Fortinet Forti 5003, Forti 5003A User Manual

FortiSwitch-5003A and 5003

Fabric and Base Backplane Communications Guide

FortiSwitch-5003A

ETH

O

MANAGEMENT

RS232ZRE0

SYSTEM

CONSOLE

ZRE

1

ZRE

2

E1

E0

1514

1312

1110

9876543210

OKCLK

INTEXT

FLT

HOT SWAP

ZRE

RESET

FLT

LED MODE

FortiSwitch-5003

This FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide describes using the FortiSwitch-5003A board and FortiSwitch-5003 board for FortiGate-5000 series base and fabric backplane switching. This document also contains the FortiSwitch-5003A CLI reference.

The most recent versions of this and all FortiGate-5000 series documents are available from the FortiGate-5000 page of the Fortinet Technical Documentation web site (http://docs.forticare.com).

Visit http://support.fortinet.com to register your FortiSwitch-5003A and 5003 security system. By registering you can

receive product updates, technical support, and FortiGuard services.

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide

01-30000-85717-20081205

Warnings and cautions

!

Only trained and qualified personnel should be allowed to install or maintain FortiGate-5000 series equipment. Read and comply with all warnings, cautions and notices in this document.

CAUTION: Risk of Explosion if Battery is replaced by an Incorrect Type. Dispose of Used Batteries According to the Instructions.

Caution: You should be aware of the following cautions and warnings before installing FortiGate-5000 series hardware

• Turning off all power switches may not turn off all power to the FortiGate-5000 series equipment. Some circuitry in the FortiGate-5000 series equipment may continue to operate even though all power switches are off.

• Many FortiGate-5000 components are hot swappable and can be installed or removed while the power is on. But some of the procedures in this document may require power to be turned off and completely disconnected. Follow all instructions in the procedures in this document that describe disconnecting FortiGate-5000 series equipment from power sources, telecommunications links and networks before installing, or removing FortiGate-5000 series components, or performing other maintenance tasks. Failure to follow the instructions in this document can result in personal injury or equipment damage.

• Install FortiGate-5000 series chassis at the lower positions of a rack to avoid making the rack top-heavy and unstable.

• Do not insert metal objects or tools into open chassis slots.

• Electrostatic discharge (ESD) can damage FortiGate-5000 series equipment. Only perform the procedures described in this document from an ESD workstation. If no such station is available, you can provide some ESD protection by wearing an anti-static wrist strap and attaching it to an available ESD connector such as the ESD sockets provided on FortiGate-5000 series chassis.

• Make sure all FortiGate-5000 series components have reliable grounding. Fortinet recommends direct connections to the building ground.

• If you install a FortiGate-5000 series component in a closed or multi-unit rack assembly, the operating ambient temperature of the rack environment may be greater than room ambient. Make sure the operating ambient temperature does not exceed Fortinet’s maximum rated ambient temperature.

• Installing FortiGate-5000 series equipment in a rack should be such that the amount of airflow required for safe operation of the equipment is not compromised.

• FortiGate-5000 series chassis should be installed by a qualified electrician.

• FortiGate-5000 series equipment shall be installed and connected to an electrical supply source in accordance with the applicable codes and regulations for the location in which it is installed. Particular attention shall be paid to use of correct wire type and size to comply with the applicable codes and regulations for the installation / location. Connection of the supply wiring to the terminal block on the equipment may be accomplished using Listed wire compression lugs, for example, Pressure Terminal Connector made by Ideal Industries Inc. or equivalent which is suitable for AWG 10. Particular attention shall be given to use of the appropriate compression tool specified by the compression lug manufacturer, if one is specified.

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide

01-30000-85717-20081205

Introduction

This FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide contains information, instructions and example configurations for the base

and fabric backplane channels and interfaces of FortiGate-5000 ATCA chassis and security systems.

FortiGate-5020 chassis is a 2-slot ATCA chassis. The FortiGate-5020 base backplane provides 2 base backplane channels for the base backplane interfaces of FortiGate-5000 boards installed in the chassis. The FortiGate-5020 chassis does not include fabric backplane channels.

The FortiGate-5140 chassis is a 14-slot ATCA chassis and the FortiGate-5050 chassis is a 5-slot ATCA chassis. To support base backplane layer-2 switching for FortiGate-5000 boards in slots 3 and up you can install FortiSwitch-5003A or FortiSwitch-5003 boards in the first and second hub/switch base slots of these chassis.To support fabric backplane layer-2 switching for FortiGate-5001A and 5005FA2 boards in slots 3 and up you can install FortiSwitch-5003A boards in the first and second hub/switch fabric slots. For most versions of the FortiGate-5140 and 5050 chassis the hub/switch base and fabric slots are slots 1 and 2. For more information about each chassis see the FortiGate-5140 Chassis Guide and the

FortiGate-5140 Chassis Guide.

FortiSwitch-5003A and 5003 boards can be used for fabric and base backplane layer-2 switching within a single chassis and between multiple chassis.

Note: Installing a FortiSwitch-5003A board and a FortiSwitch-5003 board in the same chassis is not supported.

Usually you would use the base channel for management traffic (for example, HA heartbeat traffic) and the fabric channel for data traffic although this is not a requirement.

This section includes the following topics:

• About this document

• Revision history

About this document

This document includes the following chapters:

• FortiSwitch-5003A system an overview of the FortiSwitch-5003A board.

• FortiSwitch-5003 system an overview of the FortiSwitch-5003 board.

• FortiGate-5140 fabric backplane communication describes supported configurations and features for FortiGate-5140 chassis fabric backplane communications.

• FortiGate-5050 fabric backplane communication describes supported configurations and features for FortiGate-5050 chassis fabric backplane communications.

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 7

Revision history Introduction

• FortiGate-5140 and 5050 base backplane communication describes supported configurations and features for FortiGate-5140 and 5050 chassis base backplane communications.

• FortiGate-5020 base backplane communication describes supported configurations and features for FortiGate-5020 chassis backplane communications.

• FortiSwitch-5003A CLI reference describes the FortiSwitch-5003A CLI commands.

Revision history

Table 1: Revision History

Version Description of changes

01-30005-0423-20070829 First version.

01-30000-85717-20081128 Re-written to include the FortiSwitch-5003A board, more

01-30000-85717-20081205 Improved the explanation of how the FortiSwitch-5003A

information about both FortiSwitch boards, fabric backplane functionality and the FortiSwitch-5003A CLI reference.

Note: The FortiSwitch-5003A board does not support Link Aggregation Control Protocol (LACP). LACP is also called

802.3ad dynamic mode layer-2 link aggregation.

board supports link aggregation and LACP. The FortiSwitch-5003A board supports 802.3ad static mode link aggregation not LACP (which is also called dynamic link aggregation). See “Fabric channel layer-2 link

aggregation” on page 33.

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide

8 01-30000-85717-20081205

FortiSwitch-5003A system

The FortiSwitch-5003A board provides 10/1-gigabit fabric backplane channel layer-2 switching and 1-gigabit base backplane channel layer-2 switching in a dual star architecture for the FortiGate-5140 and FortiGate-5050 chassis. The FortiSwitch-5003A board provides a total capacity of 200 Gigabits per second (Gbps) throughput.

