
SD-branch architectures

7.2.3

SD-branch architectures

FortiSwitch units can be adopted as a natural extension of SD-WAN to provide security on the wired LAN edge.

The FortiSwitch unit is an essential cornerstone of the software-defined branch (SD-branch). It completes the SD-WAN architecture by extending security into the access layer through FortiLink, consolidating all of the connectivity in the branch, and providing management and power for the FortiAP units.

In addition, adding a layer of auto-discovery and automation simplifies networking tasks, from potentially complex topology designs to the lack of staff at remote locations, and allows security teams to carry out branch deployments seamlessly.

FortiSwitch units facilitate and enhance network visibility as a first step in taking control of the network, under the umbrella of the FortiGate device, with the FortiManager unit functioning as a single pane of glass.

The following figure shows a typical SD-branch architecture, where a FortiGate device manages various devices through a FortiSwitch unit. Each device is assigned a different VLAN and port.

You can replace one of the WAN links from the FortiGate device to the Internet with a Long Term Evolution (LTE) connection and use it for failover if an outage occurs on the primary link. See FortiExtender documentation for further details.

Small SD-branch

In the following small SD-branch architecture, a single FortiGate device manages multiple FortiSwitch units. The FortiGate device connects directly to each FortiSwitch unit, and each of these FortiLink ports is added to the FortiLink logical interface on the FortiGate unit.

Optionally, you can connect other devices to the FortiGate logical interface. These devices, which must support IEEE 802.1Q VLAN tagging, will have layer-2 connectivity with the FortiSwitch ports.

Medium SD-branch

In the following medium SD-branch architecture, a single FortiGate device manages a stack of several FortiSwitch units.

The FortiGate device connects directly to one FortiSwitch unit using a physical or aggregate interface. The remaining FortiSwitch units connect in a ring using inter-switch links (ISLs).

Optionally, you can connect a standby FortiLink connection to the last FortiSwitch unit in the ring. For this configuration, you create a FortiLink split interface (an aggregate interface that contains one active link and one standby link), so that the standby link takes over if the active FortiLink connection fails.
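The FortiLink split interface described above, shown as an added FortiOS CLI example that is not part of this page: the FortiLink aggregate is named "fortilink", the active and standby links are assumed to be on port3 and port4, and the VDOM is assumed to be "root". Adjust the member ports to match the physical interfaces cabled to the first and last FortiSwitch units in the ring.

```fortios
config system interface
    edit "fortilink"
        set vdom "root"
        set fortilink enable
        set type aggregate
        set member "port3" "port4"
        set fortilink-split-interface enable
    next
end
```

With fortilink-split-interface enabled, only one member of the aggregate carries FortiLink traffic at a time; the other member stays in standby and is brought up when the active link goes down. Keep the split setting enabled when the two members terminate on different FortiSwitch units in the ring, since the ring of ISLs between the switches, not the aggregate itself, provides the alternate path to the access ports.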

Large SD-branch

The following architecture contains HA-mode FortiGate devices with dual-homed FortiSwitch access.

After the MCLAG peer group is created between FortiSwitch 1 and FortiSwitch 2, the MCLAG trunks are automatically established with the access switches (FortiSwitch 3, FortiSwitch 4, and FortiSwitch 5).

Management

The FortiManager unit is also used to centrally manage SD-branch architectures. It allows efficient deployment at scale with zero-touch provisioning. FortiGate devices can initiate the connection to the FortiManager unit, which pushes the relevant configuration, including the switching configuration for all managed switches and for other extension devices in the branch (FortiAP wireless access points and FortiExtender WAN), so that deployment is simple and completed within minutes. This architecture can be replicated across multiple sites for an efficient and consistent deployment at scale.
