Home

FortiSwitch Port Configuration: A CLI Mastery Guide for Network Professionals

.

In today's complex network environments, the ability to efficiently configure and manage switch ports is a fundamental skill for network administrators. While graphical interfaces provide accessibility, the Command Line Interface (CLI) offers unparalleled precision, automation capabilities, and troubleshooting access that professionals rely on for critical network operations. FortiSwitch, integrated within Fortinet Security Fabric, provides extensive CLI capabilities that enable granular control over port behavior, VLAN configuration, and security policies.

This comprehensive guide distills essential information from official Fortinet documentation and real-world community expertise to create a definitive resource for FortiSwitch port configuration via CLI. Whether you're configuring individual ports, implementing VLAN architectures, or establishing FortiLink connections, mastering these CLI commands will significantly enhance your network management efficiency and precision.

Understanding FortiSwitch Port Fundamentals

Basic Physical Port Configuration

The foundation of FortiSwitch management begins with configuring physical port parameters. According to Fortinet's administration guide for version 7.2.10, the CLI structure for basic port configuration follows this pattern:

config switch physical-port   edit <port_name>     set status {up | down}     set description <string>     set max-frame-size <bytes_int>   end end

These commands control essential port characteristics:

  • Administrative Status: Determines whether the port is enabled (up) or disabled (down)
  • Description: A text field for documenting port purpose, location, or connected device
  • Maximum Frame Size: Controls the maximum transmission unit (MTU) for the port, ranging from 68 to 9,216 bytes

Important Note: For eight models in the FS-1xxE series, the max-frame-size command resides under config switch global rather than within individual port configurations.

Bulk Port Configuration Techniques

A common challenge highlighted in community discussions is efficiently configuring multiple ports simultaneously. Unlike some competing platforms, FortiSwitch doesn't natively support port range syntax in all configuration contexts. However, administrators can implement workarounds using FortiGate's managed switch configuration when FortiSwitches are controlled through FortiLink.

When managing FortiSwitches through FortiGate, you can configure multiple ports using structured loops within the FortiGate CLI:

config switch-controller managed-switch   edit <switch_id>     config ports       edit "port1"         set vlan <vlan_name>         set allowed-vlans <vlan_list>       next       edit "port2"         set vlan <vlan_name>         set allowed-vlans <vlan_list>       next     end   end end

For standalone FortiSwitch units, configuration typically proceeds port-by-port, though scripting tools can help automate repetitive tasks across multiple ports.

VLAN Configuration and Port Modes

Creating and Assigning VLANs

Virtual Local Area Networks (VLANs) form the logical backbone of modern network segmentation. FortiSwitch supports up to 1,023 user-defined VLANs with IDs ranging from 1 to 4095. The CLI workflow for VLAN creation and port assignment involves several steps:

1. Create the VLAN interface:

config system interface   edit <vlan_name>     set vlanid <1-4094>     set interface <FortiLink-enabled_interface>     set ip <IP_address> <network_mask>   end end

2. Configure DHCP services (if required):

config system dhcp server   edit 1     set interface <vlan_name>     config ip-range       set start-ip <IP_address>       set end-ip <IP_address>     end     set netmask <network_mask>   end end

3. Assign ports to the VLAN:

config switch-controller managed-switch   edit <switch_id>     config ports       edit <port_name>         set vlan <vlan_name>         set allowed-vlans <vlan_name>         # Or use: set allowed-vlans-all enable       next     end   end end

Access, Trunk, and Hybrid Port Modes

FortiSwitch ports operate in different modes that determine how they handle VLAN traffic:

  • Access Ports: Carry traffic for a single VLAN (typically untagged)
  • Trunk Ports: Carry traffic for multiple VLANs (typically tagged)
  • Hybrid Ports: Support both tagged and untagged traffic on the same port

To configure a port as a trunk with specific VLANs allowed:

config switch-controller managed-switch   edit <switch_id>     config ports       edit <port_name>         set native-vlan <vlan_name>         set allowed-vlans <vlan_list>         set type trunk       next     end   end end

For hybrid port configuration where some VLANs are tagged and others untagged:

config switch-controller managed-switch   edit <switch_id>     config ports       edit <port_name>         set native-vlan <vlan_name>         set allowed-vlans <vlan_list>         set untagged-vlans <vlan_name>       next     end   end end

FortiLink represents the management connection between FortiGate and FortiSwitch devices, enabling centralized control and security policy enforcement. The CLI configuration process varies depending on whether you're using physical ports or logical interfaces.

