FortiSwitch
laltuzar
Staff
Article Id 413459
Description

 

This article describes the FortiLink topologies supported by Fortinet and some notes on what to expect when enabling or disabling 'fortilink-split-interface' on the FortiLink interface.

 

Scope

 

FortiOS 7.2 and upwards.
FortiSwitch OS 7.2 and upwards.

 

Solution

 

When FortiLink is set as an aggregate interface, there are three common scenarios:

  1. FortiSwitches in MCLAG connected to FortiGate
  2. FortiSwitches that do not support or use MCLAG, interconnected with an ISL (LACP between Forti...
  3. One FortiSwitch connected to FortiGate using several members of the same Link Aggregation Group

Scenario 1. The first scenario is well explained in this documentation: Transitioning from a FortiLink split interface to a FortiLink MCLAG

In this scenario, 'fortilink-split-interface' must be disabled in order to have both FortiSwitches 'Online' on FortiGate and managed by the switch controller. Note that this step can be completed only after the ICL trunk has been configured, not before.

 

Scenario 2. In this second scenario, there may be FortiSwitches that support MCLAG and those that do not. Both kinds are interconnected with each other using an ISL trunk (LACP). This trunk is negotiated and configured automatically due to the 'default-auto-isl' LLDP profile configured on all FortiSwitches and 'auto-isl' being enabled by default on all switches.

In this scenario, if the second switch is connected to the FortiGate (whether to a FortiGate cluster or a standalone FortiGate), the link will not come up, as 'fortilink-split-interface' must be enabled. If 'fortilink-split-interface' is disabled, it will cause a split-brain scenario, so disabling the split interface in this scenario is not recommended. Only one of the LACP links going to the FortiGate will come up; the rest will remain in 'Suspended' mode in LACP and 'down' on the FortiGate. This is expected and is documented here: FortiLink split interface - FortiSwitch 7.6.4 FortiLink Guide.

laltuzar_0-1759333239128.png

 

This scenario would be exactly the same as the scenarios described here:

laltuzar_1-1759333239134.png

 

Important: This topology assumes an 802.3ad interface type for the FortiLink interface. There is an alternative that allows both FortiSwitches to be online without being cascaded. However, this alternative uses a hardware-switch interface as FortiLink with STP enabled on it, not a LAG as the present article suggests. This alternative is described here: HA-mode FortiGate units using hardware-switch interfaces and STP, and can be configured as follows: Technical Tip: HA mode FortiGate units using hardware switch.

Note: Connecting more than one link as LACP members will not enable all LAG members from the FortiSwitch to the FortiGate, even when 'fortilink-split-interface' is set to 'disable'. Only one of the links will remain active, as the example below shows, following the same principle explained earlier in this article (Scenario 1):

laltuzar_2-1759333239140.png

 

Scenario 3. In this third scenario there is only one FortiSwitch connected to the FortiGate directly. In this scenario, 'fortilink-split-interface' must be set to 'disable'. This way, the three links will come up. Other FortiSwitches can be connected in a cascade below this first FortiSwitch and FortiLink will work correctly. This is documented here: FortiLink split interface.

laltuzar_3-1759333239143.png

 

This also applies if the switch is connected to a FortiGate cluster (HA). In such cases, the topology will be as follows:

laltuzar_4-1759333239147.png
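
The three scenarios above can be turned into a configuration check. The following Python code is an added example, not part of the original article or any Fortinet tooling: it parses a FortiGate interface configuration and reports an aggregate FortiLink interface whose 'fortilink-split-interface' value contradicts the topology. The topology labels, the sample configuration and the treatment of an omitted setting as 'enable' are assumptions made for the example.

```python
import re

# Expected 'fortilink-split-interface' value per scenario, as stated in the article.
EXPECTED = {
    "mclag": "disable",          # Scenario 1: both MCLAG peers come online
    "isl-no-mclag": "enable",    # Scenario 2: disabling risks split-brain
    "single-switch": "disable",  # Scenario 3: all LAG members come up
}

# Constructed sample of 'show system interface' output (not from the article).
SAMPLE_CONFIG = '''
config system interface
    edit "port1"
        set type physical
    next
    edit "fortilink"
        set fortilink enable
        set type aggregate
        set member "port9" "port10"
        set fortilink-split-interface disable
    next
end
'''

def parse_interfaces(text):
    """Return {interface name: {setting: value}} from 'edit ... next' blocks."""
    interfaces, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r'edit "?([^"]+)"?$', line):
            current = interfaces.setdefault(m.group(1), {})
        elif line == "next":
            current = None
        elif current is not None and (m := re.match(r"set (\S+) (.+)$", line)):
            current[m.group(1)] = m.group(2)
    return interfaces

def audit_fortilink(text, topology):
    """List aggregate FortiLink interfaces whose setting contradicts the topology."""
    findings = []
    for name, cfg in parse_interfaces(text).items():
        if cfg.get("fortilink") != "enable" or cfg.get("type") != "aggregate":
            continue
        # Assumption: an omitted setting means the default, taken here as 'enable'.
        actual = cfg.get("fortilink-split-interface", "enable")
        if actual != EXPECTED[topology]:
            findings.append(f"{name}: fortilink-split-interface is {actual}, "
                            f"expected {EXPECTED[topology]} for {topology}")
    return findings
```

Calling `audit_fortilink(SAMPLE_CONFIG, "isl-no-mclag")` flags the sample, because it disables the split interface in the topology where the article warns of split-brain.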
