Multiple FortiSwitches in tiers via aggregate interface with MCLAG enabled on all tiers
This example provides a recommended configuration of FortiLink where multi-tier FortiSwitch devices are managed by an A-P mode HA cluster of FortiGates acting as a switch controller via an aggregate interface. The FortiGates provide A-A links to two distribution FortiSwitches that are connected to each other by MCLAG. All access FortiSwitch devices have A-A links with two upper tier FortiSwitches, as long as the MCLAG-ICL has been enabled between the upper tiers.
Prerequisites:
- The FortiGate model supports an aggregate interface.
- FortiSwitch units have been upgraded to latest released software version.
- Layer-3 path/route in the management VDOM is available to Internet so that the FortiSwitch units can synchronize NTP.
- For the FortiSwitch D series, the models above 4 just support MCLAG. For the FortiSwitch E series, the models above 2 just support MCLAG.
Change the FortiSwitch management mode to FortiLink:
Enter the following CLI commands on the FortiSwitch:
config system global set switch-mgmt-mode fortilink end This operation will cleanup all of the configuration and reboot the system! Do you want to continue? (y/n)y Backing up local mode config before entering FortiLink mode....
If the FortiSwitch ports used for the FortiLink connection have auto-discovery-fortilink
enabled, executing authorization on FortiGate will trigger the transformation to FortiLink mode automatically.
config switch interface edit "port1" set auto-discovery-fortilink enable …… next end
Set up an A-P mode HA cluster:
See HA active-passive cluster setup.
Create an aggregate interface and designate it as Fortilink interface on the FortiGate:
Using the CLI:
config system interface edit "aggr1" set vdom "vdom1" set fortilink enable set type aggregate set member "port11" "port12" set fortilink-split-interface disable next end
fortilink-split-interface
must be disabled for MCLAG to work.
Using the GUI:
- Go to WiFi & Switch Controller > FortiLink Interface.
- In Interface members, select one or more physical ports that are connected to different distribution FortiSwitches to create an aggregate interface.
- Disable FortiLink split interface.
- Configure other fields as necessary.
- Click OK.
Discover and authorize the FortiSwitch:
Using the CLI:
config switch-controller managed-switch edit "FSWSerialNum" set fsw-wan1-admin enable …… next end
Check the CLI output for Connection: Connected
to show that FortiLink is up:
execute switch-controller get-conn-status FSWSerialNum Get managed-switch S248EPTF18001384 connection status: Admin Status: Authorized Connection: Connected Image Version: S248EP-v6.2.0-build143,190107 (Interim) Remote Address: 2.2.2.2 Join Time: Fri Jan 11 15:22:32 2019 interface status duplex speed fortilink stacking poe status port1 up full 1000Mbps no no Delivering Power port2 down N/A 0 no no Searching ……
Using the GUI:
- Go to WiFi & Switch Controller > Managed FortiSwitch.
- Click Authorize and wait for a few minutes for the connection to be established.
When FortiLink between the FortiGate and FortiSwitch is established, the Link-up ports change to green and the POE port that is supplying power changes to blue. The dotted line between the FortiGate and FortiSwitch changes to a solid line. The Connection status shows that FortiLink is up.
Enable MCLAG on the ICL link between the distribution FortiSwitch devices:
conf switch trunk edit "4DN4K15000008-0" set mclag-icl enable next end
When you enable mclag-icl
, MCLAG on the FortiLink interface is enabled automatically and active-active backup links between the distribution FortiSwitches are established.
Extend the security perimeter to the edge of FortiSwitch:
- Configure the VLAN arrangement.
- On the FortiGate, go to WiFi & Switch Controller > FortiSwitch VLANs.
- Configure the VLAN interfaces that are applied on FortiSwitch.
On FortiGate, these switch VLAN interfaces are treated as layer-3 interfaces and are available to be applied by firewall policy and other security controls in FortiOS. This means that security boundary is extended to FortiSwitch.
- Configure FortiSwitch ports.
- On the FortiGate, go to WiFi & Switch Controller > FortiSwitch Ports.
- Select one or more FortiSwitch ports and assign them to the switch VLAN.
- You can also select POE/DHCP Snooping, STP, and other parameters for the FortiSwitch ports to show their real-time status such as link status, data statistics, etc.
- Configure access authentication.
- On the FortiGate, go to WiFi & Switch Controller > FortiSwitch Security Policies.
- Configure the 802.1X security policies.
- Select Port-based or MAC-based mode and select User groups from the existing VDOM.
- Configure other fields as necessary.
- Go to WiFi & Switch Controller > FortiSwitch Ports.
- Select one or more FortiSwitch ports, click + in the Security Policy column, then make a selection from the pane.
Troubleshooting
Authorized FortiSwitch always offline
If an authorized FortiSwitch is always offline, go to the FortiGate CLI and use the command below to see all the checkpoints. Inspect each checkpoint to find the cause of the problem.
execute switch-controller diagnose-connection S248EPTF18001384 Fortilink interface ... OK aggr1 enabled DHCP server ... OK aggr1 enabled NTP server ... OK aggr1 enabled NTP server sync ... OK synchronized: yes, ntpsync: enabled, server-mode: enabled ipv4 server(ntp1.fortiguard.com) 208.91.113.70 -- reachable(0x80) S:2 T:128 no data ipv4 server(ntp2.fortiguard.com) 208.91.113.71 -- reachable(0x80) S:2 T:128 no data ipv4 server(ntp2.fortiguard.com) 208.91.112.51 -- reachable(0xff) S:2 T:66 selected server-version=4, stratum=2 reference time is dfe3aec5.744404e6 -- UTC Sat Jan 12 00:09:41 2019 clock offset is -0.320411 sec, root delay is 0.054535 sec root dispersion is 0.533081 sec, peer dispersion is 11495 msec ipv4 server(ntp1.fortiguard.com) 208.91.112.50 -- reachable(0xff) S:2 T:66 server-version=4, stratum=2 reference time is dfe3aec5.744404e6 -- UTC Sat Jan 12 00:09:41 2019 clock offset is -0.448087 sec, root delay is 0.054535 sec root dispersion is 0.533081 sec, peer dispersion is 12542 msec HA mode ... disabled Fortilink Status ... SWITCH_AUTHORIZED_READY Last keepalive ... 1 seconds ago CAPWAP Remote Address: 2.2.2.2 Status ... CONNECTED Last keepalive ... 26 seconds ago PING 2.2.2.2 (2.2.2.2): 56 data bytes 64 bytes from 2.2.2.2: icmp_seq=0 ttl=64 time=1.1 ms 64 bytes from 2.2.2.2: icmp_seq=1 ttl=64 time=13.9 ms 64 bytes from 2.2.2.2: icmp_seq=2 ttl=64 time=12.7 ms 64 bytes from 2.2.2.2: icmp_seq=3 ttl=64 time=2.9 ms 64 bytes from 2.2.2.2: icmp_seq=4 ttl=64 time=1.2 ms --- 2.2.2.2 ping statistics --- 5 packets transmitted, 5 packets received, 0% packet loss round-trip min/avg/max = 1.1/6.3/13.9 ms
HA sync fails
If HA sync fails, use the command below to diagnose and locate the cause.
# diagnose sys ha checksum cluster