Additional capabilities
This chapter covers the following topics:
- Execute custom FortiSwitch commands
- Firmware upgrade management and compatible version information
- FortiSwitch log export
- FortiSwitch per-port device visibility
- FortiGate CLI support for FortiSwitch features (on non-FortiLink ports)
Execute custom FortiSwitch commands
FortiOS 5.6.0 introduces the additional managed-FortiSwitch capabilities described in this chapter.
From the FortiGate, you can execute FortiSwitch commands on a managed FortiSwitch. This feature adds a simple scripting mechanism for running generic commands on the switch without logging into it directly.
Create a command
Use the following syntax to create a command file:
config switch-controller custom-command
edit <cmd-name>
set command "<FortiSwitch commands>"
next
end
For example, the following command file sets the STP max-age parameter to 10 (note that the quoted string spans several lines and ends with the FortiSwitch end statement):
config switch-controller custom-command
edit "stp-age-10"
set command "config switch stp setting
set max-age 10
end
"
next
end
Execute a command
After you have created a command file, use the following command on the FortiGate to execute the command file on the target switch:
exec switch-controller custom-command <cmd-name> <target-switch>
The following example runs the stp-age-10 command on the specified target FortiSwitch:
# exec switch-controller custom-command stp-age-10 S124DP3X15000118
Firmware upgrade management and compatible version information
You can view the current firmware version of a FortiSwitch and upgrade the FortiSwitch to a new firmware version. The FortiGate suggests an upgrade when a newer version is available from FortiGuard.
Using the FortiGate Web interface
To view the FortiSwitch firmware version:
- Go to WiFi & Switch Controller > Managed FortiSwitch.
- In the main panel, select the FortiSwitch and click Edit.
- In the Edit Managed FortiSwitch panel, the Firmware section displays the current build on the FortiSwitch.
To update the FortiSwitch firmware version:
- Click Update to open the Update Firmware panel.
- Click Select File. In the file chooser, click the image file and click Open.
- Click Upload and Reboot to install the new image and reboot the FortiSwitch.
Using the CLI
Use the following command to display the latest version available for a FortiSwitch model:
diagnose fdsm fortisw-latest-ver <model>
Use the following command to download the image by its image ID:
diagnose fdsm fortisw-download <image id>
The following example shows how to find and download the latest image for the FS224D:
FG100D3G15801204 (global) # diagnose fdsm fortisw-latest-ver FS224D
FS224D - 3.4.2 b192 03004000FIMG0900904002
FG100D3G15801204 (global) # diagnose fdsm fortisw-download 03004000FIMG0900904002
Download image-03004000FIMG0900904002:
################################################################################
Result=Success
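The two commands above are normally run by hand; the following is an added example (not FortiOS code and not from this documentation) that parses the one-line output of diagnose fdsm fortisw-latest-ver in the form shown on the page, compares it with the version a switch is running, and returns the image ID to pass to diagnose fdsm fortisw-download. The "<major>.<minor>.<patch> b<build>" form assumed for the running version, and the refusal to compare across models, are assumptions of this example.

```python
"""Decide whether a managed FortiSwitch needs the firmware FortiGuard offers.

Added example for this page, not FortiOS code. Parses the output line of
`diagnose fdsm fortisw-latest-ver <model>` ("FS224D - 3.4.2 b192 <image id>")
and compares it with the running version. The running-version string format
is an assumption of this example.
"""
import re
from typing import NamedTuple, Optional, Tuple

LATEST_RE = re.compile(
    r"^(?P<model>\S+) - (?P<ver>\d+\.\d+\.\d+) b(?P<build>\d+) (?P<image>\S+)$")
# Accepts "3.4.2 b192", "3.4.2-b192", "v3.4.2-build192" or a bare "3.4.2".
VERSION_RE = re.compile(r"^v?(?P<ver>\d+\.\d+\.\d+)(?:[ -]?b(?:uild)?(?P<build>\d+))?$")


class Firmware(NamedTuple):
    model: str
    version: Tuple[int, int, int]
    build: int
    image_id: str


def parse_version(text: str) -> Tuple[Tuple[int, int, int], int]:
    """'3.4.2 b192' -> ((3, 4, 2), 192); a missing build number counts as 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    ver = tuple(int(x) for x in m["ver"].split("."))
    return ver, int(m["build"] or 0)


def parse_latest(line: str) -> Firmware:
    """Parse the fortisw-latest-ver output line into its parts."""
    m = LATEST_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised fortisw-latest-ver output: {line!r}")
    ver, build = parse_version(f"{m['ver']} b{m['build']}")
    return Firmware(m["model"], ver, build, m["image"])


def upgrade_image(model: str, running: str, latest_line: str) -> Optional[str]:
    """Return the image ID to download when the offered firmware is newer than
    `running`, else None. Images are model-specific, so a model mismatch is an error."""
    latest = parse_latest(latest_line)
    if latest.model != model:
        raise ValueError(f"image is for {latest.model}, switch is {model}")
    if (latest.version, latest.build) > parse_version(running):
        return latest.image_id
    return None


if __name__ == "__main__":
    line = "FS224D - 3.4.2 b192 03004000FIMG0900904002"  # output shown on the page
    image = upgrade_image("FS224D", "3.4.1 b180", line)  # running version is constructed
    print(f"diagnose fdsm fortisw-download {image}" if image else "switch is up to date")
```

The version and build are compared as a tuple so that a build-only change (same 3.4.2, newer build) is still treated as an upgrade, which matches how FortiGuard publishes fixes.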
FortiSwitch log export
You can enable or disable the export of syslog messages from the managed FortiSwitches to the FortiGate. The setting is global, and it is enabled by default. Starting in FortiOS 5.6.3, more details are included in the exported FortiSwitch logs.
To allow filtering, the FortiGate sets the user field to "fortiswitch-syslog" on each exported entry.
The following is the CLI command syntax (an asterisk marks the default value):
config switch-controller switch-log
set status (*enable | disable)
set severity [emergency | alert | critical | error | warning | notification | *information | debug]
end
You can override the global log settings for a specific FortiSwitch. Enable local-override, then set the log settings that apply to that switch only:
config switch-controller managed-switch
edit <switch-id>
config switch-log
set local-override enable
set status (enable | disable)
set severity [emergency | alert | critical | error | warning | notification | information | debug]
end
next
end
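Because the FortiGate tags every re-exported switch entry with user="fortiswitch-syslog", that field is the natural pivot for filtering switch events out of the FortiGate log stream. The following is an added example (not FortiOS code and not from this documentation) that parses FortiGate-style key=value log lines, keeps only the FortiSwitch-originated entries, and applies a severity floor in the same emergency-to-debug order the severity setting uses. The sample log lines, device name and message texts are constructed for the example; the exact field layout of a real export is an assumption.

```python
"""Filter FortiSwitch syslog entries re-exported by a FortiGate.

Added example for this page, not FortiOS code. Assumes the FortiGate writes
the exported entries in its usual key=value log format and, as the page
states, tags each one with user="fortiswitch-syslog". The sample log lines
below are constructed for the example.
"""
import re
from typing import Dict, List

# Syslog severities in the order FortiOS lists them; a lower index is more severe.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notification", "information", "debug"]

# Matches key=value or key="quoted value" tokens.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_kv(line: str) -> Dict[str, str]:
    """Parse one FortiGate-style key=value log line into a dict (quotes stripped)."""
    rec = {}
    for m in KV_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        rec[key] = quoted if quoted is not None else raw
    return rec


def at_least(level: str, threshold: str) -> bool:
    """True when `level` is as severe as, or more severe than, `threshold`."""
    if level not in SEVERITIES or threshold not in SEVERITIES:
        return False  # unknown names never pass the filter
    return SEVERITIES.index(level) <= SEVERITIES.index(threshold)


def filter_switch_logs(lines: List[str], min_severity: str = "warning") -> List[Dict[str, str]]:
    """Keep only FortiSwitch-originated entries at or above min_severity."""
    hits = []
    for line in lines:
        rec = parse_kv(line)
        if rec.get("user") == "fortiswitch-syslog" and at_least(rec.get("level", ""), min_severity):
            hits.append(rec)
    return hits


# Constructed sample: three switch entries (information, warning, critical)
# interleaved with an unrelated administrator login event.
SAMPLE_LINES = [
    'date=2018-01-10 time=10:15:01 devname="FG100D" level="information" '
    'user="fortiswitch-syslog" msg="S124DP3X15000118 port5 link up"',
    'date=2018-01-10 time=10:15:07 devname="FG100D" level="warning" '
    'user="fortiswitch-syslog" msg="S124DP3X15000118 port7 link down"',
    'date=2018-01-10 time=10:15:09 devname="FG100D" level="warning" '
    'user="admin" msg="Administrator admin logged in from 10.0.0.5"',
    'date=2018-01-10 time=10:15:12 devname="FG100D" level="critical" '
    'user="fortiswitch-syslog" msg="S124DP3X15000118 STP topology change on port7"',
]

if __name__ == "__main__":
    for rec in filter_switch_logs(SAMPLE_LINES, "warning"):
        print(rec["time"], rec["level"], rec["msg"])
```

Unknown level names fail closed (they are dropped rather than passed), so a malformed or truncated entry cannot slip past the severity floor.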
FortiSwitch per-port device visibility
In the FortiGate GUI, User & Device > Device List displays a list of devices attached to the FortiSwitch ports. For each device, the table displays the IP address of the device and the interface (FortiSwitch name and port).
From the CLI, the following command displays information about the host devices:
diagnose switch-controller dump mac-hosts_switch-ports
FortiGate CLI support for FortiSwitch features (on non-FortiLink ports)
You can configure the following FortiSwitch features from the FortiGate CLI.
Configuring a link aggregation group (LAG)
You can configure a link aggregation group (LAG) for non-FortiLink ports on a FortiSwitch. You cannot configure ports from different FortiSwitches in one LAG.
config switch-controller managed-switch
edit <switch-id>
config ports
edit <trunk name>
set type trunk
set mode {static | lacp-passive | lacp-active}
set bundle {enable | disable}
set min-bundle <int>
set max-bundle <int>
set members <port1> <port2> ...
next
end
next
end
Configuring an MCLAG with managed FortiSwitches
A multichassis LAG (MCLAG) provides node-level redundancy by grouping two FortiSwitch units together so that they appear as a single switch on the network. If either switch fails, the MCLAG continues to function without interruption, increasing network resiliency and avoiding the convergence delays associated with the Spanning Tree Protocol (STP). For the network topology, see Dual-homed servers connected to FortiLink tier-1 FortiSwitches using an MCLAG and Standalone FortiGate with dual-homed FortiSwitch access.
Notes
- Both peer switches should be the same hardware model and run the same software version. Mismatched configurations might work but are unsupported.
- An MCLAG consists of at most two FortiSwitch units.
- The routing feature is not available within an MCLAG.
- For static MAC addresses within an MCLAG, if one FortiSwitch learns the MAC address, the second FortiSwitch will automatically learn the MAC address.
To configure an MCLAG with managed FortiSwitches:
- For each MCLAG peer switch, log into the FortiSwitch and create the LAG that links the two peers, with mclag-icl enabled:
config switch trunk
edit "LAG-member"
set mode lacp-active
set mclag-icl enable
set members "<port>" "<port>"
next
end
- On the FortiGate, enable the MCLAG on each managed FortiSwitch:
config switch-controller managed-switch
edit "<switch-id>"
config ports
edit "<trunk name>"
set type trunk
set mode {static | lacp-passive | lacp-active}
set bundle {enable | disable}
set members "<port>" "<port>"
set mclag {enable | disable}
next
end
next
end
- Log into each managed FortiSwitch to check the MCLAG configuration:
diagnose switch mclag
After the FortiSwitches are configured as MCLAG peer switches, any port that supports advanced features on the FortiSwitch can become a LAG port. When mclag is enabled and the LAG port names match, an MCLAG peer set is automatically formed. The member ports for each FortiSwitch in the MCLAG do not need to be identical to the member ports on the peer FortiSwitch.
Configuring storm control
Storm control measures the traffic activity on a link as a data rate in packets per second (default 500) and prevents traffic on a LAN from being disrupted by a broadcast, multicast, or unknown-unicast storm on a port.
When the data rate exceeds the configured threshold, storm control drops the excess traffic. You select which traffic types are subject to the limit: broadcast, unknown unicast, or unknown multicast.
The storm control settings are global to all non-FortiLink ports on the managed switches. Use the following CLI commands to configure storm control:
config switch-controller storm-control
set rate <rate>
set unknown-unicast (enable | disable)
set unknown-multicast (enable | disable)
set broadcast (enable | disable)
end
You can override the global storm control settings for a specific FortiSwitch. Enable local-override, then set the storm control values that apply to that switch only:
config switch-controller managed-switch
edit <switch-id>
config storm-control
set local-override enable
set rate <rate>
set unknown-unicast (enable | disable)
set unknown-multicast (enable | disable)
set broadcast (enable | disable)
end
next
end
Displaying port statistics
Port statistics are displayed with the following FortiGate CLI command, which takes the switch serial number and the port name as arguments:
FG100D3G15804763 # diagnose switch-controller dump port-stats S124DP3X16000413 port8
S124DP3X16000413 0 :
{
"port8":{
"tx-bytes":823526672,
"tx-packets":1402390,
"tx-ucast":49047,
"tx-mcast":804545,
"tx-bcast":548798,
"tx-errors":0,
"tx-drops":3,
"tx-oversize":0,
"rx-bytes":13941793,
"rx-packets":160303,
"rx-ucast":148652,
"rx-mcast":7509,
"rx-bcast":4142,
"rx-errors":0,
"rx-drops":720,
"rx-oversize":0,
"undersize":0,
"fragments":0,
"jabbers":0,
"collisions":0,
"crc-alignments":0,
"l3packets":0
}
}
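The counters above are cumulative, so a single dump says little on its own; the useful signals (a broadcast storm that storm control should be catching, a port that is quietly accumulating CRC errors) only appear as deltas between samples. The following is an added example (not FortiOS code and not from this documentation) that parses the JSON the command prints after its "<serial> 0 :" header, takes the counter increments between two samples, estimates each port's ingress broadcast+multicast rate against a storm-control threshold in packets per second (the page's default of 500), and flags ports that accumulated errors or drops. It therefore serves both the storm control and the port statistics sections. The port8 baseline is copied from the page's output; the switch serial, the second port, the increments and the 10-second sampling interval are constructed for the example.

```python
"""Analyse `diagnose switch-controller dump port-stats` output across two samples.

Added example for this page, not FortiOS code. Parses the JSON printed
after the "<switch-serial> 0 :" header (the layout shown on the page),
takes counter deltas between two samples, estimates the ingress
broadcast+multicast packet rate per port against a storm-control
threshold, and flags error and drop counters that grew. The second port,
counter increments and sampling interval are constructed for the example.
"""
import json
from typing import Dict, List, Tuple

Counters = Dict[str, int]

ERROR_COUNTERS = ("rx-errors", "tx-errors", "crc-alignments",
                  "jabbers", "fragments", "undersize", "collisions")
DROP_COUNTERS = ("rx-drops", "tx-drops")


def parse_port_stats(text: str) -> Dict[str, Counters]:
    """Return {port: counters}; everything before the first '{' is the header line."""
    start = text.find("{")
    if start < 0:
        raise ValueError("no JSON object in port-stats output")
    return json.loads(text[start:])


def counter_deltas(before: Dict[str, Counters], after: Dict[str, Counters]) -> Dict[str, Counters]:
    """Per-port counter increments; ports missing from either sample are skipped."""
    return {
        port: {k: after[port][k] - before[port].get(k, 0) for k in after[port]}
        for port in before.keys() & after.keys()
    }


def analyse(before_text: str, after_text: str, interval_s: float,
            storm_rate_pps: int = 500) -> List[Tuple[str, str]]:
    """Return (port, finding) pairs for storm, link-error and drop conditions."""
    deltas = counter_deltas(parse_port_stats(before_text), parse_port_stats(after_text))
    findings = []
    for port, inc in sorted(deltas.items()):
        flood_pps = (inc.get("rx-bcast", 0) + inc.get("rx-mcast", 0)) / interval_s
        if flood_pps > storm_rate_pps:
            findings.append((port, f"storm: ingress bcast+mcast {flood_pps:.0f} pps "
                                   f"exceeds storm-control rate {storm_rate_pps} pps"))
        errs = {k: inc[k] for k in ERROR_COUNTERS if inc.get(k, 0) > 0}
        if errs:
            findings.append((port, "link errors: " + ", ".join(f"{k}={v}" for k, v in errs.items())))
        drops = {k: inc[k] for k in DROP_COUNTERS if inc.get(k, 0) > 0}
        if drops:
            findings.append((port, "drops: " + ", ".join(f"{k}={v}" for k, v in drops.items())))
    return findings


def render_sample(serial: str, ports: Dict[str, Counters]) -> str:
    """Produce text in the page's layout: a '<serial> 0 :' header, then the JSON."""
    return f"{serial} 0 :\n" + json.dumps(ports, indent=1)


def bump(counters: Counters, **inc: int) -> Counters:
    """Copy a counter set with increments applied (underscores in names become hyphens)."""
    out = dict(counters)
    for k, v in inc.items():
        out[k.replace("_", "-")] += v
    return out


# port8 baseline copied from the page's sample output; port12 reuses it (constructed).
PORT8_BASE: Counters = {
    "tx-bytes": 823526672, "tx-packets": 1402390, "tx-ucast": 49047,
    "tx-mcast": 804545, "tx-bcast": 548798, "tx-errors": 0, "tx-drops": 3,
    "tx-oversize": 0, "rx-bytes": 13941793, "rx-packets": 160303,
    "rx-ucast": 148652, "rx-mcast": 7509, "rx-bcast": 4142, "rx-errors": 0,
    "rx-drops": 720, "rx-oversize": 0, "undersize": 0, "fragments": 0,
    "jabbers": 0, "collisions": 0, "crc-alignments": 0, "l3packets": 0,
}
SWITCH = "S124DP3X16000413"
SAMPLE_BEFORE = render_sample(SWITCH, {"port8": PORT8_BASE, "port12": PORT8_BASE})
SAMPLE_AFTER = render_sample(SWITCH, {
    # port8: ordinary traffic plus a few CRC/alignment faults (cabling or duplex problem)
    "port8": bump(PORT8_BASE, rx_packets=1200, rx_ucast=1100, rx_bcast=60,
                  rx_mcast=40, crc_alignments=4),
    # port12: 60 000 extra broadcasts in 10 s = 6000 pps, far above the 500 pps default
    "port12": bump(PORT8_BASE, rx_packets=60500, rx_bcast=60000, rx_ucast=500,
                   rx_drops=58000),
})

if __name__ == "__main__":
    for port, finding in analyse(SAMPLE_BEFORE, SAMPLE_AFTER, interval_s=10):
        print(f"{SWITCH} {port}: {finding}")
```

In practice the two samples come from running the dump command twice a known interval apart; the rate is computed from ingress broadcast and multicast only, because that is the traffic storm control limits, while the drop and error checks use the raw increments regardless of interval.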
Configuring QoS with managed FortiSwitches
Quality of Service (QoS) provides the ability to set particular priorities for different applications, users, or data flows.
FortiGate does not support QoS for hard or soft switch ports.
FortiSwitch supports the following QoS configuration capabilities:
- Mapping the IEEE 802.1p and Layer 3 QoS values (Differentiated Services and IP Precedence) to an outbound QoS queue number.
- Providing eight egress queues on each port.
- Policing the maximum data rate of egress traffic on the interface.
To configure the QoS for managed FortiSwitches:
- Configure a Dot1p map.
A Dot1p map defines a mapping between IEEE 802.1p class of service (CoS) values (from incoming packets on a trusted interface) and the egress queue values. Values that are not explicitly included in the map will follow the default mapping, which maps each priority (0-7) to queue 0. If an incoming packet contains no CoS value, the switch assigns a CoS value of zero.
NOTE: Do not enable trust for both Dot1p and DSCP at the same time on the same interface. If you do trust both Dot1p and IP-DSCP, the FortiSwitch uses the DSCP value to determine the queue and falls back to the Dot1p value and mapping only when the packet carries no DSCP value.
config switch-controller qos dot1p-map
edit <Dot1p map name>
set description <text>
set priority-0 <queue number>
set priority-1 <queue number>
set priority-2 <queue number>
set priority-3 <queue number>
set priority-4 <queue number>
set priority-5 <queue number>
set priority-6 <queue number>
set priority-7 <queue number>
next
end
- Configure a DSCP map.
A DSCP map defines a mapping between IP precedence or DSCP values and the egress queue values. For IP precedence, you have the following choices:
- network-control—Network control
- internetwork-control—Internetwork control
- critic-ecp—Critic and emergency call processing (ECP)
- flashoverride—Flash override
- flash—Flash
- immediate—Immediate
- priority—Priority
- routine—Routine
config switch-controller qos ip-dscp-map
edit <DSCP map name>
set description <text>
config map
edit <entry name>
set cos-queue <COS queue number>
set diffserv {CS0 | CS1 | AF11 | AF12 | AF13 | CS2 | AF21 | AF22 | AF23 | CS3 | AF31 | AF32 | AF33 | CS4 | AF41 | AF42 | AF43 | CS5 | EF | CS6 | CS7}
set ip-precedence {network-control | internetwork-control | critic-ecp | flashoverride | flash | immediate | priority | routine}
set value <DSCP raw value>
next
end
end
- Configure the egress QoS policy.
In a QoS policy, you set the scheduling mode for the policy and configure one or more CoS queues. Each egress port supports eight queues, and three scheduling modes are available:
- With strict scheduling, the queues are served in descending order of queue number, so higher-numbered queues receive higher priority.
- In simple round-robin mode, the scheduler visits each backlogged queue in turn, servicing a single packet from each queue before moving on to the next one.
- In weighted round-robin mode, each of the eight egress queues is assigned a weight value ranging from 0 to 63.
config switch-controller qos queue-policy
edit <QoS egress policy name>
set schedule {strict | round-robin | weighted}
config cos-queue
edit [queue-<number>]
set description <text>
set min-rate <rate in kbps>
set max-rate <rate in kbps>
set drop-policy {taildrop | random-early-detection}
set weight <weight value>
next
end
next
end
- Configure the overall policy that will be applied to the switch ports.
config switch-controller qos qos-policy
edit <QoS egress policy name>
set default-cos <default CoS value 0-7>
set trust-dot1p-map <Dot1p map name>
set trust-ip-dscp-map <DSCP map name>
set queue-policy <queue policy name>
next
end
- Configure each switch port.
config switch-controller managed-switch
edit <switch-id>
config ports
edit <port>
set qos-policy <QoS policy name>
next
end
next
end