FortiSwitch Manager-7.2.0-Administration Guide

Administration Guide
FortiSwitch Manager 7.2.0

FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com
FORTINET VIDEO GUIDE

https://video.fortinet.com
FORTINET BLOG
https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT

https://support.fortinet.com
FORTINET TRAINING & CERTIFICATION PROGRAM

https://www.fortinet.com/training-certification
NSE INSTITUTE
https://training.fortinet.com
FORTIGUARD CENTER
https://www.fortiguard.com
END USER LICENSE AGREEMENT

https://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK
Email: [email protected]
May 18, 2022

FortiSwitch Manager 7.2.0 Administration Guide
11-720-765800-20220518
TABLE OF CONTENTS
Change log 7
Introduction 8
Supported models 8
Compatibility 8
Web browser support 8
Virtualization environment support 9
System requirements 9
Supported Switch Controller features 9
Whatʼs new in FortiSwitch Manager 7.2.0 12
How to get started 13
Setting up FortiSwitch Manager 14
Registering the FortiSwitch Manager license 15
Installing the FortiSwitch Manager license 15
Configuring FortiLink 17
Setting up the FortiSwitch units 17
Connecting additional FortiSwitch units to the first FortiSwitch unit 21
Using FortiSwitch Manager 21
How to authorize a FortiSwitch unit 22
Creating a switch group 23
Managing FortiSwitch units 24
Optional configuration required before discovering and authorizing FortiSwitch units 24
Migrating the configuration of standalone FortiSwitch units 24
VLAN interface templates for FortiSwitch units 24
Automatic provisioning of FortiSwitch firmware upon authorization 28
Discovering 29
Authorizing 29
Preparing the FortiSwitch unit 29
Optional management configuration 30
Using the FortiSwitch serial number for automatic name resolution 30
Changing the admin password for all managed FortiSwitch units 31
Disabling the FortiSwitch console port login 31
Using automatic network detection and configuration 32
Limiting the number of parallel processes for FortiSwitch configuration 32
Configuring access to management and internal interfaces 32
Enabling VLAN optimization 33
Grouping FortiSwitch units 33
Configuring FortiSwitch VLANs and ports 35
Configuring VLANs 35
Creating VLANs 35
Viewing FortiSwitch VLANs 37
Configuring ports using the GUI 38
Configuring port speed and status 38
Configuring flap guard 39
FortiSwitch Manager 7.2.0 Administration Guide 3

Fortinet Inc.
Resetting a port 40
Configuring PoE 41
Enabling PoE on the portconfig 41
Enabling PoE pre-standard detection 41
Resetting the PoE port 42
Displaying general PoE status 42
Adding 802.3ad link aggregation groups (trunks) 42
MCLAG trunks 44
Configuring FortiSwitch split ports (phy-mode) in FortiLink mode 45
Configuring split ports on a previously discovered FortiSwitch unit 46
Configuring split ports with a new FortiSwitch unit 46
Configuring forward error correction on switch ports 46
Configuring a split port on the FortiSwitch unit 47
Restricting the type of frames allowed through IEEE 802.1Q ports 49
Configuring switching features 50
Configuring DHCP blocking, STP, and loop guard on managed FortiSwitch ports 50
Configuring edge ports 51
Configuring loop guard 52
Configuring STP settings 52
Configuring STP on FortiSwitch ports 53
Configuring STP root guard 55
Configuring STP BPDU guard 56
Configuring interoperation with per-VLAN RSTP 57
Dynamic MAC address learning 58
Limiting the number of learned MAC addresses on a FortiSwitch interface 59
Controlling how long learned MAC addresses are saved 59
Logging violations of the MAC address learning limit 60
Persistent (sticky) MAC addresses 61
Logging changes to MAC addresses 61
Configuring storm control 62
Configuring IGMP-snooping settings 63
Configuring global IGMP-snooping settings 63
Configuring IGMP-snooping settings on a switch 63
Configuring the IGMP-snooping proxy 64
Configuring the IGMP-snooping querier 64
Configuring PTP transparent-clock mode 65
Device detection 67
Configuring LLDP-MED settings 67
Adding media endpoint discovery (MED) to an LLDP configuration 69
Displaying LLDP information 70
Configuring the LLDP settings 70
FortiSwitch security 72
FortiSwitch security policies 72
Number of devices supported per port for 802.1x MAC-based authentication 73
Configuring the 802.1x settings 73
Overriding the settings 74
Defining an 802.1x security policy 75

Fortinet Inc.
Applying an 802.1x security policy to a FortiSwitch port 76
Testing 802.1x authentication with monitor mode 77
Clearing authorized sessions 77
RADIUS accounting support 78
RADIUS change of authorization (CoA) support 78
Detailed deployment notes 81
Configuring the DHCP trust setting 81
Configuring the DHCP server access list 82
Configuring dynamic ARP inspection (DAI) 84
Configuring IPv4 source guard 84
Enabling IPv4 source guard 85
Creating static entries 85
Checking the IPv4 source-guard entries 86
Configuring layer-3 routing on FortiSwitch units 87
Static routes for IPv4 traffic 88
Switch virtual interfaces 89
Reserved names 91
Routed VLAN interfaces 92
Virtual routing and forwarding 92
Configuring QoS with managed FortiSwitch units 94
Configuring ECN for managed FortiSwitch devices 96
Logging and monitoring 97
FortiSwitch log settings 97
Exporting logs to FortiSwitch Manager 97
Sending logs to a remote Syslog server 98
Configuring FortiSwitch port mirroring 98
Configuring SNMP 100
Configuring SNMP globally 101
Configuring SNMP locally 102
SNMP OIDs 104
Configuring sFlow 105
Configuring flow tracking and export 106
Configuring flow control and ingress pause metering 108
Operation and maintenance 110
Discovering, authorizing, and deauthorizing FortiSwitch units 110
Editing a managed FortiSwitch unit 110
Adding preauthorized FortiSwitch units 111
Using wildcard serial numbers to pre-authorize FortiSwitch units 111
Authorizing the FortiSwitch unit 112
Deauthorizing FortiSwitch units 112
Converting to FortiSwitch standalone mode 113
Diagnostics and tools 113
Making the LEDs blink 115
Running the cable test 115
FortiSwitch ports display 116
Displaying, resetting, and restoring port statistics 116

Fortinet Inc.
Network interface display 120
Synchronizing FortiSwitch Manager with the managed FortiSwitch units 120
Fabric management 121
Viewing and upgrading the FortiSwitch firmware version 123
Canceling pending or downloading FortiSwitch upgrades 124
Replacing a managed FortiSwitch unit 125
Executing custom FortiSwitch scripts 130
Creating a custom script 130
Executing a custom script once 130
Binding a custom script to a managed switch 131
Resetting PoE-enabled ports 131

Fortinet Inc.
Change log
Date Change Description
May 18, 2022 Initial release of FortiSwitch Manager 7.2.0

Fortinet Inc.
Introduction
Introduction
FortiSwitch Manager (FSWM) is the on-premise management platform for the FortiSwitch product. FortiSwitch units
connect to FSWM over the layer-3 network. You can configure a large number of FortiSwitch units with this FortiSwitch-
management-only platform. FortiSwitch Manager provides a user experience consistent with the FortiLink Switch
Controller.
This document provides the following information for FortiSwitch Manager 7.2.0 build 0090.
Supported models
FortiSwitch Manager 7.2.0 supports the following models:
FortiSwitch 1xx FS-108E, FS-108E-POE, FS-108E-FPOE, FS-108F, FS-108F-POE, FS-108F-FPOE, FS-

124E, FS-124E-POE, FS-124E-FPOE, FS-124F, FS-124F-POE, FS-124F-FPOE, FS-148E,
FS-148E-POE, FS-148F, FS-148F-POE, FS-148F-FPOE
FortiSwitch 2xx FS-224D-FPOE, FS-224E, FS-224E-POE, FS-248D, FS-248E-POE, FS-248E-FPOE
FortiSwitch 4xx FS-424E, FS-424E-POE, FS-424E-FPOE, FS-424E-Fiber, FS-M426E-FPOE, FS-448E, FS-

448E-POE, FS-448E-FPOE
FortiSwitch 5xx FS-524D, FS-524D-FPOE, FS-548D, FS-548D-FPOE
FortiSwitch 1xxx FS-1024D, FS-1024E, FS-1048E, FS-T1024E
FortiSwitch 3xxx FS-3032E
FortiSwitch Rugged FSR-112D-POE, FSR-124D
Refer to the FortiSwitch feature matrix for details about the features supported by each FortiSwitch model.
Compatibility
FortiSwitch Manager 7.2.0 is compatible with FortiSwitchOS 6.4.6 build 0470 or later.
Web browser support
Web browser l Microsoft Edge

l Mozilla Firefox version 98
l Google Chrome version 99
Other web browsers might function correctly but are not supported by Fortinet.

Fortinet Inc.
Introduction
Virtualization environment support
Hypervisor Recommended versions
Citrix Hypervisor l 8.1 Express Edition, Dec 17, 2019
Linux KVM l Ubuntu 18.0.4 LTS

l Red Hat Enterprise Linux release 8.4
l SUSE Linux Enterprise Server 12 SP3 release 12.3
Microsoft Windows Server l 2012R2 with Hyper-V role
Windows Hyper-V Server l 2019
Open source XenServer l Version 3.4.3

l Version 4.1 and later
VMware ESX l Versions 4.0 and 4.1
VMware ESXi l Versions 4.0, 4.1, 5.0, 5.1, 5.5, 6.0, 6.5, 6.7, and 7.0.
System requirements
Number of managed vCPU Memory (GB) Hard disk

FortiSwitch units
1-10 8 (minimum 4) 8 (minimum 4) 1 TB (minimum 32 GB)
10-100 16 (minimum 8) 16 (minimum 8) 1 TB (minimum 32 GB)
100-1,000 32 32 (minimum 16) 1 TB (minimum 32 GB)
1,000-2,500 32 32 (minimum 16) 1 TB (minimum 32 GB)
Supported Switch Controller features
Switch Controller Features FortiSwitch Models
Centralized VLAN Configuration D-series, E-series, F-series
Switch POE Control D-series, E-series
Link Aggregation Configuration D-series, E-series, F-series
Spanning Tree Protocol (STP) D-series, E-series, F-series
LLDP/MED D-series, E-series, F-series

Fortinet Inc.
Introduction
IGMP Snooping D-series, E-series, F-series
802.1X Authentication (Port-based, MAC-based, MAB) D-series, E-series, F-series
Syslog Collection D-series, E-series, F-series
DHCP Snooping D-series, E-series, F-series
LAG support D-series, E-series, F-series
sFlow Not supported on FS-1xxE Series
Dynamic ARP Inspection (DAI) D-series, E-series, F-series
Port Mirroring D-series, E-series
RADIUS Accounting D-series, E-series, F-series
Centralized Configuration D-series, E-series, F-series
STP BDPU Guard, Root Guard, Edge Port D-series, E-series, F-series
Loop Guard D-series, E-series, F-series
Switch admin Password D-series, E-series
Storm Control D-series, E-series, F-series
802.1X-Authenticated Dynamic VLAN Assignment D-series, E-series, F-series
QoS Not supported on FSR-112D-POE
Centralized Firmware Management D-series, E-series, F-series
Automatic network detection and configuration D-series, E-series
Dynamic VLAN assignment by group name D-series, E-series
Sticky MAC addresses D-series, E-series, F-series
NetFlow and IPFIX flow tracking and export D-series, E-series
MSTP instances D-series, E-series, F-series
QoS statistics D-series, E-series
Configuring SNMP D-series, E-series, F-series
IPv4 source guard FSR-124D, FS-224D-FPOE, FS-248D, FS-424D-

POE, FS-424D-FPOE, FS-448D-POE, FS-448D-
FPOE, FS-424D, FS-448D, FS-2xxE, and FS-4xxE
Point-to-point layer-2 network supported D-series, E-series, F-series
Dynamic detection of LLDP neighbor devices D-series, E-series
Explicit congestion notification (ECN) FS-1024D, FS-1048D, FS-1048E, FS-3032D, FS-

3032E, FS-4xxE, and FS-5xxD

Fortinet Inc.
Introduction
Aggregation mode selection for trunk members D-series, E-series
Multiple attribute values sent in a RADIUS Access-Request D-series, E-series
PTP transparent-clock mode FS-1048E, FS-224D, FS-224E, FS-3032D, FS-

3032E, FS-424D, FS-4xxE, and FS-5xxD
Rapid PVST interoperation D-series, E-series, F-series
Flash port LEDs D-series, E-series
Cable diagnostics Not supported on FSR-112D-POE, FS-1024D, FS-

1048D, FS-1048E, FS-3032D, or FS-3032E
Flow control D-series, E-series, F-series
Ingress pause metering 200 series, 400D and 400E series, 500 series, FS-
1024D, FS-1048D, FS-1048E, and FS-3032D
NOTE: The following features are not supported:

l Virtual domains (VDOMs)
l High availability (HA)
l FortiLink layer-2 mode
l UTM/security services (These are not needed because FortiSwitch Manager is not in the data path.)
l Network access control (NAC)
l Hardware switch
l Remote SPAN (RSPAN)
l Quarantines

Fortinet Inc.
Whatʼs new in FortiSwitch Manager 7.2.0
Whatʼs new in FortiSwitch Manager 7.2.0
The following list contains new FortiSwitch Manager features added in 7.2.0:
l Zero-touch management is now more efficient. When a new FortiSwitch unit is started, by default, it will connect to
the available manager, which can be FortiSwitch Manager, a FortiGate device, or FortiLAN Cloud. Only one
manager can be used at a time. The FortiSwitch configuration does not need to be backed up before the FortiSwitch
unit is managed, and the FortiSwitch unit does not need to be restarted when it becomes managed. All ports are
enabled for auto discovery. The “internal” interface is the DHCP client in all FortiSwitch models.
l The FortiSwitch Manager GUI is now supported.
l Layer-3 routing is now supported with IPv4 addresses. This support includes the following:
l Switch virtual interfaces (SVIs)
l Routed VLAN interfaces (RVIs)
l Static routing
l Virtual routing and forwarding (VRF)

Fortinet Inc.
How to get started
How to get started
FortiSwitch Manager is offered as a virtual appliance. After you install a hypervisor of your choice, install the FortiSwitch
Manager license as per your scale requirements. The FortiSwitch Manager license SKUs can be added together, so you
can use more than one of the following available license SKUs:
FortiSwitch Manager Description

subscription license
FC1-10-SWMVM-258-01-DD Subscription license for 10 FortiSwitch units managed by FortiSwitch

Manager VM.
24x7 FortiCare support (for FSWM VM) included.
FC2-10-SWMVM-258-01-DD Subscription license for 100 FortiSwitch units managed by FortiSwitch

Manager VM.
FC3-10-SWMVM-258-01-DD Subscription license for 1,000 FortiSwitch units managed by FortiSwitch

Manager VM.
Your licenses control the maximum number of FortiSwitch units that you can manage; however, only authorized
switches are counted by FortiSwitch Manager. Switches that have been discovered but not authorized yet do not count
toward the maximum number of switches that can be managed.
To check how many FortiSwitch units can be managed:
diagnose debug vm-print-license
To check how many FortiSwitch units are managed:
execute switch-controller licensed-switches counts
In the command output, switches are in one of four states:

l managed—Authorized switches are counted as managed. Deauthorized a switch does not remove it from the count
of managed switches.
l reserved— Switches are included in the count of managed switches without being discovered or authorized.
Reserving a place for a switch prevents another switch from being added to count instead.
l pending— A switch that is in the process of becoming managed or being deleted from the configuration. A pending
switch is included in the count of managed switches.
l locked-out—When a configuration has more authorized switches than are licensed, the system will lock out some
switches. Locked-out switches are not included in the count of managed switches.
To delete an authorized switch so that it is no longer included in the count of managed switches:
config switch-controller managed-switch

delete <FortiSwitch-serial-number>
end

Fortinet Inc.
How to get started
To remove a FortiSwitch unit from being managed and to reserve space for a different FortiSwitch unit in
the count of managed switches:
execute switch-controller licensed-switches swap <swap-out-FortiSwitch-serial-number> <swap-

in-FortiSwitch-serial-number>
The command deletes <swap-out-FortiSwitch-serial-number> from the configuration and reserves a place for
<swap-in-FortiSwitch-serial-number>.
The swapped-out switch can still be re-discovered. If automatic authorization is

enabled, the swapped-out switch can be authorized again.
In the following example, S108DV3A17000033 is deleted from the configuration, and S108DV3A17000034 is authorized
and counted by FortiSwitch Manager:
execute switch-controller licensed-switches swap S108DV3A17000033 S108DV3A17000034
To list the switches that are managed and authorized and reserved switches:
execute switch-controller licensed-switches list managed
To list reserved switches:
execute switch-controller licensed-switches list reserved
To delete a reserved switch and remove it from the count of managed switches:
execute switch-controller licensed-switches delete-reserved <FortiSwitch-serial-number>
Setting up FortiSwitch Manager
To set up FortiSwitch Manager, you need to configure the FortiSwitch Manager VM port1 and configure static routes. By
default, port1 has the DHCP client enabled. If necessary, assign a fixed IP address and configure a default route.
The VM platform and hypervisor management environments include a guest console window. On FortiSwitch Manager,
the guest console window provides access to the FortiSwitch Manager console. Before you can access the CLI using
SSH/Telnet, you must configure the FortiSwitch Manager VM port1 with an IP address and administrative access. For
example:
config system interface
edit "port1"
set ip 192.268.2.1 255.255.255.0
set allowaccess ping https ssh http telnet
next
end
To configure static routes:
config router static

edit <ID>
set dst <router-subnet> <subnet-mask>

Fortinet Inc.
How to get started
set gateway <router-IP-address>

set device "<FortiLink-interface>"
next
end
For example:
edit 2
set gateway 192.168.2.11
set device "port1"
next
end
Registering the FortiSwitch Manager license
You need the following to register the FortiSwitch Manager license:

l An Internet connection is required for FortiSwitch Manager to contact FortiGuard to validate its license.
l The UUID is required for registration. Use the following CLI command to obtain the UUID:
diagnose hardware sysinfo vm
Installing the FortiSwitch Manager license
To upload the license file using the GUI:
1. Go to Dashboard > Status.

2. Click in the Virtual Machine widget.
3. Click FortiSwitch Manager VM License.

Fortinet Inc.
How to get started
4. Click Upload.
5. After you upload the license file, click OK.
To upload the license file:
execute restore vmlicense {ftp | tftp} <file-name> <FTP-server>[:FTP-port]
For example:
execute restore vmlicense tftp license.lic 10.0.1.2
To check that the license is valid using the GUI:
Go to Dashboard > Status and hover over the license link in the Virtual Machine widget.

Fortinet Inc.
How to get started
To check that the license status is valid using the CLI:
get system status
Configuring FortiLink
By default, port1 is the FortiLink interface. After the network connectivity is configured, FortiSwitch Manager is ready to
manage FortiSwitch units.
Optionally, enable automatic FortiSwitch authorization:
1. Go to Switch Controller > FortiLink Interface.
2. Select the FortiLink interface and click Edit.
3. Enable Automatically authorize devices.
4. Click OK.
Setting up the FortiSwitch units
Starting with FortiSwitchOS 7.2.0, when using DHCP discovery, FortiSwitch units can automatically connect with
FortiSwitch Manager, either with “internal” or “mgmt” ports, and the FortiSwitch units can then be authorized and
managed. Additional FortiSwitch units connected to another FortiSwitch unit already managed by FortiSwitch Manager
are also discovered and authorized.

Fortinet Inc.
How to get started
If you are using an earlier version of FortiSwitchOS or if you are using static discovery, follow the procedures in this
section.
You need to configure FortiSwitch units with the FortiSwitch Manager IP address to establish connectivity, and you need
to configure the FortiSwitch units to use FortiLink mode over a layer-3 network.
To configure a FortiSwitch unit to operate in a layer-3 network (in-band management):
NOTE: You must enter these commands in the indicated order for this feature to work.
1. Reset the FortiSwitch to factory default settings with the execute factoryreset command.
2. Manually set the FortiSwitch unit to FortiLink mode if you are using FortiSwitchOS 7.0.0 or earlier:
config system global

set switch-mgmt-mode fortilink
end
3. Configure the discovery setting for the FortiSwitch unit. You can either use DHCP discovery or static discovery to
find the IP address of the FortiSwitch Manager. The default ac-dhcp-option-code is 138.
To use DHCP discovery:
config switch-controller global

set ac-discovery-type dhcp
set ac-dhcp-option-code <integer>
end
To use static discovery:

set ac-discovery-type static
config ac-list
edit <id>
set ipv4-address <IPv4-address>
next
end
end
4. Configure only one physical port or LAG interface of the FortiSwitch unit as an uplink port. When the FortiSwitch unit
is in FortiLink mode, VLAN 4094 is configured on an internal port, which can provide a path to the layer-3 network.
NOTE: The uplink port cannot be assigned any VLANs.
config switch interface

edit <port-number>
set fortilink-l3-mode enable
end
end
The fortilink-l3-mode command is only visible after you configure DHCP or static discovery.
5. If you are going to configure another FortiSwitch unit that is connected to the FortiSwitch unit configured in steps 1-
4, you only need to configure the discovery settings. You do not need to enable fortilink-l3-mode on the
uplink port.

Fortinet Inc.
How to get started

end

config ac-list
edit <id>
next
end
end
To configure a FortiSwitch unit to operate in a layer-3 network (out-of-band management):
1. Configure FortiSwitch Manager as the Network Time Protocol (NTP) server:
config system ntp

set allow-unsync-source enable
config ntpserver
edit <ID>
set server "<FortiSwitch-Manager-IP-address>"
next
end
set ntpsync enable
end
For example:
config system ntp

set allow-unsync-source enable
config ntpserver
edit 1
set server "192.168.2.1"
next
end
set ntpsync enable
end
2. Configure the management system interface.
NOTE: You can use DHCP mode for the management system interface (set mode dhcp). If you do use DHCP
mode, configuring NTP and the static route is not necessary.

edit "mgmt"
set ip <IP-address-netmask>
set allowaccess ping https ssh
set type physical
next

Fortinet Inc.
How to get started
end
For example:

edit "mgmt"
set ip 192.168.11.94 255.255.255.0
set allowaccess ping https ssh
set type physical
next
end
3. Configure a static route:

edit <ID>
set device "mgmt"
set dst <destination-IP-address-netmask>
set gateway <gateway-IP-address>
next
end
For example:

edit 1
set device "mgmt"
set dst 0.0.0.0 0.0.0.0
next
end
4. Configure the discovery setting for the FortiSwitch unit. You can either use static discovery or DHCP discovery to
find the IP address of the FortiSwitch Manager. The default ac-dhcp-option-code is 138.

config ac-list
edit <id>
next
end
end
To configure DHCP on the management interface:

edit "mgmt"
set mode dhcp
set allowaccess ping https http ssh telnet
set type physical
next
end

Fortinet Inc.
How to get started

end
Connecting additional FortiSwitch units to the first FortiSwitch unit
In this scenario, the default FortiLink-enabled port of FortiSwitch 2 is connected to FortiSwitch 1, and the two switches
then form an auto-ISL. You only need to configure the discovery settings (see Step 3) for additional switches (FortiSwitch
2 in the following diagram). You do not need to enable fortilink-l3-mode on the uplink port. Check that each
FortiSwitch unit can reach FortiSwitch Manager.
Using FortiSwitch Manager
Go to Dashboard > Status to see the current values for the following:
l System information
l Licenses
l Allocated vCPUs and RAM
l Administrators
l CPU
l Memory

Fortinet Inc.
How to get started
Go to System > Fabric Management to see a list of managed FortiSwitch units, as well as the status, registration status,
firmware version, and upgrade status for each.
How to authorize a FortiSwitch unit
Using the GUI:
1. Go to System > Fabric Management.

