Managed Fortiswitch 561
Change log 7
Introduction 8
Supported models 8
What's new for managed FortiSwitches in FortiOS 5.6.1 with FortiSwitch 3.6.0 (and later
releases) 9
Simplified method to convert a FortiSwitch to standalone mode (393205) 9
Quarantines (410828) 10
Assign untagged VLANs to a managed FortiSwitch port (410828) 12
View, create, and assign multiple 802.1X policy definitions (408389 and 403901) 12
Enable and disable switch-controller access VLANs through FortiGate (406718) 13
Override the admin password for all managed FortiSwitches (416261) 13
Configure an MCLAG with managed FortiSwitches (366617) 14
Configure QoS with managed FortiSwitches (373581) 14
Reset PoE-enabled ports from the GUI (387417) 16
Adding preauthorized FortiSwitches (382774) 16
What's new for managed FortiSwitches in FortiOS 5.6 with FortiSwitch 3.6.0 (and later
releases) 16
IGMP snooping (387515) 16
User-port link aggregation groups (378470) 17
DHCP blocking, STP, and loop guard on managed FortiSwitch ports (375860) 17
Switch profile enhancements (387398) 17
Number of switches per FortiGate based on model (388024) 18
Miscellanous configuration option changes 18
Additional GUI support 18
What's new for managed FortiSwitches in FortiOS 5.6 with FortiSwitch 3.5.4 (and later
releases) 18
Aggregating FortiSwitches into groups (397950) 18
Pre-authentication and replacements of FortiSwitches (298533) 19
LLDP MED on managed FortiSwitches (372288) 19
Enhanced 802.1x including FortiSwitch port security policy framework (389102) 20
Firmware upgrade management and compatible version information (385171) 21
Changed managed-switch display format for 'dynamic-capability' (387239) 21
Connecting to a managed switch CLI from the FortiGate GUI (378119) 21
Firmware upgrade of stacked or tiered switches (355050) 22
More information displayed by the execute switch-controller get-conn-status command
(388751) 22
User-port link aggregation groups available on the GUI (378470) 22
DHCP blocking, STP, and loop guard on managed FortiSwitch ports on the GUI
(375860) 23
New switch profiles (387398) 23
Miscellanous configuration option changes 23
Before you begin 24
How this guide is organized 24
Connecting FortiLink ports 25
1. Enable the switch controller on FortiGate 25
2. Connect the FortiSwitch and FortiGate 25
Auto-discovery of the FortiSwitch ports 25
Choosing the FortiGate ports 26
FortiLink configuration using the FortiGate GUI 27
Summary of the procedure 27
Configure FortiLink as a single link 27
Configure FortiLink as a logical interface 27
FortiLink split interface 28
Authorizing the FortiSwitch 28
Adding preauthorized FortiSwitches 28
Managed FortiSwitch display 29
Edit a managed FortiSwitch 30
Network interface display 30
Add link aggregation groups (Trunks) 30
Configure DHCP blocking, STP, and loop guard on managed FortiSwitch ports 31
FortiLink configuration using the FortiGate CLI 32
Summary of the procedure 32
Configure FortiLink as a single link 32
Configure FortiLink as a logical interface 33
Network topologies for managed FortiSwitches 35
Supported topologies 35
Single FortiGate managing a single FortiSwitch 36
Single FortiGate managing a stack of several FortiSwitches 36
HA-mode FortiGates managing a single FortiSwitch 37
HA-mode FortiGates managing a stack of several FortiSwitches 38
HA-mode FortiGates managing a FortiSwitch two-tier topology 39
Single FortiGate managing multiple FortiSwitches (using a hardware or software switch
interface) 40
HA-mode FortiGates managing two-tier FortiSwitches with access rings 40
Dual-homed servers connected to FortiLink tier-1 FortiSwitches using an MCLAG 42
Standalone FortiGate with dual-homed FortiSwitch access 43
HA-mode FortiGates with dual-homed FortiSwitch access 44
Grouping FortiSwitches 44
Stacking configuration 44
Firmware upgrade of stacked or tiered FortiSwitches 45
Transitioning from a FortiLink split interface to a FortiLink MCLAG 46
Optional setup tasks 48
Configuring the FortiSwitch management port 48
Converting to FortiSwitch standalone mode 49
Changing the admin password on the FortiGate for all managed FortiSwitches 49
FortiSwitch features configuration 51
VLAN configuration 51
FortiSwitch VLANs display 51
Enabling and disabling switch-controller access VLANs through FortiGate 52
Creating VLANs 52
Configure MAC address aging interval 54
Enable multiple FortiLink interfaces 54
Configure IGMP settings 54
Configure LLDP profiles 55
Configure LLDP settings 55
Create LLDP asset tags for each managed FortiSwitch 56
Add media endpoint discovery (MED) to an LLDP configuration 56
Display LLDP information 56
Configure the MAC sync interval 57
Configure STP settings 57
Quarantines 57
Quarantining a MAC address 57
Viewing quarantine entries 59
Releasing MAC addresses from quarantine 60
FortiSwitch Port Features 62
FortiSwitch ports display 62
Configuring ports using the GUI 63
Resetting PoE-enabled ports 63
Configuring ports using the FortiGate CLI 63
Configuring port speed and admin status 63
Configuring DHCP snooping 64
Configuring PoE 64
Configuring STP 64
Configuring loop guard 65
Configuring LLDP 65
Configuring IGMP 65
FortiSwitch port security policy 66
Configure the 802.1X settings for a virtual domain 66
Override the virtual domain settings 67
Define an 802.1X security policy 68
Apply an 802.1X security policy to a FortiSwitch port 69
Additional Capabilities 71
Execute custom FortiSwitch commands 71
Firmware upgrade management and compatible version information 71
FortiSwitch log export 72
FortiSwitch per-port device visibility 73
FortiGate CLI support for FortiSwitch features (on non-FortiLink ports) 73
Configuring a link aggregation group (LAG) 73
Configuring an MCLAG with managed FortiSwitches 73
Configuring storm control 74
Displaying port statistics 75
Configuring QoS with managed FortiSwitches 76
Troubleshooting 79
Troubleshooting FortiLink issues 79
Check the FortiGate configuration 79
Check the FortiSwitch configuration 79
Change log
Introduction
FortiGate-300 to 5xx 48
Supported models
The following table shows the FortiSwitch models that support FortiLink mode when paired with the
corresponding FortiGate models and the listed minimum software releases.
FortiGate and FortiWiFi Models | FortiSwitch Models | Earliest FortiOS
FSR-112D-POE
FGT-60D
FS-108D-POE
FGT-100D, 140D, 140D-POE, 140D-T1 5.2.3
FS-124D (POE)
FGT-200D, 240D, 280D, 280D-POE
FS-224D-POE and FPOE
FGT-600C
FGT-800C
FGT-1000C, 1200D, 1500D
All FortiSwitch D-series models.
FGT-3700D, FGT-3700DX
5.4.0
FortiSwitchOS 3.3.x or 3.4.0 is
recommended.
What's new for managed FortiSwitches in FortiOS 5.6.1 with FortiSwitch 3.6.0 (and later releases)
This section describes new managed FortiSwitch features in FortiOS 5.6.1 with FortiSwitch 3.6.0.
You can also add or remove entries from the list of FortiSwitches that have FortiLink auto-discovery disabled
using the following commands:
config switch-controller global
    append disable-discovery <switch-id>
    unselect disable-discovery <switch-id>
end
Quarantines (410828)
Quarantined MAC addresses are blocked on the connected FortiSwitches from the network and the LAN.
NOTE: You must enable the quarantine feature in the FortiGate CLI using the set quarantine enable
command. You can add MAC addresses to the quarantine list before enabling the quarantine feature, but the
quarantine does not go into effect until enabled.
Use the following command to view the quarantine list of MAC addresses:
show switch-controller quarantine
When the quarantine feature is enabled on the FortiGate, it creates a quarantine VLAN (qtn.<FortiLink_port_
name>) on the virtual domain. The quarantine VLAN is applied to the allowed and untagged VLANs on all
connected FortiSwitch ports.
Use the following command to view how the quarantine VLAN is applied to the allowed and untagged VLANs on
all connected FortiSwitch ports:
show switch-controller managed-switch
When the quarantine feature is disabled, all quarantined MAC addresses are released from quarantine. Use the
following commands to disable the quarantine feature:
config switch-controller quarantine
    set quarantine disable
end
View, create, and assign multiple 802.1X policy definitions (408389 and 403901)
Previously, you could create one 802.1X policy for all managed FortiSwitches in a virtual domain. Now, you can
create multiple 802.1X policies and assign a different 802.1X policy to each managed FortiSwitch port.
Create and assign multiple 802.1X policy definitions for managed FortiSwitches
11. Enable or disable whether the session timeout for the RADIUS server will overwrite the local timeout.
12. Click OK.
To apply an 802.1X security policy to a managed FortiSwitch port:
If you had already applied a profile with the override enabled and the password set and then decide to remove the
admin password, you need to apply a profile with the override enabled and use the unset login-passwd
command; otherwise, your previously set password will remain in the FortiSwitch.
1. For each MCLAG peer switch, log into the FortiSwitch to create a LAG:
After the FortiSwitches are configured as MCLAG peer switches, any port that supports advanced features on the
FortiSwitch can become a LAG port. When mclag is enabled and the LAG port names match, an MCLAG peer
set is automatically formed. The member ports for each FortiSwitch in the MCLAG do not need to be identical to
the member ports on the peer FortiSwitch.
4. Configure the overall policy that will be applied to the switch ports.
You can also go to WiFi & Switch Control > Managed FortiSwitch and click on a port icon for the FortiSwitch
of interest. In the FortiSwitch Ports page, right-click on one or more PoE-enabled ports and select Reset PoE
from the context menu.
To preauthorize a FortiSwitch:
What's new for managed FortiSwitches in FortiOS 5.6 with FortiSwitch 3.6.0 (and later releases)
IGMP snooping (387515)
The GUI and CLI support the ability to configure IGMP snooping for managed switch ports.
To enable IGMP snooping from the GUI, go to WiFi & Switch Controller > FortiSwitch VLANs, edit a VLAN
and turn on IGMP Snooping under Networked Devices.
Use the following command to enable IGMP snooping on switch ports, and to override the global parameters for
a specific switch.
config switch-controller managed-switch
    edit <switch>
        config ports
            edit <port>
                set igmp-snooping (enable | disable)
                set igmps-flood-reports (enable | disable)
            next
        end
        config igmp-snooping globals
            set aging-time <int>
            set flood-unknown-multicast (enable | disable)
        end
    next
end
DHCP blocking, STP, and loop guard on managed FortiSwitch ports (375860)
The managed FortiSwitch GUI now supports the ability to enable or disable DHCP blocking, STP, and loop guard for
FortiSwitch user ports.
Go to WiFi & Switch Controller > FortiSwitch Ports. For any port you can select DHCP Blocking, STP, or
Loop Guard. STP is enabled on all ports by default. Loop guard is disabled by default on all ports.
What's new for managed FortiSwitches in FortiOS 5.6 with FortiSwitch 3.5.4 (and later releases)
This section describes new managed FortiSwitch features in FortiOS 5.6 with FortiSwitch 3.5.4.
Use the execute replace-device fortiswitch <sn-old> <sn-new> command to transfer the configuration
for the FortiSwitch with serial number <sn-old> to the replacement FortiSwitch with serial number <sn-new>.
You can use the following command to add media endpoint discovery (MED) features to an LLDP profile.
config switch-controller lldp-profile
    edit <lldp-profile>
        config med-network-policy
            edit guest-voice
                set status {disable | enable}
            next
            edit guest-voice-signaling
                set status {disable | enable}
            next
            edit softphone-voice
                set status {disable | enable}
            next
            edit streaming-video
                set status {disable | enable}
            next
            edit video-conferencing
                set status {disable | enable}
            next
            edit video-signaling
                set status {disable | enable}
            next
            edit voice
                set status {disable | enable}
            next
            edit voice-signaling
                set status {disable | enable}
            next
        end
        config custom-tlvs
            edit <name>
                set oui <identifier>
                set subtype <subtype>
                set information-string <string>
            next
        end
    next
end
Port settings
STACK-NAME: FortiSwitch-Stack-port3
SWITCH-ID VERSION STATUS ADDRESS JOIN-TIME NAME
FS108D3W16001177 v3.4 Authorized/Down 169.254.1.2 N/A My-Switch
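To watch the status shown above from a script, the following Python is an added example (not from the guide or Fortinet): it parses the get-conn-status table and flags switches that are down, not authorized, or below an assumed minimum firmware version. The first sample row mirrors the output above; the other rows, their placeholder serial numbers, and the exact STATUS wording for an unauthorized switch are constructed assumptions.

```python
"""Parse 'execute switch-controller get-conn-status' output and flag switches needing attention."""
import re

# Constructed sample output: the first row mirrors the guide, the other rows use
# placeholder serial numbers and constructed values (the STATUS string for an
# unauthorized switch is an assumption, not taken from Fortinet documentation).
SAMPLE_OUTPUT = """\
STACK-NAME: FortiSwitch-Stack-port3
SWITCH-ID          VERSION STATUS           ADDRESS      JOIN-TIME                 NAME
FS108D3W16001177   v3.4    Authorized/Down  169.254.1.2  N/A                       My-Switch
FSPLACEHOLDER0001  v3.6    Authorized/Up    169.254.1.3  Mon Jan  1 00:00:00 2018  Core-Access
FSPLACEHOLDER0002  v3.5    Unauthorized/Up  169.254.1.4  N/A                       -
"""

# One table row: JOIN-TIME may contain spaces, so it is matched lazily and NAME
# is the final whitespace-free token on the line.
_ROW = re.compile(
    r"^(?P<sn>\S+)\s+(?P<version>v[\d.]+)\s+(?P<status>\S+/\S+)\s+"
    r"(?P<address>\S+)\s+(?P<join>.+?)\s+(?P<name>\S+)$"
)


def parse_conn_status(text):
    """Return one dict per switch row; the STACK-NAME and header lines do not match."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def _version_tuple(v):
    """'v3.4' -> (3, 4) so versions compare numerically rather than as strings."""
    return tuple(int(p) for p in v.lstrip("v").split("."))


def flag_switches(rows, min_version=None):
    """Return (serial, reason) pairs for switches that are not 'Authorized/Up'
    or, when min_version is given, run firmware older than that assumed minimum."""
    findings = []
    for r in rows:
        auth, link = r["status"].split("/", 1)
        if auth != "Authorized":
            findings.append((r["sn"], "not authorized (%s)" % r["status"]))
        elif link != "Up":
            findings.append((r["sn"], "FortiLink down, join-time %s" % r["join"]))
        if min_version and _version_tuple(r["version"]) < _version_tuple(min_version):
            findings.append((r["sn"], "firmware %s below minimum %s" % (r["version"], min_version)))
    return findings


if __name__ == "__main__":
    for sn, reason in flag_switches(parse_conn_status(SAMPLE_OUTPUT), min_version="v3.6"):
        print(sn, reason)
```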
DHCP blocking, STP, and loop guard on managed FortiSwitch ports on the GUI (375860)
The managed FortiSwitch GUI now supports the ability to enable/disable DHCP blocking, STP and loop guard for
FortiSwitch user ports.
Go to WiFi & Switch Controller > FortiSwitch Ports. For any port you can select DHCP Blocking, STP, or
Loop Guard. STP is enabled on all ports by default. Loop guard is disabled by default on all ports.
Within a switch profile, you can control the behavior of the FortiSwitch's admin account. You can add a password
to a profile or create a new profile and bind that profile to any switch. The password provided in the profile is
configured on the FortiSwitch for the default admin administrator account.
Before you configure the managed FortiSwitch unit, the following assumptions have been made in the writing of
this manual:
- You have completed the initial configuration of the FortiSwitch unit, as outlined in the QuickStart Guide for your
FortiSwitch, and you have administrative access to the FortiSwitch Web-based manager and CLI.
- You have installed a FortiGate unit on your network and have administrative access to the FortiGate Web-based
manager and CLI.
- Connecting FortiLink ports - information about connecting FortiSwitch ports to FortiGate ports.
- FortiLink configuration using the FortiGate GUI
- FortiLink configuration using the FortiGate CLI
- Network topologies for managed FortiSwitches - describes the configuration for various stacking topologies.
- Optional setup tasks - describes other setup tasks.
- FortiSwitch features configuration - describes configuring managed FortiSwitch features including VLANs.
- FortiSwitch Port Features - configure ports and PoE from the FortiGate unit.
- FortiSwitch port security policy - describes setting up FortiSwitch security policies.
- Additional Capabilities - describes extra FortiSwitch features.
- Troubleshooting - describes techniques for troubleshooting common problems.
This section contains information about the FortiSwitch and FortiGate ports that you connect to establish a
FortiLink connection.
For all FortiGate models, you can connect up to 16 FortiSwitches to one FortiGate unit.
In FortiSwitchOS 3.3.0 and later releases, you can use any of the switch ports for FortiLink. Some or all of the
switch ports (depending on the model) support auto-discovery of the FortiLink ports.
You can choose to connect a single FortiLink port or multiple FortiLink ports as a logical interface (link-aggregation
group, hardware switch, or software switch).
Before connecting the FortiSwitch and FortiGate units, ensure that the switch controller feature is enabled on the
FortiGate, using either the FortiGate Web-based manager or the CLI. Depending on the FortiGate model and
software release, this feature may be enabled by default.
You can use any of the switch ports for FortiLink. Before connecting the switch to the FortiGate, use the following
FortiSwitch CLI commands to configure a port for FortiLink auto-discovery:
config switch interface
    edit <port>
        set auto-discovery-fortilink enable
    next
end
By default, each FortiSwitch model provides a set of ports that are enabled for FortiLink auto-discovery. If you
connect the FortiLink using one of these ports, no switch configuration is required.
In FortiSwitchOS 3.4.0 and later releases, the last four ports are the default auto-discovery FortiLink ports. You
can also run the show switch interface command on the FortiSwitch to see the ports that have auto-discovery
enabled.
The following table lists the default auto-discovery ports for each switch model. NOTE: Any port can be used for
FortiLink if it is manually configured.
Switch model              Default auto-discovery FortiLink ports
FS-224D-FPOE              ports 21, 22, 23, 24, 25, 26, 27, and 28
FS-524D, FS-524D-FPOE     ports 21, 22, 23, 24, 25, 26, 27, 28, 29, and 30
FS-548D, FS-548D-FPOE     ports 45, 46, 47, 48, 49, 50, 51, 52, 53, and 54
As a general rule, FortiLink is supported on all ports that are not listed as HA ports.
This section describes how to configure a FortiLink between a FortiSwitch and a FortiGate.
You can configure FortiLink using the FortiGate GUI or CLI. Fortinet recommends using the GUI because the
CLI procedures are more complex (and therefore more prone to error).
If you use one of the auto-discovery FortiSwitch ports, you can establish the FortiLink connection (single port or
LAG) with no configuration steps on the FortiSwitch and with a few simple configuration steps on the FortiGate.
1. On the FortiGate, configure the FortiLink port or create a logical FortiLink interface.
2. Authorize the managed FortiSwitch.
LAG is supported on all FortiSwitch models and on FortiGate models FGT-100D and above. Hardware switch is
supported on some FortiGate models.
Connect any of the FortiLink-capable ports on the FortiGate to the FortiSwitch. Ensure that you configure auto-
discovery on the FortiSwitch ports (unless it is enabled by default).
You can use the FortiLink split interface to connect the FortiLink aggregate interface from one FortiGate to two
FortiSwitches. When the FortiLink split interface is enabled, only one link remains active.
The aggregate interface for this configuration must contain exactly two physical ports (one for each FortiSwitch).
You must enable the split interface on the FortiLink aggregate interface using the FortiGate CLI:
config system interface
    edit <name of the FortiLink interface>
        set fortilink-split-interface enable
    next
end
If you configured the FortiLink interface to manually authorize the FortiSwitch as a managed switch, perform the
following steps:
After you preauthorize a FortiSwitch, you can assign the FortiSwitch ports to a VLAN.
To preauthorize a FortiSwitch:
Go to WiFi & Switch Controller > Managed FortiSwitch to see all of the switches being managed by your
FortiGate.
When the FortiLink is established successfully, the status is green (next to the FortiGate interface name and on
the FortiSwitch faceplate), and the link between the ports is a solid line.
If the link has gone down for some reason, the line will be dashed, and a broken link icon will appear. You can still
edit the FortiSwitch though and find more information about the status of the switch. The link to the FortiSwitch
may be down for a number of reasons; for example, a problem with the cable linking the two devices, firmware
versions being out of synch, and so on. You need to make sure the firmware running on the FortiSwitch is
compatible with the firmware running on the FortiGate.
From the Managed FortiSwitch page, you can edit any of the managed FortiSwitches, remove a FortiSwitch from
the configuration, refresh the display, connect to the CLI of a FortiSwitch, or deauthorize a FortiSwitch.
On the Network > Interfaces page, you can see the FortiGate interface connected to the FortiSwitch. The GUI
indicates Dedicated to FortiSwitch in the IP/Netmask field.
Configure DHCP blocking, STP, and loop guard on managed FortiSwitch ports
Go to WiFi & Switch Controller > FortiSwitch Ports. For any port, you can select DHCP blocking, STP, or
loop guard. STP is enabled on all ports by default. Loop guard is disabled by default on all ports.
This section describes how to configure FortiLink using the FortiGate CLI. Fortinet recommends using the
FortiGate GUI because the CLI procedures are more complex (and therefore more prone to error).
If you use one of the auto-discovery FortiSwitch ports, you can establish the FortiLink connection (single port or
LAG) with no configuration steps on the FortiSwitch and with a few simple configuration steps on the FortiGate.
Configure the FortiLink port on the FortiGate and authorize the FortiSwitch as a managed switch.
config switch-controller managed-switch
    edit FS224D3W14000370
        set fsw-wan1-admin enable
    next
end
NOTE: FortiSwitch will reboot when you issue the set fsw-wan1-admin enable command.
You can configure the FortiLink as a logical interface: link-aggregation group (LAG), hardware switch, or software
switch.
NOTE: LAG is supported on all FortiSwitch models and on FortiGate models FGT-100D and above. Hardware switch
is supported on some FortiGate models.
Connect any of the FortiLink-capable ports on the FortiGate to the FortiSwitch. Ensure that you configure auto-
discovery on the FortiSwitch ports (unless it is enabled by default).
In the following procedure, port 4 and port 5 are configured as a FortiLink LAG.
2. Create a trunk with the two ports that you connected to the switch:
config system interface
    edit flink1 (enter a name, 11 characters maximum)
        set allowaccess ping capwap https
        set vlanforward enable
        set type aggregate
        set member port4 port5
        set lacp-mode static
        set fortilink enable
        (optional) set fortilink-split-interface enable
    next
end
NOTE: If the members of the aggregate interface connect to more than one FortiSwitch, you must enable
fortilink-split-interface.
NOTE: FortiSwitch will reboot when you issue the set fsw-wan1-admin enable command.
The FortiGate requires only one active FortiLink to manage all of the subtending FortiSwitches (called stacking).
You can configure the FortiLink as a physical interface or as a logical interface (associated with one or more
physical interfaces). Depending on the network topology, you may also configure a standby FortiLink.
- All of the managed FortiSwitches will function as one Layer-2 stack where the FortiGate manages each FortiSwitch
separately.
- The active FortiLink carries data as well as management traffic.
Supported topologies
On the FortiGate, the FortiLink interface is configured as physical or aggregate. The 802.3ad aggregate interface
type provides a logical grouping of one or more physical interfaces.
NOTE: For the aggregate interface, you must disable the split interface on the FortiGate.
The FortiGate connects directly to one FortiSwitch device using a physical or aggregate interface. The remaining
FortiSwitches connect in a ring using inter-switch links (that is, ISL).
Optionally, you can connect a standby FortiLink connection to the last FortiSwitch. For this configuration, you
create a FortiLink Split-Interface (an aggregate interface that contains one active link and one standby link).
The master and slave FortiGate units both connect a FortiLink to the FortiSwitch. The FortiLink port(s) and
interface type must match on the two FortiGate units.
The master and slave FortiGate units both connect a FortiLink to the first FortiSwitch and (optionally) to the last
FortiSwitch. The FortiLink ports and interface type must match on the two FortiGate units.
For the active/standby FortiLink configuration, you create a FortiLink Split-Interface (an aggregate interface that
contains one active link and one standby link).
The distribution FortiSwitch connects to the master and slave FortiGate units. The FortiLink port(s) and interface
type must match on the two FortiGate units.
The FortiGate connects directly to each FortiSwitch. Each of these FortiLink ports is added to the logical
hardware-switch or software-switch interface on the FortiGate.
Optionally, you can connect other devices to the FortiGate logical interface. These devices, which must support
IEEE 802.1q VLAN tagging, will have Layer 2 connectivity with the FortiSwitch ports.
HA-mode FortiGates connect to redundant distribution FortiSwitches. Access FortiSwitches are arranged in a
stack in each IDF, connected to both distribution switches.
For the FortiLink connection to each distribution switch, you create a FortiLink split interface (an aggregate
interface that contains one active link and one standby link).
To configure a multichassis LAG, you need to configure FortiSwitch 1 and FortiSwitch 2 as MCLAG peer switches
before creating a two-port LAG. Use the set mclag-icl enable command to create an inter-chassis link
(ICL) on each FortiSwitch. Then you set up two MCLAGs towards the servers, each MCLAG using one port from
each FortiSwitch. You must disable the FortiLink split interface for the FortiGate.
This network topology provides high port density with two tiers of FortiSwitches.
Use the set mclag-icl enable command to create an ICL on each FortiSwitch.
In HA mode, only one FortiGate is active at a time. If the active FortiGate fails, the backup FortiGate becomes
active.
Use the set mclag-icl enable command to create an ICL on each FortiSwitch.
Grouping FortiSwitches
You can simplify the configuration and management of complex topologies by creating FortiSwitch groups. A
group can include one or more FortiSwitches and you can include different models in a group.
config switch-controller switch-group
    edit <name>
        set description <string>
        set members <serial-number> <serial-number> ...
    next
end
Grouping FortiSwitches allows you to restart all of the switches in the group instead of individually. For example,
you can use the following command to restart all of the FortiSwitches in a group named my-sw-group:
execute switch-controller restart-swtp my-sw-group
Stacking configuration
To set up stacking:
When you configure the FortiLink interface, the stacking capability is enabled automatically.
If the FortiGate receives discovery requests from two FortiSwitches, the link from one FortiSwitch will be selected
as active, and the link from other FortiSwitch will be selected as standby.
If the active FortiLink fails, FortiGate converts the standby FortiLink to active.
FortiGate will discover and authorize all of the FortiSwitches that are connected. After this, the FortiGate is ready
to manage all of the authorized FortiSwitches.
Disable stacking
To disable stacking, execute the following commands from the FortiGate CLI. In the following example, port4 is
the FortiLink interface:
config system interface
    edit port4
        set fortilink-stacking disable
    next
end
You can upgrade the firmware of all of your managed FortiSwitches in groups. For example, you can use the
following command to update the firmware of all of the FortiSwitches in a stack:
execute switch-controller stage-swtp-image ALL <firmware-image-file>
Use the following command to restart all of the managed FortiSwitches after a 2-minute delay:
execute switch-controller restart-swtp-delayed ALL
In this topology, the FortiLink split interface connects a FortiLink aggregate interface from one FortiGate to two
FortiSwitches.
1. Enable the split interface on the FortiLink aggregate interface. By default, the split interface is enabled. For
example:
2. Log into FortiSwitch 1 using the Connect to CLI button in the FortiGate GUI, use the get switch lldp
auto-isl-status command to find out the name of the trunk connecting the peer switches, and change the
ISL to an ICL. For example:
next
end
3. Log into FortiSwitch 2 and change the ISL to an ICL. For example:
4. Log into the FortiGate and disable the split interface. For example:
If the FortiSwitch model has a dedicated management port, you can configure remote management to the
FortiSwitch. In FortiLink mode, the FortiGate is the default gateway, so you need to configure an explicit route for
the FortiSwitch management port.
In the following example, the FortiSwitch management port is connected to a router with IP address
192.168.0.10:
config router static
    edit 1
        set device mgmt
        set gateway 192.168.0.10
        set dst 192.168.0.0 255.255.0.0
    next
end
Use one of the following commands to convert a FortiSwitch from FortiLink mode to standalone mode so that it
will no longer be managed by a FortiGate:
For example:
config switch-controller global
    set disable-discovery S1234567890
end
You can also add or remove entries from the list of FortiSwitches that have FortiLink auto-discovery disabled
using the following commands:
config switch-controller global
    append disable-discovery <switch-id>
    unselect disable-discovery <switch-id>
end
For example:
config switch-controller global
    append disable-discovery S012345678
    unselect disable-discovery S1234567890
end
Changing the admin password on the FortiGate for all managed FortiSwitches
By default, each FortiSwitch has an admin account without a password. To replace the admin passwords for all
FortiSwitches managed by a FortiGate, use the following commands from the FortiGate CLI:
config switch-controller switch-profile
    edit default
        set login-passwd-override {enable | disable}
        set login-passwd <password>
    next
end
If you had already applied a profile with the override enabled and the password set and then decide to remove the
admin password, you need to apply a profile with the override enabled and no password set; otherwise, your
previously set password will remain in the FortiSwitch. For example:
config switch-controller switch-profile
    edit default
        set login-passwd-override enable
        unset login-passwd
    next
end
This section describes how to configure global FortiSwitch settings using FortiGate CLI commands. These
settings will apply to all of the managed FortiSwitches. You can also override some of the settings on individual
FortiSwitches.
VLAN configuration
Use Virtual Local Area Networks (VLANs) to logically separate a LAN into smaller broadcast domains. VLANs
allow you to define different policies for different types of users and to set finer control on the LAN traffic. (Traffic
is only sent automatically within the VLAN. You must configure routing for traffic between VLANs.)
From the FortiGate, you can centrally configure and manage VLANs for the managed FortiSwitches.
In FortiSwitchOS 3.3.0 and later releases, the FortiSwitch supports untagged and tagged frames in FortiLink
mode. The switch supports up to 1,023 user-defined VLANs. You can assign a VLAN number (ranging from 1-
4095) to each of the VLANs.
You can configure the default VLAN for each FortiSwitch port as well as a set of allowed VLANs for each
FortiSwitch port.
Creating VLANs
Setting up a VLAN requires you to create the VLAN and assign FortiSwitch ports to the VLAN. You can do this
with either the Web GUI or CLI.
1. Go to WiFi & Switch Controller > FortiSwitch VLANs, select Create New, and change the following
settings:
Color Choose a unique color for each VLAN, for ease of visual display.
config switch-controller managed-switch
    edit <switch-id>
        config ports
            edit <port name>
                set vlan <vlan name>
                set allowed-vlans <vlan name>
                or
                set allowed-vlans-all enable
            next
        end
    next
end
Use the following commands to configure how long an inactive MAC address is saved in the FortiSwitch
hardware. The range is 10 to 1,000,000 seconds. The default value is 300. After this amount of time, the inactive
MAC address is deleted from the FortiSwitch hardware.
config switch-controller global
    set mac-aging-interval <10 to 1000000>
end
Configure IGMP settings
Aging time is the maximum number of seconds that the system will retain a multicast snooping entry. Enter an
integer value from 15 to 3600. The default value is 300.
Flood-unknown-multicast controls whether the system will flood unknown multicast messages within the VLAN.
config switch-controller igmp-snooping
    set aging-time <15 to 3600>
    set flood-unknown-multicast {enable | disable}
end
Configure LLDP profiles
Configure LLDP settings
Variable Description
tx-hold Number of tx-intervals before the local LLDP data expires. Therefore, the
LLDP packet TTL (in seconds) is tx-hold times tx-interval. The range for
tx-hold is 1 to 16, and the default value is 4.
tx-interval How often the FortiSwitch transmits the LLDP PDU. The range is 5 to
4095 seconds, and the default is 30 seconds.
fast-start-interval How often the FortiSwitch transmits the first 4 LLDP packets when a link
comes up. The range is 2 to 5 seconds, and the default is 2 seconds.
Set this variable to zero to disable fast start.
Use the following commands to configure the global MAC sync interval.
The MAC sync interval is the time interval between MAC synchronizations. The range is 30 to 600 seconds, and
the default value is 60.
config switch-controller mac-sync-settings
    set mac-sync-interval <30-600>
end
Use the following CLI commands for global STP configuration. This configuration applies to all managed
FortiSwitches:
config switch-controller stp-settings
    set name <name>
    set revision <stp revision>
    set hello-time <hello time>
    set forward-time <forwarding delay>
    set max-age <maximum aging time>
    set max-hops <maximum number of hops>
end
You can override the global STP settings for a FortiSwitch using the following commands:
config switch-controller managed-switch
    edit <switch-id>
        config stp-settings
            set local-override enable
        end
    next
end
After local-override is enabled, the STP settings under config stp-settings apply to this specific switch
instead of the global values.
Quarantines
Quarantined MAC addresses are blocked on the connected FortiSwitches from the network and the LAN.
To quarantine a host from the GUI:
1. Select the host in one of the following ways:
l Go to Security Fabric > Logical Topology, right-click on a host, and select Quarantine Host on
FortiSwitch.
l Go to FortiView > Sources, right-click on an entry in the Source column, and select Quarantine Host
on FortiSwitch.
2. Click OK to confirm that you want to quarantine the host.
To quarantine a host from the CLI, enable the quarantine feature and add the host MAC address as a target.
For example:
config switch-controller quarantine
    set quarantine enable
    config targets
        edit 00:00:00:aa:bb:cc
            set description "infected by virus"
            set tags "quarantined"
        next
    end
end
Use the following command to view the quarantine configuration and the quarantined MAC addresses:
show switch-controller quarantine
When the quarantine feature is enabled on the FortiGate, it creates a quarantine VLAN (qtn.<FortiLink_port_
name>) on the virtual domain. The quarantine VLAN is applied to the allowed and untagged VLANs on all
connected FortiSwitch ports.
For example:
show system interface qtn.port7
Use the following command to view how the quarantine VLAN is applied to the allowed and untagged VLANs on
all connected FortiSwitch ports:
show switch-controller managed-switch
When the quarantine feature is disabled, all quarantined MAC addresses are released from quarantine. Use the
following commands to disable the quarantine feature:
config switch-controller quarantine
    set quarantine disable
end
You can configure the FortiSwitch port feature settings from the FortiGate using the FortiGate CLI or web
administration GUI.
The WiFi & Switch Controller > FortiSwitch Ports page displays port information about each of the
managed switches. You can use this page to view and edit the settings of the FortiSwitch ports.
You can also go to WiFi & Switch Controller > Managed FortiSwitch and click on a port icon for the FortiSwitch
of interest. In the FortiSwitch Ports page, right-click on one or more PoE-enabled ports and select Reset PoE
from the context menu.
You can configure the following FortiSwitch port settings using the FortiGate CLI:
config switch-controller managed-switch
    edit <switch-id>
        config ports
            edit <port>
                set description <text>
                set speed <speed>
                set status {down | up}
            next
        end
    next
end
Configuring DHCP snooping
Set the port as a trusted or untrusted DHCP-snooping interface:
config switch-controller managed-switch
    edit <switch-id>
        config ports
            edit <port name>
                set dhcp-snooping {trusted | untrusted}
            next
        end
    next
end
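The following is an added example, not from the Fortinet document, showing the trust assignment a practitioner would actually want: DHCP snooping drops DHCP server messages (OFFER, ACK, NAK) that arrive on an untrusted port, so a rogue DHCP server plugged into an access port cannot hand out addresses, while a trusted port is exempt. Only the port that leads to the legitimate DHCP server should therefore be trusted. The switch ID, port roles and VLAN name are assumptions, and the switch-controller-dhcp-snooping keyword on the VLAN interface is taken from the FortiOS 5.6 system interface CLI rather than from this page.

```fortios
# Added example (not from the Fortinet document). Switch ID, port roles and the VLAN
# name "sales" are assumptions.
# Weak: leaving every port at the same trust state makes no distinction between the
# server side and the clients, so a rogue DHCP server on an access port can answer
# client DISCOVERs. Corrected: trust only the uplink on which the legitimate DHCP
# server is reached and mark every user-facing port untrusted.
config switch-controller managed-switch
    edit "S124DP3X15000118"
        config ports
            edit "port24"
                set dhcp-snooping trusted      # uplink toward the legitimate DHCP server
            next
            edit "port5"
                set dhcp-snooping untrusted    # endpoint port: server replies from here are dropped
            next
            edit "port6"
                set dhcp-snooping untrusted
            next
        end
    next
end
# Snooping is enforced per VLAN. This keyword is assumed from the FortiOS 5.6 system
# interface CLI; it is not shown on this page.
config system interface
    edit "sales"
        set switch-controller-dhcp-snooping enable
    next
end
```

Trust follows topology, not device type: a port to a downstream switch that itself has only untrusted user ports can stay untrusted, but a port to a switch that hosts a DHCP relay or server must be trusted or clients behind it will get no leases.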
Configuring PoE
The following PoE CLI commands are available starting in FortiSwitchOS 3.3.0.
The following example displays the PoE status for port 6 on the specified switch:
Configuring STP
Starting with FortiSwitch Release 3.4.2, STP is enabled by default for the non-FortiLink ports on the managed
FortiSwitches. Use the following commands to enable or disable STP on FortiSwitch ports:
Configuring LLDP
Use the following commands to configure LLDP on a FortiSwitch port:
config switch-controller managed-switch
    edit <switch-id>
        config ports
            edit <port name>
                set lldp-status {rx-only | tx-only | tx-rx | disable}
                set lldp-profile <profile name>
            next
        end
    next
end
Configuring IGMP
Use the following commands to configure IGMP snooping on a FortiSwitch port:
config switch-controller managed-switch
    edit <switch-id>
        config ports
            edit <port name>
                set igmp-snooping {enable | disable}
                set igmps-flood-reports {enable | disable}
            next
        end
    next
end
The features listed here are valuable in endpoint authorization and access control within a retail/enterprise LAN
environment. In a FortiLink setup, you can configure these capabilities from the FortiGate while endpoints are
connected to switch ports.
End devices fall into two supported categories: those that support an 802.1X client (supplicant) and those that
do not.
Before the Managed Release 5.6.0, only the following configuration was supported per VLAN:
l 802.1X
With Managed Release 5.6.0, additional port security features are available:
l 802.1X configured per switch port. The per-VLAN 802.1X configuration used in 5.4.x is no longer suitable and
is migrated to the switch port.
o Automatic configuration migration is supported.
l Support for client-less devices using MAC authentication bypass (MAB)
o For devices that are incapable of supporting EAPoL/EAP, the FortiSwitch conducts the authentication on
behalf of the device, using the device MAC address as its identity. A maximum of three concurrent MAB
devices per port can exist.
l Multiple secured endpoints on a single port
o Enforcement is per MAC address
l RADIUS configuration
o Set secret keys for primary and secondary servers.
l User configuration
o Use a RADIUS server to authenticate users.
To configure the 802.1X security policy for a virtual domain, use the following commands:
config switch-controller 802-1X-settings
    set reauth-period <int>
    set max-reauth-attempt <int>
    set link-down-auth {*set-unauth | no-action}
end
Option Description
set link-down-auth If a link goes down, this command determines the authentication state.
Choosing set-unauth (the default) sets the interface to unauthenticated when a link goes
down, so the endpoint must reauthenticate when the link comes back. Choosing no-action
means that the interface keeps its authentication state when a link goes down and does
not need to be reauthenticated. Keep the default set-unauth on user-facing ports: with
no-action, whatever is plugged in after the cable is pulled inherits the authorized state
until the next reauthentication.
set max-reauth-attempt This command sets the maximum number of reauthentication attempts.
Valid values are 0 to 15; the default is 3. Setting the value to 0 disables
reauthentication.
You can override the virtual domain settings for the 802.1X security policy on a specific FortiSwitch.
To override the 802.1X settings for a FortiSwitch, use the following commands:
config switch-controller managed-switch
    edit <switch>
        config 802-1X-settings
            set local-override [ enable | *disable ]
            set reauth-period <int>                         // visible if override enabled
            set max-reauth-attempt <int>                    // visible if override enabled
            set link-down-auth {*set-unauth | no-action}    // visible if override enabled
        end
    next
end
For a description of the options, see Configure the 802.1X settings for a virtual domain.
The 802.1X security policy supports the following options:
Option Description
set security-mode You can restrict access with 802.1X port-based authentication or with
802.1X MAC-based authentication.
set eap-passthrough You can enable or disable EAP pass-through mode on this interface.
set guest-vlan You can enable or disable guest VLANs on this interface to allow
restricted access for some users.
set guest-auth-delay You can set the authentication delay for guest VLANs on this interface.
The range is 60-900 seconds.
set auth-fail-vlan-id You can specify the name of the authentication fail VLAN.
set radius-timeout-overwrite You can enable or disable whether the session timeout returned by the
RADIUS server overwrites the local timeout.
set policy-type 802.1X You can set the policy type to the 802.1X security policy.
You can apply a different 802.1X security policy to each FortiSwitch port.
To apply an 802.1X security policy to a managed FortiSwitch port, use the following commands:
config switch-controller managed-switch
    edit <managed-switch>
        config ports
            edit <port>
            next
        end
    next
end
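The following is an added example, not from the Fortinet document, that builds a complete port-security policy from the options in the table above and applies it to an endpoint port. The RADIUS server, group, policy, VLAN and port names and the switch ID are assumptions. The config switch-controller security-policy 802-1X object, the user-group, mac-auth-bypass and auth-fail-vlan keywords, the security-mode values and the port-security-policy keyword on the port are taken from the FortiOS 5.6 CLI and are not shown on this page; treat them as assumptions to confirm with the ? help at each prompt.

```fortios
# Added example (not from the Fortinet document). All quoted names and the switch ID are
# assumptions; keywords not listed in the table on this page are assumed from FortiOS 5.6.
# RADIUS server and the user group the switch authenticates against. Replace the secret;
# never leave a placeholder in a running configuration.
config user radius
    edit "nac-radius"
        set server "10.0.0.50"
        set secret "replace-with-shared-secret"
        set secondary-server "10.0.0.51"
        set secondary-secret "replace-with-shared-secret"
    next
end
config user group
    edit "dot1x-users"
        set member "nac-radius"
    next
end
# The policy: MAC-based 802.1X so that each endpoint behind the port is authorized on its
# own, MAB for printers and phones that cannot speak EAPoL, no guest VLAN, and a
# restricted VLAN for endpoints that fail authentication instead of silent drops.
config switch-controller security-policy 802-1X
    edit "access-ports"
        set security-mode 802.1X-mac-based
        set user-group "dot1x-users"
        set mac-auth-bypass enable
        set eap-passthrough enable
        set guest-vlan disable
        set auth-fail-vlan enable
        set auth-fail-vlan-id "auth-fail-vlan"
        set radius-timeout-overwrite enable
        set policy-type 802.1X
    next
end
# Apply it to the user-facing port only; the uplink and the FortiLink port stay unpoliced.
config switch-controller managed-switch
    edit "S124DP3X15000118"
        config ports
            edit "port5"
                set port-security-policy "access-ports"
            next
        end
    next
end
```

MAB authorizes on the MAC address alone, which any host can clone, so the RADIUS policy for MAB identities should return the least privileged VLAN that the device needs, and the page's limit of three MAB devices per port bounds how many such identities one port can present. With radius-timeout-overwrite enabled, the RADIUS Session-Timeout attribute decides when the endpoint is reauthenticated instead of the local reauth-period.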
Additional Capabilities
From the FortiGate, you can execute FortiSwitch commands on the managed FortiSwitch.
This feature adds a simple scripting mechanism for users to execute generic commands on the switch.
NOTE: FortiOS 5.6.0 introduces additional capabilities related to the managed FortiSwitch.
Create a command
Use the following syntax to create a command file:
config switch-controller custom-command
    edit <cmd-name>
        set command "<FortiSwitch commands>"
    next
end
Execute a command
After you have created a command file, use the following command on the FortiGate to execute the command
file on the target switch:
exec switch-controller custom-command <cmd-name> <target-switch>
The following example runs the stp-age-10 command on the specified target FortiSwitch:
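The document's own stp-age-10 example is not reproduced on this page. The following is an added example of what such a command file and its execution look like: the name stp-age-10 is the one the text uses, but the command body, the %0a encoding of newlines inside the string, and the target switch serial number are assumptions.

```fortios
# Added example (not the document's own). The body of the command, the %0a newline
# encoding and the switch serial number are assumptions.
config switch-controller custom-command
    edit "stp-age-10"
        set command "config switch stp-settings %0a set max-age 10 %0a end %0a"
    next
end
# Push the stored FortiSwitch CLI to one managed switch:
exec switch-controller custom-command stp-age-10 S124DP3X15000118
```

The command is stored as an opaque string and only parsed on the switch at execution, so a typo surfaces there rather than on the FortiGate. Anyone who can write switch-controller objects on the FortiGate can run arbitrary FortiSwitch CLI this way, so keep that right in the admin profiles of the few administrators who manage the switches.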
You can view the current firmware version of a FortiSwitch and upgrade the FortiSwitch to a new firmware
version. FortiGate will suggest an upgrade when a new version is available in FortiGuard.
The following example shows how to download the latest image for FS224D:
FG100D3G15801204 (global) # diagnose fdsm fortisw-latest-ver FS224D
FS224D - 3.4.2 b192 03004000FIMG0900904002
FG100D3G15801204 (global) #
Download image-03004000FIMG0900904002:
################################################################################
Result=Success
You can enable and disable the managed FortiSwitches to export their syslogs to the FortiGate. The setting is
global, and the default setting is enabled.
To allow a level of filtering, FortiGate sets the user field to "fortiswitch-syslog" for each entry.
You can override the global log settings for a FortiSwitch, using the following commands:
config switch-controller managed-switch
    edit <switch-id>
        config switch-log
            set local-override enable
        end
    next
end
After local-override is enabled, the log settings under config switch-log apply to this specific switch.
In the FortiGate GUI, User & Device > Device List displays a list of devices attached to the FortiSwitch ports.
For each device, the table displays the IP address of the device and the interface (FortiSwitch name and port).
From the CLI, the following command displays information about the host devices:
diagnose switch-controller dump mac-hosts_switch-ports
You can configure the following FortiSwitch features from the FortiGate CLI.
Configuring an MCLAG
Notes
l Both peer switches should be of the same hardware model and same software version. Mismatched configurations
might work but are unsupported.
l There is a maximum of two FortiSwitches per MCLAG.
l The routing feature is not available within an MCLAG.
l For static MAC addresses within an MCLAG, if one FortiSwitch learns the MAC address, the second FortiSwitch will
automatically learn the MAC address.
To configure an MCLAG with managed FortiSwitches:
1. For each MCLAG peer switch, log into the FortiSwitch to create a LAG:
After the FortiSwitches are configured as MCLAG peer switches, any port that supports advanced features on the
FortiSwitch can become a LAG port. When mclag is enabled and the LAG port names match, an MCLAG peer
set is automatically formed. The member ports for each FortiSwitch in the MCLAG do not need to be identical to
the member ports on the peer FortiSwitch.
Configuring storm control
When the data rate exceeds the configured threshold, storm control drops excess traffic. You can configure the
types of traffic to drop: broadcast, unknown unicast, or unknown multicast.
The storm control settings are global to all of the non-FortiLink ports on the managed switches. Use the following
CLI commands to configure storm control:
config switch-controller storm-control
    set rate <rate>
    set unknown-unicast {enable | disable}
    set unknown-multicast {enable | disable}
    set broadcast {enable | disable}
end
You can override the global storm control settings for a FortiSwitch using the following commands:
config switch-controller managed-switch
    edit <switch-id>
        config storm-control
            set local-override enable
        end
    next
end
After local-override is enabled, the storm control settings under config storm-control apply to this specific
switch.
NOTE: FortiGate does not support QoS for hard or soft switch ports.
QoS for managed FortiSwitches provides the following capabilities:
l Mapping the IEEE 802.1p and Layer 3 QoS values (Differentiated Services and IP Precedence) to an outbound QoS
queue number.
l Providing eight egress queues on each port.
l Policing the maximum data rate of egress traffic on the interface.
To configure the QoS for managed FortiSwitches:
1. Configure a Dot1p map. A Dot1p map defines a mapping between IEEE 802.1p class of service (CoS) values (from
incoming packets on a trusted interface) and the egress queue values. Values that are not explicitly included in the
map follow the default mapping, which maps each priority (0-7) to queue 0. If an incoming packet contains no CoS
value, the switch assigns a CoS value of zero.
NOTE: Do not enable trust for both Dot1p and DSCP at the same time on the same interface. If you do trust both
Dot1p and IP-DSCP, the FortiSwitch uses the latter value (DSCP) to determine the queue. The switch uses the Dot1p
value and mapping only if the packet contains no DSCP value.
2. Configure a DSCP map. A DSCP map defines a mapping between IP precedence or DSCP values and the egress queue
values. For IP precedence, you have the following choices:
o network-control—Network control
o internetwork-control—Internetwork control
o critic-ecp—Critic and emergency call processing (ECP)
o flashoverride—Flash override
o flash—Flash
o immediate—Immediate
o priority—Priority
o routine—Routine
3. Configure a QoS policy. In a QoS policy, you set the scheduling mode for the policy and configure one or more
CoS queues. Each egress port supports eight queues, and three scheduling modes are available:
o With strict scheduling, the queues are served in descending order (of queue number), so higher number
4. Configure the overall policy that will be applied to the switch ports.
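The following is an added example, not from the Fortinet document, that carries the four steps above through for one port: a Dot1p map that lifts voice CoS values out of the default queue, a strict queue policy, an overall policy that trusts Dot1p only (so the note about trusting both Dot1p and DSCP does not apply), and the port assignment. The object and port names and the switch ID are assumptions, and the qos object types (dot1p-map, queue-policy, qos-policy) and their keywords are taken from the FortiOS 5.6 CLI from memory rather than from this page; confirm them with the ? help at each prompt.

```fortios
# Added example (not from the Fortinet document). Names and the switch ID are assumptions;
# the qos object types and keywords are assumed from the FortiOS 5.6 CLI, not from this page.
# Step 1: Dot1p map. CoS 5-7 get their own queues; CoS 0-4 keep the default queue-0.
config switch-controller qos dot1p-map
    edit "voice-dot1p"
        set priority-5 queue-5
        set priority-6 queue-6
        set priority-7 queue-7
    next
end
# Step 2 is skipped on purpose: no DSCP map is trusted by this policy.
# Step 3: queue policy. Strict scheduling serves queue-7 before queue-6, and so on,
# so the voice queues are drained before best-effort traffic in queue-0.
config switch-controller qos queue-policy
    edit "strict-8q"
        set schedule strict
    next
end
# Step 4: the overall policy trusts Dot1p only. Because no DSCP map is referenced, the
# switch never falls through to DSCP and the Dot1p mapping is the one that counts.
config switch-controller qos qos-policy
    edit "trust-dot1p"
        set trust-dot1p-map "voice-dot1p"
        set queue-policy "strict-8q"
    next
end
config switch-controller managed-switch
    edit "S124DP3X15000118"
        config ports
            edit "port7"
                set qos-policy "trust-dot1p"
            next
        end
    next
end
```

Trust CoS or DSCP only on ports that face devices you control (an IP phone VLAN, a trunk from another managed switch). On an ordinary user port a host can tag its own frames with CoS 7 and, under strict scheduling, starve every other queue on the egress port, so such ports should keep the untrusted default and be assigned a queue from the policy instead.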
Troubleshooting
If the FortiGate does not establish the FortiLink connection with the FortiSwitch, perform the following
troubleshooting checks.
To use the FortiGate CLI to verify that you have configured the DHCP and NTP settings correctly:
1. Verify that the NTP server is enabled and that the FortiLink interface has been added to the list.
2. Verify that the switch system time matches the time on the FortiGate.
3. Verify that the FortiGate has sent an IP address to the FortiSwitch (anticipate an IP address in the range
169.254.x.x).
To verify the FortiLink connections:
1. Verify that the connections from the FortiGate to the FortiSwitches are up.
2. Verify that the ports for a specific FortiSwitch stack are connected to the correct locations.
3. Verify that all the ports for a specific FortiSwitch are up.
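The commands behind the checks above are not reproduced on this page. The following is an added example, not from the Fortinet document, of the commands a practitioner would run for them, in the order of the checks; the FortiLink interface name fortilink, the switch serial number and the port name are assumptions, and the commands themselves are standard FortiOS and FortiSwitchOS CLI (diagnose switch-controller dump mac-hosts_switch-ports is the one the page itself uses).

```fortios
# Added example (not from the Fortinet document). Interface name, switch serial number
# and port name are assumptions.
# On the FortiGate.
# Check 1: the NTP server must be enabled and the FortiLink interface must be in its
# interface list, so the switch can sync time from the FortiGate over FortiLink.
show system ntp
#   look for: set ntpsync enable, set server-mode enable, set interface "fortilink"
# Check 3: the FortiGate is the DHCP server on the FortiLink interface; a lease in
# 169.254.x.x bound to the switch MAC address shows the switch reached it.
execute dhcp lease-list fortilink
# Connection check 1: FortiLink state of every managed switch.
execute switch-controller get-conn-status
# Connection checks 2 and 3: what is attached to each port, and per-port link counters.
diagnose switch-controller dump mac-hosts_switch-ports
diagnose switch-controller switch-info port-stats S124DP3X15000118 port1
# On the FortiSwitch console (check 2 and check 3 from the switch side).
get system status
#   compare the System time line with the FortiGate's clock
get system interface
#   the internal interface should show the 169.254.x.x address the FortiGate leased
```

A switch that shows no lease and no connection is usually cabled into a port that is not part of the FortiLink interface, while one that has a lease but never connects most often has a time skew large enough that the FortiLink TLS session fails, which is why the NTP check comes first.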