epefti
Staff
Article Id 401594
Description

This article describes how to enable LLDP on FortiGate and verify connected Link Layer Discovery Protocol (LLDP) neighbors.

Scope

FortiGate.

Solution

By default, LLDP reception is enabled only on interfaces with the WAN role. See FortiOS v6.2 New Features: Leverage LLDP to Simplify Security Fabric Negotiation.

Depending on the role of the interface, LLDP reception is either enabled or disabled. When multiple FortiSwitches connect to the FortiGate through a FortiLink-enabled interface, enabling LLDP reception makes it possible to see which switch is connected to which physical FortiGate port.


For example, in the following topology, a FortiGate-200F has two aggregation switches connected to ports x3 and x4.

[Topology diagram: FortiGate-200F with two aggregation switches connected to ports x3 and x4]


Under default settings, the FortiGate will not have any LLDP information about the neighboring devices, and the output of the following command will be empty:


diagnose lldprx neighbor

If required, LLDP reception can be enabled for all interfaces or specific interfaces such as the default 'fortilink'.

Globally:

config system global
    set lldp-reception enable
end

Per-interface:

config system interface
    edit "fortilink"
        set lldp-reception enable
    next
end


For interfaces with LLDP reception enabled, the FortiGate listens for incoming LLDP frames, and the 'diagnose lldprx neighbor' command lists the discovered neighbors:


diagnose lldprx neighbor
1 port 'x2' 33 mac 84:39:8F:5E:F4:66 chassis 84:39:8F:5E:F4:4D port 'port25' system 'S524DNTVXXXXXXXX'
2 port 'x4' 34 mac 84:39:8F:5E:D0:A6 chassis 84:39:8F:5E:D0:8D port 'port25' system 'S524DNTVYYYYYYYY'


LLDP can also be used with third-party switches:


diagnose lldprx neighbor
1 port 'wan1' 5 mac 6C:41:6A:D8:CE:AF chassis 6C:41:6A:D8:CE:80 port 'Te1/0/1' system 'Switch'
2 port 'wan2' 6 mac 6C:41:6A:D8:CE:B0 chassis 6C:41:6A:D3:DE:80 port 'Te1/0/1' system 'Switch'
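As an added example (not part of this article or of FortiOS), a small Python parser for the 'diagnose lldprx neighbor' lines shown in the FortiSwitch and third-party outputs above. It maps each local FortiGate port to the neighbor's chassis ID and system name and compares the result against a recorded baseline, so a moved or swapped uplink is flagged; the baseline values are hypothetical.

```python
import re

# One line of 'diagnose lldprx neighbor' output, in the layout shown in this article.
LINE_RE = re.compile(
    r"^(?P<idx>\d+)\s+port\s+'(?P<port>[^']+)'\s+(?P<ifindex>\d+)\s+"
    r"mac\s+(?P<mac>[0-9A-Fa-f:]{17})\s+chassis\s+(?P<chassis>[0-9A-Fa-f:]{17})\s+"
    r"port\s+'(?P<remote_port>[^']+)'\s+system\s+'(?P<system>[^']+)'\s*$"
)

def parse_neighbors(text):
    """Map each local FortiGate port to its LLDP neighbor; other lines are ignored."""
    neighbors = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        neighbors[d["port"]] = {
            "ifindex": int(d["ifindex"]),
            "mac": d["mac"].upper(),
            "chassis": d["chassis"].upper(),
            "remote_port": d["remote_port"],
            "system": d["system"],
        }
    return neighbors

def check_expected(neighbors, expected):
    """Compare observed neighbors with a baseline {local_port: chassis_id}; [] means all match."""
    issues = []
    for port, chassis in expected.items():
        seen = neighbors.get(port)
        if seen is None:
            issues.append(f"{port}: no LLDP neighbor seen, expected chassis {chassis.upper()}")
        elif seen["chassis"] != chassis.upper():
            issues.append(f"{port}: chassis {seen['chassis']} differs from expected {chassis.upper()}")
    for port, seen in neighbors.items():
        if port not in expected:
            issues.append(f"{port}: unexpected neighbor {seen['system']} ({seen['chassis']})")
    return issues

# Constructed sample: the FortiSwitch output shown in this article, pasted as-is.
SAMPLE = """\
diagnose lldprx neighbor
1 port 'x2' 33 mac 84:39:8F:5E:F4:66 chassis 84:39:8F:5E:F4:4D port 'port25' system 'S524DNTVXXXXXXXX'
2 port 'x4' 34 mac 84:39:8F:5E:D0:A6 chassis 84:39:8F:5E:D0:8D port 'port25' system 'S524DNTVYYYYYYYY'
"""

if __name__ == "__main__":  # hypothetical baseline recorded when the links were first cabled
    baseline = {"x2": "84:39:8F:5E:F4:4D", "x4": "84:39:8F:5E:D0:8D"}
    print(check_expected(parse_neighbors(SAMPLE), baseline) or "all neighbors as expected")
```

LLDP frames are unauthenticated, so a matching chassis ID or system name is a cabling and inventory aid, not proof of the neighbor's identity.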


The command 'diagnose lldprx neighbor details' outputs the vendor platform and additional information, including the management IP address:


diagnose lldprx neighbor details

<output omitted>

lldprx.neighbor.1.port.desc.data: TenGigabitEthernet1/0/1
lldprx.neighbor.1.system.desc.data: Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 15.2(4)E3, RELEASE 
lldprx.neighbor.1.address.1.addr: 172.19.254.254
lldprx.neighbor.2.port.desc.data: TenGigabitEthernet1/0/1
lldprx.neighbor.2.system.desc.data: Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 15.2(4)E3, RELEASE 
<output omitted>


Related documents:

FortiOS Administration Guide: LLDP reception

Technical Tip: Leverage LLDP to Simplify Security Fabric Negotiation