Fortinet FortiSwitch-5003, Fabric And Base Backplane Communications Manual

Page 1: ... Guide describes using the FortiSwitch 5003A board and FortiSwitch 5003 board for FortiGate 5000 series base and fabric backplane switching This document also contains the FortiSwitch 5003A CLI reference The most recent versions of this and all FortiGate 5000 series documents are available from the FortiGate 5000 page of the Fortinet Technical Documentation web site http docs forticare com Visit h...

Page 2: ...ng an anti static wrist strap and attaching it to an available ESD connector such as the ESD sockets provided on FortiGate 5000 series chassis Make sure all FortiGate 5000 series components have reliable grounding Fortinet recommends direct connections to the building ground If you install a FortiGate 5000 series component in a closed or multi unit rack assembly the operating ambient temperature o...

Page 3: ...twork activity LEDs 19 Connectors 20 Base backplane communications 20 FortiGate 5140 fabric backplane communication 23 Fabric gigabit switching within a chassis 24 Fabric channel connections between FortiSwitch 5003A boards 27 Fabric gigabit switching between chassis 27 Fabric gigabit switching to the network 29 Fabric 10 gigabit switching within a chassis 31 Fabric channel layer 2 link aggregatio...

Page 4: ...xample active active redundant link configuration 66 Verifying the spanning tree configuration of a FortiSwitch 5003A board in slot 1 66 FortiGate 5140 and 5050 base backplane communication 67 Base channel connections between FortiSwitch 5003A boards 68 Base backplane HA configurations 68 Two FortiSwitch boards per chassis 69 Heartbeat failover between channels 71 One FortiSwitch board per chassis...

Page 5: ... 106 date 107 factory reset 108 ping 109 reboot 110 restore 111 shutdown 112 time 113 top 114 traceroute 115 get 116 system performance 116 system status 117 diagnose 118 Monitoring the status of trunk members 118 spanning tree instance fabric channel 119 spanning tree mst config fabric channel 120 switch fabric channel mac address filter 121 switch fabric channel mac address list 122 Index 123 Fo...

Page 6: ...Contents FortiSwitch 5003A and 5003 Fabric and Base Backplane Communications Guide 6 01 30000 85717 20081205 http docs fortinet com Feedback ...

Page 7: ...FortiSwitch 5003A boards in the first and second hub switch fabric slots For most versions of the FortiGate 5140 and 5050 chassis the hub switch base and fabric slots are slots 1 and 2 For more information about each chassis see the FortiGate 5140 Chassis Guide and the FortiGate 5140 Chassis Guide FortiSwitch 5003A and 5003 boards can be used for fabric and base backplane layer 2 switching within ...

Page 8: ...le 1 Revision History Version Description of changes 01 30005 0423 20070829 First version 01 30000 85717 20081128 Re written to include the FortiSwitch 5003A board more information about both FortiSwitch boards fabric backplane functionality and the FortiSwitch 5003A CLI reference Note The FortiSwitch 5003A board does not support Link Aggregation Control Protocol LACP LACP is also called 802 3ad d...

Page 9: ...l MSTP for the fabric channels You can use these features to configure link aggregation and support redundant FortiSwitch 5003A switch configurations to distribute traffic to multiple FortiGate 5000 boards The FortiGate 5000 boards must operate in Transparent mode all are managed separately and all must have the same configuration A FortiSwitch 5003A board in hub switch fabric slot 1 provides comm...

Page 10: ...etween FortiGate 5001A and FortiGate 5005FA2 boards and the FortiSwitch 5003A over the fabric channel to support MSTP configurable from the FortiGate 5001A and FortiGate 5005FA2 systems Standard FortiOS command line interface CLI for configuring fabric switch settings VLANs MSTP trunks and so on Front panel LEDs and connectors From the FortiSwitch 5003A font panel you can view the status of the bo...

Page 11: ...at do not affect normal operation RST Reset switch Press and hold Reset for three seconds to restart the FortiSwitch 5003A board Base Network Activity LEDs Solid Green Indicates this interface is connected to the 1 gigabit base channel interface of a FortiGate 5000 board Table 3 on page 12 lists the base network activity LEDs and the interface that each represents Blinking Green Indicates 1 gigabi...

Page 12: ...when the FortiSwitch 5003A board is starting up or shutting down Off Normal operation The FortiSwitch 5003A board is in contact with the chassis backplane Table 2 FortiSwitch 5003A front panel LEDs and switches Continued LED State Description Table 3 Base channel interfaces and network activity LEDs Interface Name Description SH1 If the FortiSwitch 5003A board is in the first hub switch fabric slo...

Page 13: ...k Table 3 Base channel interfaces and network activity LEDs Interface Name Description Table 4 Fabric channel interfaces Interface Name Description Front Panel CLI 2 1 slot 2 1 Interface between fabric channel 1 and fabric channel 2 If there are two FortiSwitch 5003A boards installed in a chassis this interface can be used to communicate between them In some configurations you may have to disable ...

Page 14: ...e base1 as the HA heartbeat interface Table 5 Fabric network activity LEDs Fabric network activity LED Interface or connection 2 1 Fabric channel connection between fabric channel 1 and fabric channel 2 This LED is lit if there are two FortiSwitch 5003A boards installed in the chassis to indicate fabric backplane communication between them 3 to 13 Fabric backplane connection to FortiGate 5000 boar...

Page 15: ...it connectivity between the external and internal network Figure 5 Example 10 gigabit connection between internal and external networks 1 2 2 3 4 5 SMC 1 SMC POWER 5050SAP SERIAL 1 SERIAL 2 ALARM 10 100 link Act ETH0 Service RESET STATUS Hot Swap link Act ETH0 ETH1 10 100 5000SM 10 100 link Act ETH0 Service RESET STATUS Hot Swap link Act ETH0 ETH1 10 100 5000SM Base channel 1 HA Heartbeat Communic...

Page 16: ...itch 5003A front panel f5 interface The switch adds VLAN tags to traffic from the internal and external networks Figure 6 Basic link aggregation configuration Distributed 10 gigabit data communication on fabric channel 1 Six FortiGate RTM XB2 modules installed in RTM slots 6 8 9 10 11 and 13 to provide 10 gigabit fabric interfaces and NP2 acceleration for each FortiGate 5001A board Internal and ex...

