Deployment procedures
Use the following procedure to deploy the entire topology from the FortiGate switch controller without the need for direct console access to the FortiSwitch units.
NOTE:
-
Fortinet recommends using at least two links for ICL redundancy.
- Before FortiOS 6.2.0, when using HA-mode FortiGate units to manage FortiSwitch units, the HA mode must be active-passive. Starting in FortiOS 6.2.0, the FortiGate HA mode can be either active-passive or active-active.
-
In this topology, you must use the
auto-isl-port-group
setting as described in the following configuration example. This setting instructs the switches to group ports from MCLAG peers together into one MCLAG when the inter-switch link (ISL) is formed. - The
auto-isl-port-group
setting must be done directly on the FortiSwitch unit. -
On the global switch level,
mclag-stp-aware
must be enabled, and STP must be enabled on all ICL trunks. They are both enabled by default.
NOTE: If you are going to use IGMP snooping with an MCLAG topology:
- On the global switch level,
mclag-igmpsnooping-aware
must be enabled. It is enabled by default. - The
igmps-flood-traffic
andigmps-flood-report
settings must be disabled on the ISL and FortiLink trunks; but theigmps-flood-traffic
andigmps-flood-report
settings must be enabled on ICL trunks. These settings are enabled by default. - IGMP proxy must be enabled.
To create a three-tier FortiLink MCLAG topology, use FortiOS 6.2.3 GA or later and FortiSwitchOS 6.2.3 GA or later.
Configure the core-level (tier-1) MCLAG
Wire the two core-level FortiSwitch units to the FortiGate units. You can use the FortiLink split interface to connect the FortiLink aggregate interface from one FortiGate unit to two FortiSwitch units. When the FortiLink split interface is enabled, only one link remains active.
In this topology, the FortiLink split interface connects a FortiLink aggregate interface from one FortiGate unit to two FortiSwitch units. The aggregate interface of the FortiGate unit for this configuration contains at least one physical port connected to each FortiSwitch unit.
NOTE:
- Make sure that the split interface is enabled.
- This procedure also applies to a FortiGate unit in HA mode.
- More links can be added between the FortiGate unit and FortiSwitch unit.
Use the FortiGate CLI to change the FortiSwitch unitsʼ configuration without losing their management from the FortiGate unit. You do not need to change anything on the individual FortiSwitch units. The MCLAG-ICL can also be enabled on the FortiSwitch unit directly using console cables or management ports.
- Using the FortiGate CLI, assign the LLDP profile
default-auto-mclag-icl
to the ports that should form the MCLAG ICL in FortiSwitch unit 1. For example:FGT_Switch_Controller # config switch-controller managed-switch
FGT_Switch_Controller (managed-switch) # edit FS1E48T419000051
FGT_Switch_Controller (FS1E48T419000051) # config ports
FGT_Switch_Controller (ports) # edit port49
FGT_Switch_Controller (port49) # set lldp-profile default-auto-mclag-icl
FGT_Switch_Controller (port49) # end
FGT_Switch_Controller (FS1E48T419000051) # end
- Repeat step 1 for FortiSwitch unit 2. The port numbers can be different.
- Disable the split interface in the FortiLink interface. For example:
config system interface
edit <aggregate_name>
set fortilink-split-interface disable
next
end
- From the FortiGate unit, enable the LACP active mode if not already set:
config system interface
edit <aggregate_name>
set lacp-mode active
next
end
NOTE: If you are using FortiOS 6.2 or earlier, use the
set lacp-mode static
command instead. - Check that the LAG is working correctly. For example:
diagnose netlink aggregate name <aggregate_name>
If you disable the MCLAG ICL (with the |
Configure the distribution-level (tier-2) MCLAGs
- Connect only the distribution-level (tier-2) MCLAG FortiSwitch units (FS-1048E-B1-C-1 and FS-1048-B1-C-2) to the core FortiSwitch units (FS-3032E-1 and FS-3032E-2). Wait until they are discovered and authorized (if automatic authorization is disabled, you must authorize the switches manually).
