Network topologies for managed FortiSwitch units

The FortiGate requires only one active FortiLink to manage all of the subtending FortiSwitch units (called stacking).

You can configure the FortiLink as a physical interface or as a logical interface (associated with one or more physical interfaces). Depending on the network topology, you can also configure a standby FortiLink.

For any of the topologies, note the following:

• All of the managed FortiSwitch units will function as one Layer-2 stack where the FortiGate manages each FortiSwitch separately.
• The active FortiLink carries data as well as management traffic.

Supported topologies

Fortinet recommends the following topologies for managed FortiSwitch units:

l Single FortiGate managing a single FortiSwitch unit on page 38 l Single FortiGate unit managing a stack of several FortiSwitch units on page 39 l HA-mode FortiGate units managing a single FortiSwitch unit on page 40 l HA-mode FortiGate units managing a stack of several FortiSwitch units on page 41 l HA-mode FortiGate units managing a FortiSwitch two-tier topology on page 42 l Single FortiGate unit managing multiple FortiSwitch units (using a hardware or software switch interface) on page

43 l HA-mode FortiGate units managing two-tier FortiSwitch units with access rings on page 44 l Dual-homed servers connected to FortiLink tier-1 FortiSwitch units using an MCLAG on page 45 l Standalone FortiGate unit with dual-homed FortiSwitch access on page 46 l HA-mode FortiGate units with dual-homed FortiSwitch access on page 47 l Multi-tiered MCLAG with HA-mode FortiGate units on page 48

 

Single FortiGate managing a single FortiSwitch unit

Single FortiGate managing a single FortiSwitch unit

On the FortiGate unit, the FortiLink interface is configured as physical or aggregate. The 802.3ad aggregate interface type provides a logical grouping of one or more physical interfaces.

NOTE: For the aggregate interface, you must disable the split interface on the FortiGate unit.

Network topologies for managed FortiSwitch units      Single FortiGate unit managing a stack of several

Single FortiGate unit managing a stack of several FortiSwitch units

The FortiGate unit connects directly to one FortiSwitch unit using a physical or aggregate interface. The remaining FortiSwitch units connect in a ring using inter-switch links (that is, ISL).

Optionally, you can connect a standby FortiLink connection to the last FortiSwitch unit. For this configuration, you create a FortiLink Split-Interface (an aggregate interface that contains one active link and one standby link).

NOTE: External devices shown in the following topology must be compliant endpoints, such as computers. They cannot be third-party switches or appliances.

HA-mode FortiGate units managing a single FortiSwitch unit

HA-mode FortiGate units managing a single FortiSwitch unit

The master and slave FortiGate units both connect a FortiLink to the FortiSwitch unit. The FortiLink port(s) and interface type must match on the two FortiGate units.

 

FortiSwitch       HA-mode FortiGate units managing a stack of several FortiSwitch units          units

HA-mode FortiGate units managing a stack of several FortiSwitch units

The master and slave FortiGate units both connect a FortiLink to the first FortiSwitch unit and (optionally) to the last FortiSwitch unit. The FortiLink ports and interface type must match on the two FortiGate units.

For the active/standby FortiLink configuration, you create a FortiLink Split-Interface (an aggregate interface that contains one active link and one standby link).

HA-mode FortiGate units managing a FortiSwitch two-tier

topology                                                                                                                                      FortiSwitch units

HA-mode FortiGate units managing a FortiSwitch two-tier topology

The distribution FortiSwitch unit connects to the master and slave FortiGate units. The FortiLink port(s) and interface type must match on the two FortiGate units.

Single FortiGate unit managing multiple FortiSwitch units (using a hardware or

FortiSwitch units                                                                                                              software switch interface)

Single FortiGate unit managing multiple FortiSwitch units (using a hardware or software switch interface)

The FortiGate unit connects directly to each FortiSwitch unit. Each of these FortiLink ports is added to the logical hardware-switch or software-switch interface on the FortiGate unit.

Optionally, you can connect other devices to the FortiGate logical interface. These devices, which must support IEEE 802.1q VLAN tagging, will have Layer 2 connectivity with the FortiSwitch ports.

NOTE: Using the hardware or software switch interface in FortiLink mode is not recommended in most cases. It can be used when the traffic on the ports is very light because all traffic across the switches moves through the FortiGate unit.

 

HA-mode FortiGate units managing two-tier FortiSwitch units with Network topologies for managed FortiSwitch access rings          units

HA-mode FortiGate units managing two-tier FortiSwitch units with access rings

NOTE: Before FortiSwitchOS 3.6.4, MCLAG was not supported when access rings were present. Starting with FortiSwitchOS 3.6.4, MCLAG is supported, even with access rings present.

HA-mode FortiGate units connect to redundant distribution FortiSwitch units. Access FortiSwitch units are arranged in a stack in each IDF, connected to both distribution switches.

For the FortiLink connection to each distribution switch, you create a FortiLink split interface (an aggregate interface that contains one active link and one standby link).

NOTE: This is only an example topology. Other combinations of FortiGate units and FortiSwitch units can be used to create a similar topology.

Dual-homed servers connected to FortiLink tier-1 FortiSwitch units using

FortiSwitch units                                                                                                                                  an MCLAG

FortiLink mode over a layer-3 network

This feature allows FortiSwitch islands (FSIs) to operate in FortiLink mode over a layer-3 network, even though they are not directly connected to the switch-controller FortiGate unit. FSIs contain one or more FortiSwitch units.

The following limitations apply to FSIs operating in FortiLink mode over a layer-3 network:

• All FortiSwitch units using this feature must be included in the FortiGate preconfigured switch table.
• No layer-2 data path component, such as VLANs, can span across layer 3 between the FortiGate unit and the FortiSwitch unit.
• All FortiSwitch units within an FSI must be connected to the same FortiGate unit.
• The FortiSwitch unit needs a functioning layer-3 routing configuration to reach the FortiGate unit or any featureconfigured destination, such as syslog or 802.1x.
• Do not connect a layer-2 FortiGate unit and a layer-3 FortiGate unit to the same FortiSwitch unit.
• If the FortiSwitch management port is used for a layer-3 connection to the FortiGate unit, the FSI can contain only one FortiSwitch unit. All switch ports must remain in standalone mode.
• Do not connect a FortiSwitch unit to a layer-3 network and a layer-2 network on the same segment.
• If the network has a wide geographic distribution, some features, such as software downloads, might operate slowly.

