Additional capabilities
This chapter covers the following topics:
- Execute custom FortiSwitch scripts
- View and upgrade the FortiSwitch firmware version
- FortiSwitch log settings
- FortiSwitch per-port device visibility
- FortiOS CLI support for FortiSwitch features (on non-FortiLink ports)
- Synchronizing the FortiGate unit with the managed FortiSwitch units
- Replacing a managed FortiSwitch unit
- FortiSwitch network access control
- Configuring IoT detection
- Optimizing the FortiSwitch network
Execute custom FortiSwitch scripts
From the FortiGate unit, you can execute a custom script on a managed FortiSwitch unit. The custom script contains generic FortiSwitch commands.
NOTE: FortiOS 5.6.0 introduces additional capabilities related to the managed FortiSwitch unit.
Create a custom script
Use the following syntax to create a custom script from the FortiGate unit:
config switch-controller custom-command
edit <cmd-name>
set command "<FortiSwitch_command>"
end
NOTE: You need to use %0a
to indicate a return.
For example, use the custom script to set the STP max-age parameter on a managed FortiSwitch unit:
config switch-controller custom-command
edit "stp-age-10"
set command "config switch stp setting %0a set max-age 10 %0a end %0a"
end
Execute a custom script once
After you have created a custom script, you can manually execute it on any managed FortiSwitch unit. Because the custom script is not bound to any switch, the FortiSwitch unit might reset some parameters when it is restarted.
Use the following syntax on the FortiGate unit to execute the custom script once on a specified managed FortiSwitch unit:
execute switch-controller custom-command <cmd-name> <target-switch>
For example, you can execute the stp-age-10
script on the specified managed FortiSwitch unit:
execute switch-controller custom-command stp-age-10 S124DP3X15000118
Bind a custom script to a managed switch
If you want the custom script to be part of the managed switchʼs configuration, the custom script must be bound to the managed switch. If any of the commands in the custom script are locally controlled by a switch, the commands might be overwritten locally.
Use the following syntax to bind a custom script to a managed switch:
config switch-controller managed-switch
edit "<FortiSwitch_serial_number>"
config custom-command
edit <custom_script_entry>
set command-name "<name_of_custom_script>"
next
end
next
end
For example:
config switch-controller managed-switch
edit "S524DF4K15000024"
config custom-command
edit 1
set command-name "stp-age-10"
next
end
next
end
View and upgrade the FortiSwitch firmware version
You can view the current firmware version of a FortiSwitch unit and upgrade the FortiSwitch unit to a new firmware version. The FortiGate unit will suggest an upgrade when a new version is available in FortiGuard.
Using the FortiGate web interface
To view the FortiSwitch firmware version:
- Go to WiFi & Switch Controller > Managed FortiSwitch.
- In the main panel, select the FortiSwitch faceplate and click Edit.
- In the Edit Managed FortiSwitch panel, the Firmware section displays the current build on the FortiSwitch.
To upgrade the firmware on multiple FortiSwitch units at the same time:
- Go to WiFi & Switch Controller > Managed FortiSwitch.
- Select the faceplates of the FortiSwitch units that you want to upgrade.
- Click Upgrade.The Upgrade FortiSwitches page opens.
- Select FortiGuard or select Upload and then select the firmware file to upload. If you select FortiGuard, all FortiSwitch units that can be upgraded are upgraded. If you select Upload, only one firmware image can be used at a time for upgrading.
- Select Upgrade.
Using the CLI
Use the following command to stage a firmware image on all FortiSwitch units:
diagnose switch-controller switch-software stage all <image id>
Use the following command to upgrade the firmware image on one FortiSwitch unit:
diagnose switch-controller switch-software upgrade <switch id> <image id>
Use the following CLI commands to enable the use of HTTPS to download firmware to managed FortiSwitch units:
config switch-controller global
set https-image-push enable
end
From your FortiGate CLI, you can upgrade the firmware of all of the managed FortiSwitch units of the same model using a single execute
command. The command includes the name of a firmware image file and all of the managed FortiSwitch units compatible with that firmware image file are upgraded. For example:
execute switch-controller switch-software stage all <firmware-image-file>
You can also use the following command to restart all of the managed FortiSwitch units after a 2-minute delay.
execute switch-controller switch-action restart delay all
FortiSwitch log settings
You can export the logs of managed FortiSwitch units to the FortiGate unit or send FortiSwitch logs to a remote Syslog server.
Exporting logs to FortiGate
You can enable and disable whether the managed FortiSwitch units export their logs to the FortiGate unit. The setting is global, and the default setting is enabled. Starting in FortiOS 5.6.3, more details are included in the exported FortiSwitch logs.
To allow a level of filtering, the FortiGate unit sets the user field to “fortiswitch-syslog” for each entry.
Use the following CLI command syntax:
config switch-controller switch-log
set status {*enable | disable}
set severity {emergency | alert | critical | error | warning | notification | *information | debug}
end
You can override the global log settings for a FortiSwitch unit, using the following commands:
config switch-controller managed-switch
edit <switch-id>
config switch-log
set local-override enable
At this point, you can configure the log settings that apply to this specific switch.
Sending logs to a remote Syslog server
Instead of exporting FortiSwitch logs to a FortiGate unit, you can send FortiSwitch logs to one or two remote Syslog servers. After enabling this option, you can select the severity of log messages to send, whether to use comma-separated values (CSVs), and the type of remote Syslog facility. By default, FortiSwitch logs are sent to port 514 of the remote Syslog server.
