FortiSwitch port features

You can configure the FortiSwitch port feature settings from the FortiGate using the FortiGate CLI or the web administration GUI.

FortiSwitch ports display

The WiFi & Switch Controller > FortiSwitch Ports page displays port information about each of the managed switches.

The following figure shows the display for a FortiSwitch 524D-FPOE:


The switch faceplate displays:

  • active ports (green)
  • PoE-enabled ports (blue rectangle)
  • FortiLink port (link icon)

PoE Status displays the total power budget and the actual power currently allocated.

The allocated power displays a blue bar for the used power (currently being consumed) and a green bar for the reserved power (power available for additional devices on the POE ports). See the following figures:

Each entry in the port list displays the following information:

  • Port status (red for down, green for up)
  • Port name
  • Native VLAN
  • Allowed VLANs
  • Device information
  • PoE status
  • Bytes sent and received by the port

Configuring ports using the GUI

You can use the WiFi & Switch Controller > FortiSwitch Ports page to do the following with FortiSwitch switch ports:

  • Set the native VLAN and add more VLANs
  • Edit the description of the port
  • Enable or disable the port
  • Enable or disable PoE for the port
  • Enable or disable DHCP blocking (if supported by the port)
  • Enable or disable IGMP snooping (if supported by the port)
  • Enable or disable whether a port is an edge port
  • Enable or disable STP (if supported by the port)
  • Enable or disable loop guard (if supported by the port)
  • Enable or disable STP BPDU guard (if supported by the port)
  • Enable or disable STP root guard (if supported by the port)

Resetting PoE-enabled ports

If you need to reset PoE-enabled ports, go to WiFi & Switch Controller > FortiSwitch Ports, right-click one or more PoE-enabled ports, and select Reset PoE from the context menu.

You can also go to WiFi & Switch Controller > Managed FortiSwitch and click a port icon for the FortiSwitch of interest. In the FortiSwitch Ports page, right-click one or more PoE-enabled ports and select Reset PoE from the context menu.

Configuring ports using the FortiGate CLI

You can configure the following FortiSwitch port settings using the FortiGate CLI:

Configuring port speed and status

Use the following commands to set port speed and other base port settings:

config switch-controller managed-switch
    edit <switch>
        config ports
            edit <port>
                set description <text>
                set speed <speed>
                set status {down | up}
        end
end

For example:

config switch-controller managed-switch
    edit S524DF4K15000024
        config ports
            edit port1
                set description "First port"
                set speed auto
                set status up
        end
end

Configuring the DHCP trust setting

The DHCP blocking feature (DHCP snooping) filters DHCP traffic that arrives from untrusted sources, typically host ports and unknown DHCP servers, which could otherwise be used to attack the network (for example, a rogue DHCP server handing clients a malicious default gateway or DNS server). Server-side DHCP messages received on an untrusted port are dropped. Mark only the ports that lead to legitimate DHCP servers, normally the uplinks, as trusted, and leave access ports untrusted.

Set the port as a trusted or untrusted DHCP-snooping interface:

config switch-controller managed-switch
    edit <switch-id>
        config ports
            edit <port name>
                set dhcp-snooping {trusted | untrusted}
        end
end

For example:

config switch-controller managed-switch
    edit S524DF4K15000024
        config ports
            edit port1
                set dhcp-snooping trusted
        end
end

Configuring PoE

The following PoE CLI commands are available starting in FortiSwitchOS 3.3.0.

Enable PoE on the port

config switch-controller managed-switch
    edit <switch-id>
        config ports
            edit <port name>
                set poe-status {enable | disable}
        end
end

For example:

config switch-controller managed-switch
    edit S524DF4K15000024
        config ports
            edit port1
                set poe-status enable
        end
end

Reset the PoE port

Power over Ethernet (PoE) describes any system that passes electric power along with data on twisted pair Ethernet cabling. Doing this allows a single cable to provide both data connection and electric power to devices (for example, wireless access points, IP cameras, and VoIP phones).

The following command resets PoE on the port:

execute switch-controller poe-reset <fortiswitch-id> <port>

Display general PoE status

get switch-controller poe <fortiswitch-id> <port>

The following example displays the PoE status for port 6 on the specified switch:

# get switch-controller poe FS108D3W14000967 port6
Port(6) Power:3.90W, Power-Status: Delivering Power
Power-Up Mode: Normal Mode
Remote Power Device Type: IEEE802.3AT PD
Power Class: 4
Defined Max Power: 30.0W, Priority:3
Voltage: 54.00V
Current: 78mA

Configuring edge ports

Use the following commands to enable or disable an interface as an edge port:

config switch-controller managed-switch
    edit <switch>
        config ports
            edit <port>
                set edge-port {enable | disable}
        end
end

For example:

config switch-controller managed-switch
    edit S524DF4K15000024
        config ports
            edit port1
                set edge-port enable
        end
end

Configuring STP

Starting with FortiSwitch Release 3.4.2, STP is enabled by default for the non-FortiLink ports on the managed FortiSwitches. STP is a link-management protocol that ensures a loop-free layer-2 network topology.

To configure global STP settings, see Configure STP settings.

Use the following commands to enable or disable STP on FortiSwitch ports:

config switch-controller managed-switch
    edit <switch-id>
        config ports
            edit <port name>
                set stp-state {enabled | disabled}
        end
end

For example:

config switch-controller managed-switch
    edit S524DF4K15000024
        config ports
            edit port1
                set stp-state enabled
        end
end

To check the STP configuration on a FortiSwitch, use the following command:

diagnose switch-controller dump stp <FortiSwitch_serial_number> <instance_number>

For example:

FG100D3G15817028 # diagnose switch-controller dump stp S524DF4K15000024 0
MST Instance Information, primary-Channel:
Instance ID : 0
Switch Priority : 24576
Root MAC Address : 085b0ef195e4
Root Priority: 24576
Root Pathcost: 0
Regional Root MAC Address : 085b0ef195e4
Regional Root Priority: 24576
Regional Root Path Cost: 0
Remaining Hops: 20
This Bridge MAC Address : 085b0ef195e4
This bridge is the root

Port              Speed   Cost        Priority   Role         State        Edge   STP-Status   Loop Protection
________________  ______  _________   _________  ___________  __________   ____   __________   ________
port1             -       200000000   128        DISABLED     DISCARDING   YES    ENABLED      NO
port2             -       200000000   128        DISABLED     DISCARDING   YES    ENABLED      NO
port3             -       200000000   128        DISABLED     DISCARDING   YES    ENABLED      NO
port4             -       200000000   128        DISABLED     DISCARDING   YES    ENABLED      NO
port5             -       200000000   128        DISABLED     DISCARDING   YES    ENABLED      NO
port6             -       200000000   128        DISABLED     DISCARDING   YES    ENABLED      NO
port7             -       200000000   128        DISABLED     DISCARDING   YES    ENABLED      NO
port8             -       200000000   128        DISABLED     DISCARDING   YES    ENABLED      NO
port9             -       200000000   128        DISABLED     DISCARDING   YES    ENABLED      NO
port10            -       200000000   128        DISABLED     DISCARDING   YES    ENABLED      NO
port11            -       200000000   128        DISABLED     DISCARDING   YES    ENABLED      NO
port12            -       200000000   128        DISABLED     DISCARDING   YES    ENABLED      NO
port13            -       200000000   128        DISABLED     DISCARDING   YES    ENABLED      NO
port14            -       200000000   128        DISABLED     DISCARDING   YES    ENABLED      NO
port15            -       200000000   128        DISABLED     DISCARDING   YES    ENABLED      NO
port16            -       200000000   128        DISABLED     DISCARDING   YES    ENABLED      NO
port17            -       200000000   128        DISABLED     DISCARDING   YES    ENABLED      NO
port18            -       200000000   128        DISABLED     DISCARDING   YES    ENABLED      NO
port19            -       200000000   128        DISABLED     DISCARDING   YES    ENABLED      NO
port20            -       200000000   128        DISABLED     DISCARDING   YES    ENABLED      NO
port21            -       200000000   128        DISABLED     DISCARDING   YES    ENABLED      NO
port22            -       200000000   128        DISABLED     DISCARDING   YES    ENABLED      NO
port23            -       200000000   128        DISABLED     DISCARDING   YES    ENABLED      NO
port25            -       200000000   128        DISABLED     DISCARDING   YES    ENABLED      NO
port26            -       200000000   128        DISABLED     DISCARDING   YES    ENABLED      NO
port27            -       200000000   128        DISABLED     DISCARDING   YES    ENABLED      NO
port28            -       200000000   128        DISABLED     DISCARDING   YES    ENABLED      NO
port29            -       200000000   128        DISABLED     DISCARDING   YES    ENABLED      NO
port30            -       200000000   128        DISABLED     DISCARDING   YES    ENABLED      NO
internal          1G      20000       128        DESIGNATED   FORWARDING   YES    DISABLED     NO
__FoRtI1LiNk0__   1G      20000       128        DESIGNATED   FORWARDING   YES    DISABLED     NO

Configuring STP root guard

Root guard protects the interface on which it is enabled from becoming the path to root. When enabled on an interface, superior BPDUs received on that interface are ignored or dropped. Without using root guard, any switch that participates in STP maintains the ability to reroute the path to root. Rerouting might cause your network to transmit large amounts of traffic across suboptimal links or allow a malicious or misconfigured device to pose a security risk by passing core traffic through an insecure device for packet capture or inspection. By enabling root guard on multiple interfaces, you can create a perimeter around your existing paths to root to enforce the specified network topology.

Enable root guard on every port that should never lead toward the root bridge, that is, on ports facing devices that must not be allowed to take over the root role. Do not enable root guard on the root port itself or on any port that is expected to become the root port after a failover. STP must be enabled on the port for root guard to take effect.

Use the following commands to enable or disable STP root guard on FortiSwitch ports:

config switch-controller managed-switch
    edit <switch-id>
        config ports
            edit <port name>
                set stp-root-guard {enabled | disabled}
        end
end

For example:

config switch-controller managed-switch
    edit S524DF4K15000024
        config ports
            edit port1
                set stp-root-guard enabled
        end
end

Configuring STP BPDU guard

Similar to root guard, BPDU guard protects the intended network topology. When BPDU guard is enabled on STP edge ports, any BPDU received causes the port to go down for a specified number of minutes. The BPDU is not forwarded, and the network edge is enforced: a device plugged into an access port cannot inject BPDUs to influence the spanning tree.

There are two prerequisites for using BPDU guard:

  • You must define the port as an edge port with the set edge-port enable command.
  • You must enable STP on the switch interface with the set stp-state enabled command.

You can set how long the port stays down after a BPDU is received, up to a maximum of 120 minutes. The default port timeout is 5 minutes. If you set the timeout value to 0, the port does not come back up automatically after it is shut down by BPDU guard; you must reset the port manually.

Use the following commands to enable or disable STP BPDU guard on FortiSwitch ports:

config switch-controller managed-switch
    edit <switch-id>
        config ports
            edit <port name>
                set stp-bpdu-guard {enabled | disabled}
                set stp-bpdu-guard-time <0-120>
        end
end

For example:

config switch-controller managed-switch
    edit S524DF4K15000024
        config ports
            edit port1
                set stp-bpdu-guard enabled
                set stp-bpdu-guard-time 10
        end
end

To check the configuration of STP BPDU guard on a FortiSwitch, use the following command:

diagnose switch-controller dump bpdu-guard-status <FortiSwitch_serial_number>

For example:

FG100D3G15817028 # diagnose switch-controller dump bpdu-guard-status S524DF4K15000024
Managed Switch : S524DF4K15000024 0

Portname             State      Status       Timeout(m)    Count    Last-Event
_________________   _______    _________    ___________    _____   _______________

port1              enabled      -              10            0            -
port2              disabled     -              -             -            -
port3              disabled     -              -             -            -
port4              disabled     -              -             -            -
port5              disabled     -              -             -            -
port6              disabled     -              -             -            -
port7              disabled     -              -             -            -
port8              disabled     -              -             -            -
port9              disabled     -              -             -            -
port10             disabled     -              -             -            -
port11             disabled     -              -             -            -
port12             disabled     -              -             -            -
port13             disabled     -              -             -            -
port14             disabled     -              -             -            -
port15             disabled     -              -             -            -
port16             disabled     -              -             -            -
port17             disabled     -              -             -            -
port18             disabled     -              -             -            -
port19             disabled     -              -             -            -
port20             disabled     -              -             -            -
port21             disabled     -              -             -            -
port22             disabled     -              -             -            -
port23             disabled     -              -             -            -
port25             disabled     -              -             -            -
port26             disabled     -              -             -            -
port27             disabled     -              -             -            -
port28             disabled     -              -             -            -
port29             disabled     -              -             -            -
port30             disabled     -              -             -            -
__FoRtI1LiNk0__    disabled     -              -             -            -

Configuring loop guard

A loop in a layer-2 network results in broadcast storms that have far-reaching and unwanted effects. Fortinet loop guard helps to prevent loops. When loop guard is enabled on a switch port, the port monitors its subtending network for any downstream loops. Loop guard and STP should be used separately for loop protection. By default, loop guard is disabled on all ports.

Use the following commands to configure loop guard on a FortiSwitch port:

config switch-controller managed-switch
    edit <switch-id>
        config ports
            edit <port name>
                set loop-guard {enabled | disabled}
                set loop-guard-timeout <0-120 minutes>
        end
end

For example:

config switch-controller managed-switch
    edit S524DF4K15000024
        config ports
            edit port1
                set loop-guard enabled
                set loop-guard-timeout 10
        end
end
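
The DHCP trust, edge port, STP, root guard, BPDU guard and loop guard sections above each configure one setting on one port. The following FortiGate CLI session is an added example, not taken from the original page or from Fortinet's documentation, that combines them into a per-port hardening profile on a single managed switch using only the commands already shown. The switch serial S524DF4K15000024 is the one used throughout this page; the port roles are assumptions for the example: port1 is a user-facing access port, port20 is a downlink to another STP-speaking switch that must never become root, port21 is a downlink to an unmanaged switch that does not run STP, and port23 is the uplink to the core where the legitimate DHCP server and the root bridge live.

```text
config switch-controller managed-switch
    edit S524DF4K15000024
        config ports
            # Access port: an endpoint is never a DHCP server and never part
            # of the spanning-tree core. Any BPDU shuts the port for 10 min.
            edit port1
                set description "Access - untrusted endpoint"
                set dhcp-snooping untrusted
                set edge-port enable
                set stp-state enabled
                set stp-bpdu-guard enabled
                set stp-bpdu-guard-time 10
            next
            # Downlink to a managed switch that runs STP but must stay
            # subordinate: superior BPDUs from it are ignored by root guard.
            edit port20
                set description "Downlink - STP switch, never root"
                set dhcp-snooping untrusted
                set edge-port disable
                set stp-state enabled
                set stp-bpdu-guard disabled
                set stp-root-guard enabled
            next
            # Downlink to an unmanaged switch with no STP: loop guard is used
            # instead of STP, since the page says not to combine the two.
            edit port21
                set description "Downlink - unmanaged switch"
                set dhcp-snooping untrusted
                set edge-port disable
                set stp-state disabled
                set loop-guard enabled
                set loop-guard-timeout 10
            next
            # Uplink to the core: the only port allowed to deliver DHCP server
            # replies, and the port through which the root bridge is reached.
            edit port23
                set description "Uplink - core"
                set dhcp-snooping trusted
                set edge-port disable
                set stp-state enabled
                set stp-bpdu-guard disabled
                set stp-root-guard disabled
            next
        end
    next
end
```

After applying the configuration, verify it with the diagnostic commands given on this page: diagnose switch-controller dump stp S524DF4K15000024 0 should list port23 as the port facing the root and port21 with STP-Status DISABLED, and diagnose switch-controller dump bpdu-guard-status S524DF4K15000024 should show port1 as enabled with a Timeout(m) of 10 and a Count that stays at 0 until a BPDU actually arrives on that port. Leave every other access port at untrusted; trusted should only ever appear on the uplink.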

Configuring LLDP settings

The Fortinet data center switches support the Link Layer Discovery Protocol (LLDP) for both transmission and reception: the switch multicasts LLDP packets to advertise its identity and capabilities, and it receives the equivalent information from adjacent layer-2 peers.

Use the following commands to configure LLDP on a FortiSwitch port:

config switch-controller managed-switch
    edit <switch-id>
        config ports
            edit <port name>
                set lldp-status {rx-only | tx-only | tx-rx | disable}
                set lldp-profile <profile name>
        end
end

For example:

config switch-controller managed-switch
    edit S524DF4K15000024
        config ports
            edit port2
                set lldp-status tx-rx
                set lldp-profile default
        end
end

Configuring IGMP settings

IGMP snooping allows the FortiSwitch to passively listen to the Internet Group Management Protocol (IGMP) network traffic between hosts and routers. The switch uses this information to determine which ports are interested in receiving each multicast feed. FortiSwitch can reduce unnecessary multicast traffic on the LAN by pruning multicast traffic from links that do not contain a multicast listener.

config switch-controller managed-switch
    edit <switch-id>
        config ports
            edit <port name>
                set igmp-snooping {enable | disable}
                set igmps-flood-reports {enable | disable}
        end
end

For example:

config switch-controller managed-switch
    edit S524DF4K15000024
        config ports
            edit port3
                set igmp-snooping enable
                set igmps-flood-reports enable
        end
end