The FortiGate-5140 chassis is a 14-slot ATCA chassis and the FortiGate-5050 chassis is a 5-slot ATCA chassis. In both chassis the FortiSwitch-5003A board is installed in the first and second hub/switch fabric slots. For most versions of the FortiGate-5140 and 5050 chassis the hub/switch fabric slots are slots 1 and 2. For more information about these chassis see the FortiGate-5140 Chassis Guide and the FortiGate-5140 Chassis Guide.

You can use the FortiSwitch-5003A board for fabric and base backplane layer-2 switching for FortiGate-5000 boards installed in slots 3 and up in FortiGate-5140 and FortiGate-5050 chassis. Usually you would use the base channel for management traffic (for example, HA heartbeat traffic) and the fabric channel for data traffic. FortiSwitch-5003A boards can be used for fabric and base backplane layer-2 switching within a single chassis and between multiple chassis.

The FortiSwitch-5003A system also supports 802.3ad static mode layer-2 link aggregation, 802.1q VLANs, and 802.1s Multi-Spanning Tree Protocol (MSTP) for the fabric channels. You can use these features to configure link aggregation and support redundant FortiSwitch-5003A switch configurations to distribute traffic to multiple FortiGate-5000 boards. The FortiGate-5000 boards must operate in Transparent mode, all are managed separately and all must have the same configuration.

A FortiSwitch-5003A board in hub/switch fabric slot 1 provides communications on fabric channel 1 and base channel 1. A FortiSwitch-5003A board in hub/switch fabric slot 2 provides communications on fabric channel 2 and base channel 2. If your chassis includes one FortiSwitch-5003A board you can install it in hub/switch fabric slot 1 or 2 and configure the FortiGate-5000 boards installed in the chassis to use the correct fabric and base backplane interfaces.

For a complete 10-gigabit fabric backplane solution you must install FortiGate-5000 hardware that supports 10-gigabit connections. For example, a FortiGate-5001A board combined with a FortiGate-RTM-XB2 module provides two 10-gigabit fabric interfaces. You can install the FortiGate-5001A boards in chassis slots 3 and up and FortiGate-RTM-XB2 modules in the corresponding RTM slots on the back of the chassis.

The FortiSwitch-5003A board includes the following features:

• One 1-gigabit base backplane channel for layer-2 base backplane switching between FortiGate-5000 boards installed in the same chassis as the FortiSwitch-5003A

• One 10/1-gigabit fabric backplane channel for layer-2 fabric backplane switching between FortiGate-5000 boards installed in the same chassis as the FortiSwitch-5003A

• Two front panel base backplane one-gigabit copper gigabit interfaces (B1 and B2) that connect to the base backplane channel

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 9

Front panel LEDs and connectors FortiSwitch-5003A system

Figure 1: FortiSwitch-5003A front panel

Base Network

Activity LEDs

Fabric Network

Activity LEDs

B1 B2

Base 1G

Copper

Healthy LED

Active LED

BASE 10G Optical

or Copper SFP

Fault LED

14/F8 F7 F6 F5 F4 F3 F2 F1

Fabric 10G Optical or Copper SFP

Reset Switch

Hot Swap

LED

Retention

Screw

Extraction

Lever

Retention

Screw

Extraction

Lever

RJ-45 COM

Port

MGMT 1G

Copper

Interface

OOS LED

• One front panel base backplane 10-gigabit optical or copper SFP+ interface (BASE 10G) that connects to the base backplane channel

• Eight front panel fabric backplane 10-gigabit optical or copper SFP+ interfaces (14/F8, F7, F6, F5, F4, F3, F2, and F1)

• One gigabit out of band management ethernet interface (MGMT)

• One RJ-45, RS-232 serial console connection (COM)

• Mounting hardware

• LED status indicators

• IEEE 802.1q VLANs

• IEEE 802.3ad static mode layer-2 link aggregation

• Link aggregation using a hash algorithm based on source and destination IP addresses

• Multi-Spanning Tree Protocol (MSTP) (IEEE 802.1s) to support redundant FortiSwitch-5003A boards and external MSTP-compatible switches

• Heartbeat between FortiGate-5001A and FortiGate-5005FA2 boards and the FortiSwitch-5003A over the fabric channel to support MSTP (configurable from the FortiGate-5001A and FortiGate-5005FA2 systems)

• Standard FortiOS command line interface (CLI) for configuring fabric switch settings (VLANs, MSTP, trunks, and so on)

Front panel LEDs and connectors

From the FortiSwitch-5003A font panel you can view the status of the board LEDs to verify that the board is functioning normally. The front panel includes a reset switch for restarting the FortiSwitch-5003A board.

The front panel also contains connectors to the fabric and base channels, an out of band management ethernet interface, and an RJ-45 RS-232 console port for connecting to the FortiSwitch-5003A CLI.

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide

10 01-30000-85717-20081205

FortiSwitch-5003A system Front panel LEDs and connectors

LEDs

Ta bl e 2 lists and describes the FortiSwitch-5003A front panel LEDs.

Table 2: FortiSwitch-5003A front panel LEDs and switches

LED State Description

OOS (Out of Service) Off Normal operation.

Red Out of service. The LED turns on if the

ACT (Active) Green The FortiSwitch-5003A board is powered on and

Yellow Caution status. Caution status is indicated by the

Off The board is not connected to power.

HTY (Healthy) Green The FortiSwitch-5003A board is powered on and

Off The board health system has detected a fault.

FLT (Fault) Off Normal operation.

Yellow Cannot establish a link to a configured interface or

RST (Reset switch) Press and hold Reset for three seconds to restart the

Base Network Activity LEDs

Fabric Network Activity LEDs

MGMT, B1, B2 (Management and base 1-gigabit LEDs)

Link/Act (Left LED)

Speed (Right LED)

FortiSwitch-5003A board.

Solid Green

Blinking Green

Off No link.

Solid Green

Blinking Green

Off No link.

Solid Green

Blinking Green

Off No Link

Green Connection at 1 Gbps.

Amber Connection at 100 Mbps.

Off Connection at 10 Mbps.

FortiSwitch-5003A board fails. The LED may also flash briefly when the board is powering on.

operating normally.

fault condition of the HTY and FLT LEDs.

operating normally.

another connection problem external to the FortiSwitch-5003A board. This LED may indicate issues that do not affect normal operation.

Indicates this interface is connected to the 1-gigabit base channel interface of a FortiGate-5000 board.

Table 3 on page 12 lists the base network activity

LEDs and the interface that each represents.

Indicates 1-gigabit network traffic on this interface.

Indicates this interface is connected to the 10/1-gigabit fabric channel interface of a FortiGate-5000 board. Table 5 on page 14 lists the fabric network activity LEDs and the interface that each represents.

Indicates 10/1-gigabit network traffic on this interface.

Table 5 on page 14 lists the fabric network activity

LEDs and the interface that each represents.

Indicates this interface is connected with the correct cable and the attached network device has power.

Indicates network traffic on this interface.

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 11

Front panel LEDs and connectors FortiSwitch-5003A system

Table 2: FortiSwitch-5003A front panel LEDs and switches (Continued)

LED State Description

Solid

BASE 10G, 14/F8, F7, F6, F5, F4, F3, F2, F1 (Base and Fabric 10 gigabit LEDs)

HS (Hot Swap) Blue The FortiSwitch-5003A is ready to be hot-swapped

Green

Blinking Green

Off No link.

