

Deploying MCLAG topologies


This section covers the following topics:

  • Dual-homed servers connected to a pair of FortiSwitch units using an MCLAG
  • Multi-tiered MCLAG with HA-mode FortiGate units
  • Three-tier FortiLink MCLAG configuration
  • HA-mode FortiGate units in different sites

Dual-homed servers connected to a pair of FortiSwitch units using an MCLAG

To configure a multichassis LAG, you need to configure FortiSwitch 1 and FortiSwitch 2 as MCLAG peer switches before creating a two-port LAG. See Transitioning from a FortiLink split interface to a FortiLink MCLAG. Then you set up two MCLAGs towards the servers, each MCLAG using one port from each FortiSwitch unit.

This topology is supported when the FortiGate unit is in HA mode.

NOTE:

  • On the global switch level, mclag-stp-aware must be enabled, and STP must be enabled on all ICL trunks. They are both enabled by default.
  • Fortinet recommends using at least two links for ICL redundancy.

NOTE: If you are going to use IGMP snooping with an MCLAG topology:

  • On the global switch level, mclag-igmpsnooping-aware must be enabled. It is enabled by default.
  • The igmps-flood-traffic and igmps-flood-report settings must be disabled on the ISL and FortiLink trunks but enabled on the ICL trunks. Both settings are enabled by default.
  • IGMP proxy must be enabled.

Step 1: Ensure the MCLAG ICL is already configured between FortiSwitch 1 and FortiSwitch 2.

diagnose switch mclag icl

Step 2: For each server, configure a trunk in FortiSwitch 1 and then configure a trunk in FortiSwitch 2.

The trunk names must match.

To set up FortiSwitch 1:

config switch trunk
    edit server_1
        set members port10
        set mclag enable
    next
    edit server_2
        set members port15
        set mclag enable
    next
end

To set up FortiSwitch 2:

config switch trunk
    edit server_1
        set members port10
        set mclag enable
    next
    edit server_2
        set members port15
        set mclag enable
    next
end

Note

If you disable the MCLAG ICL (with the set mclag-icl disable command), you need to enable the fortilink-split-interface.

Multi-tiered MCLAG with HA-mode FortiGate units

NOTE:

  • Before FortiOS 6.2.0, when using HA-mode FortiGate units to manage FortiSwitch units, the HA mode must be active-passive. Starting in FortiOS 6.2.0, the FortiGate HA mode can be either active-passive or active-active.
  • In this topology, you must use the auto-isl-port-group setting as described in the following configuration example. This setting instructs the switches to group ports from MCLAG peers together into one MCLAG when the inter-switch link (ISL) is formed.
  • The inter-chassis link (ICL) and auto-isl-port-group settings must be done directly on the FortiSwitch unit.
  • On the global switch level, mclag-stp-aware must be enabled, and STP must be enabled on all ICL trunks. They are both enabled by default.

  • Some CLI commands in the following example are entered manually (the original documentation shows them in red); the remaining trunks are formed automatically, as noted in the steps.
  • Fortinet recommends using at least two links for ICL redundancy.

NOTE: If you are going to use IGMP snooping with an MCLAG topology:

  • On the global switch level, mclag-igmpsnooping-aware must be enabled. It is enabled by default.
  • The igmps-flood-traffic and igmps-flood-report settings must be disabled on the ISL and FortiLink trunks but enabled on the ICL trunks. Both settings are enabled by default.
  • IGMP proxy must be enabled.

To configure a multi-tiered MCLAG with HA-mode FortiGate units:
  1. Configure FortiSwitch-1 and FortiSwitch-2 for the tier-1 MCLAG:

    For FortiSwitch-1, enable the ICL on the ISL formed with the MCLAG peer switch:

    config switch trunk
        edit "D243Z14000288-0" // trunk name derived from FortiSwitch-2 SN
            set mode lacp-active
            set auto-isl 1
            set mclag-icl enable
            set members "port21" "port22"
    end

    For FortiSwitch-2, enable the ICL on the ISL formed with the MCLAG peer switch:

    config switch trunk
        edit "D243Z14000289-0" // trunk name derived from FortiSwitch-1 SN
            set mode lacp-active
            set auto-isl 1
            set mclag-icl enable
            set members "port21" "port22"
    end

  2. Continue to configure FortiSwitch-1 for the tier-1 MCLAG:
    1. Configure the two auto-isl-port-groups based on the topology diagram. The group name must match the name that is configured on the peer switch.

      config switch auto-isl-port-group
          edit "distribute-1"
              set members "port1" "port2"
          next
          edit "distribute-2"
              set members "port3" "port4"
      end

    2. After you complete the CLI commands in Steps 1 and 2a, the trunks are automatically formed:

      config switch trunk
          edit "D243Z14000288-0"
              set mode lacp-active
              set auto-isl 1
              set mclag-icl enable
              set members "port21" "port22"
          next
          edit "FG100D3G15817028" // trunk name derived from FortiGate-1
              set mclag enable
              set members "port24" "port23"
          next
          edit "distribute-1"
              set mode lacp-active
              set auto-isl 1
              set mclag enable
              set members "port1" "port2"
          next
          edit "distribute-2"
              set mode lacp-active
              set auto-isl 1
              set mclag enable
              set members "port3" "port4"
          next
      end

  3. Continue to configure FortiSwitch-2 for the tier-1 MCLAG:
    1. Configure the two auto-isl-port-groups based on the topology diagram. The group name must match the name that is configured on the peer switch.

      config switch auto-isl-port-group
          edit "distribute-1"
              set members "port1" "port2"
          next
          edit "distribute-2"
              set members "port3" "port4"
      end

    2. After you complete the CLI commands in Steps 1 and 3a, the trunks are automatically formed:

      config switch trunk
          edit "D243Z14000288-0"
              set mode lacp-active
              set auto-isl 1
              set mclag-icl enable
              set members "port21" "port22"
          next
          edit "FG100D3G15817032" // trunk name derived from FortiGate-2
              set mclag enable
              set members "port24" "port23"
          next
          edit "distribute-1"
              set mode lacp-active
              set auto-isl 1
              set mclag enable
              set members "port1" "port2"
          next
          edit "distribute-2"
              set mode lacp-active
              set auto-isl 1
              set mclag enable
              set members "port3" "port4"
          next
      end

  4. Tier-2 MCLAGs. Enable the ICL between the MCLAG peer switches. For example, configure FortiSwitch-6 as follows.
    1. Change the tier-2 MCLAG peer switches to FortiLink mode and connect them to each other. Enable the ICL on the ISL formed with the MCLAG peer switches.

      config switch trunk
          edit "8DN3X15000026-0" // trunk name derived from FortiSwitch-7 SN
              set mode lacp-active
              set auto-isl 1
              set mclag-icl enable
              set members "port43" "port44"
      end

    2. The trunks are automatically formed as below:

      config switch trunk
          edit "8DN3X15000026-0"
              set mode lacp-active
              set auto-isl 1
              set mclag-icl enable
              set members "port43" "port44"
          next
          edit "_FlInK1_MLAG0_"
              set mode lacp-active
              set auto-isl 1
              set mclag enable
              set members "port48" "port47"
          next
      end

  5. Access FortiSwitch units. The access switch trunks are formed automatically as below.

    On FortiSwitch-6:

    config switch trunk
        edit "_FlInK1_MLAG0_"
            set mode lacp-active
            set auto-isl 1
            set mclag enable
            set members "port48" "port47"
        next
    end

    On FortiSwitch-7:

    config switch trunk
        edit "_FlInK1_MLAG0_"
            set mode lacp-active
            set auto-isl 1
            set mclag enable
            set members "port47" "port48"
        next
    end

    Note

    If you disable the MCLAG ICL (with the set mclag-icl disable command), you need to enable the fortilink-split-interface.

Three-tier FortiLink MCLAG configuration

To create a three-tier FortiLink MCLAG topology, use FortiOS 6.2.3 GA or later and FortiSwitchOS 6.2.3 GA or later.

NOTE: Fortinet recommends using at least two links for ICL redundancy.

To configure the two FortiGate units:
  1. Set up an active-passive or active-active HA configuration.
  2. (Optional) Disable override in the HA CLI configuration.
  3. Use the GUI or CLI to create the FortiLink interface.
  4. Configure the FortiLink interface:

    config system interface
        edit <FortiLink_interface>
            set lacp-mode active
            set fortilink-neighbor-detect lldp
            set fortilink-split-interface disable
            set lldp-reception enable
            set lldp-transmission enable
        next
    end

To configure the FortiSwitch units in the core:
  1. Find the trunk between the two MCLAG switches. Enable mclag-icl on the MCLAG-ICL trunk. The default name of the MCLAG-ICL trunk is the last 13 characters of the peer switch name plus “-0”.

    config switch trunk
        edit <MCLAG-ICL_trunk_name>
            set mclag-icl enable
        next
    end

  2. Create downlink trunks on the MCLAG-ICL switches.

    Note: Only the trunks from the higher tier MCLAG-ICL switches to the next tier MCLAG-ICL switches need this configuration.
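As an added example (not Fortinet's code or tooling), the following Python script applies two rules from this page offline to a pair of FortiSwitch configuration dumps: the ICL trunk naming rule above (last 13 characters of the peer serial plus "-0", with mclag-icl enabled on both peers) and the rule from the dual-homed server procedure that MCLAG trunk names must match on both peers. The serial numbers and configurations in the script are constructed sample data, and the dump layout it parses is the edit/next/end form shown on this page.

```python
"""Offline MCLAG peer-consistency check for a pair of FortiSwitch configurations.

Added example (not Fortinet code). It parses the `config switch trunk` section
of each peer's config and applies this page's rules: the ICL trunk must be
named <last 13 characters of the peer's serial>-0 with `set mclag-icl enable`,
and every MCLAG trunk (`set mclag enable`) must exist under the same name on
both peers. Serial numbers and configs below are constructed sample data.
"""
import re


def parse_trunks(config_text):
    """Return {trunk_name: {setting: raw_value}} from `config switch trunk`.

    Follows the edit/next/end nesting of FortiSwitchOS CLI dumps; a trailing
    "// comment" after an edit name (as used in the documentation) is ignored.
    """
    trunks, current, in_section = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config switch trunk":
            in_section = True
        elif not in_section or not line:
            continue
        elif line == "end":
            in_section, current = False, None
        elif line.startswith("edit "):
            name = re.sub(r"\s*//.*$", "", line[5:]).strip().strip('"')
            current = trunks.setdefault(name, {})
        elif line == "next":
            current = None
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            current[key] = value.strip()
    return trunks


def expected_icl_trunk_name(peer_serial):
    """Default ICL trunk name: the last 13 characters of the peer serial plus '-0'."""
    return peer_serial[-13:] + "-0"


def check_mclag_peers(cfg_a, serial_a, cfg_b, serial_b):
    """Return a list of findings; an empty list means the pair is consistent."""
    trunks = {"A": parse_trunks(cfg_a), "B": parse_trunks(cfg_b)}
    peer_serial = {"A": serial_b, "B": serial_a}
    findings = []
    # Rule 1: each peer carries an ICL trunk named after the other, with mclag-icl enabled.
    for side in ("A", "B"):
        icl_name = expected_icl_trunk_name(peer_serial[side])
        if trunks[side].get(icl_name, {}).get("mclag-icl") != "enable":
            findings.append(f"switch {side}: ICL trunk {icl_name} missing or mclag-icl not enabled")
    # Rule 2: MCLAG trunk names must match on both peers (each with `set mclag enable`).
    mclag = {s: {n for n, t in trunks[s].items() if t.get("mclag") == "enable"} for s in trunks}
    for name in sorted(mclag["A"] ^ mclag["B"]):
        findings.append(f"MCLAG trunk {name} is configured on only one peer")
    return findings


# Constructed sample data: two peers wired as in the dual-homed server topology.
FS1_SERIAL, FS2_SERIAL = "S124DN3X15000001", "S124DN3X15000002"
FS1_CONFIG = """
config switch trunk
    edit "4DN3X15000002-0" // ICL trunk, named after the peer switch serial
        set mode lacp-active
        set auto-isl 1
        set mclag-icl enable
        set members "port21" "port22"
    next
    edit "server_1"
        set members "port10"
        set mclag enable
    next
    edit "server_2"
        set members "port15"
        set mclag enable
    next
end
"""
# A consistent peer mirrors the trunks, with its ICL named after FortiSwitch 1.
FS2_CONFIG_OK = FS1_CONFIG.replace("4DN3X15000002-0", "4DN3X15000001-0")
# Drifted peer: a typo in one trunk name breaks the "trunk names must match" rule.
FS2_CONFIG_DRIFTED = FS2_CONFIG_OK.replace('edit "server_2"', 'edit "server2"')

if __name__ == "__main__":
    for finding in check_mclag_peers(FS1_CONFIG, FS1_SERIAL, FS2_CONFIG_DRIFTED, FS2_SERIAL):
        print(finding)
```

Feed it the output of `show switch trunk` from each peer; it complements, but does not replace, the on-box `diagnose switch mclag peer-consistency-check` command the page uses.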

To configure the three-tier MCLAG topology shown in the following figure:

  1. Configure the tier-1 MCLAG switches.
    1. Connect switch 1 and switch 2 to the FortiGate units and interconnect switch 1 and switch 2.
    2. Wait for both switches to change to FortiLink mode and for both FortiLinks to be up.
    3. Configure the ICL trunks on the inter-switch trunks to form MCLAG switches in FortiLink mode.
    4. Use the diagnose switch mclag peer-consistency-check CLI command to verify that the MCLAG-ICL trunk formed successfully.
    5. Add an auto-isl-port-group for the tier-2 MCLAG switches on both switch 1 and switch 2:

      config switch auto-isl-port-group
          edit tier2-closet-1
              set members port1
          next
          edit tier2-closet-2
              set members port2
          next
      end

  2. Wire all switches in closet 1 by following the figure. Do not make the dotted-line connections for now. Wait for all switches to be up in FortiLink mode.
  3. Add two auto-isl-port-groups for the tier-3 MCLAG switches on both switch 3 and switch 4:

    config switch auto-isl-port-group
        edit tier-2-closet-<1>-downlink-trunk-A
            set members <port_name>
        next
        edit tier-2-closet-<1>-downlink-trunk-B
            set members <port_name>
        next
    end

  4. Enable the tier-2 MCLAG-ICL trunk on switch 4 using the FortiOS CLI of the switch console port.
  5. Enable the tier-3 MCLAG-ICL trunks on switch 6 and switch 8.
    NOTE: The trunk must be configured starting from the switch at the end of the daisy chain.
  6. Enable the tier-3 MCLAG-ICL trunks on switch 5 and switch 7.
  7. Enable the tier-2 MCLAG-ICL trunk on switch 3.
  8. Verify that all the FortiLinks are up and double-check the MCLAG-ICL configuration on each MCLAG switch.
  9. Connect switch 4 to switch 2.
  10. Verify that the FortiLinks are up.
  11. Connect switch 6 and switch 8 to switch 4.
  12. Verify that the FortiLinks are up.
  13. Use the diagnose switch mclag peer CLI command to verify that the tier-1, tier-2, and tier-3 MCLAG switches are formed correctly.
  14. Check the traffic on switch 1 and switch 2 during the configuration.
  15. Repeat steps 2 to 14 for closet 2.
  16. All FortiLinks should be up.

HA-mode FortiGate units in different sites

There are two sites in this topology, each with a FortiGate unit. The two sites share the FortiGate units in active-passive HA mode. The FortiGate units use the FortiSwitch units in FortiLink mode as the heartbeat connections because of limited physical connections between the two sites.

FortiOS 6.4.2 or higher and FortiSwitchOS 6.4.2 or higher are required.

Refer to the other network topologies in Deploying MCLAG topologies.

NOTE: Fortinet recommends using at least two links for ICL redundancy.

The following steps are an example of how to configure this topology:

  1. Disconnect the physical connections between the two sites.
  2. On Site 1:
    1. Use the FortiGate unit to establish the FortiLinks on Site 1. See Configuring FortiLink.
    2. Enable the MCLAG-ICL on the core switches of Site 1. See Transitioning from a FortiLink split interface to a FortiLink MCLAG.
    3. Enable the HA mode and set the heartbeat ports on FortiGate-1. FortiGate port1 and port2 are used as HA heartbeat ports in this example. For example, set hbdev "port1" 242 "port2" 25.
    4. Create a switch VLAN or VLANs dedicated to the FortiGate HA heartbeats between the two FortiGate units. For example:

      config system interface
          edit "hb1"
              set vdom "vdom name"
              set vlanid 998
          next
          edit "hb2"
              set vdom "vdom name"
              set vlanid 999
          next
      end

    5. Under the config switch-controller managed-switch command, set the native VLAN of the switch ports connected to the heartbeat ports using the VLAN created in step 2d.

      In this example, you need to assign port1 of core-switch1 to vlan998 and connect port1 of the active FortiGate unit to port1 of core-switch1. Then you need to assign port1 of core-switch2 to vlan999 and connect port2 of the active FortiGate unit to port1 of core-switch2.

      config switch-controller managed-switch
          edit <site1-core-switch1>
              config ports
                  edit "port1"
                      set vlan "hb1"
                  next
              end
          next
          edit <site1-core-switch2>
              config ports
                  edit "port1"
                      set vlan "hb2"
                  next
              end
          next
      end

    6. Make sure all FortiLinks are up.
  3. On Site 2:
    1. Configure Site 2 using the same configuration as step 2, except for the HA priority.
    2. Make sure all FortiLinks are up.
  4. Disconnect the physical connections for the FortiGate HA and FortiLink interface on Site 2.
  5. Connect the cables between the two pairs of core switches in Site 1 and Site 2.
  6. On both sites:
    1. On the MCLAG Peer Group switches at Site 1, use the config switch auto-isl-port-group command in the FortiSwitch CLI to group the ports to Site 2. See Deploying MCLAG topologies.
    2. On the MCLAG Peer Group switches at Site 2, use the config switch auto-isl-port-group command in the FortiSwitch CLI to group the ports to Site 1. See Deploying MCLAG topologies.
    3. Make sure all the FortiLinks are up.
  7. Connect the FortiGate HA and FortiLink interface connections on Site 2.
  8. Check the configuration:
    1. On both sites, enter the get system ha status command on the FortiGate unit to check the HA status.
    2. On the active (master) FortiGate unit, enter the execute switch-controller get-conn-status command to check the FortiLink state.
  9. In the GUI, the example configuration looks like the following: