Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Devices Managed by FortiOS

Switch redundancy with MCLAG

The following network topologies provide switch redundancy with MCLAG:

Standalone FortiGate unit with dual-homed FortiSwitch access

This network topology provides high port density with two tiers of FortiSwitch units.

See Transitioning from a FortiLink split interface to a FortiLink MCLAG.

After the MCLAG peer group is created between FortiSwitch 1 and FortiSwitch 2, the MCLAG trunks are automatically established with the access switches (FortiSwitch 3 and FortiSwitch 4).

NOTE:

  • On the global switch level, mclag-stp-aware must be enabled, and STP must be enabled on all ICL trunks. They are both enabled by default.

  • Fortinet recommends using at least two links for ICL redundancy.

NOTE: If you are going to use IGMP snooping with an MCLAG topology:

  • On the global switch level, mclag-igmpsnooping-aware must be enabled. It is enabled by default.
  • The igmps-flood-traffic and igmps-flood-report settings must be disabled on the ISL and FortiLink trunks; but the igmps-flood-traffic and igmps-flood-report settings must be enabled on ICL trunks. These settings are enabled by default.
  • IGMP proxy must be enabled.

HA-mode FortiGate units with dual-homed FortiSwitch access

In HA mode, only one FortiGate is active at a time. If the active FortiGate unit fails, the backup FortiGate unit becomes active.

See Transitioning from a FortiLink split interface to a FortiLink MCLAG.

After the MCLAG peer group is created between FortiSwitch 1 and FortiSwitch 2, the MCLAG trunks are automatically established with the access switches (FortiSwitch 3, FortiSwitch 4, and FortiSwitch 5).

NOTE:

  • Before FortiOS 6.2.0, when using HA-mode FortiGate units to manage FortiSwitch units, the HA mode must be active-passive. Starting in FortiOS 6.2.0, the FortiGate HA mode can be either active-passive or active-active.
  • On the global switch level, mclag-stp-aware must be enabled, and STP must be enabled on all ICL trunks. They are both enabled by default.
  • Fortinet recommends using at least two links for ICL redundancy.

NOTE: If you are going to use IGMP snooping with an MCLAG topology:

  • On the global switch level, mclag-igmpsnooping-aware must be enabled. It is enabled by default.
  • The igmps-flood-traffic and igmps-flood-report settings must be disabled on the ISL and FortiLink trunks; but the igmps-flood-traffic and igmps-flood-report settings must be enabled on ICL trunks. These settings are enabled by default.
  • IGMP proxy must be enabled.

HA-mode one-tier MCLAG

HA-mode FortiGate units connect to redundant distribution FortiSwitch units. Access FortiSwitch units are arranged in a stack in each IDF, connected to both distribution switches.

For the FortiLink connection to each distribution switch, you create a FortiLink split interface (an aggregate interface that contains one active link and one standby link).

NOTE:

  • Before FortiSwitchOS 3.6.4, MCLAG was not supported when access rings were present. Starting with FortiSwitchOS 3.6.4, MCLAG is supported, even with access rings present.
  • Before FortiOS 6.2.0, when using HA-mode FortiGate units to manage FortiSwitch units, the HA mode must be active-passive. Starting in FortiOS 6.2.0, the FortiGate HA mode can be either active-passive or active-active.
  • When you are using the aggregate interface on the FortiGate unit for the FortiLink interface, the lacp-mode of the FortiLink aggregate interface must be set to static. Unless MCLAG is enabled and you are using 6.2.0 or later, see Transitioning from a FortiLink split interface to a FortiLink MCLAG for details.
  • On the global switch level, mclag-stp-aware must be enabled, and STP must be enabled on all ICL trunks. They are both enabled by default.

  • This is only an example topology. Other combinations of FortiGate units and FortiSwitch units can be used to create a similar topology.
  • Fortinet recommends using at least two links for ICL redundancy.

