NSE5_FSW_AD-7.6 Fortinet NSE 5 - FortiSwitch 7.6 Administrator Questions and Answers

To enable SNMP v2c on a managed FortiSwitch, the essential requirement involves configuring the SNMP agent and community strings:

Configure SNMP Agent and Communities (D):

SNMP Agent:Activating the SNMP agent on FortiSwitch allows it to respond to SNMP requests.

Community Strings:SNMP v2c uses community strings for authentication. These strings function as passwords to grant read-only or read-write access to the SNMP data.

Understanding Other Options:

Create an SNMP user (A)is necessary for SNMP v3, not v2c, as it involves user-based authentication and encryption.

Specify an SNMP host (B)is typically a part of SNMP configuration but not a requirement just to enable SNMP.

Enable SNMP v3 (C)is not related to enabling SNMP v2c.

A FortiLink interface must be enabled on FortiGate (A): To manage a FortiSwitch stack, a dedicated FortiLink interface on the FortiGate is required. This interface is used to manage the communication between FortiGate and the FortiSwitch stack, enabling centralized control and configuration of the switches directly from the FortiGate.

The switch controller feature must be enabled on FortiGate (B): Enabling the switch controller feature on FortiGate allows it to manage connected FortiSwitch units. This feature provides tools and interfaces on the FortiGate for overseeing FortiSwitch configurations, monitoring switch status, and managing network policies across the stack.

According to theFortiSwitchOS 7.6 Administration GuideandFortiOS 7.6 FortiLink Guide, the processing of Ethernet frames on a managed FortiSwitch port depends on whether the frame is tagged or untagged upon arrival (ingress) and how the port's VLAN membership is defined.

In the provided exhibit,port1is configured with set vlan "IP_Phone" (VLAN 20) as itsnative VLAN. By definition, the native VLAN handles untagged traffic; any untagged frame arriving at the port is assigned to VLAN 20, and any egress traffic from VLAN 20 is sent out of the port without a tag. However, the scenario specifically states that theIP phone tags its traffic with VLAN ID 20.

When a FortiSwitch receives atagged frame, it checks the VLAN ID against theallowed-vlanslist configured on that port. Although VLAN 20 is the native VLAN, the exhibit shows that the port has been explicitly configured with set allowed-vlans "quarantine". This creates a restrictive filter that permits only tagged frames belonging to the "quarantine" VLAN to enter or exit the port. Because VLAN 20 (IP_Phone) is not present in the allowed-vlans list, the switch drops the tagged frames from the IP phone during ingress processing.

To resolve this, the administrator must modify theFortiSwitch port configurationby adding VLAN 20 to the allowed_vlans list (e.g., set allowed-vlans "quarantine" "IP_Phone" or set allowed-vlans-all enable). This ensures that the switch recognizes and permits tagged traffic for VLAN 20 on that physical interface. Option B is incorrect because l2forward is a Layer 3 interface setting on the FortiGate and does not address the physical port's ingress filtering logic on the switch. Disabling the edge_port (Option D) relates to Spanning Tree Protocol (STP) convergence and would not impact VLAN tag filtering.

To cause endpoints to exchange PoE information and negotiate power with the managed FortiSwitch via LLDP, you should configure the LLDP profile to include power management in the advertised LLDP-MED TLVs. Here are the steps:

Access the LLDP Profile Configuration:Start by entering the LLDP profile configuration mode with the command:

config switch-controller lldp-profile

edit "LLDP-PROFILE"

Enable MED-TLVs:Ensure that MED-TLVs (Media Endpoint Discovery TLVs) are enabled. These TLVs are used for extended discovery relating to network policies, including PoE, and are essential for PoE negotiation. They include power management which is crucial for the negotiation of PoE parameters between devices. The command to ensure network policies are set might look like:

set med-tlvs network-policy

Add Power Management TLV:Specifically add or ensure the power management TLV is part of the configuration. This will advertise the PoE capabilities and requirements, enabling dynamic power allocation between the FortiSwitch and the connected devices (like VoIP phones or wireless access points). This can typically be done within the network-policy settings:

config med-network-policy

edit

set poe-capability

next

end

Save and Apply Changes:Exit the configuration blocks properly ensuring changes are saved:

End

Verify Configuration:It’s always good practice to verify that your configurations have been applied correctly. Use the appropriateshoworgetcommands to review the LLDP profile settings.