Use the following CLI command syntax to configure the default syslogd and syslogd2 settings:
config switch-controller remote-log
edit {syslogd | syslogd2}
set status {enable | *disable}
set server <IPv4_address_of_remote_syslog_server>
set port <remote_syslog_server_listening_port>
set severity {emergency | alert | critical | error | warning | notification | *information | debug}
set csv {enable | *disable}
set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | *local7}
next
end
You can override the default syslogd and syslogd2 settings for a specific FortiSwitch unit, using the following commands:
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config remote-log
edit {edit syslogd | syslogd2}
set status {enable | *disable}
set server <IPv4_address_of_remote_syslog_server>
set port <remote_syslog_server_listening_port>
set severity {emergency | alert | critical | error | warning | notification | *information | debug}
set csv {enable | *disable}
set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | *local7}
next
end
next
end
FortiSwitch per-port device visibility
In the FortiGate GUI, User & Device > Device List displays a list of devices attached to the FortiSwitch ports. For each device, the table displays the IP address of the device and the interface (FortiSwitch name and port).
From the CLI, the following command displays information about the host devices:
diagnose switch-controller mac-cache show <switch-id>
FortiOS CLI support for FortiSwitch features (on non-FortiLink ports)
You can configure the following FortiSwitch features from the FortiOS CLI.
Configuring a link aggregation group (LAG)
You can configure a link aggregation group (LAG) for non-FortiLink ports on a FortiSwitch unit. You cannot configure ports from different FortiSwitch units in one LAG. When the trunk is in LACP mode, either lacp-passive or lacp-active, members of a trunk can be grouped into the aggregator with the largest bandwidth or the aggregator with the most ports.
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config ports
edit <trunk_name>
set type trunk
set mode {static | lacp-passive | lacp-active}
set aggregator-mode {bandwidth | count}
set bundle {enable | disable}
set min-bundle <int>
set max-bundle <int>
set members <port1 port2 ...>
next
end
end
end
Configuring storm control
Storm control uses the data rate (packets/sec, default 500) of the link to measure traffic activity, preventing traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on a port.
When the data rate exceeds the configured threshold, storm control drops excess traffic. You can configure the types of traffic to drop: broadcast, unknown unicast, or multicast. By default, these three types of traffic are not dropped.
To configure storm control for all switch ports (including both FortiLink ports and non-FortiLink ports) on the managed switches, use the following FortiOS CLI commands:
config switch-controller storm-control
set rate <rate>
set unknown-unicast {enable | disable}
set unknown-multicast {enable | disable}
set broadcast {enable | disable}
end
To configure storm control for a FortiSwitch port, use the FortiOS CLI to select the override storm-control-mode in the storm-control policy and then assigning the storm-control policy for the FortiSwitch port.
config switch-controller storm-control-policy
edit <storm_control_policy_name>
set description <description_of_the_storm_control_policy>
set storm-control-mode override
set rate <1-10000000 or 0 to drop all packets>
set unknown-unicast {enable | disable}
set unknown-multicast {enable | disable}
set broadcast {enable | disable}
next
end
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config ports
edit port5
set storm-control-policy <storm_control_policy_name>
next
end
For example:
config switch-controller storm-control-policy
edit stormpol1
set description "storm control policy for port 5"
set storm-control-mode override
set rate 1000
set unknown-unicast enable
set unknown-multicast enable
set broadcast enable
next
end
config switch-controller managed-switch
edit S524DF4K15000024
config ports
edit port5
set storm-control-policy stormpol1
next
end
Displaying, resetting, and restoring port statistics
For the following commands, if the managed FortiSwitch unit is not specified, the command is applied to all ports of all managed FortiSwitch units.
To display port statistics of a managed FortiSwitch unit:
diagnose switch-controller switch-info port-stats <managed FortiSwitch device ID> <port_name>
For example:
FG100D3G15817028 (global) # diagnose switch-controller switch-info port-stats S524DF4K15000024 port8
Vdom: dmgmt-vdom
Vdom: roort
Vdom: root
S524DF4K15000024:
Port(port8) is Admin up, line protocol is down
Interface Type is Serial Gigabit Media Independent Interface(SGMII/SerDes)
Address is 08:5B:0E:F1:95:ED, loopback is not set
MTU 9216 bytes, Encapsulation IEEE 802.3/Ethernet-II
half-duplex, 0 Mb/s, link type is auto
input : 0 bytes, 0 packets, 0 errors, 0 drops, 0 oversizes
0 unicasts, 0 multicasts, 0 broadcasts, 0 unknowns
output : 0 bytes, 0 packets, 0 errors, 0 drops, 0 oversizes
0 unicasts, 0 multicasts, 0 broadcasts
0 fragments, 0 undersizes, 0 collisions, 0 jabbers
Vdom: vdom-1
To reset the port statistics counters of a managed FortiSwitch unit:
diagnose switch-controller trigger reset-hardware-counters <managed FortiSwitch device ID> <port_name>
For example:
FG100D3G15817028 (global) # diagnose switch-controller trigger reset-hardware-counters S524DF4K15000024 1,3,port6-7
NOTE: This command is provided for debugging; accuracy is not guaranteed when the counters are reset. Resetting the counters might have a negative effect on monitoring tools, such as SNMP and FortiGate. The statistics gathered during the time when the counters are reset might be discarded.
To restore the port statistics counters of a managed FortiSwitch unit:
diagnose switch-controller trigger restore-hardware-counters <managed FortiSwitch device ID> <port_name>
For example:
FG100D3G15817028 (global) # diagnose switch-controller trigger restore-hardware-counters S524DF4K15000024 port10-port11,internal
Configuring QoS with managed FortiSwitch units
Quality of Service (QoS) provides the ability to set particular priorities for different applications, users, or data flows.
NOTE: The FortiGate unit does not support QoS for hard or soft switch ports.
The FortiSwitch unit supports the following QoS configuration capabilities:
- Mapping the IEEE 802.1p and Layer 3 QoS values (Differentiated Services and IP Precedence) to an outbound QoS queue number.
