FortiSwitch port features
You can configure the FortiSwitch port feature settings from the FortiGate using the FortiSwitch CLI or Web administration GUI.
FortiSwitch ports display
The WiFi & Switch Controller > FortiSwitch Ports page displays port information about each of the managed switches.
The following figure shows the display for a FortiSwitch 524D-FPOE:
The switch faceplate displays:
- active ports (green)
- PoE-enabled ports (blue rectangle)
- FortiLink port (link icon)
PoE Status displays the total power budget and the actual power currently allocated.
The allocated power displays a blue bar for the used power (currently being consumed) and a green bar for the reserved power (power available for additional devices on the POE ports). See the following figures:
Each entry in the port list displays the following information:
- Port status (red for down, green for up)
- Port name
- Native VLAN
- Allowed VLANs
- Device information
- PoE status
- Bytes sent and received by the port
Configuring ports using the GUI
You can use the WiFi & Switch Controller > FortiSwitch Ports page to do the following with FortiSwitch switch ports:
- Set the native VLAN and add more VLANs
- Edit the description of the port
- Enable or disable the port
- Enable or disable PoE for the port
- Enable or disable DHCP blocking (if supported by the port)
- Enable or disable IGMP snooping (if supported by the port)
- Enable or disable whether a port is an edge port
- Enable or disable STP (if supported by the port)
- Enable or disable loop guard (if supported by the port)
- Enable or disable STP BPDU guard (if supported by the port)
- Enable or disable STP root guard (if supported by the port)
Resetting PoE-enabled ports
If you need to reset PoE-enabled ports, go to WiFi & Switch Control > FortiSwitch Ports, right-click on one or more PoE-enabled ports and select Reset PoE from the context menu.
You can also go to WiFi & Switch Control > Managed FortiSwitch and click on a port icon for the FortiSwitch of interest. In the FortiSwitch Ports page, right-click on one or more PoE-enabled ports and select Reset PoE from the context menu.
Configuring ports using the FortiGate CLI
You can configure the following FortiSwitch port settings using the FortiGate CLI:
- Configuring port speed and status
- Configure a VLAN on the port (see VLAN configuration)
- Configuring the DHCP trust setting
- Configuring PoE
- Configuring edge ports
- Configuring STP
- Configuring STP root guard
- Configuring STP BPDU guard
- Configuring loop guard
- Configuring LLDP settings
- Configuring IGMP settings
Configuring port speed and status
Use the following commands to set port speed and other base port settings:
config switch-controller managed-switch
edit <switch>
config ports
edit <port>
set description <text>
set speed <speed>
set status {down | up}
end
end
For example:
config switch-controller managed-switch
edit S524DF4K15000024
config ports
edit port1
set description "First port"
set speed auto
set status up
end
end
Configuring the DHCP trust setting
The DHCP blocking feature monitors the DHCP traffic from untrusted sources (for example, typically host ports and unknown DHCP servers) that might initiate traffic attacks or other hostile actions. To prevent this, DHCP blocking filters messages on untrusted ports.
Set the port as a trusted or untrusted DHCP-snooping interface:
config switch-controller managed-switch
edit <switch-id>
config ports
edit <port name>
set dhcp-snooping {trusted | untrusted}
end
end
For example:
config switch-controller managed-switch
edit S524DF4K15000024
config ports
edit port1
set dhcp-snooping trusted
end
end
Configuring PoE
The following PoE CLI commands are available starting in FortiSwitchOS 3.3.0.
Enable PoE on the port
config switch-controller managed-switch
edit <switch-id>
config ports
edit <port name>
set poe-status {enable | disable}
end
end
For example:
config switch-controller managed-switch
edit S524DF4K15000024
config ports
edit port1
set poe-status enable
end
end
Reset the PoE port
Power over Ethernet (PoE) describes any system that passes electric power along with data on twisted pair Ethernet cabling. Doing this allows a single cable to provide both data connection and electric power to devices (for example, wireless access points, IP cameras, and VoIP phones).
