fortiswitch_switch_interface – Usable interfaces (trunks and ports) in Fortinet’s FortiSwitch

New in version 1.0.0.

Synopsis

  • This module is able to configure a FortiSwitch device by allowing the user to set and modify switch feature and interface category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v7.0.0

Requirements

The below requirements are needed on the host that executes this module.

  • ansible>=2.11

FortiSW Version Compatibility


v7.0.0 v7.0.1 v7.0.2 v7.0.3
fortiswitch_switch_interface yes yes yes yes

Parameters

  • enable_log - Enable/Disable logging for task. type: bool required: false default: False
  • member_path - Member attribute path to operate on. type: str
  • member_state - Add or delete a member under specified attribute path. type: str choices: present, absent
  • state - Indicates whether to create or remove the object. type: str required: true choices: present, absent
  • switch_interface - Usable interfaces (trunks and ports). type: dict
    • allowed_sub_vlans - Sub-VLANs allowed to egress this interface. type: str
    • allowed_vlans - Allowed VLANs. type: str
    • arp_inspection_trust - Dynamic ARP Inspection (trusted or untrusted). type: str choices: trusted, untrusted
    • auto_discovery_fortilink - Enable/disable automatic FortiLink discovery mode. type: str choices: disable, enable
    • auto_discovery_fortilink_packet_interval - FortiLink packet interval for automatic discovery (3 - 300 sec). type: int
    • default_cos - Set default COS for untagged packets. type: int
    • description - Description. type: str
    • dhcp_snoop_learning_limit - Maximum DHCP IP learned on the interface. type: int
    • dhcp_snoop_learning_limit_check - Enable/Disable DHCP learning limit check on the interface. type: str choices: disable, enable
    • dhcp_snoop_option82_trust - Enable/Disable (allow/disallow) dhcp pkt with option82 on untrusted interface. type: str choices: enable, disable
    • dhcp_snooping - DHCP snooping interface (trusted or untrusted). type: str choices: trusted, untrusted
    • discard_mode - Configure discard mode for interface. type: str choices: none, all-tagged, all-untagged
    • edge_port - Enable/disable interface as edge port. type: str choices: enabled, disabled
    • filter_sub_vlans - Private VLAN or sub-VLAN based port type. type: str choices: disable, enable
    • fortilink_l3_mode - FortiLink L3 uplink port. type: str choices: enable, disable
    • igmp_snooping_flood_reports - Enable/disable flooding of IGMP snooping reports to this interface. type: str choices: enable, disable
    • ip_mac_binding - Enable/disable ip-mac-binding on this interaface. type: str choices: global, enable, disable
    • learning_limit - Limit the number of dynamic MAC addresses on this port. type: int
    • learning_limit_action - Enable/disable turning off this interface on learn limit violation. type: str choices: none, shutdown
    • log_mac_event - Enable/disable logging for dynamic MAC address events. type: str choices: enable, disable
    • loop_guard - Enable/disable loop guard protection. type: str choices: enabled, disabled
    • loop_guard_mac_move_threshold - Trigger loop guard if MAC move per second of this interface reaches this threshold. type: int
    • loop_guard_timeout - Loop guard disabling protection (min). type: int
    • mcast_snooping_flood_traffic - Enable/disable flooding of multicast snooping traffic to this interface. type: str choices: enable, disable
