Fortinet 5003A Fabric And Base Backplane Communications Manual
  1. Manuals
  2. Brands
  3. Fortinet Manuals
  4. Switch
  5. 5003A
  6. Fabric and base backplane communications manual

Fortinet 5003A Fabric And Base Backplane Communications Manual

Fortinet fortiswitch brochure
Hide thumbs Also See for 5003A:
Table of Contents

Advertisement

Quick Links

Download this manual See also: System Manual
FortiSwitch-5003A and 5003
This FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide describes using the
FortiSwitch-5003A board and FortiSwitch-5003 board for FortiGate-5000 series base and fabric backplane switching.
This document also contains the FortiSwitch-5003A CLI reference.
The most recent versions of this and all FortiGate-5000 series documents are available from the
the
Fortinet Technical Documentation
Visit
http://support.fortinet.com
receive product updates, technical support, and FortiGuard services.
FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide
01-30000-85717-20081205
FortiSwitch-5003A
FortiSwitch-5003
web site (http://docs.forticare.com).
to register your FortiSwitch-5003A and 5003 security system. By registering you can
Fabric and Base Backplane Communications Guide
FortiGate-5000
page of

Advertisement

Table of Contents
loading
Need help?

Need help?

Do you have a question about the 5003A and is the answer not in the manual?

Questions and answers

Related Manuals for Fortinet 5003A

Summary of Contents for Fortinet 5003A

  • Page 1 FortiSwitch-5003A and 5003 This FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide describes using the FortiSwitch-5003A board and FortiSwitch-5003 board for FortiGate-5000 series base and fabric backplane switching. This document also contains the FortiSwitch-5003A CLI reference. The most recent versions of this and all FortiGate-5000 series documents are available from the...

  • Page 2: Warnings And Cautions

    ESD connector such as the ESD sockets provided on FortiGate-5000 series chassis. • Make sure all FortiGate-5000 series components have reliable grounding. Fortinet recommends direct connections to the building ground. •...

  • Page 3: Table Of Contents

    Fabric channel layer-2 link aggregation and redundancy... 36 Example active-passive redundant link configuration ... 37 External switch configuration ... 38 Example configuration for the FortiSwitch-5003A board in slot 1 ... 39 Example configuration for the FortiSwitch-5003A board in slot 2 ... 42 Example FortiGate-5001A configuration... 43 Example active-active redundant link configuration ...
  • Page 4 Fabric channel layer-2 link aggregation and redundancy... 59 Example active-passive redundant link configuration ... 60 External switch configuration ... 61 Example configuration for the FortiSwitch-5003A board in slot 1 ... 62 Example configuration for the FortiSwitch-5003A board in slot 2 ... 64 Example FortiGate-5001A configuration... 65 Example active-active redundant link configuration ...
  • Page 5 Tools and Documentation CD... 127 Fortinet Knowledge Center ... 127 Comments on Fortinet technical documentation ... 127 Customer service and technical support... 127 Register your Fortinet product ... 127 FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 http://docs.fortinet.com/ • Feedback...
  • Page 6 Contents FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 http://docs.fortinet.com/ • Feedback...

  • Page 7: Introduction

    FortiSwitch-5003 boards in the first and second hub/switch base slots of these chassis.To support fabric backplane layer-2 switching for FortiGate-5001A and 5005FA2 boards in slots 3 and up you can install FortiSwitch-5003A boards in the first and second hub/switch fabric slots. For most versions of the FortiGate-5140 and 5050 chassis the hub/switch base and fabric slots are slots 1 and 2.

  • Page 8: Revision History

    FortiSwitch-5003A board supports 802.3ad static mode link aggregation not LACP (which is also called dynamic link aggregation). See aggregation” on page FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide describes supported describes supported describes the FortiSwitch-5003A CLI “Fabric channel layer-2 link...

  • Page 9: Fortiswitch-5003A System

    (Gbps) throughput. The FortiGate-5140 chassis is a 14-slot ATCA chassis and the FortiGate-5050 chassis is a 5-slot ATCA chassis. In both chassis the FortiSwitch-5003A board is installed in the first and second hub/switch fabric slots. For most versions of the FortiGate-5140 and 5050 chassis the hub/switch fabric slots are slots 1 and 2.

  • Page 10: Front Panel Leds And Connectors

    Standard FortiOS command line interface (CLI) for configuring fabric switch settings (VLANs, MSTP, trunks, and so on) From the FortiSwitch-5003A font panel you can view the status of the board LEDs to verify that the board is functioning normally. The front panel includes a reset switch for restarting the FortiSwitch-5003A board.

  • Page 11: Leds

    Activity LEDs MGMT, B1, (Management and base 1-gigabit LEDs) FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 lists and describes the FortiSwitch-5003A front panel LEDs. State Description Normal operation. Out of service. The LED turns on if the FortiSwitch-5003A board fails.

  • Page 12: Base Channel Interfaces

    Interface Description Name If the FortiSwitch-5003A board is in the first hub/switch fabric slot, this LED indicates a backplane connection to shelf manager 1. If the FortiSwitch-5003A board is in second hub/switch fabric slot this LED indicates a backplane connection to shelf manager 2.