Page 17: ...t 2 and configure the FortiGate 5000 boards installed in the chassis to use the correct base backplane interface The FortiSwitch 5003 board includes the following features A total of 16 10 100 1000Base T gigabit ethernet interfaces 13 backplane 10 100 1000Base T gigabit interfaces for base backplane switching between FortiGate 5000 series boards installed in the same chassis as the FortiSwitch 500...

Page 18: ...ating normally Yellow Caution status Caution status is indicated by the fault condition of the CLOCK OK or INT FLT LEDs Off The board is not connected to power System Off Normal operation E0 E1 Yellow or Green Link status of out of band management interfaces not used ZRE 0 15 ZRE network activity LEDs LED Mode switch changes mode Green Link Activity mode Blinking to indicate network traffic on thi...

Page 19: ...oftware problem with the FortiSwitch 5003 board Hot Swap Blue Indicates the FortiSwitch 5003 board is ready to be hot swapped During a hot swap the LED is on The LED turns off when the FortiSwitch 5003 board is correctly installed Reset switch Press and hold Reset for three seconds to restart the FortiSwitch 5003 board Table 7 FortiSwitch 5003 board front panel LEDs and switches Continued LED Stat...

Page 20: ... interfaces for connections between base backplane interface 1 and base backplane interface 2 Again these connections can be within the same chassis or among multiple chassis A FortiSwitch 5003 board in slot 1 provides communications on base backplane interface 1 The FortiGate 5001SX and the FortiGate 5001FA2 boards communicate with base backplane interface 1 using the interface named port9 The Fo...

Page 21: ...the same base backplane interface you may experience some bandwidth limitations To increase the amount of bandwidth available you can add a second FortiSwitch 5003 board and use both backplane interfaces for HA heartbeat and data communication If you have two FortiSwitch 5003 boards and two backplane interfaces available you can balance the traffic between the base backplane interfaces by how you ...

Page 22: ...FortiSwitch 5003A and 5003 Fabric and Base Backplane Communications Guide 22 01 30000 85717 20081205 Base backplane communications FortiSwitch 5003 system ...

Page 23: ...topology connecting to or through the fabric backplane requires FortiSwitch 5003A boards installed in hub switch slot 1 hub switch slot 2 or both FortiSwitch 5003A front panel fabric interfaces can also connect the chassis fabric backplane channels to external devices such as a management computer the network or the fabric backplane of another chassis FortiGate 5001A boards and FortiGate 5005FA2 b...

Page 24: ...etween the fabric backplane interfaces of FortiGate 5001A or 5005FA2 boards installed in a FortiGate 5140 chassis Figure 9 shows a FortiGate 5140 chassis with a FortiSwitch 5003A board in hub switch slot 1 and FortiGate 5001A boards in 6 other slots In this configuration the FortiSwitch 5003A board provides 1 gigabit fabric backplane switching for the FortiGate 5001A fabric1 interfaces The FortiSw...

Page 25: ... tags 201 to 210 on slots 9 11 and 13 from the FortiSwitch 5003A CLI enter config switch fabric channel interface edit slot 9 set allowed vlans 1 201 210 next edit slot 11 set allowed vlans 1 201 210 next edit slot 13 set allowed vlans 1 201 210 end For more information about the FortiSwitch 5003A CLI see FortiSwitch 5003A CLI reference on page 89 Figure 10 shows a FortiGate 5140 chassis with Fort...

Page 26: ...ace edit slot 4 set allowed vlans 1 400 next edit slot 12 set allowed vlans 1 400 end FAN TRAY FAN TRAY FAN TRAY 13 11 9 7 5 3 1 2 4 6 8 10 12 14 5140 CRITICAL RES ET MAJO R MINOR USE R1 USE R2 USE R3 5140SAP SERIAL 1 SERIAL 2 ALARM FILTER 1 2 0 1 2 10 100 link Act ETH0 Service RESET STATUS Hot Swap link Act ETH0 ETH1 10 100 5000SM 10 100 link Act ETH0 Service RESET STATUS Hot Swap link Act ETH0 E...

Page 27: ...lot 2 1 set status down end Fabric gigabit switching between chassis You can use the FortiSwitch 5003A front panel fabric interfaces to provide 10 gigabit data communications between the fabric channels of any combination of FortiGate 5050 and FortiGate 5140 chassis Figure 11 shows data communication between two FortiGate 5140 chassis using fabric channel 1 The top chassis in the figure contains a...

Page 28: ...11 9 7 5 3 1 2 4 6 8 10 12 14 5140 CR ITI CA L RE SE T MA JO R MI NO R US ER 1 US ER 2 US ER 3 5140SAP SERIAL 1 SERIAL 2 ALARM FILTER 1 2 0 1 2 10 100 link Act ETH0 Service RESET STATUS Hot Swap link Act ETH0 ETH1 10 100 5000SM 10 100 link Act ETH0 Service RESET STATUS Hot Swap link Act ETH0 ETH1 10 100 5000SM Fabric channel 1 data communication Fabric channel 1 10 gigabit data communication betwe...

Page 29: ...ic1 or fabric2 interfaces of the FortiGate 5000 boards installed in the chassis Figure 12 shows a FortiGate 5140 chassis containing two FortiSwitch 5003A boards and 6 FortiGate 5001A boards The chassis is connected to internal and an external networks using FortiSwitch 5003A front panel fabric interfaces The internal network is connected to fabric channel 2 using the F7 front panel interface of th...

Page 30: ...lots 6 8 and 10 and the F1 front panel interface from the FortiSwitch 5003A CLI enter config switch fabric channel interface edit slot 6 set allowed vlans 1 201 210 next edit slot 8 set allowed vlans 1 201 210 next edit slot 10 set allowed vlans 1 201 210 next edit f1 set allowed vlans 1 201 210 end Internal Network FAN TRAY FAN TRAY FAN TRAY 13 11 9 7 5 3 1 2 4 6 8 10 12 14 5140 CR ITICAL RE SE T...

Page 31: ...k is connected to the F1 10 gigabit front panel interface of the FortiSwitch 5003A board in slot 1 which connects the external network to fabric channel 1 The internal network is connected to the F7 10 gigabit front panel interface of the FortiSwitch 5003A board in slot 2 which connects the internal network to fabric channel 2 10 gigabit traffic from the external network enters the F1 10 gigabit F...