By adding the power management as part of LLDP-MED TLVs, the FortiSwitch will be able to communicate its power requirements and capabilities to the endpoints, thereby facilitating a dynamic power negotiation that is crucial for efficient PoE utilization.

According to theFortiSwitchOS 7.6 Administration Guideand theNSE 5 FortiSwitch Study Guide, Access Control Lists (ACLs) are used to provide granular control over the traffic entering or leaving a switch port. ACLs function by definingclassifiers(to match specific traffic based on criteria like MAC address, IP address, or VLAN ID) and then applying specificactionsto that matched traffic.

The documentation explicitly categorizes ACL actions into three distinct groups:

Traffic Processing:This category includes actions that dictate the physical handling of the frame. Valid actions listed in the official documents under this header includecount(to track packet volume),drop(to block the traffic),redirect(to forward the frame to a specific physical port or interface instead of its original destination), andmirror(to send a copy to a monitoring port).

Quality of Service (QoS):This category focuses on traffic prioritization and bandwidth management. It includes actions such asrate limiting,remarking CoS/DSCP values, andsetting the egress queue(e.g., assigning a packet to a specific queue number from 0 to 7).

VLAN:This allows for modifications such as setting anouter VLAN tagon frames.

The question specifically asks for "traffic processing actions." Based on the 7.6 documentation,Redirect frames to another port(Option A) andDrop frames(Option D) are explicitly defined under the "Traffic Processing" action header. While "Assign traffic to a high-priority egress queue" (Option B) is a valid action an ACL can perform, it is technically categorized as aQoS action, not a traffic processing action.Encrypt frames(Option C) is not a supported ACL action on FortiSwitch hardware, as encryption is typically handled at higher layers or via dedicated MACsec configurations on specific models.

Active multicast receiver entries are aging on each IGMP query sent on the VLAN (A): When IGMP snooping querier is enabled on a VLAN, it functions to manage multicast traffic within the VLAN by keeping track of multicast group memberships. The IGMP querier sends queries to determine which ports require the multicast traffic. The multicast receiver entries, which are entries that indicate which devices have requested the multicast data, age or time out based on these IGMP queries. Each query refreshes active connections but ages out entries that no longer respond, helping to ensure that multicast traffic is only sent to ports with active receivers.

According to theFortiSwitchOS 7.6 Administration Guideand theFortiSwitch 7.6 Study Guide, the interaction between a managed switch and a connected endpoint depends on whether the endpoint can participate in the 802.1X authentication process. When a security policy is applied to a port, the switch sends EAP (Extensible Authentication Protocol) requests to the device to initiate the login.

The FortiSwitch handles two primary failure scenarios differently:

Non-supplicant (No 802.1X Support):If a device, such as a legacy PC or a basic printer, does not have an 802.1X supplicant, it will not respond to the switch's EAP requests. In this case, the switch waits for the duration specified in theGuest authentication delayfield (30 seconds in the exhibit). Once this timer expires without a response, the switch places the device into theGuest VLAN. As shown in the exhibit, the Guest VLAN is explicitly set to"onboarding.fortilink (onboarding)".

Authentication Failure:If a devicedoessupport 802.1X but the user provides incorrect credentials, the RADIUS server returns an Access-Reject message. In this scenario, the device is moved to theAuthentication fail VLAN, which the exhibit identifies as"quarantine.fortilink (quarantine)".

Note:BecauseMAC authentication bypass (MAB)is disabled in the exhibit, the switch will not attempt to authenticate the device's MAC address against the RADIUS server before defaulting to the Guest VLAN. Therefore, for any device lacking an 802.1X supplicant, the result is placement into theonboardingVLAN.

Tail-drop mode is a congestion management technique used in network devices, including FortiSwitches, to handle congestion on network ports:

Tail-Drop Mode (A):

Behavior:When a queue reaches its maximum capacity on a congested port, tail-drop mode simply drops any incoming packets that arrive after the buffer is full. This continues until the congestion is alleviated and there is space in the queue to accommodate new packets.

Application:This is a straightforward approach used when the device’s buffer allocated to the port becomes full due to sustained high traffic, preventing buffer overflow and maintaining system stability.

