FortiSwitch
DuyNguy
Staff
Article Id 313877
Description

This article is a configuration note for a FortiGate VM with managed FortiSwitches in MCLAG, where the virtual machine runs on ESXi and is moved between hosts with vMotion.

Scope

FortiGate VM and Managed FortiSwitches in MCLAG.
Solution

Issue Statement: When a virtual machine (VM) is moved to another ESXi host, a new FortiLink trunk is created and breaks its connectivity.

 

Topology:

[Image: topology diagram]

VMware ESXi Server Configuration:

  1. Use either a Standard vSwitch or Distributed vSwitch.
  2. Accept 'Promiscuous mode', 'MAC address changes', and 'Forged transmits' on the ports to the FortiSwitches (it is necessary to configure it globally).
  3. The vSwitch must be configured to perform 802.3ad link aggregation in static mode and the load-balancing method must be set to 'Route based on IP hash'.
  4. Network Failure Detection must be set to 'Link status only'.
  5. In Teaming and failover, both NICs must be configured as active.

FortiGate VM Configuration:

  1. Configure a FortiLink aggregated interface with two ports (port1 and port2).
  2. Change the fortilink-neighbor-detection mode to 'lldp' (from FortiLink).

 

FortiSwitch Configuration:

  1. The MCLAG trunks of VMware hosts must be created locally in each MCLAG switch since these are FortiLink trunks. Note: Creating MCLAG trunks in FortiGate switch-controller will not work.
  2. With the switches already set up for MCLAG, create a new trunk, set MCLAG to Enabled, and set the Mode to Static.
  3. Configure the trunks for LACP static and Port Selection Criteria/load balance algorithm 'src-dst-ip'.
  4. Enable 'set static-isl' on these trunks and add the following commands on them:

     set auto-isl 1         <- This means the system creates the ISL trunk.
     set isl-fortilink 1    <- This refers to the FortiLink trunk, which is directly connected to FortiGate.

 

Example of a manually created trunk for ESXi Host1 on Core1:

    config switch trunk
        edit "EsxHost1"
            set port-selection-criteria src-dst-ip
            set description "Manually created trunk for EsxHost1"
            set mode static
            set bundle disable
            set auto-isl 1
            set fortilink 0
            set isl-fortilink 1
            set mclag enable
            set static-isl disable
            set static-isl-auto-vlan enable
            set members "port4"
        next
    end

 

Example of a manually created trunk for ESXi Host1 on Core2:

    config switch trunk
        edit "EsxHost1"
            set port-selection-criteria src-dst-ip
            set description "Manually created trunk for EsxHost1"
            set mode static
            set bundle disable
            set auto-isl 1
            set fortilink 0
            set isl-fortilink 1
            set mclag enable
            set static-isl disable
            set static-isl-auto-vlan enable
            set members "port4"
        next
    end
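
Because the trunk has to be created by hand on each MCLAG switch, the two copies can drift apart. The following Python example is added here and is not part of the original article or any Fortinet tool: it parses 'config switch trunk' output saved from each core and reports a trunk that is missing or deviates from the values listed above. The sample configurations and the names REQUIRED, parse_trunks and audit are constructed for illustration.

```python
import re
# Settings the article requires on every ESXi-facing MCLAG trunk.
REQUIRED = {"mode": "static", "mclag": "enable", "auto-isl": "1",
            "isl-fortilink": "1", "port-selection-criteria": "src-dst-ip"}

# Constructed sample input: the article's Core1 trunk (abridged) and a drifted Core2 copy.
CORE1 = '''config switch trunk
edit "EsxHost1"
set port-selection-criteria src-dst-ip
set mode static
set auto-isl 1
set isl-fortilink 1
set mclag enable
next
end'''
CORE2_DRIFTED = CORE1.replace("mode static", "mode lacp-active").replace("set mclag enable\n", "")

def parse_trunks(cli_text):
    """Parse a 'config switch trunk' section into {trunk_name: {setting: value}}."""
    trunks, current, in_section = {}, None, False
    for raw in cli_text.splitlines():
        line = raw.strip()
        if line == "config switch trunk":
            in_section = True
        elif not in_section or not line:
            continue
        elif line == "end":
            in_section = False
        elif line == "next":
            current = None
        elif m := re.fullmatch(r'edit\s+"?([^"]+)"?', line):
            current = trunks.setdefault(m.group(1), {})
        elif current is not None and (m := re.fullmatch(r"set\s+(\S+)\s+(.*)", line)):
            current[m.group(1)] = m.group(2).strip('"')
    return trunks

def audit(core_configs, trunk_name):
    """Check one trunk on each MCLAG peer; return a list of findings (empty = compliant)."""
    findings = []
    for core, text in core_configs.items():
        trunk = parse_trunks(text).get(trunk_name)
        if trunk is None:  # the article requires the trunk to exist locally on each peer
            findings.append(f"{core}: trunk {trunk_name} missing")
        else:  # a setting absent from the text is reported as <unset>
            findings += [f"{core}: {key} is {trunk.get(key, '<unset>')}, expected {want}"
                         for key, want in REQUIRED.items() if trunk.get(key) != want]
    return findings
if __name__ == "__main__":
    print("\n".join(audit({"Core1": CORE1, "Core2": CORE2_DRIFTED}, "EsxHost1")) or "compliant")
```

Feed it output that shows default values explicitly (for example from 'show full-configuration'), since a setting that does not appear in the text is reported as unset.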