- Providing eight egress queues on each port.
- Policing the maximum data rate of egress traffic on the interface.
- If you select
weighted-random-early-detection
for thedrop-policy
, you can enable explicit congestion notification (ECN) marking to indicate that congestion is occurring without just dropping packets.
To configure the QoS for managed FortiSwitch units:
- Configure a Dot1p map.
A Dot1p map defines a mapping between IEEE 802.1p class of service (CoS) values (from incoming packets on a trusted interface) and the egress queue values. Values that are not explicitly included in the map will follow the default mapping, which maps each priority (0-7) to queue 0. If an incoming packet contains no CoS value, the switch assigns a CoS value of zero.
NOTE: Do not enable trust for both Dot1p and DSCP at the same time on the same interface. If you do want to trust both Dot1p and IP-DSCP, the FortiSwitch uses the latter value (DSCP) to determine the queue. The switch will use the Dot1p value and mapping only if the packet contains no DSCP value.config switch-controller qos dot1p-map
edit <Dot1p map name>
set description <text>
set priority-0 <queue number>
set priority-1 <queue number>
set priority-2 <queue number>
set priority-3 <queue number>
set priority-4 <queue number>
set priority-5 <queue number>
set priority-6 <queue number>
set priority-7 <queue number>
next
end
- Configure a DSCP map. A DSCP map defines a mapping between IP precedence or DSCP values and the egress queue values. For IP precedence, you have the following choices:
-
network-control
—Network control -
internetwork-control
—Internetwork control -
critic-ecp
—Critic and emergency call processing (ECP) -
flashoverride
—Flash override -
flash
—Flash -
immediate
—Immediate -
priority
—Priority -
routine
—Routine
config switch-controller qos ip-dscp-map
edit <DSCP map name>
set description <text>
configure map <map_name>
edit <entry name>
set cos-queue <COS queue number>
set diffserv {CS0 | CS1 | AF11 | AF12 | AF13 | CS2 | AF21 | AF22 | AF23 | CS3 | AF31 | AF32 | AF33 | CS4 | AF41 | AF42 | AF43 | CS5 | EF | CS6 | CS7}
set ip-precedence {network-control | internetwork-control | critic-ecp | flashoverride | flash | immediate | priority | routine}
set value <DSCP raw value>
next
end
end
-
- Configure the egress QoS policy. In a QoS policy, you set the scheduling mode for the policy and configure one or more CoS queues. Each egress port supports eight queues, and three scheduling modes are available:
- With strict scheduling, the queues are served in descending order (of queue number), so higher number queues receive higher priority.
- In simple round-robin mode, the scheduler visits each backlogged queue, servicing a single packet from each queue before moving on to the next one.
- In weighted round-robin mode, each of the eight egress queues is assigned a weight value ranging from 0 to 63.
config switch-controller qos queue-policy
edit <QoS egress policy name>
set schedule {strict | round-robin | weighted}
config cos-queue
edit queue-<number>
set description <text>
set min-rate <rate in kbps>
set max-rate <rate in kbps>
set drop-policy {taildrop | weighted-random-early-detection}
set ecn {enable | disable}
set weight <weight value>
next
end
next
end
- Configure the overall policy that will be applied to the switch ports.
config switch-controller qos qos-policy
edit <QoS egress policy name>
set default-cos <default CoS value 0-7>
set trust-dot1p-map <Dot1p map name>
set trust-ip-dscp-map <DSCP map name>
set queue-policy <queue policy name>
next
end
- Configure each switch port.
config switch-controller managed-switch
edit <switch-id>
config ports
edit <port>
set qos-policy <CoS policy>
next
end
next
end
- Check the QoS statistics on each switch port.
diagnose switch-controller switch-info qos-stats <FortiSwitch_serial_number> <port_name>
Configuring PTP transparent-clock mode
Use the Precision Time Protocol (PTP) transparent-clock mode to measure the overall path delay for packets in a network to improve the time precision. There are two transparent-clock modes:
- End-to-end measures the path delay for the entire path
- Peer-to-peer measures the path delay between each pair of nodes
Use the following steps to configure PTP transparent-clock mode:
- Configure the global PTP settings.
By default, PTP is disabled. - Enable the PTP policy.
By default, the PTP policy is enabled. - Apply the PTP policy to a port.
NOTE: PTP policies are hidden on virtual ports
To configure the global PTP settings:
config switch-controller ptp settings
set mode {disable | transparent-e2e | transparent-p2p}
end
To enable the PTP policy:
config switch-controller ptp policy
edit {default | <policy_name>}
set status {enable | disable}
next
end
To apply the PTP policy to a port:
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config ports
edit <port_name>
set ptp-policy {default | <policy_name>}
end
end
For example:
config switch-controller ptp settings
set mode transparent-p2p
end
config switch-controller ptp policy
edit ptppolicy1
set status enable
next
end
config switch-controller managed-switch
edit S524DF4K15000024
config ports
edit port5
set ptp-policy ptppolicy1
end
end
Synchronizing the FortiGate unit with the managed FortiSwitch units
You can synchronize the FortiGate unit with the managed FortiSwitch units to check for synchronization errors on each managed FortiSwitch unit.
Use the following command to synchronize the full configuration of a FortiGate unit with a managed FortiSwitch unit:
diagnose switch-controller trigger config-sync <FortiSwitch_serial_number>
Replacing a managed FortiSwitch unit
If a managed FortiSwitch unit fails, you can replace it with another FortiSwitch unit that is managed by the same FortiGate unit. The replacement FortiSwitch unit will inherit the configuration of the FortiSwitch unit that it replaces. The failed FortiSwitch unit is no longer managed by a FortiGate unit or discovered by FortiLink.