According to theFortiSwitchOS 7.6 Administration Guideand theNSE 5 FortiSwitch 7.6 Administrator Study Guide, FortiSwitch supports a multi-stage ACL pipeline that allows for granular traffic control at different points in a packet's journey through the switch.1The documentation identifies three primary stages for ACL application:Prelookup,Ingress, andEgress.

Prelookup (Option D):This is the earliest stage in the switching pipeline. The documentation explicitly states thatPrelookup ACLsare processedbefore any Layer 2 or Layer 3 lookupsare performed by the switch hardware. This stage is highly recommended for high-performance security actions, such as dropping unwanted traffic immediately upon arrival, because it prevents the switch from wasting internal resources (CPU and ASIC lookup cycles) on frames that are destined to be discarded anyway.

Ingress (Option A):This stage occursafterthe switch has completed its Layer 2 (MAC table) and Layer 3 (routing table) lookups butbeforethe packet is queued for the egress port. While powerful, actions here occur after initial processing has already taken place.

Egress (Option C):This stage is processed just before the frame leaves the switch through the destination port. It is typically used for final modifications or filtering based on the outgoing interface context.

Therefore, to achieve the goal of applying actionsbeforeany Layer 2 or Layer 3 processing occurs, thePrelookupstage is the technically correct and recommended choice in FortiSwitchOS 7.6.Forwarding (Option B)is a general functional stage of a switch but is not a specific ACL stage type in the FortiSwitch configuration hierarchy.

FortiSwitch determines how traffic is routed by leveraging atwo-tier routing lookup mechanismthat prioritizes hardware-based forwarding before software-based processing. According to theFortiSwitchOS 7.6 Administrator Guide, FortiSwitch first checks thehardware routing table, which is populated with a subset of routes installed from the Forwarding Information Base (FIB) and programmed directly into the switch ASIC.

The hardware routing table contains routes that are eligible for ASIC acceleration. When a packet arrives on a FortiSwitch interface, the switch performs a lookup in this hardware routing table. If a matching route is found, the packet is forwarded at wire speed using ASIC-based forwarding, which provides optimal performance and minimal latency. This process is referred to ashardware-based routing.

If no matching route exists in the hardware routing table, FortiSwitch then performs a lookup in theForwarding Information Base (FIB), which resides in the kernel. Routes in the FIB are handled by the CPU and processed throughsoftware-based routing. This fallback mechanism ensures correct forwarding behavior even when routes cannot be offloaded to hardware.

The FortiSwitchOS documentation explicitly states that the hardware routing table indicates which routes in the FIB are installed in hardware. This confirms that routing decisions are not exclusively offloaded to FortiGate, nor are they limited to CPU-based processing alone. Instead, FortiSwitch uses ahierarchical lookup order: hardware routing table first, followed by the FIB.

Therefore, the correct and fully documented answer isC. FortiSwitch looks up the hardware routing table and then the forwarding information base (FIB).

The correct statement about using the Switch Port Analyzer (SPAN) packet capture method on FortiSwitch is that "Mirrored traffic can be sent across multiple switches (A)." This feature allows for extensive traffic analysis as it enables network administrators to configure SPAN sessions that span across different switches, thereby providing the capability to monitor traffic across a broad segment of the network infrastructure.

According to theFortiSwitchOS 7.6 Administration Guideand theFortiLink 7.6 Study Guide, DHCP snooping is a security feature that prevents rogue DHCP servers from distributing incorrect IP addresses on a network. Once enabled for a specific VLAN, the switch differentiates betweentrustedanduntrustedports to regulate DHCP traffic.

Trusted Ports and DHCP Replies (Option A):In a managed FortiSwitch environment, all ports areuntrusted by default. To allow a DHCP server (such as a FortiGate or an external server) to provide IP addresses, the administrator must explicitly set the connecting port astrusted. DHCP snooping validates incoming packets; it allowsDHCP server messages(such as DHCPOFFER and DHCPACK) only on these trusted ports. Any DHCP server reply arriving on an untrusted port is identified as coming from a potentially rogue source and is discarded by the switch.

Option 82 Data Insertion (Option C):FortiSwitch supportsDHCP Option 82(also known as the Relay Information Option), which provides additional security by appending location-specific information (such as the Circuit ID and Remote ID) toDHCP request packets. When DHCP snooping is active, the switch can be configured to insert this data into client requests as they enter untrusted ports. This allows the upstream DHCP server to identify the specific physical port or VLAN from which the request originated, even if the server is located in a different subnet.

