<policy-id>

Enter the unique ID number of this policy.

description <string>

Enter a description or other information about the policy. The description is limited to 63 characters. Enclose the string in single quotes to enter special characters or spaces.

filter-id <string>

Enter the filter-id of the policy. NOTE:Changing the name of filter-id after authentication causes errors in the output of the diagnose switch 802-1x status-dacl command when the session is using filter-id.

<ingress_policy_ID>

Enter the ingress policy identifier.

description <string>

Enter a description of the policy.

group <integer>

Enter the group ID of the policy. You can only enter 1.

count {enable | disable}

Enable or disable the count action.

drop {enable | disable}

Enable or disable the drop action.

dst-ip-prefix <IP_address_and_netmask>

Enter the destination IP address and subnet mask to be matched.

dst-mac <MAC_address>

Enter the destination MAC address to be matched.

ether-type <integer>

Enter the Ethernet type to be matched.

service <service_name>

Enter the service name to be matched.

src-ip-prefix <IP_address_and netmask>

Enter the source IP address and subnet mask to be matched.

<policy-id>

Enter the unique ID number of this policy.

description <string>

Enter a description or other information about the policy. The description is limited to 63 characters. Enclose the string in single quotes to enter special characters or spaces.

interface <port_name>

Interface that the policy applies to.

schedule <schedule_name>

Select a schedule for when the ACL policy will be enforced.

The schedule must have been defined already with the config system schedule command.

status {active | inactive}

Make the egress ACL policy active or inactive.

cos <802.1Q CoS value to match>

Enter the 802.1Q CoS value to match.

dscp <DSCP value to match>

Enter the DSCP value to match.

dst-ip-prefix <IP_address> <mask>

Destination IP address and subnet mask to be matched.

dst-mac <MAC_address>

Destination MAC address to be matched.

ether-type <integer>

Ethernet type to be matched.

service <service_ID>

Service type to be matched.

src-ip-prefix <IP_address> <mask>

Source IP address and subnet mask to be matched.

src-mac <MAC_address>

Source MAC address to be matched.

vlan-id <VLAN_ID>

VLAN identifier to be matched.

count {enable | disable}

Enable or disable the count action.

count-type {all | green | yellow}

You can select all to count all egress packets, green to count egress packets if the traffic rate is within the guaranteed information rate, and yellow to count all other egress packets.

drop {enable | disable}

Enable or disable the drop action.

mirror <mirror_session>

Mirror session name.

outer-vlan-tag <integer>

Outer VLAN tag.

policer <policer>

Identifier of the policer to associate with this policy. To create a policer, see config switch acl policer.

redirect <interface_name>

Redirect interface name.

<policy-id>

Enter the unique ID number of this policy.

description <string>

Enter a description or other information about the policy. The description is limited to 63 characters. Enclose the string in single quotes to enter special characters or spaces.

group <group_ID>

Enter the group identifier of the policy. The range of group identifiers varies among the different platforms.

Starting in FortiSwitchOS 6.2.0, you can create groups for multiple ingress ACLs.

NOTE: The group identifier must be 3 or higher to be able to use IPv6 addresses.

ingress-interface <port > [<port > ... <port >]

If ingress-interface-all is disabled, enter the interface list to which the policy is bound on the ingress.

ingress-interface-all {enable | disable}

If enabled, policy is bound to all interfaces.

schedule <schedule_name>

Select a schedule for when the ACL policy will be enforced.

The schedule must have been defined already with the config system schedule command.

status {active | inactive}

Make the ingress ACL policy active or inactive.

cos <802.1Q CoS value to match>

Enter the 802.1Q CoS value to match. The range of values is 0-7.

dscp <DSCP value to match>

Enter the DSCP value to match. The range of values is 0-63.

dst-ip-prefix <IPv4_address> <mask>

Enter the destination IPv4 address and subnet mask to be matched.

dst-ip6-prefix <IPv6_address> <prefix>

Enter the destination IPv6 address and prefix to be matched.

NOTE: You must set group to 3 or higher for this option to be available. If you are going to use a dynamic ACL, set group to 4 or higher.

dst-mac <MAC_address>

Enter the destination MAC address to be matched.

ether-type <integer>

Enter the Ethernet type to be matched. The range of values is 0-65535.

service <service-id>

Enter the service type to be matched.

src-ip-prefix <IPv4_address> <mask>

Enter the source IPv4 address and subnet mask to be matched.

src-ip6-prefix <IPv6_address> <prefix>

Enter the source IPv6 address and prefix to be matched.

NOTE: You must set group to 3 or higher for this option to be available. If you are going to use a dynamic ACL, set group to 4 or higher.

src-mac <MAC_address>

Enter the source MAC address to be matched.

vlan-id <vlan-id>

Enter the VLAN identifier to be matched. The range of values is 1-4094.

cos-queue <0-7>

CoS queue number (0-7).

count

Enable or disable the count action.

count-type {all | green | yellow | red}

You can select all to count all ingress packets, green to count ingress packets if the traffic rate is within the guaranteed information rate, yellow to count ingress packets if they exceed the committed burst size but do not exceed the excess burst size, and red to count all other ingress packets.

cpu-cos-queue <integer>

CPU CoS queue number. This CoS queue is only used if the packets reach the CPU. Enter set cpu-cos-queue ? to see the value range.

drop

Enable or disable the drop action.

egress-mask {<physical_port_name> | internal}

List of physical ports to be configured in egress mask.

mirror <mirror_session>

Mirror session name.

outer-vlan-tag

Outer VLAN tag. The range of values is 1-4094.

policer

Identifier of the policer to associate with this policy. To create a policer, see config switch acl policer.

redirect <interface_name>

Redirect interface name.

redirect-bcast-cpu

Redirect broadcast to all ports including the CPU.

redirect-bcast-no-cpu

Redirect broadcast to all ports excluding the CPU.

redirect-physical-port

List of ports to redirect the packet.

remark-cos <0-7>

Set the CoS marking value. The range is 0-7.

<policer index>

Enter the index for this ACL policer

description <string>

Enter a text description for the policer.

guaranteed-bandwidth <bandwidth_value>

Enter the amount of bandwidth guaranteed to be available for traffic controlled by the policy. The value range is 0 to 16 776 000 Kbits/second.

guaranteed-burst <in_bytes>

Guaranteed burst size in bytes (max value = 4294967295)

maximum-burst <in_bytes>

Maximum burst size in bytes (max value = 4294967295)

<policy-id>

Enter the unique ID number of this policy.

description <string>

Enter a description or other information about the policy. The description is limited to 63 characters. Enclose the string in single quotes to enter special characters or spaces.

interface <port_name>

Select which ingress interface that the policy applies to.

interface-all {enable | disable}

Enable or disable whether the policy applies to all ingress interfaces.

schedule <schedule_name>

Select a schedule for when the ACL policy will be enforced.

The schedule must have been defined already with the config system schedule command.

status {active | inactive}

Make the prelookup ACL policy active or inactive.

cos <802.1Q CoS value to match>

Enter the 802.1Q CoS value to match.

dscp <DSCP value to match>

Enter the DSCP value to match.

dst-ip-prefix <IP_address> <mask>

Destination IP address and subnet mask to be matched.

dst-mac <MAC_address>

Destination MAC address to be matched.

ether-type <integer>

Ethernet type to be matched.

service <service_ID>

Service type to be matched.

src-ip-prefix <IP_address> <mask>

Source IP address and subnet mask to be matched.

src-mac <MAC_address>

Source MAC address to be matched.

vlan-id <VLAN_ID>

VLAN identifier to be matched.

count {enable | disable}

Enable or disable the count action.

cos-queue <0-7>

CPU CoS queue number (20-29). Only if packets reach to CPU. The value range is 20-29.

drop {enable | disable}

Enable or disable the drop action.

outer-vlan-tag <integer>

Outer VLAN tag.

<service name>

Enter the name of this custom service.

comment <string>

Add comments for the custom service.

color <0-32>

Set the icon color to use in the Web-based manager. A value of zero sets the default color (1).

protocol {ICMP | IP | TCP/UDP/SCTP}

Select the protocol used by the service.

These protocols are available when explicit-proxy is enabled.

icmptype <0-255>

If you set the protocol to ICMP, set the ICMP type.

icmpcode <0-255>

If you set the protocol to ICMP, set the ICMP code.

protocol-number

For an IP service, enter the IP protocol number.

sctp-portrange

For SCTP services, enter the destination and source port ranges.

tcp-portrange

For TCP services, enter the destination and source port ranges.

density-mode

Enable or disable density mode.

mgmt-vlan <1-4094>

Set the VLAN to use for the native VLAN on ISL ports and the native VLAN on the internal switch interface.

access-vlan-mode {fail-close | fail-open | legacy}

Select the intra-VLAN traffic behavior with loss of connection to the FortiGate device:

• fail-close—When the connection to the FortiGate device is lost, traffic between end points on the VLAN is blocked.

• fail-open—When the connection to the FortiGate device is lost, traffic on the VLAN can continue directly between end points.

• legacy—Backward-compatible behavior.

allow-mac-move {enable | disable}

Enable or disable the capability for the 802.1X client to move between ports that are not directly connected to the FortiSwitch unit without having to delete the 802.1X session.

This command is available only for the FS-124F, FS-124F-POE, FS-124F-FPOE, FS-148F, FS-148F-POE, and FS-148F-FPOE models.

auto-fortilink-discovery {enable | disable}

Enable or disable the capability for the FortiGate device to automatically discover the FortiLink interface on the FortiSwitch unit.

auto-isl {enable | disable}

Enable or disable the capability to automatically form an inter-switch LAG.

auto-isl-port-group <0-9>

Set the ISL port group. The range is 0-9.

auto-stp-priority {enable | disable}

Enable or disable the automatic assigned STP switch priortiy.

bpdu-learn {enable | disable}

Enable or disable bridge protocol data unit (BPDU) learning.

NOTE: This command is available on the following FortiSwitch models: FS-224D-FPOE, FS-224E, FS-224E-POE, FS-248D, FS-248E-POE, FS-248E-FPOE, FS-424E, FS-424E-POE, FS-424E-FPOE, FS-424E-Fiber, FS-M426E-FPOE, FS-448E, FS-448E-POE, FS-448E-FPOE, FS-524D, FS-524D-FPOE, FS-548D, FS-548D-FPOE, FS-1048E, and FS-3032E.

dhcp-snooping-database-export {disable | enable}

Enable or disable whether the DHCP snooping database is exported to file.

dmi-global-all {enable | disable}

Enable or disable DMI globally.

flapguard-retain-trigger {enable | disable}

Enable this setting to keep the “triggered” status in the output of the diagnose flapguard status command after a switch has been rebooted until the port has been reset with the execute flapguard reset <port_name> command.

