Hi all,
I'm in the process of replacing hardware for a customer. Right now their network is based on Aruba CX switches (see diagram below); they have 2 core switches operating VSX with MCLAG to the access switch layer. The access switches are Aruba CX6200 stacks with like 3/4/5 switches per network closet. The Aruba switches are stacked and have an LACP trunk to the MCLAG on the core switches. The customer recently switched their firewall to a FortiGate cluster and they are considering replacing their switching network with Fortinet as well.
So far I have found a decent replacement for the core switch, but for access layer switches I can't quite grasp the concepts that Fortinet is using.
From what I've understood so far, I should use MCLAG on the access switches as well. If there are more than 2 switches in a network closet, how would I include these in this network?
Should I just create a ring network and have Spanning-tree take care of the loop?
Are there other alternatives to connect (more than 2) switches to the core switches using a LACP link?
Thanks in advance for your time and answer.
Hi there,
I hope you're well.
MCLAG is extended down to the access layer, which allows redundant uplinks. If there is a requirement for multiple access switches, redundancy becomes even more critical. I would have a pair of switches (MCLAG ICL) terminating the redundant uplinks to the core, and then you can simply plug the remaining access switches into this access MCLAG tier and they will automatically establish their ISL trunks.
Let me know if you have any other questions.
Regards,
Dan_Eng52
Hi Jvgestel,
Mocked up a quick diagram for you. In your case, with dual HA FortiGates, a core layer and MCLAG at the access layer, it would look something like this. Hope that helps.
Regards,
Dan_Eng52
Hi Dan_Eng52,
Thanks a lot for your reply and diagram, it's much appreciated.
From a management perspective, in your diagram I would be managing 8 individual access switches, correct? What would be the best way to manage these devices? Through the FortiGate, FortiCloud, or are there better alternatives?
Thanks again,
Regards,
jvgestel
Hi Dan_Eng52,
Another question came to mind regarding the access layer. In your diagram there are 2 MCLAG clusters, and each switch in the cluster has an access switch connected over what I presume is an LACP link. Shouldn't that switch be connected to both of the switches? If one of the switches connecting to the core fails, the underlying switch would fail as well.
Also, what if I need to connect 2 or 4 more switches to that access layer group on the left, would I just daisy-chain them?
Hi Jvgestel,
No worries. If they already have FortiGates in situ, I would opt for these to be managed through the FortiGate. In my opinion, these FortiSwitches really come into their own when managed in this way, as you can monitor and manage everything from one pane.
Yes, you could do that. Or, in your case, if you were to add 2, 4, etc. switches on top of that as you said, you can simply create a ring with at least one 10-GbE link between each of the switches. This way, with MCLAG you can make use of all the links simultaneously, providing greater throughput, and the ring will use MSTP for loop protection and in the event of a switch failure will have an alternate root.
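The redundancy point raised in the question (an access switch hanging off only one member of the MCLAG pair fails with that member) and the ring layout in the answer can be checked mechanically. The following is an added example, not code from this thread or from Fortinet: it models each switch as a graph node and each cable (uplink, ICL, ring link) as an edge, then simulates every single switch or link failure and reports which access switches lose all paths to a surviving core. Both topologies and all switch names are constructed for the example; the model checks physical reachability only and does not simulate MSTP convergence or MCLAG behaviour.

```python
"""Single-point-of-failure check for the two access-layer layouts in this thread.

Constructed example, not code from the thread or from Fortinet: each switch is a
graph node, each cable (uplink, ICL, or ring link) an edge.  A failure isolates
an access switch when that switch can no longer reach any surviving core.
"""

CORES = {"core1", "core2"}
ACCESS = {"acc1", "acc2"}

# Constructed topology 1: the layout questioned above. acc1 hangs off mclag1
# only and acc2 off mclag2 only; there is no ring link between acc1 and acc2.
SINGLE_HOMED = [
    ("core1", "core2"),                        # core MCLAG ICL
    ("mclag1", "mclag2"),                      # access-tier MCLAG ICL
    ("mclag1", "core1"), ("mclag1", "core2"),  # redundant uplinks to core
    ("mclag2", "core1"), ("mclag2", "core2"),
    ("acc1", "mclag1"),
    ("acc2", "mclag2"),
]

# Constructed topology 2: the same, plus the ring link acc1-acc2 from the answer
# (mclag1 - acc1 - acc2 - mclag2 - ICL - mclag1 forms the ring).
RING = SINGLE_HOMED + [("acc1", "acc2")]


def build_adjacency(links):
    """Undirected adjacency map from a list of (a, b) cable pairs."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def reachable(adj, start, down_nodes, down_links):
    """Nodes reachable from start while down_nodes and down_links are out of service."""
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        if node in seen or node in down_nodes:
            continue
        seen.add(node)
        for nbr in adj.get(node, ()):
            if nbr not in down_nodes and frozenset((node, nbr)) not in down_links:
                stack.append(nbr)
    return seen


def isolated_by(links, cores, access, down_node=None, down_link=None):
    """Access switches that lose every path to a surviving core under one failure."""
    adj = build_adjacency(links)
    down_nodes = {down_node} if down_node else set()
    down_links = {frozenset(down_link)} if down_link else set()
    live_cores = set(cores) - down_nodes
    return sorted(
        sw for sw in access
        if sw not in down_nodes
        and not (reachable(adj, sw, down_nodes, down_links) & live_cores)
    )


def single_points_of_failure(links, cores=CORES, access=ACCESS):
    """Map each single switch or link failure to the access switches it isolates."""
    spof = {}
    for node in sorted({n for link in links for n in link}):
        hit = isolated_by(links, cores, access, down_node=node)
        if hit:
            spof[node] = hit
    for link in links:
        hit = isolated_by(links, cores, access, down_link=link)
        if hit:
            spof[link] = hit
    return spof


if __name__ == "__main__":
    for name, topo in (("single-homed", SINGLE_HOMED), ("ring", RING)):
        print(name, single_points_of_failure(topo) or "no single point of failure")
```

Run as a script, the single-homed layout reports that losing either MCLAG member, or the single cable to it, isolates the access switch behind it, while the ring layout reports no single point of failure, which is the behaviour the answer describes once MSTP has blocked one ring link and unblocks it on failure.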
Thanks for your clear explanation Dan_Eng52, much appreciated.
Hi @Jvgestel
In addition to Dan's response, you may have a look at the below document, if not already done.
Copyright 2024 Fortinet, Inc. All Rights Reserved.