Regarding the incorrect options:Option Bis false as DHCP snooping only inspects and filters DHCP-specific traffic, not general unicast data.Option Dis incorrect because DHCP requests (client-to-server) are generally permitted on all ports to ensure clients can find a server, though some configurations allow dropping requests from untrusted sources if they do not meet specific security criteria.

According to theFortiSwitchOS 7.6 Administration Guideand theFortiSwitch 7.6 Study Guide, Internet Group Management Protocol (IGMP) snooping is a Layer 2 mechanism that allows a switch to "listen" to IGMP conversations between hosts and routers to maintain a map of which ports require specific multicast streams. When IGMP snooping is enabled, the switch populates aMulticast Layer 2 Forwarding Table(as shown in the exhibit), which ensures that multicast traffic is only forwarded to ports where a receiver has explicitly requested it (e.g., PC1 on port1).

When IGMP snooping isdisabled, the switch no longer maintains this granular forwarding table. By default, a Layer 2 switch that is not performing IGMP snooping treats multicast traffic as if it werebroadcast traffic. Consequently, instead of being intelligently forwarded only to the interested receiver (PC1), the multicast traffic for group 225.1.2.3 will beflooded to all portswithin the same VLAN (VLAN 10). This means PC2, even if it has not joined the group, will receive the multicast packets at the physical layer, leading to unnecessary bandwidth consumption and increased CPU load on unintended recipients.

The documentation explicitly states that disabling IGMP snooping reverts the switch to a "flood-all" behavior for multicast frames within the broadcast domain. Option A is incorrect because the host (PC1) remains a member of the group; only the switch's forwarding logic changes. Option B is incorrect as the switch may still see the messages but will not act on them to prune ports. Option D is incorrect as disabling the feature removes the prune/stop mechanism, causing traffic to flow everywhere rather than stopping.

According to theFortiSwitchOS 7.6 Administration Guideand theFortiSwitch 7.6 Study Guide, the way a FortiSwitch handles VLAN tags on egress (outgoing) traffic is governed by the port'sNative VLANand itsUntagged VLAN list. When traffic for VLAN 10 arrives at port2 (the uplink) and is forwarded to port1, the switch must determine whether to strip the 802.1Q tag before transmission.

Untagged VLAN List (Option B):The documentation explicitly states that the "untagged VLAN list" specifies VLANs for which the port will transmit frameswithout the VLAN tag. By adding VLAN ID 10 to the untagged VLANs on port1, any traffic belonging to VLAN 10 will have its tag stripped at the egress point, ensuring PC1 receives a standard untagged frame.

Configuration Logic (Option C):In FortiSwitch management, moving a VLAN from the "Allowed" list (which typically implies tagged delivery) to the "Untagged" list on a specific interface forces the switch to perform the tag-stripping action. This effectively converts the port from a trunked behavior for that VLAN to an "access" or untagged behavior.

Regarding the incorrect options:Option A (MAC-based assignment)is used primarily foringress classification. While it can assign a device to a VLAN when it sends trafficintothe switch, the documentation notes that by default, egress packets for MAC-based VLANs still include the tag unless the untagged list is configured.Option D(Private VLANs) is a security feature for isolating traffic between ports within the same VLAN and does not address the physical tagging requirements of the endpoint.

According to theFortiOS 7.6 Study Guideand theFortiSwitch 7.6 FortiLink Guide, several prerequisite steps and compatibility checks must be performed before a FortiGate can successfully discover, authorize, and manage a FortiSwitch or a stack of switches.

First, theSwitch Controller feature must be enabled (Option B)on the FortiGate.2By default, on many FortiGate models, the "Switch Controller" menu is hidden in the GUI to simplify the interface. Administrators must navigate toSystem > Feature Visibilityand toggle theSwitch Controllerswitch to "on" to expose the management menus required to configure FortiLink interfaces and manage FortiSwitch units.3Without this feature enabled, the FortiGate cannot act as a centralized management entity for the switch fabric.

Second, theFortiSwitchOS version must be compatible with FortiOS (Option D). While it is not strictly required to be on the "latest" version (Option A), the firmware on both devices must fall within the supported compatibility matrix provided by Fortinet. If the versions are incompatible, the FortiLink tunnel (CAPWAP) may fail to establish, or certain management features may be unavailable in the FortiOS GUI.

