Fortinet Forti 5003, Forti 5003A User Manual

FortiSwitch-5003A and 5003

Fabric and Base Backplane Communications Guide

FortiSwitch-5003A

ETH

MANAGEMENT

RS232ZRE0

SYSTEM

CONSOLE

ZRE

1514

1312

1110

9876543210

OKCLK

INTEXT

FLT

HOT SWAP

ZRE

RESET

FLT

LED MODE

FortiSwitch-5003

This FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide describes using the FortiSwitch-5003A board and FortiSwitch-5003 board for FortiGate-5000 series base and fabric backplane switching. This document also contains the FortiSwitch-5003A CLI reference.

The most recent versions of this and all FortiGate-5000 series documents are available from the FortiGate-5000 page of the Fortinet Technical Documentation web site (http://docs.forticare.com).

Visit http://support.fortinet.com to register your FortiSwitch-5003A and 5003 security system. By registering you can

receive product updates, technical support, and FortiGuard services.

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide

01-30000-85717-20081205

Warnings and cautions

Only trained and qualified personnel should be allowed to install or maintain FortiGate-5000 series equipment. Read and comply with all warnings, cautions and notices in this document.

CAUTION: Risk of Explosion if Battery is replaced by an Incorrect Type. Dispose of Used Batteries According to the Instructions.

Caution: You should be aware of the following cautions and warnings before installing FortiGate-5000 series hardware

• Turning off all power switches may not turn off all power to the FortiGate-5000 series equipment. Some circuitry in the FortiGate-5000 series equipment may continue to operate even though all power switches are off.

• Many FortiGate-5000 components are hot swappable and can be installed or removed while the power is on. But some of the procedures in this document may require power to be turned off and completely disconnected. Follow all instructions in the procedures in this document that describe disconnecting FortiGate-5000 series equipment from power sources, telecommunications links and networks before installing, or removing FortiGate-5000 series components, or performing other maintenance tasks. Failure to follow the instructions in this document can result in personal injury or equipment damage.

• Install FortiGate-5000 series chassis at the lower positions of a rack to avoid making the rack top-heavy and unstable.

• Do not insert metal objects or tools into open chassis slots.

• Electrostatic discharge (ESD) can damage FortiGate-5000 series equipment. Only perform the procedures described in this document from an ESD workstation. If no such station is available, you can provide some ESD protection by wearing an anti-static wrist strap and attaching it to an available ESD connector such as the ESD sockets provided on FortiGate-5000 series chassis.

• Make sure all FortiGate-5000 series components have reliable grounding. Fortinet recommends direct connections to the building ground.

• If you install a FortiGate-5000 series component in a closed or multi-unit rack assembly, the operating ambient temperature of the rack environment may be greater than room ambient. Make sure the operating ambient temperature does not exceed Fortinet’s maximum rated ambient temperature.

• Installing FortiGate-5000 series equipment in a rack should be such that the amount of airflow required for safe operation of the equipment is not compromised.

• FortiGate-5000 series chassis should be installed by a qualified electrician.

• FortiGate-5000 series equipment shall be installed and connected to an electrical supply source in accordance with the applicable codes and regulations for the location in which it is installed. Particular attention shall be paid to use of correct wire type and size to comply with the applicable codes and regulations for the installation / location. Connection of the supply wiring to the terminal block on the equipment may be accomplished using Listed wire compression lugs, for example, Pressure Terminal Connector made by Ideal Industries Inc. or equivalent which is suitable for AWG 10. Particular attention shall be given to use of the appropriate compression tool specified by the compression lug manufacturer, if one is specified.

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide

01-30000-85717-20081205

Contents

Warnings and cautions ..................................................................................... 2

Introduction ........................................................................ 7

About this document......................................................................................... 7

Revision history................................................................................................. 8

FortiSwitch-5003A system ................................................ 9

Front panel LEDs and connectors ................................................................. 10

LEDs ........................................................................................................... 11

Base channel interfaces.............................................................................. 12

Fabric channel interfaces ............................................................................ 13

Front panel connectors ............................................................................... 14

FortiSwitch-5003A configurations ................................................................. 14

Base and fabric gigabit switching within a chassis...................................... 14

Fabric 10-gigabit switching within a chassis ............................................... 15

Layer-2 link aggregation and redundancy configurations ........................... 16

FortiSwitch-5003 system................................................. 17

Front panel LEDs and connectors ................................................................. 17

LEDs ........................................................................................................... 18

About the ZRE network activity LEDs ......................................................... 19

Connectors.................................................................................................. 20

Base backplane communications .................................................................. 20

FortiGate-5140 fabric backplane communication......... 23

Fabric gigabit switching within a chassis ..................................................... 24

Fabric channel connections between FortiSwitch-5003A boards .............. 27

Fabric gigabit switching between chassis .................................................... 27

Fabric gigabit switching to the network ........................................................ 29

Fabric 10-gigabit switching within a chassis................................................ 31

Fabric channel layer-2 link aggregation ........................................................ 33

Fabric channel layer-2 link aggregation and redundancy ........................... 36

Example active-passive redundant link configuration................................. 37

External switch configuration ...................................................................... 38

Example configuration for the FortiSwitch-5003A board in slot 1 ............... 39

Example configuration for the FortiSwitch-5003A board in slot 2 ............... 42

Example FortiGate-5001A configuration ..................................................... 43

Example active-active redundant link configuration.................................... 44

Verifying the spanning tree configuration of the FortiSwitch-5003A

board in slot 1.............................................................................................. 45

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 3

Contents

FortiGate-5050 fabric backplane communication ........ 47

Fabric gigabit switching within a chassis..................................................... 48

Fabric channel connections between FortiSwitch-5003A boards .............. 50

Fabric gigabit switching between chassis.................................................... 50

Fabric gigabit switching to the network........................................................ 52

Fabric 10-gigabit switching within a chassis................................................ 54

Fabric channel layer-2 link aggregation........................................................ 56

Fabric channel layer-2 link aggregation and redundancy........................... 59

Example active-passive redundant link configuration ................................ 60

External switch configuration ...................................................................... 61

Example configuration for the FortiSwitch-5003A board in slot 1 ............... 62

Example configuration for the FortiSwitch-5003A board in slot 2 ............... 64

Example FortiGate-5001A configuration ..................................................... 65

Example active-active redundant link configuration ................................... 66

Verifying the spanning tree configuration of a FortiSwitch-5003A

board in slot 1 ............................................................................................. 66

FortiGate-5140 and 5050 base backplane

communication ................................................................ 67

Base channel connections between FortiSwitch-5003A boards ................ 68

Base backplane HA configurations ............................................................... 68

Two FortiSwitch boards per chassis ........................................................... 69

Heartbeat failover between channels.......................................................... 71

One FortiSwitch board per chassis ............................................................. 73

Choosing the slot position ........................................................................... 77

Slot position and HA heartbeat interface precedence................................. 77

Base backplane data configurations ............................................................. 79

Connecting FortiGate boards to each other ................................................ 79

Connecting FortiGate boards to the network .............................................. 80

FortiGate-5020 base backplane communication .......... 81

HA configurations ........................................................................................... 81