2. Select an unauthorized FortiSwitch unit.
3. Click Authorize.

Fortinet Inc.
How to get started
Using the CLI:

edit <FortiSwitch-serial-number>
set fsw-wan1-admin enable
next
end
Creating a switch group
Grouping switches makes it easier to manage a large number of switches. For example, a switch group can be all
switches in a building, in a city, or in a business unit.
Using the GUI:
1. Go to Switch Controller > Managed FortiSwitches.

2. Click Create New > FortiSwitch Group.
3. Enter a name for the switch group.
4. Select the FortiLink interface.
5. Click + and then select the switches to be grouped.
6. Click Close to return to the New FortiSwitch Group page.
7. Enter a description of the switch group.
8. Click OK.
Using the CLI:
config switch-controller switch-group

edit <name-of-FortiSwitch-group>
set description <description-of-FortiSwitch-group
set fortilink <name-of-FortiLink-interface>
set members <FortiSwitch-serial-number1>, <FortiSwitch-serial-number2>, ...
next
end

Fortinet Inc.
Managing FortiSwitch units
FortiSwitch units, when used in managed mode, support only the default administrative
access HTTPS port (443).
Starting in FortiSwitchOS 7.2.0 with FortiOS 7.2.0, zero-touch management is now more efficient for new FortiSwitch
units. When a new FortiSwitch unit is started, by default, it will connect to the available manager, which can be
FortiSwitch Manager, a FortiGate device, or FortiLAN Cloud. Only one manager can be used at a time. The FortiSwitch
configuration does not need to be backed up before the FortiSwitch unit is managed, and the FortiSwitch unit does not
need to be restarted when it becomes managed. All ports are enabled for auto discovery. The “internal” interface is the
DHCP client in all FortiSwitch models.
This section covers the following topics:
l Optional configuration required before discovering and authorizing FortiSwitch units on page 24
l Discovering on page 29
l Optional management configuration on page 30
Optional configuration required before discovering and authorizing

FortiSwitch units

l Migrating the configuration of standalone FortiSwitch units on page 24
l VLAN interface templates for FortiSwitch units on page 24
l Automatic provisioning of FortiSwitch firmware upon authorization on page 28
Migrating the configuration of standalone FortiSwitch units
When a configured standalone FortiSwitch unit is converted to managed mode, the standalone configuration is lost. To
save time, use the fortilinkify.py utility to migrate your standalone configuration from one or more FortiSwitch
units to a combined FortiSwitch-Manager-compatible configuration.
To get the script and instructions, go to:
https://fndn.fortinet.net/index.php?/tools/file/68-fortiswitch-configuration-migration-tool/
VLAN interface templates for FortiSwitch units
NOTE: You can only create VLAN interface templates when FortiSwitch Manager has not authorized any FortiSwitch
units yet, so only physically connect the FortiSwitch unit to FortiSwitch Manager after completing this section.

Fortinet Inc.
You can create configuration templates that define the VLAN interfaces and are applied to new FortiSwitch devices
when they are discovered and managed by FortiSwitch Manager.
You can create templates, and then assign those templates to the automatically created switch VLAN interfaces for six
types of traffic. The network subnet that is reserved for the switch controller can also be customized.
To ensure that switch VLAN interface names are unique for each system, the interface names are the same as the
template names.
You can also customize the FortiLink management VLAN per FortiLink interface:
edit <fortilink interface>
set fortilink enable
set switch-controller-mgmt-vlan <integer>
next
end
The management VLAN can be a number from 1 to 4094. the default value is 4094.
Create VLAN interface templates
To configure the VLAN interface templates:
config switch-controller initial-config template

edit <template_name>
set vlanid <integer>
set ip <ip/netmask>
set allowaccess {options}
set auto-ip {enable | disable}
set dhcp-server {enable | disable}
next
end
<template_name> The name, or part of the name, of the template.
vlanid <integer> The unique VLAN ID for the type of traffic the template is
assigned to (1-4094; the default is 4094)
ip <ip/netmask> The IP address and subnet mask of the switch VLAN

interface. This can only be configured when auto-ip is
disabled.
allowaccess {options} The permitted types of management access to this

interface.
auto-ip {enable | disable} When enabled, the switch-controller will pick an unused 24
bit subnet from the switch-controller-reserved-network
(configured in config system global).
dhcp-server {enable | disable} When enabled, the switch-controller will create a DHCP
server for the switch VLAN interface
To assign the templates to the specific traffic types:
config switch-controller initial-config vlans

set default-vlan <template>

Fortinet Inc.
set quarantine <template>

set rspan <template>
set voice <template>
set video <template>
set nac <template>
end
default-vlan <template> Default VLAN assigned to all switch ports upon discovery.
quarantine <template> VLAN for quarantined traffic.
rspan <template> VLAN for RSPAN/ERSPAN mirrored traffic.
voice <template> VLAN dedicated for voice devices.
video <template> VLAN dedicated for video devices.
nac <template> VLAN for NAC onboarding devices.
To configure the network subnet that is reserved for the switch controller:
config system global

set switch-controller-reserved-network <ip/netmask>
end
The default value is 169.254.0.0 255.255.0.0.
Example
In this example, six templates are configured with different VLAN IDs. Except for the default template, all of them have
DHCP server enabled. When a FortiSwitch is discovered, VLANs and the corresponding DHCP servers are
automatically created.
To configure six templates and apply them to VLAN traffic types:
config switch-controller initial-config template

edit "default"
set vlanid 1
set auto-ip disable
next
edit "quarantine"
set vlanid 4093
set dhcp-server enable
next
edit "rspan"
set vlanid 4092
next
edit "voice"
set vlanid 4091
next
edit "video"
set vlanid 4090
next

Fortinet Inc.
edit "onboarding"
set vlanid 4089
next
end
config switch-controller initial-config vlans
set default-vlan "default"
set quarantine "quarantine"
set rspan "rspan"
set voice "voice"
set video "video"
set nac "onboarding"
end
To see the automatically created VLANs and DHCP servers:
show system interface

edit "default"
set vdom "root"
set snmp-index 24
set switch-controller-feature default-vlan
set interface "fortilink"
set vlanid 1
next
edit "quarantine"
set vdom "root"
set ip 169.254.11.1 255.255.255.0
set description "Quarantine VLAN"
set security-mode captive-portal
set replacemsg-override-group "auth-intf-quarantine"
set device-identification enable
set snmp-index 25
set switch-controller-access-vlan enable
set switch-controller-feature quarantine
set color 6
set vlanid 4093
next
...
end
show system dhcp server
edit 2
set dns-service local
set ntp-service local
set default-gateway 169.254.1.1
set netmask 255.255.255.0
config ip-range
edit 1
set start-ip 169.254.1.2
set end-ip 169.254.1.254
next
end
set vci-match enable
set vci-string "FortiSwitch" "FortiExtender"
next
edit 3

Fortinet Inc.
set dns-service default

set default-gateway 169.254.11.1
set netmask 255.255.255.0
set interface "quarantine"
config ip-range
edit 1
set start-ip 169.254.11.2
set end-ip 169.254.11.254
next
end
set timezone-option default
next
...
end
Automatic provisioning of FortiSwitch firmware upon authorization
Administrators no longer need to upload the FortiSwitch firmware. Instead, administrators can configure the managed
FortiSwitch units to be automatically upgraded to the latest FortiSwitchOS version available in FortiGuard when the
switches are authorized by FortiSwitch Manager. If the FortiSwitch units are already running the latest version of
FortiSwitchOS when they are authorized, no changes are made.
l You cannot use the one-time automatic upgrade with the automatic provisioning that uses
uploaded firmware. When firmware-provision-latest is set to once, the
firmware-provision and firmware-provision-version commands are unset.
l If a FortiSwitch unit is being upgraded when the one-time automatic upgrade is
configured, the upgrade in progress is paused until the one-time automatic upgrade is
completed.
To configure the automatic provisioning using uploaded FortiSwitch firmware:

edit <FortiSwitch_serial_number>
set firmware-provision {enable | disable}
set firmware-provision-version <version>
next
end
firmware-provision Enable or disable provisioning firmware to the FortiSwitch unit after authorization
{enable | disable} (the default is disable).
firmware-provision- The firmware version to provision the FortiSwitch unit with on bootup.
version <version>
The format is major_version.minor_version.build_number, for example, 6.4.0454.
To set up the one-time automatic upgrade of the FortiSwitch firmware:
1. On FortiSwitch Manager, configure automatic provisioning:

set firmware-provision-on-authorization enable
end

Fortinet Inc.
By default, the set firmware-provision-latest command is set to disable under config switch-
controller managed-switch before the FortiSwitch unit is authorized by FortiSwitch Manager.
2. On FortiSwitch Manager, authorize the FortiSwitch unit.

set fsw-wan1-peer <FortiLink_interface_name>
end
Authorizing the FortiSwitch unit changes the setting of the set firmware-provision-latest command to
once under config switch-controller managed-switch.
3. When the status of the managed FortiSwitch unit is “Authorized/Up,” FortiSwitch Manager downloads the latest
supported version of FortiSwitchOS from FortiGuard and then upgrades the switch.
4. The setting of the set firmware-provision-latest command is changed to disable under config
switch-controller managed-switch.
Instead of enabling firmware-provision-on-authorization, you can leave the

command at its default setting (set firmware-provision-on-authorization
disable) and change the setting of firmware-provision-latest to once.
Discovering

l Authorizing on page 29
l Preparing the FortiSwitch unit on page 29
Authorizing
If automatic authorization is disabled, you need to authorize the FortiSwitch unit as a managed switch:
edit FS224D3W14000370
end
end
NOTE: After authorization, the FortiSwitch unit reboots in managed mode.
Preparing the FortiSwitch unit
If the FortiSwitch unit is in the factory default configuration, it is ready to be connected to FortiSwitch Manager. If the
FortiSwitch unit is not in the factory default configuration, log in to the FortiSwitch unit with the CLI and use the execute
factoryreset command to reset the FortiSwitch unit to the factory defaults

Fortinet Inc.
Optional management configuration

l Using the FortiSwitch serial number for automatic name resolution on page 30
l Changing the admin password for all managed FortiSwitch units on page 31
l Disabling the FortiSwitch console port login on page 31
l Using automatic network detection and configuration on page 32
l Limiting the number of parallel processes for FortiSwitch configuration on page 32
l Configuring access to management and internal interfaces on page 32
l Enabling VLAN optimization on page 33
l Grouping FortiSwitch units on page 33
Using the FortiSwitch serial number for automatic name resolution
By default, you can check that FortiSwitch unit is accessible from FortiSwitch Manager with the execute ping
<FortiSwitch_IP_address> command. If you want to use the FortiSwitch serial number instead of the FortiSwitch
IP address, use the following commands:
set sn-dns-resolution enable
end
NOTE:The set sn-dns-resolution enable configuration is enabled by default.

Then you can use the execute ping <FortiSwitch_serial_ number>.<domain_name> command to check if
the FortiSwitch unit is accessible from FortiSwitch Manager. For example:
FSWMVMTM21000008 (root) # execute ping S524DF4K15000024.fsw
PING S524DF4K15000024.fsw (123.456.7.8): 56 data bytes
64 bytes from 123.456.7.8: icmp_seq=0 ttl=64 time=0.0 ms
Now you can use the execute ping <FortiSwitch_serial_number> command to check if the FortiSwitch unit is
accessible from FortiSwitch Manager. For example:
FSWMVMTM21000008 (root) # execute ping S524DF4K15000024
PING S524DF4K15000024.fsw (123.456.7.8): 56 data bytes
--- S524DF4K15000024.fsw ping statistics ---

5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

Fortinet Inc.
Changing the admin password for all managed FortiSwitch units
By default, each FortiSwitch has an admin account without a password. To replace the admin passwords for all
managed FortiSwitch units, use the following commands from FortiSwitch Manager:
config switch-controller switch-profile
edit default
set login-passwd-override {enable | disable}
set login-passwd <password>
next
end
If you had already applied a profile with the override enabled and the password set and then decide to remove the admin
password, you need to apply a profile with the override enabled and no password set; otherwise, your previously set
password will remain in the FortiSwitch. For example:
edit default
set login-passwd-override enable
unset login-passwd
next
end
Disabling the FortiSwitch console port login
Administrators can use the FortiSwitch profile to control whether users can log in with the managed FortiSwitchOS
console port. By default, users can log in with the managed FortiSwitchOS console port.
To change the FortiSwitch profile:

edit {default | <FortiSwitch_profile_name>}
set login {enable | disable} enabled by default
end
To disable logging in to the managed FortiSwitch consort port in the default FortiSwitch profile:

edit default
set login disable
end
To change which FortiSwitch profile is used by a managed switch

set switch-profile {default | <FortiSwitch_profile_name>}
end
For example:
edit S524DF4K15000024
set switch-profile new_switch_profile
end

Fortinet Inc.
Using automatic network detection and configuration
There are three commands that let you use automatic network detection and configuration.
To specify which policies can override the defaults for a specific ISL, ICl, or FortiLink interface:
config switch-controller auto-config custom
edit <automatically configured FortiLink, ISL, or ICL interface name>
config switch-binding
edit "switch serial number"
set policy "custom automatic-configuation policy"
end
To specify policies that are applied automatically for all ISL, ICL, and FortiLink interfaces:
config switch-controller auto-config default
set fgt-policy <default FortiLink automatic-configuration policy>
set isl-policy <default ISL automatic-configuration policy>
set icl-policy <default ICL automatic-configuration policy>
end
To specify policy definitions that define the behavior on automatically configured interfaces:
config switch-controller auto-config policy
edit <policy_name>
set qos-policy <automatic-configuration QoS policy>
set storm-control-policy <automatic-configuation storm-control policy>
set poe-status {enable | disable}
set igmp-flood-report {enable | disable}
set igmp-flood-traffic {enable | disable}
end
Limiting the number of parallel processes for FortiSwitch configuration
Use the following CLI commands to reduce the number of parallel processes that the switch controller uses for
configuring FortiSwitch units:
config global
config switch-controller system
set parallel-process-override enable
set parallel-process <1-300>
end
end
Configuring access to management and internal interfaces
The set allowaccess command configures access to all interfaces on a FortiSwitch unit. If you need to have different
access to the FortiSwitch management interface and the FortiSwitch internal interface, you can set up a local-access
security policy with the following commands:
config switch-controller security-policy local-access
edit <policy_name>
set mgmt-allowaccess {https | ping | ssh | snmp | http | telnet | radius-acct}
set internal-allowaccess {https | ping | ssh | snmp | http | telnet | radius-acct}
end

Fortinet Inc.
set access-profile <name_of_policy>
end
For example:
edit policy1
set mgmt-allowaccess https ping ssh radius-acct
set internal-allowaccess https ssh snmp telnet
end
edit S524DF4K15000024
set access-profile policy1
end
Enabling VLAN optimization
When inter-switch links (ISLs) are automatically formed on trunks, the switch controller allows VLANs 1-4093 on ISL
ports. This configuration can increase data processing on the FortiSwitch unit. When VLAN optimization is enabled, the
FortiSwitch unit allows only user-defined VLANs on the automatically generated trunks.
NOTE: VLAN optimization is enabled by default.
To enable VLAN optimization on FortiSwitch units from FortiSwitch Manager:

set vlan-optimization enable
end
NOTE: You cannot use the set vlan-all-mode all command with the set vlan-optimization enable
command.
Grouping FortiSwitch units
You can simplify the configuration and management of complex topologies by creating FortiSwitch groups. A group can
include one or more FortiSwitch units and you can include different models in a group.
Using the GUI:
1. Go to Switch Controller > Managed FortiSwitch.

2. Select Create New > FortiSwitch Group.
3. In the Name field, enter a name for the FortiSwitch group.
4. In the Members field, click + to select which switches to include in the FortiSwitch group.
5. In the Description field, enter a description of the FortiSwitch group.
6. Select OK.
Using the CLI:
config switch-controller switch-group

edit <name>
set description <string>

Fortinet Inc.
set members <serial-number> <serial-number> ...

end
end
Grouping FortiSwitch units allows you to restart all of the switches in the group instead of individually. For example, you
can use the following command to restart all of the FortiSwitch units in a group named my-sw-group:
execute switch-controller switch-action restart delay switch-group my-sw-group
Upgrading the firmware of FortiSwitch groups is easier, too, because fewer commands are needed. See the next section
for the procedure.

Fortinet Inc.
Configuring FortiSwitch VLANs and ports

l Configuring VLANs on page 35
l Configuring ports using the GUI on page 38
l Configuring port speed and status on page 38
l Configuring flap guard on page 39
l Configuring PoE on page 41
l Adding 802.3ad link aggregation groups (trunks) on page 42
l Configuring FortiSwitch split ports (phy-mode) in FortiLink mode on page 45
l Restricting the type of frames allowed through IEEE 802.1Q ports on page 49
Configuring VLANs
Use Virtual Local Area Networks (VLANs) to logically separate a LAN into smaller broadcast domains. VLANs allow you
to define different policies for different types of users and to set finer control on the LAN traffic. (Traffic is only sent
automatically within the VLAN. You must configure routing for traffic between VLANs.)
From FortiSwitch Manager, you can centrally configure and manage VLANs for the managed FortiSwitch units.
The FortiSwitch unit supports untagged and tagged frames in FortiLink mode. The switch supports up to 1,023 user-
defined VLANs. You can assign a VLAN number (ranging from 1-4095) to each of the VLANs. For FortiSwitch units in
FortiLink mode, you can assign a name to each VLAN.
You can configure the default VLAN for each FortiSwitch port as well as a set of allowed VLANs for each FortiSwitch
port.
l Creating VLANs on page 35
l Viewing FortiSwitch VLANs on page 37
Creating VLANs
Setting up a VLAN requires you to create the VLAN and assign FortiSwitch ports to the VLAN. You can do this with either
the Web GUI or CLI.

Fortinet Inc.
Using the GUI
To create the VLAN:

1. Go to Switch Controller > FortiSwitch VLANs, select Create New, and change the following settings:
Name VLAN name
VLAN ID Enter a number (1-4094)
Color Choose a unique color for each VLAN, for ease of visual display.
Role Select LAN, WAN, DMZ, or Undefined.
2. Enable DHCP for IPv4 or IPv6.

3. Set the Administrative Access options as required.
4. Click OK.
To assign FortiSwitch ports to the VLAN:
1. Go to Switch Controller > FortiSwitch Ports.

2. Click a port row.
3. Click the pencil icon in the Native VLAN column to change the native VLAN.
4. Select a VLAN from the displayed list and then click Apply. The new value is assigned to the selected ports.
5. Click the pencil icon in the Allowed VLANs column to change the allowed VLANs.
6. Select one or more of the VLANs (or All) from the displayed list and then click Apply. The new value is assigned to
the selected port.
Using the FortiSwitch CLI
1. Create the marketing VLAN.

edit <VLAN_name>
set vlanid <1-4094>
set color <1-32>
set interface <FortiLink-enabled interface>
set vdom <VDOM_name>
end
2. Set the VLAN’s IP address.

edit <VLAN_name>
set ip <IP_address> <network_mask>
end
3. Enable a DHCP Server.
config system dhcp server

edit 1
set default-gateway <IP address>
set dns-service default

Fortinet Inc.
set interface <vlan name>

config ip-range
set start-ip <IP address>
set end-ip <IP address>
end
set netmask <Network mask>
end
4. Assign ports to the VLAN.

config ports
edit <port name>
set vlan <vlan name>
set allowed-vlans <vlan name>
or
set allowed-vlans-all enable
next
end
end
5. Assign untagged VLANs to a managed FortiSwitch port:

config ports
edit <port>
set untagged-vlans <VLAN-name>
next
end
next
end
Viewing FortiSwitch VLANs
The Switch Controller > FortiSwitch VLANs page displays VLAN information for the managed switches.
Each entry in the VLAN list displays the following information:

l Name—name of the VLAN
l VLAN ID—the VLAN number
l IP—address and mask of the subnetwork that corresponds to this VLAN
l Administrative Access—administrative access settings for the VLAN
l Ref.—number of configuration objects referencing this VLAN

Fortinet Inc.
Configuring ports using the GUI
You can use the Switch Controller > FortiSwitch Ports page to do the following with FortiSwitch switch ports:
l Set the native VLAN and add more VLANs
l Edit the description of the port
l Enable or disable the port
l Set the access mode of the port in Port view:
l Static—The port does not use a dynamic port policy or FortiSwitch network access control (NAC) policy.
l Assign Port Policy—The port uses a dynamic port policy.
l NAC—The port uses a FortiSwitch NAC policy.
l Set the LACP mode of the trunk in Trunk view:

l Static—In this mode, no control messages are sent, and received control messages are ignored.
l Passive LACP—The port passively uses LACP to negotiate 802.3ad aggregation.
l Active LACP—The port actively used LACP to negotiate 802.3ad aggregation.
l Double-click a port to display the Port Statistics pane, which shows the transmitted and received traffic, frame errors
by type, and transmitted and received frames. You can also select a port and then click the View Statistics button in
the upper right corner. The Compare with dropdown list allows you to select another port to compare with the
currently selected port. The statistics are refreshed every 15 seconds.
l Clear port counters by right-clicking a port and selecting Clear port counters.
l Enable or disable PoE for the port
l Enable or disable DHCP snooping (if supported by the port)
l Enable or disable whether a port is an edge port
l Enable or disable STP (if supported by the port)
l Enable or disable loop guard (if supported by the port)
l Enable or disable STP BPDU guard (if supported by the port)
l Enable or disable STP root guard (if supported by the port)
Configuring port speed and status
To set port speed and other base port settings:

config ports
edit <port_name>
set description <text>
set speed <speed>
set status {down | up}
end
end
For example:
edit S524DF4K15000024
config ports
edit port1

Fortinet Inc.
set description "First port"

set speed auto
set status up
end
end
To check the port properties:
diagnose switch-controller switch-info port-properties [<FortiSwitch_serial_number>] [<port_

name>]
If the FortiSwitch serial number is not specified, results for all FortiSwitch units are returned. If the port name is not
specified, results for all ports are returned.
For example:
FSWMVMTM21000005 (vdom1) # diagnose switch-controller switch-info port-properties
S108DVTM20002500 port2
Switch: S108DVTM20002500
Port: port2
PoE :
Connector : RJ45
Speed :
Configuring flap guard
A flapping port is a port that changes status rapidly from up to down. A flapping port can create instability in protocols
such as Spanning Tree Protocol (STP). If a port is flapping, STP must continually recalculate the role for each port. Flap
guard also prevents unwanted access to the physical ports.
Flap guard detects how many times a port changes status during a specified number of seconds, and the system shuts
down the port if necessary. You can manually reset the port and restore it to the active state.
Flap guard is configured and enabled on each port through the switch controller. The default setting is disabled.
The flap rate counts how many times a port changes status during a specified number of seconds. The range is 1 to 30
with a default setting of 5.
The flap duration is the number of seconds during which the flap rate is counted. The range is 5 to 300 seconds with a
default setting of 30 seconds.
The flap timeout is the number of minutes before the flap guard is reset. The range is 0 to 120 minutes. The default
setting of 0 means that there is no timeout.