Regarding the incorrect options:Option Ais not a requirement because older, compatible versions are often used in stable environments.Option Cis incorrect because FortiLink interfaces are the very mechanism used for management; they must be correctly configured and enabled, not disabled, for management to function. Therefore, ensuring feature visibility and verifying the compatibility matrix are the two essential administrative requirements for establishing a managed switch stack.

According to theFortiSwitchOS 7.6 Administration Guideand theFortiSwitch 7.6 Study Guide, understanding how VLANs are processed on a switch port is fundamental to network segmentation. A FortiSwitch port behaves differently depending on whether traffic is entering (ingress) or leaving (egress) the interface.

First,you can assign only one native VLAN on a port (Option C). The Native VLAN (often called the PVID or Port VLAN ID) is the default internal ID assigned to any untagged frames arriving at the port. In a managed environment, this is typically set via the FortiGate's switch controller. By design, a single physical interface can only belong to one primary broadcast domain for untagged ingress traffic to ensure there is no ambiguity in the switch's internal forwarding logic.

Second, theuntagged VLAN setting applies to egress traffic only (Option B). While the "Allowed VLANs" list defines which tagged traffic can pass through the port, the "Untagged VLANs" list specifies which of those VLAN tags should beremovedby the switch before the frame is transmitted out of the physical port. This is crucial for connecting devices that do not support 802.1Q tagging, such as standard PCs or printers.

Regarding the incorrect options:Option Ais incorrect because the "Untagged" list does not define ingress rules; ingress is governed by the Native VLAN for untagged packets and the Allowed list for tagged packets.Option Dis incorrect because, in a managed FortiLink environment, all VLAN assignments should be performed through theFortiGate's Switch Controllerto ensure centralized management and consistency.

"Classification: FortiSwitch maps packets with a given CoS or DSCP marking to an egress queue. There are eight egress queues on each port: queues 0 to 7."

In Quality of Service (QoS) mechanisms, the process of mapping packets with specific CoS (Class of Service) or DSCP (Differentiated Services Code Point) markings to an egress queue involves two key steps:classificationandqueuing.

Classification: This occurs on the ingress side (incoming traffic). The switch examines the packet headers (e.g., CoS or DSCP values) to determine how the traffic should be treated. Based on this classification, the switch assigns the packet to a specific priority level or queue.

Queuing: Once the packet is classified, it is mapped to an egress queue based on its priority level. The egress queues are used to manage how traffic is transmitted out of the switch.

Option A (Queuing for egress traffic)refers to managing how packets leave the switch, but it does not involve the initial mapping of CoS/DSCP values to a queue.

Option C (Rate limiting for egress traffic)is about controlling the rate of outgoing traffic, which is unrelated to CoS/DSCP mapping.

Option D (Marking for ingress traffic)involves modifying the CoS or DSCP values of packets as they enter the switch, but it does not map them to an egress queue.

Thus,classification for ingress trafficis the mechanism that identifies and maps packets with specific CoS or DSCP markings to an appropriate egress queue.

According to theFortiSwitchOS 7.6 Administration Guideand theFortiSwitch 7.6 Study Guide, Multichassis Link Aggregation (MCLAG) and standard Link Aggregation Groups (LAG) are designed to provide link-level and node-level redundancy while presenting a simplified logical view to the Spanning Tree Protocol (STP).

In the provided topology:

Logical Switch View (Option D):Switch 1 and Switch 2 are configured asMCLAG peersconnected via an Inter-Chassis Link (ICL). From the perspective of downstream devices and STP, these two physical switches act as a single logical entity. This prevents STP from seeing a loop between the two switches and the downstream Switch 3, as the redundant physical paths are bundled into a single logical MCLAG trunk.

Logical Interface View (Option B):The exhibit shows Switch 4 connected to Switch 3 via two physical links bundled into aLAG, and Switch 3 connected to the MCLAG peers via split links. In both cases, STP treats the aggregated physical links as asingle logical interface. Because the multiple physical paths are managed by the Link Aggregation Control Protocol (LACP) as one trunk, STP does not block individual ports to prevent loops; instead, it sees one high-bandwidth path.