NOTE:
- Both FortiSwitch units must be of the same model.
- The replacement FortiSwitch unit must be discovered by FortiLink but not authorized.
- If the replacement FortiSwitch unit is one of an MCLAG pair, you need to manually reconfigure the MCLAG-ICL trunk.
- After replacing the failed FortiSwitch unit, the automatically created trunk name does not change. If you want different trunk name, you need to delete the trunk. The new trunk is created automatically with an updated name. At the end of this section is a detailed procedure for renaming the MCLAG-ICL trunk.
- If the replaced managed FortiSwitch unit is part of an MCLAG, only the ICL should be connected to the new switch to avoid any traffic loops. The other interfaces should be connected only to the switch that is fully managed the FortiGate unit with the correct configuration.
To replace a managed FortiSwitch unit:
- Unplug the failed FortiSwitch unit.
- Plug in the replacement FortiSwitch unit.
- Upgrade the firmware of the replacement FortiSwitch unit to the same version as the firmware on the failed FortiSwitch unit. See View and upgrade the FortiSwitch firmware version.
- Reset the replacement FortiSwitch unit to factory default settings with the
execute factoryreset
command. - Check the serial number of the replacement FortiSwitch unit.
- From the FortiGate unit, go to WiFi & Switch Controller > Managed FortiSwitch.
- Select the faceplate of the failed FortiSwitch unit.
- Select Deauthorize.
- Connect the replacement FortiSwitch unit to the FortiGate unit that was managing the failed FortiSwitch unit.
- If the failed FortiSwitch unit was part of a VDOM, enter the following commands:
config vdom
edit <VDOM_name>
execute replace-device fortiswitch <failed_FortiSwitch_serial_number> <replacement_FortiSwitch_serial_number>
For example:
config vdom
edit vdom_new
execute replace-device fortiswitch S124DN3W16002025 S124DN3W16002026
If the failed FortiSwitch unit was not part of a VDOM, enter the following command:
execute replace-device fortiswitch <failed_FortiSwitch_serial_number> <replacement_FortiSwitch_serial_number>
An error is returned if the replacement FortiSwitch unit is authorized.
To rename the MCLAG-ICL trunk:
Changing the name of the MCLAG-ICL trunk must be done on both the FortiGate unit and the MCLAG-ICL switches. You need a maintenance window for the change.
- Shut down the FortiLink interface on the FortiGate unit.
- On the FortiGate unit, execute the
show system interface
command. For example:FG3K2D3Z17800156 # show system interface root-lag
config system interface
edit "root-lag"
set vdom "root"
set fortilink enable
set ip 10.105.60.254 255.255.255.0
set allowaccess ping capwap
set type aggregate
set member "port45" "port48"
config managed-device
- Write down the member port information. In this example, port45 and port48 are the member ports.
- Shut down the member ports with the
config system interface
,edit <member-port#>
,set status down
, andend
commands. For example:FG3K2D3Z17800156 # config system interface
FG3K2D3Z17800156 (interface) # edit port48
FG3K2D3Z17800156 (port48) # set status down
FG3K2D3Z17800156 (port48) # next // repeat for each member port
FG3K2D3Z17800156 (interface) # edit port45
FG3K2D3Z17800156 (port45) # set status down
FG3K2D3Z17800156 (port45) # end
- Verify that FortiLink is down with the
exec switch-controller get-conn-status
command. For example:FG3K2D3Z17800156 # exec switch-controller get-conn-status
Managed-devices in current vdom root:
STACK-NAME: FortiSwitch-Stack-root-lag
SWITCH-ID VERSION STATUS ADDRESS JOIN-TIME NAME
FS1D483Z17000282 v6.0.0 Authorized/Down 0.0.0.0 N/A icl-sw2
FS1D483Z17000348 v6.0.0 Authorized/Down 0.0.0.0 N/A icl-sw1
- On the FortiGate unit, execute the
- Rename the MCLAG-ICL trunk name on both MCLAG-ICL switches.
- Execute the
show switch trunk
command on both MCLAG-ICL switches. Locate the ICL trunk that includes theset mclag-icl enable
command in its configuration and write down the member ports and configuration information. For example:icl-sw1 # show switch trunk
config switch trunk
...