Heartbeat failover between channels.......................................................... 82

Inter-chassis HA configurations .................................................................... 84

Network configurations .................................................................................. 86

FortiSwitch-5003A CLI reference ................................... 89

Connecting to the CLI ..................................................................................... 89

Connecting to the FortiSwitch-5003A console ............................................ 89

Setting administrative access on the mgmt interface.................................. 90

Connecting to the FortiSwitch-5003A CLI using SSH ................................. 91

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide

4 01-30000-85717-20081205

Contents

config ................................................................................................................ 92

admin user .................................................................................................. 92

route static................................................................................................... 93

switch fabric-channel interface .................................................................... 94

switch fabric-channel physical-port ............................................................. 96

switch fabric-channel stp instance .............................................................. 98

switch fabric-channel stp settings ............................................................. 100

switch fabric-channel trunk........................................................................ 101

system global ............................................................................................ 103

system interface ........................................................................................ 104

execute ........................................................................................................... 105

backup....................................................................................................... 105

bootimage ................................................................................................. 106

date ........................................................................................................... 107

factory-reset .............................................................................................. 108

ping ........................................................................................................... 109

reboot ........................................................................................................ 110

restore ....................................................................................................... 111

shutdown................................................................................................... 112

time ........................................................................................................... 113

top ............................................................................................................. 114

traceroute .................................................................................................. 115

get ................................................................................................................... 116

system performance.................................................................................. 116

system status ............................................................................................ 117

diagnose ......................................................................................................... 118

Monitoring the status of trunk members.................................................... 118

spanning-tree instance fabric-channel ...................................................... 119

spanning-tree mst-config fabric-channel ................................................... 120

switch fabric-channel mac-address filter ................................................... 121

switch fabric-channel mac-address list ..................................................... 122

Index................................................................................ 123

For more information..................................................... 127

Fortinet documentation................................................................................. 127

Fortinet Tools and Documentation CD ...................................................... 127

Fortinet Knowledge Center ...................................................................... 127

Comments on Fortinet technical documentation ...................................... 127

Customer service and technical support .................................................... 127

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 5

Contents

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide

6 01-30000-85717-20081205

Introduction About this document

Introduction

This FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide contains information, instructions and example configurations for the base

and fabric backplane channels and interfaces of FortiGate-5000 ATCA chassis and security systems.

FortiGate-5020 chassis is a 2-slot ATCA chassis. The FortiGate-5020 base backplane provides 2 base backplane channels for the base backplane interfaces of FortiGate-5000 boards installed in the chassis. The FortiGate-5020 chassis does not include fabric backplane channels.

The FortiGate-5140 chassis is a 14-slot ATCA chassis and the FortiGate-5050 chassis is a 5-slot ATCA chassis. To support base backplane layer-2 switching for FortiGate-5000 boards in slots 3 and up you can install FortiSwitch-5003A or FortiSwitch-5003 boards in the first and second hub/switch base slots of these chassis.To support fabric backplane layer-2 switching for FortiGate-5001A and 5005FA2 boards in slots 3 and up you can install FortiSwitch-5003A boards in the first and second hub/switch fabric slots. For most versions of the FortiGate-5140 and 5050 chassis the hub/switch base and fabric slots are slots 1 and 2. For more information about each chassis see the FortiGate-5140 Chassis Guide and the

FortiGate-5140 Chassis Guide.

FortiSwitch-5003A and 5003 boards can be used for fabric and base backplane layer-2 switching within a single chassis and between multiple chassis.

Note: Installing a FortiSwitch-5003A board and a FortiSwitch-5003 board in the same chassis is not supported.

Usually you would use the base channel for management traffic (for example, HA heartbeat traffic) and the fabric channel for data traffic although this is not a requirement.

This section includes the following topics:

• About this document

• Revision history

About this document

This document includes the following chapters:

• FortiSwitch-5003A system an overview of the FortiSwitch-5003A board.

• FortiSwitch-5003 system an overview of the FortiSwitch-5003 board.

• FortiGate-5140 fabric backplane communication describes supported configurations and features for FortiGate-5140 chassis fabric backplane communications.

• FortiGate-5050 fabric backplane communication describes supported configurations and features for FortiGate-5050 chassis fabric backplane communications.

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 7

Revision history Introduction

• FortiGate-5140 and 5050 base backplane communication describes supported configurations and features for FortiGate-5140 and 5050 chassis base backplane communications.

• FortiGate-5020 base backplane communication describes supported configurations and features for FortiGate-5020 chassis backplane communications.

• FortiSwitch-5003A CLI reference describes the FortiSwitch-5003A CLI commands.

Revision history

Table 1: Revision History

Version Description of changes

01-30005-0423-20070829 First version.

01-30000-85717-20081128 Re-written to include the FortiSwitch-5003A board, more

01-30000-85717-20081205 Improved the explanation of how the FortiSwitch-5003A

information about both FortiSwitch boards, fabric backplane functionality and the FortiSwitch-5003A CLI reference.

Note: The FortiSwitch-5003A board does not support Link Aggregation Control Protocol (LACP). LACP is also called

802.3ad dynamic mode layer-2 link aggregation.

board supports link aggregation and LACP. The FortiSwitch-5003A board supports 802.3ad static mode link aggregation not LACP (which is also called dynamic link aggregation). See “Fabric channel layer-2 link

aggregation” on page 33.

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide

8 01-30000-85717-20081205

FortiSwitch-5003A system

The FortiSwitch-5003A board provides 10/1-gigabit fabric backplane channel layer-2 switching and 1-gigabit base backplane channel layer-2 switching in a dual star architecture for the FortiGate-5140 and FortiGate-5050 chassis. The FortiSwitch-5003A board provides a total capacity of 200 Gigabits per second (Gbps) throughput.

The FortiGate-5140 chassis is a 14-slot ATCA chassis and the FortiGate-5050 chassis is a 5-slot ATCA chassis. In both chassis the FortiSwitch-5003A board is installed in the first and second hub/switch fabric slots. For most versions of the FortiGate-5140 and 5050 chassis the hub/switch fabric slots are slots 1 and 2. For more information about these chassis see the FortiGate-5140 Chassis Guide and the FortiGate-5140 Chassis Guide.

You can use the FortiSwitch-5003A board for fabric and base backplane layer-2 switching for FortiGate-5000 boards installed in slots 3 and up in FortiGate-5140 and FortiGate-5050 chassis. Usually you would use the base channel for management traffic (for example, HA heartbeat traffic) and the fabric channel for data traffic. FortiSwitch-5003A boards can be used for fabric and base backplane layer-2 switching within a single chassis and between multiple chassis.

The FortiSwitch-5003A system also supports 802.3ad static mode layer-2 link aggregation, 802.1q VLANs, and 802.1s Multi-Spanning Tree Protocol (MSTP) for the fabric channels. You can use these features to configure link aggregation and support redundant FortiSwitch-5003A switch configurations to distribute traffic to multiple FortiGate-5000 boards. The FortiGate-5000 boards must operate in Transparent mode, all are managed separately and all must have the same configuration.