Fortinet Inc.
l If a triggered port times out while the switch is in a down state, the port is initially in a
triggered state until the switch has fully booted up and calculated that the timeout has
occurred.
l The following models do not store time across reboot; therefore, any triggered port is
initially in a triggered state until the switch has fully booted up—at which point the trigger
is cleared:
l FS-1xxE
l FS-2xxD/E
l FS-4xxD
l FS-4xxE
To configure flap guard on a port through the switch controller:

config ports
edit <port_name>
set flapguard {enable | disable}
set flap-rate <1-30>
set flap-duration <5-300 seconds>
set flap-timeout <0-120 minutes>
next
end
end
For example:
edit S424ENTF19000007
config ports
edit port10
set flapguard enable
set flap-rate 15
set flap-duration 100
set flap-timeout 30
next
end
end
Resetting a port
After flap guard detects that a port is changing status rapidly and the system shuts down the port, you can reset the port
and restore it to service.
To reset a port:
execute switch-controller flapguard reset <FortiSwitch_serial_number> <port_name>
For example:
execute switch-controller flapguard reset S424ENTF19000007 port10

Fortinet Inc.
Configuring PoE

l Enabling PoE on the portconfig on page 41
l Enabling PoE pre-standard detection on page 41
l Resetting the PoE port on page 42
l Displaying general PoE status on page 42
Enabling PoE on the portconfig

config ports
edit <port_name>
set poe-status {enable | disable}
end
end
For example:
edit S524DF4K15000024
config ports
edit port1
set poe-status enable
end
end
Enabling PoE pre-standard detection
Depending on the FortiSwitch model, you can manually change the PoE pre-standard detection setting on the global
level or on the port level. The factory default setting for poe-pre-standard-detection is disable.
PoE pre-standard detection is a global setting for the following FortiSwitch models: FSR-
112D-POE, FS-548DFPOE, FS-524D-FPOE, FS-108D-POE, FS-224D-POE, FS-108E-POE,
FS-108E-FPOE, FS-124E-POE, and FS-124EFPOE. For the other FortiSwitch PoE models,
PoE pre-standard detection is set on each port.
On the global level, set poe-pre-standard-detection with the following commands:

set poe-pre-standard-detection {enable | disable}
next
end
On the port level, set poe-pre-standard-detection with the following commands:

config ports

Fortinet Inc.
edit <port_name>
set poe-pre-standard-detection {enable | disable}
next
end
next
end
Resetting the PoE port
Power over Ethernet (PoE) describes any system that passes electric power along with data on twisted pair Ethernet
cabling. Doing this allows a single cable to provide both data connection and electric power to devices (for example,
wireless access points, IP cameras, and VoIP phones).
The following command resets PoE on the port:
execute switch-controller poe-reset <FortiSwitch_serial_number> <port_name>
Displaying general PoE status

get switch-controller poe <FortiSwitch_serial_number> <port_name>
The following example displays the PoE status for port 6 on the specified switch:
# get switch-controller poe FS108D3W14000967 port6
Port(6) Power:3.90W, Power-Status: Delivering Power
Power-Up Mode: Normal Mode
Remote Power Device Type: IEEE802.3AT PD
Power Class: 4
Defined Max Power: 30.0W, Priority:3
Voltage: 54.00V
Current: 78mA
Adding 802.3ad link aggregation groups (trunks)
If the trunk is in LACP mode and has ports with different speeds, the ports of the same negotiated speed are grouped in
an aggregator.
If multiple aggregators exist, one and only one of the aggregators is used by the trunk.
You can use the CLI to specify how the aggregator is selected:
l When the aggregator-mode is set to bandwidth, the aggregator with the largest bandwidth is selected. This
mode is the default.
l When the aggregator-mode is set to count, the aggregator with the largest number of ports is selected.
Using the FortiSwitch Manager GUI:
2. Click Create New > Trunk Group.
3. In the New Trunk Group page, enter a Name for the trunk group.

Fortinet Inc.
4. Select Enabled or Disabled for the MCLAG.

l An MCLAG peer group must be configured before adding a trunk with MCLAG enabled.
l Make sure to select ports from switches that are part of the same MCLAG peer group.
5. Select the Mode: Static, Passive LACP, or Active LACP.

6. Select two or more physical ports to add to the trunk group and then click Apply.
7. Click OK.
Using the FortiSwitch Manager CLI:

config ports
edit <trunk_name>
set type trunk
set mode {static | lacp-passive | lacp-active}
set mclag {enable | disable}
set bundle {enable | disable}
set min-bundle <int>
set max-bundle <int>
set members <port1 port2 ...>
next
end
end
end

Fortinet Inc.
MCLAG trunks
The MCLAG trunk consists of 802.3ad link aggregation groups with members that belong to different FortiSwitch units.
To configure an MCLAG trunk, you need an MCLAG peer group. The MCLAG trunk members are selected from the
same MCLAG peer group.
Using the GUI

2. Select Create New > Trunk Group.
3. Enter a name for the MCLAG trunk.
4. For the MCLAG status, select Enabled to create an active MCLAG trunk.
5. For the mode, select Static, Passive LACP, or Active LACP.
l Set to Static for static aggregation. In this mode, no control messages are sent, and received control messages
are ignored.
l Set to Passive LACP to passively use LACP to negotiate 802.3ad aggregation.
l Set to Active LACP to actively use LACP to negotiate 802.3ad aggregation.
6. For trunk members, click Select Members, select the ports to include in the MCLAG trunk, and then click Apply to
save the trunk members. NOTE: The members must belong to the same MCLAG peer group.
7. Select OK to save the MCLAG configuration.
The ports are listed as part of the MCLAG trunk on the FortiSwitch Ports page.
Using the CLI
Configure a trunk in each switch that is part of the MCLAG pair:

l The trunk name for each switch must be the same.
l The port members for each trunk can be different.
l After you enable MCLAG, you can enable LACP if needed.


Fortinet Inc.
config ports
edit "<trunk name>"
set type trunk
set mode {static | lacp-passive | lacp-active}
set members "<port>,<port>"
set mclag enable
next
end
next
Variable Description Default
<switch-id> FortiSwitch serial number. No default
<trunk name> Enter a name for the MCLAG trunk. No default
NOTE: Each FortiSwitch unit that is part of the MCLAG must have the same
MCLAG trunk name configured.
type trunk Set the interface type to a trunk port. physical
mode {static | lacp- Set the LACP mode. lacp-active

passive | lacp- l Set to static for static aggregation. In this mode, no control messages
active} are sent, and received control messages are ignored.

l Set to lacp-passive to passively use LACP to negotiate 802.3ad
aggregation.
l Set to lacp-active to actively use LACP to negotiate 802.3ad
aggregation.
members Set the aggregated LAG bundle interfaces. No default

"<port>,<port>"
mclag enable Enable or disable the MCLAG. disable
Configuring FortiSwitch split ports (phy-mode) in FortiLink mode
On FortiSwitch models that provide 40G/100G QSFP (quad small form-factor pluggable) interfaces, you can install a
breakout cable to convert one 40G/100G interface into four 10G/25G interfaces. See the list of supported FortiSwitch
models in the notes in this section.
l Configuring split ports on a previously discovered FortiSwitch unit on page 46
l Configuring split ports with a new FortiSwitch unit on page 46
l Configuring forward error correction on switch ports on page 46
l Configuring a split port on the FortiSwitch unit on page 47

Fortinet Inc.
Notes
l Split ports are not configured for pre-configured FortiSwitch units.

l Splitting ports is supported on the following FortiSwitch models:
o FS-3032D (ports 5 to 28 are splittable)
o FS-3032E (Ports can be split into 4 x 25G when configured in 100G QSFP28 mode or can be split into 4 x 10G
when configured in 40G QSFP mode. Use the set <port_name>-phy-mode disabled command to
disable some 100G ports to allow up to sixty-two 100G/25G/10G ports.)
o FS-524D and FS-524D-FPOE (ports 29 and 30 are splittable)
o FS-548D and FS-548D-FPOE (ports 53 and 54 are splittable)
o FS-1048E (In the 4 x 100G configuration, ports 49, 50, 51, and 52 are splittable as 4 x 25G. In the 6 x 40G
configuration, ports 49, 50, 51, 52, 53, 54 are splittable as 4 x 10G.)
Use the set port-configuration ? command to check which ports are supported for each model.
l Currently, the maximum number of ports supported in software is 64 (including the management port). Therefore,
only 10 QSFP ports can be split. This limitation applies to all of the models, but only the FS-3032D, FS-3032E, and
the FS-1048E models have enough ports to encounter this limit.
l Use 10000full for the general 10G interface configuration. If that setting does not work, use 10000cr for copper
connections (with copper cables such as 10GBASE-CR) or use 10000sr for fiber connections (fiber optic
transceivers such as 10GBASE-SR/-LR/-ER/-ZR).
l FortiSwitch Manager automatically updates the port list after split ports are changed and the FortiSwitch unit
restarts. When split ports are added or removed, the changes are logged.
Configuring split ports on a previously discovered FortiSwitch unit
1. On the FortiSwitch unit, configure the split ports. See Configuring a split port on the FortiSwitch unit on page 47.
2. Restart the FortiSwitch unit.
Configuring split ports with a new FortiSwitch unit
1. Discover the FortiSwitch unit.

2. Authorize the FortiSwitch unit.
3. On the FortiSwitch unit, configure the split ports. See Configuring a split port on the FortiSwitch unit on page 47.
4. Restart the FortiSwitch unit.
Configuring forward error correction on switch ports
Supported managed-switch ports of the FS-1048E and FS-3032E can be configured with a forward error correction
(FEC) state of Clause 74 FC-FEC for 25-Gbps ports and Clause 91 RS-FEC for 100-Gbps ports.
config ports
edit <port_name>
set fec-capable {0 | 1}
set fec-state {disabled | cl74 | cl91}
next
end

Fortinet Inc.
next
end
fec-capable {0 | 1} Set whether the port is FEC capable.

l 0: The port is not FEC capable.
l 1: The port is FEC capable.

fec-state {disabled | Set the FEC state:
cl74 | cl91} l disabled: Disable FEC on the port.
l c174: Enable Clause 74 FC-FEC. This option is only available for on FS-
1048E and FS-3032E ports that have been split to 4x25G.
l c191: Enable Clause 91 RS-FEC. This option is only available for on FS-
1048E and FS-3032E ports that have been split to 4x100G.
In this example, a managed FortiSwitch FS-3032E is configured with Clause 74 FC-FEC on port 16.1 and Clause 91 RS-
FEC on port 8.
edit FS3E32T419000000
config ports
edit port16.1
set fec-state cl74
next
edit port8
set fec-state cl91
next
end
next
end
Configuring a split port on the FortiSwitch unit
To configure a split port:
config switch phy-mode

set port-configuration <default | disable-port54 | disable-port41-48 | 4x100G | 6x40G |
4x4x25G}
set {<port-name>-phy-mode <single-port| 4x25G | 4x10G | 4x1G | 2x50G}
...
(one entry for each port that supports split port)
end
The following settings are available:

l disable-port54—For 548D and 548D-FPOE, only port53 is splittable; port54 is unavailable.
l disable-port41-48—For 548D and 548D-FPOE, port41 to port48 are unavailable, but you can configure port53
and port54 in split-mode.
l 4x100G—For 1048E, enable the maximum speed (100G) of ports 49 through 52. Ports 53 and 54 are disabled.
l 6x40G—For 1048E, enable the maximum speed (40G) of ports 49 through 54.
l 4x4x25G—For 1048E, enable the maximum speed (100G) of ports 49 through 52; each split port has a maximum
speed of 25G. Ports 47 and 48 are disabled.
l single-port—Use the port at the full base speed without splitting it.
l 4x25G—For 100G QSFP only, split one port into four subports of 25 Gbps each.

Fortinet Inc.
l 4x10G—For 40G or 100G QSFP only, split one port into four subports of 10Gbps each.
l 4x1G—For 40G or 100G QSFP only, split one port into four subports of 1 Gbps each.
l 2x50G—For 100G QSFP only, split one port into two subports of 50 Gbps each.
In the following example, a FortiSwitch 3032D is configured with ports 10, 14, and 28 set to 4x10G:
config switch phy-mode
set port5-phy-mode 1x40G
end
The system applies the configuration only after you enter the end command, displaying the following message:
This change will cause a ports to be added and removed, this will cause loss of
configuration on removed ports. The system will have to reboot to apply this change.
Do you want to continue? (y/n)y
To configure one of the split ports, use the notation ".x" to specify the split port:
config switch physical-port

edit "port1"
set lldp-profile "default-auto-isl"
set speed 40000full
next
edit "port2"
set speed 40000full
next
edit "port3"
set speed 40000full
next
edit "port4"
set speed 40000full
next

Fortinet Inc.
edit "port5.1"
set speed 10000full
next
edit "port5.2"
set speed 10000full
next
edit "port5.3"
set speed 10000full
next
edit "port5.4"
set speed 10000full
next
end
Restricting the type of frames allowed through IEEE 802.1Q ports
You can now specify whether each FortiSwitch port discards tagged 802.1Q frames or untagged 802.1Q frames or
allows all frames access to the port. By default, all frames have access to each FortiSwitch port.
Use the following CLI commands:
config switch-controller managed-switch <SN>
config ports
edit <port_name>
set discard-mode <none | all-tagged | all-untagged>
next
next
end

Fortinet Inc.
Configuring switching features
This section covers the following features:

l Configuring DHCP blocking, STP, and loop guard on managed FortiSwitch ports on page 50
l Configuring edge ports on page 51
l Configuring loop guard on page 52
l Configuring STP settings on page 52
l Dynamic MAC address learning on page 58
l Configuring storm control on page 62
l Configuring IGMP-snooping settings on page 63
l Configuring PTP transparent-clock mode on page 65
Configuring DHCP blocking, STP, and loop guard on managed

FortiSwitch ports
Go to Switch Controller > FortiSwitch Ports. Right-click any port and then enable or disable the following features:
l DHCP Snooping—The DHCP blocking feature monitors the DHCP traffic from untrusted sources (for example,
typically host ports and unknown DHCP servers) that might initiate traffic attacks or other hostile actions. To prevent
this, DHCP blocking filters messages on untrusted ports.
l Spanning Tree Protocol (STP)—STP is a link-management protocol that ensures a loop-free layer-2 network
topology.
l Loop guard—A loop in a layer-2 network results in broadcast storms that have far-reaching and unwanted effects.
Fortinet loop guard helps to prevent loops. When loop guard is enabled on a switch port, the port monitors its
subtending network for any downstream loops. The loop guard feature is designed to work in concert with STP
rather than as a replacement for STP.
l STP BPDU guard—Similar to root guard, BPDU guard protects the designed network topology. When BPDU guard
is enabled on STP edge ports, any BPDUs received cause the ports to go down for a specified number of minutes.
The BPDUs are not forwarded, and the network edge is enforced.
l STP root guard—Root guard protects the interface on which it is enabled from becoming the path to root. When
enabled on an interface, superior BPDUs received on that interface are ignored or dropped. Without using root
guard, any switch that participates in STP maintains the ability to reroute the path to root. Rerouting might cause
your network to transmit large amounts of traffic across suboptimal links or allow a malicious or misconfigured
device to pose a security risk by passing core traffic through an insecure device for packet capture or inspection. By
enabling root guard on multiple interfaces, you can create a perimeter around your existing paths to root to enforce
the specified network topology.
STP and IGMP snooping are enabled on all ports by default. Loop guard is disabled by default on all ports.

Fortinet Inc.
Configuring edge ports
Use the following commands to enable or disable an interface as an edge port:

config ports
edit <port_name>
set edge-port {enable | disable}
end
end
For example:
edit S524DF4K15000024
config ports
edit port1
set edge-port enable
end
end

Fortinet Inc.
Configuring loop guard
A loop in a layer-2 network results in broadcast storms that have far-reaching and unwanted effects. Fortinet loop guard
helps to prevent loops. When loop guard is enabled on a switch port, the port monitors its subtending network for any
downstream loops. Loop guard and STP should be used separately for loop protection. By default, loop guard is disabled
on all ports.
Use the following commands to configure loop guard on a FortiSwitch port:
config ports
edit <port_name>
set loop-guard {enabled | disabled}
set loop-guard-timeout <0-120 minutes>
end
end
For example:
edit S524DF4K15000024
config ports
edit port1
set loop-guard enabled
set loop-guard-timeout 10
end
end
Configuring STP settings
The managed FortiSwitch unit supports Spanning Tree Protocol (a link-management protocol that ensures a loop-free
layer-2 network topology) as well as Multiple Spanning Tree Protocol (MSTP), which is defined in the IEEE 802.1Q
standard.
MSTP supports multiple spanning tree instances, where each instance carries traffic for one or more VLANs (the
mapping of VLANs to instances is configurable). MSTP is backward-compatible with STP and Rapid Spanning Tree
Protocol (RSTP). A layer-2 network can contain switches that are running MSTP, STP, or RSTP. MSTP is built on RSTP,
so it provides fast recovery from network faults and fast convergence times.
l Configuring STP on FortiSwitch ports on page 53
l Configuring STP root guard on page 55
l Configuring STP BPDU guard on page 56
l Configuring interoperation with per-VLAN RSTP on page 57
To configure STP for all managed FortiSwitch units:
config switch-controller stp-settings

set name <name>
set revision <stp revision>
set hello-time <hello time>

Fortinet Inc.
set forward-time <forwarding delay>

set max-age <maximum aging time>
set max-hops <maximum number of hops>
end
To override the global STP settings for a specific FortiSwitch unit:

edit <FortiSwitch_serial_number>>
config stp-settings
set local-override enable
end
To configure MSTP instances:
config switch-controller stp-instance

edit <id>
config vlan-range <list of VLAN names>
end
config stp-instance
edit <id>
set priority <0 | 4096 | 8192 | 12288 | 16384 | 20480 | 24576 | 28672 | 32768 |
36864 | 40960 | 45056 | 49152 | 53248 | 57344 | 61440>
next
end
next
end
For example:
config switch-controller stp-instance
edit 1
config vlan-range vlan1 vlan2 vlan3
end
edit S524DF4K15000024
config stp-instance
edit 1
set priority 16384
next
end
next
end
Configuring STP on FortiSwitch ports
STP is enabled by default for the non-FortiLink ports on the managed FortiSwitch units. STP is a link-management
protocol that ensures a loop-free layer-2 network topology.
Use the following commands to enable or disable STP on FortiSwitch ports:
config ports
edit <port_name>

Fortinet Inc.
set stp-state {enabled | disabled}

end
end
For example:
edit S524DF4K15000024
config ports
edit port1
set stp-state enabled
end
end
To check the STP configuration on a FortiSwitch, use the following command:

diagnose switch-controller switch-info stp <FortiSwitch_serial_number> <instance_number>
For example:
FSWMVMTM21000008 # diagnose switch-controller switch-info stp S524DF4K15000024 0
MST Instance Information, primary-Channel:
Instance ID : 0
Switch Priority : 24576
Root MAC Address : 085b0ef195e4
Root Priority: 24576
Root Pathcost: 0
Regional Root MAC Address : 085b0ef195e4
Regional Root Priority: 24576
Regional Root Path Cost: 0
Remaining Hops: 20
This Bridge MAC Address : 085b0ef195e4
This bridge is the root
Port Speed Cost Priority Role State Edge STP-Status

Loop Protection
________________ ______ _________ _________ ___________ __________ ____ __________
________
port1 - 200000000 128 DISABLED DISCARDING YES ENABLED

NO
NO
NO
NO
NO
NO
NO
NO
NO
NO

Fortinet Inc.

NO
NO
NO
NO
NO
NO
NO
NO
NO
NO
NO
NO
NO
NO
NO
NO
NO
NO
NO
internal 1G 20000 128 DESIGNATED FORWARDING YES DISABLED
NO
__FoRtI1LiNk0__ 1G 20000 128 DESIGNATED FORWARDING YES DISABLED
NO
Configuring STP root guard
Root guard protects the interface on which it is enabled from becoming the path to root. When enabled on an interface,
superior BPDUs received on that interface are ignored or dropped. Without using root guard, any switch that participates
in STP maintains the ability to reroute the path to root. Rerouting might cause your network to transmit large amounts of
traffic across suboptimal links or allow a malicious or misconfigured device to pose a security risk by passing core traffic
through an insecure device for packet capture or inspection. By enabling root guard on multiple interfaces, you can
create a perimeter around your existing paths to root to enforce the specified network topology.
Enable root guard on all ports that should not be root bridges. Do not enable root guard on the root port. You must have
STP enabled to be able to use root guard.

