sachitdas_FTNT
Article Id 210148
Description This article describes how to configure and manage FortiSwitches using hardware-switch interfaces and STP.
Scope FortiLink
Solution

Related document:

https://docs.fortinet.com/document/fortiswitch/7.0.4/devices-managed-by-fortios/801187/ha-mode-forti...

 

In the example below, the FortiGate runs 7.0.5 and the FortiSwitches run 7.0.3:

 


 

 

FortiGate configuration:

 

- Configure the fortilink interface with STP enabled.

 

FortiWiFi-60E # show system interface fortilink
# config system interface
    edit "fortilink"
        set vdom "root"
        set fortilink enable
        set ip 192.168.101.1 255.255.255.0
        set allowaccess ping fabric
        set type hard-switch
        set stp enable
    next
end

 

- Configure a lower STP priority on the FortiGate so that it acts as the root bridge.

 

# config system stp
    set switch-priority 4096
end

 

- On one of the FortiSwitches, configure a different revision.

 

To get the desired behaviour, configure the FortiGate to be the CIST root.

For this, the FortiGate should have the lowest priority and each switch should be in a different region.

So, it is necessary to move one switch to another region by setting its revision.

The FortiGate should then become the CIST root, and the link between the switches is blocked.

 

# config switch-controller managed-switch
    edit <switch serial#>
        config stp-settings
            set local-override enable
            set revision 5678
        end
    next
end

 

- STP commands on FortiGate and both FortiSwitches:

 

FortiWiFi-60E # get system stp list

bridge 'fortilink' prio 4096 mac 90:6C:AC:AA:C6:64 vd 'root'
root prio 4096 mac 90:6C:AC:AA:C6:64 cost 0
port 'internal2' role designated state forward cost 20000 edge no rx 8 tx 5437
port 'internal5' role designated state forward cost 20000 edge no rx 4 tx 1606

 

S124E # diagnose stp instance list

MST Instance Information, primary-Channel:

Instance ID 0 (CST)
Config Priority 24576
Bridge MAC e81cba49213e, MD5 Digest 9999b43d77cc58bba8854f9991c4a487

Root MAC 906cacaac664, Priority 4096, Path Cost 1, Remaining Hops 20

Regional Root MAC e81cba49213e, Priority 24576, Path Cost 0, Root Port 906CACAAC662-0

Active Times Forward Time 15, Max Age 20, Remaining Hops 20

TCN Events Triggered 24 (0d 0h 22m 32s ago), Received 51 (0d 0h 54m 52s ago)

Port Speed Cost Priority Role State HelloTime Flags
________________ ______ _________ _________ ___________ __________ _________ _______________


8FFTV21000067-0 1G 20000 128 ALTERNATIVE DISCARDING 2 EN
906CACAAC662-0 1G 1 128 ROOT FORWARDING 2 EN

 

S108F# diagnose stp instance list

MST Instance Information, primary-Channel:

Instance ID 0 (CST)
Config Priority 24576
Bridge MAC d476a0b82944, MD5 Digest 9999b43d77cc58bba8854f9991c4a487

Root MAC 906cacaac664, Priority 4096, Path Cost 1, Remaining Hops 20

Regional Root MAC d476a0b82944, Priority 24576, Path Cost 0, Root Port 906CACAAC662-0

Active Times Forward Time 15, Max Age 20, Remaining Hops 20

TCN Events Triggered 16 (0d 0h 55m 36s ago), Received 59 (0d 0h 23m 11s ago)

Port Speed Cost Priority Role State HelloTime Flags
________________ ______ _________ _________ ___________ __________ _________ _______________


4EF5918008699-0 1G 20000 128 DESIGNATED FORWARDING 2 EN
906CACAAC662-0 1G 1 128 ROOT FORWARDING 2 EN
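
The outputs above can be checked automatically. The following is an added example, not Fortinet code or part of the original article: it parses `diagnose stp instance list` output and confirms that the switch sees the FortiGate bridge (MAC and priority from `get system stp list`) as root. The function names are hypothetical, and the sample text is the S124E output from this article reduced to the lines the check reads.

```python
import re

# Taken from the S124E output above, reduced to the lines this check reads.
S124E_OUTPUT = """\
Bridge MAC e81cba49213e, MD5 Digest 9999b43d77cc58bba8854f9991c4a487
Root MAC 906cacaac664, Priority 4096, Path Cost 1, Remaining Hops 20
Regional Root MAC e81cba49213e, Priority 24576, Path Cost 0, Root Port 906CACAAC662-0
Port Speed Cost Priority Role State HelloTime Flags
8FFTV21000067-0 1G 20000 128 ALTERNATIVE DISCARDING 2 EN
906CACAAC662-0 1G 1 128 ROOT FORWARDING 2 EN
"""

ROOT_RE = re.compile(r"^Root MAC ([0-9a-fA-F]{12}), Priority (\d+)")
BRIDGE_RE = re.compile(r"^Bridge MAC ([0-9a-fA-F]{12})")
# Port rows: name, speed, cost, priority, role, state, hello time, flags.
PORT_RE = re.compile(r"^(\S+)\s+\S+\s+\d+\s+\d+\s+([A-Z]+)\s+([A-Z]+)\s+\d+\s+\S+")


def norm_mac(mac):
    """Normalise 90:6C:AC:AA:C6:64 and 906cacaac664 to the same form."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def parse_stp_instance(text):
    info = {"root_mac": None, "root_prio": None, "bridge_mac": None, "ports": {}}
    for line in (l.strip() for l in text.splitlines()):
        if m := ROOT_RE.match(line):
            info["root_mac"], info["root_prio"] = norm_mac(m[1]), int(m[2])
        elif m := BRIDGE_RE.match(line):
            info["bridge_mac"] = norm_mac(m[1])
        elif m := PORT_RE.match(line):
            info["ports"][m[1]] = (m[2], m[3])  # (role, state)
    return info


def check_root(text, expected_root_mac, expected_prio):
    """Return a list of findings; an empty list means the switch sees the expected root."""
    info, findings = parse_stp_instance(text), []
    if info["root_mac"] != norm_mac(expected_root_mac):
        findings.append(f"unexpected root bridge {info['root_mac']}")
    if info["root_prio"] != expected_prio:
        findings.append(f"unexpected root priority {info['root_prio']}")
    if info["root_mac"] == info["bridge_mac"]:
        findings.append("switch considers itself the root")
    root_ports = [p for p, (role, state) in info["ports"].items()
                  if role == "ROOT" and state == "FORWARDING"]
    if len(root_ports) != 1:
        findings.append(f"expected one forwarding root port, found {len(root_ports)}")
    return findings


if __name__ == "__main__":
    print(check_root(S124E_OUTPUT, "90:6C:AC:AA:C6:64", 4096) or "root bridge as expected")
```

Any finding means the switch no longer agrees that the FortiGate is the CIST root, so the priority and revision settings above should be re-checked.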