A FortiSwitch-5003A board in hub/switch fabric slot 1 provides communications on fabric channel 1 and base channel 1. A FortiSwitch-5003A board in hub/switch fabric slot 2 provides communications on fabric channel 2 and base channel 2. If your chassis includes one FortiSwitch-5003A board you can install it in hub/switch fabric slot 1 or 2 and configure the FortiGate-5000 boards installed in the chassis to use the correct fabric and base backplane interfaces.

For a complete 10-gigabit fabric backplane solution you must install FortiGate-5000 hardware that supports 10-gigabit connections. For example, a FortiGate-5001A board combined with a FortiGate-RTM-XB2 module provides two 10-gigabit fabric interfaces. You can install the FortiGate-5001A boards in chassis slots 3 and up and FortiGate-RTM-XB2 modules in the corresponding RTM slots on the back of the chassis.

The FortiSwitch-5003A board includes the following features:

• One 1-gigabit base backplane channel for layer-2 base backplane switching between FortiGate-5000 boards installed in the same chassis as the FortiSwitch-5003A

• One 10/1-gigabit fabric backplane channel for layer-2 fabric backplane switching between FortiGate-5000 boards installed in the same chassis as the FortiSwitch-5003A

• Two front panel base backplane one-gigabit copper gigabit interfaces (B1 and B2) that connect to the base backplane channel

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 9

Front panel LEDs and connectors FortiSwitch-5003A system

Figure 1: FortiSwitch-5003A front panel

Base Network

Activity LEDs

Fabric Network

Activity LEDs

B1 B2

Base 1G

Copper

Healthy LED

Active LED

BASE 10G Optical

or Copper SFP

Fault LED

14/F8 F7 F6 F5 F4 F3 F2 F1

Fabric 10G Optical or Copper SFP

Reset Switch

Hot Swap

LED

Retention

Screw

Extraction

Lever

Retention

Screw

Extraction

Lever

RJ-45 COM

Port

MGMT 1G

Copper

Interface

OOS LED

• One front panel base backplane 10-gigabit optical or copper SFP+ interface (BASE 10G) that connects to the base backplane channel

• Eight front panel fabric backplane 10-gigabit optical or copper SFP+ interfaces (14/F8, F7, F6, F5, F4, F3, F2, and F1)

• One gigabit out of band management ethernet interface (MGMT)

• One RJ-45, RS-232 serial console connection (COM)

• Mounting hardware

• LED status indicators

• IEEE 802.1q VLANs

• IEEE 802.3ad static mode layer-2 link aggregation

• Link aggregation using a hash algorithm based on source and destination IP addresses

• Multi-Spanning Tree Protocol (MSTP) (IEEE 802.1s) to support redundant FortiSwitch-5003A boards and external MSTP-compatible switches

• Heartbeat between FortiGate-5001A and FortiGate-5005FA2 boards and the FortiSwitch-5003A over the fabric channel to support MSTP (configurable from the FortiGate-5001A and FortiGate-5005FA2 systems)

• Standard FortiOS command line interface (CLI) for configuring fabric switch settings (VLANs, MSTP, trunks, and so on)

Front panel LEDs and connectors

From the FortiSwitch-5003A font panel you can view the status of the board LEDs to verify that the board is functioning normally. The front panel includes a reset switch for restarting the FortiSwitch-5003A board.

The front panel also contains connectors to the fabric and base channels, an out of band management ethernet interface, and an RJ-45 RS-232 console port for connecting to the FortiSwitch-5003A CLI.

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide

10 01-30000-85717-20081205

FortiSwitch-5003A system Front panel LEDs and connectors

LEDs

Ta bl e 2 lists and describes the FortiSwitch-5003A front panel LEDs.

Table 2: FortiSwitch-5003A front panel LEDs and switches

LED State Description

OOS (Out of Service) Off Normal operation.

Red Out of service. The LED turns on if the

ACT (Active) Green The FortiSwitch-5003A board is powered on and

Yellow Caution status. Caution status is indicated by the

Off The board is not connected to power.

HTY (Healthy) Green The FortiSwitch-5003A board is powered on and

Off The board health system has detected a fault.

FLT (Fault) Off Normal operation.

Yellow Cannot establish a link to a configured interface or

RST (Reset switch) Press and hold Reset for three seconds to restart the

Base Network Activity LEDs

Fabric Network Activity LEDs

MGMT, B1, B2 (Management and base 1-gigabit LEDs)

Link/Act (Left LED)

Speed (Right LED)

FortiSwitch-5003A board.

Solid Green

Blinking Green

Off No link.

Solid Green

Blinking Green

Off No link.

Solid Green

Blinking Green

Off No Link

Green Connection at 1 Gbps.

Amber Connection at 100 Mbps.

Off Connection at 10 Mbps.

FortiSwitch-5003A board fails. The LED may also flash briefly when the board is powering on.

operating normally.

fault condition of the HTY and FLT LEDs.

operating normally.

another connection problem external to the FortiSwitch-5003A board. This LED may indicate issues that do not affect normal operation.

Indicates this interface is connected to the 1-gigabit base channel interface of a FortiGate-5000 board.

Table 3 on page 12 lists the base network activity

LEDs and the interface that each represents.

Indicates 1-gigabit network traffic on this interface.

Indicates this interface is connected to the 10/1-gigabit fabric channel interface of a FortiGate-5000 board. Table 5 on page 14 lists the fabric network activity LEDs and the interface that each represents.

Indicates 10/1-gigabit network traffic on this interface.

Table 5 on page 14 lists the fabric network activity

LEDs and the interface that each represents.

Indicates this interface is connected with the correct cable and the attached network device has power.

Indicates network traffic on this interface.

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 11

Front panel LEDs and connectors FortiSwitch-5003A system

Table 2: FortiSwitch-5003A front panel LEDs and switches (Continued)

LED State Description

Solid

BASE 10G, 14/F8, F7, F6, F5, F4, F3, F2, F1 (Base and Fabric 10 gigabit LEDs)

HS (Hot Swap) Blue The FortiSwitch-5003A is ready to be hot-swapped

Green

Blinking Green

Off No link.

Flashing Blue

Off Normal operation. The FortiSwitch-5003A board is in

Indicates this interface is connected to a 10-gigabit network device with the correct cable and the attached network device has power.

Indicates 10-gigabit network traffic on this interface.

(removed from the chassis). If the HS light is blue and no other LEDs are lit the FortiSwitch-5003A board has lost power

The FortiSwitch-5003A is changing from hot swap to running mode or from running mode to hot swap. This happens when the FortiSwitch-5003A board is starting up or shutting down.

contact with the chassis backplane.

Base channel interfaces

Tab le 3 lists and describes the FortiSwitch-5003A base backplane channel

interfaces. The base backplane interfaces are not configurable or visible from the FortiSwitch-5003A CLI.

Figure 2: FortiSwitch-5003A base network activity LEDs

Table 3: Base channel interfaces and network activity LEDs

Interface Name

SH1 If the FortiSwitch-5003A board is in the first hub/switch fabric slot, this

15 and SH2 Not used.

2/1 Base channel connection between base channels 1 and 2.