Fortinet Inc.
Use the following commands to enable or disable STP root guard on FortiSwitch ports:
config ports
edit <port_name>
set stp-root-guard {enabled | disabled}
end
end
For example:
edit S524DF4K15000024
config ports
edit port1
set stp-root-guard enabled
end
end
Configuring STP BPDU guard
Similar to root guard, BPDU guard protects the designed network topology. When BPDU guard is enabled on STP edge
ports, any BPDUs received cause the ports to go down for a specified number of minutes. The BPDUs are not
forwarded, and the network edge is enforced.
There are two prerequisites for using BPDU guard:
l You must define the port as an edge port with the set edge-port enable command.
l You must enable STP on the switch interface with the set stp-state enabled command.
You can set how long the port will go down when a BPDU is received for a maximum of 120 minutes. The default port
timeout is 5 minutes. If you set the timeout value to 0, the port will not go down when a BPDU is received, but you will
have manually reset the port.
Use the following commands to enable or disable STP BPDU guard on FortiSwitch ports:
config ports
edit <port_name>
set stp-bpdu-guard {enabled | disabled}
set stp-bpdu-guard-time <0-120>
end
end
For example:
edit S524DF4K15000024
config ports
edit port1
set stp-bpdu-guard enabled
set stp-bpdu-guard-time 10
end
end
To check the configuration of STP BPDU guard on a FortiSwitch unit, use the following command:
diagnose switch-controller switch-info bpdu-guard-status <FortiSwitch_serial_number>

Fortinet Inc.
For example:
FSWMVMTM21000008 # diagnose switch-controller switch-info bpdu-guard-status S524DF4K15000024
Managed Switch : S524DF4K15000024 0
Portname State Status Timeout(m) Count Last-Event

_________________ _______ _________ ___________ _____ _______________
port1 enabled - 10 0 -
port2 disabled - - - -
__FoRtI1LiNk0__ disabled - - - -
Configuring interoperation with per-VLAN RSTP
Managed FortiSwitch units can interoperate with a network that is running RPVST+. The existing networkʼs configuration
can be maintained while adding managed FortiSwitch units as an extended region. By default, interoperation with
RPVST+ is disabled.
When an MSTP domain is connected with an RPVST+ domain, FortiSwitch interoperation with the RPVST+ domain
works in two ways:
l If the root bridge for the CIST is within an MSTP region, the boundary FortiSwitch unit of the MSTP region duplicates
instance 0 information, creates one BPDU for every VLAN, and sends the BPDUs to the RPVST+ domain.
In this case, follow this rule: If the root bridge for the CIST is within an MSTP region, VLANs other than VLAN 1
defined in the RPVST+ domains must have their bridge priorities worse (numerically greater) than that of the CIST
root bridge within MSTP region.

Fortinet Inc.
l If the root bridge for the CIST is within an RPVST+ domain, the boundary FortiSwitch unit processes only the VLAN
1 information received from the RPVST+ domain. The other BPDUs (VLANs 2 and above) sent from the connected
RPVST+ domain are used only for consistency checks.
In this case, follow this rule: If the root bridge for the CIST is within the RPVST+ domain, the root bridge priority of
VLANs other than VLAN 1 within that domain must be better (numerically less) than that of VLAN 1.
To configure interoperation with RPVST+:

config ports
edit <port_name>
set rpvst-port {enabled | disabled}
next
end
For example:
FSWMVMTM21000008 (testvdom) # config switch-controller managed-switch
FSWMVMTM21000008 (managed-switch) # edit FS3E32T419000006
FSWMVMTM21000008 (FS3E32T419000006) # config ports
FSWMVMTM21000008 (ports) # edit port5
FSWMVMTM21000008 (port5) # set rpvst-port enabled
FSWMVMTM21000008 (port5) # next
FSWMVMTM21000008 (ports) # end
To check your configuration and to diagnose any problems:
diagnose switch-controller switch-info rpvst <FortiSwitch_serial_number> <port_name>
For example:
diagnose switch-controller switch-info rpvst FS3E32T419000006 port5
Dynamic MAC address learning
You can enable or disable dynamic MAC address learning on a port or VLAN. The existing dynamic MAC entries are
flushed when you change this setting. If you disable MAC address learning, you can set the behavior for an incoming
packet with an unknown MAC address (to drop or forward the packet).
l Limiting the number of learned MAC addresses on a FortiSwitch interface on page 59
l Controlling how long learned MAC addresses are saved on page 59
l Logging violations of the MAC address learning limit on page 60
l Persistent (sticky) MAC addresses on page 61
l Logging changes to MAC addresses on page 61

Fortinet Inc.
Limiting the number of learned MAC addresses on a FortiSwitch interface
You can limit the number of MAC addresses learned on a FortiSwitch interface (port or VLAN). The limit ranges from 1 to
128. If the limit is set to the default value zero, there is no learning limit.
NOTE: Static MAC addresses are not counted in the limit. The limit refers only to learned MAC addresses.
Use the following CLI commands to limit MAC address learning on a VLAN:
config switch vlan
edit <integer>
set switch-controller-learning-limit <limit>
end
end
For example:
config switch vlan
edit 100
set switch-controller-learning-limit 20
end
end
Use the following CLI commands to limit MAC address learning on a port:
config ports
edit <port_name>
set learning-limit <limit>
next
end
end
end
For example:
edit S524DF4K15000024
config ports
edit port3
set learning-limit 50
next
end
end
end
Controlling how long learned MAC addresses are saved
You can change how long learned MAC addresses are stored. By default, each learned MAC address is aged out after
300 seconds. After this amount of time, the inactive MAC address is deleted from the FortiSwitch hardware. The value
ranges from 10 to 1000,000 seconds. Set the value to 0 to disable MAC address aging.
set mac-aging-interval <10 to 1000000>
end

Fortinet Inc.
For example:
set mac-aging-interval 500
end
If the mac-aging-interval is disabled by being set to 0, you can still control when inactive MAC addresses are removed
from the FortiSwitch hardware. By default, inactive MAC addresses are removed after 24 hours. The value ranges from 0
to 168 hours. Set the value to 0 to use the mac-aging-interval setting to control when inactive MAC addresses are
deleted.
set mac-retention-period <0 to 168>
end
For example:
set mac-retention-period 36
end
Logging violations of the MAC address learning limit
If you want to see the first MAC address that exceeded the learning limit for an interface or VLAN, you can enable the
learning-limit violation log for a managed FortiSwitch unit. Only one violation is recorded per interface or VLAN.
By default, logging is disabled. The most recent violation that occurred on each interface or VLAN is recorded in the
system log. After that, no more violations are logged until the log is reset for the triggered interface or VLAN. Only the
most recent 128 violations are displayed in the console.
Use the following commands to control the learning-limit violation log and to control how long learned MAC addresses
are saved:
set mac-violation-timer <0-1500>
set log-mac-limit-violations {enable | disable}
end
For example:
set mac-violation-timer 1000
set log-mac-limit-violations enable
end
To view the content of the learning-limit violation log for a managed FortiSwitch unit, use one of the following commands:
l diagnose switch-controller switch-info mac-limit-violations all <FortiSwitch_
serial_number>
l diagnose switch-controller switch-info mac-limit-violations interface <FortiSwitch_
serial_number> <port_name>
l diagnose switch-controller switch-info mac-limit-violations vlan <FortiSwitch_
serial_number> <VLAN_ID>
For example, to set the learning-limit violation log for VLAN 5 on a managed FortiSwitch unit:
diagnose switch-controller switch-info mac-limit-violations vlan S124DP3XS12345678 5

Fortinet Inc.
To reset the learning-limit violation log for a managed FortiSwitch unit, use one of the following commands:
l execute switch-controller mac-limit-violation reset all <FortiSwitch_serial_number>
l execute switch-controller mac-limit-violation reset vlan <FortiSwitch_serial_
number> <VLAN_ID>
l execute switch-controller mac-limit-violation reset interface <FortiSwitch_serial_
number> <port_name>
For example, to clear the learning-limit violation log for port 5 of a managed FortiSwitch unit:
execute switch-controller mac-limit-violation reset interface S124DP3XS12345678 port5
Persistent (sticky) MAC addresses
You can make dynamically learned MAC addresses persistent when the status of a FortiSwitch port changes (goes
down or up). By default, MAC addresses are not persistent.
Use the following commands to configure the persistence of MAC addresses on an interface:
config ports
edit <port_name>
set sticky-mac {enable | disable}
next
end
You can also save persistent MAC addresses to the FortiSwitch configuration file so that they are automatically loaded
when the FortiSwitch unit is rebooted. By default, persistent entries are lost when a FortiSwitch unit is rebooted. Use the
following commands to save persistent MAC addresses for a specific interface or all interfaces:
execute switch-controller switch-action sticky-mac save interface <FortiSwitch_serial_
number> <port_name>
execute switch-controller switch-action sticky-mac save all <FortiSwitch_serial_number>
Use one of the following commands to delete the persistent MAC addresses instead of saving them in the FortiSwitch
configuration file:
execute switch-controller switch-action delete sticky-mac delete-unsaved all <FortiSwitch_
serial_number>
execute switch-controller switch-action delete sticky-mac delete-unsaved interface
<FortiSwitch_serial_number> <port_name>
Logging changes to MAC addresses
Use the following commands to create syslog entries for when MAC addresses are learned, aged out, and removed:
set mac-event-logging enable
end

Fortinet Inc.
Configuring storm control
Storm control uses the data rate (packets/sec, default 500) of the link to measure traffic activity, preventing traffic on a
LAN from being disrupted by a broadcast, multicast, or unicast storm on a port.
When the data rate exceeds the configured threshold, storm control drops excess traffic. You can configure the types of
traffic to drop: broadcast, unknown unicast, or multicast. By default, these three types of traffic are not dropped.
To configure storm control for all switch ports (including both FortiLink ports and non-FortiLink ports) on the managed
switches, use the following FortiSwitch Manager CLI commands:
config switch-controller storm-control
set rate <rate>
set unknown-unicast {enable | disable}
set unknown-multicast {enable | disable}
set broadcast {enable | disable}
end
To configure storm control for a FortiSwitch port, use the FortiSwitch Manager CLI to select the override storm-control-
mode in the storm-control policy and then assigning the storm-control policy for the FortiSwitch port.
config switch-controller storm-control-policy
edit <storm_control_policy_name>
set description <description_of_the_storm_control_policy>
set storm-control-mode override
set rate <1-10000000 or 0 to drop all packets>
set unknown-unicast {enable | disable}
set unknown-multicast {enable | disable}
set broadcast {enable | disable}
next
end

config ports
edit port5
set storm-control-policy <storm_control_policy_name>
next
end
For example:
config switch-controller storm-control-policy
edit stormpol1
set description "storm control policy for port 5"
set storm-control-mode override
set rate 1000
set unknown-unicast enable
set unknown-multicast enable
set broadcast enable
next
end

edit S524DF4K15000024
config ports
edit port5

Fortinet Inc.
set storm-control-policy stormpol1

next
end
Configuring IGMP-snooping settings
You need to configure global IGMP-snooping settings and IGMP-snooping settings on a FortiSwitch unit before
configuring the IGMP-snooping proxy and IGMP-snooping querier.
l Configuring global IGMP-snooping settings on page 63
l Configuring IGMP-snooping settings on a switch on page 63
l Configuring the IGMP-snooping proxy on page 64
l Configuring the IGMP-snooping querier on page 64
Configuring global IGMP-snooping settings
Use the following commands to configure the global IGMP-snooping settings.

Aging time is the maximum number of seconds that the system will retain a multicast snooping entry. Enter an integer
value from 15 to 3600. The default value is 300.
The flood-unknown-multicast setting controls whether the system will flood unknown multicast messages within
the VLAN.
config switch-controller igmp-snooping
set aging-time <15-3600>
set flood-unknown-multicast {enable | disable}
end
Configuring IGMP-snooping settings on a switch
IGMP snooping allows the FortiSwitch to passively listen to the Internet Group Management Protocol (IGMP) network
traffic between hosts and routers. The switch uses this information to determine which ports are interested in receiving
each multicast feed. FortiSwitch can reduce unnecessary multicast traffic on the LAN by pruning multicast traffic from
links that do not contain a multicast listener.
NOTE: When an inter-switch link (ISL) is formed automatically in FortiLink mode, the igmps-flood-reports and
igmps-flood-traffic options are disabled by default.
Use the following commands to configure IGMP settings on a FortiSwitch port:
config ports
edit <port_name>
set igmps-flood-reports {enable | disable}
set igmps-flood-traffic {enable | disable}
end
end

Fortinet Inc.
For example:
edit S524DF4K15000024
config ports
edit port3
set igmps-flood-reports enable
set igmps-flood-traffic enable
end
end
Configuring the IGMP-snooping proxy
You can use the CLI to enable IGMP proxy per FortiSwitch unit.
By default, IGMP snooping is disabled. You need to enable IGMP snooping on FortiSwitch Manager before you can
enable the IGMP-snooping proxy.
To enable IGMP snooping and the IGMP-snooping proxy:

edit <VLAN_interface>
set switch-controller-igmp-snooping enable
set switch-controller-igmp-snooping-proxy enable
next
end
For example, you can enable IGMP snooping and the IGMP-snooping proxy on VLAN 100:
edit vlan100
set switch-controller-igmp-snooping enable
set switch-controller-igmp-snooping-proxy enable
next
end
Configuring the IGMP-snooping querier
You can configure the IGMP-snooping querier version 2 or 3. When the IGMP querier version 2 is configured, the
managed FortiSwitch unit will send IGMP version-2 queries when no external querier is present. When the IGMP querier
version 3 is configured, the managed FortiSwitch unit will send IGMP version-3 queries when no external querier is
present.
If you have IGMP snooping and the IGMP-snooping proxy enabled on a VLAN, you can then configure the IGMP-
snooping querier on the same VLAN on a managed switch. By default, the IGMP-snooping querier is disabled.
You must enable the overriding of the global IGMP-snooping configuration with the set local-override enable
command.
By default, the maximum time (aging-time) that multicast snooping entries without any packets are kept is for 300
seconds. This value can be in the range of 15-3,600 seconds.

Fortinet Inc.
By default, flood-unknown-multicast is disabled, and unregistered multicast packets are forwarded only to
mRouter ports. If you enable flood-unknown-multicast, unregistered multicast packets are forwarded to all ports in
the VLAN.
The IGMP-snooping proxy uses the global IGMP-snooping configuration by default. You can enable or disable the
IGMP-snooping on the VLAN.
You can optionally specify the IPv4 address that IGMP reports are sent to. You can also set the IGMP-snooping querier
version. The default IGMP querier version is 2.
config igmp-snooping
set aging-time <15-3600>
set flood-unknown-multicast {enable | disable}
config vlans
edit <VLAN_interface>
set proxy {disable | enable | global}
set querier enable
set querier-addr <IPv4_address>
set version {2 | 3}
next
end
end
end
For example:
edit S524DF4K15000024
config igmp-snooping
set aging-time 1000
set flood-unknown-multicast enable
config vlans
edit vlan100
set proxy disable
set querier enable
set querier-addr 1.2.3.4
set version 3
next
end
end
end
Configuring PTP transparent-clock mode
Use the Precision Time Protocol (PTP) transparent-clock mode to measure the overall path delay for packets in a
network to improve the time precision. There are two transparent-clock modes:
l End-to-end measures the path delay for the entire path
l Peer-to-peer measures the path delay between each pair of nodes
Use the following steps to configure PTP transparent-clock mode:

Fortinet Inc.
1. Configure the global PTP settings.

By default, PTP is disabled.
2. Enable the PTP policy.
By default, the PTP policy is enabled.
3. Apply the PTP policy to a port.
NOTE: PTP policies are hidden on virtual ports
To configure the global PTP settings:
config switch-controller ptp settings

set mode {disable | transparent-e2e | transparent-p2p}
end
To enable the PTP policy:
config switch-controller ptp policy

edit {default | <policy_name>}
set status {enable | disable}
next
end
To apply the PTP policy to a port:

config ports
edit <port_name>
set ptp-policy {default | <policy_name>}
end
end
For example:
config switch-controller ptp settings
set mode transparent-p2p
end
config switch-controller ptp policy

edit ptppolicy1
set status enable
next
end

edit S524DF4K15000024
config ports
edit port5
set ptp-policy ptppolicy1
end
end

Fortinet Inc.
Device detection
Device detection

l Configuring LLDP-MED settings on page 67
Configuring LLDP-MED settings
LLDP neighbor devices are dynamically detected. By default, this feature is enabled in FortiSwitch Manager but disabled
in managed FortiSwitch units. Dynamic detection must be enabled in both FortiSwitch Manager and FortiSwitchOS for
this feature to work.
l Adding media endpoint discovery (MED) to an LLDP configuration on page 69
l Displaying LLDP information on page 70
l Configuring the LLDP settings on page 70
To configure LLDP profiles in FortiSwitch Manager:
config switch-controller lldp-profile

edit <profile_name>
set med-tlvs (inventory-management | network-policy | power-management | location-
identification)
set 802.1-tlvs port-vlan-id
set 802.3-tlvs {max-frame-size | power-negotiation}
set auto-isl {enable | disable}
set auto-isl-hello-timer <1-30>
set auto-isl-port-group <0-9>
set auto-isl-receive-timeout <3-90>
config med-network-policy
edit {guest-voice | guest-voice-signaling | softphone-voice | streaming-video |
video-conferencing | video-signaling | voice | voice-signaling}
set vlan-intf <string>
set priority <0-7>
set dscp <0-63>
next
end
config med-location-service
edit {address-civic | coordinates | elin-number}
set sys-location-id <string>
next
end
config-tlvs
edit <TLV_name>
set oui <hexadecimal_number>
set subtype <0-255>
set information-string <0-507>

Fortinet Inc.
Device detection
next
end
next
end
Variable Description
<profile_name> Enable or disable
med-tlvs (inventory-management Select which LLDP-MED type-length-value descriptions (TLVs) to transmit:

| network-policy | power-management | inventory-managment TLVs, network-policy TLVs, power-management
location-identification) TLVs for PoE, and location-identification TLVs. You can select one or more
option. Separate multiple options with a space.
802.1-tlvs port-vlan-id Transmit the IEEE 802.1 port native-VLAN TLV.
802.3-tlvs {max-frame-size | power- Select whether to transmit the IEEE 802.3 maximum frame size TLV, the
negotiation} power-negotiation TLV for PoE, or both. Separate multiple options with a
space.
auto-isl {enable | disable} Enable or disable the automatic inter-switch LAG.
auto-isl-hello-timer <1-30> If you enabled auto-isl, you can set the number of seconds for the automatic
inter-switch LAG hello timer. The default value is 3 seconds.
auto-isl-port-group <0-9> If you enabled auto-isl, you can set the automatic inter-switch LAG port
group identifier.
auto-isl-receive-timeout <3-90> If you enabled auto-isl, you can set the number of seconds before the
automatic inter-switch LAG times out if no response is received. The default
value is 9 seconds.
{guest-voice | guest-voice-signaling | Select which Media Endpoint Discovery (MED) network policy type-length-
softphone-voice | streaming-video | value (TLV) category to edit.
video-conferencing | video-signaling |
voice | voice-signaling}
status {enable | disable} Enable or disable whether this TLV is transmitted.
vlan-intf <string> If you enabled the status, you can enter the VLAN interface to advertise.
The maximum length is 15 characters.
priority <0-7> If you enabled the status, you can enter the advertised Layer-2 priority. Set
to 7 for the highest priority.
dscp <0-63> If you enabled the status, you can enter the advertised Differentiated
Services Code Point (DSCP) value to indicate the level of service requested
for the traffic.
config med-location-service
{address-civic | coordinates | elin- Select which Media Endpoint Discovery (MED) location type-length-value
number} (TLV) category to edit.
status {enable | disable} Enable or disable whether this TLV is transmitted.

Fortinet Inc.
Device detection
sys-location-id <string> If you enabled the status, you can enter the location service identifier. The
maximum length is 63 characters.
config-tlvs
<TLV_name> Enter the name of a custom TLV entry.
oui <hexadecimal_number> Ener the organizationally unique identifier (OUI), a 3-byte hexadecimal
number, for this TLV.
subtype <0-255> Enter the organizationally defined subtype.
information-string <0-507> Enter the organizationally defined information string in hexadecimal bytes.
To configure LLDP settings in FortiSwitch Manager:
config switch-controller lldp-settings

set tx-hold <int>
set tx-interval <int>
set fast-start-interval <int>
set management-interface {internal | management}
set device-detection {enable | disable}
end
tx-hold Number of tx-intervals before the local LLDP data expires. Therefore, the
packet TTL (in seconds) is tx-hold times tx-interval. The range for tx-
hold is 1 to 16, and the default value is 4.
tx-interval How often the FortiSwitch transmits the LLDP PDU. The range is 5 to 4095
seconds, and the default is 30 seconds.
fast-start-interval How often the FortiSwitch transmits the first 4 LLDP packets when a link
comes up. The range is 2 to 5 seconds, and the default is 2 seconds. Set this
variable to zero to disable fast start.
management-interface Primary management interface to be advertised in LLDP and CDP PDUs.
device-detection {enable | disable} Enable or disable whether LLDP neighbor devices are dynamically detected.
By default, this setting is disabled.
To configure dynamic detection of LLDP neighbor devices in FortiSwitchOS:
config switch lldp settings

set device-detection enable
end
Adding media endpoint discovery (MED) to an LLDP configuration
You can use the following commands to add media endpoint discovery (MED) features to an LLDP profile:
config switch-controller lldp-profile

Fortinet Inc.
Device detection
edit <lldp-profle>
edit guest-voice
set status {disable | enable}
next
edit guest-voice-signaling
next
edit guest-voice-signaling
next
edit softphone-voice
next
edit streaming-video
next
edit video-conferencing
next
edit video-signaling
next
edit voice
next
edit voice-signaling
end
config custom-tlvs
edit <name>
set oui <identifier>
set subtype <subtype>
set information-string <string>
end
end
Displaying LLDP information
You can use the following commands to display LLDP information:

diagnose switch-controller switch-info lldp stats <switch> <port>
diagnose switch-controller switch-info lldp neighbors-summary <switch>
diagnose switch-controller switch-info lldp neighbors-detail <switch>
Configuring the LLDP settings
The Fortinet data center switches support the Link Layer Discovery Protocol (LLDP) for transmission and reception
wherein the switch will multicast LLDP packets to advertise its identity and capabilities. A switch receives the equivalent
information from adjacent layer-2 peers.
Use the following commands to configure LLDP on a FortiSwitch port:

Fortinet Inc.
Device detection
config ports
edit <port_name>
set lldp-status {rx-only | tx-only | tx-rx | disable}
set lldp-profile <profile_name>
end
end
For example:
edit S524DF4K15000024
config ports
edit port2
set lldp-status tx-rx
set lldp-profile default
end
end
Use the following commands to configure LLDP on a virtual FortiSwitch port:

config ports
edit <port_name>
set lldp-status {rx-only | tx-only | tx-rx | disable}
set lldp-profile <profile_name>
next
end
end
end
For example:
edit "S424ENTF19000007"
config ports
edit port28
set lldp-status tx-rx
set lldp-profile lldpprofile1
next
end
end
end

Fortinet Inc.
FortiSwitch security

l FortiSwitch security policies on page 72
l Configuring the DHCP trust setting on page 81
l Configuring the DHCP server access list on page 82
l Configuring dynamic ARP inspection (DAI) on page 84
l Configuring IPv4 source guard on page 84
FortiSwitch security policies
To control network access, the managed FortiSwitch unit supports IEEE 802.1x authentication. A supplicant connected
to a port on the switch must be authenticated by a RADIUS/Diameter server to gain access to the network. The
supplicant and the authentication server communicate using the switch using the EAP protocol. The managed
FortiSwitch unit supports EAP-PEAP, EAP-TTLS, EAP-TLS, and EAP-MD5.
To use the RADIUS server for authentication, you must configure the server before configuring the users or user groups
on the managed FortiSwitch unit.
NOTE: In FortiLink mode, you must manually create a firewall policy to allow RADIUS traffic for 802.1x authentication
from the FortiSwitch unit (for example, from the FortiLink interface) to the RADIUS server through FortiSwitch Manager.
The managed FortiSwitch unit implements MAC-based authentication. The switch saves the MAC address of each
supplicantʼs device. The switch provides network access only to devices that have successfully been authenticated.
You can enable the MAC Authentication Bypass (MAB) option for devices (such as network printers) that cannot
respond to the 802.1x authentication request. With MAB enabled on the port, the system will use the device MAC
address as the user name and password for authentication. If a link goes down, you can select whether the impacted
devices must reauthenticate. By default, reauthentication is disabled.
You can configure a guest VLAN for unauthorized users and a VLAN for users whose authentication was unsuccessful.
If the RADIUS server cannot be reached for 802.1x authentication, you can specify a RADIUS timeout VLAN for users
after the authentication server timeout period expires.
When you are testing your system configuration for 802.1x authentication, you can use the monitor mode to allow
network traffic to flow, even if there are configuration problems or authentication failures.
Fortinet recommends an 802.1x setup rate of 5 to 10 sessions per second.

l Number of devices supported per port for 802.1x MAC-based authentication on page 73
l Configuring the 802.1x settings on page 73
l Overriding the settings on page 74
l Defining an 802.1x security policy on page 75

Fortinet Inc.
l Applying an 802.1x security policy to a FortiSwitch port on page 76

l Testing 802.1x authentication with monitor mode on page 77
l Clearing authorized sessions on page 77
l RADIUS accounting support on page 78
l RADIUS change of authorization (CoA) support on page 78
l Detailed deployment notes on page 81
Number of devices supported per port for 802.1x MAC-based authentication
The FortiSwitch unit supports up to 20 devices per port for 802.1x MAC-based authentication. System-wide, the
FortiSwitch unit now supports a total of 10 times the number of interfaces for 802.1x MAC-based authentication. See the
following table.
Model Total number of devices supported per switch
108 80
112 60
124/224/424/524/1024 240
148/248/448/548/1048 480
3032 320
Configuring the 802.1x settings
To configure the 802.1x security policy:
config switch-controller 802-1X-settings

set link-down-auth {set-unauth | no-action}
set reauth-period <integer>
set max-reauth-attempt <integer>
set tx-period <integer>
set mab-reauth {enable | disable}
end
Option Description Default

link-down-auth {set-unauth | If a link is down, this command determines the authentication set-
no-action} state. Choosing set-unauth sets the interface to unauth
unauthenticated when a link is down, and reauthentication is
needed. Choosing no-action means that the interface does
not need to be reauthenticated when a link is down.