edit "D483Z17000282-0"
set mode lacp-active
set auto-isl 1
set mclag-icl enable // look for this line
set members "port27" "port28" // note the member ports
next
end
- Note the output of the
show switch interface <MCLAG-ICL-trunk-name>
,diagnose switch mclag icl
, anddiagnose switch trunk summary <MCLAG-ICL-trunk-name>
commands. For example:icl-sw1 # show switch interface D483Z17000282-0
config switch interface
edit "D483Z17000282-0"
set native-vlan 4094
set allowed-vlans 1,100,2001-2060,4093
set dhcp-snooping trusted
set stp-state disabled
set edge-port disabled
set igmps-flood-reports enable
set igmps-flood-traffic enable
set snmp-index 57
next
end
icl-sw1 # diag switch mclag icl
D483Z17000282-0
icl-ports 27-28
egress-block-ports 3-4,7-12,47-48
interface-mac 70:4c:a5:86:6d:e5
lacp-serial-number FS1D483Z17000348
peer-mac 70:4c:a5:49:50:53
peer-serial-number FS1D483Z17000282
Local uptime 0 days 1h:49m:24s
Peer uptime 0 days 1h:49m:17s
MCLAG-STP-mac 70:4c:a5:49:50:52
keepalive interval 1
keepalive timeout 60
Counters
received keepalive packets 4852
transmited keepalive packets 5293
received keepalive drop packets 20
receive keepalive miss 1
icl-sw1 # diagnose switch trunk sum D483Z17000282-0
Trunk Name Mode PSC MAC Status Up Time
________________ _________________________ ___________ _________________ ___________ _________________________________
D483Z17000282-0 lacp-active(auto-isl,mclag-icl) src-dst-ip 70:4C:A5:86:6E:00 up(2/2) 0 days,0 hours,16 mins,4 secs
- Shut down the ICL member ports using the
config switch physical-port
,edit <member port#>
,set status down
,next
, andend
commands. For example:icl-sw1 # config switch physical-port
icl-sw1 (physical-port) # edit port27
icl-sw1 (port27) # set status down
icl-sw1 (port27) # n // repeat for each ICL member port
icl-sw1 (physical-port) # edit port28
icl-sw1 (port28) # set status down
icl-sw1 (port28) # next
icl-sw1 (physical-port) # end
- Delete the original MCLAG-ICL trunk name on the switch using the
config switch trunk
,delete <mclag-icl-trunk-name>
, andend
commands. For example:icl-sw1 # config switch trunk
icl-sw1 (trunk) # delete D483Z17000282-0
- Use the
show switch trunk
command to verify that the trunk is deleted. - Create a new trunk for the MCLAG ICL using the original ICL trunk configuration collected in step 2b and the
set auto-isl 0
command in the configuration. For example:icl-sw1 # config switch trunk
icl-sw1 (trunk) # edit MCLAG-ICL
new entry 'MCLAG-ICL' added
icl-sw1 (MCLAG-ICL) #set mode lacp-active
icl-sw1 (MCLAG-ICL) #set members "port27" "port28"
icl-sw1 (MCLAG-ICL) #set mclag-icl enable
icl-sw1 (MCLAG-ICL) # end
- Use the
show switch trunk
command to check the trunk configuration. - Start the trunk member ports by using the
config switch physical-port
,edit <member port#>
,set status up
,next
, andend
commands. For example:icl-sw1 # config switch physical-port
icl-sw1 (physical-port) # edit port27
icl-sw1 (port27) # set status up
icl-sw1 (port27) # next // repeat for each trunk member port
icl-sw1 (physical-port) # edit port28
icl-sw1 (port28) # set status up
icl-sw1 (port28) # end
NOTE: Follow steps 2a through 2h on both switches.
- Execute the
- Set up the FortiLink interface on the FortiGate unit. Enter the
config system interface
,edit <interface-member-port>
,set status up
,next
, andend
commands. For example:FG3K2D3Z17800156 # config system interface
FG3K2D3Z17800156 (interface) # edit port45
FG3K2D3Z17800156 (port45) # set status up
FG3K2D3Z17800156 (port45) # next // repeat on all member ports
FG3K2D3Z17800156 (interface) # edit port48
FG3K2D3Z17800156 (port48) # set status up
FG3K2D3Z17800156 (port48) # next
FG3K2D3Z17800156 (interface) # end
- Check the configuration and status on both MCLAG-ICL switches
- Enter the
show switch trunk
,diagnose switch mclag icl
, anddiagnose switch trunk summary <new-trunk-name>
commands. For example:icl-sw1 # show switch trunk
config switch trunk
<snip>
edit "MCLAG-ICL"
set mode lacp-active
set mclag-icl enable
set members "port27" "port28"
next
end
icl-sw1 # show switch interface MCLAG-ICL
config switch interface
edit "MCLAG-ICL"
set native-vlan 4094
set allowed-vlans 1,100,2001-2060,4093
set dhcp-snooping trusted
set stp-state disabled
set igmps-flood-reports enable
set igmps-flood-traffic enable
set snmp-index 56
next
end
icl-sw1 # diagnose switch mclag icl
MCLAG-ICL
icl-ports 27-28
egress-block-ports 3-4,7-12,47-48
interface-mac 70:4c:a5:86:6d:e5
lacp-serial-number FS1D483Z17000348
peer-mac 70:4c:a5:49:50:5
peer-serial-number FS1D483Z17000282
Local uptime 0 days 2h:11m:13s
Peer uptime 0 days 2h:11m: 7s
MCLAG-STP-mac 70:4c:a5:49:50:52
keepalive interval 1
keepalive timeout 60
Counters
received keepalive packets 5838
transmited keepalive packets 6279
received keepalive drop packets 27
receive keepalive miss 1
icl-sw1 # diagnose switch trunk summary MCLAG-ICL
Trunk Name Mode PSC MAC Status Up Time
________________ _________________________ ___________ _________________ ___________ _________________________________
MCLAG-ICL lacp-active(auto-isl,mclag-icl) src-dst-ip 70:4C:A5:86:6E:00 up(2/2) 0 days,1 hours,4 mins,57 secs - Compare the command results in step 4a with the command results in step 2b.
- Enter the
FortiSwitch network access control
You can configure a FortiSwitch network access control (NAC) policy within FortiOS that matches devices with the specified criteria, devices belonging to a specified user group, or devices with a specified FortiClient EMS tag. Devices that match are assigned to a specific VLAN or have port-specific settings applied to them.
NOTE: The FortiSwitch NAC settings must be configured before defining a NAC policy. See Configuring the FortiSwitch NAC settings.
Summary of the procedure
- Define a FortiSwitch NAC VLAN. See Defining a FortiSwitch NAC VLAN.
- Configure the FortiSwitch NAC settings. See Configuring the FortiSwitch NAC settings.
- Create a FortiSwitch NAC policy. See Defining a FortiSwitch NAC policy.
- View the devices that match the NAC policy. See Viewing the devices that match the NAC policy.
Defining a FortiSwitch NAC VLAN
When devices are matched by a NAC policy, you can assign those devices to a FortiSwitch NAC VLAN. By default, there are six VLAN templates:
- default—This VLAN is assigned to all switch ports when the FortiSwitch unit is first discovered.
