Network topologies for managed FortiSwitch units
The FortiGate requires only one active FortiLink to manage all of the subtending FortiSwitch units (called stacking).
You can configure the FortiLink as a physical interface or as a logical interface (associated with one or more physical interfaces). Depending on the network topology, you can also configure a standby FortiLink.
For any of the topologies, note the following:
- All of the managed FortiSwitch units will function as one Layer-2 stack where the FortiGate manages each FortiSwitch separately.
- The active FortiLink carries data as well as management traffic.
Supported topologies
Fortinet recommends the following topologies for managed FortiSwitch units:
- Single FortiGate managing a single FortiSwitch unit
- Single FortiGate unit managing a stack of several FortiSwitch units
- HA-mode FortiGate units managing a single FortiSwitch unit
- HA-mode FortiGate units managing a stack of several FortiSwitch units
- HA-mode FortiGate units managing a FortiSwitch two-tier topology
- Single FortiGate unit managing multiple FortiSwitch units (using a hardware or software switch interface)
- HA-mode FortiGate units managing two-tier FortiSwitch units with access rings
- Dual-homed servers connected to FortiLink tier-1 FortiSwitch units using an MCLAG
- Standalone FortiGate unit with dual-homed FortiSwitch access
- HA-mode FortiGate units with dual-homed FortiSwitch access
- Multi-tiered MCLAG with HA-mode FortiGate units
Single FortiGate managing a single FortiSwitch unit
On the FortiGate unit, the FortiLink interface is configured as physical or aggregate. The 802.3ad aggregate interface type provides a logical grouping of one or more physical interfaces.
NOTE: For the aggregate interface, you must disable the split interface on the FortiGate unit.
Single FortiGate unit managing a stack of several FortiSwitch units
The FortiGate unit connects directly to one FortiSwitch unit using a physical or aggregate interface. The remaining FortiSwitch units connect in a ring using inter-switch links (ISLs).
Optionally, you can connect a standby FortiLink connection to the last FortiSwitch unit. For this configuration, you create a FortiLink Split-Interface (an aggregate interface that contains one active link and one standby link).
NOTE: External devices shown in the following topology must be compliant endpoints, such as computers. They cannot be third-party switches or appliances.
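The two FortiLink aggregate settings described above, shown as an added FortiOS CLI example that is not taken from the original page. The interface name flink1 and the member ports port4 and port5 are assumptions, and the two variants are alternatives for the same interface, not a sequence.

```fortios
# Variant A: plain 802.3ad aggregate FortiLink to a single FortiSwitch unit.
# The split interface is disabled, so all member links stay active.
# "flink1", "port4" and "port5" are hypothetical names for this example.
config system interface
    edit "flink1"
        set vdom "root"
        set fortilink enable
        set type aggregate
        set member "port4" "port5"
        set fortilink-split-interface disable
    next
end

# Variant B: FortiLink split interface for a stack with a standby FortiLink.
# port4 connects to the first FortiSwitch unit and port5 to the last one;
# with the split interface enabled, one link is active and the other is standby.
config system interface
    edit "flink1"
        set vdom "root"
        set fortilink enable
        set type aggregate
        set member "port4" "port5"
        set fortilink-split-interface enable
    next
end
```

In an HA pair, the same member ports and interface type have to be configured on both FortiGate units.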
HA-mode FortiGate units managing a single FortiSwitch unit
The master and slave FortiGate units both connect a FortiLink to the FortiSwitch unit. The FortiLink port(s) and interface type must match on the two FortiGate units.
HA-mode FortiGate units managing a stack of several FortiSwitch units
The master and slave FortiGate units both connect a FortiLink to the first FortiSwitch unit and (optionally) to the last FortiSwitch unit. The FortiLink ports and interface type must match on the two FortiGate units.
For the active/standby FortiLink configuration, you create a FortiLink Split-Interface (an aggregate interface that contains one active link and one standby link).
HA-mode FortiGate units managing a FortiSwitch two-tier topology
The distribution FortiSwitch unit connects to the master and slave FortiGate units. The FortiLink port(s) and interface type must match on the two FortiGate units.
Single FortiGate unit managing multiple FortiSwitch units (using a hardware or software switch interface)
The FortiGate unit connects directly to each FortiSwitch unit. Each of these FortiLink ports is added to the logical hardware-switch or software-switch interface on the FortiGate unit.
Optionally, you can connect other devices to the FortiGate logical interface. These devices, which must support IEEE 802.1q VLAN tagging, will have Layer 2 connectivity with the FortiSwitch ports.
NOTE: Using the hardware or software switch interface in FortiLink mode is not recommended in most cases. It can be used when the traffic on the ports is very light because all traffic across the switches moves through the FortiGate unit.
HA-mode FortiGate units managing two-tier FortiSwitch units with access rings
NOTE: Before FortiSwitchOS 3.6.4, MCLAG was not supported when access rings were present. Starting with FortiSwitchOS 3.6.4, MCLAG is supported, even with access rings present.
HA-mode FortiGate units connect to redundant distribution FortiSwitch units. Access FortiSwitch units are arranged in a stack in each intermediate distribution frame (IDF), and each stack is connected to both distribution switches.
For the FortiLink connection to each distribution switch, you create a FortiLink split interface (an aggregate interface that contains one active link and one standby link).
NOTE: This is only an example topology. Other combinations of FortiGate units and FortiSwitch units can be used to create a similar topology.
Dual-homed servers connected to FortiLink tier-1 FortiSwitch units using an MCLAG