FortiSwitchOS FortiLink Guide (FortiOS 7.4.4)


Fortinet, Inc.


FORTINET DOCUMENT LIBRARY: https://docs.fortinet.com
FORTINET VIDEO LIBRARY: https://video.fortinet.com
FORTINET BLOG: https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT: https://support.fortinet.com
FORTINET TRAINING & CERTIFICATION PROGRAM: https://www.fortinet.com/training-certification
FORTINET TRAINING INSTITUTE: https://training.fortinet.com
FORTIGUARD LABS: https://www.fortiguard.com
END USER LICENSE AGREEMENT: https://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK: Email techdoc@fortinet.com

May 15, 2024
FortiSwitchOS 7.4.3 FortiLink Guide (FortiOS 7.4.4)
11-744-980435-20240515

TABLE OF CONTENTS

Change log ... 9
What's new in FortiOS 7.4.4 ... 10
Introduction ... 11
Supported models ... 11
Support of FortiLink features ... 12
Before you begin ... 12
FortiSwitch management ... 13
Zero-touch management ... 13
Zero-touch provisioning automation ... 14
Configuring the trigger ... 14
Configuring the action ... 17
Configuring the automation stitch ... 19
Configuration examples ... 20
Configuring FortiLink ... 24
1. Enabling the switch controller on the FortiGate unit ... 24
2. Configuring the FortiLink interface ... 25
3. Auto-discovery of the FortiSwitch ports ... 30
Deleting a FortiLink interface ... 33
Optional FortiLink configuration required before discovering and authorizing FortiSwitch units ... 33
Migrating the configuration of standalone FortiSwitch units ... 34
VLAN interface templates for FortiSwitch units ... 34
Automatic provisioning of FortiSwitch firmware upon authorization ... 37
Discovering ... 40
Authorizing ... 40
Preparing the FortiSwitch unit ... 40
Optional FortiLink configuration ... 40
Assigning roles to FortiLink VLAN interfaces ... 41
Using the FortiSwitch serial number for automatic name resolution ... 41
Changing the admin password on the FortiGate for all managed FortiSwitch units ... 42
Disabling the FortiSwitch console port login ... 42
Using automatic network detection and configuration ... 43
Limiting the number of parallel processes for FortiSwitch configuration ... 43
Configuring access to management and internal interfaces ... 44
Enabling FortiLink VLAN optimization ... 44
Configuring the MAC sync interval ... 45
Configuring the FortiSwitch management port ... 45
Multiple FortiLink interfaces ... 46
Grouping FortiSwitch units ... 46
Improving the FortiLink connection ... 46
FortiLink with HTTPS ... 47
Disabling stacking ... 49
Determining the network topology ... 50
Single FortiGate managing a single FortiSwitch unit ... 50
Single FortiGate unit managing a stack of several FortiSwitch units ... 51
HA-mode FortiGate units managing a single FortiSwitch unit ... 52
HA-mode FortiGate units managing a stack of several FortiSwitch units ... 53
HA-mode FortiGate units managing a FortiSwitch two-tier topology ... 53
Single FortiGate unit managing multiple FortiSwitch units (using a hardware or software switch interface) ... 54
HA-mode FortiGate units using hardware-switch interfaces and STP ... 55
FortiLink over a point-to-point layer-2 network ... 56
FortiLink mode over a layer-3 network ... 56
In-band management ... 57
Out-of-band management ... 59
Other topologies ... 59
Limitations ... 60
Managing FortiSwitch units on VXLAN interfaces ... 60
Configure the FortiSwitch unit ... 61
Configure the FortiGate device ... 62
FortiSwitch VLANs over VXLAN ... 63
Verifying VXLAN management ... 66
Switch redundancy with MCLAG ... 66
Standalone FortiGate unit with dual-homed FortiSwitch access ... 66
HA-mode FortiGate units with dual-homed FortiSwitch access ... 67
HA-mode one-tier MCLAG ... 68
FortiLink with an HA cluster of four FortiGate units ... 69
HA-mode FortiGate units in different sites ... 71
Isolated LAN/WAN with multiple FortiLink interfaces ... 71
Three-tier FortiLink MCLAG configuration ... 72
Dual-homed servers connected to a pair of FortiSwitch units using an MCLAG ... 73
MCLAG peer groups ... 74
MCLAG requirements ... 74
Transitioning from a FortiLink split interface to a FortiLink MCLAG ... 74
Deploying MCLAG topologies ... 77
Dual-homed servers connected to a pair of FortiSwitch units using an MCLAG ... 78
Multi-tiered MCLAG with HA-mode FortiGate units ... 79
HA-mode FortiGate units in different sites ... 81
Interconnecting FortiLink fabrics ... 85
Configuring FortiSwitch VLANs and ports ... 89
Configuring VLANs ... 89
Creating VLANs ... 89
Viewing FortiSwitch VLANs ... 92
Changing the VLAN configuration mode ... 92
Configuring multiple managed FortiSwitch VLANs to be used in a software switch ... 93
Configuring inter-VLAN routing offload ... 94
Configuring ports using the GUI ... 96
Configuring port speed and status ... 97
Configuring flap guard ... 98
Resetting a port ... 99
Viewing the flap-guard configuration ... 99
Configuring PoE ... 100
Enabling PoE on the port ... 100
Enabling PoE pre-standard detection ... 100
Configuring PoE port settings ... 101
Resetting the PoE port ... 101
Displaying general PoE status ... 102
Adding 802.3ad link aggregation groups (trunks) ... 102
MCLAG trunks ... 103
LACP fallback mode ... 105
Configuring FortiSwitch split ports (phy-mode) in FortiLink mode ... 106
Configuring split ports on a previously discovered FortiSwitch unit ... 107
Configuring split ports with a new FortiSwitch unit ... 108
Configuring forward error correction on switch ports ... 108
Configuring a split port on the FortiSwitch unit ... 109
Restricting the type of frames allowed through IEEE 802.1Q ports ... 111
Multitenancy and VDOMs ... 111
FortiSwitch ports dedicated to VDOMs ... 111
FortiSwitch VLANs from different VDOMs sharing the same FortiSwitch ports ... 114
Configuring switching features ... 115
Configuring DHCP blocking, STP, and loop guard on managed FortiSwitch ports ... 115
Configuring edge ports ... 116
Configuring loop guard ... 117
Configuring STP settings ... 117
Configuring STP on FortiSwitch ports ... 119
Configuring STP root guard ... 121
Configuring STP BPDU guard ... 121
Configuring interoperation with per-VLAN RSTP ... 123
Dynamic MAC address learning ... 124
Limiting the number of learned MAC addresses on a FortiSwitch interface ... 124
Controlling how long learned MAC addresses are saved ... 125
Logging violations of the MAC address learning limit ... 125
Persistent (sticky) MAC addresses ... 126
Logging changes to MAC addresses ... 127
Configuring storm control ... 127
Configuring IGMP-snooping settings ... 128
Configuring global IGMP-snooping settings ... 128
Configuring IGMP-snooping settings on a switch ... 129
Configuring the IGMP-snooping proxy ... 129
Configuring the IGMP-snooping querier ... 130
Configuring PTP transparent-clock mode ... 131
Device detection ... 134
Enabling network-assisted device detection ... 134
Voice device detection ... 134
Configuring IoT detection ... 141
Configuring LLDP-MED settings ... 142
Creating LLDP asset tags for each managed FortiSwitch ... 144
Adding media endpoint discovery (MED) to an LLDP configuration ... 145
Displaying LLDP information ... 145
Configuring the LLDP settings ... 146
FortiSwitch security ... 148
FortiLink secure fabric ... 148
Authentication modes ... 149
Encryption modes ... 150
Configuring the FortiLink secure fabric ... 150
Configuration example ... 151
Viewing the FortiLink secure fabric ... 151
Requirements and limitations ... 152
FortiSwitch network access control ... 152
Summary of the procedure ... 153
Defining a FortiSwitch NAC VLAN ... 153
Configuring the FortiSwitch NAC settings ... 154
Defining a FortiSwitch NAC policy ... 158
Viewing the devices that match the NAC policy ... 173
Viewing device statistics ... 174
Example of using LAN segments with NAC ... 175
Using the FortiSwitch NAC VLAN widget ... 179
Configuring dynamic port policy rules ... 180
Set the access mode and port policy for the port ... 181
Set the FortiLink policy settings to the FortiLink interface ... 181
Create the FortiLink policy settings ... 181
Create the dynamic port policy rule ... 182
Set how often the dynamic port policy engine runs ... 184
FortiSwitch security policies ... 185
Number of devices supported per port for 802.1X MAC-based authentication ... 186
Configuring the 802.1X settings for a virtual domain ... 186
Overriding the virtual domain settings ... 187
Specifying how RADIUS request attributes are formatted ... 188
Dynamically and manually assigning the NAS-IP-Address attribute ... 188
Dynamic VLAN assignment ... 189
Dynamic access control lists ... 192
Defining an 802.1X security policy ... 196
Applying an 802.1X security policy to a FortiSwitch port ... 198
Testing 802.1X authentication with monitor mode ... 199
Clearing authorized sessions ... 199
RADIUS accounting support ... 200
RADIUS change of authorization (CoA) support ... 200
802.1X authentication deployment example ... 203
Detailed deployment notes ... 205
Configuring the DHCP trust setting ... 205
Configuring the DHCP server access list ... 206
Including option-82 data ... 208
Configuring dynamic ARP inspection (DAI) ... 210
Monitoring ARP packets ... 211
Configuring DHCP-snooping static entries ... 211
Configuring IPv4 source guard ... 212
Enabling IPv4 source guard ... 213
Creating static entries ... 214
Checking the IPv4 source-guard entries ... 214
Configuring an ACL ... 215
Create an ACL ingress policy ... 215
Create an ACL group ... 216
Apply the ACL group to a managed switch port ... 216
View the counters ... 217
Configuration example ... 217
Showing Security Fabric information ... 218
Blocking intra-VLAN traffic ... 219
Quarantines ... 221
Quarantining MAC addresses ... 221
Using quarantine with DHCP ... 225
Using quarantine with 802.1x MAC-based authentication ... 225
Viewing quarantine entries ... 227
Releasing MAC addresses from quarantine ... 229
Optimizing the FortiSwitch network ... 231
Configuring QoS with managed FortiSwitch units ... 242
Configuring ECN for managed FortiSwitch devices ... 244
Logging and monitoring ... 245
FortiSwitch log settings ... 245
Exporting logs to FortiGate ... 245
Sending logs to a remote Syslog server ... 246
Configuring FortiSwitch port mirroring ... 246
Configuring the FortiOS one-arm sniffer ... 251
1. Specify the managed switch port to use to mirror traffic in RSPAN or ERSPAN mode ... 251
2. Enable the FortiOS one-arm sniffer on the VLAN interface that will mirror traffic ... 252
3. Configure the FortiOS one-arm sniffer in a firewall policy ... 252
5. Review the logs for the sniffer policy ... 253
Configuration example ... 253
Configuring SNMP ... 255
Configuring SNMP globally ... 256
Configuring SNMP locally ... 258
SNMP OIDs ... 259
Configuring sFlow ... 260
Configuring flow tracking and export ... 261
Configuring flow tracking ... 262
Using the FortiView Internal Hubs monitor ... 264
Configuring flow control and ingress pause metering ... 267
Operation and maintenance ... 269
Defining names for managed switches ... 269
Discovering, authorizing, and deauthorizing FortiSwitch units ... 271
Editing a managed FortiSwitch unit ... 271
Adding preauthorized FortiSwitch units ... 271
Using wildcard serial numbers to pre-authorize FortiSwitch units ... 272
Authorizing the FortiSwitch unit ... 273
Deauthorizing FortiSwitch units ... 273
Converting to FortiSwitch standalone mode ... 273
Managed FortiSwitch display ... 274
Cloud icon indicates that the FortiSwitch unit is managed over layer 3 ... 275
Re-ordering FortiSwitch units in the Topology view ... 275
FortiSwitch clients ... 278
Diagnostics and tools ... 280
Making the LEDs blink ... 282
Running the cable test ... 282
FortiSwitch ports display ... 283
FortiSwitch per-port device visibility ... 283
Displaying, resetting, and restoring port statistics ... 284
Managing DSL transceivers (FN-TRAN-DSL) ... 288
Network interface display ... 290
Data statistics ... 290
Sample topology ... 291
Synchronizing the FortiGate unit with the managed FortiSwitch units ... 291
Viewing and upgrading the FortiSwitch firmware version ... 292
Firmware upgrade of stacked or tiered FortiSwitch units ... 293
Configuring automatic federated firmware updates ... 297
Configuration example ... 297
Canceling pending or downloading FortiSwitch upgrades ... 299
Configuring automatic backups ... 299
Registering FortiSwitch to FortiCloud ... 300
Replacing a managed FortiSwitch unit ... 302
Executing custom FortiSwitch scripts ... 309
Creating a custom script ... 309
Executing a custom script once ... 309
Binding a custom script to a managed switch ... 309
Resetting PoE-enabled ports ... 310
Appendix A: Configuring the Media Redundancy Protocol ... 311
Appendix B: Configuring HSR and PRP with FortiLink ... 314
Configuring HSR with FortiLink ... 314
Configuration example ... 315
Configuring HSR and PRP with FortiLink ... 319
Configuration example ... 321
Limitations for HSR and PRP with FortiLink ... 327

Change log

Date          Change Description
May 15, 2024  Initial document release for FortiOS 7.4.4

What's new in FortiOS 7.4.4

The following list contains new managed FortiSwitchOS features added in FortiOS 7.4.4. Click on a link to navigate to that section for further information:
- Two more port speed options are available for managed switches: 40000auto (autonegotiation of the 40G-CR4 interface of FS-1048E) and 2500full (25 Gbps full-duplex). You can select these speeds under the config switch-controller managed-switch command.
- The LACP fallback mode is now supported on managed switches. LACP fallback mode allows a selected port to stay up so that a device not running LACP can still connect to the network. For more details, see LACP fallback mode on page 105.
- You can now monitor ARP packets for a specific VLAN on a DHCP-snooping trusted port of a managed FortiSwitch unit and save the VLAN ID, MAC addresses, and IP addresses in the DHCP-snooping database. For more details, see Monitoring ARP packets on page 211.
- You can now specify a tagged VLAN for users to be assigned to when the authentication server is unavailable. Previously, you could only specify an untagged VLAN. This feature is available with 802.1x MAC-based authentication. It is compatible with both Extensible Authentication Protocol (EAP) and MAC authentication bypass (MAB). For more details, see FortiSwitch security policies on page 185.
- You can now use RADIUS attributes to configure dynamic access control lists (DACLs) on the 802.1x ports of managed switches. DACLs are configured on a switch or saved on a RADIUS server. You can use DACLs to control traffic per user session or per port for switch ports directly connected to user clients. DACLs apply to hardware only when 802.1x authentication is successful. For more details, see Dynamic access control lists on page 192.
- You can now use log IDs for the following events as triggers for automation stitches:
  - A switch is added to or removed from a switch group.
  - The location of a switch changed.
  - A new switch peer was detected (either a peer to a single switch or an MCLAG).
  - A switch port was exported to or returned from a virtual switch.
  - A switch was added to or removed from a virtual port pool.
  - A switch was connected using FortiLink mode over a layer-2 or layer-3 network.
  For more details, see Zero-touch provisioning automation on page 14.
- The FS-6xxF models now support the same LAN-segment functionality as the 200 Series and 500 Series. For more information about LAN segments, see Configuring the FortiSwitch NAC settings on page 154.
- FortiSwitch NAC policies have been enhanced:
  - NAC policies now support FortiVoice and FortiFones. The NAC policy will match a dynamic MAC address group of all FortiFones registered with a FortiVoice unit.
  - You can now control how long matched devices are kept for NAC policies. In previous releases, matched devices were deleted when a connection-ID table entry was deleted, the port link status went down, the device was inactive, or the switch was offline.
  For more details, see Defining a FortiSwitch NAC policy on page 158.
- You can now control how long matched devices are kept for dynamic port policies (DPPs). In previous releases, matched devices were deleted when the connection-ID table entry was deleted, the port link status went down, the device was inactive, or the switch was offline. In addition, devices matched by DPPs are now matched according to the priority, instead of using First Come, First Serve (FCFS) matching. For more details, see Create the dynamic port policy rule on page 182.


Introduction

This section provides information about how to set up and configure managed FortiSwitch units using the FortiGate unit (termed "using FortiSwitch in FortiLink mode").
NOTE: FortiLink is not supported in transparent mode.
The maximum number of supported FortiSwitch units depends on the FortiGate model:

FortiGate Model Range                                                              Number of FortiSwitch Units Supported
FortiGate 40F, FortiGate-VM01                                                      8
FortiGate 6xE, 8xE, 90E, 91E                                                       16
FGR-60F, FG-60F, FGR-60F-3G4G, FG-61F, FG-80F, FG-80FB, FG-80FP, FG-81F, FG81FP    24
FortiGate 100D, FortiGate-VM02                                                     24
FortiGate 100E, 100EF, 100F, 101E, 140E, 140E-POE                                  32
FortiGate 200E, 201E                                                               64
FortiGate 300D to 500D                                                             48
FortiGate 300E to 500E                                                             72
FortiGate 600D to 900D and FortiGate-VM04                                          64
FortiGate 600E to 900E                                                             96
FortiGate 1000D to 15xxD                                                           128
FortiGate 1100E to 26xxF                                                           196
FortiGate-3xxx and up and FortiGate-VM08 and up                                    300

Supported models
Refer to the FortiLink Compatibility table to find which FortiSwitchOS versions support which FortiOS versions.
New models (NPI releases) might not support FortiLink. Contact Customer Service & Support to check support for FortiLink.

Support of FortiLink features
Refer to the FortiSwitchOS feature matrix for details about the FortiLink features supported by each FortiSwitch model.
Before you begin
This manual assumes the following before you configure the managed FortiSwitch unit:
- You have completed the initial configuration of the FortiSwitch unit, as outlined in the QuickStart Guide for your FortiSwitch model, and you have administrative access to the FortiSwitch GUI and CLI.
- You have installed a FortiGate unit on your network and have administrative access to the FortiGate GUI and CLI.


FortiSwitch management
This section contains information about the FortiSwitch and FortiGate ports that you connect to establish a FortiLink connection. In FortiSwitchOS 3.3.0 and later releases, you can use any of the switch ports for FortiLink. Some or all of the switch ports (depending on the model) support auto-discovery of the FortiLink ports. You can choose to connect a single FortiLink port or multiple FortiLink ports as a logical interface (link-aggregation group, hardware switch, or software switch).
NOTE: FortiSwitch units, when used in FortiLink mode, support only the default administrative access HTTPS port (443).
This section covers the following topics:
- Zero-touch management on page 13
- Zero-touch provisioning automation on page 14
- Configuring FortiLink on page 24
- Optional FortiLink configuration required before discovering and authorizing FortiSwitch units on page 33
- Discovering on page 40
- Optional FortiLink configuration on page 40
- Disabling stacking on page 49
Use the FortiGate GUI or CLI to configure the FortiSwitch units unless this manual specifically says to directly configure the FortiSwitch units. If you make configuration changes directly on the FortiSwitch units, the FortiGate device will not be aware of the changes, resulting in missing configurations when the FortiSwitch units are restarted.
Zero-touch management
Starting in FortiSwitchOS 7.2.0 with FortiOS 7.2.0, zero-touch management is now more efficient for new FortiSwitch units. When a new FortiSwitch unit is started, by default, it will connect to the available manager, which can be a FortiGate device, FortiLAN Cloud, or FortiSwitch Manager. Only one manager can be used at a time. Although FortiSwitchOS does not prevent more than one manager being chosen, a FortiSwitch unit cannot be authorized for more than one manager in most cases. The FortiSwitch configuration does not need to be backed up before the FortiSwitch unit is managed, and the FortiSwitch unit does not need to be restarted when it becomes managed.
For a FortiSwitch unit that has already been configured, Fortinet recommends resetting the FortiSwitch unit to the factory defaults with the execute factoryreset command before upgrading to FortiSwitchOS 7.2.0 with FortiOS 7.2.0; otherwise, the FortiSwitch unit might not come online or might have a configuration synchronization error.

Under zero-touch management, the following settings are applied as factory defaults:
- All switch interfaces have VLAN 1 as the native VLAN.
- The internal system interface is set to VLAN 1, as well as all front-panel ports.
- The mgmt and internal interfaces have DHCP enabled.
- Auto topology is enabled. To disable auto topology, use the following commands:
    config switch auto-network
        set status disable
    end
- All ports are enabled for FortiLink auto-discovery.
- FortiLAN Cloud is enabled.
- FortiLink CAPWAP discovery is enabled.
- When a layer-2 network is detected, the Multiple Spanning Tree Protocol (MSTP) is applied to instances 0 and 15, and the internal switch interface is changed to a native VLAN of 4094.
- When a layer-3 network is detected, a static interchassis link (ICL) is created.
When the connection mode is DHCP, the gateway IP address is taken from the DHCP server by default (set defaultgw enable under the config system interface command) for both the internal and mgmt interfaces, which could prevent FortiLink from working (if multiple default routes are provided, FortiSwitchOS uses equal-cost multipath routing [ECMP] to determine the route). If you are using DHCP for both mgmt and internal interfaces, Fortinet recommends resolving this conflict by disabling the default gateway on the interface that will not be used for managing FortiSwitch (set defaultgw disable under the config system interface command).
Zero-touch provisioning automation
You can use automation stitches on managed switches for zero-touch provisioning. To configure an automation stitch, you specify a trigger and the action that is performed when the trigger occurs.
To create an automation stitch:
1. Configure the trigger.
2. Configure the action.
3. Configure the automation stitch.
Configuring the trigger
You can specify one of the following triggers:
- The configuration changed.
- There was a warm or cold reboot of the switch.
- The scheduled time occurred.
- An event was logged.
NOTE: When you specify the log ID, the range of values is 1-65535. If you use the full 10-digit entry, the first four digits are truncated.

Starting in FortiOS 7.4.4, you can use log IDs for the following events as triggers for automation stitches:
- A switch is added to or removed from a switch group.
- The location of a switch changed.
- A new switch peer was detected (either a peer to a single switch or an MCLAG).
- A switch port was exported to or returned from a virtual switch.
- A switch was added to or removed from a virtual port pool.
- A switch was connected using FortiLink mode over a layer-2 or layer-3 network.
You can use the following wildcard characters in the set value command for the automation trigger:
- Use an asterisk to match any character string of any length, including 0 characters long. For example, use set value "*1567*" to match values of 81567 and 156789.
- Use square brackets to match one of the multiple characters. For example, use set value "[aA]dmin" to match values of admin and Admin.
You can configure multiple fields for the automation trigger when the event-type is event-log and the logid is set. The action is only performed if all conditions are valid (using AND logic). For example, the following automation trigger requires both the log message to include VRRP and the interface to be svi777 before the action is performed.
config system automation-trigger
    edit "VRRPlogtrigger"
        set event-type event-log
        set logid 10229
        config fields
            edit 1
                set name "msg"
                set value "*VRRP*"
            next
            edit 2
                set name "interface"
                set value "svi777"
            next
        end
    next
end
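The matching rules above (10-digit log IDs truncated to their last six digits, the asterisk and square-bracket wildcards, and AND logic across config fields) as an added example in Python. This is not Fortinet code; the sample log events and the EventLogTrigger class are constructed here to show which events would fire the guide's VRRPlogtrigger.

```python
"""Evaluate a FortiOS event-log automation trigger against log records.

Added example, not Fortinet code. It models the matching rules the guide
gives for 'config system automation-trigger' with event-type event-log:
a full 10-digit log ID loses its first four digits (the stored ID is
1-65535), each 'config fields' entry is a wildcard pattern in which '*'
matches any string (including the empty string) and '[...]' matches one
character from the bracketed set, and all fields must match (AND logic).
"""
import re
from dataclasses import dataclass, field


def normalize_logid(logid) -> int:
    """Return the numeric log ID a trigger stores for a CLI 'set logid' value.

    '0100032002' (full 10-digit form) becomes 32002; '32002' stays 32002.
    """
    text = str(logid).strip()
    if len(text) == 10 and text.isdigit():
        text = text[4:]                      # guide: first four digits truncated
    value = int(text)
    if not 1 <= value <= 65535:
        raise ValueError(f"log ID {value} is outside the 1-65535 range")
    return value


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a 'set value' wildcard string into an anchored regex.

    Only '*' and '[...]' are special (the two wildcards the guide documents);
    every other character, including '?', is matched literally.
    """
    parts, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*":
            parts.append(".*")
        elif ch == "[" and (end := pattern.find("]", i + 1)) != -1:
            inner = "".join(re.escape(c) if c in "\\]^" else c
                            for c in pattern[i + 1:end])
            parts.append(f"[{inner}]")
            i = end                          # skip to the closing bracket
        else:
            parts.append(re.escape(ch))
        i += 1
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


def value_matches(pattern: str, value: str) -> bool:
    """True when the whole field value satisfies the wildcard pattern."""
    return pattern_to_regex(pattern).match(value) is not None


@dataclass
class EventLogTrigger:
    """One automation trigger: the log ID plus its 'config fields' entries."""
    name: str
    logid: int
    fields: dict = field(default_factory=dict)   # field name -> wildcard value

    def matches(self, event: dict) -> bool:
        """Fire only if the log ID matches and every configured field matches."""
        try:
            event_id = normalize_logid(event["logid"])
        except (KeyError, ValueError):
            return False
        if event_id != self.logid:
            return False
        return all(value_matches(pattern, str(event.get(name, "")))
                   for name, pattern in self.fields.items())


# The guide's VRRPlogtrigger: log ID 10229 AND msg contains VRRP AND interface svi777.
VRRP_TRIGGER = EventLogTrigger("VRRPlogtrigger", normalize_logid(10229),
                               {"msg": "*VRRP*", "interface": "svi777"})

# Constructed sample events (not real FortiGate log output); the first uses a
# made-up 10-digit log ID whose last six digits are 010229.
SAMPLE_EVENTS = [
    {"logid": "0103010229", "msg": "VRRP state changed to master", "interface": "svi777"},
    {"logid": "10229", "msg": "VRRP state changed to backup", "interface": "svi778"},
    {"logid": "10229", "msg": "link up", "interface": "svi777"},
    {"logid": "32002", "msg": "VRRP", "interface": "svi777"},
]


def firing_events(trigger: EventLogTrigger, events: list) -> list:
    """Indexes of the events that would run the trigger's stitch action."""
    return [i for i, ev in enumerate(events) if trigger.matches(ev)]


if __name__ == "__main__":
    print("events that fire VRRPlogtrigger:", firing_events(VRRP_TRIGGER, SAMPLE_EVENTS))
```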
To configure the trigger:
config system automation-trigger
    edit <trigger_name>
        set description <string>
        set trigger-type {event-based | scheduled}
        set event-type {config-change | event-log | reboot}
        set logid <log_ID>
        set trigger-frequency {daily | hourly | monthly | weekly}
        set trigger-hour <0-23>
        set trigger-minute <0-59>
        set trigger-day <1-31>
        set trigger-weekday <friday | monday | saturday | sunday | thursday | tuesday | wednesday>
        config fields
            edit <entry_ID>
                set name <string>
                set value <string>
            next
        end
    next
end

Variable  Description  Default

<trigger_name>
    Name of the trigger configuration.
    Default: No default

description
    Description of the trigger.
    Default: No default

trigger-type
    Select the type of trigger:
    - event-based--Event-based trigger.
    - scheduled--Scheduled trigger.
    Default: event-based

event-type
    Select the type of event to trigger the automation-stitch action:
    - config-change--Configuration change.
    - event-log--Use the log ID as the trigger.
    - reboot--After the switch restarts, the action is triggered.
    This option is available only when the trigger-type is set to event-based.
    Default: config-change

logid <log_ID>
    Enter the log ID to trigger the action. The range of values is 1-65535. If you use the full 10-digit entry, the first four digits are truncated.
    This option is available only when the trigger-type is set to event-based and event-type is set to event-log.
    Default: 0

trigger-frequency {daily | hourly | monthly | weekly}
    Select whether the automation-stitch action is performed on a daily, hourly, monthly, or weekly basis.
    This option is available only when the trigger-type is set to scheduled.
    Default: daily

trigger-hour <0-23>
    Select which hour of the day the automation-stitch action is performed.
    This option is available only when the trigger-type is set to scheduled and the trigger-frequency is set to daily, monthly, or weekly.
    Default: 0

trigger-minute <0-59>
    Select which minute of the hour the automation-stitch action is performed.
    This option is available only when the trigger-type is set to scheduled.
    Default: 0

trigger-day <1-31>
    Select which day of the month the automation-stitch action is performed.
    This option is available only when the trigger-type is set to scheduled and the trigger-frequency is set to monthly.
    Default: 1

trigger-weekday <friday | monday | saturday | sunday | thursday | tuesday | wednesday>
    Select which day of the week the automation-stitch action is performed.
    This option is available only when the trigger-type is set to scheduled and the trigger-frequency is set to weekly.
    Default: No default

config fields
    This option is available only when the event-type is event-log and the logid is set. Starting in FortiSwitchOS 7.2.2, you can configure multiple fields for the automation trigger. The action is only performed if all conditions are valid (using AND logic).

<entry_ID>
    Enter an identifier for this entry.
    Default: No default

name <string>
    Enter a name for this field.
    Default: No default

value <string>
    Enter a value for this field.
    - Use an asterisk to match any character string of any length, including 0 characters long. For example, use set value "*1567*" to match values of 81567 and 156789.
    - Use square brackets to match one of the multiple characters. For example, use set value "[aA]dmin" to match values of admin and Admin.
    Default: No default

Configuring the action
You can specify one of the following actions:
- Run a CLI script.
- Send an email message.
- Display an alert in the dashboard.
- Send data to a uniform resource identifier (URI), such as an IP address or URL.
To configure the action:
config system automation-action
    edit <name>
        set action-type {alert | cli-script | email | webhook}
        set accprofile <string>
        set email-body <string>
        set email-from <string>
        set email-subject <string>
        set email-to <email_address>
        set http-body <request_body>
        set method {delete | get | patch | post | put}
        set minimum-interval <0-2592000>
        set port <1-65535>
        set protocol {http | https}
        set script <string>
        set uri <request_API_URI>
    next
end


Variable  Description  Default

<name>
    Name of the action configuration.
    Default: No default

action-type {alert | cli-script | email | webhook}
    Select the type of action to perform:
    - alert--Display an alert in the dashboard.
    - cli-script--Run a CLI script.
    - email--Send a notification email.
    - webhook--Send data to a uniform resource identifier (URI), such as an IP address or URL.
    Default: alert

accprofile <string>
    Specify the access profile required to run the CLI script.
    This option is available only when action-type is set to cli-script.
    Default: No default

email-body <string>
    Enter the body of the email. By default, the log message is sent.
    This option is available only when action-type is set to email.
    Default: %%log%%

email-from <string>
    Enter the name of the sender of the email.
    This option is available only when action-type is set to email.
    Default: No default

email-subject <string>
    Enter the subject of the email.
    This option is available only when action-type is set to email.
    Default: No default

email-to <email_address>
    Enter the email address or addresses that the email will be sent to when the automation stitch is triggered.
    This option is available only when action-type is set to email.
    Default: none

http-body <string>
    If necessary, enter the request body. Use a serialized JSON string.
    This option is available only when action-type is set to webhook.
    Default: No default

method {delete | get | patch | post | put}
    Select the request method: DELETE, GET, PATCH, POST, or PUT.
    This option is available only when action-type is set to webhook.
    Default: post

minimum-interval <0-2592000>
    Select how many seconds must pass before the action can be performed again.
    Default: 0

port <1-65535>
    Enter the port number that this protocol will use. If the protocol is set to http, the default port is 80. If the protocol is set to https, the default port is 443.
    This option is available only when action-type is set to webhook.
    Default: 80

protocol {http | https}
    Enter the request protocol, either HTTP or HTTPS.
    This option is available only when action-type is set to webhook.
    Default: http

script <string>
    Specify the name and path to the CLI script.
    This option is available only when action-type is set to cli-script.
    Default: No default

uri <string>
    Required. Enter the uniform resource identifier (URI), such as an IP address or URL.
    This option is available only when action-type is set to webhook.
    Default: No default

Configuring the automation stitch

To configure the automation stitch:

config system automation-stitch
    edit <name>
        set description <string>
        set status {enable | disable}
        set trigger <trigger_name>
        config actions
            edit <action_ID>
                set action <action_name>
                set delay <0-3600>
                set required {enable | disable}
            next
        end
    next
end

Variable  Description  Default

<name>
    Name of the automation-stitch configuration.
    Default: No default

description <string>
    Enter a description of the automation stitch.
    Default: No default

status {enable | disable}
    Enable or disable this automation stitch.
    Default: enable

trigger <trigger_name>
    Enter the name of the trigger for this automation stitch.
    Default: No default

<action_ID>
    Enter an integer to identify the action.
    Default: 0

action <action_name>
    Enter the name of the action configuration for this automation stitch.
    Default: none

delay <0-3600>
    Enter the number of seconds to delay before executing the automation stitch.
    Default: 0

required {enable | disable}
    Enable this option if the action is required or disable this option if the action is not required.
    Default: disable


Configuration examples
Example 1
The following example shows how to create an automation stitch that will display an alert in the dashboard every hour.
config system automation-trigger
    edit testtrigger
        set trigger-type scheduled
        set trigger-frequency hourly
        set trigger-minute 30
    next
end
config system automation-action
    edit testaction
        set action-type alert
        set minimum-interval 1200
    next
end
config system automation-stitch
    edit teststitch
        set status enable
        set trigger testtrigger
        config actions
            edit 1
                set action testaction
                set required enable
            next
        end
    next
end
Example 2
In the following example, the specified log identifier (32002) causes the FortiSwitch unit to send the log message to the server.
config system automation-trigger
    edit "badLogin"
        set event-type event-log
        set logid 32002
    next
end
config system automation-action
    edit "Send log to server"
        set action-type webhook
        set uri "172.16.200.44"
        set http-body "%%log%%"
        set port 80
    next
end
config system automation-stitch
    edit "webhookstitch"
        set trigger "badLogin"
        set status enable
        config actions
            edit 1
                set action "Send log to server"
                set required enable
            next
        end
    next
end
Example 3
The log message with ID 42599 is generated when the storm-control dropped-packet rate is too high. The log message with ID 42600 is generated when the storm-control dropped-packet rate goes below the threshold.
In the following example, log ID 42599 triggers a CLI script that shuts down the affected port, and log ID 42600 triggers another CLI script that waits 5 minutes and then brings up the affected port.
config system automation-trigger
    edit "PortStormControlDrop"
        set event-type event-log
        set logid 42599
    next
    edit "PortStormControlClear"
        set event-type event-log
        set logid 42600
    next
end
config system automation-action
    edit "ShutdownPort"
        set action-type cli-script
        set script "config switch physical-port edit %%log.switch.physical-port%% set status down next end"
        set accprofile "super_admin"
    next
    edit "BringupPort"
        set action-type cli-script
        set script "sleep 300 config switch physical-port edit %%log.switch.physical-port%% set status up next end"
        set accprofile "super_admin"
    next
end
config system automation-stitch
    edit "DisablePortOnStormControlDrop"
        set trigger "PortStormControlDrop"
        set status enable
        config actions
            edit 1
                set action "ShutdownPort"
                set required enable
            next
        end
    next
    edit "EnablePortOnStormControlClear"
        set trigger "PortStormControlClear"
        set status enable
        config actions
            edit 2
                set action "BringupPort"
                set required enable
            next
        end
    next
end
Example 4
In the following example, CLI scripts are used to configure new switches.
config system automation-trigger
    edit "SwitchAuthorized.Model.ALL"
        set event-type event-log
        set logid 32602
    next
    edit "SwitchAuthorized.Model.S108DV"
        set event-type event-log
        set logid 32602
        config fields
            edit 1
                set name "sn"
                set value "S108DV*"
            next
        end
    next
    edit "SwitchAuthorized.Model.FS1E48"
        set event-type event-log
        set logid 32602
        config fields
            edit 1
                set name "sn"
                set value "FS1E48*"
            next
        end
    next
end
config system automation-action
    edit "swc.assign.port.vlans"
        set action-type cli-script
        set script "config switch-controller managed-switch edit %%log.sn%% config ports edit \"port8\" set vlan \"vlan.20\" next end next end"
        set accprofile "super_admin"
    next
    edit "swc.add.switch2.group-core"
        set action-type cli-script
        set script "config switch-controller switch-group edit \"core\" append members %%log.sn%% next end"
        set accprofile "super_admin"
    next
    edit "swc.setswitch.syslog"
        set action-type cli-script
        set script "config switch-controller managed-switch edit %%log.sn%% config remote-log edit \"syslogd\" set status enable set server \"192.168.0.111\" next end end"
        set accprofile "super_admin"
    next
    edit "swc.add.switch2.group-edge"
        set action-type cli-script
        set script "config switch-controller switch-group edit \"edge\" append members %%log.sn%% next end"
        set accprofile "super_admin"
    next
end
config system automation-stitch
    edit "ZT.OnboardNewSwitch.Global"
        set trigger "SwitchAuthorized.Model.ALL"
        config actions
            edit 1
                set action "swc.setswitch.syslog"
                set required enable
            next
        end
    next
    edit "ZT.OnboardNewSwitch.Edge"
        set trigger "SwitchAuthorized.Model.S108DV"
        config actions
            edit 1
                set action "swc.assign.port.vlans"
                set required enable
            next
            edit 2
                set action "swc.add.switch2.group-edge"
                set required enable
            next
        end
    next
    edit "ZT.OnboardNewSwitch.Core"
        set trigger "SwitchAuthorized.Model.FS1E48"
        config actions
            edit 2
                set action "swc.add.switch2.group-core"
                set required enable
            next
        end
    next
end
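Examples 2 to 4 all hinge on matching a log ID (32002, 42599, 42600, 32602) and, in Example 4, on a wildcard filter over a log field such as sn. The Python script below is an added example, not part of the Fortinet guide or of FortiOS: it parses the log record that the webhook action in Example 2 delivers through the %%log%% placeholder, maps the logid to the short ID that set logid matches, and applies an Example 4 style field filter. The sample log lines are constructed, and the assumption that FortiOS text logs are space-separated key=value pairs with a ten-digit logid whose last five digits are the event ID is the script's own, not something the guide states.

```python
"""Added example (not Fortinet code): handle the log record that the webhook
action in Example 2 delivers via %%log%%, and map its logid to the triggers
used in Examples 2 to 4."""
import re
from fnmatch import fnmatchcase
from typing import Dict, List, Optional

# Trigger names and the short log IDs from the examples above.
STITCH_LOGIDS = {
    32002: "badLogin",
    42599: "PortStormControlDrop",
    42600: "PortStormControlClear",
    32602: "SwitchAuthorized",
}

# Constructed sample log lines (all values are made up for illustration).
SAMPLE_LOGS = [
    'date=2024-05-15 time=10:01:02 logid="0100032002" type="event" subtype="system" '
    'level="alert" logdesc="Admin login failed" user="admin" srcip=10.0.0.5',
    'date=2024-05-15 time=10:05:00 logid="0100032602" type="event" '
    'subtype="switch-controller" logdesc="FortiSwitch authorized" sn="S108DV0000000001"',
    'date=2024-05-15 time=10:06:00 logid="0100042599" type="event" '
    'logdesc="Storm control drop rate too high" switch.physical-port="port5"',
]

# key=value or key="quoted value" pairs; keys may contain dots and hyphens.
_KV = re.compile(r'([\w.\-]+)=("([^"]*)"|\S+)')


def parse_fortios_log(body: str) -> Dict[str, str]:
    """Split one text-format log record into a dict.
    Assumption: space-separated key=value pairs; quoted values may contain spaces."""
    record: Dict[str, str] = {}
    for m in _KV.finditer(body):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        record[key] = quoted if quoted is not None else raw
    return record


def event_id(record: Dict[str, str]) -> Optional[int]:
    """Assumption: logid is a 10-digit string whose last five digits are the
    event ID that 'set logid' matches, e.g. "0100032002" -> 32002."""
    raw = record.get("logid", "")
    return int(raw[-5:]) if raw.isdigit() else None


def matches_fields(record: Dict[str, str], fields: Dict[str, str]) -> bool:
    """Apply a 'config fields' style filter: every field must be present and
    match its wildcard pattern, as 'set value "S108DV*"' does in Example 4."""
    return all(fnmatchcase(record.get(k, ""), pat) for k, pat in fields.items())


def classify(body: str) -> Optional[str]:
    """Return the trigger name this record would fire, or None if no stitch matches."""
    return STITCH_LOGIDS.get(event_id(parse_fortios_log(body)))


def route_samples(logs: List[str] = SAMPLE_LOGS) -> List[Optional[str]]:
    return [classify(line) for line in logs]


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        rec = parse_fortios_log(line)
        subject = rec.get("sn") or rec.get("switch.physical-port") or rec.get("user")
        print(classify(line), subject)
```

On the receiving side, classify() is what a webhook endpoint would call on each POST body before deciding whether to alert, and matches_fields() reproduces the serial-number prefix check that selects the model-specific onboarding stitches in Example 4.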

Configuring FortiLink

You need to physically connect the FortiSwitch unit to the FortiGate unit only after completing this section. Some settings are only possible when the FortiGate unit has not authorized any switches.
To configure FortiLink:
1. Enabling the switch controller on the FortiGate unit on page 24
2. Configuring the FortiLink interface on page 25
3. Auto-discovery of the FortiSwitch ports on page 30

1. Enabling the switch controller on the FortiGate unit
Before connecting the FortiSwitch and FortiGate units, ensure that the switch controller feature is enabled on the FortiGate unit; you can enable it with the FortiGate GUI or CLI. Depending on the FortiGate model and software release, this feature might be enabled by default.
Using the FortiGate GUI
1. Go to System > Feature Visibility.
2. Turn on the Switch Controller feature, which is in the Core Features list.
3. Select Apply. The menu option WiFi & Switch Controller now appears.
Using the FortiGate CLI
Use the following commands to enable the switch controller:
config system global
    set switch-controller enable
end
2. Configuring the FortiLink interface
The FortiLink interface is created automatically as an aggregate interface type; if the FortiGate model does not support the aggregate interface type, the FortiLink interface is created automatically as a hardware switch. Fortinet recommends keeping the default type of the FortiLink; however, if a physical interface or soft-switch interface type is required, the interface must be enabled for FortiLink using the FortiOS CLI, and then the default FortiLink interface can be deleted. The FortiLink interface type is dependent on the network topology to be deployed. See Determining the network topology on page 50.
Using the FortiGate GUI
This section describes how to configure a FortiLink between a FortiSwitch unit and a FortiGate unit. You can configure FortiLink using the FortiGate GUI or CLI. Fortinet recommends using the GUI because the CLI procedures are more complex (and therefore more prone to error). If you use one of the auto-discovery FortiSwitch ports, you can establish the FortiLink connection with no configuration steps on the FortiSwitch and with a few simple configuration steps on the FortiGate unit.
Configure the FortiLink interface
To configure the FortiLink interface on the FortiGate unit:
1. Go to WiFi & Switch Controller > FortiLink Interface.
2. Select + in the Interface members field and then select the ports to add to the FortiLink interface.
NOTE: If you do not see any ports listed in the Select Entries pane, go to Network > Interfaces, right-click the FortiLink physical port, select Edit, delete the port from the Interface Members field, and then select OK.
3. Configure the IP/Network Mask for your network.
4. Select Automatically authorize devices.
5. Select Apply.
FortiLink split interface
You can use the FortiLink split interface to connect the FortiLink aggregate interface from one FortiGate unit to two FortiSwitch units. When the FortiLink split interface is enabled, only one link remains active. The aggregate interface for this configuration must contain exactly two physical ports (one for each FortiSwitch unit). The FortiLink split interface is enabled by default. You can configure this feature with the FortiGate GUI and CLI.
NOTE: The FortiLink split interface must be enabled before MCLAG is enabled on the FortiSwitch unit. After MCLAG is enabled, you can disable the FortiLink split interface to make both links active. See MCLAG peer groups on page 74.
Using the FortiGate GUI:
1. Go to WiFi & Switch Controller > FortiLink Interface.
2. Move the FortiLink split interface slider.
Using the FortiGate CLI:
config system interface
    edit <name of the FortiLink interface>
        set fortilink-split-interface {enable | disable}
end
Using the FortiGate CLI
This section describes how to configure FortiLink using the FortiGate CLI. Fortinet recommends using the FortiGate GUI because the CLI procedures are more complex (and therefore more prone to error). If you use one of the auto-discovery FortiSwitch ports, you can establish the FortiLink connection (single port or LAG) with no configuration steps on the FortiSwitch and with a few simple configuration steps on the FortiGate unit. You can also configure FortiLink mode over a layer-3 network.
Summary of the procedure
1. On the FortiGate unit, configure the FortiLink interface.
2. Authorize the managed FortiSwitch unit manually if you did not select Automatically authorize devices.
For example, if the IP address, members, and automatic FortiSwitch authorization are enabled:
config system interface
    edit "fortilink"
        set ip 172.16.16.254 255.255.255.0
        set member "port9" "port10"
        set auto-auth-extension-device enable
    next
end
If required, remove a physical port from the lan interface:
config system virtual-switch
    edit lan
        config port
            delete port1
        end
    end
end
2.1 Custom FortiLink interfaces
Choosing the FortiGate ports
The FortiLink can consist of a single (physical) or multiple ports (802.3ad aggregate, hardware switch, or software switch). FortiLink is supported on all Ethernet ports except HA and MGMT. If the default FortiLink interface was removed, on the FortiGate GUI, edit the interface and select Dedicated to FortiSwitch. Optionally, set the IP address and enable auto-authorization. Disable the split-interface if the interface is the aggregate type and is connecting all members to the same FortiSwitch unit.

NOTE: The FortiLink interface type is dependent upon the network topology to be deployed. See Determining the network topology on page 50.
Configure FortiLink on a physical port
Configure FortiLink on any physical port on the FortiGate unit and authorize the FortiSwitch unit as a managed switch. In the following steps, port1 is configured as the FortiLink port.
1. Configure port1 as the FortiLink interface with the customer IP address and automatic authorization:
config system interface
    edit "port1"
        set fortilink enable
        set ip 172.16.16.254 255.255.255.0
        set auto-auth-extension-device enable
    next
end
If required, remove port1 from the lan interface:
config system virtual-switch
    edit lan
        config port
            delete port1
        end
    end
end
2. (Optional) Configure an NTP server on port1:
config system ntp
    set server-mode enable
    set interface port1
end
3. If automatic authorization is disabled, you need to manually authorize the FortiSwitch unit as a managed switch:
config switch-controller managed-switch
    edit FS224D3W14000370
        set fsw-wan1-admin enable
    end
end
4. The FortiSwitch unit will reboot when you issue the set fsw-wan1-admin enable command.
Configure FortiLink on a logical interface
You can configure FortiLink on a logical interface: link-aggregation group (LAG), hardware switch, or software switch. LAG is supported on all FortiSwitch models. Check the FortiGate feature matrix to check which models support the hardware switch and LAG (802.3ad aggregate) interfaces. In the following procedure, port 4 and port 5 are configured as a FortiLink LAG.

Using the GUI:
To configure the FortiLink interface on the FortiGate unit:
1. Go to Network > Interfaces and click Create New.
2. Enter a name for the interface (11 characters maximum).
3. For the type, select 802.3ad aggregate.
4. Select + in the Interface members field and then select the ports to add to the FortiLink interface.
NOTE: If you do not see any ports listed in the Select Entries pane, go to Network > Interfaces, edit the lan or internal interface, delete the port from the Interface Members field, and then click OK.
5. Configure the IP/Network Mask for your network.
6. Select Automatically authorize devices.
7. Click Apply.
If you want to add a third FortiLink interface, go to WiFi & Switch Controller > FortiLink Interface and click Create new.
Using the CLI:
1. If required, remove the FortiLink ports from the lan interface:
config system virtual-switch
    edit lan
        config port
            delete port4
            delete port5
        end
    end
end
2. Create a trunk with the two ports that you connected to the switch:
config system interface
    edit flink1 (enter a name with a maximum of 11 characters)
        set ip 172.16.16.254 255.255.255.0
        set type aggregate
        set member port4 port5
        set fortilink enable
        (optional) set fortilink-split-interface disable
    next
end
NOTE: If the members of the aggregate interface connect to the same FortiSwitch unit, you must disable fortilink-split-interface.
Configure a LAG on a FortiLink-enabled software switch
Starting in FortiOS 7.2.0 with FortiSwitchOS 7.2.0, you can configure a link-aggregation group (LAG) as a member of a software switch that is being used for FortiLink. Previously, you could not add a LAG to a software switch that was being used for FortiLink.

- You must set fortilink-neighbor-detect to lldp.
- Aggregate interfaces do not automatically form an inter-switch link (ISL) within a FortiGate software switch. You must create the aggregate interfaces and add them to the software switch.
- The FortiSwitch unit will automatically form an ISL with correctly configured FortiGate aggregate interfaces.
In the following example, aggregate1 and aggregate2 are FortiGate aggregate interfaces. The third interface, switch3, is a software switch with FortiLink enabled. The three interfaces are configured, and then aggregate1 and aggregate2 are added to the software switch interface.
config system interface
    edit "aggregate1"
        set vdom "root"
        set type aggregate
        set member "port11"
        set device-identification enable
        set role lan
        set snmp-index 25
    next
    edit "aggregate2"
        set vdom "root"
        set type aggregate
        set member "port7"
        set device-identification enable
        set role lan
        set snmp-index 34
    next
    edit "switch3"
        set vdom "root"
        set fortilink enable
        set ip 10.255.1.1 255.255.255.0
        set allowaccess ping fabric
        set type switch
        set lldp-reception enable
        set lldp-transmission enable
        set snmp-index 26
        set fortilink-neighbor-detect lldp
        set swc-first-create 64
        config ipv6
            set ip6-send-adv enable
            set ip6-other-flag enable
        end
    next
end
config system switch-interface
    edit "switch3"
        set vdom "root"
        set member "aggregate1" "aggregate2"
    next
end

3. Auto-discovery of the FortiSwitch ports

Starting with FortiSwitch 7.2.0, all ports are enabled for auto-discovery by default.

NOTE: For details on how to connect the FortiSwitch topology, see Determining the network topology on page 50.
By default, each FortiSwitch model provides a set of ports that are enabled for FortiLink auto-discovery. If you connect the FortiLink using one of these ports, no switch configuration is required.
In FortiSwitchOS 3.4.0 and later releases, the last four ports are the default auto-discovery FortiLink ports. You can also run the show switch interface command on the FortiSwitch unit to see the ports that have auto-discovery enabled.
The following table lists the default auto-discovery ports for each switch model.

FortiSwitch Model                                                          Default Auto-FortiLink ports
FS-108D-POE                                                                port9-port10
FS-108E, FS-108E-POE, FS-108E-FPOE, FS-108F, FS-108F-POE, FS-108F-FPOE     port7-port10
FSR-112D-POE                                                               port5-port12
FS-124D, FS-124D-POE                                                       port23-port26
FSR-124D                                                                   port1-port4, port21-port28
FS-124E, FS-124E-POE, FS-124E-FPOE, FS-124F, FS-124F-POE, FS-124F-FPOE     port21-port28
FS-148E, FS-148E-POE                                                       port21-port52
FS-148F, FS-148F-POE, FS-148F-FPOE                                         port48-port52
FS-224D-POE                                                                port21-port24
FS-224D-FPOE                                                               port21-port28
FS-224E, FS-224E-POE                                                       port21-port28
FS-248D, FS-248D-FPOE                                                      port45-port52
FS-248D-POE                                                                port47-port50
FS-248E-POE, FS-248E-FPOE                                                  port45-port52
FS-424D, FS-424D-POE, FS-424D-FPOE                                         port23-port26
FS-424E-Fiber                                                              port1-port30
FS-426E-FPOE-MG                                                            port23-port30
FS-448D, FS-448D-POE, FS-448D-FPOE                                         port45-port52
FS-524D, FS-524D-FPOE                                                      port21-port30
FS-548D                                                                    port39-port54
FS-548D-FPOE, FS-548DN                                                     port45-port54
FS-1024D                                                                   port1-port24
FS-1024E, FS-T1024E                                                        port1-port26
FS-1048D, FS-1048E                                                         port1-port52
FS-3032D, FS-3032E                                                         port1-port32

NOTE: Any of the switch ports can be used for FortiLink if it is manually configured.

Automatic inter-switch links (ISLs)
After a FortiSwitch unit is discovered and in FortiLink mode, all of its ports are enabled for FortiLink. Connect another FortiSwitch unit to any of the already discovered FortiSwitch ports: the ISL is formed automatically, and the new unit is discovered by the FortiGate unit.

Static ISL trunks
In some cases, you might want to manually create an ISL trunk, for example, for FortiLink mode over a point-to-point layer-2 network or for FortiLink mode over a layer-3 network. You can also enable or disable automatic VLAN configuration on the manually created (static) ISL trunk. The static ISL feature can also be used to lock down the FortiLink topology after automatic discovery. Locking down the Security Fabric topology prevents the automatically created ISLs and ICLs from being accidentally deleted.
To manually create an ISL trunk in the CLI:
config switch trunk
    edit "<trunk_name>"
        set static-isl enable
        set static-isl-auto-vlan {enable | disable}
end
Locking down the ISL trunk in the GUI (when there is a single FortiLink interface):
1. Go to WiFi & Switch Controller > FortiLink Interface.
2. Enable Lockdown ISL.

Locking down the ISL trunk in the GUI (when there are two or more FortiLink interfaces):
1. Go to WiFi & Switch Controller > FortiLink Interface.
2. Right-click the FortiLink interface in the Name column.
3. Click Lockdown ISL.

Locking down ISLs and ICLs is one of the recommendations in the Security Rating report (Security Fabric > Security Rating).

Deleting a FortiLink interface
If you have any problems with deleting a FortiLink interface, disable it first using the CLI:
config switch interface
    edit <FortiLink_interface_name>
        set fortilink disable
end

Optional FortiLink configuration required before discovering and authorizing FortiSwitch units
This section covers the following topics:
- Migrating the configuration of standalone FortiSwitch units on page 34
- VLAN interface templates for FortiSwitch units on page 34
- Automatic provisioning of FortiSwitch firmware upon authorization on page 37
Migrating the configuration of standalone FortiSwitch units
When a configured standalone FortiSwitch unit is converted to FortiLink mode, the standalone configuration is lost. To save time, use the fortilinkify.py utility to migrate your standalone configuration from one or more FortiSwitch units to a combined FortiGate-compatible configuration. To get the script and instructions, go to: https://fndn.fortinet.net/index.php?/tools/file/68-fortiswitch-configuration-migration-tool/
VLAN interface templates for FortiSwitch units
NOTE: You can only create VLAN interface templates when the FortiGate device has not authorized any FortiSwitch units yet, so only physically connect the FortiSwitch unit to the FortiGate device after completing this section.
You can create configuration templates that define the VLAN interfaces and are applied to new FortiSwitch devices when they are discovered and managed by the FortiGate device. For each VDOM, you can create templates, and then assign those templates to the automatically created switch VLAN interfaces for six types of traffic. The network subnet that is reserved for the switch controller can also be customized. To ensure that switch VLAN interface names are unique for each system, the following naming rules are used:
- root VDOM: The interface names are the same as the template names.
- other VDOMs: The interface name is created from the template name and the SNMP index of the interface. For example, if the template name is quarantined and the SNMP index is 29, the interface name is quarantined.29.
You can also customize the FortiLink management VLAN per FortiLink interface:
config system interface
    edit <fortilink interface>
        set fortilink enable
        set switch-controller-mgmt-vlan <integer>
    next
end
The management VLAN can be a number from 1 to 4094. The default value is 4094.
Create VLAN interface templates
To configure the VLAN interface templates:
config switch-controller initial-config template
    edit <template_name>
        set vlanid <integer>
        set ip <ip/netmask>
        set allowaccess {options}
        set auto-ip {enable | disable}
        set dhcp-server {enable | disable}
    next
end

<template_name>
    The name, or part of the name, of the template.

vlanid <integer>
    The unique VLAN ID for the type of traffic the template is assigned to (1-4094; the default is 4094).

ip <ip/netmask>
    The IP address and subnet mask of the switch VLAN interface. This can only be configured when auto-ip is disabled.

allowaccess {options}
    The permitted types of management access to this interface.

auto-ip {enable | disable}
    When enabled, the switch controller will pick an unused 24-bit (/24) subnet from the switch-controller-reserved-network (configured in config system global).

dhcp-server {enable | disable}
    When enabled, the switch controller will create a DHCP server for the switch VLAN interface.

To assign the templates to the specific traffic types:

config switch-controller initial-config vlans
    set default-vlan <template>
    set quarantine <template>
    set rspan <template>
    set voice <template>
    set video <template>
    set nac <template>
end

default-vlan <template>
    Default VLAN assigned to all switch ports upon discovery.

quarantine <template>
    VLAN for quarantined traffic.

rspan <template>
    VLAN for RSPAN/ERSPAN mirrored traffic.

voice <template>
    VLAN dedicated for voice devices.

video <template>
    VLAN dedicated for video devices.

nac <template>
    VLAN for NAC onboarding devices.

To configure the network subnet that is reserved for the switch controller:
config system global
    set switch-controller-reserved-network <ip/netmask>
end
The default value is 169.254.0.0 255.255.0.0.

Example
In this example, six templates are configured with different VLAN IDs. Except for the default template, all of them have DHCP server enabled. When a FortiSwitch is discovered, VLANs and the corresponding DHCP servers are automatically created.
To configure six templates and apply them to VLAN traffic types:
config switch-controller initial-config template
    edit "default"
        set vlanid 1
        set auto-ip disable
    next
    edit "quarantine"
        set vlanid 4093
        set dhcp-server enable
    next
    edit "rspan"
        set vlanid 4092
        set dhcp-server enable
    next
    edit "voice"
        set vlanid 4091
        set dhcp-server enable
    next
    edit "video"
        set vlanid 4090
        set dhcp-server enable
    next
    edit "onboarding"
        set vlanid 4089
        set dhcp-server enable
    next
end
config switch-controller initial-config vlans
    set default-vlan "default"
    set quarantine "quarantine"
    set rspan "rspan"
    set voice "voice"
    set video "video"
    set nac "onboarding"
end
To see the automatically created VLANs and DHCP servers:
show system interface
    edit "default"
        set vdom "root"
        set snmp-index 24
        set switch-controller-feature default-vlan
        set interface "fortilink"
        set vlanid 1
    next
    edit "quarantine"
        set vdom "root"
        set ip 169.254.11.1 255.255.255.0
        set description "Quarantine VLAN"
        set security-mode captive-portal
        set replacemsg-override-group "auth-intf-quarantine"
        set device-identification enable
        set snmp-index 25
        set switch-controller-access-vlan enable
        set switch-controller-feature quarantine
        set color 6
        set interface "fortilink"
        set vlanid 4093
    next
    ...
end
show system dhcp server
    edit 2
        set dns-service local
        set ntp-service local
        set default-gateway 169.254.1.1
        set netmask 255.255.255.0
        set interface "fortilink"
        config ip-range
            edit 1
                set start-ip 169.254.1.2
                set end-ip 169.254.1.254
            next
        end
        set vci-match enable
        set vci-string "FortiSwitch" "FortiExtender"
    next
    edit 3
        set dns-service default
        set default-gateway 169.254.11.1
        set netmask 255.255.255.0
        set interface "quarantine"
        config ip-range
            edit 1
                set start-ip 169.254.11.2
                set end-ip 169.254.11.254
            next
        end
        set timezone-option default
    next
    ...
end
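As an added example (not Fortinet's code), the Python script below checks a set of VLAN interface templates against the rules described in this section (VLAN ID range and uniqueness, ip only when auto-ip is disabled, dhcp-server needing an address) and illustrates the auto-ip rule by handing out unused /24 subnets from the switch-controller-reserved-network. The templates mirror the six-template example above. The ascending allocation order and the list of subnets treated as already in use are the script's own assumptions, since the guide does not document how the switch controller chooses a subnet.

```python
"""Added example (not Fortinet code): check FortiSwitch VLAN interface
templates against the rules in the guide and illustrate auto-ip subnet
selection from the switch-controller-reserved-network."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass
class Template:
    name: str
    vlanid: int
    auto_ip: bool = True          # enabled unless the template disables it
    dhcp_server: bool = False
    ip: Optional[str] = None      # allowed only when auto_ip is False


# The six templates from the example above.
EXAMPLE_TEMPLATES = [
    Template("default", 1, auto_ip=False),
    Template("quarantine", 4093, dhcp_server=True),
    Template("rspan", 4092, dhcp_server=True),
    Template("voice", 4091, dhcp_server=True),
    Template("video", 4090, dhcp_server=True),
    Template("onboarding", 4089, dhcp_server=True),
]


def validate_templates(templates: List[Template]) -> List[str]:
    """Return a list of problems; an empty list means the set is consistent."""
    problems: List[str] = []
    seen: Dict[int, str] = {}
    for t in templates:
        if not 1 <= t.vlanid <= 4094:
            problems.append(f"{t.name}: vlanid {t.vlanid} outside 1-4094")
        if t.vlanid in seen:
            problems.append(f"{t.name}: vlanid {t.vlanid} already used by {seen[t.vlanid]}")
        seen.setdefault(t.vlanid, t.name)
        if t.ip and t.auto_ip:
            problems.append(f"{t.name}: ip can only be configured when auto-ip is disabled")
        if t.dhcp_server and not (t.auto_ip or t.ip):
            problems.append(f"{t.name}: dhcp-server needs an interface address")
    return problems


def allocate_auto_ip(templates: List[Template],
                     reserved: str = "169.254.0.0/16",
                     in_use: Iterable[str] = ("169.254.1.0/24",)) -> Dict[str, str]:
    """Give every auto-ip template the first unused /24 of `reserved`.

    Assumption (this script's, not documented in the guide): subnets are
    handed out in ascending order, skipping those listed in `in_use`; the
    FortiLink interface itself occupies 169.254.1.0/24 in the show output above.
    """
    network = ipaddress.ip_network(reserved)
    used = {ipaddress.ip_network(n) for n in in_use}
    free = (s for s in network.subnets(new_prefix=24) if s not in used)
    plan: Dict[str, str] = {}
    for t in templates:
        if t.auto_ip:
            subnet = next(free)
            # .1 of the subnet becomes the interface address, as 169.254.11.1 does above
            plan[t.name] = f"{subnet.network_address + 1}/{subnet.prefixlen}"
    return plan


if __name__ == "__main__":
    print(validate_templates(EXAMPLE_TEMPLATES) or "templates OK")
    for name, addr in allocate_auto_ip(EXAMPLE_TEMPLATES).items():
        print(f"{name:<12} {addr}")
```

Run validate_templates() before committing a template set; a non-empty result points at the template that would be rejected or would collide with another one. allocate_auto_ip() is only a model of the reserved-network constraint and is useful for sizing the reserved network (each auto-ip template consumes one /24), not for predicting the exact address the switch controller will assign.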
Automatic provisioning of FortiSwitch firmware upon authorization
Starting in FortiOS 7.0.0, administrators can use the FortiOS CLI to upload the FortiSwitch firmware and then configure the managed FortiSwitch units to be automatically upgraded with the uploaded firmware when the switches are authorized by FortiLink. On FortiGate models that have a hard disk, up to four images for the same FortiSwitch model can be uploaded. For FortiGate models without a hard disk, only one image can be uploaded for each FortiSwitch model.
Starting in FortiOS 7.0.4, administrators no longer need to upload the FortiSwitch firmware. Instead, administrators can configure the managed FortiSwitch units to be automatically upgraded to the latest FortiSwitchOS version available in FortiGuard when the switches are authorized by FortiLink. If the FortiSwitch units are already running the latest version of FortiSwitchOS when they are authorized, no changes are made.
- You cannot use the one-time automatic upgrade with the automatic provisioning that uses uploaded firmware. When firmware-provision-latest is set to once, the firmware-provision and firmware-provision-version commands are unset.
- If a FortiSwitch unit is being upgraded when the one-time automatic upgrade is configured, the upgrade in progress is paused until the one-time automatic upgrade is completed.


To configure the automatic provisioning using uploaded FortiSwitch firmware:

config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        set firmware-provision {enable | disable}
        set firmware-provision-version <version>
    next
end

firmware-provision {enable | disable}
    Enable or disable provisioning firmware to the FortiSwitch unit after authorization (the default is disable).

firmware-provision-version <version>
    The firmware version to provision the FortiSwitch unit with on bootup. The format is major_version.minor_version.build_number, for example, 6.4.0454.

In the following example, a FortiSwitch 248E-POE is upgraded from FortiSwitchOS 6.4.3 to 6.4.4:
1. Upload the FortiSwitch image to the FortiGate device and confirm that it was uploaded successfully:
# execute switch-controller switch-software upload tftp 248-454.out 172.18.60.160
Downloading file 248-454.out from tftp server 172.18.60.160...
###########################
Image checking ...
Image MD5 calculating ...
Image Saving S248EP-IMG.swtp ...
Successful!
File Syncing...
# execute switch-controller switch-software list-available
ImageName                       ImageSize(B)  ImageInfo              Uploaded Time
S248EP-v6.4-build454-IMG.swtp   28579517      S248EP-v6.4-build454   Mon Nov 30 15:06:07 2020
2. On the FortiSwitch unit, check the current version:
# get system status
Version: FortiSwitch-248E-POE v6.4.3,build0452,201029 (GA)
Serial-Number: S248EPTF18001842
BIOS version: 04000004
System Part-Number: P22169-02
Burn in MAC: 70:4c:a5:e1:53:f6
Hostname: S248EPTF18001842
Distribution: International
Branch point: 452
System time: Wed Dec 31 16:11:17 1969
3. On the FortiGate device, enable firmware provisioning and specify the version:
config switch-controller managed-switch
    edit S248EPTF18000000
        set firmware-provision enable
        set firmware-provision-version 6.4.0454
    next
end
4. On the FortiGate device, authorize the FortiSwitch unit:
config switch-controller managed-switch
    edit S248EPTF18000000
        set fsw-wan1-peer flink
        set fsw-wan1-admin enable
    next
end

5. When the authorized FortiSwitch unit is in FortiLink mode, it automatically starts upgrading to the provisioned firmware:
# execute switch-controller get-upgrade-status
Device            Running-version                           Status     Next-boot
=====================================================================================
VDOM : vdom1
FS1D243Z170000XX  FS1D24-v6.4.0-build456,201121 (Interim)   (0/0/0)    N/A (Idle)
S248DN3X170002XX  S248DN-v6.4.0-build456,201121 (Interim)   (0/0/0)    N/A (Idle)
S248EPTF18000000  S248EP-v6.4.3-build452,201029 (GA)        (14/0/0)   N/A (Upgrading)

6. Check the version when the upgrade is complete:
# execute switch-controller get-conn-status
Managed-devices in current vdom vdom1:

FortiLink interface : flink
SWITCH-ID         VERSION        STATUS          FLAG  ADDRESS       JOIN-TIME                 NAME
FS1D243Z17000032  v6.4.0 (456)   Authorized/Up   -     169.254.1.3   Mon Nov 30 11:08:10 2020  -
S248DN3X170002XX  v6.4.0 (456)   Authorized/Up   -     169.254.1.4   Mon Nov 30 11:08:32 2020  -
S248EPTF18000000  v6.4.4 (454)   Authorized/Up   C     169.254.1.6   Mon Nov 30 15:20:53 2020  -
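To verify the outcome of a provisioned upgrade from a script rather than by eye, the following Python example (added here; it is not part of the guide or of FortiOS) parses the execute switch-controller get-conn-status output of the kind shown in step 6 and reports any managed switch that is not Authorized/Up, is missing from the output, or whose running build does not match the firmware-provision-version configured for it. The sample output is constructed from the rows above, and its column layout is an assumption about how the command prints.

```python
"""Added example (not Fortinet code): parse 'execute switch-controller
get-conn-status' output and confirm that every managed switch is
Authorized/Up and that provisioned switches run the expected build."""
import re
from typing import Dict, List, NamedTuple

# Constructed sample, laid out like the step 6 output above.
SAMPLE_OUTPUT = """\
Managed-devices in current vdom vdom1:

FortiLink interface : flink
SWITCH-ID         VERSION        STATUS          FLAG  ADDRESS       JOIN-TIME                 NAME
FS1D243Z17000032  v6.4.0 (456)   Authorized/Up   -     169.254.1.3   Mon Nov 30 11:08:10 2020  -
S248DN3X170002XX  v6.4.0 (456)   Authorized/Up   -     169.254.1.4   Mon Nov 30 11:08:32 2020  -
S248EPTF18000000  v6.4.4 (454)   Authorized/Up   C     169.254.1.6   Mon Nov 30 15:20:53 2020  -
"""


class Switch(NamedTuple):
    serial: str
    version: str
    build: int
    status: str
    flag: str
    address: str


# One data row: serial, "vX.Y.Z (build)", status, flag, address, then the join time.
_ROW = re.compile(
    r"^(?P<serial>[A-Z0-9]+)\s+v(?P<version>[\d.]+)\s+\((?P<build>\d+)\)\s+"
    r"(?P<status>\S+)\s+(?P<flag>\S+)\s+(?P<address>[\d.]+)\s"
)


def parse_conn_status(text: str) -> List[Switch]:
    """Return one Switch per data row; header and banner lines do not match."""
    rows: List[Switch] = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            rows.append(Switch(m["serial"], m["version"], int(m["build"]),
                               m["status"], m["flag"], m["address"]))
    return rows


def build_from_provision_version(version: str) -> int:
    """'6.4.0454' (major.minor.build, the firmware-provision-version format) -> 454."""
    _major, _minor, build = version.split(".")
    return int(build)


def check_fleet(text: str, expected: Dict[str, str]) -> List[str]:
    """Return findings for switches that are not Authorized/Up, are absent, or
    run a build other than the one provisioned. `expected` maps serial to
    the firmware-provision-version string configured for that switch."""
    findings: List[str] = []
    seen = {s.serial: s for s in parse_conn_status(text)}
    for serial, sw in seen.items():
        if sw.status != "Authorized/Up":
            findings.append(f"{serial}: status {sw.status}")
        want = expected.get(serial)
        if want is not None and sw.build != build_from_provision_version(want):
            findings.append(f"{serial}: build {sw.build}, provisioned {want}")
    for serial in expected:
        if serial not in seen:
            findings.append(f"{serial}: not in get-conn-status output")
    return findings


if __name__ == "__main__":
    for sw in parse_conn_status(SAMPLE_OUTPUT):
        print(sw.serial, sw.version, sw.build, sw.status, sw.address)
    print(check_fleet(SAMPLE_OUTPUT, {"S248EPTF18000000": "6.4.0454"}) or "fleet OK")
```

Feed the function the captured command output (for example from an SSH session) together with the firmware-provision-version values you set in step 3; an empty findings list is the condition to wait for before treating the upgrade as complete.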

To set up the one-time automatic upgrade of the FortiSwitch firmware:
1. On the FortiGate device, configure automatic provisioning:
config switch-controller global set firmware-provision-on-authorization enable
end

By default, the set firmware-provision-latest command is set to disable under config switch-controller managed-switch before the FortiSwitch unit is authorized by the FortiGate device.
2. On the FortiGate device, authorize the FortiSwitch unit:
config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        set fsw-wan1-peer <FortiLink_interface_name>
        set fsw-wan1-admin enable
    next
end
Authorizing the FortiSwitch unit changes the setting of the set firmware-provision-latest command to once under config switch-controller managed-switch.
3. When the status of the managed FortiSwitch unit is "Authorized/Up," the FortiGate device downloads the latest supported version of FortiSwitchOS from FortiGuard and then upgrades the switch.
4. The setting of the set firmware-provision-latest command is changed back to disable under config switch-controller managed-switch.
Instead of enabling firmware-provision-on-authorization, you can leave the command at its default setting (set firmware-provision-on-authorization disable) and change the setting of firmware-provision-latest to once.
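When more than a handful of switches are provisioned, reading the get-conn-status table by eye does not scale. The following Python script, added here as an example and not part of the Fortinet guide, parses that output and lists switches that are not Authorized/Up, that carry the E (config sync error) or U (upgrading) flag from the output's own flag legend, or that run a version other than the one you provisioned. The sample output embedded in the script is constructed to match the column layout printed by FortiOS 7.4 (serial numbers reused from this guide); the regular expression assumes that layout and is not a Fortinet-supplied parser.

```python
"""Parse `execute switch-controller get-conn-status` output from a FortiGate and
flag managed FortiSwitch units that need attention (added example, not Fortinet code).

Assumption (not from the guide): the SWITCH-ID, VERSION, STATUS, FLAG and ADDRESS
columns are separated by runs of spaces, as printed by FortiOS 7.4.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Flag legend exactly as printed at the bottom of the get-conn-status output.
FLAG_LEGEND = {
    "C": "config sync",
    "U": "upgrading",
    "S": "staged",
    "D": "delayed reboot pending",
    "E": "config sync error",
    "2": "L2",
    "3": "L3",
    "V": "VXLAN",
    "T": "tunnel",
    "X": "External",
}

# Constructed sample, modelled on the guide's output (serials reused from the guide).
SAMPLE_OUTPUT = """\
Managed-devices in current vdom vdom1:

FortiLink interface : port11
SWITCH-ID          VERSION        STATUS           FLAG  ADDRESS     JOIN-TIME                 NAME
S524DN4K16000116   v7.4.0 (0796)  Authorized/Up    2T    10.255.1.2  Mon Dec 18 15:41:34 2023  -
S248EPTF18001384   v7.4.1 (787)   Authorized/Up    2     10.255.1.5  Mon Dec 18 15:41:43 2023  -
S248EPTF18001827   N/A            Discovered/Down  2                 N/A                       -
S248EPTF18000000   v7.4.1 (787)   Authorized/Up    CE    10.255.1.6  Mon Dec 18 15:42:01 2023  -

Flags: C=config sync, U=upgrading, S=staged, D=delayed reboot pending, E=config sync error, 2=L2, 3=L3, V=VXLAN, T=tunnel, X=External
Managed-Switches: 4 (UP: 3 DOWN: 1 MAX: 72)
"""

# One data row: 16-character serial, version or N/A, STATUS, FLAG, optional IPv4 address.
ROW_RE = re.compile(
    r"^(?P<id>[A-Z0-9]{16})\s+"
    r"(?P<version>v\d+\.\d+\.\d+ \(\d+\)|N/A)\s+"
    r"(?P<status>[A-Za-z]+/[A-Za-z]+)\s+"
    r"(?P<flags>[A-Z0-9-]+)"
    r"(?:\s+(?P<addr>\d{1,3}(?:\.\d{1,3}){3}))?"
)


@dataclass
class ManagedSwitch:
    switch_id: str
    version: str            # e.g. "v7.4.1 (787)", or "N/A" for a switch that never joined
    status: str             # e.g. "Authorized/Up", "Discovered/Down"
    flags: str              # raw FLAG column; "-" when no flag is set
    address: Optional[str]  # FortiLink address, absent for a switch that is down


def parse_conn_status(text: str) -> List[ManagedSwitch]:
    """Return one ManagedSwitch per data row; header, legend and summary lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(ManagedSwitch(m["id"], m["version"], m["status"], m["flags"], m["addr"]))
    return rows


def describe_flags(flags: str) -> List[str]:
    """Expand a FLAG column value such as "2T" into the legend's names."""
    return [FLAG_LEGEND[f] for f in flags if f in FLAG_LEGEND]


def find_problems(rows: List[ManagedSwitch], expected_version: Optional[str] = None) -> List[Tuple[str, str]]:
    """List (switch_id, reason) pairs for switches an operator should look at."""
    problems = []
    for sw in rows:
        if sw.status != "Authorized/Up":
            problems.append((sw.switch_id, f"status is {sw.status}"))
        if "E" in sw.flags:
            problems.append((sw.switch_id, "config sync error (flag E)"))
        if "U" in sw.flags:
            problems.append((sw.switch_id, "firmware upgrade still in progress (flag U)"))
        # Compare only the version part ("v7.4.1"), not the build number in parentheses.
        if expected_version and sw.version != "N/A" and sw.version.split()[0] != expected_version:
            problems.append((sw.switch_id, f"running {sw.version}, expected {expected_version}"))
    return problems


if __name__ == "__main__":
    for sw_id, reason in find_problems(parse_conn_status(SAMPLE_OUTPUT), "v7.4.1"):
        print(f"{sw_id}: {reason}")
```

On a real FortiGate, pipe the command output into the script (for example over the management SSH session) and treat any non-empty result as a reason not to proceed with the next provisioning step.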

Discovering
This section covers the following topics:
- Authorizing on page 40
- Preparing the FortiSwitch unit on page 40
Authorizing
If automatic authorization is disabled, you need to authorize the FortiSwitch unit as a managed switch:
config switch-controller managed-switch
    edit FS224D3W14000370
        set fsw-wan1-admin enable
    next
end
NOTE: After authorization, the FortiSwitch unit reboots in FortiLink mode.
Preparing the FortiSwitch unit
If the FortiSwitch unit is in the factory default configuration, it is ready to be connected to the FortiGate device. If the FortiSwitch unit is not in the factory default configuration, log in to the FortiSwitch unit with the CLI and use the execute factoryreset command to reset the FortiSwitch unit to the factory defaults.
Optional FortiLink configuration
This section covers the following topics:
- Assigning roles to FortiLink VLAN interfaces on page 41
- Using the FortiSwitch serial number for automatic name resolution on page 41
- Changing the admin password on the FortiGate for all managed FortiSwitch units on page 42
- Disabling the FortiSwitch console port login on page 42
- Using automatic network detection and configuration on page 43
- Limiting the number of parallel processes for FortiSwitch configuration on page 43
- Configuring access to management and internal interfaces on page 44
- Enabling FortiLink VLAN optimization on page 44
- Configuring the MAC sync interval on page 45
- Configuring the FortiSwitch management port on page 45
- Multiple FortiLink interfaces on page 46
- Grouping FortiSwitch units on page 46
- Improving the FortiLink connection on page 46
- FortiLink with HTTPS on page 47
Assigning roles to FortiLink VLAN interfaces
If you are using the FortiGate unit's security rating feature, you need to assign a role of LAN, WAN, or DMZ to your FortiLink VLAN interfaces before referencing them in any firewall policies. If this is not done, the security rating score is lowered until the issue is remedied, because the "Interface Classification" requirement fails.
Using the FortiSwitch serial number for automatic name resolution
By default, you can check that the FortiSwitch unit is accessible from the FortiGate unit with the execute ping <FortiSwitch_IP_address> command. If you want to use the FortiSwitch serial number instead of the FortiSwitch IP address, use the following commands:
config switch-controller global
    set sn-dns-resolution enable
end
NOTE: The set sn-dns-resolution enable configuration is enabled by default.
Then you can use the execute ping <FortiSwitch_serial_number>.<domain_name> command to check if the FortiSwitch unit is accessible from the FortiGate unit. For example:
FG100D3G15817028 (root) # execute ping S524DF4K15000024.fsw
PING S524DF4K15000024.fsw (123.456.7.8): 56 data bytes
64 bytes from 123.456.7.8: icmp_seq=0 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=1 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=2 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=3 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=4 ttl=64 time=0.0 ms
Optionally, you can omit the domain name (.fsw) from the command by setting the default DNS domain on the FortiGate unit:
config system dns
    set domain "fsw"
end
Now you can use the execute ping <FortiSwitch_serial_number> command to check if the FortiSwitch unit is accessible from the FortiGate unit. For example:
FG100D3G15817028 (root) # execute ping S524DF4K15000024
PING S524DF4K15000024.fsw (123.456.7.8): 56 data bytes
64 bytes from 123.456.7.8: icmp_seq=0 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=1 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=2 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=3 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=4 ttl=64 time=0.0 ms
--- S524DF4K15000024.fsw ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

Changing the admin password on the FortiGate for all managed FortiSwitch units
By default, each FortiSwitch has an admin account without a password, so set one before the switch is reachable from any network you do not fully trust. To replace the admin passwords for all FortiSwitch units managed by a FortiGate, use the following commands from the FortiGate CLI:
config switch-controller switch-profile
    edit default
        set login-passwd-override {enable | disable}
        set login-passwd <password>
    next
end
If you had already applied a profile with the override enabled and the password set and then decide to remove the admin password, you need to apply a profile with the override enabled and no password set; otherwise, your previously set password will remain on the FortiSwitch. For example:
config switch-controller switch-profile
    edit default
        set login-passwd-override enable
        unset login-passwd
    next
end

Disabling the FortiSwitch console port login
Starting in FortiOS 7.2.0 with FortiSwitchOS 7.2.0, administrators can use the FortiSwitch profile to control whether users can log in through the console port of a managed FortiSwitch unit. By default, console port login is allowed on managed FortiSwitch units.
To change the FortiSwitch profile:
config switch-controller switch-profile
    edit {default | <FortiSwitch_profile_name>}
        set login {enable | disable}    (enabled by default)
    next
end
To disable logging in to the managed FortiSwitch console port in the default FortiSwitch profile:
config switch-controller switch-profile
    edit default
        set login disable
    next
end
To change which FortiSwitch profile is used by a managed switch:
config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        set switch-profile {default | <FortiSwitch_profile_name>}
    next
end
For example:
config switch-controller managed-switch
    edit S524DF4K15000024
        set switch-profile new_switch_profile
    next
end
Using automatic network detection and configuration
There are three commands that let you use automatic network detection and configuration.
To specify which policies can override the defaults for a specific ISL, ICL, or FortiLink interface:
config switch-controller auto-config custom
    edit <automatically configured FortiLink, ISL, or ICL interface name>
        config switch-binding
            edit "<switch serial number>"
                set policy "<custom automatic-configuration policy>"
            next
        end
    next
end
To specify policies that are applied automatically for all ISL, ICL, and FortiLink interfaces:
config switch-controller auto-config default
    set fgt-policy <default FortiLink automatic-configuration policy>
    set isl-policy <default ISL automatic-configuration policy>
    set icl-policy <default ICL automatic-configuration policy>
end
NOTE: The ICL automatic-configuration policy requires FortiOS 6.2.0 or later.
To specify policy definitions that define the behavior on automatically configured interfaces:
config switch-controller auto-config policy
    edit <policy_name>
        set qos-policy <automatic-configuration QoS policy>
        set storm-control-policy <automatic-configuration storm-control policy>
        set poe-status {enable | disable}
        set igmp-snooping-flood-reports {enable | disable}
        set mcast-snooping-flood-traffic {enable | disable}
    next
end
Limiting the number of parallel processes for FortiSwitch configuration
Use the following CLI commands to reduce the number of parallel processes that the switch controller uses for configuring FortiSwitch units:
config global
    config switch-controller system
        set parallel-process-override enable
        set parallel-process <1-300>
    end
end

Configuring access to management and internal interfaces
The set allowaccess command configures access to all interfaces on a FortiSwitch unit. If you need to have different access to the FortiSwitch management interface and the FortiSwitch internal interface, you can set up a local-access security policy with the following commands:
config switch-controller security-policy local-access
    edit <policy_name>
        set mgmt-allowaccess {https | ping | ssh | snmp | http | telnet | radius-acct}
        set internal-allowaccess {https | ping | ssh | snmp | http | telnet | radius-acct}
    next
end
config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        set access-profile <name_of_policy>
    next
end
For example:
config switch-controller security-policy local-access
    edit policy1
        set mgmt-allowaccess https ping ssh radius-acct
        set internal-allowaccess https ssh snmp telnet
    next
end
config switch-controller managed-switch
    edit S524DF4K15000024
        set access-profile policy1
    next
end
NOTE: After you upgrade to FortiOS 6.2, the allowaccess settings for the FortiSwitch mgmt and internal interfaces are overridden by the default local-access security policy.
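The example policy1 above permits telnet on the internal interface. Telnet and http carry credentials and configuration in cleartext, so a practitioner normally leaves both out of both lists and keeps the management plane on https and ssh. The following Python script, added here as an example and not part of the Fortinet guide, renders a local-access policy and its per-switch access-profile binding in the CLI syntax shown above and refuses http and telnet unless explicitly overridden. The service names are the ones the guide lists; the fixed output order of services and the use of unset for an empty list are assumptions about the CLI, not something the guide states.

```python
"""Render a FortiOS local-access security policy for managed FortiSwitch units and
refuse cleartext management protocols unless explicitly allowed (added example, not Fortinet code).

The service names and the `config switch-controller security-policy local-access` /
`set access-profile` syntax are as printed in the guide. The ordering of services in the
rendered line and the `unset` emitted for an empty list are assumptions.
"""
from typing import Iterable, List

# Services accepted by mgmt-allowaccess / internal-allowaccess, as listed in the guide.
ALLOWED = ("https", "ssh", "snmp", "ping", "radius-acct", "http", "telnet")
# Services that move credentials and configuration without encryption.
CLEARTEXT = {"http", "telnet"}


def validate_allowaccess(services: Iterable[str], allow_cleartext: bool = False) -> List[str]:
    """Return the de-duplicated services in a stable order, or raise on unknown/cleartext ones."""
    wanted = set(services)
    unknown = wanted - set(ALLOWED)
    if unknown:
        raise ValueError(f"unknown allowaccess service(s): {sorted(unknown)}")
    clear = wanted & CLEARTEXT
    if clear and not allow_cleartext:
        raise ValueError(f"cleartext service(s) {sorted(clear)} refused; pass allow_cleartext=True to override")
    return [s for s in ALLOWED if s in wanted]


def render_local_access_policy(name: str, mgmt: Iterable[str], internal: Iterable[str],
                               switches: Iterable[str], allow_cleartext: bool = False) -> str:
    """Emit the security-policy block and one managed-switch binding per serial number."""
    mgmt_services = validate_allowaccess(mgmt, allow_cleartext)
    internal_services = validate_allowaccess(internal, allow_cleartext)

    def setting(key: str, values: List[str]) -> str:
        # Assumption: `unset <key>` clears the list when no service is wanted on that interface.
        return f"        set {key} {' '.join(values)}" if values else f"        unset {key}"

    lines = [
        "config switch-controller security-policy local-access",
        f"    edit {name}",
        setting("mgmt-allowaccess", mgmt_services),
        setting("internal-allowaccess", internal_services),
        "    next",
        "end",
        "config switch-controller managed-switch",
    ]
    for serial in switches:
        lines += [f"    edit {serial}", f"        set access-profile {name}", "    next"]
    lines.append("end")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Hardened form of the guide's policy1: no telnet on the internal interface.
    print(render_local_access_policy("policy1", ["https", "ping", "ssh", "radius-acct"],
                                     ["https", "ssh", "snmp"], ["S524DF4K15000024"]))
```

Paste the rendered text into the FortiGate CLI; keeping the generator in version control gives you a reviewable record of which switches were ever allowed a cleartext protocol.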
Enabling FortiLink VLAN optimization
When inter-switch links (ISLs) are automatically formed on trunks, the switch controller allows VLANs 1-4093 on ISL ports. This configuration can increase data processing on the FortiSwitch unit. When VLAN optimization is enabled, the FortiSwitch unit allows only user-defined VLANs on the automatically generated trunks.
NOTE: VLAN optimization is enabled by default.
To enable FortiLink VLAN optimization on FortiSwitch units from the FortiGate unit:
config switch-controller global
    set vlan-optimization enable
end

NOTE: You cannot use the set vlan-all-mode all command with the set vlan-optimization enable command.
Configuring the MAC sync interval
Use the following commands to configure the global MAC sync interval. The MAC sync interval is the time interval between MAC synchronizations. The range is 30 to 600 seconds, and the default value is 60.
config switch-controller mac-sync-settings
    set mac-sync-interval <30-600>
end
Configuring the FortiSwitch management port
If the FortiSwitch model has a dedicated management port, you can configure remote management to the FortiSwitch. In FortiLink mode, the FortiGate is the default gateway, so you need to configure an explicit route for the FortiSwitch management port.
Using the FortiGate GUI
1. Go to Network > Static Routes > Create New > Route.
2. Set Destination to Subnet and enter a subnetwork and mask.
3. Set Device to the management interface.
4. Add a Gateway IP address.
Using the FortiSwitch CLI
Enter the following commands:
config router static
    edit 1
        set device mgmt
        set gateway <router IP address>
        set dst <router subnet> <subnet mask>
    next
end
In the following example, the FortiSwitch management port is connected to a router with IP address 192.168.0.10:
config router static
    edit 1
        set device mgmt
        set gateway 192.168.0.10
        set dst 192.168.0.0 255.255.0.0
    next
end
If provisioned with custom commands on the FortiGate device, the configuration is preserved on the FortiGate device. See Executing custom FortiSwitch scripts on page 309.

Multiple FortiLink interfaces
If you are adding a second FortiLink interface, use the CLI to enable FortiLink. For example:
config system interface
    edit "fortilink_2"
        set fortilink enable
    next
end
After that, the interface is available in the GUI to complete the settings. Click Create to add additional FortiLink interfaces.
Grouping FortiSwitch units
You can simplify the configuration and management of complex topologies by creating FortiSwitch groups. A group can include one or more FortiSwitch units and you can include different models in a group.
Using the GUI:
1. Go to WiFi & Switch Controller > Managed FortiSwitch.
2. Select Create New > FortiSwitch Group.
3. In the Name field, enter a name for the FortiSwitch group.
4. In the Members field, click + to select which switches to include in the FortiSwitch group.
5. In the Description field, enter a description of the FortiSwitch group.
6. Select OK.
Using the CLI:
config switch-controller switch-group
    edit <name>
        set description <string>
        set members <serial-number> <serial-number> ...
    next
end
Grouping FortiSwitch units allows you to restart all of the switches in the group instead of individually. For example, you can use the following command to restart all of the FortiSwitch units in a group named my-sw-group:
execute switch-controller switch-action restart delay switch-group my-sw-group
Upgrading the firmware of FortiSwitch groups is easier, too, because fewer commands are needed. See the next section for the procedure.
Improving the FortiLink connection
Starting in FortiOS 7.4.0, there are two CLI commands under config switch-controller system that you can use to improve the FortiLink connection:
- Use the set caputp-echo-interval <8-600> command to set the interval for the Control and Provisioning of Unified Termination Points (CAPUTP) ECHO requests from the Scheduling Wide-area Transport Protocol (SWTP). The default value is 30 seconds. Setting the interval to a shorter time means that an offline device is detected more quickly.
- Use the set caputp-max-retransmit <0-64> command to set the maximum number of times that CAPUTP tunnel packets are retransmitted. The default value is 4. Setting the retransmission count to a lower number causes the CAPUTP daemon to time out sooner and then restart, for faster failover.

FortiLink with HTTPS

Starting in FortiOS 7.4.2 with FortiSwitchOS 7.4.2, you can use FortiLink with HTTPS to manage FortiSwitch units. Using FortiLink with HTTPS simplifies the management process and improves the user experience and efficiency.
The FortiGate device supports using both the CAPWAP protocol and HTTPS at the same time. Each FortiSwitch unit supports using the CAPWAP protocol or HTTPS; you cannot use both protocols to manage the same FortiSwitch unit.
FortiLink with HTTPS uses the same technology as FortiLAN Cloud to operate over both layer 2 and layer 3.
When you are using FortiLink with HTTPS to manage FortiSwitch units, the same FortiLink features are supported as when you are using FortiLink with the CAPWAP protocol.

To use FortiLink with HTTPS:

1. On the FortiSwitch unit, enable the FortiLink HTTPS management mode (CAPWAP remains enabled):
config switch-controller global
    set mgmt-mode https
end
2. On the FortiSwitch unit, set the FortiLAN Cloud service to FortiLink with HTTPS, enter the FortiLink IPv4 address, and enable the status:
config system flan-cloud
    set service-type fortilink-https
    set name <FortiLink_IPv4_address>
    set status enable
end
3. On the FortiGate device, authorize the FortiSwitch unit if it has not already been authorized:
config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        set fsw-wan1-admin enable
    next
end
4. On the FortiGate device, check that the tunnel has been established to allow FortiLink with HTTPS:
execute switch-controller get-conn-status
For example:
FGT_A (vdom1) (Interim)# execute switch-controller get-conn-status
Managed-devices in current vdom vdom1:

FortiLink interface : port11
SWITCH-ID          VERSION        STATUS           FLAG  ADDRESS      JOIN-TIME                 SERIAL
S524DN4K16000116   v7.4.0 (0796)  Authorized/Up    2T    10.255.1.2   Mon Dec 18 15:41:34 2023  S524DN4K16000116
S248EPTF18001384   v7.4.1 (787)   Authorized/Up    2     10.255.1.5   Mon Dec 18 15:41:43 2023  S248EPTF18001384
S248EPTF18001827   N/A            Discovered/Down  2                  N/A                       S248EPTF18001827
S124EN5918003682   N/A            Discovered/Down  2                  N/A                       S124EN5918003682

Flags: C=config sync, U=upgrading, S=staged, D=delayed reboot pending, E=config sync error, 2=L2, 3=L3, V=VXLAN, T=tunnel, X=External
Managed-Switches: 4 (UP: 2 DOWN: 2 MAX: 72)
5. On the FortiSwitch unit, check that FortiLAN Cloud has established the FortiLink connection:
get system flan-cloud-mgr connection-info
For example:
S524DN4K16000116 # get system flan-cloud-mgr connection-info
Service Name        : FortiLink
User Account-ID     : 0
SSL verify Code     : ok
Access Service      : IP= 10.255.1.1, Port= 443, Connected on: 2023-12-18 15:41:33
Bootstrap Service   : hostname= , Port= 0
State-Machine       : State= FLAN_MGR_STATE_READY, Event= EV_READY_SSL_SESSION_ESTD
SSL Local End-Point : Interface: internal, IP: 10.255.1.2
SSL Tunnel Uptime   : Days: 0 Hours: 0 Mins: 2 [Connected @2023-12-18 15:41:33]
SSL Tunnel stats    : restart-count= 279, Restart Reason= Boot-Strap fails to setup
SSL to Cloud
Stats:
========
Switch Keep Alive             Tx/Reply := 3 / 1
Manager Keep Alive            Rx/Error := 2 / 0
Socks Req Rx/Last Stream-ID            := 1193 / 5
Reset Req Rx/last Stream-ID            := 137 / 276
Goaway Req Rx                          := 0
Unknown Req Rx                         := 0
Syslog FD/Tx/Err                       := 10 / 62 / 0

FortiLink details
=======================
stream_id                        : 5
online state_id                  : 7
localSock fd                     : 11
stpTelSock fd                    : 12
dhcpTelSock fd                   : 13
igmpsTelSock fd                  : 14
macSock fd                       : 15
cmfSock fd                       : 16
FortiGate - no response counter  : 0
FortiGate - [Last no response time @1969-12-31 16:00:00]
online TX counter                : 6
online RX_ACK counter            : 6
online RX_NACK counter           : 0
topology req                     : 8
topology resp                    : 4
system telemetry req             : 8
system telemetry resp            : 3
interface telemetry req          : 2
interface telemetry resp         : 2
mac telemetry req                : 0
mac telemetry resp               : 0
dot1x user req                   : 0
dot1x user resp                  : 0
lldp nbr req                     : 0
lldp nbr resp                    : 0
mac cache req                    : 0
mac cache resp                   : 0
trunk state req                  : 21
trunk state resp                 : 7
port state req                   : 4
port state resp                  : 2
poe status req                   : 0
poe status resp                  : 0

Used SOCKS stream-id:
=======================
SID  SockFd  Proxy-Ports      State  Description
___________________________________________________________________
1    0       UNKNOWN:0<-->0   DATA   BOOTSTRAP
3    0       UDP:9514<-->0    DATA   SYSLOG DATA
5    0       UNKNOWN:0<-->0   DATA   FORTILINK

To log in from the FortiGate device to a switch managed by FortiLink with HTTPS:
execute switch-controller ssh <FortiSwitch_user_name> <FortiSwitch_serial_number>
For example:
execute switch-controller ssh admin S524DF4K15000024
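When verifying step 5 across a fleet, a practitioner wants the connection-info output reduced to a pass/fail verdict, and in particular wants to know that the tunnel terminates at the FortiLink address configured with set name under config system flan-cloud rather than at some other host. The following Python script, added here as an example and not part of the Fortinet guide, parses the label : value lines of that output and checks the SSL verify code, the state machine, the controller address and port, the tunnel restart count and the FortiGate no-response counter. The sample output is constructed from the guide's example; the restart threshold of 10 and the handling of the label layout are assumptions, not values the guide specifies.

```python
"""Health-check the FortiLink-over-HTTPS tunnel from `get system flan-cloud-mgr connection-info`
output on a FortiSwitch (added example, not Fortinet code).

Assumptions (not from the guide): lines have the form "label : value" with later colons
belonging to the value; the expected controller is the FortiLink IPv4 address configured
with `set name` under `config system flan-cloud`; more than `max_restarts` tunnel restarts
is worth a finding.
"""
import re
from typing import Dict, List

# Constructed sample, modelled on the guide's example output.
SAMPLE_OUTPUT = """\
Service Name        : FortiLink
User Account-ID     : 0
SSL verify Code     : ok
Access Service      : IP= 10.255.1.1, Port= 443, Connected on: 2023-12-18 15:41:33
Bootstrap Service   : hostname= , Port= 0
State-Machine       : State= FLAN_MGR_STATE_READY, Event= EV_READY_SSL_SESSION_ESTD
SSL Local End-Point : Interface: internal, IP: 10.255.1.2
SSL Tunnel Uptime   : Days: 0 Hours: 0 Mins: 2 [Connected @2023-12-18 15:41:33]
SSL Tunnel stats    : restart-count= 279, Restart Reason= Boot-Strap fails to setup
FortiGate - no response counter : 0
"""


def parse_connection_info(text: str) -> Dict[str, str]:
    """Split each 'label : value' line on its first colon; lines without a value are skipped."""
    info: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        label, value = line.split(":", 1)
        label, value = label.strip(), value.strip()
        if label and value:
            info[label] = value
    return info


def _field(value: str, key: str) -> str:
    """Extract 'key= something' from a comma-separated value string; '' when absent."""
    m = re.search(rf"{re.escape(key)}=\s*([^,\]]*)", value)
    return m.group(1).strip() if m else ""


def check_tunnel(info: Dict[str, str], expected_controller: str, max_restarts: int = 10) -> List[str]:
    """Return a list of findings; an empty list means the tunnel looks healthy."""
    findings: List[str] = []
    if info.get("SSL verify Code") != "ok":
        findings.append(f"SSL verification not ok: {info.get('SSL verify Code', 'missing')}")
    state = _field(info.get("State-Machine", ""), "State")
    if state != "FLAN_MGR_STATE_READY":
        findings.append(f"state machine not ready: {state or 'missing'}")
    access = info.get("Access Service", "")
    ip, port = _field(access, "IP"), _field(access, "Port")
    if ip != expected_controller:
        # A switch talking to an unexpected controller is a configuration or security problem.
        findings.append(f"tunnel terminates at {ip or 'unknown'}, expected {expected_controller}")
    if port != "443":
        findings.append(f"unexpected controller port {port or 'unknown'}")
    stats = info.get("SSL Tunnel stats", "")
    restarts = _field(stats, "restart-count")
    if restarts.isdigit() and int(restarts) > max_restarts:
        findings.append(f"tunnel restarted {restarts} times: {_field(stats, 'Restart Reason')}")
    no_resp = info.get("FortiGate - no response counter", "0")
    if no_resp.isdigit() and int(no_resp) > 0:
        findings.append(f"FortiGate did not respond {no_resp} times")
    return findings


if __name__ == "__main__":
    for finding in check_tunnel(parse_connection_info(SAMPLE_OUTPUT), "10.255.1.1"):
        print(finding)
```

Run it against the output captured from each switch (for example through execute switch-controller ssh) with the FortiLink address you configured in step 2 as the expected controller; the guide's own sample trips only the restart-count check, which is the kind of detail that is easy to miss when the state line already reads READY.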

Disabling stacking
To disable stacking, execute the following commands from the FortiGate CLI. In the following example, port4 is the FortiLink interface:
config system interface
    edit port4
        set fortilink-stacking disable
    next
end


Determining the network topology
The FortiGate unit requires an active FortiLink interface to manage all of the subtending FortiSwitch units (called stacking). You can configure the FortiLink as a physical interface or as a logical interface (associated with one or more physical interfaces). Depending on the network topology, you can also configure a standby FortiLink.
NOTE: For any of the topologies:
- All of the managed FortiSwitch units will function as one Layer-2 stack where the FortiGate unit manages each FortiSwitch separately.
- The active FortiLink carries data as well as management traffic.
This section covers the following topics:
- Single FortiGate managing a single FortiSwitch unit on page 50
- Single FortiGate unit managing a stack of several FortiSwitch units on page 51
- HA-mode FortiGate units managing a single FortiSwitch unit on page 52
- HA-mode FortiGate units managing a stack of several FortiSwitch units on page 53
- HA-mode FortiGate units managing a FortiSwitch two-tier topology on page 53
- Single FortiGate unit managing multiple FortiSwitch units (using a hardware or software switch interface) on page 54
- HA-mode FortiGate units using hardware-switch interfaces and STP on page 55
- FortiLink over a point-to-point layer-2 network on page 56
- FortiLink mode over a layer-3 network on page 56
- Managing FortiSwitch units on VXLAN interfaces on page 60
- Switch redundancy with MCLAG on page 66
Single FortiGate managing a single FortiSwitch unit
On the FortiGate unit, the FortiLink interface is configured as a physical or aggregate interface. The 802.3ad aggregate interface type provides a logical grouping of one or more physical interfaces.
NOTE:
- For the aggregate interface, you must disable the split interface on the FortiGate unit.
- When you are using the aggregate interface on the FortiGate unit for the FortiLink interface, the lacp-mode of the FortiLink aggregate interface must be set to static, unless MCLAG is enabled and you are using FortiOS 6.2.0 or later. See Transitioning from a FortiLink split interface to a FortiLink MCLAG on page 74 for details.


Single FortiGate unit managing a stack of several FortiSwitch units
The FortiGate unit connects directly to one FortiSwitch unit using a physical or aggregate interface. The remaining FortiSwitch units connect in a ring using inter-switch links (ISLs). Optionally, you can connect a standby FortiLink connection to the last FortiSwitch unit. For this configuration, you create a FortiLink split interface (an aggregate interface that contains one active link and one standby link).
NOTE:
- When you are using the aggregate interface on the FortiGate unit for the FortiLink interface, the lacp-mode of the FortiLink aggregate interface must be set to static, unless MCLAG is enabled and you are using FortiOS 6.2.0 or later. See Transitioning from a FortiLink split interface to a FortiLink MCLAG on page 74 for details.
- Do not create loops or rings with the FortiGate unit in the path.

HA-mode FortiGate units managing a single FortiSwitch unit
The primary and secondary FortiGate units both connect a FortiLink to the FortiSwitch unit. The FortiLink port(s) and interface type must match on the two FortiGate units.
NOTE: Before FortiOS 6.2.0, when using HA-mode FortiGate units to manage FortiSwitch units, the HA mode must be active-passive. Starting in FortiOS 6.2.0, the FortiGate HA mode can be either active-passive or active-active.

HA-mode FortiGate units managing a stack of several FortiSwitch units
The active and passive FortiGate units both connect a FortiLink to the first FortiSwitch unit and (optionally) to the last FortiSwitch unit. The FortiLink ports and interface type must match on the two FortiGate units. When using an aggregate interface for the active/standby FortiLink configuration, make sure the FortiLink split interface is enabled (this forces one link to be active and the rest to be standby links, which avoids loops in the network). This option can be disabled later if you enable an MCLAG. See Transitioning from a FortiLink split interface to a FortiLink MCLAG on page 74.
NOTE:
- When you are using the aggregate interface on the FortiGate unit for the FortiLink interface, the lacp-mode of the FortiLink aggregate interface must be set to static, unless MCLAG is enabled and you are using FortiOS 6.2.0 or later. See Transitioning from a FortiLink split interface to a FortiLink MCLAG on page 74 for details.
- Before FortiOS 6.2.0, when using HA-mode FortiGate units to manage FortiSwitch units, the HA mode must be active-passive. Starting in FortiOS 6.2.0, the FortiGate HA mode can be either active-passive or active-active.

HA-mode FortiGate units managing a FortiSwitch two-tier topology
The distribution FortiSwitch unit connects to the active and passive FortiGate units. The FortiLink port(s) and interface type must match on the two FortiGate units. NOTE: Before FortiOS 6.2.0, when using HA-mode FortiGate units to manage FortiSwitch units, the HA mode must be active-passive. Starting in FortiOS 6.2.0, the FortiGate HA mode can be either active-passive or active-active.

Single FortiGate unit managing multiple FortiSwitch units (using a hardware or software switch interface)
The FortiGate unit connects directly to each FortiSwitch unit. Each of these FortiLink ports is added to the logical hardware-switch or software-switch interface on the FortiGate unit. Optionally, you can connect other devices to the FortiGate logical interface. These devices, which must support IEEE 802.1q VLAN tagging, will have Layer 2 connectivity with the FortiSwitch ports.
NOTE:
- Using the hardware or software switch interface in FortiLink mode is not recommended in most cases. It can be used when the traffic on the ports is very light because all traffic across the switches moves through the FortiGate unit.
- Do not create loops or rings in this topology.

HA-mode FortiGate units using hardware-switch interfaces and STP
In most FortiLink topologies, MCLAG or LAG configurations are used for FortiSwitch redundancy. However, some FortiGate models do not support the FortiLink aggregate interface, and some FortiSwitch models do not support MCLAG. The following network topology uses a hardware-switch interface on each FortiGate unit. Each FortiSwitch unit is connected to a single port of the hardware-switch interface of the FortiGate unit. The inter-switch link (ISL) between the FortiSwitch units provides redundancy. For this network topology to function, use the following commands on each FortiLink hardware-switch interface:
config system interface
    edit <FortiLink_hardware_switch_interface>
        set stp enable
    next
end
NOTE:
- The FortiLink interface uses the Link Layer Discovery Protocol (LLDP) for neighbor detection. LLDP transmission must be enabled with the set lldp-transmission enable command before enabling Spanning Tree Protocol (STP).
- STP and STP forwarding are both supported by the FortiLink hardware-switch interface.
- The software-switch interface is not supported.
- If the FortiGate model does not support aggregate interfaces, you need to configure the FortiGate unit to be the Common and Internal Spanning Tree (CIST) root by assigning the lowest STP priority to the FortiGate unit and placing each switch in a different region. You can assign the STP priority to the FortiGate unit with the set switch-priority command under config system stp. You can move a switch to another region with the set revision command under config stp-settings.

FortiLink over a point-to-point layer-2 network
Starting in FortiSwitchOS 6.4.0, you can run FortiLink mode over a point-to-point layer-2 network. You can form an interswitch link (ISL) between two FortiSwitch units over a layer-2 device or non-FortiSwitch device (such as a wireless bridge). The LLDP destination MAC address is changed to the broadcast MAC address to bypass middle layer-2 devices. For example:

To create this topology, you configure ports on both ends of the link as described in the following procedure and, optionally, configure the tag protocol identifier (TPID) between the two FortiSwitch units.
NOTE:
- The set fortilink-p2p command is available in FortiLink mode and standalone mode. The set fortilink-p2p-tpid command is available only in FortiLink mode.
- The FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, FS-148E-POE, FS-148F, FS-148F-POE, FS-148F-FPOE, FS-124F, FS-124F-POE, and FS-124F-FPOE models support only the default 0x8100 TPID; TPID changes are not supported.
1. Enable the FortiLink point-to-point network on each FortiSwitch unit:
config switch physical-port
    edit <port_name>
        set fortilink-p2p enable
    next
end
2. Make certain that the FortiLink point-to-point TPID value is the same on each FortiSwitch unit. By default, it is 0x8100.
config switch global
    set fortilink-p2p-tpid <0x0001-0xfffe>
end
FortiLink mode over a layer-3 network
This feature allows FortiSwitch islands to operate in FortiLink mode over a layer-3 network, even though they are not directly connected to the switch-controller FortiGate unit. FortiSwitch islands contain one or more FortiSwitch units. There are two main deployment scenarios for using FortiLink mode over a layer-3 network:
- In-band management, which uses the FortiSwitch unit's internal interface to connect to the layer-3 network
- Out-of-band management, which uses the FortiSwitch unit's mgmt interface to connect to the layer-3 network

Starting in FortiOS 6.4.3, you can configure a FortiLink-over-layer-3 network to use the FortiLink interface as the source IP address for the communication between the FortiGate unit and the FortiSwitch unit. You can still use the outbound interface as the source IP address if you prefer.
After you have configured FortiLink mode over a layer-3 network, downgrading FortiSwitchOS is not supported.
To use the FortiLink interface as the source IP address:
config system interface
    edit <FortiLink_interface>
        set switch-controller-source-ip fixed
    next
end
In-band management

To configure a FortiSwitch unit to operate in a layer-3 network: NOTE: You must enter these commands in the indicated order for this feature to work.

1. Reset the FortiSwitch unit to factory default settings with the execute factoryreset command.
2. If you are using DHCP discovery with DHCP option 138, the FortiSwitch unit automatically connects to the FortiGate unit and establishes FortiLink. If you are not using DHCP discovery with DHCP option 138, you can configure DHCP discovery with a different ac-dhcp-option-code or configure static discovery to find the IP address of the FortiGate unit (switch controller) that manages this switch. If you configure static discovery, you need to create a static inter-switch link (ISL) trunk and then enable or disable automatic VLAN configuration on the manually created (static) ISL trunk.
NOTE: Starting in FortiOS 7.4.1 with FortiSwitchOS 7.4.1, when using FortiLink mode over a layer-3 network and DHCP discovery with DHCP option 138, the top FortiSwitch unit (the one with the _FlinkDhcpDisc_ trunk) automatically gets a Spanning Tree Protocol (STP) priority of 24576 instead of 32768, so it is preferred as the root bridge.
To use DHCP discovery:
config switch-controller global
    set ac-discovery-type dhcp
    set ac-dhcp-option-code <integer>
end
To use static discovery:
config switch-controller global
    set ac-discovery-type static
    config ac-list
        edit <id>
            set ipv4-address <IPv4_address>
        next
    end
end
config switch trunk
    edit <trunk_name>
        set static-isl enable
        set static-isl-auto-vlan {enable | disable}
    next
end
NOTE:
- Make certain that each FortiSwitch unit can successfully ping the FortiGate unit.
- The NTP server must be configured on the FortiSwitch unit, either manually or provided by DHCP, and must be reachable from the FortiSwitch unit.
- In addition to the two layer-3 discovery modes (DHCP and static), there is the default layer-2 discovery broadcast mode. The layer-3 discovery multicast mode is unsupported.
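As an added example (not Fortinet code), the following Python script models the DHCP exchange behind option-138 discovery: the FortiGate DHCP server with vci-match enabled only answers a DISCOVER whose vendor class identifier (option 60) equals its vci-string, and the FortiSwitch unit reads the switch-controller address from the option selected by ac-dhcp-option-code (138, the CAPWAP access-controller option from RFC 5417, unless you change it). The DHCP messages, the private-use option code 224 and the function names are this example's own constructions; the controller address 10.255.2.1 and the vendor class "FortiSwitch" match the DHCP server configured later in this section.

```python
"""DHCP side of FortiSwitch layer-3 discovery: option 60 vendor-class match on
the server and option 138 (CAPWAP AC IPv4, RFC 5417) on the client.
Added example, not Fortinet code; all messages below are constructed."""
import ipaddress

DHCP_MAGIC = b"\x63\x82\x53\x63"     # RFC 2132 magic cookie that starts the options field
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE, OPT_VCI = 53, 60
OPT_CAPWAP_AC_V4 = 138               # default ac-dhcp-option-code on the FortiSwitch unit
OPT_SITE_LOCAL = 224                 # hypothetical alternative code (RFC 3942 private-use range)


def encode_options(options):
    """Serialise [(code, value_bytes), ...] into a DHCP options field."""
    out = bytearray(DHCP_MAGIC)
    for code, value in options:
        if not 0 < len(value) < 256:
            raise ValueError(f"option {code}: value must be 1..255 bytes")
        out += bytes((code, len(value))) + value
    out.append(OPT_END)
    return bytes(out)


def parse_options(blob):
    """Decode a DHCP options field into {code: value}. A repeated code is the
    continuation of the same value (RFC 3396), so fragments are concatenated."""
    if not blob.startswith(DHCP_MAGIC):
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, len(DHCP_MAGIC)
    while i < len(blob):
        code = blob[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def server_will_answer(discover, vci_string="FortiSwitch"):
    """FortiGate side with vci-match enabled: only serve clients whose
    option 60 equals vci-string, so ordinary hosts on the segment get no lease."""
    vci = parse_options(discover).get(OPT_VCI, b"")
    return vci == vci_string.encode("ascii")


def controller_addresses(offer, ac_dhcp_option_code=OPT_CAPWAP_AC_V4):
    """FortiSwitch side: the switch-controller IPv4 address(es) carried in the
    option selected by ac-dhcp-option-code; an empty list means discovery fails."""
    raw = parse_options(offer).get(ac_dhcp_option_code, b"")
    if len(raw) % 4:
        raise ValueError(f"option {ac_dhcp_option_code}: length {len(raw)} is not a multiple of 4")
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw), 4)]


def _ip(addr):
    return ipaddress.IPv4Address(addr).packed


# Constructed messages (options field only; the fixed BOOTP header is omitted).
SWITCH_DISCOVER = encode_options([(OPT_MSG_TYPE, b"\x01"), (OPT_VCI, b"FortiSwitch")])
HOST_DISCOVER = encode_options([(OPT_MSG_TYPE, b"\x01"), (OPT_VCI, b"MSFT 5.0")])
FORTIGATE_OFFER = encode_options([
    (OPT_MSG_TYPE, b"\x02"),                   # DHCPOFFER
    (1, _ip("255.255.255.0")),                 # subnet mask, as in the guide's DHCP server
    (3, _ip("10.255.2.1")),                    # default gateway = FortiLink interface
    (6, _ip("10.255.2.1")),                    # DNS (dns-service local)
    (42, _ip("10.255.2.1")),                   # NTP (ntp-service local)
    (OPT_CAPWAP_AC_V4, _ip("10.255.2.1")),     # option 138: switch controller
])
# Same controller address published under a site-specific code instead; the
# switch only finds it if ac-dhcp-option-code is set to 224 as well.
CUSTOM_CODE_OFFER = encode_options([(OPT_MSG_TYPE, b"\x02"), (OPT_SITE_LOCAL, _ip("10.255.2.1"))])

if __name__ == "__main__":
    print("server answers FortiSwitch:", server_will_answer(SWITCH_DISCOVER))
    print("server answers plain host: ", server_will_answer(HOST_DISCOVER))
    print("controller via option 138: ", controller_addresses(FORTIGATE_OFFER))
    print("controller via option 224: ", controller_addresses(CUSTOM_CODE_OFFER, OPT_SITE_LOCAL))
```

Two points the script makes visible. The vci-match only decides which clients get a lease from the FortiGate; it does not stop another DHCP server from answering. The switch accepts whatever address the answering server places in option 138, so the segment a factory-reset switch boots on must not carry untrusted DHCP servers (the dhcp-snooping trusted setting on the FortiLink trunk in the VXLAN procedure later in this section marks the one uplink that may answer), or use static discovery with an explicit ac-list instead.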
Connecting additional FortiSwitch units to the first FortiSwitch unit
In this scenario, the default FortiLink-enabled port of FortiSwitch 2 is connected to FortiSwitch 1, and the two switches then form an auto-ISL. You only need to configure the discovery settings (see Step 2) for additional switches (FortiSwitch 2 in the following diagram). Check that each FortiSwitch unit can reach the FortiGate unit.

Out-of-band management

You can use the internal interface for one FortiSwitch island to connect to the layer-3 network and the mgmt interface for another FortiSwitch island to connect to the same layer-3 network. Do not mix the internal interface connection and mgmt interface connection within a single FortiSwitch island.
Other topologies
If you have a layer-2 loop topology, make certain that the alternative path can reach the FortiGate unit and that STP is enabled on the FortiLink layer-3 trunk. If you have two FortiSwitch units separately connected to two different intermediary routers or switches and the FortiSwitch units are also connected to each other, an auto-ISL forms automatically, and STP must be enabled to avoid loops. A single logical interface (which can be a LAG) is supported when the FortiSwitch units use the internal interface as the FortiLink management interface.

You can use a LAG connected to a single intermediary router or switch. A topology with multiple ports connected to different intermediary routers or switches is not supported.
Limitations
The following limitations apply to FortiSwitch islands operating in FortiLink mode over a layer-3 network:
- FortiSwitch NAC is not supported.
- No layer-2 data path component, such as VLANs, can span across layer 3 between the FortiGate unit and the FortiSwitch unit.
- All FortiSwitch units within a FortiSwitch island must be connected to the same FortiGate unit.
- The FortiSwitch unit needs a functioning layer-3 routing configuration to reach the FortiGate unit or any feature-configured destination, such as a syslog or 802.1X authentication server.
- Do not connect a layer-2 FortiGate unit and a layer-3 FortiGate unit to the same FortiSwitch unit.
- If the FortiSwitch management port is used for a layer-3 connection to the FortiGate unit, the FortiSwitch island can contain only one FortiSwitch unit. All switch ports must remain in standalone mode. If you need more than one physical link, you can group the links as a link aggregation group (LAG).
- Do not connect a FortiSwitch unit to a layer-3 network and a layer-2 network on the same segment.
- If the network has a wide geographic distribution, some features, such as software downloads, might operate slowly.
- After a topology change, make certain that every FortiSwitch unit can reach the FortiGate unit.
- NAT is not supported between the FortiSwitch unit and the FortiGate unit.
Starting in FortiOS 7.2.1, the set fortilink-l3-mode command is deprecated. Instead, you can create a static inter-switch link (ISL) trunk and then enable or disable automatic VLAN configuration on the manually created (static) ISL trunk:
config switch trunk
    edit <trunk_name>
        set static-isl enable
        set static-isl-auto-vlan {enable | disable}
    next
end
Managing FortiSwitch units on VXLAN interfaces
You can use Virtual Extensible LAN (VXLAN) interfaces to create a layer-2 overlay network when managing a FortiSwitch unit over a layer-3 network. After a VXLAN tunnel is set up between a FortiGate device and a FortiSwitch unit, the FortiGate device can use the VXLAN interface to manage the FortiSwitch unit. Only the management traffic uses the VXLAN tunnel; the FortiSwitch data traffic does not go through the VXLAN tunnel to the FortiGate device. In the following configuration example, the FG-500E device is connected with a VXLAN tunnel to the FS-524D unit. After FortiLink is enabled on the VXLAN interface, the FortiGate device can manage the FortiSwitch unit.

To manage the FortiSwitch unit with the VXLAN interface:
1. Configure the FortiSwitch unit.
2. Configure the FortiGate device.
Configure the FortiSwitch unit
1. Configure a VLAN to use as the VXLAN interface.
config system interface
    edit "vlan-1000"
        set ip 10.200.1.2 255.255.255.0
        set allowaccess ping
        set vlanid 1000
        set interface "internal"
    next
end
2. Configure the VXLAN interface with the remote IP address of the FortiGate device.
config system vxlan
    edit "vx-4094"
        set vni 123456
        set vlanid 4094
        set interface "vlan-1000"
        set remote-ip "10.100.1.1"
    next
end
3. Configure a static route with the VXLAN remote IP address as the destination.
config router static
    edit 1
        set device "vlan-1000"
        set dst 10.100.1.1 255.255.255.255
        set gateway 10.200.1.50
    next
end
4. Configure the switch trunk to make it static and disable the automatic VLAN provisioning.
config switch trunk
    edit "__FoRtILnk0L3__"
        set auto-isl 1
        set static-isl enable
        set static-isl-auto-vlan disable
        set members "port19"
    next
end
5. Configure the FortiLink interface to set the native VLAN to match the VLAN used for the VXLAN defined in step 1.
config switch interface
    edit "__FoRtILnk0L3__"
        set native-vlan 1000
        set allowed-vlans 1,1000,4088-4094
        set dhcp-snooping trusted
        ....
    next
end
6. If you are not using DHCP option 138 to inform the FortiSwitch unit of the FortiGate IP address, enable static discovery.
config switch-controller global
    set ac-discovery-type static
    config ac-list
        edit 1
            set ipv4-address 10.255.2.1
        next
    end
end
7. Assign VLAN ID 4094 to the "internal" interface, which is used to establish the FortiLink connection with the FortiGate device over VXLAN.
config switch interface
    edit "internal"
        set native-vlan 4094
    next
end
8. Make certain that the FortiSwitch unit can be discovered by the FortiGate device over VXLAN.
config switch global
    set auto-fortilink-discovery enable
end
Configure the FortiGate device
1. Configure the system interface. The allowaccess setting controls which administrative services the FortiGate answers on this port; the VXLAN tunnel itself only needs IP reachability, so enable http and https here only if you actually administer the FortiGate through port2.
config system interface
    edit "port2"
        set vdom "root"
        set ip 10.100.1.1 255.255.255.0
        set allowaccess ping https http
    next
end
2. Configure the VXLAN interface.
config system vxlan
    edit "flk-vxlan"
        set interface "port2"
        set vni 123456
        set remote-ip "10.200.1.2"
    next
end
3. Configure the FortiLink interface as the VXLAN type and set the IP address.
config system interface
    edit "flk-vxlan"
        set fortilink enable
        set ip 10.255.2.1 255.255.255.0
    next
end
4. Configure a static route.
config router static
    edit 0
        set dst 10.200.1.0 255.255.255.0
        set gateway 10.100.1.50
        set distance 5
        set device "port2"
    next
end
5. Configure the DHCP server with option 138 to provide the switch-controller IP address to the FortiSwitch unit. DNS and NTP services are provided by the FortiGate device.
config system dhcp server
    edit 0
        set dns-service local
        set ntp-service local
        set default-gateway 10.255.2.1
        set netmask 255.255.255.0
        set interface "flk-vxlan"
        config ip-range
            edit 1
                set start-ip 10.255.2.2
                set end-ip 10.255.2.254
            next
        end
        config options
            edit 1
                set code 138
                set type ip
                set ip "10.255.2.1"
            next
        end
        set vci-match enable
        set vci-string "FortiSwitch"
    next
end
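As an added example (not Fortinet code), the following Python script cross-checks the two halves of the configuration above before the tunnel is brought up: the VNI and remote-ip on each side, the static routes that carry the VXLAN traffic in both directions, the VLAN plumbing on the switch, and that every controller address handed to the switch (DHCP option 138, the DHCP default gateway or the static ac-list) is the FortiLink interface address. The dict layout, the function names and the override helper are this example's own; the values are the ones used in the procedure.

```python
"""Consistency check for the FortiGate and FortiSwitch halves of a VXLAN
FortiLink configuration. Added example, not Fortinet code: the dict layout,
function names and checks are this example's own; the values are the ones
in the guide's procedure."""
import copy
import ipaddress as ip

# FortiGate side (FG-500E in the guide): underlay port, VXLAN interface,
# FortiLink interface, static route and DHCP server with option 138.
FORTIGATE = {
    "underlay": {"name": "port2", "ip": "10.100.1.1/24"},
    "vxlan": {"name": "flk-vxlan", "vni": 123456, "remote_ip": "10.200.1.2"},
    "fortilink": {"interface": "flk-vxlan", "ip": "10.255.2.1/24"},
    "static_routes": [{"dst": "10.200.1.0/24", "gateway": "10.100.1.50"}],
    "dhcp": {"interface": "flk-vxlan", "default_gateway": "10.255.2.1",
             "range": ("10.255.2.2", "10.255.2.254"), "option138": "10.255.2.1"},
}

# FortiSwitch side (FS-524D in the guide): SVI used as VTEP, VXLAN interface,
# static route, FortiLink trunk, internal interface and static discovery list.
FORTISWITCH = {
    "underlay": {"name": "vlan-1000", "vlanid": 1000, "ip": "10.200.1.2/24"},
    "vxlan": {"name": "vx-4094", "vni": 123456, "vlanid": 4094,
              "interface": "vlan-1000", "remote_ip": "10.100.1.1"},
    "static_routes": [{"dst": "10.100.1.1/32", "gateway": "10.200.1.50"}],
    "fortilink_trunk": {"name": "__FoRtILnk0L3__", "native_vlan": 1000},
    "internal": {"native_vlan": 4094},
    "ac_list": ["10.255.2.1"],
}


def _route_reaches(routes, dest, egress_net):
    """True if some static route covers dest with a gateway on the egress subnet."""
    dest = ip.ip_address(dest)
    return any(dest in ip.ip_network(r["dst"], strict=False)
               and ip.ip_address(r["gateway"]) in egress_net for r in routes)


def check_vxlan_fortilink(fgt, fsw):
    """Return a list of findings; an empty list means both sides agree."""
    problems = []
    fgt_ul = ip.ip_interface(fgt["underlay"]["ip"])
    fsw_ul = ip.ip_interface(fsw["underlay"]["ip"])
    flk = ip.ip_interface(fgt["fortilink"]["ip"])

    # Tunnel endpoints: the VNI is a 24-bit field (RFC 7348) and must match;
    # each side's remote-ip must be the other side's underlay address.
    if fgt["vxlan"]["vni"] != fsw["vxlan"]["vni"]:
        problems.append(f"vni mismatch: FortiGate {fgt['vxlan']['vni']}, FortiSwitch {fsw['vxlan']['vni']}")
    if not 0 <= fgt["vxlan"]["vni"] <= 0xFFFFFF:
        problems.append(f"vni {fgt['vxlan']['vni']} does not fit in 24 bits")
    if ip.ip_address(fgt["vxlan"]["remote_ip"]) != fsw_ul.ip:
        problems.append("FortiGate remote-ip is not the FortiSwitch underlay address")
    if ip.ip_address(fsw["vxlan"]["remote_ip"]) != fgt_ul.ip:
        problems.append("FortiSwitch remote-ip is not the FortiGate underlay address")

    # Underlay routing in both directions (the guide's static routes).
    if not _route_reaches(fgt["static_routes"], fsw_ul.ip, fgt_ul.network):
        problems.append("FortiGate has no usable static route to the FortiSwitch VTEP")
    if not _route_reaches(fsw["static_routes"], fgt_ul.ip, fsw_ul.network):
        problems.append("FortiSwitch has no usable static route to the FortiGate VTEP")

    # VLAN plumbing on the switch: VXLAN rides the SVI, the FortiLink trunk's
    # native VLAN is that SVI's VLAN, and internal carries the VXLAN VLAN.
    if fsw["vxlan"]["interface"] != fsw["underlay"]["name"]:
        problems.append("FortiSwitch VXLAN interface is not the underlay SVI")
    if fsw["fortilink_trunk"]["native_vlan"] != fsw["underlay"]["vlanid"]:
        problems.append("FortiLink trunk native-vlan differs from the underlay SVI VLAN")
    if fsw["internal"]["native_vlan"] != fsw["vxlan"]["vlanid"]:
        problems.append("internal native-vlan differs from the VXLAN vlanid")

    # Management plane: FortiLink is enabled on the VXLAN interface, DHCP serves
    # that interface, and every controller address the switch can learn is flk.ip.
    if fgt["fortilink"]["interface"] != fgt["vxlan"]["name"]:
        problems.append("fortilink is not enabled on the VXLAN interface")
    if fgt["dhcp"]["interface"] != fgt["fortilink"]["interface"]:
        problems.append("DHCP server is not bound to the FortiLink interface")
    lo, hi = (ip.ip_address(a) for a in fgt["dhcp"]["range"])
    if not (lo in flk.network and hi in flk.network and lo < hi) or lo <= flk.ip <= hi:
        problems.append("DHCP ip-range is not a valid range inside the FortiLink subnet that excludes its own address")
    for name, addr in [("option 138", fgt["dhcp"]["option138"]),
                       ("DHCP default-gateway", fgt["dhcp"]["default_gateway"]),
                       *[("ac-list", a) for a in fsw["ac_list"]]]:
        if ip.ip_address(addr) != flk.ip:
            problems.append(f"{name} address {addr} is not the FortiLink address {flk.ip}")
    return problems


def override(cfg, *path, value):
    """Deep-copy cfg and replace the value at the given key path (for what-if checks)."""
    new = copy.deepcopy(cfg)
    node = new
    for key in path[:-1]:
        node = node[key]
    node[path[-1]] = value
    return new


if __name__ == "__main__":
    print(check_vxlan_fortilink(FORTIGATE, FORTISWITCH) or "both sides consistent")
    print(check_vxlan_fortilink(FORTIGATE, override(FORTISWITCH, "vxlan", "vni", value=123457)))
```

Run it after editing either side; a non-empty list names what to fix first. Keep in mind that VXLAN (RFC 7348) adds no authentication or encryption of its own, so the layer-3 underlay between the two VTEPs should be a network you control, or one where traffic to UDP port 4789 is filtered to the two VTEP addresses.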
FortiSwitch VLANs over VXLAN
On some FortiSwitch models, you can send user traffic over a VXLAN tunnel, creating a layer-2 overlay over a layer-3 network, allowing Security Fabric functionality to be applied to devices connecting to the FortiSwitch unit.
In the following configuration example, the FG-1800F device is connected with a VXLAN tunnel to the FS-1048E unit. After FortiLink is enabled on the VXLAN interface, the FortiGate device can manage the FortiSwitch unit.

1. Configure a VLAN to use as the VXLAN interface.
config system interface
    edit "vlan-1000"
        set ip 10.200.1.2 255.255.255.0
        set vlanid 1000
        set interface "internal"
    next
end
2. Configure a static route with the VXLAN remote IP address as the destination.
config router static
    edit 1
        set device "vlan-1000"
        set dst 10.100.1.1 255.255.255.255
        set gateway 10.200.1.50
    next
end
3. Configure the link monitor to monitor access to the gateway.
config system link-monitor
    edit "1"
        set srcintf "vlan-1000"
        set protocol ping
        set gateway-ip 10.200.1.50
        set interval 60
    next
end
4. Configure the switch trunk to make it static and disable the automatic VLAN provisioning.
config switch trunk
    edit "__FoRtILnk0L3__"
        set auto-isl 1
        set static-isl enable
        set static-isl-auto-vlan disable
        set members "port19"
    next
end
5. Configure the FortiLink interface so that the native VLAN matches the VLAN used for the VXLAN defined in step 1.
config switch interface
    edit "__FoRtILnk0L3__"
        set native-vlan 1000
    next
end
6. Assign VLAN ID 4094 to the "internal" interface that will be used to establish the FortiLink connection with the FortiGate device over VXLAN.
config switch interface
    edit "internal"
        set native-vlan 4094
    next
end
7. If you are not using DHCP option 138 to inform the FortiSwitch unit of the FortiGate IP address, enable static discovery.
config switch-controller global
    set ac-discovery-type static
    config ac-list
        edit 1
            set ipv4-address 10.255.2.1
        next
    end
end

8. Connect two physical ports to each other as a loopback. In this example, port23 and port24 are connected.
9. Create two trunks, each with one physical link that is connected as a loopback. In this example, trunk tr1 is created with port23 as a member and trunk tr2 is created with port24 as a member; port24 forms a loopback with port23.
10. Configure trunk tr2 as a static ISL. Leave the rest of the values at the defaults.
config switch trunk
    edit "tr2"
        set auto-isl 1
        set static-isl enable
        set static-isl-auto-vlan disable
        set members "port24"
    next
end
11. Configure the tr2 interface with a native VLAN of 4094 and the allowed VLANs as 1-4094.
config switch interface
    edit "tr2"
        set native-vlan 4094
        set allowed-vlans 1-4094
    next
end
12. Configure trunk tr1 as a static ISL with automatic VLAN provisioning disabled. Leave the rest of the values at the defaults. This trunk is used as the VXLAN tunnel-loopback interface; port23 forms a loopback with port24.
config switch trunk
    edit "tr1"
        set auto-isl 1
        set static-isl enable
        set static-isl-auto-vlan disable
        set members "port23"
    next
end
13. Configure the tr1 interface with a native VLAN of 4087 and disable STP.
config switch interface
    edit "tr1"
        set native-vlan 4087
        set stp-state disabled
    next
end
14. Configure the VXLAN interface with tr1 as the tunnel-loopback interface. Set interface to the normal SVI from step 1, which provides the layer-3 path to the remote VTEP. The remote-ip address is the remote VTEP; in this case, the remote VTEP is the FortiGate interface being used for the VXLAN tunnel. With this configuration, all VLAN traffic from the switch, including all FortiSwitch VLANs, loops through tr1 and enters the VXLAN tunnel to the FortiGate device.
config system vxlan
    edit vx1
        set interface vlan-1000
        set vni 4094
        set remote-ip 10.100.1.1
        set tunnel-loopback "tr1"
    next
end

Verifying VXLAN management
Starting in FortiOS 7.4.0 with FortiSwitchOS 7.4.0, you can use the execute switch-controller get-conn-status command to show when the managed FortiSwitch unit is controlled by VXLAN. In the following example, the V flag indicates that the managed FortiSwitch unit is controlled by VXLAN:
FGVMULTM22004064 # execute switch-controller get-conn-status
Managed-devices in current vdom root:

FortiLink interface : vx100
SWITCH-ID          VERSION        STATUS         FLAG  ADDRESS  JOIN-TIME                 SERIAL
S108DV3A17000071   v7.2.0 (5029)  Authorized/Up  V     1.2.3.4  Wed Mar 29 17:23:24 2023  S108DV3A17000071

Flags: C=config sync, U=upgrading, S=staged, D=delayed reboot pending, E=config sync error, 3=L3, V=VXLAN
Managed-Switches: 1 (UP: 1 DOWN: 0 MAX: 300)
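As an added example (not Fortinet code), the following Python script parses that output and turns it into monitoring findings: a switch that is not Authorized/Up, a config sync error (E flag), or, on a VXLAN FortiLink interface, a switch without the V flag. The column regex is written against the sample output above; the second, degraded sample and its switch serial are constructed for the example, and a FLAG column of "-" is assumed to mean that no flags are set.

```python
"""Parse 'execute switch-controller get-conn-status' output and flag managed
switches that are not healthy or not controlled over VXLAN. Added example, not
Fortinet code; the column regex follows the sample output in the guide, and a
FLAG column of "-" is assumed to mean no flags set."""
import re

FLAG_MEANING = {"C": "config sync", "U": "upgrading", "S": "staged",
                "D": "delayed reboot pending", "E": "config sync error",
                "3": "L3", "V": "VXLAN"}

IFACE_RE = re.compile(r"^FortiLink interface\s*:\s*(\S+)")
SUMMARY_RE = re.compile(r"^Managed-Switches:\s*(\d+)\s*\(UP:\s*(\d+)\s*DOWN:\s*(\d+)\s*MAX:\s*(\d+)\)")
ROW_RE = re.compile(
    r"^(?P<switch_id>\S+)\s+(?P<version>v\S+ \(\d+\))\s+(?P<status>\S+)\s+"
    r"(?P<flags>\S+)\s+(?P<address>\S+)\s+"
    r"(?P<join_time>\S+ \S+ \d+ \d\d:\d\d:\d\d \d{4})\s+(?P<serial>\S+)$")


def parse_conn_status(text):
    """Return {"fortilink_interface", "switches": [...], "summary"} from CLI output."""
    report = {"fortilink_interface": None, "switches": [], "summary": None}
    for raw in text.splitlines():
        line = raw.strip()
        if m := IFACE_RE.match(line):
            report["fortilink_interface"] = m.group(1)
        elif m := SUMMARY_RE.match(line):
            report["summary"] = dict(zip(("total", "up", "down", "max"), map(int, m.groups())))
        elif m := ROW_RE.match(line):
            row = m.groupdict()
            row["flags"] = set() if row["flags"] == "-" else set(row["flags"])
            unknown = row["flags"] - set(FLAG_MEANING)
            if unknown:
                raise ValueError(f"{row['switch_id']}: unknown flag(s) {sorted(unknown)}")
            report["switches"].append(row)
    return report


def fortilink_problems(report, expect_vxlan=True):
    """Findings for monitoring: every switch should be Authorized/Up, free of
    config-sync errors and, on a VXLAN FortiLink interface, carry the V flag."""
    problems = []
    for sw in report["switches"]:
        sid = sw["switch_id"]
        if sw["status"] != "Authorized/Up":
            problems.append(f"{sid}: status {sw['status']}")
        if "E" in sw["flags"]:
            problems.append(f"{sid}: {FLAG_MEANING['E']}")
        if expect_vxlan and "V" not in sw["flags"]:
            shown = ", ".join(FLAG_MEANING[f] for f in sorted(sw["flags"])) or "none"
            problems.append(f"{sid}: not controlled over VXLAN (flags: {shown})")
    summary = report["summary"]
    if summary and summary["total"] != len(report["switches"]):
        problems.append(f"summary lists {summary['total']} switches but {len(report['switches'])} rows parsed")
    if summary and summary["down"]:
        problems.append(f"{summary['down']} managed switch(es) reported DOWN")
    return problems


# The guide's sample output (one VXLAN-managed switch).
SAMPLE_OK = """\
Managed-devices in current vdom root:

FortiLink interface : vx100
SWITCH-ID VERSION STATUS FLAG ADDRESS JOIN-TIME SERIAL
S108DV3A17000071 v7.2.0 (5029) Authorized/Up V 1.2.3.4 Wed Mar 29 17:23:24 2023 S108DV3A17000071

Flags: C=config sync, U=upgrading, S=staged, D=delayed reboot pending, E=config sync error, 3=L3, V=VXLAN
Managed-Switches: 1 (UP: 1 DOWN: 0 MAX: 300)
"""

# Constructed variant: a second switch (made-up serial) joined over plain layer 3,
# is down and has a config sync error.
SAMPLE_DEGRADED = SAMPLE_OK.replace(
    "\nFlags:",
    "\nS108DV3A17000072 v7.2.0 (5029) Authorized/Down 3E 1.2.3.5 Wed Mar 29 17:25:01 2023 S108DV3A17000072\n\nFlags:",
).replace("Managed-Switches: 1 (UP: 1 DOWN: 0", "Managed-Switches: 2 (UP: 1 DOWN: 1")

if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("degraded", SAMPLE_DEGRADED)):
        print(name, fortilink_problems(parse_conn_status(text)) or "healthy")
```

Feed it the command output captured over SSH or from an automation stitch; pass expect_vxlan=False for a FortiLink interface that is not a VXLAN interface, where the 3 flag rather than V is the expected layer-3 indicator.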
Switch redundancy with MCLAG
The following network topologies provide switch redundancy with MCLAG:
- Standalone FortiGate unit with dual-homed FortiSwitch access on page 66
- HA-mode FortiGate units with dual-homed FortiSwitch access on page 67
- HA-mode one-tier MCLAG on page 68
- FortiLink with an HA cluster of four FortiGate units on page 69
- HA-mode FortiGate units in different sites on page 71
- Isolated LAN/WAN with multiple FortiLink interfaces on page 71
- Three-tier FortiLink MCLAG configuration on page 72
- Dual-homed servers connected to a pair of FortiSwitch units using an MCLAG on page 73
Standalone FortiGate unit with dual-homed FortiSwitch access
This network topology provides high port density with two tiers of FortiSwitch units. See Transitioning from a FortiLink split interface to a FortiLink MCLAG on page 74. After the MCLAG peer group is created between FortiSwitch 1 and FortiSwitch 2, the MCLAG trunks are automatically established with the access switches (FortiSwitch 3 and FortiSwitch 4).
NOTE:
- On the global switch level, mclag-stp-aware must be enabled, and STP must be enabled on all ICL trunks. They are both enabled by default.
- Fortinet recommends using at least two links for ICL redundancy.
NOTE: If you are going to use IGMP snooping with an MCLAG topology:
- On the global switch level, mclag-igmpsnooping-aware must be enabled. It is enabled by default.
- The mcast-snooping-flood-traffic and igmp-snooping-flood-reports settings must be disabled on the ISL and FortiLink trunks but enabled on ICL trunks. These settings are enabled by default.
- IGMP proxy must be enabled.

HA-mode FortiGate units with dual-homed FortiSwitch access
In active-passive HA mode, only one FortiGate unit is active at a time. If the active FortiGate unit fails, the backup FortiGate unit becomes active.
See Transitioning from a FortiLink split interface to a FortiLink MCLAG on page 74.
After the MCLAG peer group is created between FortiSwitch 1 and FortiSwitch 2, the MCLAG trunks are automatically established with the access switches (FortiSwitch 3, FortiSwitch 4, and FortiSwitch 5).
NOTE:
- Before FortiOS 6.2.0, when using HA-mode FortiGate units to manage FortiSwitch units, the HA mode must be active-passive. Starting in FortiOS 6.2.0, the FortiGate HA mode can be either active-passive or active-active.
- On the global switch level, mclag-stp-aware must be enabled, and STP must be enabled on all ICL trunks. They are both enabled by default.
- Fortinet recommends using at least two links for ICL redundancy.
NOTE: If you are going to use IGMP snooping with an MCLAG topology:
- On the global switch level, mclag-igmpsnooping-aware must be enabled. It is enabled by default.
- The mcast-snooping-flood-traffic and igmp-snooping-flood-reports settings must be disabled on the ISL and FortiLink trunks but enabled on ICL trunks. These settings are enabled by default.
- IGMP proxy must be enabled.

HA-mode one-tier MCLAG
HA-mode FortiGate units connect to redundant distribution FortiSwitch units. Access FortiSwitch units are arranged in a stack in each IDF, connected to both distribution switches.
For the FortiLink connection to each distribution switch, you create a FortiLink split interface (an aggregate interface that contains one active link and one standby link).
NOTE:
- Before FortiSwitchOS 3.6.4, MCLAG was not supported when access rings were present. Starting with FortiSwitchOS 3.6.4, MCLAG is supported even with access rings present.
- Before FortiOS 6.2.0, when using HA-mode FortiGate units to manage FortiSwitch units, the HA mode must be active-passive. Starting in FortiOS 6.2.0, the FortiGate HA mode can be either active-passive or active-active.
- When you are using an aggregate interface on the FortiGate unit as the FortiLink interface, the lacp-mode of the FortiLink aggregate interface must be set to static, unless MCLAG is enabled and you are using FortiOS 6.2.0 or later. See Transitioning from a FortiLink split interface to a FortiLink MCLAG on page 74 for details.
- On the global switch level, mclag-stp-aware must be enabled, and STP must be enabled on all ICL trunks. They are both enabled by default.
- This is only an example topology. Other combinations of FortiGate units and FortiSwitch units can be used to create a similar topology.
- Fortinet recommends using at least two links for ICL redundancy.
NOTE: If you are going to use IGMP snooping with an MCLAG topology:
- On the global switch level, mclag-igmpsnooping-aware must be enabled. It is enabled by default.
- The mcast-snooping-flood-traffic and igmp-snooping-flood-reports settings must be disabled on the ISL and FortiLink trunks but enabled on ICL trunks. These settings are enabled by default.
- IGMP proxy must be enabled.

FortiLink with an HA cluster of four FortiGate units
A FortiGate HA cluster consists of two to four FortiGate units configured for HA operation. Each FortiGate in a cluster is called a cluster unit. All cluster units must be the same FortiGate model with the same FortiOS firmware build installed. All cluster units must also have the same hardware configuration (for example, the same number of hard disks) and be running in the same operating mode (NAT mode or transparent mode).
In addition, the cluster units must be able to communicate with each other through their heartbeat interfaces. This heartbeat communication is required for the cluster to be created and to continue operating. Without it, the cluster acts like a collection of standalone FortiGate units.
On startup, after configuring the cluster units with the same HA configuration and connecting their heartbeat interfaces, the cluster units use the FortiGate Clustering Protocol (FGCP) to find other FortiGate units configured for HA operation and to negotiate to create a cluster. During cluster operation, the FGCP shares communication and synchronization information among the cluster units over the heartbeat interface link. This communication and synchronization is called the FGCP heartbeat or the HA heartbeat. Often, this is shortened to just heartbeat.
NOTE: You can create an FGCP cluster of up to four FortiGate units.
The cluster uses the FGCP to select the primary unit, and to provide device, link, and session failover. The FGCP also manages the two HA modes; active-passive (failover HA) and active-active (load-balancing HA).
The FGCP supports a cluster of two, three, or four FortiGate units. You can add more than two units to a cluster to improve reliability: if two cluster units fail the third will continue to operate and so on. A cluster of three or four units in active-active mode may improve performance because another cluster unit is available for security profile processing. However, active-active FGCP HA results in diminishing performance returns as you add units to the cluster, so the additional performance achieved by adding the third cluster unit might not be worth the cost.
There are no special requirements for clusters of more than two units. Here are a few recommendations though:
- The matching heartbeat interfaces of all of the cluster units must be able to communicate with each other, so each unit's matching heartbeat interface should be connected to the same switch. If the ha1 interface is used for heartbeat communication, the ha1 interfaces of all of the units in the cluster must be connected together so that communication can happen between all of the cluster units over the ha1 interface.
- Redundant heartbeat interfaces are recommended. You can reduce the number of points of failure by connecting each matching set of heartbeat interfaces to a different switch. This is not a requirement, however, and you can connect both heartbeat interfaces of all cluster units to the same switch. If that switch fails, the cluster will stop forwarding traffic.
- For any cluster, a dedicated switch for each heartbeat interface is recommended because of the large volume of heartbeat traffic and to keep heartbeat traffic off of other networks, but it is not required.
- Full mesh HA can scale to three or four FortiGate units. Full mesh HA is not required if you have more than two units in a cluster.
- Virtual clustering can only be done with two FortiGate units.
- Fortinet recommends using at least two links for ICL redundancy.
- FortiSwitch units must be connected on a NAT VDOM.
The following network topology uses four FortiGate units; each is a 3200D model and is running FortiOS 6.4.0 build 1533. The FortiSwitch models are 1048E, 448D, and 426EF; they are running FortiSwitchOS 6.2.0 build 0202:

HA-mode FortiGate units in different sites
There are two sites in this topology, each with a FortiGate unit connected to the WAN/Internet. The two sites share the FortiGate units in active-passive HA mode. The FortiGate units use the FortiSwitch units in FortiLink mode as the heartbeat connections because of limited physical connections between the two sites. FortiOS 6.4.2 or higher and FortiSwitchOS 6.4.2 or higher are required. For example steps, refer to Deploying MCLAG topologies on page 77. NOTE: Fortinet recommends using at least two links for ICL redundancy.

Isolated LAN/WAN with multiple FortiLink interfaces
This topology makes use of two FortiLink interfaces to provide a dedicated switching layer for each part of the network, LAN and WAN. Each FortiLink interface is independent with its own FortiSwitch VLANs, providing two separate FortiLink stacks.
In this specific example, the FortiLink stack for the LAN networks consists of a two-tier MCLAG topology with dual-homed access switches, whereas the WAN FortiLink stack has a one-tier MCLAG peer group connected to the ISP routers.
Starting with FortiOS 6.4.2, you can use the GUI to entirely manage multiple FortiLink stacks.

Three-tier FortiLink MCLAG configuration
To create a three-tier FortiLink MCLAG topology, use FortiOS 6.2.3 GA or later and FortiSwitchOS 6.2.3 GA or later. MCLAG can be deployed in up to three tiers to expand the FortiSwitch stack, offering link and switch redundancy with the efficient use of the bandwidth because all links are active. For the procedure, see Deploying MCLAG topologies on page 77.

NOTE: Fortinet recommends using at least two links for ICL redundancy.

Dual-homed servers connected to a pair of FortiSwitch units using an MCLAG
To configure a multichassis LAG, you need to configure FortiSwitch 1 and FortiSwitch 2 as MCLAG peer switches before creating a two-port LAG. Then you set up two MCLAGs towards the servers, each MCLAG using one port from each FortiSwitch unit. For the procedure, see Deploying MCLAG topologies on page 77. This topology is supported when the FortiGate unit is in HA mode.
NOTE:
- On the global switch level, mclag-stp-aware must be enabled, and STP must be enabled on all ICL trunks. They are both enabled by default.
- Fortinet recommends using at least two links for ICL redundancy.
NOTE: If you are going to use IGMP snooping with an MCLAG topology:
- On the global switch level, mclag-igmpsnooping-aware must be enabled. It is enabled by default.
- The mcast-snooping-flood-traffic and igmp-snooping-flood-reports settings must be disabled on the ISL and FortiLink trunks but enabled on ICL trunks. These settings are enabled by default.
- IGMP proxy must be enabled.

MCLAG peer groups
A multichassis LAG (MCLAG) provides node-level redundancy by grouping two FortiSwitch units together so that they appear as a single switch on the network. If either switch fails, the MCLAG continues to function without any interruption, increasing network resiliency and eliminating the delays associated with the Spanning Tree Protocol (STP). This section covers the following topics:
- MCLAG requirements on page 74
- Transitioning from a FortiLink split interface to a FortiLink MCLAG on page 74
- Deploying MCLAG topologies on page 77
MCLAG requirements
- There is a maximum of two FortiSwitch units per MCLAG. Both peer switches should be of the same hardware model and the same software version. Mismatched configurations might work but are unsupported.
- The routing feature is not available within an MCLAG.
- When min_bundle or max_bundle is combined with MCLAG, the bundle limit properties are applied only to the local aggregate interface.
- On the global switch level, mclag-stp-aware must be enabled, and STP must be enabled on all ICL trunks. They are both enabled by default.
NOTE: If you are going to use IGMP snooping with an MCLAG topology:
- On the global switch level, mclag-igmpsnooping-aware must be enabled. By default, mclag-igmpsnooping-aware is enabled in the FortiSwitchOS CLI.
- The mcast-snooping-flood-traffic and igmp-snooping-flood-reports settings must be disabled on the ISL and FortiLink trunks but enabled on ICL trunks. These settings are enabled by default.
- IGMP proxy must be enabled.
Transitioning from a FortiLink split interface to a FortiLink MCLAG
You can use the FortiLink split interface to connect the FortiLink aggregate interface from one FortiGate unit to two FortiSwitch units. When the FortiLink split interface is enabled, only one link remains active. In this topology, the FortiLink split interface connects a FortiLink aggregate interface from one FortiGate unit to two FortiSwitch units. The aggregate interface of the FortiGate unit for this configuration contains at least one physical port connected to each FortiSwitch unit.

NOTE:
- Make sure that the split interface is enabled.
- This procedure also applies to a FortiGate unit in HA mode.
- More links can be added between the FortiGate unit and the FortiSwitch unit.
- On the global switch level, mclag-stp-aware must be enabled, and STP must be enabled on all ICL trunks. They are both enabled by default.
- Fortinet recommends using at least two links for ICL redundancy.
NOTE: If you are going to use IGMP snooping with an MCLAG topology:
- On the global switch level, mclag-igmpsnooping-aware must be enabled. It is enabled by default.
- The mcast-snooping-flood-traffic and igmp-snooping-flood-reports settings must be disabled on the ISL and FortiLink trunks but enabled on ICL trunks. These settings are enabled by default.
- IGMP proxy must be enabled.
Use the FortiGate CLI to change the FortiSwitch units' configuration without losing their management from the FortiGate unit. You do not need to change anything on the individual FortiSwitch units.
1. You can use the GUI (starting in FortiOS 7.2.4) or CLI to form the MCLAG between two switches.
To use the FortiGate GUI:
a. Go to Security Fabric > Security Rating. Look under Failed > Enable MC-LAG to find which pair of switches can form a tier-1 MCLAG.

b. Go to WiFi & Switch Controller > Managed FortiSwitches. In the Topology view, hover over the inter-switch link between the pair of switches and then click Create MC-LAG pair in the dialog.

To use the FortiGate CLI:
a. Assign the LLDP profile "default-auto-mclag-icl" to the ports that should form the MCLAG ICL in FortiSwitch unit 1. For example:
FGT_Switch_Controller # config switch-controller managed-switch
FGT_Switch_Controller (managed-switch) # edit FS1E48T419000051
FGT_Switch_Controller (FS1E48T419000051) # config ports
FGT_Switch_Controller (ports) # edit port49
FGT_Switch_Controller (port49) # set lldp-profile default-auto-mclag-icl
FGT_Switch_Controller (port49) # end
FGT_Switch_Controller (FS1E48T419000051) # end
b. Assign the LLDP profile "default-auto-mclag-icl" to the ports that should form the MCLAG ICL in FortiSwitch unit 2. The port numbers can be different.
2. Disable the split interface in the FortiLink interface. For example:
config system interface
    edit <aggregate_name>
        set fortilink-split-interface disable
    next
end
3. From the FortiGate unit, enable the LACP active mode if not already set:
config system interface
    edit <aggregate_name>
        set lacp-mode active
    next
end
NOTE: If you are using FortiOS 6.2 or earlier, use the set lacp-mode static command instead.
4. Check that the LAG is working correctly. For example:
diagnose netlink aggregate name <aggregate_name>

If you disable the MCLAG ICL, you need to enable the fortilink-split-interface.
Deploying MCLAG topologies
This section covers the following topics:
- Dual-homed servers connected to a pair of FortiSwitch units using an MCLAG on page 78
- Multi-tiered MCLAG with HA-mode FortiGate units on page 79
- HA-mode FortiGate units in different sites on page 81
- Interconnecting FortiLink fabrics on page 85

Dual-homed servers connected to a pair of FortiSwitch units using an MCLAG
To configure a multichassis LAG, you need to configure FortiSwitch 1 and FortiSwitch 2 as MCLAG peer switches before creating a two-port LAG. See Transitioning from a FortiLink split interface to a FortiLink MCLAG on page 74. Then you set up two MCLAGs towards the servers, each MCLAG using one port from each FortiSwitch unit. This topology is also supported when the FortiGate unit is in HA mode.
NOTE:
- On the global switch level, mclag-stp-aware must be enabled, and STP must be enabled on all ICL trunks. They are both enabled by default.
- Fortinet recommends using at least two links for ICL redundancy.
NOTE: If you are going to use IGMP snooping with an MCLAG topology:
- On the global switch level, mclag-igmpsnooping-aware must be enabled. It is enabled by default.
- The mcast-snooping-flood-traffic and igmp-snooping-flood-reports settings must be disabled on the ISL and FortiLink trunks but enabled on ICL trunks. These settings are enabled by default.
- IGMP proxy must be enabled.

Step 1: Ensure the MCLAG ICL is already configured between FortiSwitch 1 and FortiSwitch 2.
diagnose switch-controller switch-info mclag icl
Step 2: For each server, configure a trunk with MCLAG enabled. For server 1, select port10 on FortiSwitch 1 and FortiSwitch 2. For server 2, select port15 on FortiSwitch 1 and FortiSwitch 2. For details, refer to MCLAG trunks on page 103.
Step 3: Verify the MCLAG configuration.
diagnose switch-controller switch-info mclag list

Multi-tiered MCLAG with HA-mode FortiGate units
Use the following procedure to deploy tier-2 and tier-3 MCLAG peer groups from the FortiGate switch controller without the need for direct console access to the FortiSwitch units.

NOTE:
- Fortinet recommends using at least two links for ICL redundancy.
- Before FortiOS 6.2.0, when using HA-mode FortiGate units to manage FortiSwitch units, the HA mode must be active-passive. Starting in FortiOS 6.2.0, the FortiGate HA mode can be either active-passive or active-active.
- In this topology, you must use the auto-isl-port-group setting as described in the following configuration example. This setting instructs the switches to group ports from MCLAG peers together into one MCLAG when the inter-switch link (ISL) is formed.
- The auto-isl-port-group setting must be done directly on the FortiSwitch unit.
- On the global switch level, mclag-stp-aware must be enabled, and STP must be enabled on all ICL trunks. They are both enabled by default.
NOTE: If you are going to use IGMP snooping with an MCLAG topology:
- On the global switch level, mclag-igmpsnooping-aware must be enabled. It is enabled by default.
- The mcast-snooping-flood-traffic and igmp-snooping-flood-reports settings must be disabled on the ISL and FortiLink trunks; but the mcast-snooping-flood-traffic and igmp-snooping-flood-reports settings must be enabled on ICL trunks. These settings are enabled by default.
- IGMP proxy must be enabled.
To create a three-tier FortiLink MCLAG topology, use FortiOS 6.2.3 GA or later and FortiSwitchOS 6.2.3 GA or later.

Tier-1 MCLAG
Wire the two core FortiSwitch units to the FortiGate devices. To configure the FortiSwitch units in the core, see Transitioning from a FortiLink split interface to a FortiLink MCLAG on page 74.
Tier-2 and Tier-3 MCLAGs

1. Connect only the tier-2 MCLAG FSW-3 and FSW-4 to FSW-1 and FSW-2 (leaving the other switches in Closet 1 disconnected). Wait until they are discovered and authorized (authorization must be done manually if auto-authorization is disabled).
2. Using the FortiGate CLI, assign the LLDP profile "default-auto-mclag-icl" to the ports that should form the MCLAG ICL in the tier-2 MCLAG FSW-3 and FSW-4. For example:
    FGT_Switch_Controller # config switch-controller managed-switch
    FGT_Switch_Controller (managed-switch) # edit FS1E48T419000051
    FGT_Switch_Controller (FS1E48T419000051) # config ports
    FGT_Switch_Controller (ports) # edit port49
    FGT_Switch_Controller (port49) # set lldp-profile default-auto-mclag-icl
    FGT_Switch_Controller (port49) # end
    FGT_Switch_Controller (FS1E48T419000051) # end
3. On each of the tier-1 MCLAG switches, add an auto-isl-port-group for each tier-2 MCLAG peer group:
    config switch auto-isl-port-group
        edit tier2-closet-1
            set members port1 port2
        next
        edit tier2-closet-2 // (not in the diagram)
            set members port3 port4
        next
    end
This configuration is done directly in the FortiSwitch CLI (or by binding a custom script using custom commands on the FortiGate device; see Executing custom FortiSwitch scripts on page 309). If there is not a tier-3 MCLAG, skip to step 7.

4. Wire the tier-3 MCLAG FSW-5, FSW-6, FSW-7, and FSW-8. Wait until they are discovered and authorized (authorization must be done manually if auto-authorization is disabled).
5. For each tier-3 MCLAG peer group, add two auto-isl-port-groups for the tier-3 MCLAG switches on both tier2 MCLAG switches (FSW-3 and FSW-4):
    config switch auto-isl-port-group
        edit tier-2-closet-<1>-downlink-trunk-A
            set members <port_name>
        next
        edit tier-2-closet-<1>-downlink-trunk-B
            set members <port_name>
        next
    end
This configuration is done directly in the FortiSwitch CLI (or by binding a custom script using custom commands on the FortiGate device; see Executing custom FortiSwitch scripts on page 309).
6. Using the FortiGate CLI, assign the LLDP profile "default-auto-mclag-icl" to the ports that should form the ICL in the tier-3 MCLAG peers FSW-5 and FSW-6 and FSW-7 and FSW-8. For example:
    FGT_Switch_Controller # config switch-controller managed-switch
    FGT_Switch_Controller (managed-switch) # edit FS1E48T419000051
    FGT_Switch_Controller (FS1E48T419000051) # config ports
    FGT_Switch_Controller (ports) # edit port49
    FGT_Switch_Controller (port49) # set lldp-profile default-auto-mclag-icl
    FGT_Switch_Controller (port49) # end
    FGT_Switch_Controller (FS1E48T419000051) # end
7. Connect the access switches to the MCLAG peer groups, and the inter-switch links are formed automatically. Wait until they are discovered and authorized (authorization must be done manually if auto-authorization is disabled).
8. Wire only the tier-2 MCLAG FortiSwitch units from Closet 2 (leaving the other switches in Closet 2 disconnected). Wait until they are discovered and authorized (authorization must be done manually if auto-authorization is disabled). Return to step 3 to complete the process for Closet 2.
9. All FortiSwitch units are now authorized, and all MCLAG peer groups are enabled. Proceed with the configuration of the FortiSwitch units by assigning VLANs to the access ports and any other functionality required.
HA-mode FortiGate units in different sites
There are two sites in this topology, each with a FortiGate unit. The two sites share the FortiGate units in active-passive HA mode. The FortiGate units use the FortiSwitch units in FortiLink mode as the heartbeat connections because of limited physical connections between the two sites.
FortiOS 6.4.2 or higher and FortiSwitchOS 6.4.2 or higher are required.
Refer to the other network topologies in Deploying MCLAG topologies on page 77.
NOTE: Fortinet recommends using at least two links for ICL redundancy.


The following steps are an example of how to configure this topology:
1. Disconnect the physical connections between the two sites.
2. On Site 1:
   a. Use the FortiGate unit to establish the FortiLinks on Site 1. See Configuring FortiLink on page 24.
   b. Enable the MCLAG-ICL on the core switches of Site 1. See Transitioning from a FortiLink split interface to a FortiLink MCLAG on page 74.
   c. Enable the HA mode and set the heartbeat ports on FortiGate-1. FortiGate port1 and port2 are used as HA heartbeat ports in this example. For example, set hbdev "port1" 242 "port2" 25.
   d. Create a switch VLAN or VLANs dedicated to the FortiGate HA heartbeats between the two FortiGate units. For example:
        config system interface
            edit "hb1"
                set vdom "vdom name"
                set vlanid 998
            next
            edit "hb2"
                set vdom "vdom name"
                set vlanid 999
            next
        end
   e. Under the config switch-controller managed-switch command, set the native VLAN of the switch ports connected to the heartbeat ports using the VLAN created in step 2d.
      In this example, you need to assign port1 of core-switch1 to vlan998 and connect port1 of the active FortiGate unit to port1 of core-switch1. Then you need to assign port1 of core-switch2 to vlan999 and connect port2 of the active FortiGate unit to port1 of core-switch2.
        config switch-controller managed-switch
            edit <site1-core-switch1>
                config ports
                    edit "port1"
                        set vlan "hb1"
                    next
                end
            next
            edit <site1-core-switch2>
                config ports
                    edit "port1"
                        set vlan "hb2"
                    next
                end
            next
        end
   f. Make sure all FortiLinks are up.
3. On Site 2:
   a. Configure Site 2 using the same configuration as step 2, except for the HA priority.
   b. Make sure all FortiLinks are up.
4. Disconnect the physical connections for the FortiGate HA and FortiLink interface on Site 2.
5. Connect the cables between the two pairs of core switches in Site 1 and Site 2.
6. On both sites:
   a. On the MCLAG Peer Group switches at Site 1, use the config switch auto-isl-port-group command in the FortiSwitch CLI to group the ports to Site 2. See Deploying MCLAG topologies on page 77.
   b. On the MCLAG Peer Group switches at Site 2, use the config switch auto-isl-port-group command in the FortiSwitch CLI to group the ports to Site 1. See Deploying MCLAG topologies on page 77.
   c. Make sure all the FortiLinks are up.
7. Connect the FortiGate HA and FortiLink interface connections on Site 2.
8. Check the configuration:
   a. On both sites, enter the get system ha status command on the FortiGate unit to check the HA status.
   b. On the active (master) FortiGate unit, enter the execute switch-controller get-conn-status command to check the FortiLink state.

9. In the GUI, the example configuration looks like the following:

Interconnecting FortiLink fabrics

Each FortiLink fabric is a set of FortiSwitch units controlled by a FortiGate device. When you interconnect FortiLink fabrics, each FortiGate device manages its own FortiSwitch units. The FortiLink fabric interconnection points are seen as access ports from each FortiGate unit; no inter-switch links are formed.
In this example:
- The interconnecting ports (port15) on FS-CORE-1, FS-CORE-2, FS-DIST-1, and FS-DIST-2 have the LLDP profile set to default with auto-isl disabled.
- Optionally, you can disable the management of FS-DIST-1 and FS-DIST-2 by the FGT-CORE switch controller.
- FGT-CORE-1 and FGT-CORE-2 have the MCLAG trunk MCLAG_to_DIST.
- FGT-DIST-1 and FGT-DIST-2 have the MCLAG trunk MCLAG_to_CORE.
- The allowed VLANs on the MCLAG_to_DIST and MCLAG_to_CORE trunks match.
This topology requires the following:
- Disable auto-isl on the interconnection links to avoid one FortiGate device discovering or managing FortiSwitch units that should be discovered and managed by the other FortiGate device.
- Optionally, on one FortiGate device, disable discovery for the FortiSwitch serial numbers managed by the other FortiGate device.
- Configure matching native VLANs and allowed VLANs on both sides to allow communication between FortiLink fabrics.
- The VLAN IDs must match, but the names can be different.
Deployment steps
1. Deploy each FortiGate device and respective FortiSwitch units separately. See Transitioning from a FortiLink split interface to a FortiLink MCLAG on page 74.
2. (Optional) Disable discovery for the FortiSwitch units from the other FortiGate device.
3. Assign the "default" LLDP profile to the interconnecting ports. See Configuring ports using the GUI on page 96.
4. Create the MCLAG trunk for the interconnection. See Adding 802.3ad link aggregation groups (trunks) on page 102.
5. Assign matching native VLANs and allowed VLANs to the MCLAG trunk. See Configuring ports using the GUI on page 96.
6. Connect the cables to interconnect the FortiLink fabrics.

Configuration example

This configuration example assumes that each FortiLink fabric has been deployed already.

To configure the core FortiLink fabric:
1. Configure the FortiLink interface that will be used to interconnect the two FortiLink fabrics.
    config system interface
        edit "INTERCON"
            set vdom "root"
            set ip 10.255.255.1 255.255.255.252
            set allowaccess ping ssh
            set color 20
            set interface "fortilink"
            set vlanid 500
        next
    end
2. Assign the "default" LLDP profile to the switch ports and configure the MCLAG trunk (MCLAG_to_DIST) on the core fabric switches (FS-CORE-1 and FS-CORE-2) toward the distribution FortiLink fabric.
    config switch-controller managed-switch
        edit "FS-CORE-1"
            config ports
                edit "port15"
                    set port-owner "MCLAG_to_DIST"
                    set lldp-profile "default"
                next
                edit "port16"
                    set port-owner "MCLAG_to_DIST"
                    set lldp-profile "default"
                next
                edit "MCLAG_to_DIST"
                    set vlan "INTERCON"
                    set type trunk
                    set mode lacp-active
                    set mclag enable
                    set members "port15" "port16"
                next
            end
        next
    end
    config switch-controller managed-switch
        edit "FS-CORE-2"
            config ports
                edit "port15"
                    set port-owner "MCLAG_to_DIST"
                    set lldp-profile "default"
                next
                edit "port16"
                    set port-owner "MCLAG_to_DIST"
                    set lldp-profile "default"
                next
                edit "MCLAG_to_DIST"
                    set vlan "INTERCON"
                    set type trunk
                    set mode lacp-active
                    set mclag enable
                    set members "port15" "port16"
                next
            end
        next
    end
3. Optionally, prevent the core FortiGate devices from discovering the distribution FortiSwitch units.
    config switch-controller global
        set disable-discovery "FS-DIST-1" "FS-DIST-2"
    end
To configure the distribution FortiLink fabric:
1. Configure the FortiLink interface that will be used to interconnect the two FortiLink fabrics.
    config system interface
        edit "INTERCON"
            set vdom "root"
            set ip 10.255.255.2 255.255.255.252
            set allowaccess ping ssh
            set color 20
            set interface "fortilink"
            set vlanid 500
        next
    end
2. Assign the "default" LLDP profile to the switch ports and configure the MCLAG trunk (MCLAG_to_CORE) on the distribution fabric switches (FS-DIST-1 and FS-DIST-2) toward the core FortiLink fabric.
    config switch-controller managed-switch
        edit "FS-DIST-1"
            config ports
                edit "port15"
                    set port-owner "MCLAG_to_CORE"
                    set lldp-profile "default"
                next
                edit "port16"
                    set port-owner "MCLAG_to_CORE"
                    set lldp-profile "default"
                next
                edit "MCLAG_to_CORE"
                    set vlan "INTERCON"
                    set type trunk
                    set mode lacp-active
                    set mclag enable
                    set members "port15" "port16"
                next
            end
        next
    end
    config switch-controller managed-switch
        edit "FS-DIST-2"
            config ports
                edit "port15"
                    set port-owner "MCLAG_to_CORE"
                    set lldp-profile "default"
                next
                edit "port16"
                    set port-owner "MCLAG_to_CORE"
                    set lldp-profile "default"
                next
                edit "MCLAG_to_CORE"
                    set vlan "INTERCON"
                    set type trunk
                    set mode lacp-active
                    set mclag enable
                    set members "port15" "port16"
                next
            end
        next
    end
3. Optionally, prevent the distribution FortiGate devices from discovering the core FortiSwitch units.
    config switch-controller global
        set disable-discovery "FS-CORE-1" "FS-CORE-2"
    end
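The interconnection above only works when both fabrics agree on the VLAN ID, use an MCLAG trunk, and keep auto-isl off the interconnecting ports. The following added example (not Fortinet's code) parses FortiOS-style config blocks and checks those three requirements against constructed copies of the core and distribution snippets; the only assumption is that a managed-switch port without an explicit lldp-profile uses the FortiOS default "default-auto-isl".

```python
"""Added example (not Fortinet's code): parse FortiOS config/edit/set/next/end
blocks and check the requirements this page lists for interconnecting two
FortiLink fabrics: matching interconnect VLAN IDs, an MCLAG trunk on both
sides, and auto-isl disabled (LLDP profile "default") on the member ports."""
import shlex

def parse_fortios(text):
    """Return nested dicts {table: {entry: {setting: [values]}}}.
    'next' closes an edit entry; 'end' closes the enclosing config table,
    closing an unterminated edit entry on the way (FortiOS accepts that)."""
    root = {}
    stack = [("config", root)]
    for raw in text.splitlines():
        words = shlex.split(raw, comments=True)
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if cmd == "config":
            table = stack[-1][1].setdefault(" ".join(args), {})
            stack.append(("config", table))
        elif cmd == "edit":
            entry = stack[-1][1].setdefault(args[0], {})
            stack.append(("edit", entry))
        elif cmd == "set":
            stack[-1][1][args[0]] = args[1:]
        elif cmd == "next":
            stack.pop()
        elif cmd == "end":
            while stack.pop()[0] != "config":
                pass
        else:
            raise ValueError(f"unexpected keyword {cmd!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced config block")
    return root

def trunk_facts(cfg, switch, trunk):
    """Collect one side's settings. Assumption: a managed-switch port with no
    explicit lldp-profile uses the FortiOS default "default-auto-isl"."""
    ports = cfg["switch-controller managed-switch"][switch]["ports"]
    t = ports[trunk]
    return {
        "vlan_id": int(cfg["system interface"][t["vlan"][0]]["vlanid"][0]),
        "type": t.get("type", ["physical"])[0],
        "mclag": t.get("mclag", ["disable"])[0],
        "lldp": {m: ports[m].get("lldp-profile", ["default-auto-isl"])[0]
                 for m in t["members"]},
    }

def check_interconnect(core_cfg, dist_cfg):
    """Return the list of violated requirements (empty when consistent)."""
    sides = {"core": trunk_facts(core_cfg, "FS-CORE-1", "MCLAG_to_DIST"),
             "dist": trunk_facts(dist_cfg, "FS-DIST-1", "MCLAG_to_CORE")}
    problems = []
    if sides["core"]["vlan_id"] != sides["dist"]["vlan_id"]:
        problems.append("interconnect VLAN IDs differ: core=%d dist=%d"
                        % (sides["core"]["vlan_id"], sides["dist"]["vlan_id"]))
    for name, f in sides.items():
        if f["type"] != "trunk" or f["mclag"] != "enable":
            problems.append(f"{name}: interconnect must be an MCLAG trunk")
        for port, prof in f["lldp"].items():
            if prof != "default":
                problems.append(f"{name}: {port} uses LLDP profile {prof}; "
                                "auto-isl must be disabled on interconnect ports")
    return problems

# Constructed from the core-fabric example on this page (vdom/ip/color omitted).
CORE_CFG = """config system interface
    edit "INTERCON"
        set vlanid 500
    next
end
config switch-controller managed-switch
    edit "FS-CORE-1"
        config ports
            edit "port15"
                set port-owner "MCLAG_to_DIST"
                set lldp-profile "default"
            next
            edit "port16"
                set port-owner "MCLAG_to_DIST"
                set lldp-profile "default"
            next
            edit "MCLAG_to_DIST"
                set vlan "INTERCON"
                set type trunk
                set mclag enable
                set members "port15" "port16"
            next
        end
    next
end
"""
# The distribution side mirrors it with the names swapped.
DIST_CFG = CORE_CFG.replace("FS-CORE-1", "FS-DIST-1").replace("MCLAG_to_DIST", "MCLAG_to_CORE")
# A misconfigured distribution side: wrong VLAN ID and auto-isl left on port15.
BAD_DIST_CFG = (DIST_CFG.replace("set vlanid 500", "set vlanid 501")
                .replace('set lldp-profile "default"', 'set lldp-profile "default-auto-isl"', 1))
```

Run check_interconnect(parse_fortios(CORE_CFG), parse_fortios(DIST_CFG)) to get an empty list for the consistent pair; BAD_DIST_CFG reports the VLAN mismatch and the auto-isl port.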


Configuring FortiSwitch VLANs and ports
This section covers the following topics:
- Configuring VLANs on page 89
- Configuring ports using the GUI on page 96
- Configuring port speed and status on page 97
- Configuring flap guard on page 98
- Configuring PoE on page 100
- Adding 802.3ad link aggregation groups (trunks) on page 102
- Configuring FortiSwitch split ports (phy-mode) in FortiLink mode on page 106
- Restricting the type of frames allowed through IEEE 802.1Q ports on page 111
- Multitenancy and VDOMs on page 111
Configuring VLANs
Use Virtual Local Area Networks (VLANs) to logically separate a LAN into smaller broadcast domains. VLANs allow you to define different policies for different types of users and to set finer control on the LAN traffic. (Traffic is only sent automatically within the VLAN. You must configure routing for traffic between VLANs.) From the FortiGate unit, you can centrally configure and manage VLANs for the managed FortiSwitch units. In FortiSwitchOS 3.3.0 and later releases, the FortiSwitch supports untagged and tagged frames in FortiLink mode. The switch supports up to 1,023 user-defined VLANs. You can assign a VLAN number (ranging from 1-4095) to each of the VLANs. For FortiSwitch units in FortiLink mode (FortiOS 6.2.0 and later), you can assign a name to each VLAN. You can configure the default VLAN for each FortiSwitch port as well as a set of allowed VLANs for each FortiSwitch port. This section covers the following topics:
- Creating VLANs on page 89
- Viewing FortiSwitch VLANs on page 92
- Changing the VLAN configuration mode on page 92
- Configuring multiple managed FortiSwitch VLANs to be used in a software switch on page 93
- Configuring inter-VLAN routing offload on page 94
Creating VLANs
Setting up a VLAN requires you to create the VLAN and assign FortiSwitch ports to the VLAN. You can do this with either the Web GUI or CLI. You can specify native, allowed, and untagged VLANs.


Native VLAN
You can configure a native VLAN for each port. The native VLAN is like a default VLAN for untagged incoming frames. Outgoing frames for the native VLAN are sent as untagged frames. The native VLAN is assigned to any untagged frame arriving at an ingress port. At an egress port, if the frame tag matches the native VLAN, the frame is sent out without the VLAN header.

Allowed VLAN list
The allowed VLAN list for each port specifies the VLAN tag values for which the port can transmit or receive frames. For a tagged frame arriving at an ingress port, the tag value must match a VLAN on the allowed VLAN list or the native VLAN. At an egress port, the frame tag must match the native VLAN or a VLAN on the allowed VLAN list.

Untagged VLAN list
The untagged VLAN list on a port specifies the VLAN tag values for which the port will transmit frames without the VLAN tag. Any VLAN in the untagged VLAN list must also be a member of the allowed VLAN list. The untagged VLAN list applies only to egress traffic on a port.
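The three lists above determine whether a frame is accepted, which VLAN it is switched in, and whether it leaves with a tag. The following added example (not Fortinet's code) models those rules for a port so a planned native/allowed/untagged configuration can be checked before deployment; the port names, VLAN IDs and frames are constructed, and "all" in the allowed set stands for the GUI's all value.

```python
"""Added example (not Fortinet's code): a model of how a FortiSwitch port applies
its native VLAN, allowed VLAN list and untagged VLAN list to frames, following
the rules described on this page."""
from dataclasses import dataclass, field

@dataclass
class Port:
    name: str
    native: int                                  # VLAN for untagged ingress frames
    allowed: set = field(default_factory=set)    # tagged VLAN IDs, or {"all"}
    untagged: set = field(default_factory=set)   # egress only: sent without a tag

    def __post_init__(self):
        # Rule from the page: every untagged VLAN must also be an allowed VLAN.
        if "all" not in self.allowed and not self.untagged <= self.allowed:
            extra = sorted(self.untagged - self.allowed)
            raise ValueError(f"{self.name}: untagged VLANs {extra} are not allowed VLANs")

    def member_of(self, vid):
        """A port carries its native VLAN plus everything on the allowed list."""
        return vid == self.native or "all" in self.allowed or vid in self.allowed

    def ingress(self, tag):
        """Classify an arriving frame (tag=None means untagged). Returns the VLAN
        the frame is switched in, or None when the tag is not permitted (dropped)."""
        if tag is None:
            return self.native
        return tag if self.member_of(tag) else None

    def egress(self, vid):
        """How a frame in VLAN vid leaves this port: 'untagged', 'tagged', or
        None when the port does not carry that VLAN."""
        if not self.member_of(vid):
            return None
        if vid == self.native or vid in self.untagged:
            return "untagged"
        return "tagged"

def forward(tag, in_port, out_port):
    """Carry one frame from in_port to out_port; returns (vlan, how) or None."""
    vid = in_port.ingress(tag)
    if vid is None:
        return None
    how = out_port.egress(vid)
    return None if how is None else (vid, how)

# Constructed ports: an access port in VLAN 10 and an uplink trunk that carries
# VLANs 10 and 20, with VLAN 20 also on the untagged list.
ACCESS = Port("port1", native=10)
TRUNK = Port("port49", native=1, allowed={10, 20}, untagged={20})
```

For example, an untagged frame entering ACCESS is switched in VLAN 10 and leaves TRUNK tagged, while a frame tagged 30 arriving on TRUNK is dropped at ingress.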

Using the GUI

To create the VLAN:
1. Go to WiFi & Switch Controller > FortiSwitch VLANs, select Create New, and change the following settings:

    Interface Name    VLAN name
    VLAN ID           Enter a number (1-4094)
    Color             Choose a unique color for each VLAN, for ease of visual display.
    Role              Select LAN, WAN, DMZ, or Undefined.
                      NOTE: If you are using the FortiGate unit's security rating feature, you need to assign a role of LAN, WAN, or DMZ to your FortiLink VLAN interfaces before referencing them in any firewall policies. If this is not done, the security rating score is lowered until the issue is remedied, due to failing the "Interface Classification" requirement.

2. Enable DHCP for IPv4 or IPv6.
3. Set the Administrative access options as required.
4. Select OK.

To assign FortiSwitch ports to the VLAN:
1. Go to WiFi & Switch Controller > FortiSwitch Ports.
2. Click a port row.
3. Click the Native VLAN column in one of the selected entries to change the native VLAN.
4. Select a VLAN from the displayed list. The new value is assigned to the selected ports.
5. Click the + icon in the Allowed VLANs column to change the allowed VLANs.
6. Select one or more of the VLANs (or the value all) from the displayed list. The new value is assigned to the selected port.
Using the FortiSwitch CLI
1. Create the marketing VLAN.
    config system interface
        edit <vlan name>
            set vlanid <1-4094>
            set color <1-32>
            set interface <FortiLink-enabled interface>
    end
2. Set the VLAN's IP address.
    config system interface
        edit <vlan name>
            set ip <IP address> <Network mask>
    end
3. Enable a DHCP server.
    config system dhcp server
        edit 1
            set default-gateway <IP address>
            set dns-service default
            set interface <vlan name>
            config ip-range
                set start-ip <IP address>
                set end-ip <IP address>
            end
            set netmask <Network mask>
    end
4. Assign ports to the VLAN.
    config switch-controller managed-switch
        edit <Switch ID>
            config ports
                edit <port name>
                    set vlan <vlan name>
                    set allowed-vlans <vlan name>   (or: set allowed-vlans-all enable)
                next
            end
    end
5. Assign untagged VLANs to a managed FortiSwitch port:
    config switch-controller managed-switch
        edit <managed-switch>
            config ports
                edit <port>
                    set untagged-vlans <VLAN-name>
                next
            end
        next
    end
Viewing FortiSwitch VLANs
The WiFi & Switch Controller > FortiSwitch VLANs page displays VLAN information for the managed switches.

Each entry in the VLAN list displays the following information:
- Name--name of the VLAN
- VLAN ID--the VLAN number
- IP/Netmask--address and mask of the subnetwork that corresponds to this VLAN
- Access--administrative access settings for the VLAN
- Ref--number of configuration objects referencing this VLAN
Changing the VLAN configuration mode
You can change which VLANs the set allowed-vlans command affects. If you want the set allowed-vlans command to apply to all user-defined VLANs, use the following CLI commands:
    config switch-controller global
        set vlan-all-mode defined
    end
If you want the set allowed-vlans command to apply to all possible VLANs (1-4094), use the following CLI commands:
    config switch-controller global
        set vlan-all-mode all
    end
NOTE: You cannot use the set vlan-all-mode all command with the set vlan-optimization enable command.

Configuring multiple managed FortiSwitch VLANs to be used in a software switch
Starting in FortiOS 7.2.0 with FortiSwitchOS 7.2.0, you can add multiple managed FortiSwitch VLANs to a software switch using the GUI or CLI. In previous releases, you could add only one managed FortiSwitch VLAN per FortiGate device to a software switch. Traffic between two VLANs is controlled by the intra-switch-policy setting under the config system switch-interface command. By default, intra-switch-policy is set to implicit, which allows traffic between software switch members.
The FortiSwitch VLANs must be configured without IP addresses.
Using the GUI
1. Go to Network > Interfaces.
2. Create or edit a software switch interface.
3. In Interface members, select multiple FortiSwitch VLANs.
4. Click OK.
Using the CLI
In the following example, you create two managed FortiSwitch VLANs and then add them to a software switch.
    config system interface
        edit "vlan1"
            set vdom "root"
            set device-identification enable
            set role lan
            set snmp-index 46
            set interface "fortilink"
            set vlanid 3501
        next
        edit "vlan2"
            set vdom "root"
            set device-identification enable
            set role lan
            set snmp-index 47
            set interface "fortilink"
            set vlanid 3502
        next
    end
    config system switch-interface
        edit "softwareswitch"
            set vdom "root"
            set member "vlan1" "vlan2"
        next
    end

Configuring inter-VLAN routing offload

Inter-VLAN routing offload requires an advanced features license. For more information, refer to Adding a license.

Starting in FortiOS 7.4.1 with FortiSwitchOS 7.4.1, managed FortiSwitch units can perform inter-VLAN routing. The FortiGate device can program the FortiSwitch unit to do the layer-3 routing of trusted traffic between specific VLANs. In this case, the traffic flows are trusted by the user and do not need to be inspected by the FortiGate device. Inter-VLAN routing offload is applied to the supported FortiSwitch model located closest to the FortiGate device in the topology. Refer to the FortiLink Compatibility table to find which FortiSwitchOS models support this feature. You can use an MCLAG with inter-VLAN routing.
To configure inter-VLAN routing offload:
1. Configure both VLANs for routing offload.
2. Configure the switches for routing offload.
Configure both VLANs for routing offload
By default, switch-controller-offload and switch-controller-offload-gw are disabled. The switch-controller-offload-ip option is available only when switch-controller-offload is enabled. The set allowaccess ping command is configured automatically if it is not already specified. Enable switch-controller-offload-gw on a single VLAN interface. The clients can use the offload IP addresses (configured in the set switch-controller-offload-ip command) as the default gateway, which is executed on the FortiSwitch unit. If you are using a DHCP server on the offloaded FortiSwitch VLANs, adjust the DHCP gateway address to match the switch-controller-offload-ip address.
    config system interface
        edit <VLAN_name>
            set ip <IP_address_netmask>
            set switch-controller-offload {enable | disable}
            set switch-controller-offload-ip <IP_address>
            set switch-controller-offload-gw {enable | disable}
        next
    end
Configure the switches for routing offload
By default, route-offload and route-offload-mclag are disabled. When you have an MCLAG configured, you need to enable route-offload-mclag and configure config route-offload. The config route-offload commands are available only when route-offload-mclag is enabled. Use router-ip to specify the router IP address for VRRP.
    config switch-controller managed-switch
        edit <FortiSwitch_serial_number>
            set route-offload {enable | disable}
            set route-offload-mclag {enable | disable}
            config route-offload
                edit <VLAN_name_1>
                    set router-ip <IP_address_1>
                next
                edit <VLAN_name_2>
                    set router-ip <IP_address_2>
                next
            end
        next
    end
Configuration example
The following example shows how the default routing between Host A and Host B uses the active FortiGate device in HA mode. When inter-VLAN routing is enabled, VLAN10 on Host A routes through FortiSwitch 3, FortiSwitch 1, FortiSwitch 2, and FortiSwitch 5 to VLAN 20 on Host B.

1. Configure both VLANs for routing offload.
    config system interface
        edit "vlan.10"
            set ip 192.168.10.1/24
            set switch-controller-offload enable
            set switch-controller-offload-ip 192.168.10.2
            set switch-controller-offload-gw enable
        next
        edit "vlan.20"
            set ip 192.168.20.1/24
            set switch-controller-offload enable
            set switch-controller-offload-ip 192.168.20.2
        next
    end
2. Configure FortiSwitch 1 to route to Host A and Host B. Because this example uses MCLAG, you need to enable route-offload-mclag and configure config route-offload.
    config switch-controller managed-switch
        edit ST1E24TF21000347
            set route-offload enable
            set route-offload-mclag enable
            config route-offload
                edit "vlan.10"
                    set router-ip 192.168.10.3
                next
                edit "vlan.20"
                    set router-ip 192.168.20.3
                next
            end
        next
    end
3. Configure FortiSwitch 2 to route to Host A and Host B. Because this example uses MCLAG, you need to enable route-offload-mclag and configure config route-offload.
    config switch-controller managed-switch
        edit ST1E24TF21000408
            set route-offload enable
            set route-offload-mclag enable
            config route-offload
                edit "vlan.10"
                    set router-ip 192.168.10.4
                next
                edit "vlan.20"
                    set router-ip 192.168.20.4
                next
            end
        next
    end
When inter-VLAN routing is enabled on a VLAN, the FortiGate device configures the following on a FortiSwitch unit:
- A switch virtual interface (SVI) for each FortiSwitch VLAN, configured with the switch-controller-offload-ip address.
- A default route in vrf1:
  - with the gateway set to the IP address on the FortiGate device of the VLAN with switch-controller-offload-gw enabled
  - with set gw-l2-switch enabled to forward packets to the FortiGate device without modifying the VLAN and source MAC address

Configuring ports using the GUI
You can use the WiFi & Switch Controller > FortiSwitch Ports page to do the following with FortiSwitch switch ports:
- Set the native VLAN and add more VLANs
- Edit the description of the port
- Enable or disable the port
- Set the access mode of the port in Port view:
  - Static--The port does not use a dynamic port policy or FortiSwitch network access control (NAC) policy.
  - Assign Port Policy--The port uses a dynamic port policy.
  - NAC--The port uses a FortiSwitch NAC policy.
- Set the LACP mode of the trunk in Trunk view:
  - Static--In this mode, no control messages are sent, and received control messages are ignored.
  - Passive LACP--The port passively uses LACP to negotiate 802.3ad aggregation.
  - Active LACP--The port actively uses LACP to negotiate 802.3ad aggregation.
- Double-click a port to display the Port Statistics pane, which shows the transmitted and received traffic, frame errors by type, and transmitted and received frames. You can also select a port and then click the View Statistics button in the upper right corner. The Compare with dropdown list allows you to select another port to compare with the currently selected port. The statistics are refreshed every 15 seconds.
- Clear port counters by right-clicking a port and selecting Clear port counters.
- Enable or disable PoE for the port
- Enable or disable DHCP snooping (if supported by the port)
- Enable or disable whether a port is an edge port
- Enable or disable STP (if supported by the port)
- Enable or disable loop guard (if supported by the port)
- Enable or disable STP BPDU guard (if supported by the port)
- Enable or disable STP root guard (if supported by the port)
Configuring port speed and status
To set port speed and other base port settings:
    config switch-controller managed-switch
        edit <FortiSwitch_serial_number>
            config ports
                edit <port_name>
                    set description <text>
                    set speed <speed>
                    set status {down | up}
            end
    end
For example:
    config switch-controller managed-switch
        edit S524DF4K15000024
            config ports
                edit port1
                    set description "First port"
                    set speed auto
                    set status up
            end
    end


To check the port properties:

    diagnose switch-controller switch-info port-properties [<FortiSwitch_serial_number>] [<port_name>]
If the FortiSwitch serial number is not specified, results for all FortiSwitch units are returned. If the port name is not specified, results for all ports are returned.
For example:
    FortiGate-100F # diagnose switch-controller switch-info port-properties S524DF4K15000024 port18
    Vdom: root
    Switch: S524DF4K15000024
    Port: port18
        PoE       : 802.3af/at,30.0W
        Connector : RJ45
        Speed     : 10Mhalf/10Mfull/100Mhalf/100Mfull/1Gauto/auto

Configuring flap guard
A flapping port is a port that changes status rapidly from up to down. A flapping port can create instability in protocols such as Spanning Tree Protocol (STP). If a port is flapping, STP must continually recalculate the role for each port. Flap guard also prevents unwanted access to the physical ports.
Flap guard detects how many times a port changes status during a specified number of seconds, and the system shuts down the port if necessary. You can manually reset the port and restore it to the active state.
Flap guard is configured and enabled on each port through the switch controller. The default setting is disabled.
The flap rate counts how many times a port changes status during a specified number of seconds. The range is 1 to 30 with a default setting of 5.
The flap duration is the number of seconds during which the flap rate is counted. The range is 5 to 300 seconds with a default setting of 30 seconds.
The flap timeout is the number of minutes before the flap guard is reset. The range is 0 to 120 minutes. The default setting of 0 means that there is no timeout.
l If a triggered port times out while the switch is in a down state, the port is initially in a triggered state until the switch has fully booted up and calculated that the timeout has occurred.
- The following models do not store time across reboot; therefore, any triggered port is initially in a triggered state until the switch has fully booted up--at which point the trigger is cleared:
  - FS-1xxE
  - FS-2xxD/E
  - FS-4xxD
  - FS-4xxE
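To see what a given flap-rate, flap-duration and flap-timeout combination does to a port, the following added example (not Fortinet's code) replays constructed link-transition timestamps through a model of the counters described above. It assumes the port is shut down as soon as the number of status changes within flap-duration seconds reaches flap-rate; the exact comparison used by FortiSwitchOS is not stated on this page.

```python
"""Added example (not Fortinet's code): a model of the flap-guard counters
described on this page. Assumption: the port is shut down as soon as the
count of status changes inside the flap-duration window reaches flap-rate."""
from collections import deque

class FlapGuard:
    def __init__(self, flap_rate=5, flap_duration=30, flap_timeout=0):
        # Ranges and defaults as documented above.
        if not (1 <= flap_rate <= 30 and 5 <= flap_duration <= 300
                and 0 <= flap_timeout <= 120):
            raise ValueError("setting outside the documented range")
        self.flap_rate, self.flap_duration = flap_rate, flap_duration
        self.flap_timeout = flap_timeout      # minutes; 0 means no timeout
        self.changes = deque()                # timestamps (s) inside the window
        self.triggered_at = None              # time the port was shut down

    def _expire(self, now):
        """Clear the trigger once flap-timeout minutes have elapsed."""
        if (self.triggered_at is not None and self.flap_timeout > 0
                and now - self.triggered_at >= self.flap_timeout * 60):
            self.reset()

    def status_change(self, now):
        """Record an up/down transition at time now (seconds). Returns True
        while the port is shut down by flap guard."""
        self._expire(now)
        if self.triggered_at is not None:
            return True                       # stays down until reset or timeout
        self.changes.append(now)
        while now - self.changes[0] > self.flap_duration:
            self.changes.popleft()            # drop changes outside the window
        if len(self.changes) >= self.flap_rate:
            self.triggered_at = now
            self.changes.clear()
            return True
        return False

    def reset(self):
        """Models 'execute switch-controller flapguard reset <serial> <port>'."""
        self.triggered_at = None
        self.changes.clear()

    @property
    def triggered(self):
        return self.triggered_at is not None

def first_trigger(events, **settings):
    """Replay constructed transition timestamps (seconds); return the time
    flap guard shut the port, or None if it never did."""
    guard = FlapGuard(**settings)
    for t in events:
        if guard.status_change(t):
            return t
    return None
```

With the defaults, five transitions one second apart shut the port at the fifth one, while transitions ten seconds apart never do; the page's example settings (rate 15, duration 100, timeout 30) trigger on the fifteenth transition inside 100 seconds.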

To configure flap guard on a port through the switch controller:

config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        config ports
            edit <port_name>
                set flapguard {enable | disable}
                set flap-rate <1-30>
                set flap-duration <5-300 seconds>
                set flap-timeout <0-120 minutes>
            next
        end
    end

For example:

config switch-controller managed-switch
    edit S424ENTF19000007
        config ports
            edit port10
                set flapguard enable
                set flap-rate 15
                set flap-duration 100
                set flap-timeout 30
            next
        end
    end
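To make the three settings concrete, the following Python model is added here as an example; it is not FortiOS or FortiSwitchOS code and does not claim to reproduce the switch's exact implementation. It counts link-state changes in a sliding window of flap-duration seconds, shuts the port down once the count reaches flap-rate, and restores it after flap-timeout minutes or on a manual reset. Whether the trigger fires at exactly flap-rate changes (as modelled) or one more is an assumption; the guide only states that the rate is counted over the duration.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class FlapGuard:
    """Per-port flap guard model (added example, not FortiSwitchOS code).

    The fields mirror the CLI settings: flap-rate (1-30), flap-duration
    (5-300 s) and flap-timeout (0-120 min, 0 = no automatic reset).
    """
    flap_rate: int = 5
    flap_duration: int = 30
    flap_timeout: int = 0
    triggered: bool = False
    triggered_at: float = 0.0
    changes: deque = field(default_factory=deque)

    def __post_init__(self) -> None:
        # Reject values outside the ranges documented for the CLI settings.
        if not 1 <= self.flap_rate <= 30:
            raise ValueError("flap-rate must be 1-30")
        if not 5 <= self.flap_duration <= 300:
            raise ValueError("flap-duration must be 5-300 seconds")
        if not 0 <= self.flap_timeout <= 120:
            raise ValueError("flap-timeout must be 0-120 minutes")

    def _expire_timeout(self, now: float) -> None:
        # A non-zero flap-timeout restores the port automatically.
        if self.triggered and self.flap_timeout and now - self.triggered_at >= self.flap_timeout * 60:
            self.reset()

    def is_triggered(self, now: float) -> bool:
        """True if flap guard currently holds the port down."""
        self._expire_timeout(now)
        return self.triggered

    def link_change(self, now: float) -> bool:
        """Record one up/down transition at time `now` (seconds).

        Returns True if the port is shut down after this event. Assumption:
        the trigger fires when the number of changes inside the flap-duration
        window reaches flap-rate.
        """
        self._expire_timeout(now)
        if self.triggered:
            return True  # a shut-down port cannot flap any further
        self.changes.append(now)
        # Slide the window: forget changes older than flap-duration seconds.
        while self.changes and now - self.changes[0] > self.flap_duration:
            self.changes.popleft()
        if len(self.changes) >= self.flap_rate:
            self.triggered = True
            self.triggered_at = now
            self.changes.clear()
        return self.triggered

    def reset(self) -> None:
        """Manual reset, the equivalent of 'execute switch-controller flapguard reset'."""
        self.triggered = False
        self.changes.clear()


def run_scenario(interval: float, count: int, **settings) -> bool:
    """Feed `count` evenly spaced link changes and report whether flap guard tripped."""
    guard = FlapGuard(**settings)
    return any(guard.link_change(i * interval) for i in range(count))


if __name__ == "__main__":
    # Constructed scenarios: the defaults (5 changes in 30 s) versus the
    # example settings from this section (15 changes in 100 s, 30-minute timeout).
    print("bounce every 2 s, defaults:", run_scenario(2, 5))
    print("bounce every 10 s, defaults:", run_scenario(10, 20))
    print("bounce every 5 s, rate 15 / duration 100:",
          run_scenario(5, 15, flap_rate=15, flap_duration=100, flap_timeout=30))
```

With the default settings a link that bounces every 10 seconds never accumulates five changes inside one 30-second window, so it is left alone, while a link bouncing every 2 seconds is shut down on the fifth change; with flap-timeout 0 that port stays down until `reset()` is called.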
Resetting a port
After flap guard detects that a port is changing status rapidly and the system shuts down the port, you can reset the port and restore it to service.
To reset a port:

execute switch-controller flapguard reset <FortiSwitch_serial_number> <port_name>

For example:

execute switch-controller flapguard reset S424ENTF19000007 port10

Viewing the flap-guard configuration

To display flap-guard information for all ports of a FortiSwitch unit:

diagnose switch-controller switch-info flapguard status <FortiSwitch_serial_number>

For example:

diagnose switch-controller switch-info flapguard status S424ENTF19000007

Configuring PoE

NOTE: The following PoE CLI commands are available starting in FortiSwitchOS 3.3.0.

This section covers the following topics:
- Enabling PoE on the port on page 100
- Enabling PoE pre-standard detection on page 100
- Configuring PoE port settings on page 101
- Resetting the PoE port on page 101
- Displaying general PoE status on page 102

Enabling PoE on the port

config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        config ports
            edit <port_name>
                set poe-status {enable | disable}
            end
        end

For example:

config switch-controller managed-switch
    edit S524DF4K15000024
        config ports
            edit port1
                set poe-status enable
            end
        end
Enabling PoE pre-standard detection
Depending on the FortiSwitch model, you can manually change the PoE pre-standard detection setting on the global level or on the port level. Starting with FortiOS 6.4.5, the factory default setting for poe-pre-standard-detection is disable.

PoE pre-standard detection is a global setting for the following FortiSwitch models: FSR112D-POE, FS-548D-FPOE, FS-524D-FPOE, FS-108D-POE, FS-224D-POE, FS-108E-POE, FS-108E-FPOE, FS-124E-POE, and FS-124E-FPOE. For the other FortiSwitch PoE models, PoE pre-standard detection is set on each port.

On the global level, set poe-pre-standard-detection with the following commands:

config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        set poe-pre-standard-detection {enable | disable}
    next
end

On the port level, set poe-pre-standard-detection with the following commands:

config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        config ports
            edit <port_name>
                set poe-pre-standard-detection {enable | disable}
            next
        end
    next
end

Configuring PoE port settings

Starting in FortiOS 7.2.4 with FortiSwitchOS 7.2.3, you can configure the following PoE port settings on managed switches:
- Port mode: You can set the port mode to IEEE802.3 AF or IEEE802.3 AT.
- Port priority: You can set the port priority to critical, high, medium, or low. If there is not enough power, power is allotted first to critical-priority ports, then to high-priority ports, then to medium-priority ports, and then to low-priority ports. Medium priority is available only on the following models: FS-224D-FPOE, FS-224E-POE, FS-248E-POE, FS-248E-FPOE, FS-424E-POE, FS-424E-FPOE, FS-M426E-FPOE, FS-448E-POE, FS-448E-FPOE, FS-524D-FPOE, and FS-548D-FPOE.
- Port power: You can set the port power to normal, perpetual, or perpetual-fast. Refer to the FortiSwitchOS feature matrix to see which FortiSwitch models support this feature.

Port power setting    Description
normal                PoE power is not provided while a switch restarts.
perpetual             PoE power is provided during a soft reboot (the switch is restarted while powered up).
perpetual-fast        PoE power is provided during a hard reboot (the switch's power is physically turned off and then on again).

To configure the PoE port settings:

config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        config ports
            edit <port_name>
                set poe-port-mode {IEEE802_3AF | IEEE802_3AT}
                set poe-port-priority {critical-priority | high-priority | low-priority | medium-priority}
                set poe-port-power {normal | perpetual | perpetual-fast}
            next
        end
    next
end
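The priority rule above decides which powered devices stay up when a switch's PoE budget is short. The following Python model is added here as an example of that rule; it is not FortiOS or FortiSwitchOS code. The per-mode power figures (15.4 W for IEEE802_3AF, 30 W for IEEE802_3AT) are the IEEE 802.3af/at PSE maxima, not values taken from this guide, and the assumption that a port which no longer fits in the remaining budget also blocks every lower-priority port behind it (strict priority, no skipping ahead) is the example's own.

```python
from dataclasses import dataclass

# Priority order from this section: critical ports are powered first.
PRIORITY_ORDER = ("critical-priority", "high-priority", "medium-priority", "low-priority")

# Maximum PSE power per poe-port-mode. Assumption for this example: the
# IEEE 802.3af/at PSE maxima; the guide does not state per-mode figures.
MODE_MAX_W = {"IEEE802_3AF": 15.4, "IEEE802_3AT": 30.0}

# Models this section lists as supporting medium priority.
MEDIUM_PRIORITY_MODELS = {
    "FS-224D-FPOE", "FS-224E-POE", "FS-248E-POE", "FS-248E-FPOE", "FS-424E-POE",
    "FS-424E-FPOE", "FS-M426E-FPOE", "FS-448E-POE", "FS-448E-FPOE",
    "FS-524D-FPOE", "FS-548D-FPOE",
}


@dataclass(frozen=True)
class PoePort:
    name: str
    poe_port_mode: str       # IEEE802_3AF | IEEE802_3AT
    poe_port_priority: str   # one of PRIORITY_ORDER


def validate_port(port: PoePort, model: str) -> None:
    """Reject settings the CLI would not accept for this model."""
    if port.poe_port_mode not in MODE_MAX_W:
        raise ValueError(f"{port.name}: unknown poe-port-mode {port.poe_port_mode}")
    if port.poe_port_priority not in PRIORITY_ORDER:
        raise ValueError(f"{port.name}: unknown poe-port-priority {port.poe_port_priority}")
    if port.poe_port_priority == "medium-priority" and model not in MEDIUM_PRIORITY_MODELS:
        raise ValueError(f"{port.name}: medium-priority is not available on {model}")


def allocate_poe(budget_w: float, ports: list, model: str):
    """Return (powered, denied, remaining_w).

    powered maps port name to the watts reserved for it. Ports are served in
    priority order; within one priority level the configured order is kept.
    Assumption: once a port no longer fits in the remaining budget, every
    port behind it is denied as well (strict priority).
    """
    for port in ports:
        validate_port(port, model)
    ranked = sorted(ports, key=lambda p: PRIORITY_ORDER.index(p.poe_port_priority))
    powered, denied, remaining = {}, [], budget_w
    exhausted = False
    for port in ranked:
        need = MODE_MAX_W[port.poe_port_mode]
        if exhausted or need > remaining:
            exhausted = True
            denied.append(port.name)
            continue
        powered[port.name] = need
        remaining = round(remaining - need, 2)
    return powered, denied, remaining


# Constructed example: four powered devices on a model that supports medium priority.
EXAMPLE_MODEL = "FS-524D-FPOE"
EXAMPLE_PORTS = [
    PoePort("port1", "IEEE802_3AF", "low-priority"),       # e.g. a desk phone
    PoePort("port2", "IEEE802_3AT", "critical-priority"),  # e.g. a door camera
    PoePort("port3", "IEEE802_3AT", "high-priority"),      # e.g. an access point
    PoePort("port4", "IEEE802_3AF", "medium-priority"),
]

if __name__ == "__main__":
    for budget in (100.0, 75.0):
        print(f"budget {budget} W:", allocate_poe(budget, EXAMPLE_PORTS, EXAMPLE_MODEL))
```

With a 100 W budget all four ports are powered; with 75 W the two IEEE802_3AT ports consume 60 W, the medium-priority port4 no longer fits, and the low-priority port1 is denied behind it even though 15 W remain.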

Resetting the PoE port
Power over Ethernet (PoE) describes any system that passes electric power along with data on twisted pair Ethernet cabling. Doing this allows a single cable to provide both data connection and electric power to devices (for example, wireless access points, IP cameras, and VoIP phones).

The following command resets PoE on the port:

execute switch-controller poe-reset <FortiSwitch_serial_number> <port_name>

Displaying general PoE status

get switch-controller poe <FortiSwitch_serial_number> <port_name>

The following example displays the PoE status for port 6 on the specified switch:

# get switch-controller poe FS108D3W14000967 port6
Port(6) Power:3.90W, Power-Status: Delivering Power
Power-Up Mode: Normal Mode
Remote Power Device Type: IEEE802.3AT PD
Power Class: 4
Defined Max Power: 30.0W, Priority:3
Voltage: 54.00V
Current: 78mA
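A monitoring job that polls this command needs to turn the text above into fields it can alert on, for instance when a port draws more than its defined maximum or stops delivering power to a device that should be up. The following parser is added here as an example and is not Fortinet code; the sample output is constructed from the values shown above, and the line breaks follow the way the command prints them.

```python
import re

# Constructed sample modelled on the output shown above.
SAMPLE_OUTPUT = """\
Port(6) Power:3.90W, Power-Status: Delivering Power
Power-Up Mode: Normal Mode
Remote Power Device Type: IEEE802.3AT PD
Power Class: 4
Defined Max Power: 30.0W, Priority:3
Voltage: 54.00V
Current: 78mA
"""

# One pattern per field. Searching the whole text keeps the parser tolerant
# of two fields sharing a line (Power/Power-Status, Max Power/Priority).
_FIELDS = {
    "port": (r"Port\((\d+)\)", int),
    "power_w": (r"Power:\s*([\d.]+)W", float),
    "power_status": (r"Power-Status:\s*([^\n]+)", str.strip),
    "power_up_mode": (r"Power-Up Mode:\s*([^\n]+)", str.strip),
    "pd_type": (r"Remote Power Device Type:\s*([^\n]+)", str.strip),
    "power_class": (r"Power Class:\s*(\d+)", int),
    "max_power_w": (r"Defined Max Power:\s*([\d.]+)W", float),
    "priority": (r"Priority:\s*(\d+)", int),
    "voltage_v": (r"Voltage:\s*([\d.]+)V", float),
    "current_ma": (r"Current:\s*(\d+)mA", int),
}


def parse_poe_status(text: str) -> dict:
    """Parse 'get switch-controller poe <serial> <port>' output into a dict."""
    result = {}
    for key, (pattern, convert) in _FIELDS.items():
        match = re.search(pattern, text)
        if match is None:
            raise ValueError(f"field {key!r} not found in output")
        result[key] = convert(match.group(1))
    # Electrical input computed from the reported voltage and current.
    result["electrical_w"] = round(result["voltage_v"] * result["current_ma"] / 1000, 3)
    return result


def poe_findings(status: dict) -> list:
    """Return the anomalies a monitoring job would flag for one port."""
    findings = []
    if status["power_w"] > status["max_power_w"]:
        findings.append("draw exceeds defined max power")
    if status["power_status"] != "Delivering Power":
        findings.append(f"port not delivering power: {status['power_status']}")
    return findings


if __name__ == "__main__":
    status = parse_poe_status(SAMPLE_OUTPUT)
    print(status)
    print("findings:", poe_findings(status) or "none")
```

The port in the sample draws 3.90 W against a 30 W defined maximum and reports "Delivering Power", so `poe_findings` returns nothing; feeding it a status dict whose power exceeds the maximum or whose status is anything else produces one finding per condition.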
Adding 802.3ad link aggregation groups (trunks)
If the trunk is in LACP mode and has ports with different speeds, the ports of the same negotiated speed are grouped in an aggregator. If multiple aggregators exist, one and only one of the aggregators is used by the trunk. You can use the CLI to specify how the aggregator is selected:
- When the aggregator-mode is set to bandwidth, the aggregator with the largest bandwidth is selected. This mode is the default.
- When the aggregator-mode is set to count, the aggregator with the largest number of ports is selected.

Using the FortiGate GUI:
1. Go to WiFi & Switch Controller > FortiSwitch Ports.
2. Click Create New > Trunk.
3. In the New Trunk Group page, enter a Name for the trunk group.
4. Select two or more physical ports to add to the trunk group and then select Apply.
5. Select the Mode: Static, Passive LACP, or Active LACP.
6. Select Enabled or Disabled for the MCLAG.
   - An MCLAG peer group must be configured before adding a trunk with MCLAG enabled. See MCLAG peer groups on page 74.
   - Make sure to select ports from switches that are part of the same MCLAG peer group.
7. Select OK.

Using the FortiGate CLI:

config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        config ports
            edit <trunk_name>
                set type trunk
                set mode {static | lacp-passive | lacp-active}
                set aggregator-mode {bandwidth | count}
                set bundle {enable | disable}
                set min-bundle <int>
                set max-bundle <int>
                set members <port1 port2 ...>
            next
        end
    next
end
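The two aggregator-mode settings can pick different member groups for the same trunk. The following Python function is added here as an example of that selection and is not FortiOS or FortiSwitchOS code; the member speeds are constructed, and the tie-break (prefer the faster group when scores are equal) is an assumption the guide does not define.

```python
from collections import defaultdict


def group_aggregators(members: dict) -> dict:
    """Group trunk members by negotiated speed in Mbps; down links (0/None) are left out."""
    groups = defaultdict(list)
    for port, speed in members.items():
        if speed:
            groups[speed].append(port)
    return dict(groups)


def select_aggregator(members: dict, aggregator_mode: str = "bandwidth"):
    """Pick the single aggregator the trunk will use.

    members maps port name -> negotiated speed in Mbps (0 or None = link down).
    Returns (speed, active_ports, standby_ports); standby ports belong to an
    aggregator that exists but is not the one in use. Assumption: when two
    aggregators score the same, the faster one wins.
    """
    if aggregator_mode not in ("bandwidth", "count"):
        raise ValueError("aggregator-mode must be 'bandwidth' or 'count'")
    groups = group_aggregators(members)
    if not groups:
        return None, [], []

    def score(speed: int) -> tuple:
        if aggregator_mode == "bandwidth":
            return (speed * len(groups[speed]), speed)   # total bandwidth of the group
        return (len(groups[speed]), speed)               # number of ports in the group

    best = max(groups, key=score)
    standby = [p for speed, ports in groups.items() if speed != best for p in ports]
    return best, groups[best], standby


# Constructed trunk: four members negotiated at 1G, two at 10G, one link down.
EXAMPLE_MEMBERS = {
    "port1": 1000, "port2": 1000, "port3": 1000, "port4": 1000,
    "port5": 10000, "port6": 10000,
    "port7": 0,
}

if __name__ == "__main__":
    for mode in ("bandwidth", "count"):
        print(mode, select_aggregator(EXAMPLE_MEMBERS, mode))
```

With these members, bandwidth mode uses the two 10G ports (20 Gbps beats 4 Gbps) and keeps the four 1G ports idle, while count mode uses the four 1G ports and idles the two 10G ports; the down port belongs to neither aggregator.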
MCLAG trunks
The MCLAG trunk consists of 802.3ad link aggregation groups with members that belong to different FortiSwitch units. To configure an MCLAG trunk, you need an MCLAG peer group (see MCLAG peer groups on page 74). The MCLAG trunk members are selected from the same MCLAG peer group.

Using the GUI

1. Go to WiFi & Switch Controller > FortiSwitch Ports.
2. Select Create New > Trunk.
3. Enter a name for the MCLAG trunk.
4. For the MCLAG status, select Enabled to create an active MCLAG trunk.
5. For the mode, select Static, Passive LACP, or Active LACP.
   - Set to Static for static aggregation. In this mode, no control messages are sent, and received control messages are ignored.
   - Set to Passive LACP to passively use LACP to negotiate 802.3ad aggregation.
   - Set to Active LACP to actively use LACP to negotiate 802.3ad aggregation.
6. For trunk members, select Select Members, select the ports to include in the MCLAG trunk, and then select OK to save the trunk members. NOTE: The members must belong to the same MCLAG peer group.
7. Select OK to save the MCLAG configuration. The ports are listed as part of the MCLAG trunk on the FortiSwitch Ports page.

Using the CLI

Configure a trunk in each switch that is part of the MCLAG pair:
- The trunk name for each switch must be the same.
- The port members for each trunk can be different.
- After you enable MCLAG, you can enable LACP if needed.

config switch-controller managed-switch
    edit "<switch-id>"
        config ports
            edit "<trunk name>"
                set type trunk
                set mode {static | lacp-passive | lacp-active}
                set members "<port>,<port>"
                set mclag enable
            next
        end
    next
end

Variable: <switch-id>
    Description: FortiSwitch serial number.
    Default: No default

Variable: <trunk name>
    Description: Enter a name for the MCLAG trunk. NOTE: Each FortiSwitch unit that is part of the MCLAG must have the same MCLAG trunk name configured.
    Default: No default

Variable: type trunk
    Description: Set the interface type to a trunk port.
    Default: physical

Variable: mode {static | lacp-passive | lacp-active}
    Description: Set the LACP mode.
        - Set to static for static aggregation. In this mode, no control messages are sent, and received control messages are ignored.
        - Set to lacp-passive to passively use LACP to negotiate 802.3ad aggregation.
        - Set to lacp-active to actively use LACP to negotiate 802.3ad aggregation.
    Default: lacp-active

Variable: members "<port>,<port>"
    Description: Set the aggregated LAG bundle interfaces.
    Default: No default

Variable: mclag enable
    Description: Enable or disable the MCLAG.
    Default: disable

LACP fallback mode
Starting in FortiOS 7.4.4, LACP fallback mode is supported in the CLI. LACP fallback mode allows a selected port to stay up so that a device not running LACP can still connect to the network. LACP fallback mode is useful if you have a preboot execution environment (PXE) and need to download an image from the network before running LACP in active mode.
When you select the fallback port for a switch trunk, the aggregate interface will use the LACP fallback mode if the trunk does not receive any LACP protocol data units (PDUs). The fallback port is set to up, and all other ports are blocked. When the trunk starts receiving LACP PDUs again, the switch trunk changes from fallback mode to LACP active mode.
When the switch trunk is running LACP in active mode and stops receiving LACP PDUs:
- There is a 90-second delay before LACP fallback mode if the lacp-speed for the switch trunk is set to slow.
- There is a 30-second delay before LACP fallback mode if the lacp-speed for the switch trunk is set to fast.

The following are the requirements and limitations for LACP fallback mode:
- The switch trunk must be running in lacp-active mode.
- If you are using MCLAG, do not configure fallback mode on more than one MCLAG switch. If you configure fallback mode on both MCLAG switches, the diagnose switch mclag peer-consistency-check command will report it as a mismatch.
- You cannot use fallback mode with the min_bundle or max_bundle setting.
- You cannot use fallback mode with an MCLAG split-brain state.
To configure LACP fallback mode:
config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        config ports
            edit <port_name>
                set type trunk
                set mode lacp-active
                set members <port_name_1> <port_name_2> ...
                set fallback-port <port_name>
            next
        end
    next
end

For example:

config switch-controller managed-switch
    edit S524DF4K15000024
        config ports
            edit "first-mclag"
                set vlan "_default.39"
                set allowed-vlans "quarantine.39"
                set untagged-vlans "quarantine.39"
                set type trunk
                set mac-addr 80:80:2c:a3:c5:58
                set mode lacp-active
                set mclag enable
                set members "port7" "port8"
                set fallback-port "port8"
            next
        end
    next
end
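The fallback behaviour described above is a small state machine driven by LACP PDU arrival and the lacp-speed timer. The following Python model is added here as an example, using the members and fallback port from the configuration above; it is not FortiOS or FortiSwitchOS code. It also enforces the requirements listed in this section at configuration time (lacp-active mode, no min-bundle/max-bundle, fallback port must be a member). One assumption is the example's own: a trunk that has never received a PDU is treated as being in fallback from the start, since the guide does not state a start-up timer.

```python
from dataclasses import dataclass
from typing import Optional

# Delay before fallback when PDUs stop, per lacp-speed (from this section).
FALLBACK_DELAY_S = {"slow": 90, "fast": 30}


@dataclass
class LacpFallbackTrunk:
    """Trunk with a fallback-port (added example, not FortiSwitchOS code)."""
    members: list
    fallback_port: str
    mode: str = "lacp-active"
    lacp_speed: str = "slow"
    min_bundle: int = 0            # 0 = not configured
    max_bundle: int = 0            # 0 = not configured
    last_pdu_at: Optional[float] = None   # None = no LACP PDU seen yet

    def __post_init__(self) -> None:
        # Requirements and limitations from this section, checked when configured.
        if self.mode != "lacp-active":
            raise ValueError("fallback-port requires mode lacp-active")
        if self.fallback_port not in self.members:
            raise ValueError("fallback-port must be one of the trunk members")
        if self.min_bundle or self.max_bundle:
            raise ValueError("fallback mode cannot be combined with min-bundle/max-bundle")
        if self.lacp_speed not in FALLBACK_DELAY_S:
            raise ValueError("lacp-speed must be slow or fast")

    def pdu_received(self, now: float) -> None:
        """An LACP PDU arrived on the trunk; this (re)enters LACP active mode."""
        self.last_pdu_at = now

    def state(self, now: float) -> str:
        """Return 'fallback' or 'lacp-active' at time `now` (seconds).

        Assumption: with no PDU ever received the trunk starts in fallback.
        """
        if self.last_pdu_at is None:
            return "fallback"
        if now - self.last_pdu_at >= FALLBACK_DELAY_S[self.lacp_speed]:
            return "fallback"
        return "lacp-active"

    def port_states(self, now: float) -> dict:
        """In fallback only the fallback port is up; otherwise every member forwards."""
        if self.state(now) == "fallback":
            return {p: ("up" if p == self.fallback_port else "blocked") for p in self.members}
        return {p: "up" for p in self.members}


if __name__ == "__main__":
    # Constructed timeline: a PXE client boots with no LACP, the installed OS
    # starts LACP at t=40 s, then the peer goes silent.
    trunk = LacpFallbackTrunk(members=["port7", "port8"], fallback_port="port8")
    print("t=0  ", trunk.state(0), trunk.port_states(0))
    trunk.pdu_received(40)
    print("t=41 ", trunk.state(41), trunk.port_states(41))
    print("t=129", trunk.state(129))
    print("t=130", trunk.state(130), trunk.port_states(130))
```

In the timeline above only port8 forwards until the first PDU arrives at t=40; both members then forward, and after 90 silent seconds (t=130, lacp-speed slow) the trunk drops back to fallback with port7 blocked again. With lacp-speed fast the same transition happens after 30 seconds.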

Configuring FortiSwitch split ports (phy-mode) in FortiLink mode
On FortiSwitch models that provide 40G/100G QSFP (quad small form-factor pluggable) interfaces, you can install a breakout cable to convert one 40G/100G interface into four 10G/25G interfaces. See the list of supported FortiSwitch models in the notes in this section.
FortiLink mode supports the FortiSwitch split-port configuration:
- Configuring split ports on a previously discovered FortiSwitch unit on page 107
- Configuring split ports with a new FortiSwitch unit on page 108
- Configuring forward error correction on switch ports on page 108
- Configuring a split port on the FortiSwitch unit on page 109
Notes
- Split ports are not configured for pre-configured FortiSwitch units.
- Splitting ports is supported on the following FortiSwitch models:
  - FS-3032D (ports 5 to 28 are splittable)
  - FS-3032E (ports can be split into 4 x 25G when configured in 100G QSFP28 mode or can be split into 4 x 10G when configured in 40G QSFP mode. Use the set <port_name>-phy-mode disabled command to disable some 100G ports to allow up to sixty-two 100G/25G/10G ports.)
  - FS-524D and FS-524D-FPOE (ports 29 and 30 are splittable)
  - FS-548D and FS-548D-FPOE (ports 53 and 54 are splittable)
  - FS-1048E: In the 4 x 100G configuration, ports 49, 50, 51, and 52 are splittable as 4 x 25G, 4 x 10G, 4 x 1G, or 2 x 50G. Only two of the available ports can be split.
  - FS-1048E: In the 4 x 4 x 25G configuration, ports 49, 50, 51, and 52 are splittable as 4 x 4 x 25G or 2 x 50G. All four ports can be split, but ports 47 and 48 are disabled.
  - FS-1048E: In the 6 x 40G configuration, ports 49, 50, 51, 52, 53, and 54 are splittable as 4 x 10G or 4 x 1G.
  - FS-T1024E: Ports 25 and 26 have a maximum speed of 100G; each port can be split into four subports of 25G or 10G.
  - FS-1024E: Ports 25 and 26 have a maximum speed of 100G; each port can be split into four subports of 25G or 10G.
  Use the set port-configuration ? command to check which ports are supported for each model.
- Currently, the maximum number of ports supported in software is 64 (including the management port). Therefore, only 10 QSFP ports can be split. This limitation applies to all of the models, but only the FS-3032D, FS-3032E, and the FS-1048E models have enough ports to encounter this limit.
- Use 10000full for the general 10G interface configuration. If that setting does not work, use 10000cr for copper connections (with copper cables such as 10GBASE-CR) or use 10000sr for fiber connections (fiber optic transceivers such as 10GBASE-SR/-LR/-ER/-ZR).
- Starting in FortiOS 7.2.0 and FortiSwitchOS 7.2.0, the FortiGate device automatically updates the port list after split ports are changed and the FortiSwitch unit restarts. When split ports are added or removed, the changes are logged.
Configuring split ports on a previously discovered FortiSwitch unit
Using FortiLink mode over a layer-3 network requires both FortiOS 7.2.x (and later) and FortiSwitchOS 7.2.x (and later).
Before FortiOS 7.2.0:
1. On the FortiSwitch unit, configure the split ports. See Configuring a split port on the FortiSwitch unit on page 109.
2. Restart the FortiSwitch unit.
3. Remove the FortiSwitch from being managed:

config switch-controller managed-switch
    delete <FortiSwitch_serial_number>
end

4. Discover the FortiSwitch unit.
5. Authorize the FortiSwitch unit.

Starting with FortiOS 7.2.0:
1. On the FortiSwitch unit, configure the split ports. See Configuring a split port on the FortiSwitch unit on page 109.
2. Restart the FortiSwitch unit.

Configuring split ports with a new FortiSwitch unit

Using FortiLink mode over a layer-3 network requires both FortiOS 7.2.x (and later) and FortiSwitchOS 7.2.x (and later).

Before FortiOS 7.2.0:
1. Discover the FortiSwitch unit.
2. Authorize the FortiSwitch unit.
3. On the FortiSwitch unit, configure the split ports. See Configuring a split port on the FortiSwitch unit on page 109.
4. Restart the FortiSwitch unit.
5. Remove the FortiSwitch from being managed:

config switch-controller managed-switch
    delete <FortiSwitch_serial_number>
end

6. Discover the FortiSwitch unit.
7. Authorize the FortiSwitch unit.

Starting with FortiOS 7.2.0:
1. Discover the FortiSwitch unit.
2. Authorize the FortiSwitch unit.
3. On the FortiSwitch unit, configure the split ports. See Configuring a split port on the FortiSwitch unit on page 109.
4. Restart the FortiSwitch unit.

Configuring forward error correction on switch ports

Supported managed-switch ports of the FS-1048E and FS-3032E can be configured with a forward error correction (FEC) state of Clause 74 FC-FEC for 25-Gbps ports and Clause 91 RS-FEC for 100-Gbps ports.
Starting in FortiOS 7.4.2, when a FortiSwitch unit is capable of FEC, the default setting for fec-state is detect-by-module, which automatically detects whether FEC is supported by the module.

config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        config ports
            edit <port_name>
                set fec-capable {0 | 1}
                set fec-state {cl74 | cl91 | detect-by-module | disabled}
            next
        end
    next
end

fec-capable {0 | 1}
    Set whether the port is FEC capable.
    - 0: The port is not FEC capable.
    - 1: The port is FEC capable.

fec-state {cl74 | cl91 | detect-by-module | disabled}
    Set the FEC state:
    - cl74: Enable Clause 74 FC-FEC. This option is only available on FS-1048E, FS-3032E, FS-1024E, and FS-T1024E ports that have been split to 4x25G.
    - cl91: Enable Clause 91 RS-FEC. This option is only available on FS-1048E and FS-3032E ports that have been split to 4x100G.
    - detect-by-module: Automatically detect whether FEC is supported by the module.
    - disabled: Disable FEC on the port.

In this example, a FortiSwitch FS-3032E that is managed by a FortiGate device is configured with Clause 74 FC-FEC on port 16.1 and Clause 91 RS-FEC on port 8.
config switch-controller managed-switch
    edit FS3E32T419000000
        config ports
            edit port16.1
                set fec-state cl74
            next
            edit port8
                set fec-state cl91
            next
        end
    next
end

Configuring a split port on the FortiSwitch unit
To configure a split port:
config switch phy-mode
    set port-configuration {default | disable-port54 | disable-port41-48 | 4x100G | 6x40G | 4x4x25G}
    set <port-name>-phy-mode {single-port | 4x25G | 4x10G | 4x1G | 2x50G}
    ... (one entry for each port that supports split port)
end
The following settings are available:
- disable-port54: For 548D and 548D-FPOE, only port53 is splittable; port54 is unavailable.
- disable-port41-48: For 548D and 548D-FPOE, port41 to port48 are unavailable, but you can configure port53 and port54 in split mode.
- 4x100G: For 1048E, enable the maximum speed (100G) of ports 49 through 52. Ports 53 and 54 are disabled.
- 6x40G: For 1048E, enable the maximum speed (40G) of ports 49 through 54.
- 4x4x25G: For 1048E, enable the maximum speed (100G) of ports 49 through 52; each split port has a maximum speed of 25G. Ports 47 and 48 are disabled.
- single-port: Use the port at the full base speed without splitting it.
- 4x25G: For 100G QSFP only, split one port into four subports of 25 Gbps each.
- 4x10G: For 40G or 100G QSFP only, split one port into four subports of 10 Gbps each.
- 4x1G: For 40G or 100G QSFP only, split one port into four subports of 1 Gbps each.
- 2x50G: For 100G QSFP only, split one port into two subports of 50 Gbps each.

NOTE: For the FS-T1024E and FS-1024E models, the auto-module selects the correct speed for the subports. If you insert a 100G QSFP28 module, the subports are automatically changed to 4x25G. If you insert a 40G QSFP+ module, the subports are automatically changed to 4x10G.
In the following example, a FortiSwitch 524D is configured with port29 set to 4x10G:
config switch phy-mode
    set port29-phy-mode 4x10G
end

The system applies the configuration only after you enter the end command, displaying the following message:

This change will cause a ports to be added and removed, this will cause loss of configuration on removed ports. The system will have to reboot to apply this change.
Do you want to continue? (y/n)y

To configure one of the split ports, use the notation ".x" to specify the split port:

config switch physical-port
    edit "port1"
        set lldp-profile "default-auto-isl"
        set speed auto
    next
    edit "port2"
        set lldp-profile "default-auto-isl"
        set speed auto
    next
    ...
    edit "port29.1"
        set lldp-profile "default-auto-isl"
        set speed auto-module
    next
    edit "port29.2"
        set lldp-profile "default-auto-isl"
        set speed auto-module
    next
    edit "port29.3"
        set lldp-profile "default-auto-isl"
        set speed auto-module
    next
    edit "port29.4"
        set lldp-profile "default-auto-isl"
        set speed auto-module
    next
    edit "port30"
        set lldp-profile "default-auto-isl"
        set speed auto-module
    next
end

Restricting the type of frames allowed through IEEE 802.1Q ports
You can now specify whether each FortiSwitch port discards tagged 802.1Q frames or untagged 802.1Q frames or allows all frames access to the port. By default, all frames have access to each FortiSwitch port. Use the following CLI commands:

config switch-controller managed-switch
    edit <SN>
        config ports
            edit <port_name>
                set discard-mode {none | all-tagged | all-untagged}
            next
        end
    next
end
Multitenancy and VDOMs
This section covers the following topics:
- FortiSwitch ports dedicated to VDOMs on page 111
- FortiSwitch VLANs from different VDOMs sharing the same FortiSwitch ports on page 114
FortiSwitch ports dedicated to VDOMs
Virtual domains (VDOMs) are a method of dividing a FortiGate unit into two or more virtual units that function as multiple independent units. VDOMs provide separate security domains that allow separate zones, user authentication, security policies, routing, and VPN configurations. FortiSwitch ports can now be shared between VDOMs. Starting in FortiOS 6.2.0, the following features are supported on FortiSwitch ports shared between VDOMs:
- PoE pre-standard detection (on a per-port basis if the FortiSwitch model supports this feature)
- Learning limit for dynamic MAC addresses on ports, trunks, and VLANs (if the FortiSwitch unit supports this feature)
- QoS egress CoS queue policy (if the FortiSwitch unit supports this feature)
- Port security policy
The following example shows how to share FortiSwitch ports between VDOMs:
1. In the tenant VDOM named bbb, create a VLAN interface using the following CLI commands (not supported in the GUI):

FG5H0E3917900081 (bbb) # config system interface
    edit "bbb-vlan99"
        set vdom "bbb"
        set allowaccess ping
        set device-identification enable
        set role lan
        set snmp-index 58
        set switch-controller-dhcp-snooping enable
        set interface "flink-lag"    // this is the FortiLink interface in the root VDOM
        set vlanid 99
    next
end

config switch-controller global
    set default-virtual-switch-vlan "bbb-vlan99"
end
2. Go back to the root VDOM. Pick a switch port to share between VDOMs, port10 in this case.
FG5H0E3917900081 (vdom) # edit root
current vf=root:0
FG5H0E3917900081 (root) # config switch-controller managed-switch
FG5H0E3917900081 (managed-switch) # edit S548DF4K15000276
FG5H0E3917900081 (S548DF4K15000276) # config ports
FG5H0E3917900081 (ports) # edit port10
FG5H0E3917900081 (port10) # set export-to bbb

If you want to use the virtual-pool feature instead:

FG5H0E3917900081 (root) # config switch-controller virtual-port-pool
    edit "bbb-pool"
        set description "bbb-vlan-pool"
end

FG5H0E3917900081 (root) # config switch-controller managed-switch
FG5H0E3917900081 (managed-switch) # edit S548DF4K15000276
FG5H0E3917900081 (S548DF4K15000276) # config port
FG5H0E3917900081 (ports) # edit port11
FG5H0E3917900081 (port11) # set export-to-pool bbb-pool
3. Go back to the bbb VDOM to claim port11 because it is in the virtual pool but not directly exported to the VDOM yet. (The administrator might want to pre-assign some ports in the tenant VDOM and let the tenant VDOM administrator claim them before they are used.)
FG5H0E3917900081 (bbb) # execute switch-controller virtual-port-pool request S548DF4K15000276 port11
FG5H0E3917900081 (bbb) # config switch-controller managed-switch    // The switch port is now in the bbb VDOM even though there is no FortiLink interface in the bbb VDOM.
FG5H0E3917900081 (managed-switch) # show
config switch-controller managed-switch
    edit "S548DF4K15000276"
        set poe-detection-type 1
        set type virtual
        set owner-vdom "root"
        config ports
            edit "port10"
                set poe-capable 1
                set vlan "bbb-vlan99"
            next
            edit "port11"
                set poe-capable 1
                set vlan "bbb-vlan99"
            next
        end
    next
end
4. Check your configuration on the root VDOM:
FG5H0E3917900081 (port10) # show
config ports
    edit "port10"
        set poe-capable 1
        set export-to "bbb"
    next
end

FG5H0E3917900081 (port11) # show
config ports
    edit "port11"
        set poe-capable 1
        set export-to-pool "bbb-pool"
        set export-to "bbb"
    next
end

5. Check your configuration on the tenant VDOM:

FG5H0E3917900081 (ports) # show
config ports
    edit "port10"
        set poe-capable 1
        set vlan "bbb-vlan99"
    next
    edit "port11"
        set poe-capable 1
        set vlan "bbb-vlan99"
    next
end
You can create your own export tags using the following CLI commands:
config switch-controller switch-interface-tag
    edit <tag_name>
end
Use the following CLI command to list the contents of a specific VPP:
execute switch-controller virtual-port-pool show-by-pool <VPP_name>
Use the following CLI command to list all VPPs and their contents:
execute switch-controller virtual-port-pool show
NOTE: Shared ports do not support the following features:
- LLDP
- STP
- BPDU guard
- Root guard
- DHCP snooping
- IGMP snooping
- MCLAG
- Quarantines

NOTE: After you export a switch port to a pool, if you need to export the switch port to a different pool, you need to exit/abort and then re-enter into the FortiSwitch CLI port configuration.
FortiSwitch VLANs from different VDOMs sharing the same FortiSwitch ports
In this scenario, there is no administrative separation, and all FortiSwitch ports and VLANs are created and assigned by the administrator of the VDOM where the FortiSwitch unit is controlled, usually root.
1. From the global level, go to Network > Interfaces and click Create New to create the VLANs and then assign them to their respective VDOMs.
2. From the CLI, assign the VLANs to the FortiSwitch ports. The assigned VLANs are displayed in the GUI (WiFi & Switch Controller > FortiSwitch Ports) in the root VDOM.
NOTE: FortiSwitch units are not visible in non-root VDOMs.


Configuring switching features
This section covers the following features:
- Configuring DHCP blocking, STP, and loop guard on managed FortiSwitch ports on page 115
- Configuring edge ports on page 116
- Configuring loop guard on page 117
- Configuring STP settings on page 117
- Dynamic MAC address learning on page 124
- Configuring storm control on page 127
- Configuring IGMP-snooping settings on page 128
- Configuring PTP transparent-clock mode on page 131
Configuring DHCP blocking, STP, and loop guard on managed FortiSwitch ports
Go to WiFi & Switch Controller > FortiSwitch Ports. Right-click any port and then enable or disable the following features:
- DHCP Snooping: The DHCP blocking feature monitors the DHCP traffic from untrusted sources (for example, typically host ports and unknown DHCP servers) that might initiate traffic attacks or other hostile actions. To prevent this, DHCP blocking filters messages on untrusted ports.
- Spanning Tree Protocol (STP): STP is a link-management protocol that ensures a loop-free layer-2 network topology.
- Loop guard: A loop in a layer-2 network results in broadcast storms that have far-reaching and unwanted effects. Fortinet loop guard helps to prevent loops. When loop guard is enabled on a switch port, the port monitors its subtending network for any downstream loops. The loop guard feature is designed to work in concert with STP rather than as a replacement for STP.
- STP BPDU guard: Similar to root guard, BPDU guard protects the designed network topology. When BPDU guard is enabled on STP edge ports, any BPDUs received cause the ports to go down for a specified number of minutes. The BPDUs are not forwarded, and the network edge is enforced.
- STP root guard: Root guard protects the interface on which it is enabled from becoming the path to root. When enabled on an interface, superior BPDUs received on that interface are ignored or dropped. Without using root guard, any switch that participates in STP maintains the ability to reroute the path to root. Rerouting might cause your network to transmit large amounts of traffic across suboptimal links or allow a malicious or misconfigured device to pose a security risk by passing core traffic through an insecure device for packet capture or inspection. By enabling root guard on multiple interfaces, you can create a perimeter around your existing paths to root to enforce the specified network topology.
STP and IGMP snooping are enabled on all ports by default. Loop guard is disabled by default on all ports.


Configuring edge ports
Use the following commands to enable or disable an interface as an edge port:
config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        config ports
            edit <port_name>
                set edge-port {enable | disable}
            end
        end

For example:

config switch-controller managed-switch
    edit S524DF4K15000024
        config ports
            edit port1
                set edge-port enable
            end
        end

Configuring loop guard
A loop in a layer-2 network results in broadcast storms that have far-reaching and unwanted effects. Fortinet loop guard helps to prevent loops. When loop guard is enabled on a switch port, the port monitors its subtending network for any downstream loops. Loop guard and STP should be used separately for loop protection. By default, loop guard is disabled on all ports.

Use the following commands to configure loop guard on a FortiSwitch port:

config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        config ports
            edit <port_name>
                set loop-guard {enabled | disabled}
                set loop-guard-timeout <0-120 minutes>
            end
        end

For example:

config switch-controller managed-switch
    edit S524DF4K15000024
        config ports
            edit port1
                set loop-guard enabled
                set loop-guard-timeout 10
            end
        end
Configuring STP settings
The managed FortiSwitch unit supports Spanning Tree Protocol (a link-management protocol that ensures a loop-free layer-2 network topology) as well as Multiple Spanning Tree Protocol (MSTP), which is defined in the IEEE 802.1Q standard. MSTP supports multiple spanning tree instances, where each instance carries traffic for one or more VLANs (the mapping of VLANs to instances is configurable). MSTP is backward-compatible with STP and Rapid Spanning Tree Protocol (RSTP). A layer-2 network can contain switches that are running MSTP, STP, or RSTP. MSTP is built on RSTP, so it provides fast recovery from network faults and fast convergence times.
Changing the auto-stp-priority setting causes FortiLink to go down temporarily.
This section covers the following topics:
- Configuring STP on FortiSwitch ports on page 119
- Configuring STP root guard on page 121
- Configuring STP BPDU guard on page 121
- Configuring interoperation with per-VLAN RSTP on page 123

To configure STP for all managed FortiSwitch units:

config switch-controller stp-settings
  set name <name>
  set revision <stp revision>
  set hello-time <hello time>
  set forward-time <forwarding delay>
  set max-age <maximum aging time>
  set max-hops <maximum number of hops>
end

To override the global STP settings for a specific FortiSwitch unit:

config switch-controller managed-switch
  edit <switch-id>
    config stp-settings
      set local-override enable
    end

To configure MSTP instances:

config switch-controller stp-instance
  edit <id>
    set vlan-range <list of VLAN names>
end
config switch-controller managed-switch
  edit <FortiSwitch_serial_number>
    config stp-instance
      edit <id>
        set priority <0 | 4096 | 8192 | 12288 | 16384 | 20480 | 24576 | 28672 | 32768 | 36864 | 40960 | 45056 | 49152 | 53248 | 57344 | 61440>
      next
    end
  next
end

For example:

config switch-controller stp-instance
  edit 1
    set vlan-range vlan1 vlan2 vlan3
end
config switch-controller managed-switch
  edit S524DF4K15000024
    config stp-instance
      edit 1
        set priority 16384
      next
    end
  next
end


Configuring STP on FortiSwitch ports

Starting with FortiSwitch Release 3.4.2, STP is enabled by default for the non-FortiLink ports on the managed FortiSwitch units. STP is a link-management protocol that ensures a loop-free layer-2 network topology.

NOTE: STP is not supported between a FortiGate unit and a FortiSwitch unit in FortiLink mode.

Use the following commands to enable or disable STP on FortiSwitch ports:

config switch-controller managed-switch
  edit <FortiSwitch_serial_number>
    config ports
      edit <port_name>
        set stp-state {enabled | disabled}
      end
  end

For example:

config switch-controller managed-switch
  edit S524DF4K15000024
    config ports
      edit port1
        set stp-state enabled
      end
  end

To check the STP configuration on a FortiSwitch, use the following command:

diagnose switch-controller switch-info stp <FortiSwitch_serial_number> <instance_number>

For example:

FG100D3G15817028 # diagnose switch-controller switch-info stp S524DF4K15000024 0

MST Instance Information, primary-Channel:
Instance ID : 0
Switch Priority : 24576
Root MAC Address : 085b0ef195e4
Root Priority: 24576
Root Pathcost: 0
Regional Root MAC Address : 085b0ef195e4
Regional Root Priority: 24576
Regional Root Path Cost: 0
Remaining Hops: 20
This Bridge MAC Address : 085b0ef195e4
This bridge is the root

Port             Loop Protection  Speed  Cost       Priority  Role        State       Edge  STP-Status
________________ ________________ ______ __________ _________ ___________ __________  ____  __________
port1            NO               -      200000000  128       DISABLED    DISCARDING  YES   ENABLED
port2            NO               -      200000000  128       DISABLED    DISCARDING  YES   ENABLED
port3            NO               -      200000000  128       DISABLED    DISCARDING  YES   ENABLED
port4            NO               -      200000000  128       DISABLED    DISCARDING  YES   ENABLED
port5            NO               -      200000000  128       DISABLED    DISCARDING  YES   ENABLED
port6            NO               -      200000000  128       DISABLED    DISCARDING  YES   ENABLED
port7            NO               -      200000000  128       DISABLED    DISCARDING  YES   ENABLED
port8            NO               -      200000000  128       DISABLED    DISCARDING  YES   ENABLED
port9            NO               -      200000000  128       DISABLED    DISCARDING  YES   ENABLED
port10           NO               -      200000000  128       DISABLED    DISCARDING  YES   ENABLED
port11           NO               -      200000000  128       DISABLED    DISCARDING  YES   ENABLED
port12           NO               -      200000000  128       DISABLED    DISCARDING  YES   ENABLED
port13           NO               -      200000000  128       DISABLED    DISCARDING  YES   ENABLED
port14           NO               -      200000000  128       DISABLED    DISCARDING  YES   ENABLED
port15           NO               -      200000000  128       DISABLED    DISCARDING  YES   ENABLED
port16           NO               -      200000000  128       DISABLED    DISCARDING  YES   ENABLED
port17           NO               -      200000000  128       DISABLED    DISCARDING  YES   ENABLED
port18           NO               -      200000000  128       DISABLED    DISCARDING  YES   ENABLED
port19           NO               -      200000000  128       DISABLED    DISCARDING  YES   ENABLED
port20           NO               -      200000000  128       DISABLED    DISCARDING  YES   ENABLED
port21           NO               -      200000000  128       DISABLED    DISCARDING  YES   ENABLED
port22           NO               -      200000000  128       DISABLED    DISCARDING  YES   ENABLED
port23           NO               -      200000000  128       DISABLED    DISCARDING  YES   ENABLED
port25           NO               -      200000000  128       DISABLED    DISCARDING  YES   ENABLED
port26           NO               -      200000000  128       DISABLED    DISCARDING  YES   ENABLED
port27           NO               -      200000000  128       DISABLED    DISCARDING  YES   ENABLED
port28           NO               -      200000000  128       DISABLED    DISCARDING  YES   ENABLED
port29           NO               -      200000000  128       DISABLED    DISCARDING  YES   ENABLED
port30           NO               -      200000000  128       DISABLED    DISCARDING  YES   ENABLED
internal         NO               1G     20000      128       DESIGNATED  FORWARDING  YES   DISABLED
__FoRtI1LiNk0__  NO               1G     20000      128       DESIGNATED  FORWARDING  YES   DISABLED

Configuring STP root guard
Root guard protects the interface on which it is enabled from becoming the path to root. When enabled on an interface, superior BPDUs received on that interface are ignored or dropped. Without using root guard, any switch that participates in STP maintains the ability to reroute the path to root. Rerouting might cause your network to transmit large amounts of traffic across suboptimal links or allow a malicious or misconfigured device to pose a security risk by passing core traffic through an insecure device for packet capture or inspection. By enabling root guard on multiple interfaces, you can create a perimeter around your existing paths to root to enforce the specified network topology.
Enable root guard on all ports that should not be root bridges. Do not enable root guard on the root port. You must have STP enabled to be able to use root guard.
Use the following commands to enable or disable STP root guard on FortiSwitch ports:
config switch-controller managed-switch
  edit <FortiSwitch_serial_number>
    config ports
      edit <port_name>
        set stp-root-guard {enabled | disabled}
      end
  end
For example:
config switch-controller managed-switch
  edit S524DF4K15000024
    config ports
      edit port1
        set stp-root-guard enabled
      end
  end
Configuring STP BPDU guard
Similar to root guard, BPDU guard protects the designed network topology. When BPDU guard is enabled on STP edge ports, any BPDUs received cause the ports to go down for a specified number of minutes. The BPDUs are not forwarded, and the network edge is enforced.
There are two prerequisites for using BPDU guard:
- You must define the port as an edge port with the set edge-port enable command.
- You must enable STP on the switch interface with the set stp-state enabled command.
You can set how long the port will go down when a BPDU is received, up to a maximum of 120 minutes. The default port timeout is 5 minutes. If you set the timeout value to 0, the port will not come back up automatically after a BPDU is received; you will have to manually reset the port.
Use the following commands to enable or disable STP BPDU guard on FortiSwitch ports:
config switch-controller managed-switch
  edit <FortiSwitch_serial_number>
    config ports
      edit <port_name>
        set stp-bpdu-guard {enabled | disabled}
        set stp-bpdu-guard-time <0-120>
      end
  end


For example:
config switch-controller managed-switch
  edit S524DF4K15000024
    config ports
      edit port1
        set stp-bpdu-guard enabled
        set stp-bpdu-guard-time 10
      end
  end
To check the configuration of STP BPDU guard on a FortiSwitch unit, use the following command:
diagnose switch-controller switch-info bpdu-guard-status <FortiSwitch_serial_number>
For example:
FG100D3G15817028 # diagnose switch-controller switch-info bpdu-guard-status S524DF4K15000024
Managed Switch : S524DF4K15000024 0

Portname          State     Status     Timeout(m)  Count  Last-Event
_________________ _______   _________  __________  _____  _______________
port1             enabled   -          10          0      -
port2             disabled  -          -           -      -
port3             disabled  -          -           -      -
port4             disabled  -          -           -      -
port5             disabled  -          -           -      -
port6             disabled  -          -           -      -
port7             disabled  -          -           -      -
port8             disabled  -          -           -      -
port9             disabled  -          -           -      -
port10            disabled  -          -           -      -
port11            disabled  -          -           -      -
port12            disabled  -          -           -      -
port13            disabled  -          -           -      -
port14            disabled  -          -           -      -
port15            disabled  -          -           -      -
port16            disabled  -          -           -      -
port17            disabled  -          -           -      -
port18            disabled  -          -           -      -
port19            disabled  -          -           -      -
port20            disabled  -          -           -      -
port21            disabled  -          -           -      -
port22            disabled  -          -           -      -
port23            disabled  -          -           -      -
port25            disabled  -          -           -      -
port26            disabled  -          -           -      -
port27            disabled  -          -           -      -
port28            disabled  -          -           -      -
port29            disabled  -          -           -      -
port30            disabled  -          -           -      -
__FoRtI1LiNk0__   disabled  -          -           -      -
Configuring interoperation with per-VLAN RSTP
Starting in FortiOS 6.4.2, managed FortiSwitch units can interoperate with a network that is running RPVST+. The existing network's configuration can be maintained while adding managed FortiSwitch units as an extended region. By default, interoperation with RPVST+ is disabled. When an MSTP domain is connected with an RPVST+ domain, FortiSwitch interoperation with the RPVST+ domain works in two ways:
- If the root bridge for the CIST is within an MSTP region, the boundary FortiSwitch unit of the MSTP region duplicates instance 0 information, creates one BPDU for every VLAN, and sends the BPDUs to the RPVST+ domain.
  In this case, follow this rule: If the root bridge for the CIST is within an MSTP region, VLANs other than VLAN 1 defined in the RPVST+ domains must have their bridge priorities worse (numerically greater) than that of the CIST root bridge within the MSTP region.
- If the root bridge for the CIST is within an RPVST+ domain, the boundary FortiSwitch unit processes only the VLAN 1 information received from the RPVST+ domain. The other BPDUs (VLANs 2 and above) sent from the connected RPVST+ domain are used only for consistency checks.
  In this case, follow this rule: If the root bridge for the CIST is within the RPVST+ domain, the root bridge priority of VLANs other than VLAN 1 within that domain must be better (numerically less) than that of VLAN 1.
To configure interoperation with RPVST+:
config switch-controller managed-switch
  edit <FortiSwitch_serial_number>
    config ports
      edit <port_name>
        set rpvst-port {enabled | disabled}
      next
    end

For example:

FGT-1 (testvdom) # config switch-controller managed-switch
FGT-1 (managed-switch) # edit FS3E32T419000006
FGT-1 (FS3E32T419000006) # config ports
FGT-1 (ports) # edit port5
FGT-1 (port5) # set rpvst-port enabled
FGT-1 (port5) # next
FGT-1 (ports) # end

A maximum of 16 VLANs is supported; the maximum number of VLANs includes native VLANs. You must configure the same VLANs as those used in the RPVST+ domain.

To check your configuration and to diagnose any problems:

diagnose switch-controller switch-info rpvst <FortiSwitch_serial_number> <port_name>

For example:

diagnose switch-controller switch-info rpvst FS3E32T419000006 port5
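The following Python function is an added example for this guide, not Fortinet code. It checks a planned MSTP/RPVST+ layout against the two priority rules stated above, the 16-VLAN limit, and the 4096-step priority values that the stp-instance priority setting accepts; the domain names "mstp" and "rpvst", the argument names, and the sample priorities are assumptions for illustration.

```python
"""Check the bridge-priority rules for MSTP / RPVST+ interoperation.

Added example for this guide, not Fortinet code. `cist_root_in` names the
domain that holds the CIST root bridge ("mstp" or "rpvst"),
`cist_root_priority` is the priority of the CIST root inside the MSTP
region, and `rpvst_priorities` maps each VLAN ID configured in the RPVST+
domain to the root bridge priority of that VLAN there.
"""

MAX_RPVST_VLANS = 16                          # limit stated in the guide, native VLANs included
VALID_PRIORITIES = range(0, 61440 + 1, 4096)  # 0, 4096, ..., 61440 (stp-instance priority values)


def check_rpvst_interop(cist_root_in, cist_root_priority, rpvst_priorities):
    """Return a list of rule violations; an empty list means the layout is consistent."""
    if cist_root_in not in ("mstp", "rpvst"):
        raise ValueError("cist_root_in must be 'mstp' or 'rpvst'")
    problems = []

    if len(rpvst_priorities) > MAX_RPVST_VLANS:
        problems.append(f"{len(rpvst_priorities)} VLANs configured; at most {MAX_RPVST_VLANS} are supported")

    for vlan, prio in sorted(rpvst_priorities.items()):
        if prio not in VALID_PRIORITIES:
            problems.append(f"VLAN {vlan}: priority {prio} is not a multiple of 4096 in 0..61440")

    if cist_root_in == "mstp":
        # Rule 1: with the CIST root inside the MSTP region, every VLAN other than
        # VLAN 1 in the RPVST+ domain must have a worse (numerically greater)
        # priority than the CIST root bridge.
        for vlan, prio in sorted(rpvst_priorities.items()):
            if vlan != 1 and prio <= cist_root_priority:
                problems.append(f"VLAN {vlan}: priority {prio} is not worse than CIST root priority {cist_root_priority}")
    else:
        # Rule 2: with the CIST root inside the RPVST+ domain, only VLAN 1
        # information is processed at the boundary, so every other VLAN's root
        # priority must be better (numerically less) than VLAN 1's.
        vlan1 = rpvst_priorities.get(1)
        if vlan1 is None:
            problems.append("VLAN 1 priority is required to evaluate the RPVST+-root rule")
        else:
            for vlan, prio in sorted(rpvst_priorities.items()):
                if vlan != 1 and prio >= vlan1:
                    problems.append(f"VLAN {vlan}: priority {prio} is not better than VLAN 1 priority {vlan1}")
    return problems


if __name__ == "__main__":
    # Constructed layout: CIST root in the MSTP region at priority 24576.
    example = {1: 32768, 10: 28672, 20: 24576}
    for msg in check_rpvst_interop("mstp", 24576, example):
        print(msg)
```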

Dynamic MAC address learning
You can enable or disable dynamic MAC address learning on a port or VLAN. The existing dynamic MAC entries are flushed when you change this setting. If you disable MAC address learning, you can set the behavior for an incoming packet with an unknown MAC address (to drop or forward the packet).
This section covers the following topics:
- Limiting the number of learned MAC addresses on a FortiSwitch interface on page 124
- Controlling how long learned MAC addresses are saved on page 125
- Logging violations of the MAC address learning limit on page 125
- Persistent (sticky) MAC addresses on page 126
- Logging changes to MAC addresses on page 127
Limiting the number of learned MAC addresses on a FortiSwitch interface
You can limit the number of MAC addresses learned on a FortiSwitch interface (port or VLAN). The limit ranges from 1 to 128. If the limit is set to the default value zero, there is no learning limit.
NOTE: Static MAC addresses are not counted in the limit. The limit refers only to learned MAC addresses.
Use the following CLI commands to limit MAC address learning on a VLAN:
config switch vlan
  edit <integer>
    set switch-controller-learning-limit <limit>
  end
end

For example:

config switch vlan
  edit 100
    set switch-controller-learning-limit 20
  end
end
Use the following CLI commands to limit MAC address learning on a port:
config switch-controller managed-switch
  edit <FortiSwitch_serial_number>
    config ports
      edit <port_name>
        set learning-limit <limit>
      next
    end
  end
end

For example:

config switch-controller managed-switch
  edit S524DF4K15000024
    config ports
      edit port3
        set learning-limit 50
      next
    end
  end
end
Controlling how long learned MAC addresses are saved
You can change how long learned MAC addresses are stored. By default, each learned MAC address is aged out after 300 seconds. After this amount of time, the inactive MAC address is deleted from the FortiSwitch hardware. The value ranges from 10 to 1,000,000 seconds. Set the value to 0 to disable MAC address aging.

config switch-controller global
  set mac-aging-interval <10 to 1000000>
end

For example:

config switch-controller global
  set mac-aging-interval 500
end

If the mac-aging-interval is disabled by being set to 0, you can still control when inactive MAC addresses are removed from the FortiSwitch hardware. By default, inactive MAC addresses are removed after 24 hours. The value ranges from 0 to 168 hours. Set the value to 0 to use the mac-aging-interval setting to control when inactive MAC addresses are deleted.

config switch-controller global
  set mac-retention-period <0 to 168>
end

For example:

config switch-controller global
  set mac-retention-period 36
end
Logging violations of the MAC address learning limit
If you want to see the first MAC address that exceeded the learning limit for an interface or VLAN, you can enable the learning-limit violation log for a managed FortiSwitch unit. Only one violation is recorded per interface or VLAN.
By default, logging is disabled. The most recent violation that occurred on each interface or VLAN is recorded in the system log. After that, no more violations are logged until the log is reset for the triggered interface or VLAN. Only the most recent 128 violations are displayed in the console.
Use the following commands to control the learning-limit violation log and to control how long learned MAC addresses are saved:

config switch-controller global
  set mac-violation-timer <0-1500>
  set log-mac-limit-violations {enable | disable}
end

For example:

config switch-controller global
  set mac-violation-timer 1000
  set log-mac-limit-violations enable
end
To view the content of the learning-limit violation log for a managed FortiSwitch unit, use one of the following commands:
- diagnose switch-controller switch-info mac-limit-violations all <FortiSwitch_serial_number>
- diagnose switch-controller switch-info mac-limit-violations interface <FortiSwitch_serial_number> <port_name>
- diagnose switch-controller switch-info mac-limit-violations vlan <FortiSwitch_serial_number> <VLAN_ID>
For example, to view the learning-limit violation log for VLAN 5 on a managed FortiSwitch unit:

diagnose switch-controller switch-info mac-limit-violations vlan S124DP3XS12345678 5
To reset the learning-limit violation log for a managed FortiSwitch unit, use one of the following commands:
- execute switch-controller mac-limit-violation reset all <FortiSwitch_serial_number>
- execute switch-controller mac-limit-violation reset vlan <FortiSwitch_serial_number> <VLAN_ID>
- execute switch-controller mac-limit-violation reset interface <FortiSwitch_serial_number> <port_name>
For example, to clear the learning-limit violation log for port 5 of a managed FortiSwitch unit:

execute switch-controller mac-limit-violation reset interface S124DP3XS12345678 port5
Persistent (sticky) MAC addresses
You can make dynamically learned MAC addresses persistent when the status of a FortiSwitch port changes (goes down or up). By default, MAC addresses are not persistent.
Use the following commands to configure the persistence of MAC addresses on an interface:

config switch-controller managed-switch
  edit <FortiSwitch_serial_number>
    config ports
      edit <port_name>
        set sticky-mac {enable | disable}
      next
    end

You can also save persistent MAC addresses to the FortiSwitch configuration file so that they are automatically loaded when the FortiSwitch unit is rebooted. By default, persistent entries are lost when a FortiSwitch unit is rebooted. Use the following commands to save persistent MAC addresses for a specific interface or all interfaces:

execute switch-controller switch-action sticky-mac save interface <FortiSwitch_serial_number> <port_name>
execute switch-controller switch-action sticky-mac save all <FortiSwitch_serial_number>

Use one of the following commands to delete the persistent MAC addresses instead of saving them in the FortiSwitch configuration file:

execute switch-controller switch-action sticky-mac delete-unsaved all <FortiSwitch_serial_number>
execute switch-controller switch-action sticky-mac delete-unsaved interface <FortiSwitch_serial_number> <port_name>
Logging changes to MAC addresses
Use the following commands to create syslog entries for when MAC addresses are learned, aged out, and removed:

config switch-controller global
  set mac-event-logging enable
end

Configuring storm control
Storm control uses the data rate (packets/sec, default 500) of the link to measure traffic activity, preventing traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on a port.
When the data rate exceeds the configured threshold, storm control drops excess traffic. You can configure the types of traffic to drop: broadcast, unknown unicast, or multicast. By default, these three types of traffic are not dropped.
To configure storm control for all switch ports (including both FortiLink ports and non-FortiLink ports) on the managed switches, use the following FortiOS CLI commands:
config switch-controller storm-control
  set rate <rate>
  set unknown-unicast {enable | disable}
  set unknown-multicast {enable | disable}
  set broadcast {enable | disable}
end

To configure storm control for a FortiSwitch port, use the FortiOS CLI to select the override storm-control-mode in the storm-control policy and then assign the storm-control policy to the FortiSwitch port.

config switch-controller storm-control-policy
  edit <storm_control_policy_name>
    set description <description_of_the_storm_control_policy>
    set storm-control-mode override
    set rate <1-10000000 or 0 to drop all packets>
    set unknown-unicast {enable | disable}
    set unknown-multicast {enable | disable}
    set broadcast {enable | disable}
  next
end
config switch-controller managed-switch
  edit <FortiSwitch_serial_number>
    config ports
      edit port5
        set storm-control-policy <storm_control_policy_name>
      next
    end
For example:

config switch-controller storm-control-policy
  edit stormpol1
    set description "storm control policy for port 5"
    set storm-control-mode override
    set rate 1000
    set unknown-unicast enable
    set unknown-multicast enable
    set broadcast enable
  next
end
config switch-controller managed-switch
  edit S524DF4K15000024
    config ports
      edit port5
        set storm-control-policy stormpol1
      next
    end

Configuring IGMP-snooping settings

You need to configure global IGMP-snooping settings and IGMP-snooping settings on a FortiSwitch unit before configuring the IGMP-snooping proxy and IGMP-snooping querier.
You cannot use IGMP snooping when network access control (NAC) has been enabled on a global scale with set mode global under the config switch-controller nac-settings command.
This section covers the following topics:
- Configuring global IGMP-snooping settings on page 128
- Configuring IGMP-snooping settings on a switch on page 129
- Configuring the IGMP-snooping proxy on page 129
- Configuring the IGMP-snooping querier on page 130
Configuring global IGMP-snooping settings
Use the following commands to configure the global IGMP-snooping settings. Aging time is the maximum number of seconds that the system will retain a multicast snooping entry. The range of values is 15 to 3,600 seconds. The default value is 300 seconds. The flood-unknown-multicast setting controls whether the system will flood unknown multicast messages within the VLAN. Starting in FortiOS 7.2.1 with FortiSwitchOS 7.2.1, you can specify how often the managed FortiSwitch unit will send IGMP version-2 queries when the IGMP-snooping querier is configured. The range of values is 10-1,200 seconds. By default, queries are sent every 125 seconds. The value for aging-time must be greater than the value for query-interval.

config switch-controller igmp-snooping
  set aging-time <15-3600>
  set flood-unknown-multicast {enable | disable}
  set query-interval <10-1200>
end
Configuring IGMP-snooping settings on a switch
IGMP snooping allows the FortiSwitch to passively listen to the Internet Group Management Protocol (IGMP) network traffic between hosts and routers. The switch uses this information to determine which ports are interested in receiving each multicast feed. FortiSwitch can reduce unnecessary multicast traffic on the LAN by pruning multicast traffic from links that do not contain a multicast listener.

NOTE: When an inter-switch link (ISL) is formed automatically in FortiLink mode, the igmp-snooping-flood-reports and mcast-snooping-flood-traffic options are disabled by default.

Use the following commands to configure IGMP settings on a FortiSwitch port:

config switch-controller managed-switch
  edit <FortiSwitch_serial_number>
    config ports
      edit <port_name>
        set igmp-snooping-flood-reports {enable | disable}
        set mcast-snooping-flood-traffic {enable | disable}
      end
  end

For example:

config switch-controller managed-switch
  edit S524DF4K15000024
    config ports
      edit port3
        set igmp-snooping-flood-reports enable
        set mcast-snooping-flood-traffic enable
      end
  end
Configuring the IGMP-snooping proxy
Before FortiOS 7.0.2, you could use the CLI to enable IGMP proxy on a system-wide basis. Starting in FortiOS 7.0.2, you can use the CLI to enable IGMP proxy per FortiSwitch unit. By default, IGMP snooping is disabled. You need to enable IGMP snooping on the FortiGate device before you can enable the IGMP-snooping proxy.
To enable IGMP snooping and the IGMP-snooping proxy:
config system interface
  edit <VLAN_interface>
    set switch-controller-igmp-snooping enable
    set switch-controller-igmp-snooping-proxy enable
  next
end
For example, you can enable IGMP snooping and the IGMP-snooping proxy on VLAN 100:

config system interface
  edit vlan100
    set switch-controller-igmp-snooping enable
    set switch-controller-igmp-snooping-proxy enable
  next
end

Configuring the IGMP-snooping querier
Starting in FortiOS 7.0.2, you can configure the IGMP-snooping querier version 2 or 3. When the IGMP querier version 2 is configured, the managed FortiSwitch unit will send IGMP version-2 queries when no external querier is present. When the IGMP querier version 3 is configured, the managed FortiSwitch unit will send IGMP version-3 queries when no external querier is present.
If you have IGMP snooping and the IGMP-snooping proxy enabled on a VLAN, you can then configure the IGMP-snooping querier on the same VLAN on a managed switch. By default, the IGMP-snooping querier is disabled.
You must enable the overriding of the global IGMP-snooping configuration with the set local-override enable command.
By default, the maximum time (aging-time) that multicast snooping entries without any packets are kept is 300 seconds. This value can be in the range of 15-3,600 seconds.
By default, flood-unknown-multicast is disabled, and unregistered multicast packets are forwarded only to mRouter ports. If you enable flood-unknown-multicast, unregistered multicast packets are forwarded to all ports in the VLAN.
The IGMP-snooping proxy uses the global IGMP-snooping configuration by default. You can enable or disable the IGMP-snooping on the VLAN.
You can optionally specify the IPv4 address that IGMP reports are sent to. You can also set the IGMP-snooping querier version. The default IGMP querier version is 2.
config switch-controller managed-switch
  edit <FortiSwitch_serial_number>
    config igmp-snooping
      set local-override enable
      set aging-time <15-3600>
      set flood-unknown-multicast {enable | disable}
      config vlans
        edit <VLAN_interface>
          set proxy {disable | enable | global}
          set querier enable
          set querier-addr <IPv4_address>
          set version {2 | 3}
        next
      end
    end
end

For example:

config switch-controller managed-switch
  edit S524DF4K15000024
    config igmp-snooping
      set local-override enable
      set aging-time 1000
      set flood-unknown-multicast enable
      config vlans
        edit vlan100
          set proxy disable
          set querier enable
          set querier-addr 1.2.3.4
          set version 3
        next
      end
    end
end

Configuring PTP transparent-clock mode

Use the Precision Time Protocol (PTP) transparent-clock mode to measure the overall path delay for packets in a network to improve the time precision. There are two transparent-clock modes:
- End-to-end measures the path delay for the entire path
- Peer-to-peer measures the path delay between each pair of nodes
For more information about using PTP on FortiSwitch units, see Precision Time Protocol.
Use the following steps to configure PTP transparent-clock mode:
1. Configure a PTP profile or use the default profile.
2. Configure the PTP settings.
   By default, PTP is disabled. Enable PTP and select which PTP profile will use these PTP settings. The default profile is automatically selected. If you have multiple PTP profiles, each managed switch can use a different PTP profile.
3. Configure the default PTP policy or create a custom PTP policy. Select which VLAN will use the PTP policy and the priority of the VLAN. The default PTP policy is applied to all ports. If you want to select which ports to apply the PTP policy to, you need to create a custom PTP policy. Each switch port can be configured with a different PTP policy.
4. If you are not using the default PTP policy, select which port to apply your custom PTP policy to. By default, the PTP status is enabled.
NOTE: Setting ptp-policy on a switch interface is valid only in peer-to-peer mode.
To configure a PTP profile:
config switch-controller ptp profile
  edit {default | name_of_PTP_profile}
    set description <description_of_PTP_profile>
    set mode {transparent-e2e | transparent-p2p}
    set ptp-profile C37.238-2017
    set transport l2-mcast
    set domain <0-255> // the default is 254
    set pdelay-req-interval {1sec | 2sec | 4sec | 8sec | 16sec | 32sec} // 1sec default
  next
end
For example:

config switch-controller ptp profile
  edit newPTPprofile
    set description "New PTP profile"
    set mode transparent-p2p
    set ptp-profile C37.238-2017
    set transport l2-mcast
    set domain 1
    set pdelay-req-interval 2sec
  next
end
To configure the PTP settings:
config switch-controller managed-switch
  edit <FortiSwitch_serial_number>
    set ptp-status {enable | disable} // the default is disable
    set ptp-profile {default | name_of_PTP_profile} // the default is "default"
  next
end
For example:
config switch-controller managed-switch
  edit S524DF4K15000024
    set ptp-status enable
    set ptp-profile newPTPprofile
  next
end
To configure the default PTP policy or create a custom PTP policy:
config switch-controller ptp interface-policy
  edit {default | <policy_name>}
    set description <description_of_PTP_policy>
    set vlan <VLAN_name> // no default
    set vlan-pri <0-7> // the default is 4
  next
end
For example:
config switch-controller ptp interface-policy
  edit ptppolicy1
    set description "New custom PTP policy"
    set vlan vlan10
    set vlan-pri 3
  next
end
To apply your custom PTP policy to a port:
config switch-controller managed-switch
  edit <FortiSwitch_serial_number>
    config ports
      edit <port_name>
        set ptp-status {enable | disable} // the default is enable
        set ptp-policy {default | <policy_name>} // the default is "default"
      end
  end

For example:

config switch-controller managed-switch
  edit S524DF4K15000024
    config ports
      edit port5
        set ptp-status enable
        set ptp-policy ptppolicy1
      end
  end

Device detection
This section covers the following topics:
- Enabling network-assisted device detection on page 134
- Voice device detection on page 134
- Configuring IoT detection on page 141
- Configuring LLDP-MED settings on page 142
Enabling network-assisted device detection
Network-assisted device detection allows the FortiGate unit to use the information about connected devices detected by the managed FortiSwitch unit. To enable network-assisted device detection on a VDOM:

config switch-controller network-monitor-settings
  set network-monitoring enable
end

You can display a list of detected devices from the Device Inventory menu in the GUI. To list the detected devices in the CLI, enter the following command:

diagnose user device list
Voice device detection
FortiSwitchOS is able to parse LLDP messages from voice devices such as FortiFone and pass this information to a FortiGate device for device detection. You can use a dynamic port policy to assign a device to an LLDP profile, QoS policy, and VLAN policy. When a detected device is matched to the dynamic port policy, the corresponding policy actions are applied on the switch port. In the following example, FortiFone is connected to port2 of the FortiSwitch unit. A dynamic port policy is created to apply a VLAN policy, LLDP policy, and QoS policy to the device family FortiFone.

The following is a summary of the procedure:
1. Use the FortiGate CLI to configure the VLAN policy, LLDP profile, and Quality of Service (QoS) policy. You can use the predefined voice-qos policy for QoS and the predefined fortivoice.fortilink profile for LLDP.
2. Use the FortiGate GUI to configure a dynamic port policy to match the FortiFone device family with the actions from the assigned LLDP profile, QoS policy, and VLAN policy.
3. Use the FortiGate GUI to assign the dynamic port policy to the FortiSwitch port.
To create a dynamic port policy in the GUI and then assign it to a FortiSwitch port:
1. Go to WiFi & Switch Controller > FortiSwitch Port Policies and click Dynamic Port Policies.
   a. Click Create New to create a dynamic port policy.
   b. In the Name field, enter FortiFone.
   c. Click Create new to create a dynamic port policy rule.
   d. In the Name field, enter FortiFone.
   e. Disable MAC address.
   f. Enable Device family and enter FortiFone.
   g. Enable LLDP profile and select a voice profile.
   h. Enable QoS policy and select a voice policy.

   i. Enable VLAN policy and select a voice policy.

   j. Click OK to save the dynamic port policy rule.
   k. Click OK to save the dynamic port policy.
2. Go to WiFi & Switch Controller > FortiSwitch Ports.

3. Right-click port2 and select Mode > Assign Port Policy.

4. Click the pencil icon in the Port Policy column, select the FortiFone dynamic port policy, and then click Apply.

5. Plug the FortiFone into port2 of the FortiSwitch unit.

6. Go to Dashboard > Users & Devices and verify that the FortiFone is displayed in the FortiSwitch NAC VLANs pane.

To configure voice device detection in the CLI:
1. Use the FortiGate CLI to configure the VLAN policy, LLDP profile, and QoS policy.
config switch-controller lldp-profile
    edit "fortivoice.fortilink"
        set med-tlvs inventory-management network-policy location-identification
        set auto-isl disable
        config med-network-policy
            edit "voice"
                set status enable
                set vlan-intf "voice"
                set assign-vlan enable
                set dscp 46
            next
            edit "voice-signaling"
                set status enable
                set vlan-intf "voice"
                set assign-vlan enable
                set dscp 46
            next
            edit "guest-voice"
            next
            edit "guest-voice-signaling"
            next
            edit "softphone-voice"
            next
            edit "video-conferencing"
            next
            edit "streaming-video"
            next
            edit "video-signaling"
            next
        end
        config med-location-service
            edit "coordinates"
            next
            edit "address-civic"
            next
            edit "elin-number"
            next
        end
    next
end
config switch-controller qos qos-policy
    edit "voice-qos"
        set trust-dot1p-map "voice-dot1p"
        set trust-ip-dscp-map "voice-dscp"
        set queue-policy "voice-egress"
    next
end
config switch-controller vlan-policy
    edit "fon"
        set fortilink "fortilink"
        set vlan "default_10"
        set allowed-vlans "quarantine" "voice"
        set untagged-vlans "quarantine"
    next
end
2. Configure a dynamic port policy to match the FortiFone device family with the actions from the assigned LLDP profile, QoS policy, and VLAN policy.
config switch-controller dynamic-port-policy
    edit "FortiFone"
        set fortilink "fortilink"
        config policy
            edit "FortiFone"
                set family "FortiFone"
                set lldp-profile "fortivoice.fortilink"
                set qos-policy "voice-qos"
                set vlan-policy "fon"
            next
        end
    next
end
3. Assign the dynamic port policy to port2 of the FortiSwitch unit.
config switch-controller managed-switch
    edit S108DVIJAK1VGG54
        config ports
            edit "port2"
                set vlan "default_10"
                set allowed-vlans "quarantine"
                set untagged-vlans "quarantine"
                set access-mode dynamic
                set port-policy "FortiFone"
                set export-to "root"
                set mac-addr 02:09:0f:00:2c:01
            next
        end
    next
end
4. The FortiSwitch unit receives an LLDP message from FortiFone after it is plugged into port2.
5. Run the diagnose switch-controller mac-device dynamic command to check the device information on the FortiGate device. The FortiFone is identified.

FGT_Switch_Controller (root) # diagnose switch-controller mac-device dynamic

Vdom: root

MAC                LAST-KNOWN-SWITCH  LAST-KNOWN-PORT  DYNAMIC-PORT-POLICY  POLICY     LAST-SEEN  COMMENTS
00:15:65:83:cb:16  S108DVIJAK1VGG54   port2            FortiFone            FortiFone  148        auto detected @ 2021-04-29 19:12:42
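The dynamic port policy above keys only on the device family, and the family is learned from the LLDP frames the endpoint itself sends. The following added example (not FortiOS code, and not part of the guide) models rule evaluation to make that visible: the matching semantics (every criterion a rule sets must match, rules tried in listed order, first match wins) are an assumption about FortiOS behaviour, and the spoofing host's MAC address is constructed. The phone's MAC and the policy names come from the diagnose output and the CLI configuration above.

```python
"""First-match evaluation of dynamic port policy rules.

Added example, not FortiOS code.  Simplified model: a rule matches when every
criterion it sets (mac, family, hw_vendor, type) equals the detected device's
attribute, rules are tried in listed order, and the first match supplies the
LLDP profile, QoS policy and VLAN policy.  AND-ing the criteria and ordering
the rules are assumptions; the point shown is that the family is a claim the
endpoint makes in its own LLDP frames.
"""

CRITERIA = ("mac", "family", "hw_vendor", "type")
ACTIONS = ("lldp_profile", "qos_policy", "vlan_policy")


def rule_matches(rule, device):
    """Every criterion the rule sets must equal the device attribute (case-insensitive)."""
    for key in CRITERIA:
        want = rule.get(key)
        if want is not None and device.get(key, "").lower() != want.lower():
            return False
    return True


def evaluate(policy, device):
    """Return the first matching rule's actions, or None (the port keeps its static settings)."""
    for rule in policy["rules"]:
        if rule_matches(rule, device):
            return {"rule": rule["name"], **{k: rule[k] for k in ACTIONS if k in rule}}
    return None


VOICE_ACTIONS = {"lldp_profile": "fortivoice.fortilink",
                 "qos_policy": "voice-qos", "vlan_policy": "fon"}

# The guide's policy: one rule keyed on the FortiFone device family only.
FAMILY_ONLY = {"name": "FortiFone", "rules": [
    {"name": "FortiFone", "family": "FortiFone", **VOICE_ACTIONS}]}

# Constructed stricter variant: same actions, pinned to the phone's MAC from the diagnose output.
PINNED = {"name": "FortiFone", "rules": [
    {"name": "FortiFone", "family": "FortiFone", "mac": "00:15:65:83:cb:16", **VOICE_ACTIONS}]}

PHONE = {"mac": "00:15:65:83:cb:16", "family": "FortiFone"}      # as seen in the diagnose output
SPOOFER = {"mac": "de:ad:be:ef:00:01", "family": "FortiFone"}    # constructed host replaying a phone's LLDP TLVs


if __name__ == "__main__":
    for name, policy in (("family-only", FAMILY_ONLY), ("mac-pinned", PINNED)):
        for label, dev in (("phone", PHONE), ("spoofer", SPOOFER)):
            print(name, label, evaluate(policy, dev))
```

With the family-only rule both endpoints land on the voice VLAN policy; with the MAC criterion enabled the spoofing host gets no match and stays on the port's static VLAN. Pinning MACs does not scale to a fleet of phones, so treat the voice VLAN as reachable by any host that can emit LLDP on an access port and protect what lives on it accordingly.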

Configuring IoT detection
NOTE: This feature requires an IoT Detection Service license.
Starting in FortiOS 6.4, FortiSwitch units can use a new FortiGuard service to identify Internet of things (IoT) devices. FortiOS stores and displays the identified devices. You can use the FortiOS CLI to configure IoT detection.
Each detected MAC address of an IoT device has a confidence level assigned to it. If the confidence level is less than the iot-weight-threshold value, the MAC address is scanned. The default value is 1. Set the iot-weight-threshold value to 0 to disable IoT detection.
You can control how often a FortiSwitch unit scans for IoT devices. The range of values is 2 to 10,080 minutes. By default, the scan interval is 60 minutes: every MAC address is scanned for 60 minutes, followed by 60 minutes when it is not scanned. The start time of each MAC address's 60-minute scan interval is unique. Set the iot-scan-interval value to 0 to disable IoT detection.
A MAC address of an IoT device must be detected by the FortiSwitch unit for more than a specified number of minutes before the MAC address is passed along to the FortiGuard service for IoT identification. The default number of minutes is 5. The range of values is 0 to 10,080 minutes. Set the iot-holdoff value to 0 to disable the hold-off.
If a MAC address entry's last-seen time is greater than the iot-mac-idle value, the MAC address entry is not considered for IoT detection. By default, the iot-mac-idle value is 1,440 minutes. The range of values is 0 to 10,080 minutes.
To configure system-wide settings for IoT detection:
config switch-controller system
    set iot-weight-threshold <0-255>
    set iot-scan-interval <2-10080>
    set iot-holdoff <0-10080>
    set iot-mac-idle <0-10080>
end
Starting in FortiOS 6.4.3, IoT detection can be managed per FortiLink interface as well. IoT detection is disabled by default on the FortiLink interface. Use the FortiOS CLI or GUI to enable IoT detection on the FortiLink interface so that the FortiSwitch unit starts scanning for IoT devices.
Using the GUI:
1. Go to WiFi & Switch Controller > FortiLink Interface.
2. Enable IoT scanning.

Using the CLI:
config system interface
    edit <FortiLink_interface>
        set switch-controller-iot-scanning enable
    next
end

Configuring LLDP-MED settings
Starting in FortiOS 6.4.0 and FortiSwitchOS 6.4.0, LLDP neighbor devices are dynamically detected. By default, this feature is enabled in FortiOS but disabled in managed FortiSwitch units. Dynamic detection must be enabled in both FortiOS and FortiSwitchOS for this feature to work.
This section covers the following topics:
- Creating LLDP asset tags for each managed FortiSwitch on page 144
- Adding media endpoint discovery (MED) to an LLDP configuration on page 145
- Displaying LLDP information on page 145
- Configuring the LLDP settings on page 146
To configure LLDP profiles in FortiOS:
config switch-controller lldp-profile
    edit <profile_name>
        set med-tlvs (inventory-management | network-policy | power-management | location-identification)
        set 802.1-tlvs port-vlan-id
        set 802.3-tlvs {max-frame-size | power-negotiation}
        set auto-isl {enable | disable}
        set auto-isl-hello-timer <1-30>
        set auto-isl-port-group <0-9>
        set auto-isl-receive-timeout <3-90>
        config med-network-policy
            edit {guest-voice | guest-voice-signaling | softphone-voice | streaming-video | video-conferencing | video-signaling | voice | voice-signaling}
                set status {enable | disable}
                set vlan-intf <string>
                set priority <0-7>
                set dscp <0-63>
            next
        end
        config med-location-service
            edit {address-civic | coordinates | elin-number}
                set status {enable | disable}
                set sys-location-id <string>
            next
        end
        config custom-tlvs
            edit <TLV_name>
                set oui <hexadecimal_number>
                set subtype <0-255>
                set information-string <0-507>
            next
        end
    next
end

<profile_name>
    Enter the name of the LLDP profile.

med-tlvs (inventory-management | network-policy | power-management | location-identification)
    Select which LLDP-MED type-length-value descriptions (TLVs) to transmit: inventory-management TLVs, network-policy TLVs, power-management TLVs for PoE, and location-identification TLVs. You can select one or more options. Separate multiple options with a space.

802.1-tlvs port-vlan-id
    Transmit the IEEE 802.1 port native-VLAN TLV.

802.3-tlvs {max-frame-size | power-negotiation}
    Select whether to transmit the IEEE 802.3 maximum frame size TLV, the power-negotiation TLV for PoE, or both. Separate multiple options with a space.

auto-isl {enable | disable}
    Enable or disable the automatic inter-switch LAG.

auto-isl-hello-timer <1-30>
    If you enabled auto-isl, you can set the number of seconds for the automatic inter-switch LAG hello timer. The default value is 3 seconds.

auto-isl-port-group <0-9>
    If you enabled auto-isl, you can set the automatic inter-switch LAG port group identifier.

auto-isl-receive-timeout <3-90>
    If you enabled auto-isl, you can set the number of seconds before the automatic inter-switch LAG times out if no response is received. The default value is 9 seconds.

config med-network-policy {guest-voice | guest-voice-signaling | softphone-voice | streaming-video | video-conferencing | video-signaling | voice | voice-signaling}
    Select which Media Endpoint Discovery (MED) network policy type-length-value (TLV) category to edit.

status {enable | disable}
    Enable or disable whether this TLV is transmitted.

vlan-intf <string>
    If you enabled the status, you can enter the VLAN interface to advertise. The maximum length is 15 characters.

priority <0-7>
    If you enabled the status, you can enter the advertised Layer-2 priority. Set to 7 for the highest priority.

dscp <0-63>
    If you enabled the status, you can enter the advertised Differentiated Services Code Point (DSCP) value to indicate the level of service requested for the traffic.

config med-location-service {address-civic | coordinates | elin-number}
    Select which Media Endpoint Discovery (MED) location type-length-value (TLV) category to edit.

status {enable | disable}
    Enable or disable whether this TLV is transmitted.

sys-location-id <string>
    If you enabled the status, you can enter the location service identifier. The maximum length is 63 characters.

config custom-tlvs <TLV_name>
    Enter the name of a custom TLV entry.

oui <hexadecimal_number>
    Enter the organizationally unique identifier (OUI), a 3-byte hexadecimal number, for this TLV.

subtype <0-255>
    Enter the organizationally defined subtype.

information-string <0-507>
    Enter the organizationally defined information string in hexadecimal bytes.

To configure LLDP settings in FortiOS:
config switch-controller lldp-settings
    set tx-hold <int>
    set tx-interval <int>
    set fast-start-interval <int>
    set management-interface {internal | management}
    set device-detection {enable | disable}
end

tx-hold
    Number of tx-intervals before the local LLDP data expires. Therefore, the packet TTL (in seconds) is tx-hold times tx-interval. The range for tx-hold is 1 to 16, and the default value is 4.

tx-interval
    How often the FortiSwitch transmits the LLDP PDU. The range is 5 to 4095 seconds, and the default is 30 seconds.

fast-start-interval
    How often the FortiSwitch transmits the first 4 LLDP packets when a link comes up. The range is 2 to 5 seconds, and the default is 2 seconds. Set this variable to zero to disable fast start.

management-interface {internal | management}
    Primary management interface to be advertised in LLDP and CDP PDUs.

device-detection {enable | disable}
    Enable or disable whether LLDP neighbor devices are dynamically detected. By default, this setting is disabled.

To configure dynamic detection of LLDP neighbor devices in FortiSwitchOS:
config switch lldp settings
    set device-detection enable
end
end
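The med-network-policy entries and the tx-hold / tx-interval settings above describe what ends up on the wire. The following added example (not Fortinet code, and not part of the guide) builds a minimal LLDPDU the way a switch would, with the TTL derived as tx-hold times tx-interval and one LLDP-MED Network Policy TLV per enabled entry (ANSI/TIA-1057 encoding), then parses it back as a phone or a capture tool would. The VLAN ID 100 and Layer-2 priority 5 are assumptions; the guide names the "voice" VLAN interface but never states its numeric ID. DSCP 46, the chassis MAC and the port name are taken from the voice configuration earlier in this chapter.

```python
"""Encode and decode an LLDPDU that carries LLDP-MED Network Policy TLVs.

Added example; this is not Fortinet code.  It models what the FortiSwitch
transmits when a med-network-policy entry in the LLDP profile is enabled with
a VLAN, a priority and a DSCP, and how a receiver parses it.  The TTL follows
the tx-hold x tx-interval rule from the lldp-settings table.  VLAN ID 100 and
priority 5 are assumptions (the guide does not give the voice VLAN's number).
"""
import struct

TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL, TLV_ORG_SPECIFIC = 0, 1, 2, 3, 127
TIA_OUI = b"\x00\x12\xbb"        # ANSI/TIA-1057 (LLDP-MED) organizationally unique identifier
MED_NETWORK_POLICY = 2           # LLDP-MED Network Policy TLV subtype

# Application types from ANSI/TIA-1057, keyed by the med-network-policy entry names.
APP_TYPES = {
    "voice": 1, "voice-signaling": 2, "guest-voice": 3, "guest-voice-signaling": 4,
    "softphone-voice": 5, "video-conferencing": 6, "streaming-video": 7, "video-signaling": 8,
}
APP_NAMES = {v: k for k, v in APP_TYPES.items()}


def tlv(tlv_type, value):
    """One TLV: 7-bit type and 9-bit length packed into a 16-bit header, then the value."""
    if not 0 <= len(value) < 512:
        raise ValueError("TLV value must be 0..511 bytes")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def med_network_policy(app, vlan_id, priority, dscp, tagged=True):
    """Org-specific TLV whose 4-byte body is app(8) U(1) T(1) X(1) VLAN(12) L2prio(3) DSCP(6)."""
    if not (1 <= vlan_id <= 4094 and 0 <= priority <= 7 and 0 <= dscp <= 63):
        raise ValueError("vlan 1-4094, priority 0-7, dscp 0-63")
    word = (APP_TYPES[app] << 24) | (int(tagged) << 22) | (vlan_id << 9) | (priority << 6) | dscp
    return tlv(TLV_ORG_SPECIFIC, TIA_OUI + bytes([MED_NETWORK_POLICY]) + struct.pack("!I", word))


def build_lldpdu(chassis_mac, port_name, tx_hold, tx_interval, policies):
    """Mandatory Chassis ID, Port ID and TTL TLVs, then the policies, then End of LLDPDU."""
    if not (1 <= tx_hold <= 16 and 5 <= tx_interval <= 4095):
        raise ValueError("tx-hold is 1-16, tx-interval is 5-4095")
    ttl = min(tx_hold * tx_interval, 65535)                  # the TTL field is 16 bits wide
    pdu = tlv(TLV_CHASSIS_ID, b"\x04" + chassis_mac)          # chassis ID subtype 4: MAC address
    pdu += tlv(TLV_PORT_ID, b"\x05" + port_name.encode())     # port ID subtype 5: interface name
    pdu += tlv(TLV_TTL, struct.pack("!H", ttl))
    for p in policies:
        pdu += med_network_policy(**p)
    return pdu + tlv(TLV_END, b"")


def parse_lldpdu(data):
    """Walk the TLV chain; return the TTL and every decoded MED Network Policy.

    Nothing here is authenticated: LLDP frames carry no signature, so any host
    can send the TLVs a phone would.  Treat the result as a claim, not a fact.
    """
    out = {"ttl": None, "policies": []}
    off = 0
    while off + 2 <= len(data):
        hdr, = struct.unpack_from("!H", data, off)
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        value = data[off + 2:off + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV")
        off += 2 + length
        if tlv_type == TLV_END:
            return out
        if tlv_type == TLV_TTL and length == 2:
            out["ttl"] = struct.unpack("!H", value)[0]
        elif (tlv_type == TLV_ORG_SPECIFIC and length == 8
              and value[:4] == TIA_OUI + bytes([MED_NETWORK_POLICY])):
            word = struct.unpack("!I", value[4:])[0]
            out["policies"].append({
                "app": APP_NAMES.get(word >> 24, "unknown"),
                "unknown_policy": bool((word >> 23) & 1),
                "tagged": bool((word >> 22) & 1),
                "vlan_id": (word >> 9) & 0xFFF,
                "priority": (word >> 6) & 0x7,
                "dscp": word & 0x3F,
            })
    raise ValueError("no End of LLDPDU TLV")


# Constructed values: the guide's voice and voice-signaling entries use DSCP 46;
# VLAN 100 and priority 5 are assumptions; tx-hold 4 and tx-interval 30 are the defaults.
VOICE_POLICIES = [
    dict(app="voice", vlan_id=100, priority=5, dscp=46),
    dict(app="voice-signaling", vlan_id=100, priority=5, dscp=46),
]

if __name__ == "__main__":
    pdu = build_lldpdu(bytes.fromhex("02090f002c01"), "port2", 4, 30, VOICE_POLICIES)
    print(pdu.hex())
    print(parse_lldpdu(pdu))   # ttl 120, two policies on VLAN 100 with DSCP 46
```

With the defaults the TTL is 120 seconds, so a neighbour entry survives four missed transmissions before it ages out; the fast-start interval shortens the first advertisements after link-up but does not change that expiry. The parser rejects a PDU with no End TLV or a truncated TLV rather than using a partial decode.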

Creating LLDP asset tags for each managed FortiSwitch
You can use the following commands to add an LLDP asset tag for a managed FortiSwitch:
config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        set switch-device-tag <string>
    next
end
Adding media endpoint discovery (MED) to an LLDP configuration
You can use the following commands to add media endpoint discovery (MED) features to an LLDP profile:
config switch-controller lldp-profile
    edit <lldp_profile>
        config med-network-policy
            edit guest-voice
                set status {disable | enable}
            next
            edit guest-voice-signaling
                set status {disable | enable}
            next
            edit softphone-voice
                set status {disable | enable}
            next
            edit streaming-video
                set status {disable | enable}
            next
            edit video-conferencing
                set status {disable | enable}
            next
            edit video-signaling
                set status {disable | enable}
            next
            edit voice
                set status {disable | enable}
            next
            edit voice-signaling
                set status {disable | enable}
            next
        end
        config custom-tlvs
            edit <name>
                set oui <identifier>
                set subtype <subtype>
                set information-string <string>
            next
        end
    next
end
Displaying LLDP information
You can use the following commands to display LLDP information:
diagnose switch-controller switch-info lldp stats <switch> <port>
diagnose switch-controller switch-info lldp neighbors-summary <switch>
diagnose switch-controller switch-info lldp neighbors-detail <switch>


Configuring the LLDP settings
The Fortinet data center switches support the Link Layer Discovery Protocol (LLDP) for transmission and reception wherein the switch will multicast LLDP packets to advertise its identity and capabilities. A switch receives the equivalent information from adjacent layer-2 peers.
Starting in FortiOS 6.4.3, you can also configure the lldp-status and lldp-profile settings of a virtual switch port in a tenant VDOM.
NOTE: The auto-isl setting in config switch-controller lldp-profile is ignored, and the setting remains disabled for the tenant's ports.
Use the following commands to configure LLDP on a FortiSwitch port:
config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        config ports
            edit <port_name>
                set lldp-status {rx-only | tx-only | tx-rx | disable}
                set lldp-profile <profile_name>
            next
        end
    next
end
For example:
config switch-controller managed-switch
    edit S524DF4K15000024
        config ports
            edit port2
                set lldp-status tx-rx
                set lldp-profile default
            next
        end
    next
end
Use the following commands to configure LLDP on a virtual FortiSwitch port in a tenant VDOM:
config vdom
    edit <VDOM_name>
        config switch-controller managed-switch
            edit <FortiSwitch_serial_number>
                config ports
                    edit <port_name>
                        set lldp-status {rx-only | tx-only | tx-rx | disable}
                        set lldp-profile <profile_name>
                    next
                end
            next
        end
    next
end
For example:
config vdom
    edit VDOM_1
        config switch-controller managed-switch
            edit "S424ENTF19000007"
                config ports
                    edit port28
                        set lldp-status tx-rx
                        set lldp-profile lldpprofile1
                    next
                end
            next
        end
    next
end


FortiSwitch security
This section covers the following topics:
- FortiLink secure fabric on page 148
- FortiSwitch network access control on page 152
- Configuring dynamic port policy rules on page 180
- FortiSwitch security policies on page 185
- Configuring the DHCP trust setting on page 205
- Configuring the DHCP server access list on page 206
- Including option-82 data on page 208
- Configuring dynamic ARP inspection (DAI) on page 210
- Configuring DHCP-snooping static entries on page 211
- Configuring IPv4 source guard on page 212
- Configuring an ACL on page 215
- Showing Security Fabric information on page 218
- Blocking intra-VLAN traffic on page 219
- Quarantines on page 221
FortiLink secure fabric
The FortiLink secure fabric provides authentication and encryption to all fabric links, wherever possible, making your Security Fabric more secure. By default, authentication and encryption are disabled on the Security Fabric. After you specify the authentication mode and encryption mode for the FortiLink secure fabric in the LLDP profile:
1. FortiOS authenticates the connected LLDP neighbors.
2. FortiOS forms an authenticated secure inter-switch link (ISL) trunk.
3. Ports that are members of the authenticated secure ISL trunk are encrypted with Media Access Control security (MACsec) (IEEE 802.1AE-2018).
4. After the peer authentication (and MACsec encryption, if enabled) is complete, FortiOS configures the user VLANs.
5. If FortiOS detects a new FortiSwitch unit in the Security Fabric, one of the FortiSwitch peers validates whether the new switch has a Fortinet factory SSL certificate chain. If the new FortiSwitch unit has a valid certificate, it becomes a FortiSwitch peer in the FortiLink secure fabric.

- When set static-isl is enabled, authentication and encryption are not supported.
- When you are using the FortiLink secure fabric, locking down the Security Fabric topology from the Security Fabric > Security Rating page is not supported.
- When you are using the FortiLink secure fabric, the diagnose switch-controller switch-recommendation fabric-lockdown-enable command is not supported.

The following figure shows the FortiLink secure fabric. The links between the FortiGate device and the managed FortiSwitch units are always unencrypted. The green links between FortiSwitch peers are encrypted ISLs. The orange links between FortiSwitch peers are unencrypted ISLs.

Authentication modes
By default, there is no authentication. You can select one of three authentication modes:
- Legacy--This mode is the default. There is no authentication.
- Relax--If authentication succeeds, FortiOS forms a secure ISL trunk. If authentication fails, FortiOS forms a restricted ISL trunk. A restricted ISL trunk is the same as a regular ISL trunk, but FortiOS does not add any user VLANs. The restricted ISL trunk allows limited access so that users can authenticate unauthenticated switches. Use a restricted ISL trunk for a new FortiSwitch unit that was just added to the Security Fabric or a FortiSwitch unit that does not support authentication or encryption.
- Strict--If authentication succeeds, FortiOS forms a secure ISL trunk. If authentication fails, no ISL trunk is formed.


Encryption modes
By default, there is no encryption. You must select the strict or relax authentication mode before you can select the mixed or must encryption mode.
- None--There is no encryption, and FortiOS does not enable MACsec on the ISL trunk members.
- Mixed--FortiOS enables MACsec on the ISL trunk ports that support MACsec; these ISL trunk members act as encrypted links. FortiOS disables MACsec on the ISL members that do not support MACsec; these ISL trunk members act as unencrypted links.
- Must--FortiOS enables MACsec on all ISL trunk members. If the port supports MACsec, the port acts as an encrypted link. If the port does not support MACsec, the port is removed from the ISL trunk, but the port still functions as a user port.

Configuring the FortiLink secure fabric

To configure the FortiLink secure fabric:
1. Configure the LLDP profile.
2. Assign the LLDP profile to a FortiSwitch physical port.

To configure the LLDP profile:

config switch-controller lldp-profile
    edit {LLDP_profile_name | default-auto-isl | default-auto-mclag-icl}
        set auto-isl-auth {legacy | relax | strict}
        set auto-isl-auth-user <string>
        set auto-isl-auth-identity <string>
        set auto-isl-auth-reauth <10-3600>
        set auto-isl-auth-encrypt {none | mixed | must}
        set auto-isl-auth-macsec-profile default-macsec-auto-isl
    next
end

{LLDP_profile_name | default-auto-isl | default-auto-mclag-icl}
    Select one of the two default LLDP profiles (default-auto-isl or default-auto-mclag-icl) or create your own LLDP profile. Default: none.

auto-isl-auth {legacy | relax | strict}
    Select the authentication mode. Default: legacy.

auto-isl-auth-user <string>
    Select the user certificate, such as Fortinet_Factory. This option is available when auto-isl-auth is set to relax or strict. Default: none.

auto-isl-auth-identity <string>
    Enter the identity, such as fortilink. This option is available when auto-isl-auth is set to relax or strict. Default: none.

auto-isl-auth-reauth <10-3600>
    Enter the reauthentication period in minutes. This option is available when auto-isl-auth is set to relax or strict. Default: 3600.

auto-isl-auth-encrypt {none | mixed | must}
    Select the encryption mode. This option is available when auto-isl-auth is set to strict or relax. Default: none.

auto-isl-auth-macsec-profile <string>
    Use the default-macsec-auto-isl profile. This option is available when auto-isl-auth-encrypt is set to mixed or must. Default: default-macsec-auto-isl.

Configuration example
config switch-controller lldp-profile
    edit customLLDPprofile
        set auto-isl-auth relax
        set auto-isl-auth-user Fortinet_Factory
        set auto-isl-auth-identity fortilink
        set auto-isl-auth-encrypt mixed
        set auto-isl-auth-macsec-profile default-macsec-auto-isl
    next
end
config switch-controller managed-switch
    edit S524DF4K15000024
        config ports
            edit port49
                set lldp-profile customLLDPprofile
            next
        end
    next
end

Viewing the FortiLink secure fabric
To get information from the FortiGate device about which FortiSwitch units' ports are authenticated, secured, or restricted:
execute switch-controller get-physical-conn {dot | standard} <FortiLink_interface>
To get the FortiLink authentication status for the port from the FortiSwitch unit:
diagnose switch fortilink-auth status <port_name>
To get the FortiLink authentication traffic statistics for the port from the FortiSwitch unit:
diagnose switch fortilink-auth statistics <port_name>

To delete the FortiLink authentication traffic statistics for the port from the FortiSwitch unit:
execute fortilink-auth clearstat physical-port <port_name>
To reauthenticate FortiLink secure fabric peers from the specified port from the FortiSwitch unit:
execute fortilink-auth reauth physical-port <port_name>
To reset the authentication for the FortiLink secure fabric from the FortiSwitch unit on the specified port:
execute fortilink-auth reset physical-port <port_name>
To display statistics and status of the FortiLink secure fabric for the port from the FortiSwitch unit:
get switch lldp auto-isl-status <port_name>
To display the status of the FortiLink secure fabric for the trunk from the FortiSwitch unit:
get switch trunk
Requirements and limitations
- FortiOS 7.4.1 or later and FortiSwitchOS 7.4.1 or later are required.
- FortiLink mode over a layer-2 network and FortiLink mode over a layer-3 network are supported.
- VXLAN is not supported.
- When a new FortiSwitch unit is added to the fabric, it must have a Fortinet factory SSL certificate before it is allowed to become an authenticated peer within the FortiLink secure fabric.
- When a new FortiSwitch unit is added to the FortiLink secure fabric with the strict authentication mode, the restricted ISL trunk is not formed. You must configure the FortiSwitch unit manually (under the config switch lldp-profile command).
- You need to manually import a custom certificate on the managed FortiSwitch units first; then you can specify the custom certificate on the FortiLink secure fabric with the set auto-isl-auth-user command under config switch-controller lldp-profile. After that, you can configure the custom certificate on the running Security Fabric.
FortiSwitch network access control
You can configure a FortiSwitch network access control (NAC) policy within FortiOS that matches devices with the specified criteria, devices belonging to a specified user group, or devices with a specified FortiClient EMS tag. Devices that match are assigned to a specific VLAN or have port-specific settings applied to them.
NAC settings are enabled automatically on the fortilink interface when the first FortiSwitch unit is discovered. If no FortiSwitch unit has been discovered yet or the NAC configuration has been deleted from the fortilink interface, you need to configure the FortiSwitch NAC settings before defining a NAC policy. See Configuring the FortiSwitch NAC settings on page 154.


Summary of the procedure
1. Define a FortiSwitch NAC VLAN. See Defining a FortiSwitch NAC VLAN on page 153.
2. Configure the FortiSwitch NAC settings. See Configuring the FortiSwitch NAC settings on page 154.
3. Create a FortiSwitch NAC policy. See Defining a FortiSwitch NAC policy on page 158.
4. View the devices that match the NAC policy. See Viewing the devices that match the NAC policy on page 173.
5. View device statistics. See Viewing device statistics on page 174.

Defining a FortiSwitch NAC VLAN
When devices are matched by a NAC policy, you can assign those devices to a FortiSwitch NAC VLAN. By default, there are six VLAN templates:
- default--This VLAN is assigned to all switch ports when the FortiSwitch unit is first discovered.
- quarantine--This VLAN contains quarantined traffic.
- rspan--This VLAN contains RSPAN and ERSPAN mirrored traffic.
- voice--This VLAN is dedicated for voice devices.
- video--This VLAN is dedicated for video devices.
- onboarding--This VLAN is for NAC onboarding devices.
You can use the default onboarding VLAN, edit it, or create a new NAC VLAN. If you want to use the default onboarding NAC VLAN, specify it when you configure the FortiSwitch NAC settings. If you want to edit the default onboarding VLAN or create a new NAC VLAN, use the following procedures.

Creating a NAC VLAN

Using the GUI:

1. Go to WiFi & Switch Controller > FortiSwitch VLANs, click Create New, and change the following settings:
   Name: VLAN name
   VLAN ID: Enter a number (1-4094)
   Color: Choose a unique color for each VLAN, for ease of visual display.
   Role: Select LAN, WAN, DMZ, or Undefined.
2. Enable DHCP for IPv4 or IPv6.
3. Set the Administrative Access options as required.
4. Click OK.

Using the CLI:
config system interface
    edit <VLAN_name>
        set vlanid <1-4094>
        set color <1-32>
        set interface <FortiLink-enabled interface>
    next
end

Editing a NAC VLAN
You can edit the default onboarding NAC VLAN.
Using the GUI:
1. Go to WiFi & Switch Controller > FortiSwitch VLANs.
2. Select the onboarding.fortilink (onboarding) NAC VLAN.
3. Click Edit.
4. Make your changes.
5. Click OK to save your changes.
Configuring the FortiSwitch NAC settings
NAC settings are enabled automatically on the fortilink interface when the first FortiSwitch unit is discovered. If no FortiSwitch unit has been discovered yet or the NAC configuration has been deleted from the fortilink interface, you need to configure the FortiSwitch NAC settings described in this section before defining a NAC policy.
You can set how many minutes that NAC devices are allowed to be inactive. By default, NAC devices can be inactive for 15 minutes. The range of values is 1 to 1,440 minutes.
When NAC devices are discovered, they are assigned to the NAC onboarding VLAN. You can specify the default onboarding VLAN or specify another existing VLAN. By default, there is no NAC onboarding VLAN assigned. When NAC devices are discovered and match a NAC policy, they are automatically authorized by default.
Starting in FortiOS 7.0.0, you can use the set nac-periodic-interval command to specify how often the NAC engine runs in case any events are missed. The range is 5 to 180 seconds, and the default setting is 60 seconds.
When NAC mode is configured on a port, the link of a switch port goes down and then up by default, which restarts the DHCP process for that device. When a link goes down, the NAC devices are cleared from the switch port that bounced. Bouncing the switch port and restarting DHCP changes the IP addresses of hosts and invalidates firewall sessions. Starting in FortiOS 7.0.1, you can avoid these problems by assigning each VLAN to a separate LAN segment. LAN segments prevent the IP addresses of hosts from changing but still provide physical isolation. For example, the following figure shows how four LAN segments have been assigned to four separate VLANs.


The switch controls traffic between LAN segments. Enable Block Intra-VLAN Traffic in the GUI or use the set switch-controller-access-vlan command to allow or prevent traffic between hosts in a LAN segment.
An RSPAN VLAN interface cannot be a member of a LAN segment group.
LAN segments require the following:
- FortiGate devices running FortiOS 7.0.1 or higher with managed FortiSwitch units running FortiSwitchOS 7.0.1 or higher.
- To see which FortiSwitch models support this feature, refer to the FortiSwitch feature matrix.
The FortiGate device supports only one LAN segment.
LAN segments on the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-108F, FS-108F-POE, FS-108F-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models have the following limitations:
- After you enable LAN segments, FortiSwitchOS automatically assigns a VLAN for internal use. This VLAN cannot be used for any other purpose. If you want to assign a different internal VLAN, type set lan-internal-vlan ? to see a range of VLANs; however, these VLANs might not be available. If no VLANs are available to be used as an internal VLAN, the LAN segment configuration returns an error message.
- These models cannot be directly connected to a FortiGate device; they should be connected using another FortiSwitch model.
- FortiSwitchOS 7.2.0 or later is required.
- All LAN segment VLANs (both primary VLANs and sub-VLANs) must belong to the same STP instance. Multiple STP instances are not supported within the same LAN segment VLANs.
- For packets coming from sub-VLANs or primary VLANs, MAC learning occurs on the internal VLAN, not the primary VLAN or sub-VLAN.
Starting in FortiSwitchOS 7.2.0 and FortiOS 7.2.0, IGMP snooping and MLD snooping are supported on FortiLink NAC LAN segments.

If you want to enable IGMP snooping in a LAN segment, IGMP snooping must be enabled on all VLANs in the segment, including the primary VLAN, sub-VLANs, and onboarding VLANs. Multicast data streams are expected to come in ONLY on the primary VLAN.
To use LAN segments:
- Configure FortiSwitch VLANs without layer-3 properties (unset the IP address, set the access mode to static, unset allowaccess, and disable the DHCP server).
- Optionally, enable Block Intra-VLAN Traffic.
- Enable LAN segments.
- Specify the NAC LAN interface.
- Specify which VLANs belong to that LAN segment.
Do not make changes after assigning a VLAN to a LAN segment. Changing VLANs assigned to LAN segments might have unexpected results.

Configuring NAC settings
Using the CLI:
config switch-controller fortilink-settings
    edit <name_of_FortiLink_interface>
        set inactive-timer <integer>
        set link-down-flush {enable | disable}
        config nac-ports
            set onboarding-vlan <string>
            set bounce-nac-port {enable | disable}
            set lan-segment {enabled | disabled}
            set nac-lan-interface <string>
            set nac-segment-vlans <VLAN_interface_name>
        end
    next
end
config switch-controller system
    set nac-periodic-interval <5-180 seconds>
end
For example:
config switch-controller fortilink-settings
    edit "fortilink"
        config nac-ports
            set onboarding-vlan "onboarding"
            set lan-segment enabled
            set nac-lan-interface "nac_segment"
            set nac-segment-vlans "voice" "video"
        end
    next
end

config switch-controller system
    set nac-periodic-interval 100
end
Using the GUI:
1. Go to WiFi & Switch Controller > NAC Policies.
2. Select a NAC LAN and click Edit.
3. For the NAC VLAN segmentation, click Enabled.
4. From the Primary Interface dropdown list, select the primary interface. The IP address and DHCP server of the primary interface are shared by the segment VLANs.
5. From the Onboarding VLAN dropdown list, select the onboarding VLAN.
6. In the Segment VLANs field, click + and select one or more segment VLANs.
7. Click OK.
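The requirement that every segment VLAN be a pure layer-2 VLAN is easy to violate when an existing VLAN interface is repurposed, and the guide warns that changing VLANs after they are assigned to a segment has unexpected results, so it is worth checking before enabling the segment. The following Python script is an added example written for this guide, not Fortinet code: it parses a FortiOS configuration dump (the config / edit / set / next / end nesting used throughout this chapter) and reports every VLAN listed in nac-segment-vlans that still carries an IP address, an allowaccess setting, or a DHCP server binding, or that is not a child of the FortiLink interface. The configuration text embedded in the script is constructed for the example (one VLAN deliberately left with layer-3 settings, one referenced but never created); the FortiLink interface name "fortilink" is assumed.

```python
import shlex

# Constructed FortiOS configuration excerpt (not from a real device). "voice" was
# repurposed from a routed VLAN and still carries layer-3 settings; "video" is clean;
# "guest" is listed as a segment VLAN but was never created.
SAMPLE_CONFIG = """
config system interface
    edit "voice"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping https
        set interface "fortilink"
        set vlanid 100
    next
    edit "video"
        set vdom "root"
        set interface "fortilink"
        set vlanid 101
    next
    edit "nac_segment"
        set vdom "root"
        set ip 10.255.13.1 255.255.255.0
        set switch-controller-feature nac-segment
        set interface "fortilink"
        set vlanid 4088
    next
end
config system dhcp server
    edit 5
        set interface "nac_segment"
    next
    edit 6
        set interface "voice"
    next
end
config switch-controller fortilink-settings
    edit "fortilink"
        config nac-ports
            set onboarding-vlan "onboarding"
            set lan-segment enabled
            set nac-lan-interface "nac_segment"
            set nac-segment-vlans "voice" "video" "guest"
        end
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts: config -> edit -> {setting: [values]}."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        keyword = tokens[0]
        if keyword == "config":
            stack.append(stack[-1].setdefault(" ".join(tokens[1:]), {}))
        elif keyword == "edit":
            stack.append(stack[-1].setdefault(tokens[1], {}))
        elif keyword == "set":
            stack[-1][tokens[1]] = tokens[2:]
        elif keyword in ("next", "end"):
            stack.pop()
    return root


def lan_segment_violations(cfg, fortilink="fortilink"):
    """Return (vlan, problem) pairs for segment VLANs that are not pure layer-2 VLANs."""
    nac_ports = cfg["switch-controller fortilink-settings"][fortilink]["nac-ports"]
    interfaces = cfg.get("system interface", {})
    # Interfaces that have a DHCP server bound to them; only the primary interface may.
    dhcp_bound = {s["interface"][0] for s in cfg.get("system dhcp server", {}).values() if "interface" in s}
    problems = []
    if nac_ports.get("lan-segment") != ["enabled"]:
        problems.append((fortilink, "lan-segment is not enabled"))
    for vlan in nac_ports.get("nac-segment-vlans", []):
        intf = interfaces.get(vlan)
        if intf is None:
            problems.append((vlan, "listed in nac-segment-vlans but no such interface"))
            continue
        ip = intf.get("ip", [])
        if ip and ip[0] != "0.0.0.0":
            problems.append((vlan, "has an IP address; unset it"))
        if intf.get("allowaccess"):
            problems.append((vlan, "allowaccess is set; unset it"))
        if vlan in dhcp_bound:
            problems.append((vlan, "has a DHCP server; only the primary interface serves DHCP"))
        if intf.get("interface") != [fortilink]:
            problems.append((vlan, "is not a VLAN on the FortiLink interface"))
    return problems


if __name__ == "__main__":
    for vlan, problem in lan_segment_violations(parse_fortios(SAMPLE_CONFIG)):
        print(f"{vlan}: {problem}")
```

Feed it the output of show system interface, show system dhcp server and show switch-controller fortilink-settings concatenated; the parser ignores unset lines and any table it is not asked about, so a full show output is fine.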
Enabling NAC on a FortiSwitch port
Using the CLI:
    config switch-controller managed-switch
        edit <FortiSwitch_serial_number>
            config ports
                edit <port_name>
                    set access-mode nac
                next
            end
        next
    end
Using the GUI:
1. Go to WiFi & Switch Controller > FortiSwitch Ports.
2. Right-click a port.
3. Select Mode > NAC.
Synchronizing MAC events
Using the FortiSwitchOS CLI:
    config switch interface
        edit <FortiSwitch_interface>
            set nac enable
        next
    end
For example:
    config switch interface
        edit port20
            set nac enable
        next
    end

Defining a FortiSwitch NAC policy
In the FortiOS GUI, you can create five types of NAC policies:
• Device--The NAC policy matches devices with the specified MAC address, hardware vendor, device family, type, operating system, and user. See Creating a device policy on page 159. Visit https://filestore.fortinet.com/productdownloads/fortilink/HTFO_list.json to see a list of values for hardware vendor, type, device family, and operating system.
• User--The NAC policy matches devices belonging to the specified user group. See Creating a user policy on page 162.
• EMS tag--The NAC policy matches devices with the specified FortiClient EMS tag. See Creating an EMS-tag policy on page 164.
• FortiVoice tag--The NAC policy matches the specified FortiVoice tag. See Creating a FortiVoice-tag policy on page 166.
• Vulnerability--The NAC policy matches devices with the specified severity level, which indicates how vulnerable an IoT device is. See Creating a vulnerability policy on page 170.
NAC policies are matched in the order that they are listed in the configuration, and the first policy a device matches is the one applied, so place narrower policies (for example, a specific MAC address) above broader ones (for example, a hardware vendor). You can change the order of the policies in the GUI and CLI. To change the priority of NAC policies in the GUI, go to WiFi & Switch Controller > NAC Policies and drag the NAC policy above or below other NAC policies. To change the priority of NAC policies in the CLI, enter the following commands:
    config user nac-policy
        move <NAC_policy_name> {after | before} <NAC_policy_name>
    end
Using the CLI, you can specify a MAC policy to be applied to devices that have been matched by the NAC policy. See Creating a MAC policy on page 172.
Starting in FortiOS 7.0.2, you can specify FortiSwitch groups in NAC policies instead of specifying individual managed FortiSwitch units when creating a NAC policy. In FortiOS 7.0.2, the set switch-scope command has been replaced with the set switch-group command. You can select more than one FortiSwitch group in the CLI and GUI, and the same FortiSwitch unit can be included in more than one FortiSwitch group. If no FortiSwitch group is specified in the set switch-group command, all FortiSwitch groups are used for the NAC policy.
When you upgrade to FortiOS 7.0.2, the individual FortiSwitch units selected for the NAC policy are assigned to a new FortiSwitch group, and the new FortiSwitch group replaces the individual FortiSwitch units in the NAC policy. If you downgrade from FortiOS 7.0.2, the individual FortiSwitch units in the FortiSwitch group are listed in the set switch-scope command in the NAC policy, and the set switch-group command is removed from the NAC policy.
NOTE: The FortiSwitch NAC settings must be configured before defining a FortiSwitch NAC policy. See Configuring the FortiSwitch NAC settings on page 154.
Starting in FortiOS 7.2.4 with FortiSwitchOS 7.2.2 or later, NAC supports more connected devices--up to 48 times the maximum number of managed FortiSwitch units supported on the FortiGate device. You can use the diagnose switch-controller mac-device nac known command to check the number of known devices. When 95 percent of the maximum number of devices is reached, a warning icon is displayed in the Matched NAC Devices widget in the FortiOS GUI. When the maximum number is reached, a switch-controller event is logged.
Starting in FortiOS 7.4.0 with FortiSwitchOS 7.4.0, you can use NAC to identify Internet of Things (IoT) and Operational Technology (OT) devices that need to be patched and isolate these devices in a separate VLAN segment. You can specify how severe the IoT and OT vulnerabilities must be for the devices to be isolated. This feature requires that the FortiGate device has a valid Attack Surface Security Rating service license. You can check whether the FortiGate device has the Attack Surface Security Rating service license (FGSA) in the FortiOS CLI with the diagnose test update info command. You can also check the Attack Surface Security Rating field on the System > FortiGuard page.
Starting in FortiOS 7.4.4, a NAC policy can match a dynamic MAC address group of all FortiFones registered with a FortiVoice unit.
Starting in FortiOS 7.4.4, you can use the CLI to control how long matched devices are kept for NAC policies. In previous releases, matched devices were deleted when the connection-ID table entry was deleted, the port link status went down, the device was inactive, or the switch was offline.
To control how long matched devices are kept:
1. Change the set match-type setting from dynamic to override.
2. Select the number of days to keep matched devices with the set match-period command. By default, match-period is set to 0, and the matched devices are kept forever or until a user-configured event occurs in the CLI or the FortiGate device is restarted. You can change the value to 1 to 120 days to keep matched devices.
Creating a device policy
A device policy matches devices with the specified criteria and then assigns a specific VLAN to those devices or applies port-level settings to those devices. You can specify the MAC address, hardware vendor, device family, type, operating system, and user for the devices to match. By default, there is a default device policy, Onboarding VLAN, which uses the default onboarding NAC VLAN. You can use the default Onboarding VLAN policy, edit it, or create a new NAC policy.
Starting in FortiOS 7.0.1, you can configure a dynamic firewall address for devices and use it in a NAC policy. When a device matches the NAC policy, the MAC address for that device is automatically assigned to the dynamic firewall address, which can be used in firewall policies to control traffic from/to these devices. Configuring a dynamic firewall address requires setting the address type to dynamic and the address subtype to swc-tag. Using the dynamic firewall address in a NAC policy requires specifying the conditions that a device must match and setting the firewall address to the name of the dynamic firewall address.
To identify devices to add to a device policy:
• Use the diagnose user device list command to see devices connected to your FortiGate device.
• Use the FortiGuard Device Detection service (https://www.fortiguard.com/learnmore#dds) to provide information about an IoT device based on its MAC address.

Using the GUI to configure a NAC policy and a dynamic firewall address:
1. Go to WiFi & Switch Controller > NAC Policies.
2. Click Create New.
3. In the Name field, enter a name for the NAC policy. You can enter a number as the NAC policy name, although names are string values.
4. Make certain that the status is set to Enabled.
5. Click Specify to select which FortiSwitch groups to apply the NAC policy to or click All.
6. Select Device for the category.
7. If you want the device to match a MAC address, enable MAC address and enter the MAC address to match. Starting in FortiOS 6.4.6, you can use the wildcard * character when entering the MAC address (for example, xx:xx:xx:**:**:**).
8. If you want the device to match a hardware vendor, enable Hardware vendor and enter the name of the hardware vendor to match. Starting in FortiOS 6.4.6, you can use the wildcard * character when entering the hardware vendor.
9. If you want the device to match a device family, enable Device family and enter the name of the device family to match. Starting in FortiOS 6.4.6, you can use the wildcard * character when entering the device family.
10. If you want the device to match a device type, enable Type and enter the device type to match. Starting in FortiOS 6.4.6, you can use the wildcard * character when entering the device type.
11. If you want the device to match an operating system, enable Operating system and enter the operating system to match. Starting in FortiOS 6.4.6, you can use the wildcard * character when entering the operating system.
12. If you want the device to match a user, enable User and enter the user name to match. Starting in FortiOS 6.4.6, you can use the wildcard * character when entering the user name.
13. If you want to assign a specific VLAN to the device that matches the specified criteria, select Assign VLAN and enter the VLAN identifier.
14. If you do not want to bounce the switch port (administratively bringing the link down and then up) when NAC mode is configured, disable Bounce port.
15. To use a dynamic firewall address for matching a device, enable Assign device to dynamic address and, from the dropdown list, click Create.
   a. In the Name field, enter the name of the dynamic firewall address.
   b. To change the color, click Change and select the color used for the corresponding icon in the GUI.
   c. The address type is set to Dynamic by default and the subtype is set to Switch Controller NAC Policy Tag by default.
   d. For the interface, select the interface whose IP address is to be used.
   e. In the Comments field, enter a description of the dynamic firewall address.
   f. Click OK to save the dynamic firewall address.
16. Click OK to create the new NAC policy.
Using the CLI to configure a dynamic firewall address:
    config firewall address
        edit <name_of_dynamic_firewall_address>
            set type dynamic
            set sub-type swc-tag
        next
    end
For example:
    config firewall address
        edit "office_vm_device"
            set type dynamic
            set sub-type swc-tag
        next
    end
To view the dynamic MAC addresses attached to the firewall:
    diagnose firewall dynamic list
Using the CLI to configure a NAC policy:
    config user nac-policy
        edit <policy_name>
            set description <description_of_policy>
            set category device
            set status enable
            set mac <MAC_address>
            set hw-vendor <hardware_vendor>
            set type <device_type>
            set family <device_family>
            set os <operating_system>
            set hw-version <hardware_version>
            set sw-version <software_version>
            set host <host_name>
            set user <user_name>
            set src <source>
            set switch-fortilink <FortiLink_interface>
            set switch-group <list_of_FortiSwitch_groups>
            set switch-auto-auth {enable | disable}
            set switch-mac-policy <switch_mac_policy>
            set firewall-address <name_of_dynamic_firewall_address>
            set match-type {dynamic | override}
            set match-period <0-120>
        next
    end
For example:
    config user nac-policy
        edit "OFFICE_VM"
            set hw-vendor "VMware"
            set switch-fortilink "fortilink"
            set switch-mac-policy "OFFICE_VM"
            set firewall-address "office_vm_device"
        next
    end
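Because NAC policies are evaluated in configured order and the first match wins, a broad hardware-vendor policy placed above a narrower MAC-address policy silently captures the devices the narrow policy was meant to isolate, and the wildcard support in the match fields makes such overlaps easy to create. The following Python model is an added example written for this guide, not FortiOS code: it evaluates an ordered list of device-category NAC policies against a device the way the text describes (the * wildcard in MAC, vendor, family, type, OS and user; switch-group scoping where an empty group list means all groups; first match wins) and shows how move <name> before <name> changes which MAC policy VLAN and dynamic firewall address the device receives. The policy names, switch groups, switch serial numbers and device records are constructed for the example.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

# Criteria a device-category NAC policy can match on; each accepts the * wildcard.
MATCH_FIELDS = ("mac", "hw-vendor", "family", "type", "os", "user")


@dataclass
class NacPolicy:
    name: str
    criteria: dict                         # field -> pattern, e.g. {"mac": "00:0c:29:*"}
    mac_policy_vlan: Optional[str] = None  # VLAN set in the referenced switch-controller mac-policy
    firewall_address: Optional[str] = None
    switch_groups: tuple = ()              # empty = all FortiSwitch groups (set switch-group unset)
    status: str = "enable"


def _field_matches(pattern, value):
    # Case-insensitive glob match, mirroring the * wildcard the GUI accepts.
    return value is not None and fnmatchcase(value.lower(), pattern.lower())


def policy_applies(policy, device, switch_group_members):
    """True if the policy is enabled, in scope for the device's switch, and all criteria match."""
    if policy.status != "enable":
        return False
    if policy.switch_groups:
        in_scope = any(device["switch"] in switch_group_members.get(g, ()) for g in policy.switch_groups)
        if not in_scope:
            return False
    return all(_field_matches(p, device.get(f)) for f, p in policy.criteria.items() if f in MATCH_FIELDS)


def evaluate(policies, device, switch_group_members):
    """First-match evaluation in configured order; returns the winning policy or None."""
    for policy in policies:
        if policy_applies(policy, device, switch_group_members):
            return policy
    return None


def move_policy(policies, name, where, ref):
    """Reorder like `config user nac-policy / move <name> {before|after} <ref>` (returns a new list)."""
    moving = next(p for p in policies if p.name == name)
    rest = [p for p in policies if p.name != name]
    idx = next(i for i, p in enumerate(rest) if p.name == ref)
    rest.insert(idx if where == "before" else idx + 1, moving)
    return rest


# Constructed inventory: FortiSwitch groups and their member units.
SWITCH_GROUPS = {"Office1switches": ("S524DN4K16000116",), "Office2switches": ("S248EPTF18001384",)}

# Constructed policies in creation order: the broad vendor policy was created first.
POLICIES = [
    NacPolicy("OFFICE1_VM", {"hw-vendor": "VMware"}, "Office1", "office1_device", ("Office1switches",)),
    NacPolicy("LAB_VM_ISOLATE", {"mac": "00:0c:29:*", "hw-vendor": "VMware"}, "quarantine", "lab_vm"),
    NacPolicy("ANY_LINUX", {"os": "Linux*"}, "Office2", "office2_device"),
]

# Constructed device: a lab VM (00:0c:29 is a VMware OUI) plugged into an Office 1 switch.
LAB_VM = {"mac": "00:0c:29:3f:aa:01", "hw-vendor": "VMware", "os": "Linux", "switch": "S524DN4K16000116"}


def assigned_vlan(policies, device):
    winner = evaluate(policies, device, SWITCH_GROUPS)
    return winner.mac_policy_vlan if winner else None


if __name__ == "__main__":
    print("as configured:", assigned_vlan(POLICIES, LAB_VM))
    reordered = move_policy(POLICIES, "LAB_VM_ISOLATE", "before", "OFFICE1_VM")
    print("after move:   ", assigned_vlan(reordered, LAB_VM))
```

As configured the lab VM lands in Office1 because the vendor policy matches first; after the move it is quarantined. The same check is worth running against the real policy list (show user nac-policy) whenever a new wildcard policy is added.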
Creating a user policy
A user policy matches devices that are assigned to the specified user group and then assigns a specific VLAN to those devices or applies port-level settings to those devices.

Using the GUI to create a user policy:
1. Go to WiFi & Switch Controller > NAC Policies.
2. Click Create New.
3. In the Name field, enter a name for the NAC policy. You can enter a number as the NAC policy name, although names are string values.
4. Make certain that the status is set to Enabled.
5. Click Specify to select which FortiSwitch groups to apply the NAC policy to or click All.
6. Select User for the category.
7. Select which user group that devices must belong to.
8. If you want to assign a specific VLAN to a device assigned to the specified user group, select Assign VLAN and enter the VLAN identifier.
9. Click OK to create the new NAC policy.
Using the CLI to create a user policy:
    config user nac-policy
        edit <policy_name>
            set description <description_of_policy>
            set category firewall-user
            set status enable
            set user-group <name_of_user_group>
            set switch-fortilink <FortiLink_interface>
            set switch-group <list_of_FortiSwitch_groups>
            set switch-auto-auth {enable | disable}
            set switch-mac-policy <switch_mac_policy>
            set match-type {dynamic | override}
            set match-period <0-120>
        next
    end
Creating an EMS-tag policy
An EMS-tag policy matches devices with a specified MAC address and then assigns a specific VLAN to those devices or applies port-level settings to those devices. The MAC address is derived from an Endpoint Management Server (EMS) tag created in FortiClient EMS.
NOTE: The FortiClient EMS server must be 6.4.1 build 1442 or higher. FortiOS must be 6.4.2 build 1709 or higher.
Before creating an EMS-tag policy on a managed FortiSwitch unit:
1. On the FortiGate device, create a firewall policy to allow FortiClient endpoints to always reach FortiClient EMS before and after matching the FortiLink NAC policy. Without it, an endpoint parked in the onboarding VLAN cannot report to EMS, so its tag never reaches the FortiGate and the policy never matches.
2. In FortiClient EMS, group FortiClient Fabric Agent endpoints with an EMS tag.
3. In FortiClient EMS, share these endpoint groups with a FortiGate unit over the EMS connector.
4. In FortiOS, add an on-premise FortiClient EMS server to the Security Fabric:
    config endpoint-control fctems
        edit <ems_name>
            set server <ip_address>
            set certificate <string>
        next
    end
For example:
    config endpoint-control fctems
        edit EMS_Server
            set server 1.2.3.4
            set certificate REMOTE_Cert_1
        next
    end
5. In FortiOS, verify the EMS certificate. For example:
    execute fctems verify EMS_Server
6. In FortiOS, check that the FortiGate unit and FortiClient are connected:
    diagnose user device get <FortiClient_MAC_address>
7. In FortiOS, verify which MAC addresses the dynamic firewall address resolves to:
    diagnose firewall dynamic list

Using the GUI to create an EMS-tag policy:
1. Go to WiFi & Switch Controller > NAC Policies.
2. Click Create New.
3. In the Name field, enter a name for the NAC policy. You can enter a number as the NAC policy name, although names are string values.
4. Make certain that the status is set to Enabled.
5. Click Specify to select which FortiSwitch groups to apply the NAC policy to or click All.
6. Select EMS Tag for the category.
7. Select which FortiClient EMS tag that devices must be assigned.
8. If you want to assign a specific VLAN to a device assigned to the specified EMS tag, select Assign VLAN and enter the VLAN identifier.
9. Click OK to create the new NAC policy.
Using the CLI to create an EMS-tag policy:
    config user nac-policy
        edit <policy_name>
            set description <description_of_policy>
            set category ems-tag
            set ems-tag <string>
            set status enable
            set switch-fortilink <FortiLink_interface>
            set switch-group <list_of_FortiSwitch_groups>
            set switch-auto-auth {enable | disable}
            set switch-mac-policy <switch_mac_policy>
            set match-type {dynamic | override}
            set match-period <0-120>
        next
    end
For example:
    config user nac-policy
        edit nac_policy_1
            set category ems-tag
            set ems-tag MAC_FCTEMS0000108427_Low
            set switch-fortilink fortilink1
        next
    end
Creating a FortiVoice-tag policy
A FortiVoice-tag policy matches devices with a specified FortiVoice tag and then assigns a specific VLAN to those devices. The FortiVoice tag identifies a dynamic MAC address group of all FortiFones registered with a FortiVoice unit.
The required FortiVoice version for this feature is 7.0.1 or higher. FortiOS must be 7.4.4 or higher.
Before creating a FortiVoice-tag policy:
1. On the FortiGate device, create a firewall policy to allow FortiFones to always reach FortiVoice before and after matching the FortiLink NAC policy.
2. Connect the FortiFones to the managed-switch ports and enable NAC on the ports.
3. Connect FortiVoice to the FortiGate device on a different subnet.
4. Ensure that the FortiFones get connected and registered to FortiVoice on the onboarding VLAN. The FortiVoice connector pushes the FortiVoice tags to the FortiGate device, along with the registered FortiFone MAC/IP address.
5. In FortiOS, verify which FortiFone MAC/IP address is added to the dynamic firewall list when it gets registered with FortiVoice:
    diagnose firewall dynamic list
6. Configure the fortivoice-tag NAC policy, which helps NAC to move the FortiFone to the data VLAN.

Using the GUI to create a FortiVoice-tag policy:
1. Go to WiFi & Switch Controller > NAC Policies.
2. Click Create New.
3. In the Name field, enter a name for the NAC policy. You can enter a number as the NAC policy name, although names are string values.
4. Make certain that the status is set to Enabled.
5. Click Specify to select which FortiSwitch groups to apply the NAC policy to or click All.
6. Select FortiVoice tag for the category. NOTE: The object type of the FortiVoice tag must be MAC.
7. Select which FortiVoice tag that devices must be assigned.
8. If you want to assign a specific VLAN to a device assigned to the specified FortiVoice tag, select Assign VLAN and enter the VLAN identifier.
9. Click OK to create the new NAC policy.
Using the CLI to create a FortiVoice-tag policy:
    config user nac-policy
        edit <policy_name>
            set description <description_of_policy>
            set category fortivoice-tag
            set status enable
            set fortivoice-tag <string>
            set switch-fortilink <FortiLink_interface>
            set switch-group <list_of_FortiSwitch_groups>
            set switch-mac-policy <switch_mac_policy>
            set firewall-address <firewall_address_name>
            set ssid-policy <policy_name>
            set match-type {dynamic | override}
            set match-period <0-120>
        next
    end
Configuration example
The NAC policy on the FortiGate matches the dynamic FortiVoice-tag MAC address. The MAC address is connected to a FortiSwitch port (port6). After the MAC address is matched, port6 is moved to vlan12, where traffic is controlled for registered FortiFones.

To configure this example in the GUI:
1. Configure the NAC policy:
   a. Go to WiFi & Switch Controller > NAC Policies and click Create New.
   b. Select FortiVoice tag for the category.
   c. Enter user::nac-policy::category.fortivoice-tag in the FortiVoice tag field.
   d. Use the CLI to configure the NAC policy to match the FortiVoice tag.
   e. Enable Assign VLAN and select vlan12.
   f. Configure the other settings as needed.
   g. Click OK.
2. Enable NAC on port6:
   a. Go to WiFi & Switch Controller > FortiSwitch Ports.
   b. Right-click port6 and set the Mode to NAC.
3. Configure a firewall policy to control the outbound internet access for FortiFones (vlan12 to wan1).
   a. Go to Policy & Objects > Firewall Policy and click Create New.
   b. In the Name field, enter a name for the policy.
   c. From the Incoming Interface dropdown list, select vlan12.
   d. From the Outgoing Interface dropdown list, select wan1.
   e. In the Source field, click +, select all from the Select Entries pane, and click Close.
   f. In the Destination field, click +, select all from the Select Entries pane, and click Close.
   g. In the Schedule dropdown list, select always.
   h. For the Action field, click ACCEPT.
   i. Configure the other settings as needed.
   j. Click OK.
4. Generate traffic from the FortiFone.
5. After the NAC policy is matched, go to WiFi & Switch Controller > NAC Policies to view the device matched to the policy. The FortiFone is also shown on Dashboard > Assets & Identities in the Matched NAC Devices widget.
6. Go to WiFi & Switch Controller > FortiSwitch Ports and locate the port that the FortiFone is connected to. The port has been dynamically assigned vlan12.
To configure this example in the CLI:
1. Configure the FortiVoice-tag NAC policy.
    config user nac-policy
        edit "nac-policy-fortivoice"
            set category fortivoice-tag
            set fortivoice-tag "MAC_FortiVoice_Registered_Phones"
            set switch-fortilink "fortilink"
            set switch-mac-policy "mac-policy-1"
        next
    end
2. Configure the VLAN in the MAC policy.
    config switch-controller mac-policy
        edit "mac-policy-1"
            set fortilink "fortilink"
            set vlan "vlan12"
        next
    end
3. Enable NAC on the FortiSwitch port connected to the FortiFone.
    config switch-controller managed-switch
        edit "Access-FortiSwitch-1"
            config ports
                edit "port6"
                    set access-mode nac
                next
            end
        next
    end
4. Configure the firewall policy.
    config firewall policy
        edit 1
            set name "fortivoice_policy"
            set srcintf "vlan12"
            set dstintf "wan1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set logtraffic all
            set nat enable
        next
    end
Creating a vulnerability policy
To use a vulnerability policy, you need the following:
• A valid Attack Surface Security Rating service license to download the IoT signature package.
• Device detection enabled on the LAN interface used by the IoT devices.
  • In the GUI, go to Network > Interfaces, edit a LAN interface, enable Device detection, and click OK.
  • In the CLI, enter:
    config system interface
        edit <name>
            set device-identification enable
        next
    end
• A firewall policy with an application control sensor.

The NAC policy matches IoT devices with the specified severity levels, which indicate how vulnerable an IoT device is. The following severity levels are available:
• Critical (4)
• High (3)
• Medium (2)
• Low (1)
• Information (0)
Using the GUI to create a vulnerability policy:
1. Go to WiFi & Switch Controller > NAC Policies.
2. Click Create New.
3. In the Name field, enter a name for the NAC policy. You can enter a number as the NAC policy name, although names are string values.
4. Make certain that the status is set to Enabled.
5. For the FortiSwitches buttons, click Specify to select which FortiSwitch groups to apply the NAC policy to or click All.
6. In the Description field, enter a description of the vulnerability policy.
7. Select Vulnerability for the category.
8. For the Match buttons, click Specify and + to select one or more severity levels to match, or select Severity is at least and + to specify the lowest level of severity to match (that level and above match).
9. If you want to assign a specific VLAN to the device that matches the specified criteria, select Assign VLAN and enter the VLAN identifier.
10. If you do not want to bounce the switch port (administratively bringing the link down and then up) when NAC mode is configured, disable Bounce port.
11. To use a dynamic firewall address for matching a device, enable Assign device to dynamic address and, from the dropdown list, click Create.
   a. In the Name field, enter the name of the dynamic firewall address.
   b. To change the color, click Change and select the color used for the corresponding icon in the GUI.
   c. The address type is set to Dynamic by default and the subtype is set to Switch Controller NAC Policy Tag by default.
   d. For the interface, select the interface whose IP address is to be used.
   e. In the Comments field, enter a description of the dynamic firewall address.
   f. Click OK to save the dynamic firewall address.
12. Click OK to create the new NAC policy.
Using the CLI to create a vulnerability policy:
    config user nac-policy
        edit <policy_name>
            set description <description_of_policy>
            set category vulnerability
            set severity {0 | 1 | 2 | 3 | 4}
            set status enable
            set switch-fortilink <FortiLink_interface>
            set switch-group <list_of_FortiSwitch_groups>
            set switch-auto-auth {enable | disable}
            set switch-mac-policy <switch_mac_policy>
            set match-type {dynamic | override}
            set match-period <0-120>
        next
    end
For example (more than one severity level can be listed):
    config user nac-policy
        edit nac_policy_1
            set category vulnerability
            set severity 3 4
            set switch-fortilink fortilink1
        next
    end
Creating a MAC policy
You can apply a MAC policy to the devices that were matched by the NAC policy. You can specify which VLAN is applied, select which traffic policy is used, and enable or disable packet counting.
    config switch-controller mac-policy
        edit <MAC_policy_name>
            set description <policy_description>
            set fortilink <FortiLink_interface>
            set vlan <VLAN_name>
            set traffic-policy <traffic_policy_name>
            set count {enable | disable}
        next
    end
Viewing the devices that match the NAC policy
Using the GUI:
1. Go to WiFi & Switch Controller > NAC Policies.
2. Click View Matched Devices.
3. Click Refresh to update the results.
When a NAC device is matched to a NAC policy and assigned to a VLAN, an event log is created.
Using the CLI:
To show known NAC devices with a known location that match a NAC policy:
    diagnose switch-controller mac-device nac known
To show pending NAC devices with an unknown location that match a NAC policy:
    diagnose switch-controller mac-device nac onboarding
To view the NAC clients:
    diagnose switch-controller mac-device cache
To display the NAC cache of MAC addresses on the FortiSwitch unit:
    execute switch-controller get-nac-mac-cache
Viewing device statistics
Starting in FortiOS 7.2.4 with FortiSwitchOS 7.2.3, you can use the FortiOS CLI to report device statistics when NAC is enabled. The device statistics report the MAC addresses of known devices, the number of packets and bytes received, the number of seconds since the last update, and the age of the MAC counter in seconds.
• Only statistics for receive counters are reported.
• If a device moves to a different FortiSwitch unit, the MAC counters are reallocated.
• If a FortiSwitch unit cannot track both bytes and packets, a zero is displayed for whichever value cannot be tracked. If a FortiSwitch unit cannot track device statistics at all, the entry will be missing from the CLI command output.
• This feature is supported on the following FortiSwitch models: FSR-124D, FSR-224F-FPOE, FS-224D-FPOE, FS-224E, FS-224E-POE, FS-248D, FS-248E-POE, FS-248E-FPOE, FS-424E, FS-424E-POE, FS-424E-FPOE, FS-M426E-FPOE, FS-424E-Fiber, FS-448E, FS-448E-POE, FS-448E-FPOE, FS-524D, FS-524D-FPOE, FS-548D, FS-548D-FPOE, FS-1024D, FS-1024E, FS-T1024E, FS-1048E, and FS-3032E.
• Accuracy is not guaranteed.
To display device statistics:
1. Enable NAC.
    config user nac-policy
        edit <NAC_policy_name>
            set status enable
        next
    end
2. Enable packet counting in the MAC policy. By default, packet counting is disabled.
    config switch-controller mac-policy
        edit <MAC_policy_name>
            set count enable
        next
    end
3. Specify how long inactive MAC addresses are kept before being removed from the client database. By default, MAC addresses are kept for 24 hours. The range of values is 0-168 hours. If you set this option to 0, the value for the mac-aging-interval setting is used instead.
    config switch-controller global
        set mac-retention-period <number_of_hours>
    end
4. Enter the following command to display the device statistics:
    diagnose switch-controller telemetry show mac-stats
For example:
    diagnose switch-controller telemetry show mac-stats
    MAC                 Packets   Bytes        Last Update (secs ago)   Age
    ------------------------------------------------------------------------------------
    00:00:00:00:00:0f   234562    2356546842   41                       23433
    00:00:00:00:14:21   44273     456346       68                       7477
    00:03:7a:a8:82:e7   12346     34545        30                       983452
    00:04:f2:f3:2b:7f   4357      345345       30                       23423
    00:04:f2:f6:77:05   463453    4564564      430                      362456265
    00:04:f2:f6:7a:6a   34535     1312354      30                       23423
    00:04:f2:f6:7b:66   73821     345345       68                       374546
    00:05:9a:3c:7a:00   43        9144         68                       456725
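Given the caveats above (receive counters only, a zero wherever a model cannot track a counter, no accuracy guarantee), this output is best used for coarse liveness and hygiene checks rather than accounting. The following Python script is an added example written for this guide, not Fortinet code: it parses the mac-stats table, separates rows whose zero counters mean "not tracked" from rows that carry real counts, and lists devices whose last update is older than a threshold you choose. The embedded sample is the example output above plus one constructed row with a zero packet counter to exercise the untracked case; the silence threshold is an assumption for the example.

```python
import re

# Sample `diagnose switch-controller telemetry show mac-stats` output: the rows from the
# guide's example plus one constructed row (00:11:22:33:44:55) with an untracked counter.
SAMPLE_OUTPUT = """\
MAC                 Packets   Bytes        Last Update (secs ago)   Age
------------------------------------------------------------------------------------
00:00:00:00:00:0f   234562    2356546842   41                       23433
00:00:00:00:14:21   44273     456346       68                       7477
00:03:7a:a8:82:e7   12346     34545        30                       983452
00:04:f2:f3:2b:7f   4357      345345       30                       23423
00:04:f2:f6:77:05   463453    4564564      430                      362456265
00:04:f2:f6:7a:6a   34535     1312354      30                       23423
00:04:f2:f6:7b:66   73821     345345       68                       374546
00:05:9a:3c:7a:00   43        9144         68                       456725
00:11:22:33:44:55   0         9144         12                       300
"""

# One data row: MAC, packets, bytes, seconds since last update, counter age in seconds.
ROW_RE = re.compile(r"^([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$", re.I)


def parse_mac_stats(text):
    """Return one dict per device row; the header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            mac, packets, nbytes, last_update, age = m.groups()
            rows.append({"mac": mac.lower(), "packets": int(packets), "bytes": int(nbytes),
                         "last_update_secs": int(last_update), "age_secs": int(age)})
    return rows


def untracked_counters(rows):
    """MACs where a zero means the switch model could not track packets or bytes."""
    return [r["mac"] for r in rows if r["packets"] == 0 or r["bytes"] == 0]


def stale_devices(rows, max_silence_secs):
    """MACs not updated within max_silence_secs, longest-silent first."""
    stale = [r for r in rows if r["last_update_secs"] > max_silence_secs]
    return [r["mac"] for r in sorted(stale, key=lambda r: r["last_update_secs"], reverse=True)]


def mean_packet_size(rows):
    """Average received bytes per packet per MAC, skipping rows with untracked counters."""
    return {r["mac"]: r["bytes"] / r["packets"] for r in rows if r["packets"] and r["bytes"]}


if __name__ == "__main__":
    stats = parse_mac_stats(SAMPLE_OUTPUT)
    print("untracked:", untracked_counters(stats))
    print("silent > 5 min:", stale_devices(stats, 300))
```

Pipe the real command output into parse_mac_stats and compare stale_devices against the mac-retention-period you set in step 3: a device listed as stale but still within the retention window is a candidate for a physical check rather than an automatic cleanup.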

Example of using LAN segments with NAC
In this example, devices are initially placed in the onboarding VLAN and receive IP addresses from the nac_segment DHCP server. Ports connected to the devices are configured with the NAC access mode. NAC policies are used to identify devices by OS and place them into the appropriate VLAN segment and dynamic firewall address. Firewall policies match traffic from the nac_segment interface by the dynamic firewall address and apply the appropriate security profiles to each.

1. Configure the FortiSwitch VLANs for Office 1 and Office 2.
    config system interface
        edit "Office2"
            set vdom "root"
            set device-identification enable
            set role lan
            set snmp-index 33
            set color 10
            set interface "fortilink"
            set vlanid 2000
        next
        edit "Office1"
            set vdom "root"
            set device-identification enable
            set role lan
            set snmp-index 34
            set color 5
            set interface "fortilink"
            set vlanid 2001
        next
    end
2. The following is the configuration for the nac_segment interface and its corresponding DHCP server settings. These settings are the default.
    config system interface
        edit "nac_segment"
            set vdom "root"
            set ip 10.255.13.1 255.255.255.0
            set description "NAC Segment VLAN"
            set alias "nac_segment.fortilink"
            set device-identification enable
            set snmp-index 32
            set switch-controller-feature nac-segment
            set interface "fortilink"
            set vlanid 4088
        next
    end
    config system dhcp server
        edit 5
            set lease-time 300
            set dns-service default
            set default-gateway 10.255.13.1
            set netmask 255.255.255.0
            set interface "nac_segment"
            config ip-range
                edit 1
                    set start-ip 10.255.13.2
                    set end-ip 10.255.13.254
                next
            end
            set timezone-option default
        next
    end
3. Add the Office 1 VLAN and Office 2 VLAN to the LAN segment VLANs.
    config switch-controller fortilink-settings
        edit "fortilink"
            config nac-ports
                set onboarding-vlan "onboarding"
                set lan-segment enabled
                set nac-lan-interface "nac_segment"
                set nac-segment-vlans "voice" "video" "Office2" "Office1"
            end
        next
    end
4. Configure the NAC policy for devices in Office 1 and Office 2.
If you configure the NAC policy from the GUI, you can create the office2_device and office1_device dynamic firewall addresses inline. However, if you create the NAC policy from the CLI, first create the firewall addresses and then create the MAC policy and NAC policies.

    config firewall address
        edit "office2_device"
            set type dynamic
            set sub-type swc-tag
            set color 19
        next
        edit "office1_device"
            set type dynamic
            set sub-type swc-tag
            set color 10
        next
    end
    config switch-controller mac-policy
        edit "Office2_FAP"
            set fortilink "fortilink"
            set vlan "Office2"
        next
        edit "Office2_PC"
            set fortilink "fortilink"
            set vlan "Office2"
        next
        edit "Office1_PC"
            set fortilink "fortilink"
            set vlan "Office1"
        next
    end
    config user nac-policy
        edit "OFFICE2_FAP"
            set hw-vendor "Fortinet"
            set family "FortiAP"
            set os "FortiAP OS"
            set switch-fortilink "fortilink"
            set switch-group "Office2switches"
            set switch-mac-policy "Office2_FAP"
            set firewall-address "office2_device"
        next
        edit "OFFICE2_PC"
            set os "Linux"
            set switch-fortilink "fortilink"
            set switch-group "Office2switches"
            set switch-mac-policy "Office2_PC"
            set firewall-address "office2_device"
        next
        edit "OFFICE1_PC"
            set hw-vendor "VMware"
            set switch-fortilink "fortilink"
            set switch-group "Office1switches"
            set switch-mac-policy "Office1_PC"
            set firewall-address "office1_device"
        next
    end

5. Configure the firewall policy for devices in Office 1 or Office 2.
The source of all traffic is nac_segment, but the traffic is filtered on the srcaddr by the dynamic firewall address previously assigned by the NAC policies.
config firewall policy
    edit 5
        set name "Office1_Device"
        set uuid d3e2bbdc-d9c1-51eb-dbd3-cb534366b58d
        set srcintf "nac_segment"
        set dstintf "port1"
        set action accept
        set srcaddr "office1_device"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
        set nat enable
    next
    edit 4
        set name "Office2_Device"
        set uuid a724c2fc-d9c1-51eb-e8d8-a501419308b3
        set srcintf "nac_segment"
        set dstintf "port1"
        set action accept
        set srcaddr "office2_device"
        set dstaddr "all"
        set schedule "always"
        set service "ALL_ICMP" "FTP" "FTP_GET" "FTP_PUT" "HTTP" "HTTPS" "TFTP"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
        set nat enable
    next
    edit 3
        set name "All_devices"
        set uuid 0accfbae-d9c1-51eb-b0bf-2ba0b00647c0
        set srcintf "nac_segment"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set dnsfilter-profile "default"
        set ips-sensor "default"
        set application-list "default"
        set logtraffic all
        set nat enable
    next
end

6. Place the ports in NAC mode.
config switch-controller managed-switch
    edit "S524DN4K16000116"
        config ports
            edit "port7"
                set vlan "onboarding"
                set allowed-vlans "quarantine" "nac_segment"
                set untagged-vlans "quarantine" "nac_segment"
                set access-mode nac
            next
        end
    next
    edit "S248EPTF18001384"
        config ports
            edit "port1"
                set vlan "onboarding"
                set allowed-vlans "quarantine" "nac_segment"
                set untagged-vlans "quarantine" "nac_segment"
                set access-mode nac
            next
            edit "port6"
                set vlan "onboarding"
                set allowed-vlans "quarantine" "nac_segment"
                set untagged-vlans "quarantine" "nac_segment"
                set access-mode nac
            next
        end
    next
end
Using the FortiSwitch NAC VLAN widget
The widget shows a pie chart of the assigned FortiSwitch NAC VLANs. When expanded to the full screen, the widget shows a full list of devices grouped by VLAN, NAC policy, or last seen.
The widget is added to the Users & Devices dashboard after a dashboard reset or can be manually added to a dashboard. It can also be accessed by going to WiFi & Switch Controller > NAC Policies and clicking View Matched Devices.


The expanded view of the widget shows Assigned VLAN and Last Seen pie charts and a full device list. The list can be organized By VLAN, By NAC Policy, or By Policy Type.
Click View NAC Policies to go to WiFi & Switch Controller > NAC Policies.

Configuring dynamic port policy rules
Dynamic port policies allow you to specify rules that dynamically determine port policies. After you create the FortiLink policy settings, you define the dynamic port policy rules. When a rule matches the specified device patterns, the switch controller actions control the port's properties.

NOTE: Visit https://filestore.fortinet.com/product-downloads/fortilink/HTFO_list.json to see a list of values for hardware vendor, type, device family, and operating system.

When you add dynamic port policy rules to the FortiLink policy settings, the rules are processed sequentially, from the first rule to the last rule. The last rule in the FortiLink policy settings should indicate the default properties for any port that has been assigned these FortiLink policy settings.


To identify devices to add to a dynamic port policy rule, try the following:
- Use the diagnose user device list command to see devices connected to your FortiGate device.
- Use the FortiGuard Device Detection service (https://www.fortiguard.com/learnmore#dds) to provide information about an IoT device based on its MAC address.
To configure dynamic port policy rules:
1. Set the access mode and port policy for the port on page 181
2. Set the FortiLink policy settings to the FortiLink interface on page 181
3. Create the FortiLink policy settings on page 181
4. Create the dynamic port policy rule on page 182
5. Set how often the dynamic port policy engine runs on page 184
Set the access mode and port policy for the port
config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        config ports
            edit <port_name>
                set access-mode dynamic
                set port-policy <dynamic_port_policy>
            next
        end
    next
end
Set the FortiLink policy settings to the FortiLink interface
Enable the dynamic port policy on the FortiLink interface by specifying the FortiLink policy settings on the FortiLink interface.
config system interface
    edit fortilink
        set switch-controller-dynamic <FortiLink_policy_settings>
    next
end
Create the FortiLink policy settings
Using the GUI
1. Go to WiFi & Switch Controller > FortiSwitch Port Policies.
2. Click Dynamic Port Policies.
3. Click Configure Dynamic Port Settings.
4. Select the onboarding VLAN from the Onboarding VLAN dropdown list. The default onboarding VLAN is onboarding.

5. Move the Bounce port slider to enable it if you want the link to go down and then up when the NAC mode is configured on the port.
6. If you are using the dynamic port policy with FortiSwitch network access control, move the Apply rule to NAC policies slider to enable it.
7. Click Next.
8. When devices are matched by a dynamic port policy, you can assign those devices to a dynamic port VLAN. By default, there are six VLAN templates:
   - default--This VLAN is assigned to all switch ports when the FortiSwitch unit is first discovered.
   - onboarding--This VLAN is for NAC onboarding devices.
   - quarantine--This VLAN contains quarantined traffic.
   - rspan--This VLAN contains RSPAN and ERSPAN mirrored traffic.
   - video--This VLAN is dedicated for video devices.
   - voice--This VLAN is dedicated for voice devices.
   You can select one of the default VLAN templates, edit one of the default VLAN templates, or create a dynamic port VLAN.
9. Click Submit.
Using the CLI
config switch-controller fortilink-settings
    edit <name_of_this_FortiLink_configuration>
        set inactive-timer <integer>
        set link-down-flush {enable | disable}
        config nac-ports
            set onboarding-vlan <string>
            set bounce-nac-port {enable | disable}
        end
    next
end
Create the dynamic port policy rule
Starting in FortiOS 7.4.4, you can use the CLI to control how long matched devices are kept for dynamic port policies. In previous releases, matched devices were deleted when the connection-ID table entry was deleted, the port link status went down, the device was inactive, or the switch was offline.
To control how long matched devices are kept:
1. Change the set match-type setting from dynamic to override.
2. Select the number of days to keep matched devices with the set match-period command. By default, match-period is set to 0, and the matched devices are kept forever or until a user-configured event occurs in the CLI or the FortiGate device is restarted. You can change the value to 1 to 120 days to keep matched devices.
Starting in FortiOS 7.4.4, devices matched by dynamic port policies are now matched according to the priority, instead of using First Come, First Serve (FCFS) matching.
Using the GUI
1. On the Dynamic Port Policies page, select the dynamic port policy that you want to add dynamic port policy rules to.
2. Click Edit.


3. Click Create New.
4. In the Name field, enter a name for the dynamic port policy rule.
5. Make certain that the status is set to Enabled.
6. In the Description field, enter a description of the dynamic port policy rule.
7. If you want the device to match a MAC address, enable MAC Address and enter the MAC address to match.
8. If you want the device to match a host name or IP address, enable Host and enter the host name or IP address to match.
9. If you want the device to match a hardware vendor, enable Hardware vendor and enter the name of the hardware vendor to match in the Hardware vendor field. This option is available in FortiOS 7.0.4 and higher.
10. If you want the device to match a device family, enable Device Family and enter the name of the device family to match.
11. If you want the device to match a device type, enable Type and enter the device type to match.
12. If you want to assign an LLDP profile to the device that matches the specified criteria, enable LLDP profile and select the LLDP profile.
13. If you want to assign a QoS policy to the device that matches the specified criteria, enable QoS policy and select the QoS policy.
14. If you want to assign an 802.1x policy to the device that matches the specified criteria, enable 802.1X policy and select the 802.1x policy.
15. If you want to assign a VLAN policy to the device that matches the specified criteria, enable VLAN policy and select the VLAN policy.
16. Click OK.
Using the CLI
config switch-controller dynamic-port-policy
    edit <dynamic_port_policy_name>
        set description <string>
        set fortilink <FortiLink_interface_name>
        config policy
            edit <policy_name>
                set description <string>
                set status {enable | disable}
                set category {device | interface-tag}
                set hw-vendor <hardware_vendor>
                set mac <MAC_address>
                set type <device_type>
                set family <device_family_name>
                set host <host_name_or_IP_address>
                set lldp-profile <LLDP_profile_name>
                set qos-policy <QoS_policy_name>
                set 802-1x <802.1x_policy_name>
                set vlan-policy <VLAN_policy_name>
                set bounce-port-link {disable | enable}
                set match-type {dynamic | override}
                set match-period <0-120>
            next
        end
    next
end
For example:
config switch-controller dynamic-port-policy
    edit DPP1
        set description "Policy for VMware devices"
        set fortilink "flink"
        config policy
            edit policy1
                set description "Rule applies only to VMware devices"
                set status enable
                set hw-vendor "VMware"
                set lldp-profile "LLDPprofile1"
                set bounce-port-link enable
            next
        end
    next
end
Creating a VLAN policy
You can specify a VLAN policy to be used in the port policy. In the VLAN policy, you can specify the native VLAN to be applied, the allowed VLANs, and the untagged VLANs. You can enable or disable all defined VLANs and select whether to discard untagged or tagged frames or to not discard any frames.
config switch-controller vlan-policy
    edit <VLAN_policy_name>
        set description <policy_description>
        set fortilink <FortiLink_interface>
        set vlan <VLAN_name>
        set allowed-vlans <lists_of_VLAN_names>
        set untagged-vlans <lists_of_VLAN_names>
        set allowed-vlans-all {enable | disable}
        set discard-mode {none | all-untagged | all-tagged}
    next
end
For example:
config switch-controller vlan-policy
    edit vlan_policy_1
        set fortilink fortilink1
        set vlan default
    next
end
Set how often the dynamic port policy engine runs
In the FortiOS CLI, you can change how often the dynamic port policy engine runs. By default, it runs every 60 seconds. The range of values is 5-180 seconds.
config switch-controller system
    set dynamic-periodic-interval <5-180 seconds>
end

FortiSwitch security policies
To control network access, the managed FortiSwitch unit supports IEEE 802.1X authentication. A supplicant connected to a port on the switch must be authenticated by a RADIUS/Diameter server to gain access to the network. The supplicant and the authentication server communicate through the switch using the Extensible Authentication Protocol (EAP). The managed FortiSwitch unit supports EAP-PEAP, EAP-TTLS, and EAP-TLS.

To use the RADIUS server for authentication, you must configure the server before configuring the users or user groups on the managed FortiSwitch unit.

NOTE: In FortiLink mode, you must manually create a firewall policy to allow RADIUS traffic for 802.1X authentication from the FortiSwitch unit (for example, from the FortiLink interface) to the RADIUS server through the FortiGate device.

The managed FortiSwitch unit implements MAC-based authentication. The switch saves the MAC address of each supplicant's device. The switch provides network access only to devices that have successfully been authenticated.

You can enable the MAC Authentication Bypass (MAB) option for devices (such as network printers) that cannot respond to the 802.1X authentication request. With MAB enabled on the port, the system will use the device MAC address as the user name and password for authentication.

If a link goes down, you can select whether the impacted devices must reauthenticate. By default, reauthentication is disabled.

You can configure a guest VLAN for unauthorized users and a VLAN for users whose authentication was unsuccessful. Starting in FortiSwitchOS 6.4.3, if the RADIUS server cannot be reached for 802.1X authentication, you can specify an untagged VLAN for users after the authentication server timeout period expires. Starting in FortiOS 7.4.4, you can specify a tagged VLAN for users to be assigned to when the authentication server is unavailable. This feature is available with 802.1X MAC-based authentication. It is compatible with both EAP and MAB.
When you are testing your system configuration for 802.1X authentication, you can use the monitor mode to allow network traffic to flow, even if there are configuration problems or authentication failures.
Fortinet recommends an 802.1X setup rate of 5 to 10 sessions per second.
This section covers the following topics:
- Number of devices supported per port for 802.1X MAC-based authentication on page 186
- Configuring the 802.1X settings for a virtual domain on page 186
- Overriding the virtual domain settings on page 187
- Specifying how RADIUS request attributes are formatted on page 188
- Dynamically and manually assigning the NAS-IP-Address attribute on page 188
- Dynamic VLAN assignment on page 189
- Dynamic access control lists on page 192
- Defining an 802.1X security policy on page 196
- Applying an 802.1X security policy to a FortiSwitch port on page 198
- Testing 802.1X authentication with monitor mode on page 199
- Clearing authorized sessions on page 199
- RADIUS accounting support on page 200
- RADIUS change of authorization (CoA) support on page 200
- 802.1X authentication deployment example on page 203
- Detailed deployment notes on page 205

Number of devices supported per port for 802.1X MAC-based authentication

The FortiSwitch unit supports up to 20 devices per port for 802.1X MAC-based authentication. System-wide, the FortiSwitch unit now supports a total of 10 times the number of interfaces for 802.1X MAC-based authentication. See the following table.

Model                      Total number of devices supported per switch
108                        80
112                        60
124/224/424/524/1024       240
148/248/448/548/1048       480
3032                       320

Configuring the 802.1X settings for a virtual domain

To configure the 802.1X security policy for a virtual domain:

config switch-controller 802-1X-settings
    set link-down-auth {set-unauth | no-action}
    set reauth-period <integer>
    set max-reauth-attempt <integer>
    set tx-period <integer>
    set mab-reauth {enable | disable}
end

Option: link-down-auth {set-unauth | no-action}
    Description: If a link is down, this command determines the authentication state. Choosing set-unauth sets the interface to unauthenticated when a link is down, and reauthentication is needed. Choosing no-action means that the interface does not need to be reauthenticated when a link is down.
    Default: set-unauth

Option: reauth-period <integer>
    Description: This command sets how often reauthentication is needed. The range is 1-1440 minutes. Setting the value to 0 minutes disables reauthentication.
    NOTE: Setting the reauth-period to 0 is supported only in the CLI. The RADIUS dynamic session timeout and CoA session timeout do not support setting the Session Timeout to 0. For MAB authentication, the host entry is automatically reauthenticated after the reauth-period. To clear the host entry, you need to clear the entry manually.
    Default: 60

Option: max-reauth-attempt <integer>
    Description: This command sets the maximum number of reauthentication attempts. The range is 1-15. Setting the value to 0 disables reauthentication.
    Default: 3

Option: tx-period <integer>
    Description: This command sets the 802.1X transmission period in seconds. The range is 4-60.
    Default: 30

Option: mab-reauth {enable | disable}
    Description: This command enables or disables MAB reauthentication.
    Default: disable

Overriding the virtual domain settings

You can override the virtual domain settings for the 802.1X security policy.

Using the FortiGate GUI
To override the 802.1X settings for a virtual domain:
1. Go to WiFi & Switch Controller > Managed FortiSwitches.
2. Click on a FortiSwitch faceplate and select Edit.
3. In the Edit Managed FortiSwitch page, move the Override 802-1X settings slider to the right.
4. In the Reauthentication Interval field, enter the number of minutes before reauthentication is required. The maximum interval is 1,440 minutes. Setting the value to 0 minutes disables reauthentication.
5. In the Max Reauthentication Attempts field, enter the maximum times that reauthentication is attempted. The maximum number of attempts is 15. Setting the value to 0 disables reauthentication.
6. Select Deauthenticate or None for the link down action. Selecting Deauthenticate sets the interface to unauthenticated when a link is down, and reauthentication is needed. Selecting None means that the interface does not need to be reauthenticated when a link is down.
7. Select OK.

Using the FortiGate CLI

To override the 802.1X settings for a virtual domain:

config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        config 802-1X-settings
            set local-override {enable | *disable}
            set reauth-period <integer>                    // visible if override enabled
            set max-reauth-attempt <integer>               // visible if override enabled
            set link-down-auth {*set-unauth | no-action}   // visible if override enabled
            set mab-reauth {enable | disable}              // visible if override enabled
        end
    next
end

For a description of the options, see Configuring the 802.1X settings for a virtual domain.

Specifying how RADIUS request attributes are formatted
Starting in FortiOS 7.4.2 with FortiSwitchOS 7.4.1, you can specify how the following RADIUS request attributes are formatted when they are sent to the RADIUS server:
- User-Name
- User-Password
- Called-Station-Id
- Calling-Station-Id
For each of these attributes, you can select a colon, hyphen, or single hyphen as the delimiter, or select none for no delimiter. The default delimiter is a hyphen.
The following are examples of MAC addresses with the different delimiters:
- Using a colon as a delimiter: 00:11:22:33:44:55
- Using a hyphen as a delimiter: 00-11-22-33-44-55
- Using a single hyphen as a delimiter: 001122-334455
- Using none for no delimiter: 001122334455
You can also select whether to use lowercase or uppercase letters in MAC addresses. By default, lowercase letters are used.
To specify how RADIUS request attributes are formatted:
config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        config 802-1X-settings
            set local-override enable
            set mac-username-delimiter {colon | hyphen | none | single-hyphen}
            set mac-password-delimiter {colon | hyphen | none | single-hyphen}
            set mac-calling-station-delimiter {colon | hyphen | none | single-hyphen}
            set mac-called-station-delimiter {colon | hyphen | none | single-hyphen}
            set mac-case {lowercase | uppercase}
        end
    next
end
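The following is an added example (not Fortinet code) that renders a MAC address the way the delimiter and mac-case settings above describe, and derives the User-Name and User-Password pair that MAB sends for a device, so the identities stored on the RADIUS server can be compared with what the switch will actually send. The function names are this example's own.

```python
"""Added example (not Fortinet code): reproduce the MAC address formatting
selected by mac-*-delimiter and mac-case so that MAB identities stored on the
RADIUS server can be checked against what the switch will send."""
import re

# Delimiter styles from the RADIUS attribute formatting section: (separator, group width).
DELIMITERS = {
    "colon": (":", 2),          # 00:11:22:33:44:55
    "hyphen": ("-", 2),         # 00-11-22-33-44-55 (documented default)
    "single-hyphen": ("-", 6),  # 001122-334455
    "none": ("", 12),           # 001122334455
}


def normalize_mac(mac: str) -> str:
    """Strip any delimiter from an input MAC and return its 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits.lower()


def format_mac(mac: str, delimiter: str = "hyphen", case: str = "lowercase") -> str:
    """Format a MAC as the switch would place it in a RADIUS attribute.

    delimiter is one of the mac-*-delimiter values and case is the mac-case value;
    the defaults are the documented defaults (hyphen, lowercase)."""
    if delimiter not in DELIMITERS:
        raise ValueError(f"unknown delimiter {delimiter!r}")
    if case not in ("lowercase", "uppercase"):
        raise ValueError(f"unknown case {case!r}")
    digits = normalize_mac(mac)
    if case == "uppercase":
        digits = digits.upper()
    sep, width = DELIMITERS[delimiter]
    return sep.join(digits[i:i + width] for i in range(0, 12, width))


def mab_credentials(mac: str, username_delimiter: str = "hyphen",
                    password_delimiter: str = "hyphen", case: str = "lowercase"):
    """With MAB enabled, the device MAC is sent as both User-Name and User-Password.
    Each attribute has its own delimiter setting; mac-case applies to both."""
    return (format_mac(mac, username_delimiter, case),
            format_mac(mac, password_delimiter, case))


if __name__ == "__main__":
    # Constructed sample device; shows every documented delimiter for the same MAC.
    for style in DELIMITERS:
        print(f"{style:14s} {format_mac('00:11:22:33:44:55', style)}")
    print(mab_credentials("AA-BB-CC-DD-EE-FF", "none", "colon", "uppercase"))
```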
Dynamically and manually assigning the NAS-IP-Address attribute
Starting in FortiOS 7.4.2, you can dynamically assign a different NAS-IP-Address attribute to the managed switches when authenticating users with a RADIUS server. When this feature is enabled, the NAS-IP-Address attribute is based on the FortiLink IP address when the IP address is IPv4.
If needed, you can override the dynamic NAS-IP-Address attribute and manually assign the NAS-IP-Address attribute to individual managed switches.


Note:
- FortiSwitchOS supports only IPv4 addresses for the NAS-IP-Address attribute.
- You can enable switch-controller-nas-ip-dynamic only when the nas-ip value is not set (under the config user radius command).
- When radius-nas-ip-override is enabled and the radius-nas-ip value is set, the IP address is assigned to the NAS-IP-Address attribute, even if switch-controller-nas-ip-dynamic is not enabled and the nas-ip value is not set.
To dynamically assign a different NAS-IP-Address attribute on the FortiGate device to all managed switches:
config user radius
    edit <RADIUS_server_name>
        set switch-controller-nas-ip-dynamic enable
    next
end
To override the dynamic NAS-IP-Address attribute on the FortiGate device for a specific managed switch:
config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        set radius-nas-ip-override enable
        set radius-nas-ip <IPv4_address>
    next
end
For example:
config switch-controller managed-switch
    edit S524DF4K15000024
        set radius-nas-ip-override enable
        set radius-nas-ip 1.2.3.4
    next
end
Dynamic VLAN assignment
You can configure the RADIUS server to return a VLAN in the authentication reply message.
Starting in FortiOS 6.2, when the FortiSwitch unit receives a VLAN assignment from RADIUS, it determines whether the data is an integer or a string representation. If the representation is an integer, the FortiSwitch unit assigns the VLAN. If the representation is a string, the 802.1X agent searches the description field of each VLAN (names defined by the FortiOS VLAN name). If a match is found, the 802.1X agent makes the assignment.
On the FortiGate device, all VLANs are specified as a system interface. Each system interface has a well-defined and unique name. The switch controller synchronizes the FortiGate system interface name (maximum of 15 characters) to the FortiSwitch VLAN description.
Starting in FortiOS 7.4.1, the FortiOS switch controller also supports the synchronization of the FortiGate system interface description to the switch VLAN description (up to the first 63 characters of the FortiSwitch VLAN description field in FortiOS). This allows a more flexible use of the Tunnel-Private-Group-Id RADIUS attribute. To use the maximum length of 63 characters, set the vlan-identity command to description (under config switch-controller global).
Configuration examples
To configure dynamic VLAN name assignment:

1. Configure a RADIUS server. In this example, the Tunnel-Private-Group-Id is set to the VLAN name, instead of the VLAN identifier.
   - Set Tunnel-Type to "VLAN".
   - Set Tunnel-Medium-Type to "IEEE-802".
   - Set Tunnel-Private-Group-Id to "my.vlan.10".
2. Configure the FortiGate device:
   config system interface
       edit "my.vlan.10"
           set vdom "root"
           set ip 1.1.1.254 255.255.255.0
           set allowaccess ping
           set interface "my.fortlink"
           set vlanid 10
       next
   end
3. Check the FortiSwitch unit. The VLAN name is stored in the value for the set description command.
   # show switch vlan
   config switch vlan
       edit 10
           set description "my.vlan.10"
       next
   end
To synchronize the FortiGate system interface description to the switch VLAN description:

1. Configure the FortiSwitch VLAN on the FortiGate device:
   config system interface
       edit "vlan11"
           set vdom "vdom1"
           set ip 6.6.6.1 255.255.255.0
           set allowaccess ping https ssh http fabric
           set description "Test VLAN"
           set device-identification enable
           set role lan
           set snmp-index 45
           set interface "port11"
           set vlanid 111
       next
   end
2. On the FortiSwitch unit, check that the FortiLink interface name is stored in the value for the set description command.
   config switch vlan
       edit 11
           set description "Test VLAN"
       next
   end

Setting the priority for dynamic or egress VLAN assignment

Starting in FortiOS 7.4.2 with FortiSwitchOS 7.4.2, you can change how a managed FortiSwitch unit searches for VLANs with names (specified in the set description command) that match the Tunnel-Private-Group-Id or Egress-VLAN-Name attribute.
Before FortiOS 7.4.2 and FortiSwitchOS 7.4.2, if there was more than one VLAN with the same name (specified in the set description command), the managed FortiSwitch unit selected the VLAN with the lowest VLAN ID that matched the Tunnel-Private-Group-Id or Egress-VLAN-Name attribute.
In the following example, the Tunnel-Private-Group-Id attribute is set to testVLAN, and three VLANs have the same name of testVLAN. The managed FortiSwitch unit matches the Tunnel-Private-Group-Id attribute with the VLAN with the lowest ID, VLAN 4.

VLAN ID    VLAN name
4          testVLAN
5          testVLAN
6          testVLAN

In FortiOS 7.4.2 with FortiSwitchOS 7.4.2, you can assign a priority to each VLAN. If there is more than one VLAN with the same name (specified in the set description command), the managed FortiSwitch unit selects the VLAN with the lowest assignment-priority value (which is the highest priority) of the VLANs with names that match the RADIUS Tunnel-Private-Group-Id or Egress-VLAN-Name attribute. The assignment-priority value can be 1-255. By default, the assignment-priority is 128. The lowest assignment-priority value gets the highest priority.
In the following example, the Tunnel-Private-Group-Id attribute is set to localVLAN, and four VLANs have the same name of localVLAN. The managed FortiSwitch unit matches the Tunnel-Private-Group-Id attribute with the VLAN that has the lowest assignment-priority value (25), VLAN 5.

VLAN ID    VLAN name    VLAN priority
4          localVLAN    50
5          localVLAN    25
6          localVLAN    75
7          localVLAN    100

To set the priority on the managed FortiSwitch unit for matching VLAN names:
config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        config vlan
            edit <VLAN_name>
                set assignment-priority <1-255>
            next
        end
    next
end
For example:
config switch-controller managed-switch
    edit "S524DF4K15000024"
        config vlan
            edit vlan5
                set assignment-priority 200
            next
        end
    next
end
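The following is an added example (not Fortinet code) that models how a RADIUS Tunnel-Private-Group-Id value is resolved to a VLAN under the rules in the Dynamic VLAN assignment and priority sections above: integer values select the VLAN ID directly, string values are matched against the VLAN description, and duplicate names are resolved by lowest VLAN ID (before 7.4.2) or lowest assignment-priority (7.4.2 and later). The class and function names are this example's own, and the tie-break between equal priorities is an assumption, since the text does not specify it.

```python
"""Added example (not Fortinet code): resolve a RADIUS VLAN assignment to a
FortiSwitch VLAN ID using the matching rules documented above."""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class SwitchVlan:
    vlan_id: int
    description: str                  # VLAN name, as shown by "show switch vlan"
    assignment_priority: int = 128    # documented default; valid range is 1-255

    def __post_init__(self):
        if not 1 <= self.assignment_priority <= 255:
            raise ValueError("assignment-priority must be 1-255")


def resolve_tunnel_private_group_id(group_id: str, vlans: Iterable[SwitchVlan],
                                    priority_aware: bool = True) -> Optional[int]:
    """Return the VLAN ID the switch would assign, or None if no name matches.

    priority_aware=True models FortiOS/FortiSwitchOS 7.4.2 and later (lowest
    assignment-priority wins); False models the older lowest-VLAN-ID rule."""
    if group_id.isdigit():
        # Integer representation: the value is used as the VLAN ID as-is.
        return int(group_id)
    candidates = [v for v in vlans if v.description == group_id]
    if not candidates:
        return None
    if priority_aware:
        # Assumption: equal priorities fall back to the lowest VLAN ID; the
        # document does not state how such a tie is broken.
        best = min(candidates, key=lambda v: (v.assignment_priority, v.vlan_id))
    else:
        best = min(candidates, key=lambda v: v.vlan_id)
    return best.vlan_id


# Constructed sample data mirroring the two tables in the text above.
TEST_VLANS = [SwitchVlan(4, "testVLAN"), SwitchVlan(5, "testVLAN"), SwitchVlan(6, "testVLAN")]
LOCAL_VLANS = [SwitchVlan(4, "localVLAN", 50), SwitchVlan(5, "localVLAN", 25),
               SwitchVlan(6, "localVLAN", 75), SwitchVlan(7, "localVLAN", 100)]

if __name__ == "__main__":
    print("testVLAN, pre-7.4.2:", resolve_tunnel_private_group_id("testVLAN", TEST_VLANS, False))
    print("localVLAN, 7.4.2+:", resolve_tunnel_private_group_id("localVLAN", LOCAL_VLANS))
    print("localVLAN, pre-7.4.2:", resolve_tunnel_private_group_id("localVLAN", LOCAL_VLANS, False))
```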

Dynamic access control lists

Starting in FortiOS 7.4.4, you can use RADIUS attributes to configure dynamic access control lists (DACLs) on the 802.1x ports of managed switches. DACLs are configured on a switch or saved on a RADIUS server. You can use DACLs to control traffic per user session or per port for switch ports directly connected to user clients. DACLs apply to hardware only when 802.1x authentication is successful.
You can use DACLs with 802.1X port-based authentication and 802.1X MAC-based authentication. IPv4 is supported, but IPv6 is not supported. You can use DACLs with monitor mode (open-auth) and with static ACLs.

DACLs are disabled by default. After you enable DACL in an 802.1X security policy, you must apply the 802.1X security policy to a managed FortiSwitch port. See Applying an 802.1X security policy to a FortiSwitch port on page 198.

The maximum number of ACL entries per port is 45. The maximum number of entries includes both static ACL entries and DACL entries. Duplicate entries might cause an error.

FortiSwitch models    Maximum number of static ACL and DACL entries
124D                  896
2xxD/2xxE             896
4xxD                  896
424E/426E             1,792
448E/424E-Fiber       2,816
5xx                   3,584
1024D/1048D           1,792
1024E                 3,034
1048E                 6,144
3032D                 3,072
3032E                 986

Two RADIUS attributes are supported:
- Filter-Id--You need to use a custom command to use the Filter-Id attribute.
- NAS-Filter-Rule--The NAS-Filter-Rule attribute defines the filter rules at the RADIUS server. After authentication, the DACL applies to the port.
  - The NAS-Filter-Rule supports a maximum of 80 characters, and you can specify a maximum of 45 entries per authentication session or a maximum of 45 entries per port.
  - Do not include blank spaces in the NAS-Filter-Rule. Commas and dashes are allowed.
  - A syntax error in one NAS-Filter-Rule causes the entire DACL to fail.
The following is the Filter-Id format:
Filter-Id += "<filter-name>"
For example:
Filter-Id += "filter-id-service1"

Changing the name of Filter-Id after authentication causes errors in the output of the diagnose switch-controller switch-info 802.1X-dacl command when the session is using Filter-Id.

The following is the NAS-Filter-Rule format:
NAS-Filter-Rule = "<deny|permit> in <ip|ip-protocol-value> from <any|<ip-addr>|<ipv4-addr/mask>> [<tcp/udp-port|tcp/udp min-max port>] to <any|<ip-addr>|<ipv4-addr/mask>> [<tcp/udp-port|tcp/udp min-max port>] [cnt]"
The following table explains the syntax of the NAS-Filter-Rule:

Option: <deny|permit>
    Select one of the following:
    - permit--Allow packets that match the rule.
    - deny--Drop packets that match the rule.

Option: in
    The in keyword specifies that the ACL applies only to the inbound traffic from the authenticated client.

Option: <ip|ip-protocol-value>
    Specify one of the following for the type of traffic to filter:
    - ip--Any protocol will match.
    - ip-protocol-value--IP traffic specified by either a protocol number or by tcp, udp, icmp, or (for IPv4 only) igmp. The range of protocol numbers is 0-255.

Option: from <any|<ip-addr>|<ipv4-addr/mask>>
    Required. Specify one of the following for the authenticated client source:
    - any--Specifies any IPv4 source address.
    - <ip-addr>|<ipv4-addr/mask>--Enter a series of contiguous source addresses or all source addresses in a subnet. The <mask> is the number of leftmost bits in a packet's source IPv4 address that must match the corresponding bits in the source IPv4 address. For example, 10.100.24.1/24 will match inbound traffic from the authenticated client that has a source IPv4 address where the first three octets are 10.100.24.

Option: [<tcp/udp-port|tcp/udp min-max port>] (after the source)
    Specify the TCP or UDP port or range of ports. Used when the access control entry is intended to filter client TCP or UDP traffic with one or more specific TCP or UDP source port numbers. You can specify a single port or a single port range, such as 10.105.0.1/24 80 or 10.105.0.1/24 80-100.

Option: to <any|<ip-addr>|<ipv4-addr/mask>>
    Specify one of the following:
    - any--Specifies any IPv4 destination address.
    - <ip-addr>|<ipv4-addr/mask>--Enter a series of contiguous destination addresses or all destination addresses in a subnet. The <mask> is the number of leftmost bits in a packet's destination IPv4 address that must match the corresponding bits in the destination IPv4 address. For example, 10.100.24.1/24 will match inbound traffic from the authenticated client that has a destination IPv4 address where the first three octets are 10.100.24.

Option: [<tcp/udp-port|tcp/udp min-max port>] (after the destination)
    Specify the TCP or UDP port or range of ports. Used when the access control entry is intended to filter client TCP or UDP traffic with one or more specific TCP or UDP destination port numbers. You can specify a single port or a single port range, such as 10.105.0.1/24 80 or 10.105.0.1/24 80-100. For example, to deny any UDP traffic from an authenticated client that has a destination address of any address and a UDP destination port of 357-457: deny in udp from any to any 357-457

Option: [cnt]
    Specify the counter for a RADIUS-assigned access control entry.

For example:
- NAS-Filter-Rule += "permit in 20 from any to any cnt"
- NAS-Filter-Rule += "deny in tcp from any to 10.10.10.1 23"

- NAS-Filter-Rule += "permit in tcp from any to any 23"

When you use the NAS-Filter-Rule attribute, follow these guidelines:
- You can use 8 port ranges (source or destination ports) on the FS-148E, FS-148E-POE, and FS-148E-FPOE models.
- You can use 16 port ranges (source or destination ports) on the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-108F, FS-108F-POE, FS-108F-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-124F, FS-124F-POE, FS-124F-FPOE, FS-148F, FS-148F-POE, and FS-148F-FPOE models.
- You can use up to 32 port ranges (source or destination ports) on the FS-1024D, FS-1024E, FS-T1024E, FS-1048E, FS-3032E, FS-424E, FS-424E-POE, FS-424E-FPOE, FS-M426E-FPOE, FSR-124D, FS-224D-FPOE, FS-248D, FS-224E, FS-224E-POE, FS-248E-POE, FS-248E-FPOE, FS-424E-Fiber, FS-448E, FS-448E-POE, FS-448E-FPOE, FS-524D, FS-524D-FPOE, FS-548D, and FS-548D-FPOE models.
- Port ranges must have the smaller port number as the first number in the range and the larger port number as the second number in the range. For example, you can specify a port range of 8-10 but not 10-8.
- If you specify a layer-4 port or layer-4 port range (for example, permit in tcp from any to any 100-200 cnt) when defining the source or destination in a dynamic ACL entry, FortiSwitchOS discards any port configurations made after the layer-4 configuration.
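As an added example (not code from this guide or from Fortinet), the following Python validator applies the NAS-Filter-Rule grammar and guidelines above before a RADIUS server hands a rule to the switch: it enforces the permit/deny and in keywords, the protocol names and 0-255 protocol numbers, IPv4 prefixes, ascending port ranges, ports only with tcp or udp, and the per-model port-range budget. The model table is a subset of the list above; counting every single port or port range as one budget slot is an assumption of this example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not FortiSwitchOS code: validate NAS-Filter-Rule strings against
# the grammar and guidelines above before a RADIUS server hands them to the switch.

PORT_RANGE_LIMITS = {            # port-range budget per model (subset of the list above)
    "FS-148E": 8, "FS-148E-POE": 8, "FS-148E-FPOE": 8,
    "FS-108E": 16, "FS-108F": 16, "FS-124E": 16, "FS-124F": 16, "FS-148F": 16,
    "FS-424E": 32, "FS-448E": 32, "FS-524D": 32, "FS-548D": 32, "FS-1048E": 32,
}
NAMED_PROTOCOLS = {"tcp": 6, "udp": 17, "icmp": 1, "igmp": 2}


class RuleError(ValueError):
    """A NAS-Filter-Rule string that violates the documented grammar."""


@dataclass
class FilterRule:
    action: str                               # "permit" or "deny"
    protocol: Optional[int]                   # None means "ip" (any protocol)
    src: Optional[ipaddress.IPv4Network]      # None means "any"
    src_ports: Optional[Tuple[int, int]]      # (low, high); a single port is (p, p)
    dst: Optional[ipaddress.IPv4Network]
    dst_ports: Optional[Tuple[int, int]]
    count: bool                               # trailing "cnt" keyword present


def _parse_protocol(tok: str) -> Optional[int]:
    tok = tok.lower()
    if tok == "ip":
        return None
    if tok in NAMED_PROTOCOLS:
        return NAMED_PROTOCOLS[tok]
    if tok.isdigit() and int(tok) <= 255:
        return int(tok)
    raise RuleError(f"bad protocol {tok!r}: expected ip, tcp, udp, icmp, igmp or 0-255")


def _parse_addr(tok: str) -> Optional[ipaddress.IPv4Network]:
    if tok == "any":
        return None
    try:  # strict=False accepts 10.100.24.1/24 and normalizes it to 10.100.24.0/24
        return ipaddress.IPv4Network(tok, strict=False)
    except ValueError as exc:
        raise RuleError(f"bad IPv4 address {tok!r}") from exc


def _parse_ports(tok: str) -> Tuple[int, int]:
    m = re.fullmatch(r"(\d{1,5})(?:-(\d{1,5}))?", tok)
    if not m:
        raise RuleError(f"bad port specification {tok!r}")
    low, high = int(m.group(1)), int(m.group(2) or m.group(1))
    if high > 65535:
        raise RuleError(f"port out of range in {tok!r}")
    if low > high:  # guideline: smaller port first (8-10 is valid, 10-8 is not)
        raise RuleError(f"port range {tok!r} must list the smaller port first")
    return low, high


def parse_rule(text: str) -> FilterRule:
    """Parse '<permit|deny> in <proto> from <src> [ports] to <dst> [ports] [cnt]'."""
    toks, pos = text.split(), 0

    def take(expected: Optional[str] = None) -> str:
        nonlocal pos
        if pos >= len(toks):
            raise RuleError(f"rule ended early: {text!r}")
        tok, pos = toks[pos], pos + 1
        if expected is not None and tok != expected:
            raise RuleError(f"expected {expected!r} but found {tok!r}")
        return tok

    action = take()
    if action not in ("permit", "deny"):
        raise RuleError(f"action must be permit or deny, not {action!r}")
    take("in")                                  # only inbound rules are defined
    proto = _parse_protocol(take())
    take("from")
    src = _parse_addr(take())
    src_ports = _parse_ports(take()) if pos < len(toks) and toks[pos] != "to" else None
    take("to")
    dst = _parse_addr(take())
    dst_ports = _parse_ports(take()) if pos < len(toks) and toks[pos] != "cnt" else None
    count = pos < len(toks) and take("cnt") == "cnt"
    if pos != len(toks):
        raise RuleError(f"unexpected trailing tokens in {text!r}")
    if (src_ports or dst_ports) and proto not in (6, 17):   # ports need tcp or udp
        raise RuleError("layer-4 ports are only valid with tcp or udp")
    return FilterRule(action, proto, src, src_ports, dst, dst_ports, count)


def is_valid(text: str) -> bool:
    try:
        parse_rule(text)
        return True
    except RuleError:
        return False


def port_ranges_used(rules: List[FilterRule]) -> int:
    """Count port specifications; each single port or range is assumed to use one slot."""
    return sum(1 for r in rules for p in (r.src_ports, r.dst_ports) if p is not None)
```

Run the rules you intend to return from the RADIUS server through parse_rule, then compare port_ranges_used against PORT_RANGE_LIMITS for the target model; a rule that fails here would be silently discarded or mis-ordered by the switch rather than rejected by the server.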
To enable DACL:

config switch-controller security-policy 802-1X
    edit <policy_name>
        set dacl enable
    next
end

For example:

config switch-controller security-policy 802-1X
    edit "802-1X-policy-default"
        set user-group "radius-users"
        set mac-auth-bypass enable
        set open-auth disable
        set eap-passthru enable
        set eap-auto-untagged-vlans enable
        set guest-vlan disable
        set auth-fail-vlan disable
        set framevid-apply enable
        set radius-timeout-overwrite disable
        set authserver-timeout-vlan disable
        set dacl enable
    next
end
To configure a value for NAS-Filter-Rule:

config switch acl service custom
    edit <ACL_service>
        set comment <string>
        set color <0-32>
        set protocol {ICMP | IP | TCP/UDP/SCTP}
        set protocol-number <IP protocol number>
        set tcp-portrange <port_number>-<port_number>
        set udp-portrange <port_number>-<port_number>
    next
end

For example:

config switch acl service custom
    edit nas-filter-rule-service1
        set comment "NAS filter rule for service 1"
        set udp-portrange 10000-20000
    next
end
To use a custom command to configure Filter-Id:

1. Define the Filter-Id attribute.
2. Define the action and classifier.

For example (in a custom command string, %0a encodes a newline and %22 a double quote):

set command "config switch acl 802-1X %0a edit 403 %0a set filter-id %22 111111 %22 %0a next %0a edit 403 %0a config access-list-entry %0a edit 1 %0a config action %0a set count enable %0a end %0a config classifier %0a set ether-type 0x800 %0a end %0a end %0a"
To display the status of DACLs on a specific FortiSwitch unit:

diagnose switch-controller switch-info 802.1X-dacl <FortiSwitch_serial_number>

For example:

diagnose switch-controller switch-info 802.1X-dacl S548DF5018000776

To display the status of DACLs on a specified 802.1X port:

diagnose switch-controller switch-info 802.1X-dacl <FortiSwitch_serial_number> <port_name>

For example:

diagnose switch-controller switch-info 802.1X-dacl S548DF5018000776 port10
Defining an 802.1X security policy
You can define multiple 802.1X security policies.
Using the FortiGate GUI
To create an 802.1X security policy:
1. Go to WiFi & Switch Controller > FortiSwitch Port Policies.
2. Under Security Policies, click Create New.
3. Enter a name for the new FortiSwitch security policy.


4. For the security mode, click Port-based or MAC-based.
5. Select + to select which user groups will have access.
6. Enable or disable guest VLANs on this interface to allow restricted access for some users.
7. Enter the number of seconds for authentication delay for guest VLANs. The range is 1-900 seconds.
8. Enable or disable authentication fail VLAN on this interface to allow restricted access for users who fail to access the guest VLAN.
9. Enable or disable MAC authentication bypass (MAB) on this interface.
10. Enable or disable EAP pass-through mode on this interface.
11. Enable or disable whether the session timeout from the RADIUS server will overwrite the local timeout.
12. Select OK.

Using the FortiGate CLI
To create an 802.1X security policy, use the following commands:
config switch-controller security-policy 802-1X
    edit "<policy_name>"
        set security-mode {802.1X | 802.1X-mac-based}
        set user-group <*group_name | Guest-group | SSO_Guest_Users>
        set mac-auth-bypass {enable | *disable}
        set eap-passthru {enable | disable}
        set guest-vlan {enable | *disable}
        set guest-vlan-id "<guest-VLAN-name>"
        set guest-auth-delay <integer>
        set auth-fail-vlan {enable | *disable}
        set auth-fail-vlan-id "<auth-fail-VLAN-name>"
        set radius-timeout-overwrite {enable | *disable}
        set policy-type 802.1X
        set authserver-timeout-period <integer>
        set authserver-timeout-tagged {lldp-voice | static | disable}
        set authserver-timeout-tagged-vlanid <1-4094>
        set authserver-timeout-vlan {enable | disable}
        set authserver-timeout-vlanid "<RADIUS-timeout-VLAN-name>"
    next
end

set security-mode
    You can restrict access with 802.1X port-based authentication or with 802.1X MAC-based authentication. Use port-based authentication when the client is connected directly to a switch port and is capable of 802.1X authentication. Use MAC-based authentication when more than one device needs to be authenticated on the same switch port, and you need to authenticate based on the MAC address.

set user-group
    You can set a specific group name, Guest-group, or SSO_Guest_Users to have access. This setting is mandatory.

set mac-auth-bypass
    You can enable or disable MAB on this interface.

set eap-passthru
    You can enable or disable EAP pass-through mode on this interface.


set guest-vlan
    You can enable or disable guest VLANs on this interface to allow restricted access for some users.

set guest-vlan-id "<guest-VLAN-name>"
    You can specify the name of the guest VLAN.

set guest-auth-delay
    You can set the authentication delay for guest VLANs on this interface. The range is 1-900 seconds.

set auth-fail-vlan
    You can enable or disable the authentication fail VLAN on this interface to allow restricted access for users who fail to access the guest VLAN.

set auth-fail-vlan-id "<auth-fail-VLAN-name>"
    You can specify the name of the authentication fail VLAN.

set radius-timeout-overwrite
    You can enable or disable whether the session timeout from the RADIUS server will overwrite the local timeout.

set policy-type 802.1X
    You can set the policy type to the 802.1X security policy.

set authserver-timeout-period
    You can set how many seconds the RADIUS server has to authenticate users. The range of values is 3-15 seconds; the default time is 3 seconds. This option is only visible when authserver-timeout-vlan is enabled.

set authserver-timeout-tagged {lldp-voice | static | disable}
    Select whether users are assigned to the specified VLAN when the authentication server times out:
    - lldp-voice--Users are assigned to the VLAN specified in the set lldp-profile command (under config switch-controller managed-switch).
    - static--Users are assigned to the tagged VLAN specified in the set authserver-timeout-tagged-vlanid command.
    - disable--Users are not assigned to a specified VLAN when the authentication server times out.
    The default is disable.

set authserver-timeout-tagged-vlanid <1-4094>
    Enter the identifier for the tagged VLAN that the system assigns to users when the authentication server times out.

set authserver-timeout-vlan
    Enable or disable the RADIUS timeout VLAN on this interface to allow limited access for users when the RADIUS server times out before finishing authentication. By default, this option is disabled. Enabling it is a deliberate fail-open for unauthenticated hosts, so keep the timeout VLAN as restricted as the guest VLAN.

set authserver-timeout-vlanid "<RADIUS-timeout-VLAN-name>"
    The VLAN name that is used for users when the RADIUS server times out before finishing authentication. This option is only visible when authserver-timeout-vlan is enabled.

Applying an 802.1X security policy to a FortiSwitch port
You can apply a different 802.1X security policy to each FortiSwitch port.

Using the FortiGate GUI
To apply an 802.1X security policy to a managed FortiSwitch port:
1. Go to WiFi & Switch Controller > FortiSwitch Ports.
2. Select the + next to a FortiSwitch unit.
3. In the Security Policy column for a port, click + to select a security policy.
4. Select OK to apply the security policy to that port.
Using the FortiGate CLI
To apply an 802.1X security policy to a managed FortiSwitch port, use the following commands:

config switch-controller managed-switch
    edit <managed-switch>
        config ports
            edit <port>
                set port-security-policy <802.1x-policy>
            next
        end
    next
end
Testing 802.1X authentication with monitor mode

Use monitor mode to test your system configuration for 802.1X authentication. You can use monitor mode to test port-based authentication, MAC-based authentication, EAP pass-through mode, and MAC authentication bypass. Monitor mode is disabled by default. After you enable monitor mode, network traffic continues to flow even if users fail authentication, so the port is effectively open; disable monitor mode again before relying on the policy to control access. To enable or disable monitor mode, use the following commands:

config switch-controller security-policy 802-1X
    edit "<policy_name>"
        set open-auth {enable | disable}
    next
end
Clearing authorized sessions
You can clear authorized sessions associated with a specific interface or a specific MAC address.
To clear the 802.1X-authorized session associated with a specific MAC address:
execute switch-controller switch-action 802-1X clear-auth-mac <FortiSwitch_serial_number> <MAC_address>
For example:

execute switch-controller switch-action 802-1X clear-auth-mac S548DF5018000776 4f:8d:c2:73:dd:fe

To clear the 802.1X-authorized sessions associated with a specific interface:

execute switch-controller switch-action 802-1X clear-auth-port <FortiSwitch_serial_number> <port_name>

For example:

execute switch-controller switch-action 802-1X clear-auth-port S524DF4K15000024 port1
RADIUS accounting support
The FortiSwitch unit uses 802.1X-authenticated ports to send five types of RADIUS accounting messages to the RADIUS accounting server to support FortiGate RADIUS single sign-on:
- START--The client has been successfully authenticated, and the session has started.
- STOP--The client session has ended.
- INTERIM--Periodic messages sent based on the value set using the set acct-interim-interval command.
- ON--FortiSwitch sends this message when the switch is turned on.
- OFF--FortiSwitch sends this message when the switch is shut down.

You can specify more than one value to be sent in the RADIUS Service-Type attribute. Use a space between multiple values.

Use the following commands to set up RADIUS accounting so that FortiOS can send accounting messages to managed FortiSwitch units:

config user radius
    edit <RADIUS_server_name>
        set acct-interim-interval <seconds>
        set switch-controller-service-type {administrative | authenticate-only | callback-administrative | callback-framed | callback-login | callback-nas-prompt | call-check | framed | login | nas-prompt | outbound}
        config accounting-server
            edit <entry_ID>
                set status {enable | disable}
                set server <server_IP_address>
                set secret <secret_key>
                set port <port_number>
            next
        end
    next
end
RADIUS change of authorization (CoA) support
For increased security, each subnet interface that will be receiving CoA requests must be configured with the set allowaccess radius-acct command. Starting in FortiSwitchOS 6.2.1, RADIUS accounting and CoA support EAP and MAB 802.1X authentication. The FortiSwitch unit supports two types of RADIUS CoA messages:
- CoA messages to change session authorization attributes (such as data filters and the session-timeout setting) during an active session.


- Disconnect messages (DMs) to flush an existing session. For MAC-based authentication, all other sessions are unchanged, and the port stays up. For port-based authentication, only one session is deleted.

RADIUS CoA messages use the following Fortinet proprietary attribute:

Fortinet-Host-Port-AVPair 42 string

The format of the value is as follows:

Attribute: Fortinet-Host-Port-AVPair
Value: action=bounce-port
    The FortiSwitch unit disconnects all sessions on a port. The port goes down for 10 seconds and then comes up again.

Attribute: Fortinet-Host-Port-AVPair
Value: action=disable-port
    The FortiSwitch unit disconnects all sessions on a port. The port stays down until the user resets it.

Attribute: Fortinet-Host-Port-AVPair
Value: action=reauth-port
    The FortiSwitch unit forces reauthentication of the current session.

In addition, RADIUS CoA uses the session-timeout attribute:

Attribute: session-timeout
Value: <session_timeout_value>
    The FortiSwitch unit disconnects a session after the specified number of seconds of idleness. This value must be more than 60 seconds.
    NOTE: To use the session-timeout attribute, you must enable the set radius-timeout-overwrite command first.

The FortiSwitch unit sends the following Error-Cause codes in RADIUS CoA-NAK and Disconnect-NAK messages.

Error Cause: Unsupported Attribute
Error Code: 401
    This error is a fatal error, which is sent if a request contains an attribute that is not supported.

Error Cause: NAS Identification Mismatch
Error Code: 403
    This error is a fatal error, which is sent if one or more NAS-Identifier attributes do not match the identity of the NAS receiving the request.

Error Cause: Invalid Attribute Value
Error Code: 407
    This error is a fatal error, which is sent if a CoA-Request or Disconnect-Request message contains an attribute with an unsupported value.

Error Cause: Session Context Not Found
Error Code: 503
    This error is a fatal error, which is sent if the session context identified in the CoA-Request or Disconnect-Request message does not exist on the NAS.

Configuring CoA and disconnect messages
Use the following commands to enable a FortiSwitch unit to receive CoA and disconnect messages from a RADIUS server:

config system interface
    edit "mgmt"
        set ip <address> <netmask>
        set allowaccess <access_types>
        set type physical
    next
end

config user radius
    edit <RADIUS_server_name>
        set radius-coa {enable | disable}
        set radius-port <port_number>
        set secret <secret_key>
        set server <server_name_IPv4>
    next
end

config system interface

ip <address> <netmask>
    Enter the interface IP address and netmask.

allowaccess <access_types>
    Enter the types of management access permitted on this interface. Valid types are as follows: http https ping snmp ssh telnet radius-acct. Separate each type with a space. You must include radius-acct to receive CoA and disconnect messages.

config user radius

<RADIUS_server_name>
    Enter the name of the RADIUS server that will be sending CoA and disconnect messages to the FortiSwitch unit. By default, the messages use port 3799.

radius-coa {enable | disable}
    Enable or disable whether the FortiSwitch unit will accept CoA and disconnect messages. The default is disable.

radius-port <port_number>
    Enter the RADIUS port number. By default, the value is 0 for FortiOS, which uses port 1812 for the FortiSwitch unit in FortiLink mode.

secret <secret_key>
    Enter the shared secret key for authentication with the RADIUS server. There is no default.

server <server_name_IPv4>
    Enter the domain name or IPv4 address for the RADIUS server. There is no default.

Example: RADIUS CoA

The following example uses the FortiOS CLI to enable the FortiSwitch unit to receive CoA and disconnect messages from the specified RADIUS server:

config switch-controller security-policy local-access
    edit default
        set internal-allowaccess ping https http ssh snmp telnet radius-acct
    next
end

config user radius
    edit "Radius-188-200"
        set radius-coa enable
        set radius-port 0
        set secret ENC +2NyBcp8JF3/OijWl/w5nOC++aDKQPWnlC8Ug2HKwn4RcmhqVYE+q07yI9eSDhtiIw63kR/oMBLGwFQoeZfOQWengIlGTb+YQo/lYJn1V3Nwp9sdkcblfyayfc9gTeqe+mFltKl5IWNI7WRYiJC8sxaF9Iyr2/l4hpCiVUMiPOU6fSrj
        set server "10.105.188.200"
    next
end

The local-access list above includes telnet and http, which are cleartext management protocols; radius-acct is the only entry that CoA needs, so include the others only if you actually use them.
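The following Python script is an added example, not Fortinet code or part of this guide. It builds the RADIUS CoA-Request a server sends to a FortiSwitch, carrying User-Name, Calling-Station-Id and the Fortinet-Host-Port-AVPair attribute from the table above, and it authenticates the CoA-ACK or CoA-NAK that comes back before reading its Error-Cause (codes from the table above). Packet layout and both authenticators follow RFC 5176; the Fortinet vendor ID 12356, the shared secret and the user and MAC identities in the test are assumptions of the example.

```python
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

# Added example, not Fortinet code: build the RADIUS CoA-Request a server sends to a
# FortiSwitch and authenticate/parse the ACK or NAK it returns (RFC 5176 layout).
# Assumption: Fortinet's IANA enterprise number is 12356.

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ATTR_USER_NAME, ATTR_VENDOR_SPECIFIC, ATTR_SESSION_TIMEOUT = 1, 26, 27
ATTR_CALLING_STATION_ID, ATTR_ERROR_CAUSE = 31, 101
FORTINET_VENDOR_ID = 12356                # assumption (IANA enterprise number)
FORTINET_HOST_PORT_AVPAIR = 42            # vendor type from the attribute table above
PORT_ACTIONS = ("bounce-port", "disable-port", "reauth-port")
ERROR_CAUSE_TEXT = {401: "Unsupported Attribute", 403: "NAS Identification Mismatch",
                    407: "Invalid Attribute Value", 503: "Session Context Not Found"}


def attr(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def fortinet_host_port_avpair(action: str) -> bytes:
    """Vendor-Specific attribute carrying Fortinet-Host-Port-AVPair 'action=<x>'."""
    if action not in PORT_ACTIONS:
        raise ValueError(f"unsupported action {action!r}")
    data = f"action={action}".encode()
    vsa = struct.pack("!BB", FORTINET_HOST_PORT_AVPAIR, len(data) + 2) + data
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", FORTINET_VENDOR_ID) + vsa)


def session_timeout(seconds: int) -> bytes:
    """Session-Timeout attribute; the guide requires more than 60 seconds."""
    if seconds <= 60:
        raise ValueError("session-timeout must be more than 60 seconds")
    return attr(ATTR_SESSION_TIMEOUT, struct.pack("!I", seconds))


def build_request(code: int, identifier: int, attributes: bytes, secret: bytes) -> bytes:
    """CoA/Disconnect-Request. Unlike Access-Request, the Request Authenticator is not
    random: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    authenticator = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return header + authenticator + attributes


def build_coa(identifier: int, user_name: str, calling_station: str, action: str,
              secret: bytes) -> bytes:
    """CoA-Request keyed by User-Name and Calling-Station-Id (as the deployment notes
    require for FortiAuthenticator/FortiConnect) that asks for a port action."""
    attributes = (attr(ATTR_USER_NAME, user_name.encode())
                  + attr(ATTR_CALLING_STATION_ID, calling_station.encode())
                  + fortinet_host_port_avpair(action))
    return build_request(COA_REQUEST, identifier, attributes, secret)


def build_response(code: int, request: bytes, attributes: bytes, secret: bytes) -> bytes:
    """ACK/NAK as the switch builds it: Response Authenticator is
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attributes))
    authenticator = hashlib.md5(header + request[4:20] + attributes + secret).digest()
    return header + authenticator + attributes


def parse_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute length")
        out.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return out


def check_response(request: bytes, response: bytes, secret: bytes) -> Tuple[int, Optional[int]]:
    """Authenticate a reply against its request and return (code, error_cause).
    Raises on a forged or mismatched reply so a caller never acts on an
    unauthenticated NAK; error_cause is None for an ACK."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        raise ValueError("bad packet length")
    if response[1] != request[1]:
        raise ValueError("identifier does not match the request")
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator (wrong secret or tampered packet)")
    error_cause = None
    for atype, value in parse_attributes(response[20:]):
        if atype == ATTR_ERROR_CAUSE and len(value) == 4:
            error_cause = struct.unpack("!I", value)[0]
    return response[0], error_cause


def response_is_authentic(request: bytes, response: bytes, secret: bytes) -> bool:
    try:
        check_response(request, response, secret)
        return True
    except ValueError:
        return False


def describe_error(cause: Optional[int]) -> str:
    return "no error" if cause is None else f"{cause} {ERROR_CAUSE_TEXT.get(cause, 'unknown Error-Cause')}"
```

Send the bytes from build_coa over UDP to the switch's CoA port (3799 by default, per the table above) and feed the reply to check_response; the Response Authenticator check is what stops an attacker on the management network from spoofing a NAK or ACK, and the constant-time comparison avoids leaking the comparison result through timing. The same builder serves Disconnect-Request (code 40) by passing that code to build_request.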
802.1X authentication deployment example

To control network access, you can configure 802.1X authentication from a FortiGate unit managing FortiSwitch units. A supplicant connected to a port on the switch must be authenticated by a RADIUS server to gain access to the network.

To use the RADIUS server for authentication, you must configure the server before configuring the users or user groups on the FortiSwitch unit. You also need a firewall policy on the FortiGate unit to allow traffic from the FortiSwitch unit to the RADIUS server.

To create a firewall policy to allow the FortiSwitch unit to reach the RADIUS server:

config firewall policy
    edit 1
        set name "fortilink-to-radius"
        set srcintf "fortilink"
        set dstintf "accounting-server"
        set action accept
        set service "ALL"
        set nat enable
    next
end

This policy allows every service and applies source NAT. In production, narrow the service to the RADIUS authentication and accounting ports, and note from the deployment notes below that RADIUS CoA in FortiLink mode requires set nat disable in this policy together with routable addresses on the FortiLink interfaces.
To create the RADIUS server object and a group for users who will be authenticated by 802.1X:

config user radius
    edit "dot1x-radius"
        set server "192.168.174.10"
        set secret ENC ***
        set radius-port 1812
        config accounting-server
            edit 1
                set status enable
                set server "192.168.174.10"
                set secret ENC ***
                set port 1813
            next
        end
    next
end

config user group
    edit "radius users"
        set member "dot1x-radius"
    next
end
To create an 802.1X security policy:

You can create an 802.1X security policy using the FortiGate GUI by going to WiFi & Switch Controller > FortiSwitch Security Policies and selecting Create New.

config switch-controller security-policy 802-1X
    edit "802-1X-policy-default"
        set security-mode 802.1X-mac-based
        set user-group "radius users"
        set mac-auth-bypass enable
        set eap-passthru enable
        set guest-vlan enable
        set guest-vlan-id "guest-VLAN"
        set auth-fail-vlan enable
        set auth-fail-vlan-id "auth-fail-VLAN"
        set radius-timeout-overwrite disable
    next
end
To configure the global 802.1X settings:

config switch-controller 802-1X-settings
    set link-down-auth no-action
    set reauth-period 90
    set max-reauth-attempt 4
end
To apply an 802.1X security policy to a managed FortiSwitch port:

You can apply an 802.1X security policy to a managed FortiSwitch port using the FortiGate GUI by going to WiFi & Switch Controller > FortiSwitch Ports.

config switch-controller managed-switch
    edit S548DN4K16000360
        config ports
            edit "port1"
                set dhcp-snooping trusted
                set dhcp-snoop-option82-trust enable
                set port-security-policy "802-1X-policy-default"
            next
        end
    next
end
Detailed deployment notes

- Using more than one security group (with the set security-groups command) per security profile is not supported.
- CoA and single sign-on are supported only by the CLI in this release.
- RADIUS CoA is supported in standalone mode. In addition, RADIUS CoA is supported in FortiLink mode when NAT is disabled in the firewall policy (set nat disable under the config firewall policy command), and the interfaces on the link between the FortiGate unit and FortiSwitch unit are assigned routable addresses other than 169.254.1.x.
- The FortiSwitch unit supports using FortiAuthenticator, FortiConnect, Microsoft Network Policy Server (NPS), Aruba ClearPass, and Cisco Identity Services Engine (ISE) as the RADIUS server for CoA and RSSO.
- Each RADIUS CoA server can support only one accounting manager in this release.
- RADIUS accounting/CoA/VLAN-by-name features are supported only with eap-passthru enable.
- Fortinet recommends a unique secret key for each accounting server.
- For CoA to function correctly with FortiAuthenticator or FortiConnect, you must include the User-Name attribute (optionally with the Framed-IP-Address attribute) or the User-Name and Calling-Station-ID attributes in the CoA request.
- To obtain a valid Framed-IP-Address attribute value, you must manually configure DHCP snooping on the 802.1X-authenticated ports of your VLAN network for both port and MAC modes.
- Port-based basic statistics for RADIUS accounting messages are supported in the Accounting Stop request.
- By default, the accounting server is disabled. You must enable it with the set status enable command.
- The default port for FortiAuthenticator single sign-on is 1813 for the FortiSwitch unit.
- In MAC-based authentication, the maximum number of client MAC addresses is 20. Each model has its own maximum limit.
- Static MAC addresses and sticky MAC addresses are mechanisms for manual/local authorization; 802.1X is a mechanism for protocol-based authorization. Do not mix them.
- Fortinet recommends an 802.1X setup rate of 5 to 10 sessions per second.
- Starting in FortiSwitchOS 6.2.0, when 802.1X authentication is configured, EAP pass-through mode (set eap-passthru) is enabled by default.
- For information about the RADIUS attributes supported by FortiSwitchOS, refer to the "Supported attributes for RADIUS CoA and RSSO" appendix in the FortiSwitchOS Administration Guide--Standalone Mode.
- EAP-MD5 is not supported.
Configuring the DHCP trust setting
The DHCP blocking feature monitors DHCP traffic from untrusted sources (typically host ports, where an unknown or rogue DHCP server could appear) that might initiate traffic attacks or other hostile actions. To prevent this, DHCP blocking filters DHCP server messages on untrusted ports, so that only trusted ports can answer client requests.

Set the port as a trusted or untrusted DHCP-snooping interface:

config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        config ports
            edit <port_name>
                set dhcp-snooping {trusted | untrusted}
            next
        end
    next
end

For example:

config switch-controller managed-switch
    edit S524DF4K15000024
        config ports
            edit port1
                set dhcp-snooping trusted
            next
        end
    next
end
Configuring the DHCP server access list
Starting in FortiOS 7.0.1, you can configure which DHCP servers DHCP snooping includes in the server access list. Only the servers on the list are allowed to respond to DHCP requests.

NOTE: You can add 255 servers per table. The maximum number of DHCP servers that can be added to all instances of the table is 2,048. This maximum is a global limit and applies across all VLANs.

Configuring the DHCP server access list consists of the following steps:

1. Enable the DHCP server access list at the VDOM level or switch-wide level. By default, the server access list is disabled, which means that all DHCP servers are allowed. When the server access list is enabled, only the DHCP servers in the server access list are allowed.
2. Configure the VLAN settings for the managed switch port. You can set the DHCP server access list to global to use the VDOM or system-wide setting, or you can set it to enable to override the global setting and enable the DHCP server access list. In the managed FortiSwitch unit, all ports are untrusted by default, and DHCP snooping is disabled on all untrusted ports. You must set the managed switch port to be trusted to allow DHCP snooping.
3. Configure DHCP snooping and the DHCP access list for the managed FortiSwitch interface. By default, DHCP snooping is disabled on the managed FortiSwitch interface.

To enable the DHCP server access list on a global level:

config switch-controller global
    set dhcp-server-access-list enable
end

For example:

FGT_A (vdom1) # config switch-controller global
FGT_A (global) # set dhcp-server-access-list enable
FGT_A (global) # end


To configure the VLAN settings:

config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        set dhcp-server-access-list {global | enable | disable}
        config ports
            edit <port_name>
                set vlan <VLAN_name>
                set dhcp-snooping trusted
            next
        end
    next
end

For example:

config switch-controller managed-switch
    edit "S524DN4K16000116"
        set fsw-wan1-peer "port11"
        set fsw-wan1-admin enable
        set dhcp-server-access-list enable
        config ports
            edit "port19"
                set vlan "_default.13"
                set allowed-vlans "quarantine.13"
                set untagged-vlans "quarantine.13"
                set dhcp-snooping trusted
                set export-to "vdom1"
            next
        end
    next
end

To configure the interface settings:

config system interface
    edit <VLAN_name>
        set switch-controller-dhcp-snooping enable
        config dhcp-snooping-server-list
            edit <DHCP_server_name>
                set server-ip <IPv4_address_of_DHCP_server>
            next
        end
    next
end

For example:

config system interface
    edit "_default.13"
        set vdom "vdom1"
        set ip 5.4.4.1 255.255.255.0
        set allowaccess ping https ssh http fabric
        set alias "_default.port11"
        set snmp-index 30
        set switch-controller-dhcp-snooping enable
        config dhcp-snooping-server-list
            edit "server1"
                set server-ip 10.20.20.1
            next
        end
        set switch-controller-feature default-vlan
        set interface "port11"
        set vlanid 1
    next
end
Including option-82 data

This feature requires FortiOS 7.4.0 or later and FortiSwitchOS 7.2.2 or later.

You can include option-82 data in the DHCP request for DHCP snooping. DHCP option-82 (relay agent information) data provides additional security by enabling a controller to act as a DHCP relay agent that identifies the switch and port a client request came from, so that requests from untrusted sources can be rejected. You can select a fixed format (set dhcp-option82-format legacy) for the Circuit ID and Remote ID fields or select which values appear in the Circuit ID and Remote ID fields (set dhcp-option82-format ascii).

The following is the fixed format for the option-82 Circuit ID field:

hostname-[<vlan:16><mod:8><port:8>].32bit

The following is the fixed format for the option-82 Remote ID field:

[mac(0..6)].48bit

If you want to select which values appear in the Circuit ID and Remote ID fields:
- For the Circuit ID field, you can include the interface name, VLAN name, host name, mode, and description.
- For the Remote ID field, you can include the MAC address, host name, and IP address.

You can specify whether DHCP client requests are forwarded only to trusted ports in the VLAN (set dhcp-snoop-client-req drop-untrusted) or to all ports in the VLAN (set dhcp-snoop-client-req forward-untrusted).

You can set a limit for how many entries are in the DHCP-snooping binding database for each port with the set dhcp-snoop-db-per-port-learn-limit command. By default, the number of entries is 64. The range of values depends on the switch model. Before configuring the learning limit, check the range for your switch model by typing set dhcp-snoop-db-per-port-learn-limit ?.

You can also specify how long entries are kept in the DHCP-snooping server database with the set dhcp-snoop-client-db-exp command. By default, the entries are kept for 86,400 seconds. The range of values is 300-259,200 seconds.

You can use the diagnose switch-controller switch-info option82-mapping snooping command to display option-82 Circuit ID and Remote ID values in ASCII or hexadecimal format. This command requires the serial number of the managed switch unit and the VLAN identifier. Specifying the port name is optional.

If you have included option-82 data in the DHCP request, it applies globally. You can override the global option-82 setting to specify plain text strings for the Circuit ID field and the Remote ID field for a specific VLAN on a port. If dhcp-snoop-option82-override is not configured for the incoming VLAN and switch interface, the settings for the Circuit ID and Remote ID fields are taken from the global option-82 configuration.
NOTE: The values for the Circuit ID and Remote ID field are either both taken from the global option-82 configuration or both taken from the dhcp-snoop-option82-override settings. The system cannot take one value at the global level and the other value from the override settings.
Each plain text string can be a maximum of 256 characters long. Together, the combined length of both plain text strings can be a maximum of 256 characters long.
NOTE: You can override the option-82 settings for DHCP snooping but not for DHCP relay.
To configure the option-82 data on a global level:

config switch-controller global
    set dhcp-option82-format {ascii | legacy}
    set dhcp-option82-circuit-id {intfname <interface_name> | vlan <VLAN_name> | hostname <host_name> | mode <mode> | description <string>}
    set dhcp-option82-remote-id {mac <MAC_address> | hostname <host_name> | ip <IP_address>}
    set dhcp-snoop-client-req {drop-untrusted | forward-untrusted}
    set dhcp-snoop-client-db-exp <300-259200>
    set dhcp-snoop-db-per-port-learn-limit <integer>
end

To display option-82 Circuit ID and Remote ID values in ASCII format:

diagnose switch-controller switch-info option82-mapping snooping ascii <FortiSwitch_serial_number> <VLAN_ID> <port_name>

For example:

diagnose switch-controller switch-info option82-mapping snooping ascii S524DN4K16000116 vlan11 port3

To display option-82 Circuit ID and Remote ID values in hexadecimal format:

diagnose switch-controller switch-info option82-mapping snooping hex <FortiSwitch_serial_number> <VLAN_ID> <port_name>

For example:

diagnose switch-controller switch-info option82-mapping snooping hex S524DN4K16000116 vlan11 port5

To override the option-82 global settings for a specific VLAN on a port:

config switch-controller managed-switch
    edit "<FortiSwitch_serial_number>"
        config ports
            edit "<port_name>"
                config dhcp-snoop-option82-override
                    edit <VLAN_name>
                        set remote-id <string>
                        set circuit-id <string>
                    next
                end
            next
        end
    next
end

For example:

config switch-controller managed-switch
    edit "S524DF4K15000024"
        config ports
            edit "port10"
                config dhcp-snoop-option82-override
                    edit vlan15
                        set remote-id "remote-id test"
                        set circuit-id "circuit-id test"
                    next
                end
            next
        end
    next
end
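Added example (not FortiSwitchOS code): a Python encoder/decoder for the option-82 payload and the legacy fixed Circuit ID and Remote ID layouts described above, with a relay-side check that the Circuit ID agrees with the VLAN and port the request arrived on. Reading the legacy Circuit ID as the ASCII host name, a literal hyphen and a big-endian 32-bit vlan:16/mod:8/port:8 field is an assumption of this example, as are the sample serial number, VLAN, port and MAC used in the test.

```python
import struct
from dataclasses import dataclass
from typing import Dict

# Added example, not FortiSwitchOS code: encode/decode DHCP option-82 suboptions and
# the legacy fixed Circuit ID and Remote ID layouts described above.  Assumed layout:
# Circuit ID = ASCII host name, literal "-", then vlan:16 mod:8 port:8 big-endian;
# Remote ID = the 6-byte MAC.

SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2           # RFC 3046 suboption codes


@dataclass
class LegacyCircuitId:
    hostname: str
    vlan: int
    mod: int
    port: int


def encode_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Option-82 payload: (code, length, value) for each suboption."""
    out = b""
    for code, value in ((SUBOPT_CIRCUIT_ID, circuit_id), (SUBOPT_REMOTE_ID, remote_id)):
        if len(value) > 255:
            raise ValueError("suboption too long")
        out += struct.pack("!BB", code, len(value)) + value
    return out


def parse_option82(payload: bytes) -> Dict[int, bytes]:
    """Split a payload into {code: value}, refusing truncated or duplicate suboptions
    rather than reading past the buffer."""
    subopts, pos = {}, 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated suboption header")
        code, length = payload[pos], payload[pos + 1]
        if pos + 2 + length > len(payload):
            raise ValueError("suboption length exceeds payload")
        if code in subopts:
            raise ValueError(f"duplicate suboption {code}")
        subopts[code] = payload[pos + 2:pos + 2 + length]
        pos += 2 + length
    return subopts


def is_well_formed(payload: bytes) -> bool:
    try:
        parse_option82(payload)
        return True
    except ValueError:
        return False


def encode_legacy_circuit_id(hostname: str, vlan: int, mod: int, port: int) -> bytes:
    if not (0 <= vlan <= 0xFFFF and 0 <= mod <= 0xFF and 0 <= port <= 0xFF):
        raise ValueError("vlan/mod/port out of range")
    return hostname.encode("ascii") + b"-" + struct.pack("!HBB", vlan, mod, port)


def decode_legacy_circuit_id(data: bytes) -> LegacyCircuitId:
    # The binary field is always the last 4 bytes, so a "-" inside the host name
    # cannot confuse the split.
    if len(data) < 5 or data[-5:-4] != b"-":
        raise ValueError("not in legacy circuit-id format")
    vlan, mod, port = struct.unpack("!HBB", data[-4:])
    return LegacyCircuitId(data[:-5].decode("ascii"), vlan, mod, port)


def decode_legacy_remote_id(data: bytes) -> str:
    if len(data) != 6:
        raise ValueError("legacy remote-id must be a 6-byte MAC")
    return ":".join(f"{b:02x}" for b in data)


def describe(payload: bytes, fmt: str) -> Dict[str, object]:
    """What the diagnose command would show: decoded fields for 'legacy', text for 'ascii'."""
    sub = parse_option82(payload)
    if fmt == "legacy":
        cid = decode_legacy_circuit_id(sub[SUBOPT_CIRCUIT_ID])
        return {"hostname": cid.hostname, "vlan": cid.vlan, "mod": cid.mod, "port": cid.port,
                "remote_id": decode_legacy_remote_id(sub[SUBOPT_REMOTE_ID])}
    if fmt == "ascii":
        return {"circuit_id": sub[SUBOPT_CIRCUIT_ID].decode("ascii"),
                "remote_id": sub[SUBOPT_REMOTE_ID].decode("ascii")}
    raise ValueError("fmt must be 'legacy' or 'ascii'")


def ingress_matches(payload: bytes, vlan: int, port: int) -> bool:
    """Relay-side sanity check: the legacy Circuit ID must name the VLAN and port the
    request actually arrived on; otherwise the option was inserted upstream of the
    ingress switch and the request should not be trusted."""
    cid = decode_legacy_circuit_id(parse_option82(payload)[SUBOPT_CIRCUIT_ID])
    return cid.vlan == vlan and cid.port == port
```

The parser bounds-checks every suboption length before slicing, which is the defect class to watch for in any option-82 consumer that accepts bytes from a client-facing port; ingress_matches is the kind of check a relay or DHCP server can apply when the switch is set to drop-untrusted and only trusted ports are expected to carry option-82 data.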
Configuring dynamic ARP inspection (DAI)

DAI prevents man-in-the-middle attacks and IP address spoofing by checking that ARP packets arriving on untrusted ports carry a valid IP-MAC address binding (learned by DHCP snooping or configured statically). DAI allows only valid ARP requests and responses to be forwarded; the rest are dropped.

To use DAI, you must first enable the DHCP-snooping feature, enable DAI, and then enable DAI for each VLAN. By default, DAI is disabled on all VLANs.

After enabling DHCP snooping with the set switch-controller-dhcp-snooping enable command, use the following CLI commands to enable DAI for a VLAN and to set the DAI trust state of each port:

config system interface
    edit vsw.test
        set switch-controller-arp-inspection {enable | disable}
    next
end

config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        config ports
            edit <port_name>
                set arp-inspection-trust {untrusted | trusted}
            next
        end
    next
end

To check DAI statistics for a FortiSwitch unit:

diagnose switch-controller switch-info arp-inspection stats <FortiSwitch_serial_number>

To delete DAI statistics for a specific VLAN:
    diagnose switch-controller switch-info arp-inspection stats-clear <VLAN_ID> <FortiSwitch_serial_number>
Monitoring ARP packets
Starting in FortiOS 7.4.4, you can monitor ARP packets for a specific VLAN on a DHCP-snooping trusted port of a managed switch and save the VLAN ID, MAC addresses, and IP addresses in the DHCP-snooping database. The static IP addresses can be used in RADIUS accounting.
To monitor ARP packets:
1. Enable DHCP snooping and enable the monitoring of ARP packets for a specific VLAN.
    config system interface
        edit <VLAN_interface_name>
            set switch-controller-dhcp-snooping enable
            set switch-controller-arp-inspection monitor
        next
    end
2. Enable the monitoring of ARP packets on a DHCP-snooping trusted port.
    config switch-controller managed-switch
        edit <FortiSwitch_serial_number>
            config ports
                edit <port_name>
                    set dhcp-snooping trusted
                    set allow-arp-monitor enable
                next
            end
        next
    end
Configuring DHCP-snooping static entries
After you enable DHCP snooping for a VLAN, you can configure static entries by binding an IPv4 address with a MAC address for a specific switch interface:
• Specify a VLAN that has DHCP snooping enabled. The VLAN must be a native VLAN or allowed VLAN for the port.
• Specify a port that is not defined as trusted.
• Specify the MAC address in the form of xx:xx:xx:xx:xx:xx.
• Bind a single MAC address to a single IPv4 address. Multiple IP addresses cannot be bound to the same MAC address. The MAC address cannot be used in more than one static entry. Duplicate static entries are not supported on a VLAN.
DHCP-snooping static entries are required for DAI to validate IP/MAC pairs that were not learned by DHCP snooping, for example hosts with statically configured IP addresses.

Specifying the VLAN, IP address, MAC address, and interface name is required.
You can specify a maximum of 64 DHCP static entries for the entire FortiSwitch unit.
• You cannot use a DHCP trusted switch interface or an 802.1X interface for the static entry's switch interface.
• After you configure a DHCP-snooping static entry for a VLAN, you cannot remove that VLAN from the switch interface.
• After you configure a DHCP-snooping static entry for a switch interface, the switch interface cannot be included as a member of a trunk until the DHCP-snooping static entry is deleted.
• If you configure a DHCP-snooping static entry for a trunk, the trunk cannot be deleted until the DHCP-snooping static entry is deleted.
To create a static entry for DHCP snooping and DAI:
    config switch-controller managed-switch
        edit <FortiSwitch_serial_number>
            config dhcp-snooping-static-client
                edit <DHCP_static_client_name>
                    set vlan <VLAN_ID>
                    set ip <DHCP_static_client_static_IP_address>
                    set mac <DHCP_static_client_MAC_address>
                    set port <interface_name>
                next
            end
        next
    end
For example:
    config switch-controller managed-switch
        edit S524DN4K16000116
            config dhcp-snooping-static-client
                edit DHCPclient
                    set vlan 100
                    set ip 192.168.101.1
                    set mac 00:21:cc:d2:76:72
                    set port port19
                next
            end
        next
    end

Configuring IPv4 source guard

IPv4 source guard protects a network from IPv4 spoofing by only allowing traffic on a port from specific IPv4 addresses. Traffic from other IPv4 addresses is discarded; the discards are not logged.
IPv4 source guard allows traffic from the following sources:
• Static entries: IP addresses that have been manually associated with MAC addresses.
• Dynamic entries: IP addresses that have been learned through DHCP snooping.
By default, IPv4 source guard is disabled. You must enable it on each port that you want protected.

If you add more than 2,048 IP source guard entries from a FortiGate unit, you will get an error. When there is a conflict between static entries and dynamic entries, static entries take precedence over dynamic entries.
IPv4 source guard can be configured in FortiOS only for managed FortiSwitch units that support IP source guard. The following FortiSwitch models support IP source guard:
• FSR-124D
• FS-224D-FPOE
• FS-248D
• FS-424D-POE
• FS-424D-FPOE
• FS-448D-POE
• FS-448D-FPOE
• FS-424D
• FS-448D
• FSW-2xxE
Configuring IPv4 source guard consists of the following steps:
1. Enabling IPv4 source guard on page 213
2. Creating static entries on page 214
3. Checking the IPv4 source-guard entries on page 214
Enabling IPv4 source guard
You must enable IPv4 source guard in the FortiOS CLI before you can configure it.
To enable IPv4 source guard:
    config switch-controller managed-switch
        edit <FortiSwitch_serial_number>
            config ports
                edit <port_name>
                    set ip-source-guard enable
                next
            end
        next
    end
For example:
    config switch-controller managed-switch
        edit S424DF4K15000024
            config ports
                edit port20
                    set ip-source-guard enable
                next
            end
        next
    end

Creating static entries
After you enable IPv4 source guard in the FortiOS CLI, you can create static entries in the FortiOS CLI by binding IPv4 addresses with MAC addresses. For IPv4 source-guard dynamic entries, you need to configure DHCP snooping. See Configuring DHCP blocking, STP, and loop guard on managed FortiSwitch ports on page 115.
To create static entries:
    config switch-controller managed-switch
        edit <FortiSwitch_serial_number>
            config ip-source-guard
                edit <port_name>
                    config binding-entry
                        edit <id>
                            set ip <xxx.xxx.xxx.xxx>
                            set mac <XX:XX:XX:XX:XX:XX>
                        next
                    end
                next
            end
        next
    end
For example:
    config switch-controller managed-switch
        edit S424DF4K15000024
            config ip-source-guard
                edit port4
                    config binding-entry
                        edit 1
                            set ip 172.168.20.1
                            set mac 00:21:cc:d2:76:72
                        next
                    end
                next
            end
        next
    end
Checking the IPv4 source-guard entries
After you configure IPv4 source guard, you can check the entries.
Static entries are the ones added manually with the config ip-source-guard command under config switch-controller managed-switch. Dynamic entries are added by DHCP snooping.
Use this command in the FortiOS CLI to display all IP source-guard entries:
    diagnose switch-controller switch-info ip-source-guard hardware <FortiSwitch_serial_number>

Configuring an ACL

Starting in FortiOS 7.4.0 with FortiSwitchOS 7.4.0, you can use an access control list (ACL) to configure a policy for the ingress stage of the pipeline for incoming traffic. After creating an ACL group for the ingress policy, you apply the ACL group to a managed switch port.
A user-configurable ACL might conflict with, or be overridden by, an ACL that another managed FortiSwitch feature implements internally. Even when a user-configurable ACL and an internal ACL do not conflict, the resulting behavior depends on the FortiSwitch model. Fortinet recommends validating user-configurable ACLs to make certain that they operate correctly with the other features that are enabled.
To use an ACL:
1. Create an ACL ingress policy.
2. Create an ACL group and add the ingress policy to it.
3. Apply the ACL group to a managed switch port.
4. View the counters on page 217.

Create an ACL ingress policy
The ACL ingress policy includes the following key attributes:
• Interface: the port on which traffic arrives at the switch. The policy applies to ingress traffic only (not egress traffic).
• Classifier: identifies the packets that the policy acts on. Each packet can be classified based on one or more criteria. The supported criteria are source and destination MAC address, VLAN identifier, and source and destination IP address.
• Actions: if a packet matches the classifier criteria for a given ACL, the following types of action can be applied to the packet:
    • Allow or block the packet
    • Count the number of ingress packets
The switch uses specialized TCAM memory to perform ACL matching.
The order of the classifiers provided during group creation (or during an ACL update in a group when new classifiers are added) matters. Hardware resources are allocated on a best-fit basis at the time of creation, which can fragment and segment the TCAM, so not every classifier can be placed at every point in time. Because availability is order dependent, the same set of classifiers can succeed or fail to allocate depending on the order in which they are requested.

To create an ACL ingress policy in the CLI:
    config switch-controller acl ingress
        edit <policy_identifier>
            config action
                set count {enable | disable}
                set drop {enable | disable}
            end
            config classifier
                set dst-ip-prefix <IPv4_address> <netmask>
                set dst-mac <destination_MAC_address>
                set src-ip-prefix <IPv4_address> <netmask>
                set src-mac <source_MAC_address>
                set vlan <1-4094>
            end
        next
    end
Create an ACL group
An ACL group contains one or more ACLs.
The ACL ingress policies are assigned to ACL group 3 in the managed FortiSwitch unit. If the managed FortiSwitch unit does not support ACL group 3, the user-configurable ACL is not supported.
To create an ACL group in the CLI:
    config switch-controller acl group
        edit "<ACL_group_name>"
            set ingress <policy_identifier1> <policy_identifier2> ...
        next
    end
For example:
    config switch-controller acl group
        edit "ACLgroup1"
            set ingress 2 3 4
        next
    end
Apply the ACL group to a managed switch port
You can apply one or more ACL groups to a managed switch port.
To apply an ACL group to a managed switch port in the CLI:
    config switch-controller managed-switch
        edit <FortiSwitch_serial_number>
            config ports
                edit <managed_switch_port_name>
                    set acl-group "<ACL_group_name1> <ACL_group_name2> ..."
                next
            end
        next
    end
For example:
    config switch-controller managed-switch
        edit FS1D243Z14000016
            config ports
                edit port10
                    set acl-group "ACLgroup1 ACLgroup2 ACLgroup3"
                next
            end
        next
    end
View the counters
On the FS-4xxE, FS-1xxE, and FS-1xxF platforms, the ACL byte counters are not available (they will always show as 0 on the CLI). The packet counters are available.
You can use the CLI to view the counters associated with the ingress policies.
To view the counters in the CLI:
    diagnose switch-controller switch-info acl-counters <FortiSwitch_serial_number>
For example:
    diagnose switch-controller switch-info acl-counters FS1D243Z14000016
Configuration example
In the following example, the ingress ACL policy prevents a PC (MAC address 00:0c:29:d4:4f:3c) connected to port6 of S248EPTF18001384 (which is managed by a FortiGate device) from accessing 8.8.8.8 255.255.255.255.

    config switch-controller acl ingress
        edit 1
            config action
                set drop enable
            end
            config classifier
                set dst-ip-prefix 8.8.8.8 255.255.255.255
                set src-mac 00:0c:29:d4:4f:3c
            end
        next
    end

    config switch-controller acl group
        edit "group1"
            set ingress 1
        next
    end

    config switch-controller managed-switch
        edit "S248EPTF18001384"
            config ports
                edit "port6"
                    set acl-group "group1"
                next
            end
        next
    end
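The following Python model is an added example, not FortiOS or FortiSwitchOS code, of the ingress ACL pipeline described above: policies with a classifier and count/drop actions, groups that order policies, and ports that carry one or more groups. It reproduces the configuration example (the PC blocked from 8.8.8.8/32 on port6) and adds a constructed count-only policy so the counters have something to show. Two behaviours are assumptions of the model rather than statements from the guide: every configured criterion in a classifier must match (logical AND), and the first matching policy, in group order and then policy order, decides the verdict.

```python
"""Model of the FortiSwitch ingress ACL pipeline.

Added example for the FortiLink guide, not FortiOS or FortiSwitchOS code.
Assumed, not from the guide: AND semantics inside a classifier and
first-match evaluation in group order, then policy order.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    vlan: int
    src_ip: str
    dst_ip: str


def prefix(ip: str, netmask: str) -> IPv4Network:
    """'set src-ip-prefix <ip> <netmask>' as an IPv4Network (host bits allowed)."""
    return IPv4Network(f"{ip}/{netmask}", strict=False)


@dataclass
class Classifier:
    src_mac: Optional[str] = None
    dst_mac: Optional[str] = None
    vlan: Optional[int] = None
    src_ip_prefix: Optional[IPv4Network] = None
    dst_ip_prefix: Optional[IPv4Network] = None

    def matches(self, p: Packet) -> bool:
        """All configured criteria must match; unset criteria are wildcards."""
        if self.src_mac is not None and self.src_mac.lower() != p.src_mac.lower():
            return False
        if self.dst_mac is not None and self.dst_mac.lower() != p.dst_mac.lower():
            return False
        if self.vlan is not None and self.vlan != p.vlan:
            return False
        if self.src_ip_prefix is not None and IPv4Address(p.src_ip) not in self.src_ip_prefix:
            return False
        if self.dst_ip_prefix is not None and IPv4Address(p.dst_ip) not in self.dst_ip_prefix:
            return False
        return True


@dataclass
class IngressPolicy:
    policy_id: int
    classifier: Classifier
    drop: bool = False    # set drop enable
    count: bool = False   # set count enable
    packets: int = 0      # packet counter, the value 'acl-counters' would report


@dataclass
class ManagedSwitch:
    policies: Dict[int, IngressPolicy] = field(default_factory=dict)
    groups: Dict[str, List[int]] = field(default_factory=dict)       # acl group -> ingress ids
    port_groups: Dict[str, List[str]] = field(default_factory=dict)  # port -> acl-group names

    def ingress(self, port: str, pkt: Packet) -> bool:
        """Return True if the packet is forwarded, False if dropped."""
        for group in self.port_groups.get(port, []):
            for pid in self.groups[group]:
                pol = self.policies[pid]
                if pol.classifier.matches(pkt):
                    if pol.count:
                        pol.packets += 1
                    return not pol.drop
        return True  # no ACL matched: normal forwarding

    def counters(self) -> Dict[int, int]:
        return {pid: p.packets for pid, p in self.policies.items()}


def demo() -> Dict[str, object]:
    """The guide's example (PC 00:0c:29:d4:4f:3c blocked from 8.8.8.8/32 on port6)
    plus a constructed count-only policy for VLAN 10 traffic from 10.0.0.0/8."""
    sw = ManagedSwitch()
    sw.policies[1] = IngressPolicy(1, Classifier(src_mac="00:0c:29:d4:4f:3c",
                                                 dst_ip_prefix=prefix("8.8.8.8", "255.255.255.255")),
                                   drop=True, count=True)
    sw.policies[2] = IngressPolicy(2, Classifier(vlan=10, src_ip_prefix=prefix("10.0.0.0", "255.0.0.0")),
                                   count=True)
    sw.groups["group1"] = [1, 2]
    sw.port_groups["port6"] = ["group1"]
    pc, gw = "00:0c:29:d4:4f:3c", "00:09:0f:00:00:01"
    verdicts = {
        "pc_to_8.8.8.8": sw.ingress("port6", Packet(pc, gw, 10, "10.1.1.50", "8.8.8.8")),
        "pc_to_1.1.1.1": sw.ingress("port6", Packet(pc, gw, 10, "10.1.1.50", "1.1.1.1")),
        "other_host_to_8.8.8.8": sw.ingress("port6", Packet("00:0c:29:aa:bb:cc", gw, 10, "10.1.1.51", "8.8.8.8")),
        "pc_on_port_without_acl": sw.ingress("port7", Packet(pc, gw, 10, "10.1.1.50", "8.8.8.8")),
        "vlan20_not_counted": sw.ingress("port6", Packet("00:0c:29:aa:bb:cc", gw, 20, "10.1.1.52", "1.1.1.1")),
    }
    return {"verdicts": verdicts, "counters": sw.counters()}


if __name__ == "__main__":
    result = demo()
    for name, ok in result["verdicts"].items():
        print(f"{name:26s} {'forward' if ok else 'drop'}")
    print("counters:", result["counters"])
```

Note that the PC is blocked only on port6: the same frame on port7, which carries no ACL group, is forwarded, which is why the guide ties the policy to the port the host actually connects to.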
Showing Security Fabric information
This example shows one of the key components in the concept of Security Fabric: FortiSwitch units in FortiLink. In the FortiGate GUI, you can see the whole picture of the Security Fabric working for your network security.
Sample topology

To show Security Fabric information:
1. Go to Security Fabric > Physical Topology.
2. To see the connection between FortiGates and managed FortiSwitches, hover the pointer over the icons to see information about each network element.

Blocking intra-VLAN traffic
If you are blocking intra-VLAN traffic on a FortiGate device for a packet that enters and leaves on the same interface, you must first disable allow-traffic-redirect. For example:
    config system global
        set allow-traffic-redirect disable
    end
You can block intra-VLAN traffic so that all client traffic is aggregated solely on the FortiGate unit. This prevents clients from reaching each other directly at layer 2 within the VLAN: each client can communicate only with the FortiGate unit. Once client traffic reaches the FortiGate unit, the FortiGate unit decides what level of access to grant the client, shifting the client's network VLAN as appropriate, provided a firewall policy allows it and proxy ARP is enabled. In the CLI command below, enable allows traffic only to and from the FortiGate and blocks FortiSwitch port-to-port traffic on the specified VLAN; disable allows normal traffic on the specified VLAN.
Starting in FortiOS 7.4.1 with FortiSwitchOS 7.4.1, you can also choose whether intra-VLAN traffic is allowed or blocked on the managed FortiSwitch units when their connection to the FortiGate device is lost.
To block intra-VLAN traffic using the FortiGate GUI:
1. Go to Network > Interfaces.
2. Select the interface and then select Edit.
3. In the Edit Interface form, enable Block intra-VLAN traffic under Network.

To block intra-VLAN traffic using the FortiGate CLI:
    config system interface
        edit <VLAN_name>
            set switch-controller-access-vlan {enable | disable}
        next
    end
NOTE:
• IPv6 is not supported between clients when intra-VLAN traffic blocking is enabled.
• Intra-VLAN traffic blocking is not supported when the FortiLink interface type is hardware switch or software switch.
• When intra-VLAN traffic blocking is enabled, to allow traffic between hosts, you need to configure proxy ARP with the config system proxy-arp CLI command and configure a firewall policy. For example:
    config system proxy-arp
        edit 1
            set interface "V100"
            set ip 1.1.1.1
            set end-ip 1.1.1.200
        next
    end

    config firewall policy
        edit 4
            set name "Allow intra-VLAN traffic"
            set srcintf "V100"
            set dstintf "V100"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
        next
    end
To allow or block intra-VLAN traffic when the connection to the FortiGate device is lost:
    config switch-controller fortilink-settings
        edit "<FortiLink_interface>"
            set access-vlan-mode {legacy | fail-open | fail-close}
        next
    end

Option       Description
legacy       This is the default, which is backward compatible with 7.4.1 and earlier.
fail-open    When the connection to the FortiGate device is lost, intra-VLAN traffic on the managed FortiSwitch units is allowed.
fail-close   When the connection to the FortiGate device is lost, intra-VLAN traffic on the managed FortiSwitch units is blocked.

Quarantines
Administrators can use MAC addresses to quarantine hosts and users connected to a FortiSwitch unit. Quarantined MAC addresses are isolated from the rest of the network and LAN. This section covers the following topics:
• Quarantining MAC addresses on page 221
• Using quarantine with DHCP on page 225
• Using quarantine with 802.1x MAC-based authentication on page 225
• Viewing quarantine entries on page 227
• Releasing MAC addresses from quarantine on page 229
Quarantining MAC addresses
You can use the FortiGate GUI or CLI to quarantine a MAC address.
NOTE: If you have multiple FortiLink interfaces, only the first quarantine VLAN is created successfully (with an IP address of 10.254.254.254). Additional quarantine VLANs will have an empty IP address.
Using the FortiGate GUI
In the FortiGate GUI, the quarantine feature is automatically enabled when you quarantine a host.
1. Select the host to quarantine.
    • Go to Security Fabric > Physical Topology, right-click on a host, and select Quarantine Host on FortiSwitch.
    • Go to Security Fabric > Logical Topology, right-click on a host, and select Quarantine Host on FortiSwitch.
    • Go to FortiView > Sources, right-click on an entry in the Source column, and select Quarantine Host on FortiSwitch.
2. Select Accept to confirm that you want to quarantine the host.

Using the FortiGate CLI
NOTE: Previously, this feature used the config switch-controller quarantine CLI command.
There are two kinds of quarantines:
• Quarantine-by-VLAN sends quarantined device traffic to the FortiGate unit on a separate quarantine VLAN (starting in FortiOS 6.0.0 and FortiSwitchOS 6.0.0).
• Quarantine-by-redirect redirects quarantined device traffic to a firewall address group on the FortiGate unit (starting in FortiOS 6.4.0 and FortiSwitchOS 6.4.0).
By default, the quarantine feature is enabled. When you upgrade a FortiGate unit from an older to a newer firmware version, the FortiGate unit uses the quarantine feature status from the older configuration. If the quarantine feature was disabled in the older configuration, it will be disabled after the upgrade.
You can add MAC addresses to be quarantined even when the quarantine feature is disabled. The MAC addresses are only quarantined when the quarantine feature is enabled.
The table size limit for the quarantine entry is 512. There is no limit for how many MAC addresses can be quarantined per quarantine entry.
Optionally, you can configure a traffic policy for quarantined devices to control how much bandwidth and burst they use and which class of service (CoS) queue they are assigned to. Without a traffic policy, you cannot control how much network resources quarantined devices use.
Starting in FortiOS 6.4.1, quarantine-by-VLAN is the default. If you have a quarantine-by-VLAN configuration and want to migrate to a quarantine-by-redirect configuration:
1. Disable quarantine.
2. Change the quarantine-mode to by-redirect.
3. Remove the quarantine VLAN from the switch ports.
4. Enable quarantine.
To set up a quarantine in FortiOS:
    config switch-controller global
        set quarantine-mode {by-vlan | by-redirect}
    end

    config user quarantine
        set quarantine enable
        set traffic-policy <traffic_policy_name>
        set firewall-groups <firewall_address_group>
        config targets
            edit <quarantine_entry_name>
                set description <string>
                config macs
                    edit <MAC_address_1>
                        set drop {enable | disable}
                    next
                    edit <MAC_address_2>
                        set drop {enable | disable}
                    next
                    edit <MAC_address_3>
                        set drop {enable | disable}
                    next
                end
            next
        end
    end

Option                                     Description
quarantine-mode {by-vlan | by-redirect}    Select the quarantine mode:
                                           • by-vlan sends quarantined device traffic to the FortiGate unit on a separate quarantine VLAN. This mode is the default.
                                           • by-redirect redirects quarantined device traffic to a firewall address group on the FortiGate unit.
traffic-policy <traffic_policy_name>       Optional. A name for the traffic policy that controls quarantined devices. If you do add a traffic policy, you need to configure it with the config switch-controller traffic-policy command.
firewall-groups <firewall_address_group>   Optional. By default, the firewall address group is QuarantinedDevices. If you are using quarantine-by-redirect, you must use the default firewall address group.
quarantine_entry_name                      A name for this quarantine entry.
description <string>                       Optional. A description of the MAC addresses being quarantined.
MAC_address_1, MAC_address_2, ...          A layer-2 MAC address in the following format: 12:34:56:aa:bb:cc
drop {enable | disable}                    Enable to drop quarantined device traffic. Disable to send quarantined device traffic to the FortiGate unit.

For example:
    config switch-controller global
        set quarantine-mode by-redirect
    end

    config user quarantine
        set quarantine enable
        set traffic-policy qtrafficp
        set firewall-groups QuarantinedDevices
        config targets
            edit quarantine1
                set description "infected by virus"
                config macs
                    edit 00:00:00:aa:bb:cc
                        set drop disable
                    next
                    edit 00:11:22:33:44:55
                        set drop disable
                    next
                    edit 00:01:02:03:04:05
                        set drop disable
                    next
                end
            next
        end
    end

To configure a traffic policy for quarantined devices in FortiOS:
    config switch-controller traffic-policy
        edit <traffic_policy_name>
            set description <string>
            set policer-status enable
            set guaranteed-bandwidth <0-524287000>
            set guaranteed-burst <0-4294967295>
            set maximum-burst <0-4294967295>
            set cos-queue <0-7>
        next
    end

Option                                Description
traffic-policy <traffic_policy_name>  Enter a name for the traffic policy that controls quarantined devices.
description <string>                  Enter an optional description of the traffic policy.
policer-status enable                 Enable the policer configuration to control quarantined devices. It is enabled by default.
guaranteed-bandwidth <0-524287000>    Enter the guaranteed bandwidth in kbps. The maximum value is 524287000. The default value is 0.
guaranteed-burst <0-4294967295>       Enter the guaranteed burst size in bytes. The maximum value is 4294967295. The default value is 0.
maximum-burst <0-4294967295>          Enter the maximum burst size in bytes. The maximum value is 4294967295. The default value is 0.
cos-queue <0-7>                       Set the class of service (CoS) queue for the traffic of quarantined devices. Use the unset cos-queue command to disable this setting.

For example:
    config switch-controller traffic-policy
        edit qtrafficp
            set description "quarantined traffic policy"
            set policer-status enable
            set guaranteed-bandwidth 10000
            set guaranteed-burst 10000
            set maximum-burst 10000
            unset cos-queue
        next
    end
Using quarantine with DHCP
When a device using DHCP is quarantined, the device becomes inaccessible until its DHCP lease is renewed, because it still holds the address it obtained on its original VLAN. To avoid this problem, enable the bounce-quarantined-link option, which shuts down the switch port where the quarantined device was last seen and then brings it back up again. Bouncing the port when the device is quarantined, and again when it is released from quarantine, forces a DHCP renewal so that the device obtains an address on the correct network. By default, the bounce-quarantined-link option is disabled.
To bounce the switch port where a quarantined device was last seen:
    config switch-controller global
        set bounce-quarantined-link {enable | disable}
    end
Using quarantine with 802.1x MAC-based authentication
After a device is authorized with IEEE 802.1x MAC-based authentication, you can quarantine that device. If the device was quarantined before 802.1x MAC-based authentication was enabled, the device's traffic remains in the quarantine VLAN 4093 after 802.1x MAC-based authentication is enabled.
To use quarantines with IEEE 802.1x MAC-based authentication:
1. By default, detecting the quarantine VLAN is enabled on a global level on the managed FortiSwitch unit. You can verify that quarantine-vlan is enabled with the following commands:
    S448DF3X16000118 # config switch global
    S448DF3X16000118 (global) # config port-security
    S448DF3X16000118 (port-security) # get
    link-down-auth      : set-unauth
    mab-reauth          : disable
    quarantine-vlan     : enable
    reauth-period       : 60
    max-reauth-attempt  : 0
2. By default, 802.1x MAC-based authentication and quarantine VLAN detection are enabled on a port level on the managed FortiSwitch unit. You can verify the settings for port-security-mode and quarantine-vlan. For example:
    S448DF3X16000118 (port17) # show switch interface port17
    config switch interface
        edit "port17"
            set allowed-vlans 4093
            set untagged-vlans 4093
            set security-groups "group1"
            set snmp-index 17
            config port-security
                set auth-fail-vlan disable
                set eap-passthru enable
                set framevid-apply enable
                set guest-auth-delay 30
                set guest-vlan disable
                set mac-auth-bypass enable
                set open-auth disable
                set port-security-mode 802.1X-mac-based
                set quarantine-vlan enable
                set radius-timeout-overwrite disable
                set auth-fail-vlanid 200
                set guest-vlanid 100
            end
        next
    end
3. On the FortiGate unit, quarantine a MAC address. For example:
    config user quarantine
        config targets
            edit "quarantine1"
                config macs
                    edit 00:05:65:ad:15:03
                    next
                end
            next
        end
    end
4. The FortiGate unit pushes the MAC-VLAN binding to the managed FortiSwitch unit. You can verify that the managed FortiSwitch unit received the MAC-VLAN binding with the following command:
    S448DF3X16000118 # show switch vlan 4093
    config switch vlan
        edit 4093
            set description "qtn.FLNK10"
            set dhcp-snooping enable
            set access-vlan enable
            config member-by-mac
                edit 1
                    set mac 00:05:65:ad:15:03
                next
            end
        next
    end
5. The 802.1x session shows that the MAC address is quarantined in VLAN 4093. You can verify that the managed FortiSwitch port has the quarantined MAC address. For example:
    S448DF3X16000118 # diagnose switch 802-1x status port17
    port17: Mode: mac-based (mac-by-pass enable)
    Link: Link up
    Port State: authorized: ( )
    EAP pass-through mode : Enable
    Quarantine VLAN (4093) detection : Enable
    Native Vlan : 1
    Allowed Vlan list: 1,4093
    Untagged Vlan list: 1,4093
    Guest VLAN :
    Auth-Fail Vlan :
    Switch sessions 3/480, Local port sessions:1/20
    Client MAC          Type    Vlan  Dynamic-Vlan  Quarantined
    00:05:65:ad:15:03   802.1x  1     4093
    Sessions info:
    00:50:56:ad:51:81 Type=802.1x,PEAP,state=AUTHENTICATED,etime=0,eap_cnt=41
    params:reAuth=1800
6. The MAC address table also shows the MAC address in VLAN 4093. You can verify the entries in the MAC address table with the following commands:
    S448DF3X16000118 # diagnose switch vlan assignment mac list 00:05:65:ad:15:03
    VLAN: 4093  Installed: yes  Source: 802.1X-MAC-Radius  Description: port17
    S448DF3X16000118 # diagnose switch mac list | grep "VLAN: 4093"
    MAC: 00:05:65:ad:15:03  VLAN: 4093  Port: port17(port-id 17)
Viewing quarantine entries
Quarantine entries are created on the FortiGate unit that is managing the FortiSwitch unit.
Using the FortiGate GUI
1. Go to Monitor > Quarantine Monitor.
2. Click Quarantined on FortiSwitch. The Quarantined on FortiSwitch button is only available if a device is detected behind the FortiSwitch unit, which requires Device Detection to be enabled.

Using the FortiGate CLI
Use the following command to view the quarantine list of MAC addresses:
    show user quarantine
For example:
    show user quarantine
    config user quarantine
        set quarantine enable
        config targets
            edit quarantine1
                set description "infected by virus"
                config macs
                    edit 00:00:00:aa:bb:cc
                    next
                    edit 00:11:22:33:44:55
                    next
                    edit 00:01:02:03:04:05
                    next
                end
            next
        end
    end
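Reviewing the quarantine list from a saved show user quarantine transcript is easier with a parser. The following Python program is an added example, not FortiOS code: it parses the FortiOS CLI config tree syntax (config, edit, set, unset, next, end) into nested dictionaries and then lists every quarantined MAC with its target, description, and drop flag. The transcript it runs on is constructed from the example above, and treating a missing set drop as disable is this example's assumption.

```python
"""Audit the quarantine list from saved 'show user quarantine' output.

Added example for the FortiLink guide, not FortiOS code. The parser handles
the generic config/edit/set/unset/next/end tree; the sample transcript below
is constructed from the guide's example.
"""
import shlex
from typing import Any, Dict, List, Tuple


def _node() -> Dict[str, Any]:
    return {"set": {}, "config": {}, "edit": {}}


def parse_fortios_config(text: str) -> Dict[str, Any]:
    """Build a tree: 'config X' nests under node['config'][X], 'edit Y' under
    node['edit'][Y], 'set k v...' stores v (a list when multi-valued).
    Quoted values are handled by shlex; unbalanced nesting raises."""
    root = _node()
    stack: List[Dict[str, Any]] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)
        kw, cur = tok[0], stack[-1]
        if kw == "config":
            stack.append(cur["config"].setdefault(" ".join(tok[1:]), _node()))
        elif kw == "edit":
            stack.append(cur["edit"].setdefault(" ".join(tok[1:]), _node()))
        elif kw == "set":
            cur["set"][tok[1]] = tok[2] if len(tok) == 3 else tok[2:]
        elif kw == "unset":
            cur["set"].pop(tok[1], None)
        elif kw in ("next", "end"):
            if len(stack) == 1:
                raise ValueError(f"'{kw}' without matching config/edit: {raw}")
            stack.pop()
        else:
            raise ValueError(f"unexpected line: {raw}")
    if len(stack) != 1:
        raise ValueError("unbalanced config/edit nesting")
    return root


def quarantined_macs(show_output: str) -> Tuple[bool, List[Dict[str, Any]]]:
    """Return (quarantine feature enabled, one entry per quarantined MAC)."""
    root = parse_fortios_config(show_output)
    q = root["config"].get("user quarantine", _node())
    enabled = q["set"].get("quarantine") == "enable"
    entries: List[Dict[str, Any]] = []
    for target, tnode in q["config"].get("targets", _node())["edit"].items():
        for mac, mnode in tnode["config"].get("macs", _node())["edit"].items():
            entries.append({
                "target": target,
                "description": tnode["set"].get("description", ""),
                "mac": mac.lower(),
                # Assumption of this example: a MAC without 'set drop' is not dropped
                "drop": mnode["set"].get("drop") == "enable",
            })
    return enabled, entries


# Constructed transcript following the example earlier in this section.
SAMPLE_SHOW = """\
config user quarantine
    set quarantine enable
    set traffic-policy "qtrafficp"
    set firewall-groups "QuarantinedDevices"
    config targets
        edit "quarantine1"
            set description "infected by virus"
            config macs
                edit 00:00:00:aa:bb:cc
                    set drop disable
                next
                edit 00:11:22:33:44:55
                    set drop enable
                next
                edit 00:01:02:03:04:05
                next
            end
        next
    end
end
"""

if __name__ == "__main__":
    on, macs = quarantined_macs(SAMPLE_SHOW)
    print("quarantine feature:", "enabled" if on else "disabled (entries are not enforced)")
    for e in macs:
        print(f"{e['mac']}  target={e['target']}  drop={e['drop']}  {e['description']}")
```

The enabled flag matters: the guide notes that MAC addresses can be listed while the feature is disabled, in which case none of them is actually quarantined, so an audit should report both.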
When the quarantine feature is enabled on the FortiGate unit, it creates a quarantine VLAN (qtn.<FortiLink_port_name>) and a quarantine DHCP server (with the quarantine VLAN as default gateway) on the virtual domain. The quarantine VLAN is applied to the allowed and untagged VLANs on all connected FortiSwitch ports.
Use the following command to view the quarantine VLAN:
    show system interface qtn.<FortiLink_port_name>
For example:
    show system interface qtn.port7
    config system interface
        edit "qtn.port7"
            set vdom "vdom1"
            set ip 10.254.254.254 255.255.255.0
            set description "Quarantine VLAN"
            set security-mode captive-portal
            set replacemsg-override-group "auth-intf-qtn.port7"
            set device-identification enable
            set device-identification-active-scan enable
            set snmp-index 34
            set switch-controller-access-vlan enable
            set color 6
            set interface "port7"
            set vlanid 4093
        next
    end
Use the following commands to view the quarantine DHCP server:
    show system dhcp server
    config system dhcp server
        edit 2
            set dns-service default
            set default-gateway 10.254.254.254
            set netmask 255.255.255.0
            set interface "qtn.port7"
            config ip-range
                edit 1
                    set start-ip 10.254.254.192
                    set end-ip 10.254.254.253
                next
            end
            set timezone-option default
        next
    end

Use the following command to view how the quarantine VLAN is applied to the allowed and untagged VLANs on all connected FortiSwitch ports:
    show switch-controller managed-switch
For example:
    show switch-controller managed-switch
    config switch-controller managed-switch
        edit "FS1D483Z15000036"
            set fsw-wan1-peer "port7"
            set fsw-wan1-admin enable
            set version 1
            set dynamic-capability 503
            config ports
                edit "port1"
                    set vlan "vsw.port7"
                    set allowed-vlans "qtn.port7"
                    set untagged-vlans "qtn.port7"
                next
                edit "port2"
                    set vlan "vsw.port7"
                    set allowed-vlans "qtn.port7"
                    set untagged-vlans "qtn.port7"
                next
                edit "port3"
                    set vlan "vsw.port7"
                    set allowed-vlans "qtn.port7"
                    set untagged-vlans "qtn.port7"
                next
                ...
            end
        next
    end
Releasing MAC addresses from quarantine
Using the FortiGate GUI
1. Go to Monitor > Quarantine Monitor.
2. Click Quarantined on FortiSwitch.
3. Right-click on one of the entries and select Delete or Remove All.
4. Click OK to confirm your choice.

Using the FortiGate CLI
To release MAC addresses from quarantine, you can delete a single MAC address or delete a quarantine entry, which deletes all of the MAC addresses listed in the entry. You can also disable the quarantine feature, which releases all quarantined MAC addresses from quarantine.
To delete a single quarantined MAC address:
    config user quarantine
        config targets
            edit <quarantine_entry_name>
                config macs
                    delete <MAC_address_1>
                end
            next
        end
    end
To delete all MAC addresses in a quarantine entry:
    config user quarantine
        config targets
            delete <quarantine_entry_name>
        end
    end
To disable the quarantine feature:
    config user quarantine
        set quarantine disable
    end


Optimizing the FortiSwitch network
Starting in FortiOS 6.4.2 with FortiSwitchOS 6.4.2, you can check your FortiSwitch network and get recommendations on how to optimize it. If you agree with the configuration recommendations, you can accept them, and they are automatically applied. The following tests have been added:
• Managed Switch Capacity Exceeded on FortiGate
This test checks whether the number of FortiSwitch units managed by each downstream FortiGate device has exceeded 80% of that device's limit. The score is calculated for each device and then averaged. If the number of connected FortiSwitch units is equal to or greater than the maximum limit, the result is a fail. You can upgrade to higher-capacity FortiGate devices or add more FortiGate devices to the Security Fabric so the FortiSwitch units can be split between multiple FortiGate devices. In the following example, the downstream FortiGate device passed.

• Redundant FortiLinks
This test checks for redundant FortiLinks between the FortiGate device and the FortiSwitch unit. There are multiple ports dedicated to FortiLink on FortiSwitch units directly connected to FortiGate devices. FortiSwitch units that are not directly connected to the FortiGate device are exempt from this test. If there are no redundant FortiLinks, then the result is a fail.
In the following example, the FortiGate device failed. The Recommendations section lists which FortiSwitch units require redundant FortiLinks.


• Redundant ISL
For FortiSwitch units with inter-switch links (ISLs), this test checks for two redundant links. If there is only one link, then the result is a fail. The Recommendations section lists which devices require an additional link. FortiSwitch units with inter-chassis links (ICLs) are exempt from the test. In the following example, the devices passed.

l Enable MCLAG This test checks for candidate FortiSwitch units that can form a tier-1 MCLAG. To do this, the FortiSwitch units must be connected to each other and directly connected to the FortiGate device. The FortiSwitch unit must support

FortiSwitchOS 7.4.3 FortiLink Guide (FortiOS 7.4.4)

232

Fortinet Inc.

Optimizing the FortiSwitch network
MCLAG. If an MCLAG already exists, this check is skipped. In the following example, three devices passed the test and two devices were exempt.

- Lockdown LLDP Profile
This test ensures that there are no accidental changes to the topology. For edge ports (not FortiLink or ISL), FortiOS suggests using the default LLDP profile. The test verifies the following:
  - Looks for an edge port that has an auto-ISL LLDP profile
  - Checks if BPDU guard is disabled on the edge port
  - Checks if the FortiGate DHCP server and switches do not have a DHCP key
An edge port that still carries an auto-ISL LLDP profile lets a FortiSwitch plugged into it negotiate an ISL and join the topology, and an edge port without BPDU guard can be pulled into a spanning-tree recalculation by whatever is connected to it; both are the accidental topology changes this test guards against.
In the following example, the devices failed. The EZ (Easy Apply) symbol appears, and port configurations to optimize the Security Fabric can be applied in the Recommendations section.


- Enable STP
This test checks if STP is enabled on edge ports. After the network topology is stable, edge ports should have STP enabled to optimize the Security Fabric. In the following example, the devices passed.

In FortiOS 7.2.4 with FortiSwitchOS 7.2.3, more tests have been added to the FortiSwitch recommendations to help optimize your network:
- If port 8 of an FS-108E or FS-108 unit is used for an inter-switch link (ISL), FortiOS recommends creating a custom auto-config policy.

- If the configured speed is less than the maximum speed for a switch port, FortiOS recommends changing the port speed to the maximum.
- FortiOS checks whether the ISLs and inter-chassis links (ICLs) are static, which increases stability during events such as cable disconnections or power outages. If any ISLs or ICLs are not static, FortiOS recommends locking down the Security Fabric topology to prevent the automatically created ISLs and ICLs from being accidentally deleted. In the following figure, two ISL configurations need to be locked down.

- When a multichassis link-aggregation group (MCLAG) is recommended between two FortiSwitch units, a Create MCLAG button is available under WiFi & Switch Controller > Managed FortiSwitches in the Topology view.
In FortiOS 7.4.0 with FortiSwitchOS 7.4.0, more tests have been added to the FortiSwitch recommendations to help optimize your network:
- Check if the switch port where a quarantined device was last seen has bouncing enabled.
- Check if the Basic Input/Output System (BIOS) on the FortiSwitch unit needs to be upgraded before FortiSwitchOS can be upgraded.
- If poe-status has been enabled under the config switch-controller auto-config policy command, FortiOS recommends that you disable it to prevent unpredictable problems caused by connecting two power sourcing equipment (PSE) ports.
In FortiOS 7.4.1 with FortiSwitchOS 7.4.1, more tests have been added to the FortiSwitch recommendations to help optimize your network:
- When a connected tier-1 MCLAG peer group is detected and FortiOS detects a possible tier-2 MCLAG pair of switches, FortiOS recommends forming a tier-2 MCLAG. After you accept the recommendation, the set lldp-profile default-auto-mclag-icl command is configured on the two switches with the recommended inter-chassis link (ICL) ports, and the config switch auto-isl-port-group command is configured on the parent MCLAG peer group.
- When a connected tier-2 MCLAG peer group is detected and FortiOS detects a possible tier-3 MCLAG pair of switches, FortiOS recommends forming a tier-3 MCLAG. After you accept the recommendation, the set lldp-profile default-auto-mclag-icl command is configured on the two switches with the recommended ICL ports, and the config switch auto-isl-port-group command is configured on the parent MCLAG peer group.
NOTE: For detection to be successful, there must be a fully meshed connection (each tier-2 FortiSwitch unit must have a connection to each tier-1 FortiSwitch unit, and each tier-3 FortiSwitch unit must have a connection to each tier-2 FortiSwitch unit).
NOTE: The Security Rating feature is available only when VDOMs are disabled.
To optimize your FortiSwitch network:
1. Go to Security Fabric > Security Rating.
2. Select Run Now (under Report Details in the right pane) to generate the Security Rating report.
3. Select the Optimization section.
4. Under Failed, select + next to each item to see more details in the right pane.


5. If you agree with a suggestion in the Recommendations section, select Apply for the change to be made.

After a recommended change has been applied to the network, go to Security Fabric > Security Rating and click Run Now again so that the recommendations are recalculated for the new topology.
Example
In this example, a FortiGate device manages four FortiSwitch units. Two of the switches already form an MCLAG, and the user wants a second MCLAG tier for redundancy.

1. In the FortiOS GUI, go to WiFi & Switch Controller > Managed FortiSwitches and verify that the two tier-2 FortiSwitch units are the same model so that they can form an MCLAG.

2. Go to Security Fabric > Security Rating and click Run Now.


3. After the security rating report has run, expand the Optimization results to see Enable MC-LAG Tier 2/3.

4. Go to WiFi & Switch Controller > Managed FortiSwitches and hover over the link connecting the two tier-2 FortiSwitch units. Click Create MC-LAG pair.


5. In the Create MC-LAG Pair panel, enter the ISL port group name.

6. The Managed FortiSwitches page shows that the MCLAG is formed for the tier-2 managed FortiSwitch units.


Configuring QoS with managed FortiSwitch units

Quality of Service (QoS) provides the ability to set particular priorities for different applications, users, or data flows.
- The FortiGate unit does not support QoS for hard or soft switch ports.
- The FS-1xxE and FS-1xxF models support a single QoS map. If there is more than one QoS map, the first configured map is used.
The FortiSwitch unit supports the following QoS configuration capabilities:
- Mapping the IEEE 802.1p and Layer 3 QoS values (Differentiated Services and IP Precedence) to an outbound QoS queue number.
- Providing eight egress queues on each port.
- Policing the maximum data rate of egress traffic on the interface.
- If you select weighted-random-early-detection for the drop-policy, you can enable explicit congestion notification (ECN) marking to indicate that congestion is occurring without just dropping packets.
To configure the QoS for managed FortiSwitch units:
1. Configure a Dot1p map.
A Dot1p map defines a mapping between IEEE 802.1p class of service (CoS) values (from incoming packets on a trusted interface) and the egress queue values. Values that are not explicitly included in the map will follow the default mapping, which maps each priority (0-7) to queue 0. If an incoming packet contains no CoS value, the switch assigns a CoS value of zero.
NOTE: Do not enable trust for both Dot1p and DSCP at the same time on the same interface. If you do want to trust both Dot1p and IP-DSCP, the FortiSwitch uses the latter value (DSCP) to determine the queue. The switch will use the Dot1p value and mapping only if the packet contains no DSCP value.
config switch-controller qos dot1p-map
    edit <Dot1p map name>
        set description <text>
        set priority-0 <queue number>
        set priority-1 <queue number>
        set priority-2 <queue number>
        set priority-3 <queue number>
        set priority-4 <queue number>
        set priority-5 <queue number>
        set priority-6 <queue number>
        set priority-7 <queue number>
    next
end
2. Configure a DSCP map.
A DSCP map defines a mapping between IP precedence or DSCP values and the egress queue values. For IP precedence, you have the following choices:
- network-control--Network control
- internetwork-control--Internetwork control
- critic-ecp--Critic and emergency call processing (ECP)
- flashoverride--Flash override
- flash--Flash
- immediate--Immediate
- priority--Priority
- routine--Routine
config switch-controller qos ip-dscp-map
    edit <DSCP map name>
        set description <text>
        config map
            edit <entry name>
                set cos-queue <CoS queue number>
                set diffserv {CS0 | CS1 | AF11 | AF12 | AF13 | CS2 | AF21 | AF22 | AF23 | CS3 | AF31 | AF32 | AF33 | CS4 | AF41 | AF42 | AF43 | CS5 | EF | CS6 | CS7}
                set ip-precedence {network-control | internetwork-control | critic-ecp | flashoverride | flash | immediate | priority | routine}
                set value <DSCP raw value>
            next
        end
    next
end
3. Configure the egress QoS policy.
In a QoS policy, you set the scheduling mode for the policy and configure one or more CoS queues. Each egress port supports eight queues, and three scheduling modes are available:
- With strict scheduling, the queues are served in descending order of queue number, so higher-numbered queues receive higher priority.
- In simple round-robin mode, the scheduler visits each backlogged queue, servicing a single packet from each queue before moving on to the next one.
- In weighted round-robin mode, each of the eight egress queues is assigned a weight value ranging from 0 to 63.
config switch-controller qos queue-policy
    edit <QoS egress policy name>
        set schedule {strict | round-robin | weighted}
        config cos-queue
            edit queue-<number>
                set description <text>
                set min-rate <rate in kbps>
                set max-rate <rate in kbps>
                set drop-policy {taildrop | weighted-random-early-detection}
                set ecn {enable | disable}
                set weight <weight value>
            next
        end
    next
end
4. Configure the overall policy that will be applied to the switch ports.
config switch-controller qos qos-policy
    edit <QoS policy name>
        set default-cos <default CoS value 0-7>
        set trust-dot1p-map <Dot1p map name>
        set trust-ip-dscp-map <DSCP map name>
        set queue-policy <queue policy name>
    next
end
5. Configure each switch port.
config switch-controller managed-switch
    edit <switch-id>
        config ports
            edit <port>
                set qos-policy <QoS policy name>
            next
        end
    next
end
6. Check the QoS statistics on each switch port.
diagnose switch-controller switch-info qos-stats <FortiSwitch_serial_number> <port_name>
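To see how steps 1, 2 and 4 interact on a single packet, the following Python models the classification rules stated above: named DiffServ code points resolve to raw DSCP values, unmapped 802.1p priorities fall back to queue 0, and DSCP takes precedence over Dot1p whenever both are trusted and the packet carries a DSCP value. This is an added example written for this guide's text, not Fortinet code; the CSx/AFxy/EF arithmetic comes from RFC 2474, 2597 and 3246, and treating default-cos as the CoS given to untagged frames is an assumption the page does not spell out (it only says such frames get CoS 0, which is that setting's default).

```python
"""Model of FortiSwitch QoS classification as described in steps 1, 2 and 4.

Added example, not Fortinet code. Encodes the rules from the text:
  * `set diffserv` names (CSx, AFxy, EF) map to 6-bit DSCP values
    (CSx = 8x, AFxy = 8x + 2y, EF = 46, per RFC 2474/2597/3246),
  * a Dot1p map covers priorities 0-7; unmapped priorities fall back to queue 0,
  * when both maps are trusted, DSCP decides; Dot1p is consulted only if the
    packet carries no DSCP value,
  * an untagged frame gets `default-cos` (assumption: the page says the switch
    assigns CoS 0, which is the default value of that setting).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


def dscp_value(name: str) -> int:
    """Resolve a DiffServ code point name accepted by `set diffserv` to its raw value."""
    n = name.strip().upper()
    if n == "EF":
        return 46
    if len(n) == 3 and n.startswith("CS") and n[2] in "01234567":
        return int(n[2]) * 8
    if len(n) == 4 and n.startswith("AF") and n[2] in "1234" and n[3] in "123":
        return int(n[2]) * 8 + int(n[3]) * 2
    raise ValueError(f"unknown DiffServ code point: {name!r}")


def dscp_from_tos(tos: int) -> int:
    """Extract the 6-bit DSCP from an IPv4 TOS / IPv6 traffic-class byte (low 2 bits are ECN)."""
    return (tos >> 2) & 0x3F


def dot1p_map_from_cli(lines: Iterable[str]) -> Dict[int, int]:
    """Build a priority->queue map from `set priority-N <queue>` lines of a dot1p-map entry."""
    table: Dict[int, int] = {}
    for line in lines:
        parts = line.split()
        if len(parts) == 3 and parts[0] == "set" and parts[1].startswith("priority-"):
            table[int(parts[1].split("-", 1)[1])] = int(parts[2])
    return table


@dataclass
class QosPolicy:
    """The subset of `config switch-controller qos qos-policy` that drives queue selection."""
    default_cos: int = 0
    trust_dot1p_map: Optional[Dict[int, int]] = None   # 802.1p priority -> egress queue
    trust_ip_dscp_map: Optional[Dict[int, int]] = None  # raw DSCP -> egress queue

    def queue_for(self, pcp: Optional[int], dscp: Optional[int]) -> int:
        """Egress queue for a frame with 802.1p priority `pcp` (None = untagged)
        and DSCP `dscp` (None = non-IP frame, so no DSCP value present)."""
        if self.trust_ip_dscp_map is not None and dscp is not None:
            # DSCP wins whenever it is trusted and present; unmapped code points -> queue 0.
            return self.trust_ip_dscp_map.get(dscp, 0)
        if self.trust_dot1p_map is not None:
            cos = self.default_cos if pcp is None else pcp
            return self.trust_dot1p_map.get(cos, 0)  # default mapping: every priority -> queue 0
        return 0  # nothing trusted: everything lands in queue 0


# Constructed sample policy: voice (EF) and video (AF41) to high queues, Dot1p 5 and 6 mapped.
VOICE_VIDEO_POLICY = QosPolicy(
    default_cos=0,
    trust_dot1p_map=dot1p_map_from_cli(["set priority-5 5", "set priority-6 6"]),
    trust_ip_dscp_map={dscp_value("EF"): 7, dscp_value("AF41"): 4},
)
```

When working from a capture, feed the TOS byte through dscp_from_tos(). Note that an IP packet marked CS0 (DSCP 0) still carries a DSCP value, so once a DSCP map is trusted the Dot1p priority is ignored for every IP packet, not only for those with a non-zero code point.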
Configuring ECN for managed FortiSwitch devices
Explicit Congestion Notification (ECN) allows ECN-enabled endpoints to notify each other when they are experiencing congestion. It is supported on the following FortiSwitch models: FS-3032E, FS-3032D, FS-1048E, FS-1048D, FS-5xxD series, and FS-4xxE series. On the FortiGate unit that is managing a compatible FortiSwitch unit, ECN can be enabled for each class of service (CoS) queue so that drop-eligible packets are marked instead of being dropped. The command is available only when the drop policy is weighted random early detection. It is disabled by default.
To configure FortiSwitch to enable ECN marking of drop-eligible packets:
config switch-controller qos queue-policy
    edit "ECN_marking"
        set schedule round-robin
        set rate-by kbps
        config cos-queue
            edit "queue-0"
                set drop-policy weighted-random-early-detection
                set ecn enable
            next
            edit "queue-1"
            next
            edit "queue-2"
            next
            ...
        end
    next
end


Logging and monitoring
This section covers the following topics:
- FortiSwitch log settings on page 245
- Configuring FortiSwitch port mirroring on page 246
- Configuring the FortiOS one-arm sniffer on page 251
- Configuring SNMP on page 255
- Configuring sFlow on page 260
- Configuring flow tracking and export on page 261
- Using the FortiView Internal Hubs monitor on page 264
- Configuring flow control and ingress pause metering on page 267
FortiSwitch log settings
You can export the logs of managed FortiSwitch units to the FortiGate unit or send FortiSwitch logs to a remote Syslog server. This section covers the following topics:
- Exporting logs to FortiGate on page 245
- Sending logs to a remote Syslog server on page 246
Exporting logs to FortiGate
You can enable and disable whether the managed FortiSwitch units export their logs to the FortiGate unit. The setting is global, and the default setting is enabled. Starting in FortiOS 5.6.3, more details are included in the exported FortiSwitch logs. To allow a level of filtering, the FortiGate unit sets the user field to "fortiswitch-syslog" for each entry. Use the following CLI command syntax:
config switch-controller switch-log
    set status {*enable | disable}
    set severity {emergency | alert | critical | error | warning | notification | *information | debug}
end
You can override the global log settings for a FortiSwitch unit, using the following commands:
config switch-controller managed-switch
    edit <switch-id>
        config switch-log
            set local-override enable
At this point, you can configure the log settings that apply to this specific switch.

Sending logs to a remote Syslog server
Instead of exporting FortiSwitch logs to a FortiGate unit, you can send FortiSwitch logs to one or two remote Syslog servers. After enabling this option, you can select the severity of log messages to send, whether to use comma-separated values (CSV), and the remote Syslog facility. By default, FortiSwitch logs are sent to port 514 of the remote Syslog server. None of these settings encrypts the log stream, so the collector should sit on a trusted management network that the FortiSwitch units can reach.
Use the following CLI command syntax to configure the default syslogd and syslogd2 settings:
config switch-controller remote-log
    edit {syslogd | syslogd2}
        set status {enable | *disable}
        set server <IPv4_address_of_remote_syslog_server>
        set port <remote_syslog_server_listening_port>
        set severity {emergency | alert | critical | error | warning | notification | *information | debug}
        set csv {enable | *disable}
        set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | *local7}
    next
end
You can override the default syslogd and syslogd2 settings for a specific FortiSwitch unit, using the following commands:
config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        config remote-log
            edit {syslogd | syslogd2}
                set status {enable | *disable}
                set server <IPv4_address_of_remote_syslog_server>
                set port <remote_syslog_server_listening_port>
                set severity {emergency | alert | critical | error | warning | notification | *information | debug}
                set csv {enable | *disable}
                set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | *local7}
            next
        end
    next
end
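A collector receiving these logs has to decode the facility and severity from the PRI field before it can honour the filters set above. The following Python is an added example, not Fortinet code: it uses the facility and severity names the CLI accepts together with their RFC 3164 numeric codes (the same order the page lists them in), applies the severity threshold, and drops datagrams from other facilities. It assumes the usual syslog semantics for set severity (the configured level and anything more severe is sent); the sample datagrams are constructed, not captured from a switch.

```python
"""Decode and filter syslog messages as a FortiSwitch remote-log collector would see them.

Added example, not Fortinet code. The facility and severity names are the ones the
`set facility` and `set severity` options accept; their numeric codes follow
RFC 3164 (PRI = facility * 8 + severity), which is also the order the page lists them in.
Assumption: `set severity <level>` means "send this level and anything more severe",
the usual syslog threshold semantics.
"""
import re
from typing import List, NamedTuple

FACILITIES = [
    "kernel", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notification", "information", "debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)\Z", re.DOTALL)


class SyslogMessage(NamedTuple):
    facility: str
    severity: str
    body: str


def pri_for(facility: str, severity: str) -> int:
    """PRI value a sender puts in the angle brackets for this facility/severity pair."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def parse_syslog(line: str) -> SyslogMessage:
    """Split a raw syslog datagram into facility, severity and the rest of the message."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> prefix")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal value
        raise ValueError(f"PRI {pri} out of range")
    return SyslogMessage(FACILITIES[pri >> 3], SEVERITIES[pri & 7], m.group(2).strip())


def is_forwarded(severity: str, configured: str = "information") -> bool:
    """Would `set severity <configured>` let a message of this severity through?"""
    return SEVERITIES.index(severity) <= SEVERITIES.index(configured)


def collect(lines: List[str], facility: str = "local7", configured: str = "information") -> List[SyslogMessage]:
    """Keep messages from the expected facility that pass the configured threshold.

    Datagrams from any other facility are dropped: on a collector dedicated to the
    switches they mean something else is writing to this port."""
    kept: List[SyslogMessage] = []
    for line in lines:
        msg = parse_syslog(line)
        if msg.facility == facility and is_forwarded(msg.severity, configured):
            kept.append(msg)
    return kept


# Constructed sample datagrams (not captured from a device): local7 at information,
# error and debug, plus one from the `user` facility that should be left out.
SAMPLE = [
    f"<{pri_for('local7', 'information')}>Jan 1 12:00:00 S524DF4K15000024 link up on port5",
    f"<{pri_for('local7', 'error')}>Jan 1 12:00:01 S524DF4K15000024 ISL trunk down",
    f"<{pri_for('local7', 'debug')}>Jan 1 12:00:02 S524DF4K15000024 lldp pdu received",
    f"<{pri_for('user', 'information')}>Jan 1 12:00:03 otherhost unrelated event",
]
```

Run collect(SAMPLE) with the facility and severity you configured under config switch-controller remote-log; with the defaults shown above (local7, information) the debug datagram and the user-facility datagram are dropped and the two remaining messages are returned in arrival order.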
Configuring FortiSwitch port mirroring
The FortiSwitch unit can send a copy of any ingress or egress packet on a port to egress on another port of the same FortiSwitch unit. The original traffic is unaffected. This process is known as port-based mirroring and is typically used for external analysis and capture.
Using remote SPAN (RSPAN) or encapsulated RSPAN (ERSPAN) allows you to send the collected packets across layer-2 domains for analysis. You can have one RSPAN session or one ERSPAN session.

In RSPAN mode, traffic is encapsulated in VLAN 4092 and sent toward the FortiGate device, where it can be captured using packet capture. The FortiSwitch unit assigns the uplink port and the dst port. The switching functionality is enabled on the dst interface when mirroring.
In ERSPAN mode, traffic is encapsulated in Ethernet, IPv4, and generic routing encapsulation (GRE) headers. By focusing on traffic to and from specified ports and traffic to a specified MAC or IP address, ERSPAN reduces the amount of traffic being mirrored. The ERSPAN traffic is sent to a specified IP address, which is the device acting as an ERSPAN collector. The collector must be reachable by the FortiSwitch unit using IPv4 ICMP ping (NOTE: A firewall policy might be required on the FortiGate device.). If the collector IP address is not specified, the traffic is not mirrored.
NOTE: ERSPAN cannot be used with SPAN or RSPAN.
When you are using RSPAN or ERSPAN, the switch controller automatically configures a policer to limit the traffic. For example:
config switch-controller traffic-policy
    edit "sniffer"
        set description "Rate control for sniffer mirrored traffic"
        set guaranteed-bandwidth 50000
        set guaranteed-burst 8192
        set maximum-burst 163840
        set cos-queue 0
    next
end
config system interface
    edit "rspan"
        set switch-controller-traffic-policy "sniffer"
    next
end
Refer to the FortiSwitchOS feature matrix to see which FortiSwitch models support the policer.
To configure FortiSwitch port-based mirroring:
config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        config mirror
            edit <mirror_name>
                set status {active | inactive}   // Required
                set dst <port_name>              // Required
                set switching-packet {enable | disable}
                set src-ingress <port_name>
                set src-egress <port_name>
            next
        end
    next
end
Anything connected to the dst port receives a copy of the mirrored traffic, so treat that port like a tap: dedicate it to the analyzer and do not leave it patched to a user-facing outlet.
In the following example, the ingress traffic from port2 and port3 and the egress traffic from port4 and port5 are mirrored to port1, where the traffic-monitoring device is connected.
config switch-controller managed-switch
    edit S524DF4K15000024
        config mirror
            edit 2
                set status active
                set dst port1
                set switching-packet enable
                set src-ingress port2 port3
                set src-egress port4 port5
            next
        end
    next
end
To configure FortiSwitch RSPAN:
config switch-controller traffic-sniffer
    set mode rspan
    config target-mac
        edit <MM:MM:MM:SS:SS:SS>   // mirror traffic sent FROM this source MAC address
            set description <string>
        next
    end
    config target-ip
        edit <xxx.xxx.xxx.xxx>   // mirror traffic sent FROM this source IP address
            set description <string>
        next
    end
    config target-port
        edit <FortiSwitch_serial_number>
            set description <string>
            set in-ports <portx porty portz ...>    // mirror any traffic sent to these ports
            set out-ports <portx porty portz ...>   // mirror any traffic sent from these ports
        next
    end
end
In the following example, traffic matching any of the target-mac, target-ip, and target-port parameters is captured.
config switch-controller traffic-sniffer
    set mode rspan
    config target-mac
        edit 00:00:00:aa:bb:cc
            set description MACtarget1
        next
    end
    config target-ip
        edit 10.254.254.192
            set description IPtarget1
        next
    end
    config target-port
        edit S524DF4K15000024
            set description PortTargets1
            set in-ports port5 port6 port7
            set out-ports port10
        next
    end
end
To monitor the traffic on a FortiGate device, go to Network > Diagnostics > Packet Capture and capture the traffic on the "rspan" VLAN. The traffic can also be downloaded as a PCAP file. For more details, see Using the packet capture tool.
To configure FortiSwitch ERSPAN:
config switch-controller traffic-sniffer
    set mode erspan-auto
    set erspan-ip <xxx.xxx.xxx.xxx>   // IPv4 address where ERSPAN traffic is sent
    config target-mac
        edit <MM:MM:MM:SS:SS:SS>   // mirror traffic sent from this MAC address
            set description <string>
        next
    end
    config target-ip
        edit <xxx.xxx.xxx.xxx>   // mirror traffic sent from this IPv4 address
            set description <string>
        next
    end
    config target-port
        edit <FortiSwitch_serial_number>
            set description <string>
            set in-ports <portx porty portz ...>    // mirror traffic sent to these ports
            set out-ports <portx porty portz ...>   // mirror traffic sent from these ports
        next
    end
end
For example:
config switch-controller traffic-sniffer
    set mode erspan-auto
    set erspan-ip 10.255.12.201
    config target-mac
        edit 00:00:00:aa:bb:cc
            set description MACtarget1
        next
    end
    config target-ip
        edit 10.254.254.192
            set description IPtarget1
        next
    end
    config target-port
        edit S524DF4K15000024
            set description PortTargets1
            set in-ports port5 port6 port7
            set out-ports port10
        next
    end
end
To disable FortiSwitch port mirroring:
config switch-controller traffic-sniffer
    set mode none
end

Configuring the FortiOS one-arm sniffer

Starting in FortiOS 7.4.1 with FortiSwitchOS 7.4.1, you can use the FortiOS one-arm sniffer to configure a VLAN interface on a managed FortiSwitch unit as an intrusion detection system (IDS). Traffic sent to the interface is examined for matches to the configured security profile. The matches are logged, and the unmatched sniffed traffic is not forwarded to the FortiGate device. Sniffing only reports on attacks; it does not deny or influence traffic. Traffic scanned on the FortiOS one-arm sniffer interface is processed by the CPU. The FortiOS one-arm sniffer might cause higher CPU usage and perform at a lower level than traditional inline scanning. The absence of high CPU usage does not indicate the absence of packet loss. Packet loss might occur due to the capacity of the TAP devices hitting maximum traffic volume during mirroring or, on the FortiGate device, when the kernel buffer size is exceeded and it is unable to handle bursts of traffic.
To configure the FortiOS one-arm sniffer in the CLI:
1. Specify the managed switch port to use to mirror traffic in RSPAN or ERSPAN mode on page 251.
2. Enable the FortiOS one-arm sniffer on the VLAN interface that will mirror traffic on page 252.
3. Configure the FortiOS one-arm sniffer in a firewall policy on page 252.
4. Generate traffic on the client.
5. Review the logs for the sniffer policy on page 253.

1. Specify the managed switch port to use to mirror traffic in RSPAN or ERSPAN mode
You can mirror traffic in RSPAN or ERSPAN mode on a layer-2 VLAN. Specify which ingress port you want to use for a mirroring source.
config switch-controller traffic-sniffer
    set mode {rspan | erspan-auto}
    config target-port
        edit <FortiSwitch_serial_number>
            set in-ports <port_name>
        next
    end
end
For example:
config switch-controller traffic-sniffer
    set mode rspan
    config target-port
        edit S524DF4K15000024
            set in-ports port6
        next
    end
end

2. Enable the FortiOS one-arm sniffer on the VLAN interface that will mirror traffic
After you enable ips-sniffer-mode, switch-controller-access-vlan and switch-controller-rspan-mode are enabled by default, and switch-controller-traffic-policy is set to sniffer by default.
config system interface
    edit <interface_name>
        set ips-sniffer-mode enable
        set switch-controller-access-vlan enable
        set switch-controller-traffic-policy sniffer
        set switch-controller-rspan-mode enable
    next
end
For example:
config system interface
    edit rspan
        set ips-sniffer-mode enable
        set switch-controller-access-vlan enable
        set switch-controller-traffic-policy sniffer
        set switch-controller-rspan-mode enable
    next
end
3. Configure the FortiOS one-arm sniffer in a firewall policy
Specify the same interface that you used in step 2. Enable the security profiles that you want to use and specify the sniffer-profile profile for each security profile. By default, all security profiles are disabled.
config firewall sniffer
    edit <sniffer_ID>
        set logtraffic {all | utm}
        set interface <interface_name>
        set av-profile-status {enable | disable}
        set av-profile "sniffer-profile"
        set webfilter-profile-status {enable | disable}
        set webfilter-profile "sniffer-profile"
        set application-list-status {enable | disable}
        set application-list "sniffer-profile"
        set ips-sensor-status {enable | disable}
        set ips-sensor "sniffer-profile"
        set file-filter-profile-status {enable | disable}
        set file-filter-profile "sniffer-profile"
    next
end
For example:
config firewall sniffer
    edit 50
        set logtraffic all
        set interface rspan
        set av-profile-status enable
        set av-profile sniffer-profile
        set webfilter-profile-status enable
        set webfilter-profile sniffer-profile
        set application-list-status enable
        set application-list sniffer-profile
        set ips-sensor-status enable
        set ips-sensor sniffer-profile
        set file-filter-profile-status enable
        set file-filter-profile sniffer-profile
    next
end
4. Generate traffic on the client
Send traffic from a client behind the mirrored switch port so that the sniffer policy has something to inspect.
5. Review the logs for the sniffer policy
execute log display
Configuration example
The following example shows how a managed FortiSwitch unit mirrors traffic from a client and then sends the traffic to the FortiGate device for analysis. In this example, enable the FortiOS one-arm sniffer in the FortiOS CLI and then use the FortiOS GUI for the rest of the example.
1. Enable the FortiOS one-arm sniffer.
config system interface
    edit "rspan.17"
        set ips-sniffer-mode enable
        set vdom root
        set interface port11
        set vlanid 4092
    next
end
2. Go to Network > Interfaces.
3. Select rspan.17 (under port11) and click Edit.
4. Enable the security profiles that you want to use.


5. Click OK.
6. Generate traffic on the client.
7. Go to Log & Report > Sniffer Traffic.
The logs generated from the mirrored traffic are listed.

In the FortiOS CLI, use the execute log display command to view the logs:
784 logs found.
10 logs returned.
1: date=2023-07-31 time=16:28:13 eventtime=1690846092971957519 tz="-0700" logid="0004000017" type="traffic" subtype="sniffer" level="notice" vd="vdom1" srcip=5.4.4.2 srcport=51293 srcintf="rspan.17" srcintfrole="undefined" dstip=96.45.45.45 dstport=53 dstintf="rspan.17" dstintfrole="undefined" srccountry="Germany" dstcountry="United States" sessionid=784 proto=17 action="accept" policyid=1 policytype="sniffer" service="DNS" trandisp="snat" transip=0.0.0.0 transport=0 duration=180 sentbyte=70 rcvdbyte=0 sentpkt=1 rcvdpkt=0 appid=16195 app="DNS" appcat="Network.Service" apprisk="elevated" utmaction="allow" countapp=1 sentdelta=70 rcvddelta=0 mastersrcmac="00:0c:29:38:2a:c6" srcmac="00:0c:29:38:2a:c6" srcserver=0 masterdstmac="04:d5:90:bf:f3:50" dstmac="04:d5:90:bf:f3:50" dstserver=0
2: date=2023-07-31 time=16:27:39 eventtime=1690846059062169260 tz="-0700" logid="0004000017" type="traffic" subtype="sniffer" level="notice" vd="vdom1" srcip=5.4.4.2 srcport=37800 srcintf="rspan.17" srcintfrole="undefined" dstip=96.45.45.45 dstport=53 dstintf="rspan.17" dstintfrole="undefined" srccountry="Germany" dstcountry="United States" sessionid=782 proto=17 action="accept" policyid=1 policytype="sniffer" service="DNS" trandisp="snat" transip=0.0.0.0 transport=0 duration=180 sentbyte=70 rcvdbyte=0 sentpkt=1 rcvdpkt=0 appid=16195 app="DNS" appcat="Network.Service" apprisk="elevated" utmaction="allow" countapp=1 sentdelta=70 rcvddelta=0 mastersrcmac="00:0c:29:38:2a:c6" srcmac="00:0c:29:38:2a:c6" srcserver=0 masterdstmac="04:d5:90:bf:f3:50" dstmac="04:d5:90:bf:f3:50" dstserver=0 utmref=0-6524
3: date=2023-07-31 time=16:27:39 eventtime=1690846059062027560 tz="-0700" logid="0004000017" type="traffic" subtype="sniffer" level="notice" vd="vdom1" srcip=5.4.4.2 srcport=52702 srcintf="rspan.17" srcintfrole="undefined" dstip=96.45.45.45 dstport=53 dstintf="rspan.17" dstintfrole="undefined" srccountry="Germany" dstcountry="United States" sessionid=780 proto=17 action="accept" policyid=1 policytype="sniffer" service="DNS" trandisp="snat" transip=0.0.0.0 transport=0 duration=180 sentbyte=61 rcvdbyte=0 sentpkt=1 rcvdpkt=0 appid=16195 app="DNS" appcat="Network.Service" apprisk="elevated" utmaction="allow" countapp=1 sentdelta=61 rcvddelta=0 mastersrcmac="00:0c:29:38:2a:c6" srcmac="00:0c:29:38:2a:c6" srcserver=0 masterdstmac="04:d5:90:bf:f3:50" dstmac="04:d5:90:bf:f3:50" dstserver=0 utmref=0-6510
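The records above are FortiOS key=value logs. The following Python is an added example, not Fortinet code: it parses that format (bare and double-quoted values, and the N: counter that execute log display prints before each record), keeps only the records a sniffer policy produced, and summarizes them by flow while pulling out any record where UTM did more than allow. That is the grouping you would do before turning one-arm sniffer output into an alert. The sample lines are constructed to match the format shown and are not taken from a device.

```python
"""Parse FortiOS `type="traffic" subtype="sniffer"` records and summarize them by flow.

Added example, not Fortinet code. Handles the format shown above: space-separated
key=value pairs, values either bare or double-quoted (quoted values may contain spaces),
and the `N:` counter that `execute log display` prints before each record.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_COUNTER_RE = re.compile(r"^\d+:\s+")


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Turn one FortiOS log record into a dict; surrounding quotes are removed."""
    line = _COUNTER_RE.sub("", line.strip())
    record: Dict[str, str] = {}
    for key, value in _KV_RE.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        record[key] = value
    return record


def sniffer_records(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Keep only traffic logs produced by a sniffer policy."""
    out: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_fortios_log(line)
        if rec.get("type") == "traffic" and rec.get("subtype") == "sniffer":
            out.append(rec)
    return out


def summarize(records: List[Dict[str, str]]) -> Tuple[Counter, List[Dict[str, str]]]:
    """Count records per (srcip, dstip, dstport, service) and pull out those where
    UTM did more than allow. The sniffer never blocks, so a utmaction other than
    "allow" is a detection worth reviewing even though the traffic was not stopped."""
    flows: Counter = Counter(
        (r.get("srcip", "?"), r.get("dstip", "?"), r.get("dstport", "?"), r.get("service", "?"))
        for r in records
    )
    flagged = [r for r in records
               if r.get("utmaction", "allow") != "allow" or r.get("action", "accept") != "accept"]
    return flows, flagged


# Constructed sample modeled on the output above (not a device capture): two DNS
# queries, one record where the IPS sensor flagged the flow, and one unrelated event log.
SAMPLE_LOGS = [
    '1: date=2023-07-31 time=16:28:13 logid="0004000017" type="traffic" subtype="sniffer" '
    'level="notice" vd="vdom1" srcip=5.4.4.2 srcport=51293 srcintf="rspan.17" dstip=96.45.45.45 '
    'dstport=53 proto=17 action="accept" policyid=1 policytype="sniffer" service="DNS" '
    'app="DNS" appcat="Network.Service" utmaction="allow" dstcountry="United States"',
    '2: date=2023-07-31 time=16:27:39 logid="0004000017" type="traffic" subtype="sniffer" '
    'level="notice" vd="vdom1" srcip=5.4.4.2 srcport=37800 srcintf="rspan.17" dstip=96.45.45.45 '
    'dstport=53 proto=17 action="accept" policyid=1 policytype="sniffer" service="DNS" '
    'app="DNS" appcat="Network.Service" utmaction="allow" dstcountry="United States"',
    '3: date=2023-07-31 time=16:27:40 logid="0004000017" type="traffic" subtype="sniffer" '
    'level="notice" vd="vdom1" srcip=5.4.4.2 srcport=40022 srcintf="rspan.17" dstip=198.51.100.7 '
    'dstport=445 proto=6 action="accept" policyid=1 policytype="sniffer" service="SMB" '
    'utmaction="detected" dstcountry="United States"',
    '4: date=2023-07-31 time=16:27:41 logid="0100032001" type="event" subtype="system" '
    'level="information" vd="vdom1" msg="Admin login successful"',
]
```

Pipe the output of execute log display into sniffer_records() and then summarize(); the flow counter gives you the per-destination volume of what the mirrored port saw, and the flagged list is the subset to route to an analyst, since the sniffer policy itself only observes.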
Configuring SNMP
Simple Network Management Protocol (SNMP) enables you to monitor hardware on your network.
The managed FortiSwitch SNMP implementation is read-only. SNMP v1-compliant and v2c-compliant SNMP managers have read-only access to FortiSwitch system information through queries and can receive trap messages from the managed FortiSwitch unit. Read-only access does not make SNMPv1/v2c safe to expose: the community string is the only credential and is sent in cleartext, so where the manager supports it, configure an SNMPv3 user with security-level auth-priv (see To configure the SNMP user globally) and limit polling to the manager's address.
To monitor FortiSwitch system information and receive FortiSwitch traps, you must first compile the Fortinet and FortiSwitch management information base (MIB) files. A MIB is a text file that describes a list of SNMP data objects that are used by the SNMP manager. These MIBs provide information that the SNMP manager needs to interpret the SNMP trap, event, and query messages sent by the FortiSwitch SNMP agent.
FortiSwitch core MIB files are available for download by going to System > Config > SNMP > Settings and selecting the FortiSwitch MIB File download link.
You configure SNMP on a global level so that all managed FortiSwitch units use the same settings. If you want one of the FortiSwitch units to use different settings from the global settings, configure SNMP locally.


The maximum number of hosts for SNMP traps on a FortiSwitch unit is 8.

This section covers the following topics:
- Configuring SNMP globally on page 256
- Configuring SNMP locally on page 258
- SNMP OIDs on page 259
Configuring SNMP globally
To configure SNMP globally:
1. Configure a firewall policy on the FortiGate device managing the FortiSwitch unit to allow the SNMP server to use the FortiLink interface for SNMP polling. For SNMP traps on the managed FortiSwitch unit, you need to configure a firewall policy to allow the managed FortiSwitch unit to communicate with the SNMP server through the FortiLink interface.
2. Add SNMP access on the managed FortiSwitch unit. Add SNMP access to the internal-allowaccess setting. If you are using FortiLink mode over a layer-3 network with out-of-band management, add SNMP access to the mgmt-allowaccess setting.
3. Configure the SNMP system information.
4. Configure the SNMP community.
5. Configure the SNMP trap threshold values.
6. Configure the SNMP user.
To configure a firewall policy for SNMP polling:
config firewall policy
    edit <policy_ID>
        set name <policy_name>
        set srcintf <FortiGate port that communicates with the SNMP server>
        set dstintf <FortiLink port that communicates with the managed FortiSwitch unit>
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service {"SNMP" | <port_used_for_SNMP_polling>}
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
    next
end
In production, replace srcaddr "all" with an address object for the SNMP manager so that only that host can reach the FortiSwitch SNMP agents through the FortiLink interface.
To add SNMP access on the managed FortiSwitch unit:
config switch-controller security-policy local-access
    edit {default | <policy_name>}
        set mgmt-allowaccess <options> snmp
        set internal-allowaccess <options> snmp
    next
end

To configure the SNMP system information globally:
config switch-controller snmp-sysinfo
    set status enable
    set engine-id <local_SNMP_engine_ID (the maximum is 24 characters)>
    set description <system_description>
    set contact-info <contact_information>
    set location <FortiGate_location>
end
NOTE: Each SNMP engine maintains a value, snmpEngineID, which uniquely identifies the SNMP engine. This value is included in each message sent to or from the SNMP engine. The engine-id is part of the snmpEngineID but does not include the Fortinet prefix 0x8000304404.
To configure the SNMP community globally:
config switch-controller snmp-community
    edit <SNMP_community_entry_identifier>
        set name <SNMP_community_name>
        set status enable
        set query-v1-status enable
        set query-v1-port <0-65535; the default is 161>
        set query-v2c-status enable
        set query-v2c-port <0-65535; the default is 161>
        set trap-v1-status enable
        set trap-v1-lport <0-65535; the default is 162>
        set trap-v1-rport <0-65535; the default is 162>
        set trap-v2c-status enable
        set trap-v2c-lport <0-65535; the default is 162>
        set trap-v2c-rport <0-65535; the default is 162>
        set events {cpu-high mem-low log-full intf-ip ent-conf-change}
        config hosts
            edit <host_entry_ID>
                set ip <IPv4_address_of_the_SNMP_manager>
            next
        end
    next
end
To configure the SNMP trap threshold values globally:
config switch-controller snmp-trap-threshold
    set trap-high-cpu-threshold <percentage_value; the default is 80>
    set trap-low-memory-threshold <percentage_value; the default is 80>
    set trap-log-full-threshold <percentage_value; the default is 90>
end
To configure the SNMP user globally:
config switch-controller snmp-user
    edit <SNMP_user_name>
        set queries enable
        set query-port <0-65535; the default is 161>
        set security-level {auth-priv | auth-no-priv | no-auth-no-priv}
        set auth-proto {md5 | sha1 | sha224 | sha256 | sha384 | sha512}
        set auth-pwd <password_for_authentication_protocol>
        set priv-proto {aes128 | aes192 | aes192c | aes256 | aes256c | des}
        set priv-pwd <password_for_encryption_protocol>
    next
end
Configuring SNMP locally
To configure SNMP for a specific FortiSwitch unit:
1. Configure the SNMP system information.
2. Configure the SNMP community.
3. Configure the SNMP trap threshold values.
4. Configure the SNMP user.
Starting in FortiSwitchOS 7.0.0, you can set up one or more SNMP v3 notifications (traps) in the CLI. The following notifications are supported:
• The CPU usage is too high.
• The configuration of an entity was changed.
• The IP address for an interface was changed.
• The available log space is low.
• The available memory is low.
By default, all SNMP notifications are enabled. Notifications are sent to one or more IP addresses.
To configure the SNMP system information locally:
config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        set override-snmp-sysinfo enable
        config snmp-sysinfo
            set status enable
            set engine-id <local_SNMP_engine_ID (the maximum is 24 characters)>
            set description <system_description>
            set contact-info <contact_information>
            set location <FortiGate_location>
        end
    next
end
NOTE: Each SNMP engine maintains a value, snmpEngineID, which uniquely identifies the SNMP engine. This value is included in each message sent to or from the SNMP engine. The engine-id is part of the snmpEngineID but does not include the Fortinet prefix 0x8000304404.
To configure the SNMP community locally:
config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        set override-snmp-community enable
        config snmp-community
            edit <SNMP_community_entry_identifier>
                set name <SNMP_community_name>
                set status enable
                set query-v1-status enable
                set query-v1-port <0-65535; the default is 161>
                set query-v2c-status enable
                set query-v2c-port <0-65535; the default is 161>
                set trap-v1-status enable
                set trap-v1-lport <0-65535; the default is 162>
                set trap-v1-rport <0-65535; the default is 162>
                set trap-v2c-status enable
                set trap-v2c-lport <0-65535; the default is 162>
                set trap-v2c-rport <0-65535; the default is 162>
                set events {cpu-high mem-low log-full intf-ip ent-conf-change}
                config hosts
                    edit <host_entry_ID>
                        set ip <IPv4_address_of_the_SNMP_manager>
                    next
                end
            next
        end
    next
end
To configure the SNMP trap threshold values locally:
config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        set override-snmp-trap-threshold enable
        config snmp-trap-threshold
            set trap-high-cpu-threshold <percentage_value; the default is 80>
            set trap-low-memory-threshold <percentage_value; the default is 80>
            set trap-log-full-threshold <percentage_value; the default is 90>
        end
    next
end
To configure the SNMP user locally:
config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        set override-snmp-user enable
        config snmp-user
            edit <SNMP_user_name>
                set queries enable
                set query-port <0-65535; the default is 161>
                set security-level {auth-priv | auth-no-priv | no-auth-no-priv}
                set auth-proto {md5 | sha1 | sha224 | sha256 | sha384 | sha512}
                set auth-pwd <password_for_authentication_protocol>
                set priv-proto {aes128 | aes192 | aes192c | aes256 | aes256c | des}
                set priv-pwd <password_for_encryption_protocol>
            next
        end
    next
end
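The snmp-user and snmp-community blocks documented above (globally and locally) offer security levels and protocols of very different strength. As an added example that is not Fortinet code, the following Python audit parses those two tables as they would appear in a saved FortiGate configuration and reports entries a reviewer would want changed: users not at auth-priv, md5/sha1/des, default community names, and v1/v2c queries. It assumes that an entry without a status line is enabled.

```python
"""Audit FortiOS switch-controller SNMP blocks for weak settings (added example)."""
import re

# Constructed sample configuration (not captured from a device): one hardened
# SNMPv3 user, one legacy user, one default-named community with v1/v2c
# queries open, and one community used only for traps.
SAMPLE_CONFIG = """\
config switch-controller snmp-user
    edit "netmon"
        set queries enable
        set security-level auth-priv
        set auth-proto sha256
        set priv-proto aes256
    next
    edit "legacy-poller"
        set queries enable
        set security-level auth-no-priv
        set auth-proto md5
    next
end
config switch-controller snmp-community
    edit 1
        set name "public"
        set status enable
        set query-v1-status enable
        set query-v2c-status enable
    next
    edit 2
        set name "traps-only"
        set status enable
        set query-v1-status disable
        set query-v2c-status disable
        set trap-v2c-status enable
    next
end
"""

TABLE_RE = re.compile(r"^config switch-controller (snmp-user|snmp-community)$")
EDIT_RE = re.compile(r'^edit\s+"?([^"]+)"?$')
SET_RE = re.compile(r"^set\s+(\S+)\s+(.+)$")

WEAK_AUTH = {"md5", "sha1"}          # legacy HMAC choices in the auth-proto list
WEAK_PRIV = {"des"}                  # legacy cipher in the priv-proto list
DEFAULT_COMMUNITIES = {"public", "private"}


def parse_snmp_tables(text):
    """Return {table: {entry: {key: value}}} for the snmp-user/snmp-community tables."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := TABLE_RE.match(line):
            table = m.group(1)
            tables.setdefault(table, {})
        elif table is None:
            continue                  # outside the tables we care about
        elif m := EDIT_RE.match(line):
            entry = m.group(1)
            tables[table][entry] = {}
        elif (m := SET_RE.match(line)) and entry is not None:
            tables[table][entry][m.group(1)] = m.group(2).strip('"')
        elif line == "next":
            entry = None
        elif line == "end":
            table, entry = None, None
    return tables


def audit_snmp_config(text):
    """Return (table, entry, finding) tuples; an empty list means nothing weak was found."""
    findings = []
    tables = parse_snmp_tables(text)
    for name, cfg in tables.get("snmp-user", {}).items():
        level = cfg.get("security-level")
        if level != "auth-priv":
            findings.append(("snmp-user", name,
                             f"security-level is {level or 'not set'}; expected auth-priv"))
        if cfg.get("auth-proto") in WEAK_AUTH:
            findings.append(("snmp-user", name, f"weak auth-proto {cfg['auth-proto']}"))
        if level == "auth-priv" and cfg.get("priv-proto") in WEAK_PRIV:
            findings.append(("snmp-user", name, f"weak priv-proto {cfg['priv-proto']}"))
    for ident, cfg in tables.get("snmp-community", {}).items():
        if cfg.get("status", "enable") != "enable":   # absent status assumed enabled
            continue
        name = cfg.get("name", "")
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append(("snmp-community", ident, f"default community name {name!r}"))
        if "enable" in (cfg.get("query-v1-status"), cfg.get("query-v2c-status")):
            findings.append(("snmp-community", ident,
                             "v1/v2c queries enabled; the community string travels in cleartext"))
    return findings


if __name__ == "__main__":
    for table, entry, finding in audit_snmp_config(SAMPLE_CONFIG):
        print(f"{table} {entry}: {finding}")
```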
SNMP OIDs
Three SNMP OIDs have been added to the FortiOS enterprise MIB 2 tables in FortiOS 7.0.1. They report the FortiSwitch port status and FortiSwitch CPU and memory statistics.

SNMP OID | Description
fgSwDeviceInfo.fgSwDeviceTable.fgSwDeviceEntry.fgSwDeviceEntry.fgSwCpu 1.3.6.1.4.1.12356.101.24.1.1.1.11 | Percentage of the CPU being used.
fgSwDeviceInfo.fgSwDeviceTable.fgSwDeviceEntry.fgSwDeviceEntry.fgSwMemory 1.3.6.1.4.1.12356.101.24.1.1.1.12 | Percentage of memory being used.
fgSwPortInfo.fgSwPortTable.fgSwPortEntry.fgSwPortStatus 1.3.6.1.4.1.12356.101.24.2.1.1.6 | Whether a managed FortiSwitch port is up or down.

These OIDs require FortiSwitchOS 7.0.0 or higher. FortiLink and SNMP must be configured on the FortiGate device.
FortiSwitch units update the CPU and memory statistics every 30 seconds. This interval cannot be changed.
FortiOS versions 6.4.2 through 7.0.0 show the port status in the configuration management database (CMDB) for managed ports; FortiOS 7.0.1 and higher show the link status that has been retrieved from the switch port as the port status for managed ports.

Sample queries
To find out how much CPU is being used on a FortiSwitch 1024D with the serial number FS1D243Z17000032:
root@PC05:~# snmpwalk -v2c -Cc -c REGR-SYS 172.16.200.1 1.3.6.1.4.1.12356.101.24.1.1.1.11.2.8.17000032
To find out how much memory is being used on a FortiSwitch 1024D with the serial number FS1D243Z17000032:
root@PC05:~# snmpwalk -v2c -Cc -c REGR-SYS 172.16.200.1 1.3.6.1.4.1.12356.101.24.1.1.1.12.2.8.17000032
To find out the status of port1 of a FortiSwitch 1024D with the serial number FS1D243Z17000032:
root@PC05:~# snmpwalk -v2c -Cc -c REGR-SYS 172.16.200.1 1.3.6.1.4.1.12356.101.24.2.1.1.6.2.8.17000032.1

Configuring sFlow
sFlow is a method of monitoring the traffic on your network to identify areas on the network that might impact performance and throughput. With sFlow, you can export truncated packets and interface counters. FortiSwitch implements sFlow version 5 and supports trunks and VLANs.
NOTE: Because sFlow is CPU intensive, Fortinet does not recommend high rates of sampling for long periods.
sFlow uses packet sampling to monitor network traffic. The sFlow agent captures packet information at defined intervals and sends it to an sFlow collector for analysis, providing real-time data analysis. To minimize the impact on network throughput, the information sent is only a sampling of the data.

The sFlow collector is a central server running software that analyzes and reports on network traffic. The sampled packets and counter information, referred to as flow samples and counter samples, respectively, are sent as sFlow datagrams to a collector. Upon receiving the datagrams, the sFlow collector provides real-time analysis and graphing to indicate the source of potential traffic issues. sFlow collector software is available from a number of third-party software vendors. You must configure a FortiGate policy to transmit the samples from the FortiSwitch unit to the sFlow collector.
sFlow can monitor network traffic in two ways:
• Flow samples: You specify the percentage of packets (one out of n packets) to randomly sample.
• Counter samples: You specify how often (in seconds) the network device sends interface counters.
Use the following CLI commands to specify the IP address and port for the sFlow collector. By default, the IP address is 0.0.0.0, and the port number is 6343.
config switch-controller sflow
    set collector-ip <x.x.x.x>
    set collector-port <port_number>
end
Use the following CLI commands to configure sFlow:
config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        config ports
            edit <port_name>
                set sflow-sampler {disabled | enabled}
                set sflow-sample-rate <0-99999>
                set sflow-counter-interval <1-255>
            next
        end
    next
end
For example:
config switch-controller sflow
    set collector-ip 1.2.3.4
    set collector-port 10
end
config switch-controller managed-switch
    edit S524DF4K15000024
        config ports
            edit port5
                set sflow-sampler enabled
                set sflow-sample-rate 10
                set sflow-counter-interval 60
            next
        end
    next
end
Configuring flow tracking and export
You can sample IP packets on managed FortiSwitch units and then export the data in NetFlow format or Internet Protocol Flow Information Export (IPFIX) format. You can choose to sample on a single ingress or egress port, on all FortiSwitch units, or on all FortiSwitch ingress ports.

When a new FortiSwitch unit or trunk port is added, the flow-tracking configuration is updated automatically based on the specified sampling mode. When a FortiSwitch port becomes part of an ISL or ICL or is removed, the flow-tracking configuration is updated automatically based on the specified sampling mode.
The maximum number of concurrent flows is defined by the FortiSwitch model. When this limit is exceeded, the oldest flow expires and is exported.
Starting in FortiOS 7.2.0, you can configure multiple flow-export collectors using the config collectors command. For each collector, you can specify the collector IP address, the collector port number, and the collector layer-4 transport protocol for exporting packets.
Using multiple flow-export collectors requires FortiSwitchOS 7.0.0 or later. If you are using an earlier version of FortiSwitchOS, only the first flow-export collector is supported.
Starting in FortiOS 7.2.0 with FortiSwitchOS 7.2.0, you can specify how often a template packet is sent using the set template-export-period command. By default, a template packet is sent every 5 minutes. The range of values is 1 to 60 minutes.
Configuring flow tracking
To configure flow tracking on managed FortiSwitch units:
config switch-controller flow-tracking
    set sample-mode {local | perimeter | device-ingress}
    set sample-rate <0-99999>
    set format {netflow1 | netflow5 | netflow9 | ipfix}
    set level {vlan | ip | port | proto}
    set max-export-pkt-size <512-9216 bytes; default is 512>
    set template-export-period <1-60 minutes; default is 5>
    set timeout-general <60-604800 seconds; default is 3600>
    set timeout-icmp <60-604800 seconds; default is 300>
    set timeout-max <60-604800 seconds; default is 604800>
    set timeout-tcp <60-604800 seconds; default is 3600>
    set timeout-tcp-fin <60-604800 seconds; default is 300>
    set timeout-tcp-rst <60-604800 seconds; default is 120>
    set timeout-udp <60-604800 seconds; default is 300>
    config collectors
        edit <collector_name>
            set ip <IPv4_address>
            set port <0-65535>
            set transport {udp | tcp | sctp}
        next
    end
    config aggregates
        edit <aggregate_ID>
            set ip <IPv4_address>
        next
    end
end
For example:
config switch-controller flow-tracking
    config collectors
        edit "Analyzer_1"
            set ip 172.16.201.55
            set port 4739
            set transport sctp
        next
        edit "Collector_HQ"
            set ip 172.16.116.82
            set port 2055
        next
    end
    set template-export-period 10
end
Configure the sampling mode
You can set the sampling mode to local, perimeter, or device-ingress.
• The local mode samples packets on a specific FortiSwitch port.
• The perimeter mode samples packets on all FortiSwitch ports that receive data traffic, except for ISL and ICL ports. For perimeter mode, you can also configure the sampling rate.
• The device-ingress mode samples packets on all FortiSwitch ports that receive data traffic for hop-by-hop tracking. For device-ingress mode, you can also configure the sampling rate.
Configure the sampling rate
For perimeter or device-ingress sampling, you can set the sampling rate, which samples 1 out of the specified number of packets. The default sampling rate is 1 out of 512 packets.
Configure the flow-tracking protocol
You can set the format of exported flow data as NetFlow version 1, NetFlow version 5, NetFlow version 9, or IPFIX sampling.
Configure collector IP address
The default is 0.0.0.0. Setting the value to "0.0.0.0" or "" disables this feature. The format is xxx.xxx.xxx.xxx.
Configure the transport protocol
You can set exported packets to use UDP, TCP, or SCTP for transport.
Configure the flow-tracking level
You can set the flow-tracking level to one of the following:
• vlan: The FortiSwitch unit collects source IP address, destination IP address, source port, destination port, protocol, Type of Service, and VLAN from the sample packet.
• ip: The FortiSwitch unit collects source IP address and destination IP address from the sample packet.
• port: The FortiSwitch unit collects source IP address, destination IP address, source port, destination port, and protocol from the sample packet.
• proto: The FortiSwitch unit collects source IP address, destination IP address, and protocol from the sample packet.

Configure the maximum exported packet size
You can set the maximum size of exported packets in the application level.
To remove flow reports from a managed FortiSwitch unit:
execute switch-controller switch-action flow-tracking {delete-flows-all | expire-flows-all} <FortiSwitch_serial_number>
Expired flows are exported.
To view flow statistics for a managed FortiSwitch unit:
diagnose switch-controller switch-info flow-tracking statistics <FortiSwitch_serial_number>
To view raw flow records for a managed FortiSwitch unit:
diagnose switch-controller switch-info flow-tracking flows-raw <FortiSwitch_serial_number>
To view flow record data for a managed FortiSwitch unit:
diagnose switch-controller switch-info flow-tracking flows {number_of_records | all} {IP_address | all} <FortiSwitch_serial_number> <FortiSwitch_port_name>
For example:
diagnose switch-controller switch-info flow-tracking flows 100 all S524DF4K15000024 port6
To check the status of the flow collector on a managed FortiSwitch unit:
diagnose switch-controller flow-collector status
For example:
FGT_A (vdom1) # diagnose switch-controller flow-collector status
status           : enabled
interface        : port11
netflow packets  : 1300
unknown packets  : 0
flows            : 42
flows filtered   : 201
flowsets skipped : 17129
Using the FortiView Internal Hubs monitor
Starting in FortiOS 7.2.4 with FortiSwitchOS 7.2.3, you can use the FortiView Internal Hubs monitor in FortiOS to monitor the connections between devices in private networks, as specified in RFC 1918 (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16). The FortiView Internal Hubs monitor reports the IP addresses and the number of bytes collected from devices behind a FortiSwitch unit. If you drill down on one of the devices, you can see a chart displaying the devices and how they are connected.

To use the FortiView Internal Hubs monitor:
• The IP address for the flow collector (collector-ip) must be the same IP address as the FortiLink interface.
• The FortiGate model must have a hard drive, and you must enable historical FortiView and disk logging in the Log & Report > Log Settings page.
• FortiAnalyzer is not supported.
To enable the FortiView Internal Hubs monitor on a managed FortiSwitch unit:
config system interface
    edit <FortiLink_interface>
        set ip <IP_address_and_netmask>
        set switch-controller-netflow-collect enable
    next
end
config switch-controller flow-tracking
    config collectors
        edit <name>
            set ip <FortiLink_interface_IPv4_address>
        next
    end
end
To add the FortiView Internal Hubs monitor:
1. Under Dashboard, click + to add a monitor.
2. In the Add Monitor pane, click the + by FortiView Internal Hubs.
3. From the FortiGate dropdown list, select which FortiGate device to monitor.
4. From the Time Period dropdown list, select how long to monitor (5 minutes, 1 hour, or 24 hours).
5. Click Add Monitor.
6. Under Dashboard, select FortiView Internal Hubs to display the FortiView Internal Hubs page.
7. Right-click on one of the devices and select Drill Down to Details.
8. You can select the Chart or Table tab to change how the details are displayed.


Configuring flow control and ingress pause metering
Flow control allows you to configure a port to send or receive a "pause frame" (that is, a special packet that signals a source to stop sending flows for a specific time interval because the buffer is full). By default, flow control is disabled on all ports.
config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        config ports
            edit <port_name>
                set flow-control {both | rx | tx | disable}
            next
        end
    next
end
Parameters enable flow control to do the following:
• rx: receive pause control frames
• tx: transmit pause control frames
• both: transmit and receive pause control frames
If you enable flow control to transmit pause control frames or to transmit and receive pause control frames, you can also use ingress pause metering to limit the input bandwidth of an ingress port. Because ingress pause metering stops the traffic temporarily instead of dropping it, ingress pause metering can provide better performance than policing when the port is connected to a server or end station. To use ingress pause metering, you need to set the ingress metering rate in kilobits and set the percentage of the threshold for resuming traffic on the ingress port.
config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        config ports
            edit <port_name>
                set flow-control {tx | both}
                set pause-meter <128-2147483647; set to 0 to disable>
                set pause-meter-resume {25% | 50% | 75%}
            next
        end
    next
end
For example:
config switch-controller managed-switch
    edit S424ENTF19000007
        config ports
            edit port29
                set flow-control tx
                set pause-meter 900
                set pause-meter-resume 50%
            next
        end
    next
end

Operation and maintenance
This section covers the following topics:
• Defining names for managed switches on page 269
• Discovering, authorizing, and deauthorizing FortiSwitch units on page 271
• Managed FortiSwitch display on page 274
• FortiSwitch clients on page 278
• Diagnostics and tools on page 280
• FortiSwitch ports display on page 283
• FortiSwitch per-port device visibility on page 283
• Displaying, resetting, and restoring port statistics on page 284
• Managing DSL transceivers (FN-TRAN-DSL) on page 288
• Network interface display on page 290
• Data statistics on page 290
• Synchronizing the FortiGate unit with the managed FortiSwitch units on page 291
• Viewing and upgrading the FortiSwitch firmware version on page 292
• Firmware upgrade of stacked or tiered FortiSwitch units on page 293
• Configuring automatic federated firmware updates on page 297
• Canceling pending or downloading FortiSwitch upgrades on page 299
• Configuring automatic backups on page 299
• Registering FortiSwitch to FortiCloud on page 300
• Replacing a managed FortiSwitch unit on page 302
• Executing custom FortiSwitch scripts on page 309
• Resetting PoE-enabled ports on page 310
Defining names for managed switches
Starting in FortiOS 7.4.0, you can use names for managed FortiSwitch units in switch-controller CLI commands. The user-defined name is also used in the FortiOS GUI and logs. The FortiSwitch unit's serial number is saved in a new read-only field. Follow these rules for defining a managed FortiSwitch name:
• The name can be a maximum of 16 characters in length.
• Use numbers (0-9), letters (a-z and A-Z), dashes, and underscores for the managed FortiSwitch name.
When you upgrade from FortiOS 7.4.0, the FortiSwitch unit's serial number is used as the managed FortiSwitch name if a managed FortiSwitch name has not been defined. If you downgrade from FortiOS 7.4.0 to FortiOS 6.4.x, the managed FortiSwitch name is changed to the FortiSwitch unit's serial number.

Using the GUI
1. Go to WiFi & Switch Controller > Managed FortiSwitches.
2. Select an unauthorized FortiSwitch unit and then click Edit.
3. In the Name field, enter a name for the managed FortiSwitch unit.
4. Click OK to save the new name.
Using the CLI
config switch-controller managed-switch
    rename <FortiSwitch_serial_number> to <managed_FortiSwitch_name>
end
For example:
config switch-controller managed-switch
    rename S524DN4K16000116 to Distribution
end
Other CLI changes
In FortiOS 7.4.0, the following CLI changes were made:
• When you pre-configure a managed switch, you must use the set sn command under config switch-controller managed-switch to store the FortiSwitch serial number. For example:
config switch-controller managed-switch
    edit switch1
        set sn S524DNTV21000212
        set fsw-wan1-peer fortilink
        set fsw-wan1-admin enable
    next
end
• The execute switch-controller get-sync-status switch-id <managed_FortiSwitch_name> command uses the user-defined switch name, and the execute switch-controller get-sync-status serial <FortiSwitch_serial_number> command uses the FortiSwitch serial number. For example:
execute switch-controller get-sync-status serial S524DN4K16000116
execute switch-controller get-sync-status switch-id Racktray-127
• There is a new set isl-peer-device-sn command under config switch-controller managed-switch to store the serial number of the ISL peer device. For example:
config switch-controller managed-switch
    edit Distribution
        config ports
            edit port2
                set isl-local-trunk-name isltrunk1
                set isl-peer-port-name port23
                set isl-peer-device-name islpeerswitch
                set isl-peer-device-sn S124EN5918003682
            next
        end
    next
end
• The following switch-controller CLI commands now use the user-defined FortiSwitch name:

• diagnose switch-controller trigger config-sync <managed_FortiSwitch_name>
• execute switch-controller get-conn-status
• execute switch-controller get-physical-conn standard <port_name>
• execute switch-controller get-sync-status all
• execute switch-controller get-upgrade-status
Discovering, authorizing, and deauthorizing FortiSwitch units
This section covers the following topics:
• Editing a managed FortiSwitch unit on page 271
• Adding preauthorized FortiSwitch units on page 271
• Using wildcard serial numbers to pre-authorize FortiSwitch units on page 272
• Authorizing the FortiSwitch unit on page 273
• Deauthorizing FortiSwitch units on page 273
• Converting to FortiSwitch standalone mode on page 273
Editing a managed FortiSwitch unit
To edit a managed FortiSwitch unit:
1. Go to WiFi & Switch Controller > Managed FortiSwitch.
2. Click on the FortiSwitch unit and then click Edit, or right-click on a FortiSwitch unit and select Edit.
From the Edit Managed FortiSwitch form, you can:
• Change the Name and Description of the FortiSwitch unit.
• View the Status of the FortiSwitch unit.
• Restart the FortiSwitch.
• Authorize or deauthorize the FortiSwitch unit.
• Update the firmware running on the switch.
• Override 802.1x settings, including the reauthentication interval, maximum reauthentication attempts, and link-down action.
Adding preauthorized FortiSwitch units
After you preauthorize a FortiSwitch unit, you can assign the FortiSwitch ports to a VLAN.
To preauthorize a FortiSwitch:
1. Go to WiFi & Switch Controller > Managed FortiSwitch.
2. Click Create New.
3. In the New Managed FortiSwitch page, enter the serial number, model name, and description of the FortiSwitch.
4. Move the Authorized slider to the right.
5. Select OK. The Managed FortiSwitch page lists the preauthorized switch.


Using wildcard serial numbers to pre-authorize FortiSwitch units

You can now use asterisks as a wildcard character when you pre-authorize FortiSwitch units. Using a FortiSwitch template, you can name the managed switch and configure the ports. When the FortiSwitch unit is turned on and discovered by the FortiGate device, the wildcard serial number is replaced by the actual serial number and the settings in the FortiSwitch template are applied to the discovered FortiSwitch unit.
When you create the FortiSwitch template, use the following format for the wildcard serial number:
PREFIX****nnnnnn
PREFIX: The first six digits of a valid FortiSwitch serial number, such as S248EP, S124EN, S548DF, and S524DF.
****: Asterisks are the only wildcard characters allowed. You can have any number of asterisks, as long as ****nnnnnn is no longer than 10 characters.
nnnnnn: You can have any number of valid alphanumeric characters, as long as ****nnnnnn is no longer than 10 characters.

To pre-authorize FortiSwitch units using a FortiSwitch template:
1. Create a FortiSwitch template.
config switch-controller managed-switch
    edit <PREFIX****nnnnnn>
        ...
    next
end
For example:
config switch-controller managed-switch
    edit "S248EP****000000"
        set name "fortilink-FSW248EP1"
        set fsw-wan1-peer "fortilink"
        .......
        config ports
            edit "port1"
                set vlan "onboarding"
                set allowed-vlans "quarantine" "nac_segment"
                set untagged-vlans "quarantine" "nac_segment"
                set access-mode nac
                set export-to "root"
            next
            edit "port2"
                set vlan "_default"
                set allowed-vlans "quarantine"
                set untagged-vlans "quarantine"
                set access-mode dynamic
                set port-policy "aggr1"
                set export-to "root"
            next
        end
    next
end
2. Turn on the FortiSwitch unit so that the FortiGate device will discover it.

The FortiSwitch unit is matched with the FortiSwitch template using the order of entries in the CMDB table from top to bottom. The settings in the FortiSwitch template are applied to the discovered FortiSwitch unit. Once a match is made for a wildcard entry, that particular entry is consumed.
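The template format and matching rules above (six-character prefix, asterisks as the only wildcard, at most 10 characters after the prefix, entries tried in CMDB order from top to bottom, and an entry consumed once it matches) are shown below as an added Python example; it is not Fortinet code. It assumes that an asterisk matches any run of characters, which the page does not state, and the serial numbers in the test table are constructed.

```python
"""Validate wildcard serial templates and match discovered switches (added example)."""
import re

PREFIX_LEN = 6        # "the first six digits of a valid FortiSwitch serial number"
MAX_SUFFIX_LEN = 10   # "****nnnnnn is no longer than 10 characters"


def validate_template(entry):
    """Return None when `entry` is a valid wildcard template, else the reason it is not."""
    if len(entry) <= PREFIX_LEN:
        return "shorter than the 6-character prefix"
    prefix, suffix = entry[:PREFIX_LEN], entry[PREFIX_LEN:]
    if not prefix.isalnum():
        return "prefix must be alphanumeric"
    if len(suffix) > MAX_SUFFIX_LEN:
        return "suffix exceeds 10 characters"
    if not re.fullmatch(r"[A-Za-z0-9*]+", suffix):
        return "only alphanumerics and asterisks are allowed after the prefix"
    if "*" not in suffix:
        return "no asterisk: this is a literal serial number, not a template"
    return None


def template_to_regex(entry):
    """Translate a template to a regex; '*' is assumed to match any run of characters."""
    parts = [re.escape(p) for p in entry.split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


class ManagedSwitchTable:
    """Ordered managed-switch entries, matched top to bottom like the CMDB table."""

    def __init__(self, entries):
        for e in entries:
            if "*" in e:
                reason = validate_template(e)
                if reason:
                    raise ValueError(f"{e}: {reason}")
        self.entries = list(entries)

    def discover(self, serial):
        """Return the entry that matched `serial`, or None.

        A literal entry matches only itself. A wildcard entry matches once and is
        then replaced by the real serial number, so it cannot match a second switch.
        """
        for i, entry in enumerate(self.entries):
            if "*" not in entry:
                if entry == serial:
                    return entry
                continue
            if template_to_regex(entry).match(serial):
                self.entries[i] = serial      # the wildcard entry is consumed
                return entry
        return None


if __name__ == "__main__":
    # Constructed serial numbers, not real devices.
    table = ManagedSwitchTable(["S248EP****000001", "S248EP**********"])
    print(table.discover("S248EPTF18000001"))   # first template consumed
    print(table.discover("S248EPTF18000002"))   # falls through to the second
    print(table.entries)
```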
Authorizing the FortiSwitch unit
If you configured the FortiLink interface to manually authorize the FortiSwitch unit as a managed switch, perform the following steps:
1. Go to WiFi & Switch Controller > Managed FortiSwitch.
2. Optionally, click on the FortiSwitch faceplate and click Authorize. This step is required only if you disabled the automatic authorization field of the interface.
Deauthorizing FortiSwitch units
A device can be deauthorized to remove it from the Security Fabric.
To deauthorize a device:
1. On the root FortiGate, go to Security Fabric > Fabric Connectors.
2. In the topology tree, click the device and select Deauthorize.
After devices are deauthorized, the devices' serial numbers are saved in a trusted list that can be viewed in the CLI using the show system csf command. For example, this result shows a deauthorized FortiSwitch:
show system csf
config system csf
    set status enable
    set group-name "Office-Security-Fabric"
    set group-password ENC 1Z2X345V678
    config trusted-list
        edit "FGT6HD391806070"
        next
        edit "S248DF3X17000482"
            set action deny
        next
    end
end
Converting to FortiSwitch standalone mode
Use one of the following commands to convert a FortiSwitch from FortiLink mode to standalone mode so that it will no longer be managed by a FortiGate:
• execute switch-controller factory-reset <switch-id>: This command returns the FortiSwitch to the factory defaults and then reboots the FortiSwitch. If the FortiSwitch is configured for FortiLink auto-discovery, FortiGate can detect and automatically authorize the FortiSwitch. For example:
execute switch-controller factory-reset S1234567890
• execute switch-controller switch-action set-standalone <switch-id>: This command returns the FortiSwitch to the factory defaults, reboots the FortiSwitch, and prevents the FortiGate from automatically detecting and authorizing the FortiSwitch. For example:
execute switch-controller switch-action set-standalone S1234567890
You can disable FortiLink auto-discovery on multiple FortiSwitch units using the following commands:
config switch-controller global
    set disable-discovery <switch-id>
end
For example:
config switch-controller global
    set disable-discovery S1234567890
end
You can also add or remove entries from the list of FortiSwitch units that have FortiLink auto-discovery disabled using the following commands:
config switch-controller global
    append disable-discovery <switch-id>
    unselect disable-discovery <switch-id>
end
For example:
config switch-controller global
    append disable-discovery S012345678
    unselect disable-discovery S1234567890
end
Managed FortiSwitch display
Go to WiFi & Switch Controller > Managed FortiSwitch to see all of the switches being managed by your FortiGate. Select Topology from the drop-down menu in the upper right corner to see which devices are connected. When the FortiLink is established successfully, the status is green (next to the FortiGate interface name and on the FortiSwitch faceplate), and the link between the ports is a solid line.

If the link has gone down for some reason, the line will be dashed, and a broken link icon will appear. You can still edit the FortiSwitch unit, though, and find more information about the status of the switch. The link to the FortiSwitch unit might be down for a number of reasons; for example, a problem with the cable linking the two devices, firmware versions being out of sync, and so on. You need to make sure the firmware running on the FortiSwitch unit is compatible with the firmware running on the FortiGate unit. From the Managed FortiSwitch page, you can edit any of the managed FortiSwitch units, remove a FortiSwitch unit from the configuration, refresh the display, connect to the CLI of a FortiSwitch unit, or deauthorize a FortiSwitch unit.
Cloud icon indicates that the FortiSwitch unit is managed over layer 3
A new cloud icon indicates when the FortiSwitch unit is being managed over layer 3. The cloud icon is displayed in two places in the GUI. Go to WiFi Controller > Managed FortiSwitch and select Topology. In the following figure, the cloud icon over the connection line indicates that S548DF4K16000730 is being managed over layer 3.

Go to Security Fabric > Physical Topology. In the following figure, the cloud icon over the connection line indicates that S548DF4K16000730 is being managed over layer 3.

Re-ordering FortiSwitch units in the Topology view
Starting in FortiOS 7.0.1, you can change the order in which FortiSwitch units are displayed in the Topology view.

To rearrange the FortiSwitch units in the GUI:
1. Go to WiFi & Switch Controller > Managed FortiSwitches.
2. In the View dropdown list, select Topology.
3. Click Reorder or the double-arrow button next to the FortiSwitch serial number.

4. In the Change FortiSwitch Order window, drag-and-drop each FortiSwitch unit to change the order.

5. If you want FortiOS to determine the arrangement with the fewest edge crossings, click Auto-arrange FortiLink Stack in the Change FortiSwitch Order window and then click OK in the Confirm window.
To rearrange the FortiSwitch units in the FortiOS CLI:
config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        move <FortiSwitch_serial_number1> before <FortiSwitch_serial_number2>
    next
end
FortiSwitch_serial_number1 is now listed above FortiSwitch_serial_number2.
FortiSwitch clients
Starting in FortiOS 7.2.0, the new WiFi & Switch Controller > FortiSwitch Clients page lists all devices connected to the FortiSwitch unit for a particular VDOM.

Double-click a row to display the Device Info pane.

The Device Info pane displays the NAC policies and dynamic port policies that the device matches. From the Actions dropdown menu, you can do the following:
- Create a firewall device address.
- Quarantine the host.
Hover over the device name in the FortiSwitch Clients page to get more details.

From the detail window, you can do the following:
- Create a firewall device address.
- Create a firewall IP address.
- Quarantine the host.
To create the firewall device address:
1. Click Firewall Device Address.
2. In the Name field, enter a name for the firewall device address.
3. Click Change if you want a different color for the icon on the GUI.
4. If you want a different MAC address or range of MAC addresses, click + and then enter the MAC address or range of MAC addresses.
5. From the Interface dropdown list, select an interface.
6. In the Comments field, enter a description of the firewall device address.
7. Click OK.
To create the firewall IP address:
1. Click Firewall IP Address.
2. In the Name field, enter a name for the firewall IP address.
3. Click Change if you want a different color for the icon on the GUI.
4. In the IP/Netmask field, change the value as needed.
5. From the Interface dropdown list, select an interface.
6. Enable or disable Static route configuration.
7. In the Comments field, enter a description of the firewall device address.
8. Click OK.
To quarantine the host:
1. Click Quarantine Host.
2. In the Description field, enter the reason for quarantining the host.
3. Click OK.
Diagnostics and tools
The Diagnostics and Tools pane reports the general health of the FortiSwitch unit, displays details about the FortiSwitch unit, and allows you to run diagnostic tests.


To view the Diagnostics and Tools pane:
1. Go to WiFi & Switch Controller > Managed FortiSwitch.
2. Click on the FortiSwitch unit and then click Diagnostics and Tools.
From the Diagnostics and Tools pane, you can do the following:
- Authorize or deauthorize the FortiSwitch.
- Upgrade the firmware running on the switch.
- Restart the FortiSwitch unit.
- Connect to CLI to run CLI commands.
- Show in List to return to the WiFi & Switch Controller > Managed FortiSwitch page.
- Go to the Edit Managed FortiSwitch form.
- Start or stop the LED Blink to identify a specific FortiSwitch unit. See Making the LEDs blink on page 282.
- Display a list of FortiSwitch ports and trunks and configuration details.
- Run a Cable Test on a selected port. See Running the cable test on page 282.
- View the Logs for the FortiSwitch unit.
- Use the Clients tab to list the clients connected to each port of the selected FortiSwitch unit.

- Click the Legend button in the General pane to display the Health Thresholds pane, which lists the thresholds for the good, fair, and poor ratings of the general health, port health, and MC-LAG health.
You can also access the Diagnostics and Tools pane from the Security Fabric > Physical Topology page.
Making the LEDs blink
When you have multiple FortiSwitch units and need to locate a specific switch, you can flash all port LEDs on and off for a specified number of minutes.
To identify a specific FortiSwitch unit:
1. Go to WiFi & Switch Controller > Managed FortiSwitch.
2. Click on the FortiSwitch unit and then click Diagnostics and Tools.
3. Select LED Blink > Start and then select 5 minutes, 15 minutes, 30 minutes, or 60 minutes.
4. After you locate the FortiSwitch unit, select LED Blink > Stop.
NOTE: For the 5xx switches, LED Blink flashes only the SFP port LEDs, instead of all the port LEDs.
Running the cable test
NOTE: Running cable diagnostics on a port that has the link up interrupts the traffic for several seconds.
You can check the state of cables connected to a specific port. The following pair states are supported:
- Open
- Short
- Ok
- Open_Short
- Unknown
- Crosstalk
If no cable is connected to the specific port, the state is Open, and the cable length is 0 meters.
Using the GUI:
1. Go to WiFi & Switch Controller > Managed FortiSwitch.
2. Click on the FortiSwitch unit and then click Diagnostics and Tools.
3. Select Cable Test.
4. Select a port.
5. Select Diagnose.
NOTE: There are some limitations for cable diagnostics on the FS-108E, FS-124E, FS-108E-POE, FS-108E-FPOE, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models:
- Crosstalk cannot be detected.
- There is a 5-second delay before results are displayed.
- The value for the cable length is inaccurate.
- The results are inaccurate for open and short cables.

FortiSwitch ports display
The WiFi & Switch Controller > FortiSwitch Ports page displays port information about each of the managed switches. The following figure shows the display for a FortiSwitch 248E-FPOE:

Select Faceplates to get the following information:
- active ports (green)
- PoE-enabled ports (blue rectangle)
- FortiLink port (link icon)
If your device has PoE, the Faceplates page displays the total power budget and the actual power currently allocated. The allocated power displays a blue bar for the used power (currently being consumed) and a green bar for the reserved power (power available for additional devices on the PoE ports). Each entry in the port list displays the following information:
- Port status (red for down, green for up)
- Port name
- If the port is a member of a trunk
- Access mode
- Enabled features
- Native VLAN
- Allowed VLANs
- PoE status
- Device information
- DHCP snooping status
- Transceiver information
FortiSwitch per-port device visibility
In the FortiGate GUI, User & Device > Device List displays a list of devices attached to the FortiSwitch ports. For each device, the table displays the IP address of the device and the interface (FortiSwitch name and port). From the CLI, the following command displays information about the host devices:
diagnose switch-controller mac-cache show <switch-id>

Displaying, resetting, and restoring port statistics
For the following commands, if the managed FortiSwitch unit is not specified, the command is applied to all ports of all managed FortiSwitch units.
To display port statistics using the GUI:
1. Go to WiFi & Switch Controller > FortiSwitch Ports.
2. Select a port.
3. Click View Statistics.
4. Click the Traffic tab to see transmitted and received traffic and transmitted and received frames. Click the Issues tab to see frame errors by type.

To display port statistics using the CLI:
diagnose switch-controller switch-info port-stats <managed FortiSwitch device ID> <port_name>
For example:
FG100D3G15817028 (global) # diagnose switch-controller switch-info port-stats S524DF4K15000024 port8
Vdom: dmgmt-vdom
Vdom: root
Vdom: root
S524DF4K15000024:
Port(port8) is Admin up, line protocol is down
  Interface Type is Serial Gigabit Media Independent Interface(SGMII/SerDes)
  Address is 08:5B:0E:F1:95:ED, loopback is not set
  MTU 9216 bytes, Encapsulation IEEE 802.3/Ethernet-II
  half-duplex, 0 Mb/s, link type is auto
  input : 0 bytes, 0 packets, 0 errors, 0 drops, 0 oversizes
          0 unicasts, 0 multicasts, 0 broadcasts, 0 unknowns
  output : 0 bytes, 0 packets, 0 errors, 0 drops, 0 oversizes
          0 unicasts, 0 multicasts, 0 broadcasts
          0 fragments, 0 undersizes, 0 collisions, 0 jabbers
Vdom: vdom-1
To reset the port statistics counters using the GUI:
1. Go to WiFi & Switch Controller > FortiSwitch Ports.
2. Select a port.
3. Click View Statistics.
4. Click Reset Port Statistics.

To reset the port statistics counters using the CLI:
diagnose switch-controller trigger reset-hardware-counters <managed FortiSwitch device ID> <port_name>
For example:
FG100D3G15817028 (global) # diagnose switch-controller trigger reset-hardware-counters S524DF4K15000024 1,3,port6-7
NOTE: This command is provided for debugging; accuracy is not guaranteed when the counters are reset. Resetting the counters might have a negative effect on monitoring tools, such as SNMP and FortiGate. The statistics gathered during the time when the counters are reset might be discarded.
To restore the port statistics counters of a managed FortiSwitch unit:
diagnose switch-controller trigger restore-hardware-counters <managed FortiSwitch device ID> <port_name>

For example:
FG100D3G15817028 (global) # diagnose switch-controller trigger restore-hardware-counters S524DF4K15000024 port10-port11,internal

Managing DSL transceivers (FN-TRAN-DSL)

A Procend 180-T DSL transceiver (FN-TRAN-DSL) that is plugged in to a FortiGate-managed FortiSwitch port can now be managed by a FortiGate unit. The management of the DSL transceiver and the FortiSwitch port includes the ability to program the physical-layer attributes on the DSL module, retrieve the status and statistics from the module, upgrade the module's firmware, and reset the module.
You can use the following FortiGate models to manage FN-TRAN-DSL: FG-80F, FG-81F, FG-80F-BP, FGR-60F, FGR-60F-3G4G, FG-60F, and FG-40F-3G4G. The FortiSwitch unit must be running FortiSwitchOS 7.0.1, build 0038 or later. A FortiSwitch unit running in standalone mode cannot program the physical-layer attributes on the DSL module.

To create a DSL policy:

config switch-controller dsl policy
    edit <DSL_policy_name>
        set type Procend
        set us-bitswap {enable | disable}
        set ds-bitswap {enable | disable}
        set profile {auto-30a | auto-17a | auto-12ab}
        set cs {A43, B43, A43C, V43}
        set pause-frame {enable | disable}
        set cpe_aele {enable | disable}
        set cpe_aele-mode {ELE_M0 | ELE_DS | ELE_PB | ELE_MIN}
        set append_padding {enable | disable}
    next
end

Option                                              Description                                                                                                    Default value
<DSL_policy_name>                                   Enter a name for the DSL policy.                                                                               No default
type Procend                                        You can only select the Procend type.                                                                          Procend
us-bitswap {enable | disable}                       Enable or disable whether the upstream bits are exchanged.                                                     enable
ds-bitswap {enable | disable}                       Enable or disable whether the downstream bits are exchanged.                                                   enable
profile {auto-30a | auto-17a | auto-12ab}           Select which very-high-bit-rate digital subscriber line (VDSL) customer premises equipment (CPE) profile to use.   auto-30a
cs {A43, B43, A43C, V43}                            Select which CPE carrier set to use.                                                                           A43 B43 A43C
pause-frame {enable | disable}                      Enable or disable device pause frames.                                                                         enable
cpe_aele {enable | disable}                         Enable or disable CPE alternative electrical length estimation (AELE) mode.                                    enable
cpe_aele-mode {ELE_M0 | ELE_DS | ELE_PB | ELE_MIN}  Select the CPE AELE mode to use.                                                                               ELE_MIN
append_padding {enable | disable}                   Enable or disable whether to append padding.                                                                   enable

To specify the DSL policy to use:
config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        config ports
            edit <port>
                set dsl-profile <DSL_policy_name>
            next
        end
    next
end

To display DSL statistics:
get switch-controller dsl link-time <FortiSwitch_serial_number> <port_name>
get switch-controller dsl pkt-count <FortiSwitch_serial_number> <port_name>
get switch-controller dsl pm-line-curr <FortiSwitch_serial_number> <port_name>
get switch-controller dsl policy
get switch-controller dsl rate <FortiSwitch_serial_number> <port_name>
get switch-controller dsl status <FortiSwitch_serial_number> <port_name>
get switch-controller dsl summary <FortiSwitch_serial_number> <port_name>
get switch-controller dsl version <FortiSwitch_serial_number> <port_name>

Option                                                 Description
link-time <FortiSwitch_serial_number> <port_name>      Display the link time for the DSL module plugged in to the specified FortiSwitch port.
pkt-count <FortiSwitch_serial_number> <port_name>      Display the packet count for the DSL module plugged in to the specified FortiSwitch port.
pm-line-curr <FortiSwitch_serial_number> <port_name>   Display the line current for the DSL module plugged in to the specified FortiSwitch port.
policy                                                 List the available DSL policies and their settings.
rate <FortiSwitch_serial_number> <port_name>           Display the rate for the DSL module plugged in to the specified FortiSwitch port.
status <FortiSwitch_serial_number> <port_name>         Display the status of the DSL module plugged in to the specified FortiSwitch port.
summary <FortiSwitch_serial_number> <port_name>        Display a summary for the DSL module plugged in to the specified FortiSwitch port.
version <FortiSwitch_serial_number> <port_name>        Display the version of the DSL module plugged in to the specified FortiSwitch port.

To reset the DSL module on a FortiSwitch port:
execute switch-controller dsl reset <FortiSwitch_serial_number> <port_name>
To upload a FortiSwitch image to the FortiGate local storage:
execute switch-controller dsl update ftp <DSL_image_name_on_FTP_server> <FTP_server>[:<FTP_port>] <FTP_user_name> <FTP_password> <FortiSwitch_serial_number> <port_name>
execute switch-controller dsl update tftp <DSL_image_name_on_TFTP_server> <TFTP_server> <FortiSwitch_serial_number> <port_name>

Network interface display
On the Network > Interfaces page, you can see the FortiGate interface connected to the FortiSwitch unit. The GUI indicates Dedicated to FortiSwitch in the IP/Netmask field.

Data statistics
This example shows a FortiLink scenario where the FortiGate acts as the switch controller that collects the data statistics of managed FortiSwitch ports. The statistics are counted by each FortiSwitch unit and aggregated by the controller.

Sample topology

To show data statistics using the GUI:
1. Go to WiFi & Switch Controller > FortiSwitch Ports. 2. Select Configure Table. 3. Select Bytes, Errors and Packets to make them visible.
The related data statistic of each managed FortiSwitch port is shown.
To show data statistics using the CLI:
# diagnose switch-controller switch-info port-stats S248EPTF180XXXX
......
Port(port50) is Admin up, line protocol is down
  Interface Type is Gigabit Media Independent Interface(GMII)
  Address is 70:4C:A5:E0:F3:8D, loopback is not set
  MTU 9216 bytes, Encapsulation IEEE 802.3/Ethernet-II
  full-duplex, 1000 Mb/s, link type is manual
  input : 0 bytes, 0 packets, 0 errors, 0 drops, 0 oversizes
          0 unicasts, 0 multicasts, 0 broadcasts, 0 unknowns
  output : 0 bytes, 0 packets, 0 errors, 0 drops, 0 oversizes
          0 unicasts, 0 multicasts, 0 broadcasts
          0 fragments, 0 undersizes, 0 collisions, 0 jabbers
......
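The port-stats output above (and the earlier "To display port statistics using the CLI" example) is plain text, so anyone polling it from a script has to parse it before alerting on error counters. The following Python parser is an added example, not code from the FortiSwitch guide or from Fortinet. The sample output is constructed here in the layout of the two examples above (the serial S248EPTF18000001, the ports port1 and port50 and all counter values are made up), and the set of counters it treats as errors is an assumption of this example.

```python
import re
from dataclasses import dataclass, field

# One managed FortiSwitch port as printed by
# "diagnose switch-controller switch-info port-stats <switch> [<port>]".
PORT_RE = re.compile(
    r"^Port\((?P<port>\S+)\) is Admin (?P<admin>\S+), line protocol is (?P<proto>\S+)"
)
# "<count> <counter-name>" pairs, e.g. "7 errors" or "12 collisions".
COUNTER_RE = re.compile(r"(\d+) ([a-z]+)")

# Counters whose non-zero value usually deserves a look (assumption of this
# example; tune the list and the threshold to your environment).
ERROR_COUNTERS = ("errors", "drops", "oversizes", "fragments",
                  "undersizes", "collisions", "jabbers")


@dataclass
class PortStats:
    name: str
    admin: str        # "up" / "down"
    protocol: str     # line protocol: "up" / "down"
    counters: dict = field(default_factory=dict)   # "input.errors" -> 7


def parse_port_stats(text):
    """Parse port-stats output into a list of PortStats, in display order."""
    ports, current, direction = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_RE.match(line)
        if m:
            current = PortStats(m["port"], m["admin"], m["proto"])
            ports.append(current)
            direction = None          # counters only start at "input :"
            continue
        if current is None:
            continue
        if line.startswith("input :"):
            direction = "input"
        elif line.startswith("output :"):
            direction = "output"
        if direction is None:
            continue                  # MTU / address / duplex lines: skip
        # Continuation lines (unicasts..., fragments...) keep the last direction.
        for value, name in COUNTER_RE.findall(line):
            current.counters[f"{direction}.{name}"] = int(value)
    return ports


def find_issues(ports, threshold=0):
    """Return {port_name: [reasons]} for ports with error counters above threshold."""
    issues = {}
    for p in ports:
        reasons = [f"{key}={val}" for key, val in sorted(p.counters.items())
                   if key.split(".", 1)[1] in ERROR_COUNTERS and val > threshold]
        if reasons:
            issues[p.name] = reasons
    return issues


# Constructed sample in the layout of the CLI output above; values are made up.
SAMPLE_OUTPUT = """\
S248EPTF18000001:
Port(port1) is Admin up, line protocol is up
  Interface Type is Gigabit Media Independent Interface(GMII)
  Address is 70:4C:A5:E0:F3:8D, loopback is not set
  MTU 9216 bytes, Encapsulation IEEE 802.3/Ethernet-II
  full-duplex, 1000 Mb/s, link type is manual
  input : 123456 bytes, 1000 packets, 7 errors, 2 drops, 0 oversizes
          900 unicasts, 50 multicasts, 50 broadcasts, 0 unknowns
  output : 654321 bytes, 2000 packets, 0 errors, 0 drops, 0 oversizes
          1900 unicasts, 50 multicasts, 50 broadcasts
          0 fragments, 3 undersizes, 12 collisions, 0 jabbers
Port(port50) is Admin up, line protocol is down
  Interface Type is Gigabit Media Independent Interface(GMII)
  Address is 70:4C:A5:E0:F3:8E, loopback is not set
  MTU 9216 bytes, Encapsulation IEEE 802.3/Ethernet-II
  half-duplex, 0 Mb/s, link type is auto
  input : 0 bytes, 0 packets, 0 errors, 0 drops, 0 oversizes
          0 unicasts, 0 multicasts, 0 broadcasts, 0 unknowns
  output : 0 bytes, 0 packets, 0 errors, 0 drops, 0 oversizes
          0 unicasts, 0 multicasts, 0 broadcasts
          0 fragments, 0 undersizes, 0 collisions, 0 jabbers
"""

if __name__ == "__main__":
    for port, reasons in find_issues(parse_port_stats(SAMPLE_OUTPUT)).items():
        print(port, ", ".join(reasons))
```

Feed the parser the captured text of the command for a whole switch and compare two successive runs: a counter that grows between polls matters more than one that has been non-zero since the last reset.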

Synchronizing the FortiGate unit with the managed FortiSwitch units
You can synchronize the FortiGate unit with the managed FortiSwitch units to check for synchronization errors on each managed FortiSwitch unit.

Use the following command to synchronize the full configuration of a FortiGate unit with a managed FortiSwitch unit:
diagnose switch-controller trigger config-sync <FortiSwitch_serial_number>
Viewing and upgrading the FortiSwitch firmware version
You can view the current firmware version of a FortiSwitch unit and upgrade the FortiSwitch unit to a new firmware version. The FortiGate unit will suggest an upgrade when a new version is available in FortiGuard.
Using the FortiGate GUI
To view the FortiSwitch firmware version:
1. Go to WiFi & Switch Controller > Managed FortiSwitch.
2. In the main panel, select the FortiSwitch faceplate and click Edit.
3. In the Edit Managed FortiSwitch panel, the Firmware section displays the current build on the FortiSwitch.
To upgrade the firmware on multiple FortiSwitch units at the same time:
1. Go to WiFi & Switch Controller > Managed FortiSwitch.
2. Select the faceplates of the FortiSwitch units that you want to upgrade.
3. Click Upgrade. The Upgrade FortiSwitches page opens.
4. Select FortiGuard or select Upload and then select the firmware file to upload. If you select FortiGuard, all FortiSwitch units that can be upgraded are upgraded. If you select Upload, only one firmware image can be used at a time for upgrading.
5. Select Upgrade.
Using the FortiGate CLI
Use the following command to stage a firmware image on all FortiSwitch units:
execute switch-controller switch-software stage all <image id>
Use the following command to upgrade the firmware image on one FortiSwitch unit:
execute switch-controller switch-software upgrade <switch id> <image id>
Use the following CLI commands to enable the use of HTTPS to download firmware to managed FortiSwitch units:
config switch-controller global
    set https-image-push enable
end
NOTE: The HTTPS download is enabled by default.
From your FortiGate CLI, you can upgrade the firmware of all of the managed FortiSwitch units of the same model using a single execute command. The command includes the name of a firmware image file, and all of the managed FortiSwitch units compatible with that firmware image file are upgraded. For example:
execute switch-controller switch-software stage all <firmware-image-file>
You can also use the following command to restart all of the managed FortiSwitch units after a 2-minute delay.
execute switch-controller switch-action restart delay all

Firmware upgrade of stacked or tiered FortiSwitch units

In this topology, the core FortiSwitch units are model FS-224E, and the access FortiSwitch units are model FS-108E-FPOE. Because the switches are stacked or tiered, the procedure to update the firmware is simpler. The FortiGate unit is running FortiOS 6.2.2 GA. In the following procedure, the four FortiSwitch units are upgraded from 6.2.1 to 6.2.2.

To upgrade the firmware of stacked or tiered FortiSwitch units:

1. Check that all of the FortiSwitch units are connected and which firmware versions they are running. For example:
FGT81ETK19001274 # execute switch-controller get-conn-status
Managed-devices in current vdom root:

STACK-NAME: FortiSwitch-Stack-flink

SWITCH-ID          VERSION        STATUS         FLAG  ADDRESS       JOIN-TIME                 NAME
S108EF5918003577   v6.2.1 (176)   Authorized/Up  -     10.105.22.6   Thu Oct 24 10:47:27 2019  -
S108EP5918008265   v6.2.1 (176)   Authorized/Up  -     10.105.22.5   Thu Oct 24 10:47:20 2019  -
S224ENTF18001408   v6.2.1 (176)   Authorized/Up  -     10.105.22.2   Thu Oct 24 10:44:36 2019  -
S224ENTF18001432   v6.2.1 (176)   Authorized/Up  -     10.105.22.3   Thu Oct 24 10:44:49 2019  -

Flags: C=config sync, U=upgrading, S=staged, D=delayed reboot pending, E=configuration sync error
Managed-Switches: 4 (UP: 4 DOWN: 0)
2. (Optional) To speed up how fast the image is pushed from the FortiGate unit to the FortiSwitch units, enable the HTTPS image push instead of the CAPWAP image push. For example:
FGT81ETK19001274 # config switch-controller global
FGT81ETK19001274 (global) # set https-image-push enable
FGT81ETK19001274 (global) # end


3. Download the file for the FortiSwitchOS 6.2.2 GA build 194 in the FortiGate unit. For example:
FGT81ETK19001274 # execute switch-controller switch-software upload tftp FSW_224E-v6-build0194-FORTINET.out 10.105.16.15

Downloading file FSW_224E-v6-build0194-FORTINET.out from tftp server 10.105.16.15...
#########################
Image checking ...
Image MD5 calculating ...
Image Saving S224EN-IMG.swtp ...
Successful!

File Syncing...

FGT81ETK19001274 # execute switch-controller switch-software upload tftp FSW_108E_POE-v6-build0194-FORTINET.out 10.105.16.15

Downloading file FSW_108E_POE-v6-build0194-FORTINET.out from tftp server 10.105.16.15...
##################
Image checking ...
Image MD5 calculating ...
Image Saving S108EP-IMG.swtp ...
Successful!

File Syncing...

FGT81ETK19001274 # execute switch-controller switch-software upload tftp FSW_108E_FPOE-v6-build0194-FORTINET.out 10.105.16.15

Downloading file FSW_108E_FPOE-v6-build0194-FORTINET.out from tftp server 10.105.16.15...
##################
Image checking ...
Image MD5 calculating ...
Image Saving S108EF-IMG.swtp ...
Successful!

File Syncing...

FGT81ETK19001274 #
4. Check the downloaded FortiSwitch image. For example:
FGT81ETK19001274 # execute switch-controller switch-software list-available

ImageName          ImageSize(B)   ImageInfo               Uploaded Time
S108EF-IMG.swtp    19574769       S108EF-v6.2-build194    Thu Oct 24 13:03:51 2019
S108EP-IMG.swtp    19583362       S108EP-v6.2-build194    Thu Oct 24 13:03:23 2019
S224EN-IMG.swtp    27159659       S224EN-v6.2-build194    Thu Oct 24 13:03:02 2019

FGT81ETK19001274 #
5. Start the image staging. For example:
FGT81ETK19001274 # execute switch-controller switch-software stage all S224EN-IMG.swtp
Staged Image Version S224EN-v6.2-build194
Image staging operation is started for FortiSwitch S224ENTF18001408 ...
Image staging operation is started for FortiSwitch S224ENTF18001432 ...

FGT81ETK19001274 # execute switch-controller switch-software stage all S108EF-IMG.swtp
Staged Image Version S108EF-v6.2-build194
Image staging operation is started for FortiSwitch S108EF5918003577 ...

FGT81ETK19001274 # execute switch-controller switch-software stage all S108EP-IMG.swtp
Staged Image Version S108EP-v6.2-build194
Image staging operation is started for FortiSwitch S108EP5918008265 ...

6. Check the status of the image staging. The Status column reports (from left to right) the percentage of the new firmware downloaded, the percentage of data erased to make space in the switch's local storage, and the percentage of the new firmware saved to the switch's local storage. For example:

FGT81ETK19001274 # execute switch-controller get-upgrade-status

Device            Running-version                       Status       Next-boot
========================================================================================
VDOM : root
S224ENTF18001408  S224EN-v6.2.1-build176,190620 (GA)    (100/0/0)    S224EN-v6.2-build176 (Staging)
S224ENTF18001432  S224EN-v6.2.1-build176,190620 (GA)    (100/0/0)    S224EN-v6.2-build176 (Staging)
S108EP5918008265  S108EP-v6.2.1-build176,190620 (GA)    (18/0/0)     S108EP-v6.2-build176 (Staging)
S108EF5918003577  S108EF-v6.2.1-build176,190620 (GA)    (25/0/0)     S108EF-v6.2-build176 (Staging)

7. Verify that the image staging has completed. For example:

FGT81ETK19001274 # execute switch-controller get-upgrade-status

Device            Running-version                       Status         Next-boot
========================================================================================
VDOM : root
S224ENTF18001408  S224EN-v6.2.1-build176,190620 (GA)    (0/100/100)    S224EN-v6.2-build194 (Idle)
S224ENTF18001432  S224EN-v6.2.1-build176,190620 (GA)    (0/100/100)    S224EN-v6.2-build194 (Idle)
S108EP5918008265  S108EP-v6.2.1-build176,190620 (GA)    (0/100/100)    S108EP-v6.2-build194 (Idle)
S108EF5918003577  S108EF-v6.2.1-build176,190620 (GA)    (0/100/100)    S108EF-v6.2-build194 (Idle)

8. Reboot all switches (or reboot the switches by group). For example:

FGT81ETK19001274 # execute switch-controller switch-action restart delay all
Delayed restart operation is requested for FortiSwitch S224ENTF18001408 ...
Delayed restart operation is requested for FortiSwitch S224ENTF18001432 ...
Delayed restart operation is requested for FortiSwitch S108EP5918008265 ...
Delayed restart operation is requested for FortiSwitch S108EF5918003577 ...

9. Check the status of the switch reboot. For example:



FGT81ETK19001274 # execute switch-controller get-upgrade-status

Device            Running-version   Status   Next-boot
========================================================================================
VDOM : root
S224ENTF18001408  Prepping for delayed restart triggered ... please wait for switch to reboot in a moment
S224ENTF18001432  Prepping for delayed restart triggered ... please wait for switch to reboot in a moment
S108EP5918008265  Prepping for delayed restart triggered ... please wait for switch to reboot in a moment
S108EF5918003577  Prepping for delayed restart triggered ... please wait for switch to reboot in a moment

FGT81ETK19001274 # execute switch-controller get-conn-status
Managed-devices in current vdom root:

STACK-NAME: FortiSwitch-Stack-flink

SWITCH-ID          VERSION      STATUS           FLAG  ADDRESS   JOIN-TIME  NAME
S108EF5918003577   v6.2.1 ()    Authorized/Down  D     0.0.0.0   N/A        -
S108EP5918008265   v6.2.1 ()    Authorized/Down  D     0.0.0.0   N/A        -
S224ENTF18001408   v6.2.1 ()    Authorized/Down  D     0.0.0.0   N/A        -
S224ENTF18001432   v6.2.1 ()    Authorized/Down  D     0.0.0.0   N/A        -

Flags: C=config sync, U=upgrading, S=staged, D=delayed reboot pending, E=configuration sync error
Managed-Switches: 4 (UP: 0 DOWN: 4)

FGT81ETK19001274 #

10. Wait for a while before checking that all switches are online. For example:

FGT81ETK19001274 # execute switch-controller get-upgrade-status

Device            Running-version                       Status         Next-boot
========================================================================================
VDOM : root
S224ENTF18001408  S224EN-v6.2.2-build194,191018 (GA)    (0/100/100)    S224EN-v6.2-build194 (Idle)
S224ENTF18001432  S224EN-v6.2.2-build194,191018 (GA)    (0/100/100)    S224EN-v6.2-build194 (Idle)
S108EP5918008265  S108EP-v6.2.2-build194,191018 (GA)    (0/100/100)    S108EP-v6.2-build194 (Idle)
S108EF5918003577  S108EF-v6.2.2-build194,191018 (GA)    (0/100/100)    S108EF-v6.2-build194 (Idle)

FGT81ETK19001274 # execute switch-controller get-conn-status
Managed-devices in current vdom root:

STACK-NAME: FortiSwitch-Stack-flink

SWITCH-ID          VERSION        STATUS         FLAG  ADDRESS       JOIN-TIME                 NAME
S108EF5918003577   v6.2.2 (194)   Authorized/Up  -     10.105.22.6   Thu Oct 24 13:22:27 2019  -
S108EP5918008265   v6.2.2 (194)   Authorized/Up  -     10.105.22.5   Thu Oct 24 13:22:41 2019  -
S224ENTF18001408   v6.2.2 (194)   Authorized/Up  -     10.105.22.2   Thu Oct 24 13:20:11 2019  -
S224ENTF18001432   v6.2.2 (194)   Authorized/Up  -     10.105.22.3   Thu Oct 24 13:19:58 2019  -

Flags: C=config sync, U=upgrading, S=staged, D=delayed reboot pending, E=configuration sync error
Managed-Switches: 4 (UP: 4 DOWN: 0)

FGT81ETK19001274 #
config switch-controller global
    append disable-discovery S012345678
    unselect disable-discovery S1234567890
end

Configuring automatic federated firmware updates
When the automatic firmware updates setting is enabled, in addition to an automatic federated upgrade being performed on the FortiGate device, automatic federated upgrades are now performed on managed FortiSwitch units, starting in FortiOS 7.4.1. The federated upgrades of these LAN edge devices adhere to the FortiOS-FortiSwitch compatibility matrix information maintained on the FortiGuard Distribution Network (FDN).
Configuration example

In this example, automatic firmware updates are enabled on a FortiGate device that is running FortiOS 7.4.1. Two FortiSwitch units with older firmware are upgraded after the federated update.
To configure automatic federated firmware updates:
config system fortiguard
    set auto-firmware-upgrade enable
    set auto-firmware-upgrade-day tuesday
    set auto-firmware-upgrade-delay 0
    set auto-firmware-upgrade-start-hour 11
    set auto-firmware-upgrade-end-hour 12
end
The auto-upgrade time is scheduled on Tuesday, between 11:00 a.m. and 12:00 p.m.

To verify that the federated update occurs:

1. Verify that the update is scheduled:

FGT_A (global) # diagnose test application forticldd 13
Scheduled push image upgrade: no
Scheduled Config Restore: no
Scheduled Script Restore: no
Automatic image upgrade: Enabled.
Next upgrade check scheduled at (local time) Tue Sep 5 11:06:58 2023

2. Verify whether there are managed FortiSwitch units that can be upgraded:

FGT_A (vdom1) # execute switch-controller get-conn-status
Managed-devices in current vdom vdom1:

FortiLink interface : flink

SWITCH-ID          VERSION        STATUS         FLAG  ADDRESS       JOIN-TIME                SERIAL
FS1D243Z17000032   v7.2.5 (453)   Authorized/Up  2     169.254.1.4   Tue Sep 5 10:16:26 2023  FS1D243Z17000032
S548DF4K16000730   v7.0.7 (096)   Authorized/Up  2     169.254.1.5   Tue Sep 5 10:16:51 2023  S548DF4K16000730

Flags: C=config sync, U=upgrading, S=staged, D=delayed reboot pending, E=config sync error, 3=L3, V=VXLAN
Managed-Switches: 2 (UP: 2 DOWN: 0 MAX: 72)
3. Verify the compatibility matrix:
FGT_A (global) # diagnose test application forticldd 16
Last update: 3 secs ago

FS1D24: 7.4.0 b767 07004000FIMG0900304000 (FGT Version 7.4.1 b0)
4. Wait for the FortiGate device to perform the federated update.
5. After the federated update is complete, verify that the managed FortiSwitch units were upgraded to the latest version:
FGT_A (vdom1) # execute switch-controller get-conn-status Managed-devices in current vdom vdom1:

FortiLink interface : flink

SWITCH-ID

VERSION

SERIAL

FS1D243Z17000032 v7.4.0 (767)

11:22:44 2023 FS1D243Z17000032

S548DF4K16000730 v7.4.0 (767)

11:23:37 2023 S548DF4K16000730

STATUS

FLAG ADDRESS

Authorized/Up 2 169.254.1.2

Authorized/Up 2 169.254.1.5

JOIN-TIME Tue Sep 5 Tue Sep 5

FortiSwitchOS 7.4.3 FortiLink Guide (FortiOS 7.4.4)

298

Fortinet Inc.

Operation and maintenance
Flags: C=config sync, U=upgrading, S=staged, D=delayed reboot pending, E=config sync error, 3=L3, V=VXLAN
Managed-Switches: 2 (UP: 2 DOWN: 0 MAX: 72)
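The verification steps above (check the managed switches, check the compatibility matrix, confirm the result) can be scripted. The following is an added example and not Fortinet code: the two sample outputs are constructed from the step 2 and step 3 output shown above, the column spacing is an assumption, and matching a matrix key such as FS1D24 to a serial number by prefix is an assumption drawn from that output rather than a documented rule.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of "execute switch-controller get-conn-status" output, modelled on step 2
# above. Column spacing is an assumption; the parser only needs the leading field order
# SWITCH-ID, VERSION (build), STATUS, FLAG.
CONN_STATUS = """\
Managed-devices in current vdom vdom1:

FortiLink interface : flink
SWITCH-ID          VERSION        STATUS          FLAG  ADDRESS       JOIN-TIME                 SERIAL
FS1D243Z17000032   v7.2.5 (453)   Authorized/Up   2     169.254.1.4   Tue Sep  5 10:16:26 2023  FS1D243Z17000032
S548DF4K16000730   v7.0.7 (096)   Authorized/Up   2     169.254.1.5   Tue Sep  5 10:16:51 2023  S548DF4K16000730

Flags: C=config sync, U=upgrading, S=staged, D=delayed reboot pending, E=config sync error, 3=L3, V=VXLAN
Managed-Switches: 2 (UP: 2 DOWN: 0 MAX: 72)
"""

# Constructed sample of "diagnose test application forticldd 16" (the compatibility matrix),
# modelled on step 3 above: one line per model prefix and its target release.
COMPAT_MATRIX = """\
Last update: 3 secs ago

FS1D24: 7.4.0 b767 07004000FIMG0900304000 (FGT Version 7.4.1 b0)
"""

SWITCH_ROW = re.compile(r"^(?P<id>\S+)\s+v(?P<ver>\d+(?:\.\d+)*)\s+\((?P<build>\d+)\)\s+"
                        r"(?P<status>\S+)\s+(?P<flags>\S+)")
MATRIX_ROW = re.compile(r"^(?P<prefix>[A-Z0-9]+):\s+(?P<ver>\d+(?:\.\d+)*)\s+b(?P<build>\d+)")

@dataclass
class ManagedSwitch:
    switch_id: str
    version: str   # e.g. "7.2.5"
    build: int     # e.g. 453
    status: str    # e.g. "Authorized/Up"
    flags: str     # e.g. "2", "U", "S" (see the Flags legend in the output)

@dataclass
class UpgradeCheck:
    switch_id: str
    current: str
    target: Optional[str]   # None when the matrix has no entry for this model
    needs_upgrade: bool
    in_progress: bool       # U (upgrading), S (staged) or D (delayed reboot) flag set
    note: str

def parse_version(text: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in text.split("."))

def parse_conn_status(output: str) -> List[ManagedSwitch]:
    """One ManagedSwitch per data row; header, Flags and summary lines never match."""
    rows = []
    for line in output.splitlines():
        m = SWITCH_ROW.match(line.strip())
        if m:
            rows.append(ManagedSwitch(m["id"], m["ver"], int(m["build"]), m["status"], m["flags"]))
    return rows

def parse_compat_matrix(output: str) -> Dict[str, Tuple[str, int]]:
    """Map a model prefix such as FS1D24 to its (target version, target build)."""
    matrix = {}
    for line in output.splitlines():
        m = MATRIX_ROW.match(line.strip())
        if m:
            matrix[m["prefix"]] = (m["ver"], int(m["build"]))
    return matrix

def target_for(switch_id: str, matrix: Dict[str, Tuple[str, int]]) -> Optional[Tuple[str, int]]:
    """Pick the longest model prefix that the serial number starts with (assumed matching rule)."""
    prefixes = [p for p in matrix if switch_id.startswith(p)]
    return matrix[max(prefixes, key=len)] if prefixes else None

def check_upgrades(conn_status: str, compat: str) -> Dict[str, UpgradeCheck]:
    """Decide, per managed switch, whether the federated update still has work to do."""
    matrix = parse_compat_matrix(compat)
    result: Dict[str, UpgradeCheck] = {}
    for sw in parse_conn_status(conn_status):
        in_progress = any(flag in sw.flags for flag in "USD")
        target = target_for(sw.switch_id, matrix)
        if target is None:
            # Never assume an unlisted model is current: it has to be checked by hand.
            note = "model not in compatibility matrix; verify manually"
            result[sw.switch_id] = UpgradeCheck(sw.switch_id, sw.version, None, False, in_progress, note)
            continue
        target_ver, target_build = target
        behind = (parse_version(sw.version), sw.build) < (parse_version(target_ver), target_build)
        if not sw.status.endswith("/Up"):
            note = "switch is not Up; the upgrade cannot proceed"
        elif not behind:
            note = "up to date"
        elif in_progress:
            note = "upgrade in progress"
        else:
            note = "pending federated update"
        result[sw.switch_id] = UpgradeCheck(sw.switch_id, sw.version, target_ver, behind, in_progress, note)
    return result
```

Run it against the step 2 and step 3 outputs before the scheduled window and again after it; a switch that is still reported as behind the matrix after the window, or one with no matrix entry, is the one to look at.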

Canceling pending or downloading FortiSwitch upgrades

A FortiSwitch device in FortiLink mode can be upgraded from the FortiGate device.
If a connectivity issue occurs during the upgrade process and the FortiSwitch unit loses contact with the FortiGate device, the FortiSwitch upgrade status can get stuck at Upgrading. Use the following CLI command to cancel the process:
execute switch-controller switch-software cancel {all | sn <FortiSwitch_serial_number> | switch-group <switch_group ID>}

all                               Cancel the firmware upgrade for all FortiSwitch units.
sn <FortiSwitch_serial_number>    Cancel the firmware upgrade for the FortiSwitch unit with the specified serial number.
switch-group <switch_group ID>    Cancel the firmware upgrade for the FortiSwitch units belonging to the specified switch group.

For example, to cancel the upgrade of a FortiSwitch unit with the specified serial number:
execute switch-controller switch-software cancel sn S248EPTF180018XX

Configuring automatic backups
Starting in FortiOS 7.2.1, you can specify whether your managed FortiSwitch configuration is automatically backed up each time a user logs out or before a system upgrade is started. By default, both options are disabled.
To specify that the managed FortiSwitch unit creates a revision configuration file each time a user logs out:
config switch-controller switch-profile
    edit {default | FortiSwitch_profile_name}
        set revision-backup-on-logout enable
    next
end
To specify that the managed FortiSwitch unit creates a revision configuration file before a system upgrade is started:
config switch-controller switch-profile
    edit {default | FortiSwitch_profile_name}
        set revision-backup-on-upgrade enable
    next
end

Registering FortiSwitch to FortiCloud
After authorizing a FortiSwitch, administrators can register the FortiSwitch to FortiCloud directly from the FortiOS GUI.
To register the FortiSwitch in the GUI:
1. Go to WiFi & Switch Controller > Managed FortiSwitch and ensure the Topology view is selected.
2. In the topology, right-click on an unregistered device and click Registration.
3. Complete the device registration wizard:
   a. Click Register to proceed.
   b. Enter the FortiCloud account information and click Submit.
      The registration information is submitted to FortiCare, and FortiOS attempts to collect the registration status from FortiGuard. Since FortiGuard and FortiCare synchronize periodically, the registration status may not update immediately (it may take up to a few hours).
   c. Click Close.
4. After a while, go back to WiFi & Switch Controller > Managed FortiSwitch.
5. Right-click on the device and click Registration. The device is shown as Registered to the corresponding FortiCloud account.


To register the FortiSwitch in the CLI:
# diagnose forticare direct-registration product-registration -N S124DP3X15000000 -a xxxx@fortinet.com -p LDAP -T "CA" -R "other" -e 1
Account info:
contract_number=[]
account_id=[xxxx@fortinet.com]
password=[***]
reseller_id=0
reseller=[other]
first_name=[]
last_name=[]
company=[]
title=[]
address=[]
city=[]
state=[]
state_code=[]
country_code=0
post_code=[]
phone=[]
fax=[]
industry=[]
industry_id=0
orgsize=[]
orgsize_id=0
version=0
SN=[S124DP3X15000000]
existing=1
Prepare to register product into this account.
Do you want to continue? (y/n)y
Registration successful
Replacing a managed FortiSwitch unit
If a managed FortiSwitch unit fails, you can replace it with another FortiSwitch unit that is managed by the same FortiGate unit. The replacement FortiSwitch unit will inherit the configuration of the FortiSwitch unit that it replaces. The failed FortiSwitch unit is no longer managed by a FortiGate unit or discovered by FortiLink.
NOTE:
- Both FortiSwitch units must be of the same model.
- After replacing the failed FortiSwitch unit, the automatically created trunk name does not change. If you want a different trunk name, you need to delete the trunk. The new trunk is created automatically with an updated name. At the end of this section is a detailed procedure for renaming the MCLAG-ICL trunk.
- If the replaced managed FortiSwitch unit is part of an MCLAG, only the ICL should be connected to the new switch to avoid any traffic loops. The other interfaces should be connected only to the switch that is fully managed by the FortiGate unit with the correct configuration.

To replace a managed FortiSwitch unit when split ports are not enabled:
1. Remove the failed FortiSwitch unit from the network.
2. Deauthorize the failed switch:
config switch-controller managed-switch
    edit <failed_FortiSwitch_serial_number>
        set fsw-wan1-admin disable
end
3. If the replacement switch is not new, reset the replacement FortiSwitch unit to factory default settings with the execute factoryreset command.
4. Without connecting to the existing network, upgrade the firmware of the replacement FortiSwitch unit to the same version as the firmware on the failed FortiSwitch unit. See Viewing and upgrading the FortiSwitch firmware version on page 292.
5. On the FortiGate device, use the execute replace-device fortiswitch <failed_FortiSwitch_serial_number> <replacement_FortiSwitch_serial_number> command to change the replacement switch name to match the failed switch name.
6. Authorize the replacement switch:
config switch-controller managed-switch
    edit <replacement_FortiSwitch_serial_number>
        set fsw-wan1-admin enable
end
7. Connect the replacement switch to the network.
To replace a managed FortiSwitch unit when split ports are enabled:
1. Remove the failed FortiSwitch unit from the network.
2. Deauthorize the failed switch:
config switch-controller managed-switch
    edit <failed_FortiSwitch_serial_number>
        set fsw-wan1-admin disable
end
3. If the replacement switch is not new, reset the replacement FortiSwitch unit to factory default settings with the execute factoryreset command.
4. Without connecting to the existing network, upgrade the firmware of the replacement FortiSwitch unit to the same version as the firmware on the failed FortiSwitch unit. See Viewing and upgrading the FortiSwitch firmware version on page 292.
5. Log in to the replacement switch and use the config switch phy-mode commands to configure the split ports with the same configuration that was on the failed switch.
6. On the FortiGate device, use the execute replace-device fortiswitch <failed_FortiSwitch_serial_number> <replacement_FortiSwitch_serial_number> command to change the replacement switch name to match the failed switch name.
7. Authorize the replacement switch:
config switch-controller managed-switch
    edit <replacement_FortiSwitch_serial_number>
        set fsw-wan1-admin enable
end
8. Connect the replacement switch to the network.


To replace a managed FortiSwitch unit of an MCLAG pair:
1. Remove the failed FortiSwitch unit from the network.
2. Deauthorize the failed switch:
config switch-controller managed-switch
    edit <failed_FortiSwitch_serial_number>
        set fsw-wan1-admin disable
end
3. If the replacement switch is not new, reset the replacement FortiSwitch unit to factory default settings with the execute factoryreset command.
4. Without connecting to the existing network, upgrade the firmware of the replacement FortiSwitch unit to the same version as the firmware on the failed FortiSwitch unit. See Viewing and upgrading the FortiSwitch firmware version on page 292.
5. On the FortiGate device, use the execute replace-device fortiswitch <failed_FortiSwitch_serial_number> <replacement_FortiSwitch_serial_number> command to change the replacement switch name to match the failed switch name.
6. Authorize the replacement switch:
config switch-controller managed-switch
    edit <replacement_FortiSwitch_serial_number>
        set fsw-wan1-admin enable
end
7. Connect the ICL physical port(s) of the replacement MCLAG switch to the peer switch's ICL ports. An ISL trunk with the peer's name is formed on the replacement switch. Wait until the replacement switch's FortiLink is up.
   - On the FortiGate device, if the failed switch had "set lldp-profile default-auto-mclag-icl" configured in the ICL ports of the switch, the replacement switch will have those settings as well. On the replacement switch, the auto-formed ISL trunk is deleted, and the FlInK1_ICL0_ trunk with "set mclag-icl enable" configured is created automatically.
   - On the FortiGate device, if the failed switch did not have "set lldp-profile default-auto-mclag-icl" configured in the ICL ports of the switch, the replacement switch will not have the setting either. SSH to the replacement switch and manually configure "set mclag-icl enable" in the ISL trunk with the peer switch's name. Then SSH to the peer switch to delete the ICL trunk (with the failed switch's name) and configure "set mclag-icl enable" after a new ISL trunk with the replacement switch's name forms automatically.
8. Use the diagnose switch mclag icl command to make sure that there are no errors and that the ICL trunk is up.
9. Check the neighbor peer switch to see if it has auto-isl-port-group configured. If it does, you need to configure the replacement switch with the same auto-isl-port-group name.
10. Connect the rest of the links to the replacement switch.
11. Execute the diagnose switch mclag peer-consistency-check command to make sure there is no error with the peer MCLAG trunks.
To rename the MCLAG-ICL trunk:
After replacing the failed FortiSwitch unit, the automatically created trunk name does not change. If you want a different trunk name, you need to delete the trunk. The new trunk is created automatically with an updated name.
Changing the name of the MCLAG-ICL trunk must be done on both the FortiGate unit and the MCLAG-ICL switches. You need a maintenance window for the change.
1. Shut down the FortiLink interface on the FortiGate unit.
   a. On the FortiGate unit, execute the show system interface command. For example:
FG3K2D3Z17800156 # show system interface root-lag


config system interface
    edit "root-lag"
        set vdom "root"
        set fortilink enable
        set ip 10.105.60.254 255.255.255.0
        set allowaccess ping capwap
        set type aggregate
        set member "port45" "port48"
        config managed-device
   b. Write down the member port information. In this example, port45 and port48 are the member ports.
   c. Shut down the member ports with the config system interface, edit <member-port#>, set status down, and end commands. For example:
FG3K2D3Z17800156 # config system interface
FG3K2D3Z17800156 (interface) # edit port48
FG3K2D3Z17800156 (port48) # set status down
FG3K2D3Z17800156 (port48) # next             // repeat for each member port
FG3K2D3Z17800156 (interface) # edit port45
FG3K2D3Z17800156 (port45) # set status down
FG3K2D3Z17800156 (port45) # end
   d. Verify that FortiLink is down with the exec switch-controller get-conn-status command. For example:
FG3K2D3Z17800156 # exec switch-controller get-conn-status
Managed-devices in current vdom root:

STACK-NAME: FortiSwitch-Stack-root-lag
SWITCH-ID          VERSION   STATUS            ADDRESS   JOIN-TIME   NAME
FS1D483Z17000282   v6.0.0    Authorized/Down   0.0.0.0   N/A         icl-sw2
FS1D483Z17000348   v6.0.0    Authorized/Down   0.0.0.0   N/A         icl-sw1
2. Rename the MCLAG-ICL trunk name on both MCLAG-ICL switches.
   a. Execute the show switch trunk command on both MCLAG-ICL switches. Locate the ICL trunk that includes the set mclag-icl enable command in its configuration and write down the member ports and configuration information. For example:
icl-sw1 # show switch trunk
config switch trunk
    ...
    edit "D483Z17000282-0"
        set mode lacp-active
        set auto-isl 1
        set mclag-icl enable              // look for this line
        set members "port27" "port28"     // note the member ports
    next
end
   b. Note the output of the show switch interface <MCLAG-ICL-trunk-name>, diagnose switch mclag icl, and diagnose switch trunk summary <MCLAG-ICL-trunk-name> commands. For example:
icl-sw1 # show switch interface D483Z17000282-0
config switch interface
    edit "D483Z17000282-0"
        set native-vlan 4094
        set allowed-vlans 1,100,2001-2060,4093
        set dhcp-snooping trusted
        set stp-state disabled
        set edge-port disabled
        set igmp-snooping-flood-reports enable
        set mcast-snooping-flood-traffic enable
        set snmp-index 57
    next
end

icl-sw1 # diag switch mclag icl D483Z17000282-0
icl-ports            27-28
egress-block-ports   3-4,7-12,47-48
interface-mac        70:4c:a5:86:6d:e5
lacp-serial-number   FS1D483Z17000348
peer-mac             70:4c:a5:49:50:53
peer-serial-number   FS1D483Z17000282
Local uptime         0 days 1h:49m:24s
Peer uptime          0 days 1h:49m:17s
MCLAG-STP-mac        70:4c:a5:49:50:52
keepalive interval   1
keepalive timeout    60
Counters
received keepalive packets        4852
transmited keepalive packets      5293
received keepalive drop packets   20
receive keepalive miss            1

icl-sw1 # diagnose switch trunk sum D483Z17000282-0
Trunk Name        Mode                             PSC          MAC                Status    Up Time
________________  _______________________________  ___________  _________________  ________  _________________________________
D483Z17000282-0   lacp-active(auto-isl,mclag-icl)  src-dst-ip   70:4C:A5:86:6E:00  up (2/2)  0 days,0 hours,16 mins,4 secs
   c. Shut down the ICL member ports using the config switch physical-port, edit <member port#>, set status down, next, and end commands. For example:
icl-sw1 # config switch physical-port
icl-sw1 (physical-port) # edit port27
icl-sw1 (port27) # set status down
icl-sw1 (port27) # n                  // repeat for each ICL member port
icl-sw1 (physical-port) # edit port28
icl-sw1 (port28) # set status down
icl-sw1 (port28) # next
icl-sw1 (physical-port) # end

   d. Delete the original MCLAG-ICL trunk name on the switch using the config switch trunk, delete <mclag-icl-trunk-name>, and end commands. For example:
icl-sw1 # config switch trunk
icl-sw1 (trunk) # delete D483Z17000282-0
   e. Use the show switch trunk command to verify that the trunk is deleted.
   f. Create a new trunk for the MCLAG ICL using the original ICL trunk configuration collected in step 2b and the set auto-isl 0 command in the configuration. For example:
icl-sw1 # config switch trunk
icl-sw1 (trunk) # edit MCLAG-ICL
new entry 'MCLAG-ICL' added
icl-sw1 (MCLAG-ICL) # set mode lacp-active
icl-sw1 (MCLAG-ICL) # set members "port27" "port28"
icl-sw1 (MCLAG-ICL) # set mclag-icl enable
icl-sw1 (MCLAG-ICL) # end
   g. Use the show switch trunk command to check the trunk configuration.
   h. Start the trunk member ports by using the config switch physical-port, edit <member port#>, set status up, next, and end commands. For example:
icl-sw1 # config switch physical-port
icl-sw1 (physical-port) # edit port27
icl-sw1 (port27) # set status up
icl-sw1 (port27) # next               // repeat for each trunk member port
icl-sw1 (physical-port) # edit port28
icl-sw1 (port28) # set status up
icl-sw1 (port28) # end
NOTE: Follow steps 2a through 2h on both switches.
3. Set up the FortiLink interface on the FortiGate unit. Enter the config system interface, edit <interface-member-port>, set status up, next, and end commands. For example:
FG3K2D3Z17800156 # config system interface
FG3K2D3Z17800156 (interface) # edit port45
FG3K2D3Z17800156 (port45) # set status up
FG3K2D3Z17800156 (port45) # next             // repeat on all member ports
FG3K2D3Z17800156 (interface) # edit port48
FG3K2D3Z17800156 (port48) # set status up
FG3K2D3Z17800156 (port48) # next
FG3K2D3Z17800156 (interface) # end
4. Check the configuration and status on both MCLAG-ICL switches.
   a. Enter the show switch trunk, diagnose switch mclag icl, and diagnose switch trunk summary <new-trunk-name> commands. For example:
icl-sw1 # show switch trunk
config switch trunk
    <snip>
    edit "MCLAG-ICL"
        set mode lacp-active
        set mclag-icl enable
        set members "port27" "port28"
    next
end

icl-sw1 # show switch interface MCLAG-ICL
config switch interface
    edit "MCLAG-ICL"
        set native-vlan 4094
        set allowed-vlans 1,100,2001-2060,4093
        set dhcp-snooping trusted
        set stp-state disabled
        set igmp-snooping-flood-reports enable
        set mcast-snooping-flood-traffic enable
        set snmp-index 56
    next
end

icl-sw1 # diagnose switch mclag icl MCLAG-ICL
icl-ports            27-28
egress-block-ports   3-4,7-12,47-48
interface-mac        70:4c:a5:86:6d:e5
lacp-serial-number   FS1D483Z17000348
peer-mac             70:4c:a5:49:50:5
peer-serial-number   FS1D483Z17000282
Local uptime         0 days 2h:11m:13s
Peer uptime          0 days 2h:11m: 7s
MCLAG-STP-mac        70:4c:a5:49:50:52
keepalive interval   1
keepalive timeout    60
Counters
received keepalive packets        5838
transmited keepalive packets      6279
received keepalive drop packets   27
receive keepalive miss            1

icl-sw1 # diagnose switch trunk summary MCLAG-ICL
Trunk Name        Mode                             PSC          MAC                Status   Up Time
________________  _______________________________  ___________  _________________  _______  _________________________________
MCLAG-ICL         lacp-active(auto-isl,mclag-icl)  src-dst-ip   70:4C:A5:86:6E:00  up(2/2)  0 days,1 hours,4 mins,57 secs
   b. Compare the command results in step 4a with the command results in step 2b.

Executing custom FortiSwitch scripts
From the FortiGate unit, you can execute a custom script on a managed FortiSwitch unit. The custom script contains generic FortiSwitch commands.
NOTE: FortiOS 5.6.0 introduces additional capabilities related to the managed FortiSwitch unit.
This section covers the following topics:
- Creating a custom script on page 309
- Executing a custom script once on page 309
- Binding a custom script to a managed switch on page 309
Creating a custom script
Use the following syntax to create a custom script from the FortiGate unit:
config switch-controller custom-command
    edit <cmd-name>
        set command "<FortiSwitch_command>"
end
NOTE: You need to use %0a to indicate a return.
For example, use the custom script to set the STP max-age parameter on a managed FortiSwitch unit:
config switch-controller custom-command
    edit "stp-age-10"
        set command "config switch stp setting %0a set max-age 10 %0a end %0a"
end
Executing a custom script once
After you have created a custom script, you can manually execute it on any managed FortiSwitch unit. Because the custom script is not bound to any switch, the FortiSwitch unit might reset some parameters when it is restarted.
Use the following syntax on the FortiGate unit to execute the custom script once on a specified managed FortiSwitch unit:
execute switch-controller custom-command <cmd-name> <target-switch>
For example, you can execute the stp-age-10 script on the specified managed FortiSwitch unit:
execute switch-controller custom-command stp-age-10 S124DP3X15000118
Binding a custom script to a managed switch
If you want the custom script to be part of the managed switch's configuration, the custom script must be bound to the managed switch. If any of the commands in the custom script are locally controlled by a switch, the commands might be overwritten locally. Use the following syntax to bind a custom script to a managed switch:

config switch-controller managed-switch
    edit "<FortiSwitch_serial_number>"
        config custom-command
            edit <custom_script_entry>
                set command-name "<name_of_custom_script>"
            next
        end
    next
end
For example:
config switch-controller managed-switch
    edit "S524DF4K15000024"
        config custom-command
            edit 1
                set command-name "stp-age-10"
            next
        end
    next
end
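Because a custom script is a single quoted string with %0a standing for each line break, it is easy to produce one that never closes its config block or that contains a quote which ends the string early. The following Python helpers are an added example, not part of this guide: they build the command string, decode it back into lines, check config/end balance and unescaped double quotes (both checks are assumptions about what would break the script), and render the create and bind blocks in the syntax shown in this section.

```python
import re
from typing import List

NEWLINE_TOKEN = "%0a"   # FortiGate custom-command syntax: %0a stands for a line break

def encode_script(lines: List[str]) -> str:
    """Join FortiSwitch CLI lines into the custom-command string, with %0a after every line."""
    cleaned = [line.strip() for line in lines if line.strip()]
    return " ".join(f"{line} {NEWLINE_TOKEN}" for line in cleaned)

def decode_script(command: str) -> List[str]:
    """Recover the individual CLI lines from a stored custom-command string."""
    return [part.strip() for part in command.split(NEWLINE_TOKEN) if part.strip()]

def validate_script(lines: List[str]) -> List[str]:
    """Report problems that would break the script or leave the switch CLI inside a config block."""
    problems, depth = [], 0
    for number, line in enumerate(lines, 1):
        words = line.split()
        if not words:
            continue
        if words[0] == "config":
            depth += 1
        elif words[0] == "end":
            depth -= 1
            if depth < 0:
                problems.append(f"line {number}: 'end' without a matching 'config'")
                depth = 0
        if re.search(r'(?<!\\)"', line):
            # The whole script sits inside set command "...", so an unescaped double
            # quote would terminate the string early (assumption about the CLI parser).
            problems.append(f"line {number}: unescaped double quote inside the command string")
    if depth > 0:
        problems.append(f"script leaves {depth} config block(s) open; add 'end'")
    return problems

def custom_command_block(name: str, lines: List[str]) -> str:
    """Render the FortiGate CLI that creates the custom script; refuses an invalid script."""
    problems = validate_script(lines)
    if problems:
        raise ValueError("; ".join(problems))
    return "\n".join([
        "config switch-controller custom-command",
        f'    edit "{name}"',
        f'        set command "{encode_script(lines)}"',
        "    next",
        "end",
    ])

def bind_command_block(serial: str, entry: int, name: str) -> str:
    """Render the FortiGate CLI that binds an existing custom script to a managed switch."""
    return "\n".join([
        "config switch-controller managed-switch",
        f'    edit "{serial}"',
        "        config custom-command",
        f"            edit {entry}",
        f'                set command-name "{name}"',
        "            next",
        "        end",
        "    next",
        "end",
    ])

# Constructed input: the STP max-age script from the text, written as separate lines.
STP_AGE_SCRIPT = ["config switch stp setting", "set max-age 10", "end"]
```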
Resetting PoE-enabled ports
If you need to reset PoE-enabled ports, go to WiFi & Switch Control > FortiSwitch Ports, right-click on one or more PoE-enabled ports and select Reset PoE from the context menu. You can also go to WiFi & Switch Control > Managed FortiSwitch and click on a port icon for the FortiSwitch of interest. In the FortiSwitch Ports page, right-click on one or more PoE-enabled ports and select Reset PoE from the context menu.

Appendix A: Configuring the Media Redundancy Protocol
A ring of Ethernet switches can use the Media Redundancy Protocol (MRP) to overcome a failure faster than with STP. An MRP network consists of a ring of switches with one manager switch; the rest of the switches are clients. The switches in the ring must use physical ports to form the ring or a single port configured as a static trunk. The MRP ring ports are disabled in STP.

If a ring has more than one switch that can be manager, MRP selects the switch with the highest priority (numerically lower number) as the manager. If a ring has more than one switch that can be manager and the switches have the same priority, MRP selects the switch with the lowest MAC address as the manager.

Each node of the MRP network must be configured as an automanager (manager switch) or a client. The MRP automanager and client switches must have matching parameters, such as MRP VLAN and domain identifier, for the MRP ring to function properly.

MRP sends three types of frames through the ring ports:
- MRP_Test frames detect a failure or recovery of a ring port link.
- MRP_LinkChange frames indicate a failure or recovery of a ring port link.
- MRP_TopologyChange frames indicate that the MRP network topology has changed.

Starting in FortiSwitchOS 7.0.0, the FortiSwitch unit supports the following:
- One MRP ring
- Ring-check mode
- The media redundancy interconnection manager (MIM) is not supported.
- The media redundancy interconnection client (MIC) is not supported.
- Fortinet recommends configuring no more than two automanagers in a ring.

Refer to the FortiSwitchOS feature matrix to see which FortiSwitch models support MRP.
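The manager election rule (lowest priority value wins, then lowest MAC address) and the requirement that every node agree on the MRP VLAN and domain identifier, as an added Python example that is not FortiSwitch code. Node names, MAC addresses, the role labels and the priority values are constructed; the priority field models "highest priority (numerically lower number)" and is not the name of a FortiSwitch CLI setting.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class MrpNode:
    name: str
    mac: str         # switch MAC address as printed by the switch (constructed below)
    role: str        # "automanager" or "client" (labels chosen for this example)
    vlan_id: int     # MRP VLAN; must match on every node in the ring
    domain_id: str   # MRP domain identifier; must match on every node in the ring
    priority: int    # manager priority: numerically lower wins (automanagers only)

def mac_to_int(mac: str) -> int:
    """Compare MAC addresses numerically, whatever separator the switch printed."""
    return int(mac.replace(":", "").replace("-", ""), 16)

def ring_config_errors(ring: List[MrpNode]) -> List[str]:
    """Report parameter mismatches and role problems that would keep the ring from working."""
    errors = []
    ref = ring[0]
    for node in ring[1:]:
        if node.vlan_id != ref.vlan_id:
            errors.append(f"{node.name}: MRP VLAN {node.vlan_id} differs from {ref.vlan_id} on {ref.name}")
        if node.domain_id != ref.domain_id:
            errors.append(f"{node.name}: domain {node.domain_id!r} differs from {ref.domain_id!r} on {ref.name}")
    managers = [n for n in ring if n.role == "automanager"]
    if not managers:
        errors.append("no automanager in the ring")
    elif len(managers) > 2:
        errors.append(f"{len(managers)} automanagers configured; Fortinet recommends at most two")
    return errors

def elect_manager(ring: List[MrpNode]) -> Optional[MrpNode]:
    """Lowest priority value wins; equal priorities are broken by the lowest MAC address."""
    candidates = [n for n in ring if n.role == "automanager"]
    if not candidates:
        return None
    return min(candidates, key=lambda n: (n.priority, mac_to_int(n.mac)))

# Constructed ring: two automanagers with equal priority and one client.
RING = [
    MrpNode("sw-a", "70:4c:a5:00:00:20", "automanager", 4094, "mrp-ring-1", 0x8000),
    MrpNode("sw-b", "70:4c:a5:00:00:05", "automanager", 4094, "mrp-ring-1", 0x8000),
    MrpNode("sw-c", "70:4c:a5:00:00:10", "client", 4094, "mrp-ring-1", 0x8000),
]
```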

To configure MRP in FortiLink mode:

NOTE: The FortiSwitch units must be first configured in standalone mode without being connected to any FortiGate devices.

1. Enable auto-network using a management VLAN of 4094. By default, auto-network is enabled in FortiSwitchOS 7.2.0 and later. For example:
config switch auto-network
    set mgmt-vlan 4094
end
2. Let the ISL trunks automatically form between the FortiSwitch units. For example:
config switch trunk
    edit "2DP4F16000319-0"
        set auto-isl 1
        set static-isl disable
        set members "port3"
    next
    edit "2DP4F14000094-0"
        set auto-isl 1
        set static-isl disable
        set members "port5"
    next
end
3. Change the ISL trunks to static-isl trunks. For example:
config switch trunk
    edit "2DP4F16000319-0"
        set auto-isl 1
        set static-isl enable
        set members "port3"
    next
    edit "2DP4F14000094-0"
        set auto-isl 1
        set static-isl enable
        set members "port5"
    next
end
4. Configure the MRP settings with VLAN 4094. Use the physical ports of the static-isl trunk members as MRP ring ports. For example:
config switch mrp settings
    set status enable
    set vlan-id 4094
    set ring-port1 "port3"
    set ring-port2 "port5"
end
5. Connect the link to the FortiGate device and authorize the FortiSwitch units.

Appendix B: Configuring HSR and PRP with FortiLink
Starting in FortiSwitchOS 7.2.4, High-Availability Seamless Redundancy (HSR) and Parallel Redundancy Protocol (PRP) are supported. Refer to the FortiSwitchOS feature matrix to see which FortiSwitch models support HSR and PRP. This section covers the following topics:
- Configuring HSR with FortiLink on page 314
- Configuring HSR and PRP with FortiLink on page 319
- Limitations for HSR and PRP with FortiLink on page 327
Configuring HSR with FortiLink
HSR is defined in the international standard IEC 62439-3-2016 clause 5. HSR provides seamless communication with fault tolerance by duplicating every unicast frame sent in HSR networks. Although HSR can be used in different topologies such as ring, bus, and mesh, the most commonly used topology is a single ring topology. This document focuses on the HSR ring topology. A simple HSR network consists of doubly attached bridging nodes, each having two ring ports, interconnected by full-duplex links. The simplest HSR topology contains two switches with two links between them; the ports connected to these two links serve as the HSR ring ports. The following figure shows HSR being used with FortiLink.

You need to first configure HSR and the static-isl trunks on the physical loopbacks on the FortiSwitch units before authorizing and managing them on the FortiGate device.

In the preceding figure, the HSR ring ports (port5-port6) belong to the hsr-internal-vlan 4000. The hsr-internal-vlan cannot be the same as the FortiLink management VLAN 4094, because the loopback static-isl trunk cannot have the native VLAN 4094 configured if the hsr-internal-vlan is set to 4094.

The switch management VLAN 4094 uses port26 for output, with the native VLAN set to 4094 in all switches (port26 is the static ISL trunk with a native VLAN of 4094, which allows the other normal data VLANs except for hsr-internal-vlan 4000). The native control packets in VLAN 4094 are sent to the port25 interlink port (VLAN 4000) through the physical loopback connection. Therefore, the native control packets go through the HSR ring to reach the tier-1 switch. In the tier-1 switch, the native control packets are forwarded from the HSR ring to port28 (the interlink port of the FortiLink trunk) and then to the FortiLink interface. Therefore, the FortiGate device can manage all switches.

NOTE: The switch control plane (VLAN 4094) and the intelligent electronic device (IED) data plane (hsr-internal-vlan 4000) are in the same layer-2 broadcast domain. All IED hosts in VLAN 4000 go out of port28 (FortiLink trunk) of the tier-1 switch with native packets. The FortiLink interface in the FortiGate device receives these packets from all IED hosts. Therefore, the traffic of all IED hosts is in the FortiLink management VLAN on the FortiGate device (the management VLAN is 4094).

NOTE: The data traffic in VLAN 4000 will use the FortiLink interface as a gateway. FortiLink can manage other normal data VLANs as usual.
Configuration example

To configure FGR-70F:
config system interface
    edit "fortilink"
        set vdom "root"
        set fortilink enable
        set ip 10.255.1.1 255.255.255.0
        set allowaccess ping fabric
        set type aggregate
        set member "port3"
        set lldp-reception enable
        set lldp-transmission enable
        set lacp-mode static
    next
end
To configure FSR-424F-POE-1:
config switch hsr ring
    edit 1
        set status enable
        set ring-port-pair port5-port6
        set hsr-internal-vlan 4000
    next
end
config switch trunk
    edit "HSR1"    // automatically created
        set mode prp-hsr
        set static-isl enable
        set static-isl-auto-vlan disable
        set members "port5" "port6"
    next
    edit "trunk11"
        set auto-isl 1
        set static-isl enable
        set static-isl-auto-vlan disable
        set members "port11"
    next
    edit "trunk1"
        set auto-isl 1
        set static-isl enable
        set static-isl-auto-vlan disable
        set members "port1"
    next
    edit "trunk2"
        set auto-isl 1
        set static-isl enable
        set static-isl-auto-vlan disable
        set members "port2"
    next
end
config switch interface
    edit "trunk11"
        set native-vlan 4000
        set dhcp-snooping trusted
        set edge-port disabled
    next
end
config switch interface
    edit "trunk1"
        set native-vlan 4000
        set dhcp-snooping trusted
        set stp-state disabled
        set edge-port disabled
    next
end
config switch interface
    edit "trunk2"
        set native-vlan 4094
        set allowed-vlans 1-3999,4001-4094
        set dhcp-snooping trusted
        set edge-port disabled
    next
end
config switch interface
    edit "HSR1"    // automatically created
        set native-vlan 4000
        set dhcp-snooping trusted
        set stp-state disabled
        set edge-port disabled
    next
end
To configure FSR-424F-POE-2:
config switch hsr ring
    edit 1
        set status enable
        set ring-port-pair port5-port6
        set hsr-internal-vlan 4000
    next
end
config switch trunk
    edit "trunk1"
        set auto-isl 1
        set static-isl enable
        set static-isl-auto-vlan disable
        set members "port1"
    next
    edit "trunk2"
        set auto-isl 1
        set static-isl enable
        set static-isl-auto-vlan disable
        set members "port2"
    next
    edit "HSR1"    // automatically created
        set mode prp-hsr
        set static-isl enable
        set static-isl-auto-vlan disable
        set members "port5" "port6"
    next
end
config switch interface
    edit "trunk1"
        set native-vlan 4000
        set dhcp-snooping trusted
        set stp-state disabled
        set edge-port disabled
        set snmp-index 49
    next
end
config switch interface
    edit "trunk2"
        set native-vlan 4094
        set allowed-vlans 1-3999,4001-4094
        set dhcp-snooping trusted
        set edge-port disabled
    next
end
config switch interface
    edit "HSR1"    // automatically created
        set native-vlan 4000
        set dhcp-snooping trusted
        set stp-state disabled
        set edge-port disabled
    next
end
To configure FSR-424F-POE-3:
config switch hsr ring
    edit 1
        set status enable
        set ring-port-pair port5-port6
        set hsr-internal-vlan 4000
    next
end
config switch trunk
    edit "trunk1"
        set auto-isl 1
        set static-isl enable
        set static-isl-auto-vlan disable
        set members "port1"
    next
    edit "trunk2"
        set auto-isl 1
        set static-isl enable
        set static-isl-auto-vlan disable
        set members "port2"
    next
    edit "HSR1"    // automatically created
        set mode prp-hsr
        set static-isl enable
        set static-isl-auto-vlan disable
        set members "port5" "port6"
    next
end

config switch interface
    edit "trunk1"
        set native-vlan 4000
        set dhcp-snooping trusted
        set stp-state disabled
        set edge-port disabled
    next
end
config switch interface
    edit "trunk2"
        set native-vlan 4094
        set allowed-vlans 1-3999,4001-4094
        set dhcp-snooping trusted
        set edge-port disabled
    next
end
config switch interface
    edit "HSR1"    // automatically created
        set native-vlan 4000
        set dhcp-snooping trusted
        set stp-state disabled
        set edge-port disabled
    next
end
Configuring HSR and PRP with FortiLink
The PRP is defined in the international standard IEC 62439-3-2016 clause 4. PRP provides seamless communication with fault tolerance by duplicating every unicast frame sent in PRP networks. You can use PRP in different topologies such as ring, bus, or meshed.
A doubly attached node with PRP (DANP) is attached to two independent local area networks (LANs) with similar topologies, named LAN_A and LAN_B, which operate in parallel. A source DANP sends the same frame over both LANs, and a destination DANP receives it from both LANs within a certain time, consumes the first frame, and discards the duplicate. If a LAN fails, a DANP destination continues to operate with the frames from the other LAN.
Uncritical nodes, such as laptops or printers, are usually attached to just one LAN as single attached nodes (SANs). SANs that need to communicate with each other must be on the same LAN. If a critical node without PRP capability needs to communicate with all other nodes, it can be attached to a redundancy box (RedBox). The RedBox allows the single-interface node to be attached to both networks and communicate with all other nodes. Because a node behind a RedBox appears to be a doubly attached node (DAN) to the other nodes, it is called a virtual DAN (VDAN). The RedBox itself is a DANP and acts as a proxy on behalf of its VDANs. Because LAN_A and LAN_B must be independent, any connections among DANs and RedBoxes are not allowed.
The simplest PRP topology configuration is two switches with two links between them; the ports connected to these two links serve as PRP channel ports. PRP channel ports are always a pair of an odd-numbered switch port and an even-numbered switch port. The pairs of switch ports are hard coded, for example, port1-port2, port3-port4, ... port27-port28.
The following figure shows HSR and PRP being used with FortiLink.

You must first configure HSR and PRP and the static-isl trunks on the physical loopbacks on the FortiSwitch units before authorizing and managing the units on the FortiGate device.
NOTE:
- The IEDs and the GPS clock are PRP-capable stations. The hosts are normal hosts without PRP support.
- All hosts receive packets with the PRP trailer, so the host applications must ignore the PRP trailer in the packets for the applications to work.
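The following Python script is an added example and is not part of this guide or of any Fortinet product. It parses the PRP trailer (the redundancy control trailer, RCT) that the note above says every host receives, validates it, and applies the duplicate-discard rule a destination DANP uses as described earlier in this section. The RCT layout (16-bit sequence number, 4-bit LAN identifier 0xA or 0xB with a 12-bit LSDU size, and the suffix 0x88FB) follows IEC 62439-3; the source MAC address, payloads and frame sequence are constructed for the demo, and VLAN tags and minimum-frame padding are not modelled. The per-LAN counters are the defender's angle: an application behind duplicate discard keeps working when one LAN dies, so a counter that stops growing is the only visible sign of the failure.

```python
"""PRP redundancy control trailer (RCT) parsing and duplicate discard.

Added example, not Fortinet code. The RCT is the last 6 bytes of the
Ethernet payload (IEC 62439-3 clause 4):
    SeqNr (16 bit) | LanId (4 bit) + LSDUsize (12 bit) | PRPsuffix 0x88FB
LanId is 0xA for LAN_A and 0xB for LAN_B; LSDUsize counts the payload plus
the RCT itself. VLAN tags and minimum-frame padding are not modelled here.
"""
import struct
from collections import OrderedDict

PRP_SUFFIX = 0x88FB
RCT_LEN = 6
LAN_NAME = {0xA: "LAN_A", 0xB: "LAN_B"}


def add_rct(payload: bytes, seq: int, lan_id: int) -> bytes:
    """Append an RCT the way a sending DANP does (used only to build demo frames)."""
    lsdu_size = len(payload) + RCT_LEN
    tail = struct.pack("!HHH", seq & 0xFFFF, (lan_id << 12) | (lsdu_size & 0xFFF), PRP_SUFFIX)
    return payload + tail


def parse_rct(frame_payload: bytes):
    """Return (payload_without_rct, seq, lan_name), or None when there is no valid RCT.

    A frame without an RCT comes from a single attached node (SAN) and is kept as-is.
    This is the "ignore the trailer" behaviour hosts need, with a check on the LSDU
    size so random bytes that happen to end in 0x88FB are not taken for a trailer.
    """
    if len(frame_payload) < RCT_LEN:
        return None
    seq, lan_size, suffix = struct.unpack("!HHH", frame_payload[-RCT_LEN:])
    lan_id, lsdu_size = lan_size >> 12, lan_size & 0xFFF
    if suffix != PRP_SUFFIX or lan_id not in LAN_NAME or lsdu_size != len(frame_payload):
        return None
    return frame_payload[:-RCT_LEN], seq, LAN_NAME[lan_id]


class DuplicateDiscard:
    """Per-source duplicate discard, as a receiving DANP or RedBox applies it.

    The first copy of (source MAC, sequence number) is delivered; the copy that
    arrives later over the other LAN is dropped. lan_counts shows whether both
    LANs still deliver frames: if one counter stops growing, that LAN has failed
    even though applications keep working on the surviving LAN.
    """

    def __init__(self, window: int = 256):
        self.window = window          # sequence numbers remembered per source
        self.seen = {}                # src_mac -> OrderedDict(seq -> set of LAN names)
        self.lan_counts = {"LAN_A": 0, "LAN_B": 0}

    def accept(self, src_mac: bytes, frame_payload: bytes):
        """Return (payload_to_deliver or None, decision string)."""
        parsed = parse_rct(frame_payload)
        if parsed is None:
            return frame_payload, "SAN"          # no trailer: pass through unchanged
        payload, seq, lan = parsed
        self.lan_counts[lan] += 1
        table = self.seen.setdefault(src_mac, OrderedDict())
        if seq in table:
            table[seq].add(lan)
            return None, "duplicate from " + lan
        table[seq] = {lan}
        while len(table) > self.window:          # bound memory per source
            table.popitem(last=False)
        return payload, lan


def demo():
    """Constructed traffic: one DANP sends seq 7 on both LANs, seq 8 only via LAN_B
    (its LAN_A copy is lost), then a SAN sends a frame without any trailer."""
    src = b"\x00\x11\x22\x33\x44\x55"          # constructed source MAC
    data = b"sample-protection-frame"          # constructed payload
    dd = DuplicateDiscard()
    decisions = [
        dd.accept(src, add_rct(data, 7, 0xA))[1],
        dd.accept(src, add_rct(data, 7, 0xB))[1],
        dd.accept(src, add_rct(data, 8, 0xB))[1],
        dd.accept(src, b"frame from a single attached node")[1],
    ]
    return {"decisions": decisions, "lan_counts": dict(dd.lan_counts)}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` delivers the LAN_A copy of sequence 7, drops its LAN_B duplicate, delivers sequence 8 from LAN_B alone, and passes the SAN frame through untouched; the LAN_B counter ends at 2 and LAN_A at 1, which is the kind of imbalance an operator would alert on if it persisted.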

Configuration example

To configure FSR-424F-POE-1:
config switch prp channel
    edit 1
        set status enable
        set channel-port-pair port17-port18
        set prp-internal-vlan 4000
    next
end
config switch trunk
    edit "trunk11"
        set auto-isl 1
        set static-isl enable
        set static-isl-auto-vlan disable
        set members "port11"
    next
    edit "trunk1"
        set auto-isl 1
        set static-isl enable
        set static-isl-auto-vlan disable
        set members "port25"
    next
    edit "trunk2"
        set auto-isl 1
        set static-isl enable
        set static-isl-auto-vlan disable
        set members "port26"
    next
    edit "PRP1"
        set mode prp-hsr
        set static-isl enable
        set static-isl-auto-vlan disable
        set members "port17" "port18"
    next
end
config switch interface
    edit "trunk11"
        set native-vlan 4000
        set dhcp-snooping trusted
        set edge-port disabled
    next
end
config switch interface
    edit "trunk1"
        set native-vlan 4000
        set dhcp-snooping trusted
        set stp-state disabled
        set edge-port disabled
    next
end
config switch interface
    edit "trunk2"
        set native-vlan 4094
        set allowed-vlans 1-3999,4001-4094
        set dhcp-snooping trusted
        set edge-port disabled
    next
end
config switch interface
    edit "PRP1"
        set native-vlan 4000
        set stp-state disabled
        set snmp-index 50
    next
end
To configure FSR-424F-POE-2:
config switch hsr ring
    edit 1
        set status enable
        set ring-port-pair port5-port6
        set hsr-internal-vlan 4000
    next
end
config switch trunk
    edit "trunk1"
        set auto-isl 1
        set static-isl enable
        set static-isl-auto-vlan disable
        set members "port25"
    next
    edit "trunk2"
        set auto-isl 1
        set static-isl enable
        set static-isl-auto-vlan disable
        set members "port26"
    next
    edit "trunk10"
        set auto-isl 1
        set static-isl enable
        set static-isl-auto-vlan disable
        set members "port10"
    next
    edit "HSR1"
        set mode prp-hsr
        set static-isl enable
        set static-isl-auto-vlan disable
        set members "port5" "port6"
    next
end
config switch interface
    edit "trunk1"
        set native-vlan 4000
        set dhcp-snooping trusted
        set stp-state disabled
        set edge-port disabled
    next
end
config switch interface
    edit "trunk2"
        set native-vlan 4094
        set allowed-vlans 1-3999,4001-4094
        set dhcp-snooping trusted
        set edge-port disabled
    next
end
config switch interface
    edit "trunk10"
        set native-vlan 4000
        set dhcp-snooping trusted
        set edge-port disabled
    next
end
config switch interface
    edit "HSR1"
        set native-vlan 4000
        set dhcp-snooping trusted
        set stp-state disabled
        set edge-port disabled
    next
end

To configure FSR-424F-POE-3:
config switch hsr ring
    edit 1
        set status enable
        set ring-port-pair port5-port6
        set hsr-internal-vlan 4000
    next
end
config switch trunk
    edit "trunk1"
        set auto-isl 1
        set static-isl enable
        set static-isl-auto-vlan disable
        set members "port25"
    next
    edit "trunk2"
        set auto-isl 1
        set static-isl enable
        set static-isl-auto-vlan disable
        set members "port26"
    next
    edit "HSR1"
        set mode prp-hsr
        set static-isl enable
        set static-isl-auto-vlan disable
        set members "port5" "port6"
    next
end
config switch interface
    edit "trunk1"
        set native-vlan 4000
        set dhcp-snooping trusted
        set stp-state disabled
        set edge-port disabled
    next
end
config switch interface
    edit "trunk2"
        set native-vlan 4094
        set allowed-vlans 1-3999,4001-4094
        set dhcp-snooping trusted
        set edge-port disabled
    next
end
config switch interface
    edit "HSR1"
        set native-vlan 4000
        set stp-state disabled
    next
end

To configure FSR-424F-POE-4:
config switch hsr ring
    edit 1
        set status enable
        set ring-port-pair port5-port6
        set hsr-internal-vlan 4000
    next
end
config switch trunk
    edit "trunk1"
        set auto-isl 1
        set static-isl enable
        set static-isl-auto-vlan disable
        set members "port25"
    next
    edit "trunk2"
        set auto-isl 1
        set static-isl enable
        set static-isl-auto-vlan disable
        set members "port26"
    next
    edit "trunk10"
        set auto-isl 1
        set static-isl enable
        set static-isl-auto-vlan disable
        set members "port10"
    next
    edit "HSR1"
        set mode prp-hsr
        set static-isl enable
        set static-isl-auto-vlan disable
        set members "port5" "port6"
    next
end
config switch interface
    edit "trunk1"
        set native-vlan 4000
        set dhcp-snooping trusted
        set stp-state disabled
        set edge-port disabled
    next
end
config switch interface
    edit "trunk2"
        set native-vlan 4094
        set allowed-vlans 1-3999,4001-4094
        set dhcp-snooping trusted
        set edge-port disabled
    next
end
config switch interface
    edit "trunk10"
        set native-vlan 4000
        set dhcp-snooping trusted
        set edge-port disabled
    next
end
config switch interface
    edit "HSR1"
        set native-vlan 4000
        set dhcp-snooping trusted
        set stp-state disabled
        set edge-port disabled
    next
end
To configure FSR-424F-POE-5:
config switch hsr ring
    edit 1
        set status enable
        set ring-port-pair port5-port6
        set hsr-internal-vlan 4000
    next
end
config switch trunk
    edit "trunk1"
        set auto-isl 1
        set static-isl enable
        set static-isl-auto-vlan disable
        set members "port25"
    next
    edit "trunk2"
        set auto-isl 1
        set static-isl enable
        set static-isl-auto-vlan disable
        set members "port26"
    next
    edit "HSR1"
        set mode prp-hsr
        set static-isl enable
        set static-isl-auto-vlan disable
        set members "port5" "port6"
    next
end
config switch interface
    edit "trunk1"
        set native-vlan 4000
        set dhcp-snooping trusted
        set stp-state disabled
        set edge-port disabled
    next
end
config switch interface
    edit "trunk2"
        set native-vlan 4094
        set allowed-vlans 1-3999,4001-4094
        set dhcp-snooping trusted
        set edge-port disabled
    next
end
config switch interface
    edit "HSR1"
        set native-vlan 4000
        set stp-state disabled
    next
end
Limitations for HSR and PRP with FortiLink
- You have to configure the static-isl trunk on the loopback trunk and on the interlink port connected to the loopback trunk, and you have to set static-isl-auto-vlan to disable.
- The HSR and PRP internal VLANs must be defined on the FortiGate device with the default options and without an IP address. This VLAN can be assigned as the native VLAN on those HSR and PRP interlink ports. In the following example, VLAN 4000 is the hsr-internal-vlan and prp-internal-vlan:
  a. Configure VLAN 4000 in the FortiGate system interface:
     config system interface
         edit "vlan4000"
             set vdom "root"
             set allowaccess ping https ssh http
             set device-identification enable
             set role lan
             set snmp-index 109
             set interface "fortilink1"
             set vlanid 4000
         next
     end
  b. Configure VLAN 4000 in the FortiGate switch controller:
     config switch-controller managed-switch
         edit SR24FPTF21000005
             config ports
                 edit port8
                     set vlan vlan4000
                     unset allowed-vlans
                     unset untagged-vlans
                 end
         end
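The following Python script is an added example, not part of this guide or of FortiSwitchOS. It parses FortiSwitch CLI text of the kind shown in the configuration examples above and checks it against the limitations just listed: every static-isl trunk must have static-isl-auto-vlan set to disable, the channel-port-pair or ring-port-pair must be one of the hard-coded odd/even pairs (port1-port2, port3-port4, ... port27-port28), and a trunk with mode prp-hsr must carry exactly those two ports, as PRP1 and HSR1 do in the examples. The parser, the wording of the findings and the two sample configs (one conforming, one with two deliberate mistakes) are constructed for the demo; run it before authorizing a switch to catch a loopback trunk that would be rewritten by the switch controller or a port pair that the hardware will reject.

```python
"""Lint FortiSwitch HSR/PRP CLI text against the rules in this appendix.

Added example, not Fortinet code. parse_cli() reads config/edit/set/next/end
blocks into nested dicts; lint() checks hard-coded odd/even port pairs,
static-isl trunks with static-isl-auto-vlan disabled, and a prp-hsr trunk
whose members are exactly the pair ports. Sample configs are constructed.
"""
import re
import shlex

PAIR_RE = re.compile(r"^port(\d+)-port(\d+)$")


def parse_cli(text):
    """Return {table: {entry: {key: [values]}}}; nested tables get 'parent/child' paths."""
    tables, stack, table, entry = {}, [], None, None
    for raw in text.splitlines():
        words = shlex.split(raw.split("//", 1)[0])     # drop trailing // comments
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if cmd == "config":
            stack.append((table, entry))
            table = (table + "/" if table else "") + " ".join(args)
            entry = None
            tables.setdefault(table, {})
        elif cmd == "edit":
            entry = args[0]
            tables[table].setdefault(entry, {})
        elif cmd == "set":
            tables[table].setdefault(entry, {})[args[0]] = args[1:]
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            table, entry = stack.pop()
    return tables


def lint(text):
    """Return a list of findings; an empty list means the config follows the rules."""
    cfg = parse_cli(text)
    trunks = cfg.get("switch trunk", {})
    findings = []
    # Rule 1: every static-isl trunk (loopback and interlink) disables static-isl-auto-vlan.
    for name, t in trunks.items():
        if t.get("static-isl") == ["enable"] and t.get("static-isl-auto-vlan") != ["disable"]:
            findings.append(f"trunk {name}: static-isl-auto-vlan must be disable")
    # Rule 2: the port pair is odd/even and consecutive; a prp-hsr trunk carries exactly it.
    # (A switch runs either PRP or HSR; both tables are merged here only for brevity.)
    groups = {**cfg.get("switch prp channel", {}), **cfg.get("switch hsr ring", {})}
    for gid, g in groups.items():
        pair = (g.get("channel-port-pair") or g.get("ring-port-pair") or [""])[0]
        m = PAIR_RE.match(pair)
        if not m or int(m.group(1)) % 2 == 0 or int(m.group(2)) != int(m.group(1)) + 1:
            findings.append(f"group {gid}: pair {pair!r} is not an odd/even pair like port1-port2")
            continue
        members = {"port" + m.group(1), "port" + m.group(2)}
        if not any(t.get("mode") == ["prp-hsr"] and set(t.get("members", [])) == members
                   for t in trunks.values()):
            findings.append(f"group {gid}: no 'mode prp-hsr' trunk has members {sorted(members)}")
    return findings


GOOD = """config switch prp channel
    edit 1
        set status enable
        set channel-port-pair port17-port18
        set prp-internal-vlan 4000
    next
end
config switch trunk
    edit "PRP1"  // redundancy trunk on the physical loopback
        set mode prp-hsr
        set static-isl enable
        set static-isl-auto-vlan disable
        set members "port17" "port18"
    next
end
"""

BAD = """config switch hsr ring
    edit 1
        set status enable
        set ring-port-pair port6-port7
        set hsr-internal-vlan 4000
    next
end
config switch trunk
    edit "HSR1"
        set mode prp-hsr
        set static-isl enable
        set static-isl-auto-vlan enable
        set members "port6" "port7"
    next
end
"""
```

`lint(GOOD)` returns an empty list; `lint(BAD)` reports the trunk whose static-isl-auto-vlan is still enabled and the pair port6-port7, which starts on an even port and so is not one of the hard-coded pairs.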

www.fortinet.com
Copyright© 2024 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's Chief Legal Officer, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