 

To configure a FortiSwitch unit to operate in a layer-3 network:

1. Reset the FortiSwitch to factory default settings with the execute factoryreset
2. Manually set the FortiSwitch unit to FortiLink mode:

config system global

set switch-mgmt-mode fortilink end

3. Configure the discovery setting for the FortiSwitch unit. You can either use DHCP discovery or static discovery.

To use DHCP discovery:

config switch-controller global

ac-discovery dhcp

dhcp-option-code <integer>

end end

To use static discovery:

config switch-controller global

ac-discovery static           config ac-list

id <integer>

set ipv4-address <IPv4_address>

next

end

end

4. Configure at least one port of the FortiSwitch unit as an uplink port. When the FortiSwitch is in FortiLink mode, VLAN 4094 is configured on an internal port, which can provide a path to the layer-3 network with the following commands:

config switch interface edit <port_number> set fortilink-l3-mode enable

end

end

NOTE: The NTP server must be configured on the FortiSwitch unit either manually or provided by DHCP. The NTP server must be reachable from the FortiSwitch unit.

FortiLink configuration using the FortiGate CLI

This section describes how to configure FortiLink using the FortiGate CLI. Fortinet recommends using the FortiGate GUI because the CLI procedures are more complex (and therefore more prone to error).

If you use one of the auto-discovery FortiSwitch ports, you can establish the FortiLink connection (single port or LAG) with no configuration steps on the FortiSwitch and with a few simple configuration steps on the FortiGate unit.

You can also configure FortiLink mode over a layer-3 network.

Summary of the procedure

1. Configure FortiLink on a physical port or configure FortiLink on a logical interface.
2. Configure NTP.
3. Authorize the managed FortiSwitch unit.
4. Configure DHCP.

Configure FortiLink on a physical port

Configure FortiLink on any physical port on the FortiGate unit and authorize the FortiSwitch unit as a managed switch.

In the following steps, port 1 is configured as the FortiLink port.

1. If required, remove port 1 from the lan interface:

config system virtual-switch edit lan config port delete port1

end

end

end

2. Configure port 1 as the FortiLink interface:

config system interface edit port1 set auto-auth-extension-device enable set fortilink enable

end

end

3. Configure an NTP server on port 1:

config system ntp set server-mode enable set interface port1 end

 

4. Authorize the FortiSwitch unit as a managed switch.

config switch-controller managed-switch edit FS224D3W14000370 set fsw-wan1-admin enable

end

end

NOTE: FortiSwitch will reboot when you issue the set fsw-wan1-admin enable command.

Configure FortiLink on a logical interface

You can configure FortiLink on a logical interface: link-aggregation group (LAG), hardware switch, or software switch).

NOTE: LAG is supported on all FortiSwitch models and on FortiGate models FGT-100D and above. Hardware switch is supported on some FortiGate models.

Connect any of the FortiLink-capable ports on the FortiGate to the FortiSwitch. Ensure that you configure autodiscovery on the FortiSwitch ports (unless it is auto-discovery by default).

In the following procedure, port 4 and port 5 are configured as a FortiLink LAG.

1. If required, remove the FortiLink ports from the lan interface:

config system virtual-switch edit lan config port delete port4 delete port5

end

end

end

2. Create a trunk with the two ports that you connected to the switch:

config system interface edit flink1 (enter a name, 11 characters maximum) set allowaccess ping capwap https set vlanforward enable set type aggregate set member port4 port5 set lacp-mode static set fortilink enable

(optional) set fortilink-split-interface enable next

end

NOTE: If the members of the aggregate interface connect to more than one FortiSwitch, you must enable fortilink-split-interface.

3. Authorize the FortiSwitch unit as a managed switch.

config switch-controller managed-switch edit FS224D3W14000370

set fsw-wan1-admin enable

end

end

NOTE: FortiSwitch will reboot when you issue the set fsw-wan1-admin enable command.

Configure DHCP blocking, IGMP snooping, STP, and loop guard on managed FortiSwitch ports

Go to WiFi & Switch Controller> FortiSwitch Ports. Right-click any port and then enable or disable the following features:

• DHCP blocking—The DHCP blocking feature monitors the DHCP traffic from untrusted sources (for example, typically host ports and unknown DHCP servers) that might initiate traffic attacks or other hostile actions. To prevent this, DHCP blocking filters messages on untrusted ports.
• IGMP snooping—IGMP snooping allows the FortiSwitch to passively listen to the Internet Group Management Protocol (IGMP) network traffic between hosts and routers. The switch uses this information to determine which ports are interested in receiving each multicast feed. FortiSwitch can reduce unnecessary multicast traffic on the LAN by pruning multicast traffic from links that do not contain a multicast listener.
• Spanning Tree Protocol (STP)—STP is a link-management protocol that ensures a loop-free layer-2 network topology.
• Loop guard—A loop in a layer-2 network results in broadcast storms that have far-reaching and unwanted effects. Fortinet loop guard helps to prevent loops. When loop guard is enabled on a switch port, the port monitors its subtending network for any downstream loops. The loop guard feature is designed to work in concert with STP rather than as a replacement for STP.
• STP root guard—Root guard protects the interface on which it is enabled from becoming the path to root. When enabled on an interface, superior BPDUs received on that interface are ignored or dropped. Without using root guard, any switch that participates in STP maintains the ability to reroute the path to root. Rerouting might cause your network to transmit large amounts of traffic across suboptimal links or allow a malicious or misconfigured device to pose a security risk by passing core traffic through an insecure device for packet capture or inspection. By enabling root guard on multiple interfaces, you can create a perimeter around your existing paths to root to enforce the specified network topology.
• STP BPDU guard—Similar to root guard, BPDU guard protects the designed network topology. When BPDU guard is enabled on STP edge ports, any BPDUs received cause the ports to go down for a specified number of minutes. The BPDUs are not forwarded, and the network edge is enforced.