3 to 14 Base channel connection to FortiGate-5000 boards in chassis slots 3 to

Description

LED indicates a backplane connection to shelf manager 1. If the FortiSwitch-5003A board is in second hub/switch fabric slot this LED indicates a backplane connection to shelf manager 2.

This LED may not be lit even if a shelf manager is present if the shelf manager is configured to use its front panel interface.

The 2/1 LED is lit if there is any board capable of connecting to the base channel in the other slot. For example, if the FortiSwitch-5003A board is installed in the first hub/switch fabric slot, this LED will be lit if any board is installed in the second hub/switch fabric slot, including a FortiSwitch-5003A board or any FortiGate-5000 board.

14.

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide

12 01-30000-85717-20081205

FortiSwitch-5003A system Front panel LEDs and connectors

Table 3: Base channel interfaces and network activity LEDs

Interface Name

B1 and B2 Front panel gigabit base channel interfaces B1 and B2.

BASE 10G Front panel 10-gigabit base channel interface.

Fabric channel interfaces

Ta bl e 4 lists and describes the FortiSwitch-5003A fabric channel interfaces. You

can configure fabric interface settings, group fabric interfaces into trunks, and configure MSTP spanning tree settings for fabric interfaces from the FortiSwitch-5003A CLI.

Table 4: Fabric channel interfaces

Interface Name

Front Panel CLI*

2/1 slot-2/1 Interface between fabric channel 1 and fabric channel 2.

3 to 13 slot-3 to

14/F8 slot-14/f8 Front panel interface 14/F8.

F1 to F7 f1 to f7 Front panel 10-gigabit fabric interfaces F1 to F7.

* You can configure settings for FortiSwitch-5003A fabric interfaces from the FortiSwitch-5003A CLI. The CLI columns show the names of the interfaces as they appear on the FortiSwitch-5003A CLI.

Description

Use these interfaces to connect your network to the base channel, to connect base channel 1 to base channel 2, or to connect a base channel on one chassis to a base channel on another chassis.

Use this interface to connect a 10-gigabit network to the base channel. 10-gigabit communication is not supported across the base channels but this interface is still available if you need to connect the base channel to a 10-gigabit network.

Description

If there are two FortiSwitch-5003A boards installed in a chassis this interface can be used to communicate between them. In some configurations you may have to disable this communication.

Fabric backplane slots 3 to 13.

slot-13

The 3 to 13 fabric network activity LEDs are lit if there are FortiGate boards in chassis slots 3 to 13.

Fabric backplane slot 14 and front panel interface 14/F8 share the same FortiSwitch-5003A switch port. By default the the front panel interface 14/F8 is enabled and fabric backplane slot 14 is disabled. You can change this setting using a switch on the FortiSwitch-5003A board.

Use these interfaces to connect your network to the fabric channel, to connect fabric channel 1 to fabric channel 2, or to connect a fabric channel on one chassis to a fabric channel on another chassis.

The fabric network activity LEDs show links and network activity for the interfaces and connections listed in Tab le 5 .

Figure 3: FortiSwitch-5003A fabric network activity LEDs

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 13

FortiSwitch-5003A configurations FortiSwitch-5003A system

Table 5: Fabric network activity LEDs

Fabric network activity LED

2/1 Fabric channel connection between fabric channel 1 and fabric

3 to 13 Fabric backplane connection to FortiGate-5000 boards in chassis slots

Front panel connectors

Tab le 6 lists and describes the FortiSwitch-5003A front panel connectors.

Table 6: FortiSwitch-5003A connectors

Connector Type Speed Protocol Description

MGMT RJ-45 10/100/1000

COM RJ-45 9600 bps

B1, B2 RJ-45 10/100/1000

BASE 10G SFP+ 10 Gbps Ethernet SFP+ 10 gigabit connection to the base

FABRIC 10G, 14/F8, F7, F6, F5, F4, F3, F2, F1

Interface or connection

channel 2. This LED is lit if there are two FortiSwitch-5003A boards installed in the chassis to indicate fabric backplane communication between them.

3 to 13.

Base-T

8/N/1

Base-T

SFP+ 10 Gbps Ethernet SFP+ 10 gigabit connection to the fabric

Ethernet Copper gigabit connection to out of band

RS-232 serial

Ethernet Copper gigabit connection to the base

management interface. Serial connection to the command line

interface.

backplane channel.

FortiSwitch-5003A configurations

You can operate the FortiSwitch-5003A board as a fabric and base channel layer-2 switch for any FortiGate-5000 board. The FortiSwitch-5003A board is compatible with all FortiGate-5000 boards.

Base and fabric gigabit switching within a chassis

Figure 4 shows a FortiGate-5050 chassis with a FortiSwitch-5003A board in slot 1

and two FortiGate-5001A boards in slots 3 and 4. In this configuration the FortiGate-5001A boards are using base channel 1 for HA heartbeat communication. The FortiGate-5001A boards use base1 as the HA heartbeat interface.

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide

14 01-30000-85717-20081205

FortiSwitch-5003A system FortiSwitch-5003A configurations

SMC

POWER

Base channel 1 HA Heartbeat Communication

Figure 4: FortiSwitch-5003A base channel 1 HA heartbeat communication

5000SM

10/100

ETH0

Service

link/Act

ETH1

10/100

RESET

ETH0

link/Act

SERIAL

STATUS

Hot Swap

Fabric 10-gigabit switching within a chassis

One FortiGate-RTM-XB2 provides 10-gigabit connections to both FortiGate-5001A fabric channels. The FortiGate-RTM-XB2 also provides NP2 packet acceleration for each fabric channel. To effectively use NP2 acceleration, packets must be received by the FortiGate-5001A board on one fabric channel and exit from the FortiGate-5001A board on the same fabric channel or on the other fabric channel. See the FortiGate-RTM-XB2 System Guide for more information.

Figure 5 shows a FortiGate-5050 chassis containing two FortiSwitch-5003A

boards and one FortiGate-5001A board. Using these components this chassis supplies 10-gigabit connectivity between the external and internal network.

Figure 5: Example 10-gigabit connection between internal and external networks

Internal Network

Internal 10-gigabit

Network Connected

to Fabric Channel 2

5050SAP

ALARM

5000SM

10/100

ETH0

Service

link/Act

ETH1

SERIAL

FortiGate-RTM-XB2 module installed in RTM slot 3 provides two 10-gigabit fabric channels and NP2 acceleration for the FortiGate-5001A board

STATUS

10/100

RESET

ETH0

link/Act

FortiGate-5001A Board Installed in FortiGate-5050 front panel slot 3

Hot Swap

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 15

Fabric Channel 1 10 Gigabit Data Communication

POWER

Fabric Channel 2 10-gigabit Data Communication

5000SM

10/100

SMC

ETH0

Service

link/Act

ETH1

10/100

RESET

ETH0

link/Act

5050SAP

SERIAL

STATUS

Hot Swap

ALARM

External 10-gigabit

Network Connected

to Fabric Channel 1

5000SM

10/100 link/Act

ETH1

SERIAL

10/100

ETH0

link/Act

External Network

SMC

ETH0

Service

STATUS

Hot Swap

RESET

FortiSwitch-5003A configurations FortiSwitch-5003A system

Layer-2 link aggregation and redundancy configurations

The FortiSwitch-5003A board supports 802.3ad static mode layer-2 link aggregation, 802.1q VLANs, and 802.1s Multi-Spanning Tree Protocol (MSTP) for the fabric channels. You can use these features to configure link aggregation and support redundant FortiSwitch-5003A configurations to distribute traffic to multiple FortiGate-5001A or 5005FA2 boards.