  • Page 13: Fabric Channel Interfaces

    F1 to F7 * You can configure settings for FortiSwitch-5003A fabric interfaces from the FortiSwitch-5003A CLI. The CLI columns show the names of the interfaces as they appear on the FortiSwitch-5003A CLI. The fabric network activity LEDs show links and network activity for the interfaces...

  • Page 14: Front Panel Connectors

    Interface or connection activity LED Fabric channel connection between fabric channel 1 and fabric channel 2. This LED is lit if there are two FortiSwitch-5003A boards installed in the chassis to indicate fabric backplane communication between them. 3 to 13 Fabric backplane connection to FortiGate-5000 boards in chassis slots 3 to 13.

  • Page 15: Fabric 10-Gigabit Switching Within A Chassis

    FortiSwitch-5003A system Figure 4: FortiSwitch-5003A base channel 1 HA heartbeat communication Base channel 1 HA Heartbeat Communication Fabric 10-gigabit switching within a chassis One FortiGate-RTM-XB2 provides 10-gigabit connections to both FortiGate-5001A fabric channels. The FortiGate-RTM-XB2 also provides NP2 packet acceleration for each fabric channel. To effectively use NP2 acceleration,...

  • Page 16: Layer-2 Link Aggregation And Redundancy Configurations

    FortiSwitch-5003A board. In this configuration the external switch is connected to FortiSwitch-5003A front panel f5 interface. The switch adds VLAN tags to traffic from the internal and external networks. Figure 6: Basic link aggregation configuration...

  • Page 17: Fortiswitch-5003 System

    The front panel also includes and out of band management ethernet interface and the RJ-45 console port for connecting to the FortiSwitch-5003 CLI. FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 13 backplane 10/100/1000Base-T gigabit interfaces for base backplane...

  • Page 18: Leds

    LED indicates the speed of the link. Flashing Initialization completed successfully. Green Green Initialization completed successfully. FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide FortiSwitch-5003 system ZRE Network LED Mode Switch Activity LEDs Reset (ZRE 0 to 15)

  • Page 19: About The Zre Network Activity Leds

    Figure 8: FortiSwitch-5003 ZRE network activity LEDs Table 8: ZRE network activity LEDs FortiSwitch-5003 interfaces and connections ZRE network activity LED 3 to 14 FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 State Description Normal operation. Yellow Cannot establish a link to a configured interface or another connection problem external to the FortiSwitch-5003 board.

  • Page 20: Connectors

    2 using the interface named port10. The FortiGate-5005FA2 board communicates with base backplane interface 2 using the interface named base2. FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide FortiSwitch-5003 system Description Front panel out of band management interface.
  • Page 21 HA heartbeat traffic and the other to use port10. If you have a number of data paths that use the same base backplane interfaces you can change the configuration to distribute traffic between both base backplane interfaces. FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 Base backplane communications...
  • Page 22 Base backplane communications FortiSwitch-5003 system FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205...

  • Page 23: Fortigate-5140 Fabric Backplane Communication

    Because of the fabric backplane dual star topology, connecting to or through the fabric backplane requires FortiSwitch-5003A boards installed in hub/switch slot 1, hub/switch slot 2, or both. FortiSwitch-5003A front panel fabric interfaces can also connect the chassis fabric backplane channels to external devices, such as a management computer, the network, or the fabric backplane of another chassis.

  • Page 24: Fabric Gigabit Switching Within A Chassis

    • Example active-passive redundant link configuration • Example active-active redundant link configuration You can use FortiSwitch-5003A fabric channel switching for communication between the fabric backplane interfaces of FortiGate-5001A or 5005FA2 boards installed in a FortiGate-5140 chassis. Figure 9 shows a FortiGate-5140 chassis with a FortiSwitch-5003A board in hub/switch slot 1, and FortiGate-5001A boards in 6 other slots.
  • Page 25 FortiGate-5140 fabric backplane communication The chassis can be connected to the network using any of the FortiGate-5001A front panel interfaces. You can also connect FortiSwitch-5003A front panel fabric interfaces to the network. You can also install FortiGate AMC modules in the FortiGate-5001A boards and connect the network to the AMC front panel interfaces.
  • Page 26 If the data traffic contains VLAN-tagged packets, you must add the VLAN tags to the FortiSwitch-5003A interfaces that will handle the VLAN-tagged traffic. For example, to allow VLAN tag 400 on slots 4 and 12 from the FortiSwitch-5003A CLI enter: config switch fabric-channel interface edit "slot-4"...

  • Page 27: Fabric Channel Connections Between Fortiswitch-5003A Boards

    FortiGate boards in the chassis are operating in transparent mode. Figure 11 fabric channel 1. The top chassis in the figure contains a FortiSwitch-5003A board in hub/switch slot 1 and six FortiGate-5001A boards. The bottom chassis contains a FortiSwitch-5003A board also in hub/switch slot 1 and four FortiGate-5005FA2 boards.
  • Page 28 Fabric gigabit switching between chassis The chassis can be connected to the network using any of the FortiGate front panel interfaces. You can also connect FortiSwitch-5003A front panel fabric interfaces to the network. You can also install FortiGate AMC modules in the FortiGate-5001A boards and connect networks to the AMC front panel interfaces.