Physical Port FortiLink Configuration:

config system interface   edit port1     set auto-auth-extension-device enable     set fortilink enable   end end  config system ntp   set server-mode enable   set interface port1 end  config switch-controller managed-switch   edit FS224D3W14000370     set fsw-wan1-admin enable   end end

Logical Interface (LAG) FortiLink Configuration:

config system interface   edit flink1     set ip 169.254.3.1 255.255.255.0     set allowaccess ping capwap https     set vlanforward enable     set type aggregate     set member port4 port5     set lacp-mode static     set fortilink enable   next end

Important Considerations: When configuring FortiLink, note that the FortiSwitch unit will reboot after issuing the set fsw-wan1-admin enable command. Additionally, if aggregate interface members connect to more than one FortiSwitch, you must enable fortilink-split-interface.

For distributed network architectures, FortiSwitch supports management over Layer 3 networks. This configuration requires specific preparation:

# Reset to factory defaults execute factoryreset  # Set FortiLink mode config system global   set switch-mgmt-mode fortilink end  # Configure discovery (DHCP or static) config switch-controller global   set ac-discovery-type dhcp   set dhcp-option-code 138 end  # Enable Layer 3 mode on uplink port config switch interface   edit <port_number>     set fortilink-l3-mode enable   end end

Critical Layer 3 Limitations:

  • All FortiSwitch units must be preconfigured in the FortiGate switch table
  • No Layer 2 data path components (VLANs) can span the Layer 3 boundary
  • All switches within an island must connect to the same FortiGate unit
  • When using the management port for Layer 3 connections, the island can contain only one FortiSwitch unit

Advanced Port Features and Optimization

MAC Address Management and Security

FortiSwitch provides several mechanisms for controlling MAC address behavior and implementing security policies:

MAC Address Aging Configuration:

config switch-controller global   set mac-aging-interval <10_to_1000000> end

This setting controls how long inactive MAC addresses remain in the switching table (default: 300 seconds).

Quarantine Configuration for Security Isolation:

config user quarantine   set quarantine enable   config targets     edit 00:00:00:aa:bb:cc       set description "infected by virus"       set tags "quarantined"     next   end end

When enabled, this feature creates a quarantine VLAN (qtn.<FortiLink_port_name>) with IP address 10.254.254.254, isolating specified MAC addresses from the production network.

Spanning Tree Protocol (STP) Configuration

While STP isn't supported between FortiGate and FortiSwitch units in FortiLink mode, it remains essential for preventing loops in extended switching environments:

config switch-controller stp-settings   set name <name>   set revision <stp_revision>   set hello-time <hello_time>   set forward-time <forwarding_delay>   set max-age <maximum_aging_time>   set max-hops <maximum_number_of_hops> end

For switch-specific STP settings overriding global configurations:

config switch-controller managed-switch   edit <switch-id>     config stp-settings       set local-override enable       # Additional switch-specific STP parameters     end   end end

LLDP and Network Discovery Protocols

Link Layer Discovery Protocol (LLDP) facilitates automatic neighbor discovery and topology mapping:

config switch-controller lldp-settings   set status enable   set tx-hold <int>   set tx-interval <int>   set fast-start-interval <int>   set management-interface {internal | management} end

To add asset identification to LLDP advertisements:

config switch-controller managed-switch   edit <fsw>     set switch-device-tag <string>   end end

Integration with FortiManager

For organizations managing multiple Fortinet devices, FortiManager provides centralized configuration management. While specific FortiManager port configuration details weren't covered in the provided sources, the general workflow involves:

  1. Adding FortiGate devices to FortiManager
  2. Using the FortiManager CLI or GUI to push switch configurations to managed fortigate
  3. Leveraging policy packages and installation targets for consistent deployment

When working with FortiManager, ensure that your FortiSwitch CLI configurations are compatible with the FortiManager's supported feature set for your specific FortiOS version.

Monitoring and Troubleshooting

Essential Diagnostic Commands

Effective port management requires robust monitoring and diagnostic capabilities:

View Port Statistics and Status:

diagnose switch-controller switch-info physical-ports <switch_name> get hardware nic port8

Check VLAN Configuration and Membership:

diagnose switch-controller vlan show show system interface <vlan_name>

Monitor LLDP Neighbor Information:

diagnose switch-controller dump lldp neighbors-summary <switch> diagnose switch-controller dump lldp neighbors-detail <switch>

Verify FortiLink Status and Connections:

diagnose switch-controller switch-list diagnose switch-controller switch-link-monitor

Common Configuration Issues and Solutions

Based on community discussions and documentation, several recurring challenges emerge:

  1. Ports not coming online: Verify administrative status (set status up), check physical connections, and confirm no conflicting security policies are blocking traffic.