NOTE: If you are going to use IGMP snooping with an MCLAG topology:

  • On the global switch level, mclag-igmpsnooping-aware must be enabled. It is enabled by default.
  • The igmps-flood-traffic and igmps-flood-report settings must be disabled on the ISL and FortiLink trunks; but the igmps-flood-traffic and igmps-flood-report settings must be enabled on ICL trunks. These settings are enabled by default.
  • IGMP proxy must be enabled.

FortiLink with an HA cluster of four FortiGate units

A FortiGate HA cluster consists of two to four FortiGate units configured for HA operation. Each FortiGate in a cluster is called a cluster unit. All cluster units must be the same FortiGate model with the same FortiOS firmware build installed. All cluster units must also have the same hardware configuration (for example, the same number of hard disks) and be running in the same operating mode (NAT mode or transparent mode).

In addition, the cluster units must be able to communicate with each other through their heartbeat interfaces. This heartbeat communication is required for the cluster to be created and to continue operating. Without it, the cluster acts like a collection of standalone FortiGate units.

On startup, after configuring the cluster units with the same HA configuration and connecting their heartbeat interfaces, the cluster units use the FortiGate Clustering Protocol (FGCP) to find other FortiGate units configured for HA operation and to negotiate to create a cluster. During cluster operation, the FGCP shares communication and synchronization information among the cluster units over the heartbeat interface link. This communication and synchronization is called the FGCP heartbeat or the HA heartbeat. Often, this is shortened to just heartbeat.

NOTE: You can create an FGCP cluster of up to four FortiGate units.

The cluster uses the FGCP to select the primary unit, and to provide device, link, and session failover. The FGCP also manages the two HA modes; active-passive (failover HA) and active-active (load-balancing HA).

The FGCP supports a cluster of two, three, or four FortiGate units. You can add more than two units to a cluster to improve reliability: if two cluster units fail the third will continue to operate and so on. A cluster of three or four units in active-active mode may improve performance because another cluster unit is available for security profile processing. However, active-active FGCP HA results in diminishing performance returns as you add units to the cluster, so the additional performance achieved by adding the third cluster unit might not be worth the cost.

There are no special requirements for clusters of more than two units. Here are a few recommendations though:

  • The matching heartbeat interfaces of all of the cluster units must be able to communicate with each other. So each unitʼs matching heartbeat interface should be connected to the same switch. If the ha1 interface is used for heartbeat communication, the ha1 interfaces of all of the units in the cluster must be connected together so communication can happen between all of the cluster units over the ha1 interface.
  • Redundant heartbeat interfaces are recommended. You can reduce the number of points of failure by connecting each matching set of heartbeat interfaces to a different switch. This is not a requirement; however, and you can connect both heartbeat interfaces of all cluster units to the same switch. However, if that switch fails the cluster will stop forwarding traffic.
  • For any cluster, a dedicated switch for each heartbeat interface is recommended because of the large volume of heartbeat traffic and to keep heartbeat traffic off of other networks, but it is not required.
  • Full mesh HA can scale to three or four FortiGate units. Full mesh HA is not required if you have more than two units in a cluster.
  • Virtual clustering can only be done with two FortiGate units.
  • Fortinet recommends using at least two links for ICL redundancy.
  • FortiSwitch units must be connected on a NAT VDOM.

The following network topology uses four FortiGate units; each is a 3200D model and is running FortiOS 6.4.0 build 1533. The FortiSwitch models are 1048E, 448D, and 426EF; they are running FortiSwitchOS 6.2.0 build 0202:

HA-mode FortiGate units in different sites

There are two sites in this topology, each with a FortiGate unit. The two sites share the FortiGate units in active-passive HA mode. The FortiGate units use the FortiSwitch units in FortiLink mode as the heartbeat connections because of limited physical connections between the two sites.

FortiOS 6.4.2 or higher and FortiSwitchOS 6.4.2 or higher are required.

For example steps, refer to Deploying MCLAG topologies.

NOTE: Fortinet recommends using at least two links for ICL redundancy.

Isolated LAN/WAN with multiple FortiLink interfaces

This topology makes use of two FortiLink interfaces to provide a dedicated switching layer for each part of the network, LAN and WAN. Each FortiLink interface is independent with its own FortiSwitch VLANs, providing two separate FortiLink stacks.

In this specific example, the FortiLink stack for the LAN networks consists of a two-tier MCLAG topology with dual-homed access switches, whereas the WAN FortiLink stack has a one-tier MCLAG peer group connected to the ISP routers.

Starting with FortiOS 6.4.2, you can use the GUI to entirely manage multiple FortiLink stacks.

Three-tier FortiLink MCLAG configuration

To create a three-tier FortiLink MCLAG topology, use FortiOS 6.2.3 GA or later and FortiSwitchOS 6.2.3 GA or later.

MCLAG can be deployed in up to three tiers to expand the FortiSwitch stack, offering link and switch redundancy with the efficient use of the bandwidth because all links are active.

For the procedure, see Deploying MCLAG topologies.

NOTE: Fortinet recommends using at least two links for ICL redundancy.

Dual-homed servers connected to a pair of FortiSwitch units using an MCLAG

To configure a multichassis LAG, you need to configure FortiSwitch 1 and FortiSwitch 2 as MCLAG peer switches before creating a two-port LAG. Then you set up two MCLAGs towards the servers, each MCLAG using one port from each FortiSwitch unit. For the procedure, see Deploying MCLAG topologies.

This topology is supported when the FortiGate unit is in HA mode.

 

NOTE:

  • On the global switch level, mclag-stp-aware must be enabled, and STP must be enabled on all ICL trunks. They are both enabled by default.
  • Fortinet recommends using at least two links for ICL redundancy.

NOTE: If you are going to use IGMP snooping with an MCLAG topology:

  • On the global switch level, mclag-igmpsnooping-aware must be enabled. It is enabled by default.
  • The igmps-flood-traffic and igmps-flood-report settings must be disabled on the ISL and FortiLink trunks; but the igmps-flood-traffic and igmps-flood-report settings must be enabled on ICL trunks. These settings are enabled by default.
  • IGMP proxy must be enabled.

 

Switch redundancy with MCLAG

The following network topologies provide switch redundancy with MCLAG:

Standalone FortiGate unit with dual-homed FortiSwitch access

This network topology provides high port density with two tiers of FortiSwitch units.

See Transitioning from a FortiLink split interface to a FortiLink MCLAG.

After the MCLAG peer group is created between FortiSwitch 1 and FortiSwitch 2, the MCLAG trunks are automatically established with the access switches (FortiSwitch 3 and FortiSwitch 4).

NOTE:

  • On the global switch level, mclag-stp-aware must be enabled, and STP must be enabled on all ICL trunks. They are both enabled by default.

  • Fortinet recommends using at least two links for ICL redundancy.

NOTE: If you are going to use IGMP snooping with an MCLAG topology:

  • On the global switch level, mclag-igmpsnooping-aware must be enabled. It is enabled by default.
  • The igmps-flood-traffic and igmps-flood-report settings must be disabled on the ISL and FortiLink trunks; but the igmps-flood-traffic and igmps-flood-report settings must be enabled on ICL trunks. These settings are enabled by default.
  • IGMP proxy must be enabled.

HA-mode FortiGate units with dual-homed FortiSwitch access

In HA mode, only one FortiGate is active at a time. If the active FortiGate unit fails, the backup FortiGate unit becomes active.

See Transitioning from a FortiLink split interface to a FortiLink MCLAG.

After the MCLAG peer group is created between FortiSwitch 1 and FortiSwitch 2, the MCLAG trunks are automatically established with the access switches (FortiSwitch 3, FortiSwitch 4, and FortiSwitch 5).

NOTE:

  • Before FortiOS 6.2.0, when using HA-mode FortiGate units to manage FortiSwitch units, the HA mode must be active-passive. Starting in FortiOS 6.2.0, the FortiGate HA mode can be either active-passive or active-active.
  • On the global switch level, mclag-stp-aware must be enabled, and STP must be enabled on all ICL trunks. They are both enabled by default.
  • Fortinet recommends using at least two links for ICL redundancy.