  • Page 29: Fabric Gigabit Switching To The Network

    The AMC modules and network connections to the AMC modules and FortiGate boards are not shown in If you have two FortiSwitch-5003A boards installed in a chassis you may need to block communication between fabric channel 1 and fabric channel 2. See channel connections between FortiSwitch-5003A boards”...
  • Page 30 If the data traffic contains VLAN-tagged packets, you must add the VLAN tags to the FortiSwitch-5003A interfaces that will handle the VLAN-tagged traffic. For example, to allow VLAN tags 201 to 210 on slots 6, 8, and 10 and the F1 front...

  • Page 31: Fabric 10-Gigabit Switching Within A Chassis

    10-gigabit connectivity between the external and internal networks. The external network is connected to the F1 10-gigabit front panel interface of the FortiSwitch-5003A board in slot 1, which connects the external network to fabric channel 1. The internal network is connected to the F7 10-gigabit front panel interface of the FortiSwitch-5003A board in slot 2, which connects the internal network to fabric channel 2.
  • Page 32 If the data traffic contains VLAN-tagged packets, you must add the VLAN tags to the FortiSwitch-5003A interfaces that will handle the VLAN-tagged traffic. For example, to allow VLAN tags 300 to 305 on slots 9, 11, and 13 and the F7 front...

  • Page 33: Fabric Channel Layer-2 Link Aggregation

    You can add up to 8 interfaces to a trunk to distribute sessions among up to 8 FortiGate-5000 boards. You can also add multiple trunks to a single FortiSwitch-5003A board. The total number of FortiGate-5000 boards in a trunk is limited by the amount of bandwidth you are processing and the capacity of the FortiSwitch-5003A board.
  • Page 34 (such as a router), before or after the traffic reaches the FortiSwitch-5003A board. If the traffic that you are distributing contains VLAN-tagged packets, you must add the VLAN tags to the FortiSwitch-5003A interfaces and to the trunks that will handle the VLAN-tagged traffic. Figure shows a basic link aggregation configuration using a single FortiSwitch-5003A board.
  • Page 35 RTM/1 and RTM/2 interface names. You should also configure the FortiGate-5001A boards to send heartbeat packets over the fabric1 channel so that the FortiSwitch-5003A board can verify that the FortiGate-5001A boards are functioning. Each FortiGate-5001A board sends 10 heartbeat packets per second from each fabric interface.

  • Page 36: Fabric Channel Layer-2 Link Aggregation And Redundancy

    Redundancy consists of redundant FortiSwitch-5003A boards that both distribute traffic to multiple FortiGate-5001A or 5005FA2 boards. To be able to use redundant FortiSwitch-5003A boards in one chassis you must configure MSTP to eliminate loops. You can also use MSTP settings to control traffic flow and create different kinds of redundant configurations: •...

  • Page 37: Example Active-Passive Redundant Link Configuration

    In this example the spanning tree priority values on the FortiSwitch-5003A board in slot 1 are both set to 4096 and the spanning tree priority values on the FortiSwitch-5003A board in slot 2 are both set to 40960. So spanning tree directs all traffic to the FortiSwitch-5003A board in slot 1.

  • Page 38: External Switch Configuration

    All of the FortiGate-5001A boards must be operating in transparent mode and all must have the same configuration. In this redundant configuration, traffic can be re-directed from one fabric channel to another after a FortiSwitch-5003A fails or if you change the MSTP configuration. To make sure the FortiGate-5001A boards can continue to process traffic after a failure or MSTP configuration change you must add redundant configurations to both fabric interfaces.

  • Page 39: Example Configuration For The Fortiswitch-5003A Board In Slot 1

    Configure the switch to add VLAN tag 103 and 104 to packets from the internal networks and VLAN tag 105 and 106 to packets from the external networks and to send packets from all of these networks to the FortiSwitch-5003A board. vlan 103...
  • Page 40 105-106 Note: The priority values of both spanning tree instances should be lower on the FortiSwitch-5003A board in slot 1 than on the board in slot 2 so that spanning tree directs all traffic to the board in slot 1.
  • Page 41 <instance_integer> <interface> to display the configuration of a spanning tree instance for an interface. For example, to display the configuration of spanning tree instance 3 for the FortiSwitch-5003A F7 interface enter: diagnose spanning-tree instance fabric-channel 3 f7 MST Instance Information, Fabric-Channel:...

  • Page 42: Example Configuration For The Fortiswitch-5003A Board In Slot 2

    105-106 Note: The priority values of both spanning tree instances should be higher on the FortiSwitch-5003A board in slot 2 than on the board in slot 1 so that spanning tree directs all traffic to the board in slot 1.

  • Page 43: Example Fortigate-5001A Configuration

    For the fabric2 interface you could name the VLAN interfaces vlan_fab2_103, vlan_fab2-104, vlan_fab2_105, and vlan_fab2-106. From the FortiGate-5001A CLI enter: config system interface FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 edit vlan_fab1_103 set interface fabric1 set vlanid 103 set vdom root etc...