Flashing Blue

Off Normal operation. The FortiSwitch-5003A board is in

Indicates this interface is connected to a 10-gigabit network device with the correct cable and the attached network device has power.

Indicates 10-gigabit network traffic on this interface.

(removed from the chassis). If the HS light is blue and no other LEDs are lit the FortiSwitch-5003A board has lost power

The FortiSwitch-5003A is changing from hot swap to running mode or from running mode to hot swap. This happens when the FortiSwitch-5003A board is starting up or shutting down.

contact with the chassis backplane.

Base channel interfaces

Tab le 3 lists and describes the FortiSwitch-5003A base backplane channel

interfaces. The base backplane interfaces are not configurable or visible from the FortiSwitch-5003A CLI.

Figure 2: FortiSwitch-5003A base network activity LEDs

Table 3: Base channel interfaces and network activity LEDs

Interface Name

SH1 If the FortiSwitch-5003A board is in the first hub/switch fabric slot, this

15 and SH2 Not used.

2/1 Base channel connection between base channels 1 and 2.

3 to 14 Base channel connection to FortiGate-5000 boards in chassis slots 3 to

Description

LED indicates a backplane connection to shelf manager 1. If the FortiSwitch-5003A board is in second hub/switch fabric slot this LED indicates a backplane connection to shelf manager 2.

This LED may not be lit even if a shelf manager is present if the shelf manager is configured to use its front panel interface.

The 2/1 LED is lit if there is any board capable of connecting to the base channel in the other slot. For example, if the FortiSwitch-5003A board is installed in the first hub/switch fabric slot, this LED will be lit if any board is installed in the second hub/switch fabric slot, including a FortiSwitch-5003A board or any FortiGate-5000 board.

14.

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide

12 01-30000-85717-20081205

FortiSwitch-5003A system Front panel LEDs and connectors

Table 3: Base channel interfaces and network activity LEDs

Interface Name

B1 and B2 Front panel gigabit base channel interfaces B1 and B2.

BASE 10G Front panel 10-gigabit base channel interface.

Fabric channel interfaces

Ta bl e 4 lists and describes the FortiSwitch-5003A fabric channel interfaces. You

can configure fabric interface settings, group fabric interfaces into trunks, and configure MSTP spanning tree settings for fabric interfaces from the FortiSwitch-5003A CLI.

Table 4: Fabric channel interfaces

Interface Name

Front Panel CLI*

2/1 slot-2/1 Interface between fabric channel 1 and fabric channel 2.

3 to 13 slot-3 to

14/F8 slot-14/f8 Front panel interface 14/F8.

F1 to F7 f1 to f7 Front panel 10-gigabit fabric interfaces F1 to F7.

* You can configure settings for FortiSwitch-5003A fabric interfaces from the FortiSwitch-5003A CLI. The CLI columns show the names of the interfaces as they appear on the FortiSwitch-5003A CLI.

Description

Use these interfaces to connect your network to the base channel, to connect base channel 1 to base channel 2, or to connect a base channel on one chassis to a base channel on another chassis.

Use this interface to connect a 10-gigabit network to the base channel. 10-gigabit communication is not supported across the base channels but this interface is still available if you need to connect the base channel to a 10-gigabit network.

Description

If there are two FortiSwitch-5003A boards installed in a chassis this interface can be used to communicate between them. In some configurations you may have to disable this communication.

Fabric backplane slots 3 to 13.

slot-13

The 3 to 13 fabric network activity LEDs are lit if there are FortiGate boards in chassis slots 3 to 13.

Fabric backplane slot 14 and front panel interface 14/F8 share the same FortiSwitch-5003A switch port. By default the the front panel interface 14/F8 is enabled and fabric backplane slot 14 is disabled. You can change this setting using a switch on the FortiSwitch-5003A board.

Use these interfaces to connect your network to the fabric channel, to connect fabric channel 1 to fabric channel 2, or to connect a fabric channel on one chassis to a fabric channel on another chassis.

The fabric network activity LEDs show links and network activity for the interfaces and connections listed in Tab le 5 .

Figure 3: FortiSwitch-5003A fabric network activity LEDs

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 13

FortiSwitch-5003A configurations FortiSwitch-5003A system

Table 5: Fabric network activity LEDs

Fabric network activity LED

2/1 Fabric channel connection between fabric channel 1 and fabric

3 to 13 Fabric backplane connection to FortiGate-5000 boards in chassis slots

Front panel connectors

Tab le 6 lists and describes the FortiSwitch-5003A front panel connectors.

Table 6: FortiSwitch-5003A connectors

Connector Type Speed Protocol Description

MGMT RJ-45 10/100/1000

COM RJ-45 9600 bps

B1, B2 RJ-45 10/100/1000

BASE 10G SFP+ 10 Gbps Ethernet SFP+ 10 gigabit connection to the base

FABRIC 10G, 14/F8, F7, F6, F5, F4, F3, F2, F1

Interface or connection

channel 2. This LED is lit if there are two FortiSwitch-5003A boards installed in the chassis to indicate fabric backplane communication between them.

3 to 13.

Base-T

8/N/1

Base-T

SFP+ 10 Gbps Ethernet SFP+ 10 gigabit connection to the fabric

Ethernet Copper gigabit connection to out of band

RS-232 serial

Ethernet Copper gigabit connection to the base

management interface. Serial connection to the command line

interface.

backplane channel.

FortiSwitch-5003A configurations

You can operate the FortiSwitch-5003A board as a fabric and base channel layer-2 switch for any FortiGate-5000 board. The FortiSwitch-5003A board is compatible with all FortiGate-5000 boards.

Base and fabric gigabit switching within a chassis

Figure 4 shows a FortiGate-5050 chassis with a FortiSwitch-5003A board in slot 1

and two FortiGate-5001A boards in slots 3 and 4. In this configuration the FortiGate-5001A boards are using base channel 1 for HA heartbeat communication. The FortiGate-5001A boards use base1 as the HA heartbeat interface.

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide

14 01-30000-85717-20081205

FortiSwitch-5003A system FortiSwitch-5003A configurations

1

2

3

4

5

SMC

1

SMC

POWER

Base channel 1 HA Heartbeat Communication

Figure 4: FortiSwitch-5003A base channel 1 HA heartbeat communication

5000SM

10/100

ETH0

Service

link/Act

ETH1

10/100

RESET

ETH0

link/Act

SERIAL

STATUS

Hot Swap

1

Fabric 10-gigabit switching within a chassis

One FortiGate-RTM-XB2 provides 10-gigabit connections to both FortiGate-5001A fabric channels. The FortiGate-RTM-XB2 also provides NP2 packet acceleration for each fabric channel. To effectively use NP2 acceleration, packets must be received by the FortiGate-5001A board on one fabric channel and exit from the FortiGate-5001A board on the same fabric channel or on the other fabric channel. See the FortiGate-RTM-XB2 System Guide for more information.

Figure 5 shows a FortiGate-5050 chassis containing two FortiSwitch-5003A

boards and one FortiGate-5001A board. Using these components this chassis supplies 10-gigabit connectivity between the external and internal network.