Fortinet Inc.
Option Description Default

reauth-period <integer> This command sets how often reauthentication is needed. The 60
range is 1-1440 minutes. Setting the value to 0 minutes
disables reauthentication.
NOTE: Setting the reauth-period to 0 is supported only in the

CLI. The RADIUS dynamic session timeout and CoA session
timeout do not support setting the Session Timeout to 0.
max-reauth-attempt <integer> This command sets the maximum number of reauthentication 3
attempts. The range is 1-15. Setting the value to 0 disables
reauthentication.
tx-period <integer> This command sets the 802.1x transmission period in 30
seconds. The range is 4-60.
mab-reauth {enable | This command enables or disables MAB reauthentication. disable
disable}
Overriding the settings
You can override the settings for the 802.1x security policy.
Using the FortiSwitch Manager GUI
To override the 802.1x settings:

2. Right-click on a switch name and select Edit.
3. In the Edit Managed FortiSwitch page, enable Override 802-1X settings.
4. In the Reauthentication Interval field, enter the number of minutes before reauthentication is required. The
maximum interval is 1,440 minutes. Setting the value to 0 minutes disables reauthentiction.
5. In the Max Reauthentication Attempts field, enter the maximum times that reauthentication is attempted. The
maximum number of attempts is 15. Setting the value to 0 disables reauthentication.
6. Select Deauthenticate or None for the link down action. Selecting Deauthenticate sets the interface to
unauthenticated when a link is down, and reauthentication is needed. Selecting None means that the interface does
not need to be reauthenticated when a link is down.
7. Click OK.
Using the FortiSwitch Manager CLI
To override the 802.1x settings:

config 802-1X-settings
set local-override {enable | *disable}
set reauth-period <integer> // visible if override enabled
set max-reauth-attempt <integer> // visible if override enabled
set link-down-auth {*set-unauth | no-action} // visible if override enabled
set mab-reauth {enable | disable} // visible if override enabled

Fortinet Inc.
end
next
end
For a description of the options, see Configuring the 802.1x settings.
Defining an 802.1x security policy
You can define multiple 802.1x security policies.
To create an 802.1x security policy:

1. Go to Switch Controller > FortiSwitch Port Policies.
2. Under Security Policies, click Create New.
3. Enter a name for the new FortiSwitch security policy.
4. For the security mode, click Port-based or MAC-based.
5. Select + to select which user groups will have access.
6. Enable or disable guest VLANs on this interface to allow restricted access for some users.
7. Enter the number of seconds for authentication delay for guest VLANs. The range is 1-900 seconds.
8. Enable or disable authentication fail VLAN on this interface to allow restricted access for users who fail to access
the guest VLAN.
9. Enable or disable MAC authentication bypass (MAB) on this interface.
10. Enable or disable EAP pass-through mode on this interface.
11. Enable or disable whether the session timeout for the RADIUS server will overwrite the local timeout.
12. Select OK.
To create an 802.1x security policy, use the following commands:

config switch-controller security-policy 802-1X
edit "<policy.name>"
set security-mode {802.1X | 802.1X-mac-based}
set user-group <*group_name | Guest-group | SSO_Guest_Users>
set mac-auth-bypass {enable | *disable}
set eap-passthru {enable | disable}
set guest-vlan {enable | *disable}
set guest-vlan-id "<guest-VLAN-name>"
set guest-auth-delay <integer>
set auth-fail-vlan {enable | *disable}
set auth-fail-vlan-id "<auth-fail-VLAN-name>"
set radius-timeout-overwrite {enable | *disable}
set policy-type 802.1X
set authserver-timeout-vlan {enable | disable}
set authserver-timeout-period <integer>
set authserver-timeout-vlanid "<RADIUS-timeout-VLAN-name>"
end
end

Fortinet Inc.
Option Description
set security-mode You can restrict access with 802.1x port-based authentication or with
802.1x MAC-based authentication.
set user-group You can set a specific group name, Guest-group, or SSO_Guest_Users to
have access. This setting is mandatory.
set mac-auth-bypass You can enable or disable MAB on this interface.
set eap-passthrough You can enable or disable EAP pass-through mode on this interface.
set guest-vlan You can enable or disable guest VLANs on this interface to allow restricted
access for some users.
set guest-vlan-id "<guest- You can specify the name of the guest VLAN.
VLAN-name>"
set guest-auth-delay You can set the authentication delay for guest VLANs on this interface. The
range is 1-900 seconds.
set auth-fail-vlan You can enable or disablethe authentication fail VLAN on this interface to
allow restricted access for users who fail to access the guest VLAN.
set auth-fail-vlan-id You can specify the name of the authentication fail VLAN
"<auth-fail-VLAN-name>"
set radius-timeout-overwrite You can enable or disable whether the session timeout for the RADIUS
server will overwrite the local timeout.
set policy-type 802.1X You can set the policy type to the 802.1x security policy.
set authserver-timeout-vlan Enable or disable the RADIUS timeout VLAN on this interface to allow
limited access for users when the RADIUS server times out before finishing
authentication.
By default, this option is disabled.
set authserver-timeout- You can set how many seconds the RADIUS server has to authenticate
period users. The range of values is 3-15 seconds; the default time is 3 seconds.
This option is only visible when authserver-timeout-vlan is enabled.
set authserver-timeout- The VLAN name that is used for users when the RADIUS server times out
vlanid "<RADIUS-timeout- before finishing authentication.
VLAN-name>" This option is only visible when authserver-timeout-vlan is enabled.
Applying an 802.1x security policy to a FortiSwitch port
You can apply a different 802.1x security policy to each FortiSwitch port.
To apply an 802.1x security policy to a managed FortiSwitch port:

2. Select the + next to a FortiSwitch unit.

Fortinet Inc.
3. In the Security Policy column for a port, click + to select a security policy.
4. Select OK to apply the security policy to that port.
To apply an 802.1x security policy to a managed FortiSwitch port, use the following commands:
edit <managed-switch>
config ports
edit <port>
set port-security-policy <802.1x-policy>
next
end
next
end
Testing 802.1x authentication with monitor mode
Use the monitor mode to test your system configuration for 802.1x authentication. You can use monitor mode to test
port-based authentication, MAC-based authentication, EAP pass-through mode, and MAC authentication bypass.
Monitor mode is disabled by default. After you enable monitor mode, the network traffic will continue to flow, even if the
users fail authentication.
To enable or disable monitor mode:
config switch-controller security-policy 802-1X

edit "<policy_name>"
set open-auth {enable | disable}
next
end
Clearing authorized sessions
You can clear authorized sessions associated with a specific interface or a specific MAC address.
To clear the 802.1x-authorized session associated with a specific MAC address:
execute switch-controller switch-action 802-1X clear-auth-mac <FortiSwitch_serial_number>

<MAC_address>
For example:
execute switch-controller switch-action 802-1X clear-auth-mac S548DF5018000776
4f:8d:c2:73:dd:fe
To clear the 802.1x-authorized sessions associated with a specific interface:
execute switch-controller switch-action 802-1X clear-auth-port <FortiSwitch_serial_number>

<port_name>
For example:
execute switch-controller switch-action 802-1X clear-auth-port S524DF4K15000024 port1

Fortinet Inc.
RADIUS accounting support
The FortiSwitch unit uses 802.1x-authenticated ports to send five types of RADIUS accounting messages to the
RADIUS accounting server to support FortiSwitch Manager RADIUS single sign-on:
l START—The FortiSwitch unit has been successfully authenticated, and the session has started.
l STOP—The FortiSwitch session has ended.
l INTERIM—Periodic messages sent based on the value set using the set acct-interim-interval command.
l ON—The FortiSwitch unit will send this message when the switch is turned on.
l OFF—The FortiSwitch unit will send this message when the switch is shut down.
You can specify more than one value to be sent in the RADIUS Service-Type attribute. Use a space between multiple
values.
Use the following commands to set up RADIUS accounting so that FortiSwitch Manager can send accounting messages
to managed FortiSwitch units:
config user radius
edit <RADIUS_server_name>
set acct-interim-interval <seconds>
set switch-controller-service-type {administrative | authenticate-only | callback-
administrative | callback-framed | callback-login | callback-nas-prompt | call-
check | framed | login | nas-prompt | outbound}
config accounting-server
edit <entry_ID>
set server <server_IP_address>
set secret <secret_key>
set port <port_number>
next
end
next
end
RADIUS change of authorization (CoA) support
For increased security, each subnet interface that will be receiving CoA requests must be configured with the set
allowaccess radius-acct command.
RADIUS accounting and CoA support EAP and MAB 802.1x authentication.
The FortiSwitch unit supports two types of RADIUS CoA messages:
l CoA messages to change session authorization attributes (such as data filters and the session-timeout setting )
during an active session.
l Disconnect messages (DMs) to flush an existing session. For MAC-based authentication, all other sessions are
unchanged, and the port stays up. For port-based authentication, only one session is deleted.
RADIUS CoA messages use the following Fortinet proprietary attribute:
Fortinet-Host-Port-AVPair 42 string
The format of the value is as follows:

Fortinet Inc.
Attribute Value Description
Fortinet-Host-Port-AVPair action=bounce-port The FortiSwitch unit disconnects all sessions on a

port. The port goes down for 10 seconds and then
up again.
Fortinet-Host-Port-AVPair action=disable-port The FortiSwitch unit disconnects all session on a

port. The port goes down until the user resets it.
Fortinet-Host-Port-AVPair action=reauth-port The FortiSwitch unit forces the reauthentication of

the current session.
In addition, RADIUS CoA use the session-timeout attribute:
Attribute Value Description
session-timeout <session_timeout_ The FortiSwitch unit disconnects a session after

value> the specified number of seconds of idleness. This
value must be more than 60 seconds. NOTE: To
use the session-timeout attribute, you must
enable the set radius-timeout-overwrite
command first.
The FortiSwitch unit sends the following Error-Cause codes in RADIUS CoA-NAK and Disconnect-NAK messages.
Error Cause Error Code Description
Unsupported Attribute 401 This error is a fatal error, which is sent if a request
contains an attribute that is not supported.
NAS Identification Mismatch 403 This error is a fatal error, which is sent if one or more
NAS-Identifier Attributes do not match the identity of the
NAS receiving the request.
Invalid Attribute Value 407 This error is a fatal error, which is sent if a CoA-Request
or Disconnect-Request message contains an attribute
with an unsupported value.
Session Context Not Found 503 This error is a fatal error if the session context identified
in the CoA-Request or Disconnect-Request message
does not exist on the NAS.
Configuring CoA and disconnect messages
Use the following commands to enable a FortiSwitch unit to receive CoA and disconnect messages from a RADIUS
server:
edit "mgmt"
set ip <address> <netmask>
set allowaccess <access_types>
set type physical
next
config user radius

Fortinet Inc.
edit <RADIUS_server_name>
set radius-coa {enable | disable}
set radius-port <port_number>
set secret <secret_key>
set server <server_name_IPv4>
end
ip <address> <netmask> Enter the interface IP address and netmask.
allowaccess <access_types> Enter the types of management access permitted on this interface.
Valid types are as follows: http https ping snmp ssh telnet
radius-acct. Separate each type with a space. You must include
radius-acct to receive CoA and disconnect messages.
<RADIUS_server_name> Enter the name of the RADIUS server that will be sending CoA and
disconnect messages to the FortiSwitch unit. By default, the messages
use port 3799.
config user radius
radius-coa {enable | disable} Enable or disable whether the FortiSwitch unit will accept CoA and
disconnect messages. The default is disable.
radius-port <port_number> Enter the RADIUS port number. By default, the value is 0 for
FortiSwitch Manager, which uses port 1812 for the FortiSwitch unit in
FortiLink mode.
secret <secret_key> Enter the shared secret key for authentication with the RADIUS server.
There is no default.
server <server_name_IPv4> Enter the domain name or IPv4 address for the RADIUS server. There
is no default.
Example: RADIUS CoA
The following example uses the FortiSwitch Manager CLI to enable the FortiSwitch unit to receive CoA and disconnect
messages from the specified RADIUS server:
edit default
set internal-allowaccess ping https http ssh snmp telnet radius-acct
next
end
config user radius
edit "Radius-188-200"
set radius-coa enable
set radius-port 0
set secret ENC
+2NyBcp8JF3/OijWl/w5nOC++aDKQPWnlC8Ug2HKwn4RcmhqVYE+q07yI9eSDhtiIw63kR/oMBLGwFQoe
ZfOQWengIlGTb+YQo/lYJn1V3Nwp9sdkcblfyayfc9gTeqe+mFltKl5IWNI7WRYiJC8sxaF9Iyr2/l4hp
CiVUMiPOU6fSrj
set server "10.105.188.200"

Fortinet Inc.
next
end
Detailed deployment notes
l Using more than one security group (with the set security-groups command) per security profile is not
supported.
l CoA and single sign-on are supported only by the CLI in this release.
l RADIUS CoA is supported in standalone mode. In addition, RADIUS CoA is supported in FortiLink mode when NAT
is disabled in the firewall policy (set nat disable under the config firewall policy command), and the
interfaces on the link between FortiSwitch Manager and FortiSwitch unit are assigned routable addresses other
than 169.254.1.x.
l The FortiSwitch unit supports using FortiAuthenticator, FortiConnect, Microsoft Network Policy Server (NPS), Aruba
ClearPass, and Cisco Identity Services Engine (ISE) as the RADIUS server for CoA and RSSO.
l Each RADIUS CoA server can support only one accounting manager in this release.
l RADIUS accounting/CoA/VLAN-by-name features are supported only with eap-passthru enable.
l Fortinet recommends a unique secret key for each accounting server.
l For CoA to correctly function with FortiAuthenticator or FortiConnect, you must include the User-Name attribute
(you can optionally include the Framed-IP-Address attribute) or the User-Name and Calling-Station-ID attributes in
the CoA request.
l To obtain a valid Framed-IP-Address attribute value, you need to manually configure DHCP snooping in the 802.1x-
authenticated ports of your VLAN network for both port and MAC modes.
l Port-based basic statistics for RADIUS accounting messages are supported in the Accounting Stop request.
l By default, the accounting server is disabled. You must enable the accounting server with the set status
enable command.
l The default port for FortiAuthenticator single sign-on is 1813 for the FortiSwitch unit.
l In MAC-based authentication, the maximum number of client MAC addresses is 20. Each model has its own
maximum limit.
l Static MAC addresses and sticky MAC addresses are mechanisms for manual/local authorization; 802.1x is a
mechanism for protocol-based authorization. Do not mix them.
l Fortinet recommends an 802.1x setup rate of 5 to 10 sessions per second.
l When 802.1x authentication is configured, the EAP pass-through mode (set eap-passthru) is enabled by
default.
l For information about the RADIUS attributes supported by FortiSwitchOS, refer to the “Supported attributes for
RADIUS CoA and RSSO” appendix in the FortiSwitchOS Administration Guide—Standalone Mode.
Configuring the DHCP trust setting
The DHCP blocking feature monitors the DHCP traffic from untrusted sources (for example, typically host ports and
unknown DHCP servers) that might initiate traffic attacks or other hostile actions. To prevent this, DHCP blocking filters
messages on untrusted ports.
Set the port as a trusted or untrusted DHCP-snooping interface:
config ports
edit <port_name>

Fortinet Inc.
set dhcp-snooping {trusted | untrusted}

end
end
For example:
edit S524DF4K15000024
config ports
edit port1
set dhcp-snooping trusted
end
end
Configuring the DHCP server access list
You can configure which DHCP servers that DHCP snooping includes in the server access list. These servers on the list
are allowed to respond to DHCP requests.
NOTE: You can add 255 servers per table. The maximum number of DHCP servers that can be added to all instances of
the table is 2,048. This maximum is a global limit and applies across all VLANs.
Configuring the DHCP server access list consists of the following steps:
1. Enable the DHCP server access list on a VDOM level or switch-wide level.
By default, the server access list is disabled, which means that all DHCP servers are allowed. When the server
access list is enabled, only the DHCP servers in the server access list are allowed.
2. Configure the VLAN settings for the managed switch port.
You can set the DHCP server access list to global to use the VDOM or system-wide setting, or you can set the
DHCP server access list to enable to override the global settings and enable the DHCP server access list.
In the managed FortiSwitch unit, all ports are untrusted by default, and DHCP snooping is disabled on all untrusted
ports. You must set the managed switch port to be trusted to allow DHCP snooping.
3. Configure DHCP snooping and the DHCP access list for the managed FortiSwitch interface.
By default, DHCP snooping is disabled on the managed FortiSwitch interface.
To enable the DHCP sever access list on a global level:

set dhcp-server-access-list enable
end
For example:
FSWMVMTM21000008 (root) # config switch-controller global
FSWMVMTM21000008 (global) # set dhcp-server-access-list enable
FSWMVMTM21000008 (global) # end
To configure the VLAN settings:

set dhcp-server-access-list {global | enable | disable}
config ports
edit <port_name>

Fortinet Inc.
set vlan <VLAN_name>

next
end
next
end
For example:
edit "S524DN4K16000116"
set fsw-wan1-peer "port11"
set dhcp-server-access-list enable
config ports
edit "port19"
set vlan "_default.13"
set allowed-vlans "quarantine.13"
set untagged-vlans "quarantine.13"
set export-to "vdom1"
next
end
next
end
To configure the interface settings:

edit <VLAN_name>
set switch-controller-dhcp-snooping enable
config dhcp-snooping-server-list
edit <DHCP_server_name>
set server-ip <IPv4_address_of_DHCP_server>
next
end
next
end
For example:
edit "_default.13"
set vdom "vdom1"
set ip 5.4.4.1 255.255.255.0
set allowaccess ping https ssh http fabric
set alias "_default.port11"
set snmp-index 30
set switch-controller-dhcp-snooping enable
config dhcp-snooping-server-list
edit "server1"
set server-ip 10.20.20.1
next
end
set switch-controller-feature default-vlan
set interface "port11"
set vlanid 1
next
end

Fortinet Inc.
Configuring dynamic ARP inspection (DAI)
DAI prevents man-in-the-middle attacks and IP address spoofing by checking that packets from untrusted ports have
valid IP-MAC-address binding. DAI allows only valid ARP requests and responses to be forwarded.
To use DAI, you must first enable the DHCP-snooping feature, enable DAI, and then enable DAI for each VLAN. By
default, DAI is disabled on all VLANs.
After enabling DHCP snooping with the set switch-controller-dhcp-snooping enable command, use the
following CLI commands to enable DAI and then enable DAI for a VLAN:
edit vsw.test
set switch-controller-arp-inpsection {enable | disable}
end

config ports
edit <port_name>
arp-inspection-trust <untrusted | trusted>
next
end
next
end
Use the following CLI command to check DAI statistics for a FortiSwitch unit:
diagnose switch-controller switch-info arp-inspection stats <FortiSwitch_serial_number>
Use the following CLI command to delete DAI statistics for a specific VLAN:
diagnose switch-controller switch-info arp-inspection stats-clear <VLAN_ID> <FortiSwitch_
serial_number>
Configuring IPv4 source guard
IPv4 source guard protects a network from IPv4 spoofing by only allowing traffic on a port from specific IPv4 addresses.
Traffic from other IPv4 addresses is discarded. The discarded addresses are not logged.
IPv4 source guard allows traffic from the following sources:
l Static entries—IP addresses that have been manually associated with MAC addresses.
l Dynamic entries—IP addresses that have been learned through DHCP snooping.
By default, IPv4 source guard is disabled. You must enable it on each port that you want protected.
If you add more than 2,048 IP source guard entries from FortiSwitch Manager, you will get an error. When there is a
conflict between static entries and dynamic entries, static entries take precedence over dynamic entries.
IPv4 source guard can be configured in FortiSwitch Manager. The following FortiSwitch models support IP source guard:
l FSR-124D
l FS-224D-FPOE