  • Page 44: Example Active-Active Redundant Link Configuration

    You can make the previous example an active-active redundant link configuration that sends all traffic from the internal networks to one FortiSwitch-5003A board and all traffic from the external networks to the other FortiSwitch-5003A board by changing the priorities of the spanning tree instances added to the FortiSwitch-5003A boards.

  • Page 45: Verifying The Spanning Tree Configuration Of The Fortiswitch-5003A Board In Slot 1

    FortiGate-5140 fabric backplane communication Verifying the spanning tree configuration of the FortiSwitch-5003A board in slot 1 To display the configuration of spanning tree instance 3 for the FortiSwitch-5003A F7 interface enter: diagnose spanning-tree instance fabric-channel 3 f7 MST Instance Information, Fabric-Channel:...
  • Page 46 Example active-active redundant link configuration FortiGate-5140 fabric backplane communication FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205...

  • Page 47: Fortigate-5050 Fabric Backplane Communication

    Because of the fabric backplane dual star topology, connecting to or through the fabric backplane requires FortiSwitch-5003A boards installed in hub/switch slot 1, hub/switch slot 2, or both. FortiSwitch-5003A front panel fabric interfaces can also connect the chassis fabric backplane channels to external devices, such as a management computer, the network, or the fabric backplane of another chassis.

  • Page 48: Fabric Gigabit Switching Within A Chassis

    FortiGate units. The chassis can be connected to the network using any of the FortiGate-5001A front panel interfaces. You can also connect FortiSwitch-5003A front panel fabric interfaces to the network. You can also install FortiGate AMC modules in the FortiGate-5001A boards and connect the network to the AMC front panel interfaces.
  • Page 49 If the data traffic contains VLAN-tagged packets, you must add the VLAN tags to the FortiSwitch-5003A interfaces that will handle the VLAN-tagged traffic. For example, to allow VLAN tag 34 on slot 5 from the FortiSwitch-5003A CLI enter: config switch fabric-channel interface For more information about the FortiSwitch-5003A CLI, see CLI reference”...

  • Page 50: Fabric Channel Connections Between Fortiswitch-5003A Boards

    "slot-5" set allowed-vlans 1,200-205 When two FortiSwitch-5003A boards are installed in a single chassis their fabric channels are connected together. This means there is a data connection between fabric channel 1 and fabric channel 2. Unless you are going to use this connection you should disable it.
  • Page 51 FortiGate-5050 fabric backplane communication Figure 18 fabric channel 2. The top chassis in the figure contains a FortiSwitch-5003A board in hub/switch slot 2 and three FortiGate-5001A boards. The bottom chassis contains a FortiSwitch-5003A board also in hub/switch slot 2 and two FortiGate-5005FA2 boards.

  • Page 52: Fabric Gigabit Switching To The Network

    "f1" set allowed-vlans 1,201-210 You can use the FortiSwitch-5003A fabric front panel interfaces to connect the fabric channel of a chassis to your network. Most often you would do this for data communication between the network and a fabric channel. For a simple 10-gigabit connection from your network to a fabric channel you can connect your network directly to a FortiSwitch-5003A fabric channel front panel interface.
  • Page 53 Figure 19: Fabric channel 2 connected to an internal network and fabric channel 1 Fabric channel 1 Data Communication If you have two FortiSwitch-5003A boards installed in a chassis you may need to block communication between fabric channel 1 and fabric channel 2. See channel connections between FortiSwitch-5003A boards” on page 50 information.

  • Page 54: Fabric 10-Gigabit Switching Within A Chassis

    10-gigabit connectivity between the external and internal networks. The external network is connected to the F1 10-gigabit front panel interface of the FortiSwitch-5003A board in slot 1, which connects the external network to fabric channel 1. The internal network is connected to the F7 10-gigabit front panel interface of the FortiSwitch-5003A board in slot 2, which connects the internal network to fabric channel 2.
  • Page 55 If the data traffic contains VLAN-tagged packets, you must add the VLAN tags to the FortiSwitch-5003A interfaces that will handle the VLAN-tagged traffic. For example, to allow VLAN tags 80 to 90 on slots 1 and the F7 front panel interface,...

  • Page 56: Fabric Channel Layer-2 Link Aggregation

    You can add up to 8 interfaces to a trunk to distribute sessions among up to 8 FortiGate-5000 boards. You can also add multiple trunks to a single FortiSwitch-5003A board. The total number of FortiGate-5000 boards in a trunk is limited by the amount of bandwidth you are processing and the capacity of the FortiSwitch-5003A board.
  • Page 57 (such as a router), before or after the traffic reaches the FortiSwitch-5003A board. If the traffic that you are distributing contains VLAN-tagged packets, you must add the VLAN tags to the FortiSwitch-5003A interfaces and to the trunks that will handle the VLAN-tagged traffic. Figure 21 FortiSwitch-5003A board.
  • Page 58 RTM/1 and RTM/2 interface names. You should also configure the FortiGate-5001A boards to send heartbeat packets over the fabric1 channel so that the FortiSwitch-5003A board can verify that the FortiGate-5001A boards are functioning. Each FortiGate-5001A board sends 10 heartbeat packets per second from each fabric interface.