Disable this setting to reset the “triggered” status when the switch is rebooted.

flood-unknown-multicast {enable | disable}

Enable or disable whether to flood the VLAN with unknown multicast messages.

flood-vtp {enable | disable}

Enable or disable the Cisco VTP flood in the VLAN.

fortilink-heartbeat-timeout <0-300>

Set how long before the FortiLink heartbeat times out. Set the value to 0 to disable the FortiLink heartbeat.

fortilink-p2p-native-vlan <integer>

Specify the native VLAN on the inter-switch link (ISL) when fortilink-p2p is enabled under the config switch physical port command.

fortilink-p2p-tpid <interger>

Set the FortiLink point-to-point TPID value. The range of values is 0x0001 to 0xfffe.

This command is only available in FortiLink mode.

fortilink-vlan-optimization {enable | disable}

Enable or disable FortiLink VLAN optimization.

forti-trunk-dmac <xx:xx:xx:xx:xx:xx>

Enter the destination MAC address to be used for FortiTrunk heartbeat packets.

ip-mac-binding {enable | disable}

Enable or disable IP-MAC binding for the switch

l2-memory-check {enable | disable}

Enable or disable whether FortiSwitchOS checks the size of the layer-2 table. When this feature is enabled, the set l2-memory-check interval command controls the frequency that the table is checked. When the table size is more than 75-percent full or less than 70-percent full, FortiSwitchOS adds a warning to the system log.

l2-memory-check-interval <number_of_seconds>

When l2-memory-check is enabled, FortiSwitchOS checks the size of the layer-2 table at the specified interval. The range of values is 5-86400 seconds.

log-mac-limit-violations {enable | disable}

Enable or disable the logging of layer-2 learning limit violations for an interface or VLAN. The most recent violation that occurred on each interface or VLAN is logged. After that, no more violations are logged until the log is reset for the triggered interface or VLAN. Only the most recent 128 violations are displayed in the console.

NOTE: This command is only displayed if your FortiSwitch model supports it.

log-source-guard-violations {enable | disable}

Enable or disable logs for source guard violations on a system-wide level.

loop-guard-tx-interval <0-30>

Enter the loop guard transmit interval. Value range is 1-30. The units is seconds.

mac-aging-interval <seconds>

Specify how often the learning-limit violation log is reset. The range is 10 to 1,000,000 seconds. Set to 0 to disable.

mac-violation-timer <integer>

How long (in minutes) violations of the layer-2 learning limit are kept in the log. The value range is 0-1500. Set to 0 to disable the timer.

max-frame-size <bytes_int>

Set the maximum frame size. The range and default depend on the switch model. See the FortiSwitchOS feature matrix.

NOTE: If you are not using the FS-1xxE, FS-1xxF, or FS-110G-FPOE models, this command is under config switch physical-port.

max-path-in-ecmp-group <integer>

Set the maximum path in one ECMP group.

mclag-igmpsnooping-aware {enable | disable}

Enable this option to synchronize both query ports and group entries across peer MCLAG trunks. This option can be used in standalone mode and in FortiLink mode.

NOTE: For IGMP snooping to work correctly in an MCLAG, you need to use the set mclag-igmpsnooping-aware enable command on all FortiSwitch units in the network topology and use the set igmps-flood-reports enable command on each MCLAG core FortiSwitch unit.

mclag-peer-info-timeout <integer>

Enter the MCLAG peer info timeout. The value range is 30 to 600 seconds.

mclag-port-base <integer>

Set the MCLAG port base.

mclag-split-brain-all-ports-down {enable | disable}

When this option is enabled and a split-brain state occurs, the switch that goes dormant shuts down all ports before going dormant; the state of the ICL trunk ports is not changed.

When this option is disabled and a split-brain state occurs,

the switch that goes dormant does not shut down any ports before going dormant.

This command is only available when mclag-split-brain-detect is enabled.

mclag-split-brain-detect {enable | disable}

Enable or disable the detection of the MCLAG split-brain state.

mclag-split-brain-priority <0-100>

When the split-brain state occurs, the switch with the lowest priority goes dormant. If both switches have the same priority, the switch with the lowest MAC address goes dormant when the split-brain state occurs.

This command is only available when mclag-split-brain-detect is enabled.

mclag-stp-aware {enable | disable}

Enable or disable whether the STP can be used within the MCLAG.

mirror-qos <0-7>

Enter the quality of service (QoS) priority for packets mirrored by this FortiSwitch unit. Applies only to the FS-524D, FS-524D-FPOE, FS-548D, FS-548D-FPOE, FS-1048E, and FS-3032D models.

name <string>

Enter a name for the switch.

neighbor-discovery-to-cpu {enable | disable}

Enable or disable the forwarding of reserved multicast packets to the CPU. Applies only to the 200 Series and 400 Series.

packet-buffer-mode {store-forward | cut-through}

Set the switching mode to store-and-forward or cut-through for the main buffer.

poe-alarm-threshold <threshold (percent of total power budget) above which an alarm event is generated>

Enter the threshold (a specified percentage of the total power budget) above which an alarm event is generated.

poe-guard-band <integer>

Enter the power (W) to reserve in case of a spike in PoE consumption.

poe-power-budget <integer>

Set or override the maximum power budget.

poe-power-mode {first-come-first-served | priority}

Set the PoE power mode to priority based or first-come, first-served.

poe-pre-standard-detect {disable | enable}

Enable or disable PoE pre-standard detection.

NOTE: PoE pre-standard detection is a global setting for the following FortiSwitch models: FS-548D-FPOE, FS-524D-FPOE, FS-224D-POE, FS-124E-POE, FS-124E-FPOE, 148F-POE, and 148F-FPOE. For the other FortiSwitch PoE models, PoE pre-standard detection is set on each port.

qos-drop-policy {random-early-detection | taildrop}

• taildrop—When the queue is full, new packets are dropped.
• random-early-detection—As the queue fills, the probability increases that packets will be dropped.

qos-red-probability <integer>

Set the QoS RED/WRED drop probability. The FS-124E, FS-124E-POE, and FS-124E-FPOE models support 0-100 percent. The FS-148E, FS-148E-POE, and FS-148E-FPOE models support 0-25 percent.

NOTE: This command is available only for the FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models.

reserved-mcast-to-cpu {enable | disable}

Enable or disable the forwarding of IPv6 neighbor-discovery packets to the CPU. Applies only to the 200 Series and 400 Series.

source-guard-violation-timer <intebger>

Enter the number of minutes for a global timeout for source guard violations. The range of values is 0-1500. Set this option to 0 to disable it.

This command is only available when log-source-guard-violations is enabled.

storm-control-monitor {enable | disable}

Enable or disable storm-control monitoring.

storm-control-high-rate <0-65536>

When this rate (in dropped packets per second) is exceeded, a log message is generated.

This command is only available when storm-control-monitor is enabled.

storm-control-rate-filter <0-100>

Set the percentage for how sensitive storm-control monitoring is to changes in the storm-control-high-rate. Higher percentages mean that the storm-control monitoring is more sensitive to changes in the storm-control-high-rate.

This command is only available when storm-control-monitor is enabled.

trunk-hash-mode {default| enhanced}

Set the trunk hash mode to default or enhanced

trunk-hash-unicast-src-port {enable | disable}

Enable or disable whether the trunk hashing algorithm for unicast packets uses the source port.

trunk-hash-unkunicast-src-dst {enable | disable}

Enable or disable trunk hash for unknown unicast src-dst.

virtual-wire-tpid <0x0001-0xfffe>

TPID value used by virtual-wires. The value range is from 0x0001 to 0xfffe.

Choose a value unlikely to be seen as a TPID or ethertype in your network.

vxlan-dport <integer >

Set the VXLAN destination UDP port. The range of values is 1-65535.

vxlan-sport <integer>

Set the VXLAN source UDP port. The range of values is 1-65535.

vxlan-stp-virtual-mac <MAC_address>

Set the MAC address for the virtual STP root.

This option is available only when vxlan-stp-virtual-root is enabled.

vxlan-stp-virtual-root {enable | disable}

When this option is enabled, the local switch automatically becomes the STP root for STP instances that contain the configured VXLANʼs access VLAN. When this option is disabled, the local switch does not automatically become the STP root for STP instances that contain the configured VXLANʼs access VLAN.

vxlan-qos-inner-to-outer {copy-to-outer | fixed}

Select how the differential service code point (DSCP) is determined:

• copy-to-outer—Copy the DSCP value from the inner header to the outer header.

• fixed—Use a fixed DSCP value in the IP header of the outer encapsulation. Specify the fixed value with the set vxlan-qos-dscp command.

vxlan-qos-dscp <0-63>

Specify the fixed DSCP value in the IP header of the outer encapsulation.

This command is available only when vxlan-qos-inner-to-outer is set to fixed.

link-down-auth

• set-unauth—revert all devices to the un-authenticated state. Each device will need to reauthenticate.
• no-action— if reauthenication is not required.

mab-entry-as {dynamic | static}

Configure the MAC authentication bypass (MAB) MAC entries as static or dynamic:

• In static mode, MAB sessions are kept until the link goes down or the MAB sessions are manually deleted with the CLI.

• In dynamic mode, MAB sessions are treated the same way as dynamically learned MAC addresses.

mab-reauth {enable | disable}

Enable or disable whether MAB retries authentication before assigning a device to a guest VLAN for unauthorized users.

mac-called-station-delimiter {colon | hyphen | none | single-hyphen}

Select which delimiter is used for the Called-Station-Id attribute or select none for no delimiter:

• colon

• hyphen

• single-hyphen

mac-calling-station-delimiter {colon | hyphen | none | single-hyphen}

Select which delimiter is used for the Calling-Station-Id attribute or select none for no delimiter:

• colon

• hyphen

• single-hyphen

mac-case {lowercase | uppercase}

Select whether MAC addresses use lowercase or uppercase letters.

mac-password-delimiter {colon | hyphen | none | single-hyphen}

Select which delimiter is used for the User-Password attribute or select none for no delimiter:

• colon

• hyphen

• single-hyphen

mac-username-delimiter {colon | hyphen | none | single-hyphen}

Select which delimiter is used for the User-Name attribute or select none for no delimiter:

• colon

• hyphen

• single-hyphen

max-reauth-attempt

If 802.1x authentication fails, this setting caps the number of attempts that the system will initiate. The range is from 0 to 15 where "0" disables the reauthentication attempts.

quarantine-vlan {enable | disable}

Enable or disable quarantine VLAN detection. Enable this setting to use quarantines with 802.1x MAC-based authentication in FortiLink mode.

reauth-period

Defines how often the device needs to reauthenticate. If a session remains active beyond this number of minutes, the system requires the device to reauthenticate.

redbox-mode hsr-san

HSR-SAN is currenly the only RedBox operation mode supported.

vlan-id <1-4094>

Enter the VLAN identifier of the supervision frame.