STP is enabled on all ports by default. Loop guard is disabled by default on all ports.

 

 

Connecting FortiLink ports

This section contains information about the FortiSwitch and FortiGate ports that you connect to establish a FortiLink connection.

In FortiSwitchOS 3.3.0 and later releases, you can use any of the switch ports for FortiLink. Some or all of the switch ports (depending on the model) support auto-discovery of the FortiLink ports.

You can chose to connect a single FortiLink port or multiple FortiLink ports as a logical interface (link-aggregation group, hardware switch, or software switch).

1. Enable the switch controller on the FortiGate unit

Before connecting the FortiSwitch and FortiGate units, ensure that the switch controller feature is enabled on the FortiGate unit with the FortiGate web-based manager or CLI to enable the switch controller. Depending on the FortiGate model and software release, this feature might be enabled by default.

Using the FortiGate GUI

1. Go to System > Feature Visibility.
2. Turn on the Switch Controller feature, which is in the Basic Features
3. Select Apply.

The menu option WiFi & Switch Controller now appears.

Using the FortiGate CLI

Use the following commands to enable the switch controller:

config system global set switch-controller enable

end

2. Connect the FortiSwitch unit and FortiGate unit

FortiSwitchOS 3.3.0 and later provides flexibility for FortiLink:

• Use any switch port for FortiLink l Provides auto-discovery of the FortiLink ports on the FortiSwitch
• Choice of a single FortiLink port or multiple FortiLink ports in a link-aggregation group (LAG)

Auto-discovery of the FortiSwitch ports

In FortiSwitchOS 3.3.0 and later releases, D-series FortiSwitch models support FortiLink auto-discovery, on automatic detection of the port connected to the FortiGate unit.

2. Connect the FortiSwitch unit and FortiGate unit Connecting FortiLink ports

You can use any of the switch ports for FortiLink. Before connecting the switch to the FortiGate unit, use the following FortiSwitch CLI commands to configure a port for FortiLink auto-discovery:

config switch interface edit <port>

set auto-discovery-fortilink enable

end

By default, each FortiSwitch model provides a set of ports that are enabled for FortiLink auto-discovery. If you connect the FortiLink using one of these ports, no switch configuration is required.

In FortiSwitchOS 3.4.0 and later releases, the last four ports are the default auto-discovery FortiLink ports. You can also run the show switch interface command on the FortiSwitch unit to see the ports that have autodiscovery enabled.

The following table lists the default auto-discovery ports for each switch model.

NOTE: Any port can be used for FortiLink if it is manually configured.

FortiSwitch Model	Default Auto-FortiLink ports
FS-108D	ports 9 and 10
FS-108D-POE	ports 9 and 10
FSR-112D	ports 9, 10, 11 and 12
FSR-112D-POE	ports 5, 6, 7, 8, 9, 10, 11, and 12
FS-124D, FS-124D-POE	ports 23, 24, 25, and 26
FS-224D-POE	ports 21, 22, 23, and 24
FS-224D-FPOE	ports 21, 22, 23, 24, 25, 26, 27, and 28
FS-248D, FS-248D-FPOE, FS-448D, FS448D-FPOE, FS-448D-POE	ports 45, 46, 47, 48, 49, 50, 51, and 52
FS-248D-POE	ports 47, 48, 49, and 50
FS-424D, FS-424D-POE, FS-424D-FPOE	ports 23, 24, 25, and 26
FS-524D, FS-524D-FPOE	ports 21, 22, 23, 24, 25, 26, 27, 28, 29, and 30
FS-548D, FS-548D-FPOE	ports 45, 46, 47, 48, 49, 50, 51, 52, 53, and 54
FS-1024D, FS-1048D, FS-3032D	all ports

Choosing the FortiGate ports

The FortiGate unit manages all of the switches through one active FortiLink. The FortiLink can consist of one port or multiple ports (for a LAG).

25

Connecting FortiLink ports                                                              2. Connect the FortiSwitch unit and               unit

As a general rule, FortiLink is supported on all ports that are not listed as HA ports.

 

configuration using the FortiGate GUI Summary of the procedure FortiLink configuration using the FortiGate GUI

This section describes how to configure a FortiLink between a FortiSwitch unit and a FortiGate unit.

You can configure FortiLink using the FortiGate GUI or CLI. Fortinet recommends using the GUI because the CLI procedures are more complex (and therefore more prone to error).

If you use one of the auto-discovery FortiSwitch ports, you can establish the FortiLink connection (single port or LAG) with no configuration steps on the FortiSwitch and with a few simple configuration steps on the FortiGate unit.

Summary of the procedure

1. On the FortiGate unit, configure the FortLink port or create a logical FortLink interface.
2. Authorize the managed FortiSwitch unit.

Configure FortiLink as a single link

To configure the FortiLink port on the FortiGate unit:

1. Go to Network > Interfaces.
2. (Optional) If the FortiLink physical port is currently included in the internal interface, edit it and remove the desired port from the Physical Interface Members.
3. Edit the FortiLink port.
4. Set Addressing mode to Dedicated to FortiSwitch.
5. Configure the IP/Network Mask for your network.
6. Optionally select Automatically authorize devices or disable to manually authorize the FortiSwitch.
7. Select OK.

Configure FortiLink as a logical interface

You can configure the FortiLink as a logical interface: link-aggregation group (LAG), hardware switch, or software switch).

LAG is supported on all FortiSwitch models and on FortiGate models FGT-100D and above. Hardware switch is supported on some FortiGate models.

Connect any of the FortiLink-capable ports on the FortiGate unit to the FortiSwitch unit. Ensure that you configure auto-discovery on the FortiSwitch ports (unless it is so by default).