Figure 6 shows a basic link aggregation configuration using a single

FortiSwitch-5003A board. In this configuration the external switch is connected to FortiSwitch-5003A front panel f5 interface. The switch adds VLAN tags to traffic from the internal and external networks.

Figure 6: Basic link aggregation configuration

External Network

Internal and external

10-gigabit networks

connected to

FortiSwitch-5003A

front panel interface F7

and to fabric channel 1

1311975312468101214

External switch

VLAN tagged traffic

FILTER

Internal Network

5140SAP

5140

CAL

ITI

USER1

MINOR

MAJOR

RESET

SERIAL 1 SERIAL 2 ALARM

USER2

USER3

Six FortiGate-RTM-XB2 modules installed in RTM slots 6, 8, 9, 10, 11, and

5000SM

ETH1

ETH0

10/100

link/Act

13 to provide 10-gigabit fabric interfaces and

ETH0 Service

RESET

NP2 acceleration for each

STATUS

Hot Swap

FortiGate-5001A board

5000SM

ETH1

ETH0

10/100

link/Act

ETH0 Service

RESET

STATUS

Hot Swap

Distributed 10-gigabit data communication on fabric channel 1

FAN TRAY FAN TRAYFAN TRAY

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide

16 01-30000-85717-20081205

FortiSwitch-5003 system Front panel LEDs and connectors

FortiSwitch-5003 system

The FortiSwitch-5003 board provides base backplane interface switching for the FortiGate-5140 chassis and the FortiGate-5050 chassis. You can use this switching for data communication or HA heartbeat communication between the base backplane interfaces of FortiGate-5000 series boards installed in slots 3 and up in these chassis. FortiSwitch-5003 boards can be used for base backplane communication in a single chassis or between multiple chassis.

Install FortiSwitch-5003 boards in chassis slots 1 and 2. A FortiSwitch-5003 board in slot 1 provides communications on base backplane interface 1. A FortiSwitch-5003 board in slot 2 provides communications on base backplane interface 2.

If your configuration includes only one FortiSwitch-5003 board you can install it in slot 1 or slot 2 and configure the FortiGate-5000 boards installed in the chassis to use the correct base backplane interface.

The FortiSwitch-5003 board includes the following features:

• A total of 16 10/100/1000Base-T gigabit ethernet interfaces:

• 13 backplane 10/100/1000Base-T gigabit interfaces for base backplane switching between FortiGate-5000 series boards installed in the same chassis as the FortiSwitch-5003

• Three front panel 10/100/1000Base-T gigabit interfaces (ZRE0, ZRE1, ZRE2) for base backplane switching between two or more FortiGate-5000 series chassis

• One 100Base-TX out of band management ethernet interface (ETH0)

• RJ-45 RS-232 serial console connection (CONSOLE)

• Mounting hardware

• LED status indicators

Front panel LEDs and connectors

From the FortiSwitch-5003 font panel you can view the status of the board LEDs to verify that the board is functioning normally. You can also connect the FortiSwitch-5003 board in one chassis to a FortiSwitch-5003 board in another chassis through the front panel ethernet connections. The front panel also includes and out of band management ethernet interface and the RJ-45 console port for connecting to the FortiSwitch-5003 CLI.

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 17

Front panel LEDs and connectors FortiSwitch-5003 system

Figure 7: FortiSwitch-5003 front panel

Power LED

Management

100Base-TX

Ethernet

ETH

MANAGEMENT

CONSOLE

RJ-45

Serial

RS232ZRE0ZRE1ZRE2

SYSTEM

CONSOLE

ZRE Network Activity LEDs (ZRE 0 to 15)

9876543210

1514

1312

1110

LED Mode Switch

Reset

Switch

OKCLK

INTEXT

FLT

HOT SWAP

ZRE

RESET

LED MODE

FLT

LEDs

Mounting

Knot

Extraction

Lever

Out of

Service LED

ZRE0 ZRE1 ZRE2

base backplane interfaces

10/100/1000Base-T

Ethernet

Hot

Swap

LED

Extraction

Lever

Tab le 7 lists and describes the FortiSwitch-5003 board front panel LEDs.

Table 7: FortiSwitch-5003 board front panel LEDs and switches

LED State Description

Off Normal operation.

Red Out of service. The LED turns on if the FortiSwitch-5003 board

Green The FortiSwitch-5003 board is powered on and operating

Yellow Caution status. Caution status is indicated by the fault condition

Off The board is not connected to power.

System Off Normal operation.

E0, E1

ZRE 0-15

Yellow or Green

Green Link/Activity mode: Blinking to indicate network traffic on this

(ZRE network activity LEDs, LED

Yellow Link/Activity mode: The interface is disabled and cannot

Mode switch changes

Off Link/Activity mode: No link.

mode)

LED Mode switch

Change the ZRE network activity LED display mode. Normally the ZRE network activity LEDs operate in Link/Activity mode. In this mode the LEDs flash green to indicate a link and to indicate network traffic.

Press this button to switch the ZRE LEDs to Link/Speed mode. In Link/Speed mode the ZRE LEDs use a solid color to indicate a link. The color of the LED indicates the speed of the link.

CLK Flashing

Green

OK Green Initialization completed successfully.

fails. The LED may also flash briefly when the board is powering on.

normally.

of the CLOCK, OK or INT FLT LEDs.

Link status of out of band management interfaces (not used).

interface. Table 8 on page 19 lists the ZRE LEDs and the interface that each represents.

Link/Speed mode: 100 Mbps connection.

forward packets. (not used) Link/Speed mode: 1000 Mbps connection.

Link/Speed mode: 10 Mbps connection.

Initialization completed successfully.

Mounting

Knot

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide

18 01-30000-85717-20081205

FortiSwitch-5003 system Front panel LEDs and connectors

ZRE

1514

1312

1110

Table 7: FortiSwitch-5003 board front panel LEDs and switches (Continued)

LED State Description

EXT FLT Off Normal operation.

Yellow Cannot establish a link to a configured interface or another

INT FLT Off Normal operation.

Yellow Failure of internal tests. Indicates a hardware or software

Hot Swap Blue Indicates the FortiSwitch-5003 board is ready to be hot

Reset switch

Press and hold Reset for three seconds to restart the FortiSwitch-5003 board.

connection problem external to the FortiSwitch-5003 board. This LED may indicate issues that do not affect normal operation.

problem with the FortiSwitch-5003 board.

swapped. During a hot swap, the LED is on. The LED turns off when the FortiSwitch-5003 board is correctly installed.

About the ZRE network activity LEDs

The ZRE network activity LEDs show links and network activity for the interfaces and connections listed in Tab le 8 .