This option is available only when vlan-id-tagged is set to enable.

vlan-id-cos <0-7>

Enter the class of service (CoS) value to be set in the VLAN tag of the supervision frame.

This option is available only when vlan-id-tagged is set to enable.

vlan-id-tagged {enable | disable}

Enable or disable supervision frame VLAN ID tagging.

mac-da <0-255>

Specify the last 8 bits of the HSR supervision frame MAC destination address (DA).

aging-time <integer>

The maximum number of seconds to retain a multicast snooping entry for which no packets have been seen (15-3600).

leave-response-timeout <integer>

Enter the maximum number of seconds that the switch waits after sending a group-specific query in response to the leave message. The range of values is 1-20.

<interface_name>

Enter the name of the interface.

allowed-vlans

{vlan1 vlan2 ...}

Enter the names of the VLANs permitted on this interface.

arp-inspection-trust {trusted | untrusted}

Set the interface to trusted or untrusted.

auto-discovery-fortilink-packet-interval <3-300>

Enter the FortiLink packet interval for automatic discovery. The value range is 3 to 300 seconds.

default-cos <0-7>

Set the default CoS value for untagged packets. Integer in the range of 0 to 7.

The configured default CoS only applies if you also set trust-dot1p-map on the interface.

NOTE: The set default-cos command is not available on the following FortiSwitch models: 224D-FPOE, 248D, 224E, 224E-POE, 248E-POE, and 248E-FPOE.

description <string>

Enter a description of the interface.

discard-mode {all-tagged | all-untagged | none}

Set the discard mode for this interface.

dhcp-snooping {trusted | untrusted}

Set the interface to trusted or untrusted.

dhcp-snoop-learning-limit <1-16000>

Set the maximum number of IP addresses learned on this interface for the DHCP-snooping binding database.

The set dhcp-snoop-learning-limit command is available only when dhcp-snoop-learning-limit-check is enabled.

dhcp-snoop-learning-limit-check {disable | enable}

Enable or disable whether there is a limit for how many IP addresses are in the DHCP-snooping binding database for this interface.

dhcp-snooping-option82-trust {enable | disable}

Enable or disable (allow/disallow) DHCP packets with option-82 on an untrusted interface.

edge-port {enabled | disabled}

Enable if the port does not have another switch connected to it.

force-egr-prio-tag {enable | disable}

NOTE: This command is only for the FS-1xxE, FS-1xxF, and FS-110G-FPOE models.

Enable or disable the forced priority tagging on egress ports.

• enable—When the allowed-vlans command is set on a port, all egress traffic will have the priority tag of vlan=0.

  This command is most useful when the port is acting as an access port for native traffic only.

• disable—Priority tagging is not forced on egress ports.

igmp-snooping-flood-reports {enable | disable}

Enable or disable whether to flood IGMP-snooping reports to this interface.

NOTE: For IGMP snooping to work correctly in an MCLAG, you need to use the set mclag-igmpsnooping-aware enable command on all FortiSwitch units in the network topology and use the set igmp-snooping-flood-reports enable command on each MCLAG core FortiSwitch unit.

mcast-snooping-flood-traffic {enable | disable}

Enable or disable whether to flood multicast traffic to this interface.

mld-snooping-flood-reports {enable | disable}

Enable or disable whether to flood MLD-snooping reports to this interface.

ip-mac-binding {enable | disable | global}

Enable or disable IP-MAC binding for this interface. Set the value to 'global', the interface inherits the global ip-mac-binding configuration value.

ip-source-guard {enable | disable}

Enable or disable IP source guard for this interface. After you enable this feature, use the config switch ip-source-guard command to configure it.

learning-limit <0 - 128>

Limit the number of dynamic MAC addresses on this port.

The value range is 0 and 128. Setting the learning-limit to 0 means that there is no limit to the number of MAC addresses learned.

NOTE: You cannot set the learning-limit on the internal interface.

learning-limit-action {none | shutdown}

When the leaning-limit is exceeded, select none to take no action or select shutdown to disable this interface. The learning-limit-action applies only to physical switch port interfaces, not to trunks or VLANs.

The learning-limit-action is available only when learning-limit has been set to 1-128.

log-mac-event {enable | disable}

Enable or disable the logging of dynamic MAC address events.

loop-guard {enabled | disabled}

Enable or disable loop guard for this interface.

loop-guard-timeout <0-120>

After enabling loop guard, set the number of minutes before loop guard resets. Setting this value to 0 means that there is no timeout.

loop-guard-mac-move-threshold <0-100>

After enabling loop guard, set the number of MAC address moves per second for this interface. The threshold must be exceeded for 6 consecutive seconds to trigger loop guard.

nac {enable | disable}

This command is available only in FortiLink mode. Enable to allow the switch to transmit MAC events to the FortiGate device to imporve network access control (NAC) performance.

native-vlan <vlan_int>

Enter the native (untagged) VLAN for this interface.

packet-sampler {enabled | disabled}

Enable or disable packet sampling for flow export.

sample-direction {both | rx |tx}

Set the sFlow sample direction to monitor received traffic (rx), monitor transmitted traffic (tx), or monitor both.

This option is only available when the packet-sampler is enabled.

packet-sample-rate <0-99999>

If packet-sampler is set to enabled, you can change the packet sample rate.

private-vlan {disabled | promiscuous | sub-vlan}

Enable private VLAN functionality.

NOTE: Private VLANs are not supported on the FortiSwitch-28C.

ptp-policy {<string> | default}

Enter the name of the Precision Time Protocol (PTP) policy to appy to this port.

ptp-status {enable | disable}

Enable or disable PTP on this port.

qos-policy {<string> | default}

Enter the name of the QoS egress CoS queue policy.

rpvst-port {enabled | disabled}

Enable or disable whether this interface interoperates with per-VLAN spanning tree (PVST).

security-groups <security-group-name>

Enter the security group name if you are using port-based authentication or MAC-based authentication.

sflow-counter-interval <0-255>

Set the polling interval for the sFlow sampler counter. Set to 0 to disable polling.

snmp-index <integer>

Enter the SNMP index for this interface.

sticky-mac {disable | enable}

Enable or disable whether dynamically learned MAC addresses are persistent when the status of a FortiSwitch port changes (goes down or up).

stp-bpdu-guard {disabled | enabled}

Enable or disable STP BPDU guard protection. To use STP BPDU guard on this interface, you must enable stp-state and edge-port.

stp-loop-protection {enabled | disabled}

Enable or disable STP loop protection on this interface.

stp-root-guard {disabled | enabled}

Enable or disable STP root guard protection. To use STP root guard, you must enable stp-state.

stp-state {enabled | disabled}

Enable or disable Spanning Tree Protocol (STP) on this interface.

trust-dot1p-map

Whether to trust the dot1p CoS value in the incoming packets. Specify a map to map the CoS value to an egress queue value.

trust-ip-dscp-map

Whether to trust the DSCP QoS value in the incoming packets. Specify a map to map the DSCP value to an egress queue value.

untagged-vlans

Select the allowed-vlans to be transmitted without VLAN tags

vlan-mapping-miss-drop {enable | disable}

Enable or disable whether a packet is dropped if the VLAN ID in the packetʼs tag is not defined in the vlan-mapping configuration.

vlan-tpid <default | string>

Select which VLAN TPID profile to use. The default VLAN TPID profile has a value of 0x8100 and cannot be deleted or changed.

NOTE: If you are not using the default VLAN TPID profile, you must have already defined the VLAN TPID profile with the config switch vlan-tpid command.

<VLAN_ID>

Select the VLAN identifier.

remote-id <string>

Enter the plain text string to use in the Remote ID field instead of the global value.

The plain text string can be a maximum of 256 characters long. The combined length of the remote-id and circuit-id text strings can be a maximum of 256 characters long.

circuit-id <string>

Enter the plain text string to use in the Circuit ID field instead of the global value.

The plain text string can be a maximum of 256 characters long. The combined length of the remote-id and circuit-id text strings can be a maximum of 256 characters long.

{allow-mac-move-from | allow-mac-move-to} {enable | disable}

Depending on the FortiSwitch model, you will see one of these commands:

• allow-mac-move-from—Enable on the source port when an 802.1x client is being moved between ports that are not directly connected to the FortiSwitch unit. This command is available only for the FS-108F, FS-108F-POE, FS-108F-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models.

• allow-mac-move-to—Enable on the destination port when an 802.1x client is being moved between ports that are not directly connected to the FortiSwitch unit. This command is available only for 200 Series, FS-4xxE, 500 Series, FS-1024E, FS-T1024E, FS-T1024F-FPOE, FS-1048E, and FS-3032E.

eap-egress-tagged {enable | disable}

When allow-mac-move is enabled, you can enable this option to ensure that egress EAPOL packets are tagged without needing additional checking.

port-security-mode {none | 802.1X | 802.1X-mac-based}

Set the security mode for the port.

• 802.1X—Use this setting for port-based authentication.
• 802.1X-mac-based—Use this setting for MAC-based authentication.

If you change the security mode to 802.1X or 802.1X-mac-based, you must set the security group with the set security-groups command.

auth-fail-vlan {enable | disable}

When enabled, the system assigns the auth-fail-vlanid to users who attempted to authenticate but failed to provide valid credentials.

auth-fail-vlanid <VLAN_id>

Enter the VLAN identifier that the system assigns to users who attempted to authenticate but failed to provide valid credentials. This field is mandatory when auth-fail-vlan is enabled.

auth-order {MAB | MAB-dot1x | dot1x-MAB}

This command is available only when the set mac-auth-bypass command is enabled.

