Page 3 - TABLE OF CONTENTS
TABLE OF CONTENTS Change Log 6 Introduction 7 Supported Models 7 Supported Features 7 Before You Begin 8 How this Guide is Organized 8 System Settings 10 IP Conflict Detection 10 Description 10 Configuring IP Conflict Detection 10 Viewing IP Conflict Detection 10 Port Flap Guard 10 Configuring Port ...
Page 5 - TACACS
Routed Interfaces 41 Configuring a Routed Interface 42 Example Routed Port Configuration 42 Viewing Routed Port Configuration 43 Equal Cost Multi-Path (ECMP) Routing 43 Configuring ECMP 44 Example ECMP Configuration 44 Viewing ECMP Configuration 45 Bidirectional Forwarding Detection 45 Configuring B...
Page 6 - Change Log
Change Log Date Change Description Oct 24, 2014 Added content for initial 3.0.0 release. Nov 21, 2014 Added chapter to describe Private VLANs. Dec 4, 2014 Added content for release 3.0.1. Dec 22, 2014 Added a step in "Configuring a Port Mirror" to enable the Packet Switching option if the mir...
Page 7 - Introduction; Supported Models
Introduction This guide contains information about the administration of a FortiSwitch unit in standalone mode. In standalone mode, you manage the FortiSwitch by connecting directly to the unit, either using the web-based manager (also known as the GUI) or the CLI. If you will be managing your FortiSw...
Page 8 - Before You Begin
Introduction Feature FS-108D-POE FSR-112D-POE FS-224D-POE FS-1024D FS-1048D FS-3032D 802.1x MAC-based security mode ✓ ✓ ✓ ✓ LLDP transmit ✓ ✓ ✓ ✓ Loop guard ✓ ✓ ✓ ✓ Flap guard ✓ ✓ ✓ ✓ LAG min-max bundle ✓ ✓ ✓ ✓ Auto-module max speed detection ✓ ✓ IP conflict detection and notification ✓ ✓ ✓ ✓ Layer ...
Page 10 - IP Conflict Detection; Description; Configuring IP Conflict Detection; Viewing IP Conflict Detection; Port Flap Guard
System Settings IP Conflict Detection IP conflicts can occur when two systems on the same network are using the same IP. FortiSwitch monitors the network for conflicts and raises a system log message and an SNMP trap when it detects a conflict. Description The IP Conflict Detection feature provides tw...
Page 11 - Configuring Port Flap Guard; Viewing Port Flap Guard Configuration
System Settings The port flap guard feature will detect a flapping port and the system will shut down the port if necessary. You can manually reset the port and restore it to the enabled state. Configuring Port Flap Guard Port flap-guard is configured and enabled on a global basis. The default settin...
Page 12 - Management Ports; Configuring the Management Ports; Example Configurations
Management Ports Management Ports This chapter contains information about the initial configuration of your FortiSwitch unit. Configuring the Management Ports Using the web-based manager: First start by editing the default internal interface’s configuration. 1. Go to System > Network > Interfa...
Page 13 - Example 1: Port 48 as an inbound management interface; Also, the FortiSwitch in the; interface to any physical port.
Management Ports Example 1: Port 48 as an inbound management interface In this example, a physical port is used as an inbound management interface. Also, the FortiSwitch in the example has no default VLAN configured to connect its internal interface to any physical port. Using Port 48 of a FortiSwit...
Page 14 - Example 2: Internal interface as an inbound management interface; Example 3: WAN interface as an inbound management port
Management Ports Example 2: Internal interface as an inbound management interface In this example, the internal interface is used as an inbound management interface. Also, the FortiSwitch has a default VLAN across all physical ports and its internal port. Using the internal interface of a FortiSwitc...
Page 15 - Example 4: Out of band management interface
Management Ports WAN interface of a FortiSwitch-28C WAN 2 port used as an inbound management port Syntax config system interface edit wan2 set ip 10.105.142.10 255.255.255.0 set allowaccess ping https ssh set type physical next edit wan1 set mode dhcp set allowaccess ping https ssh set type physical...
Page 16 - Configuring Static Routing for the Internal Management Port
Management Ports Out of band management on a FortiSwitch-1024D Port 1 used as an Ethernet data port Dedicated MGMT port Syntax config system interface edit mgmt set ip 10.105.142.19 255.255.255.0 set allowaccess ping https http ssh snmp telnet set type physical next edit internal set type physical e...
Page 17 - Physical Port Settings; Diagnostic Monitoring Interface (DMI) Module Status
Physical Port Settings Physical Port Settings This chapter covers features that are associated with FortiSwitch physical ports. Diagnostic Monitoring Interface (DMI) Module Status DMI is only supported on the following models: FortiSwitch-1024D, FortiSwitch-1048D, and FortiSwitch-3032D. The FortiSwi...
Page 18 - Auto-Module Speed Detection; Enabling Auto-Module speed detection on a Port; Link-Layer Discovery Protocol
Physical Port Settings Auto-Module Speed Detection When you enable auto-module speed detection, the system reads information from the module, and sets the port speed to the maximum speed that is advertised by the module. If there is a problem reading from the module, the system sets the default speed ...