6. Go to Network > Interfaces.
7. (Optional) If the FortiLink physical ports are currently included in the internal interface, edit the internal interface, and remove the desired ports from the Physical Interface Members.
8. Select Create New > Interface.
9. Enter a name for the interface (11 characters maximum).
10. Set the Type to 3ad Aggregate, Hardware Switch, or Software Switch.
11. Select the FortiGate ports for the logical interface.
12. Set Addressing mode to Dedicated to FortiSwitch.
13. Configure the IP/Network Mask for your network.
14. Optionally select Automatically authorize devices or disable to manually authorize the FortiSwitch.
15. Select OK.

FortiLink split interface

You can use the FortiLink split interface to connect the FortiLink aggregate interface from one FortiGate unit to two FortiSwitch units. When the FortiLink split interface is enabled, only one link remains active.

The aggregate interface for this configuration must contain exactly two physical ports (one for each FortiSwitch unit).

You must enable the split interface on the FortiLink aggregate interface using the FortiGate CLI:

config system interface edit <name of the FortiLink interface> set fortilink-split-interface enable

end

Authorizing the FortiSwitch unit

If you configured the FortiLink interface to manually authorize the FortiSwitch unit as a managed switch, perform the following steps:

1. Go to WiFi & Switch Controller > Managed FortiSwitch.
2. Optionally, click on the FortiSwitch faceplate and click Authorize. This step is required only if you disabled the automatic authorization field of the interface.

Adding preauthorized FortiSwitch units

After you preauthorize a FortiSwitch unit, you can assign the FortiSwitch ports to a VLAN.

To preauthorize a FortiSwitch:

1. Go to WiFi & Switch Controller> Managed FortiSwitch.
2. Click Create New.
3. In the New Managed FortiSwitch page, enter the serial number, model name, and description of the FortiSwitch.
4. Move the Authorized slider to the right.
5. Click OK.

The Managed FortiSwitch page shows a FortiSwitch faceplate for the preauthorized switch.

configuration using the FortiGate GUI                                                             Managed FortiSwitch display

Managed FortiSwitch display

Go to WiFi & Switch Controller> Managed FortiSwitch to see all of the switches being managed by your FortiGate.

When the FortiLink is established successfully, the status is green (next to the FortiGate interface name and on the FortiSwitch faceplate), and the link between the ports is a solid line.

If the link has gone down for some reason, the line will be dashed, and a broken link icon will appear. You can still edit the FortiSwitch unit though and find more information about the status of the switch. The link to the FortiSwitch unit might be down for a number of reasons; for example, a problem with the cable linking the two devices, firmware versions being out of synch, and so on. You need to make sure the firmware running on the FortiSwitch unit is compatible with the firmware running on the FortiGate unit.

From the Managed FortiSwitch page, you can edit any of the managed FortiSwitch units, remove a FortiSwitch unit from the configuration, refresh the display, connect to the CLI of a FortiSwitch unit, or deauthorize a FortiSwitch unit.

 

 

Edit a managed FortiSwitch unit

To edit a managed FortiSwitch unit:

1. Go to Wifi & Switch Controller> Managed FortiSwitch.
2. Click on the FortiSwitch to and click Edit, right-click on a FortiSwitch unit and select Edit, or double-click on a FortiSwitch unit.

From the Edit Managed FortiSwitch form, you can:

• Change the Name and Description of the FortiSwitch unit. l View the Status of the FortiSwitch unit.
• Restart the FortiSwitch.
• Authorize or deauthorize the FortiSwitch. l Update the firmware running on the switch.

Network interface display

On the Network > Interfaces page, you can see the FortiGate interface connected to the FortiSwitch unit. The GUI indicates Dedicated to FortiSwitch in the IP/Netmask field.

Add link aggregation groups (Trunks)

To create a link aggregation group for FortiSwitch user ports:

1. Go to WiFi & Switch Controller> FortiSwitch Ports.
2. Click Create New > Trunk.
3. In the New Trunk Group page, enter a Name for the trunk group.
4. Select two or more physical ports to add to the trunk group.
5. Select the Mode: Static, Passive LACP, or Active LACP.
6. Click OK.

FortiLink configuration using the                Configure DHCP blocking, IGMP snooping, STP, and loop guard on managed

 

Whatʼs new in FortiOS 6.0

The following list contains new features added in FortiOS 6.0. Click on a link to navigate to that section for further information.

l “Limiting the number of learned MAC addresses on a FortiSwitch interface (445087)” on page 12 l “Sharing FortiSwitch ports between VDOMs (391878)” on page 13 l “sFlow support (450507)” on page 15 l “Restricting the type of frames allowed through IEEE 802.1Q ports (448505)” on page 17 l “Dynamic ARP inspection (DAI) support (462511)” on page 17 l “FortiSwitch port mirroring support (457122)” on page 17 l “Quarantining MAC addresses (459525)” on page 18 l “Banning IP addresses (459525)” on page 19 l “Synchronizing the FortiGate unit with the managed FortiSwitch units (454664)” on page 19 l “Enabling the use of HTTPS to download firmware to managed FortiSwitch units (454664)” on page 20 l “RADIUS accounting support (451023)” on page 20 l “FortiLink mode supported over a layer-3 network (457103)” on page 20 l “Limiting the number of parallel process for FortiSwitch configuration (457103)” on page 22 l “CLI changes for FortiLink mode (447349, 473773)” on page 22 l “Upgrade the firmware on multiple FortiSwitch units at the same time using the GUI (462553)” on page 23 l “Network-assisted device detection (377467) ” on page 23

FortiOS 6.0

These features first appeared in FortiOS 6.0.

Limiting the number of learned MAC addresses on a FortiSwitch interface (445087)

You can limit the number of MAC addresses learned on a FortiSwitch interface (port or VLAN). The limit ranges from 1 to 128. If the limit is set to the default value zero, there is no learning limit.

NOTE: Static MAC addresses are not counted in the limit. The limit refers only to learned MAC addresses.