Regarding the incorrect options:Option Ais false because Switch 3 is an MCLAGclient, not a peer in the group.Option Cis incorrect because Switch 3 and Switch 4 are separate physical and logical nodes; they are not seen as a single client entity by the core.

In dynamic routing on FortiSwitch, certain types of interfaces are utilized to participate in the routing processes. The types of interfaces that can be used include:

Loopback Interfaces (B):Loopback interfaces are virtual interfaces that are always up, making them ideal for use in routing protocols where a stable interface is necessary. They are commonly used to establish router IDs and manage routing information more reliably.

Switch Virtual Interfaces (C):Switch Virtual Interfaces (SVIs) are assigned to VLANs and can have IP addresses assigned to them, making them capable of participating in Layer 3 routing. SVIs are essential for routing between different VLANs on a switch and can participate in dynamic routing protocols to advertise networks or make routing decisions.

Physical Interfaces (D)andDetected Management Interfaces (A)are not typically used directly by dynamic routing protocols for their operations in the context of FortiSwitch.

Layer 2 flooding caused by Ethernet frames with all bytes in the destination MAC address set to FF refers to broadcast frames.Here’s why:

Broadcast Ethernet Frame (A):

Address Specification:In Ethernet networking, a broadcast frame has a destination MAC address ofFF:FF:FF:FF:FF:FF, which instructs network devices to forward the frame to all devices within the broadcast domain.

Network Behavior:This causes Layer 2 flooding as the frame is sent to all ports in the VLAN, except the originating port, ensuring that the broadcast reaches all network segments.

Other Frame Types:

Unicast (B)targets a single device.

Multicast (C)targets a group of devices.

Anycast (D)is not used in Ethernet but rather in IP-based routing to route to the nearest of multiple destinations, typically in internet addressing.

FortiGate's multi-tenancy feature, specifically Virtual Domains (VDOMs), is the most appropriate tool for segmenting network operations and the administration of managed FortiSwitch devices on FortiGate. Here's why:

VDOMs as Virtual Firewalls:VDOMs function as independent virtual firewalls within a single FortiGate device. Each VDOM can have its own:

Security policies

Interfaces (Including FortiLink interfaces for FortiSwitch management)

Routing table

Administrative access

Segmenting Network Operations:By assigning different FortiSwitch devices (or groups of ports) to separate VDOMs, you effectively partition your network. Network administrators can manage specific FortiSwitches through their assigned VDOMs, maintaining operational isolation.

Enhanced Administration:VDOMs offer granular administrative control. Different administrators can be assigned to specific VDOMs, limiting their management scope and reducing the risk of accidental configuration changes.

Why Other Options Are Less Suitable:

B. Multi-chassis link aggregation trunk:This focuses on link redundancy and bandwidth aggregation, not network segmentation.

C. FortiGate clustering protocol:This is aimed at high availability and scalability of the firewall functions themselves, not the management of switches.

D. FortiLink split interface:This allows dividing a FortiLink interface on the FortiGate for managing multiple FortiSwitches, but it doesn't provide the true segmentation and administrative isolation that VDOMs offer.

According to theFortiSwitchOS 7.6 Administration Guide(specificallyPage 178) and theFortiSwitch 7.6 Study Guide, the Spanning Tree Protocol (STP) is the fundamental protocol used to manage redundant paths in a Layer 2 network. In the scenario described, where every FortiSwitch connects to every other FortiSwitch, afull Layer 2 meshis created. This architecture inherently produces multiple physical switching loops that, if left unmanaged, would cause catastrophic broadcast storms.

STP is responsible for detecting these loops by exchangingBridge Protocol Data Units (BPDUs). It then mathematically calculates a loop-free logical topology by placing redundant ports into ablocking (discarding)state while keeping primary paths in aforwardingstate. WhileMCLAG (Option A)provides node-level redundancy and eliminates STP delays by allowing two switches to appear as one, it is not a standalone solution for a global full-mesh topology. In fact, Fortinet MCLAG explicitly relies on STP through the mclag-stp-aware feature to detect and prevent loops caused by connections outside the Inter-Chassis Link (ICL).

Therefore, although MCLAG and LAG increase bandwidth and availability,STPremains the required underlying mechanism to maintain network stability in any highly redundant mesh environment. "Full mesh HA" (Option C) is not a defined feature in FortiSwitchOS 7.6.