  • Page 59: Fabric Channel Layer-2 Link Aggregation And Redundancy

    Redundancy consists of redundant FortiSwitch-5003A boards that both distribute traffic to multiple FortiGate-5001A or 5005FA2 boards. To be able to use redundant FortiSwitch-5003A boards in one chassis you must configure MSTP to eliminate loops. You can also use MSTP settings to control traffic flow and create different kinds of redundant configurations: •...

  • Page 60: Example Active-Passive Redundant Link Configuration

    In this example the spanning tree priority values on the FortiSwitch-5003A board in slot 1 are both set to 4096 and the spanning tree priority values on the FortiSwitch-5003A board in slot 2 are both set to 40960. Spanning tree directs all traffic to the FortiSwitch-5003A board in slot 1.

  • Page 61: External Switch Configuration

    The external switch requires the following configuration settings. Example commands are shown for an HP procurve 3500yl switch with interfaces A1 and A4 connected to the FortiSwitch-5003A boards. This external switch acts as the root for spanning tree instance 0.

  • Page 62: Example Configuration For The Fortiswitch-5003A Board In Slot 1

    101 Note: The priority values of both spanning tree instances should be lower on the FortiSwitch-5003A board in slot 1 than on the board in slot 2 so that MSTP directs all traffic to the board in slot 1.
  • Page 63 FortiGate-5050 fabric backplane communication Enable the FortiSwitch-5003A board to listen for heartbeat packets on the interfaces connected to FortiGate-5001A boards: config switch fabric-channel physical-port Verifying the MSTP tree configuration of the FortiSwitch-5003A board in slot 1 Enter diagnose spanning-tree mst-config fabric-channel to display the FortiSwitch-5003A fabric channel MSTP configuration.

  • Page 64: Example Configuration For The Fortiswitch-5003A Board In Slot 2

    101 Note: The priority values of both spanning tree instances should be higher on the FortiSwitch-5003A board in slot 2 than on the board in slot 1 so that spanning tree directs all traffic to the board in slot 1.

  • Page 65: Example Fortigate-5001A Configuration

    You should also configure the FortiGate-5001A boards to send heartbeat packets over the fabric1 and fabric2 channels so that the FortiSwitch-5003A board can verify that the FortiGate-5001A boards are functioning. Each FortiGate-5001A board sends 10 heartbeat packets per second from each fabric interface. The packets are type 255 bridge protocol data unit (BPDU) packets.

  • Page 66: Example Active-Active Redundant Link Configuration

    40960 set vlan-range 101 To send all traffic from the external network to the FortiSwitch-5003A board in slot 2 configure the spanning tree instances on this board with a lower priority value for instance 5 which is used for VLAN 101 packets.

  • Page 67: Fortigate-5140 And 5050 Base Backplane Communication

    1, hub/switch slot 2, or both. FortiSwitch-5003A boards switch base backplane traffic between boards in other slots. FortiSwitch-5003A front panel base interfaces can also connect the chassis base backplane to external entities, such as a management computer, the network, or the base backplane of another chassis.

  • Page 68: Base Channel Connections Between Fortiswitch-5003A Boards

    Base backplane data configurations Two FortiSwitch-5003A boards in the same chassis are connected together across the base backplane channel. For some versions of the FortiSwitch-5003A firmware, this connection cannot be disabled. The base channel connection between the FortiGate boards is not usually a problem if the FortiGate-5000 boards in the chassis are operating in NAT/Route mode and the base channels are being used for HA heartbeat packets.

  • Page 69: Two Fortiswitch Boards Per Chassis

    FortiSwitch-5003A board to any base front panel interface on another FortiSwitch-5003A board installed in the other chassis. You can also use the base front panel interfaces to connect more than two chassis together. The same applies to the FortiSwitch-5003 ZRE0, ZRE1, or ZRE2 interfaces and to connections between FortiSwitch-5003A and FortiSwitch-5003 boards.
  • Page 70 To separate HA communications of multiple clusters using the same channel, configure a different HA Group Name and Password for each cluster. Figure 24: FortiGate-5050 HA cluster with two available base backplane heartbeat interfaces (through FortiSwitch-5003A boards in hub/switch slots 1 and 2) Base channel 1 HA heartbeat...

  • Page 71: Heartbeat Failover Between Channels

    Required steps vary by the model of your FortiGate boards, and the number and heartbeat interface list position of other interfaces enabled as HA heartbeat interfaces. FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 heartbeat interfaces (through FortiSwitch-5003A boards in hub/switch...
  • Page 72 Figure 27: FortiGate-5005FA2 heartbeat failover from hub/switch slot 1 (base1) to hub/switch slot 2 (base2) Figure 28: FortiGate-5001SX/FortiGate-5001FA2 heartbeat failover from hub/switch slot 2 (port10) to hub/switch slot 1 (port9) FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205...

  • Page 73: One Fortiswitch Board Per Chassis

    FortiGate-5001FA2 clusters. For details on the effects of slot positioning of a single FortiSwitch board in HA configurations, see interface precedence” on page 77 FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 Figure 23 on page Figure 25 on page...
  • Page 74 (through a FortiSwitch-5003A board in slot 1) 5140 FILTER FA N TR AY FA N T R AY Base channel 1 FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide Base channel 2 HA heartbeat POWER 5000SM 10/100 link/Act...
  • Page 75 Figure 31: FortiGate-5005FA2 HA through slot 1 (base1) with failover to a non-base FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 backplane interface (port1) Base backplane HA configurations...
  • Page 76 Note: Heartbeat interface precedence can be determined by multiple factors, including Priority and position in the Heartbeat Interface list. For details, see heartbeat interface precedence” on page FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide Figure 30 on page 74 Figure 29 on “Slot position and HA...

  • Page 77: Choosing The Slot Position

    If multiple heartbeat interfaces have highest priority, including when all have equal priority, the HA cluster chooses a heartbeat interface using the Heartbeat Interface list. FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 Base backplane HA configurations...
  • Page 78 So for a cluster of these boards, if you have a single FortiSwitch board it doesn’t matter which slot you install it in because both base interfaces are sorted to the top of the interface list. FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205...

  • Page 79: Base Backplane Data Configurations

    Note: FortiSwitch-5003 boards do not support VLAN-tagged packets, so if you are using the FortiSwitch-5003 board base backplane traffic cannot include VLAN-tagged packets. FortiSwitch-5003A boards do support VLAN-tagged packets over the base channels. Like HA scenarios, network configurations can involve one or two FortiSwitch boards per chassis, and one or more chassis.

  • Page 80: Connecting Fortigate Boards To The Network

    ZRE interface of the FortiSwitch board connected to the network, you can provide a shared network. Configure FortiGate boards to communicate with the network through the base backplane interfaces as you would other interfaces. FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205...

  • Page 81: Fortigate-5020 Base Backplane Communication

    Heartbeat interface failover order is contingent on heartbeat interface Priority and/or position in the Heartbeat Interface list. For details, see HA heartbeat interface precedence” on page FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 HA configurations “Slot position and...

  • Page 82: Heartbeat Failover Between Channels

    Figure 33: HA cluster with two available base backplane heartbeat interfaces (directly connected through the base backplane) CONSOLE base backplane CONSOLE channel 1 FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide FortiGate-5020 base backplane communication PSU A PSU B base STA IPM backplane...
  • Page 83 Insert FortiGate modules into the chassis slots. For details on hardware installation and related warnings and cautions, see the FortiGate-5000 Series Power on each chassis. FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 backplane channels Introduction. HA configurations...

  • Page 84: Inter-Chassis Ha Configurations

    Internet • port7 and port8 connect to switches that handle only heartbeat traffic • port3 to port6 are not used FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide FortiGate-5020 base backplane communication FortiGate HA Guide. “Slot position and HA...
  • Page 85 In the above example, the front panel interfaces port7 and port8 are enabled as heartbeat interfaces, and port9 and port10 are disabled. FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 Internal Network...

  • Page 86: Network Configurations

    PSU A PSU B CONSOLE STA IPM CONSOLE STA IPM Internet FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide FortiGate-5020 base backplane communication Internal Network switch PSU A PSU B CONSOLE STA IPM CONSOLE...
  • Page 87 FortiGate-5020 base backplane communication Figure 39: Network connection between two modules in the same chassis backplane channel 1 FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 CONSOLE base CONSOLE Network configurations PSU A PSU B base STA IPM...
  • Page 88 Network configurations FortiGate-5020 base backplane communication FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205...

  • Page 89: Fortiswitch-5003A Cli Reference

    This chapter also describes how to connect to the FortiSwitch-5003A CLI. Working with the FortiSwitch-5003A CLI is the same as working with the FortiOS CLI. For information about CLI command syntax, CLI objects and other CLI basics see the This chapter describes: •...

  • Page 90: Setting Administrative Access On The Mgmt Interface

    Press Enter to connect to the FortiSwitch-5003A CLI. A prompt similar to the following appears. FS5A033E08000111 login: The prompt includes the FortiSwitch-5003A host name. The default host name is the FortiSwitch-5003A serial number. Type a valid administrator name and press Enter.

  • Page 91: Connecting To The Fortiswitch-5003A Cli Using Ssh

    Secure Shell (SSH) provides strong secure authentication and secure communications to the FortiSwitch-5003A CLI from your internal network or the internet. Once the FortiSwitch-5003A board is configured to accept SSH connections, you can run an SSH client on your management computer and use this client to connect to the FortiSwitch-5003A CLI.

  • Page 92: Config

    • system global • system interface admin user Use this command to add and configure FortiSwitch-5003A administrator accounts. You cannot set different access levels for FortiSwitch-5003A administrators. Syntax config admin user edit <administrator_name> description <description_str> password <admin_password>...

  • Page 93: Route Static

    Related topics • config system interface • execute traceroute FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 Description Enter a sequence number to identify the static route. The device name is always mgmt because you cannot configure routing for other FortiSwitch-5003A interfaces.

