The Fortinet NSE 5 - FortiSwitch 7.6 Administrator (NSE5_FSW_AD-7.6)

According to the FortiSwitchOS 7.6 Administration Guide and the FortiLink 7.6 Study Guide , the Spanning Tree Protocol (STP) is automatically enabled on managed FortiSwitches to ensure a loop-free Layer 2 topology within the FortiLink fabric. When multiple physical paths exist between switches (as shown in the redundant connections between the Core and Access tiers), STP must block one of the paths to prevent a broadcast storm.

The behavior described in the exhibit—where port3 on Access-1 enters a Discarding state —is a result of the STP election process. In a standard STP environment, switches elect a Root Bridge based on the lowest Bridge Priority (or lowest MAC address as a tie-breaker). Once a root is established, other switches identify the "best" path to that root (the Root Port) and block all other redundant paths.

The provided exhibit shows that Access-1 has two paths to the core: one to Core-1 and one to Core-2. The fact that the path to Core-2 is discarded suggests that the STP topology was recalculated when Core-2 was enabled. In the context of Fortinet technical exams for this specific scenario, Option C (Core-2 has the lowest bridge priority) is the standard answer identifying that Core-2's priority settings influenced the STP tree such that Access-1's link to it was determined to be the redundant (alternate) path.

If the switches were configured with MCLAG (Multi-Chassis Link Aggregation) , both physical links would be treated as a single logical trunk, and neither would be in a discarding state. However, without MCLAG, the system relies on bridge priorities to prune the loop. BPDU Guard (Option A) is incorrect because it would administratively shut down the port rather than placing it in an STP "Discarding" state. Option B is incorrect as the switch would not appear in the managed topology if unauthorized.

According to the FortiSwitchOS 7.6 Administration Guide and the FortiSwitch 7.6 Study Guide , the primary physical constraint when deploying PoE devices is the total power capacity of the switch's internal power supply unit (PSU). The provided exhibit shows the PoE status for Access-1 , highlighting three critical metrics: the Unit Power Budget (185.00W) , the current Unit Power Consumption (12.70W) , and the Unit Guard Band .

The Unit Power Budget represents the maximum amount of power the switch can provide to all connected Powered Devices (PDs) simultaneously. As more devices (such as access points, VoIP phones, or cameras) are connected, the cumulative power draw increases. The most important consideration is ensuring that the total PoE consumption does not exceed this budget . If the budget is exceeded, the switch will stop providing power to new devices or, depending on the configuration, may shut down lower-priority ports to protect the system hardware.

In this specific exhibit, the Unit Poe Power Mode is set to Priority Based . This means that if the power consumption approaches the budget limit, the switch will use the configured port priorities (seen as "Low" for port1 and port2) to decide which devices to keep powered. The Guard Band (set to a dynamic value) also plays a role by reserving a small amount of power to handle spikes when devices initialize, further emphasizing that the power budget is a hard limit that must be actively managed by the administrator.

According to the FortiGate Switch Best Practices and the FortiSwitch 7.6 FortiLink Guide , the recommended best practice for a scalable and high-performance FortiLink deployment is to use a link aggregation group (LAG) interface, also known as an 802.3ad aggregate . 3

While a hardware-based switch interface (Option A) offers low latency by switching traffic directly in the ASIC, it has significant limitations regarding scalability and redundancy . Hardware switches are restricted by the number of physical ports on the Integrated Switch Fabric (ISF) and cannot be easily expanded to include additional redundant links as the network grows. Conversely, software-based switch interfaces (Option B) are processed by the system CPU, leading to higher utilization and a lack of NPU hardware acceleration , which makes them unsuitable for high-performance or growing environments. 4

By configuring FortiLink as a LAG (Option C) , the administrator ensures that the network can support future growth seamlessly. A LAG interface allows for the addition of multiple physical ports to increase bandwidth between the FortiGate and the switch fabric while providing link-level redundancy. 5 This configuration is the default for modern FortiOS versions because it supports NPU offloading and serves as the technical prerequisite for more advanced topologies, such as MCLAG (Option D) . While MCLAG is an excellent solution for high availability in multi-switch environments, it is a topology feature rather than the primary interface type used to define the FortiLink connection on the FortiGate unit itself. Therefore, starting with an aggregate (LAG) interface provides the most flexible foundation for migrating to more complex infrastructures as additional switches are added.