The following command resets PoE on the port:
execute switch-controller poe-reset <fortiswitch-id> <port>
Display general PoE status
get switch-controller <fortiswitch-id> <port>
The following example displays the PoE status for port 6 on the specified switch:
# get switch-controller poe FS108D3W14000967 port6
Port(6) Power:3.90W, Power-Status: Delivering Power
Power-Up Mode: Normal Mode
Remote Power Device Type: IEEE802.3AT PD
Power Class: 4
Defined Max Power: 30.0W, Priority:3
Voltage: 54.00V
Current: 78mA
Configuring edge ports
Use the following commands to enable or disable an interface as an edge port:
config switch-controller managed-switch
edit <switch>
config ports
edit <port>
set edge-port {enable | disable}
end
end
For example:
config switch-controller managed-switch
edit S524DF4K15000024
config ports
edit port1
set edge-port enable
end
end
Configuring STP
Starting with FortiSwitch Release 3.4.2, STP is enabled by default for the non-FortiLink ports on the managed FortiSwitches. STP is a link-management protocol that ensures a loop-free layer-2 network topology.
To configure global STP settings, see Configure STP settings.
Use the following commands to enable or disable STP on FortiSwitch ports:
config switch-controller managed-switch
edit <switch-id>
config ports
edit <port name>
set stp-state {enabled | disabled}
end
end
For example:
config switch-controller managed-switch
edit S524DF4K15000024
config ports
edit port1
set stp-state enabled
end
end
To check the STP configuration on a FortiSwitch, use the following command:
diagnose switch-controller dump stp <FortiSwitch_serial_number> <instance_number>
For example:
FG100D3G15817028 # diagnose switch-controller dump stp S524DF4K15000024 0 MST Instance Information, primary-Channel: Instance ID : 0 Switch Priority : 24576 Root MAC Address : 085b0ef195e4 Root Priority: 24576 Root Pathcost: 0 Regional Root MAC Address : 085b0ef195e4 Regional Root Priority: 24576 Regional Root Path Cost: 0 Remaining Hops: 20 This Bridge MAC Address : 085b0ef195e4 This bridge is the root Port Speed Cost Priority Role State Edge STP-Status Loop Protection ________________ ______ _________ _________ ___________ __________ ____ __________ ________ port1 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port2 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port3 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port4 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port5 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port6 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port7 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port8 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port9 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port10 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port11 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port12 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port13 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port14 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port15 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port16 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port17 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port18 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port19 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port20 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port21 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port22 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port23 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port25 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port26 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port27 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port28 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port29 - 200000000 128 DISABLED DISCARDING YES ENABLED NO port30 - 200000000 128 DISABLED DISCARDING YES ENABLED NO internal 1G 20000 128 DESIGNATED FORWARDING YES DISABLED NO __FoRtI1LiNk0__ 1G 20000 128 DESIGNATED FORWARDING YES DISABLED NO
Configuring STP root guard
Root guard protects the interface on which it is enabled from becoming the path to root. When enabled on an interface, superior BPDUs received on that interface are ignored or dropped. Without using root guard, any switch that participates in STP maintains the ability to reroute the path to root. Rerouting might cause your network to transmit large amounts of traffic across suboptimal links or allow a malicious or misconfigured device to pose a security risk by passing core traffic through an insecure device for packet capture or inspection. By enabling root guard on multiple interfaces, you can create a perimeter around your existing paths to root to enforce the specified network topology.
Enable root guard on all ports that should not be root bridges. Do not enable root guard on the root port. You must have STP enabled to be able to use root guard.
Use the following commands to enable or disable STP root guard on FortiSwitch ports:
config switch-controller managed-switch
edit <switch-id>
config ports
edit <port name>
set stp-root-guard {enabled | disabled}
end
end
For example:
config switch-controller managed-switch
edit S524DF4K15000024
config ports
edit port1
set stp-root-guard enabled
end
end
Configuring STP BPDU guard
Similar to root guard, BPDU guard protects the designed network topology. When BPDU guard is enabled on STP edge ports, any BPDUs received cause the ports to go down for a specified number of minutes. The BPDUs are not forwarded, and the network edge is enforced.