Page 32: ... TRAY FAN TRAY FAN TRAY 13 11 9 7 5 3 1 2 4 6 8 10 12 14 5140 CR ITI CA L RE SE T MA JO R MI NO R US ER 1 US ER 2 US ER 3 5140SAP SERIAL 1 SERIAL 2 ALARM FILTER 1 2 0 1 2 10 100 link Act ETH0 Service RESET STATUS Hot Swap link Act ETH0 ETH1 10 100 5000SM 10 100 link Act ETH0 Service RESET STATUS Hot Swap link Act ETH0 ETH1 10 100 5000SM Fabric channel 1 10 gigabit data communication Fabric channel...

Page 33: ... to FortiGate 5000 boards installed in multiple chassis You can add up to 8 interfaces to a trunk to distribute sessions among up to 8 FortiGate 5000 boards You can also add multiple trunks to a single FortiSwitch 5003A board The total number of FortiGate 5000 boards in a trunk is limited by the amount of bandwidth you are processing and the capacity of the FortiSwitch 5003A board Fortinet does no...

Page 34: ...rk are tagged as 101 Figure 14 Fabric channel layer 2 link aggregation configuration Note LInk aggregation does not require FortiGate RTM XB2 modules If the example in Figure did not include FortiGate RTM XB2 modules the configuration steps would be the same and link aggregation would still function the same way The only difference is without the FortiGate RTM XB2 modules communication on the fabr...

Page 35: ...an_fab1_100 and vlan_fab1 101 From the FortiGate 5001A CLI enter config system interface edit vlan_fab1_100 set interface fabric1 set vlanid 100 set vdom root etc next edit vlan_fab1_101 set interface fabric1 set vlanid 101 set vdom root etc end Then you can add vlan_fab1_100 to vlan_fab1 101 firewall policies the data traffic You should also configure the FortiGate 5001A boards to send heartbeat ...

Page 36: ... you must configure MSTP to eliminate loops You can also use MSTP settings to control traffic flow and create different kinds of redundant configurations An active passive configuration where the active FortiSwitch 5003A board receives all traffic and distributes it to the FortiGate 5001A or 5005FA2 boards If the active FortiSwitch 5003A board fails all traffic is diverted to the passive FortiSwit...

Page 37: ...ration In this configuration an external switch is connected to two FortiSwitch 5003A front panel F7 interfaces The switch adds VLAN tags to traffic from two internal and two external networks Packets from each network get different VLAN tags Packets from internal networks are tagged as 103 and 104 and packets from the external networks are tagged as 105 and 106 To make this an active passive conf...

Page 38: ... are shown for an HP procurve 3500yl switch with interfaces A1 and A4 connected to the FortiSwitch 5003A boards The external switch acts as the root for spanning tree instance 0 1 Create an MSTP configuration that includes a name and a revision For example if the name is tree_1 and the revision is 1 spanning tree config name tree_1 spanning tree config revision 1 Distributed 10 gigabit data commun...

Page 39: ... this spanning tree instance Set the priority of this spanning tree instance to 5 spanning tree instance 3 vlan 103 104 spanning tree instance 3 priority 5 4 Add spanning tree instance 5 for packets from the external networks Add VLAN tags 105 and 106 to this spanning tree instance Set the priority of this spanning tree instance to 5 the same as instance 3 spanning tree instance 5 vlan 105 106 spa...

Page 40: ... slot 8 slot 9 slot 10 slot 11 slot 13 end 5 Allow VLAN packets on the FortiSwitch 5003A F7 front panel interface and the trunk config switch fabric channel interface edit f7 set allowed vlans 1 103 106 next edit trunk_6 set allowed vlans 1 103 106 end 6 Enable the FortiSwitch 5003A board to listen for heartbeat packets on all of the interfaces connected to FortiGate 5001A boards config switch fab...

Page 41: ...bb8f5fab64b9d18a Instance ID Mapped VLANs ____________________________________________________ 3 103 104 5 105 106 Enter diagnose spanning tree instance fabric channel instance_integer interface to display the configuration of a spanning tree instance for an interface For example to display the configuration of spanning tree instance 3 for the FortiSwitch 5003A F7 interface enter diagnose spanning...

Page 42: ...iagnose spanning tree mst config fabric channel MST Configuration Identification Information Unit Fabric MST Configuration Name tree_1 MST Configuration Revision 1 MST Configuration Digest 86a2448b88448fb7dbe0f8680e2d0fb5 Instance ID Mapped VLANs ____________________________________________________ 3 103 104 5 105 106 To display the configuration of spanning tree instance 5 for the FortiSwitch 500...

Page 43: ... external networks Then for each fabric interface you must add firewall policies for traffic between the four VLAN interfaces For example for the fabric1 interface you could name the VLAN interfaces vlan_fab1_103 vlan_fab1 104 vlan_fab1_105 and vlan_fab1 106 From the FortiGate 5001A CLI enter config system interface edit vlan_fab1_103 set interface fabric1 set vlanid 103 set vdom root etc next edi...

Page 44: ...can make the previous example an active active redundant link configuration that sends all traffic from the internal networks to one FortiSwitch 5003A board and all traffic from the external networks to the other FortiSwitch 5003A board by changing the priorities of the spanning tree instances added to the FortiSwitch 5003A boards No other configuration changes are required To send all traffic fro...

Page 45: ...slot 1 To display the configuration of spanning tree instance 3 for the FortiSwitch 5003A F7 interface enter diagnose spanning tree instance fabric channel 3 f7 MST Instance Information Fabric Channel Instance ID 3 Mapped VLANs 103 104 Switch Priority 4096 Regional Root MAC Address 00306407a1da Regional Root Priority 4096 Regional Root Path Cost 0 Regional Root Port slot 2 1 Remaining Hops 20 Port...

Page 46: ...FortiSwitch 5003A and 5003 Fabric and Base Backplane Communications Guide 46 01 30000 85717 20081205 Example active active redundant link configuration FortiGate 5140 fabric backplane communication ...

Page 47: ...logy connecting to or through the fabric backplane requires FortiSwitch 5003A boards installed in hub switch slot 1 hub switch slot 2 or both FortiSwitch 5003A front panel fabric interfaces can also connect the chassis fabric backplane channels to external devices such as a management computer the network or the fabric backplane of another chassis FortiGate 5001A boards and FortiGate 5005FA2 board...

Page 48: ...e 5050 chassis with a FortiSwitch 5003A board in hub switch slot 2 and FortiGate 5001A boards in slots 3 4 and 5 In this configuration the FortiSwitch 5003A board provides 1 gigabit fabric backplane switching for the FortiGate 5001A fabric2 interfaces The FortiSwitch 5003A boards operate as layer 2 switches and the FortiGate 5001A boards operate as typical standalone FortiGate units The chassis ca...

Page 49: ...as layer 2 switches for fabric channels 1 and 2 and the FortiGate 5001A boards are operating as typical standalone FortiGate units The FortiGate 5001A boards can use fabric channels 1 and 2 for data communication among the FortiGate boards The chassis can be connected to the network using any of the FortiGate 5001A front panel interfaces You can also connect FortiSwitch 5003A front panel fabric in...

Page 50: ...perating in transparent mode with two FortiSwitch 5003A boards in the same chassis you must disable communication between the FortiSwitch 5003A boards The fabric channel connection between the FortiSwitch 5003A boards uses an internal FortiSwitch 5003A interface called slot 2 1 To disable the fabric channel connection between two FortiSwitch 5003A boards you should set the status of slot 2 1 to do...

Page 51: ...u can also install FortiGate AMC modules in the FortiGate 5001A boards and connect networks to the AMC front panel interfaces The AMC modules and the network connections are not shown in Figure 18 Figure 18 Fabric channel 2 data communication between two FortiGate 5050 chassis For the FortiGate 5001A and 50005FA2 boards to use fabric channel 2 for data communication you must show backplane interfa...

Page 52: ...nect your network directly to a FortiSwitch 5003A fabric channel front panel interface This connection provides data communication to the fabric1 or fabric2 interfaces of the FortiGate 5000 boards installed in the chassis Figure 19 shows a FortiGate 5050 chassis containing two FortiSwitch 5003A boards and three FortiGate 5001A boards The chassis is connected to internal and an external networks us...

Page 53: ...fic contains VLAN tagged packets you must add the VLAN tags to the FortiSwitch 5003A interfaces that will handle the VLAN tagged traffic For example to allow VLAN tags 80 to 90 on slots 3 4 and 5 and the F7 front panel interface from the FortiSwitch 5003A CLI enter config switch fabric channel interface edit slot 3 set allowed vlans 1 80 90 next edit slot 4 set allowed vlans 1 80 90 next edit slot...

Page 54: ... or on the other fabric channel See the FortiGate RTM XB2 System Guide for more information about the FortiGate RTM XB2 Figure 20 shows a FortiGate 5050 chassis containing two FortiSwitch 5003A boards and one FortiGate 5001A board Using these components this chassis supplies 10 gigabit connectivity between the external and internal networks The external network is connected to the F1 10 gigabit fr...

Page 55: ...xample to allow VLAN tags 80 to 90 on slots 1 and the F7 front panel interface from the FortiSwitch 5003A CLI enter config switch fabric channel interface edit slot 1 set allowed vlans 1 80 90 next edit f7 set allowed vlans 1 80 90 end 1 2 2 3 4 5 SMC 1 SMC POWER 5050SAP SERIAL 1 SERIAL 2 ALARM 10 100 link Act ETH0 Service RESET STATUS Hot Swap link Act ETH0 ETH1 10 100 5000SM 10 100 link Act ETH0...

Page 56: ...n the chassis in which a FortiGate 5001A or 5005FA2 board is installed You can also include FortiSwitch 5003A front panel interfaces in a trunk and distribute sessions to FortiGate 5000 boards installed in multiple chassis You can add up to 8 interfaces to a trunk to distribute sessions among up to 8 FortiGate 5000 boards You can also add multiple trunks to a single FortiSwitch 5003A board The tot...

Page 57: ...e hash algorithm works FortiGate 5000 boards in the lower numbered chassis slots in a trunk may receive more traffic The order of the interfaces in the trunk does not matter the numerically lowest slots will always be the ones to receive more traffic if the number of interfaces in the trunk is not a power of 2 Note LInk aggregation does not require FortiGate RTM XB2 modules If the example in Figur...

Page 58: ...nd vlan_fab2 101 From the FortiGate 5001A CLI enter config system interface edit vlan_fab2_100 set interface fabric2 set vlanid 100 set vdom root etc next edit vlan_fab2_101 set interface fabric2 set vlanid 101 set vdom root etc end Then you can add vlan_fab2_100 to vlan_fab2 101 firewall policies the data traffic You should also configure the FortiGate 5001A boards to send heartbeat packets over ...

Page 59: ...board fails all traffic is diverted to the passive FortiSwitch 5003A board which takes over distributing traffic to the FortiGate 5001A or 5005FA2 boards An active active configuration where both FortiSwitch 5003A boards receive and distribute traffic If one of the FortiSwitch 5003A boards fails all traffic is diverted to the remaining FortiSwitch 5003A board which takes over distributing all traf...

Page 60: ...003A board in slot 1 becomes the root for both spanning tree instances Because of the priority settings MSTP sends all packets to the FortiSwitch 5003A board in slot 1 If this board fails MSTP re directs all packets to the FortiSwitch 5003A board in slot 2 For a given spanning tree instance MSTP directs packets to the device with the lowest priority value To give a spanning tree instance a higher ...

Page 61: ...d to send packets from both networks to the FortiSwitch 5003A board vlan 100 name VLAN100 tagged 6 8 19 A1 A4 exit vlan 101 name VLAN101 tagged 5 7 20 A1 A4 no ip address exit 3 Add spanning tree instance 3 for packets from the internal network Add VLAN tag 100 to this spanning tree instance Set the priority of this spanning tree instance to 5 spanning tree instance 3 vlan 100 spanning tree instan...

Page 62: ...d to the external switch For example if the name is tree_1 and the revision is 1 config switch fabric channel stp settings set name tree_1 set revision 1 end 3 Add two spanning tree instances numbered the same as the instances added to the switch 3 and 5 Add the VLAN tags to the instances and set their priority values to 4096 config switch fabric channel stp instance edit 3 set priority 4096 set v...