Use the following CLI commands to limit MAC address learning on a VLAN:

config switch vlan edit <integer> set switch-controller-learning-limit <limit>

end end

For example:

config switch vlan edit 100 set switch-controller-learning-limit 20

end

end

Use the following CLI commands to limit MAC address learning on a port:

config switch-controller managed-switch edit <FortiSwitch_Serial_Number> config ports edit <port> set learning-limit <limit>

next

end

end

end

For example:

config switch-controller managed-switch edit S524DF4K15000024 config ports edit port3 set learning-limit 50

next

end

end

end

Sharing FortiSwitch ports between VDOMs (391878)

Virtual domains (VDOMs) are a method of dividing a FortiGate unit into two or more virtual units that function as multiple independent units. VDOMs provide separate security domains that allow separate zones, user authentication, security policies, routing, and VPN configurations.

FortiSwitch ports can now be shared between VDOMs.

NOTE: You cannot use the quarantine feature while sharing FortiSwitch ports between VDOMs.

To share FortiSwitch ports between VDOMs:

1. Create one or more VDOMs.
2. Assign VLANs to each VDOM as required.
3. From these VLANs, select one VLAN to be the default VLAN for the ports in the virtual switch:

config switch-controller global

set default-virtual-switch-vlan <VLAN>

NOTE: You must execute these commands from the VDOM that the default VLAN belongs to.

When you add a new port to the VDOM, the new port will be automatically assigned to the default VLAN. You can

reassign the ports to other VLANs later.

4. Create a virtual port pool (VPP) to contain the ports to be shared:

config switch-controller virtual-port-pool edit <VPP_name> description <string>

next

end

NOTE: You must execute these commands from the VDOM that the default VLAN belongs to.

For example:

config switch-controller virtual-port-pool edit “pool3” description “pool for port3”

next

end

5. Share a FortiSwitch port from the VDOM that the FortiSwitch belongs to with another VDOM or export the FortiSwitch port to a VPP where it can be used by any VDOM:

config switch-controller managed-switch edit <switch.id> config ports edit <port_name> set {export-to-pool <VPP_name> | export-to <VDOM_name>} set export-tags <string1,string2,string3,…>

next

end

next

end

NOTE: You must execute these commands from the VDOM that the default VLAN belongs to.

For example, if you want to export a port to the VPP named pool3:

config switch-controller managed-switch edit “S524DF4K15000024” config ports edit port3 set export-to-pool “pool3” set export-tags “Pool 3”

next

end

next

end

For example, if you want to export a port to the VDOM named vdom3:

config switch-controller managed-switch edit “S524DF4K15000024” config ports edit port3 set export-to “vdom3” set export-tags “VDOM 3” next

end

next

end

6. Request a port in a VPP: execute switch-controller virtual-port-pool request <FortiSwitch_device_ID> <port_name>

NOTE: You must execute this command from the VDOM that is requesting the port.

For example:

execute switch-controller virtual-port-pool request S524DF4K15000024h port3

7. Return a port to a VPP: execute switch-controller virtual-port-pool return <FortiSwitch_device_ID> <port_name>

NOTE: You must execute this command from the VDOM that owns the port.

For example: execute switch-controller virtual-port-pool return S524DF4K15000024h port3

You can create your own export tags using the following CLI commands:

config switch-controller switch-interface-tag edit <tag_name>

end

Use the following CLI command to list the contents of a specific VPP: execute switch-controller virtual-port-pool show-by-pool <VPP_name>

Use the following CLI command to list all VPPs and their contents: execute switch-controller virtual-port-pool show

NOTE: Shared ports do not support the following features: l LLDP

l 802.1x l STP l BPDU guard l Root guard l DHCP snooping l IGMP snooping l QoS

l Port security l MCLAG sFlow support (450507)

sFlow is a method of monitoring the traffic on your network to identify areas on the network that might impact performance and throughput. With sFlow, you can export truncated packets and interface counters. FortiSwitch implements sFlow version 5 and supports trunks and VLANs.

NOTE: Because sFlow is CPU intensive, Fortinet does not recommend high rates of sampling for long periods.

sFlow uses packet sampling to monitor network traffic. The sFlow agent captures packet information at defined intervals and sends them to an sFlow collector for analysis, providing real-time data analysis. To minimize the impact on network throughput, the information sent is only a sampling of the data.

The sFlow collector is a central server running software that analyzes and reports on network traffic. The sampled packets and counter information, referred to as flow samples and counter samples, respectively, are sent as sFlow datagrams to a collector. Upon receiving the datagrams, the sFlow collector provides real-time analysis and graphing to indicate the source of potential traffic issues. sFlow collector software is available from a number of third-party software vendors. You must configure a FortiGate policy to transmit the samples from the FortiSwitch unit to the sFlow collector.

sFlow can monitor network traffic in two ways:

l Flow samples—You specify the percentage of packets (one out of n packets) to randomly sample. l Counter samples—You specify how often (in seconds) the network device sends interface counters.

Use the following CLI commands to specify the IP address and port for the sFlow collector. By default, the IP address is 0.0.0.0, and the port number is 6343.

config switch-controller sflow collector-ip <x.x.x.x> collector-port <port_number>

end

Use the following CLI commands to configure sFlow:

config switch-controller managed-switch <FortiSwitch_serial_number> config ports edit <port_name> set sflow-sampler <disabled | enabled> set sflow-sample-rate <0-99999> set sflow-counter-interval <1-255>

next

next

end

For example:

config switch-controller sflow collector-ip 1.2.3.4 collector-port 10

end

config switch-controller managed-switch S524DF4K15000024 config ports edit port5 set sflow-sampler enabled set sflow-sample-rate 10 set sflow-counter-interval 60

next

next end

Restricting the type of frames allowed through IEEE 802.1Q ports (448505)

You can now specify whether each FortiSwitch port discards tagged 802.1Q frames or untagged 802.1Q frames or allows all frames access to the port. By default, all frames have access to each FortiSwitch port.

