Support Forum
Jvgestel
New Contributor

Fortiswitch network redundancy

Hi all,

I'm in the process of replacing hardware for a customer. Right now their network is based on Aruba CX switches (see diagram below); they have 2 core switches operating VSX with MCLAG to the access switch layer. The access switches are Aruba CX6200 stacks with like 3/4/5 switches per network closet. The Aruba switches are stacked and have an LACP trunk to the MCLAG on the core switches. The customer recently switched their firewall to a FortiGate cluster and they are considering replacing their switching network with Fortinet as well.

So far I have found a decent replacement for the core switch, but for the access layer switches I can't quite grasp the concepts that Fortinet is using.

From what I understand so far, I should use MCLAG on the access switches as well. If there are more than 2 switches in a network closet, how would I include these in this network?

Should I just create a ring network and have Spanning-tree take care of the loop?

Are there other alternatives to connect (more than 2) switches to the core switches using a LACP link?

Thanks in advance for your time and answer.

Diagram.jpg
Dan_Eng52
Contributor

Hi there,

I hope you're well.

MCLAG is extended down to the access layer, which allows redundant uplinks. If there is a requirement for multiple access switches, redundancy becomes even more critical; I would have a pair of switches (MCLAG ICL) terminating the redundant uplinks to the core, and then you can simply plug the remaining access switches into this access MCLAG tier and they will automatically establish their ISL trunks.

Let me know if you have any other questions.

Regards,

Dan_Eng52

Dan_Eng52
Contributor

Hi Jvgestel,

Mocked up a quick diagram for you. In your case, with dual HA FortiGates, a core layer and MCLAG at the access layer, it would look something like this; hope that helps.

Example.png

Regards,

Dan_Eng52

Jvgestel
New Contributor

Hi Dan_Eng52,

Thanks a lot for your reply and diagram, it's much appreciated.

From a management perspective, in your diagram I would be managing 8 individual access switches, correct? What would be the best way to manage these devices? Through the FortiGate, FortiCloud, or are there better alternatives?

Thanks again,

Regards,

jvgestel

Jvgestel
New Contributor

Hi Dan_Eng52,

Another question came to mind regarding the access layer. In your diagram there are 2 MCLAG clusters, and each switch in the cluster has an access switch connected over what I presume is an LACP link. Shouldn't that switch be connected to both the switches? If one of the switches connecting to the core fails, the underlying switch would fail as well.

Also, what if I need to connect 2 or 4 more switches to that access layer group on the left, would I just daisy-chain them?

Dan_Eng52

Hi Jvgestel,

No worries, if they already have FortiGates in situ I would opt for these to be managed through the FortiGate. In my opinion, these FortiSwitches really come into their own when managed in this way, as you can monitor and manage everything from one pane.

Yes, you could do that, or in your case, if you were to add 2, 4, etc. switches on top of that, as you said you can simply create a ring with at least one 10-GbE link between each of the switches. This way, with MCLAG, you can make use of all the links simultaneously, providing greater throughput, and the ring will use MSTP for loop protection and in the event of switch failure will have an alternate root.

Example 2.png
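The ring-versus-daisy-chain point in the reply above, as an added example that is not part of this thread or of Fortinet's tooling: a small Python model of the topology discussed (switch names are constructed, and MSTP re-convergence is modelled simply as "any surviving path counts") that lists, for each single switch or link failure, which access switches would lose every path to the core.

```python
from collections import deque

def build_topology(extra_access: int, ring: bool) -> dict[str, set[str]]:
    """Constructed topology: core1/core2 are the core MCLAG pair, acc1/acc2 the
    access MCLAG pair with an ICL and redundant uplinks to both cores; the extra
    access switches hang off acc1 as a daisy chain or, with ring=True, close back
    into acc2 so every switch in the closet has two paths to the MCLAG pair."""
    edges = [("core1", "core2"), ("acc1", "acc2"),
             ("acc1", "core1"), ("acc1", "core2"),
             ("acc2", "core1"), ("acc2", "core2")]
    chain = ["acc1"] + [f"acc{i}" for i in range(3, 3 + extra_access)]
    edges += list(zip(chain, chain[1:]))          # one link between neighbours
    if ring:
        edges.append((chain[-1], "acc2"))         # close the ring
    graph: dict[str, set[str]] = {}
    for a, b in edges:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph

def reachable_from(graph, start, failed_nodes=frozenset(), failed_links=frozenset()):
    """Breadth-first search with the failed switches/links removed; spanning-tree
    re-convergence is modelled simply as 'any surviving path counts'."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph[node]:
            if nxt in seen or nxt in failed_nodes or frozenset((node, nxt)) in failed_links:
                continue
            seen.add(nxt)
            queue.append(nxt)
    return seen

def isolated_by_single_failure(graph):
    """Map each single switch or link failure to the access switches that lose
    every path to the core because of it; an empty dict means no single point of
    failure cuts an access switch off."""
    cores = {"core1", "core2"}
    access = sorted(n for n in graph if n.startswith("acc"))
    links = {frozenset((a, b)) for a in graph for b in graph[a]}
    failures = [(f"switch {n}", {n}, set()) for n in graph]
    failures += [("link " + "-".join(sorted(l)), set(), {l}) for l in links]
    result = {}
    for label, nodes, down_links in failures:
        lost = [s for s in access if s not in nodes
                and not (reachable_from(graph, s, nodes, down_links) & cores)]
        if lost:
            result[label] = lost
    return result

if __name__ == "__main__":
    for ring in (False, True):
        print("ring" if ring else "daisy chain", isolated_by_single_failure(build_topology(2, ring)))
```

With two extra switches the daisy chain loses acc3/acc4 whenever acc1, acc3 or either chain link fails, while the ring reports no isolating single failure.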

Jvgestel
New Contributor

Thanks for your clear explanation Dan_Eng52, much appreciated.

AEK
SuperUser

Hi @Jvgestel 

In addition to Dan's response, you may have a look at the below document, if not already done.

https://docs.fortinet.com/document/fortiswitch/7.0.8/devices-managed-by-fortios/780635/switch-redund...

AEK