Fortinet Document Library

Introduction

This guide provides information about configuring a FortiSwitch unit in standalone mode. In standalone mode, you manage the FortiSwitch unit by connecting directly to the unit, either using the web-based manager (also known as the GUI) or the CLI.

If you will be managing your FortiSwitch unit using a FortiGate unit, refer to the following guide: FortiSwitch Managed by FortiOS 6.4.

This chapter covers the following topics:

Supported models

This guide is for all FortiSwitch models that are supported by FortiSwitchOS, which includes all of the D-series, E-series, and F-series models.

What's new in FortiSwitchOS 6.4.3

Release 6.4.3 provides the following new features:

  • You can now view the details of bidirectional forwarding detection (BFD) neighbors by going to Router > Monitor > BFD Neighbor.
  • You can now view the flow-export data by going to System > Flow Export > Monitor.
  • All log entries can now be viewed from the Log > Entries page; they can be filtered by subtype, level, user, user interface, action, and status. A new Delete All button allows you to delete all log entries.
  • Packet capture is now supported in the GUI, as well as the CLI and REST API.
  • You can now view or clear all access control list (ACL) counters by going to Switch > Monitor > ACL Counters.
  • You can now check the VRRP status by going to Router > Monitor > VRRP.
  • You can now configure the IGMP-snooping querier version 2 or 3. When the IGMP querier version 2 is configured, the FortiSwitch unit will send IGMP queries version 2 when no external querier is present. When the IGMP querier version 3 is configured, the FortiSwitch unit will send IGMP queries version 3 when no external querier is present.
  • More services are available when configuring the classifier in the GUI for the egress and prelookup policies.
  • Media Access Control security (MACsec) is now supported.
  • You can now use the diagnose switch physical-ports qos-rates list [<list_of_ports>] command to view the real-time egress QoS queue rates, including the data rate, line rate, and drop rate.
  • When a neighboring router has a graceful restart, the FortiSwitch unit now enters the helper (neighbor) mode and keeps the restarting router in the forwarding path for OSPF routing.
  • OSPF database overflow protection is now supported.
  • IPv6 support has been expanded. You can now use IPv6 addresses with BGP routing, IS-IS routing, and RIP routing. Multicast Listener Discovery (MLD) snooping, MLD proxy, and MLD querier are now supported for IPv6 multicast traffic.
  • IPv4 and IPv6 static routes now support virtual routing and forwarding (VRF).
  • You can now view events that violate the IP source-guard settings with the IP source-guard violation log.
  • You can now specify system banner messages in the CLI that will appear when users log in using either the CLI or the GUI.
  • You can now configure the maximum burst size allowed by storm control per port or per switch.
  • You can use the new diagnose certificate {all | ca | local | remote} commands to verify your system certificates.

The following REST API changes were made in this release:

  • You can now use the current release version in the FortiSwitch REST API requests (https://<switch_IP_address>/api/v<x.x.x>/) to get the latest (v6.4.3) schema content in the response. You can still use FortiSwitch REST API requests with https://<switch_IP_address>/api/v2/ to get the older v2 schema in the response.
  • The monitor/switch/log endpoint is now monitor/system/log.
  • The new cmdb/router/ripng endpoint supports RIP routing for IPv6 traffic.
  • The new cmdb/switch.mld-snooping/globals endpoint supports MLD snooping.
  • The cmdb/router/route-map endpoint now supports RIP routing for IPv6 traffic and IS-IS routing for IPv6 traffic.
  • The cmdb/router/isis endpoint now supports IS-IS routing for IPv6 traffic.
  • The cmdb/router/bgp endpoint now supports BGP routing for IPv6 traffic.
  • The cmdb/system/global endpoint now supports specifying system banner messages that will appear when users log in using either the CLI or the GUI.
  • The cmdb/switch/physical-port endpoint and the cmdb/switch/storm-control endpoint now support configuring the maximum burst size allowed by storm control.

The following CLI changes were made in this release:

  • Under the config router ospf command, the set default-information-route-map command has been removed.
  • Under the config router isis command, the set default-information-route-map command has been removed.
  • Under the config switch vlan command, set igmp-fast-leave is now set igmp-snooping-fast-leave.
  • Under the config switch vlan command, set igmp-proxy is now set igmp-snooping-proxy.
  • Under the config switch vlan command, set querier-addr is now set igmp-snooping-querier-addr.
  • Under the config switch vlan command, config igmp-static-group is now config igmp-snooping-static-group.
  • Under the config switch interface command, set igmps-flood-reports is now set igmp-snooping-flood-reports.
  • Under the config switch interface command, set igmps-flood-traffic is now set mcast-snooping-flood-traffic.
  • The set flood-unknown-multicast command moved from under config switch igmp-snooping globals to under config switch global.
  • The get switch igmp-snooping interface command was replaced with get switch igmp-snooping status.
  • The diagnose debug application igmp_snooping command is now diagnose debug application mcast-snooping.
  • Under the config router bgp command, set aspath-filter-list-in is now set filter-list-in.
  • Under the config router bgp command, set aspath-filter-list-out is now set filter-list-out.
  • Under the config router bgp command, log-neighbor-changes is now set neighbour-changes.
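
The CLI changes above matter most when an older configuration backup is restored or replayed on 6.4.3. The following added example (not Fortinet code) scans a backup for the renamed, moved, and removed commands from that list; `lint_config`, `RULES`, and `SAMPLE_CONFIG` are hypothetical names, and the config/edit/set/next/end backup layout is an assumption.

```python
# Added example (not Fortinet code): flag lines in a FortiSwitchOS config backup
# that the 6.4.3 CLI change list renames, moves, or removes.

# (outermost config block, old command) -> (action, 6.4.3 form or None),
# transcribed from the list above. get/diagnose changes are omitted (they are
# not stored in a config), as is log-neighbor-changes (no full old form given).
RULES = {
    ("router ospf", "set default-information-route-map"): ("removed", None),
    ("router isis", "set default-information-route-map"): ("removed", None),
    ("switch vlan", "set igmp-fast-leave"): ("renamed to", "set igmp-snooping-fast-leave"),
    ("switch vlan", "set igmp-proxy"): ("renamed to", "set igmp-snooping-proxy"),
    ("switch vlan", "set querier-addr"): ("renamed to", "set igmp-snooping-querier-addr"),
    ("switch vlan", "config igmp-static-group"): ("renamed to", "config igmp-snooping-static-group"),
    ("switch interface", "set igmps-flood-reports"): ("renamed to", "set igmp-snooping-flood-reports"),
    ("switch interface", "set igmps-flood-traffic"): ("renamed to", "set mcast-snooping-flood-traffic"),
    ("switch igmp-snooping globals", "set flood-unknown-multicast"): ("moved to", "config switch global"),
    ("router bgp", "set aspath-filter-list-in"): ("renamed to", "set filter-list-in"),
    ("router bgp", "set aspath-filter-list-out"): ("renamed to", "set filter-list-out"),
}

# Constructed sample in the assumed config/edit/set/next/end backup layout.
SAMPLE_CONFIG = """\
config switch igmp-snooping globals
    set flood-unknown-multicast enable
end
config switch vlan
    edit 10
        set igmp-fast-leave enable
        config igmp-static-group
        end
    next
end
config router ospf
    set default-information-route-map "rm1"
end
config router bgp
    config neighbor
        edit "10.0.0.2"
            set aspath-filter-list-in "as-in"
        next
    end
end
"""

def lint_config(text):
    """Return (line_no, block, old_cmd, action, new_form) per affected line."""
    findings, stack = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        words = raw.split()
        if not words:
            continue
        if words[0] == "end":            # closes the innermost config block
            if stack:
                stack.pop()
            continue
        block = stack[0] if stack else None  # rules key on the outermost block
        cmd = " ".join(words[:2])
        if (block, cmd) in RULES:
            action, new = RULES[(block, cmd)]
            findings.append((line_no, block, cmd, action, new))
        if words[0] == "config":         # opens a (possibly nested) block
            stack.append(" ".join(words[1:]))
    return findings

if __name__ == "__main__":
    for n, block, old, action, new in lint_config(SAMPLE_CONFIG):
        print(f"line {n}: [config {block}] {old}: {action} {new or ''}".rstrip())
```

Because the rules are keyed on the enclosing block, the same `set` keyword in an unrelated block is not reported.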

Refer to Feature matrix: FortiSwitchOS 6.4.3 for details about the features supported on each FortiSwitch model.

Feature matrix: FortiSwitchOS 6.4.3

The following table lists the FortiSwitch features in release 6.4.3 that are supported on each series of FortiSwitch models. All features are available in release 6.4.3, unless otherwise stated.

Feature | GUI supported | 112D-POE | FSR-124D | 1xxE, 1xxF | 4xxE | 200 Series, 400 Series | 500 Series | 1024D, 1048D, 1048E | 3032D, 3032E

Management and Configuration

CPLD software upgrade support for OS

1024D, 1048D

Firmware image rotation (dual-firmware image support)

148E, 148E-POE

HTTP REST APIs for configuration and monitoring

Support for switch SNMP OID

IP conflict detection and notification

FortiSwitch Cloud configuration

Auto topology

Security and Visibility

802.1x port mode

802.1x MAC-based security mode

User-based (802.1x) VLAN assignment

802.1x enhancements, including MAB

MAB reauthentication disabled

open-auth mode

Support of the RADIUS accounting server

Partial

Support of RADIUS CoA and disconnect messages

EAP Pass-Through

Network device detection

IP-MAC binding (IPv4)

sFlow (IPv4)

Flow export (IPv4)

ACL (IPv4)

Multistage ACL (IPv4)

Multiple ingress ACLs (IPv4)

Schedule for ACLs (IPv4)

DHCP snooping

DHCPv6 snooping

Allowed DHCP server list

IP source guard (IPv4)

IP source-guard violation log

Dynamic ARP inspection (IPv4)

ARP timeout value

Access VLANs (See Note 9.)

RMON group 1

Reliable syslog

Packet capture

MACsec (See Note 7.)

Layer 2

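Link aggregation group size (maximum number of ports) (See Note 2.): 112D-POE: 8; FSR-124D: 8; 1xxE, 1xxF: 8; 4xxE: 8; 200 Series, 400 Series: 8; 500 Series: 24/48; 1024D, 1048D, 1048E: 24/48; 3032D, 3032E: 24, 64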

LAG min-max-bundle

IPv6 RA guard

IGMP snooping

IGMP proxy

IGMP querier

MLD snooping

MLD proxy

MLD querier

LLDP-MED

LLDP-MED: ELIN support

Per-port max for learned MACs

MAC learning limit (See Note 4.)

Learning limit violation log (See Note 4.)

set mac-violation-timer

Sticky MAC

Total MAC entries

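MSTP instances: 112D-POE: 0-15; FSR-124D: 0-15; 1xxE, 1xxF: 0-15; 4xxE: 0-15; 200 Series, 400 Series: 0-15; 500 Series: 0-32; 1024D, 1048D, 1048E: 0-32; 3032D, 3032E: 0-32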

STP root guard

STP BPDU guard

Rapid PVST interoperation

'forced-untagged' or 'force-tagged' setting on switch interfaces

Private VLANs

Multi-stage load balancing

Priority-based flow control

Ingress pause metering

3032D

Storm control

Per-port storm control

Global burst-size control

MAC/IP/protocol-based VLAN assignment

Virtual wire

Loop guard

Percentage rate control

VLAN stacking (QinQ)

VLAN mapping

SPAN

RSPAN and ERSPAN (IPv4)

RSPAN

Flow control

Layer 3

Link monitor (IPv4)

Static routing (IPv4/IPv6) (See Note 8.)

Hardware routing offload (IPv4/IPv6)

Software routing only (IPv4/IPv6)

OSPF (IPv4/IPv6) (See Note 3.)

OSPF database overflow protection (IPv4)

OSPF graceful restart (helper mode only) (IPv4)

RIP (IPv4/IPv6) (See Note 3.)

VRRP (IPv4/IPv6) (See Note 3.)

BGP (IPv4/IPv6) (See Note 3.)

IS-IS (IPv4/IPv6) (See Note 3.)

PIM (IPv4) (See Note 3.)

Hardware-based ECMP (IPv4)

VRF (IPv4/IPv6)

Static BFD (IPv4/IPv6)

BFD for BGPv6

BFD for RIPng

uRPF

DHCP relay (IPv4)

DHCP server (IPv4)

4xx only

High Availability

MCLAG (multichassis link aggregation)

Partial

STP supported in MCLAGs

IGMP snooping in MCLAG

Quality of Service

802.1p support, including priority queuing trunk and WRED

QoS queue counters

QoS marking (IPv4/IPv6)

Summary of configured queue mappings

Egress priority tagging (IPv4/IPv6)

ECN (IPv4/IPv6)

Real-time egress queue rates

Miscellaneous

PoE-pre-standard detection (See Note 1.)

FS-1xxE POE

PoE modes support: first come, first served or priority based (PoE models)

FS-1xxE POE

Control of temperature alerts

Split port (See Note 6.)

Partial

1048E

TDR (time-domain reflectometer)/cable diagnostics support

Auto module max speed detection and notification

Monitor system temperature (threshold configuration and SNMP trap support)

FS-124E-POE, FS-124E-FPOE, FS-148E, FS-148E-POE

Cut-through switching

Add CLI to show the details of port statistics

Configuration of the QSFP low-power mode

1048D, 1048E

Energy-efficient Ethernet

PHY Forward Error Correction (see Note 5)

1048E

3032E

PTP transparent clock (IPv4/IPv6)

1048E

Notes
  1. PoE features are applicable only to the model numbers with a POE or FPOE suffix.
  2. 24-port LAG is applicable to 524D, 524-FPOE, 1024D, and 3032D models. 48-port LAG is applicable to 548D, 548-FPOE, and 1048D models.
  3. To use the dynamic layer-3 protocols, you must have an advanced features license.
  4. The per-VLAN MAC learning limit and per-trunk MAC learning limit are not supported on the 448D/448D-POE/448D-FPOE/248E-POE/248E-FPOE/248D series.
  5. Supported only in 100G mode (clause 91).
  6. On the 3032E, you can split one port at the full base speed, split one port into four sub-ports of 25 Gbps each (100G QSFP only), or split one port into four sub-ports of 10 Gbps each (40G or 100G QSFP).
  7. Supported on 5xxD 10G ports.
  8. For 1xxE/1xxF models, hardware static routing is not supported. Software static routing is supported instead, with a rate limit for routed packets.
  9. The maximum number of access VLANs on the FS-1xxE models is 16; the maximum number of access VLANs on the FS-148F models is 32.

Before you begin

This guide assumes that, before you start administering your FortiSwitch unit, you have completed the initial configuration of the FortiSwitch unit, as outlined in the QuickStart Guide for your FortiSwitch model, and that you have administrative access to the FortiSwitch unit's GUI and CLI.

How this guide is organized

This guide is organized into the following chapters:
