Network topologies for managed FortiSwitches

The FortiGate requires only one active FortiLink to manage all of the subtending FortiSwitches (called stacking).

You can configure the FortiLink as a physical interface or as a logical interface (associated with one or more physical interfaces). Depending on the network topology, you may also configure a standby FortiLink.

For any of the topologies, note the following:

  • All of the managed FortiSwitches will function as one Layer-2 stack where the FortiGate manages each FortiSwitch separately.
  • The active FortiLink carries data as well as management traffic.

Supported topologies

Fortinet recommends the following topologies for managed FortiSwitches:

  • Single FortiGate managing a single FortiSwitch
  • Single FortiGate managing a stack of several FortiSwitches
  • HA-mode FortiGates managing a single FortiSwitch
  • HA-mode FortiGates managing a stack of several FortiSwitches
  • HA-mode FortiGates managing a FortiSwitch two-tier topology
  • Single FortiGate managing multiple FortiSwitches (using a hardware or software switch interface)
  • HA-mode FortiGates managing two-tier FortiSwitches with access rings
  • Dual-homed servers connected to FortiLink tier-1 FortiSwitches using an MCLAG
  • Standalone FortiGate with dual-homed FortiSwitch access
  • HA-mode FortiGates with dual-homed FortiSwitch access

Single FortiGate managing a single FortiSwitch

On the FortiGate, the FortiLink interface is configured as physical or aggregate. The 802.3ad aggregate interface type provides a logical grouping of one or more physical interfaces.

For the aggregate interface, you must disable the split interface on the FortiGate.

Single FortiGate managing a stack of several FortiSwitches

The FortiGate connects directly to one FortiSwitch device using a physical or aggregate interface. The remaining FortiSwitches connect in a ring using inter-switch links (ISLs).

Optionally, you can connect a standby FortiLink connection to the last FortiSwitch. For this configuration, you create a FortiLink Split-Interface (an aggregate interface that contains one active link and one standby link).

HA-mode FortiGates managing a single FortiSwitch

The master and slave FortiGate units both connect a FortiLink to the FortiSwitch. The FortiLink port(s) and interface type must match on the two FortiGate units.

HA-mode FortiGates managing a stack of several FortiSwitches

The master and slave FortiGate units both connect a FortiLink to the first FortiSwitch and (optionally) to the last FortiSwitch. The FortiLink ports and interface type must match on the two FortiGate units.

For the active/standby FortiLink configuration, you create a FortiLink Split-Interface (an aggregate interface that contains one active link and one standby link).

HA-mode FortiGates managing a FortiSwitch two-tier topology

The distribution FortiSwitch connects to the master and slave FortiGate units. The FortiLink port(s) and interface type must match on the two FortiGate units.

Single FortiGate managing multiple FortiSwitches (using a hardware or software switch interface)

The FortiGate connects directly to each FortiSwitch. Each of these FortiLink ports is added to the logical hardware-switch or software-switch interface on the FortiGate.

Optionally, you can connect other devices to the FortiGate logical interface. These devices, which must support IEEE 802.1q VLAN tagging, will have Layer 2 connectivity with the FortiSwitch ports.

Using the hardware or software switch interface in FortiLink mode is not recommended in most cases. It is suitable only when the traffic on the ports is very light, because all traffic between the switches passes through the FortiGate.

HA-mode FortiGates managing two-tier FortiSwitches with access rings

MCLAG is not supported when access rings are present.

HA-mode FortiGates connect to redundant distribution FortiSwitches. Access FortiSwitches are arranged in a stack in each IDF, connected to both distribution switches.

For the FortiLink connection to each distribution switch, you create a FortiLink split interface (an aggregate interface that contains one active link and one standby link).

Dual-homed servers connected to FortiLink tier-1 FortiSwitches using an MCLAG

To configure a multichassis LAG, you need to configure FortiSwitch 1 and FortiSwitch 2 as MCLAG peer switches before creating a two-port LAG. Use the set mclag-icl enable command to create an inter-chassis link (ICL) on each FortiSwitch. Then you set up two MCLAGs towards the servers, each MCLAG using one port from each FortiSwitch. You must disable the FortiLink split interface for the FortiGate.

This topology is supported when the FortiGate is in HA mode.

Standalone FortiGate with dual-homed FortiSwitch access

This network topology provides high port density with two tiers of FortiSwitches.

Use the set mclag-icl enable command to create an ICL on each FortiSwitch.

HA-mode FortiGates with dual-homed FortiSwitch access

In HA mode, only one FortiGate is active at a time. If the active FortiGate fails, the backup FortiGate becomes active.

Use the set mclag-icl enable command to create an ICL on each FortiSwitch.

Grouping FortiSwitches

You can simplify the configuration and management of complex topologies by creating FortiSwitch groups. A group can include one or more FortiSwitches and you can include different models in a group.

config switch-controller switch-group
edit <name>
set description <string>
set members <serial-number> <serial-number> ...
next
end

Grouping FortiSwitches allows you to restart all of the switches in the group instead of restarting them individually. For example, the following command restarts all of the FortiSwitches in a group named my-switch-group:

execute switch-controller restart-swtp my-switch-group

Upgrading the firmware of FortiSwitch groups is easier, too, because fewer commands are needed. See Firmware upgrade of stacked or tiered FortiSwitches.

Stacking configuration

To set up stacking:

  1. Configure the active FortiLink interface on the FortiGate.
  2. (Optional) Configure the standby FortiLink interface.
  3. Connect the FortiSwitches together, based on your chosen topology.

1. Configure the active FortiLink

Configure the FortiLink interface (as described in the FortiLink configuration using the FortiGate GUI chapter).

When you configure the FortiLink interface, the stacking capability is enabled automatically.

2. Configure the standby FortiLink

Configure the standby FortiLink interface. Depending on your configuration, the standby FortiLink might connect to the same FortiGate as the active FortiLink or to a different FortiGate.

If the FortiGate receives discovery requests from two FortiSwitches, the link from one FortiSwitch is selected as active and the link from the other FortiSwitch is selected as standby.

If the active FortiLink fails, FortiGate converts the standby FortiLink to active.

3. Connect the FortiSwitches

Refer to the topology diagrams to see how to connect the FortiSwitches.

Inter-switch links (ISLs) form automatically between the stacked switches.

FortiGate will discover and authorize all of the FortiSwitches that are connected. After this, the FortiGate is ready to manage all of the authorized FortiSwitches.

Disable stacking

To disable stacking, execute the following commands from the FortiGate CLI. In the following example, port4 is the FortiLink interface:

config system interface
edit port4
set fortilink-stacking disable
next
end

Firmware upgrade of stacked or tiered FortiSwitches

In this topology, the core FortiSwitches are model FS-224D-FPOE, and the access FortiSwitches are model FS-124D-POE. Because the switches are stacked or tiered, the procedure to update the firmware is simpler. In the following procedure, the four FortiSwitches are upgraded from 3.6.1 to 3.6.2.

To upgrade the firmware of stacked or tiered FortiSwitches:
  1. Check that all of the FortiSwitches are connected and which firmware versions they are running. For example:

    FG100E4Q16004478 (root) # execute switch-controller get-conn-status
    Managed-devices in current vdom root:

    STACK-NAME: FortiSwitch-Stack-flink
    SWITCH-ID         VERSION  STATUS         ADDRESS      JOIN-TIME                 NAME
    S124DP3X15000118  v3.6.1   Authorized/Up  169.254.1.5  Mon Oct  2 14:06:08 2017  -
    S124DP3X15000380  v3.6.1   Authorized/Up  169.254.1.4  Mon Oct  2 14:05:26 2017  -
    S224DF3X16001718  v3.6.1   Authorized/Up  169.254.1.3  Mon Oct  2 14:05:37 2017  -
    S224DF3X17000238  v3.6.1   Authorized/Up  169.254.1.2  Mon Oct  2 14:06:22 2017  -

  2. Upload the firmware image for each FortiSwitch model (FS-224D-FPOE and FS-124D-POE) from either an FTP or TFTP server. If you are using a virtual domain (VDOM), you must enter the config global command before entering the upload-swtp-image command. FTP and TFTP transfer the image without encryption or authentication, so download the image from the Fortinet support portal, verify its checksum against the value published with the download before serving it, and run the FTP or TFTP server on a trusted management network. For example:

    FG100E4Q16004478 (global) # execute switch-controller upload-swtp-image tftp FSW_124D_POE-v3-build0382-FORTINET.out 172.30.12.18
    Downloading file FSW_124D_POE-v3-build0382-FORTINET.out from tftp server 172.30.12.18...
    ##################
    Image checking ...
    Image MD5 calculating ...
    Image Saving S124DP-IMG.swtp ...
    Successful!
    File Syncing...

    FG100E4Q16004478 (global) # execute switch-controller upload-swtp-image tftp FSW_224D_FPOE-v3-build0382-FORTINET.out 172.30.12.18
    Downloading file FSW_224D_FPOE-v3-build0382-FORTINET.out from tftp server 172.30.12.18...
    ######################
    Image checking ...
    Image MD5 calculating ...
    Image Saving S224DF-IMG.swtp ...
    Successful!
    File Syncing...

  3. Check which firmware images are available. For example:

    FG100E4Q16004478 (root) # execute switch-controller list-swtp-image
    SWTP Images on AC:
    ImageName        ImageSize(B)  ImageInfo             ImageMTime
    S124DP-IMG.swtp  19174985      S124DP-v3.6-build382  Mon Oct  2 14:40:54 2017
    S224DF-IMG.swtp  23277106      S224DF-v3.6-build382  Mon Oct  2 14:42:55 2017

  4. Stage the firmware image for each FortiSwitch model (FS-224D-FPOE and FS-124D-POE). For example:

    FG100E4Q16004478 (root) # execute switch-controller stage-tiered-swtp-image ALL S124DP-IMG.swtp
    Staged Image Version S124DP-v3.6-build382

    FG100E4Q16004478 (root) # execute switch-controller stage-tiered-swtp-image ALL S224DF-IMG.swtp
    Staged Image Version S224DF-v3.6-build382

  5. Check that the correct firmware image is staged for each FortiSwitch. For example:

    FG100E4Q16004478 (root) # diagnose switch-controller dump network-upgrade status
    Device State
    ===========================================================================
    VDOM : root
    S224DF3X16001718
        Running   : S224DF-v3.6.1-build372,170620 (GA)
        Next Boot : S224DF-v3.6-build382, Flash Erase:[100], Flash Write:[100]
    S224DF3X17000238
        Running   : S224DF-v3.6.1-build372,170620 (GA)
        Next Boot : S224DF-v3.6-build382, Flash Erase:[100], Flash Write:[100]
    S124DP3X15000118
        Running   : S124DP-v3.6.1-build372,170620 (GA)
        Next Boot : S124DP-v3.6-build382, Flash Erase:[100], Flash Write:[100]
    S124DP3X15000380
        Running   : S124DP-v3.6.1-build372,170620 (GA)
        Next Boot : S124DP-v3.6-build382, Flash Erase:[100], Flash Write:[100]

  6. Restart the FortiSwitches after a 2-minute delay. For example:

    execute switch-controller restart-swtp-delayed ALL


  7. When the FortiSwitches are running again, check that they are running the new firmware version. For example:

    execute switch-controller get-conn-status
    Managed-devices in current vdom root:

    STACK-NAME: FortiSwitch-Stack-flink
    SWITCH-ID         VERSION  STATUS         ADDRESS      JOIN-TIME                 NAME
    S124DP3X15000118  v3.6.2   Authorized/Up  169.254.1.5  Mon Oct  2 15:26:51 2017  -
    S124DP3X15000380  v3.6.2   Authorized/Up  169.254.1.4  Mon Oct  2 15:26:49 2017  -
    S224DF3X16001718  v3.6.2   Authorized/Up  169.254.1.3  Mon Oct  2 15:25:44 2017  -
    S224DF3X17000238  v3.6.2   Authorized/Up  169.254.1.2  Mon Oct  2 15:25:27 2017  -
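The checks in steps 1, 5 and 7 above are easy to get wrong by eye on a larger stack (a switch that never rejoined is simply absent from the second get-conn-status listing). The following script is an added example, not Fortinet code: it parses the text of execute switch-controller get-conn-status and diagnose switch-controller dump network-upgrade status as shown on this page, confirms that every switch is Authorized/Up before staging, that each switch has the build for its own model fully written as its next-boot image, and that every switch that was present before the restart comes back on the target version. The sample outputs are constructed from the examples on this page; the column layout of other FortiOS releases is an assumption.

```python
# Added example (not Fortinet code): verifies a stacked FortiSwitch firmware
# upgrade from the text of the FortiGate CLI commands used in the steps above.
# Sample outputs are constructed from the examples on this page; the column
# layout of other FortiOS releases is an assumption.
import re

CONN_STATUS_BEFORE = """\
Managed-devices in current vdom root:

STACK-NAME: FortiSwitch-Stack-flink
SWITCH-ID         VERSION  STATUS         ADDRESS      JOIN-TIME                 NAME
S124DP3X15000118  v3.6.1   Authorized/Up  169.254.1.5  Mon Oct  2 14:06:08 2017  -
S124DP3X15000380  v3.6.1   Authorized/Up  169.254.1.4  Mon Oct  2 14:05:26 2017  -
S224DF3X16001718  v3.6.1   Authorized/Up  169.254.1.3  Mon Oct  2 14:05:37 2017  -
S224DF3X17000238  v3.6.1   Authorized/Up  169.254.1.2  Mon Oct  2 14:06:22 2017  -
"""
# Post-restart listing: same switches, new version (join times omitted for brevity).
CONN_STATUS_AFTER = CONN_STATUS_BEFORE.replace("v3.6.1", "v3.6.2")

UPGRADE_STATUS = """\
Device State
====================================================================
VDOM : root
S224DF3X16001718
    Running   : S224DF-v3.6.1-build372,170620 (GA)
    Next Boot : S224DF-v3.6-build382, Flash Erase:[100], Flash Write:[100]
S224DF3X17000238
    Running   : S224DF-v3.6.1-build372,170620 (GA)
    Next Boot : S224DF-v3.6-build382, Flash Erase:[100], Flash Write:[100]
S124DP3X15000118
    Running   : S124DP-v3.6.1-build372,170620 (GA)
    Next Boot : S124DP-v3.6-build382, Flash Erase:[100], Flash Write:[100]
S124DP3X15000380
    Running   : S124DP-v3.6.1-build372,170620 (GA)
    Next Boot : S124DP-v3.6-build382, Flash Erase:[100], Flash Write:[100]
"""

CONN_ROW = re.compile(r"^(?P<serial>S\w+)\s+(?P<version>v[\d.]+)\s+(?P<status>\S+)\s+(?P<addr>[\d.]+)", re.M)
NEXT_BOOT = re.compile(r"Next Boot\s*:\s*(?P<image>[^,]+),\s*Flash Erase:\[(?P<erase>\d+)\],\s*Flash Write:\[(?P<write>\d+)\]")


def parse_conn_status(text):
    """Map switch serial -> (version, status, address) from get-conn-status output."""
    return {m["serial"]: (m["version"], m["status"], m["addr"]) for m in CONN_ROW.finditer(text)}


def parse_upgrade_status(text):
    """Map switch serial -> staged-image details from dump network-upgrade status."""
    result, serial = {}, None
    for line in text.splitlines():
        line = line.strip()
        if re.fullmatch(r"S\w+", line):          # a bare serial number opens a device entry
            serial, result[line] = line, {}
        elif serial and NEXT_BOOT.match(line):
            m = NEXT_BOOT.match(line)
            result[serial].update(next_boot=m["image"], erase=int(m["erase"]), write=int(m["write"]))
    return result


def check_connected(conn):
    """Step 1: every switch must be Authorized/Up before images are staged."""
    return [f"{s}: status {status}" for s, (_, status, _) in conn.items() if status != "Authorized/Up"]


def check_staged(upgrade, serials, build):
    """Step 5: each switch must have <model>-<build> fully written as its Next Boot image."""
    problems = []
    for serial in sorted(serials):
        entry = upgrade.get(serial, {})
        if "next_boot" not in entry:
            problems.append(f"{serial}: no staged image")
            continue
        want = f"{serial[:6]}-{build}"           # model prefix of the serial, e.g. S224DF
        if entry["next_boot"] != want:
            problems.append(f"{serial}: staged {entry['next_boot']}, expected {want}")
        if entry["erase"] != 100 or entry["write"] != 100:
            problems.append(f"{serial}: flash erase/write incomplete")
    return problems


def check_upgraded(before, after, target):
    """Step 7: every switch seen before the restart is back, Authorized/Up, on the target version."""
    problems = []
    for serial in sorted(before):
        if serial not in after:
            problems.append(f"{serial}: did not rejoin the stack")
            continue
        version, status, _ = after[serial]
        if status != "Authorized/Up":
            problems.append(f"{serial}: status {status}")
        if version != target:
            problems.append(f"{serial}: running {version}, expected {target}")
    return problems


if __name__ == "__main__":
    before = parse_conn_status(CONN_STATUS_BEFORE)
    after = parse_conn_status(CONN_STATUS_AFTER)
    staged = parse_upgrade_status(UPGRADE_STATUS)
    for name, problems in (("pre-check", check_connected(before)),
                           ("staging", check_staged(staged, before, "v3.6-build382")),
                           ("post-check", check_upgraded(before, after, "v3.6.2"))):
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Feed it the captured command output instead of the embedded samples; the important property is that check_upgraded starts from the set of serials seen before the restart, so a switch that failed to boot the new image shows up as "did not rejoin the stack" rather than silently disappearing from the listing.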

Transitioning from a FortiLink split interface to a FortiLink MCLAG

In this topology, the FortiLink split interface connects a FortiLink aggregate interface from one FortiGate to two FortiSwitches.

Note the following:

  • This procedure also applies to a FortiGate in HA mode.
  • More links can be added between the FortiGate and FortiSwitch.
  • Connect the tier-2 FortiSwitches only after the MCLAG is set up.

  1. Enable the split interface on the FortiLink aggregate interface. By default, the split interface is enabled. For example:

    config system interface
    edit flinksplit1
    set ip 169.254.3.1 255.255.255.0
    set allowaccess ping capwap https
    set vlanforward enable
    set type aggregate
    set member port4 port5
    set lacp-mode static
    set fortilink enable
    set fortilink-split-interface enable
    next
    end

  2. Log into FortiSwitch 2 using the Connect to CLI button in the FortiGate GUI, use the get switch lldp auto-isl-status command to find out the name of the trunk connecting the peer switches, and change the ISL to an ICL. For example:

    get switch lldp auto-isl-status

    config switch trunk
    edit <trunk_name>
    set mclag-icl enable
    next
    end


  3. Log into FortiSwitch 1 using the Connect to CLI button in the FortiGate GUI, use the get switch lldp auto-isl-status command to find out the name of the trunk connecting the peer switches, and change the ISL to an ICL. For example:

    get switch lldp auto-isl-status

    config switch trunk
    edit <trunk_name>
    set mclag-icl enable
    next
    end


  4. Log into the FortiGate and disable the split interface. For example:

    config system interface
    edit flinksplit1
    set fortilink-split-interface disable
    next
    end


  5. Enable LACP active mode on the FortiLink aggregate interface (set lacp-mode active under config system interface, replacing the static mode configured in step 1).
  6. Check that the LAG is working correctly. For example:

    diagnose netlink aggregate name <aggregate_name>