Figure 8: FortiSwitch-5003 ZRE network activity LEDs

Table 8: ZRE network activity LEDs FortiSwitch-5003 interfaces and connections

ZRE network activity LED

0 ZRE0 front panel interface.

1 ZRE1 front panel interface.

2 ZRE2 front panel interface.

3 to 14 Base backplane connection to FortiGate-5000 series boards in chassis

15 Base backplane link. Indicates that the FortiSwitch-5003 board can

Interface or connection

slots 3 to 14.

connect to the base backplane interface.

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 19

Base backplane communications FortiSwitch-5003 system

Connectors

Tab le 9 lists and describes the FortiSwitch-5003 front panel connectors.

Table 9: FortiSwitch-5003 connectors

Connector Type Speed Protocol Description

ETH0 RJ-45 100Base-T Ethernet Front panel out of band management

CONSOLE RJ-45 9600 bps RS-232

ZRE0, ZRE1, ZRE2

RJ-45 10/100/1000

Base-T

serial Ethernet Redundant connections to another

interface. A second out of band management interface, ETH1, connects to the shelf managers. Neither of the out of band management interfaces are used.

Serial connection to the command line interface.

FortiSwitch-5003 board in an different FortiGate-5140 or FortiGate-5050 chassis. Use these interfaces for base backplane interface connections between FortiGate-5000 series chassis.

Base backplane communications

This section provides a brief introduction to using FortiSwitch-5003 boards for base backplane communication.

FortiSwitch-5003 boards installed in a FortiGate-5140 or FortiGate-5050 chassis in slot 1 or slot 2 provide base backplane switching for all of the FortiGate-5000 series boards installed in chassis slots 3 and above. Base backplane switching can be used for HA heartbeat communication and for data communication between FortiGate-5000 series boards.

The FortiGate-5000 series boards can all be installed in the same chassis, or you can use the FortiSwitch-5003 front panel ZRE interfaces for base backplane communication among multiple FortiGate-5140 and FortiGate-5050 chassis. The communication can be among a collection of the same chassis (for example, multiple FortiGate-5050 chassis) or among a mixture of FortiGate-5140 and FortiGate-5050 chassis. In most cases you would connect the same base backplane interfaces together, but you can also use the FortiSwitch-5003 front panel ZRE interfaces for connections between base backplane interface 1 and base backplane interface 2. Again these connections can be within the same chassis or among multiple chassis.

A FortiSwitch-5003 board in slot 1 provides communications on base backplane interface 1. The FortiGate-5001SX and the FortiGate-5001FA2 boards communicate with base backplane interface 1 using the interface named port9. The FortiGate-5005FA2 board communicates with base backplane interface 1 using the interface named base1.

A FortiSwitch-5003 board in slot 2 provides communications on base backplane interface 2. The FortiGate-5001SX and the FortiGate-5001FA2 boards communicate with base backplane interface 2 using the interface named port10. The FortiGate-5005FA2 board communicates with base backplane interface 2 using the interface named base2.

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide

20 01-30000-85717-20081205

FortiSwitch-5003 system Base backplane communications

In a single chassis, more than one cluster can use the same base backplane interface for HA heartbeat communication. To separate heartbeat communication for multiple clusters on the same base backplane interface, configure a different HA group name and password for each cluster.

In a single chassis, you can also use the same base backplane interface for data and HA heartbeat communication. If you are operating multiple clusters and multiple data paths on the same base backplane interface you may experience some bandwidth limitations. To increase the amount of bandwidth available you can add a second FortiSwitch-5003 board and use both backplane interfaces for HA heartbeat and data communication.

If you have two FortiSwitch-5003 boards and two backplane interfaces available you can balance the traffic between the base backplane interfaces by how you configure your FortiGate-5000 board data interfaces and HA heartbeat interfaces. For example, if you have two busy FortiGate-5001SX clusters you might configure one cluster to use port9 for HA heartbeat traffic and the other to use port10. If you have a number of data paths that use the same base backplane interfaces you can change the configuration to distribute traffic between both base backplane interfaces.

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 21

Base backplane communications FortiSwitch-5003 system

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide

22 01-30000-85717-20081205

FortiGate-5140 fabric backplane communication

The FortiGate-5140 chassis has two fabric backplane Ethernet channels that can operate at 1 Gbps or 10 Gbps. Available connections to these channels vary by chassis hub/switch slot number.

• Hub/switch slot 1 can connect to the first fabric backplane channel (channel 1), and thereby all other chassis slots, except hub/switch slot 2.

• Hub/switch Slot 2 can connect the to the second fabric backplane channel (channel 2), and thereby all other chassis slots, except hub/switch slot 1.

• Other slots can connect to either or both channels, but only directly reach hub/switch slot 1 or hub/switch slot 2. Connections to other slots through the fabric backplane channels must pass through hub/switch slot 1 or hub/switch slot 2.

Note: For more information on chassis architecture, see ATCA (Advanced Telecom Computing Architecture) specifications.

Because of the fabric backplane dual star topology, connecting to or through the fabric backplane requires FortiSwitch-5003A boards installed in hub/switch slot 1, hub/switch slot 2, or both. FortiSwitch-5003A front panel fabric interfaces can also connect the chassis fabric backplane channels to external devices, such as a management computer, the network, or the fabric backplane of another chassis.

Note: FortiSwitch-5003 boards do not support fabric backplane switching.

FortiGate-5001A boards and FortiGate-5005FA2 boards can connect to the fabric backplane at 1 Gbps. With the addition of a FortiGate-RTM-XB2 modules, FortiSwitch-5001A boards can also connect to the fabric backplane at 10 Gbps. The FortiGate-5001SX board and FortiGate-5001FA2 board do not include fabric backplane interfaces.

Table 10: Names of fabric backplane interfaces by FortiGate model

Model Name of fabric backplane

interface 1 (to slot 1)

FortiGate-5001A fabric1 fabric2

FortiGate-5005FA2 fabric1 fabric2

FortiGate-5001FA2 N/A N/A

FortiGate-5001SX N/A N/A

Name of fabric backplane interface 2 (to slot 2)

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 23

Fabric gigabit switching within a chassis FortiGate-5140 fabric backplane communication

1311975312468101214

5140

FILTER

Fabric channel 1 data communication

This section describes:

• Fabric gigabit switching within a chassis

• Fabric channel connections between FortiSwitch-5003A boards

• Fabric gigabit switching between chassis

• Fabric gigabit switching to the network

• Fabric 10-gigabit switching within a chassis

• Fabric channel layer-2 link aggregation

• Fabric channel layer-2 link aggregation and redundancy

• Example active-passive redundant link configuration

• Example active-active redundant link configuration

Fabric gigabit switching within a chassis

You can use FortiSwitch-5003A fabric channel switching for communication between the fabric backplane interfaces of FortiGate-5001A or 5005FA2 boards installed in a FortiGate-5140 chassis.

