
How to properly configure a type hard-switch interface with custom mtu #353

Open
Sniijz opened this issue Jan 17, 2025 · 1 comment

@Sniijz

Sniijz commented Jan 17, 2025

Terraform v1.8.3
on linux_amd64

  • provider registry.terraform.io/fortinetdev/fortios v1.21.1

FortiOS: 7.2.9

Hello!

I'm trying to deploy a type hard-switch interface through Terraform, with a specific MTU of 9216.

To do so, I configured the 3 needed resources: physical_switch, virtual_switch and my type hard-switch interface, like the following:

resource "fortios_system_physicalswitch" "physical_switch" {
  for_each = { for switch_name, switch_data in local.global_system_physicalswitch : "global-physical-switch-${switch_data.name}" => switch_data }
  name     = each.value.name
  age_val  = each.value.age_val
}


resource "fortios_system_virtualswitch" "virtual_switch" {
  for_each        = { for switch_name, switch_data in local.global_system_virtualswitch : "global-virtual-switch-${switch_data.name}" => switch_data }
  name            = each.value.name
  physical_switch = "sw0"
  dynamic "port" {
    for_each = lookup(each.value, "port", [])
    content {
      name = port.value
    }
  }

  depends_on = [fortios_system_physicalswitch.physical_switch]
}

resource "fortios_system_interface" "hard_switch" {
  for_each = { for idx, bonds in local.global_system_interfaces : "${bonds.name}-${bonds.vdom}" => bonds if bonds.type == "hard-switch" }

  name                       = each.value.name
  vdom                       = fortios_system_vdom.vdom["${each.value.vdom}"].id
  type                       = each.value.type
  speed                      = each.value.speed
  mediatype                  = each.value.mediatype
  forward_error_correction   = each.value.forward_error_correction
  ip                         = each.value.ip
  allowaccess                = each.value.allowaccess
  role                       = each.value.role
  alias                      = each.value.alias
  status                     = each.value.status
  lldp_reception             = each.value.lldp_reception
  lldp_transmission          = each.value.lldp_transmission
  src_check                  = each.value.src_check
  device_identification      = each.value.device_identification
  device_user_identification = each.value.device_user_identification
  vlanid                     = each.value.vlanid
  interface                  = each.value.interface
  mtu                        = each.value.mtu
  mtu_override               = each.value.mtu_override

  dynamic "member" {
    for_each = each.value.member != null ? each.value.member : []

    content {
      interface_name = fortios_system_interface.physicalports["${member.value}-${each.value.vdom}"].id
    }
  }

  depends_on = [fortios_system_virtualswitch.virtual_switch]
}

I also configured mtu override and mtu 9216 on the physical ports that are members of the virtual_switch.

We can see the plan was going to apply as wanted, with mtu override enabled and the value set to 9216:

  # fortios_system_interface.hard_switch["Sw2930-FG-traffic"] will be created
  + resource "fortios_system_interface" "hard_switch" {
      + aggregate_type                             = (known after apply)
      + algorithm                                  = (known after apply)
      + alias                                      = "SwitchPortWAN"
      + ap_discover                                = (known after apply)
      + arpforward                                 = (known after apply)
      + auth_type                                  = (known after apply)
      + auto_auth_extension_device                 = (known after apply)
      + autogenerated                              = (known after apply)
      + bfd                                        = (known after apply)
      + bfd_desired_min_tx                         = (known after apply)
      + bfd_detect_mult                            = (known after apply)
      + bfd_required_min_rx                        = (known after apply)
      + broadcast_forward                          = (known after apply)
      + dedicated_to                               = (known after apply)
      + default_purdue_level                       = (known after apply)
      + defaultgw                                  = (known after apply)
      + detectprotocol                             = (known after apply)
      + device_identification                      = "enable"
      + device_user_identification                 = "disable"
      + devindex                                   = (known after apply)
      + dhcp_broadcast_flag                        = (known after apply)
      + dhcp_classless_route_addition              = (known after apply)
      + dhcp_relay_agent_option                    = (known after apply)
      + dhcp_relay_allow_no_end_option             = (known after apply)
      + dhcp_relay_interface_select_method         = (known after apply)
      + dhcp_relay_link_selection                  = (known after apply)
      + dhcp_relay_request_all_server              = (known after apply)
      + dhcp_relay_service                         = (known after apply)
      + dhcp_relay_source_ip                       = (known after apply)
      + dhcp_relay_type                            = (known after apply)
      + dhcp_smart_relay                           = (known after apply)
      + disc_retry_timeout                         = (known after apply)
      + distance                                   = (known after apply)
      + dns_server_override                        = (known after apply)
      + dns_server_protocol                        = (known after apply)
      + drop_fragment                              = (known after apply)
      + drop_overlapped_fragment                   = (known after apply)
      + dynamic_sort_subtable                      = "false"
      + eap_supplicant                             = (known after apply)
      + explicit_ftp_proxy                         = (known after apply)
      + explicit_web_proxy                         = (known after apply)
      + external                                   = (known after apply)
      + fail_action_on_extender                    = (known after apply)
      + fail_alert_method                          = (known after apply)
      + fail_detect                                = (known after apply)
      + fail_detect_option                         = (known after apply)
      + fortilink                                  = (known after apply)
      + fortilink_neighbor_detect                  = (known after apply)
      + fortilink_split_interface                  = (known after apply)
      + fortilink_stacking                         = (known after apply)
      + forward_error_correction                   = (known after apply)
      + get_all_tables                             = "false"
      + gwdetect                                   = (known after apply)
      + ha_priority                                = (known after apply)
      + icmp_accept_redirect                       = (known after apply)
      + icmp_send_redirect                         = (known after apply)
      + id                                         = (known after apply)
      + ident_accept                               = (known after apply)
      + interface                                  = (known after apply)
      + ip                                         = (known after apply)
      + ip_managed_by_fortiipam                    = (known after apply)
      + ipmac                                      = (known after apply)
      + ips_sniffer_mode                           = (known after apply)
      + ipunnumbered                               = (known after apply)
      + l2forward                                  = (known after apply)
      + lacp_ha_secondary                          = (known after apply)
      + lacp_ha_slave                              = (known after apply)
      + lacp_mode                                  = (known after apply)
      + lacp_speed                                 = (known after apply)
      + lcp_echo_interval                          = (known after apply)
      + lcp_max_echo_fails                         = (known after apply)
      + link_up_delay                              = (known after apply)
      + lldp_reception                             = (known after apply)
      + lldp_transmission                          = "enable"
      + macaddr                                    = (known after apply)
      + managed_subnetwork_size                    = (known after apply)
      + management_ip                              = (known after apply)
      + mediatype                                  = (known after apply)
      + min_links                                  = (known after apply)
      + min_links_down                             = (known after apply)
      + mode                                       = (known after apply)
      + monitor_bandwidth                          = (known after apply)
      + mtu                                        = 9216
      + mtu_override                               = "enable"
      + name                                       = "Sw2930"
      + ndiscforward                               = (known after apply)
      + netbios_forward                            = (known after apply)
      + netflow_sample_rate                        = (known after apply)
      + netflow_sampler                            = (known after apply)
      + padt_retry_timeout                         = (known after apply)
      + polling_interval                           = (known after apply)
      + pppoe_egress_cos                           = (known after apply)
      + pppoe_unnumbered_negotiate                 = (known after apply)
      + pptp_auth_type                             = (known after apply)
      + pptp_client                                = (known after apply)
      + pptp_server_ip                             = (known after apply)
      + preserve_session_route                     = (known after apply)
      + priority                                   = (known after apply)
      + priority_override                          = (known after apply)
      + proxy_captive_portal                       = (known after apply)
      + reachable_time                             = (known after apply)
      + remote_ip                                  = (known after apply)
      + role                                       = "lan"
      + sample_direction                           = (known after apply)
      + sample_rate                                = (known after apply)
      + secondary_ip                               = (known after apply)
      + security_ip_auth_bypass                    = (known after apply)
      + security_mac_auth_bypass                   = (known after apply)
      + security_mode                              = (known after apply)
      + sflow_sampler                              = (known after apply)
      + snmp_index                                 = (known after apply)
      + speed                                      = (known after apply)
      + src_check                                  = (known after apply)
      + status                                     = (known after apply)
      + stp                                        = (known after apply)
      + stp_ha_secondary                           = (known after apply)
      + stpforward                                 = (known after apply)
      + stpforward_mode                            = (known after apply)
      + subst                                      = (known after apply)
      + substitute_dst_mac                         = (known after apply)
      + switch_controller_access_vlan              = (known after apply)
      + switch_controller_arp_inspection           = (known after apply)
      + switch_controller_dhcp_snooping            = (known after apply)
      + switch_controller_dhcp_snooping_option82   = (known after apply)
      + switch_controller_dhcp_snooping_verify_mac = (known after apply)
      + switch_controller_feature                  = (known after apply)
      + switch_controller_igmp_snooping            = (known after apply)
      + switch_controller_igmp_snooping_fast_leave = (known after apply)
      + switch_controller_igmp_snooping_proxy      = (known after apply)
      + switch_controller_iot_scanning             = (known after apply)
      + switch_controller_mgmt_vlan                = (known after apply)
      + switch_controller_netflow_collect          = (known after apply)
      + switch_controller_offload                  = (known after apply)
      + switch_controller_offload_gw               = (known after apply)
      + switch_controller_offload_ip               = (known after apply)
      + switch_controller_rspan_mode               = (known after apply)
      + switch_controller_source_ip                = (known after apply)
      + system_id                                  = (known after apply)
      + system_id_type                             = (known after apply)
      + trunk                                      = (known after apply)
      + trust_ip6_1                                = (known after apply)
      + trust_ip6_2                                = (known after apply)
      + trust_ip6_3                                = (known after apply)
      + trust_ip_1                                 = (known after apply)
      + trust_ip_2                                 = (known after apply)
      + trust_ip_3                                 = (known after apply)
      + type                                       = "hard-switch"
      + vdom                                       = "FG-traffic"
      + vdomparam                                  = (known after apply)
      + virtual_mac                                = (known after apply)
      + vlan_protocol                              = (known after apply)
      + vlanforward                                = (known after apply)
      + vrrp_virtual_mac                           = (known after apply)
      + wccp                                       = (known after apply)
      + wins_ip                                    = (known after apply)
    }

Each interface is created properly, except when it comes to the hard switch, where I get the following error:

╷
│ Error: Error creating SystemInterface resource: Internal Server Error - Internal error when processing the request (500)
│ Cli response: 
│ current vf=root:0
│ Please input interface of the physical device first.
│ MTU size not valid. Should be in the range of 68 - 1500.
│ node_check_object fail! for mtu 9216
│ 
│ value parse error before '9216'
│ Command fail. Return code -2
│ Command fail. Return code 1
│ 
│ 
│   with fortios_system_interface.hard_switch["Sw2930-FG-traffic"],
│   on main.tf line 84, in resource "fortios_system_interface" "hard_switch":84: resource "fortios_system_interface" "hard_switch" {
│ 
╵

The final wanted configuration in FortiOS looks like this:

config system interface
    edit "port29"
        set vdom "FG-traffic"
        set type physical
        set mediatype sr
        set snmp-index 29
        set forward-error-correction cl91-rs-fec
        set speed 25000full
        set mtu-override enable
        set mtu 9216
    next
    edit "port30"
        set vdom "FG-traffic"
        set type physical
        set mediatype sr
        set snmp-index 30
        set forward-error-correction cl91-rs-fec
        set speed 25000full
        set mtu-override enable
        set mtu 9216
    next
end
config system physical-switch
    edit "sw0"
        set age-val 0
    next
end
config system virtual-switch
    edit "Sw2930"
        set physical-switch "sw0"
        config port
            edit "port29"
            next
            edit "port30"
            next
        end
    next
end
config system interface
    edit "Sw2930"
        set vdom "FG-traffic"
        set type hard-switch
        set alias "SwitchPortWAN"
        set device-identification enable
        set device-user-identification disable
        set lldp-transmission enable
        set role lan
        set snmp-index 50
        set mtu-override enable
        set mtu 9216
    next
end

In the end, I created the interface through the CLI, set the correct MTU, and manually imported it into my tfstate.

I would like to do it without a manual import, and properly deploy the interface through Terraform with the correct MTU. Any advice on why my MTU couldn't be applied properly?

Thanks!

@MaxxLiu22

Hi @Sniijz ,

Thank you for your question. It seems that the system interface "Sw2930" was automatically created after you set up the virtual switch "Sw2930." In this case, you may need to define autogenerated = "auto" in your fortios_system_interface. This will handle the import process for you. Otherwise, fortios_system_interface might attempt to create a new interface instead of managing the existing one, which could result in an error. Let me know if that doesn't solve your problem.

Thanks,
Maxx
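The failure above (Terraform trying to create a hard-switch interface that FortiOS already auto-generated alongside the virtual switch) can be caught before apply. The script below is an added example, not code from the fortios provider or from either participant: it reads the JSON form of a plan (`terraform show -json plan.out`), assumes the standard `resource_changes` layout, and flags hard-switch `fortios_system_interface` resources being created with the same name as a planned `fortios_system_virtualswitch` but without `autogenerated = "auto"`, the adoption setting named in the reply. The sample plan embedded in it is constructed to mirror this issue.

```python
# Added example (not provider code): pre-apply check for un-adopted hard-switch interfaces.
# Reads a Terraform plan as JSON ("resource_changes" layout assumed) and reports every
# fortios_system_interface of type "hard-switch" that Terraform would *create* although a
# fortios_system_virtualswitch of the same name is in the plan, unless autogenerated == "auto".
import json
import sys


def find_unadopted_hard_switches(plan: dict) -> list[dict]:
    """Return one finding per hard-switch interface that should be adopted, not created."""
    changes = plan.get("resource_changes", [])
    # Names of virtual switches that will exist after this apply (FortiOS auto-creates a
    # system interface with the same name for each of them).
    vswitch_names = {
        rc["change"]["after"]["name"]
        for rc in changes
        if rc.get("type") == "fortios_system_virtualswitch" and rc["change"].get("after")
    }
    findings = []
    for rc in changes:
        if rc.get("type") != "fortios_system_interface":
            continue
        change = rc["change"]
        after = change.get("after") or {}  # None for deletions
        if "create" not in change.get("actions", []) or after.get("type") != "hard-switch":
            continue
        if after.get("name") in vswitch_names and after.get("autogenerated") != "auto":
            findings.append({
                "address": rc["address"],
                "name": after["name"],
                "mtu": after.get("mtu"),
                "fix": 'set autogenerated = "auto" so the provider adopts the interface '
                       "FortiOS created with the virtual switch instead of creating a new one",
            })
    return findings


# Constructed plan excerpt mirroring the issue: virtual switch and hard-switch interface
# both named "Sw2930"; autogenerated is unset, so the create call would fail on FortiOS.
SAMPLE_PLAN = {
    "resource_changes": [
        {"address": 'fortios_system_virtualswitch.virtual_switch["global-virtual-switch-Sw2930"]',
         "type": "fortios_system_virtualswitch",
         "change": {"actions": ["create"], "before": None,
                    "after": {"name": "Sw2930", "physical_switch": "sw0"}}},
        {"address": 'fortios_system_interface.hard_switch["Sw2930-FG-traffic"]',
         "type": "fortios_system_interface",
         "change": {"actions": ["create"], "before": None,
                    "after": {"name": "Sw2930", "type": "hard-switch", "vdom": "FG-traffic",
                              "mtu": 9216, "mtu_override": "enable", "autogenerated": None}}},
    ]
}

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    for f in find_unadopted_hard_switches(plan):
        print(f"{f['address']}: interface {f['name']} (mtu {f['mtu']}) -> {f['fix']}")
```

Run it as `python check_plan.py plan.json` in CI before `terraform apply`; with no argument it runs against the embedded sample.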