    • mld_snooping_flood_reports - Enable/disable flooding of MLD reports to this interface. type: str choices: enable, disable
    • nac - Enable/disable NAC in Fortilink mode. type: str choices: enable, disable
    • name - Interface name. type: str required: true
    • native_vlan - Native (untagged) VLAN. type: int
    • packet_sample_rate - Packet sample rate (0 - 99999). type: int
    • packet_sampler - Enable/disable packet sampling. type: str choices: enabled, disabled
    • port_security - Configure port security. type: dict
      • allow_mac_move - Enable/disable allow mac move mode. type: str choices: disable, enable
      • auth_fail_vlan - Enable/disable auth_fail vlan. type: str choices: disable, enable
      • auth_fail_vlanid - Set auth_fail vlanid. type: int
      • authserver_timeout_period - Set authserver_timeout period. type: int
      • authserver_timeout_vlan - Enable/disable authserver_timeout vlan. type: str choices: disable, enable
      • authserver_timeout_vlanid - Set authserver_timeout vlanid. type: int
      • dacl - Enable/disable dynamic access control list mode. type: str choices: disable, enable
      • eap_auto_untagged_vlans - Enable/disable EAP auto-untagged-vlans mode. type: str choices: disable, enable
      • eap_egress_tagged - Enable/disable Egress frame tag. type: str choices: disable, enable
      • eap_passthru - Enable/disable EAP pass-through mode. type: str choices: disable, enable
      • framevid_apply - Enable/disable the capbility to apply the EAP/MAB frame vlan to the port native vlan. type: str choices: disable, enable
      • guest_auth_delay - Set guest auth delay. type: int
      • guest_vlan - Enable/disable guest vlan. type: str choices: disable, enable
      • guest_vlanid - Set guest vlanid. type: int
      • mab_eapol_request - Set MAB EAPOL Request. type: int
      • mac_auth_bypass - Enable/disable mac-authentication-bypass on this interaface. type: str choices: disable, enable
      • macsec_profile - macsec port profile. Source switch.macsec.profile.name. type: str
      • open_auth - Enable/disable open authentication on this interaface. type: str choices: disable, enable
      • port_security_mode - Security mode. type: str choices: none, 802.1X, 802.1X-mac-based, macsec
      • quarantine_vlan - Enable/disable Quarantine VLAN detection. type: str choices: disable, enable
      • radius_timeout_overwrite - Enable/disable radius server session timeout to overwrite local timeout. type: str choices: disable, enable
    • primary_vlan - Private VLAN to host. Source switch.vlan.id. type: int
    • private_vlan - Configure private VLAN. type: str choices: disable, promiscuous, sub-vlan
    • private_vlan_port_type - Private VLAN or sub-VLAN based port type. type: int
    • ptp_policy - PTP policy. Source switch.ptp.policy.name. type: str
    • qnq - Configure QinQ. type: dict
      • add_inner - Add inner-tag for untagged packets upon ingress. type: int
      • edge_type - Choose edge type. type: str choices: customer
      • priority - Follow S-Tag or C-Tag"s priority. type: str choices: follow-c-tag, follow-s-tag
      • remove_inner - Remove inner-tag upon egress. type: str choices: disable, enable
      • s_tag_priority - Set priority value if packets follow S-Tag"s priority. type: int
      • status - Enable/Disable QinQ mode. type: str choices: disable, enable
      • stp_qnq_admin - Enable/Disable QnQ to manage STP admin status. type: str choices: disable, enable