Use the following CLI commands:

config switch-controller managed-switch <SN> config ports edit <port_name> set discard-mode <none | all-tagged | all-untagged>

next

next

end

Dynamic ARP inspection (DAI) support (462511)

DAI prevents man-in-the-middle attacks and IP address spoofing by checking that packets from untrusted ports have valid IP-MAC-address binding. DAI allows only valid ARP requests and responses to be forwarded.

To use DAI, you must first enable the DHCP-snooping feature, enable DAI, and then enable DAI for each VLAN. By default, DAI is disabled on all VLANs.

After enabling DHCP snooping with the set switch-controller-dhcp-snooping enable command, use the following CLI commands to enable DAI and then enable DAI for a VLAN:

config system interface edit vsw.test set switch-controller-arp-inpsection <enable | disable>

end

config switch-controller managed-switch edit <sn> config ports edit <VLAN_ID> arp-inspection-trust <untrusted | trusted>

next

end

next

end

Use the following CLI command to check DAI statistics for a FortiSwitch unit: diagnose switch arp-inspection stats <FortiSwitch_Serial_Number>

Use the following CLI command to delete DAI statistics for a specific VLAN:

diagnose switch arp-inspection stats clear <VLAN_ID> <FortiSwitch_Serial_Number>

FortiSwitch port mirroring support (457122)

The FortiSwitch unit can send a copy of any ingress or egress packet on a port to egress on another port of the same FortiSwitch unit. The original traffic is unaffected. This process is known as port mirroring and is typically used for external analysis and capture.

Use the following CLI commands to configure FortiSwitch port mirroring:

config switch-controller managed-switch edit <FortiSwitch_Serial_Number> config mirror edit <mirror_name>

set status <active | inactive> set dst <port_name>

set switching-packet <enable | disable> set src-ingress <port_name> set src-egress <port_name>

next

end

next

NOTE: The set status and set dst commands are mandatory for port mirroring.

For example:

config switch-controller managed-switch edit S524DF4K15000024 config mirror

edit 2

set status active set dst port1 set switching-packet enable set src-ingress port2 port3 set src-egress port4 port5

next

end

next

Quarantining MAC addresses (459525)

To create a permanent quarantine of specific MAC addresses, use the following CLI commands:

config user quarantine

set quarantine enable config targets edit <MAC_address>

set description <string>

set tags <tag1 tag2 tag3 …>

next

end

end

Option	Description
MAC_address_1, MAC_ address_2	A layer-2 MAC address in the following format: 12:34:56:aa:bb:cc
string	Optional. A description of the MAC address being quarantined.
tag1 tag2 tag3 …	Optional. A list of arbitrary strings.

For example:

config user quarantine

set quarantine enable config targets edit 00:00:00:aa:bb:cc set description “infected by virus” set tags “quarantined”

next

end

end

Previously, this feature used the config switch-controller quarantine CLI command.

You can add MAC addresses to be quarantined even when the quarantine feature is disabled. The MAC addresses are only quarantined when the quarantine feature is enabled.

Banning IP addresses (459525)

To temporarily ban an IP address, use the following CLI command: diagnose user ban add src4 <IPv4_address>

Previously, this feature used the diagnose user quarantine CLI command.

Synchronizing the FortiGate unit with the managed FortiSwitch units (454664)

You can now synchronize the FortiGate unit with the managed FortiSwitch units to check for synchronization errors on each managed FortiSwitch unit.

Use the following command to synchronize the full configuration of a FortiGate unit with the managed FortiSwitch unit:

execute switch-controller trigger-config-sync <FortiSwitch_serial_number>

Use one of the following commands to display the synchronization state of a FortiGate unit with a specific managed FortiSwitch unit:

execute switch-controller get-sync-status switch-id <FortiSwitch_serial_number> execute switch-controller get-sync-status name <FortiSwitch_name>

Use the following command to display the synchronization state of a FortiGate unit with a group of managed FortiSwitch units:

execute switch-controller get-sync-status group <FortiSwitch_group_name>

Use the following command to check the synchronization state of all managed FortiSwitch units in the current VDOM: execute switch-controller get-sync-status all

For example:

FG100D3G14813513 (root) # execute switch-controller get-sync-status all Managed-devices in current vdom root:

STACK-NAME: FortiSwitch-Stack-port5

SWITCH (NAME)                               STATUS CONFIG             MAC-SYNC          UPGRADE

FS1D243Z14000173 Up Idle Idle Idle S124DP3X16006228 (Desktop-Switch) Up Idle Idle Idle

Enabling the use of HTTPS to download firmware to managed FortiSwitch units (454664)

Use the following CLI commands to enable the use of HTTPS to download firmware to managed FortiSwitch units:

config switch-controller global set https-image-push enable

end

RADIUS accounting support (451023)

The FortiSwitch unit uses 802.1x-authenticated ports to send five types of RADIUS accounting messages to the RADIUS accounting server to support FortiGate RADIUS single sign-on:

• START—The FortiSwitch has been successfully authenticated, and the session has started.
• STOP—The FortiSwitch session has ended.
• INTERIM—Periodic messages sent based on the value set using the set acct-interim-interval command. l ON—FortiSwitch will send this message when the switch is turned on. l OFF—FortiSwitch will send this message when the switch is shut down.

Use the following commands to set up RADIUS accounting so that FortiOS can send accounting messages to managed FortiSwitch units:

config user radius edit <RADIUS_server_name> set acct-interim-interval <seconds> config accounting-server edit <entry_ID> set status {enable | disable} set server <server_IP_address> set secret <secret_key> set port <port_number>

next

end

next

end

FortiLink mode supported over a layer-3 network (457103)

This feature allows FortiSwitch islands (FSIs) to operate in FortiLink mode over a layer-3 network, even though they are not directly connected to the switch-controller FortiGate unit. FSIs contain one or more FortiSwitch units.

