FortiSwitch features configuration

This section describes how to configure global FortiSwitch settings using FortiGate CLI commands. These settings will apply to all of the managed FortiSwitches. You can also override some of the settings on individual FortiSwitches.

VLAN configuration

Use Virtual Local Area Networks (VLANs) to logically separate a LAN into smaller broadcast domains. VLANs allow you to define different policies for different types of users and to set finer control on the LAN traffic. (Traffic is only sent automatically within the VLAN. You must configure routing for traffic between VLANs.)

From the FortiGate, you can centrally configure and manage VLANs for the managed FortiSwitches.

In FortiSwitchOS 3.3.0 and later releases, the FortiSwitch supports untagged and tagged frames in FortiLink mode. The switch supports up to 1,023 user-defined VLANs. You can assign a VLAN number (ranging from 1-4095) to each of the VLANs.

You can configure the default VLAN for each FortiSwitch port as well as a set of allowed VLANs for each FortiSwitch port.

FortiSwitch VLANs display

The WiFi & Switch Controller > FortiSwitch VLANs page displays VLAN information for the managed switches.

Each entry in the VLAN list displays the following information:

  • Name - name of the VLAN
  • VLAN ID - the VLAN number
  • IP/Netmask - address and mask of the subnetwork that corresponds to this VLAN
  • Access - administrative access settings for the VLAN
  • Ref - number of configuration objects referencing this VLAN

Enabling and disabling switch-controller access VLANs through FortiGate

Access VLANs are VLANs that aggregate client traffic solely to the FortiGate. This prevents direct client-to-client traffic visibility at the layer-2 VLAN layer. Clients can only communicate with the FortiGate. After the client traffic reaches the FortiGate, the FortiGate can then determine whether to allow various levels of access to the client by shifting the client's network VLAN as appropriate.

Use enable to allow traffic only to and from the FortiGate and to block FortiSwitch port-to-port traffic on the specified VLAN. Use disable to allow normal traffic on the specified VLAN.

config system interface

edit <VLAN name>

set switch-controller-access-vlan {enable | disable}

next

end

Creating VLANs

Setting up a VLAN requires you to create the VLAN and assign FortiSwitch ports to the VLAN. You can do this with either the Web GUI or CLI.

Using the Web administration GUI

To create the VLAN:

  1. Go to WiFi & Switch Controller > FortiSwitch VLANs, select Create New, and change the following settings:
    Interface NameVLAN name
    VLAN IDEnter a number (1-4094)
    ColorChoose a unique color for each VLAN, for ease of visual display.
    IP/Network MaskIP address and network mask for this VLAN.
  2. Enable DHCP Server and set the IP range.
  3. Set the Admission Control options as required.
  4. Select OK.

 

To assign FortiSwitch ports to the VLAN:

  1. Go to WiFi & Switch Controller > FortiSwitch Ports.
  2. Click the desired port row.
  3. Click the Native VLAN column in one of the selected entries to change the native VLAN.
  4. Select a VLAN from the displayed list. The new value is assigned to the selected ports.
  5. Click the + icon in the Allowed VLANs column to change the allowed VLANs.
  6. Select one or more of the VLANs (or the value all) from the displayed list. The new value is assigned to the selected port.

Using the FortiSwitch CLI

  1. Create the marketing VLAN.

config system interface

edit <vlan name>

set vlanid <1-4094>

set color <1-32>

set interface <FortiLink-enabled interface>

end

 

  1. Set the VLAN’s IP address.

config system interface

edit <vlan name>

set ip <IP address> <Network mask>

end

 

  1. Enable a DHCP Server.

config system dhcp server

edit 1

set default-gateway <IP address>

set dns-service default

set interface <vlan name>

config ip-range

set start-ip <IP address>

set end-ip <IP address>

end

set netmask <Network mask>

end

 

  1. Assign ports to the VLAN.

config switch-controller managed-switch

edit <Switch ID>

config ports

edit <port name>

set vlan <vlan name>

set allowed-vlans <vlan name>

or

set allowed-vlans-all enable

next

end

end

 

Assign untagged VLANs to a managed FortiSwitch port:

config switch-controller managed-switch

edit <managed-switch>

config ports

edit <port>

set untagged-vlans <VLAN-name>

next

end

next

end

Configure MAC address aging interval

Use the following commands to configure how long an inactive MAC address is saved in the FortiSwitch hardware. The range is 10 to 1,000,000 seconds. The default value is 300. After this amount of time, the inactive MAC address is deleted from the FortiSwitch hardware.

config switch-controller global

set mac-aging-interval <10 to 1000000>

end

Enable multiple FortiLink interfaces

Only the first FortiLink interface has GUI support.