Figure 5: Example 10-gigabit connection between internal and external networks

Internal Network

Internal 10-gigabit

Network Connected

to Fabric Channel 2

5050SAP

ALARM

5000SM

10/100

ETH0

Service

link/Act

ETH1

SERIAL

2

FortiGate-RTM-XB2 module installed in RTM slot 3 provides two 10-gigabit fabric channels and NP2 acceleration for the FortiGate-5001A board

STATUS

10/100

RESET

ETH0

link/Act

FortiGate-5001A Board Installed in FortiGate-5050 front panel slot 3

Hot Swap

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 15

Fabric Channel 1 10 Gigabit Data Communication

5

4

3

2

POWER

Fabric Channel 2 10-gigabit Data Communication

1

5000SM

10/100

SMC

ETH0

Service

link/Act

ETH1

10/100

RESET

ETH0

link/Act

2

5050SAP

SERIAL

STATUS

Hot Swap

1

ALARM

External 10-gigabit

Network Connected

to Fabric Channel 1

5000SM

10/100 link/Act

ETH1

SERIAL

10/100

2

ETH0

link/Act

External Network

SMC

ETH0

Service

STATUS

Hot Swap

RESET

1

FortiSwitch-5003A configurations FortiSwitch-5003A system

Layer-2 link aggregation and redundancy configurations

The FortiSwitch-5003A board supports 802.3ad static mode layer-2 link aggregation, 802.1q VLANs, and 802.1s Multi-Spanning Tree Protocol (MSTP) for the fabric channels. You can use these features to configure link aggregation and support redundant FortiSwitch-5003A configurations to distribute traffic to multiple FortiGate-5001A or 5005FA2 boards.

Figure 6 shows a basic link aggregation configuration using a single

FortiSwitch-5003A board. In this configuration the external switch is connected to FortiSwitch-5003A front panel f5 interface. The switch adds VLAN tags to traffic from the internal and external networks.

Figure 6: Basic link aggregation configuration

External Network

Internal and external

10-gigabit networks

connected to

FortiSwitch-5003A

front panel interface F7

and to fabric channel 1

1311975312468101214

External switch

VLAN tagged traffic

FILTER

Internal Network

5140SAP

5140

CAL

ITI

USER1

MINOR

MAJOR

CR

RESET

SERIAL 1 SERIAL 2 ALARM

USER2

USER3

Six FortiGate-RTM-XB2 modules installed in RTM slots 6, 8, 9, 10, 11, and

5000SM

ETH1

ETH0

10/100

link/Act

13 to provide 10-gigabit fabric interfaces and

ETH0 Service

RESET

NP2 acceleration for each

STATUS

Hot Swap

FortiGate-5001A board

12

5000SM

ETH1

ETH0

10/100

link/Act

ETH0 Service

RESET

STATUS

Hot Swap

0

Distributed 10-gigabit data communication on fabric channel 1

FAN TRAY FAN TRAYFAN TRAY

12

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide

16 01-30000-85717-20081205

FortiSwitch-5003 system Front panel LEDs and connectors

FortiSwitch-5003 system

The FortiSwitch-5003 board provides base backplane interface switching for the FortiGate-5140 chassis and the FortiGate-5050 chassis. You can use this switching for data communication or HA heartbeat communication between the base backplane interfaces of FortiGate-5000 series boards installed in slots 3 and up in these chassis. FortiSwitch-5003 boards can be used for base backplane communication in a single chassis or between multiple chassis.

Install FortiSwitch-5003 boards in chassis slots 1 and 2. A FortiSwitch-5003 board in slot 1 provides communications on base backplane interface 1. A FortiSwitch-5003 board in slot 2 provides communications on base backplane interface 2.

If your configuration includes only one FortiSwitch-5003 board you can install it in slot 1 or slot 2 and configure the FortiGate-5000 boards installed in the chassis to use the correct base backplane interface.

The FortiSwitch-5003 board includes the following features:

• A total of 16 10/100/1000Base-T gigabit ethernet interfaces:

• 13 backplane 10/100/1000Base-T gigabit interfaces for base backplane switching between FortiGate-5000 series boards installed in the same chassis as the FortiSwitch-5003

• Three front panel 10/100/1000Base-T gigabit interfaces (ZRE0, ZRE1, ZRE2) for base backplane switching between two or more FortiGate-5000 series chassis

• One 100Base-TX out of band management ethernet interface (ETH0)

• RJ-45 RS-232 serial console connection (CONSOLE)

• Mounting hardware

• LED status indicators

Front panel LEDs and connectors

From the FortiSwitch-5003 font panel you can view the status of the board LEDs to verify that the board is functioning normally. You can also connect the FortiSwitch-5003 board in one chassis to a FortiSwitch-5003 board in another chassis through the front panel ethernet connections. The front panel also includes and out of band management ethernet interface and the RJ-45 console port for connecting to the FortiSwitch-5003 CLI.

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 17

Front panel LEDs and connectors FortiSwitch-5003 system

Figure 7: FortiSwitch-5003 front panel

Power LED

Management

100Base-TX

Ethernet

ETH

O

MANAGEMENT

CONSOLE

RJ-45

Serial

RS232ZRE0ZRE1ZRE2

SYSTEM

CONSOLE

ZRE Network Activity LEDs (ZRE 0 to 15)

E1

9876543210

1514

1312

1110

E0

LED Mode Switch

Reset

Switch

OKCLK

INTEXT

FLT

HOT SWAP

ZRE

RESET

LED MODE

FLT

LEDs

Mounting

Knot

Extraction

Lever

Out of

Service LED

ZRE0 ZRE1 ZRE2

base backplane interfaces

10/100/1000Base-T

Ethernet

Hot

Swap

LED

Extraction

Lever

Tab le 7 lists and describes the FortiSwitch-5003 board front panel LEDs.

Table 7: FortiSwitch-5003 board front panel LEDs and switches

LED State Description

Off Normal operation.

Red Out of service. The LED turns on if the FortiSwitch-5003 board

Green The FortiSwitch-5003 board is powered on and operating

Yellow Caution status. Caution status is indicated by the fault condition

Off The board is not connected to power.

System Off Normal operation.

E0, E1

ZRE 0-15

Yellow or Green

Green Link/Activity mode: Blinking to indicate network traffic on this

(ZRE network activity LEDs, LED

Yellow Link/Activity mode: The interface is disabled and cannot

Mode switch changes

Off Link/Activity mode: No link.

mode)

LED Mode switch

Change the ZRE network activity LED display mode. Normally the ZRE network activity LEDs operate in Link/Activity mode. In this mode the LEDs flash green to indicate a link and to indicate network traffic.

Press this button to switch the ZRE LEDs to Link/Speed mode. In Link/Speed mode the ZRE LEDs use a solid color to indicate a link. The color of the LED indicates the speed of the link.

CLK Flashing

Green

OK Green Initialization completed successfully.

fails. The LED may also flash briefly when the board is powering on.

normally.

of the CLOCK, OK or INT FLT LEDs.

Link status of out of band management interfaces (not used).

interface. Table 8 on page 19 lists the ZRE LEDs and the interface that each represents.

Link/Speed mode: 100 Mbps connection.

forward packets. (not used) Link/Speed mode: 1000 Mbps connection.

Link/Speed mode: 10 Mbps connection.

Initialization completed successfully.

Mounting

Knot

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide

18 01-30000-85717-20081205

FortiSwitch-5003 system Front panel LEDs and connectors

ZRE

1514

1312

1110

98

76

54

32

10

Table 7: FortiSwitch-5003 board front panel LEDs and switches (Continued)

LED State Description

EXT FLT Off Normal operation.

Yellow Cannot establish a link to a configured interface or another

INT FLT Off Normal operation.

Yellow Failure of internal tests. Indicates a hardware or software

Hot Swap Blue Indicates the FortiSwitch-5003 board is ready to be hot

Reset switch

Press and hold Reset for three seconds to restart the FortiSwitch-5003 board.

connection problem external to the FortiSwitch-5003 board. This LED may indicate issues that do not affect normal operation.

problem with the FortiSwitch-5003 board.

swapped. During a hot swap, the LED is on. The LED turns off when the FortiSwitch-5003 board is correctly installed.

About the ZRE network activity LEDs

The ZRE network activity LEDs show links and network activity for the interfaces and connections listed in Tab le 8 .

Figure 8: FortiSwitch-5003 ZRE network activity LEDs

Table 8: ZRE network activity LEDs FortiSwitch-5003 interfaces and connections

ZRE network activity LED

0 ZRE0 front panel interface.

1 ZRE1 front panel interface.

2 ZRE2 front panel interface.

3 to 14 Base backplane connection to FortiGate-5000 series boards in chassis

15 Base backplane link. Indicates that the FortiSwitch-5003 board can

Interface or connection

slots 3 to 14.

connect to the base backplane interface.

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 19

Base backplane communications FortiSwitch-5003 system

Connectors

Tab le 9 lists and describes the FortiSwitch-5003 front panel connectors.

Table 9: FortiSwitch-5003 connectors

Connector Type Speed Protocol Description

ETH0 RJ-45 100Base-T Ethernet Front panel out of band management

CONSOLE RJ-45 9600 bps RS-232

ZRE0, ZRE1, ZRE2

RJ-45 10/100/1000

Base-T

serial Ethernet Redundant connections to another

interface. A second out of band management interface, ETH1, connects to the shelf managers. Neither of the out of band management interfaces are used.

Serial connection to the command line interface.

FortiSwitch-5003 board in an different FortiGate-5140 or FortiGate-5050 chassis. Use these interfaces for base backplane interface connections between FortiGate-5000 series chassis.

Base backplane communications

This section provides a brief introduction to using FortiSwitch-5003 boards for base backplane communication.

FortiSwitch-5003 boards installed in a FortiGate-5140 or FortiGate-5050 chassis in slot 1 or slot 2 provide base backplane switching for all of the FortiGate-5000 series boards installed in chassis slots 3 and above. Base backplane switching can be used for HA heartbeat communication and for data communication between FortiGate-5000 series boards.

The FortiGate-5000 series boards can all be installed in the same chassis, or you can use the FortiSwitch-5003 front panel ZRE interfaces for base backplane communication among multiple FortiGate-5140 and FortiGate-5050 chassis. The communication can be among a collection of the same chassis (for example, multiple FortiGate-5050 chassis) or among a mixture of FortiGate-5140 and FortiGate-5050 chassis. In most cases you would connect the same base backplane interfaces together, but you can also use the FortiSwitch-5003 front panel ZRE interfaces for connections between base backplane interface 1 and base backplane interface 2. Again these connections can be within the same chassis or among multiple chassis.

A FortiSwitch-5003 board in slot 1 provides communications on base backplane interface 1. The FortiGate-5001SX and the FortiGate-5001FA2 boards communicate with base backplane interface 1 using the interface named port9. The FortiGate-5005FA2 board communicates with base backplane interface 1 using the interface named base1.

A FortiSwitch-5003 board in slot 2 provides communications on base backplane interface 2. The FortiGate-5001SX and the FortiGate-5001FA2 boards communicate with base backplane interface 2 using the interface named port10. The FortiGate-5005FA2 board communicates with base backplane interface 2 using the interface named base2.

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide

20 01-30000-85717-20081205

FortiSwitch-5003 system Base backplane communications

In a single chassis, more than one cluster can use the same base backplane interface for HA heartbeat communication. To separate heartbeat communication for multiple clusters on the same base backplane interface, configure a different HA group name and password for each cluster.

In a single chassis, you can also use the same base backplane interface for data and HA heartbeat communication. If you are operating multiple clusters and multiple data paths on the same base backplane interface you may experience some bandwidth limitations. To increase the amount of bandwidth available you can add a second FortiSwitch-5003 board and use both backplane interfaces for HA heartbeat and data communication.

If you have two FortiSwitch-5003 boards and two backplane interfaces available you can balance the traffic between the base backplane interfaces by how you configure your FortiGate-5000 board data interfaces and HA heartbeat interfaces. For example, if you have two busy FortiGate-5001SX clusters you might configure one cluster to use port9 for HA heartbeat traffic and the other to use port10. If you have a number of data paths that use the same base backplane interfaces you can change the configuration to distribute traffic between both base backplane interfaces.

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 21

Base backplane communications FortiSwitch-5003 system

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide

22 01-30000-85717-20081205

FortiGate-5140 fabric backplane communication

The FortiGate-5140 chassis has two fabric backplane Ethernet channels that can operate at 1 Gbps or 10 Gbps. Available connections to these channels vary by chassis hub/switch slot number.

• Hub/switch slot 1 can connect to the first fabric backplane channel (channel 1), and thereby all other chassis slots, except hub/switch slot 2.

• Hub/switch Slot 2 can connect the to the second fabric backplane channel (channel 2), and thereby all other chassis slots, except hub/switch slot 1.

• Other slots can connect to either or both channels, but only directly reach hub/switch slot 1 or hub/switch slot 2. Connections to other slots through the fabric backplane channels must pass through hub/switch slot 1 or hub/switch slot 2.

Note: For more information on chassis architecture, see ATCA (Advanced Telecom Computing Architecture) specifications.

Because of the fabric backplane dual star topology, connecting to or through the fabric backplane requires FortiSwitch-5003A boards installed in hub/switch slot 1, hub/switch slot 2, or both. FortiSwitch-5003A front panel fabric interfaces can also connect the chassis fabric backplane channels to external devices, such as a management computer, the network, or the fabric backplane of another chassis.

Note: FortiSwitch-5003 boards do not support fabric backplane switching.

FortiGate-5001A boards and FortiGate-5005FA2 boards can connect to the fabric backplane at 1 Gbps. With the addition of a FortiGate-RTM-XB2 modules, FortiSwitch-5001A boards can also connect to the fabric backplane at 10 Gbps. The FortiGate-5001SX board and FortiGate-5001FA2 board do not include fabric backplane interfaces.