The following limitations apply to FSIs operating in FortiLink mode over a layer-3 network:

• All FortiSwitch units using this feature must be included in the FortiGate preconfigured switch table.
• No layer-2 data path component, such as VLANs, can span across layer 3 between the FortiGate unit and the FortiSwitch unit.
• All FortiSwitch units within an FSI must be connected to the same FortiGate unit.
• The FortiSwitch unit needs a functioning layer-3 routing configuration to reach the FortiGate unit or any featureconfigured destination, such as syslog or 802.1x.
• Do not connect a layer-2 FortiGate unit and a layer-3 FortiGate unit to the same FortiSwitch unit.
• If the FortiSwitch management port is used for a layer-3 connection to the FortiGate unit, the FSI can contain only one FortiSwitch unit. All switch ports must remain in standalone mode.
• Do not connect a FortiSwitch unit to a layer-3 network and a layer-2 network on the same segment.
• If the network has a wide geographic distribution, some features, such as software downloads, might operate slowly.

To configure a FortiSwitch unit to operate in a layer-3 network:

1. Reset the FortiSwitch to factory default settings with the execute factoryreset
2. Manually set the FortiSwitch unit to FortiLink mode:

config system global

set switch-mgmt-mode fortilink end

3. Configure the discovery setting for the FortiSwitch unit. You can either use DHCP discovery or static discovery.

To use DHCP discovery:

config switch-controller global

ac-discovery dhcp

dhcp-option-code <integer>

end end

To use static discovery:

config switch-controller global

ac-discovery static           config ac-list

id <integer>

set ipv4-address <IPv4_address>

next

end

end

4. Configure at least one port of the FortiSwitch unit as an uplink port. When the FortiSwitch is in FortiLink mode, VLAN 4094 is configured on an internal port, which can provide a path to the layer-3 network with the following commands:

config switch interface edit <port_number> set fortilink-l3-mode enable

end

end

NOTE: The NTP server must be configured on the FortiSwitch unit either manually or provided by DHCP. The NTP server must be reachable from the FortiSwitch unit.

Limiting the number of parallel process for FortiSwitch configuration (457103)

Use the following CLI commands to reduce the number of parallel process that the switch controller uses for configuring FortiSwitch units: config global config switch-controller system set parallel-process-override enable set parallel-process <1-300>

end

end

CLI changes for FortiLink mode (447349, 473773)

There are changes to the execute switch-controller get-physical-connection, execute switch-controller get-conn-status, and diagnose switch-controller dump networkupgrade status CLI commands.

• The execute switch-controller get-physical-connection CLI command has new parameters:

Use the execute switch-controller get-physical-connection standard command to get the FortiSwitch stack connectivity graph in the standard output format.

Use the execute switch-controller get-physical-connection dot command to get the

FortiSwitch stack connectivity graph in a .dot (Graphviz) output format.

• The execute switch-controller get-conn-status CLI command output now includes virtual

FortiSwitch units. Virtual FortiSwitch units are indicated by an asterisk (*) after the switch identifier. For example:

execute switch-controller get-conn-status

STACK-NAME: FortiSwitch-Stack-port2
SWITCH-ID            VERSION	STATUS	ADDRESS	JOIN-TIME		NAME
S108DV2EJZDAC42F     v3.6.0	Authorized/Up	169.254.2.4	Thu Feb	8 17:07:35 2018	–
S108DV4FQON40Q07     v3.6.0	Authorized/Up	169.254.2.5	Thu Feb	8 17:08:37 2018	–
S108DVBWVLH4QGEB     v3.6.0	Authorized/Up	169.254.2.6	Thu Feb	8 17:09:13 2018	–
S108DVCY19SA0CD8     v3.6.0	Authorized/Up	169.254.2.2	Thu Feb	8 17:04:41 2018	–
S108DVD98KMQGC44* v3.6.0	Authorized/Up	169.254.2.7	Thu Feb	8 17:10:50 2018	–
S108DVGGBJLQQO48* v3.6.0	Authorized/Up	169.254.2.3	Thu Feb	8 17:06:57 2018	–
S108DVKM5T2QEA92     v3.6.0	Authorized/Up	169.254.2.8	Thu Feb	8 17:11:00 2018	–
S108DVZX3VTAOO45     v3.6.0	Authorized/Up	169.254.2.9	Thu Feb	8 17:11:00 2018	–
Managed-Switches: 8	UP: 8	DOWN: 0

• The diagnose switch-controller dump network-upgrade status CLI command output now

includes the location of the image that is loaded when the FortiSwitch unit is restarted. If the Next boot column is blank, the FortiSwitch unit uses the same location each it is restarted. The status column shows the percentage downloaded, the percentage erased in flash memory, and the percentage written to flash memory.

For example:

diagnose switch-controller dump network-upgrade status

Running                                       Status       Next boot

__________________ ________________________________________ _________ ___________________________ VDOM : root

S108DVCY19SA0CD8 S108DV-v3.6.0-build4277,171207 (Interim) (0/0/0) S108DV-v3.7.0build4277,171207 (Interim)

S108DV2EJZDAC42F S108DV-v3.6.0-build4277,171207 (Interim) (0/0/0)

Upgrade the firmware on multiple FortiSwitch units at the same time using the GUI (462553)

To upgrade the firmware on multiple FortiSwitch units at the same time:

1. Go to WiFi & Switch Controller> Managed FortiSwitch.
2. Select the faceplates of the FortiSwitch units that you want to upgrade.
3. Click Upgrade.

The Upgrade FortiSwitches page opens.

4. Select FortiGuard or select Upload and then select the firmware file to upload.

You can select only one firmware image to use to upgrade the selected FortiSwitch units. If the FortiSwitch unit already has the latest firmware image, it will not be upgraded.

5. Select Upgrade.

Network-assisted device detection (377467)

Network-assisted device detection allows the FortiGate unit to use the information about connected devices detected by the managed FortiSwitch unit.

To enable network-assisted device detection on a VDOM:

config switch-controller network-monitor-settings set network-monitoring enable end

 

Connecting FortiLink ports                                                            1. Enable the switch controller on the               unit

Supported models

Introduction

NOTE: FortiLink is not supported in Transparent mode.