Page 63: ...guration Identification Information Unit Fabric MST Configuration Name tree_1 MST Configuration Revision 1 MST Configuration Digest d397441fd8666b0abb8f5fab64b9d18a Instance ID Mapped VLANs ____________________________________________________ 3 100 5 101 Enter diagnose spanning tree instance fabric channel instance_integer interface to display the configuration of a spanning tree instance for an i...

Page 64: ... diagnose spanning tree mst config fabric channel MST Configuration Identification Information Unit Fabric MST Configuration Name tree_1 MST Configuration Revision 1 MST Configuration Digest 86a2448b88448fb7dbe0f8680e2d0fb5 Instance ID Mapped VLANs ____________________________________________________ 3 100 5 101 To display the configuration of spanning tree instance 3 for the FortiSwitch 5003A F5 ...

Page 65: ...mple for the fabric1 interface you could name the VLAN interfaces vlan_fab1_100 and vlan_fab1 101 From the FortiGate 5001A CLI enter config system interface edit vlan_fab1_100 set interface fabric1 set vlanid 100 set vdom root etc next edit vlan_fab1_101 set interface fabric1 set vlanid 101 set vdom root etc end For the fabric2 interface you could name the VLAN interfaces vlan_fab2 100 and vlan_fa...

Page 66: ... 3 set priority 4096 set vlan range 100 next edit 5 set priority 40960 set vlan range 101 end To send all traffic from the external network to the FortiSwitch 5003A board in slot 2 configure the spanning tree instances on this board with a lower priority value for instance 5 which is used for VLAN 101 packets config switch fabric channel stp instance edit 3 set priority 40960 set vlan range 100 ne...

Page 67: ...rds switch base backplane traffic between boards in other slots FortiSwitch 5003A front panel base interfaces can also connect the chassis base backplane to external entities such as a management computer the network or the base backplane of another chassis FortiSwitch 5003 boards switch base backplane traffic between boards in other slots FortiSwitch 5003 front panel ZRE interfaces can also conne...

Page 68: ...faces on the FortiGate boards and you should not use the FortiSwitch 5003A boards for HA traffic Alternatively you could disable just one of the base interfaces on all of the FortiGate 5000 boards and use the other base interface for the HA heartbeat Base backplane HA configurations Valid HA hardware configurations can be formed from FortiGate boards located in either the same or multiple FortiGat...

Page 69: ... backplane rather than the base backplane as the default heartbeat interfaces To send heartbeat communications through the base backplane you must enable and configure the priority of base1 and base2 as heartbeat interfaces Figure 23 FortiGate 5140 HA cluster with two available base backplane heartbeat interfaces through FortiSwitch 5003A boards in hub switch slots 1 and 2 Two FortiSwitch boards p...

Page 70: ... for HA communication To separate HA communications of multiple clusters using the same channel configure a different HA Group Name and Password for each cluster 1 2 2 3 4 5 SMC 1 SMC POWER 5050SAP SERIAL 1 SERIAL 2 ALARM 10 100 link Act ETH0 Service RESET STATUS Hot Swap link Act ETH0 ETH1 10 100 5000SM 10 100 link Act ETH0 Service RESET STATUS Hot Swap link Act ETH0 ETH1 10 100 5000SM Base chann...

Page 71: ...t varies by the model of the FortiGate boards You can satisfy these requirements in multiple ways by adjusting interface priority or by disabling heartbeats over other interfaces Required steps vary by the model of your FortiGate boards and the number and heartbeat interface list position of other interfaces enabled as HA heartbeat interfaces Internal Network Slot 1 inter chasis heartbeat Slot 2 i...

Page 72: ...e backplane HA configurations FortiGate 5140 and 5050 base backplane communication Figure 27 FortiGate 5005FA2 heartbeat failover from hub switch slot 1 base1 to hub switch slot 2 base2 Figure 28 FortiGate 5001SX FortiGate 5001FA2 heartbeat failover from hub switch slot 2 port10 to hub switch slot 1 port9 ...

Page 73: ...y to a higher value than all other interfaces or disable interfaces listed above the base backplane interfaces in the heartbeat Interface list For some FortiGate models FortiSwitch slot positions or configurations of other HA interfaces this may mean that no change is required 8 If you want to select a different base backplane interface as the primary heartbeat interface increase its priority 9 Se...

Page 74: ...heartbeat communication will be interrupted For enhanced reliability you can add a second FortiSwitch board You can also improve reliability by connecting and configuring one or more other heartbeat interfaces 1 2 2 3 4 5 SMC 1 SMC POWER 5050SAP SERIAL 1 SERIAL 2 ALARM 10 100 link Act ETH0 Service RESET STATUS Hot Swap link Act ETH0 ETH1 10 100 5000SM 10 100 link Act ETH0 Service RESET STATUS Hot ...

Page 75: ...qual have the highest priority of all heartbeat interfaces if priorities are equal be the first interface on the indexed heartbeat interface list You can satisfy these requirements in multiple ways by adjusting interface priority or by disabling heartbeats for other interfaces Required steps vary by the slot position of the FortiSwitch board the model of your FortiGate boards and the number and he...

Page 76: ...ard into the matching slot number in each chassis then link the base backplanes of each chassis by connecting FortiSwitch boards front panel base or ZRE interfaces with an Ethernet cable For example hardware installations see Figure 30 on page 74 and Figure 29 on page 74 2 Insert FortiGate boards into the required chassis slots 3 On each FortiGate board to be included in the HA cluster go to Syste...

Page 77: ...f separating multiple sensitive or high volume communications such as HA communications for multiple clusters However if you install only one FortiSwitch board in addition to fault tolerance considerations the slot position has additional effects specific to HA Inter chassis HA configurations require that the switch use the same slot number in each chassis so that each cluster member s configurati...

Page 78: ...ditional considerations if you create additional heartbeat backup interfaces connecting FortiGate board interfaces port2 through port8 In this case if the FortiSwitch board in hub switch slot 2 fails or is removed the FortiGate cluster could fail over to port2 through port8 and lastly fail over to the interface connected to the FortiSwitch board in hub switch slot 1 Because of this behavior if you...

Page 79: ...tch boards to link traffic between FortiGate base backplane interfaces and your network Connecting a front panel base or ZRE interface to the network links the base backplane and any connected FortiGate boards to the network Required steps vary by whether you want to use the base backplane interfaces to connect FortiGate boards to each other or to the network These scenarios are not mutually exclu...