Fortinet Inc.
l FS-248D
l FS-424D-POE
l FS-424D-FPOE
l FS-448D-POE
l FS-448D-FPOE
l FS-424D
l FS-448D
l FSW-2xxE
Configuring IPv4 source guard consists of the following steps:
1. Enabling IPv4 source guard on page 85
2. Creating static entries on page 85
3. Checking the IPv4 source-guard entries on page 86
Enabling IPv4 source guard
You must enable IPv4 source guard in the FortiSwitch Manager CLI before you can configure it.
To enable IPv4 source guard:

edit <FortiSwitch_serial_number
config ports
edit <port_name>
set ip-source-guard enable
next
end
end
For example:
edit S424DF4K15000024
config ports
edit port20
set ip-source-guard enable
next
end
end
Creating static entries
After you enable IPv4 source guard in the FortiSwitch Manager CLI, you can create static entries in the FortiSwitch
Manager CLI by binding IPv4 addresses with MAC addresses. For IPv4 source-guard dynamic entries, you need to
configure DHCP snooping. See Configuring DHCP blocking, STP, and loop guard on managed FortiSwitch ports on
page 50.
To create static entries:


Fortinet Inc.
config ip-source-guard
edit <port_name>
config binding-entry
edit <id>
set ip <xxx.xxx.xxx.xxx>
set mac <XX:XX:XX:XX:XX:XX>
next
end
next
end
next
end
For example:
edit S424DF4K15000024
config ip-source-guard
edit port4
config binding-entry
edit 1
set ip 172.168.20.1
set mac 00:21:cc:d2:76:72
next
end
next
end
next
end
Checking the IPv4 source-guard entries
After you configure IPv4 source guard , you can check the entries.
Static entries are manually added by the config switch ip-source-guard command. Dynamic entries are added
by DHCP snooping.
Use this command in the FortiSwitch Manager CLI to display all IP source-guard entries:
diagnose switch-controller switch-info ip-source-guard hardware <FortiSwitch_serial_number>

Fortinet Inc.
Configuring layer-3 routing on FortiSwitch units
To use layer-3 routing on FortiSwitch units, the managed switches must be running
FortiSwitchOS 7.2.0 or later.
You can configure the following layer-3 routing on FortiSwitch units:

l Static routes for IPv4 traffic on page 88
You add static routes to manually control traffic exiting the FortiSwitch unit. You configure routes by specifying
destination IP addresses and network masks and adding gateways for these destination addresses. Gateways are
the next-hop routers to which traffic that matches the destination addresses in the route are forwarded.
l Switch virtual interfaces on page 89
A switch virtual interface (SVI) is a logical interface that is associated with a VLAN and supports routing and
switching protocols.
You can assign an IP address to the SVI to enable routing between VLANs. For example, SVIs can route between
two different VLANs connected to a switch (no need to connect through a layer-3 router).
l Routed VLAN interfaces on page 92
A routed VLAN interface (RVI) is a physical port or trunk interface that supports layer-3 routing protocols. When the
physical port or trunk is administratively down, the RVI for that physical port or trunk goes down as well. All RVIs use
the same VLAN, 4095.
RVIs support ECMP, multiple IP addresses, IPv4 addresses, IPv6 addresses, BFD, VRRP, DHCP server, DHCP
relay, RIP, OSPF, ISIS, BGP, and PIM. VRF support of RVIs on managed switches requires FortiSwitchOS 7.2.1 or
later.
l Virtual routing and forwarding on page 92
You can use the virtual routing and forwarding (VRF) feature to create multiple routing tables within the same router.
After you create a VRF instance, you can assign the VRF instance to an SVI or RVI when you create the SVI or RVI
or assign the VRF instance to an IPv4 static route when you create the static route.
You need to configure VRF before using the VRF instance in an SVI or RVI configuration.

Fortinet Inc.
Static routes for IPv4 traffic
If you use the same sequence number for a static route in FortiSwitch Manager and an existing
route on a managed switch, the FortiSwitch Manager static route will overwrite the managed
switch static route. Managed switches might have existing static routes that are necessary for
the management connection or for networking, such as VXLAN. To avoid overwriting any
existing static routes on managed switches, use higher numbers (such as 100 and higher) for
the sequence numbers for FortiSwitch Manager static routes.
You cannot use the management port of a FortiSwitch unit in the set device command.
FortiSwitch Manager cannot create static routes that use the management port of a
FortiSwitch unit as the device. If static routes must include the management port, add the
routes using custom commands or add the static route directly on the FortiSwitch unit.

edit <FortiSwitch-serial-number>
config router-static
edit <sequence_number>
set switch-id <FortiSwitch-serial-number>
set blackhole {enable | disable}
set comment <string>
set device <interface_name>
set distance <1-255>
set dst <destination-address_IPv4mask>
set dynamic-gateway {enable | disable}
set gateway <gateway-address_IPv4>
set vrf <VRF_name>
next
end
next
end
<sequence_number> Enter a sequence number for the static route. No default
NOTE: To avoid overwriting any existing static routes on

managed switches, use higher numbers (such as 100 and
higher) for the sequence numbers for FortiSwitch Manager
static routes.
switch-id <FortiSwitch-serial- Enter the serial number for the managed FortiSwitch unit. No default
number>
blackhole {enable | disable} Enable or disable dropping all packets that match this route. disable
comment <string> Optionally enter a descriptive comment. No default

Fortinet Inc.
device <interface_name> Enter the name of the interface through which to route traffic. No default
Enter ‘?’ to see a list of interfaces.
NOTE: You cannot use the management port of a FortiSwitch

unit in the set device command
distance <1-255> Enter the administrative distance for the route. 10
dst <destination-address_ Enter the destination IPv4 address and network mask for this 0.0.0.0 0.0.0.0
IPv4mask> route. You can enter 0.0.0.0/0 to create a new static default
route.
dynamic-gateway {enable | When enabled, the route gateway IP is obtained using DHCP disable
disable} running on the provided routeʼs device interface.
gateway <gateway-address_ Enter the IPv4 address of the next-hop router to which traffic is 0.0.0.0
IPv4> forwarded.
status {enable | disable} Enable this setting for the route to be added to the routing table. enable
vrf <VRF_name> Enter the name of the VRF instance. No default
For example:
edit S548DF5018000776
config router-static
edit 1
set switch-id "S108DVM4HDA47J08"
set comment "staticroute1.1.1.1"
set device "vlan101"
set distance 101
set dst 5.5.5.0 255.255.255.0
set vrf "vpn1"
next
end
next
end
Switch virtual interfaces

config system-interface
edit <SVI_name>
set switch-id <FortiSwitch_serial_number>
set allowaccess {https | http | ping | radius-acct | snmp | ssh | telnet}
set distance
set interface <interface_name>
set ip <IP_address_and_mask>
set mode {static | dhcp}
set status {up | down}

Fortinet Inc.
set type vlan

set vlan <id_number>
set vrf <VRF_name>
next
end
next
end
<SVI_name> Enter the name for the new SVI. No default
NOTE: Avoid reserved names or system-created names, such

as those listed in Reserved names on page 91.
switch-id <FortiSwitch-serial- Enter the serial number for the managed FortiSwitch unit. No default
number>
allowaccess {https | http | ping | Enter the types of management access permitted on this No default
radius-acct | snmp | ssh | telnet} interface or secondary IP address.
Separate each type with a space. To add or remove an option
from the list, retype the complete list as required.
distance <1-255> Enter the distance for routes learned through PPPoE or DHCP, 5
with the lowest number indicating the preferred route. This
option is available when mode is set to dhcp.
interface <interface_name> Enter the name of the interface. This option is only available internal
when vlanid is set.
ip <IP_address_and_mask> Enter the interface IP address and netmask. This option is 0.0.0.0 0.0.0.0
available when mode is set to static. You can set the IP and
netmask, but they are not displayed. This is only available in
NAT/Route mode. The IP address cannot be on the same
subnet as any other interface.
mode {static | dhcp} Configure the connection mode for the interface as one of: static
l static — configure a static IP address for the interface.
l dhcp — configure the interface to receive its IP address
from an external DHCP server.
status {up | down} Start or stop the interface. If the interface is stopped, it does not up
accept or send packets. If you stop a physical interface,
associated virtual interfaces such as VLAN interfaces will also
stop.
type vlan Enter vlan for a virtual LAN interface. This is the type of vlan
interface created by default on any existing physical interface.
VLANs increase the number of network interfaces beyond the
physical connections on the system. VLANs cannot be
configured on a switch mode interface in Transparent mode.

Fortinet Inc.
vlan <id_number> NOTE: This VLAN must have been created in FortiSwitch No default
Manager using the config system interface command.
Enter a VLAN ID that matches the VLAN ID of the packets to be
received by this VLAN subinterface. The VLAN ID can be any
number between 1 and 4094, as 0 and 4095 are reserved, but it
must match the VLAN ID added by the IEEE 802.1Q-compliant
router on the other end of the connection. Two VLAN
subinterfaces added to the same physical interface cannot
have the same VLAN ID. However, you can add two or more
VLAN subinterfaces with the same VLAN ID to different
physical interfaces, and you can add more multiple VLANs with
different VLAN IDs to the same physical interface. This is
available only when editing an interface with a type of vlan.
vrf <VRF_name> Enter the name of the VRF instance. No default
For example:
edit "svi1"
set switch-id "S108DVM4HDA47J08"
set ip 101.1.1.2 255.255.255.0
set distance 100
set allowaccess ping https http ssh snmp telnet radius-acct
set type vlan
set vlan "vlan101"
set vrf "vpn2"
next
end
next
end
Reserved names
Using FortiSwitch reserved names or system-created names for RVI, SVI, or VRF names can cause synchronization
errors. Avoid using the following names:
l flink.sniffer
l flink
l rpsan
l internal
l mgmt
l mgmtn, such as mgmt1, mgmt2, mgmt3, …, mgmt10, mgmt11, mgmt12, …
l spn, such as sp1, sp2, sp3, …, sp10, sp11, sp12, …
l ppp
l pn, such as p1, p2, p3, …, p10, p11, p12,…
l __port__n, such as __port__1, __port__2, __port__3, …, __port__10, __port__11, __port__12, …

Fortinet Inc.
Routed VLAN interfaces
Avoid using a reserved name or system-created name for the RVI name. See Reserved
names on page 91.

edit <RVI_name>
set switch-id <FortiSwitch_serial_number>
set allowaccess {https | http | ping | radius-acct | snmp | ssh | telnet}
set ip <IP_address_and_netmask>
set type physical
set interface <existing_interface_name>
set vrf <VRF_name>
next
end
next
end
For example:
edit "RVI31"
set switch-id "S548DF4K17000019"
set ip 50.31.1.2 255.255.255.0
set allowaccess ping https http ssh snmp telnet radius-acct
set type physical
set interface "port21"
set vrf "vpn31"
next
end
next
end
Virtual routing and forwarding
You need to configure VRF before using the VRF instance in an SVI or RVI configuration.
Use the following steps to configure VRF:

1. Create a VRF instance.
2. Assign the VRF instance to an SVI or RVI or assign the VRF to an IPv4 static route.

Fortinet Inc.
NOTE:
l The VRF name cannot be the same as a reserved name or system-created name, such as those listed in Reserved
names on page 91.
The VRF name cannot match any SVI name.
l The VRF identifier is a number in the range of 1-1023, except for 252, 253, 254, and 255. You cannot assign the
same VRF identifier to more than one VRF instance. After the VRF instance is created, the VRF identifier cannot be
changed.
l After the SVI or RVI is created, the VRF instance cannot be changed or unset. You can assign the same VRF
instance to more than one SVI or RVI. The VRF instance cannot be assigned to an internal SVI.
l After the static route is created, the VRF instance cannot be changed or unset. You can assign the same VRF
instance to more than one static route.
To create the VRF instance:

config router-vrf
edit <VRF_name>
set vrfid <VRF_identifier>
next
end
next
end
For example:
set switch-id "S548DF4K17000019"
config router-vrf
edit vrfv4
set vrfid 1
next
edit vrfv6
set vrfid 2
next
end
next
end

Fortinet Inc.
Configuring QoS with managed FortiSwitch units
Quality of Service (QoS) provides the ability to set particular priorities for different applications, users, or data flows.
NOTE: FortiSwitch Manager does not support QoS for hard or soft switch ports.
The FortiSwitch unit supports the following QoS configuration capabilities:
l Mapping the IEEE 802.1p and Layer 3 QoS values (Differentiated Services and IP Precedence) to an outbound
QoS queue number.
l Providing eight egress queues on each port.
l Policing the maximum data rate of egress traffic on the interface.
l If you select weighted-random-early-detection for the drop-policy, you can enable explicit congestion
notification (ECN) marking to indicate that congestion is occurring without just dropping packets.
To configure the QoS for managed FortiSwitch units:
1. Configure a Dot1p map.
A Dot1p map defines a mapping between IEEE 802.1p class of service (CoS) values (from incoming packets on a
trusted interface) and the egress queue values. Values that are not explicitly included in the map will follow the
default mapping, which maps each priority (0-7) to queue 0. If an incoming packet contains no CoS value, the switch
assigns a CoS value of zero.
NOTE: Do not enable trust for both Dot1p and DSCP at the same time on the same interface. If you do want to trust
both Dot1p and IP-DSCP, the FortiSwitch uses the latter value (DSCP) to determine the queue. The switch will use
the Dot1p value and mapping only if the packet contains no DSCP value.
config switch-controller qos dot1p-map

edit <Dot1p map name>
set priority-0 <queue number>
next
end
2. Configure a DSCP map. A DSCP map defines a mapping between IP precedence or DSCP values and the egress
queue values. For IP precedence, you have the following choices:
l network-control—Network control
l internetwork-control—Internetwork control
l critic-ecp—Critic and emergency call processing (ECP)
l flashoverride—Flash override
l flash—Flash
l immediate—Immediate

Fortinet Inc.
l priority—Priority
l routine—Routine
config switch-controller qos ip-dscp-map

edit <DSCP map name>
configure map <map_name>
edit <entry name>
set cos-queue <COS queue number>
set diffserv {CS0 | CS1 | AF11 | AF12 | AF13 | CS2 | AF21 | AF22 | AF23 | CS3
| AF31 | AF32 | AF33 | CS4 | AF41 | AF42 | AF43 | CS5 | EF | CS6 | CS7}
set ip-precedence {network-control | internetwork-control | critic-ecp |
flashoverride | flash | immediate | priority | routine}
set value <DSCP raw value>
next
end
end
3. Configure the egress QoS policy. In a QoS policy, you set the scheduling mode for the policy and configure one or
more CoS queues. Each egress port supports eight queues, and three scheduling modes are available:
o With strict scheduling, the queues are served in descending order (of queue number), so higher number
queues receive higher priority.

o In simple round-robin mode, the scheduler visits each backlogged queue, servicing a single packet from each
queue before moving on to the next one.

o In weighted round-robin mode, each of the eight egress queues is assigned a weight value ranging from 0 to
63.
config switch-controller qos queue-policy

edit <QoS egress policy name>
set schedule {strict | round-robin | weighted}
config cos-queue
edit queue-<number>
set min-rate <rate in kbps>
set max-rate <rate in kbps>
set drop-policy {taildrop | weighted-random-early-detection}
set ecn {enable | disable}
set weight <weight value>
next
end
next
end
4. Configure the overall policy that will be applied to the switch ports.
config switch-controller qos qos-policy

edit <QoS egress policy name>
set default-cos <default CoS value 0-7>
set trust-dot1p-map <Dot1p map name>
set trust-ip-dscp-map <DSCP map name>
set queue-policy <queue policy name>
next
end

Fortinet Inc.
5. Configure each switch port.

edit <switch-id>
config ports
edit <port>
set qos-policy <CoS policy>
next
end
next
end
6. Check the QoS statistics on each switch port.
diagnose switch-controller switch-info qos-stats <FortiSwitch_serial_number> <port_name>
Configuring ECN for managed FortiSwitch devices
Explicit Congestion Notification (ECN) allows ECN enabled endpoints to notify each other when they are experiencing
congestion. It is supported on the following FortiSwitch models: FS-3032E, FS-3032D, FS-1048E, FS-1048D, FS-5xxD
series, and FS-4xxE series.
On FortiSwitch Manager, ECN can be enabled for each class of service (CoS) queue to enable packet marking to drop
eligible packets. The command is only available when the dropping policy is weighted random early detection. It is
disabled by default.
To configure FortiSwitch to enable ECN packet marking to drop eligible packets:
config switch-controller qos queue-policy

edit "ECN_marking"
set schedule round-robin
set rate-by kbps
config cos-queue
edit "queue-0"
set drop-policy weighted-random-early-detection
set ecn enable
next
edit "queue-1"
next
edit "queue-2"
next
...
end
next
end

Fortinet Inc.
Logging and monitoring

l FortiSwitch log settings on page 97
l Configuring FortiSwitch port mirroring on page 98
l Configuring SNMP on page 100
l Configuring sFlow on page 105
l Configuring flow tracking and export on page 106
l Configuring flow control and ingress pause metering on page 108
FortiSwitch log settings
You can export the logs of managed FortiSwitch units to FortiSwitch Manager or send FortiSwitch logs to a remote
Syslog server.
l Exporting logs to FortiSwitch Manager on page 97
l Sending logs to a remote Syslog server on page 98
Exporting logs to FortiSwitch Manager
You can enable and disable whether the managed FortiSwitch units export their logs to FortiSwitch Manager. The setting
is global, and the default setting is enabled.
To allow a level of filtering, FortiSwitch Manager sets the user field to “fortiswitch-syslog” for each entry.
Use the following CLI command syntax:
config switch-controller switch-log
set status {*enable | disable}
set severity {emergency | alert | critical | error | warning | notification |
*information | debug}
end
You can override the global log settings for a FortiSwitch unit, using the following commands:
edit <switch-id>
config switch-log
At this point, you can configure the log settings that apply to this specific switch.

Fortinet Inc.
Sending logs to a remote Syslog server
Instead of exporting FortiSwitch logs to FortiSwitch Manager, you can send FortiSwitch logs to one or two remote Syslog
servers. After enabling this option, you can select the severity of log messages to send, whether to use comma-
separated values (CSVs), and the type of remote Syslog facility. By default, FortiSwitch logs are sent to port 514 of the
remote Syslog server.
Use the following CLI command syntax to configure the default syslogd and syslogd2 settings:
config switch-controller remote-log
edit {syslogd | syslogd2}
set status {enable | *disable}
set server <IPv4_address_of_remote_syslog_server>
set port <remote_syslog_server_listening_port>
set csv {enable | *disable}
set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron
| authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 |
local3 | local4 | local5 | local6 | *local7}
next
end
You can override the default syslogd and syslogd2 settings for a specific FortiSwitch unit, using the following commands:
config remote-log
edit {edit syslogd | syslogd2}
set status {enable | *disable}
set server <IPv4_address_of_remote_syslog_server>
set port <remote_syslog_server_listening_port>
set csv {enable | *disable}
set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp |
cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 |
local2 | local3 | local4 | local5 | local6 | *local7}
next
end
next
end
Configuring FortiSwitch port mirroring
The FortiSwitch unit can send a copy of any ingress or egress packet on a port to egress on another port of the same
FortiSwitch unit. The original traffic is unaffected. This process is known as port-based mirroring and is typically used for
external analysis and capture.
Using encapsulated RSPAN (ERSPAN) allows you to send the collected packets across layer-2 domains for analysis.
You can have only one ERSPAN session.
In ERSPAN mode, traffic is encapsulated in Ethernet, IPv4, and generic routing encapsulation (GRE) headers. By
focusing on traffic to and from specified ports and traffic to a specified MAC or IP address, ERSPAN reduces the amount

Fortinet Inc.
of traffic being mirrored. The ERSPAN traffic is sent to a specified IP address, which must be reachable by IPv4 ICMP
ping. If no IP address is specified, the traffic is not mirrored.
NOTE: ERSPAN is supported on FSR-124D and platforms 2xx and higher. ERSPAN cannot be used with the other
FortiSwitch port-mirroring method.
To configure FortiSwitch port-based mirroring:

config mirror
edit <mirror_name>
set status {active | inactive} // Required
set dst <port_name> // Required
set switching-packet {enable | disable}
set src-ingress <port_name>
set src-egress <port_name>
next
end
next
For example:
edit S524DF4K15000024
config mirror
edit 2
set status active
set dst port1
set switching-packet enable
set src-ingress port2 port3
set src-egress port4 port5
next
end
next
end
To configure FortiSwitch ERSPAN:
config switch-controller traffic-sniffer

set mode erspan-auto
set erspan-ip <xxx.xxx.xxx.xxx> // IPv4 address where ERSPAN traffic is sent
config target-mac
edit <MM:MM:MM:SS:SS:SS> // mirror traffic sent to this MAC address
end
config target-ip
edit <xxx.xxx.xxx.xxx> // mirror traffic sent to this IPv4 address
end
config target-port
set in-ports <portx porty portz ...> // mirror traffic sent to these ports
set out-ports <portx porty portz ...> // mirror traffic sent from these ports
end
end

Fortinet Inc.
For example:
set mode erspan-auto
set erspan-ip 10.254.254.254
config target-mac
edit 00:00:00:aa:bb:cc
set description MACtarget1
end
config target-ip
edit 10.254.254.192
set description IPtarget1
end
config target-port
edit S524DF4K15000024
set description PortTargets1
set in-ports port5 port6 port7
set out-ports port10
end
end
To disable FortiSwitch port mirroring:

set mode none
end
Configuring SNMP
Simple Network Management Protocol (SNMP) enables you to monitor hardware on your network.
The managed FortiSwitch SNMP implementation is read-only. SNMP v1-compliant and v2c-compliant SNMP managers
have read-only access to FortiSwitch system information through queries and can receive trap messages from the
managed FortiSwitch unit.
To monitor FortiSwitch system information and receive FortiSwitch traps, you must first compile the Fortinet and
FortiSwitch management information base (MIB) files. A MIB is a text file that describes a list of SNMP data objects that
are used by the SNMP manager. These MIBs provide information that the SNMP manager needs to interpret the SNMP
trap, event, and query messages sent by the FortiSwitch SNMP agent.
FortiSwitch core MIB files are available for download by going to System > Config > SNMP > Settings and selecting the
FortiSwitch MIB File download link.
You configure SNMP on a global level so that all managed FortiSwitch units use the same settings. If you want one of the
FortiSwitch units to use different settings from the global settings, configure SNMP locally.
The maximum number of hosts for SNMP traps on a FortiSwitch unit is 8.

Fortinet Inc.

l Configuring SNMP globally on page 101
l Configuring SNMP locally on page 102
l SNMP OIDs on page 104
Configuring SNMP globally
To configure SNMP globally:
1. Add SNMP access on the switch-management interface.