According to theFortiOS 7.6 Administration Guideand theFortiSwitch 7.6 FortiLink Guide, deploying managed switches over a Layer 3 underlay—such as the public internet—requires a specific tunneling mechanism to bridge Layer 2 broadcast domains. Traditional FortiLink relies on a direct Layer 2 connection; however, for remote sites,FortiLink over VXLANis the standard solution.

FortiLink over VXLAN (Option A):Virtual Extensible LAN (VXLAN) is used to encapsulate Layer 2 Ethernet frames into Layer 3 UDP packets, allowing VLAN-tagged traffic to traverse an ISP's routable network. This enables the FortiGate to manage remote FortiSwitch "islands" as if they were locally connected, maintaining full VLAN segmentation across the WAN.

Layer 3 Termination (Option E):The FortiGate acts as theVirtual Tunnel Endpoint (VTEP). It must have a reachable Layer 3 interface (such as a WAN port with a public IP or an IPsec tunnel interface) to terminate the VXLAN overlay. Once the VXLAN tunnel is terminated at the FortiGate, the encapsulated VLAN traffic is extracted, and the FortiGate can perform inter-VLAN routing and security inspection.

Regarding the incorrect options:Option Bis incorrect because the FortiGate at the central site handles the routing, eliminating the need for a local L3 device.Option Cis a performance consideration but not a functional requirement for basic connectivity.Option Dis often used for security to encrypt the underlay, but IPsec alone does not provide the Layer 2 extension capabilities required for VLAN segmentation; VXLAN is the specific component that handles the MAC-in-UDP encapsulation.

According to theFortiOS 7.6 Study Guideand theFortiSwitch 7.6 FortiLink Guide, the automatic discovery and subsequent management of a FortiSwitch by a FortiGate controller is primarily facilitated by theLink Layer Discovery Protocol (LLDP). LLDP is an industry-standard, layer-2 protocol that allows network devices to advertise their identities and capabilities to neighbors on the same physical link.

When a factory-default FortiSwitch is connected to a FortiGate port (specifically one configured as a FortiLink interface), the switch automatically sends outLLDP advertisements. These advertisements include specificOrganizationally Specific TLVs (Type-Length-Values)that identify the device as a FortiSwitch and provide its management MAC address and current state. The FortiGate "listens" for these LLDP frames; once it receives a frame from a compatible FortiSwitch, it automatically lists the switch in theManaged FortiSwitchinventory as a "discovered" device awaiting authorization.

WhileZero-touch deployment (Option A)describes the overall goal of deploying a switch without manual CLI configuration, it is the underlyingLLDPprotocol that provides the technical mechanism for the initial detection. Once the switch is discovered via LLDP and authorized, the FortiGate uses a DHCP server on the FortiLink interface to assign an IP address to the switch and establishes a secureCAPWAP(Control and Provisioning of Wireless Access Points) tunnel for management. TheFortiLink heartbeat (Option D)is a secondary mechanism usedafterthe connection is established to monitor the health and status of the link, rather than for the initial detection of the device.

According to theFortiOS 7.6 Study Guideand theFortiSwitch 7.6 FortiLink Guide, the health and stability of the control plane between a FortiGate and a managed FortiSwitch are maintained through a continuous keepalive mechanism. Once a FortiSwitch is authorized and transitions to theFL_STATE_READYstate (as shown in the debug output in the exhibit), the devices must ensure the management tunnel remains active.

The primary mechanism for this is theFortiLink heartbeat. The documentation specifies that a managed FortiSwitch sends heartbeat messages to the FortiGate every few seconds over the FortiLink interface. The FortiGate, acting as the controller, must acknowledge these heartbeats to confirm that the switch is still reachable and responding to management commands. If the FortiGate fails to receive a certain number of consecutive heartbeats, it will consider the switch "offline" in the GUI, even if physical link lights remain green.

Checking for these heartbeat exchanges is a critical troubleshooting step to verify that theCAPWAP(Control and Provisioning of Wireless Access Points) based management tunnel is functioning correctly without intermittent drops. Option A is incorrect as port disabling is a configuration choice, not a health check. Option C is incorrect because firmware updates are manual or scheduled, not automatic upon authorization. Option D is a logging function that relies on a healthy management tunnel but is not a direct measure of the FortiLink's operational health.