  2. VLAN traffic not passing: Ensure VLANs are correctly assigned to ports, verify trunk configurations, and check that inter-VLAN routing is configured if needed.

  3. FortiLink connection failures: Confirm NTP synchronization, verify Layer 2 connectivity, and check that the FortiSwitch is authorized in the managed switch configuration.

  4. Performance issues: Review MTU settings, check for broadcast storms, and verify that spanning tree is properly configured in complex topologies.

Best Practices for FortiSwitch Port Configuration

  1. Consistent Naming Conventions: Use descriptive port names and VLAN identifiers that follow organizational standards.

  2. Comprehensive Documentation: Maintain detailed records of port assignments, VLAN purposes, and special configurations.

  3. Change Management Procedures: Implement formal processes for port configuration changes, especially in production environments.

  4. Regular Configuration Backups: Schedule automated backups of switch configurations to facilitate recovery and historical tracking.

  5. Performance Baseline Establishment: Document normal performance metrics to facilitate anomaly detection and capacity planning.

  6. Security-First Configuration: Begin with most restrictive port configurations and enable features only as required by specific use cases.

Conclusion

Mastering FortiSwitch port configuration through the CLI empowers network administrators with precise control, automation capabilities, and deep troubleshooting access. By understanding the fundamental commands for physical port configuration, VLAN management, FortiLink establishment, and advanced feature implementation, professionals can build robust, secure, and efficient network infrastructures that leverage the full potential of Fortinet's Security Fabric.

As network complexity continues to grow, the skills to efficiently manage switch ports via CLI remain indispensable. Regular practice, continuous learning from community resources, and thorough testing in lab environments will ensure successful implementation and maintenance of FortiSwitch deployments in any organizational context.

Frequently Asked Questions

How do I configure a range of ports simultaneously on FortiSwitch?

While FortiSwitch CLI doesn't natively support Cisco-style port range syntax (like "interface range gigabitEthernet 1/0/1-10"), you can configure multiple ports efficiently when managing through FortiGate. Use the structured configuration approach within config switch-controller managed-switch, manually listing each port or employing external scripting tools to generate configuration blocks for port ranges. Some administrators create template configurations or use automation tools like Ansible to apply consistent settings across multiple ports.

What's the difference between native VLAN and allowed VLANs on a FortiSwitch port?

The native VLAN (configured with set native-vlan) carries untagged traffic on a trunk port and represents the default VLAN association for the port. Allowed VLANs (configured with set allowed-vlans) determine which VLANs can traverse the port. For access ports, typically only one VLAN is both native and allowed. For trunk ports, the native VLAN handles untagged traffic while multiple additional VLANs can be specified in the allowed list for tagged traffic.

Can I manage FortiSwitch ports directly when they're connected via FortiLink?

When FortiSwitches are connected via FortiLink to a FortiGate, primary management occurs through the FortiGate interface rather than directly on the switch. The FortiGate acts as a switch controller, centralizing configuration and policy management. You can configure ports using the FortiGate CLI under config switch-controller managed-switch sections. Direct access to the FortiSwitch CLI is possible but changes made directly might be overwritten by FortiGate-managed configurations during synchronization.

How do I configure a port for both voice and data VLANs (common in VoIP deployments)?

For VoIP deployments where phones connect devices to the network, configure hybrid ports with:

  • Native VLAN set to the voice VLAN for phone traffic
  • Allowed VLANs including both voice and data VLANs
  • Data VLAN configured as tagged (not in untagged-vlans list) This allows phones to receive untagged voice traffic while tagging data traffic from connected computers.

What should I check if a FortiLink connection isn't establishing properly?

Troubleshoot FortiLink connections by: 1) Verifying physical connectivity and port status, 2) Confirming NTP synchronization between devices, 3) Checking that FortiLink is enabled on the correct interface, 4) Ensuring the FortiSwitch is authorized in the managed switch configuration, 5) Verifying no IP address conflicts exist on the FortiLink subnet, and 6) Confirming compatible firmware versions between FortiGate and FortiSwitch devices.