Use the following command to enable or disable multiple FortiLink interfaces.

config switch-controller global

set allow-multiple-interfaces {enable | disable}

end

Configure IGMP settings

Use the following command to configure the global IGMP settings.

Aging time is the maximum number of seconds that the system will retain a multicast snooping entry. Enter an integer value from 15 to 3600. The default value is 300.

Flood-unknown-multicast controls whether the system will flood unknown multicast messages within the VLAN.

config switch-controller igmp-snooping

set aging-time <15-3600>

set flood-unknown-multicast {enable | disable}

end

Configure LLDP profiles

Use the following commands to configure LLDP profiles:

config switch-controller lldp-profile

edit <profile number>

set 802.1-tlvs port-vlan-id

set 802.3-tlvs max-frame-size

set auto-isl {enable | disable}

set auto-isl-hello-timer <1-30>

set auto-isl-port-group <0-9>

set auto-isl-receive-timeout <3-90>

set med-tlvs (inventory-management | network-policy)

end

Configure LLDP settings

Use the following commands to configure LLDP settings:

config switch-controller lldp-settings

set status < enable | disable >

set tx-hold <int>

set tx-interval <int>

set fast-start-interval <int>

set management-interface {internal | management}

end

 

Variable Description
status Enable or disable
tx-hold Number of tx-intervals before the local LLDP data expires. Therefore, the packet TTL (in seconds) is tx-hold times tx-interval. The range for tx-hold is 1 to 16, and the default value is 4.
tx-interval How often the FortiSwitch transmits the LLDP PDU. The range is 5 to 4095 seconds, and the default is 30 seconds.
fast-start-interval How often the FortiSwitch transmits the first 4 LLDP packets when a link comes up. The range is 2 to 5 seconds, and the default is 2 seconds.
Set this variable to zero to disable fast start.
management-interface Primary management interface to be advertised in LLDP and CDP PDUs.

Create LLDP asset tags for each managed FortiSwitch

You can use the following commands to add an LLDP asset tag for a managed FortiSwitch:

config switch-controller managed-switch

edit <fsw>

set switch-device-tag <string>

end

Add media endpoint discovery (MED) to an LLDP configuration

You can use the following commands to add media endpoint discovery (MED) features to an LLDP profile:

config switch-controller lldp-profile

edit <lldp-profle>

config med-network-policy

edit guest-voice

set status {disable | enable}

next

edit guest-voice-signaling

set status {disable | enable}

next

edit guest-voice-signaling

set status {disable | enable}

next

edit softphone-voice

set status {disable | enable}

next

edit streaming-video

set status {disable | enable}

next

edit video-conferencing

set status {disable | enable}

next

edit video-signaling

set status {disable | enable}

next

edit voice

set status {disable | enable}

next

edit voice-signaling

set status {disable | enable}

end

config custom-tlvs

edit <name>

set oui <identifier>

set subtype <subtype>

set information-string <string>

end

end

Display LLDP information

You can use the following commands to display LLDP information:

diagnose switch-controller dump lldp stats <switch> <port>

diagnose switch-controller dump lldp neighbors-summary <switch>

diagnose switch-controller dump lldp neighbors-detail <switch>

Configure the MAC sync interval

Use the following commands to configure the global MAC synch interval.

The MAC sync interval is the time interval between MAC synchronizations. The range is 30 to 600 seconds, and the default value is 60.

config switch-controller mac-sync-settings

set mac-sync-interval <30-600>

end

Configure STP settings

Use the following CLI commands for global STP configuration. This configuration applies to all managed FortiSwitches:

config switch-controller stp-settings

set name <name>

set revision <stp revision>

set hello-time <hello time>

set forward-time <forwarding delay>

set max-age <maximum aging time>

set max-hops <maximum number of hops>

end

 

You can override the global STP settings for a FortiSwitch using the following commands:

config switch-controller managed-switch

edit <switch-id>

config stp-settings

set local-override enable

Quarantines

Quarantined MAC addresses are blocked on the connected FortiSwitches from the network and the LAN.