2. Configure the SNMP system information.
3. Configure the SNMP community.
4. Configure the SNMP trap threshold values.
5. Configure the SNMP user.
To add SNMP access on the switch-management interface:

edit "{default | <policy_name>}"
set mgmt-allowaccess <options> snmp
set internal-allowaccess <options>
next
end
To configure the SNMP system information globally:
config switch-controller snmp-sysinfo

set status enable
set engine-id <local_SNMP_engine_ID (the maximum is 24 characters)>
set description <system_description>
set contact-info <contact_information>
set location <FortiSwitch_location>
end
NOTE: Each SNMP engine maintains a value, snmpEngineID, which uniquely identifies the SNMP engine. This value is
included in each message sent to or from the SNMP engine. The engine-id is part of the snmpEngineID but does not
include the Fortinet prefix 0x8000304404.
To configure the SNMP community globally:
config switch-controller snmp-community

edit <SNMP_community_entry_identifier>
set name <SNMP_community_name>
set status enable
set query-v1-status enable
set query-v1-port <0-65535; the default is 161>
set query-v2c-status enable
set query-v2c-port <0-65535; the default is 161>
set trap-v1-status enable
set trap-v1-lport <0-65535; the default is 162>
set trap-v1-rport <0-65535; the default is 162>
set trap-v2c-status enable

Fortinet Inc.
set trap-v2c-lport <0-65535; the default is 162>

set trap-v2c-rport <0-65535; the default is 162>
set events {cpu-high mem-low log-full intf-ip ent-conf-change}
config hosts
edit <host_entry_ID>
set ip <IPv4_address_of_the_SNMP_manager>
end
next
end
To configure the SNMP trap threshold values globally:
config switch-controller snmp-trap-threshold

set trap-high-cpu-threshold <percentage_value; the default is 80>
set trap-low-memory-threshold <percentage_value; the default is 80>
set trap-log-full-threshold <percentage_value; the default is 90>
end
To configure the SNMP user globally:
config switch-controller snmp-user

edit <SNMP_user_name>
set queries enable
set query-port <0-65535; the default is 161>
set security-level {auth-priv | auth-no-priv | no-auth-no-priv}
set auth-proto {md5 | sha1 | sha224 | sha256 | sha384 | sha512}
set auth-pwd <password_for_authentication_protocol>
set priv-proto {aes128 | aes192 | aes192c | aes256 | aes256c | des}}
set priv-pwd <password_for_encryption_protocol>
end
Configuring SNMP locally
To configure SNMP for a specific FortiSwitch unit:
1. Configure the SNMP system information.

2. Configure the SNMP community.
3. Configure the SNMP trap threshold values.
4. Configure the SNMP user.
You can set up one or more SNMP v3 notifications (traps) in the CLI. The following notifications are supported:
l The CPU usage is too high.
l The configuration of an entity was changed.
l The IP address for an interface was changed.
l The available log space is low.
l The available memory is low.
By default, all SNMP notifications are enabled. Notifications are sent to one or more IP addresses.
To configure the SNMP system information locally:


Fortinet Inc.
set override-snmp-sysinfo enable

config snmp-sysinfo
set status enable
set engine-id <local_SNMP_engine_ID (the maximum is 24 characters)>
set description <system_description>
set contact-info <contact_information>
set location <FortiSwitch_location>
end
next
end
NOTE: Each SNMP engine maintains a value, snmpEngineID, which uniquely identifies the SNMP engine. This value is
included in each message sent to or from the SNMP engine. The engine-id is part of the snmpEngineID but does not
include the Fortinet prefix 0x8000304404.
To configure the SNMP community locally:

set override-snmp-community enable
config snmp-community
edit <SNMP_community_entry_identifier>
set name <SNMP_community_name>
set status enable
set query-v1-status enable
set query-v1-port <0-65535; the default is 161>
set query-v2c-status enable
set query-v2c-port <0-65535; the default is 161>
set trap-v1-status enable
set trap-v1-lport <0-65535; the default is 162>
set trap-v1-rport <0-65535; the default is 162>
set trap-v2c-status enable
set trap-v2c-lport <0-65535; the default is 162>
set trap-v2c-rport <0-65535; the default is 162>
set events {cpu-high mem-low log-full intf-ip ent-conf-change}
config hosts
edit <host_entry_ID>
set ip <IPv4_address_of_the_SNMP_manager>
end
next
end
To configure the SNMP trap threshold values locally:

set override-snmp-trap-threshold enable
config snmp-trap-threshold
set trap-high-cpu-threshold <percentage_value; the default is 80>
set trap-low-memory-threshold <percentage_value; the default is 80>
set trap-log-full-threshold <percentage_value; the default is 90>
end
next
end

Fortinet Inc.
To configure the SNMP user locally:

set override-snmp-user enable
config snmp-user
edit <SNMP_user_name>
set queries enable
set query-port <0-65535; the default is 161>
set security-level {auth-priv | auth-no-priv | no-auth-no-priv}
set auth-proto {md5 | sha1 | sha224 | sha256 | sha384 | sha512}
set auth-pwd <password_for_authentication_protocol>
set priv-proto {aes128 | aes192 | aes192c | aes256 | aes256c | des}
set priv-pwd <password_for_encryption_protocol>
end
next
end
SNMP OIDs
Three SNMP OIDs report the FortiSwitch port status and FortiSwitch CPU and memory statistics.
SNMP OID Description
fgSwDeviceInfo.fgSwDeviceTable.fgSwDeviceEntry.fgSwDeviceEntry.fgSwCpu Percentage of the CPU

1.3.6.1.4.1.12356.101.24.1.1.1.11 being used.
fgSwDeviceInfo.fgSwDeviceTable.fgSwDeviceEntry.fgSwDeviceEntry.fgSwMemory Percentage of memory

1.3.6.1.4.1.12356.101.24.1.1.1.12 being used.
fgSwPortInfo.fgSwPortTable.fgSwPortEntry.fgSwPortStatus Whether a managed

1.3.6.1.4.1.12356.101.24.2.1.1.6 FortiSwitch port is up or
down.
These OIDs require FortiSwitchOS 7.0.0 or higher. FortiLink and SNMP must be configured on FortiSwitch Manager.
FortiSwitch units update the CPU and memory statistics every 30 seconds. This interval cannot be changed.
Sample queries
To find out how much CPU is being used on a FortiSwitch 1024D with the serial number
FS1D243Z17000032:
root@PC05:~# snmpwalk -v2c -Cc -c REGR-SYS 172.16.200.1

1.3.6.1.4.1.12356.101.24.1.1.1.11.2.8.17000032
To find out how much memory is being used on a FortiSwitch 1024D with the serial number
FS1D243Z17000032:

1.3.6.1.4.1.12356.101.24.1.1.1.12.2.8.17000032

Fortinet Inc.
To find out the status of port1 of a FortiSwitch 1024D with the serial number FS1D243Z17000032:

1.3.6.1.4.1.12356.101.24.2.1.1.6.2.8.17000032.1
Configuring sFlow
sFlow is a method of monitoring the traffic on your network to identify areas on the network that might impact
performance and throughput. With sFlow, you can export truncated packets and interface counters. FortiSwitch
implements sFlow version 5 and supports trunks and VLANs.
NOTE: Because sFlow is CPU intensive, Fortinet does not recommend high rates of sampling for long periods.
sFlow uses packet sampling to monitor network traffic. The sFlow agent captures packet information at defined intervals
and sends them to an sFlow collector for analysis, providing real-time data analysis. To minimize the impact on network
throughput, the information sent is only a sampling of the data.
The sFlow collector is a central server running software that analyzes and reports on network traffic. The sampled
packets and counter information, referred to as flow samples and counter samples, respectively, are sent as sFlow
datagrams to a collector. Upon receiving the datagrams, the sFlow collector provides real-time analysis and graphing to
indicate the source of potential traffic issues. sFlow collector software is available from a number of third-party software
vendors. You must configure a FortiSwitch Manager policy to transmit the samples from the FortiSwitch unit to the sFlow
collector.
sFlow can monitor network traffic in two ways:
l Flow samples—You specify the percentage of packets (one out of n packets) to randomly sample.
l Counter samples—You specify how often (in seconds) the network device sends interface counters.
Use the following CLI commands to specify the IP address and port for the sFlow collector. By default, the IP address is
0.0.0.0, and the port number is 6343.
config switch-controller sflow
collector-ip <x.x.x.x>
collector-port <port_number>
end
Use the following CLI commands to configure sFlow:

config ports
edit <port_name>
set sflow-sampler {disabled | enabled}
set sflow-sample-rate <0-99999>
set sflow-counter-interval <1-255>
next
next
end
For example:
config switch-controller sflow
collector-ip 1.2.3.4
collector-port 10
end

Fortinet Inc.

edit S524DF4K15000024
config ports
edit port5
set sflow-sampler enabled
set sflow-sample-rate 10
set sflow-counter-interval 60
next
next
end
Configuring flow tracking and export
You can sample IP packets on managed FortiSwitch units and then export the data in NetFlow format or Internet
Protocol Flow Information Export (IPFIX) format. You can choose to sample on a single ingress or egress port, on all
FortiSwitch units, or on all FortiSwitch ingress ports.
When a new FortiSwitch unit or trunk port is added, the flow-tracking configuration is updated automatically based on the
specified sampling mode. When a FortiSwitch port becomes part of an ISL or ICL or is removed, the flow-tracking
configuration is updated automatically based on the specified sampling mode.
The maximum number of concurrent flows is defined by the FortiSwitch model. When this limit is exceeded, the oldest
flow expires and is exported.
You can configure multiple flow-export collectors using the config collectors command. For each collector, you
can specify the collector IP address, the collector port number, and the collector layer-4 transport protocol for exporting
packets.
Using multiple flow-export collectors requires FortiSwitchOS 7.0.0 or later. If you are using an
earlier version of FortiSwitchOS, only the first flow-export collector is supported.
You can specify how often a template packet is sent using the set template-export-period command. By default,
a template packet is sent every 5 minutes. The range of values is 1-60 minutes.
To configure flow tracking on managed FortiSwitch units:
config switch-controller flow-tracking

set sample-mode {local | perimeter | device-ingress}
set sample-rate <0-99999>
set format {netflow1 | netflow5 | netflow9 | ipfix}
set level {vlan | ip | port | proto}
set max-export-pkt-size <512-9216 bytes; default is 512>
set template-export-period <1-60 minutes, default is 5>
set timeout-general <60-604800 seconds; default is 3600>
set timeout-icmp <60-604800 seconds; default is 300>
set timeout-max <60-604800 seconds; default is 604800>
set timeout-tcp <60-604800 seconds; default is 3600>
set timeout-tcp-fin <60-604800 seconds; default is 300>
set timeout-tcp-rst <60-604800 seconds; default is 120>
set timeout-udp <60-604800 seconds; default is 300>
config collectors

Fortinet Inc.
edit <collector_name>
set ip <IPv4_address>
set port <0-65535>
set transport {udp | tcp | sctp}
end
config aggregates
edit <aggregate_ID>
set <IPv4_address>
end
end
For example:
config switch-controller flow-tracking
config collectors
edit "Analyzer_1"
set ip 172.16.201.55
set port 4739
set transport sctp
next
edit "Collector_HQ"
set ip 172.16.116.82
set port 2055
next
end
set template-export-period 10
end
Configure the sampling mode

You can set the sampling mode to local, perimeter, or device-ingress.
l The local mode samples packets on a specific FortiSwitch port.
l The perimeter mode samples packets on all FortiSwitch ports that receive data traffic, except for ISL and ICL ports.
For perimeter mode, you can also configure the sampling rate.
l The device-ingress mode samples packets on all FortiSwitch ports that receive data traffic for hop-by-hop tracking.
For device-ingress mode, you can also configure the sampling rate.
Configure the sampling rate
For perimeter or device-ingress sampling, you can set the sampling rate, which samples 1 out of the specified number of
packets. The default sampling rate is 1 out of 512 packets.
Configure the flow-tracking protocol
You can set the format of exported flow data as NetFlow version 1, NetFlow version 5, NetFlow version 9, or IPFIX
sampling.
Configure collector IP address
The default is 0.0.0.0. Setting the value to “0.0.0.0” or “” disables this feature. The format is xxx.xxx.xxx.xxx.
Configure the transport protocol
You can set exported packets to use UDP, TCP, or SCTP for transport.
Configure the flow-tracking level
You can set the flow-tracking level to one of the following:
l vlan—The FortiSwitch unit collects source IP address, destination IP address, source port, destination port,
protocol, Type of Service, and VLAN from the sample packet.

Fortinet Inc.
l ip—The FortiSwitch unit collects source IP address and destination IP address from the sample packet.
l port—The FortiSwitch unit collects source IP address, destination IP address, source port, destination port, and
protocol from the sample packet.
l proto—The FortiSwitch unit collects source IP address, destination IP address, and protocol from the sample
packet.
Configure the maximum exported packet size
You can set the maximum size of exported packets in the application level.
To remove flow reports from a managed FortiSwitch unit:
execute switch-controller switch-action flow-tracking {delete-flows-all | expire-flows-all}

<FortiSwitch_serial_number>
Expired flows are exported.
To view flow statistics for a managed FortiSwitch unit:
diagnose switch-controller switch-info flow-tracking statistics <FortiSwitch_serial_number>
To view raw flow records for a managed FortiSwitch unit:
diagnose switch-controller switch-info flow-tracking flows-raw <FortiSwitch_serial_number>
To view flow record data for a managed FortiSwitch unit:
diagnose switch-controller switch-info flow-tracking flows {number_of_records | all} {IP_

address | all} <FortiSwitch_serial_number> <FortiSwitch_port_name>
For example:
diagnose switch-controller switch-info flow-tracking flows 100 all S524DF4K15000024 port6
Configuring flow control and ingress pause metering
Flow control allows you to configure a port to send or receive a “pause frame” (that is, a special packet that signals a
source to stop sending flows for a specific time interval because the buffer is full). By default, flow control is disabled on
all ports.
config ports
edit <port_name>
set flow-control {both | rx | tx | disable}
next
end
end
Parameters enable flow control to do the following:

l rx—receive pause control frames
l tx—transmit pause control frames
l both—transmit and receive pause control frames

Fortinet Inc.
If you enable flow control to transmit pause control frames or to transmit and receive pause control frames, you can also
use ingress pause metering to limit the input bandwidth of an ingress port. Because ingress pause metering stops the
traffic temporarily instead of dropping it, ingress pause metering can provide better performance than policing when the
port is connected to a server or end station. To use ingress pause metering, you need to set the ingress metering rate in
kilobits and set the percentage of the threshold for resuming traffic on the ingress port.
config ports
edit <port_name>
set flow-control {tx | both}
set pause-meter <128–2147483647; set to 0 to disable>
set pause-meter-resume {25% | 50% | 75%}
next
end
end
For example:
edit S424ENTF19000007
config ports
edit port29
set flow-control tx
set pause-meter 900
set pause-meter-resume 50%
next
end
end

Fortinet Inc.
Operation and maintenance

l Discovering, authorizing, and deauthorizing FortiSwitch units on page 110
l Diagnostics and tools on page 113
l FortiSwitch ports display on page 116
l Displaying, resetting, and restoring port statistics on page 116
l Network interface display on page 120
l Synchronizing FortiSwitch Manager with the managed FortiSwitch units on page 120
l Fabric management on page 121
l Viewing and upgrading the FortiSwitch firmware version on page 123
l Canceling pending or downloading FortiSwitch upgrades on page 124
l Replacing a managed FortiSwitch unit on page 125
l Executing custom FortiSwitch scripts on page 130
l Resetting PoE-enabled ports on page 131
Discovering, authorizing, and deauthorizing FortiSwitch units

l Editing a managed FortiSwitch unit on page 110
l Adding preauthorized FortiSwitch units on page 111
l Using wildcard serial numbers to pre-authorize FortiSwitch units on page 111
l Authorizing the FortiSwitch unit on page 112
l Deauthorizing FortiSwitch units on page 112
l Converting to FortiSwitch standalone mode on page 113
Editing a managed FortiSwitch unit
To edit a managed FortiSwitch unit:

2. Click on the FortiSwitch unit and then click Edit or right-click on a FortiSwitch unit and select Edit.
From the Edit Managed FortiSwitch form, you can:
l Change the Name and Description of the FortiSwitch unit.
l View the Status of the FortiSwitch unit.
l Restart the FortiSwitch.
l Authorize or deauthorize the FortiSwitch unit.
l Upgrade the firmware running on the switch.
l Override 802.1x settings, including the reauthentication interval, maximum reauthentication attempts, and link-
down action.

Fortinet Inc.
Adding preauthorized FortiSwitch units
After you preauthorize a FortiSwitch unit, you can assign the FortiSwitch ports to a VLAN.
To preauthorize a FortiSwitch:
2. Click Create New.
3. In the New Managed FortiSwitch page, enter the serial number, model name, and description of the FortiSwitch.
4. Move the Authorized slider to the right.
5. Select OK. The Managed FortiSwitches page lists the preauthorized switch.
Using wildcard serial numbers to pre-authorize FortiSwitch units
You can use asterisks as a wildcard character when you pre-authorize FortiSwitch units. Using a FortiSwitch template,
you can name the managed switch and configure the ports. When the FortiSwitch unit is turned on and discovered by
FortiSwitch Manager, the wildcard serial number is replaced by the actual serial number and the settings in the
FortiSwitch template are applied to the discovered FortiSwitch unit.
When you create the FortiSwitch template, use the following format for the wildcard serial number:
PREFIX****nnnnnn
PREFIX The first six digits of a valid FortiSwitch serial number, such as S248EP, S124EN,
S548DF, and S524DF.
**** Asterisks are the only wildcard characters allowed. You can have any number of
asterisks, as long as ****nnnnnn is no longer than 10 characters.
nnnnnn You can have any number of valid alphanumeric characters, as long as
****nnnnnn is no longer than 10 characters.
To pre-authorize FortiSwitch units using a FortiSwitch template:
1. Create a FortiSwitch template.

edit <PREFIX****nnnnnn>
...
next
end
For example:
edit "S248EP****000000"
set name "fortilink-FSW248EP1"
set fsw-wan1-peer "fortilink"
.......
config ports
edit "port1"
set vlan "onboarding"
set allowed-vlans "quarantine" "nac_segment"
set untagged-vlans "quarantine" "nac_segment"
set access-mode nac
set export-to "root"

Fortinet Inc.
next
edit "port2"
set vlan "_default"
set allowed-vlans "quarantine"
set untagged-vlans "quarantine"
set access-mode dynamic
set port-policy "aggr1"
set export-to "root"
next
end
next
end
2. Turn on the FortiSwitch unit so that FortiSwitch Manager will discover it.
The FortiSwitch unit is matched with the FortiSwitch template using the order of entries in the CMDB table from top
to bottom. The settings in the FortiSwitch template are applied to the discovered FortiSwitch unit. Once a match is
made for a wildcard entry, that particular entry is consumed.
Authorizing the FortiSwitch unit
If you configured the FortiLink interface to manually authorize the FortiSwitch unit as a managed switch, perform the
following steps:
2. Right-click on the FortiSwitch name and select Authorize. This step is required only if you disabled the automatic
authorization field of the interface.
Deauthorizing FortiSwitch units
A device can be deauthorized to remove it from the Security Fabric.
To deauthorize a device:

2. Right-click on the FortiSwitch name and select Deauthorize.
After devices are deauthorized, the devicesʼ serial numbers are saved in a trusted list that can be viewed in the CLI using
the show system csf command. For example, this result shows a deauthorized FortiSwitch:
show system csf
config system csf
set status enable
set group-name "Office-Security-Fabric"
set group-password ENC 1Z2X345V678
config trusted-list
edit "FSWMVMTM21000008"
next
edit "S248DF3X17000482"
set action deny
next
end
end
end

Fortinet Inc.
Converting to FortiSwitch standalone mode
Use one of the following commands to convert a FortiSwitch unit from managed mode to standalone mode so that it will
no longer be managed by FortiSwitch Manager:
l execute switch-controller factory-reset <FortiSwitch_serial_number>—This command
returns the FortiSwitch unit to the factory defaults and then reboots the FortiSwitch unit. By default, the FortiSwitch
unit will connect to the available manager, which can be FortiSwitch Manager, a FortiGate device, or FortiLAN
Cloud. For example:execute switch-controller factory-reset S1234567890
l execute switch-controller switch-action set-standalone <FortiSwitch_serial_number>—
This command returns the FortiSwitch unit to the factory defaults, reboots the FortiSwitch, and prevents FortiSwitch
Manager from automatically detecting and authorizing the FortiSwitch. For example:execute switch-
controller set-standalone S1234567890
You can disable FortiLink auto-discovery on multiple FortiSwitch units using the following commands:
set disable-discovery <FortiSwitch_serial_number>
end
For example:
set disable-discovery S1234567890
end
You can also add or remove entries from the list of FortiSwitch units that have FortiLink auto-discovery disabled using
the following commands:
append disable-discovery <FortiSwitch_serial_number>
unselect disable-discovery <FortiSwitch_serial_number>
end
For example:
append disable-discovery S012345678
unselect disable-discovery S1234567890
end
Diagnostics and tools
The Diagnostics and Tools pane reports the general health of the FortiSwitch unit, displays details about the FortiSwitch
unit, and allows you to run diagnostic tests.

Fortinet Inc.
To view the Diagnostics and Tools pane:

2. Right-click the FortiSwitch unit and then select Diagnostics and Tools.
From the Diagnostics and Tools pane, you can do the following:
l Authorize or deauthorize the FortiSwitch.
l Upgrade the firmware running on the switch.
l Restart the FortiSwitch unit.
l Connect to CLI to run CLI commands.
l Show in List to return to the Switch Controller > Managed FortiSwitch page.
l Go to the Edit Managed FortiSwitch form.
l Start or stop the LED Blink to identify a specific FortiSwitch unit. See Making the LEDs blink on page 115.
l Display a list of FortiSwitch ports and trunks and configuration details.

Fortinet Inc.
l Run a Cable Test on a selected port. See Running the cable test on page 115.
l View the Logs for the FortiSwitch unit.
l Click the Legend button in the General pane to display the Health Thresholds pane, which lists the thresholds for the
good, fair, and poor ratings of the general health, port health, and MC-LAG health.
Making the LEDs blink
When you have multiple FortiSwitch units and need to locate a specific switch, you can flash all port LEDs on and off for
a specified number of minutes.
To identify a specific FortiSwitch unit:

3. Select LED Blink > Start and then select 5 minutes, 15 minutes, 30 minutes, or 60 minutes.
4. After you locate the FortiSwitch unit, select LED Blink > Stop.
NOTE: For the 5xx switches, LED Blink flashes only the SFP port LEDs, instead of all the port LEDs.
Running the cable test
NOTE: Running cable diagnostics on a port that has the link up interrupts the traffic for several seconds.
You can check the state of cables connected to a specific port. The following pair states are supported:
l Open
l Short
l Ok
l Open_Short
l Unknown
l Crosstalk
If no cable is connected to the specific port, the state is Open, and the cable length is 0 meters.
Using the GUI:

3. Select Cable Test.
4. Select a port.
5. Select Diagnose.
NOTE: There are some limitations for cable diagnostics on the FS-108E, FS-124E, FS-108E-POE, FS-108E-FPOE, FS-
124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models:
l Crosstalk cannot be detected.
l There is a 5-second delay before results are displayed.
l The value for the cable length is inaccurate.
l The results are inaccurate for open and short cables.

