Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
pieciaq
New Contributor III

Created on ‎01-04-2024 05:20 AM

FortiSwitch to FortiGate - best connection concept

Hello there,

 

I need to make new connection with 4 FortiSwitches 448E FPoE and FortiGate 100F in HA cluster.

Because distance between FortiGates and FortiSwitches is over 400 meters (different buildings) and I got 8 optic fibers for this connection.

My question is what is best recommendation for connecting FortiSwitches with FortiGate to make it redundant and maximize speed of given ports.

  • In FortiGate I was thinking of use X1 and X2.
  • Also want to use FortiLink for management.
  • Nice if both links will be used.

In attachment network connection plan I was thinking off.

Any suggestion or good practice will be nice to read.

VGP new building network - logical for FortiComunityForum.drawio.png

Piotr$
Piotr$
Labels:
837
0 Kudos
1 Solution
Christian_89
Contributor III

Created on ‎01-20-2024 10:08 AM

Connecting multiple FortiSwitches to a FortiGate appliance, especially over a longer distance and with redundancy in mind, requires careful planning. Here are some best practices and considerations for your setup:

1. **Use of Optic Fibers**: Given the distance between the FortiSwitches and the FortiGate, using fiber optic cables is the right choice. Ensure that the transceivers and fiber types (single-mode or multi-mode) are compatible and suitable for the distance.

2. **Leveraging FortiLink**: Using FortiLink is a good strategy for managing the FortiSwitches through the FortiGate. It simplifies the management and can centralize many of the security and network policies.

3. **Redundancy and High Availability (HA)**: Since you have a FortiGate HA cluster, it's crucial to ensure that your FortiSwitches are connected in a way that maintains redundancy. This means each FortiSwitch should have connections to both FortiGates in the HA pair.

4. **Port Selection and Link Aggregation**:
- Utilize the SFP+ ports on the FortiGate 100F, such as X1 and X2, for high-speed connectivity.
- Consider implementing link aggregation (LACP) if the FortiSwitches support it. This can combine multiple fiber connections into a single logical link, providing increased bandwidth and redundancy.
- Connect each FortiSwitch to both FortiGates. For example, FortiSwitch 1 could have one connection to FortiGate A and another to FortiGate B. The same applies to the other switches.

5. **Load Balancing and Failover**:
- Configure the FortiGate and FortiSwitches for active-active or active-passive failover, ensuring that if one link goes down, the other can take over without significant disruption.
- For load balancing, ensure the traffic is evenly distributed across the available links.

6. **Network Segmentation and VLANs**:
- Properly configure VLANs for network segmentation. This is especially important if the switches are servicing different areas or types of devices.
- Ensure VLANs are properly tagged and recognized across the FortiLink connection.

7. **Testing and Validation**:
- After setting up, thoroughly test the configuration to ensure that failover and load balancing work as expected.
- Check the performance over the fiber links to ensure they are operating at the expected speeds.

8. **Firmware and Software Consistency**:
- Ensure that both the FortiGates and FortiSwitches are running compatible firmware versions to avoid any compatibility issues, especially for FortiLink.

9. **Monitoring and Maintenance**:
- Once operational, continuously monitor the links for any signs of degradation or failure.
- Regularly check the system logs for any anomalies or errors.

10. **Documentation**:
- Document your configuration thoroughly, including network diagrams, port assignments, VLAN configurations, and failover setups.

Remember, each environment can have its unique challenges and requirements, so while these guidelines provide a general best practice approach, they should be adapted to fit your specific situation. Additionally, consulting with Fortinet support or a network specialist can provide more tailored advice considering the specifics of your network and equipment.

View solution in original post

586
0 Kudos
4 REPLIES 4
ebilcari
Staff
Staff

Created on ‎01-04-2024 05:26 AM

You can refer to the topology section on the admin guide that include practically all the possible ways when using FortiLink mode.