Page 80: ...r available hardware and other goals such as hardware redundancy The most basic way to connect FortiGate boards to the network through the base backplane is to connect one of the FortiSwitch front panel base or ZRE interfaces to the network By installing a second FortiSwitch board per chassis you can provide a redundant network connection By connecting front panel base or ZRE interfaces of other c...

Page 81: ...te module front panel interface In these cases additional hardware such as an external switch or Ethernet cables may be required This section includes the following topics HA configurations Inter chassis HA configurations Network configurations HA configurations For a single FortiGate 5020 chassis configuring HA between two FortiGate modules through their base backplane interfaces is identical to ...

Page 82: ...ts in multiple ways by adjusting interface priority or by disabling heartbeats over other interfaces Required steps vary by the model of your FortiGate modules and the number and Heartbeat Interface list position of other interfaces enabled as heartbeat interfaces Default heartbeat interfaces vary by the model of the FortiGate modules and are not always base backplane interfaces For example FortiG...

Page 83: ...failover between base backplane channels Figure 35 FortiGate 5001SX FortiGate 5001FA2 heartbeat failover between base backplane channels To configure heartbeat interface failover between two base backplane channels 1 Insert FortiGate modules into the chassis slots For details on hardware installation and related warnings and cautions see the FortiGate 5000 Series Introduction 2 Power on each chass...

Page 84: ...A interfaces this may mean that no change is required The table below describes where changes are required and if so what kind 6 If you want to select a different base backplane interface as the primary heartbeat interface increase its priority 7 Select OK Inter chassis HA configurations Base backplane HA clustering between multiple FortiGate 5020 chassis is not supported To configure HA for Forti...

Page 85: ...faces Because base backplane interfaces cannot be used in inter chassis configurations if you want to form an inter chassis HA cluster these default heartbeat interfaces should be disabled In the above example the front panel interfaces port7 and port8 are enabled as heartbeat interfaces and port9 and port10 are disabled PSU A PSU B PWR STA IPM CONSOLE USB 1 2 3 4 5 6 7 8 ACC PWR STA IPM CONSOLE U...

Page 86: ...in slot 2 port9 in slot 1 cannot send traffic to port10 in slot 2 The FortiGate 5020 chassis base backplane only supports networking between FortiGate modules located in the same FortiGate 5020 chassis Unlike FortiGate 5140 and FortiGate 5050 chassis you cannot use the FortiGate 5020 base backplane to connect FortiGate modules to modules in another chassis or to the network through their base back...

Page 87: ...3 Fabric and Base Backplane Communications Guide 01 30000 85717 20081205 87 Figure 39 Network connection between two modules in the same chassis PSU A PSU B PWR STA IPM CONSOLE USB 1 2 3 4 5 6 7 8 ACC PWR STA IPM CONSOLE USB 1 2 3 4 5 6 7 8 ACC base backplane channel 1 base backplane channel 2 ...

Page 88: ...FortiSwitch 5003A and 5003 Fabric and Base Backplane Communications Guide 88 01 30000 85717 20081205 Network configurations FortiGate 5020 base backplane communication ...

Page 89: ...g to the FortiSwitch 5003A console Setting administrative access on the mgmt interface Connecting to the FortiSwitch 5003A CLI using SSH Connecting to the FortiSwitch 5003A console Connect to the FortiSwitch 5003A console using the FortiSwitch 5003A front panel COM port You need a computer with an available communications port a null modem cable with an RJ 45 connector as provided with your FortiS...

Page 90: ...tive access on the mgmt interface To perform administrative functions through a the FortiSwitch 5003A mgmt network interface you must enable the required types of administrative access Access to the CLI requires SSH or Telnet access To use the CLI to configure SSH or Telnet access 1 Connect and log into the FortiSwitch 5003A console 2 Use the following command to configure the mgmt interface to ac...

Page 91: ...ernet Once the FortiSwitch 5003A board is configured to accept SSH connections you can run an SSH client on your management computer and use this client to connect to the FortiSwitch 5003A CLI To connect to the CLI using SSH 1 Install and start an SSH client 2 Connect to the FortiSwitch 5003A mgmt interface 3 Type a valid administrator name and press Enter 4 Type the password for this administrato...

Page 92: ...cess levels for FortiSwitch 5003A administrators Syntax config admin user edit administrator_name set description description_str set password admin_password end Example This example shows how to add a new administrator called new_admin config admin user edit new_admin set description A new administrator set password 123456 end Variables Description Default edit administrator_name Enter a new admi...

Page 93: ...route static edit 2 set device mgmt set dst 0 0 0 0 0 0 0 0 set gateway 192 168 22 44 end Related topics config system interface execute traceroute Variables Description Default edit sequence_number Enter a sequence number to identify the static route No default device interface_name The device name is always mgmt because you cannot configure routing for other FortiSwitch 5003A interfaces mgmt dst...

Page 94: ...0 chassis slot 10 slot 11 FortiGate 5140 chassis slot 11 slot 12 FortiGate 5140 chassis slot 12 slot 13 FortiGate 5140 chassis slot 13 slot 14 f8 FortiGate 5140 chassis slot 14 or FortiSwitch 5003A front panel slot 14 F8 f7 FortiSwitch 5003A front panel slot F7 f6 FortiSwitch 5003A front panel slot F6 f5 FortiSwitch 5003A front panel slot F5 f4 FortiSwitch 5003A front panel slot F4 f3 FortiSwitch ...

Page 95: ...nd the F1 front panel interface config switch fabric channel interface edit slot 6 set allowed vlans 1 201 210 next edit slot 8 set allowed vlans 1 201 210 next edit slot 10 set allowed vlans 1 201 210 next edit f1 set allowed vlans 1 201 210 end Related topics config switch fabric channel physical port config switch fabric channel stp instance config switch fabric channel stp settings config swit...

Page 96: ...3 FortiGate chassis slot 3 slot 4 FortiGate chassis slot 4 slot 5 FortiGate chassis slot 5 slot 6 FortiGate 5140 chassis slot 6 slot 7 FortiGate 5140 chassis slot 7 slot 8 FortiGate 5140 chassis slot 8 slot 9 FortiGate 5140 chassis slot 9 slot 10 FortiGate 5140 chassis slot 10 slot 11 FortiGate 5140 chassis slot 11 slot 12 FortiGate 5140 chassis slot 12 slot 13 FortiGate 5140 chassis slot 13 slot ...

