FortiGate
GeorgeZhong
Staff
Article Id 346652
Description

This article describes the expected behavior of the hardware switch interface on FortiGates when a member port is removed.

Scope

FortiGates featuring Shared Media Interfaces.

Solution

A hardware switch on a FortiGate is a virtual switch interface that aggregates multiple ports into a single interface. Supported models ship with a default hardware switch, typically labeled either 'internal' or 'lan'. This hardware switch operates at the chipset level.

Ports within the same hardware switch behave as if they are on a single physical switch within the same broadcast domain. Member ports can be reassigned to other switches or utilized as standalone interfaces. For more detailed information, refer to the official document:

Hardware switch

In most scenarios, adding or removing member ports from a hardware switch should not cause a flap, provided at least one port remains operational.

However, there is a specific scenario where a 1-second flap occurs when removing a member port (even if that port is already down) while other ports remain up.

Explanation of the Scenario:

Certain FortiGates, such as the FortiGate-100F and 90G, feature a Shared Media Interface, allowing two distinct physical connectors to link to a single logical interface. For further information, see:

Technical Tip: Understanding Shared Media interfaces on the FortiGate

When a Shared Media Interface is included in a hardware switch, removing any member port (even if down) will cause the hardware switch to flap.

For example, on the FortiGate 101F shown below, ports 17-20 are designated as Shared Media Interfaces:

[Screenshot: FortiGate 101F interface list with ports 17-20 marked as Shared Media Interface]

Ports 18-20 are part of the hardware switch along with port 2, which is down:

[Screenshot: hardware switch 'lan' with members port 2 (down) and ports 18-20]

When port 2 is removed from the 'lan' hardware switch interface, the system event log shows the 'lan' interface going down and coming back up. The same flap occurs when port 2 is added back. Any VLAN interfaces or overlay services configured on top of the hardware switch also experience a brief disruption during the change.

[Screenshot: system event log showing interface 'lan' going down and back up after port 2 is removed]

Conversely, if ports 1 and 2 are included in the hardware switch, and port 1 is up, removing port 2 will not cause a flap since port 1 is not a Shared Media Interface.

[Screenshot: hardware switch containing ports 1 and 2; removing port 2 while port 1 is up causes no flap]
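As an added illustration (not part of the original article or of FortiOS itself), the following Python pre-change check applies the rule above to a hardware switch configuration: it parses a constructed 'config system virtual-switch' / 'config system interface' snippet in FortiOS CLI syntax and reports whether removing a given member port will flap the switch and which VLAN interfaces on top of it are affected. The Shared Media port list is the FortiGate 101F set (ports 17-20) from the article; the port names, the VLAN name and the link states are assumptions.

```python
# Constructed sample in FortiOS CLI syntax (not taken from a real device).
SHARED_MEDIA_PORTS = {"port17", "port18", "port19", "port20"}  # FortiGate 101F (article)
SAMPLE_CONFIG = """\
config system virtual-switch
    edit "lan"
        config port
            edit "port2"
            next
            edit "port18"
            next
        end
    next
end
config system interface
    edit "vlan10"
        set interface "lan"
    next
end
"""

def parse_config(text):  # one pass over CLI text -> ({switch: [members]}, {vlan: parent})
    switches, vlan_parent, section, name, in_ports = {}, {}, None, None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("config system "):
            section = line.split()[2]
        elif line == "config port":
            in_ports = True
        elif line == "end":  # first 'end' closes 'config port', the next one the section
            in_ports, section = False, (section if in_ports else None)
        elif line.startswith('edit "'):
            edited = line.split('"')[1]
            if section == "virtual-switch" and in_ports:
                switches[name].append(edited)  # member port of the current switch
            elif not in_ports:
                name = edited  # a switch entry or an interface entry
                if section == "virtual-switch":
                    switches[name] = []
        elif section == "interface" and line.startswith("set interface "):
            vlan_parent[name] = line.split('"')[1]  # VLAN riding on this parent
    return switches, vlan_parent

def predict_flap(text, switch, removed_port, up_ports, shared_media=SHARED_MEDIA_PORTS):
    """Return (flaps, impacted interfaces) for removing removed_port from switch."""
    switches, vlan_parent = parse_config(text)
    members = switches[switch]
    assert removed_port in members, f"{removed_port} is not a member of {switch}"
    remaining_up = [p for p in members if p != removed_port and p in up_ports]
    flaps = any(p in shared_media for p in members) or not remaining_up
    vlans = sorted(v for v, parent in vlan_parent.items() if parent == switch)
    return flaps, ([switch] + vlans if flaps else [])
```

With the sample, removing the down port 2 still flaps 'lan' and 'vlan10' because port 18 is a Shared Media Interface; swapping port 18 for a non-shared port 1 that stays up predicts no flap, matching the two cases in the article.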

Conclusion:

In summary, the behavior described is expected for the hardware switch interface with Shared Media Interfaces on FortiGate devices. When making this kind of change to the hardware switch interface that carries production traffic, it is advisable to schedule a maintenance window to minimize any potential impact on network traffic.