Table 10: Names of fabric backplane interfaces by FortiGate model

Model Name of fabric backplane

interface 1 (to slot 1)

FortiGate-5001A fabric1 fabric2

FortiGate-5005FA2 fabric1 fabric2

FortiGate-5001FA2 N/A N/A

FortiGate-5001SX N/A N/A

Name of fabric backplane interface 2 (to slot 2)

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 23

Fabric gigabit switching within a chassis FortiGate-5140 fabric backplane communication

1311975312468101214

5140

FILTER

12

0

12

Fabric channel 1 data communication

This section describes:

• Fabric gigabit switching within a chassis

• Fabric channel connections between FortiSwitch-5003A boards

• Fabric gigabit switching between chassis

• Fabric gigabit switching to the network

• Fabric 10-gigabit switching within a chassis

• Fabric channel layer-2 link aggregation

• Fabric channel layer-2 link aggregation and redundancy

• Example active-passive redundant link configuration

• Example active-active redundant link configuration

Fabric gigabit switching within a chassis

You can use FortiSwitch-5003A fabric channel switching for communication between the fabric backplane interfaces of FortiGate-5001A or 5005FA2 boards installed in a FortiGate-5140 chassis.

Figure 9 shows a FortiGate-5140 chassis with a FortiSwitch-5003A board in

hub/switch slot 1, and FortiGate-5001A boards in 6 other slots. In this configuration the FortiSwitch-5003A board provides 1-gigabit fabric backplane switching for the FortiGate-5001A fabric1 interfaces. The FortiSwitch-5003A boards operate as layer-2 switches and the FortiGate-5001A boards operate as typical standalone FortiGate units.

Figure 9: FortiGate-5140 fabric channel 1 data communication

5140SAP

SERIAL 1 SERIAL 2 ALARM

USER2

USER3

USER1

MINOR

MAJOR

CRITICAL

RESET

5000SM

ETH1

ETH0

10/100

link/Act

ETH0 Service

RESET

STATUS

Hot Swap

5000SM

ETH1

ETH0

10/100

link/Act

ETH0 Service

RESET

STATUS

Hot Swap

FAN TRAY FAN TRAYFAN TRAY

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide

24 01-30000-85717-20081205

FortiGate-5140 fabric backplane communication Fabric gigabit switching within a chassis

The chassis can be connected to the network using any of the FortiGate-5001A front panel interfaces. You can also connect FortiSwitch-5003A front panel fabric interfaces to the network. You can also install FortiGate AMC modules in the FortiGate-5001A boards and connect the network to the AMC front panel interfaces. The AMC modules and the network connections are not shown in

Figure 9.

For the FortiGate-5001A boards to use the fabric channel 1 for data communication you must show backplane interfaces on the FortiGate-5001A web-based manager and then configure firewall polices and routing for the fabric1 interfaces.

If the data traffic contains VLAN-tagged packets, you must add the VLAN tags to the FortiSwitch-5003A interfaces that will handle the VLAN-tagged traffic. For example, to allow VLAN tags 201 to 210 on slots 9, 11, and 13 from the FortiSwitch-5003A CLI enter:

config switch fabric-channel interface

edit "slot-9"

set allowed-vlans 1,201-210 next edit "slot-11"

set allowed-vlans 1,201-210 next edit "slot-13"

set allowed-vlans 1,201-210 end

For more information about the FortiSwitch-5003A CLI, see “FortiSwitch-5003A

CLI reference” on page 89.

Figure 10 shows a FortiGate-5140 chassis with FortiSwitch-5003A boards in

hub/switch slots 1 and 2 and FortiGate-5001A and 5005FA2 boards in all of the other slots. The FortiGate boards can use fabric channels 1 and 2 for data communication among the FortiGate boards. In this configuration the FortiSwitch-5003A boards are operating as layer-2 switches for fabric channels 1 and 2 and the FortiGate boards are operating as typical standalone FortiGate units.

The chassis can be connected to the network using any of the FortiGate front panel interfaces. You can also connect FortiSwitch-5003A front panel fabric interfaces to the network. You can also install FortiGate AMC modules in the FortiGate-5001A boards and connect the network to the AMC front panel interfaces. The AMC modules and the network connections are not shown in

Figure 10.

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 25

Fabric gigabit switching within a chassis FortiGate-5140 fabric backplane communication

Figure 10: FortiGate-5140 fabric channel 1 and 2 data communication

Fabric channel 2 data communication

5140SAP

5140

E S

E

R

1311975312468101214

LINK

CONSOLE

OOS ACC STATUS

IPM

L

R A C

T

I

JO

IN

IT

A

R

M

C

LINK

ACT

FABRIC

BASE

OOS ACC STATUS

USB USB

3 412 56

IPM

78

2

1

R

O

E

S

U

LINK

ACT

FABRIC

BASE

CONSOLE

3 412 56

SERIAL 1 SERIAL 2 ALARM

3 R E

S U

LINK

ACT

FABRIC

BASE

CONSOLE

OOS ACC STATUS

USB USB

3 412 56

IPM

78

LINK

ACT

FABRIC

BASE

CONSOLE

OOS ACC STATUS

IPM

LINK

ACT

FABRIC

BASE

CONSOLE

OOS ACC STATUS

USB USB

3 412 56

IPM

78

LINK

ACT

FABRIC

BASE

CONSOLE

OOS ACC STATUS

USB USB

3 412 56

IPM

78

5000SM

ETH1

ETH0

10/100

link/Act

ETH0

Service

RESET

STATUS

Hot Swap

12

5000SM

ETH1

ETH0

10/100

link/Act

ETH0

Service

RESET

STATUS

Hot Swap

FILTER

0

FAN TRAY FAN TRAYFAN TRAY

12

Fabric channel 1 data communication

For the FortiGate boards to use the fabric channels 1 and 2 for data communication you must show backplane interfaces on the FortiGate web-based manager and then configure firewall polices and routing for the fabric1 and fabric2 interfaces.

If the data traffic contains VLAN-tagged packets, you must add the VLAN tags to the FortiSwitch-5003A interfaces that will handle the VLAN-tagged traffic. For example, to allow VLAN tag 400 on slots 4 and 12 from the FortiSwitch-5003A CLI enter:

config switch fabric-channel interface

edit "slot-4"

set allowed-vlans 1,400 next edit "slot-12"

set allowed-vlans 1,400 end

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide

26 01-30000-85717-20081205

FortiGate-5140 fabric backplane communication Fabric channel connections between FortiSwitch-5003A boards

Fabric channel connections between FortiSwitch-5003A boards

When two FortiSwitch-5003A boards are installed in a single chassis their fabric channels are connected together. This means there is a data connection between fabric channel 1 and fabric channel 2. Unless you are going to use this connection you should disable it.

If one or more of the FortiGate-5001A or 5005FA2 boards are operating in transparent mode, the connection between the fabric channels can cause looping. If you have one or more FortiGate-5001A or 5005FA2 boards operating in transparent mode with two FortiSwitch-5003A boards in the same chassis you must disable communication between the FortiSwitch-5003A boards.

The fabric channel connection between the FortiSwitch-5003A boards uses an internal FortiSwitch-5003A interface called slot-2/1. To disable the fabric channel connection between two FortiSwitch-5003A boards you should set the status of slot-2/1 to down for one of the boards. Connect to the CLI of one of the FortiSwitch-5003A boards and enter the following command:

config switch fabric-channel physical-port

edit slot-2/1

set status down

end

Fabric gigabit switching between chassis

You can use the FortiSwitch-5003A front panel fabric interfaces to provide 10-gigabit data communications between the fabric channels of any combination of FortiGate-5050 and FortiGate-5140 chassis.