Fortinet Inc.
FortiSwitch ports display
The Switch Controller > FortiSwitch Ports page displays port information about each of the managed switches.
Select Faceplates to get the following information:

l Active ports (green)
l FortiLink port (link icon)
Each entry in the port list displays the following information:
l Port status (red for down, green for up)
l Port name
l If the port is a member of a trunk
l Access mode
l Port policy
l Enabled features
l Native VLAN
l Allowed VLANs
l Dynamic VLANs
l PoE status
l Device information
l DHCP snooping status
l Transceiver information
Displaying, resetting, and restoring port statistics
For the following commands, if the managed FortiSwitch unit is not specified, the command is applied to all ports of all
managed FortiSwitch units.
To display port statistics using the GUI:

2. Select a port.
3. Click View Statistics.

Fortinet Inc.
4. Click the Traffic tab to see transmitted and received traffic and transmitted and received frames. Click the Issues tab
to see frame errors by type.
To display port statistics using the CLI:
diagnose switch-controller switch-info port-stats <managed FortiSwitch device ID> <port_

name>
For example:
diagnose switch-controller switch-info port-stats S524DF4K15000024 port8

Fortinet Inc.
To reset the port statistics counters using the GUI:

2. Select a port.
3. Click View Statistics.

Fortinet Inc.
4. Click Reset Port Statistics.
To reset the port statistics counters using the CLI:
diagnose switch-controller trigger reset-hardware-counters <managed FortiSwitch device ID>

<port_name>
For example:
diagnose switch-controller trigger reset-hardware-counters S524DF4K15000024 1,3,port6-7

Fortinet Inc.
NOTE: This command is provided for debugging; accuracy is not guaranteed when the counters are reset. Resetting the
counters might have a negative effect on monitoring tools, such as SNMP and FortiSwitch Manager. The statistics
gathered during the time when the counters are reset might be discarded.
To restore the port statistics counters of a managed FortiSwitch unit:
diagnose switch-controller trigger restore-hardware-counters <managed FortiSwitch device ID>

<port_name>
For example:
diagnose switch-controller trigger restore-hardware-counters S524DF4K15000024 port10-
port11,internal
Network interface display
On the Network > Interfaces page, you can see the FortiSwitch Manager interface connected to the FortiSwitch unit. The
GUI indicates Dedicated to FortiSwitch in the IP/Netmask field.
Synchronizing FortiSwitch Manager with the managed FortiSwitch

units
You can synchronize FortiSwitch Manager with the managed FortiSwitch units to check for synchronization errors on
each managed FortiSwitch unit.
Use the following command to synchronize the full configuration of FortiSwitch Manager with a managed FortiSwitch
unit:
diagnose switch-controller trigger config-sync <FortiSwitch_serial_number>

Fortinet Inc.
Fabric management
Using fabric management, you can see the whole picture of your network security. The pie charts show what type of
devices are in the fabric and whether any of the online switches need to be upgraded.

Fortinet Inc.
To use fabric management:
1. Go to System > Fabric Management.

2. Click Fabric Upgrade to upgrade FortiSwitch Manager.
3. Select one or more FortiSwitch units and then click Upgrade to update the FortiSwitchOS firmware.
4. If the registration status is Not registered, select the FortiSwitch unit and click Register.
5. If the status is Waiting for authorization, select the FortiSwitch unit and click Authorize.
6. Hover over any of the FortiSwitch units to see more information.

Fortinet Inc.
7. Click Diagnostics and Tools to open the Diagnostics and Tools pane.
Viewing and upgrading the FortiSwitch firmware version
You can view the current firmware version of a FortiSwitch unit and upgrade the FortiSwitch unit to a new firmware
version. FortiSwitch Manager will suggest an upgrade when a new version is available in FortiGuard.
To view the FortiSwitch firmware version:

2. Select the FortiSwitch name and click Edit.
3. In the Edit Managed FortiSwitch panel, the Firmware section displays the current build on the FortiSwitch unit.

Fortinet Inc.
To upgrade the firmware on multiple FortiSwitch units at the same time:

2. Select the FortiSwitch units that you want to upgrade.
3. Right-click and select Upgrade.The Upgrade FortiSwitches page opens.
4. Select FortiGuard or select Upload and then select the firmware file to upload. If you select FortiGuard, all
FortiSwitch units that can be upgraded are upgraded. If you select Upload, only one firmware image can be used at
a time for upgrading.
5. Select Upgrade.
Use the following command to stage a firmware image on all FortiSwitch units:
execute switch-controller switch-software stage all <image id>
Use the following command to upgrade the firmware image on one FortiSwitch unit:
execute switch-controller switch-software upgrade <switch id> <image id>
Use the following CLI commands to enable the use of HTTPS to download firmware to managed FortiSwitch units:
set https-image-push enable
end
NOTE: The HTTPS download is enabled by default.

From your FortiSwitch Manager CLI, you can upgrade the firmware of all of the managed FortiSwitch units of the same
model using a single execute command. The command includes the name of a firmware image file and all of the
managed FortiSwitch units compatible with that firmware image file are upgraded. For example:
execute switch-controller switch-software stage all <firmware-image-file>
You can also use the following command to restart all of the managed FortiSwitch units after a 2-minute delay.
execute switch-controller switch-action restart delay all
Canceling pending or downloading FortiSwitch upgrades
A managed FortiSwitch unit can be upgrade using FortiSwitch Manager.

If a connectivity issue occurs during the upgrade process and the FortiSwitch unit loses contact with FortiSwitch
Manager, the FortiSwitch upgrade status can get stuck at Upgrading. Use the following CLI command to cancel the
process:
execute switch-controller switch-software cancel {all | sn <FortiSwitch_serial_number> |
switch-group <switch_group ID>}
all Cancel the firmware upgrade for all FortiSwitch units.

sn <FortiSwitch_serial_number> Cancel the firmware upgrade for the FortiSwitch unit with the specified
serial number.
switch-group <switch_group ID> Cancel the firmware upgrade for the FortiSwitch units belonging to the
specified switch group.

Fortinet Inc.
For example, to cancel the upgrade of a FortiSwitch unit with the specified serial number:
execute switch-controller switch-software cancel sn S248EPTF180018XX
Replacing a managed FortiSwitch unit
If a managed FortiSwitch unit fails, you can replace it with another FortiSwitch unit that is managed by the same
FortiSwitch Manager. The replacement FortiSwitch unit will inherit the configuration of the FortiSwitch unit that it
replaces. The failed FortiSwitch unit is no longer managed by FortiSwitch Manager or discovered by FortiLink.
NOTE:
l Both FortiSwitch units must be of the same model.
l The replacement FortiSwitch unit must be discovered by FortiLink but not authorized.
l If the replacement FortiSwitch unit is one of an MCLAG pair, you need to manually reconfigure the MCLAG-ICL
trunk.
l After replacing the failed FortiSwitch unit, the automatically created trunk name does not change. If you want
different trunk name, you need to delete the trunk. The new trunk is created automatically with an updated name. At
the end of this section is a detailed procedure for renaming the MCLAG-ICL trunk.
l If the replaced managed FortiSwitch unit is part of an MCLAG, only the ICL should be connected to the new switch
to avoid any traffic loops. The other interfaces should be connected only to the switch that is fully managed by
FortiSwitch Manager with the correct configuration.
l The best way to replace a MCLAG FortiSwitch unit in FortiLink:
a. Back up the configuration of the failed FortiSwitch unit.
b. Restore the configuration to the replaced Fortiswitch unit while it is offline.
c. Enter the replace-device command in FortiOS.
d. Physically replace the failed FortiSwitch unit.
To replace a managed FortiSwitch unit:
1. Unplug the failed FortiSwitch unit.

2. Plug in the replacement FortiSwitch unit.
3. Upgrade the firmware of the replacement FortiSwitch unit to the same version as the firmware on the failed
FortiSwitch unit. See Viewing and upgrading the FortiSwitch firmware version on page 123.
4. Reset the replacement FortiSwitch unit to factory default settings with the execute factoryreset command.
5. Check the serial number of the replacement FortiSwitch unit.
6. From FortiSwitch Manager, go to Switch Controller > Managed FortiSwitches.
7. Select the faceplate of the failed FortiSwitch unit.
8. Select Deauthorize.
9. Connect the replacement FortiSwitch unit to FortiSwitch Manager.
NOTE: If the replaced managed FortiSwitch unit is part of an MCLAG, only the ICL should be connected to the new
switch to avoid any traffic loops. The other interfaces should be connected only to the switch that is fully managed
by FortiSwitch Manager with the correct configuration.
10. Enter the following command:
execute replace-device fortiswitch <failed_FortiSwitch_serial_number> <replacement_
FortiSwitch_serial_number>
An error is returned if the replacement FortiSwitch unit is authorized.

Fortinet Inc.
11. Authorize the replaced managed FortiSwitch unit.

12. Connect the rest of the cables required for the uplinks and downlinks for the MCLAG FortiSwitch units.
To rename the MCLAG-ICL trunk:
After replacing the failed FortiSwitch unit, the automatically created trunk name does not change. If you want different
trunk name, you need to delete the trunk. The new trunk is created automatically with an updated name.
Changing the name of the MCLAG-ICL trunk must be done on both FortiSwitch Manager and the MCLAG-ICL switches.
You need a maintenance window for the change.
1. Shut down the FortiLink interface on FortiSwitch Manager.
a. On FortiSwitch Manager, execute the show system interface command. For example:
FSWMVMTM21000008 # show system interface root-lag

edit "root-lag"
set vdom "root"
set fortilink enable
set ip 10.105.60.254 255.255.255.0
set allowaccess ping capwap
set type aggregate
set member "port45" "port48"
config managed-device
b. Write down the member port information. In this example, port45 and port48 are the member ports.
c. Shut down the member ports with the config system interface, edit <member-port#>, set
status down, and end commands. For example:
FSWMVMTM21000008 # config system interface

FSWMVMTM21000008 (interface) # edit port48
FSWMVMTM21000008 (port48) # set status down
FSWMVMTM21000008 (port48) # next // repeat for each member port
FSWMVMTM21000008 (port45) # set status down
FSWMVMTM21000008 (port45) # end
d. Verify that FortiLink is down with the exec switch-controller get-conn-status command. For
example:
FSWMVMTM21000008 # exec switch-controller get-conn-status

Managed-devices in current vdom root:
STACK-NAME: FortiSwitch-Stack-root-lag
SWITCH-ID VERSION STATUS ADDRESS JOIN-TIME NAME
FS1D483Z17000282 v6.0.0 Authorized/Down 0.0.0.0 N/A icl-sw2
FS1D483Z17000348 v6.0.0 Authorized/Down 0.0.0.0 N/A icl-sw1
2. Rename the MCLAG-ICL trunk name on both MCLAG-ICL switches.

a. Execute the show switch trunk command on both MCLAG-ICL switches. Locate the ICL trunk that
includes the set mclag-icl enable command in its configuration and write down the member ports and
configuration information. For example:
icl-sw1 # show switch trunk

Fortinet Inc.
config switch trunk

...
edit "D483Z17000282-0"
set mode lacp-active
set auto-isl 1
set mclag-icl enable // look for this line
set members "port27" "port28" // note the member ports
next
end
b. Note the output of the show switch interface <MCLAG-ICL-trunk-name>, diagnose switch
mclag icl, and diagnose switch trunk summary <MCLAG-ICL-trunk-name> commands. For
example:
icl-sw1 # show switch interface D483Z17000282-0

edit "D483Z17000282-0"
set native-vlan 4094
set allowed-vlans 1,100,2001-2060,4093
set stp-state disabled
set edge-port disabled
set snmp-index 57
next
end
icl-sw1 # diag switch mclag icl

D483Z17000282-0
icl-ports 27-28
egress-block-ports 3-4,7-12,47-48
interface-mac 70:4c:a5:86:6d:e5
lacp-serial-number FS1D483Z17000348
peer-mac 70:4c:a5:49:50:53
peer-serial-number FS1D483Z17000282
Local uptime 0 days 1h:49m:24s
Peer uptime 0 days 1h:49m:17s
MCLAG-STP-mac 70:4c:a5:49:50:52
keepalive interval 1
keepalive timeout 60
Counters
received keepalive packets 4852
transmited keepalive packets 5293
received keepalive drop packets 20
receive keepalive miss 1
icl-sw1 # diagnose switch trunk sum D483Z17000282-0

Trunk Name Mode PSC MAC Status Up Time
________________ _________________________ ___________ _________________ _______
____ _________________________________
D483Z17000282-0 lacp-active(auto-isl,mclag-icl) src-dst-ip 70:4C:A5:86:6E:00 up

Fortinet Inc.
(2/2) 0 days,0 hours,16 mins,4 secs
c. Shut down the ICL member ports using the config switch physical-port, edit <member port#>,
set status down, next, and end commands. For example:
icl-sw1 # config switch physical-port

icl-sw1 (physical-port) # edit port27
icl-sw1 (port27) # set status down
icl-sw1 (port27) # n // repeat for each ICL member port
icl-sw1 (port28) # set status down
icl-sw1 (port28) # next
icl-sw1 (physical-port) # end
d. Delete the original MCLAG-ICL trunk name on the switch using the config switch trunk, delete
<mclag-icl-trunk-name>, and end commands. For example:
icl-sw1 # config switch trunk

icl-sw1 (trunk) # delete D483Z17000282-0
e. Use the show switch trunk command to verify that the trunk is deleted.
f. Create a new trunk for the MCLAG ICL using the original ICL trunk configuration collected in step 2b and the
set auto-isl 0 command in the configuration. For example:
icl-sw1 # config switch trunk
icl-sw1 (trunk) # edit MCLAG-ICL

new entry 'MCLAG-ICL' added
icl-sw1 (MCLAG-ICL) #set mode lacp-active
icl-sw1 (MCLAG-ICL) #set members "port27" "port28"
icl-sw1 (MCLAG-ICL) #set mclag-icl enable
icl-sw1 (MCLAG-ICL) # end
g. Use the show switch trunk command to check the trunk configuration.
h. Start the trunk member ports by using the config switch physical-port, edit <member port#>,
set status up, next, and end commands. For example:
icl-sw1 # config switch physical-port

icl-sw1 (port27) # set status up
icl-sw1 (port27) # next // repeat for each trunk member port
icl-sw1 (port28) # set status up
icl-sw1 (port28) # end
NOTE: Follow steps 2a through 2h on both switches.

3. Set up the FortiLink interface on FortiSwitch Manager. Enter the config system interface, edit
<interface-member-port>, set status up, next, and end commands. For example:
FSWMVMTM21000008 # config system interface

FSWMVMTM21000008 (port45) # set status up
FSWMVMTM21000008 (port45) # next // repeat on all member ports

Fortinet Inc.

FSWMVMTM21000008 (port48) # set status up
FSWMVMTM21000008 (port48) # next
FSWMVMTM21000008 (interface) # end
4. Check the configuration and status on both MCLAG-ICL switches

a. Enter the show switch trunk, diagnose switch mclag icl, and diagnose switch trunk
summary <new-trunk-name> commands. For example:
icl-sw1 # show switch trunk
config switch trunk
<snip>
edit "MCLAG-ICL"
set mode lacp-active
set mclag-icl enable
set members "port27" "port28"
next
end
icl-sw1 # show switch interface MCLAG-ICL

edit "MCLAG-ICL"
set native-vlan 4094
set allowed-vlans 1,100,2001-2060,4093
set stp-state disabled
set snmp-index 56
next
end
icl-sw1 # diagnose switch mclag icl

MCLAG-ICL
icl-ports 27-28
egress-block-ports 3-4,7-12,47-48
interface-mac 70:4c:a5:86:6d:e5
lacp-serial-number FS1D483Z17000348
peer-mac 70:4c:a5:49:50:5
peer-serial-number FS1D483Z17000282
Local uptime 0 days 2h:11m:13s
Peer uptime 0 days 2h:11m: 7s
MCLAG-STP-mac 70:4c:a5:49:50:52
keepalive interval 1
keepalive timeout 60
Counters
received keepalive packets 5838
transmited keepalive packets 6279
received keepalive drop packets 27
receive keepalive miss 1

Fortinet Inc.
icl-sw1 # diagnose switch trunk summary MCLAG-ICL
Trunk Name Mode PSC MAC Status Up Time

________________ _________________________ ___________ _________________ ______
_____ _________________________________
MCLAG-ICL lacp-active(auto-isl,mclag-icl) src-dst-ip 70:4C:A5:86:6E:00 up(2/2)

0 days,1 hours,4 mins,57 secs
b. Compare the command results in step 4a with the command results in step 2b.
Executing custom FortiSwitch scripts
From FortiSwitch Manager, you can execute a custom script on a managed FortiSwitch unit. The custom script contains
generic FortiSwitch commands.
l Creating a custom script on page 130
l Executing a custom script once on page 130
l Binding a custom script to a managed switch on page 131
Creating a custom script
Use the following syntax to create a custom script from FortiSwitch Manager:
config switch-controller custom-command
edit <cmd-name>
set command "<FortiSwitch_command>"
end
NOTE: You need to use %0a to indicate a return.

For example, use the custom script to set the STP max-age parameter on a managed FortiSwitch unit:
config switch-controller custom-command
edit "stp-age-10"
set command "config switch stp setting %0a set max-age 10 %0a end %0a"
end
Executing a custom script once
After you have created a custom script, you can manually execute it on any managed FortiSwitch unit. Because the
custom script is not bound to any switch, the FortiSwitch unit might reset some parameters when it is restarted.
Use the following syntax on FortiSwitch Manager to execute the custom script once on a specified managed FortiSwitch
unit:
execute switch-controller custom-command <cmd-name> <target-switch>

Fortinet Inc.
For example, you can execute the stp-age-10 script on the specified managed FortiSwitch unit:
execute switch-controller custom-command stp-age-10 S124DP3X15000118
Binding a custom script to a managed switch
If you want the custom script to be part of the managed switchʼs configuration, the custom script must be bound to the
managed switch. If any of the commands in the custom script are locally controlled by a switch, the commands might be
overwritten locally.
Use the following syntax to bind a custom script to a managed switch:
edit "<FortiSwitch_serial_number>"
config custom-command
edit <custom_script_entry>
set command-name "<name_of_custom_script>"
next
end
next
end
For example:
edit "S524DF4K15000024"
config custom-command
edit 1
set command-name "stp-age-10"
next
end
next
end
Resetting PoE-enabled ports
If you need to reset PoE-enabled ports, go to Switch Controller > FortiSwitch Ports, right-click on one or more PoE-
enabled ports and select Reset PoE from the context menu.

Fortinet Inc.
www.fortinet.com
Copyright© 2022 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were
attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance
results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract,
signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only
the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change,
modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

FortiSwitch Manager-7.2.0-Administration Guide

Uploaded by

Copyright:

Available Formats

FortiSwitch Manager-7.2.0-Administration Guide

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

FortiSwitch Manager-7.2.0-Administration Guide

Uploaded by

Copyright:

Available Formats

Administration Guide

FortiSwitch Manager 7.2.0

FORTINET VIDEO GUIDE

CUSTOMER SERVICE & SUPPORT

FORTINET TRAINING & CERTIFICATION PROGRAM

END USER LICENSE AGREEMENT

May 18, 2022

FortiSwitch Manager 7.2.0 Administration Guide 3

FortiSwitch Manager 7.2.0 Administration Guide 4

FortiSwitch Manager 7.2.0 Administration Guide 5

FortiSwitch Manager 7.2.0 Administration Guide 6

Date Change Description

May 18, 2022 Initial release of FortiSwitch Manager 7.2.0

FortiSwitch Manager 7.2.0 Administration Guide 7

FortiSwitch Manager 7.2.0 supports the following models:

FortiSwitch 1xx FS-108E, FS-108E-POE, FS-108E-FPOE, FS-108F, FS-108F-POE, FS-108F-FPOE, FS-

FortiSwitch 2xx FS-224D-FPOE, FS-224E, FS-224E-POE, FS-248D, FS-248E-POE, FS-248E-FPOE

FortiSwitch 4xx FS-424E, FS-424E-POE, FS-424E-FPOE, FS-424E-Fiber, FS-M426E-FPOE, FS-448E, FS-

FortiSwitch 5xx FS-524D, FS-524D-FPOE, FS-548D, FS-548D-FPOE

FortiSwitch 1xxx FS-1024D, FS-1024E, FS-1048E, FS-T1024E

FortiSwitch 3xxx FS-3032E

FortiSwitch Rugged FSR-112D-POE, FSR-124D

Web browser support

Web browser l Microsoft Edge

FortiSwitch Manager 7.2.0 Administration Guide 8

Virtualization environment support

Hypervisor Recommended versions

Citrix Hypervisor l 8.1 Express Edition, Dec 17, 2019

Linux KVM l Ubuntu 18.0.4 LTS

Microsoft Windows Server l 2012R2 with Hyper-V role

Windows Hyper-V Server l 2019

Open source XenServer l Version 3.4.3

VMware ESX l Versions 4.0 and 4.1

Number of managed vCPU Memory (GB) Hard disk

1-10 8 (minimum 4) 8 (minimum 4) 1 TB (minimum 32 GB)

10-100 16 (minimum 8) 16 (minimum 8) 1 TB (minimum 32 GB)

100-1,000 32 32 (minimum 16) 1 TB (minimum 32 GB)

1,000-2,500 32 32 (minimum 16) 1 TB (minimum 32 GB)

Supported Switch Controller features

Switch Controller Features FortiSwitch Models

Centralized VLAN Configuration D-series, E-series, F-series

Switch POE Control D-series, E-series

Link Aggregation Configuration D-series, E-series, F-series

Spanning Tree Protocol (STP) D-series, E-series, F-series

LLDP/MED D-series, E-series, F-series

FortiSwitch Manager 7.2.0 Administration Guide 9

Switch Controller Features FortiSwitch Models

IGMP Snooping D-series, E-series, F-series

802.1X Authentication (Port-based, MAC-based, MAB) D-series, E-series, F-series

Syslog Collection D-series, E-series, F-series

DHCP Snooping D-series, E-series, F-series

LAG support D-series, E-series, F-series

sFlow Not supported on FS-1xxE Series

Dynamic ARP Inspection (DAI) D-series, E-series, F-series

Port Mirroring D-series, E-series

RADIUS Accounting D-series, E-series, F-series

Centralized Configuration D-series, E-series, F-series

Loop Guard D-series, E-series, F-series

Switch admin Password D-series, E-series