c2:00:00:02

ip-mac-binding {enable | disable}

Enable or disable IP-MAC binding for the switch

disable

l2-memory-check {enable | disable}

Enable or disable whether FortiSwitchOS checks the size of the layer-2 table. When this feature is enabled, the set l2-memory-check-interval command controls how often the table is checked. When the table is more than 75 percent full or less than 70 percent full, FortiSwitchOS adds a warning to the system log.

disable

l2-memory-check-interval <number_of_seconds>

When l2-memory-check is enabled, FortiSwitchOS checks the size of the layer-2 table at the specified interval. The range of values is 5-86400 seconds.

120

log-mac-limit-violations {enable | disable}

Enable or disable the logging of layer-2 learning limit violations for an interface or VLAN. The most recent violation that occurred on each interface or VLAN is logged. After that, no more violations are logged until the log is reset for the triggered interface or VLAN. Only the most recent 128 violations are displayed in the console.

NOTE: This command is only displayed if your FortiSwitch model supports it.

disable

log-source-guard-violations {enable | disable}

Enable or disable logs for source guard violations on a system-wide level.

disable

loop-guard-tx-interval <0-30>

Enter the loop guard transmit interval in seconds. The value range is 1-30.

3

mac-aging-interval <seconds>

Specify how often the learning-limit violation log is reset. The range is 10 to 1,000,000 seconds. Set to 0 to disable.

300

mac-violation-timer <integer>

How long (in minutes) violations of the layer-2 learning limit are kept in the log. The value range is 0-1500. Set to 0 to disable the timer.

0

max-frame-size <bytes_int>

Set the maximum frame size. The range and default depend on the switch model. See the FortiSwitchOS feature matrix.

NOTE: If you are not using the FS-1xxE, FS-1xxF, or FS-110G-FPOE models, this command is under the config switch physical-port command.

Varies

max-path-in-ecmp-group <integer>

Set the maximum path in one ECMP group.

8

mclag-igmpsnooping-aware {enable | disable}

Enable this option to synchronize both query ports and group entries across peer MCLAG trunks. This option can be used in standalone mode and in FortiLink mode.

NOTE: For IGMP snooping to work correctly in an MCLAG, you need to use the set mclag-igmpsnooping-aware enable command on all FortiSwitch units in the network topology and use the set igmps-flood-reports enable command on each MCLAG core FortiSwitch unit.

disable

mclag-peer-info-timeout <integer>

Enter the MCLAG peer info timeout. The value range is 30 to 600 seconds.

30

mclag-port-base <integer>

Set the MCLAG port base.

0

mclag-split-brain-all-ports-down {enable | disable}

When this option is enabled and a split-brain state occurs, the switch that goes dormant shuts down all ports before going dormant; the state of the ICL trunk ports is not changed.

When this option is disabled and a split-brain state occurs, the switch that goes dormant does not shut down any ports before going dormant.

This command is only available when mclag-split-brain-detect is enabled.

disable

mclag-split-brain-detect {enable | disable}

Enable or disable the detection of the MCLAG split-brain state.

disable

mclag-split-brain-priority <0-100>

When the split-brain state occurs, the switch with the lowest priority goes dormant. If both switches have the same priority, the switch with the lowest MAC address goes dormant when the split-brain state occurs.

This command is only available when mclag-split-brain-detect is enabled.

50

mclag-stp-aware {enable | disable}

Enable or disable whether the STP can be used within the MCLAG.

enable

mirror-qos <0-7>

Enter the quality of service (QoS) priority for packets mirrored by this FortiSwitch unit. Applies only to the FS-524D, FS-524D-FPOE, FS-548D, FS-548D-FPOE, FS-1048E, and FS-3032D models.

0

name <string>

Enter a name for the switch.

No default

neighbor-discovery-to-cpu {enable | disable}

Enable or disable the forwarding of IPv6 neighbor-discovery packets to the CPU. Applies only to the 200 Series and 400 Series.

enable

packet-buffer-mode {store-forward | cut-through}

Set the switching mode to store-and-forward or cut-through for the main buffer of the FS-1024D, FS-1048D, or FS-3032D model.

store-forward

poe-alarm-threshold <threshold (percent of total power budget) above which an alarm event is generated>

Enter the threshold (a specified percentage of the total power budget) above which an alarm event is generated.

80

poe-guard-band <integer>

Enter the power (W) to reserve in case of a spike in PoE consumption.

19

poe-power-budget <integer>

Set or override the maximum power budget.

400

poe-power-mode {first-come-first-served | priority}

Set the PoE power mode to priority based or first-come, first-served.

priority

poe-pre-standard-detect {disable | enable}

Enable or disable PoE pre-standard detection.

NOTE: PoE pre-standard detection is a global setting for the following FortiSwitch models: FSR-112D-POE, FS-548D-FPOE, FS-524D-FPOE, FS-108D-POE, FS-224D-POE, FS-108E-POE, FS-108E-FPOE, FS-124E-POE, FS-124E-FPOE, FS-148F-POE, and FS-148F-FPOE. For the other FortiSwitch PoE models, PoE pre-standard detection is set on each port.

disable

qos-drop-policy {random-early-detection | taildrop}

Set the CoS queue drop policy.
  • taildrop — When the queue is full, new packets are dropped.
  • random-early-detection — As the queue fills, the probability increases that packets will be dropped.

NOTE: This command is available only for the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models.

taildrop

qos-red-probability <integer>

Set the QoS RED/WRED drop probability. The FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, and FS-124E-FPOE models support 0-100 percent. The FS-148E, FS-148E-POE, and FS-148E-FPOE models support 0-25 percent.

NOTE: This command is available only for the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models.

12

reserved-mcast-to-cpu {enable | disable}

Enable or disable the forwarding of IPv6 neighbor-discovery packets to the CPU. Applies only to the 200 Series and 400 Series.

enable

source-guard-violation-timer <integer>

Enter the number of minutes for a global timeout for source guard violations. The range of values is 0-1500. Set this option to 0 to disable it.

This command is only available when log-source-guard-violations is enabled.

0

storm-control-monitor {enable | disable}

Enable or disable storm-control monitoring.

disable

storm-control-high-rate <0-65536>

When this rate (in dropped packets per second) is exceeded, a log message is generated.

This command is only available when storm-control-monitor is enabled.

300

storm-control-rate-filter <0-100>

Set the percentage for how sensitive storm-control monitoring is to changes in the storm-control-high-rate. Higher percentages mean that the storm-control monitoring is more sensitive to changes in the storm-control-high-rate.

This command is only available when storm-control-monitor is enabled.

20

trunk-hash-mode {default | enhanced}

Set the trunk hash mode to default or enhanced.

default

trunk-hash-unicast-src-port {enable | disable}

Enable or disable whether the trunk hashing algorithm for unicast packets uses the source port.

disable

trunk-hash-unkunicast-src-dst {enable | disable}

Enable or disable source-destination trunk hashing for unknown unicast packets.

enable

virtual-wire-tpid <0x0001-0xfffe>

TPID value used by virtual-wires. The value range is from 0x0001 to 0xfffe.

Choose a value unlikely to be seen as a TPID or ethertype in your network.

0xdee5

vxlan-dport <integer>

Set the VXLAN destination UDP port. The range of values is 1-65535.

4789

vxlan-sport <integer>

Set the VXLAN source UDP port. The range of values is 1-65535.

0

vxlan-stp-virtual-mac <MAC_address>

Set the MAC address for the virtual STP root.

This option is available only when vxlan-stp-virtual-root is enabled.

08:5B:0E:00:00:00

vxlan-stp-virtual-root {enable | disable}

When this option is enabled, the local switch automatically becomes the STP root for STP instances that contain the configured VXLAN's access VLAN. When it is disabled, the local switch does not.

disable

vxlan-qos-inner-to-outer {copy-to-outer | fixed}

Select how the differentiated services code point (DSCP) is determined:

  • copy-to-outer—Copy the DSCP value from the inner header to the outer header.

  • fixed—Use a fixed DSCP value in the IP header of the outer encapsulation. Specify the fixed value with the set vxlan-qos-dscp command.

copy-to-outer

vxlan-qos-dscp <0-63>

Specify the fixed DSCP value in the IP header of the outer encapsulation.

This command is available only when vxlan-qos-inner-to-outer is set to fixed.

0

config port-security

link-down-auth

If a link goes down, this setting determines whether the affected devices need to reauthenticate.
  • set-unauth—Revert all devices to the unauthenticated state. Each device will need to reauthenticate.
  • no-action—Take no action; reauthentication is not required.

set-unauth

mab-entry-as {dynamic | static}

Configure the MAC authentication bypass (MAB) MAC entries as static or dynamic:

  • In static mode, MAB sessions are kept until the link goes down or the MAB sessions are manually deleted with the CLI.

  • In dynamic mode, MAB sessions are treated the same way as dynamically learned MAC addresses.

static

mab-reauth {enable | disable}

Enable or disable whether MAB retries authentication before assigning a device to a guest VLAN for unauthorized users.

disable

mac-called-station-delimiter {colon | hyphen | none | single-hyphen}

Select which delimiter is used for the Called-Station-Id attribute or select none for no delimiter:

  • colon

  • hyphen

  • single-hyphen

hyphen

mac-calling-station-delimiter {colon | hyphen | none | single-hyphen}

Select which delimiter is used for the Calling-Station-Id attribute or select none for no delimiter:

  • colon

  • hyphen

  • single-hyphen

hyphen

mac-case {lowercase | uppercase}

Select whether MAC addresses use lowercase or uppercase letters.

lowercase

mac-password-delimiter {colon | hyphen | none | single-hyphen}

Select which delimiter is used for the User-Password attribute or select none for no delimiter:

  • colon

  • hyphen

  • single-hyphen

hyphen

mac-username-delimiter {colon | hyphen | none | single-hyphen}

Select which delimiter is used for the User-Name attribute or select none for no delimiter:

  • colon

  • hyphen

  • single-hyphen

hyphen

max-reauth-attempt

If 802.1x authentication fails, this setting caps the number of attempts that the system will initiate. The range is from 0 to 15 where "0" disables the reauthentication attempts.

3

quarantine-vlan {enable | disable}

Enable or disable quarantine VLAN detection. Enable this setting to use quarantines with 802.1x MAC-based authentication in FortiLink mode.

enable

reauth-period

Defines how often the device needs to reauthenticate. If a session remains active beyond this number of minutes, the system requires the device to reauthenticate.

60

tx-period <12-60>

Specify how many seconds are allowed for the 802.1x reauthentication before it times out.

30

Example

The following example configures system-wide FortiSwitch settings:

config switch global

set auto-isl enable

set dhcp-snooping-database-export enable

set dmi-global-all enable

set ip-mac-binding enable

set loop-guard-tx-interval 15

set mac-aging-interval 150

set max-path-in-ecmp-group 4

set mclag-peer-info-timeout 300

set poe-alarm-threshold 40

set poe-power-mode first-come-first-served

set poe-guard-band 10

set poe-pre-standard-detect enable

set poe-power-budget 200

set trunk-hash-mode enhanced

set trunk-hash-unkunicast-src-dst enable

end

config switch hsr ring

Use this command to configure a High-Availability Seamless Redundancy (HSR) ring.

Syntax

config switch hsr ring

edit {1 | 2}

set status {enable | disable}

set ring-port-pair <physical_port_pair>

set redbox-mode hsr-san

set vlan-id <1-4094>

set vlan-id-cos <0-7>

set vlan-id-tagged {enable | disable}

set hsr-internal-vlan <VLAN_ID>

next

end

Variable

Description

Default

status {enable | disable}

Enable or disable this HSR ring.

disable

ring-port-pair <physical_port_pair>

Select which port A and port B pair to use for this HSR ring. Enter set ring-port-pair ? to see the available physical port pairs.

No default

redbox-mode hsr-san

HSR-SAN is currently the only RedBox operation mode supported.

hsr-san

vlan-id <1-4094>

Enter the VLAN identifier of the supervision frame.

This option is available only when vlan-id-tagged is set to enable.

1

vlan-id-cos <0-7>

Enter the class of service (CoS) value to be set in the VLAN tag of the supervision frame.

This option is available only when vlan-id-tagged is set to enable.

0

vlan-id-tagged {enable | disable}

Enable or disable supervision frame VLAN ID tagging.

disable

hsr-internal-vlan <2-4094>

Assign all MAC addresses of this HSR ring to this internal VLAN ID.

NOTE: If you are using an HSR ring and a PRP channel in your network, you need to change the default value so that each HSR ring and PRP channel is in a different internal VLAN.

No default

Example

The following example configures an HSR ring:

config switch hsr ring

edit 1

set status enable

set ring-port-pair port7-port8

next

end

config switch hsr settings

Use this command to configure HSR settings.

Syntax

config switch hsr settings

set mac-da <0-255>

set life-check-interval <2-60 seconds>

end

Variable

Description

Default

mac-da <0-255>

Specify the last 8 bits of the HSR supervision frame MAC destination address (DA).

0

life-check-interval <2-60 seconds>

Specify how often (in seconds) the HSR supervision frame is generated for each MAC address in the VDAN table.

2

Example

The following example configures the HSR settings:

config switch hsr settings

set mac-da 100

set life-check-interval 30

end

config switch igmp-snooping globals

Use this command to configure global settings for IGMP snooping on the FortiSwitch unit.

Syntax

config switch igmp-snooping globals

set aging-time <15-3600>

set leave-response-timeout <1-20>

set lookup-mode {L2 | L3}

set query-interval <10-1200>

set query-max-response-timeout <100-32768>

end

Variable

Description

Default

aging-time <15-3600>

The maximum number of seconds to retain a multicast snooping entry for which no packets have been seen (15-3600).

300

leave-response-timeout <1-20>

Enter the maximum number of seconds that the switch waits after sending a group-specific query in response to the leave message.

10

lookup-mode {L2 | L3}

Select whether IGMP groups are looked up by their IP addresses or their MAC addresses:

  • L2—Look up IGMP groups in the MAC address table. Set the lookup-mode to L2 for the FS-1024E, FS-T1024E, FS-T1024F-FPOE, FS-2048F, and FS-1048E models so that IGMP groups with TTL=1 streams are not dropped.

  • L3—Look up IGMP groups in the IP multicast address table.

L3

query-interval <10-1200>

Enter the maximum number of seconds between IGMP queries.

120

query-max-response-timeout <100-32768>

Enter the maximum number of milliseconds that a host waits for responses to a general query message.

10000

Example

The following example configures global settings for IGMP snooping on the FortiSwitch unit:

config switch igmp-snooping globals

set aging-time 150

set leave-response-timeout 15

set query-interval 200

end

config switch interface

Use this command to configure FortiSwitch features on an interface.

NOTE: Settings under config qnq are for customer VLANs (C-VLANs). Other settings such as set allowed-vlans, set native-vlan, and set vlan-tpid are for service-provider VLANs (S-VLANs).

Syntax

config switch interface

edit <interface_name>

set allowed-vlans {vlan1 vlan2 ...}

set arp-inspection-trust {trusted | untrusted}

set auto-discovery-fortilink-packet-interval <3-300>

set default-cos <0-7>

set description <string>

set discard-mode {all-tagged | all-untagged | none}

set dhcp-snooping {trusted | untrusted}

set dhcp-snoop-learning-limit <1-16000>

set dhcp-snoop-learning-limit-check {disable | enable}

set dhcp-snooping-option82-trust {enable | disable}

set edge-port {enabled | disabled}

set force-egr-prio-tag {enable | disable}

set igmp-snooping-flood-reports {enable | disable}

set mcast-snooping-flood-traffic {enable | disable}

set mld-snooping-flood-reports {enable | disable}

set ip-mac-binding {enable | disable | global}

set ip-source-guard {enable | disable}

set learning-limit <0-128>

set learning-limit-action {none | shutdown}

set log-mac-event {enable | disable}

set loop-guard {enabled | disabled}

set loop-guard-timeout <0-120>

set loop-guard-mac-move-threshold <0-100>

set nac {enable | disable}

set native-vlan <vlan_int>

set packet-sampler {enabled | disabled}

set sample-direction {both | rx | tx}

set packet-sample-rate <0-99999>

set private-vlan {disabled | promiscuous | sub-vlan}

set ptp-policy {<string> | default}

set ptp-status {enable | disable}

set qos-policy {<string> | default}

set rpvst-port {enabled | disabled}

set security-groups <security-group-name>

set sflow-counter-interval <0-255>

set snmp-index <integer>

set sticky-mac {disable | enable}

set stp-bpdu-guard {disabled | enabled}

set stp-loop-protection {enabled | disabled}

set stp-root-guard {disabled | enabled}

set stp-state {enabled | disabled}

set trust-dot1p-map <string>

set trust-ip-dscp-map <string>

set untagged-vlans {vlan1 vlan2 ...}

set vlan-mapping-miss-drop {enable | disable}

set vlan-tpid <default | string>

config dhcp-snoop-option82-override

edit <VLAN_ID>

set remote-id <string>

set circuit-id <string>

next

end

config port-security

set {allow-mac-move-from | allow-mac-move-to} {enable | disable}

set eap-egress-tagged {enable | disable}

set port-security-mode {none | 802.1X | 802.1X-mac-based}

set auth-fail-vlan {enable | disable}

set auth-fail-vlanid <VLAN_id>

set auth-order {MAB | MAB-dot1x | dot1x-MAB}

set auth-priority {MAB-dot1x | dot1x-MAB | legacy}

set authserver-timeout-period <3-15>

set authserver-timeout-tagged {disable | lldp-voice | static}

set authserver-timeout-tagged-vlanid <1-4094>

set authserver-timeout-vlan {enable | disable}

set authserver-timeout-vlanid <1-4094>

set dacl {enable | disable}

set eap-auto-untagged-vlans {enable | disable}

set eap-passthru {disable | enable}

set framevid-apply {disable | enable}

set guest-auth-delay <integer>

set guest-vlan {enable | disable}

set guest-vlanid <VLAN_id>

set mab-eapol-request <0-10>

set mac-auth-bypass {enable | disable}

set open-auth {enable | disable}

set quarantine-vlan {enable | disable}

set radius-timeout-overwrite {enable | disable}

next

end

config raguard

edit <ID>

set raguard-policy <name_of_RA_guard_policy>

set vlan-list <list_of_VLANs>

next

end

config qnq

set status {enable | disable}

set edge-type customer

set vlan-mapping-miss-drop {enable | disable}

set add-inner <1-4095>

set remove-inner {enable | disable}

set native-c-vlan <1-4094>

set allowed-c-vlan <list_of_VLANs>

set priority {follow-c-tag | follow-s-tag}

set s-tag-priority <0-7>

config vlan-mapping

edit <id>

set description <string>

set match-c-vlan <1-4094>

set new-s-vlan <1-4094>

next

end

end

config vlan-mapping

edit <id>

set description <string>

set direction {egress | ingress}

set match-s-vlan <1-4094>

set match-c-vlan <1-4094>

set action {add | delete | replace}

set new-s-vlan <1-4094>

next

end

next

end

Variable

Description

Default

<interface_name>

Enter the name of the interface.

No default

allowed-vlans

{vlan1 vlan2 ...}

Enter the names of the VLANs permitted on this interface.

No default

arp-inspection-trust {trusted | untrusted}

Set the interface to trusted or untrusted.

untrusted

auto-discovery-fortilink-packet-interval <3-300>

Enter the FortiLink packet interval for automatic discovery. The value range is 3 to 300 seconds.

5

default-cos <0-7>

Set the default CoS value for untagged packets. Integer in the range of 0 to 7.

The configured default CoS only applies if you also set trust-dot1p-map on the interface.

NOTE: The set default-cos command is not available on the following FortiSwitch models: 224D-FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE, and 248E-FPOE.

0

description <string>

Enter a description of the interface.

No default

discard-mode {all-tagged | all-untagged | none}

Set the discard mode for this interface.

none

dhcp-snooping {trusted | untrusted}

Set the interface to trusted or untrusted.

untrusted

dhcp-snoop-learning-limit <1-16000>

Set the maximum number of IP addresses learned on this interface for the DHCP-snooping binding database.

The set dhcp-snoop-learning-limit command is available only when dhcp-snoop-learning-limit-check is enabled.

5

dhcp-snoop-learning-limit-check {disable | enable}

Enable or disable whether there is a limit for how many IP addresses are in the DHCP-snooping binding database for this interface.

disable

dhcp-snooping-option82-trust {enable | disable}

Enable or disable (allow/disallow) DHCP packets with option-82 on an untrusted interface.

disable

edge-port {enabled | disabled}

Enable if the port does not have another switch connected to it.

disabled

force-egr-prio-tag {enable | disable}

NOTE: This command is only for the FS-1xxE, FS-1xx, and FS-110G-FPOE models.

Enable or disable the forced priority tagging on egress ports.

  • enable—When the allowed-vlans command is set on a port, all egress traffic will have the priority tag of vlan=0.

    This command is most useful when the port is acting as an access port for native traffic only.

  • disable—Priority tagging is not forced on egress ports.

disable

igmp-snooping-flood-reports {enable | disable}

Enable or disable whether to flood IGMP-snooping reports to this interface.

NOTE: For IGMP snooping to work correctly in an MCLAG, you need to use the set mclag-igmpsnooping-aware enable command on all FortiSwitch units in the network topology and use the set igmp-snooping-flood-reports enable command on each MCLAG core FortiSwitch unit.

disable

mcast-snooping-flood-traffic {enable | disable}

Enable or disable whether to flood multicast traffic to this interface.

disable

mld-snooping-flood-reports {enable | disable}

Enable or disable whether to flood MLD-snooping reports to this interface.

disable

ip-mac-binding {enable | disable | global}

Enable or disable IP-MAC binding for this interface. If you set the value to global, the interface inherits the global ip-mac-binding configuration value.

disable

ip-source-guard {enable | disable}

Enable or disable IP source guard for this interface. After you enable this feature, use the config switch ip-source-guard command to configure it.

disable

learning-limit <0-128>

Limit the number of dynamic MAC addresses on this port.

The value range is 0 to 128. Setting the learning-limit to 0 means that there is no limit to the number of MAC addresses learned.

NOTE: You cannot set the learning-limit on the internal interface.

0

learning-limit-action {none | shutdown}

When the learning-limit is exceeded, select none to take no action or select shutdown to disable this interface. The learning-limit-action applies only to physical switch port interfaces, not to trunks or VLANs.

The learning-limit-action is available only when learning-limit has been set to 1-128.

none

log-mac-event {enable | disable}

Enable or disable the logging of dynamic MAC address events.

disable

loop-guard {enabled | disabled}

Enable or disable loop guard for this interface.

disabled

loop-guard-timeout <0-120>

After enabling loop guard, set the number of minutes before loop guard resets. Setting this value to 0 means that there is no timeout.

45

loop-guard-mac-move-threshold <0-100>

After enabling loop guard, set the number of MAC address moves per second for this interface. The threshold must be exceeded for 6 consecutive seconds to trigger loop guard.

0

nac {enable | disable}

This command is available only in FortiLink mode. Enable to allow the switch to transmit MAC events to the FortiGate device to improve network access control (NAC) performance.

disable

native-vlan <vlan_int>

Enter the native (untagged) VLAN for this interface.

1

packet-sampler {enabled | disabled}

Enable or disable packet sampling for flow export.

disabled

sample-direction {both | rx | tx}

Set the sFlow sample direction to monitor received traffic (rx), monitor transmitted traffic (tx), or monitor both.

This option is only available when the packet-sampler is enabled.

both

packet-sample-rate <0-99999>

If packet-sampler is set to enabled, you can change the packet sample rate.

512

private-vlan {disabled | promiscuous | sub-vlan}

Enable private VLAN functionality.

NOTE: Private VLANs are not supported on the FortiSwitch-28C.

disabled

ptp-policy {<string> | default}

Enter the name of the Precision Time Protocol (PTP) policy to apply to this port.

default

ptp-status {enable | disable}

Enable or disable PTP on this port.

enable

qos-policy {<string> | default}

Enter the name of the QoS egress CoS queue policy.

default

rpvst-port {enabled | disabled}

Enable or disable whether this interface interoperates with per-VLAN spanning tree (PVST).

disabled

security-groups <security-group-name>

Enter the security group name if you are using port-based authentication or MAC-based authentication.

No default

sflow-counter-interval <0-255>

Set the polling interval for the sFlow sampler counter. Set to 0 to disable polling.

0

snmp-index <integer>

Enter the SNMP index for this interface.

Default is the port number

sticky-mac {disable | enable}

Enable or disable whether dynamically learned MAC addresses are persistent when the status of a FortiSwitch port changes (goes down or up).

disable

stp-bpdu-guard {disabled | enabled}

Enable or disable STP BPDU guard protection. To use STP BPDU guard on this interface, you must enable stp-state and edge-port.

disabled

stp-loop-protection {enabled | disabled}

Enable or disable STP loop protection on this interface.

disabled

stp-root-guard {disabled | enabled}

Enable or disable STP root guard protection. To use STP root guard, you must enable stp-state.

disabled

stp-state {enabled | disabled}

Enable or disable Spanning Tree Protocol (STP) on this interface.

enabled

trust-dot1p-map

Whether to trust the dot1p CoS value in the incoming packets. Specify a map to map the CoS value to an egress queue value.

No default

trust-ip-dscp-map

Whether to trust the DSCP QoS value in the incoming packets. Specify a map to map the DSCP value to an egress queue value.

No default

untagged-vlans

Select the allowed-vlans to be transmitted without VLAN tags.

No default

vlan-mapping-miss-drop {enable | disable}

Enable or disable whether a packet is dropped if the VLAN ID in the packet's tag is not defined in the vlan-mapping configuration.

disable

vlan-tpid <default | string>

Select which VLAN TPID profile to use. The default VLAN TPID profile has a value of 0x8100 and cannot be deleted or changed.

NOTE: If you are not using the default VLAN TPID profile, you must have already defined the VLAN TPID profile with the config switch vlan-tpid command.

default

config dhcp-snoop-option82-override

<VLAN_ID>

Select the VLAN identifier.

No default

remote-id <string>

Enter the plain text string to use in the Remote ID field instead of the global value.

The plain text string can be a maximum of 256 characters long. The combined length of the remote-id and circuit-id text strings can be a maximum of 256 characters long.

No default

circuit-id <string>

Enter the plain text string to use in the Circuit ID field instead of the global value.

The plain text string can be a maximum of 256 characters long. The combined length of the remote-id and circuit-id text strings can be a maximum of 256 characters long.

No default

config port-security

{allow-mac-move-from | allow-mac-move-to} {enable | disable}

Depending on the FortiSwitch model, you will see one of these commands:

  • allow-mac-move-from—Enable on the source port when an 802.1x client is being moved between ports that are not directly connected to the FortiSwitch unit. This command is available only for the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-108F, FS-108F-POE, FS-108F-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models.

  • allow-mac-move-to—Enable on the destination port when an 802.1x client is being moved between ports that are not directly connected to the FortiSwitch unit. This command is available only for FSR-124D, 200 Series, FS-4xxE, 500 Series, FS-1024D, FS-1024E, FS-T1024E, FS-1048E, and FS-3032E.

disable

eap-egress-tagged {enable | disable}

When allow-mac-move is enabled, you can enable this option to ensure that egress EAPOL packets are tagged without needing additional checking.

enable

port-security-mode {none | 802.1X | 802.1X-mac-based}

Set the security mode for the port.

  • 802.1X—Use this setting for port-based authentication.
  • 802.1X-mac-based—Use this setting for MAC-based authentication.

If you change the security mode to 802.1X or 802.1X-mac-based, you must set the security group with the set security-groups command.

none

auth-fail-vlan {enable | disable}

When enabled, the system assigns the auth-fail-vlanid to users who attempted to authenticate but failed to provide valid credentials.

disable

auth-fail-vlanid <VLAN_id>

Enter the VLAN identifier that the system assigns to users who attempted to authenticate but failed to provide valid credentials. This field is mandatory when auth-fail-vlan is enabled.

200

auth-order {MAB | MAB-dot1x | dot1x-MAB}

This command is available only when the set mac-auth-bypass command is enabled.

Select one of the authentication order modes:

  • MAB—In the MAB-only authentication mode, the FortiSwitch unit performs MAB authentication without performing EAP authentication. EAP packets are not sent.

  • MAB-dot1x—This command has been added for future use. It currently has no effect on authentication.

  • dot1x-MAB—This command has been added for future use. It currently has no effect on authentication.

MAB-dot1x

auth-priority {MAB-dot1x | dot1x-MAB | legacy}

Select the priority of MAC authentication bypass (MAB) authentication and EAP 802.1X authentication.

  • MAB-dot1x—The switch tries MAB authentication first and then EAP 802.1X authentication if MAB authentication fails. If EAP 802.1X authentication also fails, users are assigned to the auth-fail-vlanid VLAN if it is configured.

  • dot1x-MAB—The switch tries EAP 802.1X authentication first and then MAB authentication if EAP 802.1X fails. If MAB authentication also fails, users are assigned to the auth-fail-vlanid VLAN if it is configured.

  • legacy—The switch tries EAP 802.1X authentication and MAB authentication in the order that they are received with EAP 802.1X authentication having absolute priority. If authentication fails, users are assigned to a guest VLAN if it has been configured. There is no time delay involved.

This command is available only when the set mac-auth-bypass command is enabled.

legacy

authserver-timeout-period <3-15>

Enter the number of seconds before the authentication server stops trying to authenticate users.

3

authserver-timeout-tagged {disable | lldp-voice | static}

Select whether users are assigned to the specified VLAN when the authentication server times out:

  • disable—Users are not assigned to a specified VLAN when the authentication server times out.

  • lldp-voice—Users are assigned to the VLAN specified in the set lldp-profile command (under config switch physical-port).

  • static—Users are assigned to the tagged VLAN specified in the set authserver-timeout-tagged-vlanid command.

disable

authserver-timeout-tagged-vlanid <1-4094>

Enter the identifier for the tagged VLAN that the system assigns to users when the authentication server times out.

300

authserver-timeout-vlan {enable | disable}

Enable or disable whether users are assigned to the specified VLAN when the authentication server times out.

disable

authserver-timeout-vlanid <1-4094>

Enter the identifier for the untagged VLAN that the system assigns to users when the authentication server times out. This field is mandatory when authserver-timeout-vlan is enabled.

300

dacl {enable | disable}

Enable or disable the dynamic access control list (DACL) on this interface.

disable

eap-auto-untagged-vlans {enable | disable}

Enable to allow voice traffic with voice VLAN tag at egress.

enable

eap-passthru {disable | enable}

Enable or disable the EAP pass-through mode.

enable

framevid-apply {disable | enable}

Enable or disable the capability to apply the EAP/MAB frame VLAN to the port native VLAN.

NOTE: For phone and PC configuration only, disable framevid-apply to preserve the native VLAN when the data traffic is expected to be untagged.

enable

guest-auth-delay <integer>

If a device does not attempt to authenticate within this timeframe (in seconds), the guest VLAN is assigned.

5

guest-vlan {enable | disable}

When enabled, the system assigns the guest-vlanid to unauthorized users.

disable

guest-vlanid <VLAN_id>

VLAN identifier. Mandatory field when guest VLAN is enabled.

100

mab-eapol-request <0-10>

Set how many EAP packets are sent to trigger EAP authentication for “silent supplicants” (such as end devices running Windows 7) that send non-EAP packets when they wake up from sleep mode.

To disable this feature, set mab-eapol-request to 0 or disable mac-auth-bypass.

3

mac-auth-bypass {enable | disable}

Enable or disable MAC authentication bypass (MAB). If you enable MAB on the port, the system will use the device MAC address as the user name and password for authentication.

disable

open-auth {enable | disable}

Enable or disable open authentication (monitor mode) on this interface.

disable

quarantine-vlan {enable | disable}

Enable or disable quarantine VLAN detection. Enable this setting to use quarantines with 802.1x MAC-based authentication in FortiLink mode.

enable

radius-timeout-overwrite {enable | disable}

Enable this option to use the value of the session-timeout attribute. The session-timeout attribute specifies how many seconds of idleness are allowed before the FortiSwitch unit disconnects a session. The value must be more than 60 seconds.

disable

config raguard

<ID>

Enter an identifier for the IPv6 RA-guard configuration.

No default

raguard-policy <name_of_RA_guard_policy>

Enter the name of the RA-guard policy to use for this interface.

The RA-guard policy must be created (with the config switch raguard-policy command) before it is applied to an interface.

No default

vlan-list <list_of_VLANs>

Enter a VLAN or a range of VLANs to apply this policy to. Use less than 4,096 characters for the vlan-list value. Separate the VLANs and VLAN ranges with commas, for example:

1,3-4,6,7,9-100

All allowed VLANs on this port

config qnq

status {enable | disable}

Enable this setting to use the VLAN stacking (QnQ) mode.

disable

edge-type customer

If the QnQ mode is enabled, the edge type is set to customer.

customer

vlan-mapping-miss-drop {enable | disable}

If the QnQ mode is enabled, enable or disable whether a frame is dropped if the VLAN ID in the frame's tag is not defined in the vlan-mapping configuration. This option is available only when allowed-c-vlan has not been set.

disable

add-inner <1-4095>

If the QnQ mode is enabled, add the inner tag for untagged frames upon ingress.

No default

remove-inner {enable | disable}

If the QnQ mode is enabled, enable or disable whether the inner tag is removed upon egress.

disable

native-c-vlan <1-4094>

Specify the native C VLAN (1-4094) for untagged packets. When you specify a value for native-c-vlan, FortiSwitchOS adds the native inner tag to untagged frames upon ingress and removes the native inner tag at egress.

No default

allowed-c-vlan <list_of_VLANs>

Specify single VLANs or ranges of VLANs. Use a comma to separate values without any spaces. The allowed-c-vlan applies to both ingress and egress. You must use less than 4,096 characters to list the VLANs. This option is available only when vlan-mapping-miss-drop is disabled.

No default

priority {follow-c-tag | follow-s-tag}

If the QnQ mode is enabled, select whether to follow the priority of the S-tag (service tag) or C-tag (customer tag).

NOTE: This command is not available on the 224D-FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE and 248E-FPOE models.

follow-s-tag

s-tag-priority <0-7>

If frames follow the priority of the S-tag (service tag), enter the priority value. This option is available only when the priority is set to follow-s-tag.

NOTE: This command is not available on the 224D-FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE and 248E-FPOE models.

0

config vlan-mapping (options available when QnQ is enabled)

<id>

Enter a mapping entry identifier.

No default

description <string>

Enter a description of the mapping entry.

No default

match-c-vlan <1-4094>

Enter a matching customer (inner) VLAN.

0

new-s-vlan <1-4094>

Enter a new service (outer) VLAN.

NOTE: The VLAN must be in the port's allowed VLAN list.

This option is only available after you set the value for match-c-vlan.

No default

config vlan-mapping (options available when QnQ is disabled)

<id>

Enter an identifier for the VLAN mapping entry.

No default

description <string>

Enter a description of the VLAN mapping entry.

No default

direction {egress | ingress}

Select the ingress or egress direction.

No default

match-s-vlan <1-4094>

If the direction is set to egress, enter the service (outer) VLAN to match.

0

match-c-vlan <1-4094>

If the direction is set to ingress, enter the customer (inner) VLAN to match.

0

action {add | delete | replace}

Select what happens when the packet is matched:

  • add—When the packet is matched, add the service VLAN. You cannot set the action to add for the egress direction.
  • delete—When the packet is matched, delete the service VLAN. You cannot set the action to delete for the ingress direction.
  • replace—When the packet is matched, replace the customer VLAN or service VLAN.

This option is only available after you set a value for match-c-vlan or match-s-vlan.

No default

new-s-vlan <1-4094>

Set the new service (outer) VLAN.

This option is only available after you set the action to add or replace for the ingress direction or after you set the action to replace for the egress direction.

No default
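The direction/action constraints in the table above (QnQ disabled) are easy to get wrong when scripting switch configuration. The following added example, not FortiSwitchOS code, models one vlan-mapping entry as a validator plus a tag-stack transform; how replace rewrites the tag stack is an assumption drawn from the option descriptions, the validation rules are the ones the table states.

```python
"""Model of the FortiSwitchOS vlan-mapping rules (QnQ disabled) given above.

Added illustration, not FortiSwitch code. A frame's tag stack is a list of
VLAN IDs, outermost first: [s_vlan, c_vlan] when double-tagged, [c_vlan]
when single-tagged. The direction/action constraints are those the table
states; how 'replace' rewrites the stack is an assumption for the model.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class VlanMapping:
    id: int
    direction: str                 # "ingress" | "egress"
    match_c_vlan: int = 0          # ingress match, 0 = unset
    match_s_vlan: int = 0          # egress match, 0 = unset
    action: Optional[str] = None   # "add" | "delete" | "replace"
    new_s_vlan: Optional[int] = None


def validate(m: VlanMapping) -> None:
    """Raise ValueError for combinations the CLI refuses (per the table)."""
    if m.direction not in ("ingress", "egress"):
        raise ValueError("direction must be ingress or egress")
    if m.direction == "ingress" and not 1 <= m.match_c_vlan <= 4094:
        raise ValueError("ingress entry needs match-c-vlan 1-4094")
    if m.direction == "egress" and not 1 <= m.match_s_vlan <= 4094:
        raise ValueError("egress entry needs match-s-vlan 1-4094")
    if m.action is None:
        raise ValueError("action is required once a match value is set")
    if m.action == "add" and m.direction == "egress":
        raise ValueError("action add is not allowed for the egress direction")
    if m.action == "delete" and m.direction == "ingress":
        raise ValueError("action delete is not allowed for the ingress direction")
    # new-s-vlan is only available for ingress add/replace or egress replace
    needs_new = (m.direction == "ingress" and m.action in ("add", "replace")) or \
                (m.direction == "egress" and m.action == "replace")
    if needs_new and not (m.new_s_vlan and 1 <= m.new_s_vlan <= 4094):
        raise ValueError(f"{m.direction} {m.action} needs new-s-vlan 1-4094")
    if not needs_new and m.new_s_vlan is not None:
        raise ValueError("new-s-vlan is not available for this action")


def apply_mapping(m: VlanMapping, tags: List[int], direction: str) -> List[int]:
    """Return the tag stack after the entry is applied (unchanged if no match)."""
    validate(m)
    if m.direction != direction or not tags:
        return list(tags)
    if direction == "ingress":
        if tags[-1] != m.match_c_vlan:      # innermost tag is the customer VLAN
            return list(tags)
        if m.action == "add":               # push the service VLAN on the outside
            return [m.new_s_vlan] + tags
        return tags[:-1] + [m.new_s_vlan]   # replace the customer VLAN (assumed)
    # egress: the outermost tag is the service VLAN
    if tags[0] != m.match_s_vlan:
        return list(tags)
    if m.action == "delete":
        return tags[1:]
    return [m.new_s_vlan] + tags[1:]        # replace the service VLAN
```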

Example

The following example shows QoS configuration on a trunk interface:

config switch interface

edit "tr1"

set snmp-index 56

set trust-dot1p-map "dot1p_map1"

set default-cos 1

set qos-policy "p1"

next

end

The following example shows how to configure 802.1x authentication:

config switch interface

edit "port11"

set native-vlan 200

set snmp-index 11

config port-security

set port-security-mode 802.1X

set auth-fail-vlan enable

set auth-fail-vlanid 301

set authserver-timeout-period 4

set authserver-timeout-vlan enable

set authserver-timeout-vlanid 300

set eap-auto-untagged-vlans enable

set eap-passthru enable

set framevid-apply enable

set guest-auth-delay 5

set guest-vlan enable

set guest-vlanid 401

set mab-eapol-request 0

set mac-auth-bypass disable

set open-auth disable

set quarantine-vlan enable

set radius-timeout-overwrite enable

end

set security-groups "radius1grp"

next

end

config switch ip-mac-binding

Use IP-MAC binding to prevent ARP spoofing.

The port accepts a packet only if the source IP address and source MAC address in the packet match an entry in the IP-MAC binding table.

You can enable or disable IP-MAC binding for the whole switch, and you can override this global setting for each port.

Syntax

config switch ip-mac-binding

edit <sequence_int>

set ip <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>

set mac <xx:xx:xx:xx:xx:xx>

set status {enable | disable}

next

end

Variable

Description

Default

<sequence_int>

Enter a sequence number for the IP-MAC binding entry.

No default

ip <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>

Enter the source IP address and network mask for this rule.

0.0.0.0 0.0.0.0

mac <xx:xx:xx:xx:xx:xx>

Enter the MAC address for this rule.

00:00:00:00:00:00

status {enable | disable}

Enable or disable the IP-MAC binding.

disable

Example

The following example configures the IP-MAC binding for the FortiSwitch unit:

config switch ip-mac-binding

edit 1

set ip 172.168.20.1 255.255.255.255

set mac 00:21:cc:d2:76:72

set status enable

next

end

config switch ip-source-guard

Use this command to configure IP source guard for a port by binding IPv4 addresses to MAC addresses.

Syntax

config switch ip-source-guard

edit <port_name>

config binding-entry

edit <id>

set ip <xxx.xxx.xxx.xxx>

set mac <XX:XX:XX:XX:XX:XX>

next

end

next

end

Variable

Description

Default

<port_name>

Enter the name of the port.

No default

<id>

Enter a unique integer to create a new entry.

No default

ip <xxx.xxx.xxx.xxx>

Required. Enter the IPv4 address to bind to the MAC address. Masks are not supported.

0.0.0.0

mac <XX:XX:XX:XX:XX:XX>

Required. Enter the MAC address to bind to the IPv4 address.

00:00:00:00:00:00

Example

The following example binds an IPv4 address to a MAC address so that traffic from that IP address will be allowed on port4:

config switch ip-source-guard

edit port4

config binding-entry

edit 1

set ip 172.168.20

set mac 00:21:cc:d2:76:72

next

end

next

end
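The two admission rules above (IP-MAC binding with a mask and a global/per-port enable, and IP source guard with exact per-port bindings) are modelled together in this added example, which is not FortiSwitchOS code. The global/per-port enable fields, the treatment of a port with no source-guard entries as unguarded, and the sample addresses are assumptions for the model.

```python
"""Source-address admission check modelled on config switch ip-mac-binding and
config switch ip-source-guard (added illustration, not FortiSwitchOS code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class IpMacBinding:             # one "edit <sequence_int>" entry
    ip: str                     # "set ip <addr> <mask>": address part
    mask: str                   # mask part; 0.0.0.0 0.0.0.0 would match any IP
    mac: str
    status: str = "disable"


@dataclass
class SourceGuardEntry:         # one binding-entry under a port
    ip: str                     # exact IPv4 address, masks are not supported
    mac: str


@dataclass
class SwitchConfig:
    ip_mac_binding_global: bool = False                                 # assumed field
    ip_mac_binding_port: Dict[str, bool] = field(default_factory=dict)  # assumed override
    ip_mac_bindings: List[IpMacBinding] = field(default_factory=list)
    ip_source_guard: Dict[str, List[SourceGuardEntry]] = field(default_factory=dict)


def _same_mac(a: str, b: str) -> bool:
    return a.lower() == b.lower()


def _in_subnet(addr: str, net_ip: str, mask: str) -> bool:
    return ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(f"{net_ip}/{mask}", strict=False)


def ip_mac_binding_allows(cfg: SwitchConfig, port: str, src_ip: str, src_mac: str) -> bool:
    """True if the packet passes IP-MAC binding on this port. A disabled
    check (globally, or via the port override) is skipped."""
    enabled = cfg.ip_mac_binding_port.get(port, cfg.ip_mac_binding_global)
    if not enabled:
        return True
    for e in cfg.ip_mac_bindings:
        if e.status == "enable" and _in_subnet(src_ip, e.ip, e.mask) and _same_mac(e.mac, src_mac):
            return True
    return False        # no matching entry: the port rejects the packet


def ip_source_guard_allows(cfg: SwitchConfig, port: str, src_ip: str, src_mac: str) -> bool:
    """True if the packet passes IP source guard; ports without entries are unguarded (assumed)."""
    entries = cfg.ip_source_guard.get(port)
    if not entries:
        return True
    return any(e.ip == src_ip and _same_mac(e.mac, src_mac) for e in entries)


def port_accepts(cfg: SwitchConfig, port: str, src_ip: str, src_mac: str) -> bool:
    """Both checks must pass for the packet to be forwarded."""
    return (ip_mac_binding_allows(cfg, port, src_ip, src_mac)
            and ip_source_guard_allows(cfg, port, src_ip, src_mac))


def example_config() -> SwitchConfig:
    """Constructed configuration modelled on the two CLI examples above."""
    cfg = SwitchConfig(ip_mac_binding_global=True)
    cfg.ip_mac_bindings.append(
        IpMacBinding("172.168.20.1", "255.255.255.255", "00:21:cc:d2:76:72", "enable"))
    cfg.ip_source_guard["port4"] = [SourceGuardEntry("172.168.20.1", "00:21:cc:d2:76:72")]
    cfg.ip_mac_binding_port["port9"] = False    # assumed per-port override: binding off
    return cfg
```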

config switch lldp profile

Use this command to configure LLDP profile settings. The LLDP profile contains most of the port-specific configuration. Profiles are designed to provide a central point of configuration for LLDP settings that are likely to be the same for multiple ports.

There are two static LLDP profiles: default and default-auto-isl. These profiles are created automatically. They can be modified but cannot be deleted. The default-auto-isl profile always has auto-isl enabled, and rejects any configurations which attempt to disable it.

Syntax

config switch lldp profile

edit <profile>

set 802.1-tlvs {port-vlan-id | vlan-name}

set 802.3-tlvs {eee-config | max-frame-size | power-negotiation}

set auto-isl {enable | disable}

set auto-isl-auth {legacy | strict | relax}

set auto-isl-auth-encrypt {mixed | must | none}

set auto-isl-auth-identity <string>

set auto-isl-auth-macsec-profile default-macsec-auto-isl

set auto-isl-auth-reauth <0-3600>

set auto-isl-auth-user <string>

set auto-isl-hello-timer <1-30>

set auto-isl-port-group <0-9>

set auto-isl-receive-timeout <3-90>

set auto-mclag-icl {enable | disable}

set med-tlvs (inventory-management | location-identification | network-policy | power-management)

set vlan-name-map <single_VLANs_or_VLAN_ranges>

config custom-tlvs

edit <TLVname_str>

set information-string <hex-bytes>

set oui <hex-bytes>

set subtype <integer>

next

end

config med-location-service

edit address-civic

set status {enable | disable}

set sys-location-id <string>

next

edit coordinates

set status {enable | disable}

set sys-location-id <string>

next

edit elin-number

set status {enable | disable}

set sys-location-id <string>

next

end

config med-network-policy

edit {guest-voice | guest-voice-signaling | softphone-voice | streaming-video | video-conferencing | video-signaling | voice | voice-signaling}

set status {enable | disable}

set assign-vlan {enable | disable}

set dscp <0 - 63>

set priority <0 - 7>

set vlan <0 - 4094>

next

end

next

end

Variable

Description

Default

profile

Enter a name for the LLDP profile.

No default

802.1-tlvs {port-vlan-id | vlan-name}

The port-vlan-id TLV will send the native VLAN of the port. If the value is changed, the sent value will reflect the updated value.

The vlan-name TLV sends the VLAN descriptions that are configured in the set description command under config switch vlan.

No default

802.3-tlvs {eee-config | max-frame-size | power-negotiation}

Set which 802.3 TLVs are enabled:
  • eee-config—Use this TLV to send the energy-efficient Ethernet (EEE) status of the port.
  • max-frame-size—This TLV will send the maximum frame size value of the port. If the value is changed, the sent value reflects the updated value.
  • power-negotiation—Use this TLV to send the power over Ethernet (PoE) classification of the port.

no TLV enabled

auto-isl

Enable or disable the auto ISL capability.

Disabled

auto-isl-auth {legacy | strict | relax}

Select the authentication mode:

  • legacy—This mode is the default. There is no authentication.

  • strict—If authentication succeeds, FortiOS forms a secure ISL trunk. If authentication fails, no ISL trunk is formed.

  • relax—If authentication succeeds, FortiOS forms a secure ISL trunk. If authentication fails, FortiOS forms a restricted ISL trunk.

legacy

auto-isl-auth-encrypt {mixed | must | none}

Select the encryption mode:

  • mixed—FortiOS enables MACsec on the ISL trunk ports that support MACsec; the ISL trunk members act as encrypted links. FortiOS disables MACsec on the ISL members that do not support MACsec; these ISL trunk members act as unencrypted links.

  • must—FortiOS enables MACsec on all ISL trunk members. If the port supports MACsec, the port acts as an encrypted link. If the port does not support MACsec, the port is removed from the ISL trunk, but the port still functions as a user port.

  • none—There is no encryption, and FortiOS does not enable MACsec on the ISL trunk members.

This option is available when auto-isl-auth is set to strict or relax.

none

auto-isl-auth-identity <string>

Enter the identity, such as fortilink.

This option is available when auto-isl-auth is set to strict or relax.

No default

auto-isl-auth-macsec-profile default-macsec-auto-isl

Use the default-macsec-auto-isl profile.

This option is available when auto-isl-auth-encrypt is set to mixed or must.

default-macsec-auto-isl

auto-isl-auth-reauth <0-3600>

Enter the reauthentication period in minutes.

This option is available when auto-isl-auth is set to strict or relax.

3600

auto-isl-auth-user <string>

Select the user certificate, such as Fortinet_Factory.

This option is available when auto-isl-auth is set to strict or relax.

No default

auto-isl-hello-timer <1-30>

Enter a value (in seconds) for the hello timer. The range is 1 to 30.

3

auto-isl-port-group <0-9>

Enter a value for the port group. The range is 0 to 9.

0

auto-isl-receive-timeout

Enter a value (in seconds) for the receive timeout. The range is 3 to 90.

9

auto-mclag-icl {enable | disable}

Enable or disable the MCLAG inter-chassis link.

disable

med-tlvs (inventory-management | location-identification | network-policy | power-management)

Enable the inventory-management TLVs, location-identification TLVs, network-policy TLVs, and/or power-management TLVs.

inventory-management network-policy location-identification

vlan-name-map <single_VLANs_or_VLAN_ranges>

You can enter more than 10 VLAN identifiers, but only the first 10 VLANs with VLAN descriptions will be advertised.

The VLAN identifiers are separated with commas and no spaces. The vlan-name-map configuration must be less than 4,096 characters.

This option is available only when 802.1-tlvs is set to vlan-name.

No default

config custom-tlvs

<TLVname_str>

Enter the TLV name.

No default

information-string

Organizationally defined information string. Enter up to 507 bytes in hexadecimal notation.

No default

oui

Organizationally unique identifier. Enter 3 hexadecimal bytes (000000 - FFFFFF). At least one byte must have a non-zero value.

000000

subtype

Organizationally defined subtype. Enter an integer in the range of 0 to 255.

0

config med-location-service

address-civic

Civic address and postal information.

No default

status {enable | disable}

Enable the status to transmit the type-length-value (TLV) if the LLDP-MED profile has been enabled on a port.

disable

sys-location-id <string>

Use the specified location entry that was already entered with the config system location command.

No default

coordinates

Coordinates of the location.

No default

status {enable | disable}

Enable the status to transmit the type-length-value (TLV) if the LLDP-MED profile has been enabled on a port.

disable

sys-location-id <string>

Use the specified location entry that was already entered with the config system location command.

No default

elin-number

Emergency location identifier number (ELIN).

No default

status {enable | disable}

Enable the status to transmit the type-length-value (TLV) if the LLDP-MED profile has been enabled on a port.

disable

sys-location-id <string>

Use the specified location entry that was already entered with the config system location command.

No default

config med-network-policy

{guest-voice | guest-voice-signaling | softphone-voice | streaming-video | video-conferencing | video-signaling | voice | voice-signaling}

Enter one of the policy type names.

No default

status {enable | disable}

Enable or disable the policy for the policy type.

disable

assign-vlan {enable | disable}

Enable or disable whether the VLAN is added as one of the allowed-vlans for this port.

disable

dscp <0-63>

DSCP value to send.

0

priority <0-7>

CoS priority value to send.

0

vlan <0-4094>

VLAN value to send.

Setting this option to 0 will advertise the network policy as priority tagged, rather than VLAN tagged. Priority tagged network policies are always transmitted, whereas VLAN tagged are only transmitted if the VLAN is present on the switch interface sending the LLDP packet.

0

NOTE: LLDP-MED network policies cannot be deleted or added. To use a policy, the med-tlvs field must include network-policy, and you must set the policy to enabled. The VLAN values on the policy are cross-checked against the VLAN native, allowed, and untagged attributes for any interfaces that contain physical-ports using this profile. The cross-check determines if the policy TLV should be sent (VLAN must be native or allowed), and if the TLV should mark the VLAN as tagged or untagged (VLAN is native, or is in untagged). The network policy TLV is automatically updated when a switch interface changes VLAN configuration, or if a physical port is added to, or removed from, a trunk.
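The cross-check in the NOTE above decides, per interface, whether a network policy TLV is sent and whether it marks the VLAN as tagged or untagged. This added example, not FortiSwitchOS code, implements that decision over a profile and the interface's native, allowed and untagged VLAN attributes; the field names are assumptions for the model.

```python
"""LLDP-MED network policy cross-check described in the NOTE above
(added illustration, not FortiSwitchOS code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class MedNetworkPolicy:            # one entry under config med-network-policy
    name: str
    status: str = "disable"
    vlan: int = 0                  # 0 = advertise as priority tagged
    priority: int = 0
    dscp: int = 0


@dataclass
class SwitchInterface:             # the VLAN attributes the cross-check reads
    native_vlan: int
    allowed_vlans: Set[int] = field(default_factory=set)
    untagged_vlans: Set[int] = field(default_factory=set)


@dataclass
class LldpProfile:
    med_tlvs: Set[str]             # e.g. {"inventory-management", "network-policy"}
    policies: List[MedNetworkPolicy]


def policy_tlv(profile: LldpProfile, policy: MedNetworkPolicy,
               intf: SwitchInterface) -> Optional[Tuple[str, int, str]]:
    """Return (application type, vlan, tagging) for the TLV the interface would
    send, or None when the policy is not transmitted."""
    if "network-policy" not in profile.med_tlvs or policy.status != "enable":
        return None
    if policy.vlan == 0:
        return (policy.name, 0, "priority-tagged")      # always transmitted
    if policy.vlan != intf.native_vlan and policy.vlan not in intf.allowed_vlans:
        return None                                     # VLAN not on the interface
    untagged = policy.vlan == intf.native_vlan or policy.vlan in intf.untagged_vlans
    return (policy.name, policy.vlan, "untagged" if untagged else "tagged")


def advertised_policies(profile: LldpProfile, intf: SwitchInterface) -> List[Tuple[str, int, str]]:
    """All network policy TLVs this interface would carry; recompute whenever
    the interface's VLAN configuration or trunk membership changes."""
    return [t for t in (policy_tlv(profile, p, intf) for p in profile.policies) if t is not None]
```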

Example

The following example configures an LLDP-MED profile:

config switch lldp profile

edit "Forti670i"

config med-network-policy

edit "voice"

set dscp 46

set priority 5

set status enable

set vlan 400

next

edit "guest-voice"

next

edit "guest-voice-signaling"

next

edit "softphone-voice"

next

edit "video-conferencing"

next

edit "streaming-video"

set dscp 40

set priority 3

set status enable

set vlan 400

next

edit "video-signaling"

next

end

set med-tlvs inventory-management network-policy

next

end

config switch lldp settings

Configure the global LLDP settings.

Syntax

config switch lldp settings

set status {enable | disable}

set tx-hold <1-16>

set tx-interval <5-4095>

set fast-start-interval <0 or 2-5>

set management-interface (internal | <string>)

set management-address {ipv4 | ipv6 | none}

set device-detection {enable | disable}

end

Variable

Description

Default

status

Enable or disable LLDP.

Enabled

tx-hold

Number of tx-intervals before the local LLDP data expires. Therefore, the packet TTL (in seconds) is tx-hold times tx-interval. The range for tx-hold is 1 to 16.

4

tx-interval

How often the FortiSwitch transmits the LLDP PDU. The range is 5 to 4095 seconds.

30

fast-start-interval

How often the FortiSwitch transmits the first 4 LLDP packets when a link comes up. The range is 2 to 5 seconds.

Set this variable to zero to disable fast start.

2

management-interface

Primary management interface to be advertised in LLDP and CDP PDUs.

mgmt or internal, depending on FortiSwitch model.

management-address {ipv4 | ipv6 | none}

Select whether to advertise the IPv4 management address, the IPv6 management address, or no management address in the Management Address TLV.

ipv4 ipv6

device-detection {enable | disable}

Enable or disable whether LLDP neighbor devices are dynamically detected.

This option is available only in FortiLink mode.

disable

Example

The following example configures the global LLDP settings:

config switch lldp settings

set status enable

set tx-hold 8

set tx-interval 2000

set fast-start-interval 3

set management-interface internal

set management-address ipv4

end

config switch macsec profile

Use these commands to configure a Media Access Control security (MACsec) profile.

Syntax

config switch macsec profile

edit <profile_name>

set cipher_suite {GCM-AES-128 | GCM-AES-256 | GCM-AES-XPN-128 | GCM-AES-XPN-256}

set confident-offset {0 | 30 | 50}

set eap-tls-ca-cert <CA_certificate>

set eap-tls-cert <client_certificate>

set eap-tls-identity <name_of_client>

set eap-tls-radius-server <name_of_RADIUS_server>

set encrypt-traffic {enable | disable}

set include-macsec-sci {enable | disable}

set include-mka-icv-ind enable

set macsec-mode {static-cak | dynamic-cak}

set macsec-validate strict

set mka-priority <0-255>

set mka-sak-rekey-time {0 | 60-1000000}

set replay-protect {enable | disable}

set replay-window <0-16777215>

set status {enable | disable}

config mka-psk

edit <pre-shared key name>

set crypto-alg {AES_128_CMAC | AES_256_CMAC}

set mka-cak <string>

set mka-ckn <string>

set status active

next

end

config traffic-policy

edit <traffic_policy_name>

set exclude-protocol {arp | dot1q | fortilink | ipv4 | ipv6 | lacp | lldp | qinq | stp}

set security-policy must-secure

set status enable

next

end

next

end

Variable

Description

Default

<profile_name>

Enter a name for the MACsec profile.

No default

cipher_suite {GCM-AES-128 | GCM-AES-256 | GCM-AES-XPN-128 | GCM-AES-XPN-256}

Select which cipher suite to use for encryption.

GCM-AES-128

confident-offset {0 | 30 | 50}

Select the number of bytes for the MACsec traffic confidentiality offset. Selecting 0 means that all of the MACsec traffic is encrypted. Selecting 30 or 50 bytes means that the first 30 or 50 bytes of MACsec traffic are not encrypted.

0

eap-tls-ca-cert <CA_certificate>

Specify the certificate authority (CA) to use for the MACsec CAK.

This option is available only when macsec-mode is set to dynamic-cak.

No default

eap-tls-cert <client_certificate>

Select the client certificate that you imported for the MACsec CAK.

This option is available only when macsec-mode is set to dynamic-cak.

No default

eap-tls-identity <name_of_client>

Enter the name of the client for the MACsec CAK.

This option is available only when macsec-mode is set to dynamic-cak.

No default

eap-tls-radius-server <name_of_RADIUS_server>

Enter the name of the RADIUS server to use for the MACsec CAK.

This option is available only when macsec-mode is set to dynamic-cak.

No default

encrypt-traffic {enable | disable}

Enable or disable whether MACsec traffic is encrypted.

enable

include-macsec-sci {enable | disable}

Enable or disable whether to include the MACsec transmit secure channel identifier (SCI).

enable

include-mka-icv-ind enable

The MACsec Key Agreement (MKA) integrity check value (ICV) indicator is always included.

enable

macsec-mode {static-cak | dynamic-cak}

Select whether MACsec uses the static-CAK mode or the dynamic-CAK mode.

static-cak

macsec-validate strict

The MACsec validation is always strict.

strict

mka-priority <0-255>

Enter the MACsec MKA priority.

255

mka-sak-rekey-time {0 | 60-1000000}

Set the number of seconds before a new secure association key (SAK) is generated. Set to 0 to disable the timer. The minimum number of seconds is 60; the maximum number of seconds is 1,000,000.

0

replay-protect {enable | disable}

Enable or disable MACsec replay protection. MACsec replay protection drops packets that arrive out of sequence, depending on the replay-window value.

disable

replay-window <0-16777215>

Enter the number of packets for the MACsec replay window size. If two packets arrive with the difference between their packet identifiers more than the replay window size, the most recent packet of the two is dropped. The range is 0-16777215 packets. Enter 0 to ensure that all packets arrive in order without any repeats.

32

status {enable | disable}

Enable or disable this MACsec profile.

enable

config mka-psk

Configure the MACsec MKA pre-shared key.

<pre-shared key name>

Enter a name for this MACsec MKA pre-shared key configuration.

No default

crypto-alg {AES_128_CMAC | AES_256_CMAC}

Select the AES_128_CMAC or AES_256_CMAC algorithm to encrypt the pre-shared key.

AES_128_CMAC

mka-cak <string>

Enter the string of hexadecimal digits for the connectivity association key (CAK). The string can be up to 32-bytes or 64-bytes long.

No default

mka-ckn <string>

Enter the string of hexadecimal digits for the connectivity association name (CKN). The string must be an even number of bytes, 2-bytes to 64-bytes long.

No default

status active

The status of the pre-shared key pair is always active.

active

config traffic-policy

Configure the MACsec traffic policy.

<traffic_policy_name>

Enter a name for this MACsec traffic policy.

No default

exclude-protocol {arp | dot1q | fortilink | ipv4 | ipv6 | lacp | lldp | qinq | stp}

Select one or more protocols that will not be secured by the MACsec traffic policy:

  • arp—Do not encrypt ARP packets.
  • dot1q—Do not encrypt 802.1q VLAN packets.
  • fortilink—Do not encrypt FortiLink packets.
  • ipv4—Do not encrypt IPv4 packets.
  • ipv6—Do not encrypt IPv6 packets.
  • lacp—Do not encrypt LACP packets.
  • lldp—Do not encrypt LLDP packets.
  • qinq—Do not encrypt 802.1ad QinQ packets.
  • stp—Do not encrypt STP packets.

Separate protocols with a space. By default, all protocols are encrypted if no protocols are excluded.

No default

security-policy must-secure

The policy must secure traffic for MACsec.

must-secure

status enable

The status of this MACsec traffic policy is always enabled.

enable

Example

This example configures a MACsec profile.

config switch macsec profile

edit "2"

set cipher_suite GCM-AES-128

set confident-offset 0

set encrypt-traffic enable

set include-macsec-sci enable

set include-mka-icv-ind enable

set macsec-mode static-cak

set macsec-validate strict

set mka-priority 199

config mka-psk

edit "2"

set crypto-alg AES_128_CMAC

set mka-cak "0123456789ABCDEF0123456789ABCDEE"

set mka-ckn "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333436"

set status active

next

end

set replay-protect disable

set replay-window 32

set status enable

config traffic-policy

edit "2"

set security-policy must-secure

set status enable

next

end

next

end
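To see what replay-protect and replay-window in the table above actually filter, the following added example, not FortiSwitchOS code, models the receive-side check: a frame is dropped if its packet number repeats one already accepted or trails the highest packet number seen by more than the window, and window 0 accepts only strictly increasing packet numbers. The exact bookkeeping is an assumption for the model.

```python
"""Receive-side replay check modelled on the replay-protect / replay-window
options above (added illustration, not FortiSwitchOS code)."""
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class ReplayState:
    replay_protect: bool = False        # "set replay-protect"
    replay_window: int = 32             # "set replay-window", in packets
    highest_pn: int = 0                 # highest packet number accepted so far
    seen: Set[int] = field(default_factory=set)   # accepted PNs still inside the window

    def accept(self, pn: int) -> bool:
        """Return True if the frame with packet number pn is accepted, False if dropped."""
        if not self.replay_protect:
            return True                             # no ordering check at all
        if pn in self.seen:
            return False                            # repeated packet number: replay
        if pn + self.replay_window < self.highest_pn:
            return False                            # too far behind the newest frame
        if pn > self.highest_pn:
            self.highest_pn = pn
        self.seen.add(pn)
        # forget packet numbers that could no longer be accepted anyway
        self.seen = {p for p in self.seen if p + self.replay_window >= self.highest_pn}
        return True


def filter_sequence(pns: List[int], replay_protect: bool, replay_window: int) -> List[bool]:
    """Decision for each packet number of a constructed arrival sequence."""
    state = ReplayState(replay_protect=replay_protect, replay_window=replay_window)
    return [state.accept(pn) for pn in pns]
```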

config switch mirror

Use these commands to configure the packet mirror. Packet mirroring allows you to collect packets on specified ports and then send them to another port to be collected and analyzed.

Syntax

config switch mirror

edit <mirror session name>

set dst <interface>

set encap-gre-protocol <hexadecimal_integer>

set encap-ipv4-src <IPv4_address>

set encap-ipv4-tos <hexadecimal_integer>

set encap-ipv4-ttl <0-255>

set encap-mac-dst <MAC_address>

set encap-mac-src <MAC_address>

set encap-vlan {tagged | untagged}

set encap-vlan-cfi <0-1>

set encap-vlan-id <1-4094>

set encap-vlan-priority <0-7>

set encap-vlan-tpid <0x0001-0xfffe>

set erspan-collector-ip <IPv4_address>

set mode {ERSPAN-auto | ERSPAN-manual | RSPAN | SPAN}

set rspan-ip <IPv4_address>

set src-egress <interface_name>

set src-ingress <interface_name>

set status {active | inactive}

set strip-mirrored-traffic-tags {disable | enable}

set switching-packet {enable | disable}

end

Variable

Description

Default

<mirror session name>

Enter the name of the mirror session to edit (or enter a new mirror session name).

No default

dst <interface>

Required when the mode is set to ERSPAN-manual, RSPAN (when the switch is not in FortiLink mode), or SPAN.

On FortiSwitch models that support RSPAN and ERSPAN, set the trunk or physical port that will act as a mirror. The physical port cannot be part of a trunk.

On FortiSwitch models that do not support RSPAN and ERSPAN, set the physical port that will act as a mirror. The physical port can be part of a trunk.

No default

encap-gre-protocol <hexadecimal_integer>

Set the protocol value in the ERSPAN GRE header.

This option is available when the mode is ERSPAN-auto or ERSPAN-manual.

0x88be

encap-ipv4-src <IPv4_address>

Required when the mode is set to ERSPAN-manual and the status is active.

Set the IPv4 source address in the ERSPAN IP header. The range is 0.0.0.1-255.255.255.254.

This option is available when the mode is ERSPAN-manual.

0.0.0.0

encap-ipv4-tos <hexadecimal_integer>

Set the type of service (ToS) value or enter the DSCP and ECN values in the ERSPAN IP header.

This option is available when the mode is ERSPAN-auto or ERSPAN-manual.

0x00

encap-ipv4-ttl <0-255>

Set the IPv4 time-to-live (TTL) value in the ERSPAN IP header.

This option is available when the mode is ERSPAN-auto or ERSPAN-manual.

16

encap-mac-dst <MAC_address>

Required when the mode is set to ERSPAN-manual and the status is active.

Set the MAC address of the next-hop or gateway on the path to the ERSPAN collector IP address. The range is 00:00:00:00:00:01-FF:FF:FF:FF:FF:FF.

This option is available only when the mode is ERSPAN-manual.

00:00:00:00:00:00

encap-mac-src <MAC_address>

Required when the mode is set to ERSPAN-manual and the status is active.

Set the source MAC address in the ERSPAN Ethernet header. The range is 00:00:00:00:00:01-FF:FF:FF:FF:FF:FE.

This option is available when the mode is ERSPAN-manual.

00:00:00:00:00:00

encap-vlan {tagged | untagged}

Set the status of ERSPAN encapsulation headers to tagged or untagged to control whether the VLAN header is added to the encapsulated traffic.

This option is available if the mode is ERSPAN-manual.

untagged

encap-vlan-cfi <0-1>

Set the canonical format identifier (CFI) or drop eligible indicator (DEI) bit in the ERSPAN or RSPAN VLAN header.

This option is available when the mode is RSPAN or ERSPAN-auto. This option is available for the ERSPAN-manual mode if encap-vlan is set to tagged.

When the mode is RSPAN, this option is not available on the 248D, 248D-POE, 248D-FPOE, 248E, 248E-POE, 248E-FPOE, 448D, 448D-POE, and 448D-FPOE models.

0

encap-vlan-id <1-4094>

Set the VLAN identifier in the ERSPAN or RSPAN VLAN header.

This option is available when the mode is RSPAN. This option is available for the ERSPAN-manual mode if encap-vlan is set to tagged.

1

encap-vlan-priority <0-7>

Set the class of service (CoS) bits in the ERSPAN or RSPAN VLAN header.

This option is available when the mode is RSPAN or ERSPAN-auto. This option is available for the ERSPAN-manual mode if encap-vlan is set to tagged.

When the mode is RSPAN, this option is not available on the 248D, 248D-POE, 248D-FPOE, 248E, 248E-POE, 248E-FPOE, 448D, 448D-POE, and 448D-FPOE models.

0

encap-vlan-tpid <0x0001-0xfffe>

Set the tag protocol identifier (TPID) for the encapsulating VLAN header. The default value, 0x8100, is for an IEEE 802.1Q-tagged frame.

This option is available when the mode is RSPAN or ERSPAN-auto. This option is available for the ERSPAN-manual mode if encap-vlan is set to tagged.

0x8100

erspan-collector-ip <IPv4_address>

Required when the status is active and the mode is set to ERSPAN-auto or ERSPAN-manual.

Set the IPv4 address for the ERSPAN collector. The range is 0.0.0.1-255.255.255.255.

This option is available only when the mode is ERSPAN-auto or ERSPAN-manual.

0.0.0.0

mode {ERSPAN-auto | ERSPAN-manual | RSPAN | SPAN}

Select the mirroring mode:

  • ERSPAN-auto—Mirror traffic to the specified destination interface using ERSPAN encapsulation. The header contents are automatically configured.
  • ERSPAN-manual—Mirror traffic to the specified destination interface using ERSPAN encapsulation. The header contents are manually configured.
  • RSPAN—Mirror traffic to the specified destination interface using RSPAN encapsulation.
  • SPAN—Mirror traffic to the specified destination interface without encapsulation.

SPAN is supported on all FortiSwitch models. RSPAN and ERSPAN are supported on 124D, 224D-FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE, 248E-FPOE, 524D, 524D-FPOE, 548D, 548D-FPOE, 1024D, 1048D, 1048E, 3032D, and 3032E.

SPAN

rspan-ip <IPv4_address>

Required when the mode is RSPAN, the status is active, and the switch is in FortiLink mode.

Enter the destination IP address for the RSPAN collector. The range is 0.0.0.1-255.255.255.255.

This option is available only when the mode is RSPAN and the switch is in FortiLink mode.

0.0.0.0

src-egress <interface_name>

Optional. Set the source egress physical ports that will be mirrored. Only one active egress mirror session is allowed.

No default

src-ingress <interface_name>

Optional. Specify the source ingress physical ports that will be mirrored.

No default

status {active | inactive}

Set the mirror session to active or inactive.

inactive

strip-mirrored-traffic-tags {disable | enable}

Enable or disable the removal of VLAN tags from mirrored traffic.

This option is available if the mode is ERSPAN-auto or ERSPAN-manual.

disable

switching-packet {enable | disable}

Enable or disable the switching functionality on the dst interface when mirroring.

disable
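The encap-* options above each land in a specific field of the outer headers wrapped around a mirrored frame in ERSPAN-manual mode. This added example, not FortiSwitchOS code, builds those outer headers from the session settings and parses them back, which is also how one would verify what reaches the collector; the ERSPAN session header a real switch inserts after GRE is not modelled, so the offsets after GRE and the sample addresses are assumptions.

```python
"""Outer headers populated by an ERSPAN-manual mirror session's encap-*
settings (added illustration, not FortiSwitchOS code). Layout modelled:
Ethernet (encap-mac-dst/src) [+ 802.1Q tag if encap-vlan is tagged]
+ IPv4 (encap-ipv4-src -> erspan-collector-ip, encap-ipv4-tos,
encap-ipv4-ttl, protocol 47) + GRE (encap-gre-protocol) + mirrored frame.
The ERSPAN session header that follows GRE on a real switch is omitted."""
import struct
from dataclasses import dataclass

IP_PROTOCOL_GRE = 47


@dataclass
class ErspanManualSession:
    encap_mac_dst: str
    encap_mac_src: str
    encap_ipv4_src: str
    erspan_collector_ip: str
    encap_ipv4_tos: int = 0x00          # defaults as listed in the table
    encap_ipv4_ttl: int = 16
    encap_gre_protocol: int = 0x88BE
    encap_vlan: str = "untagged"
    encap_vlan_tpid: int = 0x8100
    encap_vlan_priority: int = 0
    encap_vlan_cfi: int = 0
    encap_vlan_id: int = 1


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def _ipv4(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; returns 0 for a valid header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_encapsulated_frame(s: ErspanManualSession, mirrored: bytes) -> bytes:
    gre = struct.pack("!HH", 0x0000, s.encap_gre_protocol)    # no flags, version 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, s.encap_ipv4_tos, 20 + len(gre) + len(mirrored),
                     0, 0, s.encap_ipv4_ttl, IP_PROTOCOL_GRE, 0,
                     _ipv4(s.encap_ipv4_src), _ipv4(s.erspan_collector_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]   # fill checksum
    eth = _mac(s.encap_mac_dst) + _mac(s.encap_mac_src)
    if s.encap_vlan == "tagged":
        tci = (s.encap_vlan_priority << 13) | (s.encap_vlan_cfi << 12) | s.encap_vlan_id
        eth += struct.pack("!HH", s.encap_vlan_tpid, tci)
    return eth + struct.pack("!H", 0x0800) + ip + gre + mirrored


def parse_outer_headers(frame: bytes) -> dict:
    """Decode the outer headers back into setting values. Only TPIDs
    0x8100/0x88A8 are recognised as a VLAN tag (assumption)."""
    off = 12
    ethertype, = struct.unpack_from("!H", frame, off)
    out = {"encap_vlan": "untagged"}
    if ethertype in (0x8100, 0x88A8):
        tci, = struct.unpack_from("!H", frame, off + 2)
        out.update(encap_vlan="tagged", encap_vlan_tpid=ethertype,
                   encap_vlan_priority=tci >> 13, encap_vlan_cfi=(tci >> 12) & 1,
                   encap_vlan_id=tci & 0x0FFF)
        off += 4
    off += 2                                    # skip the IPv4 ethertype
    ip = frame[off:off + 20]
    out["ipv4_checksum_ok"] = ipv4_checksum(ip) == 0
    out["encap_ipv4_tos"], out["encap_ipv4_ttl"], out["ip_protocol"] = ip[1], ip[8], ip[9]
    out["encap_ipv4_src"] = ".".join(str(b) for b in ip[12:16])
    out["erspan_collector_ip"] = ".".join(str(b) for b in ip[16:20])
    out["encap_gre_protocol"], = struct.unpack_from("!H", frame, off + 22)
    out["mirrored"] = frame[off + 24:]
    return out
```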

Example

The following example configures a port mirror:

config switch mirror

edit "m1"

set mode SPAN

set dst "port5"

set src-egress "port2" "port3"

set src-ingress "port2" "port4"

set status active

set switching-packet enable

end

config switch mld-snooping globals

Use this command to configure global settings for Multicast Listener Discovery (MLD) snooping on the FortiSwitch unit.

Syntax

config switch mld-snooping globals

set aging-time <integer>

set leave-response-timeout <integer>

set query-interval <10-1200>

end

Variable

Description

Default

aging-time <integer>

The maximum number of seconds to retain a multicast snooping entry for which no packets have been seen (15-3600).

300

leave-response-timeout <integer>

Enter the maximum number of seconds that the switch waits after sending a group-specific query in response to the leave message. The range of values is 1-20.

10

query-interval <10-1200>

Enter the maximum number of seconds between MLD queries.

125

Example

The following example configures the global settings for MLD snooping on the FortiSwitch unit:

config switch mld-snooping globals

set aging-time 150

set leave-response-timeout 15

set query-interval 200

end

config switch mrp profile

Use this command to configure a Media Redundancy Protocol (MRP) profile.

Syntax

config switch mrp profile

edit <MRP_profile_name>

set default-test-interval <30-50 ms>

set short-test-interval <10-30 ms>

set test-monitoring-count <1-5>

set topology-change-interval <10-20 ms>

set topology-change-repeat-count <1-5>

next

end

Variable

Description

Default

<MRP_profile_name>

Enter a name for the MRP profile.

No default

default-test-interval <30-50 ms>

Enter the default number of milliseconds between sending MRP_Test frames.

50

short-test-interval <10-30 ms>

Enter the number of milliseconds before sending MRP_Test frames after link changes in the ring.

30

test-monitoring-count <1-5>

Enter the number of MRP_Test frames received that are monitored.

5

topology-change-interval <10-20 ms>

Enter the number of milliseconds between sending MRP_TopologyChange frames.

20

topology-change-repeat-count <1-5>

Enter the number of repeated MRP_TopologyChange frames that are transmitted.

3

config switch mrp settings

Use this command to configure the Media Redundancy Protocol (MRP) settings.

Syntax

config switch mrp settings

edit <MRP_ring_ID>

set status {disable | enable}

set role {automanager | client}

set domain-id <32_hexadecimal_digits>

set domain-name <domain_name>

set vlan-id <1-4094>

set priority <0-65535>

set ring-port1 <port_name>

set ring-port2 <port_name>

set profile-name {500ms | <custom_profile_name>}

next

end

Variable

Description

Default

<MRP_ring_ID>

Enter a unique identifier for this MRP ring.

No default

status {disable | enable}

Enable or disable MRP.

disable

role {automanager | client}

Select whether the switch acts as an MRP client or an MRP automanager.

client

domain-id <32_hexadecimal_digits>

Enter a universally unique identifier to represent the MRP ring.

FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF

domain-name <domain_name>

Enter a unique logical name for the MRP domain identifier.

domain1

vlan-id <1-4094>

Optional. Enter the VLAN identifier for sending MRP frames. If you set this option to a value other than 1, the VLAN must be created before it is assigned to the MRP ring.

1

priority <0-65535>

Enter the priority of the MRP manager. The highest priority is 0, and the lowest priority is 65535.

40960

ring-port1 <port_name>

The physical port that serves as the first ring port.

No default

ring-port2 <port_name>

The physical port that serves as the second ring port.

No default

profile-name {500ms | <custom_profile_name>}

A unique MRP profile name.

500ms

Example

This example shows how to configure the settings for the MRP manager:

config switch mrp settings

edit 1

set status enable

set role automanager

set domain-id FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF

set domain-name domain1

set vlan-id 4094

set priority 40960

set ring-port1 port7

set ring-port2 port8

set profile-name profile1

next

end

config switch network-monitor directed

Use this command to configure a static entry for network monitoring on the FortiSwitch unit.

Syntax

config switch network-monitor directed

edit <unused network monitor>

set monitor-mac <xx:xx:xx:xx:xx:xx>

end

Variable

Description

Default

<unused network monitor>

Enter the number of an unused network monitor.

No default

monitor-mac <xx:xx:xx:xx:xx:xx>

Enter the MAC address to be monitored.

00:00:00:00:00:00

Example

The following example specifies a MAC address to be monitored:

config switch network-monitor directed

edit 1

set monitor-mac 00:25:00:61:64:6d

next

end

config switch network-monitor settings

Use this command to configure global settings for network monitoring on the FortiSwitch unit.

Syntax

config switch network-monitor settings

set db-aging-interval <3600-86400>

set status {disable | enable}

set survey-mode {disable | enable}

set survey-mode-interval <120-3600>

end

Variable

Description

Default

db-aging-interval <integer>

Enter the network monitor database aging interval. The value range is 3600-86400 seconds. Set the option to 0 to disable it.

3600

status {disable | enable}

Enable or disable the network monitor.

disable

survey-mode {disable | enable}

Enable or disable the network monitor survey mode.

disable

survey-mode-interval <integer>

Enter the duration for which a network monitor is programmed in hardware in the survey mode. The value range is 120-3600 seconds.

120

Example

The following example starts network monitoring in survey mode:

config switch network-monitor settings

set status enable

set survey-mode enable

set survey-mode-interval 480

end

config switch phy-mode

Use this command to configure split ports or to set the speed of the FS-2048F ports.

Syntax

config switch phy-mode

set port-configuration {default | disable-port54 | disable-port41-48 | 4x100G | 6x40G | 4x4x25G}

set {<port-name>-phy-mode <single-port> | port1-port12-phy-mode | port13-port24-phy-mode | port25-port36-phy-mode | port37-port48-phy-mode} {4x25G | 4x10G | 4x1G | 2x50G | 1G/10G | 25G}

...

end

Variable

Description

Default

port-configuration {default | disable-port54 | disable-port41-48 | 4x100G | 6x40G | 4x4x25G}

  • For 548D and 548D-FPOE, set this option to disable-port54 if only port 53 is splittable and port 54 is unavailable.

  • For 548D and 548D-FPOE, set this option to disable-port41-48 if ports 41 to 48 are unavailable, but ports 53 and 54 are splittable.

  • For 1048E, set this option to 4x100G to enable the maximum speed (100G) of ports 49 through 52. Ports 53 and 54 are disabled.

  • For 1048E, set this option to 6x40G to enable the maximum speed (40G) of ports 49 through 54.

  • For 1048E, set this option to 4x4x25G to enable the maximum speed (25G) of ports 49 through 52. Ports 47 and 48 are disabled.

default

{<port-name>-phy-mode <single-port> | port1-port12-phy-mode | port13-port24-phy-mode | port25-port36-phy-mode | port37-port48-phy-mode} {4x25G | 4x10G | 4x1G | 2x50G | 1G/10G | 25G}

Use one entry for each port that supports split ports.

  • Set this option to single-port to use the port at the full base speed without splitting it.

  • For FS-2048F, set this option to port1-port12-phy-mode to set the speed of ports 1-12.

  • For FS-2048F, set this option to port13-port24-phy-mode to set the speed of ports 13-24.

  • For FS-2048F, set this option to port25-port36-phy-mode to set the speed of ports 25-36.

  • For FS-2048F, set this option to port37-port48-phy-mode to set the speed of ports 37-48.

  • For 100G QSFP only, set this option to 4x25G to split one port into four subports of 25 Gbps each.
    NOTE: For the FS-T1024E and FS-1024E models, the auto-module selects the correct speed for the subports. If you insert a 100G QSFP28 module, the subports are automatically changed to 4x25G. If you insert a 40G QSFP+ module, the subports are automatically changed to 4x10G.

  • For 40G or 100G QSFP only, set this option to 4x10G to split one port into four subports of 10Gbps each.

  • For 40G or 100G QSFP only, set this option to 4x1G to split one port into four subports of 1 Gbps each.

  • For 100G QSFP only, set this option to 2x50G to split one port into two subports of 50 Gbps each.

  • For FS-2048F, set this option to 1G/10G to set the speed of the ports to 1G or 10G.

  • For FS-2048F, set this option to 25G to set the speed of the ports to 25G.

1x40G

Example

In the following example, a FortiSwitch 3032D is configured with ports 10, 14, and 28 set to 4x10G:

config switch phy-mode

set port5-phy-mode 1x40G

set port6-phy-mode 1x40G

set port7-phy-mode 1x40G

set port8-phy-mode 1x40G

set port9-phy-mode 1x40G

set port10-phy-mode 4x10G

set port11-phy-mode 1x40G

set port12-phy-mode 1x40G

set port13-phy-mode 1x40G

set port14-phy-mode 4x10G

set port15-phy-mode 1x40G

set port16-phy-mode 1x40G

set port17-phy-mode 1x40G

set port18-phy-mode 1x40G

set port19-phy-mode 1x40G

set port20-phy-mode 1x40G

set port21-phy-mode 1x40G

set port22-phy-mode 1x40G

set port23-phy-mode 1x40G

set port24-phy-mode 1x40G

set port25-phy-mode 1x40G

set port26-phy-mode 1x40G

set port27-phy-mode 1x40G

set port28-phy-mode 4x10G

end

In the following example, a FortiSwitch 1048E model is configured so that each port is split into four subports of 25 Gbps each.

config switch phy-mode

set port-configuration 4x4x25G

set port49-phy-mode 4x25G

set port50-phy-mode 4x25G

set port51-phy-mode 4x25G

set port52-phy-mode 4x25G

end

config switch physical-port

Use this command to configure a physical port.

Syntax

config switch physical-port

edit <port_name>

set cdp-status {disable | rx-only | tx-only | tx-rx}

set description <description_str>

set dmi-status {disable | enable | global}

set egress-drop-mode {disabled | enabled}

set energy-efficient-ethernet {enable | disable}

set eee-tx-idle-time <integer>

set eee-tx-wake-time <integer>

set fec-state {cl74 | cl91 | detect-by-module | disabled}

set flapguard {enabled | disabled}

set flap-duration <5-300>

set flap-rate <1-30>

set flap-timeout <0-120>

set flow-control {tx | rx | both | disable}

set fortilink-p2p {enable | disable}

set pause-meter-rate <integer>

set pause-resume {25% | 50% | 75%}

set l2-learning {enable | disable}

set l2-sa-unknown {drop | forward}

set lldp-profile <profile name>

set lldp-status {tx-only | rx-only | tx-rx | disable}

set loopback {disable | local | remote}

set macsec-pae-mode {none | supp | auth}

set macsec-profile <string>

set max-frame-size <bytes_int>

set poe-disconnection-type {AC | DC | DC-delay}

set poe-port-mode {IEEE802_3AF | IEEE802_3AT}

set poe-port-power {normal | perpetual | perpetual-fast}

set poe-port-priority {critical-priority | high-priority | low-priority}

set poe-pre-standard-detect {disable | enable}

set poe-status {enable | disable}

set priority-based-flow-control {enable | disable}

set qsfp-low-power-mode {enabled | disabled}

set security-mode {none | macsec}

set speed <speed_str>

set status {down | up}

set storm-control-mode {disabled | global | override}

config storm-control

set broadcast {enable | disable}

set burst-size-level <0-4>

set rate [0 | 2-10000000]

set unknown-multicast {enable | disable}

set unknown-unicast {enable | disable}

end

Variable

Description

Default

<port_name>

Enter the port name.

No default

cdp-status {disable | rx-only | tx-only | tx-rx}

Set the CDP transmit and receive status (LLDP must be enabled in LLDP settings).
  • disable disables CDP transmit and receive.
  • rx-only enables CDP as receive only.
  • tx-only enables CDP as transmit only.
  • tx-rx enables CDP transmit and receive.

disable

description <description_str>

Optionally enter a description.

No default

dmi-status {disable | enable | global}

Enable or disable DMI access. Set to global to use the global switch setting.

global

egress-drop-mode {disabled | enabled}

Enable or disable egress drop.

enabled

energy-efficient-ethernet {enable | disable}

Enable or disable energy-efficient Ethernet.

disable

eee-tx-idle-time <integer>

Enter the number of microseconds that circuits are turned off to save power. The range is 0-2560 microseconds. This option is available only if energy-efficient-ethernet is enabled.

60

eee-tx-wake-time <integer>

Enter the number of microseconds during which no data is transmitted while the circuits that were turned off are being restarted. The range is 0-2560 microseconds. This option is available only if energy-efficient-ethernet is enabled.

30

fec-state {cl74 | cl91 | detect-by-module | disabled}

Set the Forward Error Correction (FEC) state:

  • cl74—Enable Clause 74 RS-FEC, which only applies to 25 Gbps.
  • cl91—Enable Clause 91 RS-FEC, which only applies to 100 Gbps.
  • detect-by-module—Automatically detect whether FEC is supported by the module. This option applies to the 25G and 100G ports of the FS-1048E and FS-3032E models; this option also applies to the split ports of the FS-1048E and FS-3032E models.
  • disabled—Disable FEC.

detect-by-module

flapguard {enabled | disabled}

Enable or disable flap guard for this port.

disabled

flap-duration <5-300>

After enabling the port flap guard, set the number of seconds during which the flap rate is counted.

30

flap-rate <1-30>

After enabling the port flap guard, set how many times a portʼs status can change during the specified number of seconds before the flap guard is triggered.

5

flap-timeout <0-120>

After enabling the port flap guard, set the number of minutes before flap guard resets. Setting this value to 0 means that there is no timeout.

0

flow-control {tx | rx | both | disable}

Set flow control:
  • tx—Enable transmit pause only.
  • rx—Enable receive pause only.
  • both—Enable both transmit and receive pause.
  • disable—Disable flow control.

disable

fortilink-p2p {enable | disable}

Enable or disable running FortiLink mode over a point-to-point layer-2 network.

disable

pause-meter-rate <integer>

Enter the number of kilobits for the ingress metering rate. The range is 64 to 2147483647. Set to 0 to disable. Available if flow-control is set to tx.

0

pause-resume {25% | 50% | 75%}

Enter the percentage of the threshold to resume traffic to the ingress port. Available if flow-control is set to tx and pause-meter-rate is set to a nonzero value.

75%

l2-learning {enable | disable}

Enable or disable dynamic IP learning for this interface.

enabled

l2-sa-unknown {drop | forward}

Drop or forward unknown (SMAC) packets when dynamic MAC address learning is disabled.

drop

lldp-profile <profile name>

Enter the LLDP profile name for this port.

default

lldp-status {tx-only | rx-only | tx-rx | disable}

Set LLDP status for this port:
  • tx-only—enable transmit only
  • rx-only—enable receive only
  • tx-rx—enable both transmit and receive
  • disable—disable LLDP

tx-rx

loopback {disable | local | remote}

Set whether the physical port loops back on itself, either locally or remotely:
  • Select local for a physical-layer loopback. If the hardware does not support a physical-layer loopback, a MAC-address loopback is used instead.
  • Select remote for a physical-layer lineside loopback.

disable

macsec-pae-mode {none | supp | auth}

Select the PAE mode for the MACSEC interface:

  • none—No PAE is configured, and PSK is applied.

  • supp—The interface acts as a PAE supplicant for MACsec CAK.

  • auth—The interface acts as a PAE authenticator for MACsec CAK.

none

macsec-profile <string>

Specify the MACsec profile to apply to the port.

No default

max-frame-size <bytes_int>

Set the maximum frame size. The range and default depend on the switch model. See the FortiSwitchOS feature matrix.

NOTE: For the FS-1xxE, FS-1xxF, and FS-110G-FPOE models, this command is under the config switch global command.

Varies

poe-disconnection-type {AC | DC | DC-delay}

Select how a FortiSwitch unit with Power over Ethernet (PoE) disconnects from a powered device:

  • AC—AC disconnect.

  • DC—DC disconnect.

  • DC-delay—DC disconnect with an extra 500-millisecond delay.

DC

poe-port-mode {IEEE802_3AF | IEEE802_3AT}

Set the PoE port mode to IEEE802.3AF or IEEE802.3AT.

IEEE802_3AT

poe-port-power {normal | perpetual | perpetual-fast}

Select whether the PoE power is delivered while a switch restarts:

  • normal—PoE power is not provided while a switch restarts.

  • perpetual—PoE power is provided during a soft reboot (switch is restarted while powered up).

  • perpetual-fast—PoE power is provided during a hard reboot (the switchʼs power is physically turned off and then on again).

normal

poe-port-priority {critical-priority | high-priority | low-priority}

Set the port priority. If there is not enough power, power is allotted first to critical-priority ports, then to high-priority ports, and then to low-priority ports.

low-priority

poe-pre-standard-detect {disable | enable}

Enable or disable PoE pre-standard detection.

NOTE: PoE pre-standard detection is a global setting for the following FortiSwitch models: FSR-112D-POE, FS-548D-FPOE, FS-524D-FPOE, FS-108D-POE, FS-224D-POE, FS-108E-POE, FS-108E-FPOE, FS-124E-POE, FS-124E-FPOE, 148F-POE, and 148F-FPOE. For the other FortiSwitch PoE models, PoE pre-standard detection is set on each port.

disable

poe-status {enable | disable}

Enable Power over Ethernet. This option is only available with the FortiSwitch-324B-POE.

enable

priority-based-flow-control {enable | disable}

Enable priority-based flow control to avoid frame loss by stopping incoming traffic when a queue is congested. When priority-based flow control is disabled, 802.3 flow control can be used.

disable

qsfp-low-power-mode {enabled | disabled}

Enable or disable the low-power mode on FortiSwitch models with QSFP (quad small form-factor pluggable) ports.

disabled

security-mode {none | macsec}

Select no security or MACsec-based port security authentication. You cannot mix MACsec with ISL authentication.

none

speed <speed_str>

Set the speed of this port. Values depend on the switch model and port. For example:

  • 1000auto—Autonegotiation (1 Gbps full-duplex only).
  • 100full—100 Mbps full-duplex.
  • 100half—100 Mbps half-duplex.
  • 10full—10 Mbps full-duplex.
  • 10half—10 Mbps half-duplex.
  • auto—Auto-negotiation.
  • 10000cr—10 Gbps copper interface.
  • 10000full—10 Gbps full-duplex.
  • 10000sr—10 Gbps SFI interface.
  • 1000full—1 Gbps full-duplex.
  • 25000cr—25 Gbps copper interface.

  • 25000full—25 Gbps full-duplex.

  • 25000sr—25 Gbps SFI interface.

  • 40000auto—Autonegotiation of the 40G-CR4 interface of FS-1048E.

  • auto-module—Maximum speed supported by module.

auto

status {down | up}

Set the administrative status of this interface: up or down.

up

storm-control-mode {disabled | global | override}

By default, you configure storm control on a system-wide level. Set this option to override if you want to configure storm control on a per-port level using the config storm-control command, which is only available when the storm-control-mode is set to override. Set this option to disabled to deactivate port-level storm-control configuration.

global

config storm-control

broadcast {enable | disable}

Enable or disable storm control for broadcast traffic.

disable

burst-size-level <0-4>

Set the burst-size level for storm control. Use a higher number to handle bursty traffic. The maximum number of packets or bytes allowed for each burst-size level depends on the switch model.

NOTE: This command is not available for the FS-108E, FS-108E-POE, FS-108-FPOE, FS-124E, FS-124E-POE, and FS-124E-FPOE models.

0

rate [0 | 2-10000000]

Specify the rate as packets-per-second. If you set the rate to zero, the system drops all packets (for the enabled traffic types).

500

unknown-multicast {enable | disable}

Enable or disable storm control for unknown multicast traffic.

disable

unknown-unicast {enable | disable}

Enable or disable storm control for unknown unicast traffic.

disable

Example

In the following example, port4 is configured:

config switch physical-port

edit "port4"

set lldp-profile "Forti670i"

set speed auto

next

end
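
The flap guard options above (flapguard, flap-duration, flap-rate, flap-timeout) describe a sliding-window count of link status changes. The following Python model is an added example and is not FortiSwitch code: it replays constructed link up/down events through a guard with the documented defaults (30 seconds, 5 changes, no timeout). The trigger action (the guard stays in a triggered state until flap-timeout minutes have passed, or forever when flap-timeout is 0) is an assumption made for the model; the page only says the guard is triggered and later resets.

```python
"""Flap-guard model: counts link status changes in a sliding window.

Added example, not FortiSwitch code. Models the flapguard, flap-duration,
flap-rate and flap-timeout options; the hold-until-timeout behaviour of a
triggered guard is an assumption of this model.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, List, Optional, Tuple


@dataclass
class FlapGuard:
    duration: int = 30       # flap-duration: seconds over which changes are counted
    rate: int = 5            # flap-rate: changes inside the window that trigger the guard
    timeout_min: int = 0     # flap-timeout: minutes until the guard resets, 0 = never
    last_status: Optional[str] = None
    triggered_at: Optional[float] = None
    _changes: Deque[float] = field(default_factory=deque)

    def observe(self, t: float, status: str) -> bool:
        """Feed one status sample ("up"/"down") taken at time t (seconds).

        Returns True while the guard is triggered after this sample.
        """
        # Assumption: the guard clears after flap-timeout minutes (never when 0).
        if self.triggered_at is not None and self.timeout_min:
            if t - self.triggered_at >= self.timeout_min * 60:
                self.triggered_at = None
                self._changes.clear()
        if self.triggered_at is not None:
            return True
        if self.last_status is not None and status != self.last_status:
            self._changes.append(t)
        self.last_status = status
        # Forget transitions older than flap-duration seconds.
        while self._changes and t - self._changes[0] > self.duration:
            self._changes.popleft()
        if len(self._changes) >= self.rate:
            self.triggered_at = t
        return self.triggered_at is not None


def toggling_port(period: float, changes: int) -> List[Tuple[float, str]]:
    """Constructed sample: a port whose state flips every `period` seconds."""
    status, events = "up", [(0.0, "up")]
    for i in range(1, changes + 1):
        status = "down" if status == "up" else "up"
        events.append((i * period, status))
    return events


def first_trigger(events, duration=30, rate=5, timeout_min=0) -> Optional[float]:
    """Replay events through a guard and return the time it first triggers."""
    guard = FlapGuard(duration, rate, timeout_min)
    for t, status in events:
        if guard.observe(t, status):
            return t
    return None


if __name__ == "__main__":
    print("fast flapping triggers at", first_trigger(toggling_port(2, 8)))
    print("slow flapping never triggers:", first_trigger(toggling_port(10, 8)))
```

With the defaults, a port flipping every 2 seconds trips the guard on the fifth change (t = 10 s), while a port flipping every 10 seconds never accumulates five changes inside any 30-second window, so flap-rate and flap-duration together decide how sensitive the guard is.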

config switch prp channel

Use this command to configure a Parallel Redundancy Protocol (PRP) channel.

Syntax

config switch prp channel

edit {1 | 2}

set status {enable | disable}

set channel-port-pair <physical_port_pair>

set vlan-id <1-4094>

set vlan-id-cos <0-7>

set vlan-id-tagged {enable | disable}

set prp-internal-vlan <2-4094>

next

end

Variable

Description

Default

status {enable | disable}

Enable or disable this PRP channel.

disable

channel-port-pair <physical_port_pair>

Select which port A and port B pair to use for this PRP channel. Enter set channel-port-pair ? to see the available physical port pairs.

No default

vlan-id <1-4094>

Enter the VLAN identifier of the supervision frame.

This option is available only when vlan-id-tagged is set to enable.

1

vlan-id-cos <0-7>

Enter the class of service (CoS) value to be set in the VLAN tag of the supervision frame.

This option is available only when vlan-id-tagged is set to enable.

0

vlan-id-tagged {enable | disable}

Enable or disable supervision frame VLAN ID tagging.

disable

prp-internal-vlan <2-4094>

Assign all MAC addresses of this PRP channel to this internal VLAN ID.

NOTE: If you are using an HSR ring and a PRP channel in your network, you need to change the default value so that each HSR ring and PRP channel is in a different internal VLAN.

No default

Example

The following example configures a PRP channel using port5, port6, and VLAN 4092:

config switch prp channel

edit 1

set status enable

set channel-port-pair port5-port6

set prp-internal-vlan 4092

next

end

config switch prp settings

Use this command to configure PRP settings.

Syntax

config switch prp settings

set mac-da <0-255>

set life-check-interval <2-60 seconds>

end

Variable

Description

Default

mac-da <0-255>

Specify the last 8 bits of the PRP supervision frame MAC DA.

0

life-check-interval <2-60 seconds>

Specify how often (in seconds) the PRP supervision frame is generated for each MAC address in the VDAN table.

2

Example

The following example configures PRP settings:

config switch prp settings

set mac-da 100

set life-check-interval 30

end

config switch ptp settings

Use this command to configure the Precision Time Protocol (PTP) global settings.

Syntax

config switch ptp settings

set status {enable | disable}

set profile {default | name_of_PTP_profile}

end

Parameter

Description

Default value

status {enable | disable}

Enable or disable PTP.

disable

profile {default | name_of_PTP_profile}

The default profile is automatically selected.

NOTE: On some legacy platforms, the default profile must be manually selected.

default

Example

The following example enables PTP and selects the newprofile PTP profile:

config switch ptp settings

set status enable

set profile newprofile

end

config switch qos dot1p-map

Use this command to configure a dot1p map. A dot1p map defines a mapping between IEEE 802.1p CoS values (from incoming packets on a trusted interface) and the egress queue values. For an example, see Appendix: FortiSwitch QoS template.

NOTE: You can configure only one dot1p map per switch on the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models.

Syntax

config switch qos dot1p-map

edit <dot1p map name>

set description <text>

set [priority-0|priority-1|priority-2|...priority-7] <queue number>

set egress-pri-tagging {disable | enable}

next

end

Variable

Description

Default

<dot1p map name>

Enter the name of a dot1p map.

No default

<text>

Enter a description of the dot1p map.

No default

[priority-0|priority-1|priority-2|...priority-7] <queue number>

Set the priority of each queue.

queue-0

egress-pri-tagging {disable | enable}

Enable or disable priority tagging on outgoing frames.

NOTE: This command is not available on the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models.

disable

Example

config switch qos dot1p-map

edit "test1"

set priority-0 queue-2

set priority-1 queue-0

set priority-2 queue-1

set priority-3 queue-3

set priority-4 queue-4

set priority-5 queue-5

set priority-6 queue-6

set priority-7 queue-7

set egress-pri-tagging enable

next

end

Values that are not explicitly included in the map will follow the default mapping, which maps each priority (0-7) to queue 0.

If an incoming packet contains no CoS value, the switch assigns a CoS value of zero. Use the set default-cos <interface> command to configure a different default CoS value. The valid range is from 0 to 7. The configured default CoS only applies if you also set trust-dot1p-map on the interface.

config switch qos ip-dscp-map

Use this command to configure a DSCP map. A DSCP map defines a mapping between IP Precedence or Differentiated Services Code Point (DSCP) values and the egress queue values. For an example, see Appendix: FortiSwitch QoS template.

NOTE: You can configure only one DSCP map per switch on the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models.

Syntax

config switch qos ip-dscp-map

edit <ip-dscp map name>

set description <text>

config map

edit <entry-name>

set diffserv [ AF11 | AF12 | AF13 | AF21 | AF22 | AF23 | AF31 | AF32 | AF33 | AF41 | AF42 | AF43 | CS0 | CS1 | CS2 | CS3 | CS4 | CS5 | CS6 | CS7 | EF ]

set ip-precedence [ Network Control | Internetwork Control | Critic/ECP | Flash Override | Flash, Immediate | Priority | Routine ]

set value <dscp raw value>

set cos-queue <queue number>

next

end

next

end

Variable

Description

Default

<ip-dscp map name>

Enter the name of a DSCP map.

No default

<text>

Enter a description of the DSCP map.

No default

<entry-name>

Enter a unique integer to create a new entry.

No default

diffserv [ AF11 | AF12 | AF13 | AF21 | AF22 | AF23 | AF31 | AF32 | AF33 | AF41 | AF42 | AF43 | CS0 | CS1 | CS2 | CS3 | CS4 | CS5 | CS6 | CS7 | EF ]

Set the differentiated service.

No default

ip-precedence [ Network Control | Internetwork Control | Critic/ECP | Flash Override | Flash, Immediate | Priority | Routine ]

Set the IP precedence.

No default

value <dscp raw value>

Enter the raw value of DSCP (0-63).

No default

cos-queue <queue number>

Enter the CoS queue number.

0

Example

The following example defines a mapping for two of the DSCP values:

config switch qos ip-dscp-map

edit "m1"

config map

edit "e1"

set cos-queue 0

set ip-precedence Immediate

next

edit "e2"

set cos-queue 3

set value 13

next

end

next

end

Values that are not explicitly included in the map will follow the default mapping, which assigns queue 0 for all DSCP values.

config switch qos qos-policy

Use this command to configure QoS policies. For an example, see Appendix: FortiSwitch QoS template.

In a QoS policy, you set the scheduling mode (Strict, Round Robin, Weighted Round Robin) for the policy, and configure one or more CoS queues.

Syntax

config switch qos qos-policy

edit <policy_name>

set rate-by {kbps | percent}

set schedule {strict | round-robin | weighted}

config cos-queue

edit [queue-0 ... queue-7]

set description <text>

set drop-policy {taildrop | weighted-random-early-detection}

set ecn {enable | disable}

set max-rate <rate kbps>

set min-rate <rate kbps>

set max-rate-percent <percentage>

set min-rate-percent <percentage>

set weight <value>

set wred-slope <value>

next

end

next

end

Variable

Description

Default

<policy_name>

Enter the name of the QoS policy.

No default

rate-by {kbps | percent}

Set whether the CoS queue rate is measured in kbps or by percentage.

kbps

schedule {strict | round-robin | weighted}

Set the CoS queue scheduling.
  • strict—The queues are served in descending order (of queue number), so higher number queues receive higher priority. The purpose of the strict scheduling mode is to provide lower latency service to higher classes of traffic. However, if the interface experiences congestion, the lower priority traffic could be starved.
  • round-robin—In round robin mode, the scheduler visits each backlogged queue, servicing a single packet from each queue before moving on to the next one. The purpose of round robin scheduling is to provide fair access to the egress port bandwidth.
  • weighted—Each of the eight egress queues is assigned a weight value ranging from 0 to 63. The purpose of weighted round robin scheduling is to provide prioritized access to the egress port bandwidth, such that queues with higher weight get more of the bandwidth, but lower priority traffic is not starved.

round-robin

[queue-0 ... queue-7]

Set the CoS queue to update.

No default

description <text>

Enter a description of the CoS queue.

No default

drop-policy {taildrop | weighted-random-early-detection}

Set the CoS queue drop policy.
  • taildrop—When the queue is full, new packets are dropped.
  • weighted-random-early-detection—When the queue reaches the packet-dropping threshold, packets start getting dropped randomly based on the probability defined in the wred-slope setting.
NOTE: For the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models, set the CoS queue drop policy under the config switch global command.

taildrop

ecn {enable | disable}

If you select random early detection in the CLI, you can enable explicit congestion notification (ECN) marking to indicate that congestion is occurring without just dropping packets. If you disable this option, the normal queue drop policy applies.

disable

max-rate <rate kbps>

If you set the rate-by to kbps, enter the maximum rate in kbps. Set the value to 0 to disable.

NOTE: For the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models, the switch rounds the max-rate value to the nearest multiple of 16 internally. If the rounding result is 0, max-rate is disabled internally.

0

min-rate <rate kbps>

If you set the rate-by to kbps, enter the minimum rate in kbps. Set the value to 0 to disable.

NOTE: This command is not available on the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models.

0

max-rate-percent <percentage>

If you set the rate-by to percent, enter the maximum rate as a percentage of the link speed.

0

min-rate-percent <percentage>

If you set the rate-by to percent, enter the minimum rate as a percentage of the link speed.

NOTE: This command is not available on the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models.

0

weight <value>

Enter the weight for weighted round robin scheduling (applicable only if the policy schedule is weighted).

1

wred-slope <value>

Enter the slope of WRED drop probability.

NOTE: For the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models, set the QoS RED/WRED drop probability under the config switch global command.

45

Example

The following example defines a QoS policy for queue 0:

config switch qos qos-policy

edit policy1

set rate-by kbps

set schedule weighted

config cos-queue

edit queue-0

set description "QoS policy for queue 0"

set drop-policy weighted-random-early-detection

set max-rate 20

set min-rate 10

set weight 5

set wred-slope 15

end

end
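
The three schedule modes in the variable table (strict, round-robin, weighted) are easiest to compare by watching which packets leave the port first when the link is congested. The following Python simulation is an added example, not FortiSwitch code. The strict and round-robin behaviour follows the table's descriptions; for weighted, serving `weight` packets per visit to a queue is an assumption about how the weight maps onto bandwidth share (a weight of 0 therefore never gets served in this model). The queue backlog is constructed sample data.

```python
"""Egress scheduler model for strict, round-robin and weighted modes.

Added example, not FortiSwitch code. The weighted mode serves `weight`
packets per visit, an assumption about how weight maps to bandwidth share.
"""
from collections import deque
from typing import Dict, List, Optional


def schedule_order(mode: str, backlog: Dict[str, List[str]],
                   weights: Optional[Dict[str, int]] = None,
                   slots: Optional[int] = None) -> List[str]:
    """Return the order in which packets leave the port.

    backlog: packets waiting per queue, e.g. {"queue-7": ["q7-1", "q7-2"]}
    weights: per-queue weight (weighted mode only); missing queues get 1
    slots:   transmit opportunities to simulate; None drains every queue
    """
    queues = {q: deque(p) for q, p in backlog.items()}
    # queue-7 is visited first: higher-numbered queues have higher priority.
    names = sorted(queues, key=lambda q: int(q.split("-")[1]), reverse=True)
    weights = weights or {}
    remaining = sum(len(q) for q in queues.values()) if slots is None else slots
    order: List[str] = []

    def send(q: str) -> None:
        nonlocal remaining
        if queues[q] and remaining > 0:
            order.append(queues[q].popleft())
            remaining -= 1

    while remaining > 0 and any(queues.values()):
        sent_before = len(order)
        if mode == "strict":
            send(next(q for q in names if queues[q]))   # highest backlogged queue wins
        elif mode == "round-robin":
            for q in names:
                send(q)                                  # one packet per backlogged queue
        elif mode == "weighted":
            for q in names:
                for _ in range(weights.get(q, 1)):       # `weight` packets per visit
                    send(q)
        else:
            raise ValueError(f"unknown schedule {mode}")
        if len(order) == sent_before:                    # nothing eligible (e.g. all weights 0)
            break
    return order


def share(order: List[str], queue_prefix: str) -> int:
    """Count how many transmitted packets came from one queue."""
    return sum(1 for p in order if p.startswith(queue_prefix))


# Constructed backlog: four packets waiting in queue-0 and four in queue-7.
BACKLOG = {"queue-0": ["q0-1", "q0-2", "q0-3", "q0-4"],
           "queue-7": ["q7-1", "q7-2", "q7-3", "q7-4"]}

if __name__ == "__main__":
    for mode in ("strict", "round-robin", "weighted"):
        order = schedule_order(mode, BACKLOG, {"queue-7": 3, "queue-0": 1}, slots=4)
        print(f"{mode:12} {order}  queue-0 got {share(order, 'q0-')} of 4 slots")
```

With only four transmit slots, strict mode gives all of them to queue-7 and queue-0 is starved, round-robin splits them two and two, and weighted (3:1) gives queue-7 three slots while still serving one packet from queue-0, which is the difference the table describes.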

config switch quarantine

NOTE: This command is available only in FortiLink mode.

Use this command to specify which MAC addresses to quarantine on the FortiSwitch unit.

Syntax

config switch quarantine

edit <MAC_address_to_quarantine>

set cos-queue <0-7>

set description <string>

set drop {enable | disable}

set policer <integer>

end

Variable

Description

Default

<MAC_address_to_quarantine>

Enter the MAC address to quarantine.

No default

cos-queue <0-7>

Set the class-of-service queue for the quarantined device traffic. Use the unset cos-queue command to disable this setting.

No default

description <string>

Enter an optional description of the quarantined MAC address.

No default

drop {enable | disable}

Enable or disable whether quarantined device traffic is dropped.

disable

policer <integer>

Set the ACL policer for the quarantined device traffic.

0

config switch raguard-policy

Use this command to specify the criteria that router advertisement (RA) messages must match before the RA messages are forwarded. If the RA messages match the criteria in the RA-guard policy, they are forwarded. If the RA messages do not match the criteria in the RA-guard policy, they are dropped.

IPv6 RA guard is supported on 2xx models and higher.

Syntax

config switch raguard-policy

edit <RA-guard policy name>

set device-role {host | router}

set managed-flag {Off | On}

set other-flag {Off | On}

set max-hop-limit <0-255>

set min-hop-limit <0-255>

set max-router-preference {high | medium | low}

set match-src-addr <name_of_IPv6_access_list>

set match-prefix <name_of_IPv6_prefix_list>

next

end

Variable

Description

Default

<RA-guard policy name>

Enter the name of the RA-guard policy.

No default

device-role {host | router}

Set whether this policy applies to hosts or routers. If this option is set to host, all RA messages are dropped. If this option is set to router, the policy checks the other specified criteria.

host

managed-flag {Off | On}

Set to On for the policy to accept RA messages that are flagged with the M (managed address configuration) flag; if the RA messages are not flagged, they are dropped.

Set to Off for the policy to accept RA messages that are not flagged with the M flag; if the RA messages are flagged, they are dropped.

If this option is not set, the policy skips this check.

No default

other-flag {Off | On}

Set to On for the policy to accept RA messages that are flagged with the O (other configuration) flag; if the RA messages are not flagged, they are dropped.

Set to Off for the policy to accept RA messages that are not flagged with the O flag; if the RA messages are flagged, they are dropped.

If this option is not set, the policy skips this check.

No default

max-hop-limit <0-255>

Enter the maximum hop number for the policy to accept RA messages with a hop number equal to or less than this value.

If this option is not set, the policy skips this check.

0

min-hop-limit <0-255>

Enter the minimum hop number for the policy to accept RA messages with a hop number equal to or greater than this value.

If this option is not set, the policy skips this check.

0

max-router-preference {high | medium | low}

Set the default router preference for the policy to accept RA messages with a router preference equal to or less than this setting. When the router preference of RA messages is not set as high, medium, or low, RA guard acts as if the router preference was set to medium.

If this option is not set, the policy skips this check.

No default

match-src-addr <name_of_IPv6_access_list>

Enter the name of the IPv6 access list for the policy to check if the source IPv6 address of the RA message matches an allowed address. The IPv6 access list must be created (with the config router access-list6 command) before it is used in a policy.

No default

match-prefix <name_of_IPv6_prefix_list>

Enter the name of the IPv6 prefix list for the policy to check if the IPv6 address prefix of the RA message matches an allowed prefix. The IPv6 prefix list must be created (with the config router prefix-list6 command) before it is used in a policy.

No default

Example

The following example creates an IPv6 RA-guard policy:

config switch raguard-policy

edit RApolicy1

set device-role router

set managed-flag On

set other-flag On

set max-hop-limit 100

set min-hop-limit 5

set max-router-preference medium

set match-src-addr accesslist1

set match-prefix prefixlist1

next

end
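The following Python block is an added example, not part of the FortiSwitchOS documentation or product code. It parses a Router Advertisement and applies the checks in the table above, in the order the table lists them, using RApolicy1 exactly as configured in the example. Two assumptions are made: the "hop limit" compared by max-hop-limit and min-hop-limit is the Cur Hop Limit field advertised inside the RA, and a value of 0 for either limit means the check is skipped (the documented default). The access list accesslist1 and the prefix list prefixlist1 are stood in for by hard-coded IPv6 networks, and the RA bytes are constructed inline.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

ICMPV6_RA = 134
PREF_RANK = {"low": 0, "medium": 1, "high": 2}

@dataclass
class RaGuardPolicy:
    """Mirrors the config switch raguard-policy fields described above."""
    device_role: str = "host"              # host: drop every RA; router: run the checks below
    managed_flag: Optional[str] = None     # "On" | "Off" | None (unset: check skipped)
    other_flag: Optional[str] = None
    max_hop_limit: int = 0                 # assumption: 0 (the default) means "not set"
    min_hop_limit: int = 0
    max_router_preference: Optional[str] = None
    match_src_addr: Optional[list] = None  # stand-in for an access-list6: permitted source networks
    match_prefix: Optional[list] = None    # stand-in for a prefix-list6: permitted advertised prefixes

def build_ra(hop_limit, managed, other, prf_bits, prefixes):
    """Construct the ICMPv6 body of an RA (RFC 4861 4.2) with one Prefix Information option per prefix."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0) | (prf_bits << 3)
    body = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, hop_limit, flags, 1800, 0, 0)
    for net in prefixes:
        body += struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
        body += net.network_address.packed
    return body

def parse_ra(src_ip, icmp):
    """Pull out the fields RA guard inspects: Cur Hop Limit, M/O flags, Prf bits and advertised prefixes."""
    if len(icmp) < 16 or icmp[0] != ICMPV6_RA:
        raise ValueError("not a Router Advertisement")
    cur_hop_limit, flags = icmp[4], icmp[5]
    # Prf (RFC 4191): 01 high, 00 medium, 11 low; the reserved value 10 is treated as medium, as documented
    preference = {0b01: "high", 0b00: "medium", 0b11: "low"}.get((flags >> 3) & 0x3, "medium")
    prefixes, off = [], 16
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1] * 8
        if olen == 0 or off + olen > len(icmp):
            raise ValueError("malformed RA option")
        if otype == 3 and olen == 32:
            prefixes.append(ipaddress.IPv6Network((icmp[off + 16:off + 32], icmp[off + 2]), strict=False))
        off += olen
    return {"src": ipaddress.IPv6Address(src_ip), "hop_limit": cur_hop_limit,
            "managed": bool(flags & 0x80), "other": bool(flags & 0x40),
            "preference": preference, "prefixes": prefixes}

def evaluate(policy, ra):
    """Return (accepted, reason) for one parsed RA under one policy, checking in the documented order."""
    if policy.device_role == "host":
        return False, "device-role host: all RA messages are dropped"
    for name, want, have in (("managed-flag", policy.managed_flag, ra["managed"]),
                             ("other-flag", policy.other_flag, ra["other"])):
        if want is not None and have != (want == "On"):
            return False, f"{name} {want} does not match the RA"
    if policy.max_hop_limit and ra["hop_limit"] > policy.max_hop_limit:
        return False, f"hop limit {ra['hop_limit']} exceeds max-hop-limit"
    if policy.min_hop_limit and ra["hop_limit"] < policy.min_hop_limit:
        return False, f"hop limit {ra['hop_limit']} is below min-hop-limit"
    if (policy.max_router_preference
            and PREF_RANK[ra["preference"]] > PREF_RANK[policy.max_router_preference]):
        return False, f"router preference {ra['preference']} exceeds max-router-preference"
    if policy.match_src_addr is not None and not any(ra["src"] in n for n in policy.match_src_addr):
        return False, f"source {ra['src']} is not permitted by match-src-addr"
    if policy.match_prefix is not None:
        for p in ra["prefixes"]:
            if not any(p.subnet_of(n) for n in policy.match_prefix):
                return False, f"advertised prefix {p} is not permitted by match-prefix"
    return True, "accepted"

# Constructed stand-ins for accesslist1 and prefixlist1, then RApolicy1 as configured in the example above.
ACCESSLIST1 = [ipaddress.IPv6Network("fe80::/10")]
PREFIXLIST1 = [ipaddress.IPv6Network("2001:db8::/32")]
RAPOLICY1 = RaGuardPolicy("router", "On", "On", 100, 5, "medium", ACCESSLIST1, PREFIXLIST1)

def check(src_ip, hop_limit=64, managed=True, other=True, prf_bits=0b00, prefixes=("2001:db8:1::/64",)):
    """Build an RA from the given fields and evaluate it against RApolicy1."""
    nets = [ipaddress.IPv6Network(p) for p in prefixes]
    return evaluate(RAPOLICY1, parse_ra(src_ip, build_ra(hop_limit, managed, other, prf_bits, nets)))
```

With this policy, check("fe80::1") is accepted, while an RA announcing high preference, one sent from a global address outside fe80::/10, one advertising a prefix outside 2001:db8::/32, or one with Cur Hop Limit 255 is dropped with the reason naming the failing option. The RA's IPv6 header Hop Limit (which RFC 4861 requires to be 255) is a separate, host-side validation and is not part of this policy.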

config switch security-feature

Use this command to configure security checks for incoming TCP/UDP packets. The packet is dropped if it matches one of the security rules that have been enabled.

Syntax (for models FS-108D-POE, FS-112D-POE, FS-224D-POE)

config switch security-feature

set tcp-syn-data {enable | disable}

set tcp-udp-port-zero {enable | disable}

set tcp_flag_zero {enable | disable}

set tcp_flag_FUP {enable | disable}

set tcp_flag_SF {enable | disable}

set tcp_flag_SR {enable | disable}

set tcp_frag_ipv4_icmp {enable | disable}

set tcp_arp_mac_mismatch {enable | disable}

set allow-mcast-sa {enable | disable}

end

Variable

Description

Default

tcp-syn-data

TCP SYN packet contains additional data (possible DoS attack).

disable

tcp-udp-port-zero

TCP or UDP packet has the source or destination port set to zero.

disable

tcp_flag_zero

TCP packet with all flags set to zero.

disable

tcp_flag_FUP

TCP packet with FIN, URG and PSH flags set.

disable

tcp_flag_SF

TCP packet with SYN and FIN flags set.

disable

tcp_flag_SR

TCP packet with SYN and RST flags set.

disable

tcp_frag_ipv4_icmp

Fragmented ICMPv4 packet.

disable

tcp_arp_mac_mismatch

ARP packet with a source MAC address mismatch between the layer-2 header and the ARP packet payload.

disable

allow-mcast-sa

Ethernet packet whose source MAC address is multicast.

disable

Syntax (for FS-1xxE, FS-1xxF, and FS-110G-FPOE)

config switch security-feature

set tcp-flag-zero {enable | disable}

set tcp-flag-FUP {enable | disable}

set tcp-flag-SF {enable | disable}

set tcp-flag-SR {enable | disable}

set arp-mac-mismatch {enable | disable}

set macsa-eq-macda {enable | disable}

set sip-eq-dip {enable | disable}

set tcp-port-eq {enable | disable}

set udp-port-eq {enable | disable}

set ip-pod {enable | disable}

set icmp-frag {enable | disable}

set tcp-frag-off-min {enable | disable}

set tcp-syn-sp-less-1024 {enable | disable}

set invalid-ipv4-hdr-len {enable | disable}

set gratuitous-arp {enable | disable}

end

Variable

Description

Default

tcp-flag-zero

TCP packet with all flags set to zero.

disable

tcp-flag-FUP

TCP packet with FIN, URG, and PSH flags set.

disable

tcp-flag-SF

TCP packet with SYN and FIN flags set.

disable

tcp-flag-SR

TCP packet with SYN and RST flags set.

disable

arp-mac-mismatch

ARP packet with a source MAC address mismatch between the MAC header and the ARP packet payload.

disable

macsa-eq-macda

Packet with source MAC address equal to the destination MAC address.

disable

sip-eq-dip

TCP packet with source IP address equal to the destination IP address.

disable

tcp-port-eq

TCP packet with the same source and destination TCP port.

disable

udp-port-eq

IP packet with the same source and destination UDP port.

disable

ip-pod

The IPv4/IPv6 packet length is larger than 64 kB.

disable

icmp-frag

Fragmented ICMP packet.

disable

tcp-frag-off-min

TCP non-initial fragment whose fragment offset is small enough that the fragment overlaps the TCP header (tiny-fragment attack).

disable

tcp-syn-sp-less-1024

TCP SYN packet with a source port less than 1024.

disable

invalid-ipv4-hdr-len

IPv4 packet with a header length greater than the total length.

NOTE: This command is available only on the FS-124F, FS-124F-FPOE, FS-124F-POE, FS-148F, FS-148F-FPOE, and FS-148F-POE models.

disable

gratuitous-arp

Gratuitous ARP packet.

NOTE: This command is available only on the FS-108E, FS-108E-FPOE, FS-108E-POE, FS-108F, FS-108F-FPOE, FS-108F-POE, FS-124E, FS-124E-FPOE, FS-124E-POE, FS-148E, and FS-148E-POE models.

disable

Syntax (for all other FortiSwitch models)

config switch security-feature

set sip-eq-dip {enable | disable}

set tcp-flag {enable | disable}

set tcp-port-eq {enable | disable}

set tcp-flag-FUP {enable | disable}

set tcp-flag-SF {enable | disable}

set v4-first-frag {enable | disable}

set udp-port-eq {enable | disable}

set tcp-hdr-partial {enable | disable}

set macsa-eq-macda {enable | disable}

set allow-mcast-sa {enable | disable}

set allow-sa-mac-all-zero {enable | disable}

end

Variable

Description

Default

sip-eq-dip

TCP packet with the same source IP address and destination IP address.

disable

tcp-flag

DoS attack checking for TCP flags.

disable

tcp-port-eq

TCP packet with the same source and destination TCP port.

disable

tcp-flag-FUP

TCP packet with FIN, URG, and PSH flags set, and sequence number is zero.

disable

tcp-flag-SF

TCP packet with SYN and FIN flags set.

disable

v4-first-frag

DoS attack checking for IPv4 first fragment.

disable

udp-port-eq

IP packet with the same source and destination UDP port.

disable

tcp-hdr-partial

TCP packet with partial header.

disable

macsa-eq-macda

Packet with the same source MAC address and destination MAC address.

disable

allow-mcast-sa

Ethernet packet whose source MAC address is multicast.

disable

allow-sa-mac-all-zero

Ethernet packet whose source MAC address is all zeros.

disable

Example

The following example configures various security checks for incoming TCP/UDP packets:

config switch security-feature

set sip-eq-dip enable

set tcp-flag enable

set tcp-port-eq enable

set tcp-flag-FUP enable

set tcp-flag-SF enable

set v4-first-frag enable

set udp-port-eq enable

set tcp-hdr-partial enable

set macsa-eq-macda enable

set allow-mcast-sa disable

set allow-sa-mac-all-zero disable

end
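The following Python block is an added example and not FortiSwitchOS code: it parses raw Ethernet, ARP, IPv4, TCP and UDP headers and reports which of the security-feature conditions described in the three tables above a frame matches, using the CLI option names as the condition names. It is useful for understanding what each option actually keys on, and for checking captures from a port where a rule is enabled. Two conditions are defined by assumption because the page does not spell them out: gratuitous-arp is taken as an ARP whose sender and target IP addresses are equal, and tcp-frag-off-min as a TCP fragment whose offset lands inside the first 20 bytes. The sample frames are constructed inline (no checksums, which the checks ignore).

```python
import struct
from ipaddress import IPv4Address

FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32
FUP = FIN | URG | PSH
ETH_IPV4, ETH_ARP = 0x0800, 0x0806

def security_checks(frame):
    """Return the names of the security-feature conditions that an Ethernet frame matches."""
    if len(frame) < 14:
        return ["runt"]
    dst, src, etype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    hits = [n for n, cond in (("macsa-eq-macda", src == dst),
                              ("allow-mcast-sa", src[0] & 1),        # I/G bit set: multicast source
                              ("allow-sa-mac-all-zero", src == bytes(6))) if cond]
    pl = frame[14:]
    if etype == ETH_ARP and len(pl) >= 28:
        sha, spa, tpa = pl[8:14], pl[14:18], pl[24:28]
        if sha != src:                     # sender hardware address disagrees with the frame source
            hits.append("arp-mac-mismatch")
        if spa == tpa:                     # assumed definition: sender announces its own IP address
            hits.append("gratuitous-arp")
    elif etype == ETH_IPV4 and len(pl) >= 20:
        ihl = (pl[0] & 0xF) * 4
        total_len, frag_field = struct.unpack("!H", pl[2:4])[0], struct.unpack("!H", pl[6:8])[0]
        mf, frag_off = bool(frag_field & 0x2000), (frag_field & 0x1FFF) * 8
        proto, sip, dip, l4 = pl[9], pl[12:16], pl[16:20], pl[ihl:]
        if ihl > total_len:
            hits.append("invalid-ipv4-hdr-len")
        if frag_off + (total_len - ihl) > 65535:   # reassembled datagram would exceed 64 kB
            hits.append("ip-pod")
        if proto == 1 and (mf or frag_off):
            hits.append("icmp-frag")
        if proto == 6:
            if sip == dip:
                hits.append("sip-eq-dip")
            if 0 < frag_off < 20:                  # assumed definition: fragment overlaps the TCP header
                hits.append("tcp-frag-off-min")
            elif frag_off == 0 and len(l4) < 20:
                hits.append("tcp-hdr-partial")
            elif frag_off == 0:
                sport, dport = struct.unpack("!HH", l4[:4])
                doff, flags = (l4[12] >> 4) * 4, l4[13]
                bare_syn = (flags & (SYN | ACK)) == SYN
                hits += [n for n, cond in (
                    ("tcp-port-eq", sport == dport), ("tcp-udp-port-zero", 0 in (sport, dport)),
                    ("tcp-flag-zero", flags == 0), ("tcp-flag-FUP", (flags & FUP) == FUP),
                    ("tcp-flag-SF", (flags & (SYN | FIN)) == (SYN | FIN)),
                    ("tcp-flag-SR", (flags & (SYN | RST)) == (SYN | RST)),
                    ("tcp-syn-data", bare_syn and len(l4) > doff),
                    ("tcp-syn-sp-less-1024", bare_syn and sport < 1024)) if cond]
        elif proto == 17 and frag_off == 0 and len(l4) >= 8:
            sport, dport = struct.unpack("!HH", l4[:4])
            hits += [n for n, cond in (("udp-port-eq", sport == dport),
                                       ("tcp-udp-port-zero", 0 in (sport, dport))) if cond]
    return hits

# Frame builders for the constructed samples below.
def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def eth(src, dst, etype, payload):
    return mac(dst) + mac(src) + struct.pack("!H", etype) + payload

def ipv4(src, dst, proto, l4, frag_off=0, mf=False, total_len=None):
    total = 20 + len(l4) if total_len is None else total_len
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0x1234, (0x2000 if mf else 0) | frag_off // 8,
                      64, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + l4

def tcp(sport, dport, flags, payload=b""):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0) + payload

def arp(sha, spa, tha, tpa, op=1):
    return (struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, op) + mac(sha) + IPv4Address(spa).packed
            + mac(tha) + IPv4Address(tpa).packed)

A, GW, BCAST = "02:00:00:00:00:0a", "02:00:00:00:00:01", "ff:ff:ff:ff:ff:ff"

def ip_tcp(l4, dst="10.0.0.9", **kw):
    return eth(A, GW, ETH_IPV4, ipv4("10.0.0.5", dst, 6, l4, **kw))

SAMPLES = {
    "normal syn": ip_tcp(tcp(40000, 443, SYN)),
    "land": ip_tcp(tcp(139, 139, SYN), dst="10.0.0.5"),
    "xmas": ip_tcp(tcp(40000, 80, FUP)),
    "null scan": ip_tcp(tcp(40000, 80, 0)),
    "syn-fin": ip_tcp(tcp(40000, 80, SYN | FIN)),
    "syn with data": ip_tcp(tcp(80, 445, SYN, b"GET /")),
    "tiny fragment": ip_tcp(bytes(8), frag_off=8, mf=True),
    "bad ihl": ip_tcp(tcp(40000, 443, SYN), total_len=12),
    "ping of death": eth(A, GW, ETH_IPV4, ipv4("10.0.0.5", "10.0.0.9", 1, bytes(16), frag_off=65528)),
    "arp spoof": eth(A, BCAST, ETH_ARP, arp("02:00:00:00:00:0b", "10.0.0.1", "00:00:00:00:00:00", "10.0.0.5", 2)),
    "gratuitous arp": eth(A, BCAST, ETH_ARP, arp(A, "10.0.0.5", BCAST, "10.0.0.5")),
    "mdns, multicast source": eth("01:00:5e:00:00:fb", GW, ETH_IPV4,
                                  ipv4("10.0.0.5", "224.0.0.251", 17, struct.pack("!HHHH", 5353, 5353, 8, 0))),
}

def run_all():
    return {name: security_checks(frame) for name, frame in SAMPLES.items()}
```

Running run_all() shows the LAND frame tripping sip-eq-dip, tcp-port-eq and tcp-syn-sp-less-1024 at once, and the last sample tripping udp-port-eq on an ordinary mDNS query. That is the caveat to keep in mind before enabling these rules on an access switch: udp-port-eq also matches symmetric NTP (123 to 123) and mDNS (5353 to 5353), tcp-syn-data drops TCP Fast Open connections, and gratuitous-arp drops the announcements that VRRP/HSRP failover and freshly configured hosts rely on.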

config switch static-mac

Use this command to configure one (or more) static MAC address on an interface.

Syntax

config switch static-mac

edit <sequence number>

set action {allow | drop}

set description <optional_string>

set interface <interface_name>

set mac <static_MAC_address>

set type {sticky | static}

set vlan-id <1-4095>

end

Variable

Description

Default

<sequence number>

Enter a sequence number.

No default

action {allow | drop}

Select whether packets with the specified source static MAC address are allowed or dropped.

allow

description <optional_string>

Optional. Enter a description of the static MAC address.

No default

interface <interface_name>

Enter the interface name.

No default

mac <static_MAC_address>

Enter the static MAC address.

00:00:00:00:00:00

type {sticky | static}

Set the MAC address as a persistent (sticky) address or a static address.

static

vlan-id <1-4095>

Enter the VLAN identifier.

1

Example

config switch static-mac

edit 1

set action drop

set description "first static MAC address"

set interface port10

set mac d6:dd:25:be:2c:43

set type static

set vlan-id 10

end

config switch storm-control

Use this command to configure storm control.

Syntax

config switch storm-control

set broadcast {enable | disable}

set burst-size-level <0-4>

set rate [0 | 2-10000000]

set unknown-multicast {enable | disable}

set unknown-unicast {enable | disable}

end

Variable

Description

Default

broadcast {enable | disable}

Enable or disable storm control for broadcast traffic.

disable

burst-size-level <0-4>

Set the burst-size level for storm control. Use a higher number to handle bursty traffic. The maximum number of packets or bytes allowed for each burst-size level depends on the switch model.

0

rate [0 | 2-10000000]

Specify the rate as packets-per-second. If you set the rate to zero, the system drops all packets (for the enabled traffic types).

500

unknown-multicast {enable | disable}

Enable or disable storm control for unknown multicast traffic.

disable

unknown-unicast {enable | disable}

Enable or disable storm control for unknown unicast traffic.

disable

Example

config switch storm-control

set broadcast enable

set burst-size-level 2

set rate 1000

set unknown-multicast enable

set unknown-unicast enable

end

config switch stp instance

Use this command to configure an STP instance.

Syntax

config switch stp instance

edit <instance_id>

set priority <priority_int>

set vlan-range <vlan_map>

config stp-port

edit <port name>

set cost <cost_int>

set priority <priority_int>

end

end

Variable

Description

Default

<instance_id>

Enter an instance identifier. The range differs for the various FortiSwitch models.

No default

priority <priority_int>

Set the STP bridge priority for this instance. The acceptable values are multiples of 4096 from 0 to 61440: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, and 61440. A lower value makes this switch more likely to be elected root bridge for the instance.

32768

vlan-range <vlan_map>

Enter the VLANs to which STP applies. <vlan_map> is a comma-separated list of VLAN IDs or VLAN ID ranges, for example “1,3-4,6,7,9-100” .

No default

config stp-port

<port name>

Enter the name of the port.

No default

cost <cost_int>

Enter the cost of using this interface. Use set cost ? for suggested cost values based on link speed.

0

priority <priority_int>

Enter the priority of this interface. Use set priority ? to list the acceptable priority values.

128

Example

config switch stp instance

edit "1"

set priority 8192

config stp-port

edit "port18"

set cost 0

set priority 128

next

edit "port19"

set cost 0

set priority 128

next

end

set vlan-range 5 7 11-20

end

config switch stp settings

Use this command to configure STP settings.

Syntax

config switch stp settings

set flood {enable | disable}

set forward-time <fseconds_int>

set hello-time <hseconds_int>

set max-age <age>

set max-hops <hops_int>

set mclag-stp-bpdu {both | single}

set name <name_str>

set revision <rev_int>

set status {enable | disable}

end

Variable

Description

Default

flood {enable | disable}

Set to enable if you want the STP packets arriving at any port to pass through the switch without being processed. Set to disable if you want to block STP packets arriving at any port.

This command is available only when status is set to disable.

disable

forward-time <fseconds_int>

Enter the forwarding delay in seconds. Range 4 to 30.

15

hello-time <hseconds_int>

Enter the hello time in seconds. Range 1 to 10.

2

max-age <age>

Enter the maximum age. Range 6 to 40.

20

max-hops <hops_int>

Enter the maximum number of hops. Range 1 to 40.

20

mclag-stp-bpdu {both | single}

Set to both to allow both core switches of an MCLAG to transmit STP BPDUs. Set to single so that only one of the two core switches of an MCLAG transmits STP BPDUs.

both

name <name_str>

Enter a string value for the name.

No default

revision <rev_int>

Range 0 to 65535.

0

status {enable | disable}

Enable or disable STP on the switch. When STP is disabled, the flood option determines whether incoming STP packets are passed through or blocked.

enable

Example

config switch stp settings

set forward-time 15

set hello-time 5

set max-age 20

set max-hops 20

set name "region1"

set revision 1

set status enable

end

config switch trunk

Use this command to configure link aggregation.

Syntax

config switch trunk

edit <trunk name>

set aggregator-mode {bandwidth | count}

set auto-isl <integer>

set bundle [enable|disable]

set min_bundle <integer>

set max_bundle <integer>

set description <description_str>

set fortilink <integer>

set isl-fortilink <integer>

set lacp-speed {slow | fast}

set mclag {disable | enable}

set mclag-icl {disable | enable}

set member-withdrawal-behavior {block | forward}

set members <intf1 ... intfn>

set mode {fortinet-trunk | lacp-active | lacp-passive | static}

set fallback-port <port_name>

set port-selection-criteria {src-ip | src-mac | dst-ip | dst-mac | src-dst-ip | src-dst-mac}

set static-isl {enable | disable}

set static-isl-auto-vlan {enable | disable}

end

Variable

Description

Default

<trunk name>

Enter a name for the trunk.

No default

aggregator-mode {bandwidth | count}

Select how an aggregator groups ports when the trunk is in LACP mode. Select bandwidth to group ports into the aggregator with the largest bandwidth. Select count to group ports into the aggregator with the most ports.

bandwidth

auto-isl <integer>

Automatically forms an ISL-encapsulated trunk, up to the specified maximum size.

0

bundle [enable|disable]

Enable or disable bundling.

disable

min_bundle

Set the minimum size of the bundle. This option is available only when bundle has been enabled.

1

max_bundle

Set the maximum size of the bundle. This option is available only when bundle has been enabled.

24

description <description_str>

Optionally, enter a description.

No default

fortilink <integer>

Set the FortiLink trunk.

0

isl-fortilink <integer>

Set the ISL FortiLink trunk.

0

lacp-speed {slow | fast}

Select fast to send an LACP message every second. Select slow to send an LACP message every 30 seconds.

slow

mclag {disable | enable}

Enable or disable multichassis LAG (MCLAG).

disable

mclag-icl {disable | enable}

Enable or disable the MCLAG inter-chassis link (ICL).

disable

member-withdrawal-behavior {block | forward}

Select how the port behaves after it withdraws from the trunk because of the loss of control packets.

block

members <intf1 ... intfn>

Enter the names of the interfaces that belong to this trunk. Separate the names with spaces.

No default

mode {fortinet-trunk | lacp-active | lacp-passive | static}

Select the link aggregation mode:
  • fortinet-trunk—use heartbeat packets to detect whether trunk members are available.
  • lacp-active—use active LACP 802.3ad aggregation
  • lacp-passive—use passive LACP 802.3ad aggregation
  • static—use static aggregation, ignoring and not sending control messages

static

fallback-port <port_name>

Select which port will stay up in LACP fallback mode so that a device not running LACP can still connect to the network.

No default

port-selection-criteria {src-ip | src-mac | dst-ip | dst-mac | src-dst-ip | src-dst-mac}

Select the port selection criteria:
  • src-ip—source IP address
  • src-mac—source MAC address
  • dst-ip—destination IP address
  • dst-mac—destination MAC address
  • src-dst-ip—both source and destination IP addresses
  • src-dst-mac—both source and destination MAC addresses

src-dst-ip

static-isl {enable | disable}

Available only in FortiLink mode. Enable to manually create an inter-switch link (ISL) trunk.

default

static-isl-auto-vlan {enable | disable}

Available only in FortiLink mode. Enable or disable automatic VLAN configuration on the ISL.

default

Heartbeat Trunk

When you set the trunk mode to fortinet-trunk, the following configuration fields are available:

config switch trunk

edit hb-trunk

set mode fortinet-trunk

set port-selection-criteria {src-ip | src-mac | dst-ip | dst-mac | src-dst-ip | src-dst-mac}

set description <description_str>

set members <port> [<port>] ... [<port>]

set member-withdrawal-behavior {block | forward}

set max-miss-heartbeats <3-32>

set hb-out-vlan <int>

set hb-in-vlan <int>

set hb-src-ip <x.x.x.x>

set hb-dst-ip <x.x.x.x>

set hb-src-udp-port <int>

set hb-dst-udp-port <int>

set hb-verify {enable | disable}

end

Variable

Description

Default

port-selection-criteria {src-ip | src-mac | dst-ip | dst-mac | src-dst-ip | src-dst-mac}

Select the port selection criteria:
  • src-ip — source IP address
  • src-mac — source MAC address
  • dst-ip — destination IP address
  • dst-mac — destination MAC address
  • src-dst-ip — both source and destination IP addresses
  • src-dst-mac — both source and destination MAC addresses

src-dst-ip

description <description_str>

Optionally, enter a description.

No default

members <port> [<port>] ... [<port>]

Enter the names of the ports that belong to this trunk. Separate the names with spaces.

No default

member-withdrawal-behavior {block | forward}

Set the port behavior after it withdraws because of the loss of control packets.

block

max-miss-heartbeats <3-32>

Enter the maximum number of heartbeat messages that can be lost before the FortiGate is deemed to be unavailable. Set a value between 3 and 32.

10

hb-out-vlan

Enter the outgoing VLAN value.

0

hb-in-vlan

Enter the incoming VLAN value.

0

hb-src-ip

Enter the source IP address for the heartbeat packet.

0.0.0.0

hb-dst-ip

Enter the destination IP address for the heartbeat packet.

0.0.0.0

hb-src-udp-port

Enter the source UDP port value for the heartbeat packet.

0

hb-dst-udp-port

Enter the destination UDP port value for the heartbeat packet.

0

hb-verify

Enable or disable heartbeat packet verification.

disable

Example

The following example creates trunk tr1 with heartbeat capability:

config switch trunk

edit "tr1"

set mode fortinet-trunk

set members "port1" "port2"

set hb-out-vlan 300

set hb-in-vlan 500

set hb-src-ip 10.105.7.200

set hb-dst-ip 10.105.7.199

set hb-src-udp-port 12345

set hb-dst-udp-port 54321

set hb-verify enable

next

end

config switch virtual-port

Use this command to configure DHCP snooping on VXLAN virtual ports. Virtual ports are configured automatically by the system; users cannot create them.

Syntax

config switch virtual-port

edit <virtual_port_name>

set description <string>

set dhcp-snooping {trusted | untrusted}

set dhcp-snoop-learning-limit-check {enable | disable}

set dhcp-snoop-learning-limit <1-16000>

next

end

Variable

Description

Default

<virtual_port_name>

Enter a name for the virtual port. The name must be in the following format:

vni.<VNI>.<remote_end_VTEP_IP_address>

For example, if the VXLAN network identifier (VNI) is 100 and the remote end of the VXLAN tunnel is at 1.1.1.1, the virtual port name is vni.100.1.1.1.1.

No default

description <string>

Enter a description for the virtual port.

No default

dhcp-snooping {trusted | untrusted}

Set the virtual port to trusted or untrusted for DHCP snooping.

trusted

dhcp-snoop-learning-limit-check {enable | disable}

Enable or disable whether there is a limit for how many IP addresses are in the DHCP-snooping binding database for this virtual port.

The set dhcp-snoop-learning-limit-check command is available only when dhcp-snooping has been set to untrusted.

disable

dhcp-snoop-learning-limit <1-16000>

Set the maximum number of IP addresses learned on this virtual port for the DHCP-snooping binding database.

The set dhcp-snoop-learning-limit command is available only when dhcp-snoop-learning-limit-check is enabled.

5

Example

The following example enables DHCP snooping on VNI 100 with the remote end of the VXLAN tunnel at 1.1.1.1. The number of IP addresses learned for the DHCP-snooping binding database has been limited to 100.

config switch virtual-port

edit vni.100.1.1.1.1

set description "virtual port for VNI 100"

set dhcp-snooping untrusted

set dhcp-snoop-learning-limit-check enable

set dhcp-snoop-learning-limit 100

next

end

config switch virtual-wire

Use this command to forward traffic between two ports with minimal filtering or packet modifications. The VLAN setting is optional.

NOTE: Virtual-wire ports will not be able to transmit or receive packets from other members of the VLAN or other virtual-wires that use the same VLAN. The VLAN should not have complex configurations such as private VLAN.

Syntax

config switch virtual-wire

edit <id>

set first-member <port>

set second-member <port>

set vlan <1-4095>

next

end

Variable

Description

Default

<id>

Enter a unique integer to create a new entry.

No default

first-member <port>

The first member port of the virtual-wire pair.

No default

second-member <port>

The second member port of the virtual-wire pair.

No default

vlan <1-4095>

The VLAN used by the virtual wire. The VLAN can be shared between virtual wires and non-virtual-wire ports, but the virtual-wire ports do not exchange traffic with those other members of the VLAN.

4011

Example

The following example creates a virtual wire between ports 7 and 8:

config switch virtual-wire

edit 1

set first-member "port7"

set second-member "port8"

set vlan 70

next

end

config switch vlan

Use this command to configure VLANs.

Syntax

config switch vlan

edit <VLAN_ID>

set access-vlan {enable | disable}

set assignment-priority <1-255>

set cos-queue <0-7>

set description <description_str>

set dhcp-snooping {enable | disable | monitor}

set dhcp-snooping-verify-mac {enable | disable}

set dhcp-snooping-option82 {enable | disable}

set arp-inspection {enable | disable | monitor}

set dhcp6-snooping {enable | disable}

set igmp-snooping {enable | disable}

set igmp-snooping-querier {enable | disable}

set igmp-snooping-querier-addr <IPv4_address>

set igmp-snooping-querier-version {2|3}

set igmp-snooping-fast-leave {enable | disable}

set igmp-snooping-proxy {enable | disable}

set lan-segment {enable | disable}

set lan-subvlans <VLAN_identifiers>

set lan-internal-vlan <VLAN_identifier>

set learning {enable | disable}

set learning-limit <integer>

set mld-snooping {enable | disable}

set mld-snooping-fast-leave {enable | disable}

set mld-snooping-querier {enable | disable}

set mld-snooping-querier-addr <IPv6_address>

set mld-snooping-proxy {enable | disable}

set policer <integer>

set private-vlan {enable | disable}

set isolated-vlan <integer>

set community-vlans <vlan_map>

set rspan-mode {enable | disable}

config dhcp-snooping-static-client

set mac-addr <MAC_address>

set switch-interface <interface_name>

set ip-addr <IPv4_address>

config igmp-snooping-static-group

edit <group_name>

set mcast-addr <IPv4_address>

set members <interface_name1> <interface_name2>...

set ignore-reports {enable | disable}

end

config mld-snooping-static-group

edit <group_name>

set mcast-addr <IPv6_address>

set members <interface_name1> <interface_name2>...

set ignore-reports {enable | disable}

end

config member-by-mac

config member-by-ipv4

config member-by-ipv6

config member-by-proto

config dhcp-server-access-list

end

Variable

Description

Default

<vlan id>

Enter a VLAN identifier.

No default

access-vlan {enable | disable}

Set to enable to block FortiSwitch port-to-port traffic on this VLAN while allowing traffic to and from the FortiGate unit. Set to disable to allow normal VLAN traffic.

disable

assignment-priority <1-255>

Assign a priority to the VLAN. If there is more than one VLAN with the same name (specified in the set description command), FortiSwitchOS selects the VLAN with the lowest assignment-priority value (which is the highest priority) of the VLANs with names (specified in the set description command) that match the RADIUS Egress-VLAN-Name attribute.

128

cos-queue <0-7>

Specify which class of service (CoS) queue is used for traffic on this VLAN or use the unset cos-queue command to disable this setting.

This command is available only in FortiLink mode.

No default

description <description_str>

Optionally, enter a description.

If the Tunnel-Private-Group-Id attribute on the RADIUS server was set to the VLAN name, set the description to the same string. For example:

set description "newvlan"

No default

dhcp-snooping {enable | disable | monitor}

Select the setting for IPv4 DHCP snooping:

  • enable—Enable IPv4 DHCP snooping on this VLAN.

  • disable—Disable IPv4 DHCP snooping on this VLAN.

  • monitor—Monitor IPv4 DHCP snooping on this VLAN.

disable

dhcp-snooping-verify-mac {enable | disable}

Enable or disable whether to verify the source MAC address. This option is available only if dhcp-snooping is set to enable.

disable

dhcp-snooping-option82 {enable | disable}

Enable or disable whether to insert option-82 fields. This option is available only if dhcp-snooping is set to enable.

disable

arp-inspection {enable | disable | monitor}

Specify one of the following:

  • enable—Enable dynamic ARP inspection.

  • disable—Disable dynamic ARP inspection.

  • monitor—Monitor ARP packets.

NOTE: You must set dhcp-snooping to enable to be able to set arp-inspection to enable or monitor.

disable

dhcp6-snooping {enable | disable}

Enable or disable IPv6 DHCP snooping for this VLAN.

disable

igmp-snooping {enable | disable}

Enable or disable IGMP snooping on the VLAN.

disable

igmp-snooping-fast-leave {enable | disable}

Enable or disable IGMP-snooping fast leave on this VLAN. This field is only available if igmp-snooping is enabled.

enable

igmp-snooping-querier {enable | disable}

Enable or disable whether periodic IGMP-snooping queries are sent to get IGMP reports. This field is only available if igmp-snooping is enabled.

disable

igmp-snooping-querier-addr <IPv4_address>

Required. Enter the IPv4 address for the IGMP-snooping querier. This field is only available if igmp-snooping-querier is enabled.

0.0.0.0

igmp-snooping-querier-version {2|3}

Select whether to use the IGMP-snooping querier version 2 or version 3.

2

igmp-snooping-proxy {enable | disable}

Enable or disable the IGMP-snooping proxy on this VLAN. When the IGMP-snooping proxy is enabled, this VLAN sends IGMP reports. This field is only available if igmp-snooping is enabled.

disable

lan-segment {enable | disable}

Enable or disable the use of LAN segments.

disable

lan-subvlans <VLAN_identifiers>

Enter the VLAN identifiers to assign to the LAN segment. You can enter single VLANs or ranges of VLANs, separated by commas without white space. For example: “1,2-4,5,7,9-100”. The value must be less than 4,096 characters. This field is only available if lan-segment is enabled.

No default

lan-internal-vlan <VLAN_identifier>

For the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-108F, FS-108F-POE, FS-108F-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models only.

After you enable LAN segments, FortiSwitchOS automatically assigns a VLAN for internal use. This VLAN cannot be used for any other purpose. If you want to assign a different internal VLAN, type set lan-internal-vlan ? to see a range of VLANs; however, these VLANs might not be available. If no VLANs are available to be used as an internal VLAN, the LAN segment configuration returns an error message.

This field is only available if lan-segment is enabled.

0

learning {enable | disable}

Enable or disable layer-2 learning on this VLAN.

enable

learning-limit <integer>

Limit the number of dynamic MAC addresses on this VLAN. The per-VLAN MAC address learning limit is between 1 and 128. Set the value to 0 for no limit.

0

mld-snooping {enable | disable}

Enable or disable Multicast Listener Discovery (MLD) snooping for this VLAN.

disable

mld-snooping-fast-leave {enable | disable}

Enable or disable MLD-snooping fast leave on this VLAN. This field is only available if mld-snooping is enabled.

enable

mld-snooping-querier {enable | disable}

Enable or disable whether periodic MLD-snooping queries are sent to get MLD reports. This field is only available if mld-snooping is enabled.

disable

mld-snooping-querier-addr <IPv6_address>

Required. Enter the IPv6 address for the MLD-snooping querier. This field is only available if mld-snooping-querier is enabled.

::

mld-snooping-proxy {enable | disable}

Enable or disable the MLD-snooping proxy on this VLAN. When the MLD-snooping proxy is enabled, this VLAN sends MLD reports. This field is only available if mld-snooping is enabled.

disable

policer <integer>

Set the policer for the traffic on this VLAN.

This command is available only in FortiLink mode.

0

private-vlan {enable | disable}

Set to enable if this is a private VLAN.

disable

isolated-vlan <integer>

(Valid if private VLAN is enabled) Enter the isolated VLAN.

0

community-vlans <vlan_map>

(Valid if private VLAN is enabled) Enter the communities within this private VLAN. Enter single VLANs or ranges of VLANS separated by commas without white space. For example: 1,3-4,6,7,9-100

No default

rspan-mode {enable | disable}

Enable or disable port mirroring using the remote switch port analyzer (RSPAN) on this VLAN.

disable

config dhcp-snooping-static-client

mac-addr <MAC_address>

Specify a MAC address to bind to an IP address for this VLAN. Use the form of xx:xx:xx:xx:xx:xx.

00:00:00:00:00:00

switch-interface <interface_name>

Specify the switch interface to associate with this DHCP-snooping static entry.

To find out which switch interfaces are valid, type set switch-interface ?.

No default

ip-addr <IPv4_address>

Specify the IPv4 address to bind to a MAC address for this VLAN.

0.0.0.0

config igmp-snooping-static-group

<group_name>

Enter the IGMP static group name.

No default

mcast-addr <IPv4_address>

Enter the IPv4 multicast address for the IGMP static group.

0.0.0.0

members <interface_name1> <interface_name2>...

Enter the interfaces that belong to the IGMP static group.

No default

ignore-reports {enable | disable}

Enable or disable whether IGMP snooping ignores dynamic joins from other ports.

disable

config mld-snooping-static-group

<group_name>

Enter the MLD static group name.

No default

mcast-addr <IPv6_address>

Enter the IPv6 multicast address for the MLD static group.

No default

members <interface_name1> <interface_name2>...

Enter the interfaces that belong to the MLD static group.

No default

ignore-reports {enable | disable}

Enable or disable whether MLD snooping ignores dynamic joins from other ports.

disable

config member-by

Use this command to assign VLANs based on specific fields in the packet (source MAC address, source IP address, or layer-2 protocol).

config switch vlan

edit <vlan id>

config member-by-mac

edit <id>

set mac XX:XX:XX:XX:XX:XX

set description <128 byte string>

next

end

config member-by-ipv4

edit <id>

set address a.b.c.d/e

set description <128-byte string>

next

end

config member-by-ipv6

edit <id>

set prefix xx:xx:xx:xx::/prefix

set description <128-byte string>

next

end

config member-by-proto

edit <id>

set frametypes {ethernet2 | 802.3d | llc}

set protocol <6-digit hex value>

end

Variable

Description

Default

config member-by-mac

edit <id>

For a new entry, enter an unused ID.

No default

mac XX:XX:XX:XX:XX:XX

Enter a MAC address. If the source MAC address of an incoming packet matches this value, the associated VLAN will be assigned to the packet.

00:00:00:00:00:00

description

Enter up to 128 characters.

No default

config member-by-ipv4

edit <id>

For a new entry, enter an unused ID.

No default

address a.b.c.d/e

Enter an IPv4 address and network mask. If the source IP address of an incoming packet matches this value, the associated VLAN will be assigned to the packet. The subnet mask must be a value in the range of 1-32.

0.0.0.0 0.0.0.0

description

Enter up to 128 characters.

No default

config member-by-ipv6

edit <id>

For a new entry, enter an unused ID.

No default

prefix xx:xx:xx:xx::/prefix

Enter an IPv6 prefix. If the source IP address of an incoming packet matches this value, the associated VLAN will be assigned to the packet. The /prefix must be in the range of 1-64.

::/0

description

Enter up to 128 characters.

No default

config member-by-proto

edit <id>

For a new entry, enter an unused ID.

No default

frametypes {ethernet2 | 802.3d | llc}

Enter one or more Ethernet frame types. Set this value to llc for logical link control. Set this value to 802.3d for 802.3d and SNAP.

ethernet2 802.3d llc

protocol <6-digit hex value>

Enter an Ethernet protocol value. If the frame type and Ethernet protocol value of an incoming packet match these values, the associated VLAN will be assigned to the packet. The value range is 0-65535 (0x0000-0xFFFF).

0x0000

Example

The following example configures a VLAN:

config switch vlan

edit 100

config member-by-mac

edit 1

set description "pc2"

set mac 00:21:cc:d2:76:72

next

end

end

end

The following example configures the IGMP-snooping querier:

config switch vlan

edit 100

set igmp-snooping enable

set igmp-snooping-querier enable

set igmp-snooping-querier-addr 1.2.3.4

set igmp-snooping-querier-version 3

next

end

config dhcp-server-access-list

Use this command to create a list of DHCP servers that DHCP snooping will include in the allowed server list. This list is used only if the set dhcp-server-access-list command has been enabled; see config system global.

config switch vlan

edit <vlan id>

set dhcp-snooping enable

set dhcp6-snooping enable

config dhcp-server-access-list

edit <string>

set server-ip <xxx.xxx.xxx.xxx>

set server-ip6 <xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx>

next

end

next

end

Variable

Description

Default

edit <vlan id>

Enter a VLAN identifier.

No default

dhcp-snooping enable

Enable for IPv4 DHCP snooping.

The config dhcp-server-access-list command is available only after DHCP snooping (IPv4 or IPv6) has been enabled for that VLAN.

disable

dhcp6-snooping enable

Enable for IPv6 DHCP snooping.

The config dhcp-server-access-list command is available only after DHCP snooping (IPv4 or IPv6) has been enabled for that VLAN.

disable

config dhcp-server-access-list

edit <string>

Enter the name of the DHCP server access list.

No default

server-ip <xxx.xxx.xxx.xxx>

If you enabled IPv4 DHCP snooping, enter a Class A, B, or C IPv4 address for the DHCP server.

0.0.0.0

server-ip6 <xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx>

If you enabled IPv6 DHCP snooping, enter the IPv6 address for the DHCP server.

No default

Example

The following example configures IPv4 DHCP snooping to include the specified DHCP server in the allowed server list:

config switch vlan

edit 100

set dhcp-snooping enable

config dhcp-server-access-list

edit "DHCPserver1"

set server-ip 128.8.0.0

next

end

next

end

The following example configures IPv6 DHCP snooping to include the specified DHCP server in the allowed server list:

config switch vlan

edit 100

set dhcp6-snooping enable

config dhcp-server-access-list

edit "DHCPserver1"

set server-ip6 3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234

next

end

next

end
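The dhcp-server-access-list description above states three conditions for the allowed server list to take effect: the list is used only when the global set dhcp-server-access-list setting is enabled, it is available only once dhcp-snooping or dhcp6-snooping is enabled on the VLAN, and each entry names one IPv4 or IPv6 server. The following added example (my code, not Fortinet's) parses a configuration written in the config/edit/set/next/end syntax shown on this page and then audits a constructed list of observed DHCP server replies against those conditions, reporting servers that are not on the VLAN's list. The parser is a minimal one written for this example, and the sample configuration reuses the page's two examples plus an invented VLAN 300 with no snooping.

```python
import shlex
from ipaddress import ip_address


def parse_fortiswitch_config(text: str) -> dict:
    """Parse the nested config/edit/set/next/end block syntax used on this page into dicts."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)          # honours the double quotes around names
        keyword = tokens[0]
        if keyword == "config":
            stack.append(stack[-1].setdefault(" ".join(tokens[1:]), {}))
        elif keyword == "edit":
            stack.append(stack[-1].setdefault(tokens[1], {}))
        elif keyword == "set":
            stack[-1][tokens[1]] = tokens[2] if len(tokens) == 3 else tokens[2:]
        elif keyword in ("next", "end"):
            stack.pop()
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced config/edit blocks")
    return root


# Constructed configuration: the page's IPv4 and IPv6 examples plus a VLAN without snooping.
CONSTRUCTED_CONFIG = """
config system global
    set dhcp-server-access-list enable
end
config switch vlan
    edit 100
        set dhcp-snooping enable
        config dhcp-server-access-list
            edit "DHCPserver1"
                set server-ip 128.8.0.0
            next
        end
    next
    edit 200
        set dhcp6-snooping enable
        config dhcp-server-access-list
            edit "DHCPserver1"
                set server-ip6 3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234
            next
        end
    next
    edit 300
    next
end
"""


def allowed_servers(cfg: dict, vlan_id: int):
    """Return (ipv4 snooping on, ipv6 snooping on, set of listed server addresses) for a VLAN."""
    vlan = cfg.get("switch vlan", {}).get(str(vlan_id), {})
    servers = set()
    for entry in vlan.get("dhcp-server-access-list", {}).values():
        for key in ("server-ip", "server-ip6"):
            value = entry.get(key)
            if value and value != "0.0.0.0":         # 0.0.0.0 is the page's "unset" default
                servers.add(ip_address(value))
    return vlan.get("dhcp-snooping") == "enable", vlan.get("dhcp6-snooping") == "enable", servers


def is_unlisted_server(cfg: dict, vlan_id: int, server_ip: str) -> bool:
    """True when a DHCP server reply from server_ip on vlan_id is outside the allowed list."""
    if cfg.get("system global", {}).get("dhcp-server-access-list") != "enable":
        return False                  # the list is used only when enabled globally
    addr = ip_address(server_ip)
    v4, v6, servers = allowed_servers(cfg, vlan_id)
    if not (v4 if addr.version == 4 else v6):
        return False                  # the list applies only once snooping is on for that VLAN
    return addr not in servers


def audit_server_replies(cfg: dict, replies):
    """replies: iterable of (vlan_id, server_ip) observed on the wire; returns the unlisted ones."""
    return [(vlan, ip) for vlan, ip in replies if is_unlisted_server(cfg, vlan, ip)]


# Constructed sample of observed DHCP server replies (VLAN, server source address).
SAMPLE_REPLIES = [
    (100, "128.8.0.0"),
    (100, "192.0.2.9"),
    (200, "3f2e:6a8b:78a3:d82:1725:6a2f:370:6234"),
    (200, "2001:db8::1"),
    (300, "192.0.2.9"),
]

CONFIG = parse_fortiswitch_config(CONSTRUCTED_CONFIG)
```

The VLAN 300 case is the one to notice when auditing: a server-access-list entry on a VLAN where neither dhcp-snooping nor dhcp6-snooping is enabled is never consulted, so a rogue server there goes unreported.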

config switch vlan-tpid

Use this command to configure the VLAN TPID profile for VLAN stacking (QnQ). Each VLAN TPID profile contains one value for the EtherType field.

The FortiSwitch unit supports a maximum of four VLAN TPID profiles, including the default (0x8100). The default VLAN TPID profile (0x8100) cannot be deleted or changed.

To configure VLAN stacking and to select which VLAN TPID profile to use, see config switch interface.

Syntax

config switch vlan-tpid

edit <VLAN_TPID_profile_name>

set ether-type <0x0001-0xfffe>

next

end

Variable

Description

Default

<VLAN_TPID_profile_name>

Enter a name for the VLAN TPID profile.

No default

ether-type <0x0001-0xfffe>

Enter a hexadecimal value for the EtherType field.

0x8100

config switch acl egress

Use this command to configure an access control list (ACL) for an egress policy.

Syntax

config switch acl egress

edit <policy_ID>

set description <string>

set interface <port_name>

set schedule <schedule_name>

set status {active | inactive}

config classifier

set cos <802.1Q CoS value to match>

set dscp <DSCP value to match>

set dst-ip-prefix <IP_address> <mask>

set dst-mac <MAC_address>

set ether-type <integer>

set service <service_ID>

set src-ip-prefix <IP_address> <mask>

set src-mac <MAC_address>

set vlan-id <VLAN_ID>

end

config action

set count {enable | disable}

set count-type {all | green | yellow}

set drop {enable | disable}

set mirror <mirror_session>

set outer-vlan-tag <integer>

set policer <policer>

set redirect <interface_name>

set remark-dscp <0-63>

end

end

Variable

Description

Default

<policy-id>

Enter the unique ID number of this policy.

No default

description <string>

Enter a description or other information about the policy. The description is limited to 63 characters. Enclose the string in single quotes to enter special characters or spaces.

No default

interface <port_name>

Interface that the policy applies to.

No default

schedule <schedule_name>

Select a schedule for when the ACL policy will be enforced.

The schedule must have been defined already with the config system schedule command.

No default

status {active | inactive}

Make the egress ACL policy active or inactive.

active

config classifier

cos <802.1Q CoS value to match>

Enter the 802.1Q CoS value to match.

No default

dscp <DSCP value to match>

Enter the DSCP value to match.

No default

dst-ip-prefix <IP_address> <mask>

Destination IP address and subnet mask to be matched.

0.0.0.0 0.0.0.0

dst-mac <MAC_address>

Destination MAC address to be matched.

00:00:00:00:00:00

ether-type <integer>

Ethernet type to be matched.

0x0000

service <service_ID>

Service type to be matched.

No default

src-ip-prefix <IP_address> <mask>

Source IP address and subnet mask to be matched.

0.0.0.0 0.0.0.0

src-mac <MAC_address>

Source MAC address to be matched.

00:00:00:00:00:00

vlan-id <VLAN_ID>

VLAN identifier to be matched.

0

config action

count {enable | disable}

Enable or disable the count action.

disable

count-type {all | green | yellow}

You can select all to count all egress packets, green to count egress packets if the traffic rate is within the guaranteed information rate, and yellow to count all other egress packets.

No default

drop {enable | disable}

Enable or disable the drop action.

disable

mirror <mirror_session>

Mirror session name.

No default

outer-vlan-tag <integer>

Outer VLAN tag.

0

policer <policer>

Identifier of the policer to associate with this policy. To create a policer, see config switch acl policer.

0

redirect <interface_name>

Redirect interface name.

No default

remark-dscp <0-63>

Set the DSCP marking value.

No default

config switch acl ingress

Use this command to configure an ACL for an ingress policy. Starting in FortiSwitchOS 6.2.0, you can create groups for multiple ingress ACLs. Starting in FortiSwitchOS 7.2.3, IPv6 addresses are supported.

Syntax

config switch acl ingress

edit <policy-id>

set description <string>

set group <group_ID>

set ingress-interface <port> [<port> ... <port>]

set ingress-interface-all {enable | disable}

set schedule <schedule_name>

set status {active | inactive}

config classifier

set cos <802.1Q CoS value to match>

set dscp <DSCP value to match>

set dst-ip-prefix <IPv4_address> <mask>

set dst-ip6-prefix <IPv6_address> <prefix>

set dst-mac <MAC_address>

set ether-type <integer>

set service <service-id>

set src-ip-prefix <IPv4_address> <mask>

set src-ip6-prefix <IPv6_address> <prefix>

set src-mac <MAC_address>

set vlan-id <vlan-id>

end

config action

set cos-queue <0-7>

set count {enable | disable}

set count-type {all | green | yellow | red}

set cpu-cos-queue <integer>

set drop {enable | disable}

set egress-mask {<physical_port_name> | internal}

set mirror <mirror_session>

set outer-vlan-tag <integer>

set policer <policer>

set redirect <interface_name>

set redirect-bcast-cpu {enable | disable}

set redirect-bcast-no-cpu {enable | disable}

set redirect-physical-port <list of physical ports to redirect>

set remark-cos <0-7>

set remark-dscp <0-63>

end

end

Variable

Description

Default

<policy-id>

Enter the unique ID number of this policy.

No default

description <string>

Enter a description or other information about the policy. The description is limited to 63 characters. Enclose the string in single quotes to enter special characters or spaces.

No default

group <group_ID>

Enter the group identifier of the policy. The range of group identifiers varies among the different platforms.

Starting in FortiSwitchOS 6.2.0, you can create groups for multiple ingress ACLs.

NOTE: The group identifier must be 3 or higher to be able to use IPv6 addresses.

1

ingress-interface <port> [<port> ... <port>]

If ingress-interface-all is disabled, enter the interface list to which the policy is bound on the ingress.

No default

ingress-interface-all {enable | disable}

If enabled, policy is bound to all interfaces.

disable

schedule <schedule_name>

Select a schedule for when the ACL policy will be enforced.

The schedule must have been defined already with the config system schedule command.

No default

status {active | inactive}

Make the ingress ACL policy active or inactive.

active

config classifier

cos <802.1Q CoS value to match>

Enter the 802.1Q CoS value to match. The range of values is 0-7.

0

dscp <DSCP value to match>

Enter the DSCP value to match. The range of values is 0-63.

0

dst-ip-prefix <IPv4_address> <mask>

Enter the destination IPv4 address and subnet mask to be matched.

0.0.0.0 0.0.0.0

dst-ip6-prefix <IPv6_address> <prefix>

Enter the destination IPv6 address and prefix to be matched.

NOTE: You must set group to 3 or higher for this option to be available. If you are going to use a dynamic ACL, set group to 4 or higher.

::/0

dst-mac <MAC_address>

Enter the destination MAC address to be matched.

00:00:00:00:00:00

ether-type <integer>

Enter the Ethernet type to be matched. The range of values is 0-65535.

0x0000

service <service-id>

Enter the service type to be matched.

No default

src-ip-prefix <IPv4_address> <mask>

Enter the source IPv4 address and subnet mask to be matched.

0.0.0.0 0.0.0.0

src-ip6-prefix <IPv6_address> <prefix>

Enter the source IPv6 address and prefix to be matched.

NOTE: You must set group to 3 or higher for this option to be available. If you are going to use a dynamic ACL, set group to 4 or higher.

::/0

src-mac <MAC_address>

Enter the source MAC address to be matched.

00:00:00:00:00:00

vlan-id <vlan-id>

Enter the VLAN identifier to be matched. The range of values is 1-4094.

0

config action

cos-queue <0-7>

CoS queue number (0-7).

No default

count

Enable or disable the count action.

disable

count-type {all | green | yellow | red}

You can select all to count all ingress packets, green to count ingress packets if the traffic rate is within the guaranteed information rate, yellow to count ingress packets if they exceed the committed burst size but do not exceed the excess burst size, and red to count all other ingress packets.

No default

cpu-cos-queue <integer>

CPU CoS queue number. This CoS queue is only used if the packets reach the CPU. Enter set cpu-cos-queue ? to see the value range.

disabled

drop

Enable or disable the drop action.

disable

egress-mask {<physical_port_name> | internal}

List of physical ports to be configured in egress mask.

none

mirror <mirror_session>

Mirror session name.

No default

outer-vlan-tag

Outer VLAN tag. The range of values is 1-4094.

0

policer

Identifier of the policer to associate with this policy. To create a policer, see config switch acl policer.

0

redirect <interface_name>

Redirect interface name.

No default

redirect-bcast-cpu

Redirect broadcast to all ports including the CPU.

disable

redirect-bcast-no-cpu

Redirect broadcast to all ports excluding the CPU.

disable

redirect-physical-port

List of ports to redirect the packet.

none

remark-cos <0-7>

Set the CoS marking value. The range is 0-7.

No default

remark-dscp <0-63>

Set the DSCP marking value. The range is 0-63.

No default

Examples

In the following example, traffic from VLAN 3 is blocked to a specified destination IP subnet (10.10.0.0/16) but allowed to all other destinations:

config switch acl ingress

edit 1

config action

set count enable

set drop enable

end

config classifier

set dst-ip-prefix 10.10.0.0 255.255.0.0

set vlan-id 3

end

set ingress-interface-all enable

set status inactive

next

edit 2

config classifier

set vlan-id 3

end

set ingress-interface-all enable

set status active

next

end

In the following example, packets are classified by matching both the CoS and DSCP values. Both the CoS and DSCP marking values are set:

config switch acl ingress

edit 1

config classifier

set src-mac 11:22:33:aa:bb:cc

set cos 2

set dscp 10

end

config action

set count enable

set remark-cos 4

set remark-dscp 20

end

set ingress-interface port2

set status active

end
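The two ingress ACL examples above combine a classifier (vlan-id, src-mac, dst-ip-prefix with mask, cos, dscp), an action (count, drop, remark-cos, remark-dscp), an interface binding (ingress-interface or ingress-interface-all) and a status. The following added example (my code, not Fortinet's firmware logic) is a small Python evaluator that applies those semantics to constructed packets, so the effect of both page examples can be checked. Two things are assumptions rather than statements from the page: the lowest-numbered matching active policy decides (the ordering the VLAN 3 example relies on, with the specific rule at ID 1 and the catch-all at ID 2), and a classifier field left at its page default (0, 00:00:00:00:00:00, 0.0.0.0 0.0.0.0, or unset cos/dscp) is not matched on. Note that the first page example sets policy 1 to inactive as written; the evaluator takes the status literally, so that policy only blocks the 10.10.0.0/16 traffic once it is set to active.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

UNSET_MAC = "00:00:00:00:00:00"        # page default: field not used for matching (assumed)
ANY_PREFIX = "0.0.0.0 0.0.0.0"         # page default: matches every address


@dataclass(frozen=True)
class Packet:
    ingress_port: str
    vlan_id: int
    src_mac: str
    src_ip: str
    dst_ip: str
    cos: int = 0
    dscp: int = 0


@dataclass
class IngressPolicy:
    policy_id: int
    status: str = "active"
    ingress_interface_all: bool = False
    ingress_interface: Tuple[str, ...] = ()
    # classifier
    vlan_id: int = 0
    src_mac: str = UNSET_MAC
    src_ip_prefix: str = ANY_PREFIX
    dst_ip_prefix: str = ANY_PREFIX
    cos: Optional[int] = None
    dscp: Optional[int] = None
    # action
    count: bool = False
    drop: bool = False
    remark_cos: Optional[int] = None
    remark_dscp: Optional[int] = None
    hits: int = 0                       # incremented when count is enabled


def _in_prefix(prefix: str, ip: str) -> bool:
    """'<address> <mask>' as written on the page, e.g. '10.10.0.0 255.255.0.0'."""
    address, mask = prefix.split()
    return IPv4Address(ip) in IPv4Network(f"{address}/{mask}", strict=False)


def classifier_matches(p: IngressPolicy, pkt: Packet) -> bool:
    if p.status != "active":
        return False
    if not (p.ingress_interface_all or pkt.ingress_port in p.ingress_interface):
        return False
    if p.vlan_id and pkt.vlan_id != p.vlan_id:
        return False
    if p.src_mac != UNSET_MAC and pkt.src_mac.lower() != p.src_mac.lower():
        return False
    if p.cos is not None and pkt.cos != p.cos:
        return False
    if p.dscp is not None and pkt.dscp != p.dscp:
        return False
    return _in_prefix(p.src_ip_prefix, pkt.src_ip) and _in_prefix(p.dst_ip_prefix, pkt.dst_ip)


@dataclass(frozen=True)
class Verdict:
    policy_id: Optional[int]
    dropped: bool
    cos: int
    dscp: int


def evaluate(policies: List[IngressPolicy], pkt: Packet) -> Verdict:
    """Assumed precedence: the lowest-numbered matching active policy decides."""
    for p in sorted(policies, key=lambda x: x.policy_id):
        if classifier_matches(p, pkt):
            if p.count:
                p.hits += 1
            return Verdict(p.policy_id, p.drop,
                           pkt.cos if p.remark_cos is None else p.remark_cos,
                           pkt.dscp if p.remark_dscp is None else p.remark_dscp)
    return Verdict(None, False, pkt.cos, pkt.dscp)   # no policy matched: forwarded unchanged


def vlan3_policies(policy1_status: str = "inactive") -> List[IngressPolicy]:
    """The page's first ingress example; policy 1 is 'inactive' as written there."""
    return [
        IngressPolicy(1, status=policy1_status, ingress_interface_all=True, vlan_id=3,
                      dst_ip_prefix="10.10.0.0 255.255.0.0", count=True, drop=True),
        IngressPolicy(2, ingress_interface_all=True, vlan_id=3),
    ]


def remark_policies() -> List[IngressPolicy]:
    """The page's second ingress example: match CoS 2 / DSCP 10 from one MAC on port2, re-mark."""
    return [IngressPolicy(1, ingress_interface=("port2",), src_mac="11:22:33:aa:bb:cc",
                          cos=2, dscp=10, count=True, remark_cos=4, remark_dscp=20)]
```

Running evaluate() over the VLAN 3 policies with a packet to 10.10.5.5 shows the practical check worth doing before deploying an ACL: with policy 1 inactive the packet falls through to policy 2 and is forwarded; only with policy 1 active is it dropped and counted.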

config switch acl policer

Use this command to configure an ACL policer for egress or ingress policies.

Syntax

config switch acl policer

edit <policer index>

set description <string>

set guaranteed-bandwidth <bandwidth_value>

set guaranteed-burst <in_bytes>

set maximum-burst <in_bytes>

set type {egress | ingress}

end

Variable

Description

Default

<policer index>

Enter the index for this ACL policer.

No default

description <string>

Enter a text description for the policer.

No default

guaranteed-bandwidth <bandwidth_value>

Enter the amount of bandwidth guaranteed to be available for traffic controlled by the policy. The value range is 0 to 16 776 000 Kbits/second.

0

guaranteed-burst <in_bytes>

Guaranteed burst size in bytes (max value = 4294967295).

0

maximum-burst <in_bytes>

Maximum burst size in bytes (max value = 4294967295).

0

type {egress | ingress}

Specify whether the policer is for egress or ingress policies.

ingress

Example

This example shows how to configure an ACL policer for egress policies.

config switch acl policer

edit 1

set description policer1

set guaranteed-bandwidth 8776000

set guaranteed-burst 858993459

set maximum-burst 4294967295

set type egress

end
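The policer parameters above (guaranteed-bandwidth in Kbits/second, guaranteed-burst and maximum-burst in bytes) are what the ingress count-type colours refer to: green for packets within the guaranteed rate, yellow for packets that exceed the committed burst but not the excess burst, and red for everything else. The page does not name the marking algorithm, so the following added example (my code, not Fortinet's) models it as a single-rate three-colour marker with the usual two-token-bucket behaviour, mapping guaranteed-bandwidth to the committed rate, guaranteed-burst to the committed bucket and maximum-burst to the excess bucket; that mapping is an assumption. The packet timings and sizes are constructed.

```python
from typing import Dict, List, Tuple


class SingleRatePolicer:
    """Single-rate, three-colour token-bucket model of an ACL policer (assumed semantics).

    guaranteed_bandwidth_kbps -> committed rate (the page's Kbits/second value)
    guaranteed_burst_bytes    -> committed burst size, the C bucket
    maximum_burst_bytes       -> excess burst size, the E bucket
    """

    def __init__(self, guaranteed_bandwidth_kbps: int,
                 guaranteed_burst_bytes: int, maximum_burst_bytes: int):
        self.bytes_per_second = guaranteed_bandwidth_kbps * 1000 / 8
        self.cbs = guaranteed_burst_bytes
        self.ebs = maximum_burst_bytes
        self.tc = float(guaranteed_burst_bytes)     # both buckets start full
        self.te = float(maximum_burst_bytes)
        self.last_time = 0.0
        self.counts: Dict[str, int] = {"green": 0, "yellow": 0, "red": 0}

    def _refill(self, now: float) -> None:
        """Add tokens for the elapsed time to C first; what C cannot hold spills into E."""
        elapsed = max(0.0, now - self.last_time)
        self.last_time = max(self.last_time, now)
        tokens = elapsed * self.bytes_per_second
        into_c = min(tokens, self.cbs - self.tc)
        self.tc += into_c
        self.te = min(float(self.ebs), self.te + tokens - into_c)

    def colour(self, now: float, size_bytes: int) -> str:
        """Classify one packet of size_bytes arriving at time now (seconds)."""
        self._refill(now)
        if size_bytes <= self.tc:
            self.tc -= size_bytes
            result = "green"                # within the guaranteed rate
        elif size_bytes <= self.te:
            self.te -= size_bytes
            result = "yellow"               # over the committed burst, within the excess burst
        else:
            result = "red"                  # everything else
        self.counts[result] += 1
        return result


def classify_burst(policer: SingleRatePolicer, packets: List[Tuple[float, int]]) -> List[str]:
    """Colour each (timestamp, size) packet in order, returning the colours."""
    return [policer.colour(t, size) for t, size in packets]


# Constructed burst: four frames back to back at t=0, then one frame a second later.
SAMPLE_PACKETS = [(0.0, 1500), (0.0, 1500), (0.0, 1500), (0.0, 100), (1.0, 1500)]


def sample_run():
    """8000 Kbit/s with a 1500-byte committed burst and 3000-byte excess burst."""
    policer = SingleRatePolicer(8000, 1500, 3000)
    return classify_burst(policer, SAMPLE_PACKETS), policer.counts
```

With these values the first 1500-byte frame at t=0 is green, the next two drain the excess bucket and are yellow, the 100-byte frame finds both buckets empty and is red, and after one second at 1,000,000 bytes/s both buckets are full again, so the last frame is green. A count action with count-type red therefore counts exactly the traffic that a drop action on a red-marking policer would discard.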

config switch acl prelookup

Use this command to configure an ACL for a lookup policy.

Syntax

config switch acl prelookup

edit <policy_ID>

set description <string>

set interface <port_name>

set interface-all {enable | disable}

set schedule <schedule_name>

set status {active | inactive}

config classifier

set cos <802.1Q CoS value to match>

set dscp <DSCP value to match>

set dst-ip-prefix <IP_address> <mask>

set dst-mac <MAC_address>

set ether-type <integer>

set service <service_ID>

set src-ip-prefix <IP_address> <mask>

set src-mac <MAC_address>

set vlan-id <VLAN_ID>

end

config action

set count {enable | disable}

set cos-queue <0-7>

set drop {enable | disable}

set outer-vlan-tag <integer>

set remark-cos <0-7>

end

end

Variable

Description

Default

<policy-id>

Enter the unique ID number of this policy.

No default

description <string>

Enter a description or other information about the policy. The description is limited to 63 characters. Enclose the string in single quotes to enter special characters or spaces.

No default

interface <port_name>

Select which ingress interface that the policy applies to.

No default

interface-all {enable | disable}

Enable or disable whether the policy applies to all ingress interfaces.

disable

schedule <schedule_name>

Select a schedule for when the ACL policy will be enforced.

The schedule must have been defined already with the config system schedule command.

No default

status {active | inactive}

Make the prelookup ACL policy active or inactive.

active

config classifier

cos <802.1Q CoS value to match>

Enter the 802.1Q CoS value to match.

No default

dscp <DSCP value to match>

Enter the DSCP value to match.

No default

dst-ip-prefix <IP_address> <mask>

Destination IP address and subnet mask to be matched.

0.0.0.0 0.0.0.0

dst-mac <MAC_address>

Destination MAC address to be matched.

00:00:00:00:00:00

ether-type <integer>

Ethernet type to be matched.

0x0000

service <service_ID>

Service type to be matched.

No default

src-ip-prefix <IP_address> <mask>

Source IP address and subnet mask to be matched.

0.0.0.0 0.0.0.0

src-mac <MAC_address>

Source MAC address to be matched.

00:00:00:00:00:00

vlan-id <VLAN_ID>

VLAN identifier to be matched.

0

config action

count {enable | disable}

Enable or disable the count action.

disable

cos-queue <0-7>

CPU CoS queue number (20-29), used only if packets reach the CPU. The value range is 20-29.

No default

drop {enable | disable}

Enable or disable the drop action.

disable

outer-vlan-tag <integer>

Outer VLAN tag.

0

remark-cos <0-7>

Set the CoS marking value. The range is 0-7.

No default

config switch acl service custom

Use this command to customize one of the ACL services.

Syntax

config switch acl service custom

edit <service name>

set comment <string>

set color <0-32>

set protocol {ICMP | IP | TCP/UDP/SCTP}

set icmptype <0-255>

set icmpcode <0-255>

set protocol-number <IP protocol number>

set sctp-portrange <dstportlow_int>[-<dstporthigh_int>:<srcportlow_int>-<srcporthigh_int>]

set tcp-portrange <dstportlow_int>[-<dstporthigh_int>:<srcportlow_int>-<srcporthigh_int>]

set udp-portrange <dstportlow_int>[-<dstporthigh_int>:<srcportlow_int>-<srcporthigh_int>]

end

end

Variable

Description

Default

<service name>

Enter the name of this custom service.

No default

comment <string>

Add comments for the custom service.

No default

color <0-32>

Set the icon color to use in the Web-based manager. A value of zero sets the default color (1).

0

protocol {ICMP | IP | TCP/UDP/SCTP}

Select the protocol used by the service.

These protocols are available when explicit-proxy is enabled.

TCP/UDP/SCTP

icmptype <0-255>

If you set the protocol to ICMP, set the ICMP type.

0

icmpcode <0-255>

If you set the protocol to ICMP, set the ICMP code.

0

protocol-number

For an IP service, enter the IP protocol number.

0

sctp-portrange

For SCTP services, enter the destination and source port ranges.

No default

tcp-portrange

For TCP services, enter the destination and source port ranges.

No default

udp-portrange

For UDP services, enter the destination and source port ranges.

No default

Notes:
  • srcport_low and srcport_high can be omitted if the value pair is 1-65535
  • dstport_high can be omitted if dstport_low is equal to dstport_high

Example

In the following example, Server Message Block (SMB) traffic received on port 1 is mirrored to port 3. SMB protocol uses port 445:

config switch acl service custom

edit "SMB"

set tcp-portrange 445

next

end

config switch acl ingress # apply policy to port 1 ingress and send to port 3

edit 1

set description "cnt_n_mirror_smb"

set ingress-interface "port1"

config action

set count enable

set mirror "port3"

end

config classifier

set service "SMB"

set src-ip-prefix 20.20.20.100 255.255.255.255

set dst-ip-prefix 100.100.100.0 255.255.255.0

end

next

end
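The port-range syntax for tcp-portrange, udp-portrange and sctp-portrange above is <dstportlow_int>[-<dstporthigh_int>:<srcportlow_int>-<srcporthigh_int>], with the notes allowing the source pair to be omitted when it is 1-65535 and the destination high port to be omitted when it equals the low port. The following added example (my code, not Fortinet's parser) is a parser and canonical formatter for that syntax, plus a match function, so an ACL service definition such as the "SMB" example (set tcp-portrange 445) can be validated and tested offline. One generalisation beyond the literal grammar is assumed: a form like 445:1024-65535, where the destination high port is omitted but a source range is given, is accepted.

```python
import re
from dataclasses import dataclass

PORT_MIN, PORT_MAX = 1, 65535


@dataclass(frozen=True)
class PortRange:
    dst_low: int
    dst_high: int
    src_low: int = PORT_MIN
    src_high: int = PORT_MAX

    def matches(self, dst_port: int, src_port: int) -> bool:
        """True if a packet's destination and source ports both fall inside the range."""
        return (self.dst_low <= dst_port <= self.dst_high
                and self.src_low <= src_port <= self.src_high)


# dstlow[-dsthigh][:srclow-srchigh]; the optional source pair is only valid as a pair.
_RANGE_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?(?::(\d{1,5})-(\d{1,5}))?$")


def _check_port(value: int, what: str) -> int:
    if not PORT_MIN <= value <= PORT_MAX:
        raise ValueError(f"{what} port {value} is outside {PORT_MIN}-{PORT_MAX}")
    return value


def parse_portrange(text: str) -> PortRange:
    """Parse one *-portrange value into a PortRange, applying the page's omission rules."""
    m = _RANGE_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed port range: {text!r}")
    dst_low = _check_port(int(m.group(1)), "destination")
    dst_high = _check_port(int(m.group(2)), "destination") if m.group(2) else dst_low
    src_low = _check_port(int(m.group(3)), "source") if m.group(3) else PORT_MIN
    src_high = _check_port(int(m.group(4)), "source") if m.group(4) else PORT_MAX
    if dst_low > dst_high or src_low > src_high:
        raise ValueError(f"inverted range in {text!r}")
    return PortRange(dst_low, dst_high, src_low, src_high)


def format_portrange(r: PortRange) -> str:
    """Shortest form per the page's notes: drop dst_high when equal, drop source when 1-65535."""
    out = str(r.dst_low) if r.dst_low == r.dst_high else f"{r.dst_low}-{r.dst_high}"
    if (r.src_low, r.src_high) != (PORT_MIN, PORT_MAX):
        out += f":{r.src_low}-{r.src_high}"
    return out


def service_matches(portrange_text: str, dst_port: int, src_port: int) -> bool:
    """Convenience wrapper: does a custom service with this port range match the given ports?"""
    return parse_portrange(portrange_text).matches(dst_port, src_port)
```

Round-tripping a value through parse_portrange() and format_portrange() is a cheap way to confirm that a service definition in an exported configuration means what its author intended, since 445 and 445-445:1-65535 describe the same service while 445:1024-65535 silently excludes connections from low source ports.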

config switch acl settings

Use this command to configure the global ACL settings.

Syntax

config switch acl settings

set density-mode {disable | enable}

set trunk-load-balance {disable | enable}

end

Variable

Description

Default

density-mode

Enable or disable density mode.

disable

trunk-load-balance

Enable or disable trunk-load-balancing for ACL actions.

enable

Example

The following example configures the global ACL settings:

config switch acl settings

set density-mode enable

set trunk-load-balance enable

end

config switch auto-isl-port-group

Use this command to create a multi-tiered MCLAG trunk when the FortiSwitch unit is managed by a FortiGate unit.

Syntax

config switch auto-isl-port-group

edit <trunk_name>

set members <one or more ports>

end

Example

The following example creates two trunks for a multi-tiered MCLAG:

config switch auto-isl-port-group

edit "mclag-core1"

set members "port1" "port2"

next

edit "mclag-core2"

set members "port3" "port4"

end

config switch auto-network

Use this command to automatically form an inter-switch link (ISL) between two switches.

Note

Starting in FortiSwitchOS 7.2.0, auto-network is enabled by default.

After an execute factoryreset command is executed on a FortiSwitch unit in standalone mode, the auto-network configuration is enabled by default. If you are not using auto-network, you must manually disable it.

Syntax

config switch auto-network

set mgmt-vlan <1-4094>

set status {enable | disable}

end

Variable

Description

Default

mgmt-vlan <1-4094>

Set the VLAN to use for the native VLAN on ISL ports and the native VLAN on the internal switch interface.

4094

status {enable | disable}

Enable or disable whether an ISL is automatically formed between two switches.

enable

Example

The following example enables the automatic formation of an ISL between two switches:

config switch auto-network

set mgmt-vlan 200

set status enable

end

config switch global

Use this command to configure system-wide FortiSwitch settings.

Syntax

config switch global

set allow-mac-move {enable | disable}

set auto-fortilink-discovery {enable | disable}

set auto-isl {enable | disable}

set auto-isl-port-group <0-9>

set auto-stp-priority {enable | disable}

set bpdu-learn {enable | disable}

set dhcp-snooping-database-export {disable | enable}

set dmi-global-all {enable | disable}

set flapguard-retain-trigger {enable | disable}

set flood-unknown-multicast {enable | disable}

set fortilink-heartbeat-timeout <0-300>

set fortilink-p2p-native-vlan <integer>

set fortilink-p2p-tpid <integer>

set fortilink-vlan-optimization {enable | disable}

set forti-trunk-dmac <xx:xx:xx:xx:xx:xx>

set ip-mac-binding {enable | disable}

set l2-memory-check {enable | disable}

set l2-memory-check-interval <number_of_seconds>

set log-mac-limit-violations {enable | disable}

set log-source-guard-violations {enable | disable}

set loop-guard-tx-interval <0-30>

set mac-aging-interval <seconds>

set mac-violation-timer <integer>

set max-frame-size <bytes_int>

set max-path-in-ecmp-group <integer>

set mclag-igmpsnooping-aware {enable | disable}

set mclag-peer-info-timeout <integer>

set mclag-port-base <integer>

set mclag-split-brain-all-ports-down {enable | disable}

set mclag-split-brain-detect {enable | disable}

set mclag-split-brain-priority <0-100>

set mclag-stp-aware {enable | disable}

set mirror-qos <0-7>

set name <string>

set neighbor-discovery-to-cpu {enable | disable}

set packet-buffer-mode {store-forward | cut-through}

set poe-alarm-threshold <threshold (percent of total power budget) above which an alarm event is generated>

set poe-guard-band <integer>

set poe-power-budget <integer>

set poe-power-mode {first-come-first-served | priority}

set poe-pre-standard-detect {disable | enable}

set qos-drop-policy {random-early-detection | taildrop}

set qos-red-probability <integer>

set reserved-mcast-to-cpu {enable | disable}

set source-guard-violation-timer <integer>

set storm-control-monitor {enable | disable}

set storm-control-high-rate <0-65536>

set storm-control-rate-filter <0-100>

set trunk-hash-mode {default| enhanced}

set trunk-hash-unicast-src-port {enable | disable}

set trunk-hash-unkunicast-src-dst {enable | disable}

set virtual-wire-tpid <0x0001-0xfffe>

set vxlan-dport <integer>

set vxlan-sport <integer>

set vxlan-stp-virtual-mac <MAC_address>

set vxlan-stp-virtual-root {enable | disable}

set vxlan-qos-inner-to-outer {copy-to-outer | fixed}

set vxlan-qos-dscp <0-63>

config port-security

set link-down-auth {no-action | set-unauth}

set mab-entry-as {dynamic | static}

set mab-reauth {enable | disable}

set mac-called-station-delimiter {colon | hyphen | none | single-hyphen}

set mac-calling-station-delimiter {colon | hyphen | none | single-hyphen}

set mac-case {lowercase | uppercase}

set mac-password-delimiter {colon | hyphen | none | single-hyphen}

set mac-username-delimiter {colon | hyphen | none | single-hyphen}

set max-reauth-attempt <0-15>

set quarantine-vlan {enable | disable}

set reauth-period <1-1440>

set tx-period <12-60>

end

end

Variable

Description

Default

allow-mac-move {enable | disable}

Enable or disable the capability for the 802.1X client to move between ports that are not directly connected to the FortiSwitch unit without having to delete the 802.1X session.

This command is available only for the FS-124F, FS-124F-POE, FS-124F-FPOE, FS-148F, FS-148F-POE, and FS-148F-FPOE models.

disable

auto-fortilink-discovery {enable | disable}

Enable or disable the capability for the FortiGate device to automatically discover the FortiLink interface on the FortiSwitch unit.

enable

auto-isl {enable | disable}

Enable or disable the capability to automatically form an inter-switch LAG.

enable

auto-isl-port-group <0-9>

Set the ISL port group. The range is 0-9.

0

auto-stp-priority {enable | disable}

Enable or disable the automatically assigned STP switch priority.

enable

bpdu-learn {enable | disable}

Enable or disable bridge protocol data unit (BPDU) learning.

NOTE: This command is available on the following FortiSwitch models: FSR-124D, FS-224D-FPOE, FS-224E, FS-224E-POE, FS-248D, FS-248E-POE, FS-248E-FPOE, FS-424D, FS-424D-POE, FS-424D-FPOE, FS-424E, FS-424E-POE, FS-424E-FPOE, FS-424E-Fiber, FS-M426E-FPOE, FS-448D, FS-448D-POE, FS-448D-FPOE, FS-448E, FS-448E-POE, FS-448E-FPOE, FS-524D, FS-524D-FPOE, FS-548D, FS-548D-FPOE, FS-1024D, FS-1048D, FS-1048E, FS-3032D, and FS-3032E.

enable

dhcp-snooping-database-export {disable | enable}

Enable or disable whether the DHCP snooping database is exported to file.

disable

dmi-global-all {enable | disable}

Enable or disable DMI globally.

enable

flapguard-retain-trigger {enable | disable}

Enable this setting to keep the “triggered” status in the output of the diagnose flapguard status command after a switch has been rebooted until the port has been reset with the execute flapguard reset <port_name> command.

Disable this setting to reset the “triggered” status when the switch is rebooted.

disable

flood-unknown-multicast {enable | disable}

Enable or disable whether to flood the VLAN with unknown multicast messages.

disable

fortilink-heartbeat-timeout <0-300>

Set how long before the FortiLink heartbeat times out. Set the value to 0 to disable the FortiLink heartbeat.

60

fortilink-p2p-native-vlan <integer>

Specify the native VLAN on the inter-switch link (ISL) when fortilink-p2p is enabled under the config switch physical port command.

4094

fortilink-p2p-tpid <integer>

Set the FortiLink point-to-point TPID value. The range of values is 0x0001 to 0xfffe.

This command is only available in FortiLink mode.

0x8100

fortilink-vlan-optimization {enable | disable}

Enable or disable FortiLink VLAN optimization.

disable

forti-trunk-dmac <xx:xx:xx:xx:xx:xx>

Enter the destination MAC address to be used for FortiTrunk heartbeat packets.

02:80:c2:00:00:02

ip-mac-binding {enable | disable}

Enable or disable IP-MAC binding for the switch

disable

l2-memory-check {enable | disable}

Enable or disable whether FortiSwitchOS checks the size of the layer-2 table. When this feature is enabled, the set l2-memory-check-interval command controls how often the table is checked. When the table size is more than 75-percent full or less than 70-percent full, FortiSwitchOS adds a warning to the system log.

disable

l2-memory-check-interval <number_of_seconds>

When l2-memory-check is enabled, FortiSwitchOS checks the size of the layer-2 table at the specified interval. The range of values is 5-86400 seconds.

120

log-mac-limit-violations {enable | disable}

Enable or disable the logging of layer-2 learning limit violations for an interface or VLAN. The most recent violation that occurred on each interface or VLAN is logged. After that, no more violations are logged until the log is reset for the triggered interface or VLAN. Only the most recent 128 violations are displayed in the console.

NOTE: This command is only displayed if your FortiSwitch model supports it.

disable

log-source-guard-violations {enable | disable}

Enable or disable logs for source guard violations on a system-wide level.

disable

loop-guard-tx-interval <0-30>

Enter the loop guard transmit interval in seconds. The value range is 1-30.

3

mac-aging-interval <seconds>

Specify how often the learning-limit violation log is reset. The range is 10 to 1,000,000 seconds. Set to 0 to disable.

300

mac-violation-timer <integer>

How long (in minutes) violations of the layer-2 learning limit are kept in the log. The value range is 0-1500. Set to 0 to disable the timer.

0

max-frame-size <bytes_int>

Set the maximum frame size. The range and default depend on the switch model. See the FortiSwitchOS feature matrix.

NOTE: If you are not using the FS-1xxE, FS-1xxF, or FS-110G-FPOE models, this command is under the config switch physical-port command.

Varies

max-path-in-ecmp-group <integer>

Set the maximum path in one ECMP group.

8

mclag-igmpsnooping-aware {enable | disable}

Enable this option to synchronize both query ports and group entries across peer MCLAG trunks. This option can be used in standalone mode and in FortiLink mode.

NOTE: For IGMP snooping to work correctly in an MCLAG, you need to use the set mclag-igmpsnooping-aware enable command on all FortiSwitch units in the network topology and use the set igmps-flood-reports enable command on each MCLAG core FortiSwitch unit.

disable

mclag-peer-info-timeout <integer>

Enter the MCLAG peer info timeout. The value range is 30 to 600 seconds.

30

mclag-port-base <integer>

Set the MCLAG port base.

0

mclag-split-brain-all-ports-down {enable | disable}

When this option is enabled and a split-brain state occurs, the switch that goes dormant shuts down all ports before going dormant; the state of the ICL trunk ports is not changed.

When this option is disabled and a split-brain state occurs, the switch that goes dormant does not shut down any ports before going dormant.

This command is only available when mclag-split-brain-detect is enabled.

disable

mclag-split-brain-detect {enable | disable}

Enable or disable the detection of the MCLAG split-brain state.

disable

mclag-split-brain-priority <0-100>

When the split-brain state occurs, the switch with the lowest priority goes dormant. If both switches have the same priority, the switch with the lowest MAC address goes dormant when the split-brain state occurs.

This command is only available when mclag-split-brain-detect is enabled.

50

mclag-stp-aware {enable | disable}

Enable or disable the use of STP within the MCLAG.

enable

mirror-qos <0-7>

Enter the quality of service (QoS) priority for packets mirrored by this FortiSwitch unit. Applies only to the FS-524D, FS-524D-FPOE, FS-548D, FS-548D-FPOE, FS-1048E, and FS-3032D models.

0

name <string>

Enter a name for the switch.

No default

neighbor-discovery-to-cpu {enable | disable}

Enable or disable the forwarding of reserved multicast packets to the CPU. Applies only to the 200 Series and 400 Series.

enable

packet-buffer-mode {store-forward | cut-through}

Set the switching mode to store-and-forward or cut-through for the main buffer of the FS-1024D, FS-1048D, or FS-3032D model.

store-forward

poe-alarm-threshold <threshold (percent of total power budget) above which an alarm event is generated>

Enter the threshold (a specified percentage of the total power budget) above which an alarm event is generated.

80

poe-guard-band <integer>

Enter the power (W) to reserve in case of a spike in PoE consumption.

19

poe-power-budget <integer>

Set or override the maximum power budget.

400

poe-power-mode {first-come-first-served | priority}

Set the PoE power mode to priority based or first-come, first-served.

priority

poe-pre-standard-detect {disable | enable}

Enable or disable PoE pre-standard detection.

NOTE: PoE pre-standard detection is a global setting for the following FortiSwitch models: FSR-112D-POE, FS-548D-FPOE, FS-524D-FPOE, FS-108D-POE, FS-224D-POE, FS-108E-POE, FS-108E-FPOE, FS-124E-POE, FS-124E-FPOE, 148F-POE, and 148F-FPOE. For the other FortiSwitch PoE models, PoE pre-standard detection is set on each port.

disable

qos-drop-policy {random-early-detection | taildrop}

Set the CoS queue drop policy.
  • taildrop — When the queue is full, new packets are dropped.
  • random-early-detection — As the queue fills, the probability increases that packets will be dropped.
NOTE: This command is available only for the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models.

taildrop

qos-red-probability <integer>

Set the QoS RED/WRED drop probability. The FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, and FS-124E-FPOE models support 0-100 percent. The FS-148E, FS-148E-POE, and FS-148E-FPOE models support 0-25 percent.

NOTE: This command is available only for the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models.

12

reserved-mcast-to-cpu {enable | disable}

Enable or disable the forwarding of IPv6 neighbor-discovery packets to the CPU. Applies only to the 200 Series and 400 Series.

enable

source-guard-violation-timer <integer>

Enter the number of minutes for a global timeout for source guard violations. The range of values is 0-1500. Set this option to 0 to disable it.

This command is only available when log-source-guard-violations is enabled.

0

storm-control-monitor {enable | disable}

Enable or disable storm-control monitoring.

disable

storm-control-high-rate <0-65536>

When this rate (in dropped packets per second) is exceeded, a log message is generated.

This command is only available when storm-control-monitor is enabled.

300

storm-control-rate-filter <0-100>

Set the percentage for how sensitive storm-control monitoring is to changes in the storm-control-high-rate. Higher percentages mean that the storm-control monitoring is more sensitive to changes in the storm-control-high-rate.

This command is only available when storm-control-monitor is enabled.

20

trunk-hash-mode {default | enhanced}

Set the trunk hash mode to default or enhanced.

default

trunk-hash-unicast-src-port {enable | disable}

Enable or disable whether the trunk hashing algorithm for unicast packets uses the source port.

disable

trunk-hash-unkunicast-src-dst {enable | disable}

Enable or disable source-destination trunk hashing for unknown unicast packets.

enable

virtual-wire-tpid <0x0001-0xfffe>

TPID value used by virtual-wires. The value range is from 0x0001 to 0xfffe.

Choose a value unlikely to be seen as a TPID or ethertype in your network.

0xdee5

vxlan-dport <integer>

Set the VXLAN destination UDP port. The range of values is 1-65535.

4789

vxlan-sport <integer>

Set the VXLAN source UDP port. The range of values is 1-65535.

0

vxlan-stp-virtual-mac <MAC_address>

Set the MAC address for the virtual STP root.

This option is available only when vxlan-stp-virtual-root is enabled.

08:5B:0E:00:00:00

vxlan-stp-virtual-root {enable | disable}

When this option is enabled, the local switch automatically becomes the STP root for STP instances that contain the configured VXLAN's access VLAN. When this option is disabled, the local switch does not automatically become the STP root for STP instances that contain the configured VXLAN's access VLAN.

disable

vxlan-qos-inner-to-outer {copy-to-outer | fixed}

Select how the differential service code point (DSCP) is determined:

  • copy-to-outer—Copy the DSCP value from the inner header to the outer header.

  • fixed—Use a fixed DSCP value in the IP header of the outer encapsulation. Specify the fixed value with the set vxlan-qos-dscp command.

copy-to-outer

vxlan-qos-dscp <0-63>

Specify the fixed DSCP value in the IP header of the outer encapsulation.

This command is available only when vxlan-qos-inner-to-outer is set to fixed.

0

config port-security

link-down-auth {set-unauth | no-action}

If a link goes down, this setting determines whether the affected devices need to reauthenticate.
  • set-unauth—Revert all devices to the unauthenticated state. Each device will need to reauthenticate.
  • no-action—Reauthentication is not required.

set-unauth

mab-entry-as {dynamic | static}

Configure the MAC authentication bypass (MAB) MAC entries as static or dynamic:

  • In static mode, MAB sessions are kept until the link goes down or the MAB sessions are manually deleted with the CLI.

  • In dynamic mode, MAB sessions are treated the same way as dynamically learned MAC addresses.

static

mab-reauth {enable | disable}

Enable or disable whether MAB retries authentication before assigning a device to a guest VLAN for unauthorized users.

disable

mac-called-station-delimiter {colon | hyphen | none | single-hyphen}

Select which delimiter is used for the Called-Station-Id attribute or select none for no delimiter:

  • colon

  • hyphen

  • single-hyphen

hyphen

mac-calling-station-delimiter {colon | hyphen | none | single-hyphen}

Select which delimiter is used for the Calling-Station-Id attribute or select none for no delimiter:

  • colon

  • hyphen

  • single-hyphen

hyphen

mac-case {lowercase | uppercase}

Select whether MAC addresses use lowercase or uppercase letters.

lowercase

mac-password-delimiter {colon | hyphen | none | single-hyphen}

Select which delimiter is used for the User-Password attribute or select none for no delimiter:

  • colon

  • hyphen

  • single-hyphen

hyphen

mac-username-delimiter {colon | hyphen | none | single-hyphen}

Select which delimiter is used for the User-Name attribute or select none for no delimiter:

  • colon

  • hyphen

  • single-hyphen

hyphen
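The four delimiter settings above and mac-case decide the exact strings a MAB request carries in its RADIUS attributes, which is what the matching rule on the RADIUS server has to agree with. The following is an added example, not Fortinet's code: it renders a MAC address the way each setting pair would and assembles the attributes for one request. The rendering of single-hyphen as aabbcc-ddeeff, the function names, and the sample MAC values are assumptions; confirm the exact format against a capture of your own switch's requests before relying on it.

```python
"""MAC-derived RADIUS attributes for a MAB Access-Request.

Added example; this is not FortiSwitchOS code. It maps the config port-security
delimiter and mac-case settings documented above onto the four attributes they
govern. Assumed rendering of each delimiter option (verify against a capture of
your own switch's requests):
    colon          aa:bb:cc:dd:ee:ff
    hyphen         aa-bb-cc-dd-ee-ff
    single-hyphen  aabbcc-ddeeff
    none           aabbccddeeff
"""
import re
from typing import Dict

DELIMITERS = {"colon": ":", "hyphen": "-", "single-hyphen": "-", "none": ""}
DEFAULT_DELIMITER = "hyphen"   # documented default for all four delimiter settings
DEFAULT_CASE = "lowercase"     # documented default for mac-case


def normalize_mac(mac: str) -> str:
    """Return the 12 hex digits of a MAC written in any common notation."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


def format_mac(mac: str, delimiter: str, case: str = DEFAULT_CASE) -> str:
    """Render a MAC as one delimiter/mac-case setting pair would."""
    if delimiter not in DELIMITERS:
        raise ValueError(f"unknown delimiter option: {delimiter}")
    if case not in ("lowercase", "uppercase"):
        raise ValueError(f"unknown mac-case option: {case}")
    digits = normalize_mac(mac)
    if delimiter == "single-hyphen":
        # Assumed layout: one separator between the OUI and the device half.
        groups = [digits[:6], digits[6:]]
    else:
        groups = [digits[i:i + 2] for i in range(0, 12, 2)]
    rendered = DELIMITERS[delimiter].join(groups)
    return rendered.upper() if case == "uppercase" else rendered


def mab_request_attributes(client_mac: str, called_mac: str,
                           settings: Dict[str, str]) -> Dict[str, str]:
    """Build the four MAC-derived attributes for one MAB request.

    `settings` uses the config port-security key names from the page; a key
    that is absent falls back to the documented default. MAB uses the client
    MAC as both User-Name and User-Password (see mac-auth-bypass below).
    `called_mac` is whatever MAC the switch reports as Called-Station-Id.
    """
    case = settings.get("mac-case", DEFAULT_CASE)

    def pick(key: str) -> str:
        return settings.get(key, DEFAULT_DELIMITER)

    return {
        "User-Name": format_mac(client_mac, pick("mac-username-delimiter"), case),
        "User-Password": format_mac(client_mac, pick("mac-password-delimiter"), case),
        "Calling-Station-Id": format_mac(client_mac, pick("mac-calling-station-delimiter"), case),
        "Called-Station-Id": format_mac(called_mac, pick("mac-called-station-delimiter"), case),
    }


if __name__ == "__main__":
    # Constructed sample values, not captured from a real device.
    attrs = mab_request_attributes(
        "00:11:22:33:44:55", "02:00:00:00:00:01",
        {"mac-username-delimiter": "none", "mac-case": "uppercase"})
    for name, value in attrs.items():
        print(f"{name:20} {value}")
```

Because mac-case is applied to every attribute while each delimiter is chosen separately, a server rule written for User-Name does not automatically match Calling-Station-Id; run the function with your own settings dictionary for each attribute the policy inspects.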

max-reauth-attempt <0-15>

If 802.1x authentication fails, this setting caps the number of attempts that the system will initiate. The range is from 0 to 15 where "0" disables the reauthentication attempts.

3

quarantine-vlan {enable | disable}

Enable or disable quarantine VLAN detection. Enable this setting to use quarantines with 802.1x MAC-based authentication in FortiLink mode.

enable

reauth-period

Defines how often the device needs to reauthenticate. If a session remains active beyond this number of minutes, the system requires the device to reauthenticate.

60

tx-period <12-60>

Specify how many seconds are allowed for the 802.1x reauthentication before it times out.

30

Example

The following example configures system-wide FortiSwitch settings:

config switch global

set auto-isl enable

set dhcp-snooping-database-export enable

set dmi-global-all enable

set ip-mac-binding enable

set loop-guard-tx-interval 15

set mac-aging-interval 150

set max-path-in-ecmp-group 4

set mclag-peer-info-timeout 300

set poe-alarm-threshold 40

set poe-power-mode first-come-first-served

set poe-guard-band 10

set poe-pre-standard-detect enable

set poe-power-budget 200

set trunk-hash-mode enhanced

set trunk-hash-unkunicast-src-dst enable

end

config switch hsr ring

Use this command to configure a High-Availability Seamless Redundancy (HSR) ring.

Syntax

config switch hsr ring

edit {1 | 2}

set status {enable | disable}

set ring-port-pair <physical_port_pair>

set redbox-mode hsr-san

set vlan-id <1-4094>

set vlan-id-cos <0-7>

set vlan-id-tagged {enable | disable}

set hsr-internal-vlan <VLAN_ID>

next

end

Variable

Description

Default

status {enable | disable}

Enable or disable this HSR ring.

disable

ring-port-pair <physical_port_pair>

Select which port A and port B pair to use for this HSR ring. Enter set ring-port-pair ? to see the available physical port pairs.

No default

redbox-mode hsr-san

HSR-SAN is currently the only RedBox operation mode supported.

hsr-san

vlan-id <1-4094>

Enter the VLAN identifier of the supervision frame.

This option is available only when vlan-id-tagged is set to enable.

1

vlan-id-cos <0-7>

Enter the class of service (CoS) value to be set in the VLAN tag of the supervision frame.

This option is available only when vlan-id-tagged is set to enable.

0

vlan-id-tagged {enable | disable}

Enable or disable supervision frame VLAN ID tagging.

disable

hsr-internal-vlan <2-4094>

Assign all MAC addresses of this HSR ring to this internal VLAN ID.

NOTE: If you are using an HSR ring and a PRP channel in your network, you need to change the default value so that each HSR ring and PRP channel is in a different internal VLAN.

No default

Example

The following example configures an HSR ring:

config switch hsr ring

edit 1

set status enable

set ring-port-pair port7-port8

next

end

config switch hsr settings

Use this command to configure HSR settings.

Syntax

config switch hsr settings

set mac-da <0-255>

set life-check-interval <2-60 seconds>

end

Variable

Description

Default

mac-da <0-255>

Specify the last 8 bits of the HSR supervision frame MAC destination address (DA).

0

life-check-interval <2-60 seconds>

Specify how often (in seconds) the HSR supervision frame is generated for each MAC address in the VDAN table.

2

Example

The following example configures the HSR settings:

config switch hsr settings

set mac-da 100

set life-check-interval 30

end

config switch igmp-snooping globals

Use this command to configure global settings for IGMP snooping on the FortiSwitch unit.

Syntax

config switch igmp-snooping globals

set aging-time <15-3600>

set leave-response-timeout <1-20>

set lookup-mode {L2 | L3}

set query-interval <10-1200>

set query-max-response-timeout <100-32768>

end

Variable

Description

Default

aging-time <15-3600>

Enter the maximum number of seconds to retain a multicast snooping entry for which no packets have been seen. The value range is 15 to 3600.

300

leave-response-timeout <1-20>

Enter the maximum number of seconds that the switch waits after sending a group-specific query in response to the leave message.

10

lookup-mode {L2 | L3}

Select whether IGMP groups are looked up by their IP addresses or their MAC addresses:

  • L2—Look up IGMP groups in the MAC address table. Set the lookup-mode to L2 for the FS-1024E, FS-T1024E, FS-T1024F-FPOE, FS-2048F, and FS-1048E models so that IGMP groups with TTL=1 streams are not dropped.

  • L3—Look up IGMP groups in the IP multicast address table.

L3

query-interval <10-1200>

Enter the maximum number of seconds between IGMP queries.

120

query-max-response-timeout <100-32768>

Enter the maximum number of milliseconds that a host waits for responses to a general query message.

10000

Example

The following example configures global settings for IGMP snooping on the FortiSwitch unit:

config switch igmp-snooping globals

set aging-time 150

set leave-response-timeout 15

set query-interval 200

end

config switch interface

Use this command to configure FortiSwitch features on an interface.

NOTE: Settings under config qnq are for customer VLANs (C-VLANs). Other settings such as set allowed-vlans, set native-vlan, and set vlan-tpid are for service-provider VLANs (S-VLANs).

Syntax

config switch interface

edit <interface_name>

set allowed-vlans {vlan1 vlan2 ...}

set arp-inspection-trust {trusted | untrusted}

set auto-discovery-fortilink-packet-interval <3-300>

set default-cos <0-7>

set description <string>

set discard-mode {all-tagged | all-untagged | none}

set dhcp-snooping {trusted | untrusted}

set dhcp-snoop-learning-limit <1-16000>

set dhcp-snoop-learning-limit-check {disable | enable}

set dhcp-snooping-option82-trust {enable | disable}

set edge-port {enabled | disabled}

set force-egr-prio-tag {enable | disable}

set igmp-snooping-flood-reports {enable | disable}

set mcast-snooping-flood-traffic {enable | disable}

set mld-snooping-flood-reports {enable | disable}

set ip-mac-binding {enable | disable | global}

set ip-source-guard {enable | disable}

set learning-limit <0-128>

set learning-limit-action {none | shutdown}

set log-mac-event {enable | disable}

set loop-guard {enabled | disabled}

set loop-guard-timeout <0-120>

set loop-guard-mac-move-threshold <0-100>

set nac {enable | disable}

set native-vlan <vlan_int>

set packet-sampler {enabled | disabled}

set sample-direction {both | rx | tx}

set packet-sample-rate <0-99999>

set private-vlan {disabled | promiscuous | sub-vlan}

set ptp-policy {<string> | default}

set ptp-status {enable | disable}

set qos-policy {<string> | default}

set rpvst-port {enabled | disabled}

set security-groups <security-group-name>

set sflow-counter-interval <0-255>

set snmp-index <integer>

set sticky-mac {disable | enable}

set stp-bpdu-guard {disabled | enabled}

set stp-loop-protection {enabled | disabled}

set stp-root-guard {disabled | enabled}

set stp-state {enabled | disabled}

set trust-dot1p-map <string>

set trust-ip-dscp-map <string>

set untagged-vlans {vlan1 vlan2 ...}

set vlan-mapping-miss-drop {enable | disable}

set vlan-tpid <default | string>

config dhcp-snoop-option82-override

edit <VLAN_ID>

set remote-id <string>

set circuit-id <string>

next

end

config port-security

set {allow-mac-move-from | allow-mac-move-to} {enable | disable}

set eap-egress-tagged {enable | disable}

set port-security-mode {none | 802.1X | 802.1X-mac-based}

set auth-fail-vlan {enable | disable}

set auth-fail-vlanid <VLAN_id>

set auth-order {MAB | MAB-dot1x | dot1x-MAB}

set auth-priority {MAB-dot1x | dot1x-MAB | legacy}

set authserver-timeout-period <3-15>

set authserver-timeout-tagged {disable | lldp-voice | static}

set authserver-timeout-tagged-vlanid <1-4094>

set authserver-timeout-vlan {enable | disable}

set authserver-timeout-vlanid <1-4094>

set dacl {enable | disable}

set eap-auto-untagged-vlans {enable | disable}

set eap-passthru {disable | enable}

set framevid-apply {disable | enable}

set guest-auth-delay <integer>

set guest-vlan {enable | disable}

set guest-vlanid <VLAN_id>

set mab-eapol-request <0-10>

set mac-auth-bypass {enable | disable}

set open-auth {enable | disable}

set quarantine-vlan {enable | disable}

set radius-timeout-overwrite {enable | disable}

next

end

config raguard

edit <ID>

set raguard-policy <name_of_RA_guard_policy>

set vlan-list <list_of_VLANs>

next

end

config qnq

set status {enable | disable}

set edge-type customer

set vlan-mapping-miss-drop {enable | disable}

set add-inner <1-4095>

set remove-inner {enable | disable}

set native-c-vlan <1-4094>

set allowed-c-vlan <list_of_VLANs>

set priority {follow-c-tag | follow-s-tag}

set s-tag-priority <0-7>

config vlan-mapping

edit <id>

set description <string>

set match-c-vlan <1-4094>

set new-s-vlan <1-4094>

next

end

end

config vlan-mapping

edit <id>

set description <string>

set direction {egress | ingress}

set match-s-vlan <1-4094>

set match-c-vlan <1-4094>

set action {add | delete | replace}

set new-s-vlan <1-4094>

next

end

next

end

Variable

Description

Default

<interface_name>

Enter the name of the interface.

No default

allowed-vlans {vlan1 vlan2 ...}

Enter the names of the VLANs permitted on this interface.

No default

arp-inspection-trust {trusted | untrusted}

Set the interface to trusted or untrusted.

untrusted

auto-discovery-fortilink-packet-interval <3-300>

Enter the FortiLink packet interval for automatic discovery. The value range is 3 to 300 seconds.

5

default-cos <0-7>

Set the default CoS value for untagged packets. Integer in the range of 0 to 7.

The configured default CoS only applies if you also set trust-dot1p-map on the interface.

NOTE: The set default-cos command is not available on the following FortiSwitch models: 224D-FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE, and 248E-FPOE.

0

description <string>

Enter a description of the interface.

No default

discard-mode {all-tagged | all-untagged | none}

Set the discard mode for this interface.

none

dhcp-snooping {trusted | untrusted}

Set the interface to trusted or untrusted.

untrusted

dhcp-snoop-learning-limit <1-16000>

Set the maximum number of IP addresses learned on this interface for the DHCP-snooping binding database.

The set dhcp-snoop-learning-limit command is available only when dhcp-snoop-learning-limit-check is enabled.

5

dhcp-snoop-learning-limit-check {disable | enable}

Enable or disable whether there is a limit for how many IP addresses are in the DHCP-snooping binding database for this interface.

disable

dhcp-snooping-option82-trust {enable | disable}

Enable or disable (allow/disallow) DHCP packets with option-82 on an untrusted interface.

disable

edge-port {enabled | disabled}

Enable if the port does not have another switch connected to it.

disabled

force-egr-prio-tag {enable | disable}

NOTE: This command is only for the FS-1xxE, FS-1xx, and FS-110G-FPOE models.

Enable or disable the forced priority tagging on egress ports.

  • enable—When the allowed-vlans command is set on a port, all egress traffic will have the priority tag of vlan=0.

    This command is most useful when the port is acting as an access port for native traffic only.

  • disable—Priority tagging is not forced on egress ports.

disable

igmp-snooping-flood-reports {enable | disable}

Enable or disable whether to flood IGMP-snooping reports to this interface.

NOTE: For IGMP snooping to work correctly in an MCLAG, you need to use the set mclag-igmpsnooping-aware enable command on all FortiSwitch units in the network topology and use the set igmp-snooping-flood-reports enable command on each MCLAG core FortiSwitch unit.

disable

mcast-snooping-flood-traffic {enable | disable}

Enable or disable whether to flood multicast traffic to this interface.

disable

mld-snooping-flood-reports {enable | disable}

Enable or disable whether to flood MLD-snooping reports to this interface.

disable

ip-mac-binding {enable | disable | global}

Enable or disable IP-MAC binding for this interface. If you set the value to global, the interface inherits the global ip-mac-binding setting.

disable

ip-source-guard {enable | disable}

Enable or disable IP source guard for this interface. After you enable this feature, use the config switch ip-source-guard command to configure it.

disable

learning-limit <0-128>

Limit the number of dynamic MAC addresses on this port.

The value range is 0 to 128. Setting the learning-limit to 0 means that there is no limit to the number of MAC addresses learned.

NOTE: You cannot set the learning-limit on the internal interface.

0

learning-limit-action {none | shutdown}

When the learning-limit is exceeded, select none to take no action or select shutdown to disable this interface. The learning-limit-action applies only to physical switch port interfaces, not to trunks or VLANs.

The learning-limit-action is available only when learning-limit has been set to 1-128.

none

log-mac-event {enable | disable}

Enable or disable the logging of dynamic MAC address events.

disable

loop-guard {enabled | disabled}

Enable or disable loop guard for this interface.

disabled

loop-guard-timeout <0-120>

After enabling loop guard, set the number of minutes before loop guard resets. Setting this value to 0 means that there is no timeout.

45

loop-guard-mac-move-threshold <0-100>

After enabling loop guard, set the number of MAC address moves per second for this interface. The threshold must be exceeded for 6 consecutive seconds to trigger loop guard.

0
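The two loop-guard timers above interact: the MAC-move threshold has to be exceeded for six consecutive seconds before loop guard acts, and loop-guard-timeout then decides whether the port recovers on its own. The following is an added example, not Fortinet's code, that models that logic over constructed per-second MAC-move counters so the effect of a chosen threshold can be checked before it is applied to a port. The function names and the sample counters are constructed; treating a threshold of 0 as "check off" and resetting the consecutive count on any second at or below the threshold are assumptions.

```python
"""Model of the loop-guard MAC-move trigger and the loop-guard-timeout reset.

Added example; this is not FortiSwitchOS code. The six-consecutive-seconds
window and the "exceeded" comparison (strictly greater than the threshold)
come from the loop-guard-mac-move-threshold entry above, and the timeout
behaviour from the loop-guard-timeout entry. Two points are assumptions:
a threshold of 0 is treated as "MAC-move check off", and a second at or
below the threshold resets the consecutive count.
"""
from typing import Dict, Optional, Sequence

CONSECUTIVE_SECONDS = 6   # from the page: threshold must be exceeded this long


def loop_guard_trigger_second(moves_per_second: Sequence[int],
                              threshold: int) -> Optional[int]:
    """Return the 1-based second at which loop guard triggers, or None.

    moves_per_second[i] is the port's MAC-move counter for second i + 1.
    """
    if threshold <= 0:
        return None  # assumption: 0 means the MAC-move check is not evaluated
    run = 0
    for second, moves in enumerate(moves_per_second, start=1):
        run = run + 1 if moves > threshold else 0
        if run >= CONSECUTIVE_SECONDS:
            return second
    return None


def simulate_port(moves_per_second: Sequence[int], threshold: int,
                  timeout_minutes: int) -> Dict[str, Optional[int]]:
    """Combine the trigger with loop-guard-timeout (minutes; 0 = no reset).

    restored_at is the second at which loop guard would reset on its own,
    or None when the port stays blocked until an operator clears it.
    """
    triggered = loop_guard_trigger_second(moves_per_second, threshold)
    restored = None
    if triggered is not None and timeout_minutes > 0:
        restored = triggered + timeout_minutes * 60
    return {"triggered_at": triggered, "restored_at": restored}


# Constructed per-second MAC-move counters for one port (not real telemetry).
SHORT_BURST = [0, 0, 12, 15, 14, 13, 11, 0, 0]        # 5 seconds over 10: no trigger
SUSTAINED_FLAP = [0, 12, 15, 14, 13, 11, 16, 12, 0]   # 7 seconds over 10: trigger at second 7

if __name__ == "__main__":
    print("short burst  ", simulate_port(SHORT_BURST, 10, 45))
    print("sustained    ", simulate_port(SUSTAINED_FLAP, 10, 45))
```

The short burst shows why a transient flap, such as a host moving between two access ports during a reconnect, does not trip loop guard, while a sustained flap does; the default timeout of 45 minutes gives a recovery point that an operator can correlate with the port's log entries.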

nac {enable | disable}

This command is available only in FortiLink mode. Enable it to allow the switch to transmit MAC events to the FortiGate device to improve network access control (NAC) performance.

disable

native-vlan <vlan_int>

Enter the native (untagged) VLAN for this interface.

1

packet-sampler {enabled | disabled}

Enable or disable packet sampling for flow export.

disabled

sample-direction {both | rx | tx}

Set the sFlow sample direction to monitor received traffic (rx), monitor transmitted traffic (tx), or monitor both.

This option is only available when the packet-sampler is enabled.

both

packet-sample-rate <0-99999>

If packet-sampler is set to enabled, you can change the packet sample rate.

512

private-vlan {disabled | promiscuous | sub-vlan}

Enable private VLAN functionality.

NOTE: Private VLANs are not supported on the FortiSwitch-28C.

disabled

ptp-policy {<string> | default}

Enter the name of the Precision Time Protocol (PTP) policy to apply to this port.

default

ptp-status {enable | disable}

Enable or disable PTP on this port.

enable

qos-policy {<string> | default}

Enter the name of the QoS egress CoS queue policy.

default

rpvst-port {enabled | disabled}

Enable or disable whether this interface interoperates with per-VLAN spanning tree (PVST).

disabled

security-groups <security-group-name>

Enter the security group name if you are using port-based authentication or MAC-based authentication.

No default

sflow-counter-interval <0-255>

Set the polling interval for the sFlow sampler counter. Set to 0 to disable polling.

0

snmp-index <integer>

Enter the SNMP index for this interface.

Default is the port number

sticky-mac {disable | enable}

Enable or disable whether dynamically learned MAC addresses are persistent when the status of a FortiSwitch port changes (goes down or up).

disable

stp-bpdu-guard {disabled | enabled}

Enable or disable STP BPDU guard protection. To use STP BPDU guard on this interface, you must enable stp-state and edge-port.

disabled

stp-loop-protection {enabled | disabled}

Enable or disable STP loop protection on this interface.

disabled

stp-root-guard {disabled | enabled}

Enable or disable STP root guard protection. To use STP root guard, you must enable stp-state.

disabled

stp-state {enabled | disabled}

Enable or disable Spanning Tree Protocol (STP) on this interface.

enabled

trust-dot1p-map

Whether to trust the dot1p CoS value in the incoming packets. Specify a map to map the CoS value to an egress queue value.

No default

trust-ip-dscp-map

Whether to trust the DSCP QoS value in the incoming packets. Specify a map to map the DSCP value to an egress queue value.

No default

untagged-vlans

Select the allowed-vlans to be transmitted without VLAN tags.

No default

vlan-mapping-miss-drop {enable | disable}

Enable or disable whether a packet is dropped if the VLAN ID in the packet's tag is not defined in the vlan-mapping configuration.

disable

vlan-tpid <default | string>

Select which VLAN TPID profile to use. The default VLAN TPID profile has a value of 0x8100 and cannot be deleted or changed.

NOTE: If you are not using the default VLAN TPID profile, you must have already defined the VLAN TPID profile with the config switch vlan-tpid command.

default

config dhcp-snoop-option82-override

<VLAN_ID>

Select the VLAN identifier.

No default

remote-id <string>

Enter the plain text string to use in the Remote ID field instead of the global value.

The plain text string can be a maximum of 256 characters long. The combined length of the remote-id and circuit-id text strings can be a maximum of 256 characters long.

No default

circuit-id <string>

Enter the plain text string to use in the Circuit ID field instead of the global value.

The plain text string can be a maximum of 256 characters long. The combined length of the remote-id and circuit-id text strings can be a maximum of 256 characters long.

No default

config port-security

{allow-mac-move-from | allow-mac-move-to} {enable | disable}

Depending on the FortiSwitch model, you will see one of these commands:

  • allow-mac-move-from—Enable on the source port when an 802.1x client is being moved between ports that are not directly connected to the FortiSwitch unit. This command is available only for the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-108F, FS-108F-POE, FS-108F-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models.

  • allow-mac-move-to—Enable on the destination port when an 802.1x client is being moved between ports that are not directly connected to the FortiSwitch unit. This command is available only for FSR-124D, 200 Series, FS-4xxE, 500 Series, FS-1024D, FS-1024E, FS-T1024E, FS-1048E, and FS-3032E.

disable

eap-egress-tagged {enable | disable}

When allow-mac-move is enabled, you can enable this option to ensure that egress EAPOL packets are tagged without needing additional checking.

enable

port-security-mode {none | 802.1X | 802.1X-mac-based}

Set the security mode for the port.

  • 802.1X—Use this setting for port-based authentication.
  • 802.1X-mac-based—Use this setting for MAC-based authentication.

If you change the security mode to 802.1X or 802.1X-mac-based, you must set the security group with the set security-groups command.

none

auth-fail-vlan {enable | disable}

When enabled, the system assigns the auth-fail-vlanid to users who attempted to authenticate but failed to provide valid credentials.

disable

auth-fail-vlanid <VLAN_id>

Enter the VLAN identifier that the system assigns to users who attempted to authenticate but failed to provide valid credentials. This field is mandatory when auth-fail-vlan is enabled.

200

auth-order {MAB | MAB-dot1x | dot1x-MAB}

This command is available only when the set mac-auth-bypass command is enabled.

Select one of the authentication order modes:

  • MAB—In the MAB-only authentication mode, the FortiSwitch unit performs MAB authentication without performing EAP authentication. EAP packets are not sent.

  • MAB-dot1x—This command has been added for future use. It currently has no effect on authentication.

  • dot1x-MAB—This command has been added for future use. It currently has no effect on authentication.

MAB-dot1x

auth-priority {MAB-dot1x | dot1x-MAB | legacy}

Select the priority of MAC authentication bypass (MAB) authentication and EAP 802.1X authentication.

  • MAB-dot1x—The switch tries MAB authentication first and then EAP 802.1X authentication if MAB authentication fails. If EAP 802.1X authentication also fails, users are assigned to the auth-fail-vlanid VLAN if it is configured.

  • dot1x-MAB—The switch tries EAP 802.1X authentication first and then MAB authentication if EAP 802.1X fails. If MAB authentication also fails, users are assigned to the auth-fail-vlanid VLAN if it is configured.

  • legacy—The switch tries EAP 802.1X authentication and MAB authentication in the order that they are received with EAP 802.1X authentication having absolute priority. If authentication fails, users are assigned to a guest VLAN if it has been configured. There is no time delay involved.

This command is available only when the set mac-auth-bypass command is enabled.

legacy

authserver-timeout-period <3-15>

Enter the number of seconds before the authentication server stops trying to authenticate users.

3

authserver-timeout-tagged {disable | lldp-voice | static}

Select whether users are assigned to the specified VLAN when the authentication server times out:

  • disable—Users are not assigned to a specified VLAN when the authentication server times out.

  • lldp-voice—Users are assigned to the VLAN specified in the set lldp-profile command (under config switch physical-port).

  • static—Users are assigned to the tagged VLAN specified in the set authserver-timeout-tagged-vlanid command.

disable

authserver-timeout-tagged-vlanid <1-4094>

Enter the identifier for the tagged VLAN that the system assigns to users when the authentication server times out.

300

authserver-timeout-vlan {enable | disable}

Enable or disable whether users are assigned to the specified VLAN when the authentication server times out.

disable

authserver-timeout-vlanid <1-4094>

Enter the identifier for the untagged VLAN that the system assigns to users when the authentication server times out. This field is mandatory when authserver-timeout-vlan is enabled.

300

dacl {enable | disable}

Enable or disable the dynamic access control list (DACL) on this interface.

disable

eap-auto-untagged-vlans {enable | disable}

Enable to allow voice traffic with voice VLAN tag at egress.

enable

eap-passthru {disable | enable}

Enable or disable the EAP pass-through mode.

enable

framevid-apply {disable | enable}

Enable or disable the capability to apply the EAP/MAB frame VLAN to the port native VLAN.

NOTE: For phone and PC configuration only, disable framevid-apply to preserve the native VLAN when the data traffic is expected to be untagged.

enable

guest-auth-delay <integer>

If a device does not attempt to authenticate within this timeframe (in seconds), the guest VLAN is assigned.

5

guest-vlan {enable | disable}

When enabled, the system assigns the guest-vlanid to unauthorized users.

disable

guest-vlanid <VLAN_id>

VLAN identifier. Mandatory field when guest VLAN is enabled.

100

mab-eapol-request <0-10>

Set how many EAP packets are sent to trigger EAP authentication for “silent supplicants” (such as end devices running Windows 7) that send non-EAP packets when they wake up from sleep mode.

To disable this feature, set mab-eapol-request to 0 or disable mac-auth-bypass.

3

mac-auth-bypass {enable | disable}

Enable or disable MAC authentication bypass (MAB). If you enable MAB on the port, the system will use the device MAC address as the user name and password for authentication.

disable

open-auth {enable | disable}

Enable or disable open authentication (monitor mode) on this interface.

disable

quarantine-vlan {enable | disable}

Enable or disable quarantine VLAN detection. Enable this setting to use quarantines with 802.1x MAC-based authentication in FortiLink mode.

enable

radius-timeout-overwrite {enable | disable}

Enable this option to use the value of the session-timeout attribute. The session-timeout attribute specifies how many seconds of idleness are allowed before the FortiSwitch unit disconnects a session. The value must be more than 60 seconds.

disable

config raguard

<ID>

Enter an identifier for the IPv6 RA-guard configuration.

No default

raguard-policy <name_of_RA_guard_policy>

Enter the name of the RA-guard policy to use for this interface.

The RA-guard policy must be created (with the config switch raguard-policy command) before it is applied to an interface.

No default

vlan-list <list_of_VLANs>

Enter a VLAN or a range of VLANs to apply this policy to. Use less than 4,096 characters for the vlan-list value. Separate the VLANs and VLAN ranges with commas, for example:

1,3-4,6,7,9-100

All allowed VLANs on this port

config qnq

status {enable | disable}

Enable this setting to use the VLAN stacking (QnQ) mode.

disable

edge-type customer

If the QnQ mode is enabled, the edge type is set to customer.

customer

vlan-mapping-miss-drop {enable | disable}

If the QnQ mode is enabled, enable or disable whether a frame is dropped if the VLAN ID in the frame's tag is not defined in the vlan-mapping configuration. This option is available only when allowed-c-vlan has not been set.

disable

add-inner <1-4095>

If the QnQ mode is enabled, add the inner tag for untagged frames upon ingress.

No default

remove-inner {enable | disable}

If the QnQ mode is enabled, enable or disable whether the inner tag is removed upon egress.

disable

native-c-vlan <1-4094>

Specify the native C VLAN (1-4094) for untagged packets. When you specify a value for native-c-vlan, FortiSwitchOS adds the native inner tag to untagged frames upon ingress and removes the native inner tag at egress.

No default

allowed-c-vlan <list_of_VLANs>

Specify single VLANs or ranges of VLANs. Use a comma to separate values without any spaces. The allowed-c-vlan applies to both ingress and egress. You must use less than 4,096 characters to list the VLANs. This option is available only when vlan-mapping-miss-drop is disabled.

No default

priority {follow-c-tag | follow-s-tag}

If the QnQ mode is enabled, select whether to follow the priority of the S-tag (service tag) or C-tag (customer tag).

NOTE: This command is not available on the 224D-FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE and 248E-FPOE models.

follow-s-tag

s-tag-priority <0-7>

If frames follow the priority of the S-tag (service tag), enter the priority value. This option is available only when the priority is set to follow-s-tag.

NOTE: This command is not available on the 224D-FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE and 248E-FPOE models.

0

config vlan-mapping (options available when QnQ is enabled)

<id>

Enter a mapping entry identifier.

No default

description <string>

Enter a description of the mapping entry.

No default

match-c-vlan <1-4094>

Enter a matching customer (inner) VLAN.

0

new-s-vlan <1-4094>

Enter a new service (outer) VLAN.

NOTE: The VLAN must be in the port's allowed VLAN list.

This option is only available after you set the value for match-c-vlan.

No default

config vlan-mapping (options available when QnQ is disabled)

<id>

Enter an identifier for the VLAN mapping entry.

No default

description <string>

Enter a description of the VLAN mapping entry.

No default

direction {egress | ingress}

Select the ingress or egress direction.

No default

match-s-vlan <1-4094>

If the direction is set to egress, enter the service (outer) VLAN to match.

0

match-c-vlan <1-4094>

If the direction is set to ingress, enter the customer (inner) VLAN to match.

0

action {add | delete | replace}

Select what happens when the packet is matched:

  • add—When the packet is matched, add the service VLAN. You cannot set the action to add for the egress direction.
  • delete—When the packet is matched, delete the service VLAN. You cannot set the action to delete for the ingress direction.
  • replace—When the packet is matched, replace the customer VLAN or service VLAN.

This option is only available after you set a value for match-c-vlan or match-s-vlan.

No default

new-s-vlan <1-4094>

Set the new service (outer) VLAN.

This option is only available after you set the action to add or replace for the ingress direction or after you set the action to replace for the egress direction.

No default

Example

The following example shows QoS configuration on a trunk interface:

config switch interface

edit "tr1"

set snmp-index 56

set trust-dot1p-map "dot1p_map1"

set default-cos 1

set qos-policy "p1"

next

end

The following example shows how to configure 802.1x authentication:

config switch interface

edit "port11"

set native-vlan 200

set snmp-index 11

config port-security

set port-security-mode 802.1X

set auth-fail-vlan enable

set auth-fail-vlanid 301

set authserver-timeout-period 4

set authserver-timeout-vlan enable

set authserver-timeout-vlanid 300

set eap-auto-untagged-vlans enable

set eap-passthru enable

set framevid-apply enable

set guest-auth-delay 5

set guest-vlan enable

set guest-vlanid 401

set mab-eapol-request 0

set mac-auth-bypass disable

set open-auth disable

set quarantine-vlan enable

set radius-timeout-overwrite enable

end

set security-groups "radius1grp"

next

end

config switch ip-mac-binding

Use IP-MAC binding to prevent ARP spoofing.

The port accepts a packet only if the source IP address and source MAC address in the packet match an entry in the IP-MAC binding table.

You can enable or disable IP-MAC binding for the whole switch, and you can override this global setting for each port.

Syntax

config switch ip-mac-binding

edit <sequence_int>

set ip <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>

set mac <xx:xx:xx:xx:xx:xx>

set status {enable | disable}

next

end

Variable

Description

Default

<sequence_int>

Enter a sequence number for the IP-MAC binding entry.

No default

ip <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>

Enter the source IP address and network mask for this rule.

0.0.0.0 0.0.0.0

mac <xx:xx:xx:xx:xx:xx>

Enter the MAC address for this rule.

00:00:00:00:00:00

status {enable | disable}

Enable or disable the IP-MAC binding.

disable

Example

The following example configures the IP-MAC binding for the FortiSwitch unit:

config switch ip-mac-binding

edit 1

set ip 172.168.20.1 255.255.255.255

set mac 00:21:cc:d2:76:72

set status enable

next

end

config switch ip-source-guard

Use this command to configure IP source guard for a port by binding IPv4 addresses to MAC addresses.

Syntax

config switch ip-source-guard

edit <port_name>

config binding-entry

edit <id>

set ip <xxx.xxx.xxx.xxx>

set mac <XX:XX:XX:XX:XX:XX>

next

end

next

end

Variable

Description

Default

<port_name>

Enter the name of the port.

No default

<id>

Enter a unique integer to create a new entry.

No default

ip <xxx.xxx.xxx.xxx>

Required. Enter the IPv4 address to bind to the MAC address. Masks are not supported.

0.0.0.0

mac <XX:XX:XX:XX:XX:XX>

Required. Enter the MAC address to bind to the IPv4 address.

00:00:00:00:00:00

Example

The following example binds an IPv4 address to a MAC address so that traffic from that IP address will be allowed on port4:

config switch ip-source-guard

edit port4

config binding-entry

edit 1

set ip 172.168.20

set mac 00:21:cc:d2:76:72

next

end

next

end
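The admission checks behind config switch ip-mac-binding and config switch ip-source-guard, as an added example (editor's model, not FortiSwitchOS code): the binding table, the per-port override value and the sample packets are constructed, and a port with no source-guard entries is assumed to be unguarded.

```python
"""
Editor's model of IP-MAC binding and IP source guard packet admission.
Not FortiSwitchOS code; the table, override keyword and packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class IpMacBinding:
    """One config switch ip-mac-binding entry: set ip <addr> <mask>, set mac, set status."""
    ip: str
    mask: str
    mac: str
    status: str = "disable"

    def matches(self, src_ip: str, src_mac: str) -> bool:
        if self.status != "enable":
            return False                # entry is configured but not active
        network = ipaddress.ip_network(f"{self.ip}/{self.mask}", strict=False)
        return (ipaddress.ip_address(src_ip) in network
                and src_mac.lower() == self.mac.lower())


def ip_mac_binding_allows(table, src_ip, src_mac, global_status="disable",
                          port_override: Optional[str] = None) -> bool:
    """Decide whether a port accepts a packet under IP-MAC binding.

    global_status is the switch-wide setting. port_override models the per-port
    override the page mentions: "enable" or "disable" wins over the global value,
    None follows it (the override values are an assumption, not the page's syntax).
    """
    effective = port_override if port_override in ("enable", "disable") else global_status
    if effective != "enable":
        return True                     # binding is not enforced on this port
    # Enforced: the packet passes only if some active entry matches both fields.
    return any(entry.matches(src_ip, src_mac) for entry in table)


def ip_source_guard_allows(port_bindings, port, src_ip, src_mac) -> bool:
    """Decide whether IP source guard lets a packet in on `port`.

    port_bindings maps a port name to its config binding-entry list of (ip, mac)
    pairs. Masks are not supported, so the IPv4 address must match exactly.
    A port with no entries is assumed (editor's assumption) to be unguarded.
    """
    entries = port_bindings.get(port)
    if not entries:
        return True
    return any(ip == src_ip and mac.lower() == src_mac.lower() for ip, mac in entries)


# Constructed sample configuration mirroring the two CLI examples above.
BINDING_TABLE = [
    IpMacBinding("172.168.20.1", "255.255.255.255", "00:21:cc:d2:76:72", "enable"),
    IpMacBinding("10.10.5.0", "255.255.255.0", "00:21:cc:aa:bb:cc", "disable"),  # configured, off
]
SOURCE_GUARD = {"port4": [("172.168.20.1", "00:21:cc:d2:76:72")]}

if __name__ == "__main__":
    # A host claiming the bound IP from a different MAC (ARP spoofing) is refused.
    print(ip_mac_binding_allows(BINDING_TABLE, "172.168.20.1", "00:21:cc:d2:76:72", "enable"))
    print(ip_mac_binding_allows(BINDING_TABLE, "172.168.20.1", "de:ad:be:ef:00:01", "enable"))
    print(ip_source_guard_allows(SOURCE_GUARD, "port4", "172.168.20.1", "de:ad:be:ef:00:01"))
```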

config switch lldp profile

Use this command to configure LLDP profile settings. The LLDP profile contains most of the port-specific configuration. Profiles are designed to provide a central point of configuration for LLDP settings that are likely to be the same for multiple ports.

There are two static LLDP profiles: default and default-auto-isl. These profiles are created automatically. They can be modified but cannot be deleted. The default-auto-isl profile always has auto-isl enabled, and rejects any configurations which attempt to disable it.

Syntax

config switch lldp profile

edit <profile>

set 802.1-tlvs {port-vlan-id | vlan-name}

set 802.3-tlvs {eee-config | max-frame-size | power-negotiation}

set auto-isl {enable | disable}

set auto-isl-auth {legacy | strict | relax}

set auto-isl-auth-encrypt {mixed | must | none}

set auto-isl-auth-identity <string>

set auto-isl-auth-macsec-profile default-macsec-auto-isl

set auto-isl-auth-reauth <0-3600>

set auto-isl-auth-user <string>

set auto-isl-hello-timer <1-30>

set auto-isl-port-group <0-9>

set auto-isl-receive-timeout <3-90>

set auto-mclag-icl {enable | disable}

set med-tlvs {inventory-management | location-identification | network-policy | power-management}

set vlan-name-map <single_VLANs_or_VLAN_ranges>

config custom-tlvs

edit <TLVname_str>

set information-string <hex-bytes>

set oui <hex-bytes>

set subtype <integer>

next

config med-location-service

edit address-civic

set status {enable | disable}

set sys-location-id <string>

next

edit coordinates

set status {enable | disable}

set sys-location-id <string>

next

edit elin-number

set status {enable | disable}

set sys-location-id <string>

next

config med-network-policy

edit {guest-voice | guest-voice-signaling | softphone-voice | streaming-video | video-conferencing | video-signaling | voice | voice-signaling}

set status {enable | disable}

set assign-vlan {enable | disable}

set dscp <0-63>

set priority <0-7>

set vlan <0-4094>

next

end

Variable

Description

Default

profile

Enter a name for the LLDP profile.

No default

802.1-tlvs {port-vlan-id | vlan-name}

The port-vlan-id TLV will send the native VLAN of the port. If the value is changed, the sent value will reflect the updated value.

The vlan-name TLV sends the VLAN descriptions that are configured in the set description command under config switch vlan.

No default

802.3-tlvs {eee-config | max-frame-size | power-negotiation}

Set which 802.3 TLVs are enabled:
  • eee-config—Use this TLV to send the energy-efficient Ethernet (EEE) status of the port.
  • max-frame-size—This TLV will send the maximum frame size value of the port. If the value is changed, the sent value reflects the updated value.
  • power-negotiation—Use this TLV to send the power over Ethernet (PoE) classification of the port.

no TLV enabled

auto-isl

Enable or disable the auto ISL capability.

Disabled

auto-isl-auth {legacy | strict | relax}

Select the authentication mode:

  • legacy—This mode is the default. There is no authentication.

  • strict—If authentication succeeds, FortiOS forms a secure ISL trunk. If authentication fails, no ISL trunk is formed.

  • relax—If authentication succeeds, FortiOS forms a secure ISL trunk. If authentication fails, FortiOS forms a restricted ISL trunk.

legacy

auto-isl-auth-encrypt {mixed | must | none}

Select the encryption mode:

  • mixed—FortiOS enables MACsec on the ISL trunk ports that support MACsec; the ISL trunk members act as encrypted links. FortiOS disables MACsec on the ISL members that do not support MACsec; these ISL trunk members act as unencrypted links.

  • must—FortiOS enables MACsec on all ISL trunk members. If the port supports MACsec, the port acts as an encrypted link. If the port does not support MACsec, the port is removed from the ISL trunk, but the port still functions as a user port.

  • none—There is no encryption, and FortiOS does not enable MACsec on the ISL trunk members.

This option is available when auto-isl-auth is set to strict or relax.

none

auto-isl-auth-identity <string>

Enter the identity, such as fortilink.

This option is available when auto-isl-auth is set to strict or relax.

No default

auto-isl-auth-macsec-profile default-macsec-auto-isl

Use the default-macsec-auto-isl profile.

This option is available when auto-isl-auth-encrypt is set to mixed or must.

default-macsec-auto-isl

auto-isl-auth-reauth <0-3600>

Enter the reauthentication period in minutes.

This option is available when auto-isl-auth is set to strict or relax.

3600

auto-isl-auth-user <string>

Select the user certificate, such as Fortinet_Factory.

This option is available when auto-isl-auth is set to strict or relax.

No default

auto-isl-hello-timer <1-30>

Enter a value (in seconds) for the hello timer. The range is 1 to 30.

3

auto-isl-port-group <0-9>

Enter a value for the port group. The range is 0 to 9.

0

auto-isl-receive-timeout <3-90>

Enter a value (in seconds) for the receive timeout. The range is 3 to 90.

9

auto-mclag-icl {enable | disable}

Enable or disable the MCLAG inter-chassis link.

disable

med-tlvs {inventory-management | location-identification | network-policy | power-management}

Enable the inventory-management TLVs, location-identification TLVs, network-policy TLVs, and/or power-management TLVs.

inventory-management network-policy location-identification

vlan-name-map <single_VLANs_or_VLAN_ranges>

You can enter more than 10 VLAN identifiers, but only the first 10 VLANs with VLAN descriptions will be advertised.

The VLAN identifiers are separated with commas and no spaces. The vlan-name-map configuration must be less than 4,096 characters.

This option is available only when 802.1-tlvs is set to vlan-name.

No default

config custom-tlvs

<TLVname_str>

Enter the TLV name.

No default

information-string

Organizationally defined information string. Enter up to 507 bytes in hexadecimal notation.

No default

oui

Organizationally unique identifier. Enter 3 hexadecimal bytes (000000 - FFFFFF). At least one byte must have a non-zero value.

000000

subtype

Organizationally defined subtype. Enter an integer in the range of 0 to 255.

0

config med-location-service

address-civic

Civic address and postal information.

No default

status {enable | disable}

Enable the status to transmit the type-length-value (TLV) if the LLDP-MED profile has been enabled on a port.

disable

sys-location-id <string>

Use the specified location entry that was already entered with the config system location command.

No default

coordinates

Coordinates of the location.

No default

status {enable | disable}

Enable the status to transmit the type-length-value (TLV) if the LLDP-MED profile has been enabled on a port.

disable

sys-location-id <string>

Use the specified location entry that was already entered with the config system location command.

No default

elin-number

Emergency location identifier number (ELIN).

No default

status {enable | disable}

Enable the status to transmit the type-length-value (TLV) if the LLDP-MED profile has been enabled on a port.

disable

sys-location-id <string>

Use the specified location entry that was already entered with the config system location command.

No default

config med-network-policy

{guest-voice | guest-voice-signaling | softphone-voice | streaming-video | video-conferencing | video-signaling | voice | voice-signaling}

Enter one of the policy type names.

No default

status {enable | disable}

Enable or disable the policy for the policy type.

disable

assign-vlan {enable | disable}

Enable or disable whether the VLAN is added as one of the allowed-vlans for this port.

disable

dscp <0-63>

DSCP value to send.

0

priority <0-7>

CoS priority value to send.

0

vlan <0-4094>

VLAN value to send.

Setting this option to 0 will advertise the network policy as priority tagged, rather than VLAN tagged. Priority tagged network policies are always transmitted, whereas VLAN tagged are only transmitted if the VLAN is present on the switch interface sending the LLDP packet.

0

NOTE: LLDP-MED network policies cannot be deleted or added. To use a policy, the med-tlvs field must include network-policy, and you must set the policy to enabled. The VLAN values on the policy are cross-checked against the VLAN native, allowed, and untagged attributes for any interfaces that contain physical-ports using this profile. The cross-check determines if the policy TLV should be sent (VLAN must be native or allowed), and if the TLV should mark the VLAN as tagged or untagged (VLAN is native, or is in untagged). The network policy TLV is automatically updated when a switch interface changes VLAN configuration, or if a physical port is added to, or removed from, a trunk.
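What the config custom-tlvs limits (3-byte OUI, subtype 0-255, information string up to 507 bytes) and the network-policy cross-check in the NOTE above produce on the wire, as an added example (editor's code, not FortiSwitchOS code): both go through the same IEEE 802.1AB type-127 TLV encoder, and the network policy is emitted as an ANSI/TIA-1057 Network Policy TLV. The interface VLAN sets and policy entries are constructed sample data.

```python
"""
Editor's illustration of LLDP organizationally specific TLVs (type 127) and the
LLDP-MED network-policy cross-check. Not FortiSwitchOS code; sample data constructed.
"""
import struct
from dataclasses import dataclass, field
from typing import Optional

ORG_SPECIFIC_TLV_TYPE = 127
MAX_INFO_STRING_BYTES = 507            # 9-bit TLV length (511) minus OUI (3) and subtype (1)
LLDP_MED_OUI = bytes.fromhex("0012bb")  # TIA OUI carried by every LLDP-MED TLV
MED_NETWORK_POLICY_SUBTYPE = 2

# ANSI/TIA-1057 application type codes keyed by the FortiSwitch policy names.
MED_APPLICATION_TYPE = {
    "voice": 1, "voice-signaling": 2, "guest-voice": 3, "guest-voice-signaling": 4,
    "softphone-voice": 5, "video-conferencing": 6, "streaming-video": 7,
    "video-signaling": 8,
}


def custom_tlv(oui_hex: str, subtype: int, information_hex: str) -> bytes:
    """Encode one config custom-tlvs entry, enforcing the limits the CLI documents."""
    oui = bytes.fromhex(oui_hex)
    info = bytes.fromhex(information_hex)
    if len(oui) != 3 or oui == b"\x00\x00\x00":
        raise ValueError("oui must be 3 bytes with at least one non-zero byte")
    if not 0 <= subtype <= 255:
        raise ValueError("subtype must be 0-255")
    if len(info) > MAX_INFO_STRING_BYTES:
        raise ValueError("information-string exceeds 507 bytes")
    length = 4 + len(info)                            # OUI + subtype + payload
    header = (ORG_SPECIFIC_TLV_TYPE << 9) | length    # 7-bit type, 9-bit length
    return struct.pack("!H", header) + oui + bytes([subtype]) + info


@dataclass
class InterfaceVlans:
    """VLAN attributes of a switch interface whose physical ports use the profile."""
    native: int
    allowed: set = field(default_factory=set)
    untagged: set = field(default_factory=set)


@dataclass
class MedNetworkPolicy:
    """One config med-network-policy entry."""
    name: str
    status: str = "disable"
    vlan: int = 0
    priority: int = 0
    dscp: int = 0


def network_policy_tlv(policy: MedNetworkPolicy, iface: InterfaceVlans,
                       med_tlvs) -> Optional[bytes]:
    """Return the Network Policy TLV to send, or None when the cross-check suppresses it."""
    if policy.status != "enable" or "network-policy" not in med_tlvs:
        return None
    if policy.vlan == 0:
        tagged = True      # priority tagged: VLAN ID 0 with the T flag set; always sent
    else:
        if policy.vlan != iface.native and policy.vlan not in iface.allowed:
            return None    # VLAN is neither native nor allowed on the interface
        tagged = not (policy.vlan == iface.native or policy.vlan in iface.untagged)
    # Flags/VLAN word, big-endian: U(1) T(1) X(1) VLAN ID(12) L2 priority(3) DSCP(6)
    bits = (int(tagged) << 22) | (policy.vlan << 9) | (policy.priority << 6) | policy.dscp
    info = bytes([MED_APPLICATION_TYPE[policy.name]]) + bits.to_bytes(3, "big")
    return custom_tlv(LLDP_MED_OUI.hex(), MED_NETWORK_POLICY_SUBTYPE, info.hex())


if __name__ == "__main__":
    # Constructed interface: native VLAN 1, VLAN 400 allowed (tagged), 401 untagged.
    iface = InterfaceVlans(native=1, allowed={400, 401}, untagged={401})
    voice = MedNetworkPolicy("voice", "enable", vlan=400, priority=5, dscp=46)
    print(network_policy_tlv(voice, iface, {"inventory-management", "network-policy"}).hex())
    print(custom_tlv("aabbcc", 1, "deadbeef").hex())   # constructed OUI and payload
```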

Example

The following example configures an LLDP-MED profile:

config switch lldp profile

edit "Forti670i"

config med-network-policy

edit "voice"

set dscp 46

set priority 5

set status enable

set vlan 400

next

edit "guest-voice"

next

edit "guest-voice-signaling"

next

edit "softphone-voice"

next

edit "video-conferencing"

next

edit "streaming-video"

set dscp 40

set priority 3

set status enable

set vlan 400

next

edit "video-signaling"

next

end

set med-tlvs inventory-management network-policy

next

end

config switch lldp settings

Configure the global LLDP settings.

Syntax

config switch lldp settings

set status {enable| disable}

set tx-hold <1-16>

set tx-interval <5-4095>

set fast-start-interval <0 or 2-5>

set management-interface {internal | <string>}

set management-address {ipv4 | ipv6 | none}

set device-detection {enable | disable}

end

Variable

Description

Default

status

Enable or disable LLDP on the FortiSwitch unit.

Enabled

tx-hold

Number of tx-intervals before the local LLDP data expires. Therefore, the packet TTL (in seconds) is tx-hold times tx-interval. The range for tx-hold is 1 to 16.

4

tx-interval

How often the FortiSwitch transmits the LLDP PDU. The range is 5 to 4095 seconds.

30

fast-start-interval

How often the FortiSwitch transmits the first 4 LLDP packets when a link comes up. The range is 2 to 5 seconds.

Set this variable to zero to disable fast start.

2

management-interface

Primary management interface to be advertised in LLDP and CDP PDUs.

mgmt or internal, depending on FortiSwitch model.

management-address {ipv4 | ipv6 | none}

Select whether to advertise the IPv4 management address, the IPv6 management address, or no management address in the Management Address TLV.

ipv4 ipv6

device-detection {enable | disable}

Enable or disable whether LLDP neighbor devices are dynamically detected.

This option is available only in FortiLink mode.

disable

Example

The following example configures the global LLDP settings:

config switch lldp settings

set status enable

set tx-hold 8

set tx-interval 2000

set fast-start-interval 3

set management-interface internal

set management-address ipv4

end

config switch macsec profile

Use these commands to configure a Media Access Control security (MACsec) profile.

Syntax

config switch macsec profile

edit <profile_name>

set cipher_suite {GCM-AES-128 | GCM-AES-256 | GCM-AES-XPN-128 | GCM-AES-XPN-256}

set confident-offset {0 | 30 | 50}

set eap-tls-ca-cert <CA_certificate>

set eap-tls-cert <client_certificate>

set eap-tls-identity <name_of_client>

set eap-tls-radius-server <name_of_RADIUS_server>

set encrypt-traffic {enable | disable}

set include-macsec-sci {enable | disable}

set include-mka-icv-ind enable

set macsec-mode {static-cak | dynamic-cak}

set macsec-validate strict

set mka-priority <0-255>

set mka-sak-rekey-time {0 | 60-1000000}

set replay-protect {enable | disable}

set replay-window <0-16777215>

set status {enable | disable}

config mka-psk

edit <pre-shared key name>

set crypto-alg {AES_128_CMAC | AES_256_CMAC}

set mka-cak <string>

set mka-ckn <string>

set status active

next

end

config traffic-policy

edit <traffic_policy_name>

set exclude-protocol {arp | dot1q | fortilink | ipv4 | ipv6 | lacp | lldp | qinq | stp}

set security-policy must-secure

set status enable

next

end

next

end

Variable

Description

Default

<profile_name>

Enter a name for the MACsec profile.

No default

cipher_suite {GCM-AES-128 | GCM-AES-256 | GCM-AES-XPN-128 | GCM-AES-XPN-256}

Select which cipher suite to use for encryption.

GCM-AES-128

confident-offset {0 | 30 | 50}

Select the number of bytes for the MACsec traffic confidentiality offset. Selecting 0 means that all of the MACsec traffic is encrypted. Selecting 30 or 50 bytes means that the first 30 or 50 bytes of MACsec traffic are not encrypted.

0

eap-tls-ca-cert <CA_certificate>

Specify the certificate authority (CA) to use for the MACsec CAK.

This option is available only when macsec-mode is set to dynamic-cak.

No default

eap-tls-cert <client_certificate>

Select the client certificate that you imported for the MACsec CAK.

This option is available only when macsec-mode is set to dynamic-cak.

No default

eap-tls-identity <name_of_client>

Enter the name of the client for the MACsec CAK.

This option is available only when macsec-mode is set to dynamic-cak.

No default

eap-tls-radius-server <name_of_RADIUS_server>

Enter the name of the RADIUS server to use for the MACsec CAK.

This option is available only when macsec-mode is set to dynamic-cak.

No default

encrypt-traffic {enable | disable}

Enable or disable whether MACsec traffic is encrypted.

enable

include-macsec-sci {enable | disable}

Enable or disable whether to include the MACsec transmit secure channel identifier (SCI).

enable

include-mka-icv-ind enable

The MACsec Key Agreement (MKA) integrity check value (ICV) indicator is always included.

enable

macsec-mode {static-cak | dynamic-cak}

Select whether MACsec uses the static-CAK mode or the dynamic-CAK mode.

static-cak

macsec-validate strict

The MACsec validation is always strict.

strict

mka-priority <0-255>

Enter the MACsec MKA priority.

255

mka-sak-rekey-time {0 | 60-1000000}

Set the number of seconds before a new secure association key (SAK) is generated. Set to 0 to disable the timer. The minimum number of seconds is 60; the maximum number of seconds is 1,000,000.

0

replay-protect {enable | disable}

Enable or disable MACsec replay protection. MACsec replay protection drops packets that arrive out of sequence, depending on the replay-window value.

disable

replay-window <0-16777215>

Enter the number of packets for the MACsec replay window size. If two packets arrive with the difference between their packet identifiers more than the replay window size, the most recent packet of the two is dropped. The range is 0-16777215 packets. Enter 0 to ensure that all packets arrive in order without any repeats.

32

status {enable | disable}

Enable or disable this MACsec profile.

enable

config mka-psk

Configure the MACsec MKA pre-shared key.

<pre-shared key name>

Enter a name for this MACsec MKA pre-shared key configuration.

No default

crypto-alg {AES_128_CMAC | AES_256_CMAC}

Select the AES_128_CMAC or AES_256_CMAC algorithm to encrypt the pre-shared key.

AES_128_CMAC

mka-cak <string>

Enter the string of hexadecimal digits for the connectivity association key (CAK). The string can be 32 bytes or 64 bytes long.

No default

mka-ckn <string>

Enter the string of hexadecimal digits for the connectivity association name (CKN). The string must be an even number of bytes, 2 bytes to 64 bytes long.

No default

status active

The status of the pre-shared key pair is always active.

active

config traffic-policy

Configure the MACsec traffic policy.

<traffic_policy_name>

Enter a name for this MACsec traffic policy.

No default

exclude-protocol {arp | dot1q | fortilink | ipv4 | ipv6 | lacp | lldp | qinq | stp}

Select one or more protocols that will not be secured by the MACsec traffic policy:

  • arp—Do not encrypt ARP packets.
  • dot1q—Do not encrypt 802.1q VLAN packets.
  • fortilink—Do not encrypt FortiLink packets.
  • ipv4—Do not encrypt IPv4 packets.
  • ipv6—Do not encrypt IPv6 packets.
  • lacp—Do not encrypt LACP packets.
  • lldp—Do not encrypt LLDP packets.
  • qinq—Do not encrypt 802.1ad QinQ packets.
  • stp—Do not encrypt STP packets.

Separate protocols with a space. By default, all protocols are encrypted if no protocols are excluded.

No default

security-policy must-secure

The policy must secure traffic for MACsec.

must-secure

status enable

The status of this MACsec traffic policy is always enabled.

enable

Example

This example configures a MACsec profile.

config switch macsec profile

edit "2"

set cipher_suite GCM-AES-128

set confident-offset 0

set encrypt-traffic enable

set include-macsec-sci enable

set include-mka-icv-ind enable

set macsec-mode static-cak

set macsec-validate strict

set mka-priority 199

config mka-psk

edit "2"

set crypto-alg AES_128_CMAC

set mka-cak "0123456789ABCDEF0123456789ABCDEE"

set mka-ckn "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333436"

set status active

next

end

set replay-protect disable

set replay-window 32

set status enable

config traffic-policy

edit "2"

set security-policy must-secure

set status enable

next

end

next

end

config switch mirror

Use these commands to configure the packet mirror. Packet mirroring allows you to collect packets on specified ports and then send them to another port to be collected and analyzed.

Syntax

config switch mirror

edit <mirror session name>

set dst <interface>

set encap-gre-protocol <hexadecimal_integer>

set encap-ipv4-src <IPv4_address>

set encap-ipv4-tos <hexadecimal_integer>

set encap-ipv4-ttl <0-255>

set encap-mac-dst <MAC_address>

set encap-mac-src <MAC_address>

set encap-vlan {tagged | untagged}

set encap-vlan-cfi <0-1>

set encap-vlan-id <1-4094>

set encap-vlan-priority <0-7>

set encap-vlan-tpid <0x0001-0xfffe>

set erspan-collector-ip <IPv4_address>

set mode {ERSPAN-auto | ERSPAN-manual | RSPAN | SPAN}

set rspan-ip <IPv4_address>

set src-egress <interface_name>

set src-ingress <interface_name>

set status {active | inactive}

set strip-mirrored-traffic-tags {disable | enable}

set switching-packet {enable | disable}

end

Variable

Description

Default

<mirror session name>

Enter the name of the mirror session to edit (or enter a new mirror session name).

No default

dst <interface>

Required when the mode is set to ERSPAN-manual, RSPAN (when the switch is not in FortiLink mode), or SPAN.

On FortiSwitch models that support RSPAN and ERSPAN, set the trunk or physical port that will act as a mirror. The physical port cannot be part of a trunk.

On FortiSwitch models that do not support RSPAN and ERSPAN, set the physical port that will act as a mirror. The physical port can be part of a trunk.

No default

encap-gre-protocol <hexadecimal_integer>

Set the protocol value in the ERSPAN GRE header.

This option is available when the mode is ERSPAN-auto or ERSPAN-manual.

0x88be

encap-ipv4-src <IPv4_address>

Required when the mode is set to ERSPAN-manual and the status is active.

Set the IPv4 source address in the ERSPAN IP header. The range is 0.0.0.1-255.255.255.254.

This option is available when the mode is ERSPAN-manual.

0.0.0.0

encap-ipv4-tos <hexadecimal_integer>

Set the type of service (ToS) value or enter the DSCP and ECN values in the ERSPAN IP header.

This option is available when the mode is ERSPAN-auto or ERSPAN-manual.

0x00

encap-ipv4-ttl <0-255>

Set the IPv4 time-to-live (TTL) value in the ERSPAN IP header.

This option is available when the mode is ERSPAN-auto or ERSPAN-manual.

16

encap-mac-dst <MAC_address>

Required when the mode is set to ERSPAN-manual and the status is active.

Set the MAC address of the next-hop or gateway on the path to the ERSPAN collector IP address. The range is 00:00:00:00:00:01-FF:FF:FF:FF:FF:FF.

This option is available only when the mode is ERSPAN-manual.

00:00:00:00:00:00

encap-mac-src <MAC_address>

Required when the mode is set to ERSPAN-manual and the status is active.

Set the source MAC address in the ERSPAN Ethernet header. The range is 00:00:00:00:00:01-FF:FF:FF:FF:FF:FE.

This option is available when the mode is ERSPAN-manual.

00:00:00:00:00:00

encap-vlan {tagged | untagged}

Set the status of ERSPAN encapsulation headers to tagged or untagged to control whether the VLAN header is added to the encapsulated traffic.

This option is available if the mode is ERSPAN-manual.

untagged

encap-vlan-cfi <0-1>

Set the canonical format identifier (CFI) or drop eligible indicator (DEI) bit in the ERSPAN or RSPAN VLAN header.

This option is available when the mode is RSPAN or ERSPAN-auto. This option is available for the ERSPAN-manual mode if encap-vlan is set to tagged.

When the mode is RSPAN, this option is not available on the 248D, 248D-POE, 248D-FPOE, 248E, 248E-POE, 248E-FPOE, 448D, 448D-POE, and 448D-FPOE models.

0

encap-vlan-id <1-4094>

Set the VLAN identifier in the ERSPAN or RSPAN VLAN header.

This option is available when the mode is RSPAN. This option is available for the ERSPAN-manual mode if encap-vlan is set to tagged.

1

encap-vlan-priority <0-7>

Set the class of service (CoS) bits in the ERSPAN or RSPAN VLAN header.

This option is available when the mode is RSPAN or ERSPAN-auto. This option is available for the ERSPAN-manual mode if encap-vlan is set to tagged.

When the mode is RSPAN, this option is not available on the 248D, 248D-POE, 248D-FPOE, 248E, 248E-POE, 248E-FPOE, 448D, 448D-POE, and 448D-FPOE models.

0

encap-vlan-tpid <0x0001-0xfffe>

Set the tag protocol identifier (TPID) for the encapsulating VLAN header. The default value, 0x8100, is for an IEEE 802.1Q-tagged frame.

This option is available when the mode is RSPAN or ERSPAN-auto. This option is available for the ERSPAN-manual mode if encap-vlan is set to tagged.

0x8100

erspan-collector-ip <IPv4_address>

Required when the status is active and the mode is set to ERSPAN-auto or ERSPAN-manual.

Set the IPv4 address for the ERSPAN collector. The range is 0.0.0.1-255.255.255.255.

This option is available only when the mode is ERSPAN-auto or ERSPAN-manual.

0.0.0.0

mode {ERSPAN-auto | ERSPAN-manual | RSPAN | SPAN}

Select the mirroring mode:

  • ERSPAN-auto—Mirror traffic to the specified destination interface using ERSPAN encapsulation. The header contents are automatically configured.
  • ERSPAN-manual—Mirror traffic to the specified destination interface using ERSPAN encapsulation. The header contents are manually configured.
  • RSPAN—Mirror traffic to the specified destination interface using RSPAN encapsulation.
  • SPAN—Mirror traffic to the specified destination interface without encapsulation.

SPAN is supported on all FortiSwitch models. RSPAN and ERSPAN are supported on 124D, 224D-FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE, 248E-FPOE, 524D, 524D-FPOE, 548D, 548D-FPOE, 1024D, 1048D, 1048E, 3032D, and 3032E.

SPAN

rspan-ip <IPv4_address>

Required when the mode is RSPAN, the status is active, and the switch is in FortiLink mode.

Enter the destination IP address for the RSPAN collector. The range is 0.0.0.1-255.255.255.255.

This option is available only when the mode is RSPAN and the switch is in FortiLink mode.

0.0.0.0

src-egress <interface_name>

Optional. Set the source egress physical ports that will be mirrored. Only one active egress mirror session is allowed.

No default

src-ingress <interface_name>

Optional. Specify the source ingress physical ports that will be mirrored.

No default

status {active | inactive}

Set the mirror session to active or inactive.

inactive

strip-mirrored-traffic-tags {disable | enable}

Enable or disable the removal of VLAN tags from mirrored traffic.

This option is available if the mode is ERSPAN-auto or ERSPAN-manual.

disable

switching-packet {enable | disable}

Enable or disable the switching functionality on the dst interface when mirroring.

disable

Example

The following example configures a port mirror:

config switch mirror

edit "m1"

set mode SPAN

set dst "port5"

set src-egress "port2" "port3"

set src-ingress "port2" "port4"

set status active

set switching-packet enable

end

config switch mld-snooping globals

Use this command to configure global settings for Multicast Listener Discovery (MLD) snooping on the FortiSwitch unit.

Syntax

config switch mld-snooping globals

set aging-time <integer>

set leave-response-timeout <integer>

set query-interval <10-1200>

end

Variable

Description

Default

aging-time <integer>

The maximum number of seconds to retain a multicast snooping entry for which no packets have been seen (15-3600).

300

leave-response-timeout <integer>

Enter the maximum number of seconds that the switch waits after sending a group-specific query in response to the leave message. The range of values is 1-20.

10

query-interval <10-1200>

Enter the maximum number of seconds between MLD queries.

125

Example

The following example configures the global settings for MLD snooping on the FortiSwitch unit:

config switch mld-snooping globals

set aging-time 150

set leave-response-timeout 15

set query-interval 200

end

config switch mrp profile

Use this command to configure a Media Redundancy Protocol (MRP) profile.

Syntax

config switch mrp profile

edit <MRP_profile_name>

set default-test-interval <30-50 ms>

set short-test-interval <10-30 ms>

set test-monitoring-count <1-5>

set topology-change-interval <10-20 ms>

set topology-change-repeat-count <1-5>

next

end

Variable

Description

Default

<MRP_profile_name>

Enter a name for the MRP profile.

No default

default-test-interval <30-50 ms>

Enter the default number of milliseconds between sending MRP_Test frames.

50

short-test-interval <10-30 ms>

Enter the number of milliseconds before sending MRP_Test frames after link changes in the ring.

30

test-monitoring-count <1-5>

Enter the number of MRP_Test frames received that are monitored.

5

topology-change-interval <10-20 ms>

Enter the number of milliseconds between sending MRP_TopologyChange frames.

20

topology-change-repeat-count <1-5>

Enter the number of repeated MRP_TopologyChange frames that are transmitted.

3

config switch mrp settings

Use this command to configure the Media Redundancy Protocol (MRP) settings.

Syntax

config switch mrp settings

edit <MRP_ring_ID>

set status {disable | enable}

set role {automanager | client}

set domain-id <32_hexadecimal_digits>

set domain-name <domain_name>

set vlan-id <1-4094>

set priority <0-65535>

set ring-port1 <port_name>

set ring-port2 <port_name>

set profile-name {500ms | <custom_profile_name>}

next

end

Variable

Description

Default

<MRP_ring_ID>

Enter a unique identifier for this MRP ring.

No default

status {disable | enable}

Enable or disable MRP.

disable

role {automanager | client}

Select whether the switch acts as an MRP client or an MRP automanager.

client

domain-id <32_hexadecimal_digits>

Enter a universally unique identifier to represent the MRP ring.

FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF

domain-name <domain_name>

Enter a unique logical name for the MRP domain identifier.

domain1

vlan-id <1-4094>

Optional. Enter the VLAN identifier for sending MRP frames. If you set this option to a value other than 1, the VLAN must be created before it is assigned to the MRP ring.

1

priority <0-65535>

Enter the priority of the MRP manager. The highest priority is 0, and the lowest priority is 65535.

40960

ring-port1 <port_name>

The physical port that serves as the first ring port.

No default

ring-port2 <port_name>

The physical port that serves as the second ring port.

No default

profile-name {500ms | <custom_profile_name>}

A unique MRP profile name.

500ms

Example

This example shows how to configure the settings for the MRP manager:

config switch mrp settings

edit 1

set status enable

set role automanager

set domain-id FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF

set domain-name domain1

set vlan-id 4094

set priority 40960

set ring-port1 port7

set ring-port2 port8

set profile-name profile1

next

end

config switch network-monitor directed

Use this command to configure a static entry for network monitoring on the FortiSwitch unit.

Syntax

config switch network-monitor directed

edit <unused network monitor>

set monitor-mac <xx:xx:xx:xx:xx:xx>

end

Variable

Description

Default

<unused network monitor>

Enter the number of an unused network monitor.

No default

monitor-mac <xx:xx:xx:xx:xx:xx>

Enter the MAC address to be monitored.

00:00:00:00:00:00

Example

The following example specifies a MAC address to be monitored:

config switch network-monitor directed

edit 1

set monitor-mac 00:25:00:61:64:6d

next

end

config switch network-monitor settings

Use this command to configure global settings for network monitoring on the FortiSwitch unit.

Syntax

config switch network-monitor settings

set db-aging-interval <3600-86400>

set status {disable | enable}

set survey-mode {disable | enable}

set survey-mode-interval <120-3600>

end

Variable

Description

Default

db-aging-interval <integer>

Enter the network monitor database aging interval. The value range is 3600-86400 seconds. Set the option to 0 to disable it.

3600

status {disable | enable}

Enable or disable the network monitor.

disable

survey-mode {disable | enable}

Enable or disable the network monitor survey mode.

disable

survey-mode-interval <integer>

Enter the duration for which a network monitor is programmed in hardware in the survey mode. The value range is 120-3600 seconds.

120

Example

The following example starts network monitoring in survey mode:

config switch network-monitor settings

set status enable

set survey-mode enable

set survey-mode-interval 480

end

config switch phy-mode

Use this command to configure split ports or to set the speed of the FS-2048F ports.

Syntax

config switch phy-mode

set port-configuration {default | disable-port54 | disable-port41-48 | 4x100G | 6x40G | 4x4x25G}

set {<port-name>-phy-mode <single-port> | port1-port12-phy-mode | port13-port24-phy-mode | port25-port36-phy-mode | port37-port48-phy-mode} {4x25G | 4x10G | 4x1G | 2x50G | 1G/10G | 25G}

...

end

Variable

Description

Default

port-configuration {default | disable-port54 | disable-port41-48 | 4x100G | 6x40G | 4x4x25G}

  • For 548D and 548D-FPOE, set this option to disable-port54 if only port 53 is splittable and port 54 is unavailable.

  • For 548D and 548D-FPOE, set this option to disable-port41-48 if ports 41 to 48 are unavailable, but ports 53 and 54 are splittable.

  • For 1048E, set this option to 4x100G to enable the maximum speed (100G) of ports 49 through 52. Ports 53 and 54 are disabled.

  • For 1048E, set this option to 6x40G to enable the maximum speed (40G) of ports 49 through 54.

  • For 1048E, set this option to 4x4x25G to enable the maximum speed (25G) of ports 49 through 52. Ports 47 and 48 are disabled.

default

{<port-name>-phy-mode <single-port> | port1-port12-phy-mode | port13-port24-phy-mode | port25-port36-phy-mode | port37-port48-phy-mode} {4x25G | 4x10G | 4x1G | 2x50G | 1G/10G | 25G}

Use one entry for each port that supports split ports.

  • Set this option to single-port to use the port at the full base speed without splitting it.

  • For FS-2048F, set this option to port1-port12-phy-mode to set the speed of ports 1-12.

  • For FS-2048F, set this option to port13-port24-phy-mode to set the speed of ports 13-24.

  • For FS-2048F, set this option to port25-port36-phy-mode to set the speed of ports 25-36.

  • For FS-2048F, set this option to port37-port48-phy-mode to set the speed of ports 37-48.

  • For 100G QSFP only, set this option to 4x25G to split one port into four subports of 25 Gbps each.
    NOTE: For the FS-T1024E and FS-1024E models, the auto-module selects the correct speed for the subports. If you insert a 100G QSFP28 module, the subports are automatically changed to 4x25G. If you insert a 40G QSFP+ module, the subports are automatically changed to 4x10G.

  • For 40G or 100G QSFP only, set this option to 4x10G to split one port into four subports of 10Gbps each.

  • For 40G or 100G QSFP only, set this option to 4x1G to split one port into four subports of 1 Gbps each.

  • For 100G QSFP only, set this option to 2x50G to split one port into two subports of 50 Gbps each.

  • For FS-2048F, set this option to 1G/10G to set the speed of the ports to 1G or 10G.

  • For FS-2048F, set this option to 25G to set the speed of the ports to 25G.

1x40G

Example

In the following example, a FortiSwitch 3032D is configured with ports 10, 14, and 28 set to 4x10G:

config switch phy-mode

set port5-phy-mode 1x40G

set port6-phy-mode 1x40G

set port7-phy-mode 1x40G

set port8-phy-mode 1x40G

set port9-phy-mode 1x40G

set port10-phy-mode 4x10G

set port11-phy-mode 1x40G

set port12-phy-mode 1x40G

set port13-phy-mode 1x40G

set port14-phy-mode 4x10G

set port15-phy-mode 1x40G

set port16-phy-mode 1x40G

set port17-phy-mode 1x40G

set port18-phy-mode 1x40G

set port19-phy-mode 1x40G

set port20-phy-mode 1x40G

set port21-phy-mode 1x40G

set port22-phy-mode 1x40G

set port23-phy-mode 1x40G

set port24-phy-mode 1x40G

set port25-phy-mode 1x40G

set port26-phy-mode 1x40G

set port27-phy-mode 1x40G

set port28-phy-mode 4x10G

end

In the following example, a FortiSwitch 1048E model is configured so that each port is split into four subports of 25 Gbps each.

config switch phy-mode

set port-configuration 4x4x25G

set port49-phy-mode 4x25G

set port50-phy-mode 4x25G

set port51-phy-mode 4x25G

set port52-phy-mode 4x25G

end

config switch physical-port

Use this command to configure a physical port.

Syntax

config switch physical-port

edit <port_name>

set cdp-status {disable | rx-only | tx-only | tx-rx}

set description <description_str>

set dmi-status {disable | enable | global}

set egress-drop-mode {disabled | enabled}

set energy-efficient-ethernet {enable | disable}

set eee-tx-idle-time <integer>

set eee-tx-wake-time <integer>

set fec-state {cl74 | cl91 | detect-by-module | disabled}

set flapguard {enabled | disabled}

set flap-duration <5-300>

set flap-rate <1-30>

set flap-timeout <0-120>

set flow-control {tx | rx | both | disable}

set fortilink-p2p {enable | disable}

set pause-meter-rate <integer>

set pause-resume {25% | 50% | 75%}

set l2-learning {enable | disable}

set l2-sa-unknown {drop | forward}

set lldp-profile <profile name>

set lldp-status {tx-only | rx-only | tx-rx | disable}

set loopback {disable | local | remote}

set macsec-pae-mode {none | supp | auth}

set macsec-profile <string>

set max-frame-size <bytes_int>

set poe-disconnection-type {AC | DC | DC-delay}

set poe-port-mode {IEEE802_3AF | IEEE802_3AT}

set poe-port-power {normal | perpetual | perpetual-fast}

set poe-port-priority {critical-priority | high-priority | low-priority}

set poe-pre-standard-detect {disable | enable}

set poe-status {enable | disable}

set priority-based-flow-control {enable | disable}

set qsfp-low-power-mode {enabled | disabled}

set security-mode {none | macsec}

set speed <speed_str>

set status {down | up}

set storm-control-mode {disabled | global | override}

config storm-control

set broadcast {enable | disable}

set burst-size-level <0-4>

set rate [0 | 2-10000000]

set unknown-multicast {enable | disable}

set unknown-unicast {enable | disable}

end

Variable

Description

Default

<port_name>

Enter the port name.

No default

cdp-status {disable | rx-only | tx-only | tx-rx}

Set the CDP transmit and receive status (LLDP must be enabled in LLDP settings).
  • disable disables CDP transmit and receive.
  • rx-only enables CDP as receive only.
  • tx-only enables CDP as transmit only.
  • tx-rx enables CDP transmit and receive.

disable

description <description_str>

Optionally enter a description.

No default

dmi-status

Enable or disable DMI access. Set to global to use the global switch setting.

global

egress-drop-mode {disabled | enabled}

Enable or disable egress drop.

enabled

energy-efficient-ethernet {enable | disable}

Enable or disable energy-efficient Ethernet.

disable

eee-tx-idle-time <integer>

Enter the number of microseconds that circuits are turned off to save power. The range is 0-2560 microseconds. This option is available only if energy-efficient-ethernet is enabled.

60

eee-tx-wake-time <integer>

Enter the number of microseconds during which no data is transmitted while the circuits that were turned off are being restarted. The range is 0-2560 microseconds. This option is available only if energy-efficient-ethernet is enabled.

30

fec-state {cl74 | cl91 | detect-by-module | disabled}

Set the Forward Error Correction (FEC) state:

  • cl74—Enable Clause 74 RS-FEC, which only applies to 25 Gbps.
  • cl91—Enable Clause 91 RS-FEC, which only applies to 100 Gbps.
  • detect-by-module—Automatically detect whether FEC is supported by the module. This option applies to the 25G and 100G ports of the FS-1048E and FS-3032E models; this option also applies to the split ports of the FS-1048E and FS-3032E models.
  • disabled—Disable FEC.

detect-by-module

flapguard {enabled | disabled}

Enable or disable flap guard for this port.

disabled

flap-duration <5-300>

After enabling the port flap guard, set the number of seconds during which the flap rate is counted.

30

flap-rate <1-30>

After enabling the port flap guard, set how many times a port's status can change during the specified number of seconds (flap-duration) before the flap guard is triggered.

5

flap-timeout <0-120>

After enabling the port flap guard, set the number of minutes before flap guard resets. Setting this value to 0 means that there is no timeout.

0

flow-control {tx | rx | both | disable}

Set flow control:
  • tx—Enable transmit pause only.
  • rx—Enable receive pause only.
  • both—Enable both transmit and receive pause.
  • disable—Disable flow control.

disable

fortilink-p2p {enable | disable}

Enable or disable running FortiLink mode over a point-to-point layer-2 network.

disable

pause-meter-rate <integer>

Enter the number of kilobits for the ingress metering rate. The range is 64 to 2147483647. Set to 0 to disable. Available if flow-control is set to tx.

0

pause-resume {25% | 50% | 75%}

Enter the percentage of the threshold to resume traffic to the ingress port. Available if flow-control is set to tx and pause-meter-rate is set to a nonzero value.

75%

l2-learning

Enable or disable dynamic IP learning for this interface.

enabled

l2-sa-unknown {drop | forward}

Drop or forward unknown (SMAC) packets when dynamic MAC address learning is disabled.

drop

lldp-profile

Enter the LLDP profile name for this port.

default

lldp-status

Set LLDP status for this port:
  • tx-only—enable transmit only
  • rx-only—enable receive only
  • tx-rx—enable both transmit and receive
  • disable—disable LLDP

tx-rx

loopback {disable | local | remote}

Set whether the physical port loops back on itself, either locally or remotely:
  • Select local for a physical-layer loopback. If the hardware does not support a physical-layer loopback, a MAC-address loopback is used instead.
  • Select remote for a physical-layer lineside loopback.

disable

macsec-pae-mode {none | supp | auth}

Select the PAE mode for the MACSEC interface:

  • none—No PAE is configured, and PSK is applied.

  • supp—The interface acts as a PAE supplicant for MACsec CAK.

  • auth—The interface acts as a PAE authenticator for MACsec CAK.

none

macsec-profile <string>

Specify the MACsec profile to apply to the port.

No default

max-frame-size <bytes_int>

Set the maximum frame size. The range and default depend on the switch model. See the FortiSwitchOS feature matrix.

NOTE: For the FS-1xxE, FS-1xxF, and FS-110G-FPOE models, this command is under the config switch global command.

Varies

poe-disconnection-type {AC | DC | DC-delay}

Select how a FortiSwitch unit with Power over Ethernet (PoE) disconnects from a powered device:

  • AC—AC disconnect.

  • DC—DC disconnect.

  • DC-delay—DC disconnect with an extra 500-millisecond delay.

DC

poe-port-mode {IEEE802_3AF | IEEE802_3AT}

Set the PoE port mode to IEEE802.3AF or IEEE802.3AT.

IEEE802_3AT

poe-port-power {normal | perpetual | perpetual-fast}

Select whether the PoE power is delivered while a switch restarts:

  • normal—PoE power is not provided while a switch restarts.

  • perpetual—PoE power is provided during a soft reboot (switch is restarted while powered up).

  • perpetual-fast—PoE power is provided during a hard reboot (the switch's power is physically turned off and then on again).

normal

poe-port-priority {critical-priority | high-priority | low-priority}

Set the port priority. If there is not enough power, power is allotted first to critical-priority ports, then to high-priority ports, and then to low-priority ports.

low-priority

poe-pre-standard-detect {disable | enable}

Enable or disable PoE pre-standard detection.

NOTE: PoE pre-standard detection is a global setting for the following FortiSwitch models: FSR-112D-POE, FS-548D-FPOE, FS-524D-FPOE, FS-108D-POE, FS-224D-POE, FS-108E-POE, FS-108E-FPOE, FS-124E-POE, FS-124E-FPOE, 148F-POE, and 148F-FPOE. For the other FortiSwitch PoE models, PoE pre-standard detection is set on each port.

disable

poe-status {enable | disable}

Enable Power over Ethernet. This option is only available with the FortiSwitch-324B-POE.

enable

priority-based-flow-control {enable | disable}

Enable priority-based flow control to avoid frame loss by stopping incoming traffic when a queue is congested. When priority-based flow control is disabled, 802.3 flow control can be used.

disable

qsfp-low-power-mode {enabled | disabled}

Enable or disable the low-power mode on FortiSwitch models with QSFP (quad small form-factor pluggable) ports.

disabled

security-mode {none | macsec}

Select no security or MACsec-based port security authentication. You cannot mix MACsec with ISL authentication.

none

speed <speed_str>

Set the speed of this port. Values depend on the switch model and port. For example:

  • 1000auto—Autonegotiation (1 Gbps full-duplex only).
  • 100full—100 Mbps full-duplex.
  • 100half—100 Mbps half-duplex.
  • 10full—10 Mbps full-duplex.
  • 10half—10 Mbps half-duplex.
  • auto—Auto-negotiation.
  • 10000cr—10 Gbps copper interface.
  • 10000full—10 Gbps full-duplex.
  • 10000sr—10 Gbps SFI interface.
  • 1000full—1 Gbps full-duplex.
  • 25000cr—25 Gbps copper interface.

  • 25000full—25 Gbps full-duplex.

  • 25000sr—25 Gbps SFI interface.

  • 40000auto—Autonegotiation of the 40G-CR4 interface of FS-1048E.

  • auto-module—Maximum speed supported by module.

auto

status {down | up}

Set the administrative status of this interface: up or down.

up

storm-control-mode {disabled | global | override}

By default, you configure storm control on a system-wide level. Set this option to override if you want to configure storm control on a per-port level using the config storm-control command, which is only available when the storm-control-mode is set to override. Set this option to disabled to deactivate port-level storm-control configuration.

global

config storm-control

broadcast {enable | disable}

Enable or disable storm control for broadcast traffic.

disable

burst-size-level <0-4>

Set the burst-size level for storm control. Use a higher number to handle bursty traffic. The maximum number of packets or bytes allowed for each burst-size level depends on the switch model.

NOTE: This command is not available for the FS-108E, FS-108E-POE, FS-108-FPOE, FS-124E, FS-124E-POE, and FS-124E-FPOE models.

0

rate [0 | 2-10000000]

Specify the rate as packets-per-second. If you set the rate to zero, the system drops all packets (for the enabled traffic types).

500

unknown-multicast {enable | disable}

Enable or disable storm control for unknown multicast traffic.

disable

unknown-unicast {enable | disable}

Enable or disable storm control for unknown unicast traffic.

disable

Example

In the following example, port4 is configured:

config switch physical-port

edit "port4"

set lldp-profile "Forti670i"

set speed auto

next

end
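The flap guard settings in the table above (flapguard, flap-duration, flap-rate, and flap-timeout) are described only in words. The following Python model is an added example, not code from the FortiSwitch documentation or from FortiSwitchOS: the sliding-window counting of link transitions and the reset after flap-timeout minutes are this example's reading of the descriptions, the range checks mirror the ranges given in the syntax, and the event timestamps are constructed sample data rather than real switch logs.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class FlapGuard:
    """Model of the port flap guard from 'config switch physical-port'.

    flap_duration: window in seconds over which link status changes are counted (5-300)
    flap_rate:     number of status changes inside that window that triggers the guard (1-30)
    flap_timeout:  minutes after triggering before the guard resets; 0 means no timeout (0-120)
    """
    flap_duration: int = 30
    flap_rate: int = 5
    flap_timeout: int = 0
    triggered_at: Optional[float] = None
    _changes: List[float] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 5 <= self.flap_duration <= 300:
            raise ValueError("flap-duration must be 5-300 seconds")
        if not 1 <= self.flap_rate <= 30:
            raise ValueError("flap-rate must be 1-30")
        if not 0 <= self.flap_timeout <= 120:
            raise ValueError("flap-timeout must be 0-120 minutes")

    def _maybe_reset(self, now: float) -> None:
        # A triggered guard resets only after flap-timeout minutes; 0 keeps it triggered.
        if (self.triggered_at is not None and self.flap_timeout > 0
                and now - self.triggered_at >= self.flap_timeout * 60):
            self.triggered_at = None

    def is_triggered(self, now: float) -> bool:
        self._maybe_reset(now)
        return self.triggered_at is not None

    def on_status_change(self, now: float) -> bool:
        """Record one link up/down transition at time `now` (seconds).

        Returns True if the guard is triggered after this event.
        """
        if self.is_triggered(now):
            return True
        self._changes.append(now)
        # Sliding window: keep only the transitions that fall inside flap-duration.
        self._changes = [t for t in self._changes if now - t <= self.flap_duration]
        if len(self._changes) >= self.flap_rate:
            self.triggered_at = now
            self._changes.clear()
            return True
        return False


def replay(events: List[float], **settings) -> Tuple[Optional[float], List[bool]]:
    """Feed constructed link-transition timestamps through a fresh guard.

    Returns (time at which the guard triggered or None, per-event triggered flags).
    """
    guard = FlapGuard(**settings)
    flags = [guard.on_status_change(t) for t in events]
    return guard.triggered_at, flags


def valid_settings(flap_duration: int, flap_rate: int, flap_timeout: int) -> bool:
    """True when the three values are inside the ranges the CLI accepts."""
    try:
        FlapGuard(flap_duration, flap_rate, flap_timeout)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: a link that bounces every two seconds.
    print(replay([0, 2, 4, 6, 8, 10], flap_duration=30, flap_rate=5))
    # Constructed sample: five transitions spread over 40 seconds never fill the window.
    print(replay([0, 10, 20, 30, 40], flap_duration=30, flap_rate=5))
```

With the defaults (flap-rate 5 in flap-duration 30), a port that bounces every two seconds trips the guard at the fifth transition, while the same number of transitions spread over 40 seconds never does, because the oldest transition has already left the window. With flap-timeout 0 the guard stays triggered until it is cleared manually, which is the documented meaning of "no timeout".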

config switch prp channel

Use this command to configure a Parallel Redundancy Protocol (PRP) channel.

Syntax

config switch prp channel

edit {1 | 2}

set status {enable | disable}

set channel-port-pair <physical_port_pair>

set vlan-id <1-4094>

set vlan-id-cos <0-7>

set vlan-id-tagged {enable | disable}

set prp-internal-vlan <2-4094>

next

end

Variable

Description

Default

status {enable | disable}

Enable or disable this PRP channel.

disable

channel-port-pair <physical_port_pair>

Select which port A and port B pair to use for this PRP channel. Enter set channel-port-pair ? to see the available physical port pairs.

No default

vlan-id <1-4094>

Enter the VLAN identifier of the supervision frame.

This option is available only when vlan-id-tagged is set to enable.

1

vlan-id-cos <0-7>

Enter the class of service (CoS) value to be set in the VLAN tag of the supervision frame.

This option is available only when vlan-id-tagged is set to enable.

0

vlan-id-tagged {enable | disable}

Enable or disable supervision frame VLAN ID tagging.

disable

prp-internal-vlan <2-4094>

Assign all MAC addresses of this PRP channel to this internal VLAN ID.

NOTE: If you are using an HSR ring and a PRP channel in your network, you need to change the default value so that each HSR ring and PRP channel is in a different internal VLAN.

No default

Example

The following example configures a PRP channel using port5, port6, and VLAN 4092:

config switch prp channel

edit 1

set status enable

set channel-port-pair port5-port6

set prp-internal-vlan 4092

next

end

config switch prp settings

Use this command to configure PRP settings.

Syntax

config switch prp settings

set mac-da <0-255>

set life-check-interval <2-60 seconds>

end

Variable

Description

Default

mac-da <0-255>

Specify the last 8 bits of the PRP supervision frame MAC DA.

0

life-check-interval <2-60 seconds>

Specify how often (in seconds) the PRP supervision frame is generated for each MAC address in the VDAN table.

2

Example

The following example configures PRP settings:

config switch prp settings

set mac-da 100

set life-check-interval 30

end

config switch ptp settings

Use this command to configure the Precision Time Protocol (PTP) global settings.

Syntax

config switch ptp settings

set status {enable | disable}

set profile {default | name_of_PTP_profile}

end

Parameter

Description

Default value

status

Enable or disable PTP.

disable

profile

The default profile is automatically selected.

NOTE: On some legacy platforms, the default profile must be manually selected.

default

Example

The following example enables PTP and selects the newprofile PTP profile:

config switch ptp settings

set status enable

set profile newprofile

end

config switch qos dot1p-map

Use this command to configure a dot1p map. A dot1p map defines a mapping between IEEE 802.1p CoS values (from incoming packets on a trusted interface) and the egress queue values. For an example, see Appendix: FortiSwitch QoS template.

NOTE: You can configure only one dot1p map per switch on the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models.

Syntax

config switch qos dot1p-map

edit <dot1p map name>

set description <text>

set [priority-0|priority-1|priority-2|...priority-7] <queue number>

set egress-pri-tagging {disable | enable}

next

end

Variable

Description

Default

<dot1p map name>

Enter the name of a dot1p map.

No default

<text>

Enter a description of the dot1p map.

No default

[priority-0|priority-1|priority-2|...priority-7] <queue number>

Set the egress queue for each 802.1p priority value (0-7).

queue-0

egress-pri-tagging {disable | enable}

Enable or disable priority tagging on outgoing frames.

NOTE: This command is not available on the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models.

disable

Example

config switch qos dot1p-map

edit "test1"

set priority-0 queue-2

set priority-1 queue-0

set priority-2 queue-1

set priority-3 queue-3

set priority-4 queue-4

set priority-5 queue-5

set priority-6 queue-6

set priority-7 queue-7

set egress-pri-tagging enable

next

end

Values that are not explicitly included in the map will follow the default mapping, which maps each priority (0-7) to queue 0.

If an incoming packet contains no CoS value, the switch assigns a CoS value of zero. Use the set default-cos <interface> command to configure a different default CoS value. The valid range is from 0 to 7. The configured default CoS only applies if you also set trust-dot1p-map on the interface.

config switch qos ip-dscp-map

Use this command to configure a DSCP map. A DSCP map defines a mapping between IP Precedence or Differentiated Services Code Point (DSCP) values and the egress queue values. For an example, see Appendix: FortiSwitch QoS template.

NOTE: You can configure only one DSCP map per switch on the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models.

Syntax

config switch qos ip-dscp-map

edit <ip-dscp map name>

set description <text>

config map

edit <entry-name>

set diffserv [ AF11 | AF12 | AF13 | AF21 | AF22 | AF23 | AF31 | AF32 | AF33 | AF41 | AF42 | AF43 | CS0 | CS1 | CS2 | CS3 | CS4 | CS5 | CS6 | CS7 | EF ]

set ip-precedence [ Network Control | Internetwork Control | Critic/ECP | Flash Override | Flash | Immediate | Priority | Routine ]

set value <dscp raw value>

set cos-queue <queue number>

next

end

next

end

Variable

Description

Default

<ip-dscp map name>

Enter the name of a DSCP map.

No default

<text>

Enter a description of the DSCP map.

No default

<entry-name>

Enter a unique integer to create a new entry.

No default

diffserv [ AF11 | AF12 | AF13 | AF21 | AF22 | AF23 | AF31 | AF32 | AF33 | AF41 | AF42 | AF43 | CS0 | CS1 | CS2 | CS3 | CS4 | CS5 | CS6 | CS7 | EF ]

Set the differentiated service.

No default

ip-precedence [ Network Control | Internetwork Control | Critic/ECP | Flash Override | Flash | Immediate | Priority | Routine ]

Set the IP precedence.

No default

value <dscp raw value>

Enter the raw value of DSCP (0-63).

No default

cos-queue <queue number>

Enter the CoS queue number.

0

Example

The following example defines a mapping for two of the DSCP values:

config switch qos ip-dscp-map

edit "m1"

config map

edit "e1"

set cos-queue 0

set ip-precedence Immediate

next

edit "e2"

set cos-queue 3

set value 13

next

end

next

end

Values that are not explicitly included in the map will follow the default mapping, which assigns queue 0 for all DSCP values.
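Both the dot1p map (see the note after its example above) and the DSCP map fall back to queue 0 for every value the map does not name, and the dot1p default-cos applies only on an interface that trusts the map. The following Python block is an added example, not code from the FortiSwitch documentation or from FortiSwitchOS. It expands the page's own two example maps into the full lookup tables the switch would use; the diffserv and IP precedence numeric values are the standard code points (RFC 2474, RFC 2597, RFC 3246, RFC 791), and the treatment of an interface that does not trust the dot1p map (everything to queue 0) is an assumption not stated on the page.

```python
from typing import Dict, List, Optional, Sequence

# Standard code point values: class selectors (RFC 2474), AF classes (RFC 2597), EF (RFC 3246).
DIFFSERV_VALUES: Dict[str, int] = {
    "CS0": 0, "CS1": 8, "CS2": 16, "CS3": 24, "CS4": 32, "CS5": 40, "CS6": 48, "CS7": 56,
    "AF11": 10, "AF12": 12, "AF13": 14, "AF21": 18, "AF22": 20, "AF23": 22,
    "AF31": 26, "AF32": 28, "AF33": 30, "AF41": 34, "AF42": 36, "AF43": 38, "EF": 46,
}
# IP precedence names (RFC 791); precedence is the top three bits of the DSCP field.
IP_PRECEDENCE: Dict[str, int] = {
    "Routine": 0, "Priority": 1, "Immediate": 2, "Flash": 3, "Flash Override": 4,
    "Critic/ECP": 5, "Internetwork Control": 6, "Network Control": 7,
}

# The two example maps from this page, as data.
PAGE_DOT1P_EXAMPLE = {0: 2, 1: 0, 2: 1, 3: 3, 4: 4, 5: 5, 6: 6, 7: 7}
PAGE_DSCP_EXAMPLE = [
    {"cos-queue": 0, "ip-precedence": ["Immediate"]},   # entry e1
    {"cos-queue": 3, "value": [13]},                    # entry e2
]


def build_dscp_table(entries: Sequence[dict]) -> List[int]:
    """Expand ip-dscp-map entries into a 64-entry DSCP -> egress queue table.

    Each entry is {"cos-queue": int} plus any of "diffserv": [names],
    "ip-precedence": [names], "value": [raw 0-63]. Code points that no entry
    covers keep the documented default of queue 0; later entries override earlier ones.
    """
    table = [0] * 64
    for entry in entries:
        queue = entry["cos-queue"]
        if not 0 <= queue <= 7:
            raise ValueError("cos-queue must be 0-7")
        raw = set(entry.get("value", []))
        raw.update(DIFFSERV_VALUES[name] for name in entry.get("diffserv", []))
        for name in entry.get("ip-precedence", []):
            base = IP_PRECEDENCE[name] << 3   # all eight code points sharing this precedence
            raw.update(range(base, base + 8))
        for v in raw:
            if not 0 <= v <= 63:
                raise ValueError("DSCP raw value must be 0-63")
            table[v] = queue
    return table


def build_dot1p_table(priority_to_queue: Dict[int, int]) -> List[int]:
    """Expand a dot1p map ({priority: queue}) into an 8-entry table; unset priorities map to queue 0."""
    table = [0] * 8
    for prio, queue in priority_to_queue.items():
        if not (0 <= prio <= 7 and 0 <= queue <= 7):
            raise ValueError("priority and queue must be 0-7")
        table[prio] = queue
    return table


def dot1p_queue(pcp: Optional[int], table: List[int],
                trust_dot1p_map: bool, default_cos: int = 0) -> int:
    """Egress queue for a frame with 802.1p priority `pcp` (None = untagged, no CoS value).

    default-cos substitutes for a missing CoS only when the interface trusts the
    dot1p map. Assumption (not on the page): an interface that does not trust the
    map sends every frame to queue 0.
    """
    if not trust_dot1p_map:
        return 0
    if not 0 <= default_cos <= 7:
        raise ValueError("default-cos must be 0-7")
    cos = default_cos if pcp is None else pcp
    return table[cos]


if __name__ == "__main__":
    dscp = build_dscp_table(PAGE_DSCP_EXAMPLE)
    print({v: q for v, q in enumerate(dscp) if q})        # only DSCP 13 leaves queue 0
    print(dot1p_queue(None, build_dot1p_table(PAGE_DOT1P_EXAMPLE), True, default_cos=3))
```

Expanding the page's DSCP example shows why entry e1 is a no-op: it maps the Immediate precedence (DSCP 16-23) to queue 0, which is already the default, while e2 moves only DSCP 13 to queue 3.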

config switch qos qos-policy

Use this command to configure QoS policies. For an example, see Appendix: FortiSwitch QoS template.

In a QoS policy, you set the scheduling mode (Strict, Round Robin, Weighted Round Robin) for the policy, and configure one or more CoS queues.

Syntax

config switch qos qos-policy

edit <policy_name>

set rate-by {kbps | percent}

set schedule {strict | round-robin | weighted}

config cos-queue

edit [queue-0 ... queue-7]

set description <text>

set drop-policy {taildrop | weighted-random-early-detection}

set ecn {enable | disable}

set max-rate <rate kbps>

set min-rate <rate kbps>

set max-rate-percent <percentage>

set min-rate-percent <percentage>

set weight <value>

set wred-slope <value>

next

end

next

end

Variable

Description

Default

<policy_name>

Enter the name of the QoS policy.

No default

rate-by {kbps | percent}

Set whether the CoS queue rate is measured in kbps or by percentage.

kbps

schedule {strict | round-robin | weighted}

Set the CoS queue scheduling.
  • strict—The queues are served in descending order (of queue number), so higher number queues receive higher priority. The purpose of the strict scheduling mode is to provide lower latency service to higher classes of traffic. However, if the interface experiences congestion, the lower priority traffic could be starved.
  • round-robin—In round robin mode, the scheduler visits each backlogged queue, servicing a single packet from each queue before moving on to the next one. The purpose of round robin scheduling is to provide fair access to the egress port bandwidth.
  • weighted—Each of the eight egress queues is assigned a weight value ranging from 0 to 63. The purpose of weighted round robin scheduling is to provide prioritized access to the egress port bandwidth, such that queues with higher weight get more of the bandwidth, but lower priority traffic is not starved.

round-robin

[queue-0 ... queue-7]

Set the CoS queue to update.

No default

description <text>

Enter a description of the CoS queue.

No default

drop-policy {taildrop | weighted-random-early-detection}

Set the CoS queue drop policy.
  • taildrop—When the queue is full, new packets are dropped.
  • weighted-random-early-detection—When the queue reaches the packet-dropping threshold, packets start getting dropped randomly based on the probability defined in the wred-slope setting.
NOTE: For the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models, set the CoS queue drop policy under the config switch global command.

taildrop

ecn {enable | disable}

If you select weighted random early detection as the drop policy, you can enable explicit congestion notification (ECN) marking to indicate that congestion is occurring without just dropping packets. If you disable this option, the normal queue drop policy applies.

disable

max-rate <rate kbps>

If you set the rate-by to kbps, enter the maximum rate in kbps. Set the value to 0 to disable.

NOTE: For the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models, the switch rounds the max-rate value to the nearest multiple of 16 internally. If the rounding result is 0, max-rate is disabled internally.

0

min-rate <rate kbps>

If you set the rate-by to kbps, enter the minimum rate in kbps. Set the value to 0 to disable.

NOTE: This command is not available on the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models.

0

max-rate-percent <percentage>

If you set the rate-by to percent, enter the maximum rate as a percentage of the link speed.

0

min-rate-percent <percentage>

If you set the rate-by to percent, enter the minimum rate as a percentage of the link speed.

NOTE: This command is not available on the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models.

0

weight <value>

Enter the weight for weighted round robin scheduling (applicable only if the policy schedule is weighted).

1

wred-slope <value>

Enter the slope of WRED drop probability.

NOTE: For the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models, set the QoS RED/WRED drop probability under the config switch global command.

45

Example

The following example defines a QoS policy for queue 0:

config switch qos qos-policy

edit policy1

set rate-by kbps

set schedule weighted

config cos-queue

edit queue-0

set description "QoS policy for queue 0"

set drop-policy weighted-random-early-detection

set max-rate 20

set min-rate 10

set weight 5

set wred-slope 15

end

end
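The schedule descriptions in the table above (strict, round-robin, weighted) state the starvation property in words. The following Python simulation is an added example, not code from the FortiSwitch documentation or from FortiSwitchOS: it serves a constructed per-queue backlog under each mode and reports which queues got no service when the port can only send a limited number of packets. The weighted mode serves up to `weight` packets per pass from each queue and treats weight 0 as "never served"; both are this example's reading of the description, not documented switch behaviour.

```python
from typing import Dict, List, Optional, Set

# Constructed backlog: packets waiting in each CoS queue when the egress port
# becomes free (queue numbers as in the qos-policy cos-queue entries).
SAMPLE_BACKLOG = {0: 3, 1: 2, 7: 2}


def schedule(backlog: Dict[int, int], mode: str,
             weights: Optional[Dict[int, int]] = None,
             slots: Optional[int] = None) -> List[int]:
    """Return the order in which queues are served.

    backlog: {queue number: packets waiting}
    mode:    'strict' | 'round-robin' | 'weighted'
    weights: {queue number: weight 0-63}; used only in weighted mode, and a
             queue without an entry uses the documented default weight of 1
    slots:   packets the port can send before the picture changes (models a
             congested link); None drains the whole backlog
    """
    queues = {q: n for q, n in backlog.items() if n > 0}
    total = sum(queues.values())
    limit = total if slots is None else min(slots, total)
    order: List[int] = []

    def serve(q: int) -> None:
        queues[q] -= 1
        order.append(q)

    if mode == "strict":
        # The highest-numbered backlogged queue always wins, so low queues can starve.
        while len(order) < limit:
            serve(max(q for q, n in queues.items() if n > 0))
    elif mode == "round-robin":
        # One packet per backlogged queue per pass, in ascending queue number.
        while len(order) < limit:
            for q in sorted(queues):
                if queues[q] > 0 and len(order) < limit:
                    serve(q)
    elif mode == "weighted":
        weights = weights or {}
        if any(not 0 <= w <= 63 for w in weights.values()):
            raise ValueError("weights must be 0-63")
        while len(order) < limit:
            served_this_pass = False
            for q in sorted(queues):
                for _ in range(weights.get(q, 1)):   # up to `weight` packets per pass
                    if queues[q] > 0 and len(order) < limit:
                        serve(q)
                        served_this_pass = True
            if not served_this_pass:
                break   # only weight-0 queues remain backlogged (assumption: never served)
    else:
        raise ValueError(f"unknown schedule mode {mode!r}")
    return order


def starved_queues(backlog: Dict[int, int], mode: str, slots: int,
                   weights: Optional[Dict[int, int]] = None) -> Set[int]:
    """Backlogged queues that received no service within `slots` transmissions."""
    served = set(schedule(backlog, mode, weights, slots))
    return {q for q, n in backlog.items() if n > 0} - served


if __name__ == "__main__":
    for mode in ("strict", "round-robin", "weighted"):
        print(mode, schedule(SAMPLE_BACKLOG, mode, {0: 1, 1: 2, 7: 4}),
              "starved with 3 slots:", starved_queues(SAMPLE_BACKLOG, mode, 3, {0: 1, 1: 2, 7: 4}))
```

With three transmit slots, strict scheduling sends queue 7 twice and then queue 1, leaving queue 0 unserved; round robin reaches every backlogged queue in the first pass. A weighted policy whose high queue has a large weight behaves like strict scheduling until that queue empties, which is why the weight on the busiest queue decides how long the others wait.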

config switch quarantine

NOTE: This command is available only in FortiLink mode.

Use this command to specify which MAC addresses to quarantine on the FortiSwitch unit.

Syntax

config switch quarantine

edit <MAC_address_to_quarantine>

set cos-queue <0-7>

set description <string>

set drop {enable | disable}

set policer <integer>

end

Variable

Description

Default

<MAC_address_to_quarantine>

Enter the MAC address to quarantine.

No default

cos-queue <0-7>

Set the class-of-service queue for the quarantined device traffic. Use the unset cos-queue command to disable this setting.

No default

description <string>

Enter an optional description of the quarantined MAC address.

No default

drop {enable | disable}

Enable or disable whether quarantined device traffic is dropped.

disable

policer <integer>

Set the ACL policer for the quarantined device traffic.

0

config switch raguard-policy

Use this command to specify the criteria that router advertisement (RA) messages must match before the RA messages are forwarded. If the RA messages match the criteria in the RA-guard policy, they are forwarded. If the RA messages do not match the criteria in the RA-guard policy, they are dropped.

IPv6 RA guard is supported on 2xx models and higher.
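The matching rules in the variable table below (device-role, the M and O flags, the hop limits, and the default router preference) are what the RA-guard policy evaluates on each router advertisement. The following Python block is an added example, not FortiSwitchOS code: it decodes the fixed ICMPv6 RA header (RFC 4861, with the Prf bits from RFC 4191) from constructed bytes and applies a policy with the semantics documented on this page. It models an unset hop limit as None rather than the CLI default of 0, and it leaves out match-src-addr and match-prefix, which need access lists that are not shown here.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

ICMPV6_ROUTER_ADVERTISEMENT = 134
PREF_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class RouterAdvertisement:
    hop_limit: int
    managed: bool                      # M flag
    other: bool                        # O flag
    router_preference: Optional[str]   # "high" | "medium" | "low"; None for the reserved encoding


def parse_ra(icmpv6: bytes) -> RouterAdvertisement:
    """Decode the 16-byte fixed RA header: type, code, checksum, cur hop limit, flags,
    router lifetime, reachable time, retrans timer (RFC 4861 section 4.2)."""
    if len(icmpv6) < 16:
        raise ValueError("truncated ICMPv6 router advertisement")
    msg_type, code, _csum, hop_limit, flags, _life, _reach, _retrans = struct.unpack(
        "!BBHBBHII", icmpv6[:16])
    if msg_type != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a router advertisement")
    prf = (flags >> 3) & 0x3   # RFC 4191: 01 high, 00 medium, 11 low, 10 reserved
    pref = {0b01: "high", 0b00: "medium", 0b11: "low"}.get(prf)
    return RouterAdvertisement(hop_limit, bool(flags & 0x80), bool(flags & 0x40), pref)


@dataclass
class RaGuardPolicy:
    device_role: str = "host"               # "host" | "router"
    managed_flag: Optional[str] = None      # "On" | "Off" | None (check skipped)
    other_flag: Optional[str] = None
    max_hop_limit: Optional[int] = None     # None models "not set"
    min_hop_limit: Optional[int] = None
    max_router_preference: Optional[str] = None


def evaluate(policy: RaGuardPolicy, ra: RouterAdvertisement) -> Tuple[bool, str]:
    """Return (forwarded, reason) following the table's rules in order."""
    if policy.device_role == "host":
        return False, "device-role host: all RA messages dropped"
    if policy.managed_flag is not None and ra.managed != (policy.managed_flag == "On"):
        return False, "managed-flag mismatch"
    if policy.other_flag is not None and ra.other != (policy.other_flag == "On"):
        return False, "other-flag mismatch"
    if policy.max_hop_limit is not None and ra.hop_limit > policy.max_hop_limit:
        return False, "hop limit above max-hop-limit"
    if policy.min_hop_limit is not None and ra.hop_limit < policy.min_hop_limit:
        return False, "hop limit below min-hop-limit"
    if policy.max_router_preference is not None:
        # A reserved/unset preference is treated as medium, as the table states.
        pref = ra.router_preference or "medium"
        if PREF_RANK[pref] > PREF_RANK[policy.max_router_preference]:
            return False, "router preference above max-router-preference"
    return True, "forwarded"


# Constructed RA: hop limit 64, M flag set, Prf = high, lifetime 1800 s, checksum left 0.
SAMPLE_RA = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0x80 | 0x08, 1800, 0, 0)
# Constructed RA with the reserved Prf encoding (10) and no flags.
RESERVED_PREF_RA = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0x10, 1800, 0, 0)

if __name__ == "__main__":
    ra = parse_ra(SAMPLE_RA)
    print(evaluate(RaGuardPolicy(), ra))
    print(evaluate(RaGuardPolicy("router", managed_flag="On", max_hop_limit=64,
                                 max_router_preference="medium"), ra))
```

The checks run in the order the table lists them, and every drop names the criterion that failed, which is what you want in a log line when an unexpected advertisement shows up on an access port. Leaving device-role at its default of host drops every RA regardless of the other settings, so a policy intended for an uplink must set device-role to router before any of the flag or hop-limit criteria take effect.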

Syntax

config switch raguard-policy

edit <RA-guard policy name>

set device-role {host | router}

set managed-flag {Off | On}

set other-flag {Off | On}

set max-hop-limit <0-255>

set min-hop-limit <0-255>

set max-router-preference {high | medium | low}

set match-src-addr <name_of_IPv6_access_list>

set match-prefix <name_of_IPv6_prefix_list>

next

end

Variable

Description

Default

<RA-guard policy name>

Enter the name of the RA-guard policy.

No default

device-role {host | router}

Set whether this policy applies to hosts or routers. If this option is set to host, all RA messages are dropped. If this option is set to router, the policy checks the other specified criteria.

host

managed-flag {Off | On}

Set to On for the policy to accept RA messages that are flagged with the M (managed address configuration) flag; if the RA messages are not flagged, they are dropped.

Set to Off for the policy to accept RA messages that are not flagged with the M flag; if the RA messages are flagged, they are dropped.

If this option is not set, the policy skips this check.

No default

other-flag {Off | On}

Set to On for the policy to accept RA messages that are flagged with the O (other configuration) flag; if the RA messages are not flagged, they are dropped.

Set to Off for the policy to accept RA messages that are not flagged with the O flag; if the RA messages are flagged, they are dropped.

If this option is not set, the policy skips this check.

No default

max-hop-limit <0-255>

Enter the maximum hop number. The policy accepts RA messages with a hop number equal to or less than this value.

If this option is not set, the policy skips this check.

0

min-hop-limit <0-255>

Enter the minimum hop number. The policy accepts RA messages with a hop number equal to or greater than this value.

If this option is not set, the policy skips this check.

0

max-router-preference {high | medium | low}

Set the maximum default router preference. The policy accepts RA messages whose router preference is equal to or lower than this setting. When the router preference of an RA message is not high, medium, or low (the reserved value), RA guard treats it as medium.

If this option is not set, the policy skips this check.

No default

match-src-addr <name_of_IPv6_access_list>

Enter the name of the IPv6 access list for the policy to check if the source IPv6 address of the RA message matches an allowed address. The IPv6 access list must be created (with the config router access-list6 command) before it is used in a policy.

No default

match-prefix <name_of_IPv6_prefix_list>

Enter the name of the IPv6 prefix list for the policy to check if the IPv6 address prefix of the RA message matches an allowed prefix. The IPv6 prefix list must be created (with the config router prefix-list6 command) before it is used in a policy.

No default

Example

The following example creates an IPv6 RA-guard policy:

config switch raguard-policy

edit RApolicy1

set device-role router

set managed-flag On

set other-flag On

set max-hop-limit 100

set min-hop-limit 5

set max-router-preference medium

set match-src-addr accesslist1

set match-prefix prefixlist1

next

end

config switch security-feature

Use this command to configure security checks for incoming TCP/UDP packets. The packet is dropped if it matches one of the security rules that have been enabled.

Syntax (for models FS-108D-POE, FS-112D-POE, FS-224D-POE)

config switch security-feature

set tcp-syn-data {enable | disable}

set tcp-udp-port-zero {enable | disable}

set tcp_flag_zero {enable | disable}

set tcp_flag_FUP {enable | disable}

set tcp_flag_SF {enable | disable}

set tcp_flag_SR {enable | disable}

set tcp_frag_ipv4_icmp {enable | disable}

set tcp_arp_mac_mismatch {enable | disable}

set allow-mcast-sa {enable | disable}

end

Variable

Description

Default

tcp-syn-data

TCP SYN packet contains additional data (possible DoS attack).

disable

tcp-udp-port-zero

TCP or UDP packet has the source or destination port set to zero.

disable

tcp_flag_zero

TCP packet with all flags set to zero.

disable

tcp_flag_FUP

TCP packet with FIN, URG and PSH flags set.

disable

tcp_flag_SF

TCP packet with SYN and FIN flags set.

disable

tcp_flag_SR

TCP packet with SYN and RST flags set.

disable

tcp_frag_ipv4_icmp

Fragmented ICMPv4 packet.

disable

tcp_arp_mac_mismatch

ARP packet with MAC source address mismatch between the layer-2 header and the ARP packet payload.

disable

allow-mcast-sa

Ethernet packet whose source MAC address is multicast.

disable

Syntax (for FS-1xxE, FS-1xxF, and FS-110G-FPOE)

config switch security-feature

set tcp-flag-zero {enable | disable}

set tcp-flag-FUP {enable | disable}

set tcp-flag-SF {enable | disable}

set tcp-flag-SR {enable | disable}

set arp-mac-mismatch {enable | disable}

set macsa-eq-macda {enable | disable}

set sip-eq-dip {enable | disable}

set tcp-port-eq {enable | disable}

set udp-port-eq {enable | disable}

set ip-pod {enable | disable}

set icmp-frag {enable | disable}

set tcp-frag-off-min {enable | disable}

set tcp-syn-sp-less-1024 {enable | disable}

set invalid-ipv4-hdr-len {enable | disable}

set gratuitous-arp {enable | disable}

end

Variable

Description

Default

tcp-flag-zero

TCP packet with all flags set to zero.

disable

tcp-flag-FUP

TCP packet with FIN, URG, and PSH flags set.

disable

tcp-flag-SF

TCP packet with SYN and FIN flags set.

disable

tcp-flag-SR

TCP packet with SYN and RST flags set.

disable

arp-mac-mismatch

ARP packet with MAC source address mismatch between the MAC header and the ARP packet payload.

disable

macsa-eq-macda

Packet with source MAC address equal to the destination MAC address.

disable

sip-eq-dip

TCP packet with source IP address equal to the destination IP address.

disable

tcp-port-eq

TCP packet with the same source and destination TCP port.

disable

udp-port-eq

IP packet with the same source and destination UDP port.

disable

ip-pod

The IPv4/IPv6 packet length is larger than 64 kB.

disable

icmp-frag

Fragmented ICMP packet.

disable

tcp-frag-off-min

TCP non-initial fragments carry the TCP header.

disable

tcp-syn-sp-less-1024

TCP SYN packet with a source port less than 1024.

disable

invalid-ipv4-hdr-len

IPv4 packet with a header length greater than the total length.

NOTE: This command is available only on the FS-124F, FS-124F-FPOE, FS-124F-POE, FS-148F, FS-148F-FPOE, and FS-148F-POE models.

disable

gratuitous-arp

Gratuitous ARP packet.

NOTE: This command is available only on the FS-108E, FS-108E-FPOE, FS-108E-POE, FS-108F, FS-108F-FPOE, FS-108F-POE, FS-124E, FS-124E-FPOE, FS-124E-POE, FS-148E, and FS-148E-POE models.

disable

Syntax (for all other FortiSwitch models)

config switch security-feature

set sip-eq-dip {enable | disable}

set tcp-flag {enable | disable}

set tcp-port-eq {enable | disable}

set tcp-flag-FUP {enable | disable}

set tcp-flag-SF {enable | disable}

set v4-first-frag {enable | disable}

set udp-port-eq {enable | disable}

set tcp-hdr-partial {enable | disable}

set macsa-eq-macda {enable | disable}

set allow-mcast-sa {enable | disable}

set allow-sa-mac-all-zero {enable | disable}

end

Variable

Description

Default

sip-eq-dip

TCP packet with the same source IP address and destination IP address.

disable

tcp-flag

DoS attack checking for TCP flags.

disable

tcp-port-eq

TCP packet with the same source and destination TCP port.

disable

tcp-flag-FUP

TCP packet with FIN, URG, and PSH flags set and a sequence number of zero.

disable

tcp-flag-SF

TCP packet with SYN and FIN flags set.

disable

v4-first-frag

DoS attack checking for IPv4 first fragment.

disable

udp-port-eq

IP packet with the same source and destination UDP port.

disable

tcp-hdr-partial

TCP packet with partial header.

disable

macsa-eq-macda

Packet with the same source MAC address and destination MAC address.

disable

allow-mcast-sa

Ethernet packet whose source MAC address is multicast.

disable

allow-sa-mac-all-zero

Ethernet packet whose source MAC address is all zeros.

disable

Example

The following example configures various security checks for incoming TCP/UDP packets:

config switch security-feature

set sip-eq-dip enable

set tcp-flag enable

set tcp-port-eq enable

set tcp-flag-FUP enable

set tcp-flag-SF enable

set v4-first-frag enable

set udp-port-eq enable

set tcp-hdr-partial enable

set macsa-eq-macda enable

set allow-mcast-sa disable

set allow-sa-mac-all-zero disable

end
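The three syntax variants above describe the same family of header-sanity checks, so it helps to see exactly what each option matches. The following added example is my own Python model of those checks (not FortiSwitchOS code); it builds constructed Ethernet/IPv4 frames and reports which option names, if enabled, would cause the switch to drop each one. Option names follow the FS-1xxE/F and "all other models" tables; the frame builder, its zeroed checksums and the function names are my own.

```python
"""Added example (not FortiSwitchOS code): model of the packet conditions
behind `config switch security-feature`, run over constructed frames."""
import ipaddress
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20  # TCP flag bits


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags=SYN, proto=6, payload=b""):
    """Constructed Ethernet/IPv4 frame carrying TCP (proto 6) or UDP (proto 17); checksums 0."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00"
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + l4


def parse_frame(frame):
    """Pull out the L2/L3/L4 fields the checks inspect; None for non-IPv4 frames."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    f = {"src_mac": frame[6:12], "dst_mac": frame[0:6], "proto": ip[9],
         "src_ip": ip[12:16], "dst_ip": ip[16:20]}
    l4 = ip[ihl:]
    if f["proto"] == 6 and len(l4) >= 20:
        f["sport"], f["dport"] = struct.unpack("!HH", l4[:4])
        f["flags"] = l4[13] & 0x3F
        f["payload_len"] = len(l4) - (l4[12] >> 4) * 4
    elif f["proto"] == 17 and len(l4) >= 8:
        f["sport"], f["dport"] = struct.unpack("!HH", l4[:4])
    return f


def security_feature_hits(frame):
    """Sorted option names whose condition the frame meets (enabled => dropped)."""
    p = parse_frame(frame)
    if p is None:
        return []
    hits = []
    if p["src_mac"] == p["dst_mac"]:
        hits.append("macsa-eq-macda")
    if p["proto"] == 6 and p["src_ip"] == p["dst_ip"]:
        hits.append("sip-eq-dip")            # LAND-style packet; the tables scope this to TCP
    if "sport" in p:
        if 0 in (p["sport"], p["dport"]):
            hits.append("tcp-udp-port-zero")
        if p["sport"] == p["dport"]:
            hits.append("tcp-port-eq" if p["proto"] == 6 else "udp-port-eq")
    if "flags" in p:
        fl = p["flags"]
        if fl == 0:
            hits.append("tcp-flag-zero")     # null scan
        if (fl & (FIN | URG | PSH)) == (FIN | URG | PSH):
            hits.append("tcp-flag-FUP")      # Xmas-style scan
        if (fl & (SYN | FIN)) == (SYN | FIN):
            hits.append("tcp-flag-SF")
        if (fl & (SYN | RST)) == (SYN | RST):
            hits.append("tcp-flag-SR")
        if (fl & SYN) and not (fl & ACK):    # initial SYN only, not SYN/ACK
            if p["payload_len"] > 0:
                hits.append("tcp-syn-data")
            if p["sport"] < 1024:
                hits.append("tcp-syn-sp-less-1024")
    return sorted(hits)


if __name__ == "__main__":
    land = build_frame("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "10.0.0.5", "10.0.0.5", 80, 80)
    xmas = build_frame("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "10.0.0.9", "10.0.0.5",
                       40000, 22, flags=FIN | URG | PSH)
    for name, frame in (("land", land), ("xmas", xmas)):
        print(name, security_feature_hits(frame))
```

The LAND-style frame trips three checks at once (sip-eq-dip, tcp-port-eq and, because its source port is 80, tcp-syn-sp-less-1024), which is why enabling a single option is rarely enough on its own; the tables list them separately so each can be toggled for hosts that legitimately emit one of the patterns.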

config switch static-mac

Use this command to configure one or more static MAC addresses on an interface.

Syntax

config switch static-mac

edit <sequence number>

set action {allow | drop}

set description <optional_string>

set interface <interface_name>

set mac <static_MAC_address>

set type {sticky | static}

set vlan-id <1-4095>

end

Variable

Description

Default

<sequence number>

Enter a sequence number.

No default

action {allow | drop}

Select whether packets with the specified source static MAC address are allowed or dropped.

allow

description <optional_string>

Optional. Enter a description of the static MAC address.

No default

interface <interface_name>

Enter the interface name.

No default

mac <static_MAC_address>

Enter the static MAC address.

00:00:00:00:00:00

type {sticky | static}

Set the MAC address as a persistent (sticky) address or a static address.

static

vlan-id <1-4095>

Enter the VLAN identifier.

1

Example

config switch static-mac

edit 1

set action drop

set description "first static MAC address"

set interface port10

set mac d6:dd:25:be:2c:43

set type static

set vlan-id 10

end

config switch storm-control

Use this command to configure storm control.

Syntax

config switch storm-control

set broadcast {enable | disable}

set burst-size-level <0-4>

set rate [0 | 2-10000000]

set unknown-multicast {enable | disable}

set unknown-unicast {enable | disable}

end

Variable

Description

Default

broadcast {enable | disable}

Enable or disable storm control for broadcast traffic.

disable

burst-size-level <0-4>

Set the burst-size level for storm control. Use a higher number to handle bursty traffic. The maximum number of packets or bytes allowed for each burst-size level depends on the switch model.

0

rate [0 | 2-10000000]

Specify the rate as packets-per-second. If you set the rate to zero, the system drops all packets (for the enabled traffic types).

500

unknown-multicast {enable | disable}

Enable or disable storm control for unknown multicast traffic.

disable

unknown-unicast {enable | disable}

Enable or disable storm control for unknown unicast traffic.

disable

Example

config switch storm-control

set broadcast enable

set burst-size-level 2

set rate 1000

set unknown-multicast enable

set unknown-unicast enable

end

config switch stp instance

Use this command to configure an STP instance.

Syntax

config switch stp instance

edit <instance_id>

set priority <priority_int>

set vlan-range <vlan_map>

config stp-port

edit <port name>

set cost <cost_int>

set priority <priority_int>

end

end

Variable

Description

Default

<instance_id>

Enter an instance identifier. The range differs for the various FortiSwitch models.

No default

priority <priority_int>

Set the STP priority. The acceptable priority values are 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, and 61440.

32768

vlan-range <vlan_map>

Enter the VLANs to which STP applies. <vlan_map> is a comma-separated list of VLAN IDs or VLAN ID ranges, for example “1,3-4,6,7,9-100” .

No default

config stp-port

<port name>

Enter the name of the port.

No default

cost <cost_int>

Enter the cost of using this interface. Use set cost ? for suggested cost values based on link speed.

0

priority <priority_int>

Enter the priority of this interface. Use set priority ? to list the acceptable priority values.

128

Example

config switch stp instance

edit "1"

set priority 8192

config stp-port

edit "port18"

set cost 0

set priority 128

next

edit "port19"

set cost 0

set priority 128

next

end

set vlan-range 5 7 11-20

end

config switch stp settings

Use this command to configure STP settings.

Syntax

config switch stp settings

set flood {enable | disable}

set forward-time <fseconds_int>

set hello-time <hseconds_int>

set max-age <age>

set max-hops <hops_int>

set mclag-stp-bpdu {both | single}

set name <name_str>

set revision <rev_int>

set status {enable | disable}

end

Variable

Description

Default

flood {enable | disable}

Set to enable if you want the STP packets arriving at any port to pass through the switch without being processed. Set to disable if you want to block STP packets arriving at any port.

This command is available only when status is set to disable.

disable

forward-time <fseconds_int>

Enter the forwarding delay in seconds. Range 4 to 30.

15

hello-time <hseconds_int>

Enter the hello time in seconds. Range 1 to 10.

2

max-age <age>

Enter the maximum age. Range 6 to 40.

20

max-hops <hops_int>

Enter the maximum number of hops. Range 1 to 40.

20

mclag-stp-bpdu {both | single}

Set to both to allow both core switches of an MCLAG to transmit STP BPDUs. Set to single so that only one of the two core switches transmits STP BPDUs.

both

name <name_str>

Enter a string value for the name.

No default

revision <rev_int>

Range 0 to 65535.

0

status {enable | disable}

Enable or disable STP on the switch.

enable

Example

config switch stp settings

set forward-time 15

set hello-time 5

set max-age 20

set max-hops 20

set name "region1"

set revision 1

set status enable

end

config switch trunk

Use this command to configure link aggregation.

Syntax

config switch trunk

edit <trunk name>

set aggregator-mode {bandwidth | count}

set auto-isl <integer>

set bundle [enable|disable]

set min_bundle <integer>

set max_bundle <integer>

set description <description_str>

set fortilink <integer>

set isl-fortilink <integer>

set lacp-speed {slow | fast}

set mclag {disable | enable}

set mclag-icl {disable | enable}

set member-withdrawal-behavior {block | forward}

set members <intf1 ... intfn>

set mode {fortinet-trunk | lacp-active | lacp-passive | static}

set fallback-port <port_name>

set port-selection-criteria {src-ip | src-mac | dst-ip | dst-mac | src-dst-ip | src-dst-mac}

set static-isl {enable | disable}

set static-isl-auto-vlan {enable | disable}

end

Variable

Description

Default

<trunk name>

Enter a name for the trunk.

No default

aggregator-mode {bandwidth | count}

Select how an aggregator groups ports when the trunk is in LACP mode. Select bandwidth to group ports into the aggregator with the largest bandwidth. Select count to group ports into the aggregator with the most ports.

bandwidth

auto-isl <integer>

Automatically forms an ISL-encapsulated trunk, up to the specified maximum size.

0

bundle [enable|disable]

Enable or disable bundling.

disable

min_bundle

Set the minimum size of the bundle. This option is available only when bundle has been enabled.

1

max_bundle

Set the maximum size of the bundle. This option is available only when bundle has been enabled.

24

description <description_str>

Optionally, enter a description.

No default

fortilink <integer>

Set the FortiLink trunk.

0

isl-fortilink <integer>

Set the ISL FortiLink trunk.

0

lacp-speed {slow | fast}

Select fast to send an LACP message every second. Select slow to send an LACP message every 30 seconds.

slow

mclag {disable | enable}

Enable or disable multichassis LAG (MCLAG).

disable

mclag-icl {disable | enable}

Enable or disable the MCLAG inter-chassis link (ICL).

disable

member-withdrawal-behavior {block | forward}

Select how a member port behaves after it is withdrawn from the trunk because control packets (LACP PDUs or heartbeats) are no longer received: block traffic on the port or keep forwarding it.

block

members <intf1 ... intfn>

Enter the names of the interfaces that belong to this trunk. Separate the names with spaces.

No default

mode {fortinet-trunk | lacp-active | lacp-passive | static}

Select the link aggregation mode:
  • fortinet-trunk—use heartbeat packets to detect whether trunk members are available.
  • lacp-active—use active LACP 802.3ad aggregation
  • lacp-passive—use passive LACP 802.3ad aggregation
  • static—use static aggregation, ignoring and not sending control messages

static

fallback-port <port_name>

Select which port will stay up in LACP fallback mode so that a device not running LACP can still connect to the network.

No default

port-selection-criteria {src-ip | src-mac | dst-ip | dst-mac | src-dst-ip | src-dst-mac}

Select the port selection criteria:
  • src-ip—source IP address
  • src-mac—source MAC address
  • dst-ip—destination IP address
  • dst-mac—destination MAC address
  • src-dst-ip—both source and destination IP addresses
  • src-dst-mac—both source and destination MAC addresses

src-dst-ip

static-isl {enable | disable}

Available only in FortiLink mode. Enable to manually create an inter-switch link (ISL) trunk.

default

static-isl-auto-vlan {enable | disable}

Available only in FortiLink mode. Enable or disable automatic VLAN configuration on the ISL.

default

Heartbeat Trunk

When you set the trunk mode to fortinet-trunk, the following configuration fields are available:

config switch trunk

edit hb-trunk

set mode fortinet-trunk

set port-selection-criteria {src-ip | src-mac | dst-ip | dst-mac | src-dst-ip | src-dst-mac}

set description <description_str>

set members <port> [<port>] ... [<port>]

set member-withdrawal-behavior {block | forward}

set max-miss-heartbeats <3-32>

set hb-out-vlan <int>

set hb-in-vlan <int>

set hb-src-ip <x.x.x.x>

set hb-dst-ip <x.x.x.x>

set hb-src-udp-port <int>

set hb-dst-udp-port <int>

set hb-verify {enable | disable}

end

Variable

Description

Default

port-selection-criteria {src-ip | src-mac | dst-ip | dst-mac | src-dst-ip | src-dst-mac}

Select the port selection criteria:
  • src-ip — source IP address
  • src-mac — source MAC address
  • dst-ip — destination IP address
  • dst-mac — destination MAC address
  • src-dst-ip — both source and destination IP addresses
  • src-dst-mac — both source and destination MAC addresses

src-dst-ip

description <description_str>

Optionally, enter a description.

No default

members <port> [<port>] ... [<port>]

Enter the names of the ports that belong to this trunk. Separate the names with spaces.

No default

member-withdrawal-behavior {block | forward}

Set how a member port behaves after it is withdrawn from the trunk because heartbeat control packets are no longer received: block traffic on the port or keep forwarding it.

block

max-miss-heartbeats <3-32>

Enter the maximum number of heartbeat messages that can be lost before the FortiGate is deemed to be unavailable. Set a value between 3 and 32.

10

hb-out-vlan

Enter the outgoing VLAN value.

0

hb-in-vlan

Enter the incoming VLAN value.

0

hb-src-ip

Enter the source IP address for the heartbeat packet.

0.0.0.0

hb-dst-ip

Enter the destination IP address for the heartbeat packet.

0.0.0.0

hb-src-udp-port

Enter the source UDP port value for the heartbeat packet.

0

hb-dst-udp-port

Enter the destination UDP port value for the heartbeat packet.

0

hb-verify

Enable or disable heartbeat packet verification.

disable

Example

The following example creates trunk tr1 with heartbeat capability:

config switch trunk

edit "tr1"

set mode fortinet-trunk

set members "port1" "port2"

set hb-out-vlan 300

set hb-in-vlan 500

set hb-src-ip 10.105.7.200

set hb-dst-ip 10.105.7.199

set hb-src-udp-port 12345

set hb-dst-udp-port 54321

set hb-verify enable

next

end

config switch virtual-port

Use this command to configure DHCP snooping on VXLAN virtual ports. Virtual ports are configured automatically by the system; users cannot create them.

Syntax

config switch virtual-port

edit <virtual_port_name>

set description <string>

set dhcp-snooping {trusted | untrusted}

set dhcp-snoop-learning-limit-check {enable | disable}

set dhcp-snoop-learning-limit <1-16000>

next

end

Variable

Description

Default

<virtual_port_name>

Enter a name for the virtual port. The name must be in the following format:

vni.<VNI>.<remote_end_VTEP_IP_address>

For example, if the VXLAN network identifier (VNI) is 100 and the remote end of the VXLAN tunnel is at 1.1.1.1, the virtual port name is vni.100.1.1.1.1.

No default
description <string>

Enter a description for the virtual port.

No default

dhcp-snooping {trusted | untrusted}

Set the interface to trusted or untrusted.

trusted

dhcp-snoop-learning-limit-check {enable | disable}

Enable or disable whether there is a limit for how many IP addresses are in the DHCP-snooping binding database for this virtual port.

The set dhcp-snoop-learning-limit-check command is available only when dhcp-snooping has been set to untrusted.

disable

dhcp-snoop-learning-limit <1-16000>

Set the maximum number of IP addresses learned on this virtual port for the DHCP-snooping binding database.

The set dhcp-snoop-learning-limit command is available only when dhcp-snoop-learning-limit-check is enabled.

5

Example

The following example enables DHCP snooping on VNI 100 with the remote end of the VXLAN tunnel at 1.1.1.1. The number of IP addresses learned for the DHCP-snooping binding database has been limited to 100.

config switch virtual-port

edit vni.100.1.1.1.1

set description "virtual port for VNI 100"

set dhcp-snooping untrusted

set dhcp-snoop-learning-limit-check enable

set dhcp-snoop-learning-limit 100

next

end

config switch virtual-wire

Use this command to forward traffic between two ports with minimal filtering or packet modifications. The VLAN setting is optional.

NOTE: Virtual-wire ports will not be able to transmit or receive packets from other members of the VLAN or other virtual-wires that use the same VLAN. The VLAN should not have complex configurations such as private VLAN.

Syntax

config switch virtual-wire

edit <id>

set first-member <port>

set second-member <port>

set vlan <1-4095>

next

end

Variable

Description

Default

<id>

Enter a unique integer to create a new entry.

No default

first-member <port>

Enter the first member port of the virtual-wire pair.

No default

second-member <port>

Enter the second member port of the virtual-wire pair.

No default

vlan <1-4095>

Enter the VLAN to use. The VLAN can be shared between virtual wires and non-virtual-wire ports.

4011

Example

The following example creates a virtual wire between ports 7 and 8:

config switch virtual-wire

edit 1

set first-member "port7"

set second-member "port8"

set vlan 70

next

end

config switch vlan

Use this command to configure VLANs.

Syntax

config switch vlan

edit <VLAN_ID>

set access-vlan {enable | disable}

set assignment-priority <1-255>

set cos-queue <0-7>

set description <description_str>

set dhcp-snooping {enable | disable | monitor}

set dhcp-snooping-verify-mac {enable | disable}

set dhcp-snooping-option82 {enable | disable}

set arp-inspection {enable | disable | monitor}

set dhcp6-snooping {enable | disable}

set igmp-snooping {enable | disable}

set igmp-snooping-querier {enable | disable}

set igmp-snooping-querier-addr <IPv4_address>

set igmp-snooping-querier-version {2|3}

set igmp-snooping-fast-leave {enable | disable}

set igmp-snooping-proxy {enable | disable}

set lan-segment {enable | disable}

set lan-subvlans <VLAN_identifiers>

set lan-internal-vlan <VLAN_identifier>

set learning {enable | disable}

set learning-limit <integer>

set mld-snooping {enable | disable}

set mld-snooping-fast-leave {enable | disable}

set mld-snooping-querier {enable | disable}

set mld-snooping-querier-addr <IPv6_address>

set mld-snooping-proxy {enable | disable}

set policer <integer>

set private-vlan {enable | disable}

set isolated-vlan <integer>

set community-vlans <vlan_map>

set rspan-mode {enable | disable}

config dhcp-snooping-static-client

set mac-addr <MAC_address>

set switch-interface <interface_name>

set ip-addr <IPv4_address>

config igmp-snooping-static-group

edit <group_name>

set mcast-addr <IPv4_address>

set members <interface_name1> <interface_name2>...

set ignore-reports {enable | disable}

end

config mld-snooping-static-group

edit <group_name>

set mcast-addr <IPv6_address>

set members <interface_name1> <interface_name2>...

set ignore-reports {enable | disable}

end

config member-by-mac

config member-by-ipv4

config member-by-ipv6

config member-by-proto

config dhcp-server-access-list

end

Variable

Description

Default

<vlan id>

Enter a VLAN identifier.

No default

access-vlan {enable | disable}

Set to enable to block FortiSwitch port-to-port traffic on this VLAN while allowing traffic to and from the FortiGate unit. Set to disable to allow normal VLAN traffic.

disable

assignment-priority <1-255>

Assign a priority to the VLAN. When the RADIUS Egress-VLAN-Name attribute matches the name (set with the set description command) of more than one VLAN, FortiSwitchOS selects the VLAN with the lowest assignment-priority value, which is the highest priority.

128

cos-queue <0-7>

Specify which class of service (CoS) queue is used for traffic on this VLAN or use the unset cos-queue command to disable this setting.

This command is available only in FortiLink mode.

No default

description <description_str>

Optionally, enter a description.

If the Tunnel-Private-Group-Id attribute on the RADIUS server was set to the VLAN name, set the description to the same string. For example:

set description "newvlan"

No default

dhcp-snooping {enable | disable | monitor}

Select the setting for IPv4 DHCP snooping:

  • enable—Enable IPv4 DHCP snooping on this VLAN.

  • disable—Disable IPv4 DHCP snooping on this VLAN.

  • monitor—Monitor IPv4 DHCP snooping on this VLAN.

disable

dhcp-snooping-verify-mac {enable | disable}

Enable or disable whether to verify the source MAC address. This option is available only if dhcp-snooping is set to enable.

disable

dhcp-snooping-option82 {enable | disable}

Enable or disable whether to insert option-82 fields. This option is available only if dhcp-snooping is set to enable.

disable

arp-inspection {enable | disable | monitor}

Specify one of the following:

  • enable—Enable dynamic ARP inspection.

  • disable—Disable dynamic ARP inspection.

  • monitor—Monitor ARP packets.

NOTE: You must set dhcp-snooping to enable to be able to set arp-inspection to enable or monitor.

disable

dhcp6-snooping {enable | disable}

Enable or disable IPv6 DHCP snooping for this VLAN.

disable

igmp-snooping {enable | disable}

Enable or disable IGMP snooping on the VLAN.

disable

igmp-snooping-fast-leave {enable | disable}

Enable or disable IGMP-snooping fast leave on this VLAN. This field is only available if igmp-snooping is enabled.

enable

igmp-snooping-querier {enable | disable}

Enable or disable whether periodic IGMP-snooping queries are sent to get IGMP reports. This field is only available if igmp-snooping is enabled.

disable

igmp-snooping-querier-addr <IPv4_address>

Required. Enter the IPv4 address for the IGMP-snooping querier. This field is only available if igmp-snooping-querier is enabled.

0.0.0.0

igmp-snooping-querier-version {2|3}

Select whether to use the IGMP-snooping querier version 2 or version 3.

2

igmp-snooping-proxy {enable | disable}

Enable or disable the IGMP-snooping proxy on this VLAN. When the IGMP-snooping proxy is enabled, this VLAN sends IGMP reports. This field is only available if igmp-snooping is enabled.

disable

lan-segment {enable | disable}

Enable or disable the use of LAN segments.

disable

lan-subvlans <VLAN_identifiers>

Enter the VLAN identifiers to assign to the LAN segment. You can enter single VLANs or ranges of VLANs, separated by commas without white space. For example: “1,2-4,5,7,9-100”. The value must be less than 4,096 characters. This field is only available if lan-segment is enabled.

No default

lan-internal-vlan <VLAN_identifier>

For the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-108F, FS-108F-POE, FS-108F-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models only.

After you enable LAN segments, FortiSwitchOS automatically assigns a VLAN for internal use. This VLAN cannot be used for any other purpose. If you want to assign a different internal VLAN, type set lan-internal-vlan ? to see a range of VLANs; however, these VLANs might not be available. If no VLANs are available to be used as an internal VLAN, the LAN segment configuration returns an error message.

This field is only available if lan-segment is enabled.

0

learning {enable | disable}

Enable or disable layer-2 learning on this VLAN.

enable

learning-limit <integer>

Limit the number of dynamic MAC addresses on this VLAN. The per-VLAN MAC address learning limit is between 1 and 128. Set the value to 0 for no limit.

0

mld-snooping {enable | disable}

Enable or disable Multicast Listener Discovery (MLD) snooping for this VLAN.

disable

mld-snooping-fast-leave {enable | disable}

Enable or disable MLD-snooping fast leave on this VLAN. This field is only available if mld-snooping is enabled.

enable

mld-snooping-querier {enable | disable}

Enable or disable whether periodic MLD-snooping queries are sent to get MLD reports. This field is only available if mld-snooping is enabled.

disable

mld-snooping-querier-addr <IPv6_address>

Required. Enter the IPv6 address for the MLD-snooping querier. This field is only available if mld-snooping-querier is enabled.

::

mld-snooping-proxy {enable | disable}

Enable or disable the MLD-snooping proxy on this VLAN. When the MLD-snooping proxy is enabled, this VLAN sends MLD reports. This field is only available if mld-snooping is enabled.

disable

policer <integer>

Set the policer for the traffic on this VLAN.

This command is available only in FortiLink mode.

0

private-vlan {enable | disable}

Set to enable if this is a private VLAN.

disable

isolated-vlan <integer>

(Valid if private VLAN is enabled) Enter the isolated VLAN.

0

community-vlans <vlan_map>

(Valid if private VLAN is enabled) Enter the communities within this private VLAN. Enter single VLANs or ranges of VLANS separated by commas without white space. For example: 1,3-4,6,7,9-100

No default

rspan-mode {enable | disable}

Enable or disable port mirroring using the remote switch port analyzer (RSPAN) on this VLAN.

disable

config dhcp-snooping-static-client

mac-addr <MAC_address>

Specify a MAC address to bind to an IP address for this VLAN. Use the form of xx:xx:xx:xx:xx:xx.

00:00:00:00:00:00

switch-interface <interface_name>

Specify the switch interface to associate with this DHCP-snooping static entry.

To find out which switch interfaces are valid, type set switch-interface ?.

No default

ip-addr <IPv4_address>

Specify the IPv4 address to bind to a MAC address for this VLAN.

0.0.0.0

config igmp-snooping-static-group

<group_name>

Enter the IGMP static group name.

No default

mcast-addr <IPv4_address>

Enter the IPv4 multicast address for the IGMP static group.

0.0.0.0

members <interface_name1> <interface_name2>...

Enter the interfaces that belong to the IGMP static group.

No default

ignore-reports {enable | disable}

Enable or disable whether IGMP snooping ignores dynamic joins from other ports.

disable

config mld-snooping-static-group

<group_name>

Enter the MLD static group name.

No default

mcast-addr <IPv6_address>

Enter the IPv6 multicast address for the MLD static group.

No default

members <interface_name1> <interface_name2>...

Enter the interfaces that belong to the MLD static group.

No default

ignore-reports {enable | disable}

Enable or disable whether MLD snooping ignores dynamic joins from other ports.

disable

config member-by

Use this command to assign VLANs based on specific fields in the packet (source MAC address, source IP address, or layer-2 protocol).

config switch vlan

edit <vlan id>

config member-by-mac

edit <id>

set mac XX:XX:XX:XX:XX:XX

set description <128 byte string>

next

end

config member-by-ipv4

edit <id>

set address a.b.c.d/e

set description <128-byte string>

next

end

config member-by-ipv6

edit <id>

set prefix xx:xx:xx:xx::/prefix

set description <128-byte string>

next

end

config member-by-proto

edit <id>

set frametypes {ethernet2 | 802.3d | llc}

set protocol <6-digit hex value>

next

end

next

end

Variable

Description

Default

config member-by-mac

edit <id>

For a new entry, enter an unused ID.

No default

mac XX:XX:XX:XX:XX:XX

Enter a MAC address. If the source MAC address of an incoming packet matches this value, the associated VLAN will be assigned to the packet.

00:00:00:00:00:00

description

Enter up to 128 characters.

No default

config member-by-ipv4

edit <id>

For a new entry, enter an unused ID.

No default

address a.b.c.d/e

Enter an IPv4 address and prefix length. If the source IP address of an incoming packet matches this value, the associated VLAN will be assigned to the packet. The prefix length (/e) must be in the range 1-32.

0.0.0.0 0.0.0.0

description

Enter up to 128 characters.

No default

config member-by-ipv6

edit <id>

For a new entry, enter an unused ID.

No default

prefix xx:xx:xx:xx::/prefix

Enter an IPv6 prefix. If the source IP address of an incoming packet matches this value, the associated VLAN will be assigned to the packet. The prefix length must be in the range 1-64.

::/0

description

Enter up to 128 characters.

No default

config member-by-proto

edit <id>

For a new entry, enter an unused ID.

No default

frametypes {ethernet2 | 802.3d | llc}

Enter one or more Ethernet frame types. Set this value to llc for logical link control. Set this value to 802.3d for 802.3d and SNAP.

ethernet2 802.3d llc

protocol <6-digit hex value>

Enter an Ethernet protocol (EtherType) value in the form 0xHHHH. If the frame type and Ethernet protocol value of an incoming packet match these values, the associated VLAN will be assigned to the packet. The value range is 0x0000-0xffff (0-65535).

0x0000

Example

The following example assigns VLAN 100 to frames whose source MAC address is 00:21:cc:d2:76:72:

config switch vlan

edit 100

config member-by-mac

edit 1

set description "pc2"

set mac 00:21:cc:d2:76:72

next

end

end

end
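The page's own example above covers only member-by-mac. The following is an added example, not from the original page, showing the other two match types: VLAN 200 is assigned to frames from the 10.20.0.0/16 source subnet, and VLAN 300 to frames carrying EtherType 0x8892. The VLAN IDs, the subnet, and the description text are assumptions chosen for illustration; 0x8892 is the EtherType registered for PROFINET.

```text
config switch vlan
    edit 200
        config member-by-ipv4
            edit 1
                set address 10.20.0.0/16
                set description "lab subnet, assigned by source IPv4 address"
            next
        end
    next
    edit 300
        config member-by-proto
            edit 1
                set frametypes ethernet2
                set protocol 0x8892
            next
        end
    next
end
```

The member-by-proto entry steers PROFINET frames onto VLAN 300 whatever port they arrive on, which keeps an industrial protocol off the general-purpose VLANs. As with the MAC match, both rules key on fields the sender controls, so they segment traffic without verifying who sent it.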

The following example configures the IGMP-snooping querier:

config switch vlan

edit 100

set igmp-snooping enable

set igmp-snooping-querier enable

set igmp-snooping-querier-addr 1.2.3.4

set igmp-snooping-querier-version 3

next

end

config dhcp-server-access-list

Use this command to create a list of DHCP servers that DHCP snooping will include in the allowed server list. This list is used only if the set dhcp-server-access-list command has been enabled; see config system global.

config switch vlan

edit <vlan id>

set dhcp-snooping enable

set dhcp6-snooping enable

config dhcp-server-access-list

edit <string>

set server-ip <xxx.xxx.xxx.xxx>

set server-ip6 <xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx>

next

end

next

end

Variable

Description

Default

edit <vlan id>

Enter a VLAN identifier.

No default

dhcp-snooping enable

Enable for IPv4 DHCP snooping.

The config dhcp-server-access-list command is available only after DHCP snooping (IPv4 or IPv6) has been enabled for that VLAN.

disable

dhcp6-snooping enable

Enable for IPv6 DHCP snooping.

The config dhcp-server-access-list command is available only after DHCP snooping (IPv4 or IPv6) has been enabled for that VLAN.

disable

config dhcp-server-access-list

edit <string>

Enter a name for the DHCP server access list entry.

No default

server-ip <xxx.xxx.xxx.xxx>

If you enabled IPv4 DHCP snooping, enter the class A, B, or C IPv4 address of the DHCP server.

0.0.0.0

server-ip6 <xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx>

If you enabled IPv6 DHCP snooping, enter the IPv6 address for the DHCP server.

No default

Example

The following example configures IPv4 DHCP snooping to include the specified DHCP server in the allowed server list:

config switch vlan

edit 100

set dhcp-snooping enable

config dhcp-server-access-list

edit "DHCPserver1"

set server-ip 128.8.0.0

next

end

next

end

The following example configures IPv6 DHCP snooping to include the specified DHCP server in the allowed server list:

config switch vlan

edit 100

set dhcp6-snooping enable

config dhcp-server-access-list

edit "DHCPserver1"

set server-ip6 3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234

next

end

next

end

config switch vlan-tpid

Use this command to configure the VLAN TPID profile for VLAN stacking (QnQ). Each VLAN TPID profile contains one value for the EtherType field.

The FortiSwitch unit supports a maximum of four VLAN TPID profiles, including the default (0x8100). The default VLAN TPID profile (0x8100) cannot be deleted or changed.

To configure VLAN stacking and to select which VLAN TPID profile to use, see config switch interface.

Syntax

config switch vlan-tpid

edit <VLAN_TPID_profile_name>

set ether-type <0x0001-0xfffe>

next

end

Variable

Description

Default

<VLAN_TPID_profile_name>

Enter a name for the VLAN TPID profile.

No default

ether-type <0x0001-0xfffe>

Enter a hexadecimal value for the EtherType field.

0x8100
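Example

An added example, not from the original page, that creates a second TPID profile for use as the outer tag in VLAN stacking. The profile name sp-stag is an assumption; the value 0x88a8 is the TPID that IEEE 802.1ad defines for the service tag (S-TAG), which provider networks expect on the outer tag in place of the default 0x8100.

```text
config switch vlan-tpid
    edit "sp-stag"
        set ether-type 0x88a8
    next
end
```

The profile only defines the EtherType value; which interfaces use it for their outer tag is selected under config switch interface, as noted above.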