Select one of the authentication order modes:

• MAB—In the MAB-only authentication mode, the FortiSwitch unit performs MAB authentication without performing EAP authentication. EAP packets are not sent.

• MAB-dot1x—This command has been added for future use. It currently has no effect on authentication.

• dot1x-MAB—This command has been added for future use. It currently has no effect on authentication.

auth-priority {MAB-dot1x | dot1x-MAB | legacy}

Select the priority of MAC authentication bypass (MAB) authentication and EAP 802.1X authentication.

• MAB-dot1x—The switch tries MAB authentication first and then EAP 802.1X authentication if MAB authentication fails. If EAP 802.1X authentication also fails, users are assigned to the auth-fail-vlanid VLAN if it is configured.

• dot1x-MAB—The switch tries EAP 802.1X authentication first and then MAB authentication if EAP 802.1X fails. If MAB authentication also fails, users are assigned to the auth-fail-vlanid VLAN if it is configured.

• legacy—The switch tries EAP 802.1X authentication and MAB authentication in the order that they are received with EAP 802.1X authentication having absolute priority. If authentication fails, users are assigned to a guest VLAN if it has been configured. There is no time delay involved.

This commands is available only when the set mac-auth-bypass command is enabled.

authserver-timeout-period <3-15>

Enter the number of seconds before the authentication server stops trying to authenticate users.

authserver-timeout-tagged {disable | lldp-voice | static}

Select whether users are assigned to the specified VLAN when the authentication server times out:

• disable—Users are not assigned to a specified VLAN when the authentication server times out.

• lldp-voice—Users are assigned to the VLAN specified in the set lldp-profile command (under config switch physical-port).

• static—Users are assigned to the tagged VLAN specified in the set authserver-timeout-tagged-vlanid command.

authserver-timeout-tagged-vlanid <1-4094>

Enter the identifier for the tagged VLAN that the system assigns to users when the authentication server times out.

authserver-timeout-vlan {enable | disable}

Enable or disable whether users are assigned to the specified VLAN when the authentication server times out.

authserver-timeout-vlanid <1-4094>

Enter the identifier for the untagged VLAN that the system assigns to users when the authentication server times out. This field is mandatory when authserver-timeout-vlan is enabled.

dacl {enable | disable}

Enable or disable the dynamic access control list (DACL) on this interface.

eap-auto-untagged-vlans {enable | disable}

Enable to allow voice traffic with voice VLAN tag at egress.

eap-passthru {disable | enable}

Enable or disable the EAP pass-through mode.

framevid-apply {disable | enable}

Enable or disable the capability to apply the EAP/MAB frame VLAN to the port native VLAN.

NOTE: For phone and PC configuration only, disable framevid-apply to preserve the native VLAN when the data traffic is expected to be untagged.

guest-auth-delay <integer>

If a device does not attempt to authenticate within this timeframe (in seconds), the guest VLAN is assigned.

guest-vlan {enable | disable}

When enabled, the system assigns the guest-vlanid to unauthorized users.

guest-vlanid <VLAN_id>

VLAN identifier. Mandatory field when guest VLAN is enabled.

mab-eapol-request <0-10>

Set how many EAP packets are sent to trigger EAP authentication for “silent supplicants” (such as end devices running Windows 7) that send non-EAP packets when they wake up from sleep mode.

To disable this feature, set mab-eapol-request to 0 or disable mac-auth-bypass.

mac-auth-bypass {enable | disable}

Enable or disable MAC authentication bypass (MAB). If you enable MAB on the port, the system will use the device MAC address as the user name and password for authentication.

open-auth {enable | disable}

Enable or disable open authentication (monitor mode) on this interface.

quarantine-vlan {enable | disable}

Enable or disable quarantine VLAN detection. Enable this setting to use quarantines with 802.1x MAC-based authentication in FortiLink mode.

radius-timeout-overwrite {enable | disable}

Enable this option to use the value of the session-timeout attribute. The session-timeout attribute specifies how many seconds of idleness are allowed before the FortiSwitch unit disconnects a session. The value must be more than 60 seconds.

<ID>

Enter an identifier for the IPv6 RA-guard configuration.

raguard-policy <name_of_RA_guard_policy>

Enter the name of the RA-guard policy to use for this interface.

The RA-guard policy must be created (with the config switch raguard-policy command) before it is applied to an interface.

vlan-list <list_of_VLANs>

Enter a VLAN or a range of VLANs to apply this policy to. Use less than 4,096 characters for the vlan-list value. Separate the VLANs and VLAN ranges with commans, for example:

1,3-4,6,7,9-100

status {enable | disable}

Enable this setting to use the VLAN stacking (QinQ) mode.

edge-type customer

If the QinQ mode is enabled, the edge type is set to customer.

vlan-mapping-miss-drop {enable | disable}

If the QinQ mode is enabled, enable or disable whether a frame is dropped if the VLAN ID in the frameʼs tag is not defined in the vlan-mapping configuration. This option is available only when allowed-c-vlan has not been set.

add-inner <1-4095>

If the QinQ mode is enabled, add the inner tag for untagged frames upon ingress.

remove-inner {enable | disable}

If the QinQ mode is enabled, enable or disable whether the inner tag is removed upon egress.

native-c-vlan <1-4094>

Specify the native C VLAN (1-4094) for untagged packets. When you specify a value for native-c-vlan, FortiSwitchOS adds the native inner tag to untagged frames upon ingress and removes the native inner tag at egress.

allowed-c-vlan <list_of_VLANs>

Specify single VLANs or ranges of VLANs. Use a comma to separate values without any spaces. The allowed-c-vlan applies to both ingress and egress. You must use less than 4,096 characters to list the VLANs. This option is available only when vlan-mapping-miss-drop is disabled.

priority {follow-c-tag | follow-s-tag}

If the QinQ mode is enabled, select whether to follow the priority of the S-tag (service tag) or C-tag (customer tag).

NOTE: This command is not available on the 224D-FPOE, 248D, 224E, 224E-POE, 248E-POE and 248E-FPOE models.

s-tag-priority <0-7>

If frames follow the priority of the S-tag (service tag), enter the priority value. This option is available only when the priority is set to follow-s-tag.

NOTE: This command is not available on the 224D-FPOE, 248D, 224E, 224E-POE, 248E-POE and 248E-FPOE models.

<id>

Enter a mapping entry identifier.

description <string>

Enter a description of the mapping entry.

match-c-vlan <1-4094>

Enter a matching customer (inner) VLAN.

new-s-vlan <1-4094>

Enter a new service (outer) VLAN.

NOTE: The VLAN must be in the portʼs allowed VLAN list.

This option is only available after you set the value for match-c-vlan.

<id>

Enter an identifier for the VLAN mapping entry.

description <string>

Enter a description of the VLAN mapping entry.

direction {egress | ingress}

Select the ingress or egress direction.

match-s-vlan <1-4094>

If the direction is set to egress, enter the service (outer) VLAN to match.

match-c-vlan <1-4094>

If the direction is set to ingress, enter the customer (inner) VLAN to match.

action {add | delete | replace}

Select what happens when the packet is matched:

• add—When the packet is matched, add the service VLAN. You cannot set the action to add for the egress direction.
• delete—When the packet is matched, delete the service VLAN. You cannot set the action to delete for the ingress direction.
• replace—When the packet is matched, replace the customer VLAN or service VLAN.

This option is only available after you set a value for match-c-vlan or match-s-vlan.

<sequence_int>

Enter a sequence number for the IP-MAC binding entry.

ip <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>

Enter the source IP address and network mask for this rule.

mac <xx:xx:xx:xx:xx:xx>

Enter the MAC address for this rule.

<port_name>

Enter the name of the port.

<id>

Enter a unique integer to create a new entry.

ip <xxx.xxx.xxx.xxx>

Required. Enter the IPv4 address to bind to the MAC address. Masks are not supported.

profile

Enter a name for the LLDP profile.

802.1-tlvs {port-vlan-id | vlan-name}

The port-vlan-id TLV will send the native VLAN of the port. If the value is changed, the sent value will reflect the updated value.

The vlan-name TLV sends the VLAN descriptions that are configured in the set description command under config switch vlan.

802.3-tlvs {eee-config | max-frame-size | power-negotiation}

• eee-config—Use this TLV to send the energy-efficient Ethernet (EEE) status of the port.
• max-frame-size—This TLV will send the maximum frame size value of the port. If the value is changed, the sent value reflects the updated value.
• power-negotiation—Use this TLV to send the power over Ethernet (PoE) classification of the port.

auto-isl

Enable or disable the auto ISL capability.

auto-isl-auth {legacy | strict | relax}

Select the authentication mode:

• legacy—This mode is the default. There is no authentication.

• strict—If authentication succeeds, FortiOS forms a secure ISL trunk. If authentication fails, no ISL trunk is formed.

• relax—If authentication succeeds, FortiOS forms a secure ISL trunk. If authentication fails, FortiOS forms a restricted ISL trunk.

auto-isl-auth-encrypt {mixed | must | none}

Select the encryption mode:

• mixed—FortiOS enables MACsec on the ISL trunk ports that support MACsec; the ISL trunk members act as encrypted links. FortiOS disables MACsec on the ISL members that do not support MACsec; these ISL trunk members act as unencrypted links.

• must—FortiOS enables MACsec on all ISL trunk members. If the port supports MACsec, the port acts as an encrypted link. If the port does not support MACsec, the port is removed from the ISL trunk, but the port still functions as a user port.

• none—There is no encryption, and FortiOS does not enable MACsec on the ISL trunk members.

This option is available when auto-isl-auth is set to strict or relax.

auto-isl-auth-identity <string>

Enter the identity, such as fortilink.

This option is available when auto-isl-auth is set to strict or relax.

auto-isl-auth-macsec-profile default-macsec-auto-isl

Use the default-macsec-auto-isl profile.

This option is available when auto-isl-auth-encrypt is set to mixed or must.

auto-isl-auth-reauth <0-3600>

Enter the reauthentication period in minutes.

This option is available when auto-isl-auth is set to strict or relax.

auto-isl-auth-user <string>

Select the user certificate, such as Fortinet_Factory.