NOTE: If you are going to use IGMP snooping with an MCLAG topology:

  • On the global switch level, mclag-igmpsnooping-aware must be enabled. It is enabled by default.
  • The igmps-flood-traffic and igmps-flood-report settings must be disabled on the ISL and FortiLink trunks; but the igmps-flood-traffic and igmps-flood-report settings must be enabled on ICL trunks. These settings are enabled by default.
  • IGMP proxy must be enabled.

HA-mode one-tier MCLAG

HA-mode FortiGate units connect to redundant distribution FortiSwitch units. Access FortiSwitch units are arranged in a stack in each IDF, connected to both distribution switches.

For the FortiLink connection to each distribution switch, you create a FortiLink split interface (an aggregate interface that contains one active link and one standby link).

NOTE:

  • Before FortiSwitchOS 3.6.4, MCLAG was not supported when access rings were present. Starting with FortiSwitchOS 3.6.4, MCLAG is supported, even with access rings present.
  • Before FortiOS 6.2.0, when using HA-mode FortiGate units to manage FortiSwitch units, the HA mode must be active-passive. Starting in FortiOS 6.2.0, the FortiGate HA mode can be either active-passive or active-active.
  • When you are using the aggregate interface on the FortiGate unit for the FortiLink interface, the lacp-mode of the FortiLink aggregate interface must be set to static. Unless MCLAG is enabled and you are using 6.2.0 or later, see Transitioning from a FortiLink split interface to a FortiLink MCLAG for details.
  • On the global switch level, mclag-stp-aware must be enabled, and STP must be enabled on all ICL trunks. They are both enabled by default.

  • This is only an example topology. Other combinations of FortiGate units and FortiSwitch units can be used to create a similar topology.
  • Fortinet recommends using at least two links for ICL redundancy.

NOTE: If you are going to use IGMP snooping with an MCLAG topology:

  • On the global switch level, mclag-igmpsnooping-aware must be enabled. It is enabled by default.
  • The igmps-flood-traffic and igmps-flood-report settings must be disabled on the ISL and FortiLink trunks; but the igmps-flood-traffic and igmps-flood-report settings must be enabled on ICL trunks. These settings are enabled by default.
  • IGMP proxy must be enabled.

FortiLink with an HA cluster of four FortiGate units

A FortiGate HA cluster consists of two to four FortiGate units configured for HA operation. Each FortiGate in a cluster is called a cluster unit. All cluster units must be the same FortiGate model with the same FortiOS firmware build installed. All cluster units must also have the same hardware configuration (for example, the same number of hard disks) and be running in the same operating mode (NAT mode or transparent mode).

In addition, the cluster units must be able to communicate with each other through their heartbeat interfaces. This heartbeat communication is required for the cluster to be created and to continue operating. Without it, the cluster acts like a collection of standalone FortiGate units.

On startup, after configuring the cluster units with the same HA configuration and connecting their heartbeat interfaces, the cluster units use the FortiGate Clustering Protocol (FGCP) to find other FortiGate units configured for HA operation and to negotiate to create a cluster. During cluster operation, the FGCP shares communication and synchronization information among the cluster units over the heartbeat interface link. This communication and synchronization is called the FGCP heartbeat or the HA heartbeat. Often, this is shortened to just heartbeat.

NOTE: You can create an FGCP cluster of up to four FortiGate units.

The cluster uses the FGCP to select the primary unit, and to provide device, link, and session failover. The FGCP also manages the two HA modes; active-passive (failover HA) and active-active (load-balancing HA).

The FGCP supports a cluster of two, three, or four FortiGate units. You can add more than two units to a cluster to improve reliability: if two cluster units fail the third will continue to operate and so on. A cluster of three or four units in active-active mode may improve performance because another cluster unit is available for security profile processing. However, active-active FGCP HA results in diminishing performance returns as you add units to the cluster, so the additional performance achieved by adding the third cluster unit might not be worth the cost.