In this case maybe "HA-mode FortiGate units managing a stack of several FortiSwitch units" fits better or try the two-tier topology if you are able to build a distribution layer.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
829
Christian_89
Contributor III

Created on ‎01-20-2024 10:08 AM

Connecting multiple FortiSwitches to a FortiGate appliance, especially over a longer distance and with redundancy in mind, requires careful planning. Here are some best practices and considerations for your setup:

1. **Use of Optic Fibers**: Given the distance between the FortiSwitches and the FortiGate, using fiber optic cables is the right choice. Ensure that the transceivers and fiber types (single-mode or multi-mode) are compatible and suitable for the distance.

2. **Leveraging FortiLink**: Using FortiLink is a good strategy for managing the FortiSwitches through the FortiGate. It simplifies the management and can centralize many of the security and network policies.

3. **Redundancy and High Availability (HA)**: Since you have a FortiGate HA cluster, it's crucial to ensure that your FortiSwitches are connected in a way that maintains redundancy. This means each FortiSwitch should have connections to both FortiGates in the HA pair.

4. **Port Selection and Link Aggregation**:
- Utilize the SFP+ ports on the FortiGate 100F, such as X1 and X2, for high-speed connectivity.
- Consider implementing link aggregation (LACP) if the FortiSwitches support it. This can combine multiple fiber connections into a single logical link, providing increased bandwidth and redundancy.
- Connect each FortiSwitch to both FortiGates. For example, FortiSwitch 1 could have one connection to FortiGate A and another to FortiGate B. The same applies to the other switches.

5. **Load Balancing and Failover**:
- Configure the FortiGate and FortiSwitches for active-active or active-passive failover, ensuring that if one link goes down, the other can take over without significant disruption.
- For load balancing, ensure the traffic is evenly distributed across the available links.

6. **Network Segmentation and VLANs**:
- Properly configure VLANs for network segmentation. This is especially important if the switches are servicing different areas or types of devices.
- Ensure VLANs are properly tagged and recognized across the FortiLink connection.

7. **Testing and Validation**:
- After setting up, thoroughly test the configuration to ensure that failover and load balancing work as expected.
- Check the performance over the fiber links to ensure they are operating at the expected speeds.

8. **Firmware and Software Consistency**:
- Ensure that both the FortiGates and FortiSwitches are running compatible firmware versions to avoid any compatibility issues, especially for FortiLink.

9. **Monitoring and Maintenance**:
- Once operational, continuously monitor the links for any signs of degradation or failure.
- Regularly check the system logs for any anomalies or errors.

10. **Documentation**:
- Document your configuration thoroughly, including network diagrams, port assignments, VLAN configurations, and failover setups.

Remember, each environment can have its unique challenges and requirements, so while these guidelines provide a general best practice approach, they should be adapted to fit your specific situation. Additionally, consulting with Fortinet support or a network specialist can provide more tailored advice considering the specifics of your network and equipment.

587
0 Kudos
AEK
SuperUser
SuperUser

Created on ‎01-20-2024 12:24 PM

Hi Pieciaq

If you use X ports, 400m for 10Gb I think you are at the maximum supported by OM5 in multimode, or you are approaching it. So be careful of the distance and cable quality.

AEK
AEK
573
0 Kudos
pieciaq
New Contributor III

Created on ‎03-15-2024 03:49 AM

Thank You for for help and answers.

Make this configuration, now in testing phase all looks very promising.

 

When configuring this and reading tech documentation I had additional questions regarding the following configuration:
1. By using MCLAG and connecting them to two switches via ports x1 and x2 on FGT and 10 Gbit ports on FSW, will I achieve a theoretical total throughput of 20 Gbit/s? How will traffic through these two connections be routed?

2. Is it be better also to make MCLAG connection with two connection between Access-002 and Access-03 then normal link that in this configuration right now has down?

project.png

Piotr$
Piotr$
435
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.