Managed FortiSwitch

This chapter describes new managed FortiSwitch features added to FortiOS 5.4.

In FortiOS 5.4.2 and 5.4.1, all FortiGate models (except the FortiGate-80C) support managing FortiSwitches (FortiLink). Note that FortiSwitchOS 3.4.2 or later is required by all of the managed switches. See the FortiOS Feature/Platform matrix for more details and up-to-date compatibility info.

In FortiOS 5.4.0, the following FortiGate models support managed FortiSwitch:

FGT-60D, FGT-60D-POE, FWF-60D, FWF-60D-POE,
FGT-90D, FGT-90D-POE, FWF-90D, FWF-90D-POE,
FGT-100D, FGT-140D, FGT-140D_POE, FGT-140D_POE_T1,
FGT-200D, FGT-240D, FGT-280D, FGT-280D_POE,
FGT-600C, FGT-800C, FGT-1000C,
FGT-1200D, FGT-1500D, FGT-3700D

FortiLink is enabled by default on all physical FortiGate models. FortiLink is disabled by default on all of the FortiGate VMs.

FortiLink interface mode available for on all FortiGate models (309382)(279014)

In FortiOS 5.4.1, all FortiGate models (except the FortiGate-80C) support managing FortiSwitches (FortiLink). Note that FortiSwitchOS 3.4.2 or later is required by all of the managed switches. See the FortiOS Feature/Platform matrix for more details and up-to-date compatibility info.

FortiSwitch interface mode (305212) (279014) (294607)

With prior releases, the FortiGate required a separate FortiLink for each managed FortiSwitch. Starting in FortiOS 5.4.1, the FortiGate requires only one active FortiLink to manage all of the subtending FortiSwitches. The FortiSwitches are inter-connected and operate as one Layer 2 stack.

Depending on the network topology, you can also configure a standby FortiLink.

On the FortiGate, you configure the FortiLink as a single port or as a logical interface with multiple ports. The logical interface types supported include link-aggregation group (LAG), hardware switch and software switch.

FortiSwitch stacking (305212) (310481)

You can connect the managed FortiSwitches in a single-tier topology (aka Stack), or in a hierarchical topology.

In a single-tier topology, you connect a FortiLink from the FortiGate to one switch, and connect the switches in a ring using inter-switch links. Optionally, you can connect a standby FortiLink from the FortiGate to one of the other switches. This FortiLink remains in standby mode unless the active link fails. The following figure shows a single-tier topology with FortiGate HA:

In a hierarchical topology, the FortiSwitches are connected in two tiers, and operate as one Layer 2 cluster. You connect a FortiLink from the top-tier switch to the FortiGate, and the FortiGate then manages each switch separately.

Both topologies support FortiGate HA mode. The following figure shows a hierarchical topology with FortiGate HA:

Execute FortiSwitch commands from a FortiGate (300505)

From the FortiGate, you can execute FortiSwitch commands on the managed FortiSwitch.

This feature adds a simple scripting mechanism for users to configure generic commands to be executed on the switch.

Create a command

Use the following syntax to create a command file:

config switch-controller custom-command

edit <cmd-name>

set command " <FortiSwitch commands>"

 

The following example creates a command file to set the STP max-age parameter:

config switch-controller custom-command

edit "stp-age-10"

set command "config switch stp setting

set max-age 10

end

"

next

end

 

Execute a command

After you have created a command file, use the following command on the FortiGate to execute the command file on the target switch:

exec switch-controller custom-command <cmd-name> <target-switch>

 

 

The following example runs command stp-age-10 on the specified target FortiSwitch:

 

FGT30E3U15003273 # exec switch-controller custom-command stp-age-10 S124DP3X15000118

 

Allow all defined VLANs in a FortiSwitch configuration (303818)

New port configuration option enables all defined vlans to be allowed on this port. The default value is disabled. This is a conveniece feature, to avoid having to configure all VLANs explicitly in the allowed-vlans field.

The following example shows the CLI commands to enable all VLANs on port1 of a managed switch:

FG080D3914002825 (managed-switch) # edit S124DN3W14000009

FG080D3914002825 (S124DN3W14000009) # config ports

FG080D3914002825 (ports) # edit port1

FG080D3914002825 (port1) # set allowed-vlans-all enable

 

When allowed-vlans-all is enabled, the allowed-vlans attribute is hidden.

FortiSwitch logs can be configured to be FortiOS system event logs (286258)

You can enable/disable the managed FortiSwitches to export their syslogs to the FortiGate. The setting is global, and the default setting is disabled.

The FortiGate sets the user field to "fortiswitch-syslog” for each entry, to allow a level of filtering.

CLI Command Syntax

config switch-controller switch-log

status (enable | disable)

severity [ emergency | alert | critical | error | warning | notification | information | debug ]

end

 

Stage or schedule FortiSwitch firmware upgrades (290916)

CLI Changes:

Stage FortiSwitch image to a managed FortiSwitch device.

 

execute switch-controller stage-swtp-image <vdom> <fortiswitch-id> <filename>

 

Example:

execute switch-controller stage-swtp-image root S124DN3W14000009 S124DN-IMG.swtp

S124DN3W14000009 # get system status

Version: FortiSwitch-124D v3.4.0,build0156,150929 (Interim)

S124DN3W14000009 # execute reboot

 

Display FortiSwitch port statistics in the FortiGate (303833)

Using the FortiGate CLI, display FortiSwitch port statistics.