There are no special requirements for clusters of more than two units. Here are a few recommendations though:

  • The matching heartbeat interfaces of all of the cluster units must be able to communicate with each other. So each unitʼs matching heartbeat interface should be connected to the same switch. If the ha1 interface is used for heartbeat communication, the ha1 interfaces of all of the units in the cluster must be connected together so communication can happen between all of the cluster units over the ha1 interface.
  • Redundant heartbeat interfaces are recommended. You can reduce the number of points of failure by connecting each matching set of heartbeat interfaces to a different switch. This is not a requirement; however, and you can connect both heartbeat interfaces of all cluster units to the same switch. However, if that switch fails the cluster will stop forwarding traffic.
  • For any cluster, a dedicated switch for each heartbeat interface is recommended because of the large volume of heartbeat traffic and to keep heartbeat traffic off of other networks, but it is not required.
  • Full mesh HA can scale to three or four FortiGate units. Full mesh HA is not required if you have more than two units in a cluster.
  • Virtual clustering can only be done with two FortiGate units.
  • Fortinet recommends using at least two links for ICL redundancy.
  • FortiSwitch units must be connected on a NAT VDOM.

The following network topology uses four FortiGate units; each is a 3200D model and is running FortiOS 6.4.0 build 1533. The FortiSwitch models are 1048E, 448D, and 426EF; they are running FortiSwitchOS 6.2.0 build 0202:

HA-mode FortiGate units in different sites

There are two sites in this topology, each with a FortiGate unit. The two sites share the FortiGate units in active-passive HA mode. The FortiGate units use the FortiSwitch units in FortiLink mode as the heartbeat connections because of limited physical connections between the two sites.

FortiOS 6.4.2 or higher and FortiSwitchOS 6.4.2 or higher are required.

For example steps, refer to Deploying MCLAG topologies.

NOTE: Fortinet recommends using at least two links for ICL redundancy.

Isolated LAN/WAN with multiple FortiLink interfaces

This topology makes use of two FortiLink interfaces to provide a dedicated switching layer for each part of the network, LAN and WAN. Each FortiLink interface is independent with its own FortiSwitch VLANs, providing two separate FortiLink stacks.

In this specific example, the FortiLink stack for the LAN networks consists of a two-tier MCLAG topology with dual-homed access switches, whereas the WAN FortiLink stack has a one-tier MCLAG peer group connected to the ISP routers.

Starting with FortiOS 6.4.2, you can use the GUI to entirely manage multiple FortiLink stacks.

Three-tier FortiLink MCLAG configuration

To create a three-tier FortiLink MCLAG topology, use FortiOS 6.2.3 GA or later and FortiSwitchOS 6.2.3 GA or later.

MCLAG can be deployed in up to three tiers to expand the FortiSwitch stack, offering link and switch redundancy with the efficient use of the bandwidth because all links are active.

For the procedure, see Deploying MCLAG topologies.

NOTE: Fortinet recommends using at least two links for ICL redundancy.

Dual-homed servers connected to a pair of FortiSwitch units using an MCLAG

To configure a multichassis LAG, you need to configure FortiSwitch 1 and FortiSwitch 2 as MCLAG peer switches before creating a two-port LAG. Then you set up two MCLAGs towards the servers, each MCLAG using one port from each FortiSwitch unit. For the procedure, see Deploying MCLAG topologies.

This topology is supported when the FortiGate unit is in HA mode.

 

NOTE:

  • On the global switch level, mclag-stp-aware must be enabled, and STP must be enabled on all ICL trunks. They are both enabled by default.
  • Fortinet recommends using at least two links for ICL redundancy.

NOTE: If you are going to use IGMP snooping with an MCLAG topology:

  • On the global switch level, mclag-igmpsnooping-aware must be enabled. It is enabled by default.
  • The igmps-flood-traffic and igmps-flood-report settings must be disabled on the ISL and FortiLink trunks; but the igmps-flood-traffic and igmps-flood-report settings must be enabled on ICL trunks. These settings are enabled by default.
  • IGMP proxy must be enabled.