Core layer

7.2.3
With the Fortinet solution for integrated networking using FortiLink, the core layer always comprises a set of two to four FortiGate devices and two very high-speed FortiSwitch units, which support a large number of 100-GbE and/or 40-GbE ports with enough capacity to grow the links between them and with the aggregation layer(s). This design provides the maximum level of redundancy and resiliency towards the nonstop forwarding goal that this layer is meant to provide for the entire wired and wireless network and for the external connectivity out of the campus. This layer of redundancy actually reduces the network complexity, especially when networks have three or more aggregation switch pairs (including the data center switches, because these are usually considered part of the aggregation layer, especially with dual-attached servers to the data center Top-of-Rack switches). Without a set of core switches, the redundant links needed to fully mesh n aggregation switches would equal [n × (n − 1)] / 2. On the other hand, with a set of two core switches in between, it is only (n × 2) + 2. So, if n=6, you must provision for 14 links instead of 15. Without a core, each aggregation switch requires 5x100-GbE links to the other switches. With the use of a core layer, each aggregation switch only needs 2x100-GbE links, and the core layer is the only place where you need large numbers of 100-GbE ports. For example, if you have n=10, then you have 22 links instead of 45. In a large campus deployment, it is not practical to run that many optical fibers between buildings.
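The link-count formulas above, carried through as a small capacity-planning check. This is an added example, not code from the Fortinet guide; it assumes one 100-GbE uplink from each aggregation switch to each core switch, two ICL ports per core switch for the dual ICL, and two 100-GbE ports per FortiGate on each core switch (the 32-port FS-3032E figure comes from the page).

```python
# Added example (not from the Fortinet guide): link counts for a full mesh versus
# the two-switch core design, plus a port-budget check for the FS-3032E core switch.
from dataclasses import dataclass

FS3032E_PORTS = 32       # 100-GbE QSFP28 ports per core switch (stated in the guide)
ICL_PORTS_PER_CORE = 2   # dual ICL between the two core switches (assumption: 2 ports each)
FGT_PORTS_PER_CORE = 2   # 100-GbE links from one FortiGate to one core switch (assumption)


def full_mesh_links(n: int) -> int:
    """Redundant point-to-point links needed to fully mesh n aggregation switches."""
    return n * (n - 1) // 2


def core_layer_links(n: int) -> int:
    """Links with a pair of core switches: two uplinks per aggregation switch plus the dual ICL."""
    return n * 2 + 2


@dataclass
class CorePortBudget:
    aggregation_switches: int
    fortigates: int
    ports_used_per_core: int
    ports_free_per_core: int
    fits: bool


def core_port_budget(n: int, fortigates: int) -> CorePortBudget:
    """100-GbE ports consumed on each core switch: aggregation uplinks + ICL + FortiGate links."""
    if not 2 <= fortigates <= 4:
        raise ValueError("the core design uses two to four FortiGate devices")
    used = n + ICL_PORTS_PER_CORE + fortigates * FGT_PORTS_PER_CORE
    return CorePortBudget(n, fortigates, used, FS3032E_PORTS - used, used <= FS3032E_PORTS)


def max_aggregation_switches(fortigates: int) -> int:
    """Largest n for which an FS-3032E core still has a port for every aggregation uplink."""
    return FS3032E_PORTS - ICL_PORTS_PER_CORE - fortigates * FGT_PORTS_PER_CORE


if __name__ == "__main__":
    for n in (6, 10):
        print(f"n={n}: full mesh {full_mesh_links(n)} links, with core {core_layer_links(n)} links")
    print(core_port_budget(10, 2))
    print("max aggregation switches with 4 FortiGates:", max_aggregation_switches(4))
```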

The core layer is critical, yet very simple to design, and allows for network evolution quite easily. Point-to-point links are used between each element, and Fortinet recommends using the MCLAG and dual ICLs between the core switches. The following figure shows the fully distributed set of links meshed between the core FortiGate devices, core FortiSwitch units, and the next aggregation layer of FortiSwitch units.

The FortiGate devices in the core layer can use FGCP in active-passive mode with two to four firewalls or in active-active mode for increased performance through HA load-balancing. FGCP provides failover protection, meaning that a cluster can provide FortiGate services even when one of the devices in the cluster encounters a problem that would result in the complete loss of connectivity for a stand-alone FortiGate unit (no HA). Failover protection provides a backup mechanism that can be used to reduce the risk of unexpected downtime, especially in mission-critical environments. FGCP supports failover protection in four ways:

  • If a link fails

  • If a device loses power

  • If a solid-state drive (SSD) fails

  • If memory use exceeds the threshold for a specified amount of time

When session-pickup is enabled in the HA settings, existing TCP sessions are kept, and users on the network are not impacted by downtime because the traffic can be passed without reestablishing the sessions.

From a spanning tree standpoint (when MCLAG is used in both layers), the core-to-aggregation connection looks like a single link, removing all loops in the topology. This prevents failures at the switch or link level from causing a reconvergence and the resulting period of unavailability.

Core layer platforms

The core layer comprises a combination of two FortiSwitch units and up to four FortiGate devices. The most appropriate FortiSwitch unit to form the core layer must have many 100-GbE ports to serve the aggregation layer and a few additional 100-GbE ports towards the core FortiGate devices.

The following figure shows an FS-3032E core-layer switch.

The FortiSwitch model FS-3032E with 32x100-GbE QSFP28 ports ensures that many aggregation switches can connect simultaneously with little to no possibility of oversubscription and has enough room for multiple 100-GbE ports towards the firewall. The capacity of 6.4 Tbps and its integrated dual AC power supplies with field-replaceable fans in a one-rack-unit form factor provide the necessary characteristics to handle the fully redundant switching requirements of this layer.

When it comes to the core FortiGate devices, the choice depends on the type of traffic and on whether all campus traffic must be secured and filtered at the core level or whether some intranet traffic can be allowed directly between devices in the same VLAN. The capacity to handle the number of switches and access points as a fabric controller should also be considered. The price-to-performance ratio has been taken into account as well, which leads to a limited number of recommended choices at two levels: price optimized and performance optimized.

The price-optimized option consists of a pair of FG-3400E FortiGate devices. With 4x100-GbE QSFP28 slots, it provides enough capacity to directly connect to the two core FortiSwitch units and still allows for expansion because it also has 24x25-GbE ports (with two HA ports for communication between the FortiGate devices). Using the security processing units (SPUs) NP6 and CP9, it accelerates in hardware many of the security and networking protocols (such as CAPWAP) to achieve 240 Gbps in firewall capacity, 44 Gbps in the intrusion prevention system (IPS), 34 Gbps in NGFW, and 25 Gbps in threat protection. It supports control using FortiLink of 300 FortiSwitch units, terminates CAPWAP at 57 Gbps, and also allows control of 4,096 WiFi access points in bridge mode or 2,048 APs in tunnel mode. 2,048 access points can cover around 400,000 square meters of open-space offices, while 4,096 APs can cover up to 800,000 square meters. Based on the International Labour Organization (ILO) recommendation of a minimum of 6 square meters per employee, a campus of between 6,500 and 13,000 employees can be covered with such AP and switching capacity at the core.

The following figure shows the FG-3401E, which provides a core firewall, secure wireless, and switch controller.

You can also use virtual machine FortiGate models like FG-VM16, FG-VM32, or FG-VMUL and their “V” versions to achieve the same number of supported switches and APs in the core layer. However, the requirement for several 100-GbE links towards the core FortiSwitch units, on top of the performance needed to handle that amount of traffic, would likely rule out the VM options as a core platform in this secure campus scenario.

The performance-optimized choice consists of a pair of FG-4200F units. This design can even grow to four FortiGate devices at the core level to process even more next-generation firewall traffic in parallel. With 8x100-GbE QSFP28 slots per FortiGate unit, it provides enough capacity to directly connect with 2x100-GbE ports to each of the two core FortiSwitch units, with nonstop forwarding at up to 800 Gbps of firewall throughput using NP7 and CP9 hardware-accelerated security processing. Each unit has an additional 18x25-GbE/10-GbE ports and is capable of 52 Gbps of IPS, 47 Gbps in NGFW, and 45 Gbps in threat protection. As a network controller, it can manage 300 FortiSwitch units, as well as 8,192 access points in bridge mode or 4,096 APs in tunnel mode, for up to 47 Gbps of CAPWAP traffic. As calculated previously, this covers the needs of 13,000 to 26,000 employees on the campus with such capacity at the core layer.

The following figure shows an FG-4200F, which provides a core firewall, secure wireless, and switch controller.