Page 19 - Enabling LLDP on a Port; Power over Ethernet; Enabling PoE on a Port
Physical Port Settings Enabling LLDP on a Port config switch physical-port edit <port> set lldp-transmit [ enable | disable ] next end Viewing LLDP Configuration Use the following command to display the LLDP errors: get switch lldp errors LLDP errors: Total memory allocation failures: 0 Total ...
Page 20 - Reset the PoE Power on a Port
Physical Port Settings Reset the PoE Power on a Port To reset the PoE power on a port, use the following command: execute poe-reset <port> 20 FortiSwitchOS-3.2.0
Page 21 - Spanning Tree Protocol; MSTP Overview and terminology; Regions
Spanning Tree Protocol Spanning Tree Protocol Spanning tree protocol is a link-management protocol that ensures a loop-free Layer 2 network topology. FortiSwitch supports the Multiple Spanning Tree Protocol (MSTP), which is defined in the IEEE 802.1Q standard. MSTP Overview and terminology MSTP supp...
Page 22 - MSTP configuration; Configuring STP settings
Spanning Tree Protocol Within the region, a hop-count mechanism is used to age out the BPDU. The IST root sends out BPDUs with hop count set to Maximum hops. The hop count is decremented each time the BPDU is forwarded. If the hop count reaches zero, the switch discards the BPDU and ages out the infor...
Page 23 - Configuring an MST instance
Spanning Tree Protocol Settings Guidelines Max-Age The maximum age before the switch considers the received BPDU information on a port to be expired. Max-age is used when inter-working with switches outside the region. Range of values is 6 to 40. Default value is 20. Max-Hops Maximum hops is used insid...
Page 25 - Interactions outside of the MSTP Region
Spanning Tree Protocol Example: config switch stp instance edit "1" set priority 8192 config stp-port edit "port18" set cost 0 set priority 128 next edit "port19" set cost 0 set priority 128 next end set vlan-range 5 7 11-20 end Interactions outside of the MSTP Region A bound...
Page 26 - VLAN Tagging; Native VLAN
VLAN Tagging VLAN Tagging FortiSwitch ports will process tagged and untagged Ethernet frames. Untagged frames do not carry any VLAN information. Tagged frames include an additional header (the 802.1Q header) after the Source MAC address. This header includes a VLAN ID. This allows the VLAN value to be ...
Page 27 - Packet Processing; Ingress Port
VLAN Tagging Packet Processing Ingress processing ensures that the port accepts only packets with allowed VLAN values (untagged packets are assigned the native VLAN, which is implicitly allowed). At this point, all packets are now tagged with a valid VLAN. The packet is sent to each egress port that ...
Page 28 - Example 1
VLAN Tagging Example 1 Example flows for tagged and untagged packets. Purple flow: An untagged packet arriving at Port3 is assigned VLAN 100 (the native VLAN), and flows to all egress ports that will send VLAN 100 (Port1 and Port4). A tagged packet (VLAN 100) arriving at Port4 is allowed (VLAN 100 is...
Page 29 - Example 2
VLAN Tagging Example 2 Example of invalid tagged VLAN. Green flow: Between Port1 and Port2, packets are assigned to VLAN 1 at ingress, and then the tag is removed at egress. Blue flow: Incoming on Port 3, a tagged packet with VLAN value 100 is not allowed, because 100 is the native VLAN. 29 FortiSwi...
Page 30 - Layer 2 Interfaces; Configuring Switched Interfaces; Viewing Interface Configuration; Fortinet Loop Guard
Layer 2 Interfaces This chapter provides information about configuring FortiSwitch layer 2 interfaces. Configuring Switched Interfaces Default configuration will suffice for regular switch ports. The default VLAN is set to 1, STP is enabled, and all other optional capabilities are disabled. You can c...
Page 31 - Configuring Loop Guard; Viewing Loop Guard Configuration
Layer 2 Interfaces The loop guard feature is designed to work in concert with STP rather than as a replacement for STP. Each port that has loop guard enabled will periodically broadcast Loop Guard Data Packets (LGDP) packets to its network. If a broadcast packet sent out on a port is subsequently rece...
Page 32 - Link Aggregation Groups; Configuring the Trunk and LAG Ports; Example Configuration
Link Aggregation Groups This chapter provides information on how to configure a Link Aggregation Group (LAG). For LAG control, FortiSwitch supports the industry-standard Link Aggregation Control Protocol (LACP). FortiSwitch supports LACP protocol in active and passive modes. In active mode, you can o...
Page 34 - Viewing the Configured Trunk
Link Aggregation Groups end Viewing the Configured Trunk In order to see the details of a configured trunk, use the following command: diagnose switch trunk list
Page 35 - Port Mirroring; Configuring a Port Mirror
Port Mirroring Port Mirroring This chapter contains information on how to configure layer 2 port mirroring. Configuring a Port Mirror Using the web-based manager: 1. Go to Switch > Port > Mirror . 2. Enter a name for the mirror. 3. Set the Status Enable check box to set the mirror to active. 4...