Quarantining a MAC address

Using the FortiGate GUI

In the FortiGate GUI, the quarantine feature is automatically enabled when you quarantine a host.

  1. Select the host to quarantine.
    • Go to Security Fabric > Physical Topology, right-click on a host, and select Quarantine Host on FortiSwitch.
    • Go to Security Fabric > Logical Topology, right-click on a host, and select Quarantine Host on FortiSwitch.
    • Go to FortiView > Sources, right-click on an entry in the Source column, and select Quarantine Host on FortiSwitch.
  2. Click OK to confirm that you want to quarantine the host.

Using the FortiGate CLI

You must enable the quarantine feature in the FortiGate CLI using the set quarantine enable command. You can add MAC addresses to the quarantine list before enabling the quarantine feature, but the quarantine does not go into effect until enabled.

config switch-controller quarantine

set quarantine enable

config targets

edit <MAC_address>

set description <string>

set tags <tag1 tag2 tag3 ...>

next

end

end

 

Option Description
MAC_address A layer-2 MAC address in the following format: 12:34:56:aa:bb:cc
string Optional. A description of the MAC address being quarantined.
tag1 tag2 tag3 ... Optional. A list of arbitrary strings.

For example:

config switch-controller quarantine

set quarantine enable

config targets

edit 00:00:00:aa:bb:cc

set description "infected by virus"

set tags "quarantined"

next

end

end

Viewing quarantine entries

Quarantine entries are created on the FortiGate that is managing the FortiSwitch.

Using the FortiGate GUI

  1. Go to Monitor > Quarantine Monitor.
  2. Click Quarantined on FortiSwitch.
    The Quarantined on FortiSwitch button is only available if a device is detected behind the FortiSwitch, which requires Device Detection to be enabled.

Using the FortiGate CLI

Use the following command to view the quarantine list of MAC addresses:

show switch-controller quarantine

 

For example:

show switch-controller quarantine

 

config switch-controller quarantine

set quarantine enable

config targets

edit 00:11:22:33:44:55

next

edit 00:01:02:03:04:05

next

end

end

 

When the quarantine feature is enabled on the FortiGate, it creates a quarantine VLAN (qtn.<FortiLink_port_name>) on the virtual domain. The quarantine VLAN is applied to the allowed and untagged VLANs on all connected FortiSwitch ports.

Use the following command to view the quarantine VLAN:

show system interface qtn.<FortiLink_port_name>

 

For example:

show system interface qtn.port7

 

config system interface

edit "qtn.port7"

set vdom "vdom1"

set description "Quarantine VLAN"

set security-mode captive-portal

set replacemsg-override-group "auth-intf-qtn.port7"

set device-identification enable

set device-identification-active-scan enable

set snmp-index 34

set switch-controller-access-vlan enable

set color 6

set interface "port7"

set vlanid 4093

next

end

 

Use the following command to view how the quarantine VLAN is applied to the allowed and untagged VLANs on all connected FortiSwitch ports:

show switch-controller managed-switch

 

For example:

show switch-controller managed-switch

 

config switch-controller managed-switch

edit "FS1D483Z15000036"

set fsw-wan1-peer "port7"

set fsw-wan1-admin enable

set version 1

set dynamic-capability 503

config ports

edit "port1"

set vlan "vsw.port7"

set allowed-vlans "qtn.port7"

set untagged-vlans "qtn.port7"

next

edit "port2"

set vlan "vsw.port7"

set allowed-vlans "qtn.port7"

set untagged-vlans "qtn.port7"

next

edit "port3"

set vlan "vsw.port7"

set allowed-vlans "qtn.port7"

set untagged-vlans "qtn.port7"

next

...

end

end

Releasing MAC addresses from quarantine

Using the FortiGate GUI

  1. Go to Monitor > Quarantine Monitor.
  2. Click Quarantined on FortiSwitch.
  3. Right-click on one of the entries and select Delete or Remove All.
  4. Click OK to confirm your choice.

Using the FortiGate CLI

Use the following commands to delete a quarantined MAC address:

config switch-controller quarantine

config targets

delete <MAC_address>

end

 

When the quarantine feature is disabled, all quarantined MAC addresses are released from quarantine. Use the following commands to disable the quarantine feature:

config switch-controller quarantine

set quarantine disable

end