6.4.6

MCLAG peer group managed with FortiLink over layer 3

This cookbook article describes how to configure a multichassis link aggregation group (MCLAG) peer group that is managed with FortiLink over layer 3. The following tasks are covered:

  1. Set up the FortiGate device
  2. Configure the WAN router
  3. Configure the site1_mclag1 switch
  4. Authorize the site1_mclag1 switch
  5. Configure the site1_mclag2 switch
  6. Configure the FortiGate device
  7. Configure the access switches
  8. Finish the FortiSwitch configuration from the FortiGate device
  9. Check the configuration

Assumptions

The following tasks must be done before starting this procedure:

  • The FortiGate device is already configured with an interface towards the WAN router.
  • The FortiGate device is already managing FortiSwitch units connected locally, and different VLANs are needed in the remote FortiSwitch units.
  • The WAN router has an 802.3ad link aggregation group (LAG) connected to the FortiSwitch MCLAG peer group, and the WAN router is VLAN-capable. (An untagged VLAN is needed for FortiSwitch control, and tagged VLANs are needed for user data traffic.)

Configuration summary

Here is a summary of the procedure:

  1. On the FortiGate device:
    1. Configure the routing so the FortiGate unit can reach the FortiSwitch units.
    2. Configure a dedicated FortiLink interface to control the FortiSwitch units connected to the FortiGate device from remote locations.
    3. Configure a firewall policy to allow the connections from the FortiSwitch units.
  2. On the WAN router, configure an untagged interface or VLAN on the LAG connected to the FortiSwitch units. Assign an IP address and DHCP service, including the Network Time Protocol (NTP) server and option 138 (the switch controller IP address).
  3. On the site1_mclag1 FortiSwitch unit in the MCLAG peer group:
    1. Enable FortiLink mode.
    2. Set the switch-controller discovery type to DHCP.
    3. Enable FortiLink over layer 3 on the switch interface connected to the WAN router and enable the Link Aggregation Control Protocol (LACP) on the newly formed trunk.
  4. On the FortiGate device, authorize and name the site1_mclag1 FortiSwitch unit.
  5. On the site1_mclag2 FortiSwitch unit in the MCLAG peer group:
    1. Enable FortiLink mode.
    2. Set the switch-controller discovery type to DHCP.
  6. On the FortiGate device:
    1. Authorize and name the site1_mclag2 FortiSwitch unit.
    2. Enable the MCLAG peer group.
    3. Connect to the CLI of the site1_mclag2 FortiSwitch unit and enable FortiLink over layer 3 on the switch interface connected to the WAN router. Enable LACP on the newly formed trunk.
    4. Connect to the CLI of the site1_mclag1 FortiSwitch unit and enable MCLAG on the trunk connected to the WAN router.
  7. On the access FortiSwitch units:
    1. Enable FortiLink mode.
    2. Set the switch-controller discovery type to DHCP.
  8. On the FortiGate device:
    1. Authorize and name the access FortiSwitch units.
    2. Create FortiSwitch VLANs and assign them to FortiSwitch ports.
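
Step 2 decides which controller the remote FortiSwitch units contact, so it is worth checking the lease the WAN router actually hands out before authorizing any switch. The following is an added example, not part of the Fortinet article: it parses the options field of a captured DHCP ACK and confirms that option 42 (NTP) is present and that option 138 carries only the expected switch controller address. The sample bytes and all IP addresses are constructed, and a single controller address is assumed.

```python
import ipaddress

PAD, END = 0, 255
OPT_NTP, OPT_CONTROLLER = 42, 138  # RFC 2132 NTP servers; RFC 5417 controller list

# Constructed sample option fields (the bytes after the DHCP magic cookie).
# All addresses are documentation ranges, not values from the article.
GOOD_ACK = bytes.fromhex("350105" "2a04c0000201" "8a04c6336401" "ff")
BAD_ACK = bytes.fromhex("350105" "8a04cb007105" "ff")  # no NTP, other controller


def parse_options(raw):
    """Walk the code/length/value options field into {code: value_bytes}."""
    opts, i = {}, 0
    while i < len(raw) and raw[i] != END:
        code = raw[i]
        if code == PAD:  # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(raw) or i + 2 + raw[i + 1] > len(raw):
            raise ValueError(f"option {code} is truncated")
        length = raw[i + 1]
        # Repeated codes are concatenated (RFC 3396 long-option encoding).
        opts[code] = opts.get(code, b"") + raw[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def ipv4_list(value):
    """Decode an option body that is a packed list of IPv4 addresses."""
    if not value or len(value) % 4:
        raise ValueError("address list must be a non-zero multiple of 4 bytes")
    return [ipaddress.IPv4Address(value[j:j + 4]) for j in range(0, len(value), 4)]


def check_lease(raw, expected_controller):
    """Return a list of problems; an empty list means the lease matches step 2."""
    opts, problems = parse_options(raw), []
    if OPT_NTP not in opts:
        problems.append("missing option 42 (NTP server)")
    if OPT_CONTROLLER not in opts:
        problems.append("missing option 138 (switch controller)")
    else:
        offered = ipv4_list(opts[OPT_CONTROLLER])
        if offered != [ipaddress.IPv4Address(expected_controller)]:
            problems.append("option 138 offers " + ", ".join(map(str, offered)))
    return problems


if __name__ == "__main__":
    print(check_lease(GOOD_ACK, "198.51.100.1"))
    print(check_lease(BAD_ACK, "198.51.100.1"))
```

A non-empty result on the control VLAN means the switches would either lack time synchronization or try to register with an address other than the intended FortiGate FortiLink interface.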