This option is available when auto-isl-auth is set to strict or relax.

auto-isl-hello-timer <1-30>

Enter a value (in seconds) for the hello timer. The range is 1 to 30.

auto-isl-port-group <0-9>

Enter a value for the port group. The range is 0 to 9.

auto-isl-receive-timeout

Enter a value (in seconds) for the receive timeout. The range is 3 to 90.

auto-mclag-icl {enable | disable}

Enable or disable the MCLAG inter-chassis link.

med-tlvs (inventory-management | location-identification | network-policy | power-management)

Enable the inventory-management TLVs, location-identification TLVs, network-policy TLVs, and/or power-management TLVs.

vlan-name-map <single_VLANs_or_VLAN_ranges>

You can enter more than 10 VLAN identifiers, but only the first 10 VLANs with VLAN descriptions will be advertised.

The VLAN identifiers are separated with commas and no spaces. The vlan-name-map configuration must be less than 4,096 characters.

This option is available only when 802.1-tlvs is set to vlan-name.

<TLVname_str>

Enter the TLV name.

information-string

Organizationally defined information string. Enter up to 507 bytes in hexadecimal notation.

oui

Organizationally unique identifier. Enter 3 hexadecimal bytes (000000 - FFFFFF). At least one byte must have a non-zero value.

subtype

Organizationally defined subtype. Enter an integer in the range of 0 to 255.

address-civic

Civic address and postal information.

status {enable | disable}

Enable the status to transmit the type-length-value (TLV) if the LLDP-MED profile has been enabled on a port.

sys-location-id <string>

Use the specified location entry that was already entered with the config system location command.

coordinates

Coordinates of the location.

status {enable | disable}

Enable the status to transmit the type-length-value (TLV) if the LLDP-MED profile has been enabled on a port.

sys-location-id <string>

Use the specified location entry that was already entered with the config system location command.

elin-number

Emergency location identifier number (ELIN).

status {enable | disable}

Enable the status to transmit the type-length-value (TLV) if the LLDP-MED profile has been enabled on a port.

sys-location-id <string>

Use the specified location entry that was already entered with the config system location command.

{guest-voice | guest-voice-signaling | softphone-voice | streaming-video | video-conferencing | video-signaling | voice | voice-signaling}

Enter one of the policy type names.

status {enable | disable}

Enable or disable the policy for the policy type.

assign-vlan {enable | disable}

Enable or disable whether the VLAN is added as one of the allowed-vlans for this port.

dscp <0-63>

DSCP value to send.

priority <0-7>

CoS priority value to send.

status

Enable or disable

tx-hold

Number of tx-intervals before the local LLDP data expires. Therefore, the packet TTL (in seconds) is tx-hold times tx-interval. The range for tx-hold is 1 to 16.

tx-interval

How often the FortiSwitch transmits the LLDP PDU. The range is 5 to 4095 seconds.

fast-start-interval

How often the FortiSwitch transmits the first 4 LLDP packets when a link comes up. The range is 2 to 5 seconds.

Set this variable to zero to disable fast start.

management-interface

Primary management interface to be advertised in LLDP and CDP PDUs.

management-address {ipv4 | ipv6 | none}

Select whether to advertise the IPv4 management address, the IPv6 management address, or no management address in the Management Address TLV

eap-tls-ca-cert <CA_certificate>

Specify the certificate authority (CA) to use for the MACsec CAK.

This option is available only when macsec-mode is set to dynamic-cak.

eap-tls-cert<client_certificate>

Select the client certificate that you imported for the MACsec CAK.

This option is available only when macsec-mode is set to dynamic-cak.

eap-tls-identity <name_of_client>

Enter the name of the client for the MACsec CAK.

This option is available only when macsec-mode is set to dynamic-cak.

eap-tls-radius-server <name_of_RADIUS_server>

Enter the name of the RADIUS server to use for the MACsec CAK.

This option is available only when macsec-mode is set to dynamic-cak.

mka-sak-rekey-time {0 | 60-1000000}

Set the number of seconds before a new secure association key (SAK) is generated. Set to 0 to disable the timer. The minimum number of seconds is 60; the maximum number of seconds is 1,000,000.

Enter the number of packets for the MACsec replay window size. If two packets arrive with the difference between their packet identifiers more then the replay window size, the most recent packet of the two is dropped. The range is 0-16777215 packets. Enter 0 to ensure that all packets arrive in order without any repeats.

Enter the string of hexadecimal digits for the connectivity association key (CAK). The string can be 32-bytes or 64-bytes long.

Enter the string of hexadecimal digits for the connectivity association name (CKN). The string must be an even number of bytes, 2-bytes to 64-bytes long.

The status of the pre-shared key pair is always active.

config traffic-policy

<traffic_policy_name>

Enter a name for this MACsec traffic policy.

exclude-protocol {arp | dot1q | fortilink | ipv4 | ipv6 | lacp | lldp | qinq | stp}

Select one or more protocols that will not be secured by the MACsec traffic policy:

• arp—Do not encrypt ARP packets.
• dot1q—Do not encrypt 802.1q VLAN packets.
• fortilink—Do not encrypt FortiLink packets.
• ipv4—Do not encrypt IPv4 packets.
• ipv6—Do not encrypt IPv6 packets.
• lacp—Do not encrypt LACP packets.
• lldp—Do not encrypt LLDP packets.
• qinq—Do not encrypt 802.1ad QinQ packets.
• stp—Do not encrypt STP packets.

Separate protocols with a space. By default, all protocols are encrypted if no protocols are excluded.

security-policy must-secure

The policy must secure traffic for MACsec.

<mirror session name>

Enter the name of the mirror session to edit (or enter a new mirror session name).

dst <interface>

Required when the mode is set to ERSPAN-manual, RSPAN (when the switch is not in FortiLink mode), or SPAN.

On FortiSwitch models that support RSPAN and ERSPAN, set the trunk or physical port that will act as a mirror. The physical port cannot be part of a trunk.

On FortiSwitch models that do not support RSPAN and ERSPAN, set the physical port that will act as a mirror. The physical port can be part of a trunk.

encap-gre-protocol <hexadecimal_integer>

Set the protocol value in the ERSPAN GRE header.

This option is available when the mode is ERSPAN-auto or ERSPAN-manual.

encap-ipv4-src <IPv4_address>

Required when the mode is set to ERSPAN-manual and the status is active.

Set the IPv4 source address in the ERSPAN IP header. The range is 0.0.0.1-255.255.255.254.

This option is available when the mode is ERSPAN-manual.

encap-ipv4-tos <hexadecimal_integer>

Set the type of service (ToS) value or enter the DSCP and ECN values in the ERSPAN IP header.

This option is available when the mode is ERSPAN-auto or ERSPAN-manual.

encap-ipv4-ttl <0-255>

Set the IPv4 time-to-live (TTL) value in the ERSPAN IP header.

This option is available when the mode is ERSPAN-auto or ERSPAN-manual.

encap-mac-dst <MAC_address>

Required when the mode is set to ERSPAN-manual and the status is active.

Set the MAC address of the next-hop or gateway on the path to the ERSPAN collector IP address. The range is 00:00:00:00:00:01-FF:FF:FF:FF:FF:FF.

This option is available only when the mode is ERSPAN-manual.

encap-mac-src <MAC_address>

Required when the mode is set to ERSPAN-manual and the status is active.

Set the source MAC address in the ERSPAN Ethernet header. The range is 00:00:00:00:00:01-FF:FF:FF:FF:FF:FE.

This option is available when the mode is ERSPAN-manual.

encap-vlan {tagged | untagged}

Set the status of ERSPAN encapsulation headers to tagged or untagged to control whether the VLAN header is added to the encapsulated traffic.

This option is available if the mode is ERSPAN-manual.

encap-vlan-cfi <0-1>

Set the canonical format identifier (CFI) or drop eligible indicator (DEI) bit in the ERSPAN or RSPAN VLAN header.

This option is available when the mode is RSPAN or ERSPAN-auto. This option is available for the ERSPAN-manual mode if encap-vlan is set to tagged.

When the mode is RSPAN, this option is not available on the 248D, 248D-POE, 248D-FPOE,248E, 248E-POE, 248E-FPOE, 448D, 448D-POE, and 448D-FPOE models.

encap-vlan-id <1-4094>

Set the VLAN identifier in the ERSPAN or RSPAN VLAN header.

This option is available when the mode is RSPAN. This option is available for the ERSPAN-manual mode if encap-vlan is set to tagged.

encap-vlan-priority <0-7>

Set the class of service (CoS) bits in the ERSPAN or RSPAN VLAN header.

This option is available when the mode is RSPAN or ERSPAN-auto. This option is available for the ERSPAN-manual mode if encap-vlan is set to tagged.

When the mode is RSPAN, this option is not available on the 248D, 248D-POE, 248D-FPOE,248E, 248E-POE, 248E-FPOE, 448D, 448D-POE, and 448D-FPOE models.

encap-vlan-tpid <0x0001-0xfffe>

Set the tag protocol identifier (TPID) for the encapsulating VLAN header. The default value, 0x8100, is for an IEEE 802.1Q-tagged frame.

This option is available when the mode is RSPAN or ERSPAN-auto. This option is available for the ERSPAN-manual mode if encap-vlan is set to tagged.

erspan-collector-ip <IPv4_address>

Required when the status is active and the mode is set to ERSPAN-auto or ERSPAN-manual.

Set the IPv4 address for the ERSPAN collector. The range is 0.0.0.1-255.255.255.255.

This option is available only when the mode is ERSPAN-auto or ERSPAN-manual.

mode {ERSPAN-auto | ERSPAN-manual | RSPAN | SPAN}

Select the mirroring mode:

• ERSPAN-auto—Mirror traffic to the specified destination interface using ERSPAN encapsulation. The header contents are automatically configured.
• ERSPAN-manual—Mirror traffic to the specified destination interface using ERSPAN encapsulation. The header contents are manually configured.
• RSPAN—Mirror traffic to the specified destination interface using RSPAN encapsulation.
• SPAN—Mirror traffic to the specified destination interface without encapsulation.

rspan-ip <IPv4_address>

Required when the mode is RSPAN, the status is active, and the switch is in FortiLink mode.

Enter the destination IP address for the RSPAN collector. The range is 0.0.0.1-255.255.255.255.

This option is available only when the mode is RSPAN and the switch is in FortiLink mode.

src-egress <interface_name>

Optional. Set the source egress physical ports that will be mirrored. Only one active egress mirror session is allowed.

src-ingress <interface_name>

Optional. Specify the source ingress physical ports that will be mirrored.

status {active | inactive}

Set the mirror session to active or inactive.

strip-mirrored-traffic-tags {disable | enable}

Enable or disable the removal of VLAN tags from mirrored traffic.