There are two prerequisites for using BPDU guard:
- You must define the port as an edge port with the
set edge-port enable
command. - You must enable STP on the switch interface with the
set stp-state enabled
command.
You can set how long the port will go down when a BPDU is received for a maximum of 120 minutes. The default port timeout is 5 minutes. If you set the timeout value to 0, the port will not go down when a BPDU is received, but you will have manually reset the port.
Use the following commands to enable or disable STP BPDU guard on FortiSwitch ports:
config switch-controller managed-switch
edit <switch-id>
config ports
edit <port name>
set stp-bpdu-guard {enabled | disabled}
set stp-bpdu-guard-time <0-120>
end
end
For example:
config switch-controller managed-switch
edit S524DF4K15000024
config ports
edit port1
set stp-bpdu-guard enabled
set stp-bpdu-guard-time 10
end
end
To check the configuration of STP BPDU guard on a FortiSwitch, use the following command:
diagnose switch-controller dump bpdu-guard-status <FortiSwitch_serial_number>
For example:
FG100D3G15817028 # diagnose switch-controller dump bpdu-guard-status S524DF4K15000024 Managed Switch : S524DF4K15000024 0 Portname State Status Timeout(m) Count Last-Event _________________ _______ _________ ___________ _____ _______________ port1 enabled - 10 0 - port2 disabled - - - - port3 disabled - - - - port4 disabled - - - - port5 disabled - - - - port6 disabled - - - - port7 disabled - - - - port8 disabled - - - - port9 disabled - - - - port10 disabled - - - - port11 disabled - - - - port12 disabled - - - - port13 disabled - - - - port14 disabled - - - - port15 disabled - - - - port16 disabled - - - - port17 disabled - - - - port18 disabled - - - - port19 disabled - - - - port20 disabled - - - - port21 disabled - - - - port22 disabled - - - - port23 disabled - - - - port25 disabled - - - - port26 disabled - - - - port27 disabled - - - - port28 disabled - - - - port29 disabled - - - - port30 disabled - - - - __FoRtI1LiNk0__ disabled - - - -
Configuring loop guard
A loop in a layer-2 network results in broadcast storms that have far-reaching and unwanted effects. Fortinet loop guard helps to prevent loops. When loop guard is enabled on a switch port, the port monitors its subtending network for any downstream loops. Loop guard and STP should be used separately for loop protection. By default, loop guard is disabled on all ports.
Use the following commands to configure loop guard on a FortiSwitch port:
config switch-controller managed-switch
edit <switch-id>
config ports
edit <port name>
set loop-guard {enabled | disabled}
set loop-guard-timeout <0-120 minutes>
end
end
For example:
config switch-controller managed-switch
edit S524DF4K15000024
config ports
edit port1
set loop-guard enabled
set loop-guard-timeout 10
end
end
Configuring LLDP settings
The Fortinet data center switches support the Link Layer Discovery Protocol (LLDP) for transmission and reception wherein the switch will multicast LLDP packets to advertise its identity and capabilities. A switch receives the equivalent information from adjacent layer-2 peers.
Use the following commands to configure LLDP on a FortiSwitch port:
config switch-controller managed-switch
edit <switch-id>
config ports
edit <port name>
set lldp-status {rx-only | tx-only | tx-rx | disable}
set lldp-profile <profile name>
end
end
For example:
config switch-controller managed-switch
edit S524DF4K15000024
config ports
edit port2
set lldp-status tx-rx
set lldp-profile default
end
end
Configuring IGMP settings
IGMP snooping allows the FortiSwitch to passively listen to the Internet Group Management Protocol (IGMP) network traffic between hosts and routers. The switch uses this information to determine which ports are interested in receiving each multicast feed. FortiSwitch can reduce unnecessary multicast traffic on the LAN by pruning multicast traffic from links that do not contain a multicast listener.
config switch-controller managed-switch
edit <switch-id>
config ports
edit <port name>
set igmp-snooping {enable | disable}
set igmps-flood-reports {enable | disable}
end
end
For example:
config switch-controller managed-switch
edit S524DF4K15000024
config ports
edit port3
set igmp-snooping enable
set igmps-flood-reports enable
end
end