All hosts behind an authenticated port are allowed access after a successful authentication (A): Once a device on a port successfully authenticates using 802.1X, all other devices connected behind that port also gain network access. This is typical in scenarios where a switch is behind an authenticated port and not each device individually authenticates.

All devices connecting to FortiSwitch must support 802.1X authentication (D): For a network secured with 802.1X, all devices attempting to connect through the FortiSwitch must support and participate in 802.1X authentication to gain access. This ensures that all devices on the network are authenticated before they are allowed to communicate on the network.

When loop guard is enabled on port1 and port2 configured with the same native VLAN (VLAN 10), there are specific scenarios under which port1 can be shut down due to loop guard operation:

A.port1 was shut down by loop guard protection.Loop guard is a specific feature used in network environments to prevent alternative or redundant loops. When loop guard is active, it can shut down a port if it stops receiving BPDU (Bridge Protocol Data Units) on a port that is expected to receive them, assuming a loop or link failure and putting the port into an inconsistent state to prevent potential loops.

B.STP triggered a loop and applied loop guard protection on port1.If the Spanning Tree Protocol (STP) detects a loop or loss of BPDU transmissions while loop guard is enabled, it will proactively shut down the port to prevent network instability or a broadcast storm. This is an essential function of loop guard within the context of STP, providing additional protection against topology changes that could introduce loops.

The output of the diagnose switch physical-ports summary command provides critical insight into how a FortiSwitch is being managed by examiningVLAN assignments,tag protocol identifiers (TPID), andinternal port behavior. In the provided exhibit, several ports—includingport1,port5, and theinternalport—are assigned toVLAN 4094.

According to the FortiSwitchOS 7.6 Administrator Guide,VLAN 4094 is reserved for FortiLink management trafficwhen a FortiSwitch is managed by a FortiGate. FortiLink uses this dedicated VLAN to carry control-plane traffic such as configuration synchronization, monitoring data, LLDP-based discovery, and keepalive messages between the FortiGate and FortiSwitch. The presence of VLAN 4094 on physical interfaces is a strong and explicit indicator ofFortiGate-managed mode.

In standalone or local management mode, FortiSwitch ports typically default toVLAN 1or administrator-defined VLANs, andVLAN 4094 is not automatically assigned. Similarly, FortiSwitch Cloud–managed devices do not use VLAN 4094 in this manner, as cloud management relies on IP connectivity to FortiEdge Cloud rather than FortiLink encapsulation.

Additionally, the internal port showing VLAN 4094 further confirms FortiLink operation, as this internal interface is used by the switch ASIC to communicate with the FortiGate over the FortiLink tunnel. This behavior is documented in FortiOS 7.6 and FortiSwitchOS 7.6 design guides as characteristic of FortiGate-managed FortiSwitch deployments.

Therefore, based on the VLAN assignments shown—specifically the use ofVLAN 4094—the most accurate and fully verified conclusion is thatthe FortiSwitch is managed by FortiGate, makingOption Bthe correct answer.

According to theFortiSwitchOS 7.6 Administration Guideand theFortiSwitch 7.6 Study Guide, Multichassis Link Aggregation (MCLAG) provides node-level redundancy by grouping two physical switches together so that theyappear as a single logical switchto the rest of the network. This logical representation is critical for preventing Spanning Tree Protocol (STP) from blocking redundant uplinks from downstream client switches.

To achieve this "single switch" appearance, the MCLAG peer switches synchronize their STP state andshare the same Bridge ID, which consists of a synchronized bridge MAC address and the same bridge priority. As shown in the exhibits for Core-1 and Core-2, both switches are configured with aBridge MAC of 02090f000701and aPriority of 20480. Because they possess identical identification parameters, each physical switch in the peer group locally recognizes itself as part of the root bridge entity for the MSTP region.

This behavior is intentional and is a fundamental characteristic of MCLAG design in FortiSwitchOS. It ensures that any downstream device, such as Access-1, receives BPDUs with the same bridge ID from both Core-1 and Core-2, thereby treating them as a single high-availability neighbor rather than two separate devices. Option A is incorrect as FortiGate typically does not participate in STP calculations. Option B is incorrect because this "duplicate" root behavior is the expected sign of acorrectlyfunctioning MCLAG control plane. Option D is incorrect as STP remains active to prevent loops elsewhere in the fabric; it is merely logically simplified for the MCLAG domain.