- quarantine—This VLAN contains quarantined traffic.
- rspan—This VLAN contains RSPAN and ERSPAN mirrored traffic.
- voice—This VLAN is dedicated for voice devices.
- video—This VLAN is dedicated for video devices.
- onboarding—This VLAN is for NAC onboarding devices.
You can use the default onboarding VLAN, edit it, or create a new NAC VLAN. If you want to use the default onboarding NAC VLAN, specify it when you configure the FortiSwitch NAC settings. If you want to edit the default onboarding VLAN or create a new NAC VLAN, use the following procedures.
Creating a NAC VLAN
Using the GUI:
- Go to WiFi & Switch Controller > FortiSwitch VLANs, select Create New, and change the following settings:
Interface Name VLAN name VLAN ID Enter a number (1-4094) Color Choose a unique color for each VLAN, for ease of visual display. Role Select LAN, WAN, DMZ, or Undefined. - Enable DHCP for IPv4 or IPv6.
- Set the Admission access options as required.
- Select OK.
Using the CLI:
config system interface
edit <vlan name>
set vlanid <1-4094>
set color <1-32>
set interface <FortiLink-enabled interface>
end
Editing a NAC VLAN
You can edit the default onboarding
NAC VLAN.
Using the GUI:
- Go to WiFi & Switch Controller > FortiSwitch VLANs.
- Select the
onboarding
NAC VLAN. - Select Edit.
- Make your changes.
- Select OK to save your changes.
Using the CLI:
config switch-controller initial-config template
edit onboarding
set vlanid <1-4094>
set allowaccess {ping | https |ssh | snmp | http | telnet | fgfm | radius-acct | probe-response | fabric | ftm}
set auto-ip {enable | disable}
set dhcp-server {enable | disable}
end
Configuring the FortiSwitch NAC settings
NOTE: The FortiSwitch NAC settings must be configured before defining a NAC policy. You can either manually configure the NAC settings or use the NAC wizard. See Using the NAC wizard.
The local mode uses the local port-level settings of managed FortiSwitch units. The global mode applies the NAC to all managed FortiSwitch ports. Be default, the mode is local.
You can set how many minutes that NAC devices are allowed to be inactive. By default, NAC devices can be inactive for 15 minutes. The range of values is 0 to 1 440 minutes. If you set the inactive-timer to 0, there is no limit to how long the NAC devices can be inactive for.
When NAC devices are discovered, they are assigned to the NAC onboarding VLAN. You can specify the default onboarding
VLAN or specify another existing VLAN. By default, there is no NAC onboarding VLAN assigned.
When NAC devices are discovered and match a NAC policy, they are automatically authorized by default.
When NAC mode is configured on a port, the link of a switch port goes down and then up by default, which restarts the DHCP process for that switch.
When a link goes down, the NAC devices are cleared from all switch ports by default.
Configuring NAC on a global level
Using the GUI:
- Go to WiFi & Switch Controller > FortiLink Interface.
- Move the NAC Settings slider to expand the NAC Settings section.
- Select the onboarding VLAN from the Onboarding VLAN drop-down list. The default onboarding VLAN is onboarding.
- Move the Bounce port slider to enable it if you want the link to go down and then up when the NAC mode is configured on the port.
- Select All or Specify to apply NAC policies to all FortiSwitch ports.
- Select Apply to save your changes.
Using the CLI:
config switch-controller nac-settings
edit <name_of_this_NAC_configuration>
set mode global
set inactive-timer <integer>
set onboarding-vlan <string>
set auto-auth {enable | disable}
set bounce-nac-port {enable | disable}
set link-down-flush {enable | disable}
end
Configuring NAC on a local level
Using the GUI:
- Go to WiFi & Switch Controller > FortiLink Interface.
- Move the NAC Settings slider to expand the NAC Settings section.
- Select the onboarding VLAN from the Onboarding VLAN drop-down list. The default onboarding VLAN is onboarding.
- Move the Bounce port slider to enable it if you want the link to go down and then up when the NAC mode is configured on the port.
- Select Specify to apply NAC policies to specific FortiSwitch ports.
- Select one or more FortiSwitch units and specify which FortiSwitch ports to apply the NAC policies to.
- Select Apply to save your changes.
Using the CLI:
config switch-controller nac-settings
edit <name_of_this_NAC_configuration>
set mode local
set inactive-timer <integer>
set onboarding-vlan <string>
set auto-auth {enable | disable}
set bounce-nac-port {enable | disable}
set link-down-flush {enable | disable}
end
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
config ports
edit <port_name>
set access-mode nac
next
end
next
end
Using the GUI:
- Go to WiFi & Switch Controller > FortiSwitch Ports.
- Right-click a port.
- Select Access Mode > NAC.
Using the NAC wizard
The NAC wizard helps with configuring the FortiSwitch NAC settings and defining a FortiSwitch NAC VLAN. If you do not want to manually configure the FortiSwitch NAC settings, use the NAC wizard instead.
NOTE: The FortiSwitch NAC settings must be configured before defining a NAC policy.
- Go to WiFi & Switch Controller > FortiSwitch NAC Policies.
- Select Configure NAC Settings.
- Select the onboarding VLAN from the Onboarding VLAN drop-down list. The default onboarding VLAN is onboarding.
- Move the Bounce port slider to enable it if you want the link to go down and then up when the NAC mode is configured on the port.
- Select All or Specify to apply NAC policies to all FortiSwitch ports or to specific FortiSwitch ports.
- If you selected Specify, select one or more FortiSwitch units and specify which FortiSwitch ports to apply the NAC policies to.
- Select Next.
