Zenith
New Contributor

Spanning tree on software switch?

Hi guys, I'm new to a lot of these concepts so maybe I'm missing something obvious, but some input would be really appreciated! Basically I'm setting up a 100D HA pair (active/passive) and four 2960S switches in our datacentre. There will be one FGT and two switches per cabinet, with the cabinets linked by Ethernet connections. The idea being that in say cabinet A a host could have two NICs with one connected to each switch, so if a switch fails in a cabinet it's no problem, and if a firewall fails in either cabinet it's no problem.

I have it all in place and it's working fine but I have a bit of a concern with how spanning-tree has set the links between the Cisco switches. I had envisaged lots of connections between all the switches and traffic could take the shortest route, but of course this is routing, not switching, which became obvious when I started looking into STP. I've attached a diagram of how STP has enabled/disabled links. The FGT is configured with a four port software switch that the links from the four 2960s connect to.

The problem in the attached diagram is that if servers on different switches want to talk to each other the traffic will be sent down the link to the FGT then back down another link to the relevant switch. It seems like a waste to take this route when there are (currently blocked) links between the switches themselves. The main thing I'm concerned about is the load it's going to put on the FGT if it has to software-switch all possible traffic in the network. Now of course the good thing here is if a switch fails STP should bring up another link to the FGT, and in reality most of the traffic on the network will be from servers to the FGT (not too much inter-server traffic) but that could change. Is there a way to fix this or should I not be concerned in the first place?
It seems like if I could stop the FGT acting as a switch then STP could enable all the inter-switch uplinks without creating loops and hence have more efficient paths between switches, however the software switch is kinda key to the various VLANs running across the switches :). Any thoughts?
Bunce
New Contributor

Have you looked at the 'Redundant Interface' feature of the FortiGate, rather than a software switch? It probably depends on whether you want to use Link Aggregation on the switches, but if not, you can set up the four interfaces on the FGT into a single 'Redundant Interface' which will in effect just use one of the links unless there is a failure. It's documented pretty well in the HA guide. We're set up similarly, but using just two switches and redundant interfaces to create the mesh. We also have an ISL between the two switches.
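The two FortiOS configurations being compared in this reply, as an added example (not taken from the post or from Fortinet's documentation): the four-port software switch the original poster describes, and the redundant interface suggested as the alternative. Interface names, the VDOM, the IP addresses and the VLAN ID are placeholders; the member ports must be free physical interfaces, so the software switch has to be deleted before the same ports can be used in the redundant interface.

```fortios
# Added example, FortiOS CLI. Names and addresses are assumptions.

# Original design: a four-port software switch. The FortiGate bridges
# frames between all four members, so it sits in the STP topology and
# can end up carrying switch-to-switch traffic.
config system switch-interface
    edit "lan-sw"
        set vdom "root"
        set type switch
        set member "port1" "port2" "port3" "port4"
    next
end

# Alternative: a redundant interface. Members are listed in order of
# preference; only one carries traffic at a time and the next one takes
# over on link loss, so the FortiGate never bridges frames between the
# 2960s. Remove "lan-sw" first so the ports are free.
config system interface
    edit "lan-red"
        set vdom "root"
        set type redundant
        set member "port1" "port2" "port3" "port4"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https ssh
    next
end

# VLAN sub-interfaces attach to the redundant interface in the same way
# they would attach to a software switch, so tagged VLANs trunked from
# the 2960s still terminate on the FGT.
config system interface
    edit "vlan10"
        set vdom "root"
        set interface "lan-red"
        set vlanid 10
        set ip 10.0.10.1 255.255.255.0
        set allowaccess ping
    next
end
```

With the redundant interface the FGT only ever has one active uplink, so the inter-switch links that STP currently blocks are free to forward; the cost is that all firewall-bound traffic enters through whichever switch holds the active member, which is the trade-off the next reply raises.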
romanr
Valued Contributor

Hi, I already ran into the same trouble with the 100D "hardware switch" (which actually isn't one, but that's some different story!) ... Spanning Tree Protocol is only present for the complete switch in "switch mode". br, Roman
Zenith
New Contributor

Thanks for the replies guys. That's a good idea on the redundant interfaces, we do not have a need for link aggregation. The problem then is that all traffic destined for the firewall will have to pass through the one switch that has the active link, which may not be a big deal when the firewall is just doing Internet access and server-server traffic is primarily switch-switch, however in our case the network will be quite heavily VLANed so a fair bit of the server-server traffic will be between VLANs meaning a trip through the firewall is required! Ideally if the FGT could stop allowing traffic between the four uplinks, unless that traffic is going between two separate VLANs/subnets/VDOMs, then you could have four active links from the switches to the FGT and also have three of those links between the switches live for any server-server traffic that is within a single VLAN and hence doesn't need to hit the FGT. What solution did you come up with roman?
rwpatterson
Valued Contributor III

Why don't you stack the switches into pairs? You'll then solve half your problems.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Zenith
New Contributor

rwpatterson - Cost unfortunately. For the size of the operation what we spent on this setup was already a stretch, stacking modules and the higher-end licences required for the switches was just too much.
rwpatterson
Valued Contributor III

Makes sense. We use Alcatel here. The stacking modules are built in and the stacking cables are under a hundred bucks.... No additional software or licenses are needed.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Rick_H
New Contributor III

It will probably work fine the way you have it, but your FGT is processing a lot more traffic than it needs to. The switch on the 100D is probably robust enough to handle it, but I don't think I'd leave it like this. Here's what I'd do:

To make everything operate the way you want this will take some customization on the STP config. I'm not sure how familiar you are with Cisco switching, but read this quick primer on STP for their kit. Set SW1 as the root and SW3 as the secondary. Set the port priority on the link between SW1 and SW3 very high (a number below the default of 128), then set the priority on the link between SW2 and SW4 to be low (above the default of 128). This will ensure that the channel group between SW1 and SW3 is always forwarding and the channel between SW2 and SW4 is always blocking.

I'm not sure what the default STP port priority is on the FGT, but I imagine it is set at 128. I would set the port priority on the links between all of your switches and the FGT lower than whatever you set the link between SW2 and SW4 (again, higher number). This way there is not a chance that "normal" traffic will be traversing the FGT unless it actually needs to. You will end up with just one forwarding interface on the FGT--and therefore all traffic that needs to talk to the FGT going through one interface--but STP should kick in and unblock one if you have a failure somewhere. Hope that helps.
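The STP tuning described in this reply written out as Cisco IOS configuration for the four 2960S switches, as an added example that is not part of the post. Port numbers, VLAN ranges and which physical port faces which neighbour are assumptions; the topology assumed is SW1 and SW2 in cabinet A, SW3 and SW4 in cabinet B, an inter-cabinet uplink SW1-SW3 and another SW2-SW4, plus one uplink from every switch into the FGT software switch. Port priority is set on the upstream (designated) side of each link, since that is the value the downstream switch compares when choosing its root port. The cost lines on the FGT-facing ports are an addition beyond the reply's own recipe.

```cisco
! Added example, Cisco IOS (2960S). Interface numbers are placeholders.

! ---- SW1: root bridge for every VLAN ----
spanning-tree mode rapid-pvst
spanning-tree vlan 1-4094 root primary
!
interface GigabitEthernet1/0/49
 description Inter-cabinet uplink to SW3 (preferred, keep forwarding)
 switchport mode trunk
 spanning-tree port-priority 32
!
interface GigabitEthernet1/0/50
 description Uplink to FGT software switch (least preferred)
 switchport mode trunk
 spanning-tree port-priority 240
 spanning-tree vlan 1-4094 cost 100

! ---- SW3: secondary root ----
spanning-tree mode rapid-pvst
spanning-tree vlan 1-4094 root secondary
!
interface GigabitEthernet1/0/50
 description Uplink to FGT software switch (least preferred)
 switchport mode trunk
 spanning-tree port-priority 240
 spanning-tree vlan 1-4094 cost 100

! ---- SW2: designated end of the SW2-SW4 link, made unattractive ----
spanning-tree mode rapid-pvst
!
interface GigabitEthernet1/0/49
 description Inter-cabinet uplink to SW4 (should stay blocking)
 switchport mode trunk
 spanning-tree port-priority 192
!
interface GigabitEthernet1/0/50
 description Uplink to FGT software switch (least preferred)
 switchport mode trunk
 spanning-tree port-priority 240
 spanning-tree vlan 1-4094 cost 100

! ---- SW4 ----
spanning-tree mode rapid-pvst
!
interface GigabitEthernet1/0/50
 description Uplink to FGT software switch (least preferred)
 switchport mode trunk
 spanning-tree port-priority 240
 spanning-tree vlan 1-4094 cost 100

! ---- Verification, run on each switch ----
! show spanning-tree root
! show spanning-tree vlan 10
! show spanning-tree interface GigabitEthernet1/0/50 detail
```

Why the cost lines are there: if the FGT software switch passes BPDUs through like a plain wire (which the blocked inter-switch links in the original post suggest it does), a non-root switch can see the root over its direct uplink and over the path through the FGT at the same root path cost, and then only the tie-breakers (sender bridge ID, then sender port priority and port number) decide which link forwards. Port priority alone therefore works, but raising the cost on every FGT-facing port makes the preference explicit and survives a later change of port numbering. After applying the change, `show spanning-tree vlan 10` on SW3 and SW4 should list the direct inter-cabinet uplink as the root port and the FGT-facing port as an alternate (blocking) port; if a switch's uplink fails, the FGT-facing port is what takes over.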
emnoc
Esteemed Contributor III

He probably has LAN Lite licensed switches, so these don't support FlexStack nor have the ability to be upgraded. But yes, that would solve any STP issues. In fact he could do multi-switch EtherChannel and aggregate 1 gigs to each switch if he had a FlexStack stack. That's how I typically deploy firewalls in a stacked environment.

PCNSE NSE StrongSwan
bigkeoni64
Contributor

Has this setup actually worked? Seems as though there would be some serious loops created and I would assume that each switch should have an LACP port-channel formed between FGT-1 & FGT-2. Also if the software switch is one big group - will it successfully form the LACP AGG with each switch?
I've done this type of setup also on a different vendor FW, but with a 5 stack of Ruckus switches.