The maximum number of supported FortiSwitch units depends on the FortiGate model:

FortiGate Model Range

Number of FortiSwitch Units Supported

Up to FortiGate-98 and FortiGate-VM01                                8

FortiGate-100 to 280 and FortiGate-VM02                             24

FortiGate-300 to 5xx                                                           48

FortiGate-600 to 900 and FortiGate-VM04                             64

FortiGate-1000 and up                                                        128

FortiGate-3xxx and up and FortiGate-VM08 and up                300

Supported models

The following table shows the FortiSwitch models that support FortiLink mode when paired with the corresponding FortiGate models and the listed minimum software releases. For example, the FGT-500E model with FortiOS 5.6.3 and later supports all FortiSwitch D-series and E-series models running FortiSwitchOS 3.6.0 and later.

Each row includes support for earlier FortiGate models. For example, the FGT-500E row includes support by the FortiGate models in the rows above it.

		FortiSwitch Models
FortiGate and FortiWiFi Models	Earliest FortiOS
FGT-90D	5.2.2	FS-224D-POE

Supported models

FortiGate and FortiWiFi Models	Earliest FortiOS	FortiSwitch Models
FGT-60D FGT-100D, 140D, 140D-POE, 140D-T1 FGT-200D, 240D, 280D, 280D-POE FGT-600C FGT-800C FGT-1000C, 1200D, 1500D FGT-3700D, FGT-3700DX	5.2.3	FSR-112D-POE FS-108D-POE FS-124D (POE) FS-224D-POE and FPOE
	5.4.0	All FortiSwitch D-series models. FortiSwitchOS 3.3.x or 3.4.0 is recommended.
FGT and FWF-30D, 30D-POE, 30E FGT and FWF-50E, 51E FGR-60D FGT-70D, 70D-POE FGT-80D FGR-90D FGT and FWF-92D FGT-94D-POE, 98D-POE FGT-300D FGT-400D FGT-500D FGT-600D FGT-900D FGT-1000D FGT-3000D, 3100D, 3200D, 3240C, 3600C, 3810D, 3815D FGT_VM, VM64, VM64-AWS, VM64AWSONDEMAND, VM64-HV, VM64-KVM, VMVMX, VM64-XEN	5.4.1	All FortiSwitch D-series models. FortiSwitchOS 3.4.2 or later is required for all managed switches.
FGT and FWF- 60E, 61E FGT-100E, 101E	5.4.2	All FortiSwitch D-series models. FortiSwitchOS 3.4.2 or later is required for all managed switches.
FGT-80E, 80E-POE, 81E, 81E-POE FGT-100EF	5.4.3	All FortiSwitch D-series models. FortiSwitchOS 3.4.2 or later is required for all managed switches.
FGT-90E, 91E FGT-200E, 201E FGT-2000E, 2500E	5.6.0	All FortiSwitch D-series models. FortiSwitchOS 3.5.4 or later is required for all managed switches.

Support of FortiLink features

		FortiSwitch Models
FortiGate and FortiWiFi Models	Earliest FortiOS
FGT-500E	5.6.3	All FortiSwitch D-series and E-series models. FortiSwitchOS 3.6.0 or later is required for all managed switches.

Support of FortiLink features

The following table lists the FortiSwitch models supported by FortiLink features.

FortiLink Features	FortiSwitch Models
Centralized VLAN Configuration	D-series, E-series
Switch POE Control	D-series, E-series
Link Aggregation Configuration	D-series, E-series
Spanning Tree Protocol (STP)	D-series, E-series
LLDP/MED	D-series, E-series
IGMP Snooping	Not supported on 112D-POE, 1xxE-Series
802.1x Authentication (Port-based, MAC-based, MAB)	D-series, E-series
Syslog Collection	D-series, E-series
DHCP Snooping	Not supported on 1xxE-Series
Device Detection	D-series, E-series
Support FortiLink FortiGate in HA Cluster	D-series, E-series
LAG support for FortiLink Connection	D-series, E-series
Active-Active Split MLAG from FortiGate to FortiSwitch units for Advanced Redundancy	Not supported on FS-1xx Series
sFlow	Not supported on 1xxE-Series
Dynamic ARP Inspection (DAI)	Not supported on 1xxE-Series
Port Mirroring	D-series, E-series

Before you begin

FortiLink Features	FortiSwitch Models
RADIUS Accounting Support	Not supported on 1xxE-Series
Centralized Configuration	D-series, E-series
Access VLAN	Not supported on 1xxE-Series, 112D-POE
STP BDPU Guard, Root Guard, Edge Port	D-series, E-series
Loop Guard	D-series, E-series
Switch admin Password	D-series, E-series
Storm Control	D-series, E-series
802.1x-Authenticated Dynamic VLAN Assignment	D-series, E-series
Host Quarantine on Switch Port	Not supported on 1xxE Series, 112D-POE
QoS	Not supported on 1xxE-Series, 112D-POE
Centralized Firmware Management	D-series, E-series

Before you begin

Before you configure the managed FortiSwitch unit, the following assumptions have been made in the writing of this manual:

• You have completed the initial configuration of the FortiSwitch unit, as outlined in the QuickStart Guide for your FortiSwitch model, and you have administrative access to the FortiSwitch web-based manager and CLI.
• You have installed a FortiGate unit on your network and have administrative access to the FortiGate web-based manager and CLI.

How this guide is organized

This guide contains the following sections:

• Whatʼs new in FortiOS 6.0 describes the new features for this release. l Connecting FortiLink ports describes how to connect FortiSwitch ports to FortiGate ports. l FortiLink configuration using the FortiGate GUI describes how to use the FortiGate GUI for FortiLink configuration. l FortiLink configuration using the FortiGate CLI describes how to use the FortiGate CLI for FortiLink configuration. l Network topologies for managed FortiSwitch units describes the configuration for various network topologies.
• Optional setup tasks describes other setup tasks that are optional. l FortiSwitch features configuration describes how to configure managed FortiSwitch features, including VLANs. l FortiSwitch port features describe how to configure ports and PoE from the FortiGate unit.