- Using the FortiGate CLI, assign the LLDP profile
default-auto-mclag-icl
to the ports that will form the MCLAG ICL in the tier-2 MCLAG switches FS-1048E-B1-C-1 and FS-1048-B1-C-2. For example:FGT_Switch_Controller # config switch-controller managed-switch
FGT_Switch_Controller (managed-switch) # edit FS1E48T419000051
FGT_Switch_Controller (FS1E48T419000051) # config ports
FGT_Switch_Controller (ports) # edit port49
FGT_Switch_Controller (port49) # set lldp-profile default-auto-mclag-icl
FGT_Switch_Controller (port49) # end
FGT_Switch_Controller (FS1E48T419000051) # end
- On both core-level switches, FS-3032E-1 and FS-3032E-2, add an
auto-isl-port-group
for the distribution-level (tier-2) MCLAG peer group in building 1 (FS-1048E-B1-C-1 and FS-1048-B1-C-2).To the Building 1 cabinet:
config switch auto-isl-port-group
edit tier2-B1-C1
set members port1
next
end
This configuration is done directly in the FortiSwitch CLI, which can be accessed using the Connect to CLI option on the FortiGate Managed FortiSwitches page (or by binding a custom script using custom commands on the FortiGate unit. See Executing custom FortiSwitch scripts.
- Repeat steps 1, 2, and 3 for the other MCLAG peer groups in the Building 2 cabinet and Building 3 cabinet.
Configure the access-level (tier-3) MCLAGs
- Wire the access-level (tier-3) MCLAG switches from Building 1 floor 1(FS-1024E-B1-F1-1 and FS-1024E-B1-F1-2). Wait until they are discovered and authorized (if automatic authorization is disabled, you must authorize the switches manually).
- Using the FortiGate CLI, assign the LLDP profile
default-auto-mclag-icl
to the ports that will form the ICL in the access-level (tier-3) MCLAG peers switches from Building 1 floor 1 (FS-1024E-B1-F1-1 and FS-1024E-B1-F1-2). For example:FGT_Switch_Controller # config switch-controller managed-switch
FGT_Switch_Controller (managed-switch) # edit FS1E48T419000051
FGT_Switch_Controller (FS1E48T419000051) # config ports
FGT_Switch_Controller (ports) # edit port49
FGT_Switch_Controller (port49) # set lldp-profile default-auto-mclag-icl
FGT_Switch_Controller (port49) # end
FGT_Switch_Controller (FS1E48T419000051) # end
- On both distribution-level switches in the Building 1 cabinet (FS-1048E-B1-C-1 and FS-1048-B1-C-2), add an
auto-isl-port-group
for the access-level (tier-3) MCLAG peer group from Building 1 floor 1.config switch auto-isl-port-group
edit to_B1-F2
set member <port_name>
next
edit to_B1-F1
set member <port_name>
next
end
This configuration is done directly in the FortiSwitch CLI (or by binding a custom script using custom commands on the FortiGate unit. See Executing custom FortiSwitch scripts.
- Repeat steps 1, 2, and 3 for the other access-level (tier-3) MCLAG peer groups in building 1 and then in the floors in buildings 2 and 3.
- Connect the access switches to the access-level MCLAG peer groups in the floors of each building, and the inter-switch links are formed automatically. Wait until they are discovered and authorized (authorization must be done manually if auto-authorization is disabled).
- For the switches in the ring topologies, connect the FortiSwitch units with uplinks to the distribution level, wait until the switches are managed, and then connect the rest of the FortiSwitch units.
-
All FortiSwitch units are now authorized; therefore, the complete FortiSwitch topology is fully managed on the FortiGate unit. The deployment is completed, and the administrator can now configure the FortiSwitch VLANs and assign them to the access ports or configure 802.1x security, network access control (NAC), and dynamic port policies for dynamic VLAN assignment.