
FortiLink Guide

Optimizing the FortiSwitch network

Starting in FortiOS 6.4.2 with FortiSwitchOS 6.4.2, you can check your FortiSwitch network and get recommendations on how to optimize it. If you agree with the configuration recommendations, you can accept them, and they are automatically applied.

Note

After accepting a recommended change to the network, you must go to Security Fabric > Security Rating and click Run Now again after the network change is made to update the recommendations based on the new network topology.

In FortiOS 7.2.4 with FortiSwitchOS 7.2.3, more tests have been added to the FortiSwitch recommendations to help optimize your network:

  • If port 8 of an FS-108E or FS-108 unit is used for an inter-switch link (ISL), FortiOS recommends creating a custom auto-config policy.
  • If the configured speed is less than the maximum speed for a switch port, FortiOS recommends changing the port speed to the maximum.
  • FortiOS checks if the ISLs and inter-chassis links (ICLs) are static to increase stability during events such as cable disconnections or power outages. If any ISLs or ICLs are not static, FortiOS recommends locking down the Security Fabric topology to prevent the automatically created ISLs and ICLs from being accidentally deleted.
  • When a multichassis link-aggregation group (MCLAG) is recommended between two FortiSwitch units, there is a Create MCLAG button available under WiFi & Switch Controller > Managed FortiSwitches in the Topology view.

In FortiOS 7.4.0 with FortiSwitchOS 7.4.0, more tests have been added to the FortiSwitch recommendations to help optimize your network:

  • Check if the switch port where a quarantined device was last seen has bouncing enabled.

  • Check if the Basic Input/Output System (BIOS) on the FortiSwitch unit needs to be upgraded before FortiSwitchOS can be upgraded.

  • If the poe-status has been enabled under the config switch-controller auto-config policy command, FortiOS recommends that you disable it to prevent unpredictable problems caused by connecting two power sourcing equipment (PSE) ports.

In FortiOS 7.4.1 with FortiSwitchOS 7.4.1, more tests have been added to the FortiSwitch recommendations to help optimize your network:

  • When a connected tier-1 MCLAG peer group is detected and FortiOS detects a possible tier-2 MCLAG pair of switches, FortiOS recommends forming a tier-2 MCLAG.

    After you accept the recommendation, the set lldp-profile default-auto-mclag-icl command is configured on the two switches with the recommended interchassis link (ICL) ports, and the config switch auto-isl-port-group command is configured on the parent MCLAG peer group.

  • When a connected tier-2 MCLAG peer group is detected and FortiOS detects a possible tier-3 MCLAG pair of switches, FortiOS recommends forming a tier-3 MCLAG.

    After you accept the recommendation, the set lldp-profile default-auto-mclag-icl command is configured on the two switches with the recommended ICL ports, and the config switch auto-isl-port-group command is configured on the parent MCLAG peer group.

NOTE: For detection to be successful, there must be a fully meshed connection (each tier-2 FortiSwitch unit must have a connection to each tier-1 FortiSwitch unit; each tier-3 FortiSwitch unit must have a connection to each tier-2 FortiSwitch unit).
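The full-mesh precondition can be checked against a cabling inventory before running the Security Rating report. The following is an added example, not Fortinet code and not FortiOS's own detection logic; the switch names, model labels and link list are constructed, and the same-model and direct-link conditions are assumptions taken from the example procedure on this page.

```python
from itertools import combinations

# Constructed sample: switch name -> (tier, model). All names are hypothetical.
SWITCHES = {
    "core-1": (1, "model-A"), "core-2": (1, "model-A"),
    "dist-1": (2, "model-B"), "dist-2": (2, "model-B"),
    "acc-1": (3, "model-C"), "acc-2": (3, "model-C"),
}
# Constructed sample cabling; acc-2 deliberately has no link to dist-1.
LINKS = {frozenset(p) for p in [
    ("core-1", "core-2"),
    ("dist-1", "core-1"), ("dist-1", "core-2"),
    ("dist-2", "core-1"), ("dist-2", "core-2"),
    ("dist-1", "dist-2"),
    ("acc-1", "dist-1"), ("acc-1", "dist-2"),
    ("acc-2", "dist-2"), ("acc-1", "acc-2"),
]}

def tier_members(switches, tier):
    """Sorted names of all switches assigned to the given tier."""
    return sorted(n for n, (t, _) in switches.items() if t == tier)

def missing_uplinks(switches, links, tier):
    """Return (lower, upper) pairs that break the full mesh between tier and tier-1."""
    return [(lo, up)
            for lo in tier_members(switches, tier)
            for up in tier_members(switches, tier - 1)
            if frozenset((lo, up)) not in links]

def mclag_candidates(switches, links, tier):
    """Pairs in `tier` that are same-model, directly linked, and fully meshed upward."""
    broken = {lo for lo, _ in missing_uplinks(switches, links, tier)}
    return [(a, b) for a, b in combinations(tier_members(switches, tier), 2)
            if switches[a][1] == switches[b][1]   # same model (example step 1)
            and frozenset((a, b)) in links        # link between the pair (future ICL)
            and a not in broken and b not in broken]

if __name__ == "__main__":
    for tier in (2, 3):
        print(f"tier-{tier} missing uplinks:", missing_uplinks(SWITCHES, LINKS, tier))
        print(f"tier-{tier} candidate pairs:", mclag_candidates(SWITCHES, LINKS, tier))
```

In the sample data, tier 2 is fully meshed to tier 1 and yields one candidate pair, while the missing acc-2 to dist-1 link leaves tier 3 with none.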

NOTE: The Security Rating feature is available only when VDOMs are disabled.

To optimize your FortiSwitch network:
  1. Go to Security Fabric > Security Rating.
  2. Select Run Now (under Report Details in the right pane) to generate the Security Rating report.

  3. Select the Optimization section.

  4. Under Failed, select + next to each item to see more details in the right pane.

  5. If you agree with a suggestion in the Recommendations section, select Apply for the change to be made.

Example

In this example, a FortiGate device manages four FortiSwitch units. Two of the switches already form an MCLAG, and the user wants a second MCLAG tier for redundancy.

  1. In the FortiOS GUI, go to WiFi & Switch Controller > Managed FortiSwitches and verify that the two tier-2 FortiSwitch units are the same model so that they can form an MCLAG.

  2. Go to Security Fabric > Security Rating and click Run Now.

  3. After the security rating report has run, expand the Optimization results to see Enable MC-LAG Tier 2/3.

  4. Go to WiFi & Switch Controller > Managed FortiSwitches and hover over the link connecting the two tier-2 FortiSwitch units. Click Create MC-LAG pair.

  5. In the Create MC-LAG Pair panel, enter the ISL port group name.

  6. The Managed FortiSwitches page shows that the MCLAG is formed for the tier-2 managed FortiSwitch units.
