FortiSwitch Managed by FortiOS 6 – Grouping FortiSwitch units

Grouping FortiSwitch units

You can simplify the configuration and management of complex topologies by creating FortiSwitch groups. A group can include one or more FortiSwitch units and you can include different models in a group.

config switch-controller switch-group
    edit <name>
        set description <string>
        set members <serial-number> <serial-number> …
    end
end

Grouping FortiSwitch units allows you to restart all of the switches in the group instead of individually. For example, you can use the following command to restart all of the FortiSwitch units in a group named my-swgroup:

execute switch-controller restart-swtp my-switch-group

Upgrading the firmware of FortiSwitch groups is easier, too, because fewer commands are needed. See Firmware upgrade of stacked or tiered FortiSwitch units.

Stacking configuration

To set up stacking:

  1. Configure the active FortiLink interface on the FortiGate unit.
  2. (Optional) Configure the standby FortiLink interface.
  3. Connect the FortiSwitch units together, based on your chosen topology.

1. Configure the active FortiLink

Configure the FortiLink interface (as described in the FortiLink configuration using the FortiGate GUI chapter).

When you configure the FortiLink interface, the stacking capability is enabled automatically.

2. Configure the standby FortiLink

Configure the standby FortiLink interface. Depending on your configuration, the standby FortiLink might connect to the same FortiGate unit as the active FortiLink or to a different FortiGate unit.

If the FortiGate unit receives discovery requests from two FortiSwitch units, the link from one FortiSwitch unit is selected as active, and the link from the other FortiSwitch unit is selected as standby.

If the active FortiLink fails, the FortiGate unit converts the standby FortiLink to active.

3. Connect the FortiSwitch units

Refer to the topology diagrams to see how to connect the FortiSwitch units.

Inter-switch links (ISLs) form automatically between the stacked switches.

The FortiGate unit will discover and authorize all of the FortiSwitch units that are connected. After this, the FortiGate unit is ready to manage all of the authorized FortiSwitch units.


Disable stacking

To disable stacking, execute the following commands from the FortiGate CLI. In the following example, port4 is the FortiLink interface:

config system interface
    edit port4
        set fortilink-stacking disable
    end
end

Firmware upgrade of stacked or tiered FortiSwitch units

In this topology, the core FortiSwitch units are model FS-224D-FPOE, and the access FortiSwitch units are model FS-124D-POE. Because the switches are stacked or tiered, the procedure to update the firmware is simpler. In the following procedure, the four FortiSwitch units are upgraded from 3.6.1 to 3.6.2.

To upgrade the firmware of stacked or tiered FortiSwitch units:

  1. Check that all of the FortiSwitch units are connected and which firmware versions they are running. For example:

execute switch-controller get-conn-status

STACK-NAME: FortiSwitch-Stack-port2
SWITCH-ID          NAME  VERSION  STATUS         ADDRESS      JOIN-TIME
S108DV2EJZDAC42F   -     v3.6.0   Authorized/Up  169.254.2.4  Thu Feb 8 17:07:35 2018
S108DV4FQON40Q07   -     v3.6.0   Authorized/Up  169.254.2.5  Thu Feb 8 17:08:37 2018
S108DVBWVLH4QGEB   -     v3.6.0   Authorized/Up  169.254.2.6  Thu Feb 8 17:09:13 2018
S108DVCY19SA0CD8   -     v3.6.0   Authorized/Up  169.254.2.2  Thu Feb 8 17:04:41 2018
S108DVD98KMQGC44*  -     v3.6.0   Authorized/Up  169.254.2.7  Thu Feb 8 17:10:50 2018
S108DVGGBJLQQO48*  -     v3.6.0   Authorized/Up  169.254.2.3  Thu Feb 8 17:06:57 2018
S108DVKM5T2QEA92   -     v3.6.0   Authorized/Up  169.254.2.8  Thu Feb 8 17:11:00 2018
S108DVZX3VTAOO45   -     v3.6.0   Authorized/Up  169.254.2.9  Thu Feb 8 17:11:00 2018
Managed-Switches: 8 UP: 8 DOWN: 0
  2. Upload the firmware image for each FortiSwitch model (FS-224D-FPOE and FS-124D-POE) from either an FTP or TFTP server. If you are using a virtual domain (VDOM), you must enter the config global command before entering the upload-swtp-image command. For example:

FG100E4Q16004478 (global) # execute switch-controller upload-swtp-image tftp FSW_124D_POE-v3-build0382-FORTINET.out 172.30.12.18

Downloading file FSW_124D_POE-v3-build0382-FORTINET.out from tftp server 172.30.12.18…
##################
Image checking …
Image MD5 calculating …
Image Saving S124DP-IMG.swtp … Successful!
File Syncing…

FG100E4Q16004478 (global) # execute switch-controller upload-swtp-image tftp FSW_224D_FPOE-v3-build0382-FORTINET.out 172.30.12.18

Downloading file FSW_224D_FPOE-v3-build0382-FORTINET.out from tftp server 172.30.12.18…
######################
Image checking …
Image MD5 calculating …
Image Saving S224DF-IMG.swtp … Successful!
File Syncing…

  3. Check which firmware images are available. For example:

FG100E4Q16004478 (root) # execute switch-controller list-swtp-image

SWTP Images on AC:
ImageName          ImageSize(B)  ImageInfo             ImageMTime
S124DP-IMG.swtp    19174985      S124DP-v3.6-build382  Mon Oct 2 14:40:54 2017
S224DF-IMG.swtp    23277106      S224DF-v3.6-build382  Mon Oct 2 14:42:55 2017

  4. Stage the firmware image for each FortiSwitch model (FS-224D-FPOE and FS-124D-POE). For example:

FG100E4Q16004478 (root) # execute switch-controller stage-tiered-swtp-image ALL S124DP-IMG.swtp

Staged Image Version S124DP-v3.6-build382

FG100E4Q16004478 (root) # execute switch-controller stage-tiered-swtp-image ALL S224DF-IMG.swtp

Staged Image Version S224DF-v3.6-build382

  5. Check that the correct firmware image is staged for each FortiSwitch unit. For example:

diagnose switch-controller dump network-upgrade status

                   Running                                   Status    Next boot
__________________ ________________________________________ _________ __________________ _________
VDOM : root
S108DVCY19SA0CD8   S108DV-v3.6.0-build4277,171207 (Interim)  (0/0/0)   S108DV-v3.7.0-build4277,171207 (Interim)
S108DV2EJZDAC42F   S108DV-v3.6.0-build4277,171207 (Interim)  (0/0/0)

  6. Restart the FortiSwitch units after a 2-minute delay. For example:

execute switch-controller restart-swtp-delayed ALL


  7. When the FortiSwitch units are running again, check that they are running the new firmware version. For example:

execute switch-controller get-conn-status

STACK-NAME: FortiSwitch-Stack-port2
SWITCH-ID          NAME  VERSION  STATUS         ADDRESS      JOIN-TIME
S108DV2EJZDAC42F   -     v3.6.0   Authorized/Up  169.254.2.4  Thu Feb 8 17:07:35 2018
S108DV4FQON40Q07   -     v3.6.0   Authorized/Up  169.254.2.5  Thu Feb 8 17:08:37 2018
S108DVBWVLH4QGEB   -     v3.6.0   Authorized/Up  169.254.2.6  Thu Feb 8 17:09:13 2018
S108DVCY19SA0CD8   -     v3.6.0   Authorized/Up  169.254.2.2  Thu Feb 8 17:04:41 2018
S108DVD98KMQGC44*  -     v3.6.0   Authorized/Up  169.254.2.7  Thu Feb 8 17:10:50 2018
S108DVGGBJLQQO48*  -     v3.6.0   Authorized/Up  169.254.2.3  Thu Feb 8 17:06:57 2018
S108DVKM5T2QEA92   -     v3.6.0   Authorized/Up  169.254.2.8  Thu Feb 8 17:11:00 2018
S108DVZX3VTAOO45   -     v3.6.0   Authorized/Up  169.254.2.9  Thu Feb 8 17:11:00 2018
Managed-Switches: 8 UP: 8 DOWN: 0
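The upgrade procedure above ends with reading the get-conn-status table by eye to confirm that every unit came back Authorized/Up on the new version. The following Python script is an added example, not part of the guide and not Fortinet code: it parses output captured from execute switch-controller get-conn-status (for instance pasted from an SSH session), compares the units against an expected inventory and target version, and cross-checks the Managed-Switches summary line against the rows it parsed, so a unit that did not rejoin the stack or is still on the old firmware is reported instead of overlooked. The sample output is constructed in the layout shown above (serial numbers reused from the guide's output); the expected inventory list, the target version v3.6.2 and the exact Authorized/Up status string are assumptions for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of `execute switch-controller get-conn-status`.
# One unit is still on the old version and one expected unit is missing entirely.
CONN_STATUS_AFTER = """\
STACK-NAME: FortiSwitch-Stack-port2
SWITCH-ID          NAME  VERSION  STATUS         ADDRESS      JOIN-TIME
S108DV2EJZDAC42F   -     v3.6.2   Authorized/Up  169.254.2.4  Thu Feb 8 17:07:35 2018
S108DV4FQON40Q07   -     v3.6.1   Authorized/Up  169.254.2.5  Thu Feb 8 17:08:37 2018
S108DVD98KMQGC44*  -     v3.6.2   Authorized/Up  169.254.2.7  Thu Feb 8 17:10:50 2018
Managed-Switches: 3 UP: 3 DOWN: 0
"""

# Assumed inventory of the units that must be present after the upgrade.
EXPECTED_SERIALS = ["S108DV2EJZDAC42F", "S108DV4FQON40Q07",
                    "S108DVD98KMQGC44", "S108DVCY19SA0CD8"]

VERSION_RE = re.compile(r"^v\d+(\.\d+)+$")
SUMMARY_RE = re.compile(r"Managed-Switches:\s*(\d+)\s+UP:\s*(\d+)\s+DOWN:\s*(\d+)")


@dataclass
class SwitchRow:
    serial: str      # SWITCH-ID with any trailing "*" marker removed
    marked: bool     # True when the SWITCH-ID carried a trailing "*"
    name: str
    version: str
    status: str
    address: str
    join_time: str


def parse_conn_status(text):
    """Return one SwitchRow per switch line; header, stack-name and summary lines are skipped."""
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or not tokens[0].startswith("S"):
            continue
        # Locate the VERSION column; everything between SWITCH-ID and it is the NAME.
        vidx = next((i for i, t in enumerate(tokens) if VERSION_RE.match(t)), None)
        if vidx is None or vidx + 2 >= len(tokens):
            continue
        serial = tokens[0]
        rows.append(SwitchRow(
            serial=serial.rstrip("*"), marked=serial.endswith("*"),
            name=" ".join(tokens[1:vidx]) or "-",
            version=tokens[vidx], status=tokens[vidx + 1], address=tokens[vidx + 2],
            join_time=" ".join(tokens[vidx + 3:])))
    return rows


def parse_summary(text):
    """Parse the trailing 'Managed-Switches: N UP: N DOWN: N' line into counts."""
    m = SUMMARY_RE.search(text)
    if not m:
        raise ValueError("summary line 'Managed-Switches: ...' not found")
    return {"managed": int(m.group(1)), "up": int(m.group(2)), "down": int(m.group(3))}


def check_upgrade(text, expected_version, expected_serials):
    """Return a list of findings; an empty list means every expected unit is present,
    Authorized/Up, running expected_version, and the summary counts agree with the rows."""
    findings = []
    rows = parse_conn_status(text)
    seen = {r.serial: r for r in rows}
    for serial in expected_serials:
        row = seen.get(serial)
        if row is None:
            findings.append(f"{serial}: not present in get-conn-status output")
            continue
        if row.status != "Authorized/Up":
            findings.append(f"{serial}: status is {row.status}, expected Authorized/Up")
        if row.version != expected_version:
            findings.append(f"{serial}: running {row.version}, expected {expected_version}")
    for serial in seen:
        if serial not in expected_serials:
            findings.append(f"{serial}: unexpected unit in the stack")
    summary = parse_summary(text)
    if summary["managed"] != len(rows):
        findings.append(f"summary says {summary['managed']} managed, parsed {len(rows)} rows")
    if summary["down"] != 0:
        findings.append(f"summary reports {summary['down']} unit(s) DOWN")
    return findings


if __name__ == "__main__":
    for finding in check_upgrade(CONN_STATUS_AFTER, "v3.6.2", EXPECTED_SERIALS) or ["all units OK"]:
        print(finding)
```

Run the same check before step 2 with the old version as the target to confirm the starting state, and again after step 7 with the new version; the inventory comparison is what catches a unit that silently failed to rejoin, which the UP/DOWN counts alone do not show once it has dropped out of the managed set.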


Transitioning from a FortiLink split interface to a FortiLink MCLAG


In this topology, the FortiLink split interface connects a FortiLink aggregate interface from one FortiGate unit to two FortiSwitch units.

Note the following:

- This procedure also applies to a FortiGate unit in HA mode.
- More links can be added between the FortiGate unit and FortiSwitch unit.
- After the MCLAG is set up, only connect the tier-2 FortiSwitch units.

  1. Enable the split interface on the FortiLink aggregate interface. By default, the split interface is enabled. For example:

config system interface
    edit flinksplit1
        set ip 169.254.3.1 255.255.255.0
        set allowaccess ping capwap https
        set vlanforward enable
        set type aggregate
        set member port4 port5
        set lacp-mode static
        set fortilink enable
        set fortilink-split-interface enable
    next
end

  2. Log into FortiSwitch 2 using the Connect to CLI button in the FortiGate GUI, use the get switch lldp auto-isl-status command to find out the name of the trunk connecting the peer switches, and change the ISL to an ICL. For example:

get switch lldp auto-isl-status

config switch trunk
    edit <trunk_name>
        set mclag-icl enable
    next
end

  3. Log into FortiSwitch 1 using the Connect to CLI button in the FortiGate GUI, use the get switch lldp auto-isl-status command to find out the name of the trunk connecting the peer switches, and change the ISL to an ICL. For example:

get switch lldp auto-isl-status

config switch trunk
    edit <trunk_name>
        set mclag-icl enable
    next
end

  4. Log into the FortiGate unit and disable the split interface. For example:

config system interface
    edit flinksplit1
        set fortilink-split-interface disable
    next
end

  5. Enable the LACP active mode.
  6. Check that the LAG is working correctly. For example:

diagnose netlink aggregate name <aggregate_name>

This entry was posted in Administration Guides, FortiOS 6, FortiSwitch.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
