Reference architectures

7.2.3
This section describes how the reference architecture for campus deployments can be implemented with the Fortinet solution, leveraging the tiered recommendation described in Wired local area network basics (access, aggregation, and core layers).

The solution is based on the FortiSwitch units being managed by a FortiGate device using FortiLink.

Security Fabric integration through FortiLink

All the proposed designs rely on FortiSwitch units being managed from the central FortiGate platform through FortiLink, or from a FortiManager unit that manages the FortiGate devices. FortiLink is Fortinet's mechanism for extending the Fortinet Security Fabric down to the Ethernet switch port: the same policies configured and applied to FortiGate interfaces can be applied to FortiSwitch Ethernet ports, which reduces complexity and management cost. Because the FortiGate has visibility of the whole access layer, administrators implement and manage security and access-layer functions from a single console with centralized policy management (including role-based access control). Users and devices are authenticated against the same identity store and receive the same security policy regardless of how or where they connect to the network. FortiManager provides the single-pane-of-glass network operations center (NOC) view of the overall deployment, covering in one place the security and network elements of the campus and of multiple remote branch offices, especially when SD-Branch is used. Network and security teams therefore work hand-in-hand from the same view of the network and of every element of the security through the Fabric. This is a major differentiator for Fortinet in the market.

MCLAG

The key to scaling and optimizing the reference architecture is the multichassis link aggregation group (MCLAG). It allows a switch pair to appear as a single device to other network elements. MCLAG has the advantage of allowing all uplinks between switches to be active and passing traffic, resulting in higher capacity and availability. It removes the dependency on STP for redundancy; STP would block redundant links instead of using their capacity. With 802.1D defaults, a traditional (non-rapid) STP port takes 30 to 50 seconds to move from blocking to forwarding, so MCLAG also improves convergence: recovery from an incident on the active forwarding path is much quicker. All uplinks can therefore be used at capacity to meet network demands and provide better oversubscription ratios.

MCLAG switches are interconnected through dedicated links called interchassis links (ICLs). Fortinet recommends using at least two links for ICL redundancy, which can be, depending on the need, 10-GbE, 40-GbE, or 100-GbE ports. If an MCLAG member switch fails, the other member continues to forward traffic without any configuration change.

The following figure shows two FortiSwitch MCLAG pairs and two ICLs.
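The FortiLink uplink and the MCLAG pair described above, as an added FortiOS CLI example (not configuration taken from this page): it builds the core tier of the tiered architecture, one FortiLink aggregate from the FortiGate to both core switches, the two-link ICL between them, and one MCLAG trunk towards an aggregation pair. The switch serial numbers, FortiGate port names, trunk names and the name "fortilink" are assumptions; the command tree is the FortiOS 7.2 switch-controller CLI.

```text
# FortiGate (FortiOS 7.2) CLI, added example. Assumed, not from the page:
# FortiGate ports x1 and x2 are cabled to core switches S524DF4K15000001
# (core-a) and S524DF4K15000002 (core-b); port47/port48 on each switch
# form the ICL; port1 on each switch faces the first aggregation pair.

# 1. FortiLink uplink: one aggregate whose members land on both MCLAG peers.
#    fortilink-split-interface must be disabled so both links stay active.
#    allowaccess is limited to the fabric protocols: no admin HTTPS/SSH is
#    exposed on the switch-management VLAN.
config system interface
    edit "fortilink"
        set vdom "root"
        set fortilink enable
        set type aggregate
        set member "x1" "x2"
        set lacp-mode static
        set fortilink-split-interface disable
        set allowaccess ping fabric
    next
end

# 2. ICL between the two core switches, two members for redundancy.
#    Configure the ICL on both peers before any MCLAG trunk.
config switch-controller managed-switch
    edit "S524DF4K15000001"
        config ports
            edit "icl-core"
                set type trunk
                set mode lacp-active
                set mclag-icl enable
                set members "port47" "port48"
            next
        end
    next
    edit "S524DF4K15000002"
        config ports
            edit "icl-core"
                set type trunk
                set mode lacp-active
                set mclag-icl enable
                set members "port47" "port48"
            next
        end
    next
end

# 3. MCLAG trunk towards an aggregation pair. The trunk name must be
#    identical on both peers; the downstream pair sees one LACP partner.
config switch-controller managed-switch
    edit "S524DF4K15000001"
        config ports
            edit "agg1-mclag"
                set type trunk
                set mode lacp-active
                set mclag enable
                set members "port1"
            next
        end
    next
    edit "S524DF4K15000002"
        config ports
            edit "agg1-mclag"
                set type trunk
                set mode lacp-active
                set mclag enable
                set members "port1"
            next
        end
    next
end

# Check: every managed switch should report Connected before access ports
# are put into service.
execute switch-controller get-conn-status
```

Disabling `fortilink-split-interface` is what lets the FortiGate's single aggregate span both MCLAG peers; with it enabled (the default) only one member link is active. The ICL carries the MCLAG control traffic and any traffic that has to cross between peers after a member-link failure, which is why the page recommends two links for it.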

Tiered architecture

The following figure shows the tiered reference architecture for the campus and indicates which components are included in the core, aggregation (distribution), and access layers, and where MCLAG pairs are used in each of the three tiers.

Tier-1/core layer:
  • The core layer comprises one, two, or up to four FortiGate devices acting as the FortiSwitch and FortiAP controllers. The layer-3 routing features of the FortiGate devices are used for all inter-VLAN traffic, so every inter-VLAN flow passes through them; the FortiGate devices therefore provide next-generation firewall (NGFW) inspection and enforcement for internal (east-west) traffic.

  • A maximum of two FortiSwitch units at this level forward all layer-2 traffic. Only east-west links are used for layer-2 traffic flowing from one aggregation stack to another. To maximize convergence, resiliency, and bandwidth, Fortinet recommends a pair of FortiSwitch units configured as an MCLAG pair and connected with the FortiGate devices using full mesh.

  • This layer could be used to connect servers and headquarters resources shared across the network.

  • Typical links used at this tier would be 10 GbE or a link aggregation of multiple 10-GbE, 25-GbE, 40-GbE, or 100-GbE interfaces.

Tier-2/aggregation layer:
  • The aggregation layer comprises one or multiple FortiSwitch MCLAG pairs, which consolidate all traffic coming from their corresponding access stacks. Only east-west links are used for layer-2 traffic flowing from one access stack to another.

  • Depending on the final design, you could use this layer as a top-of-rack (ToR) level or delegate this function to the next layer below. The tier-2/aggregation layer can be the entry to different buildings or geographical locations within the campus.

  • Typical links used at this tier would be 10 GbE or a link aggregation of multiple 10-GbE links towards the access layer; 10-GbE, 25-GbE, 40-GbE, or 100-GbE interfaces would be used as uplinks towards the core layer.

Tier-3/access layer:
  • The access layer comprises one or multiple FortiSwitch MCLAG pairs, which provide full traffic capacity towards the aggregation layer.

  • These MCLAG pairs can also be used as ToR levels, to which more FortiSwitch units could be connected in a dual-homed topology or to form additional rings, which extends the number of ports available at this point. The tier-3/access layer can be the entry to different floors within the building, where final endpoints are connected to the subsequent stack of FortiSwitch units, or where FortiAP units are connected to leverage the PoE capabilities of the FortiSwitch units.

  • Typical links used at this tier are 10 GbE or a link aggregation of multiple 10-GbE links towards the aggregation layer; 10-GbE, 5-GbE, 2.5-GbE, or 1-GbE links would be used towards the rest of the access FortiSwitch units, FortiAP units, and endpoints.
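The access-layer port policy that gives users and devices the same security policy regardless of where they plug in, as an added FortiOS CLI example (not configuration from this page): one 802.1X security policy pushed over FortiLink to an endpoint port, plus the edge-port guards a practitioner would set on any port that faces an endpoint or a FortiAP. The policy name, user group, VLAN names, PoE port and switch serial are assumptions; the VLANs are assumed to already exist as FortiLink VLAN interfaces and the user group "dot1x-users" to contain the RADIUS server the campus authenticates against.

```text
# FortiGate (FortiOS 7.2) CLI, added example. Assumed, not from the page:
# access switch S248EPTF19000001, FortiLink VLAN interfaces "staff",
# "guest", "quarantine", "ap-mgmt", "wifi-staff" and "wifi-guest" already
# defined, and firewall user group "dot1x-users" backed by RADIUS.

# 1. DHCP snooping is enabled per VLAN; endpoint ports are then marked
#    untrusted below so a rogue DHCP server on a desk port is dropped.
config system interface
    edit "staff"
        set switch-controller-dhcp-snooping enable
    next
end

# 2. One 802.1X policy for every access port. MAC-based mode authenticates
#    each MAC on the port separately (phone plus PC behind it). MAB is the
#    fallback for printers; failed supplicants land in "quarantine", ports
#    with no supplicant at all in "guest".
config switch-controller security-policy 802-1X
    edit "campus-dot1x"
        set security-mode 802.1X-mac-based
        set user-group "dot1x-users"
        set mac-auth-bypass enable
        set eap-passthru enable
        set guest-vlan enable
        set guest-vlan-id "guest"
        set auth-fail-vlan enable
        set auth-fail-vlan-id "quarantine"
    next
end

# 3. Apply to the switch ports. port1 is a desk port; port24 powers a
#    FortiAP and trunks the wireless VLANs. Both are STP edge ports with
#    BPDU guard, so a user-plugged switch is shut rather than becoming
#    part of the campus spanning tree.
config switch-controller managed-switch
    edit "S248EPTF19000001"
        config ports
            edit "port1"
                set vlan "staff"
                set port-security-policy "campus-dot1x"
                set edge-port enable
                set stp-bpdu-guard enable
                set dhcp-snooping untrusted
                set loop-guard enabled
            next
            edit "port24"
                set poe-status enable
                set vlan "ap-mgmt"
                set allowed-vlans "wifi-staff" "wifi-guest"
                set edge-port enable
                set stp-bpdu-guard enable
                set dhcp-snooping untrusted
            next
        end
    next
end
```

The policy object is defined once on the FortiGate and referenced by name from any managed switch in any tier, which is the concrete form of the "same policy wherever they connect" claim in the FortiLink section: moving a user from one floor's access pair to another changes the port, not the policy. The quarantine VLAN is only useful if a firewall policy on the FortiGate actually restricts it; the switch-side assignment alone does not block traffic.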

Leaf-and-spine data center architecture

Although this architecture is not normally used in campus deployments, it could be useful for data center designs. You can implement the Fortinet leaf-and-spine topology following a similar methodology as in Tiered architecture and as shown in the following figure of a leaf-and-spine reference architecture for a campus. This design provides deterministic latency and performance to critical services in the network, and, because the same FortiGate and FortiLink components are used, it also provides end-to-end security all the way down to the LAN ports.

Spine:
  • This layer comprises the layer-3 routing elements (the FortiGate devices) and a pair of high-capacity FortiSwitch units configured as an MCLAG pair. This layer is the same as the tier-1/core layer.

  • All traffic is processed and secured by this combination at this level; therefore, high-performance FortiGate devices are required, with native 40-GbE or 100-GbE interfaces facing the FortiSwitch units.

Leaves:
  • This layer comprises a range of different FortiSwitch units, depending on the requirements of the connecting devices. If specific features are needed to provide a highly resilient service, such as priority-based flow control or ingress pause metering, then the FortiSwitch models must belong to the high end of the family.

  • You can have separate FortiSwitch units connected in a dual-homed topology into the spine, or you can reduce complexity by having pairs of MCLAG FortiSwitch units to provide high availability and resiliency for servers that might require redundant paths towards the spine.

  • The “leaves” layer can be implemented only for the data center or alongside the traditional tier-2/aggregation layer being deployed for campus switching.

  • Typically, FortiSwitch units from the 500 series and higher are used in this layer to provide 40-GbE connectivity with the spine.