Figure 9 shows a FortiGate-5140 chassis with a FortiSwitch-5003A board in

hub/switch slot 1, and FortiGate-5001A boards in 6 other slots. In this configuration the FortiSwitch-5003A board provides 1-gigabit fabric backplane switching for the FortiGate-5001A fabric1 interfaces. The FortiSwitch-5003A boards operate as layer-2 switches and the FortiGate-5001A boards operate as typical standalone FortiGate units.

Figure 9: FortiGate-5140 fabric channel 1 data communication

5140SAP

SERIAL 1 SERIAL 2 ALARM

USER2

USER3

USER1

MINOR

MAJOR

CRITICAL

RESET

5000SM

ETH1

ETH0

10/100

link/Act

ETH0 Service

RESET

STATUS

Hot Swap

5000SM

ETH1

ETH0

10/100

link/Act

ETH0 Service

RESET

STATUS

Hot Swap

FAN TRAY FAN TRAYFAN TRAY

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide

24 01-30000-85717-20081205

FortiGate-5140 fabric backplane communication Fabric gigabit switching within a chassis

The chassis can be connected to the network using any of the FortiGate-5001A front panel interfaces. You can also connect FortiSwitch-5003A front panel fabric interfaces to the network. You can also install FortiGate AMC modules in the FortiGate-5001A boards and connect the network to the AMC front panel interfaces. The AMC modules and the network connections are not shown in

Figure 9.

For the FortiGate-5001A boards to use the fabric channel 1 for data communication you must show backplane interfaces on the FortiGate-5001A web-based manager and then configure firewall polices and routing for the fabric1 interfaces.

If the data traffic contains VLAN-tagged packets, you must add the VLAN tags to the FortiSwitch-5003A interfaces that will handle the VLAN-tagged traffic. For example, to allow VLAN tags 201 to 210 on slots 9, 11, and 13 from the FortiSwitch-5003A CLI enter:

config switch fabric-channel interface

edit "slot-9"

set allowed-vlans 1,201-210 next edit "slot-11"

set allowed-vlans 1,201-210 next edit "slot-13"

set allowed-vlans 1,201-210 end

For more information about the FortiSwitch-5003A CLI, see “FortiSwitch-5003A

CLI reference” on page 89.

Figure 10 shows a FortiGate-5140 chassis with FortiSwitch-5003A boards in

hub/switch slots 1 and 2 and FortiGate-5001A and 5005FA2 boards in all of the other slots. The FortiGate boards can use fabric channels 1 and 2 for data communication among the FortiGate boards. In this configuration the FortiSwitch-5003A boards are operating as layer-2 switches for fabric channels 1 and 2 and the FortiGate boards are operating as typical standalone FortiGate units.

The chassis can be connected to the network using any of the FortiGate front panel interfaces. You can also connect FortiSwitch-5003A front panel fabric interfaces to the network. You can also install FortiGate AMC modules in the FortiGate-5001A boards and connect the network to the AMC front panel interfaces. The AMC modules and the network connections are not shown in

Figure 10.

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 25

Fabric gigabit switching within a chassis FortiGate-5140 fabric backplane communication

Figure 10: FortiGate-5140 fabric channel 1 and 2 data communication

Fabric channel 2 data communication

5140SAP

5140

E S

1311975312468101214

LINK

CONSOLE

OOS ACC STATUS

IPM

R A C

LINK

ACT

FABRIC

BASE

OOS ACC STATUS

USB USB

3 412 56

IPM

LINK

ACT

FABRIC

BASE

CONSOLE

3 412 56

SERIAL 1 SERIAL 2 ALARM

3 R E

S U

LINK

ACT

FABRIC

BASE

CONSOLE

OOS ACC STATUS

USB USB

3 412 56

IPM

LINK

ACT

FABRIC

BASE

CONSOLE

OOS ACC STATUS

IPM

LINK

ACT

FABRIC

BASE

CONSOLE

OOS ACC STATUS

USB USB

3 412 56

IPM

LINK

ACT

FABRIC

BASE

CONSOLE

OOS ACC STATUS

USB USB

3 412 56

IPM

5000SM

ETH1

ETH0

10/100

link/Act

ETH0

Service

RESET

STATUS

Hot Swap

5000SM

ETH1

ETH0

10/100

link/Act

ETH0

Service

RESET

STATUS

Hot Swap

FILTER

FAN TRAY FAN TRAYFAN TRAY

Fabric channel 1 data communication

For the FortiGate boards to use the fabric channels 1 and 2 for data communication you must show backplane interfaces on the FortiGate web-based manager and then configure firewall polices and routing for the fabric1 and fabric2 interfaces.

If the data traffic contains VLAN-tagged packets, you must add the VLAN tags to the FortiSwitch-5003A interfaces that will handle the VLAN-tagged traffic. For example, to allow VLAN tag 400 on slots 4 and 12 from the FortiSwitch-5003A CLI enter:

config switch fabric-channel interface

edit "slot-4"

set allowed-vlans 1,400 next edit "slot-12"

set allowed-vlans 1,400 end

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide

26 01-30000-85717-20081205

FortiGate-5140 fabric backplane communication Fabric channel connections between FortiSwitch-5003A boards

Fabric channel connections between FortiSwitch-5003A boards

When two FortiSwitch-5003A boards are installed in a single chassis their fabric channels are connected together. This means there is a data connection between fabric channel 1 and fabric channel 2. Unless you are going to use this connection you should disable it.

If one or more of the FortiGate-5001A or 5005FA2 boards are operating in transparent mode, the connection between the fabric channels can cause looping. If you have one or more FortiGate-5001A or 5005FA2 boards operating in transparent mode with two FortiSwitch-5003A boards in the same chassis you must disable communication between the FortiSwitch-5003A boards.

The fabric channel connection between the FortiSwitch-5003A boards uses an internal FortiSwitch-5003A interface called slot-2/1. To disable the fabric channel connection between two FortiSwitch-5003A boards you should set the status of slot-2/1 to down for one of the boards. Connect to the CLI of one of the FortiSwitch-5003A boards and enter the following command:

config switch fabric-channel physical-port

edit slot-2/1

set status down

end

Fabric gigabit switching between chassis

You can use the FortiSwitch-5003A front panel fabric interfaces to provide 10-gigabit data communications between the fabric channels of any combination of FortiGate-5050 and FortiGate-5140 chassis.

Note: Its not required, but in most cases you would connect the same fabric channels together. That is you would connect fabric channel 1 on one chassis to fabric channel 1 on another. Usually you would not connect fabric channel 1 on one chassis to fabric channel 2 on another chassis. Also, you would usually not connect a base channel from one chassis to a fabric channel on another chassis. You should be careful of looping when connecting chassis together if some of the FortiGate boards in the chassis are operating in transparent mode.

Figure 11 shows data communication between two FortiGate-5140 chassis using

fabric channel 1. The top chassis in the figure contains a FortiSwitch-5003A board in hub/switch slot 1 and six FortiGate-5001A boards. The bottom chassis contains a FortiSwitch-5003A board also in hub/switch slot 1 and four FortiGate-5005FA2 boards.

The chassis are connected together using the FortiSwitch-5003A F1 front panel interface in the top chassis and the FortiSwitch-5003A F7 front panel interface in the bottom chassis.

