7.4.0

Deployment procedures

Use the following procedure to deploy the entire topology from the FortiGate switch controller without the need for direct console access to the FortiSwitch units.

NOTE:

  • Fortinet recommends using at least two links for ICL redundancy.
  • Before FortiOS 6.2.0, when using HA-mode FortiGate units to manage FortiSwitch units, the HA mode must be active-passive. Starting in FortiOS 6.2.0, the FortiGate HA mode can be either active-passive or active-active.
  • In this topology, you must use the auto-isl-port-group setting as described in the following configuration example. This setting instructs the switches to group ports from MCLAG peers together into one MCLAG when the inter-switch link (ISL) is formed.
  • The auto-isl-port-group setting must be done directly on the FortiSwitch unit.
  • On the global switch level, mclag-stp-aware must be enabled, and STP must be enabled on all ICL trunks. They are both enabled by default.

NOTE: If you are going to use IGMP snooping with an MCLAG topology:

  • On the global switch level, mclag-igmpsnooping-aware must be enabled. It is enabled by default.
  • The igmps-flood-traffic and igmps-flood-report settings must be disabled on the ISL and FortiLink trunks but enabled on the ICL trunks. Both settings are enabled by default.
  • IGMP proxy must be enabled.

To create a three-tier FortiLink MCLAG topology, use FortiOS 6.2.3 GA or later and FortiSwitchOS 6.2.3 GA or later.

Configure the core-level (tier-1) MCLAG

Wire the two core-level FortiSwitch units to the FortiGate units. You can use the FortiLink split interface to connect the FortiLink aggregate interface from one FortiGate unit to two FortiSwitch units. When the FortiLink split interface is enabled, only one link remains active.

In this topology, the FortiLink split interface connects a FortiLink aggregate interface from one FortiGate unit to two FortiSwitch units. The aggregate interface of the FortiGate unit for this configuration contains at least one physical port connected to each FortiSwitch unit.

NOTE:

  • Make sure that the split interface is enabled.
  • This procedure also applies to a FortiGate unit in HA mode.
  • More links can be added between the FortiGate unit and FortiSwitch unit.

Use the FortiGate CLI to change the FortiSwitch units' configuration without losing their management from the FortiGate unit. You do not need to change anything on the individual FortiSwitch units. The MCLAG ICL can also be enabled on the FortiSwitch unit directly using console cables or management ports.

  1. Using the FortiGate CLI, assign the LLDP profile default-auto-mclag-icl to the ports that should form the MCLAG ICL in FortiSwitch unit 1. For example:

    FGT_Switch_Controller # config switch-controller managed-switch
    FGT_Switch_Controller (managed-switch) # edit FS1E48T419000051
    FGT_Switch_Controller (FS1E48T419000051) # config ports
    FGT_Switch_Controller (ports) # edit port49
    FGT_Switch_Controller (port49) # set lldp-profile default-auto-mclag-icl
    FGT_Switch_Controller (port49) # end
    FGT_Switch_Controller (FS1E48T419000051) # end

  2. Repeat step 1 for FortiSwitch unit 2. The port numbers can be different.
  3. Disable the split interface in the FortiLink interface. For example:

    config system interface
        edit <aggregate_name>
            set fortilink-split-interface disable
        next
    end

  4. From the FortiGate unit, enable the LACP active mode if not already set:

    config system interface
        edit <aggregate_name>
            set lacp-mode active
        next
    end

    NOTE: If you are using FortiOS 6.2 or earlier, use the set lacp-mode static command instead.

  5. Check that the LAG is working correctly. For example:

    diagnose netlink aggregate name <aggregate_name>

Note

If you disable the MCLAG ICL (with the set mclag-icl disable command), you need to enable fortilink-split-interface.

Configure the distribution-level (tier-2) MCLAGs

  1. Connect only the distribution-level (tier-2) MCLAG FortiSwitch units (FS-1048E-B1-C-1 and FS-1048-B1-C-2) to the core FortiSwitch units (FS-3032E-1 and FS-3032E-2). Wait until they are discovered and authorized (if automatic authorization is disabled, you must authorize the switches manually).
  2. Using the FortiGate CLI, assign the LLDP profile default-auto-mclag-icl to the ports that will form the MCLAG ICL in the tier-2 MCLAG switches FS-1048E-B1-C-1 and FS-1048-B1-C-2. For example:

    FGT_Switch_Controller # config switch-controller managed-switch
    FGT_Switch_Controller (managed-switch) # edit FS1E48T419000051
    FGT_Switch_Controller (FS1E48T419000051) # config ports
    FGT_Switch_Controller (ports) # edit port49
    FGT_Switch_Controller (port49) # set lldp-profile default-auto-mclag-icl
    FGT_Switch_Controller (port49) # end
    FGT_Switch_Controller (FS1E48T419000051) # end

  3. On both core-level switches, FS-3032E-1 and FS-3032E-2, add an auto-isl-port-group for the distribution-level (tier-2) MCLAG peer group in building 1 (FS-1048E-B1-C-1 and FS-1048-B1-C-2).

    To the Building 1 cabinet:

    config switch auto-isl-port-group
        edit tier2-B1-C1
            set members port1
        next
    end

    This configuration is done directly in the FortiSwitch CLI, which can be accessed using the Connect to CLI option on the FortiGate Managed FortiSwitches page (or by binding a custom script using custom commands on the FortiGate unit; see Executing custom FortiSwitch scripts).

  4. Repeat steps 1, 2, and 3 for the other MCLAG peer groups in the Building 2 cabinet and Building 3 cabinet.

Configure the access-level (tier-3) MCLAGs

  1. Wire the access-level (tier-3) MCLAG switches from Building 1 floor 1 (FS-1024E-B1-F1-1 and FS-1024E-B1-F1-2). Wait until they are discovered and authorized (if automatic authorization is disabled, you must authorize the switches manually).
  2. Using the FortiGate CLI, assign the LLDP profile default-auto-mclag-icl to the ports that will form the ICL in the access-level (tier-3) MCLAG peer switches from Building 1 floor 1 (FS-1024E-B1-F1-1 and FS-1024E-B1-F1-2). For example:

    FGT_Switch_Controller # config switch-controller managed-switch
    FGT_Switch_Controller (managed-switch) # edit FS1E48T419000051
    FGT_Switch_Controller (FS1E48T419000051) # config ports
    FGT_Switch_Controller (ports) # edit port49
    FGT_Switch_Controller (port49) # set lldp-profile default-auto-mclag-icl
    FGT_Switch_Controller (port49) # end
    FGT_Switch_Controller (FS1E48T419000051) # end

  3. On both distribution-level switches in the Building 1 cabinet (FS-1048E-B1-C-1 and FS-1048-B1-C-2), add an auto-isl-port-group for the access-level (tier-3) MCLAG peer group from Building 1 floor 1.

    config switch auto-isl-port-group
        edit to_B1-F2
            set members <port_name>
        next
        edit to_B1-F1
            set members <port_name>
        next
    end

    This configuration is done directly in the FortiSwitch CLI (or by binding a custom script using custom commands on the FortiGate unit; see Executing custom FortiSwitch scripts).

  4. Repeat steps 1, 2, and 3 for the other access-level (tier-3) MCLAG peer groups in building 1 and then in the floors in buildings 2 and 3.
  5. Connect the access switches to the access-level MCLAG peer groups in the floors of each building, and the inter-switch links are formed automatically. Wait until they are discovered and authorized (authorization must be done manually if auto-authorization is disabled).
  6. For the switches in the ring topologies, connect the FortiSwitch units with uplinks to the distribution level, wait until the switches are managed, and then connect the rest of the FortiSwitch units.
  7. All FortiSwitch units are now authorized; therefore, the complete FortiSwitch topology is fully managed on the FortiGate unit. The deployment is completed, and the administrator can now configure the FortiSwitch VLANs and assign them to the access ports or configure 802.1x security, network access control (NAC), and dynamic port policies for dynamic VLAN assignment.
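The three procedures above repeat the same three pieces of configuration for every MCLAG peer group: the default-auto-mclag-icl LLDP profile on each peer's ICL ports (FortiGate CLI), the FortiLink aggregate settings (split interface and LACP mode), and an auto-isl-port-group on each parent switch (FortiSwitch CLI). The following Python script is an added example, not Fortinet code: it renders those command blocks from a small topology description and checks the constraints the procedure states (exactly two switches per peer group, at least two ICL links, fortilink-split-interface disabled while the MCLAG ICL is enabled and re-enabled when it is not, lacp-mode static on FortiOS 6.2 or earlier). The serials, port names and aggregate name it uses are constructed placeholders; the dataclass and function names are this example's own.

```python
"""Render and sanity-check the CLI blocks for a three-tier FortiLink MCLAG rollout.

Added example, not Fortinet code. Serials, port names and the aggregate name are
constructed placeholders; adapt them to the managed-switch ids on your FortiGate.
"""
from dataclasses import dataclass, field


@dataclass
class MclagPeer:
    name: str         # human-readable name, e.g. FS-1048E-B1-C-1
    serial: str       # id used in 'config switch-controller managed-switch'
    icl_ports: list   # ports that receive lldp-profile default-auto-mclag-icl


@dataclass
class PeerGroup:
    label: str        # auto-isl-port-group name on the parent switches
    peers: list       # the two MclagPeer objects forming this MCLAG
    # parent serial -> list of parent ports facing this peer group
    parent_ports: dict = field(default_factory=dict)


def icl_profile_script(peer):
    """FortiGate CLI: assign default-auto-mclag-icl to the peer's ICL ports."""
    lines = ["config switch-controller managed-switch",
             f"    edit {peer.serial}", "        config ports"]
    for port in peer.icl_ports:
        lines += [f"            edit {port}",
                  "                set lldp-profile default-auto-mclag-icl",
                  "            next"]
    lines += ["        end", "    next", "end"]
    return "\n".join(lines)


def fortilink_script(aggregate, fortios_major, fortios_minor, mclag_icl_enabled=True):
    """FortiGate CLI for the FortiLink aggregate.

    The split interface is disabled while the MCLAG ICL is in use and must be
    re-enabled if the ICL is disabled; lacp-mode is 'static' on FortiOS 6.2 or
    earlier and 'active' on later releases, as the procedure's notes state.
    """
    split = "disable" if mclag_icl_enabled else "enable"
    lacp = "active" if (fortios_major, fortios_minor) > (6, 2) else "static"
    return "\n".join(["config system interface", f"    edit {aggregate}",
                      f"        set fortilink-split-interface {split}",
                      f"        set lacp-mode {lacp}", "    next", "end"])


def auto_isl_port_group_script(parent_serial, groups):
    """FortiSwitch CLI (run on the parent switch): one auto-isl-port-group per child peer group."""
    lines = ["config switch auto-isl-port-group"]
    for g in groups:
        ports = g.parent_ports.get(parent_serial, [])
        lines += [f"    edit {g.label}", f"        set members {' '.join(ports)}", "    next"]
    lines.append("end")
    return "\n".join(lines)


def check_group(group, parent_serials):
    """Return a list of problems that would keep the MCLAG from forming as described."""
    problems = []
    if len(group.peers) != 2:
        problems.append(f"{group.label}: an MCLAG peer group needs exactly two switches")
    for p in group.peers:
        if len(p.icl_ports) < 2:
            problems.append(f"{p.name}: fewer than two ICL links (at least two recommended)")
    for s in parent_serials:
        if not group.parent_ports.get(s):
            problems.append(f"{group.label}: no auto-isl-port-group members on parent {s}")
    return problems


if __name__ == "__main__":
    # Constructed topology: one tier-2 peer group hanging off the two core switches.
    core = ["CORE_SERIAL_1", "CORE_SERIAL_2"]
    b1 = PeerGroup("tier2-B1-C1",
                   [MclagPeer("FS-1048E-B1-C-1", "TIER2_SERIAL_1", ["port49", "port50"]),
                    MclagPeer("FS-1048E-B1-C-2", "TIER2_SERIAL_2", ["port49", "port50"])],
                   {"CORE_SERIAL_1": ["port1", "port2"], "CORE_SERIAL_2": ["port1", "port2"]})
    for problem in check_group(b1, core):
        print("PROBLEM:", problem)
    for peer in b1.peers:
        print(icl_profile_script(peer))
    print(fortilink_script("fortilink", 7, 4))
    for serial in core:
        print(f"# on {serial}:\n" + auto_isl_port_group_script(serial, [b1]))
```

Run check_group before pushing anything: a peer group with a single ICL link or with no members on one of the two parents is exactly the case where the ISL forms but the peers never group into one MCLAG.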
