FortiSwitch features configuration

This section describes how to configure global FortiSwitch settings using FortiGate CLI commands. These settings will apply to all of the managed FortiSwitch units. You can also override some of the settings on individual FortiSwitch units.

This chapter covers the following topics:

  • Configure VLANs
  • Configure IGMP settings
  • Configure LLDP-MED
  • Configure the MAC sync interval
  • Configure STP settings
  • Quarantines

Configure VLANs

Use Virtual Local Area Networks (VLANs) to logically separate a LAN into smaller broadcast domains. VLANs allow you to define different policies for different types of users and to set finer control on the LAN traffic. (Traffic is only sent automatically within the VLAN. You must configure routing for traffic between VLANs.)

From the FortiGate unit, you can centrally configure and manage VLANs for the managed FortiSwitch units.

In FortiSwitchOS 3.3.0 and later releases, the FortiSwitch supports untagged and tagged frames in FortiLink mode. The switch supports up to 1,023 user-defined VLANs. You can assign a VLAN ID from 1 to 4094 to each VLAN (4095 is reserved by IEEE 802.1Q and is not accepted by the FortiGate GUI or CLI).

You can configure the default VLAN for each FortiSwitch port as well as a set of allowed VLANs for each FortiSwitch port.

FortiSwitch VLANs display

The WiFi & Switch Controller > FortiSwitch VLANs page displays VLAN information for the managed switches.

Each entry in the VLAN list displays the following information:

  • Name—name of the VLAN
  • VLAN ID—the VLAN number
  • IP/Netmask—address and mask of the subnetwork that corresponds to this VLAN
  • Access—administrative access settings for the VLAN
  • Ref—number of configuration objects referencing this VLAN

Enabling and disabling switch-controller access VLANs through the FortiGate unit

Access VLANs aggregate client traffic so that it flows only to the FortiGate unit: the FortiSwitch blocks port-to-port forwarding within the VLAN, so clients cannot see one another at layer 2 and can only communicate with the FortiGate. Once the client traffic reaches the FortiGate, the FortiGate unit decides what level of access to grant the client, for example by moving the client to another VLAN as appropriate.

IPv6 is not supported between clients within a switch-controller access VLAN.

Use enable to allow traffic only to and from the FortiGate and to block FortiSwitch port-to-port traffic on the specified VLAN. Use disable to allow normal traffic on the specified VLAN.

config system interface
    edit <VLAN name>
        set switch-controller-access-vlan {enable | disable}
    next
end

 

Clients on an access VLAN cannot ARP each other directly, so you must configure proxy ARP with the config system proxy-arp CLI command before the access VLAN is usable: the FortiGate then answers ARP requests on the clients' behalf. The proxy-ARP range on the VLAN interface must cover the addresses the clients use (for example, the VLAN's DHCP range). For example:

config system proxy-arp
    edit 1
        set interface "V100"
        set ip 1.1.1.1
        set end-ip 1.1.1.200
    next
end

Creating VLANs

Setting up a VLAN requires you to create the VLAN and assign FortiSwitch ports to the VLAN. You can do this with either the Web GUI or CLI.

Using the Web administration GUI

To create the VLAN:

  1. Go to WiFi & Switch Controller > FortiSwitch VLANs, select Create New, and change the following settings:
     Interface Name: VLAN name
     VLAN ID: Enter a number (1-4094)
     Color: Choose a unique color for each VLAN, for ease of visual display.
     IP/Network Mask: IP address and network mask for this VLAN.
  2. Enable DHCP Server and set the IP range.
  3. Set the Admission Control options as required.
  4. Select OK.

 

To assign FortiSwitch ports to the VLAN:
  1. Go to WiFi & Switch Controller > FortiSwitch Ports.
  2. Click one or more port rows to select them.
  3. Click the Native VLAN column in one of the selected entries to change the native (untagged) VLAN.
  4. Select a VLAN from the displayed list. The new value is assigned to all of the selected ports.
  5. Click the + icon in the Allowed VLANs column to change the allowed (tagged) VLANs.
  6. Select one or more of the VLANs (or the value all) from the displayed list. The new value is assigned to all of the selected ports.

Using the FortiGate CLI

  1. Create the VLAN on the FortiLink interface.

config system interface
    edit <vlan name>
        set vlanid <1-4094>
        set color <1-32>
        set interface <FortiLink-enabled interface>
    next
end

  2. Set the VLAN's IP address.

config system interface
    edit <vlan name>
        set ip <IP address> <Network mask>
    next
end

  3. Enable a DHCP server on the VLAN. The ip-range table needs an entry ID (edit 1) before start-ip and end-ip can be set.

config system dhcp server
    edit 1
        set default-gateway <IP address>
        set dns-service default
        set interface <vlan name>
        set netmask <Network mask>
        config ip-range
            edit 1
                set start-ip <IP address>
                set end-ip <IP address>
            next
        end
    next
end

  4. Assign ports to the VLAN. set vlan selects the port's native (untagged) VLAN; set allowed-vlans lists the tagged VLANs the port accepts, or use set allowed-vlans-all enable to accept all of them.

config switch-controller managed-switch
    edit <Switch ID>
        config ports
            edit <port name>
                set vlan <vlan name>
                set allowed-vlans <vlan name>
                or
                set allowed-vlans-all enable
            next
        end
    next
end

 

Assign untagged VLANs to a managed FortiSwitch port:

config switch-controller managed-switch
    edit <managed-switch>
        config ports
            edit <port>
                set untagged-vlans <VLAN-name>
            next
        end
    next
end
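The access-VLAN and proxy-ARP requirement above and the four-step creation procedure can be checked before anything is typed into the FortiGate CLI. The following Python script is an added example, not code from the FortiSwitch documentation or from Fortinet: it validates a VLAN plan against the constraints this page states (VLAN ID 1-4094, DHCP range inside the VLAN subnet and not containing the gateway, and, for an access VLAN, a proxy-ARP range that covers every client address) and then prints the resulting CLI blocks. The interface name fortilink, the VLAN name V100 and the switch serial S124DP3X16000000 are illustrative assumptions.

```python
"""Check a FortiSwitch VLAN plan before it is entered on the FortiGate CLI.

Added example, not part of the FortiSwitch documentation or of FortiOS.
"""
import ipaddress


def plan_vlan(name, vlanid, fortilink, gateway_cidr, dhcp_start, dhcp_end,
              ports, access_vlan=False, proxy_arp=None, dhcp_id=1):
    """Validate the plan and return the FortiGate CLI text as one string.

    ports is a list of (switch_id, port_name) pairs that get this VLAN as
    their native VLAN. proxy_arp is a (start, end) pair of addresses and is
    required when access_vlan is True.
    """
    if not 1 <= vlanid <= 4094:
        raise ValueError(f"VLAN ID {vlanid} is outside 1-4094")
    gw = ipaddress.ip_interface(gateway_cidr)      # e.g. "10.10.100.1/24"
    net = gw.network
    start = ipaddress.ip_address(dhcp_start)
    end = ipaddress.ip_address(dhcp_end)
    if start > end:
        raise ValueError("DHCP start-ip is after end-ip")
    if start not in net or end not in net:
        raise ValueError(f"DHCP range {start}-{end} is outside {net}")
    if start <= gw.ip <= end:
        raise ValueError(f"DHCP range would hand out the gateway {gw.ip}")
    if access_vlan:
        if proxy_arp is None:
            raise ValueError("an access VLAN needs a proxy-ARP range")
        p_start, p_end = (ipaddress.ip_address(a) for a in proxy_arp)
        # Clients on an access VLAN cannot ARP each other, so the FortiGate
        # must answer ARP for every address a client may hold.
        if p_start > start or p_end < end:
            raise ValueError(f"proxy-ARP range {p_start}-{p_end} does not "
                             f"cover the DHCP range {start}-{end}")

    mask = net.netmask
    out = ["config system interface",
           f'    edit "{name}"',
           f"        set vlanid {vlanid}",
           f'        set interface "{fortilink}"',
           f"        set ip {gw.ip} {mask}"]
    if access_vlan:
        out.append("        set switch-controller-access-vlan enable")
    out += ["    next", "end",
            "config system dhcp server",
            f"    edit {dhcp_id}",
            f"        set default-gateway {gw.ip}",
            f"        set netmask {mask}",
            "        set dns-service default",
            f'        set interface "{name}"',
            "        config ip-range",
            "            edit 1",
            f"                set start-ip {start}",
            f"                set end-ip {end}",
            "            next",
            "        end",
            "    next", "end"]
    if access_vlan:
        out += ["config system proxy-arp",
                "    edit 1",
                f'        set interface "{name}"',
                f"        set ip {p_start}",
                f"        set end-ip {p_end}",
                "    next", "end"]
    for switch_id, port in ports:
        out += ["config switch-controller managed-switch",
                f'    edit "{switch_id}"',
                "        config ports",
                f'            edit "{port}"',
                f'                set vlan "{name}"',
                f'                set allowed-vlans "{name}"',
                "            next",
                "        end",
                "    next", "end"]
    return "\n".join(out)


if __name__ == "__main__":
    # Illustrative values; the names and serial are assumptions.
    print(plan_vlan("V100", 100, "fortilink", "10.10.100.1/24",
                    "10.10.100.10", "10.10.100.200",
                    [("S124DP3X16000000", "port5")],
                    access_vlan=True,
                    proxy_arp=("10.10.100.2", "10.10.100.254")))
```

The proxy-ARP check is the one most often missed: an access VLAN without a covering proxy-ARP range leaves clients able to obtain a lease but unable to resolve anything, which looks like a switching fault rather than the missing FortiGate configuration.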

Configure IGMP settings

Use the following command to configure the global IGMP snooping settings.

Aging time is the maximum number of seconds that the system will retain a multicast snooping entry. Enter an integer value from 15 to 3600. The default value is 300.

Flood-unknown-multicast controls whether the system floods multicast frames for groups with no snooping entry to every port in the VLAN; when it is disabled, such frames are not flooded.

config switch-controller igmp-snooping
    set aging-time <15-3600>
    set flood-unknown-multicast {enable | disable}
end

Configure LLDP-MED

To configure LLDP profiles:

config switch-controller lldp-profile
    edit <profile number>
        set 802.1-tlvs port-vlan-id
        set 802.3-tlvs max-frame-size
        set auto-isl {enable | disable}
        set auto-isl-hello-timer <1-30>
        set auto-isl-port-group <0-9>
        set auto-isl-receive-timeout <3-90>
        set med-tlvs {inventory-management | network-policy}
    next
end

 

To configure LLDP settings:

config switch-controller lldp-settings
    set status {enable | disable}
    set tx-hold <int>
    set tx-interval <int>
    set fast-start-interval <int>
    set management-interface {internal | management}
end

Variable              Description
status                Enable or disable LLDP on the managed FortiSwitch units.
tx-hold               Number of tx-intervals before the local LLDP data expires. The TTL advertised in the packet (in seconds) is therefore tx-hold times tx-interval. The range for tx-hold is 1 to 16, and the default value is 4.
tx-interval           How often the FortiSwitch transmits the LLDP PDU. The range is 5 to 4095 seconds, and the default is 30 seconds.
fast-start-interval   How often the FortiSwitch transmits the first 4 LLDP packets when a link comes up. The range is 2 to 5 seconds, and the default is 2 seconds. Set this variable to zero to disable fast start.
management-interface  Primary management interface to be advertised in LLDP and CDP PDUs.

Create LLDP asset tags for each managed FortiSwitch

You can use the following commands to add an LLDP asset tag for a managed FortiSwitch:

config switch-controller managed-switch
    edit <fsw>
        set switch-device-tag <string>
    next
end

Add media endpoint discovery (MED) to an LLDP configuration

You can use the following commands to add media endpoint discovery (MED) network policies and custom TLVs to an LLDP profile:

config switch-controller lldp-profile
    edit <lldp-profile>
        config med-network-policy
            edit guest-voice
                set status {disable | enable}
            next
            edit guest-voice-signaling
                set status {disable | enable}
            next
            edit softphone-voice
                set status {disable | enable}
            next
            edit streaming-video
                set status {disable | enable}
            next
            edit video-conferencing
                set status {disable | enable}
            next
            edit video-signaling
                set status {disable | enable}
            next
            edit voice
                set status {disable | enable}
            next
            edit voice-signaling
                set status {disable | enable}
            next
        end
        config custom-tlvs
            edit <name>
                set oui <identifier>
                set subtype <subtype>
                set information-string <string>
            next
        end
    next
end

Display LLDP information

You can use the following commands to display LLDP information:

diagnose switch-controller dump lldp stats <switch> <port>

diagnose switch-controller dump lldp neighbors-summary <switch>

diagnose switch-controller dump lldp neighbors-detail <switch>

 

Configure the MAC sync interval

Use the following commands to configure the global MAC sync interval.

The MAC sync interval is the time between synchronizations of the MAC address tables of the managed FortiSwitch units. The range is 30 to 600 seconds, and the default value is 60.

config switch-controller mac-sync-settings
    set mac-sync-interval <30-600>
end

Configure STP settings

STP is not supported between a FortiGate unit and a FortiSwitch unit in FortiLink mode.

Use the following CLI commands for global STP configuration. This configuration applies to all managed FortiSwitch units:

config switch-controller stp-settings
    set name <name>
    set revision <stp revision>
    set hello-time <hello time>
    set forward-time <forwarding delay>
    set max-age <maximum aging time>
    set max-hops <maximum number of hops>
end

You can override the global STP settings for a FortiSwitch unit using the following commands. After set local-override enable, the same variables as in the global command apply to this switch only:

config switch-controller managed-switch
    edit <switch-id>
        config stp-settings
            set local-override enable
            set name <name>
            set revision <stp revision>
            set hello-time <hello time>
            set forward-time <forwarding delay>
            set max-age <maximum aging time>
            set max-hops <maximum number of hops>
        end
    next
end

Quarantines

Administrators can quarantine hosts and users connected to a FortiSwitch unit by MAC address. Quarantined MAC addresses are isolated from the rest of the LAN by moving them to a separate quarantine VLAN.

Quarantining MAC addresses

You can use the FortiGate GUI or CLI to quarantine a MAC address.

If you have multiple FortiLink interfaces, only the first quarantine VLAN is created successfully (with an IP address of 10.254.254.254). Additional quarantine VLANs will have an empty IP address.

Using the FortiGate GUI

In the FortiGate GUI, the quarantine feature is automatically enabled when you quarantine a host.

  1. Select the host to quarantine.
    • Go to Security Fabric > Physical Topology, right-click on a host, and select Quarantine Host on FortiSwitch.
    • Go to Security Fabric > Logical Topology, right-click on a host, and select Quarantine Host on FortiSwitch.
    • Go to FortiView > Sources, right-click on an entry in the Source column, and select Quarantine Host on FortiSwitch.
  2. Select Accept to confirm that you want to quarantine the host.

Using the FortiGate CLI

Previously, this feature used the config switch-controller quarantine CLI command.

By default, the quarantine feature is enabled. When you upgrade a FortiGate unit from an older to a newer firmware version, the FortiGate unit uses the quarantine feature status from the older configuration. If the quarantine feature was disabled in the older configuration, it will be disabled after the upgrade.

You can add MAC addresses to be quarantined even when the quarantine feature is disabled. The MAC addresses are only quarantined when the quarantine feature is enabled.

The table size limit for the quarantine entry is 512. There is no limit for how many MAC addresses can be quarantined per quarantine entry.

config user quarantine
    set quarantine enable
    config targets
        edit <quarantine_entry_name>
            set description <string>
            config macs
                edit <MAC_address_1>
                next
                edit <MAC_address_2>
                next
                edit <MAC_address_3>
                next
            end
        next
    end
end

Option                  Description
quarantine_entry_name   A name for this quarantine entry.
string                  Optional. A description of the MAC addresses being quarantined.
MAC_address_1, MAC_address_2, MAC_address_3
                        A layer-2 MAC address in the following format: 12:34:56:aa:bb:cc

For example (the description belongs to the quarantine entry, so it is set before config macs):

config user quarantine
    set quarantine enable
    config targets
        edit quarantine1
            set description "infected by virus"
            config macs
                edit 00:00:00:aa:bb:cc
                next
                edit 00:11:22:33:44:55
                next
                edit 00:01:02:03:04:05
                next
            end
        next
    end
end

Viewing quarantine entries

Quarantine entries are created on the FortiGate unit that is managing the FortiSwitch unit.

Using the FortiGate GUI

  1. Go to Monitor > Quarantine Monitor.
  2. Click Quarantined on FortiSwitch.
    The Quarantined on FortiSwitch button is only available if a device is detected behind the FortiSwitch unit, which requires Device Detection to be enabled.

Using the FortiGate CLI

Use the following command to view the quarantine list of MAC addresses:

show user quarantine

For example:

show user quarantine

config user quarantine
    set quarantine enable
    config targets
        edit quarantine1
            set description "infected by virus"
            config macs
                edit 00:00:00:aa:bb:cc
                next
                edit 00:11:22:33:44:55
                next
                edit 00:01:02:03:04:05
                next
            end
        next
    end
end
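Because every FortiOS show command emits the same nested config / edit / set / next / end text, the quarantine list above can be parsed and audited offline, for example from a saved configuration backup. The following Python script is an added example, not part of the FortiSwitch documentation or of FortiOS: it parses show user quarantine output, reports whether the feature is enabled (entries only take effect when it is), checks each MAC address against the aa:bb:cc:dd:ee:ff format the page requires, flags a MAC listed under more than one target and the 512-entry limit of the targets table, and builds the CLI block that releases a single address. SAMPLE is constructed for the example, reusing the MAC addresses from the page's own example.

```python
"""Parse `show user quarantine` output and audit the quarantine list.

Added example, not part of the FortiSwitch documentation or of FortiOS.
The parser handles the generic FortiOS config/edit/set/next/end grammar, so
it also works on the VLAN, DHCP and managed-switch output on this page.
"""
import re
import shlex

MAC_RE = re.compile(r"^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$")
MAX_TARGETS = 512  # table size limit for quarantine entries stated on the page

# Constructed sample of `show user quarantine` output (not captured from a device).
SAMPLE = """\
config user quarantine
    set quarantine enable
    config targets
        edit quarantine1
            set description "infected by virus"
            config macs
                edit 00:00:00:aa:bb:cc
                next
                edit 00:11:22:33:44:55
                next
                edit 00:01:02:03:04:05
                next
            end
        next
    end
end
"""


def parse_config(text):
    """Return nested dicts for FortiOS config text.

    `config X` and `edit X` open a nested dict under key X; `set K V...`
    stores the quote-stripped value under K; `next` and `end` close the
    current level. Settings (strings) and child entries (dicts) share a
    dict, so callers tell them apart by type.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "set":
            stack[-1][args[0]] = " ".join(args[1:])
        elif kw in ("next", "end"):
            stack.pop()
    return root


def audit_quarantine(cfg):
    """Summarise the quarantine config and flag what would not take effect."""
    q = cfg.get("user quarantine", {})
    targets = {name: entry for name, entry in q.get("targets", {}).items()
               if isinstance(entry, dict)}
    report = {"enabled": q.get("quarantine") == "enable",
              "targets": {}, "invalid_macs": [], "duplicate_macs": [],
              "over_limit": len(targets) > MAX_TARGETS}
    seen = set()
    for name, entry in targets.items():
        macs = [m for m, v in entry.get("macs", {}).items() if isinstance(v, dict)]
        report["targets"][name] = macs
        for mac in macs:
            if not MAC_RE.match(mac):
                report["invalid_macs"].append((name, mac))
            elif mac.lower() in seen:
                report["duplicate_macs"].append((name, mac))
            seen.add(mac.lower())
    return report


def release_command(target, mac):
    """CLI block that releases one MAC address from a quarantine entry."""
    return "\n".join([
        "config user quarantine",
        "    config targets",
        f"        edit {target}",
        "            config macs",
        f"                delete {mac}",
        "            end",
        "        next",
        "    end",
        "end",
    ])


if __name__ == "__main__":
    report = audit_quarantine(parse_config(SAMPLE))
    print(report)
    print(release_command("quarantine1", "00:11:22:33:44:55"))
```

Run it against the output of show user quarantine copied from the FortiGate (or the user quarantine section of a configuration backup). An "enabled": False result with a populated target list is the case the page warns about: the addresses are stored but nothing is actually isolated until set quarantine enable is applied.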

 

When the quarantine feature is enabled on the FortiGate unit, it creates a quarantine VLAN (qtn.<FortiLink_port_name>) and a quarantine DHCP server (with the quarantine VLAN's IP address as the default gateway) on the virtual domain. The quarantine VLAN is added to the allowed and untagged VLANs on all connected FortiSwitch ports. As the example below shows, the quarantine VLAN is itself an access VLAN (switch-controller-access-vlan enable) with captive-portal security mode, so quarantined hosts cannot reach each other and can only communicate with the FortiGate.

Use the following command to view the quarantine VLAN:

show system interface qtn.<FortiLink_port_name>

For example:

show system interface qtn.port7

config system interface
    edit "qtn.port7"
        set vdom "vdom1"
        set ip 10.254.254.254 255.255.255.0
        set description "Quarantine VLAN"
        set security-mode captive-portal
        set replacemsg-override-group "auth-intf-qtn.port7"
        set device-identification enable
        set device-identification-active-scan enable
        set snmp-index 34
        set switch-controller-access-vlan enable
        set color 6
        set interface "port7"
        set vlanid 4093
    next
end

 

Use the following command to view the quarantine DHCP server:

show system dhcp server

config system dhcp server
    edit 2
        set dns-service default
        set default-gateway 10.254.254.254
        set netmask 255.255.255.0
        set interface "qtn.port7"
        config ip-range
            edit 1
                set start-ip 10.254.254.192
                set end-ip 10.254.254.253
            next
        end
        set timezone-option default
    next
end

 

Use the following command to view how the quarantine VLAN is applied to the allowed and untagged VLANs on all connected FortiSwitch ports:

show switch-controller managed-switch

For example:

show switch-controller managed-switch

config switch-controller managed-switch
    edit "FS1D483Z15000036"
        set fsw-wan1-peer "port7"
        set fsw-wan1-admin enable
        set version 1
        set dynamic-capability 503
        config ports
            edit "port1"
                set vlan "vsw.port7"
                set allowed-vlans "qtn.port7"
                set untagged-vlans "qtn.port7"
            next
            edit "port2"
                set vlan "vsw.port7"
                set allowed-vlans "qtn.port7"
                set untagged-vlans "qtn.port7"
            next
            edit "port3"
                set vlan "vsw.port7"
                set allowed-vlans "qtn.port7"
                set untagged-vlans "qtn.port7"
            next
            ...
        end
    next
end

Releasing MAC addresses from quarantine

Using the FortiGate GUI

  1. Go to Monitor > Quarantine Monitor.
  2. Click Quarantined on FortiSwitch.
  3. Right-click on one of the entries and select Delete or Remove All.
  4. Click OK to confirm your choice.

Using the FortiGate CLI

To release MAC addresses from quarantine, you can delete a single MAC address or delete a quarantine entry, which will delete all of the MAC addresses listed in the entry. You can also disable the quarantine feature, which releases all quarantined MAC addresses from quarantine.

To delete a single quarantined MAC address:

config user quarantine
    config targets
        edit <quarantine_entry_name>
            config macs
                delete <MAC_address_1>
            end
        next
    end
end

To delete all MAC addresses in a quarantine entry:

config user quarantine
    config targets
        delete <quarantine_entry_name>
    end
end

To disable the quarantine feature:

config user quarantine
    set quarantine disable
end