- Select one of the default NAC VLANs to be the onboarding VLAN, create a new NAC VLAN, or edit one of the default NAC VLANs. The default onboarding VLAN is onboarding. See Defining a FortiSwitch NAC VLAN.
- Select Submit.
Defining a FortiSwitch NAC policy
In the FortiOS GUI, you can create three types of NAC policies:
- Device—The NAC policy matches devices with the specified MAC address, hardware vendor, device family, type, operating system, and user.
- User—The NAC policy matches devices belonging to the specified user group.
- EMS tag—The NAC policy matches devices with the specified FortiClient EMS tag.
Using the CLI, you can specify a port policy and MAC policy to be applied to devices that have been matched by the NAC policy. See Creating a port policy and Creating a MAC policy.
NOTE: The FortiSwitch NAC settings must be configured before defining a FortiSwitch NAC policy. See Configuring the FortiSwitch NAC settings.
Creating a device policy
A device policy matches devices with the specified criteria and then assigns a specific VLAN to those devices or applies port-level settings to those devices. You can specify the MAC address, hardware vendor, device family, type, operating system, and user for the devices to match.
By default, there is a default device policy, Onboarding VLAN
, which uses the default onboarding
NAC VLAN. You can use the default Onboarding VLAN
policy, edit it, or create a new NAC policy.
Using the GUI:
- Go to WiFi & Switch Controller > FortiSwitch NAC Policies.
- Select Create New.
- In the Name field, enter a name for the NAC policy.
- Make certain that the status is set to Enabled.
- Select which FortiSwitch units to apply the NAC policy to or select All.
- Select Device for the category.
- If you want the device to match a MAC address, move the MAC Address slider and enter the MAC address to match.
- If you want the device to match a hardware vendor, move the Hardware Vendor slider and enter the name of the hardware vendor to match.
- If you want the device to match a device family, move the Device Family slider and enter the name of the device family to match.
- If you want the device to match a device type, move the Type slider and enter the device type to match.
- If you want the device to match an operating system, move the Operating System slider and enter the operating system to match.
- If you want the device to match a user, move the User slider and enter the user name to match.
- If you want to assign a specific VLAN to the device that matches the specified criteria, select Assign VLAN and enter the VLAN identifier.
- If you want to assign port-level settings to the device that matches the specified criteria select Apply Port Specific Settings. You can specify the LLDP profile, QoS profile, 802.1x policy, and VLAN policy.
- Select OK to create the new NAC policy.
Using the CLI:
config user nac-policy
edit <policy_name>
set description <description_of_policy>
set category device
set status enable
set mac <MAC_address>
set hw-vendor <hardware_vendor>
set type <device_type>
set family <device_family>
set os <operating_system>
set hw-version <hardware_version>
set sw-version <software_version>
set host <host_name>
set user <user_name>.
set src <source>
set switch-fortilink <FortiLink_interface>
set switch-scope <list_of_managed_FortiSwitch_serial_numbers>
set switch-auto-auth {enable | disable}
set switch-port-policy <switch_port_policy>
set switch-mac-policy <switch_mac_policy>
end
Creating a user policy
A user policy matches devices that are assigned to the specified user group and then assigns a specific VLAN to those devices or applies port-level settings to those devices.
Using the GUI:
- Go to WiFi & Switch Controller > FortiSwitch NAC Policies.
- Select Create New.
- In the Name field, enter a name for the NAC policy.
- Make certain that the status is set to Enabled.
- Select which FortiSwitch units to apply the NAC policy to or select All.
- Select User for the category.
- Select which user group that devices must belong to.
- If you want to assign a specific VLAN to a device assigned to the specified user group, select Assign VLAN and enter the VLAN identifier.
- If you want to assign port-level settings for devices assigned to the specific user group, select Apply Port Specific Settings. You can specify the LLDP profile, QoS profile, 802.1x policy, and VLAN policy.
- Select OK to create the new NAC policy.
Using the CLI:
config user nac-policy
edit <policy_name>
set description <description_of_policy>
set category user
set status enable
set user-group <name_of_user_group>
set switch-fortilink <FortiLink_interface>
set switch-scope <list_of_managed_FortiSwitch_serial_numbers>
set switch-auto-auth {enable | disable}
set switch-port-policy <switch_port_policy>
set switch-mac-policy <switch_mac_policy>
end
Creating an EMS-tag policy
An EMS-tag policy matches devices with a specified MAC address and then assigns a specific VLAN to those devices or applies port-level settings to those devices. The MAC address is derived from an Endpoint Management Server (EMS) tag created in FortiClient.
NOTE: The FortiClient EMS server must be 6.4.1 build 1442 or higher. FortiOS must be 6.4.2 build 1709 or higher.
Before creating an EMS-tag policy on a managed FortiSwitch unit:
- In FortiClient, group FortiClient Fabric Agent endpoints with an EMS tag.
- In FortiClient, share these endpoint groups with a FortiGate unit over the EMS connector.
- In FortiOS, add an on-premise FortiClient EMS server to the Security Fabric:
config endpoint-control fctems
edit <ems_name>
set server <ip_address>
set certificate <string>
next
end
For example:
config endpoint-control fctems
edit EMS_Server
set server 1.2.3.4
set certificate REMOTE_Cert_1
next
end
- In FortiOS, verify the EMS certificate. For example:
execute fctems verify EMS_Server
- In FortiOS, check that the FortiGate unit and FortiClient are connected:
diagnose user device get <FortiClient_MAC_address>
- In FortiOS, verify which MAC addresses the dynamic firewall address resolves to:
diagnose firewall dynamic list
Using the GUI to create an EMS-tag policy:
- Go to WiFi & Switch Controller > FortiSwitch NAC Policies.
- Select Create New.
- In the Name field, enter a name for the NAC policy.
- Make certain that the status is set to Enabled.