Page 97: ... 10 set heartbeat enable end This example shows how to bring down the slot 2 1 FortiSwitch 5003A interface You may need to bring this interface down to disable communication between fabric channel 1 and fabric channel 2 config switch fabric channel physical port edit slot 2 1 set status down end Related topics config switch fabric channel interface config switch fabric channel stp instance config ...

Page 98: ...g The stp port configuration of spanning tree instance 0 sets the cost of all FortiSwitch 5003A interfaces to 0 and the priority of all interfaces to 128 priority priority_value The priority value of the FortiSwitch 5003A spanning tree instance MSTP regions include multiple devices with the same spanning tree instances The different priority values of the same instances on different devices determ...

Page 99: ...t edit slot 13 set cost 2000 set priority 16 end end Related topics config switch fabric channel interface config switch fabric channel physical port config switch fabric channel stp settings config switch fabric channel trunk Variables Description Default edit interface_name Enter the name of the FortiSwitch 5003A fabric channel interface to configure You cannot edit an interface that has been ad...

Page 100: ...onds The forward delay time is the number of seconds that spanning tree spends in the listening and learning state The range is 4 to 30 seconds 15 hello time hello_time_int Enter the time between sending bridge protocol data units BPDUs The range is 1 to 10 seconds 2 max age age_time_int The max age timer controls the maximum length of time in seconds that passes before a device saves its configur...

Page 101: ...ription Default edit trunk_name Enter the name of a trunk to add or edit This trunk name appears in fabric channel interface lists members interface_names Enter the names of the FortiSwitch 5003A fabric channel interfaces to add to the trunk An interface can be added to only one trunk Separate each interface name with a space You can enter the interface names in any order To add or remove an inter...

Page 102: ...cations Guide 102 01 30000 85717 20081205 config FortiSwitch 5003A CLI reference Related topics config switch fabric channel interface config switch fabric channel physical port config switch fabric channel stp instance config switch fabric channel stp settings ...

Page 103: ...lot2 end Related topics execute date execute time Variables Description Default daylightsavetime disable enable Enable or disable daylight saving time If you enable daylight saving time the FortiSwitch 5003A board adjusts the system time when the time zone changes to daylight saving time and back to standard time hostname board_hostname Enter a name to identify this FortiSwitch 5003A board The hos...

Page 104: ...k and to configure the mgmt interface to allow ping ssh and telnet administrative access config system interface set ip 172 20 120 178 24 set allowaccess ping ssh telnet end Related topics config route static Variables Description Default status down up Bring the mgmt interface up or down start or stop the interface If the interface is down it does not accept or send packets up ip interface_ipv4ma...

Page 105: ... backup_filename tftp_ipv4 execute backup all config backup_filename tftp_ipv4 Example This example shows how to backup the FortiSwitch 5003A configuration to a file named 5003A_new cfg on a TFTP server at IP address 192 168 1 23 execute backup config 5003A_new cfg 192 168 1 23 Related topics execute restore Keywords and variables Description config backup_filename tftp_ipv4 Back up the system con...

Page 106: ... firmware image used to start the FortiSwitch 5003A board by switching between the primary or secondary firmware image To use this command you must install a primary and a secondary firmware image by using the system startup options available when you reboot the FortiSwitch 5003A from a console connection to the FortiSwitch 5003A COM port Syntax execute bootimage primary secondary ...

Page 107: ...m is the month and can be 1 to 12 dd is the day of the month and can be 1 to 31 yyyy is the year and can be from 2001 to 2037 If you do not specify a date the command returns the current system date Shortened values for the year such as 06 instead of 2006 are not valid Shortened values for the month and year are valid Examples This example sets the date to 17 September 2009 execute date 9 17 2009 ...

Page 108: ... CLI reference factory reset Reset the FortiSwitch 5003A configuration to factory default settings Syntax execute factory reset Caution This command deletes all changes that you have made to the FortiSwitch 5003A configuration and reverts the system to its original configuration including resetting the mgmt interface IP address ...

Page 109: ...name_str should be a fully qualified domain name for example www fortinet com Example This example shows how to ping a host with the IP address 172 20 120 11 execute ping 172 20 120 11 PING 172 20 120 11 172 20 120 11 56 data bytes 64 bytes from 172 20 120 11 seq 0 ttl 128 time 0 454 ms 64 bytes from 172 20 120 11 seq 1 ttl 128 time 0 399 ms 64 bytes from 172 20 120 11 seq 2 ttl 128 time 0 402 ms ...

Page 110: ...ase Backplane Communications Guide 110 01 30000 85717 20081205 execute FortiSwitch 5003A CLI reference reboot Restart the FortiSwitch 5003A board While the FortiSwitch 5003A board is rebooting it cannot forward traffic Syntax execute reboot ...

Page 111: ...configuration The name of the configuration file on the TFTP server is backupconfig The IP address of the TFTP server is 192 168 1 23 execute restore config backupconfig 192 168 1 23 Related topics execute backup Variables Description config filename tftp_ipv4 Restore the system configuration from a file on a TFTP server The new configuration replaces the existing configuration all config filename...

Page 112: ...ric and Base Backplane Communications Guide 112 01 30000 85717 20081205 execute FortiSwitch 5003A CLI reference shutdown Shut down the FortiSwitch 5003A board now You will be prompted to confirm the shutdown Syntax execute shutdown ...

Page 113: ...here hh is the hour and can be 00 to 23 mm is the minutes and can be 00 to 59 ss is the seconds and can be 00 to 59 If you do not specify a time the command returns the current system time You are allowed to shorten numbers to only one digit when setting the time For example both 01 01 01 and 1 1 1 are allowed Example This example sets the system time to 15 31 03 execute time 15 31 03 Related topi...

Page 114: ...49 root S 4276 1 0 newcli admin userfrom telnet 172 2 46 1 root S 4220 1 0 bin cmdbsvr 50 1 root S 3720 1 0 bin sshd 51 1 root S 3572 1 0 bin switchd 49 1 root S 1884 0 0 usr sbin telnetd F 52 1 root S 1880 0 0 sbin getty 38400 dev vc 1 53 1 root S 1880 0 0 sbin getty L dev usb tts 0 9600 vt 80 79 root S 1876 0 0 sh c top 81 80 root R 1876 0 0 top 1 0 root S 1380 0 0 init 28 2 root SW 0 0 0 bcm sh...