According to the FortiSwitchOS 7.6 Administration Guide and the FortiSwitch 7.6 Study Guide , understanding how VLANs are processed on a switch port is fundamental to network segmentation. A FortiSwitch port behaves differently depending on whether traffic is entering (ingress) or leaving (egress) the interface.

First, you can assign only one native VLAN on a port (Option C) . The Native VLAN (often called the PVID or Port VLAN ID) is the default internal ID assigned to any untagged frames arriving at the port. In a managed environment, this is typically set via the FortiGate's switch controller. By design, a single physical interface can only belong to one primary broadcast domain for untagged ingress traffic to ensure there is no ambiguity in the switch's internal forwarding logic.

Second, the untagged VLAN setting applies to egress traffic only (Option B) . While the "Allowed VLANs" list defines which tagged traffic can pass through the port, the "Untagged VLANs" list specifies which of those VLAN tags should be removed by the switch before the frame is transmitted out of the physical port. This is crucial for connecting devices that do not support 802.1Q tagging, such as standard PCs or printers.

Regarding the incorrect options: Option A is incorrect because the "Untagged" list does not define ingress rules; ingress is governed by the Native VLAN for untagged packets and the Allowed list for tagged packets. Option D is incorrect because, in a managed FortiLink environment, all VLAN assignments should be performed through the FortiGate's Switch Controller to ensure centralized management and consistency.

The MAC address "00:50:56:96:e3:fc" appearing in two different VLANs (4089 and 4094) in the diagnostic output indicates it is a MAC address associated with a device that supports traffic from multiple VLANs. Such a behavior is typical of network infrastructure devices like switches or routers, which are configured to allow traffic from various VLANs to pass through a single physical or logical interface. This is essential in network designs that utilize VLANs to segregate network traffic for different departments or use cases while using the same physical infrastructure.

The native VLAN is implicitly part of the allowed VLAN on the port (C) : On a managed FortiSwitch port, the native VLAN, which is the VLAN assigned to untagged traffic, is implicitly included in the list of allowed VLANs. This means it does not need to be explicitly specified when configuring VLAN settings on the port. This configuration simplifies VLAN management and ensures that untagged traffic is handled correctly without additional configuration steps.

"The tool is a Python script that converts the supported settings in a FortiSwitch standalone configuration file to the equivalent FortiOS settings for a managed switch." Reference: FortiSwitch 7.2 Study Guide, page 349

According to the FortiOS 7.6 Study Guide and the FortiSwitch 7.6 FortiLink Guide , the health and stability of the control plane between a FortiGate and a managed FortiSwitch are maintained through a continuous keepalive mechanism. Once a FortiSwitch is authorized and transitions to the FL_STATE_READY state (as shown in the debug output in the exhibit), the devices must ensure the management tunnel remains active.

The primary mechanism for this is the FortiLink heartbeat . The documentation specifies that a managed FortiSwitch sends heartbeat messages to the FortiGate every few seconds over the FortiLink interface. The FortiGate, acting as the controller, must acknowledge these heartbeats to confirm that the switch is still reachable and responding to management commands. If the FortiGate fails to receive a certain number of consecutive heartbeats, it will consider the switch "offline" in the GUI, even if physical link lights remain green.

Checking for these heartbeat exchanges is a critical troubleshooting step to verify that the CAPWAP (Control and Provisioning of Wireless Access Points) based management tunnel is functioning correctly without intermittent drops. Option A is incorrect as port disabling is a configuration choice, not a health check. Option C is incorrect because firmware updates are manual or scheduled, not automatic upon authorization. Option D is a logging function that relies on a healthy management tunnel but is not a direct measure of the FortiLink's operational health.

Enable IGMP snooping proxy (C) : To reduce the number of unwanted IGMP reports processed by the IGMP querier, enabling IGMP snooping proxy is effective. This feature acts as an intermediary between multicast routers and hosts, optimizing the management of IGMP messages by handling report messages locally and reducing unnecessary IGMP traffic across the network. This minimizes the processing load on the IGMP querier and improves overall network efficiency.