This option is available if the mode is ERSPAN-auto or ERSPAN-manual.

aging-time <integer>

The maximum number of seconds to retain a multicast snooping entry for which no packets have been seen (15-3600).

leave-response-timeout <integer>

Enter the maximum number of seconds that the switch waits after sending a group-specific query in response to the leave message. The range of values is 1-20.

test-monitoring-count <1-5>

Enter the number of MRP_Test frames received that are monitored.

topology-change-interval <10-20 ms>

Enter the number of milliseconds between sending MRP_TopologyChange frames.

<MRP_ring_ID>

Enter a unique identifier for this MRP ring.

ring-port1 <port_name>

The physical port that serves as the first ring port.

ring-port2 <port_name>

The physical port that serves as the second ring port.

<unused network monitor>

Enter the number of an unused network monitor.

db-aging-interval <integer>

Enter the network monitor database aging interval. The value range is 3600-86400 seconds. Set the option to 0 to disable it.

status {disable | enable}

Enable or disable the network monitor.

survey-mode {disable | enable}

Enable or disable the network monitor survey mode.

port-configuration {default | disable-port54 | disable-port41-48 | 4x100G | 6x40G | 4x4x25G}

• For 548D and 548D-FPOE, set this option to disable-port54 if only port 53 is splittable and port 54 is unavailable.

• For 548D and 548D-FPOE, set this option to disable-port41-48 if ports 41 to 48 are unavailable, but ports 53 and 54 are splittable.

• For 1048E, set this option to 4x100G to enable the maximum speed (100G) of ports 49 through 52.

• For 1048E, set this option to 6x40G to enable the maximum speed (40G) of ports 49 through 54.

• For 1048E, set this option to 4x4x25G to enable the maximum speed (25G) of ports 49 through 52.

<port_name>

Enter the port name.

cdp-status {disable | rx-only | tx-only | tx-rx}

• disable disables CDP transmit and receive.
• rx-only enables CDP as receive only.
• tx-only enables CDP as transmit only.
• tx-rx enables CDP transmit and receive.

description <description_str>

Optionally enter a description.

dmi-status

Enable or disable DMI access. Set to global to use the global switch setting.

egress-drop-mode {disabled | enabled>

Enable or disable egress drop.

energy-efficient-ethernet {enable | disable}

Enable or disable energy-efficient Ethernet.

eee-tx-idle-time <integer>

Enter the number of microseconds that circuits are turned off to save power. The range is 0-2560 microseconds. This option is available only if energy-efficient-ethernet is enabled.

eee-tx-wake-time <integer>

Enter the number of microseconds during which no data is transmitted while the circuits that were turned off are being restarted. The range is 0-2560 microseconds. This option is available only if energy-efficient-ethernet is enabled.

fec-state {cl74 | cl91 | detect-by-module | disabled}

Set the Forward Error Correction (FEC) state:

• cl74—Enable Clause 74 RS-FEC, which only applies to 25 Gbps.
• cl91—Enable Clause 91 RS-FEC, which only applies to 100 Gbps.
• detect-by-module—Automatically detect whether FEC is supported by the module. This option applies to the 25G and 100G ports of the FS-1048E and FS-3032E models; this option also applies to the split ports of the FS-1048E and FS-3032E models.
• disabled—Disable FEC.

flapguard {enabled | disabled}

Enable or disable flap guard for this port.

flap-duration <5-300>

After enabling the port flap guard, set the number of seconds during which the flap rate is counted.

flap-rate <1-30>

After enabling the port flap guard, set how many times that a portʼs status changes during a specified number of seconds before the flap guard is triggered.

flap-timeout <0-120>

After enabling the port flap guard, set the number of minutes before flap guard resets. Setting this value to 0 means that there is no timeout.

flow-control {tx | rx | both | disable}

• tx—Enable transmit pause only.
• rx—Enable receive pause only.
• both—Enable both transmit and receive pause.
• disable—Disable flow control.

fortilink-p2p {enable | disable}

Enable or disable running FortiLink mode over a point-to-point layer-2 network.

pause-meter-rate <integer>

Enter the number of kilobits for the ingress metering rate. The range is 64 to 2147483647. Set to 0 to disable. Available if flow-control is set to tx.

pause-resume {25% | 50% | 75%}

Enter the percentage of the threshold to resume traffic to the ingress port. Available if flow-control is set to tx and pause-meter-rate is set to a nonzero value.

l2-learning

Enable or disable dynamic IP learning for this interface

l2-sa-unknown {drop | forward}

Drop or forward unknown (SMAC) packets when dynamic MAC address learning is disabled.

lldp-profile

Enter the LLDP profile name for this port.

lldp-status

• tx-only—enable transmit only
• rx-only—enable receive only
• tx-rx—enable both transmit and receive
• disable—disable LLDP

loopback {disable | local | remote}

• Select local for a physical-layer loopback. If the hardware does not support a physical-layer loopback, a MAC-address loopback is used instead.
• Select remote for a physical-layer lineside loopback.

macsec-pae-mode {none | supp | auth}

Select the PAE mode for the MACSEC interface:

• none—No PAE is configured, and PSK is applied.

• supp—The interface acts as a PAE supplicant for MACsec CAK.

• auth—The interface acts as a PAE authenticator for MACsec CAK.

macsec-profile <string>

Specify the MACsec profile to apply to the port.

max-frame-size <bytes_int>

Set the maximum frame size. The range and default depend on the switch model. See the FortiSwitchOS feature matrix.

NOTE: For the FS-1xxE, FS-1xxF, and FS-110G-FPOE models, this command is under the config switch global command.

poe-disconnection-type {AC | DC | DC-delay}

Select how a FortiSwitch unit with Power over Ethernet (PoE) disconnects from a powered device:

• AC—AC disconnect.

• DC—DC disconnect.

• DC-delay—DC disconnect with an extra 500-millisecond delay.

poe-port-mode {IEEE802_3AF | IEEE802_3AT}

Set the PoE port mode to IEEE802.3AFor IEEE802.3AT.

poe-port-power {normal | perpetual | perpetual-fast}

Select whether the PoE power is delivered while a switch restarts:

• normal—PoE power is not provided while a switch restarts.

• perpetual—PoE power is provided during a soft reboot (switch is restarted while powered up).

• perpetual-fast—PoE power is provided during a hard reboot (the switchʼs power is physically turned off and then on again).

poe-port-priority {critical-priority | high-priority | low-priority}

Set the port priority. If there is not enough power, power is alloted first to critical-priority ports, then to high-priority ports, and then to low-priority ports.

poe-pre-standard-detect {disable | enable}

Enable or disable PoE pre-standard detection.

NOTE: PoE pre-standard detection is a global setting for the following FortiSwitch models: FS-548D-FPOE, FS-524D-FPOE, FS-224D-POE, FS-124E-POE, FS-124E-FPOE, 148F-POE, and 148F-FPOE. For the other FortiSwitch PoE models, PoE pre-standard detection is set on each port.

poe-status {enable | disable}

Enable Power over Ethernet.

priority-based-flow-control {enable | disable}

Enable priority-based flow control to avoid frame loss by stopping incoming traffic when a queue is congested. When priority-based flow control is disabled, 802.3 flow control can be used.

qsfp-low-power-mode {enabled | disabled}

Enable or disable the low-power mode on FortiSwitch models with QSFP (quad small form-factor pluggable) ports.

security-mode {none | macsec}

Select no security or MACsec-based port security authentication. You cannot mix MACsec with ISL authentication.

speed <speed_str>

Set the speed of this port. Values depend on the switch model and port. For example:

• 1000auto—Autonegotiation (1 Gbps full-duplex only).
• 100full—100 Mbps full-duplex.
• 100half—100 Mbps half-duplex.
• 10full—10 Mbps full-duplex.
• 10half—10 Mbps half-duplex.
• auto—Auto-negotiation.
• 10000cr—10 Gbps copper interface.
• 10000full—10 Gbps full-duplex.
• 10000sr—10 Gbps SFI interface.
• 1000full—1 Gbps full-duplex.

• 25000cr—25 Gbps copper interface.

• 25000full—25 Gbps full-duplex.

• 25000sr—25 Gbps SFI interface.

• 40000auto—Autonegotiation of the 40G-CR4 interface of FS-1048E.

• auto-module—Maximum speed supported by module.

status {down | up}

Set the administrative status of this interface: up or down.

storm-control-mode {disabled | global | override}

By default, you configure storm control on a system-wide level. Set this option to override if you want to configure storm control on a per-port level using the config storm-control command, which is only available when the storm-control-mode is set to override. Set this option to disabled to deactivate port-level storm-control configuration.

broadcast {enable | disable}

Enable or disable storm control for broadcast traffic.

burst-size-level <0-4>

Set the burst-size level for storm control. Use a higher number to handle bursty traffic. The maximum number of packets or bytes allowed for each burst-size level depends on the switch model.

NOTE: This command is not available for the FS-124E, FS-124E-POE, and FS-124E-FPOE models.

rate [0 | 2-10000000]

Specify the rate as packets-per-second. If you set the rate to zero, the system drops all packets (for the enabled traffic types).

unknown-multicast {enable | disable}

Enable or disable storm control for unknown multicast traffic.

vlan-id <1-4094>

Enter the VLAN identifier of the supervision frame.

This option is available only when vlan-id-tagged is set to enable.

vlan-id-cos <0-7>

Enter the class of service (CoS) value to be set in the VLAN tag of the supervision frame.

This option is available only when vlan-id-tagged is set to enable.

vlan-id-tagged {enable | disable}

Enable or disable supervision frame VLAN ID tagging.

mac-da <0-255>

Specify the last 8 bits of the PRP supervision frame MAC DA.

status

Enable or disable PTP.

<dot1p map name>

Enter the name of a dot1p map.

<text>

Enter a description of the dot1p map.

[priority-0|priority-1|priority-2|...priority-7] <queue number>

Set the priority of each queue.

<ip-dscp map name>

Enter the name of a DSCP map.

<text>

Enter a description of the DSCP map.

<entry-name>

Enter a unique integer to create a new entry.

diffserv [ [ AF11 | AF12 | AF13 | AF21 | AF22 | AF23 | AF31 | AF32 | AF33 | AF41 | AF42 | AF43 | CS0 | CS1 | CS2 | CS3 | CS4 | CS5 | CS6 | CS7 | EF ]

Set the differentiated service.

ip-precedence [ Network Control | Internetwork Control | Critic/ECP | Flash Override | Flash, Immediate | Priority | Routine ]

Set the IP precedence.

value <dscp raw value>

enter the raw value of DSCP (0-63).