Page 115: ...dress and the FortiSwitch 5003A board You must add a DNS server to the FortiSwitch 5003A configuration to trace the rout to a hostname Syntax execute traceroute address_ipv4 host name_str Example This example shows how to test the connection with 172 20 120 178 In this example the traceroute command times out after the first hop indicating a possible problem execute traceroute 172 16 100 149 trace...

Page 116: ...ands are available system performance system status system performance Use this command to display FortiSwitch 5003A CPU usage memory usage and USB disk usage Syntax get system performance Example The output looks like this for an idle system get system performance CPU Used 2 9 Memory Total 506 864 KB Used 25 228 KB 5 0 USB Disk Total 27 265 KB Used 9 733 KB 35 7 ...

Page 117: ... system status information including firmware version build number and branch point serial number host name system time and date and related settings Syntax get system status Example output Version FortiSwitch 5003A 3 00 build0026 080911 Serial Number FS5A033E08000111 Hostname FS5A033E08000111 System time Fri Sep 18 05 02 45 2009 Daylight Time Saving Yes Time Zone GMT 8 00 Pacific Time US Canada ...

Page 118: ...changes of trunk members To do this enable debugging for trunk The console will then display port effective or port ineffective according to the status of the trunk member Syntax diagnose debug trunk enable diagnose switch fabric channel trunk Example output Switch Trunk Information Fabric Channel Trunk Name slot_8_12 Port Selection Algorithm src dst ip Port Serial Number Update Time __________ __...

Page 119: ...nstance ID 5 Mapped VLANs 101 Switch Priority 4096 Regional Root MAC Address 003064058f87 Regional Root Priority 4096 Regional Root Path Cost 0 Regional Root Port slot 2 1 Remaining Hops 20 Port Speed Cost Priority Role State __________ ______ ________ _________ __________ __________ f5 10G 2000 128 DESIGNATED FORWARDING Variables Description instance_integer The number of a spanning tree instance...

Page 120: ... the FortiSwitch 5003A fabric channel MSTP configuration Syntax diagnose spanning tree mst config fabric channel Example output MST Configuration Identification Information Unit Fabric MST Configuration Name tree_1 MST Configuration Revision 1 MST Configuration Digest d397441fd8666b0abb8f5fab64b9d18a Instance ID Mapped VLANs ____________________________________________________ 3 100 5 101 ...

Page 121: ...hannel mac address filter Filter the FortiSwitch 5003A MAC addresses Syntax diagnose switch fabric channel mac address filter filter Where filter can be clear clear filter flags flag pattern to match and mask of important bits port id map list of port ids to display show show filter trunk id map list of trunk ids to display vlan map list of vlans to display ...

Page 122: ...s list Example output MAC 00 09 0f 09 37 02 VLAN 904 Trunk slot_8_12 trunk id 0 Flags 0x00000c80 trunk MAC 00 09 0f 71 00 61 VLAN 902 Trunk slot_8_12 trunk id 0 Flags 0x00000c80 trunk MAC 00 09 0f 09 33 01 VLAN 1 Port slot 3 port id 1 Flags 0x00000c00 MAC 00 09 0f 91 01 4f VLAN 1 Port slot 5 port id 3 Flags 0x00000c00 MAC 00 09 0f 09 37 02 VLAN 906 Trunk slot_8_12 trunk id 0 Flags 0x00000c80 trunk...

Page 123: ...05 allowaccess system interface 104 allowed VLANs 94 B backplane interfaces show 25 28 30 49 51 53 backup CLI command 105 base connection between FortiSwitch 5003A boards 68 base backplane channel 23 47 67 70 73 79 82 83 86 base1 67 68 69 70 72 75 79 86 base2 67 68 69 70 72 79 86 board 7 bootimage CLI command 106 BPDU 35 58 time between packets 100 bridge protocol data unit 35 58 C channel fabric ...

Page 124: ...hassis 81 FortiGate 5140 chassis 23 47 67 Fortinet customer service 127 Fortinet documentation 127 Fortinet Knowledge Center 127 FortiSwitch 5003 23 47 67 68 77 81 base channels 67 connectors 14 20 font panel LEDs and connectors 10 17 LEDs 11 18 overview 9 17 FortiSwitch 5003A 23 47 67 adding VLANs 25 26 29 30 32 34 49 50 52 53 55 57 base channels 67 CLI config commands 92 CLI reference 89 hostnam...

Page 125: ...3 56 looping avoiding in transparent mode 27 50 M management access mgmt interface 104 max age 100 MSTP timer 100 max hops 100 MSTP 100 mgmt interface down 104 IP and netmask 104 management access 104 ping 104 ssh 104 starting 104 stopping 104 telnet 104 up 104 MSTP 36 59 94 enable or disable for an interface 94 fabric channel 36 59 98 forward delay time 100 hello time 100 link aggregation 36 59 m...

Page 126: ...terface CLI command 94 switch fabric channel physical port CLI command 96 switch fabric channel stp instance CLI command 98 switch fabric channel stp settings CLI command 100 switch fabric channel trunk CLI command 101 synchronization 73 system global CLI command 103 system interface CLI command 104 system performance CLI command 116 system status CLI command 117 T technical support 127 telnet mgm...

Page 127: ...oducts is available from the Fortinet Knowledge Center The knowledge center contains troubleshooting and how to articles FAQs technical notes and more Visit the Fortinet Knowledge Center at http kc fortinet com Comments on Fortinet technical documentation Please send information about any errors or omissions in this document or any Fortinet technical documentation to techdoc fortinet com Customer ...

Page 128: ...without prior written permission of Fortinet Inc Trademarks Fortinet FortiGate and FortiGuard are registered trademarks and Dynamic Threat Prevention System DTPS APSecure FortiASIC FortiBIOS FortiBridge FortiClient FortiGate FortiGate Unified Threat Management System FortiGuard Antispam FortiGuard Antivirus FortiGuard Intrusion FortiGuard Web FortiLog FortiAnalyzer FortiManager FortiOS FortiPartne...