Layer-2 interfaces

This chapter covers the following topics:

Switched interfaces

The default configuration is sufficient for regular switch ports. By default, the VLAN is set to 1, STP is enabled, and all other optional capabilities are disabled.

You can configure optional capabilities such as Spanning Tree Protocol, sFlow, 802.1x authentication, and private VLANs. These capabilities are covered in subsequent sections of this document.

Using the GUI:
  1. Go to Switch > Interface > Physical.
  2. Select one or more interfaces to update and select Edit.
    If you selected more than one port, the port names are displayed in the name field, separated by commas.
  3. Enter new values as required for the Native VLAN and Allowed VLANs fields.
  4. Select OK to save your changes.
Using the CLI:

config switch interface
    edit <port>
        set native-vlan <vlan>
        set allowed-vlans <vlan> [<vlan>] [<vlan> - <vlan>]
        set untagged-vlans <vlan> [<vlan>] [<vlan> - <vlan>]
        set stp-state {enabled | disabled}
        set edge-port {enabled | disabled}
    next
end

Viewing interface configuration

Using the GUI:

Go to Switch > Interface > Physical.

Using the CLI:

show switch interface <port>

To display the settings of a single port, use the following commands:

config switch interface
    edit <port>
        get
    next
end

Dynamic MAC address learning

You can enable or disable dynamic MAC address learning on a port. The existing dynamic MAC entries are deleted when you change this setting. If you disable MAC address learning, you can set the behavior for an incoming packet with an unknown MAC address (to drop or forward the packet).

You can limit the number of learned MAC addresses on an interface or VLAN. The limit ranges from 1 to 128. If the learning limit is set to zero (the default), no limit exists. When the limit is exceeded, the FortiSwitch unit adds a warning to the system log.

Configuring dynamic MAC address learning

Use the following CLI commands to configure dynamic MAC address learning:

config switch physical-port
    edit <port>
        set l2-learning {enable | disable}
        set l2-unknown {drop | forward}
    next
end

config switch interface
    edit <port>
        set learning-limit <0-128>
    next
end

config switch vlan
    edit <VLAN_ID>
        set learning {enable | disable}
        set learning-limit <0-128>
    next
end

NOTE: If you enable 802.1x MAC-based authorization on a port, you cannot change the l2-learning setting.

Changing when MAC addresses are deleted

By default, each learned MAC address is deleted after 300 seconds. The value ranges from 10 to 1,000,000 seconds. Set the value to zero so that learned MAC addresses are never deleted.

Use the following command to change this value:

config switch global
    set mac-aging-interval 200
end

Logging dynamic MAC address events

By default, dynamic MAC address events are not logged. When you enable logging for an interface, the following events are logged:

  • When a dynamic MAC address is learned
  • When a dynamic MAC address is moved
  • When a dynamic MAC address is deleted

NOTE: Some dynamic MAC address events might take a long time to be logged. If too many events happen within a short period of time, some events might not be logged.

To enable the logging of dynamic MAC address events:

config switch interface
    edit <interface_name>
        set log-mac-event enable
    next
end

To view the log entries:

execute log display

Using the learning-limit violation log

If you want to see the first MAC address that exceeded a learning limit for an interface or VLAN, you can enable the learning-limit violation log for a FortiSwitch unit. Only one violation is recorded per interface or VLAN.

To enable or disable the learning-limit violation log, use the following commands. By default, the learning-limit violation log is disabled. The most recent violation that occurred on each interface or VLAN is logged. After that, no more violations are logged until the log is reset for the triggered interface or VLAN. Only the most recent 128 violations are displayed in the console.

NOTE: The set log-mac-limit-violations command is only displayed if your FortiSwitch model supports it.

config switch global
    set log-mac-limit-violations {enable | disable}
end

To view the content of the learning-limit violation log, use one of the following commands:

  • get switch mac-limit-violations all—to see the first MAC address that exceeded the learning limit on any interface or VLAN. An asterisk by the interface name indicates that the interface-based learning limit was exceeded. An asterisk by the VLAN identifier indicates the VLAN-based learning limit was exceeded.
  • get switch mac-limit-violations interface <interface_name>—to see the first MAC address that exceeded the learning limit on a specific interface
  • get switch mac-limit-violations vlan <VLAN_ID>—to see the first MAC address that exceeded the learning limit on a specific VLAN. This command is only displayed if your FortiSwitch model supports it.

To reset the learning-limit violation log, use one of the following commands:

  • execute mac-limit-violation reset all—to clear all learning-limit violation logs
  • execute mac-limit-violation reset interface <interface_name>—to clear the learning-limit violation log for a specific interface
  • execute mac-limit-violation reset vlan <VLAN_ID>—to clear the learning-limit violation log for a specific VLAN

To specify how often the learning-limit violation log is reset, use the following commands:

config switch global
    set log-mac-limit-violations enable
    set mac-violation-timer <0-1500>
end

For example:

config switch global
    set log-mac-limit-violations enable
    set mac-violation-timer 60
end

Persistent (sticky) MAC addresses

You can make dynamically learned MAC addresses persistent when the status of a FortiSwitch port changes (goes down or up). By default, MAC addresses are not persistent.

NOTE:

  • You cannot use persistent MAC addresses with 802.1x authentication.
  • If you move a device within your network that has a sticky MAC address entry on the switch, remove the sticky MAC address entry from the interface. If you move the device and do not clear the sticky MAC address from the original port it was learned on, the new port will not learn the MAC address of the device.
Using the GUI:
  1. Go to Switch > MAC Entries.
  2. Select Add MAC Entry to create a new item.
  3. Select an interface and enter a value for MAC Address and VLAN.
  4. Select Sticky.
  5. Select Add to create the MAC entry.

To delete the persistent MAC addresses instead of saving them in the FortiSwitch configuration file:

  1. Go to Switch > Monitor > Forwarding Table.
  2. In the Unsaved sticky MACs on field, select an interface or select All.
  3. Select Delete.
Using the CLI:

Use the following command to configure the persistence of MAC addresses on an interface:

config switch interface
    edit <port>
        set sticky-mac {enable | disable}
    next
end

You can also save persistent MAC addresses to the FortiSwitch configuration file so that they are automatically loaded when the FortiSwitch unit is rebooted. By default, persistent entries are lost when a FortiSwitch unit is rebooted. Use the following command to save persistent MAC addresses for a specific interface or all interfaces:

execute sticky-mac save {all | interface <interface_name>}

Use the following command to delete the persistent MAC addresses instead of saving them in the FortiSwitch configuration file:

execute sticky-mac delete-unsaved {all | interface <interface_name>}

Static MAC addresses

You can configure one or more static MAC addresses on an interface.

Using the GUI:
  1. Go to Switch > MAC Entries.
  2. Select Add MAC Entry to create a new item.
  3. Select an interface and enter a value for MAC Address and VLAN.
  4. Select Add to create the MAC entry.
Using the CLI:

config switch static-mac
    edit <sequence_number>
        set description <optional_string>
        set interface <interface_name>
        set mac <static_MAC_address>
        set type {sticky | static}
        set vlan-id <VLAN_ID>
    next
end

For example:

config switch static-mac
    edit 1
        set description "first static MAC address"
        set interface port10
        set mac d6:dd:25:be:2c:43
        set type static
        set vlan-id 10
    next
end

Loop guard

A loop in a layer-2 network results in broadcast storms that have far-reaching and unwanted effects. Loop guard helps to prevent loops. When loop guard is enabled on a switch port, the port monitors its subtending network for any downstream loops.

The loop guard feature is designed to work in concert with STP rather than as a replacement for STP. Each port that has loop guard enabled periodically broadcasts loop guard data packets (LGDP) to its network. If such a broadcast packet is subsequently received by the sending port, a loop exists downstream.

You can also have the port check for a high rate of MAC address moves per second, which indicates a physical loop only when the rate exceeds the threshold for 6 consecutive seconds.

NOTE: If a port detects a loop, the system takes the port out of service to protect the overall network. The port returns to service after a configured timeout duration. If the timeout value is zero, you must manually reset the port.

By default, loop guard is disabled on all ports. When loop guard is enabled, the default loop-guard-timeout is 45 minutes, and the default loop-guard-mac-move-threshold is 0, which means that the traditional loop guard is used instead of the MAC-move loop guard.

Configuring loop guard

Using the GUI:
  1. Go to Switch > Interface > Physical or Switch > Interface > Trunk.
  2. Select one or more interfaces to update and then select Edit.
    If you selected more than one port, the port names are displayed in the name field, separated by commas.
  3. Select Enable Loop Guard.
  4. Select OK to save your changes.
Using the CLI:

config switch interface
    edit <port>
        set loop-guard {enabled | disabled}
        set loop-guard-timeout <0-120 minutes>
        set loop-guard-mac-move-threshold <0-100 MAC address moves per second>
    next
end

When loop guard takes a port out of service, the system creates the following log message:

Loop Guard: loop detected on <port_name>. Shutting down <port_name>

Use the following command to reset a port that detected a loop:

execute loop-guard reset <port>

Viewing the loop guard configuration

Using the GUI:

Go to Switch > Interface > Physical and check the Loop Guard column.

Using the CLI:

diagnose loop-guard status
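The settings described in the dynamic MAC address learning, sticky MAC and loop guard sections above are all left at their permissive defaults on a fresh port, so it helps to audit them in bulk. The following Python script is an added example, not Fortinet code or output: it parses the `config switch interface` syntax that `show switch interface` prints and flags ports with no learning limit, no sticky MAC, loop guard disabled, or MAC-event logging off. The sample configuration is constructed for the example, and the policy maximum of 8 learned MACs per port is an assumption.

```python
import re

# Constructed sample in the `config switch interface` syntax shown on this
# page; not captured from a real FortiSwitch.
SAMPLE_CONFIG = """\
config switch interface
    edit "port1"
        set native-vlan 10
        set allowed-vlans 10 20
        set learning-limit 2
        set sticky-mac enable
        set loop-guard enabled
        set log-mac-event enable
    next
    edit "port2"
        set native-vlan 1
        set sticky-mac disable
    next
    edit "port10"
        set learning-limit 128
        set loop-guard enabled
    next
end
"""

def parse_switch_interfaces(text):
    """Return {port_name: {setting: value}} from a config switch interface block."""
    ports, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'edit\s+"?([^"\s]+)"?$', line)
        if m:
            current = m.group(1)
            ports[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            ports[current][key] = value
        elif line in ("next", "end"):
            current = None
    return ports

def audit_ports(ports, max_limit=8):
    """Flag settings left at the defaults this page documents: learning-limit 0
    (no limit), sticky-mac disabled, loop guard disabled, MAC events not logged.
    max_limit (assumed policy value) caps how many MACs a port may learn."""
    findings = {}
    for name, cfg in ports.items():
        issues = []
        limit = int(cfg.get("learning-limit", "0"))
        if limit == 0:
            issues.append("learning-limit 0: unlimited MAC learning (default)")
        elif limit > max_limit:
            issues.append(f"learning-limit {limit} exceeds policy max {max_limit}")
        if cfg.get("sticky-mac", "disable") != "enable":
            issues.append("sticky-mac disabled: learned MACs are not persistent")
        if cfg.get("loop-guard", "disabled") != "enabled":
            issues.append("loop-guard disabled")
        if cfg.get("log-mac-event", "disable") != "enable":
            issues.append("log-mac-event disabled: learn/move/delete not logged")
        if issues:
            findings[name] = issues
    return findings

if __name__ == "__main__":
    for port, issues in audit_ports(parse_switch_interfaces(SAMPLE_CONFIG)).items():
        print(f"{port}: " + "; ".join(issues))
```

Paste the output of `show switch interface` into SAMPLE_CONFIG (or read it from a file) to audit a real unit; ports that pass every check are simply absent from the result.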