Note: Its not required, but in most cases you would connect the same fabric channels together. That is you would connect fabric channel 1 on one chassis to fabric channel 1 on another. Usually you would not connect fabric channel 1 on one chassis to fabric channel 2 on another chassis. Also, you would usually not connect a base channel from one chassis to a fabric channel on another chassis. You should be careful of looping when connecting chassis together if some of the FortiGate boards in the chassis are operating in transparent mode.

Figure 11 shows data communication between two FortiGate-5140 chassis using

fabric channel 1. The top chassis in the figure contains a FortiSwitch-5003A board in hub/switch slot 1 and six FortiGate-5001A boards. The bottom chassis contains a FortiSwitch-5003A board also in hub/switch slot 1 and four FortiGate-5005FA2 boards.

The chassis are connected together using the FortiSwitch-5003A F1 front panel interface in the top chassis and the FortiSwitch-5003A F7 front panel interface in the bottom chassis.

In this configuration the FortiSwitch-5003A boards are operating as layer-2 switches for fabric channel 1 and the FortiGate-5001A and 5005FA2 boards are operating as typical standalone FortiGate units.

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 27

Fabric gigabit switching between chassis FortiGate-5140 fabric backplane communication

The chassis can be connected to the network using any of the FortiGate front panel interfaces. You can also connect FortiSwitch-5003A front panel fabric interfaces to the network. You can also install FortiGate AMC modules in the FortiGate-5001A boards and connect networks to the AMC front panel interfaces. The AMC modules and the network connections are not shown in Figure 11.

Figure 11: Fabric channel 1 data communication between two FortiGate-5140

chassis

5140SAP

5140

1311975312468101214

FILTER

SERIAL 1 SERIAL 2 ALARM

USER2

USER1

USER3

MINOR

MAJOR

CRITICAL

RESET

5000SM

ETH1

ETH0

10/100

link/Act

ETH0

Service

RESET

STATUS

Hot Swap

12

5000SM

ETH1

ETH0

10/100

link/Act

ETH0

Service

RESET

STATUS

Hot Swap

0

Fabric channel 1 data communication

FAN TRAY FAN TRAYFAN TRAY

12

Fabric channel 1 10-gigabit data communication between 2 chassis

5140SAP

5140

1311975312468101214

LINK

ACT

FABRIC

BASE

CONSOLE

OOS ACC STATUS

USB USB

3 412 56

IPM

78

SERIAL 1 SERIAL 2 ALARM

USER2

USER1

USER3

MINOR

MAJOR

CRITICAL

RESET

LINK

ACT

FABRIC

BASE

CONSOLE

OOS ACC STATUS

USB USB

3 412 56

IPM

78

5000SM

ETH1

ETH0

10/100

link/Act

ETH0 Service

RESET

STATUS

Hot Swap

12

5000SM

ETH1

ETH0

10/100

link/Act

ETH0 Service

RESET

STATUS

Hot Swap

FILTER

0

Fabric channel 1 data communication

FAN TRAY FAN TRAYFAN TRAY

12

For the FortiGate-5001A and 50005FA2 boards to use fabric channel 1 for data communication you must show backplane interfaces on the FortiGate web-based manager and then configure firewall polices and routing for the fabric1 interfaces.

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide

28 01-30000-85717-20081205

FortiGate-5140 fabric backplane communication Fabric gigabit switching to the network

If the data traffic contains VLAN-tagged packets, you must add the VLAN tags to the FortiSwitch-5003A interfaces that will handle the VLAN-tagged traffic. For example, to allow VLAN tags 201 to 210 on slots 8 and 10 and the F7 front panel interface, from the FortiSwitch-5003A CLI enter:

config switch fabric-channel interface

edit "slot-8"

set allowed-vlans 1,201-210 next edit "slot-10"

set allowed-vlans 1,201-210 next edit "f7"

set allowed-vlans 1,201-210 end

Fabric gigabit switching to the network

You can use the FortiSwitch-5003A fabric front panel interfaces to connect the fabric channel of a chassis to your network. Most often you would do this for data communication between the network and a fabric channel. For a simple 10-gigabit connection from your network to a fabric channel you can connect your network directly to a FortiSwitch-5003A fabric channel front panel interface. This connection provides data communication to the fabric1 or fabric2 interfaces of the FortiGate-5000 boards installed in the chassis.

Figure 12 shows a FortiGate-5140 chassis containing two FortiSwitch-5003A

boards and 6 FortiGate-5001A boards. The chassis is connected to internal and an external networks using FortiSwitch-5003A front panel fabric interfaces:

• The internal network is connected to fabric channel 2 using the F7 front panel interface of the FortiSwitch-5003A board in hub/switch slot 2

• The external network is connected to fabric channel 1 using the F1 front panel interface of the FortiSwitch-5003A board in hub/switch slot 1

In this configuration the FortiSwitch-5003A boards are operating as layer-2 switches and the FortiGate-5001A boards are operating as standalone FortiGate units.

The chassis can also be connected to the network using any of the FortiGate front panel interfaces. You can also install FortiGate AMC modules in the FortiGate-5001A boards and connect networks to the AMC front panel interfaces. The AMC modules and network connections to the AMC modules and FortiGate boards are not shown in Figure 12.

If you have two FortiSwitch-5003A boards installed in a chassis you may need to block communication between fabric channel 1 and fabric channel 2. See “Fabric

channel connections between FortiSwitch-5003A boards” on page 27 for more

information.

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 29

Fabric gigabit switching to the network FortiGate-5140 fabric backplane communication

Figure 12: Fabric channel 2 connected to an internal network and fabric channel 1

connected to an external network

Internal Network

Fabric channel 2

Internal network connected to the F7 front panel fabric interface to connect to fabric channel 2

1311975312468101214

data communication

5140

FILTER

5140SAP

SERIAL 1 SERIAL 2 ALARM

R3

R1

ET

USER2

USE

MINOR

MAJOR

CRITICAL

RES

5000SM

ETH1

ETH0

10/100

10/100 link/Act

link/Act

ETH0

Service

RESET

STATUS

Hot Swap

12

5000SM

ETH1

ETH0

10/100

10/100 link/Act

link/Act

ETH0

Service

RESET

STATUS

Hot Swap

External network connected to the F1 front panel fabric interface to connect to fabric channel 1

External Network

0

Fabric channel 1 data communication

FAN TRAY FAN TRAYFAN TRAY

12

For the FortiGate-5001A boards to use the fabric channels for data communication you must show backplane interfaces on the FortiGate web-based manager and then configure firewall polices and routing for the fabric1 and fabric2 interfaces.

