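Fortinet NSE 5 - FortiSwitch 7.6 Administrator Online Practice
Last updated: March 9, 2026
You can use the online practice questions to gauge how well you know the Fortinet NSE5_FSW_AD-7.6 exam material and then decide whether to register for the exam.
To pass the exam 100% and save 35% of your preparation time, choose the NSE5_FSW_AD-7.6 dumps (latest real exam questions), which currently include the latest 111 exam questions and answers.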
Answer:
Explanation:
In FortiSwitchOS 7.6, achieving link-level redundancy and active-active uplink utilization across two separate FortiSwitch units requires a technology that operates independently of Spanning Tree Protocol (STP). This requirement is fulfilled by Multichassis Link Aggregation Group (MCLAG).
MCLAG allows two FortiSwitch devices to operate as a logical aggregation peer, presenting themselves as a single logical switch to an upstream device such as a FortiGate. With MCLAG, FortiGate can form a single LACP-based aggregated interface that spans both FortiSwitches. This enables simultaneous use of uplinks on both switches, providing full bandwidth utilization and redundancy without blocking links, which is a fundamental limitation of STP-based designs.
According to the FortiSwitchOS 7.6 Administrator Guide, MCLAG synchronizes control-plane information between the two FortiSwitch peers using inter-switch links (ISLs) and dedicated keepalive mechanisms. This ensures consistent forwarding behavior and loop-free topology while allowing all member links to remain active. If one FortiSwitch fails, traffic continues to flow through the remaining switch with minimal disruption.
The other options do not meet the stated requirement. A standard LAG (Option D) operates only within a single switch and cannot span multiple FortiSwitch units. Multi-tier topology (Option A) and full mesh HA (Option C) describe architectural layouts or FortiGate HA concepts but do not provide link-level aggregation across switches.
Therefore, the only configuration that allows FortiGate to use uplinks on both FortiSwitches simultaneously without relying on STP is Multichassis Link Aggregation Group (MCLAG), making Option B the correct and fully verified answer.
Answer:
Explanation:
Based on the DHCP snooping configuration details provided in the exhibit:
B. FortiSwitch is configured to trust DHCP replies coming on FortiLink interface. The configuration segment shows "trusted ports: port2 FlInK1 MLAG0, " indicating that the FortiSwitch is configured to trust DHCP replies coming from the specified ports, including the FortiLink interface labeled FlInK1. This setup is critical in environments where the FortiLink interface connects directly to a trusted device, such as a FortiGate appliance, ensuring that DHCP traffic on these ports is considered legitimate.
D. Global configuration for DHCP snooping is set to forward DHCP client requests on all ports in the VLAN. The "DHCP Broadcast Mode" set to 'All' under the DHCP Global Configuration indicates that DHCP client requests are allowed to broadcast across all ports within the VLAN. This setting is essential for environments needing broad DHCP client servicing across multiple access ports without restriction, facilitating network connectivity and management.

Answer:
Explanation:
According to the FortiSwitchOS 7.6 Administration Guide and the FortiSwitch 7.6 Study Guide, the primary physical constraint when deploying PoE devices is the total power capacity of the switch's internal power supply unit (PSU). The provided exhibit shows the PoE status for Access-1, highlighting three critical metrics: the Unit Power Budget (185.00W), the current Unit Power Consumption (12.70W), and the Unit Guard Band.
The Unit Power Budget represents the maximum amount of power the switch can provide to all connected Powered Devices (PDs) simultaneously. As more devices (such as access points, VoIP phones, or cameras) are connected, the cumulative power draw increases. The most important consideration is ensuring that the total PoE consumption does not exceed this budget. If the budget is exceeded, the switch will stop providing power to new devices or, depending on the configuration, may shut down lower-priority ports to protect the system hardware.
In this specific exhibit, the Unit Poe Power Mode is set to Priority Based. This means that if the power consumption approaches the budget limit, the switch will use the configured port priorities (seen as "Low" for port1 and port2) to decide which devices to keep powered. The Guard Band (set to a dynamic value) also plays a role by reserving a small amount of power to handle spikes when devices initialize, further emphasizing that the power budget is a hard limit that must be actively managed by the administrator.
Answer:
Explanation:
Enable IGMP snooping proxy (C): To reduce the number of unwanted IGMP reports processed by the IGMP querier, enabling IGMP snooping proxy is effective. This feature acts as an intermediary between multicast routers and hosts, optimizing the management of IGMP messages by handling report messages locally and reducing unnecessary IGMP traffic across the network. This minimizes the processing load on the IGMP querier and improves overall network efficiency.
Answer:
Explanation:
FortiSwitch supports packet capture through various methods, but the Sniffer profile is specifically capable of capturing traffic on both trunks and management interfaces.
Here's why:
Sniffer Profile (B):
Versatile Capture: The sniffer profile in FortiSwitch is designed to capture traffic across different types of interfaces, including trunks (where multiple VLANs are present) and management interfaces (used for controlling and monitoring the switch).
Configuration Flexibility: You can configure sniffer profiles to target specific traffic, offering flexibility in monitoring and troubleshooting network issues on both data and management planes.
Other Options:
SPAN (A) is used mainly for mirroring traffic to another port for analysis but is typically limited in its ability to capture management interface traffic.
sFlow (C) and TCP dump (D) are useful tools but do not specifically align with the capability to universally capture traffic across trunks and management interfaces in the context described.
Reference: For further details on configuring and utilizing sniffer profiles on FortiSwitch, refer to the FortiSwitch management documentation: Fortinet Product Documentation
Answer:
Explanation:
In mixed-vendor network environments, such as deployments that include both FortiSwitch and Cisco devices, proper Layer 2 discovery protocols must be enabled to allow devices to automatically discover neighbors and exchange essential device and interface information. FortiSwitchOS 7.6 supports both Cisco Discovery Protocol (CDP) and Link Layer Discovery Protocol (LLDP) to ensure interoperability.
Cisco Discovery Protocol (CDP) is a Cisco-proprietary Layer 2 discovery protocol widely used by Cisco switches, routers, and IP phones. When CDP is enabled on FortiSwitch interfaces, Cisco devices can discover FortiSwitch neighbors and receive information such as device ID, port ID, platform, and capabilities. This is particularly important in Cisco-centric networks where CDP is the primary discovery mechanism.
Link Layer Discovery Protocol (LLDP), defined by IEEE 802.1AB, is a vendor-neutral discovery protocol supported by both Fortinet and Cisco devices. Enabling LLDP allows FortiSwitch and Cisco devices to exchange standardized information including system name, port description, VLAN information, and management address. LLDP is essential for cross-vendor compatibility and is commonly enabled by default in modern enterprise networks.
The remaining options are incorrect. Unidirectional Link Detection (UDLD) is used to detect unidirectional fiber or copper link failures and does not provide device discovery or information exchange. LLDP-MED is an extension of LLDP specifically designed for media endpoints such as IP phones and is not required for general switch-to-switch discovery.
Therefore, to ensure automatic discovery and information exchange between FortiSwitch and Cisco devices, both CDP and LLDP must be enabled, making Options B and C the correct and fully verified answers based on FortiSwitchOS 7.6 documentation.
Answer:
Explanation:
Fortinet FortiLink Protocol: The FortiLink protocol is Fortinet's proprietary mechanism for managing FortiSwitch units from a FortiGate firewall. It simplifies configuration and security policy enforcement across the connected network devices.
Auto-Discovery: FortiLink's auto-discovery feature means that by default, all ports on a FortiSwitch will actively send out discovery frames. This allows them to locate a FortiGate device that has a FortiLink interface enabled, streamlining the device management process.
No Configuration Needed: You don't have to manually configure individual ports for FortiLink discovery on FortiSwitch devices.
Reference:
FortiSwitchOS FortiLink Guide (FortiSwitch Devices Managed by FortiOS 7.6): Refer to pages 13 and 14 for details on zero-touch management and FortiLink configuration.
[https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/27f63c72-b083-11ec-9fd1-fa163e15d75b/FortiSwitchOS-7.6.0-FortiLink_Guide%E2%80%94FortiSwitch_Devices_Managed_by_FortiOS_7.6.pdf]

Answer:
Explanation:
According to the FortiSwitchOS 7.6 Administration Guide and the FortiSwitch 7.6 Study Guide, Multichassis Link Aggregation (MCLAG) provides node-level redundancy by grouping two physical switches together so that they appear as a single logical switch to the rest of the network. This logical representation is critical for preventing Spanning Tree Protocol (STP) from blocking redundant uplinks from downstream client switches.
To achieve this "single switch" appearance, the MCLAG peer switches synchronize their STP state and share the same Bridge ID, which consists of a synchronized bridge MAC address and the same bridge priority. As shown in the exhibits for Core-1 and Core-2, both switches are configured with a Bridge MAC of 02090f000701 and a Priority of 20480. Because they possess identical identification parameters, each physical switch in the peer group locally recognizes itself as part of the root bridge entity for the MSTP region.
This behavior is intentional and is a fundamental characteristic of MCLAG design in FortiSwitchOS. It ensures that any downstream device, such as Access-1, receives BPDUs with the same bridge ID from both Core-1 and Core-2, thereby treating them as a single high-availability neighbor rather than two separate devices.
Option A is incorrect as FortiGate typically does not participate in STP calculations.
Option B is incorrect because this "duplicate" root behavior is the expected sign of a correctly functioning MCLAG control plane.
Option D is incorrect as STP remains active to prevent loops elsewhere in the fabric; it is merely logically simplified for the MCLAG domain.

Answer:
Explanation:
The output of the diagnose switch physical-ports summary command provides critical insight into how a FortiSwitch is being managed by examining VLAN assignments, tag protocol identifiers (TPID), and internal port behavior. In the provided exhibit, several ports, including port1, port5, and the internal port, are assigned to VLAN 4094.
According to the FortiSwitchOS 7.6 Administrator Guide, VLAN 4094 is reserved for FortiLink management traffic when a FortiSwitch is managed by a FortiGate. FortiLink uses this dedicated VLAN to carry control-plane traffic such as configuration synchronization, monitoring data, LLDP-based discovery, and keepalive messages between the FortiGate and FortiSwitch. The presence of VLAN 4094 on physical interfaces is a strong and explicit indicator of FortiGate-managed mode.
In standalone or local management mode, FortiSwitch ports typically default to VLAN 1 or administrator-defined VLANs, and VLAN 4094 is not automatically assigned. Similarly, FortiSwitch Cloud-managed devices do not use VLAN 4094 in this manner, as cloud management relies on IP connectivity to FortiEdge Cloud rather than FortiLink encapsulation.
Additionally, the internal port showing VLAN 4094 further confirms FortiLink operation, as this internal interface is used by the switch ASIC to communicate with the FortiGate over the FortiLink tunnel. This behavior is documented in FortiOS 7.6 and FortiSwitchOS 7.6 design guides as characteristic of FortiGate-managed FortiSwitch deployments.
Therefore, based on the VLAN assignments shown, specifically the use of VLAN 4094, the most accurate and fully verified conclusion is that the FortiSwitch is managed by FortiGate, making Option B the correct answer.

Answer:
Explanation:
When loop guard is enabled on port1 and port2 configured with the same native VLAN (VLAN 10), there are specific scenarios under which port1 can be shut down due to loop guard operation:
A. port1 was shut down by loop guard protection. Loop guard is a specific feature used in network environments to prevent alternative or redundant loops. When loop guard is active, it can shut down a port if it stops receiving BPDU (Bridge Protocol Data Units) on a port that is expected to receive them, assuming a loop or link failure and putting the port into an inconsistent state to prevent potential loops.
B. STP triggered a loop and applied loop guard protection on port1. If the Spanning Tree Protocol (STP) detects a loop or loss of BPDU transmissions while loop guard is enabled, it will proactively shut down the port to prevent network instability or a broadcast storm. This is an essential function of loop guard within the context of STP, providing additional protection against topology changes that could introduce loops.
Reference: Additional details about loop guard functionality and STP interaction can be found in the FortiSwitch administration guides, accessible via Fortinet Documentation.
Answer:
Explanation:
All hosts behind an authenticated port are allowed access after a successful authentication (A): Once a device on a port successfully authenticates using 802.1X, all other devices connected behind that port also gain network access. This is typical in scenarios where a switch is behind an authenticated port and not each device individually authenticates.
All devices connecting to FortiSwitch must support 802.1X authentication (D): For a network secured with 802.1X, all devices attempting to connect through the FortiSwitch must support and participate in 802.1X authentication to gain access. This ensures that all devices on the network are authenticated before they are allowed to communicate on the network.

Answer:
Explanation:
According to the FortiOS 7.6 Study Guide and the FortiSwitch 7.6 FortiLink Guide, the health and stability of the control plane between a FortiGate and a managed FortiSwitch are maintained through a continuous keepalive mechanism. Once a FortiSwitch is authorized and transitions to the FL_STATE_READY state (as shown in the debug output in the exhibit), the devices must ensure the management tunnel remains active.
The primary mechanism for this is the FortiLink heartbeat. The documentation specifies that a managed FortiSwitch sends heartbeat messages to the FortiGate every few seconds over the FortiLink interface. The FortiGate, acting as the controller, must acknowledge these heartbeats to confirm that the switch is still reachable and responding to management commands. If the FortiGate fails to receive a certain number of consecutive heartbeats, it will consider the switch "offline" in the GUI, even if physical link lights remain green.
Checking for these heartbeat exchanges is a critical troubleshooting step to verify that the CAPWAP (Control and Provisioning of Wireless Access Points) based management tunnel is functioning correctly without intermittent drops.
Option A is incorrect as port disabling is a configuration choice, not a health check.
Option C is incorrect because firmware updates are manual or scheduled, not automatic upon authorization.
Option D is a logging function that relies on a healthy management tunnel but is not a direct measure of the FortiLink's operational health.
Answer:
Explanation:
According to the FortiOS 7.6 Study Guide and the FortiSwitch 7.6 FortiLink Guide, the automatic discovery and subsequent management of a FortiSwitch by a FortiGate controller is primarily facilitated by the Link Layer Discovery Protocol (LLDP). LLDP is an industry-standard, layer-2 protocol that allows network devices to advertise their identities and capabilities to neighbors on the same physical link.
When a factory-default FortiSwitch is connected to a FortiGate port (specifically one configured as a FortiLink interface), the switch automatically sends out LLDP advertisements. These advertisements include specific Organizationally Specific TLVs (Type-Length-Values) that identify the device as a FortiSwitch and provide its management MAC address and current state. The FortiGate "listens" for these LLDP frames; once it receives a frame from a compatible FortiSwitch, it automatically lists the switch in the Managed FortiSwitch inventory as a "discovered" device awaiting authorization.
While Zero-touch deployment (Option A) describes the overall goal of deploying a switch without manual CLI configuration, it is the underlying LLDP protocol that provides the technical mechanism for the initial detection. Once the switch is discovered via LLDP and authorized, the FortiGate uses a DHCP server on the FortiLink interface to assign an IP address to the switch and establishes a secure CAPWAP (Control and Provisioning of Wireless Access Points) tunnel for management. The FortiLink heartbeat (Option D) is a secondary mechanism used after the connection is established to monitor the health and status of the link, rather than for the initial detection of the device.
Answer:
Explanation:
According to the FortiOS 7.6 Administration Guide and the FortiSwitch 7.6 FortiLink Guide, deploying managed switches over a Layer 3 underlay, such as the public internet, requires a specific tunneling mechanism to bridge Layer 2 broadcast domains. Traditional FortiLink relies on a direct Layer 2 connection; however, for remote sites, FortiLink over VXLAN is the standard solution.
FortiLink over VXLAN (Option A): Virtual Extensible LAN (VXLAN) is used to encapsulate Layer 2 Ethernet frames into Layer 3 UDP packets, allowing VLAN-tagged traffic to traverse an ISP's routable network. This enables the FortiGate to manage remote FortiSwitch "islands" as if they were locally connected, maintaining full VLAN segmentation across the WAN.
Layer 3 Termination (Option E): The FortiGate acts as the Virtual Tunnel Endpoint (VTEP). It must have a reachable Layer 3 interface (such as a WAN port with a public IP or an IPsec tunnel interface) to terminate the VXLAN overlay. Once the VXLAN tunnel is terminated at the FortiGate, the encapsulated VLAN traffic is extracted, and the FortiGate can perform inter-VLAN routing and security inspection.
Regarding the incorrect options:
Option B is incorrect because the FortiGate at the central site handles the routing, eliminating the need for a local L3 device.
Option C is a performance consideration but not a functional requirement for basic connectivity.
Option D is often used for security to encrypt the underlay, but IPsec alone does not provide the Layer 2 extension capabilities required for VLAN segmentation; VXLAN is the specific component that handles the MAC-in-UDP encapsulation.
Answer:
Explanation:
According to the FortiSwitchOS 7.6 Administration Guide (specifically Page 178) and the FortiSwitch 7.6 Study Guide, the Spanning Tree Protocol (STP) is the fundamental protocol used to manage redundant paths in a Layer 2 network. In the scenario described, where every FortiSwitch connects to every other FortiSwitch, a full Layer 2 mesh is created. This architecture inherently produces multiple physical switching loops that, if left unmanaged, would cause catastrophic broadcast storms.
STP is responsible for detecting these loops by exchanging Bridge Protocol Data Units (BPDUs). It then mathematically calculates a loop-free logical topology by placing redundant ports into a blocking (discarding) state while keeping primary paths in a forwarding state. While MCLAG (Option A) provides node-level redundancy and eliminates STP delays by allowing two switches to appear as one, it is not a standalone solution for a global full-mesh topology. In fact, Fortinet MCLAG explicitly relies on STP through the mclag-stp-aware feature to detect and prevent loops caused by connections outside the Inter-Chassis Link (ICL).
Therefore, although MCLAG and LAG increase bandwidth and availability, STP remains the required underlying mechanism to maintain network stability in any highly redundant mesh environment. "Full mesh HA" (Option C) is not a defined feature in FortiSwitchOS 7.6.