FortiGate
Article Id 196510
Description

This article discusses issues with using or not using auto-negotiation with Fortinet product 1000BaseT gigabit ethernet interfaces.
Components
  • All Fortinet products with 1000BaseT Gigabit Ethernet interfaces.
Issue Description

Today, all Ethernet devices ship with auto-negotiation enabled by default, because the IEEE 802.3 standard (802.3u, 802.3z, 802.3ab, and so on) requires it, and for 1000BaseT the standard states that the auto-negotiation function SHALL BE USED.

Gigabit transceivers at the physical layer (PHY) of the Open Systems Interconnection (OSI) model use auto-negotiation to advertise the following modes of operation:

  • 1000BaseT in full or half duplex,
  • 100BaseTX in full or half duplex, and
  • 10BaseT in full or half duplex.

Although auto-negotiation can be disabled for 100BaseTX or 10BaseT connectivity, it is always required for normal 1000BaseT operation.

Auto-negotiation is defined in Clause 28 of the 1998 edition of the IEEE Standard (Std) 802.3. Clause 28 defines a standard to address the following goals:

  • Provide easy, plug-and-play upgrades from 10 Mbps, 100 Mbps, and 1000 Mbps as the network infrastructure is upgraded
  • Prevent network disruptions when connecting mixed technologies such as 10BaseT, 100BaseTX, and 1000BaseT
  • Accommodate future PHY (transceiver) solutions
  • Allow manual override of auto-negotiation
  • Support backward compatibility with 10BaseT
  • Provide a parallel detection function to recognize 10BaseT, 100BaseTX, and 100BaseT4 non-NWay devices

In addition, the 1999 standard for Gigabit over copper cabling, IEEE Std 802.3ab (Clause 40, 1000BASE-T, sub-clause 40.5.1), added the following enhancements to the Auto-Negotiation standard:

  • Mandatory auto-negotiation for 1000BaseT
  • Configure master and slave modes for the PHY

During Auto-Negotiation the link partners exchange their advertised abilities, and a priority resolution algorithm selects the best common mode of operation. The following is the normal priority scheme (from highest to lowest) for an auto-negotiated link when a device has all capabilities advertised and advertisement is enabled:

  1. 1000 full duplex
  2. 1000 half duplex
  3. 100 full duplex
  4. 100 half duplex
  5. 10 full duplex
  6. 10 half duplex

The IEEE 802.3 standard default is to run with auto-negotiation enabled. Technology improvements and better interoperation of auto-negotiation make it the preferred mode of operation, and it is required on newer technologies such as 1000BaseT (802.3ab). While the standard for Fast Ethernet allows auto-negotiation to be disabled, vendors are neither required nor recommended to implement that option.

The IEEE 802.3 standard states that you must support and test auto-negotiation enabled to certify a product IEEE 802.3 compliant, and for multivendor interoperability (for example, testing at the UNH Interoperability Laboratory). There are no requirements in the standard to support locked down or forced configurations using auto-negotiation disabled. As a result, there are no requirements for vendors to test multivendor interoperability between products with auto-negotiation disabled.

The IEEE 802.3ab specification does not allow a forced-mode 1000BaseT link, that is, running at 1000 Mbps with auto-negotiation disabled. As a result, many switch vendors do not support forced mode at 1000 Mbps. Some vendors' Gigabit transceivers can be configured for a forced 1000 Mbps mode, but it does not work under certain circumstances.

Auto-Negotiation is performed as part of the initial set-up of the link, and allows the PHYs at each end to advertise their capabilities (speed, PHY type, half or full duplex) and to automatically select the operating mode for communication on the link. Auto-negotiation signaling is used for the following two primary purposes for 1000BASE-T:

  • To negotiate that the PHY is capable of supporting 1000BASE-T half duplex or full duplex transmission.
  • To determine the MASTER-SLAVE relationship between the PHYs at each end of the link. The 1000BASE-T MASTER PHY derives its transmit clock from a local source; the SLAVE PHY uses loop timing, where the clock is recovered from the received data stream.

What this means is that although auto-negotiation (Clauses 22 and 28) is optional for most variants of Ethernet and manual configuration (forced mode) is allowed, this is not the case for Gigabit copper (1000BASE-T).

Locked-down port policies (forcing speed, duplex, and link capabilities with auto-negotiation disabled) are outdated. The legacy and historical reasons for a forced setup with auto-negotiation disabled date back many years, to when the technology was new. Because the technology has matured, the issues of 10 years ago, when 802.3u Fast Ethernet and 802.3z Gigabit Ethernet were new and many vendors had standards-compliance problems, no longer apply. The UNH Interoperability Laboratory is used to ensure vendor compliance. Those issues were resolved with NIC-driver patches, switch firmware, and multiple generations of new product releases over many years. The notion that "auto-negotiation is unreliable" can no longer be substantiated.

Not all network devices can force link capabilities with auto-negotiation disabled. Some switches and drivers support auto-negotiation only, and its use is not optional. If one side does not auto-negotiate (for example, because it is in forced mode), the link partners may fail to synchronize and the link may not come up.
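The priority resolution described above, together with the forced-mode failure just mentioned, as an added example that is not part of the original article. It is a constructed model of the IEEE 802.3 Clause 28 behaviour, not Fortinet code: `resolve_autoneg` picks the highest common mode from the article's priority list, and `parallel_detect` models what an auto-negotiating port learns from a partner that sends no advertisement (parallel detection can only recognize 10BaseT/100BaseTX signalling and always assumes half duplex, and it cannot recognize forced 1000BaseT at all). The function names and the `link_outcome` classifier are assumptions made for this illustration.

```python
from typing import FrozenSet, Optional, Tuple

Mode = Tuple[int, str]  # (speed in Mbps, "full" or "half")

# Priority from highest to lowest, exactly as listed in the article.
PRIORITY: Tuple[Mode, ...] = (
    (1000, "full"), (1000, "half"),
    (100, "full"), (100, "half"),
    (10, "full"), (10, "half"),
)
ALL_MODES: FrozenSet[Mode] = frozenset(PRIORITY)


def resolve_autoneg(local: FrozenSet[Mode], partner: FrozenSet[Mode]) -> Optional[Mode]:
    """Both ends advertise their abilities; pick the highest common mode.

    Returns None when the two advertised sets share no technology, in
    which case the link does not come up.
    """
    common = local & partner
    for mode in PRIORITY:
        if mode in common:
            return mode
    return None


def parallel_detect(local: FrozenSet[Mode], forced: Mode) -> Optional[Mode]:
    """Partner has auto-negotiation disabled and sends no advertisement.

    Constructed model of parallel detection: it recognizes only 10BaseT
    and 100BaseTX link signalling, cannot learn the partner's duplex
    (so the result is always half duplex), and cannot recognize a
    forced 1000BaseT partner at all.
    """
    speed, _duplex = forced
    if speed not in (10, 100):
        return None  # forced 1000BaseT: no link
    detected: Mode = (speed, "half")
    return detected if detected in local else None


def link_outcome(local: FrozenSet[Mode], partner_forced: Mode) -> str:
    """Classify an auto-negotiating port facing a forced-mode partner."""
    ours = parallel_detect(local, partner_forced)
    if ours is None:
        return "down"
    if ours[1] != partner_forced[1]:
        return "duplex mismatch"  # link is up, but collisions/CRC errors follow
    return "up"
```

The "duplex mismatch" outcome is the physical-layer problem that goes undetected when one side is forced to 100 full: the link appears up on both ends while the auto side runs half duplex.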

Even though the standard allows auto-negotiation to be disabled on Fast Ethernet 802.3u and Gigabit Ethernet 802.3z (fiber) technologies, doing so is neither required nor recommended. Do not disable auto-negotiation between switches or NICs unless absolutely required, as physical layer problems may go undetected and result in spanning tree loops. Disabling auto-negotiation should only be used as a troubleshooting aid or a temporary workaround until the auto-negotiation problem is resolved. The alternative to disabling auto-negotiation is to contact the vendor for a software or hardware upgrade that provides IEEE 802.3 compliant Ethernet auto-negotiation support. Old policies from years past that lock ports down with forced settings and auto-negotiation disabled should be discouraged today.