<policy_name>

Enter the name of the QoS policy.

rate-by {kbps | percent}

Set whether the CoS queue rate is measured in kbps or by percentage.

schedule {strict | round-robin | weighted}

• strict—The queues are served in descending order (of queue number), so higher number queues receive higher priority. The purpose of the strict scheduling mode is to provide lower latency service to higher classes of traffic. However, if the interface experiences congestion, the lower priority traffic could be starved.
• round-robin— In round robin mode, the scheduler visits each backlogged queue, servicing a single packet from each queue before moving on to the next one. The purpose of round robin scheduling is to provide fair access to the egress port bandwidth.
• weighted— Each of the eight egress queues is assigned a weight value ranging from 0 to 63. The purpose of weighted round robin scheduling is to provide prioritized access to the egress port bandwidth, such that queues with higher weight get more of the bandwidth, but lower priority traffic is not starved.

[queue-0 ... queue-7]

Set the CoS queue to update.

description <text>

Enter a description of the CoS queue.

drop-policy {taildrop | weighted-random-early-detection}

• taildrop—When the queue is full, new packets are dropped.
• weighted-random-early-detection—When the queue reaches the packet-dropping threshold, packets start getting dropped randomly based on the probability defined in the wred-slope setting.

set ecn {enable | disable}

If you select random early detection in the CLI, you can enable explicit congestion notification (ECN) marking to indicate that congestion is occuring without just dropping packets. If you disable this option, the normal queue drop policy applies.

max-rate <rate kbps>

If you set the rate-by to kbps, enter the maximum rate in kbps. Set the value to 0 to disable.

NOTE: For the FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models, the switch rounds the max-rate value to the nearest multiple of 16 internally. If the rounding result is 0, max-rate is disabled internally.

min-rate <rate kbps>

If you set the rate-by to kbps, enter the minimum rate in kbps. Set the value to 0 to disable.

NOTE: This command is not available on the FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models.

max-rate-percent <percentage>

If you set the rate-by to percent, enter the maximum rate as a percentage of the link speed.

min-rate-percent <percentage>

If you set the rate-by to percent, enter the minimum rate as a percentage of the link speed.

NOTE: This command is not available on the FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models.

weight <value>

Enter the weight of weighted round robin scheduling. (applicable if the policy schedule is weighted )

<MAC_address_to_quarantine>

Enter the MAC address to quarantine.

cos-queue <0-7>

Set the class-of-service queue for the quarantined device traffic. Use the unset cos-queue command to disable this setting.

description <string>

Enter an optional description of the quarantined MAC address.

drop {enable | disable}

Enable or disable whether quarantined device traffic is dropped.

<RA-guard policy name>

Enter the name of the RA-guard policy.

device-role {host | router}

Set whether this policy applies to hosts or routers. If this option is set to host, all RA messages are dropped. If this option is set to router, the policy checks the other specified criteria.

managed-flag {Off | On}

Set to On for the policy to accept RA messages that are flagged with the M (managed address configuration) flag; if the RA messages are not flagged, they are dropped.

Set to Off for the policy to accept RA messages that arenot flagged with the M flag; if the RA messages are flagged, they are dropped.

If this option is not set, the policy skips this check.

other-flag {Off | On}

Set to On for the policy to accept RA messages that are flagged with the O (other configuration) flag; if the RA messages are not flagged, they are dropped.

Set to Off for the policy to accept RA messages that arenot flagged with the O flag; if the RA messages are flagged, they are dropped.

If this option is not set, the policy skips this check.

max-hop-limit <0-255>

Enter the maximum hop number for the policy to accept RA messages with a hop number equal or less than this value.

If this option is not set, the policy skips this check.

min-hop-limit <0-255>

Enter the minimum hop number for the policy to accept RA messages with a hop number equal or more than this value.

If this option is not set, the policy skips this check.

max-router-preference {high | medium | low}

Set the default router preference for the policy to accept RA messages with the router preference equal or less than this setting. When the router preference of RA messages is not set as high, medium, or low, RA guard acts as if the router preference was set to medium.

If this option is not set, the policy skips this check.

match-src-addr <name_of_IPv6_access_list>

Enter the name of the IPv6 access list for the policy to check if the source IPv6 address of the RA message matches an allowed address. The IPv6 access list must be created (with the config router access-list6 command) before it is used in a policy.

tcp-syn-data

TCP SYN packet contains additional data (possible DoS attack).

tcp-udp-port-zero

TCP or UDP packet has the source or destination port set to zero.

tcp_flag_zero

TCP packet with all flags set to zero.

tcp_flag_FUP

TCP packet with FIN, URG and PSH flags set.

tcp_flag_SF

TCP packet with SYN and FIN flags set.

tcp_flag_SR

TCP packet with SYN and RST flags set.

tcp_frag_ipv4_icmp

Fragmented ICMPv4 packet.

tcp_arp_mac_mismatch

ARP packet with MAC source address mismatch between the layer- 2 header and the ARP packet payload.

TCP packet with FIN, URG, and PSH flags set.

TCP packet with SYN and FIN flags set.

udp-port-eq

IP packet with the same source and destination UDP port.

ip-pod

The IPv4/IPv6 packet length is larger than 64 kB.

icmp-frag

Fragmented ICMP packet.

tcp-frag-off-min

TCP non-initial fragments carry the TCP header.

tcp-syn-sp-less-1024

TCP SYN packet with a source port less than 1024.

invalid-ipv4-hdr-len

IPv4 packet with a header length greater than the total length.

NOTE: This command is available only on the FS-124F, FS-124F-FPOE, FS-124F-POE, FS-148F, FS-148F-FPOE, and FS-148F-POE models.

sip-eq-dip

TCP packet with the same source IP address and destination IP address.

tcp-flag

DoS attack checking for TCP flags.

tcp-port-eq

TCP packet with the same source and destination TCP port.

tcp-flag-FUP

TCP packet with FIN, URG, and PSH flags set, and sequence number is zero.

tcp-flag-SF

TCP packet with SYN and FIN flags set.

v4-first-frag

DoS attack checking for IPv4 first fragment.

udp-port-eq

IP packet with the same source and destination UDP port.

tcp-hdr-partial

TCP packet with partial header.

macsa-eq-macda

Packet with the same source MAC address and destination MAC address.

allow-mcast-sa

Ethernet packet whose source MAC address is multicast.

<sequence number>

Enter a sequence number.

action {allow | drop}

Select whether packets with the specified source static MAC address are allowed or dropped.

description <optional_string>

Optional. Enter a description of the static MAC address.

interface <interface_name>

Enter the interface name.

mac <static_MAC_address>

Enter the static MAC address.

type {sticky | static}

Set the MAC address as a persistent (sticky) addres or a static address.

broadcast {enable | disable}

Enable or disable storm control for broadcast traffic.

burst-size-level <0-4>

Set the burst-size level for storm control. Use a higher number to handle bursty traffic. The maximum number of packets or bytes allowed for each burst-size level depends on the switch model.

rate [0 | 2-10000000]

Specify the rate as packets-per-second. If you set the rate to zero, the system drops all packets (for the enabled traffic types).

unknown-multicast {enable | disable}

Enable or disable storm control for unknown multicast traffic.

<instance_id>

Enter an instance identifier. The range differs for the various FortiSwitch models.

priority <priority_int>

Set the STP priority. The acceptable priority values are 0, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 4096, 40960, 45056, 49152, 53248, 57344, 61440, and 8192.

vlan-range <vlan_map>

Enter the VLANs to which STP applies. <vlan_map> is a comma-separated list of VLAN IDs or VLAN ID ranges, for example “1,3-4,6,7,9-100” .

<port name>

Enter the name of the port.

cost <cost_int>

Enter the cost of using this interface. Use set cost ? for suggested cost values based on link speed.

flood {enable | disable}

Set to enable if you want the STP packets arriving at any port to pass through the switch without being processed. Set to disable if you want to block STP packets arriving at any port.

This command is available only when status is set to disable.

forward-time <fseconds_int>

Enter the forwarding delay in seconds. Range 4 to 30.

hello-time <hseconds_int>

Enter the hello time in seconds. Range 1 to 10.

max-age <age>

Enter the maximum age. Range 6 to 40.

max-hops <hops_int>

Enter the maximum number of hops. Range 1 to 40.

mclag-stp-bpdu {both | single}

Set to both to allow both core switches of an MCLAG to transmit STP BPDUs. Set to single to prevent both core switches of an MCLAG from transmitting STP BPDUs.

name <name_str>

Enter a string value for the name.

revision <rev_int>

Range 0 to 65535.

<trunk name>

Enter a name for the trunk.

aggregator-mode {bandwidth | count}

Select how an aggregator groups ports when the trunk is in LACP mode. Select bandwidth to group ports into the aggregator with the largest bandwidth. Select count to group ports into the aggregator with the most ports.

auto-isl <integer>

Automatically forms an ISL-encapsulated trunk, up to the specified maximum size.

bundle [enable|disable]

Enable or disable bundling

min_bundle

Set the minimum size of the bundle. This option is available only when bundle has been enabled.

max_bundle

Set the maximum size of the bundle. This option is available only when bundle has been enabled.

description <description_str>

Optionally, enter a description.

fortilink <integer>

Set the FortiLink trunk.

isl-fortilink <integer>

Set the ISL FortiLink trunk.

lacp-speed {slow | fast}

Select fast to send an LACP message every second. Select slow to send an LACP message every 30 seconds.

mclag {disable | enable}

Enable or disable multichassis LAG (MCLAG).

mclag-icl {disable | enable}

Enable or disable the MCLAG inter-chassis link (ICL).

member-withdrawal-behavior {block | forward}

Select how the port behaves after it withdraws because of loss-of-control packets.

members <intf1 ... intfn>

Enter the names of the interfaces that belong to this trunk. Separate the names with spaces.

mode {fortinet-trunk | lacp-active | lacp-passive | static}

• fortinet-trunk—use heartbeat packets to detect whether trunk members are available.
• lacp-active—use active LACP 802.3ad aggregation
• lacp-passive—use passive LACP 802.3ad aggregation
• static—use static aggregation, ignoring and not sending control messages

fallback-port <port_name>

Select which port will stay up in LACP fallback mode so that a device not running LACP can still connect to the network.