Enter the following command. If you omit the port parameter, the FortiGate displays statistics for all of the ports:

diagnose switch-controller dump port-stats <switch id> <port>

 

The following example displays FortiSwitch port statistics for port1:

diagnose switch-controller dump port-stats S124DN3W14000095 port1

S124DN3W14000095 : Port1

tx-bytes 0, tx-packets 0, tx-mcast 0, tx-errors 0, tx-drops 0, tx-egoodpkts 0, rx-bytes 0, rx-packets 0,

rx-mcast 0, rx-errors 0, rx-drops 0, rx-emcasts 0, rx-ebroadcasts 0, rx-eundersize 0, rx-efragments 0, rx-eoversize 0, rx-ejabbers 0

rx-ecollisions 0, rx-ecrcalignments 0, rx-egoodpkts 0, rx-l3packets 0,

 

FortiLink per switch port connected device visibility (356560)(0357579) (302087) (303835) (357579)

In the FGT GUI, User & Device > Device LIst displays a list of devices attached to the FortiSwitch ports. For each device, table displays the IP address of the device, and the interface (FSW name and port).

 

From the CLI, the following command displays information about the host devices:

diagnose switch-controller dump mac-hosts_switch-ports

 

For each device, the CLI displays the IP address of the device, and the interface (FSW name and port).

Display FortiSwitches in Cooperative Security Fabric (CSF) Physical Topology (366873)

Each managed FortiSwitch is displayed as a device subtending the FortiGate.

Log message written when a FortiSwitch connects or disconnects (366519)

Add switch id to the log that is generated when a FortiSwitch connects to the FortiGate, or disconnects.

FS1D483Z14000057 is connected

FS1D483Z14000057 is disconnected

 

FortiGate CLI support for FortiSwitch features (on non-FortiLink ports)

You can configure additional FortiSwitch capabilities (STP, LAG, Storm Control) directly from the FortiGate, without the need to log in to the FortiSwitch.

Configuring STP

Starting in FortiSwitch release 3.4.2, STP is enabled by default for the non-FortiLink ports on the switch.

You can enable or disable STP globally, or per-switch-port.

Use the following CLI commands for global configuration:

config switch-controller stp-settings

set status enable/disable

set name <name>

set revision <stp revision>

set hello-time <hello time>

set forward-time <forwarding delay>

set max-age <maximum aging time>

set max-hops <maximum number of hops>

end

 

Use the following commands for global configuration:

config switch-controller managed-switch

edit <switch-id>

config ports

edit <port name>

set stp-state (enabled | disabled)

end

 

Configuring LAG

You can configure a link aggregation group for non-fortilink ports on a FortiSwitch. You cannot configure ports from different FortiSwitches in one LAG.

config switch-controller managed-switch

edit <switch-id>

config ports

edit <trunk name>

set type trunk

set mode < static | lacp > Link Aggreation mode

set bundle (enable | disable)

set min-bundle <int>

set max-bundle <int>

set members < port1 port2 ...>

next

end

end

end

 

Configuring Storm Control

Storm control prevents traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on a port. Storm control uses the data rate of the link to measure traffic activity.

When the data rate exceeds the configured threshold, storm control drops excess traffic. You can configure the types of traffic to drop: broadcast, unknown unicast, or multicast.

The Storm Control settings are global to all of the non-FortiLink ports on the managed switches. Use the following CLI commands to configure storm control:

config switch-controller switch-storm-control

set rate <rate>

set unknown-unicast (enable | disable)

set unknown-multicast (enable | disable)

set broadcast (enable | disable)

end

 

The Rate units is packets per second. The default value is 500.

 

New FortiLink topology diagram (289005 271675 277441)

For managed FortiSwitches (WIFI & Switch Controller > Managed FortiSwitch), the system now displays the overall topology of the managed FortiSwitches that are connected to this FortiGate.

The topology lists the FortiLink ports on the FortiGate, and displays a full faceplate for each connected FortiSwitch (also showing the FortiLink ports on each FortiSwitch). You can right-click to authorize a managed FortiSwitch or left-click to edit the managed FortiSwitch information.

The topology can displays multiple FortiLinks to each FortiSwitch, as FortiOS 5.4 provides support for FortiLink as a LAG.

New interface option to auto-authorize extension devices 294966

If you enable the auto-authorize option on a FortiGate FortiLink port, the FortiGate will automatically authorize the managed FortiSwitch connected to this FortiLink. The new option is only visible when the interface type is set to Dedicate to Extension Device.

New CLI setting to enable pre-standard PoE detection on managed FortiSwitch ports 293512

This feature is available in FortiSwitchOS 3.3.2 and later releases.

Use the following commands to enable this setting on a managed FortiSwitch port:

config switch-controller managed-switch

edit $FSW

config ports

edit "port1"

set poe-pre-standard-detection enable/disable (the default is disable)

next

end

end

 

Reset any POE port (by toggling the power OFF and then ON):

execute switch-controller poe-reset <fortiswitch-id> <port>

Display general POE status:

get switch-controller <fortiswitch-id> <port>

FortiGate HA cluster support for Managed Switches (276488)

Added the capability to support managed switches from a FortiGate HA cluster. If a standby FortiGate becomes active, it automatically establishes connectivity with the managed switches.

FortiLink GUI updates (288963)

New VLAN view to create and manage VLANs, including setting the VLAN id.

New Ports view of the managed FortiSwitches. The view now displays port status, including the assigned VLAN and the POE status for each port.

This view provides a clearer way to assign VLAN attributes to multiple ports on different FortiSwitches. The VLAN ID and color of each VLAN is clearly visible in the port assignment list. Also, when you configure a VLAN, you can now specify the VLAN ID.