  • Page 94: Switch Fabric-Channel Interface

    Use this command to configure the VLANs allowed on FortiSwitch-5003A fabric channel interfaces. You can also change the native VLAN for each interface and disable or enable MSTP for each interface. Syntax config switch fabric-channel interface edit <interface_name>...
  • Page 95 "f1" set allowed-vlans 1,201-210 Related topics • config switch fabric-channel physical-port • config switch fabric-channel stp instance • config switch fabric-channel stp settings • config switch fabric-channel trunk FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 config...

  • Page 96: Switch Fabric-Channel Physical-Port

    {disable | enable} status {down | up} Examples This example shows how to enable the FortiSwitch-5003A board to listen for heartbeat packets on the interfaces for chassis slots 6, 8, and 10: Description Enter the name of the FortiSwitch-5003A fabric channel interface to configure.
  • Page 97 "slot-10" set heartbeat enable This example shows how to bring down the slot-2/1 FortiSwitch-5003A interface. You may need to bring this interface down to disable communication between fabric channel 1 and fabric channel 2. config switch fabric-channel physical-port...

  • Page 98: Switch Fabric-Channel Stp Instance

    • An instance ID • A priority value • A VLAN range • A cost and priority value for each FortiSwitch-5003A interface (configured with the config stp-port Syntax config switch fabric-channel stp instance edit <instance_id> priority <priority_value> vlan-range <id_numbers> config stp-port edit <interface_name>...
  • Page 99 FortiSwitch-5003A CLI reference config stp-port Use this command to change the spanning tree cost and priority for each FortiSwitch-5003A interface in a spanning tree instance. When you add a new spanning tree instance the cost of each interface in the spanning tree instance is set to 0 and the priority is set to 128.

  • Page 100: Switch Fabric-Channel Stp Settings

    You can use the revision number to keep track of changes in the MSTP configuration and to help confirm that the MSTP configurations of all of the devices in a region are in sync. FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide FortiSwitch-5003A CLI reference Default...

  • Page 101: Switch Fabric-Channel Trunk

    FortiSwitch-5003A CLI reference switch fabric-channel trunk Use this command to create a trunk and add FortiSwitch-5003A interfaces to the trunk. You use trunks to group FortiSwitch-5003A interfaces so that you can use 802.3ad static mode layer-2 link aggregation to distribute sessions to the fabric interfaces of the FortiGate-5001A and 5005FA2 boards connected to the FortiSwitch-5003A interfaces in the trunk.
  • Page 102 Related topics • config switch fabric-channel interface • config switch fabric-channel physical-port • config switch fabric-channel stp instance • config switch fabric-channel stp settings FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide FortiSwitch-5003A CLI reference 01-30000-85717-20081205...

  • Page 103: System Global

    <board_hostname> timezone <timezone_number> Variables daylightsavetime {disable | enable} hostname <board_hostname> Enter a name to identify this FortiSwitch-5003A board. The timezone <timezone_number> Example This example shows how to set the time zone to 19 (GMT-3:00) Buenos Aires, Georgetown and how to change the host name to 5003A_slot2.

  • Page 104: System Interface

    Use this command to change the IP address and management access setting of the FortiSwitch-5003A mgmt (management) interface and to bring the mgmt interface up or down. Syntax config system interface status {down | up} ip <interface_ipv4mask>...

  • Page 105: Execute

    <backup_filename> <tftp_ipv4> config <backup_filename> all-config <tftp_ipv4> Example This example shows how to backup the FortiSwitch-5003A configuration to a file named 5003A_new.cfg on a TFTP server at IP address 192.168.1.23. execute backup config 5003A_new.cfg 192.168.1.23 Related topics • execute restore FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide...

  • Page 106: Bootimage

    FortiSwitch-5003A CLI reference bootimage Use this command to change the firmware image used to start the FortiSwitch-5003A board by switching between the primary or secondary firmware image. To use this command you must install a primary and a secondary firmware image by using the system startup options available when you reboot the FortiSwitch-5003A from a console connection to the FortiSwitch-5003A COM port.

  • Page 107: Date

    ‘06’ instead of ‘2006’ are not valid. Shortened values for the month and year are valid. Examples This example sets the date to 17 September 2009: execute date 9/17/2009 Related topics • config system global • execute time FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 execute...

  • Page 108: Factory-Reset

    Syntax execute factory-reset Caution: This command deletes all changes that you have made to the FortiSwitch-5003A configuration and reverts the system to its original configuration, including resetting the mgmt interface IP address. FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide...

  • Page 109: Ping

    FortiSwitch-5003A CLI reference ping Send an ICMP echo request (ping) to test the network connection between the FortiSwitch-5003A mgmt interface and another network device. You must add a DNS server to the FortiSwitch-5003A configuration to ping a hostname. Syntax execute ping {<address_ipv4> | <host-name_str>} <host-name_str>...

  • Page 110: Reboot

    FortiSwitch-5003A CLI reference reboot Restart the FortiSwitch-5003A board. While the FortiSwitch-5003A board is rebooting it cannot forward traffic. Syntax execute reboot FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205...

  • Page 111: Restore

    FortiSwitch-5003A CLI reference restore Use this command to restore the FortiSwitch-5003A configuration from a file on a TFTP server or change the FortiSwitch-5003A firmware. Syntax execute restore config <filename> <tftp_ipv4> execute restore config <filename> <tftp_ipv4> execute restore image tftp <filename> <tftp_ipv4>...