Page 38 - Private VLANs; About Private VLANs; Private VLAN Example
Private VLANs This chapter contains information on the creation and management of private virtual local area networks (VLANs). About Private VLANs A Private VLAN divides the original VLAN, now called the Primary VLAN, into sub-VLANs (Secondary VLANs), while keeping the existing IP subnet and layer 3 c...
Page 39 - Configuring SNMP Access
Private VLANs set primary-vlan 1000 next edit "port3" set private-vlan sub-vlan set primary-vlan 1000 set sub-vlan 200 next edit "port7" set private-vlan sub-vlan set primary-vlan 1000 set sub-vlan 101 next edit "port19" set private-vlan promiscuous set primary-vlan 1000 next...
Page 40 - Layer 3 Interfaces; Switched Virtual Interfaces; Configuring a Switched Virtual Interface; Example SVI Configuration
Layer 3 Interfaces Layer 3 Interfaces This chapter provides information about configuring Layer 3 interfaces. FortiSwitch supports Switched Virtual Interfaces (SVI) and Routed Ports. These interface types are described in detail below. Switched Virtual Interfaces Switched Virtual Interface (or SVI) i...
Page 41 - Viewing SVI Configuration; Routed Interfaces
Layer 3 Interfaces 1. Configure Native VLANs for Port1 & Port2. Also configure the “internal” interface to allow the native VLANs for Port1 and Port2: config switch interface edit port1 set native-vlan 4000 edit port2 set native-vlan 2 edit internal set allowed-vlans 2, 4000 end 2. Create L3 system ...
Page 42 - Configuring a Routed Interface
Layer 3 Interfaces Configuring a Routed Interface Using the CLI: Set the Allowed VLAN list on the internal interface. Include the VLANs of the routed ports. config switch interface edit internal set allowed-vlans <vlan list> end Create a Layer 3 virtual interface corresponding to the physical ...
Page 43 - Viewing Routed Port Configuration
Layer 3 Interfaces edit "i-green" set switch-members "port6" next edit "rVan10" set vlanid 10 set ip 1.1.3.1 255.255.255.0 set interface "i-red" set allowaccess ping telnet next edit "gVlan20" set vlanid 20 set ip 172.168.13.1 255.255.255.0 set allowaccess pin...
Page 44 - Configuring ECMP; Example ECMP Configuration
Layer 3 Interfaces An ECMP set is formed when the routing table contains multiple next-hop addresses for the same destination with equal cost. Routes of equal cost have the same preference and metric value. If there is an ECMP set for an active route, the switch uses a hash algorithm to choose one of th...
Page 45 - Viewing ECMP Configuration; Bidirectional Forwarding Detection
Layer 3 Interfaces edit "internal" set type physical next edit "i-blue" set ip 1.1.1.1 255.255.255.0 set allowaccess ping https http ssh snmp telnet set vlanid 10 set interface internal next edit "i-red" set ip 172.16.11.1 255.255.255.0 set allowaccess ping ssh telnet set vla...
Page 46 - Configuring BFD; Viewing BFD Configuration
Layer 3 Interfaces BFD defines Demand mode and Asynchronous mode operation. The FortiSwitch supports Asynchronous mode. In this mode, the systems periodically send BFD Control packets to one another, and if a number of those packets in a row are not received by the other system, the session is declare...
Page 47 - Configuring IP-MAC Binding
Layer 3 Interfaces IP-MAC Binding Use IP-MAC binding to prevent ARP spoofing. Port accepts a packet only if the source IP address and source MAC address in the packet match an entry in the IP-MAC binding table. You can enable/disable IP-MAC binding for the whole switch, and you can override this glob...
Page 48 - Viewing IP-MAC Binding Configuration
Layer 3 Interfaces Viewing IP-MAC Binding Configuration Display the status of IP-MAC binding using the following command: show switch ip-mac-binding <entry number>
Page 49 - Authenticating with a RADIUS server
802.1x Authentication This chapter contains information about how to use IEEE 802.1x authentication on Fortinet switches. About 802.1x FortiSwitch supports IEEE 802.1x authentication to control network access. FortiSwitch implements port-basedand MAC-based access. A supplicant connected to a port on...
Page 51 - Administrative Accounts; Configuring an Access Profile for Admin Accounts; Configuring a TACACS Admin Account
TACACS This chapter contains information on using TACACS authentication with your FortiSwitch unit. Administrative Accounts Administrative, or admin, accounts allow access to various aspects of the FortiSwitch configuration. The level of access is determined by the access profile used in the admin acc...
Page 52 - User Accounts; Configuring a User Account
TACACS Using the CLI: config system admin edit tacuser set remote-auth enable set wildcard enable set remote-group <group> set accprofile <profile> end end User Accounts User accounts can be used to identify a network user and determine what parts of the network the user is allowed to acc...