      • untagged_s_vlan - Add s-vlan to untagged packet. type: int
      • vlan_mapping - Configure Vlan Mapping. type: list member_path: qnq/vlan_mapping:id
        • description - Description of Mapping entry. type: str
        • id - Entry Id. type: int required: true
        • match_c_vlan - Matching customer(inner) vlan. type: int
        • new_s_vlan - Set new service vlan. type: int
      • vlan_mapping_miss_drop - Enabled or disabled drop if mapping missed. type: str choices: disable, enable
    • qos_policy - QOS egress COS queue policy. Source switch.qos.qos-policy.name. type: str
    • raguard - IPV6 RA guard configuration. type: list member_path: raguard:id
      • id - ID. type: int required: true
      • raguard_policy - RA Guard policy name. Source switch.raguard-policy.name. type: str
      • vlan_list - Vlan list. type: str
    • rpvst_port - Enable/disable interface to inter-op with pvst type: str choices: enabled, disabled
    • sample_direction - SFlow sample direction. type: str choices: tx, rx, both
    • security_groups - Group name. type: list member_path: security_groups:name
      • name - Group name. type: str required: true
    • sflow_counter_interval - SFlow sampler counter polling interval (0:disable - 255). type: int
    • snmp_index - SNMP index. type: int
    • sticky_mac - Enable/disable Sticky MAC for this interface. type: str choices: enable, disable
    • stp_bpdu_guard - Enable/disable STP BPDU guard protection (stp-state and edge-port must be enabled). type: str choices: enabled, disabled
    • stp_bpdu_guard_timeout - BPDU Guard disabling protection (min). type: int
    • stp_loop_protection - Enable/disable spanning tree protocol loop guard protection (stp-state must be enabled). type: str choices: enabled, disabled
    • stp_root_guard - Enable/disable STP root guard protection (stp-state must be enabled). type: str choices: enabled, disabled
    • stp_state - Enable/disable spanning tree protocol. type: str choices: enabled, disabled
    • sub_vlan - Private VLAN sub-VLAN to host. Source switch.vlan.id. type: int
    • switch_port_mode - Enable/disable port as L2 switch port (enable) or as pure routed port (disable). type: str choices: disable, enable
    • trust_dot1p_map - QOS trust 802.1p map. Source switch.qos.dot1p-map.name. type: str
    • trust_ip_dscp_map - QOS trust IP-DSCP map. Source switch.qos.ip-dscp-map.name. type: str
    • type - Interface type. type: str choices: physical, trunk
    • untagged_vlans - Configure VLANs permitted to be transmitted without VLAN tags. type: str
    • vlan_mapping - Configure vlan mapping table. type: list member_path: vlan_mapping:id
      • action - Vlan action if packet is matched. type: str choices: add, replace, delete
      • description - Description of Mapping entry. type: str
      • direction - Ingress or Egress direction. type: str choices: ingress, egress
      • id - Entry Id. type: int required: true
      • match_c_vlan - Matching customer(inner) vlan. type: int
      • match_s_vlan - Matching service(outer) vlan. type: int
      • new_s_vlan - Set new service(outer) vlan. type: int
    • vlan_mapping_miss_drop - Enabled or disabled drop if mapping missed. type: str choices: disable, enable
    • vlan_tpid - Configure ether-type. Source switch.vlan-tpid.name. type: str
    • vlan_traffic_type - Configure traffic tagging. type: str choices: untagged, tagged

