7.2.3

Access layer

The access layer is where endpoints (such as phones, laptops, video-conferencing sets, printers, IoT sensors, IP cameras, and servers) primarily connect to the network. Wireless access points are also connected here and extend that access. FortiSwitch units in IDFs (or technical cabinets) spread throughout the floors deliver the ports to outlets in the ceilings, floors, walls, or desks. Depending on the size of the floor, the IDF can also be at a central location, subject to the 100-meter copper cable limit. Through wireless access points, a single Ethernet port can serve tens or hundreds of access devices in this layer. Wired connectivity, however, usually serves a single endpoint per gigabit (or faster) Ethernet port, except where, for example, a PC reaches the network through an IP phone with multiple GigE ports. Dual-attached endpoints such as servers are typically connected to the aggregation layer rather than here. Redundant uplinks from the access layer to the aggregation layer provide security and resiliency for the entire network. The access layer is the collection point for high-performance wired and wireless devices and must have enough capacity to support today's power and bandwidth needs and to scale as the number of devices grows.

Access-layer deployment recommendations

Depicting what the access layer should look like is difficult because it depends on several physical and logical factors that make up the campus. These examples are offered as guidance for building a multi-tiered network supporting all the aforementioned design principles. You will need to adapt them to your specific environment and layout.

These network design proposals are for a network implemented with FortiSwitch units and FortiAP units. A FortiGate device (or a FortiManager unit) is the single-pane-of-glass network manager and controller for the FortiSwitch and FortiAP units.

This section considers use cases for a potentially large campus. Taking into consideration the assumptions made in the design principles, the initial setup uses 4x10-GbE links between the access layer and the aggregation layer.

The following figure shows a typical deployment of a single floor with up to four switches and the connection of the access layer with the aggregation layer.

Each FortiSwitch unit is managed using FortiLink by a FortiGate device in the core layer as part of the Fabric and connects to the aggregation layer with a 10-GbE link. To provide link redundancy, two sets of two switches have an inter-switch link to their closest FortiSwitch neighbor with a second 10-GbE link, forming two distinct loops. If any of the red or green links in the figure fails, connectivity remains active, and the 10:1 oversubscription ratio is respected because 96 GbE ports share a 10-Gbps uplink.

In a scenario where the floor requires five switches or more, redundancy becomes even more critical. To address this requirement, MCLAG is extended down to the access layer by using a pair of high-end switches to create redundant uplinks to the aggregation layer. Enough bandwidth is left for the additional access switches on the floor through multiple 10-GbE links that feed the ring behind the pair.

The following figure shows the typical deployment of a single floor with five switches and single-attached wireless access points.

This design creates a full loop between the access and aggregation layers. Both layers need to implement MCLAG so that all links can be used simultaneously, without relying on STP, which blocks ports and adds delay when it has to converge. MCLAG must therefore be supported even at the access layer, which calls for FortiSwitch 400E and 500D Series models acting as ToR switches.

This design can also be applied with two, three, or four switches per floor, especially because it makes the network independent of spanning tree already at the access layer.

Both FortiSwitch units managed with FortiLink and acting as ToR switches in the access layer have 2x10-GbE ports directly toward the aggregation layer (each 10-GbE link going to a different MCLAG unit on each side). The remaining switches (not connected directly) have at least one 10-GbE link to each of their two closest switches, creating a ring as seen in the preceding figure. You can double (LAG) the green links between the first switch in the ring and the second one to provide more overall throughput (especially during a transient outage) and more resiliency. Using this design, you can go up to eight switches and never need more than 4x10-GbE ports per switch to interconnect other access-layer switches or the aggregation layer. Eight switches on a floor is compatible with wired and wireless access for a floor of 3,200 square meters (approximately 56 m x 56 m) in an open-space environment. If more than this is needed, you can replicate the design in another IDF to stay within the 10:1 oversubscription ratio (and within the 100-m copper cable limitation).

The following figure shows a typical deployment of a single floor with eight switches and single-attached wireless access points.

To extend the design to a floor with nine switches or more (adding a new group for every eight switches), Fortinet recommends splitting the floor into sets of the previous designs with up to eight access switches per group. This protects against oversubscription: with 8x48 GbE ports and the 10:1 oversubscription ratio, you need 38.4 Gbps on the uplink; with 9x48 GbE ports, you need 43.2 Gbps, exceeding the 40-Gbps maximum available with the 4x10-Gbps uplinks.

In the previous designs, access points are connected to a GbE or mGig port on a single switch. The mGig ports would also be within the expected limits with 2.5 Gbps per access point.

In an even higher availability scenario, where wireless is critical and losing the wireless connectivity of an access point is not acceptable, the design for five to eight switches still applies fully because it allows dual attachment of the APs to the ToR MCLAG switches, as shown in the following figure.

In the preceding figure, each AP is dual-attached to the MCLAG switches, between which the blue interchassis link can even be doubled for extra redundancy. In normal operation, the traffic of 384 GbE ports is forwarded towards the aggregation layer using 40 Gbps, which is within the 10:1 ratio. Losing one of the switches connected directly to the aggregation layer removes 48 access ports from the uplinked total, which gives roughly a 15:1 ratio. In the worst-case scenario of one of the red links failing but not the switch, the network still adheres to a 20:1 ratio during the temporary outage. If you want more than four redundant access switches, you need to deploy new sets of 10-GbE uplinks to the aggregation layer to respect the oversubscription recommendations.
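The sizing rule used throughout these designs is one division: total GbE access bandwidth over the uplink bandwidth toward the aggregation layer, kept at or below 10:1. The following Python planner is an added example, not Fortinet code or a FortiOS feature; it reproduces the guide's own figures (48-port switches, 4x10-GbE uplinks, groups of at most eight switches, the 96 ports over 10 Gbps of the four-switch design) and gives the exact arithmetic behind the rounded ratios quoted above for the failure cases. The failure model (each ToR switch carries half of the group's uplinks, so losing a ToR removes its 48 ports and 20 Gbps, while losing only its uplink bundle removes 20 Gbps and no ports) is an assumption stated in the comments, and the `AccessGroup` class and its helpers are hypothetical names introduced here.

```python
"""Added example: oversubscription arithmetic for the access-layer designs.

Illustrative code, not a Fortinet tool. The 10:1 rule is total GbE access
bandwidth divided by the uplink bandwidth toward the aggregation layer.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessGroup:
    """One access-layer group (ToR pair plus ring) sharing a set of uplinks."""
    switches: int                 # access switches in the group
    ports_per_switch: int = 48    # GbE access ports per switch
    uplinks: int = 4              # links toward the aggregation layer
    uplink_gbps: float = 10.0     # speed of each uplink

    @property
    def access_gbps(self) -> float:
        # Every access port counted at 1 Gbps; mGig ports would be
        # counted at their own speed (2.5 or 5 Gbps) instead.
        return float(self.switches * self.ports_per_switch)

    @property
    def uplink_capacity_gbps(self) -> float:
        return self.uplinks * self.uplink_gbps

    def ratio(self, ports_lost: int = 0, uplink_gbps_lost: float = 0.0) -> float:
        """Oversubscription ratio, optionally after losing ports or uplinks."""
        remaining_uplink = self.uplink_capacity_gbps - uplink_gbps_lost
        if remaining_uplink <= 0:
            raise ValueError("no uplink capacity left; the group is isolated")
        return (self.access_gbps - ports_lost) / remaining_uplink

    def within_target(self, target: float = 10.0, **losses) -> bool:
        """True when the (possibly degraded) group stays at or below target."""
        return self.ratio(**losses) <= target


def max_switches_per_group(ports_per_switch: int = 48, uplinks: int = 4,
                           uplink_gbps: float = 10.0, target: float = 10.0) -> int:
    """Largest group that stays at or below the target ratio (8 with the guide's numbers)."""
    return math.floor(target * uplinks * uplink_gbps / ports_per_switch)


def groups_needed(switches: int, **kw) -> int:
    """Number of access groups, each with its own set of uplinks, for a floor."""
    return math.ceil(switches / max_switches_per_group(**kw))


def failure_scenarios(group: AccessGroup) -> dict:
    """The guide's three cases for the MCLAG-at-access design.

    Assumed model: the two ToR switches each carry half of the group's
    uplinks, so losing a ToR switch removes its access ports and half the
    uplink capacity; losing only its uplink bundle removes half the uplink
    capacity and no ports.
    """
    half_uplinks = group.uplink_capacity_gbps / 2
    return {
        "normal": group.ratio(),
        "tor_switch_lost": group.ratio(ports_lost=group.ports_per_switch,
                                       uplink_gbps_lost=half_uplinks),
        "tor_uplinks_lost": group.ratio(uplink_gbps_lost=half_uplinks),
    }


if __name__ == "__main__":
    eight = AccessGroup(switches=8)
    for name, r in failure_scenarios(eight).items():
        print(f"{name:>17}: {r:.1f}:1")
    print("max switches per group:", max_switches_per_group())
    print("groups needed for 9 switches:", groups_needed(9))
    # Four-switch design: two loops of two 48-port switches, each on one 10-GbE link.
    print("two-switch loop on one 10-GbE link:", AccessGroup(switches=2, uplinks=1).ratio())
```

The exact values (9.6:1 normal, 16.8:1 with a ToR switch lost, 19.2:1 with only its uplinks lost) are what the guide rounds to 10:1, roughly 15:1, and 20:1; `max_switches_per_group` returning 8 is the origin of the "groups of eight" rule, and `groups_needed` tells you how many separate 4x10-GbE uplink sets a larger floor requires.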

The following figure shows how to interconnect 10-GbE uplinks between the access layer and aggregation layer with MCLAG at both layers for resiliency.

Access layer platforms

Tightly integrated into the Fortinet Security Fabric with FortiLink, FortiSwitch units can be managed directly from the FortiGate interface and through FortiManager, offering a single pane of glass that you can use to control and deploy the campus. This network topology offers next-generation firewalls with advanced security, core routing, switching, and wireless. This single-pane-of-glass management provides complete visibility and control of users and devices on the network, regardless of how they connect.

This network topology also includes the detection and control of IoT devices to ensure they are not compromised. IoT devices represent a serious risk to networks because they are built more for function than security. IoT devices are beginning to multiply tremendously in all connected buildings and organizations.

From an equipment basis as well as long-term contracts and services, this secure, simple, and scalable campus solution offers simplified operations, increased value for your money, and optimized total cost of ownership (TCO).

At the access layer, several options are provided, primarily depending on the level of feature richness and uplink choices. This design minimizes the number of different products to make maintenance, troubleshooting, and operations simpler for IT, security, and networking staff.

The following figure shows an FS-148F-FPOE access-layer switch.

The 100F Series switches are full-featured entry-level access switches available with 24 or 48 Gigabit Ethernet ports, full PoE options, and 4x10-GbE SFP+ uplinks. An eight-port version with two GbE SFP uplinks also exists for more complex architectures. Because this series does not support MCLAG, these switches are pure access switches, recommended for single-attached end devices. The switches themselves can be dual-homed to Top-of-Rack or aggregation switches, can aggregate multiple links towards the same destination, and can form rings. The 100F Series switches should not be used when access devices need to be attached to two different access switches; use 400E Series or 500D Series switches instead.

The following figure shows an FS-M426E-FPOE access-layer MCLAG-capable switch.

The 400E Series switches are enterprise switches with full functionality, including MCLAG, and come in 24-GbE and 48-GbE port versions with full PoE options. The FortiSwitch M426E-FPOE unit has 16 GbE FPoE ports plus 8x2.5-GbE FPoE ports plus 2x5-GbE ports, with 4x10-GbE SFP+ uplinks, allowing it to power access points while providing multi-gigabit connectivity.

The following figure shows an FS-548D-FPOE access-layer MCLAG-capable switch.

The 500D Series switches are high-end access switches with 4x10-G SFP+ uplink ports (including hardware support for MACsec) and 2x40-G links. If needed, the 40-G ports allow future expansion of the uplinks toward the aggregation layer, halving the oversubscription ratio (80 Gbps instead of 40 Gbps). Expanding the uplinks requires enough 40-GbE ports at the aggregation layer on the other end, which means moving from 1000E Series to 3000E Series FortiSwitch units.