port-selection-criteria {src-ip | src-mac | dst-ip | dst-mac | src-dst-ip | src-dst-mac}

• src-ip—source IP address
• src-mac—source MAC address
• dst-ip—destination IP address
• dst-mac—destination MAC address
• src-dst-ip—both source and destination IP addresses
• src-dst-mac—both source and destination MAC addresses

static-isl {enable | disable}

Available only in FortiLink mode. Enable to manually create an inter-switch link (ISL) trunk.

port-selection-criteria {src-ip | src-mac | dst-ip | dst-mac | src-dst-ip | src-dst-mac}

• src-ip — source IP address
• src-mac — source MAC address
• dst-ip — destination IP address
• dst-mac — destination MAC address
• src-dst-ip — both source and destination IP addresses
• src-dst-mac — both source and destination MAC addresses

description <description_str>

Optionally, enter a description.

members <port> [<port>] ... [<port>]

Enter the names of the ports that belong to this trunk. Separate the names with spaces.

member-withdrawal-behavior {block | forward}

Set the port behavior after it withdraws because of the loss of control packets.

max-miss-heartbeats <3-32>

Enter the maximum number of heartbeat messages that can be lost before the FortiGate is deemed to be unavailable. Set a value between 3 and 32.

hb-out-vlan

Enter the outgoing VLAN value.

hb-in-vlan

Enter the incoming VLAN value.

hb-src-ip

Enter the source IP address for the heartbeat packet.

hb-dst-ip

Enter the destination IP address for the heartbeat packet.

hb-src-udp-port

Enter the source UDP port value for the heartbeat packet.

hb-dst-udp-port

Enter the destination UDP port value for the heartbeat packet.

Enter a name for the virtual port. The name must be in the following format:

vni.<VNI>.<remote_end_VTEP_IP_address>

For example, if the VXLAN network identifier (VNI) is 100 and the remote end of the VXLAN tunnel is at 1.1.1.1, the virtual port name is vni.100.1.1.1.1.

Enable or disable whether there is a limit for how many IP addresses are in the DHCP-snooping binding database for this virtual port.

The set dhcp-snoop-learning-limit-check command is available only when dhcp-snooping has been set to untrusted.

<id>

Enter a unique integer to create a new entry.

first-member <port>

first member in the virtual-wire pair

second-member <port>

second member in the virtual-wire pair

<vlan id>

Enter a VLAN identifier.

access-vlan {enable | disable}

Set to enable to block FortiSwitch port-to-port traffic on this VLAN while allowing traffic to and from the FortiGate unit. Set to disable to allow normal VLAN traffic.

assignment-priority <1-255>

Assign a priority to the VLAN. If there is more than one VLAN with the same name (specified in the set description command), FortiSwitchOS selects the VLAN with the lowest assignment-priority value (which is the highest priority) of the VLANs with names (specified in the set description command) that match the RADIUS Egress-VLAN-Name attribute.

cos-queue <0-7>

Specify which class of service (CoS) queue is used for traffic on this VLAN or use the unset cos-queue command to disable this setting.

This command is available only in FortiLink mode.

description <description_str>

Optionally, enter a description.

If the Tunnel-Private-Group-Id attribute on the RADIUS server was set to the VLAN name, set the description to the same string. For example:

set description "newvlan"

dhcp-snooping {enable | disable | monitor}

Select the setting for IPv4 DHCP snooping:

• enable—Enable IPv4 DHCP snooping on this VLAN.

• disable—Disable IPv4 DHCP snooping on this VLAN.

• monitor—Monitor IPv4 DHCP snooping on this VLAN.

dhcp-snooping-verify-mac {enable | disable}

Enable or disable whether to verify the source MAC address. This option is available only if dhcp-snooping is set to enable.

dhcp-snooping-option82 {enable | disable}

Enable or disable whether to insert option-82 fields. This option is available only if dhcp-snooping is set to enable.

arp-inspection {enable | disable | monitor}

Specify one of the following:

• enable—Enable dynamic ARP inspection.

• disable—Disable dynamic ARP inspection.

• monitor—Monitor ARP packets.

NOTE: You must set dhcp-snooping to enable to be able to set arp-inspection to enable or monitor.

dhcp6-snooping {enable | disable}

Enable or disable IPv6 DHCP snooping for this VLAN.

igmp-snooping {enable | disable}

Enable or disable IGMP snooping on the VLAN.

igmp-snooping-fast-leave {enable | disable}

Enable or disable IGMP-snooping fast leave on this VLAN. This field is only available if igmp-snooping is enabled.

igmp-snooping-querier {enable | disable}

Enable or disable whether periodic IGMP-snooping queries are sent to get IGMP reports. This field is only available if igmp-snooping is enabled.

igmp-snooping-querier-addr <IPv4_address>

Required. Enter the IPv4 address for the IGMP-snooping querier. This field if only available if igmp-snooping-querier is enabled.

igmp-snooping-querier-version {2|3}

Select whether to use the IGMP-snooping querier version 2 or version 3.

igmp-snooping proxy {enable | disable}

Enable or disable the IGMP-snooping proxy on this VLAN. When the IGMP-snooping proxy is enabled, this VLAN sends IGMP reports. This field is only available if igmp-snooping is enabled.

lan-segment {enable | disable}

Enable or disable the use of LAN segments.

lan-subvlans <VLAN_identifiers>

Enter the VLAN identifiers to assign to the LAN segment. You can enter single VLANs or ranges of VLANs, separated by commas without white space. For example: “1,2-4,5,7,9-100”. The value must be less than 4,096 characters. This field is only available if lan-segment is enabled.

lan-internal-vlan <VLAN_identifier>

For the FS-108F, FS-108F-POE, FS-108F-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models only.

After you enable LAN segments, FortiSwitchOS automatically assigns a VLAN for internal use. This VLAN cannot be used for any other purpose. If you want to assign a different internal VLAN, type set lan-internal-vlan ? to see a range of VLANs; however, these VLANs might not be available. If no VLANs are available to be used as an internal VLAN, the LAN segment configuration returns an error message.

This field is only available if lan-segment is enabled.

learning {enable | disable}

Enable or disable layer-2 learning on this VLAN.

learning-limit <integer>

Limit the number of dynamic MAC addresses on this VLAN. The per-VLAN MAC address learning limit is between 1 and 128. Set the value to 0 for no limit.

mld-snooping {enable | disable}

Enable or disable Multicast Listener Discovery (MLD) snooping for the this VLAN.

mld-snooping-fast-leave {enable | disable}

Enable or disable MLD-snooping fast leave on this VLAN. This field is only available if mld-snooping is enabled.

mld-snooping-querier {enable | disable}

Enable or disable whether periodic MLD-snooping queries are sent to get MLD reports. This field is only available if mld-snooping is enabled.

mld-snooping-querier-addr <IPv6_address>

Required. Enter the IPv6 address for the MLD-snooping querier. This field if only available if mld-snooping-querier is enabled.

mld-snooping-proxy {enable | disable}

Enable or disable the MLD-snooping proxy on this VLAN. When the MLD-snooping proxy is enabled, this VLAN sends MLD reports. This field is only available if mld-snooping is enabled.

policer <integer>

Set the policer for the traffic on this VLAN.

This command is available only in FortiLink mode.

private-vlan {enable | disable}

Set to enable if this is a private VLAN.

isolated-vlan <integer>

(Valid if private VLAN is enabled) Enter the isolated VLAN.

community-vlans <vlan_map>

(Valid if private VLAN is enabled) Enter the communities within this private VLAN. Enter single VLANs or ranges of VLANS separated by commas without white space. For example: 1,3-4,6,7,9-100

rspan-mode {enable | disable}

Enable or disable port mirroring using the remote switch port analyzer (RSPAN) on this VLAN.

mac-addr <MAC_address>

Specify a MAC address to bind to an IP address for this VLAN. Use the form of xx:xx:xx:xx:xx:xx.

switch-interface <interface_name>

Specify the switch interface to associate with this DHCP-snooping static entry.

To find out which switch interfaces are valid, type set switch-interface ?.

ip-addr <IPv4_address>

Specify the IPv4 address to bind to a MAC address for this VLAN.

<group_name>

Enter the IGMP static group name.

mcast-addr <IPv4_address>

Enter the IPv4 multicast address for the IGMP static group.

members <interface_name1> <interface_name2>...

Enter the interfaces that belong to the IGMP static group.

ignore-reports {enable | disable}

Enable or disable whether IGMP snooping ignores dynamic joins from other ports.

<group_name>

Enter the MLD static group name.

mcast-addr <IPv6_address>

Enter the IPv6 multicast address for the MLD static group.

members <interface_name1> <interface_name2>...

Enter the interfaces that belong to the MLD static group.

edit <id>

For a new entry, enter an unused ID.

mac XX:XX:XX:XX:XX:XX

Enter a MAC address. If the source MAC address of an incoming packet matches this value, the associated VLAN will be assigned to the packet.

description

Enter up to 128 characters.

edit <id>

For a new entry, enter an unused ID.

address a.b.c.d/e

Enter an IPv4 address and network mask. If the source IP address of an incoming packet matches this value, the associated VLAN will be assigned to the packet. The subnet mask must be a value in the range of 1-32.

description

Enter up to 128 characters.

edit <id>

For a new entry, enter an unused ID.

prefix xx:xx:xx:xx::/prefix

Enter an IPv6 prefix. If the source IP address of an incoming packet matches this value, the associated VLAN will be assigned to the packet. The /prefix must in the range of 1-64.

description

Enter up to 128 characters.

edit <id>

For a new entry, enter an unused ID.

frametypes {ethernet2 | 802.3d | llc}

Enter one or more Ethernet frame type. Set this value to llc for logical link control. Set this value to 802.3d for 802.3d and SNAP.

edit <vlan id>

Enter a VLAN identifier.

dhcp-snooping enable

Enable for IPv4 DHCP snooping.

The config dhcp-server-access-list command is available only after DHCP snooping (IPv4 or IPv6) has been enabled for that VLAN.

dhcp6-snooping enable

Enable for IPv6 DHCP snooping.

The config dhcp-server-access-list command is available only after DHCP snooping (IPv4 or IPv6) has been enabled for that VLAN.

edit <string>

Enter name of DHCP server access list

server-ip <xxx.xxx.xxx.xxx>

If you enabled IPv4 DHCP snooping, enter Class A, B, or C IPv4 address for the DHCP server.