Examples

- hosts: fortiswitch01
  collections:
    - fortinet.fortiswitch
  connection: httpapi
  vars:
   ansible_httpapi_use_ssl: yes
   ansible_httpapi_validate_certs: no
   ansible_httpapi_port: 443
  tasks:
  - name: Usable interfaces (trunks and ports).
    fortiswitch_switch_interface:
      state: "present"
      switch_interface:
        allowed_sub_vlans: "<your_own_value>"
        allowed_vlans: "<your_own_value>"
        arp_inspection_trust: "trusted"
        auto_discovery_fortilink: "disable"
        auto_discovery_fortilink_packet_interval: "7"
        default_cos: "8"
        description: "<your_own_value>"
        dhcp_snoop_learning_limit: "10"
        dhcp_snoop_learning_limit_check: "disable"
        dhcp_snoop_option82_trust: "enable"
        dhcp_snooping: "trusted"
        discard_mode: "none"
        edge_port: "enabled"
        filter_sub_vlans: "disable"
        fortilink_l3_mode: "enable"
        igmp_snooping_flood_reports: "enable"
        ip_mac_binding: "global"
        learning_limit: "20"
        learning_limit_action: "none"
        log_mac_event: "enable"
        loop_guard: "enabled"
        loop_guard_mac_move_threshold: "24"
        loop_guard_timeout: "25"
        mcast_snooping_flood_traffic: "enable"
        mld_snooping_flood_reports: "enable"
        nac: "enable"
        name: "default_name_29"
        native_vlan: "30"
        packet_sample_rate: "31"
        packet_sampler: "enabled"
        port_security:
            allow_mac_move: "disable"
            auth_fail_vlan: "disable"
            auth_fail_vlanid: "36"
            authserver_timeout_period: "37"
            authserver_timeout_vlan: "disable"
            authserver_timeout_vlanid: "39"
            dacl: "disable"
            eap_auto_untagged_vlans: "disable"
            eap_egress_tagged: "disable"
            eap_passthru: "disable"
            framevid_apply: "disable"
            guest_auth_delay: "45"
            guest_vlan: "disable"
            guest_vlanid: "47"
            mab_eapol_request: "48"
            mac_auth_bypass: "disable"
            macsec_profile: "<your_own_value> (source switch.macsec.profile.name)"
            open_auth: "disable"
            port_security_mode: "none"
            quarantine_vlan: "disable"
            radius_timeout_overwrite: "disable"
        primary_vlan: "55 (source switch.vlan.id)"
        private_vlan: "disable"
        private_vlan_port_type: "57"
        ptp_policy: "<your_own_value> (source switch.ptp.policy.name)"
        qnq:
            add_inner: "60"
            edge_type: "customer"
            priority: "follow-c-tag"
            remove_inner: "disable"
            s_tag_priority: "64"
            status: "disable"
            stp_qnq_admin: "disable"
            untagged_s_vlan: "67"
            vlan_mapping:
             -
                description: "<your_own_value>"
                id:  "70"
                match_c_vlan: "71"
                new_s_vlan: "72"
            vlan_mapping_miss_drop: "disable"
        qos_policy: "<your_own_value> (source switch.qos.qos-policy.name)"
        raguard:
         -
            id:  "76"
            raguard_policy: "<your_own_value> (source switch.raguard-policy.name)"
            vlan_list: "<your_own_value>"
        rpvst_port: "enabled"
        sample_direction: "tx"
        security_groups:
         -
            name: "default_name_82"
        sflow_counter_interval: "83"
        snmp_index: "84"
        sticky_mac: "enable"
        stp_bpdu_guard: "enabled"
        stp_bpdu_guard_timeout: "87"
        stp_loop_protection: "enabled"
        stp_root_guard: "enabled"
        stp_state: "enabled"
        sub_vlan: "91 (source switch.vlan.id)"
        switch_port_mode: "disable"
        trust_dot1p_map: "<your_own_value> (source switch.qos.dot1p-map.name)"
        trust_ip_dscp_map: "<your_own_value> (source switch.qos.ip-dscp-map.name)"
        type: "physical"
        untagged_vlans: "<your_own_value>"
        vlan_mapping:
         -
            action: "add"
            description: "<your_own_value>"
            direction: "ingress"
            id:  "101"
            match_c_vlan: "102"
            match_s_vlan: "103"
            new_s_vlan: "104"
        vlan_mapping_miss_drop: "disable"
        vlan_tpid: "<your_own_value> (source switch.vlan-tpid.name)"
        vlan_traffic_type: "untagged"

Return Values

Common return values are documented: https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values, the following are the fields unique to this module:

  • build - Build number of the fortiSwitch image returned: always type: str sample: 1547
  • http_method - Last method used to provision the content into FortiSwitch returned: always type: str sample: PUT
  • http_status - Last result given by FortiSwitch on last operation applied returned: always type: str sample: 200
  • mkey - Master key (id) used in the last call to FortiSwitch returned: success type: str sample: id
  • name - Name of the table used to fulfill the request returned: always type: str sample: urlfilter
  • path - Path of the table used to fulfill the request returned: always type: str sample: webfilter
  • serial - Serial number of the unit returned: always type: str sample: FS1D243Z13000122
  • status - Indication of the operation's result returned: always type: str sample: success
  • version - Version of the FortiSwitch returned: always type: str sample: v7.0.0

Status

  • This module is not guaranteed to have a backwards compatible interface.

Authors

  • Link Zheng (@chillancezen)
  • Jie Xue (@JieX19)
  • Hongbin Lu (@fgtdev-hblu)
  • Frank Shen (@frankshen01)
  • Miguel Angel Munoz (@mamunozgonzalez)

Hint

If you notice any issues in this documentation, you can create a pull request to improve it.