- Select which FortiSwitch units to apply the NAC policy to or select All.
- Select EMS Tag for the category.
- Select which FortiClient EMS tag that devices must be assigned.
- If you want to assign a specific VLAN to a device assigned to the specified user group, select Assign VLAN and enter the VLAN identifier.
- If you want to assign port-level settings for devices assigned to the specific user group, select Apply Port Specific Settings. You can specify the LLDP profile, QoS profile, 802.1x policy, and VLAN policy.
- Select OK to create the new NAC policy.
Using the CLI to create an EMS-tag policy:
config user nac-policy
edit <policy_name>
set description <description_of_policy>
set category ems-tag
set ems-tag <string>
set status enable
set switch-fortilink <FortiLink_interface>
set switch-scope <list_of_managed_FortiSwitch_serial_numbers>
set switch-auto-auth {enable | disable}
set switch-port-policy <switch_port_policy>
set switch-mac-policy <switch_mac_policy>
next
end
For example:
config user nac-policy
edit nac_policy_1
set category ems-tag
set ems-tag MAC_FCTEMS0000108427_Low
set switch-fortilink fortilink1
set switch-port-policy port_policy_1
next
end
Creating a port policy
You can apply a port policy to the devices that were matched by the NAC policy. In the port policy, you can specify which LLDP profile, QoS policy, 802.1x policy, and VLAN policy are used on the ports.
config switch-controller port-policy
edit <port_policy_name>
set description <policy_description>
set fortilink <FortiLink_interface>
set lldp-profile <LLDP_profile>
set qos-policy <QoS_policy>
set 802-1x <802.1x_policy>
set vlan-policy <VLAN_policy>
set bounce-port-link {enable | disable}
next
end
For example:
config switch-controller port-policy
edit port_policy_1
set fortilink fortilink1
set vlan-policy vlan_policy_1
next
end
Creating a VLAN policy
You can specify a VLAN policy to be used in the port policy. In the VLAN policy, you can specify the native VLAN to be applied, the allowed VLANs, and the untagged VLANs. You can enable or disable all defined VLANs and select whether to discard untagged or tagged frames or to not discard any frames.
config switch-controller vlan-policy
edit <VLAN_policy_name>
set description <policy_description>
set fortilink <FortiLink_interface>
set vlan <VLAN_name>
set allowed-vlans <lists_of_VLAN_names>
set untagged-vlans <lists_of_VLAN_names>
set allowed-vlans-all {enable | disable}
set discard-mode {none | all-untagged | all-tagged}
next
end
For example:
config switch-controller vlan-policy
edit vlan_policy_1
set fortilink fortilink1
set vlan default
next
end
Creating a MAC policy
You can apply a MAC policy to the devices that were matched by the NAC policy. You can specify which VLAN is applied, select which traffic policy is used, and enable or disable packet count.
config switch-controller mac-policy
edit <MAC_policy_name>
set description <policy_description>
set fortilink <FortiLink_interface>
set vlan <VLAN_name>
set traffic-policy <traffic_policy_name>
set count {enable | disable}
next
end
Viewing the devices that match the NAC policy
Using the GUI:
- Go to WiFi & Switch Controller > FortiSwitch NAC Policies.
- Select View Matched Devices.
- Select Refresh to update the results.
Using the CLI:
To show known NAC devices with a known location that match a NAC policy:
diagnose switch-controller nac-device known
To show pending NAC devices with an unknown location that match a NAC policy:
diagnose switch-controller nac-device pending
Configuring IoT detection
Starting in FortiOS 6.4, FortiSwitch units can use a new FortiGuard service to identify Internet of things (IoT) devices. FortiOS can use the identified devices for storage and display. You can use the FortiOS CLI to configure the IoT detection.
Each detected MAC address of an IoT device has a confidence level assigned to it. If the confidence level is less than the iot-weight-threshold
value, the MAC address is scanned. The default value is 1. Set the iot-weight-threshold
value to 0 to disable IoT detection.
You can control how often a FortiSwitch unit scans for IoT devices. The range of values is 2 to 4,294,967,295 minutes. The default is a scan interval of 60 minutes. Every MAC address will be scanned for a time interval of 60 minutes followed by 60 minutes when it will not be scanned. The start time of every MAC addressʼs 60-minute scan interval is unique. Set the iot-scan-interval
value to 0 to disable IoT detection.
A MAC address of an IoT device must be detected by the FortiSwitch unit for more than a specified number of minutes before the MAC address is passed along to the FortiGuard service for IoT identification. The default number of minutes is 5. The range of values is 0 to 4,294,967,295 minutes. Set the iot-holdoff
value to 0 to disable this setting.
If a MAC address entryʼs last-seen time is greater than the iot-mac-idle
value, the MAC address entry is not considered for IoT detection. By default, the iot-mac-idle
value is 1,440 minutes. The range of values is 0 to 4,294,967,295 minutes.
config switch-controller system
set iot-weight-threshold <0-4294967295>
set iot-scan-interval <2-4294967295>
set iot-holdoff <0-4294967295>
set iot-mac-idle <0-4294967295>
end
Optimizing the FortiSwitch network
Starting in FortiOS 6.4.2 with FortiSwitchOS 6.4.2, you can check your FortiSwitch network and get recommendations on how to optimize it. If you agree with the configuration recommendations, you can accept them, and they are automatically applied.
NOTE: The Security Rating feature is available only when VDOMs are disabled.
To optimize your FortiSwitch network:
- Go to Security Fabric > Security Rating.
- Select Run Now (under Report Details in the right pane) to generate the Security Rating report.
- Select the Optimization section.
- Under Failed, select + next to each item to see more details in the right pane.
- If you agree with a suggestion in the Recommendations section, select Apply for the change to be made.