  • Page 112: Shutdown

    FortiSwitch-5003A CLI reference shutdown Shut down the FortiSwitch-5003A board now. You will be prompted to confirm the shutdown. Syntax execute shutdown FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205...

  • Page 113: Time

    You are allowed to shorten numbers to only one digit when setting the time. For example both 01:01:01 and 1:1:1 are allowed. Example This example sets the system time to 15:31:03: execute time 15:31:03 Related topics • execute date • config system global FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 where execute...

  • Page 114: Top

    Display a list of processes running on the FortiSwitch-5003A board. The command also displays information about each process. Mem: 100168K used, 406696K free, 0K shrd, 344K buff, 75092K cached CPU: 0% usr Load average: 0.00 0.00 0.00 PPID USER...

  • Page 115: Traceroute

    Test the connection between the FortiSwitch-5003A board and an address or hostname and display information about the network hops between the address and the FortiSwitch-5003A board. You must add a DNS server to the FortiSwitch-5003A configuration to trace the rout to a hostname. Syntax execute traceroute {<address_ipv4>...

  • Page 116: Get

    • system performance • system status system performance Use this command to display FortiSwitch-5003A CPU usage, memory usage, and USB disk usage. Syntax get system performance Example The output looks like this (for an idle system): # get system performance...

  • Page 117: System Status

    FortiSwitch-5003A CLI reference system status Use this command to display FortiSwitch-5003A system status information including: • firmware version, build number and branch point • serial number • host name • system time and date and related settings Syntax get system status Example output Version: FortiSwitch-5003A 3.00,build0026,080911...

  • Page 118: Diagnose

    This section describes some of the available FortiSwitch-5003A diagnose commands. You can use diagnose commands for debugging the operation of the FortiSwitch-5003A board and to set parameters for displaying different levels of diagnostic information. Caution: Diagnose commands are intended for advanced users only. Contact Fortinet technical support before using these commands.

  • Page 119: Spanning-Tree Instance Fabric-Channel

    FortiSwitch-5003A CLI reference spanning-tree instance fabric-channel Display the configuration of a spanning tree instance for an interface. For example, to display the configuration of spanning tree instance 5 for the FortiSwitch-5003A F5 interface enter: Syntax diagnose spanning-tree instance fabric-channel <instance_integer>...

  • Page 120: Spanning-Tree Mst-Config Fabric-Channel

    Example output MST Configuration Identification Information Unit: Fabric MST Configuration Name: tree_1 MST Configuration Revision: 1 MST Configuration Digest: d397441fd8666b0abb8f5fab64b9d18a Instance ID ____________________________________________________ Mapped VLANs FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide FortiSwitch-5003A CLI reference 01-30000-85717-20081205...

  • Page 121: Switch Fabric-Channel Mac-Address Filter

    • port-id-map list of port-ids to display • show show filter • trunk-id-map list of trunk-ids to display • vlan-map list of vlans to display FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 diagnose...

  • Page 122: Switch Fabric-Channel Mac-Address List

    Flags: 0x00000c00 [ ] MAC: 00:09:0f:09:37:02 VLAN: 906 Trunk: slot_8_12(trunk-id 0) Flags: 0x00000c80 [ trunk ] MAC: 00:09:0f:71:03:1d VLAN: 1 Trunk: slot_8_12(trunk-id 0) Flags: 0x00000c80 [ trunk ] FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide FortiSwitch-5003A CLI reference 01-30000-85717-20081205...

  • Page 123: Index

    67, 68, 69, 70, 72, 75, 79, 86 base2 67, 68, 69, 70, 72, 79, 86 board 7 bootimage CLI command 106 FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 BPDU 35, 58 time between packets 100 bridge protocol data unit 35, 58...
  • Page 124 71, 73, 75, 77, 82, 84 interface selection 77 interface selection precedence 76 Heartbeat Interface 71, 73, 75, 76, 77, 78, 81, 82, 84 hello time MSTP 100 high availability (HA) 68, 81, 84 FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide Index 01-30000-85717-20081205...
  • Page 125 27, 50 management access mgmt interface 104 max-age 100 MSTP timer 100 max-hops 100 MSTP 100 FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 mgmt interface down 104 IP and netmask 104 management access 104 ping 104...
  • Page 126 FortiSwitch-5003A interfaces 25, 26, 29, 30, 32, 34, 49, 50, 52, 53, 55, 57 allowed 94 native 94 VLAN tagging 86 ZRE interfaces 67, 69, 73, 76, 79, 80 FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide Index 01-30000-85717-20081205...

  • Page 127: For More Information

    For more information For more information Support for your Fortinet product is available as online help from within the web-based manager, from the Tools and Documentation CD included with the product, on the Fortinet Technical Documentation web site, from the Fortinet Knowledge Center web site, as well as from Fortinet Technical Support.
  • Page 128 Register your Fortinet product © Copyright 2009 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.

This manual is also suitable for:

5003Fortiswitch-5003aFortiswitch-5003

Table of Contents

Save PDF