About 802.1x
Authenticating with a RADIUS server
Example Configuration
TACACS
Administrative Accounts
Configuring an Access Profile for Admin Accounts
Configuring a TACACS Admin Account
User Accounts
Configuring a User Account
Configuring a User Group
Example Configuration
Change Log
Date            Change Description
Oct 24, 2014    Added content for initial 3.0.0 release.
Nov 21, 2014    Added chapter to describe Private VLANs.
Dec 4, 2014     Added content for release 3.0.1
Dec 22, 2014    Added a step in "Configuring a Port Mirror" to enable the Packet Switching option if the mirror destination is not a dedicated port. Added an explanation and examples to clarify the hardware restrictions when configuring multiple mirror destination ports.
Feb 17, 2015    Added content for release 3.2.0
Mar 6, 2015     Added new chapter for MSTP
Mar 25, 2015    Added MSTP diagnostic commands. Added chapter to describe VLAN Tagging.
Introduction
This guide contains information about the administration of a FortiSwitch unit in standalone mode. In standalone
mode, you manage the FortiSwitch by connecting directly to the unit, either using the web-based manager (also
known as the GUI) or the CLI.
If you will be managing your FortiSwitch unit using a FortiGate, please see the guide Managing a FortiSwitch
unit with a FortiGate, available at the following location:
This guide is for all FortiSwitch models that are supported by FortiSwitchOS. This includes the following models:
FS-108D-POE, FS-224D-POE, FS-1024D, FS-1048D, and FS-3032D.
FortiSwitch Rugged model FSR-112D-POE is also supported.
Note: FS-124D is also supported, using special build 6122.
Supported Features
Release 3.0.0
Release 3.0.0 includes the following new features, which are available on all of the FortiSwitchOS models:
• CLI BIOS upgrade
• CPU-based static routing
• DMI module reading (for select modules)
• Fan/Temp/PSU monitoring
• Multi-port mirroring
In addition, FS-1024D, FS-1048D, and FS-3032D support Link Aggregation Groups with up to 24 ports.
Release 3.0.1
The following enhancements are included in FortiSwitchOS v3.0.1:
• Support FS-224D-POE FortiLink remote management mode (see Release Notes for supported FortiGate models).
• Added delay intervals between PoE ports when they are enabled during bootup.
Release 3.2.0
The following table lists the new features in Release 3.2.0 and the switch models that support each feature.
FortiSwitchOS-3.2.0
Feature
FS-108D-POE
FSR-112D-POE
FS-1024D FS-1048D FS-3032D
FS-224D-POE
802.1x MAC-based security mode ✓✓✓✓
LLDP transmit ✓✓✓✓
Loop guard ✓✓✓✓
Flap guard ✓✓✓✓
LAG min-max bundle ✓✓✓✓
Auto-module max speed detection ✓✓
IP conflict detection and notification ✓✓✓✓
Layer 3 routing in Hardware ✓✓✓
MAC-IP Binding ✓✓✓
Static BFD ✓✓✓
Hardware-based ECMP ✓✓✓
48 port LAG support ✓
Release 3.2.0 supports FortiLink remote management mode for FS-108D-POE, FSR-112D-POE, and FS-224D-POE (see Release Notes for supported FortiGate models).
Before You Begin
Before you start administrating your FortiSwitch unit, it is assumed that you have completed the initial
configuration of the FortiSwitch unit, as outlined in the QuickStart Guide for your FortiSwitch model and have
administrative access to the FortiSwitch unit’s web-based manager and CLI.
How this Guide is Organized
This guide is organized into the following chapters:
• System Settings contains information about the initial configuration of your FortiSwitch unit.
• Management Ports contains information about configuring the management ports.
• Physical Port Settings contains information about configuring the physical ports.
• Layer 2 Interfaces contains information on configuring Layer 2 interfaces.
• Link Aggregation Groups contains information on configuring Link Aggregation Groups.
• Port Mirroring contains information on configuring Port Mirroring.
• Private VLANs contains information on the creation and management of private virtual local area networks (VLANs).
• Layer 3 Interfaces contains information on configuring routed ports, routed VLAN interfaces, switch virtual
interfaces, and features related to these interfaces.
• 802.1x Authentication contains information on configuring 802.1x authentication.
• TACACS contains information on using TACACS authentication.
System Settings
IP Conflict Detection
IP conflicts can occur when two systems on the same network are using the same IP address. FortiSwitch monitors the
network for conflicts and raises a system log message and an SNMP trap when it detects a conflict.
Description
The IP Conflict Detection feature provides two methods to detect a conflict. The first method relies on a remote
device to send a broadcast ARP (Address Resolution Protocol) packet claiming ownership of a particular IP
address. If the IP address in the source field of that ARP packet matches any of the system interfaces associated
with the receiving FortiSwitch system, the system logs a message and raises an SNMP trap.
For the second method, the FortiSwitch actively broadcasts gratuitous ARP packets when any of the following
events occurs:
• System boot-up
• Interface status changes from down to up
• MAC address change
• IP address change
If a system is using the same IP address, the FortiSwitch will receive a reply to the gratuitous ARP. If it receives a
reply, the system logs a message.
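The two detection methods described above, sketched as a frame check. This is an added example, not FortiSwitch code: the function names, the sample MAC addresses and the rule that frames carrying the interface's own MAC are ignored are assumptions made for the illustration.

```python
import ipaddress
import struct

BROADCAST = b"\xff" * 6
ARP_REPLY = 2

def build_arp(dst, sender_mac, op, sender_ip, target_ip):
    """Build a constructed Ethernet + ARP frame (sample input only)."""
    eth = struct.pack("!6s6sH", dst, sender_mac, 0x0806)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, sender_mac,
                      ipaddress.IPv4Address(sender_ip).packed, b"\x00" * 6,
                      ipaddress.IPv4Address(target_ip).packed)
    return eth + arp

def parse_arp(frame):
    """Return (dst_mac, op, sender_mac, sender_ip) or None if not IPv4 ARP."""
    if len(frame) < 42:
        return None
    dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return dst, op, sha, ipaddress.IPv4Address(spa)

def check_conflict(frame, interfaces):
    """interfaces maps name -> (own MAC, IPv4Address). Returns a log line or None."""
    parsed = parse_arp(frame)
    if parsed is None:
        return None
    dst, op, sender_mac, sender_ip = parsed
    # Method 1: a remote broadcast ARP claims the address.
    # Method 2: a reply arrives to the switch's own gratuitous ARP.
    if dst != BROADCAST and op != ARP_REPLY:
        return None
    for name, (own_mac, own_ip) in interfaces.items():
        # Assumption: frames carrying the interface's own MAC are ignored.
        if sender_ip == own_ip and sender_mac != own_mac:
            return ("IP Conflict: conflict detected on system interface "
                    f"{name} for IP address {own_ip}")
    return None

# Constructed sample data (addresses and MACs are made up for the example).
IFACES = {"mgmt": (bytes.fromhex("020000000001"), ipaddress.IPv4Address("10.10.10.1"))}
REMOTE = bytes.fromhex("020000000099")
CLAIM = build_arp(BROADCAST, REMOTE, 1, "10.10.10.1", "10.10.10.1")
REPLY = build_arp(IFACES["mgmt"][0], REMOTE, ARP_REPLY, "10.10.10.1", "10.10.10.1")
```

Both `CLAIM` and `REPLY` produce the log line format shown in this guide for interface mgmt and address 10.10.10.1.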
Configuring IP Conflict Detection
IP conflict detection is enabled on a global basis. The default setting is enabled.
Using the CLI:
config system global
    set detect-ip-conflict <enable|disable>
end
Viewing IP Conflict Detection
If the system detects an IP conflict, the system generates the following log message:
IP Conflict: conflict detected on system interface mgmt for IP address 10.10.10.1
Port Flap Guard
A flapping port can create instability in protocols such as STP. If a port is flapping, STP must continually
recalculate the role for each port.
The port flap guard feature will detect a flapping port and the system will shut down the port if necessary. You can
manually reset the port and restore it to the enabled state.
Configuring Port Flap Guard
Port flap-guard is configured and enabled on a global basis. The default setting is disabled.
Flap duration range is 5 to 300.
Flap rate range is 5 to 300.
Using the CLI:
config switch flapguard settings
    set status [ disable | enable ]
    set flap-rate <integer>
    set flap-duration <integer>
end
Use the following command to reset a port and restore it to service:
execute flapguard reset <port>
Viewing Port Flap Guard Configuration
Display the status of the Port Flap Guard configuration using the following command:
show switch flapguard settings
Display the Port Flap Guard information for each port using the following command:
diagnose flapguard instance status
Management Ports
This chapter contains information about the initial configuration of your FortiSwitch unit.
Configuring the Management Ports
Using the web-based manager:
First start by editing the default internal interface’s configuration.
1. Go to System > Network > Interface and edit the internal interface.
2. Assign an IP/Netmask.
3. Set Administrative Access to use the desired protocols to connect to the interface.
4. Select OK.
Next, create a new interface to be used for management.
1. Go to System > Network > Interface and select Create New to create a management VLAN.
2. Give the interface an appropriate name.
3. Set Interface to internal.
4. Set a VLAN ID.
5. Assign an IP/Netmask.
6. Set Administrative Access to use the desired protocols to connect to the interface.
7. Select OK.
Using the CLI:
config system interface
    edit internal
        set ip <address>
        set allowaccess <access_types>
        set type physical
    next
    edit <name>
        set ip <address>
        set allowaccess <access_types>
        set interface internal
        set vlanid 10
    end
end
Example Configurations
The following are four example configurations for management ports, with the CLI syntax shown to create them.
Example 1: Port 48 as an inbound management interface
In this example, a physical port is used as an inbound management interface. Also, the FortiSwitch in the
example has no default VLAN configured to connect its internal interface to any physical port.
Figure: Using Port 48 of a FortiSwitch-448B unit (Port 48 used as an inbound management interface)
Syntax
config system interface
    edit internal
        set type physical
    next
    edit mgmt-vlan
        set ip 10.105.142.22 255.255.255.0
        set allowaccess ping https ssh
        set interface "internal"
        set vlanid 4090
    next
end
config switch interface
    edit port48
        set native-vlan 4090
        set stp-state disabled
    next
    edit uplink1
    next
    edit uplink2
    next
    edit internal
        set native-vlan 4095
        set allowed-vlans 4090
        set stp-state disabled
    end
end
Example 2: Internal interface as an inbound management interface
In this example, the internal interface is used as an inbound management interface. Also, the FortiSwitch has a
default VLAN across all physical ports and its internal port.
Figure: Using the internal interface of a FortiSwitch-108D-POE (Port 1, part of the internal interface, used as an inband management interface)
Syntax
config system interface
    edit internal
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https http ssh
        set type physical
    end
end
Example 3: WAN interface as an inbound management port
In this example, the WAN interface is used as an inbound management port.
Figure: WAN interface of a FortiSwitch-28C (WAN 2 port used as an inbound management port)
Syntax
config system interface
    edit wan2
        set ip 10.105.142.10 255.255.255.0
        set allowaccess ping https ssh
        set type physical
    next
    edit wan1
        set mode dhcp
        set allowaccess ping https ssh
        set type physical
        set defaultgw enable
    next
    edit internal
        set type physical
    end
end
Example 4: Out of band management interface
In the example, an out of band management interface is used as the dedicated management port.
Figure: Out of band management on a FortiSwitch-1024D (Port 1 used as an Ethernet data port; dedicated MGMT port)
Syntax
config system interface
    edit mgmt
        set ip 10.105.142.19 255.255.255.0
        set allowaccess ping https http ssh snmp telnet
        set type physical
    next
    edit internal
        set type physical
    end
end
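A check that can be run over interface configuration such as Examples 1 to 4: it reports interfaces whose set allowaccess line enables HTTP or Telnet, which carry administrator credentials unencrypted (Example 4 enables both, Example 2 enables HTTP). This is an added example, not part of the FortiSwitch guide; audit_allowaccess and CLEARTEXT are hypothetical names.

```python
CLEARTEXT = {"http", "telnet"}  # management protocols that are not encrypted

def audit_allowaccess(config_text):
    """Map interface name -> cleartext protocols enabled by `set allowaccess`."""
    findings, in_block, current = {}, False, None
    for line in config_text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "config":
            # Only `config system interface` blocks are inspected.
            in_block = tokens[1:3] == ["system", "interface"]
            current = None
        elif in_block and tokens[0] == "edit" and len(tokens) > 1:
            current = tokens[1].strip('"')
        elif in_block and current and tokens[:2] == ["set", "allowaccess"]:
            weak = sorted(CLEARTEXT.intersection(tokens[2:]))
            if weak:
                findings[current] = weak
    return findings

# Input copied from this guide: Example 4, and an excerpt of Example 1.
EXAMPLE_4 = """
config system interface
edit mgmt
set ip 10.105.142.19 255.255.255.0
set allowaccess ping https http ssh snmp telnet
set type physical
next
edit internal
set type physical
end
end
"""
EXAMPLE_1 = """
config system interface
edit mgmt-vlan
set ip 10.105.142.22 255.255.255.0
set allowaccess ping https ssh
set interface "internal"
set vlanid 4090
next
end
"""

if __name__ == "__main__":
    print(audit_allowaccess(EXAMPLE_4))
    print(audit_allowaccess(EXAMPLE_1))
```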
Configuring Static Routing for the Internal Management Port
Using the CLI:
config router static
    edit 1
        set device <internal>
        set default gateway
        set gateway 192.168.0.10
    end
end
Physical Port Settings
This chapter covers features that are associated with FortiSwitch physical ports.
Diagnostic Monitoring Interface (DMI) Module Status
DMI is only supported on the following models: FortiSwitch-1024D, FortiSwitch-1048D, and FortiSwitch-3032D.
The FortiSwitch-3032D also supports a 40G DMI.
DMI module status can be viewed using the command get switch modules. This allows you to display one of
the following:
• Module details (detail)
• EEPROM contents (eeprom)
• Module limits (limit)
• Module status (status)
• Summary information of all a port’s modules (summary)
Below is an example output for the command switch modules detail:
Port(port38)
identifier        SFP/SFP+
connector         LC
transceiver       10G Base-SR
encoding          64B/66B
Length Decode Common
length_smf_1km    N/A
length_cable      N/A
SFP Specific
length_smf_100m   N/A
length_50um_om2   80 meter
length_62um_om1   30 meter
length_50um_om3   150 meter
vendor            FINISAR CORP.
vendor_oid        0x009065
vendor_pn         FTLX8572D3BCL
vendor_rev        A
vendor_sn         UDK050K
manuf_date        02/20/2009