In this configuration the FortiSwitch-5003A boards are operating as layer-2 switches for fabric channel 1 and the FortiGate-5001A and 5005FA2 boards are operating as typical standalone FortiGate units.

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 27

Fabric gigabit switching between chassis FortiGate-5140 fabric backplane communication

The chassis can be connected to the network using any of the FortiGate front panel interfaces. You can also connect FortiSwitch-5003A front panel fabric interfaces to the network. You can also install FortiGate AMC modules in the FortiGate-5001A boards and connect networks to the AMC front panel interfaces. The AMC modules and the network connections are not shown in Figure 11.

Figure 11: Fabric channel 1 data communication between two FortiGate-5140

chassis

5140SAP

5140

1311975312468101214

FILTER

SERIAL 1 SERIAL 2 ALARM

USER2

USER1

USER3

MINOR

MAJOR

CRITICAL

RESET

5000SM

ETH1

ETH0

10/100

link/Act

ETH0

Service

RESET

STATUS

Hot Swap

5000SM

ETH1

ETH0

10/100

link/Act

ETH0

Service

RESET

STATUS

Hot Swap

Fabric channel 1 data communication

FAN TRAY FAN TRAYFAN TRAY

Fabric channel 1 10-gigabit data communication between 2 chassis

5140SAP

5140

1311975312468101214

LINK

ACT

FABRIC

BASE

CONSOLE

OOS ACC STATUS

USB USB

3 412 56

IPM

SERIAL 1 SERIAL 2 ALARM

USER2

USER1

USER3

MINOR

MAJOR

CRITICAL

RESET

LINK

ACT

FABRIC

BASE

CONSOLE

OOS ACC STATUS

USB USB

3 412 56

IPM

5000SM

ETH1

ETH0

10/100

link/Act

ETH0 Service

RESET

STATUS

Hot Swap

5000SM

ETH1

ETH0

10/100

link/Act

ETH0 Service

RESET

STATUS

Hot Swap

FILTER

Fabric channel 1 data communication

FAN TRAY FAN TRAYFAN TRAY

For the FortiGate-5001A and 50005FA2 boards to use fabric channel 1 for data communication you must show backplane interfaces on the FortiGate web-based manager and then configure firewall polices and routing for the fabric1 interfaces.

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide

28 01-30000-85717-20081205

FortiGate-5140 fabric backplane communication Fabric gigabit switching to the network

If the data traffic contains VLAN-tagged packets, you must add the VLAN tags to the FortiSwitch-5003A interfaces that will handle the VLAN-tagged traffic. For example, to allow VLAN tags 201 to 210 on slots 8 and 10 and the F7 front panel interface, from the FortiSwitch-5003A CLI enter:

config switch fabric-channel interface

edit "slot-8"

set allowed-vlans 1,201-210 next edit "slot-10"

set allowed-vlans 1,201-210 next edit "f7"

set allowed-vlans 1,201-210 end

Fabric gigabit switching to the network

You can use the FortiSwitch-5003A fabric front panel interfaces to connect the fabric channel of a chassis to your network. Most often you would do this for data communication between the network and a fabric channel. For a simple 10-gigabit connection from your network to a fabric channel you can connect your network directly to a FortiSwitch-5003A fabric channel front panel interface. This connection provides data communication to the fabric1 or fabric2 interfaces of the FortiGate-5000 boards installed in the chassis.

Figure 12 shows a FortiGate-5140 chassis containing two FortiSwitch-5003A

boards and 6 FortiGate-5001A boards. The chassis is connected to internal and an external networks using FortiSwitch-5003A front panel fabric interfaces:

• The internal network is connected to fabric channel 2 using the F7 front panel interface of the FortiSwitch-5003A board in hub/switch slot 2

• The external network is connected to fabric channel 1 using the F1 front panel interface of the FortiSwitch-5003A board in hub/switch slot 1

In this configuration the FortiSwitch-5003A boards are operating as layer-2 switches and the FortiGate-5001A boards are operating as standalone FortiGate units.

The chassis can also be connected to the network using any of the FortiGate front panel interfaces. You can also install FortiGate AMC modules in the FortiGate-5001A boards and connect networks to the AMC front panel interfaces. The AMC modules and network connections to the AMC modules and FortiGate boards are not shown in Figure 12.

If you have two FortiSwitch-5003A boards installed in a chassis you may need to block communication between fabric channel 1 and fabric channel 2. See “Fabric

channel connections between FortiSwitch-5003A boards” on page 27 for more

information.

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 29

Fabric gigabit switching to the network FortiGate-5140 fabric backplane communication

Figure 12: Fabric channel 2 connected to an internal network and fabric channel 1

connected to an external network

Internal Network

Fabric channel 2

Internal network connected to the F7 front panel fabric interface to connect to fabric channel 2

1311975312468101214

data communication

5140

FILTER

5140SAP

SERIAL 1 SERIAL 2 ALARM

USER2

USE

MINOR

MAJOR

CRITICAL

RES

5000SM

ETH1

ETH0

10/100

10/100 link/Act

link/Act

ETH0

Service

RESET

STATUS

Hot Swap

5000SM

ETH1

ETH0

10/100

10/100 link/Act

link/Act

ETH0

Service

RESET

STATUS

Hot Swap

External network connected to the F1 front panel fabric interface to connect to fabric channel 1

External Network

Fabric channel 1 data communication

FAN TRAY FAN TRAYFAN TRAY

For the FortiGate-5001A boards to use the fabric channels for data communication you must show backplane interfaces on the FortiGate web-based manager and then configure firewall polices and routing for the fabric1 and fabric2 interfaces.

If the data traffic contains VLAN-tagged packets, you must add the VLAN tags to the FortiSwitch-5003A interfaces that will handle the VLAN-tagged traffic. For example, to allow VLAN tags 201 to 210 on slots 6, 8, and 10 and the F1 front panel interface, from the FortiSwitch-5003A CLI enter:

config switch fabric-channel interface

edit "slot-6"

set allowed-vlans 1,201-210 next edit "slot-8"

set allowed-vlans 1,201-210 next edit "slot-10"

set allowed-vlans 1,201-210 next edit "f1"

set allowed-vlans 1,201-210 end

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide

30 01-30000-85717-20081205

+ 98 hidden pages

Fortinet Forti 5003, Forti 5003A User Manual

Specifications and Main Features

Frequently Asked Questions

User Manual

Warnings and cautions

Contents

Introduction

About this document

Revision history

FortiSwitch-5003A system

Front panel LEDs and connectors

LEDs

Base channel interfaces

Fabric channel interfaces

Front panel connectors

FortiSwitch-5003A configurations

Base and fabric gigabit switching within a chassis

Fabric 10-gigabit switching within a chassis

Layer-2 link aggregation and redundancy configurations

FortiSwitch-5003 system

Front panel LEDs and connectors

LEDs

About the ZRE network activity LEDs

Connectors

Base backplane communications

FortiGate-5140 fabric backplane communication

Fabric gigabit switching within a chassis

Fabric channel connections between FortiSwitch-5003A boards

Fabric gigabit switching between chassis

Fabric gigabit switching to the network