If the data traffic contains VLAN-tagged packets, you must add the VLAN tags to the FortiSwitch-5003A interfaces that will handle the VLAN-tagged traffic. For example, to allow VLAN tags 201 to 210 on slots 6, 8, and 10 and the F1 front panel interface, from the FortiSwitch-5003A CLI enter:

config switch fabric-channel interface

edit "slot-6"

set allowed-vlans 1,201-210 next edit "slot-8"

set allowed-vlans 1,201-210 next edit "slot-10"

set allowed-vlans 1,201-210 next edit "f1"

set allowed-vlans 1,201-210 end

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide

30 01-30000-85717-20081205

FortiGate-5140 fabric backplane communication Fabric 10-gigabit switching within a chassis

Fabric 10-gigabit switching within a chassis

All of the FortiSwitch-5003A fabric front panel interfaces are 10-gigabit interfaces and the FortiSwitch-5003A board supports 10-gigabit communication across the fabric backplane channels. The FortiGate-5001A board also supports 10-gigabit communication on the fabric backplane with the addition of a FortiGate-RTM-XB2 module. You require one FortiGate-RTM-XB2 module for each FortiGate-5001A board. The FortiGate-RTM-XB2 module must be installed in the chassis rear transition module (RTM) slot that corresponds to the front panel slot containing the FortiGate-5001A board. For example, if you install a FortiGate-5001A board in slot 3 you must also install a FortiGateRTM-XB2 module in RTM slot 3. The RTM slots are at the back of the FortiGate-5140 chassis.

One FortiGate-RTM-XB2 module provides 10-gigabit connections to both fabric channels. The FortiGate-RTM-XB2 also provides NP2 packet acceleration for both fabric channels. To effectively use NP2 acceleration, packets must be received by the FortiGate-5001A board on one fabric channel and must exit from the FortiGate-5001A board on the same fabric channel or on the other fabric channel. See the FortiGate-RTM-XB2 System Guide for more information about the FortiGate-RTM-XB2.

Note: A single FortiSwitch-5003A can provide simultaneous 10 Gbps connections to FortiGate-5001A boards with FortiGate-RTM-XB2 modules, 1 Gbps connections to FortiGate-5001A boards, and 1 Gbps connections to FortiGate-5005FA2 boards.

Figure 13 shows a FortiGate-5140 chassis containing two FortiSwitch-5003A

boards and six FortiGate-5001A boards. Using these components this chassis supplies 10-gigabit connectivity between the external and internal networks. The external network is connected to the F1 10-gigabit front panel interface of the FortiSwitch-5003A board in slot 1, which connects the external network to fabric channel 1. The internal network is connected to the F7 10-gigabit front panel interface of the FortiSwitch-5003A board in slot 2, which connects the internal network to fabric channel 2.

10-gigabit traffic from the external network enters the F1 10-gigabit FortiSwitch-5003A front panel interface, passes through the FortiSwitch-5003A board and through the FortiGate-RTM-XB2 modules to the fabric1 interfaces of the FortiGate-5001A boards. Traffic accepted at the fabric1 interfaces is processed by each FortiGate-5001A board. Traffic destined for the internal network exits the fabric2 interfaces of the FortiGate-5001A boards, passes through the FortiGate-RTM-XB2 modules and through the FortiSwitch-5003A board and exits the F7 10-gigabit FortiSwitch-5003A front panel interface and is received by the internal network.

The configuration shown in Figure 13 requires no configuration changes to the FortiSwitch-5003A boards except to disable communication between the FortiSwitch-5003A boards (if required, see “Fabric channel connections between

FortiSwitch-5003A boards” on page 27).

On the FortiGate-5001A boards, to allow traffic to pass between the internal and external networks, the FortiGate-5001A boards would operate in NAT/Route mode and you must configure firewall policies and routing for the fabric1 and fabric2 interfaces. No configuration changes are required to use the FortiGate-RTM-XB2 module. NP2 acceleration is automatically applied to traffic passing between the internal and external networks by the FortiGate-RTM-XB2 module.

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 31

Fabric 10-gigabit switching within a chassis FortiGate-5140 fabric backplane communication

Figure 13: Example 10-gigabit connection between internal and external networks

Internal Network

FortiGate-RTM-XB2 modules installed in RTM slots 6, 8, and 10 provide two 10-gigabit fabric channels and NP2 acceleration for each FortiGate-5001A board

5000SM

ETH1

ETH0

10/100

link/Act

ETH0 Service

RESET

STATUS

Hot Swap

12

5000SM

ETH1

ETH0

10/100

link/Act

ETH0 Service

RESET

STATUS

Hot Swap

Internal 10-gigabit network connected to fabric channel 2

FortiGate-RTM-XB2

modules installed

in RTM slots 9, 11,

and 13 provide two

10-gigabit fabric

channels and NP2

acceleration

for each

FortiGate-5001A

board

Fabric channel 2 10-gigabit data communication

5140SAP

5140

1311975312468101214

FILTER

SERIAL 1 SERIAL 2 ALARM

R

T

ER2

INO

AJOR

SE

US

USER3

USER1

M

CRITICAL

RE

External 10-gigabit network connected to fabric channel 1

External Network

0

Fabric channel 1 10-gigabit data communication

FAN TRAY FAN TRAYFAN TRAY

12

Note: On some versions of the FortiGate-5001A firmware, when a FortiGate-5001A board starts up with a FortiGate-RTM-XB2 module installed, the fabric1 and fabric2 interfaces are replaced with interfaces that are named RTM/1 and RTM/2 to indicate the presence of the FortiGate-RTM-XB2 module. Configuration settings that include the fabric1 and fabric2 interface names will have to be changed to use the RTM/1 and RTM/2 interface names.

If the data traffic contains VLAN-tagged packets, you must add the VLAN tags to the FortiSwitch-5003A interfaces that will handle the VLAN-tagged traffic. For example, to allow VLAN tags 300 to 305 on slots 9, 11, and 13 and the F7 front panel interface, from the FortiSwitch-5003A CLI enter:

config switch fabric-channel interface

edit "slot-9"

set allowed-vlans 1,300-305 next edit "slot-11"

set allowed-vlans 1,300-305 next edit "slot-13"

set allowed-vlans 1,300-305 next edit "f7"

set allowed-vlans 1,300-305 end

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide

32 01-30000-85717-20081205

FortiGate-5140 fabric backplane communication Fabric channel layer-2 link aggregation

Fabric channel layer-2 link aggregation

FortiSwitch-5003A boards support 802.3ad static mode layer-2 link aggregation and 802.1q VLANs for the fabric channels. You can use these features to configure link aggregation to distribute traffic to multiple FortiGate-5001A or 5005FA2 boards. Link aggregation configurations also support IPv6 traffic and traffic with jumbo frames up to 16 kbytes.

You can use link aggregation to increase the bandwidth capacity of a FortiGate-5000 configuration by distributing network traffic among multiple FortiGate-5001A or 5005FA2 boards. Adding a new FortiGate-5000 board to a trunk results in an almost linear increase in performance. Link aggregation is configured and functions the same way for 1-gigabit and 10-gigabit fabric backplane networks. You can configure 1-gigabit configurations with FortiGate5001A or 5005FA2 boards. You can configure 10-gigabit configurations with FortiGate-5001A boards combined with FortiGate-RTM-XB2 modules. FortiGateRTM-XB2 modules also increase performance by added NP2 acceleration to the configuration.

You configure link aggregation by adding FortiSwitch-5003A interfaces to a link aggregation trunk. The FortiSwitch-5003A board uses a hash algorithm based on source and destination IP addresses to distribute sessions to the interfaces added to the trunk. Each interface in the trunk usually corresponds to a slot in the chassis in which a FortiGate-5001A or 5005FA2 board is installed. You can also include FortiSwitch-5003A front panel interfaces in a trunk and distribute sessions to FortiGate-5000 boards installed in multiple chassis.

Note: The FortiSwitch-5003A board does not support Link Aggregation Control Protocol (LACP). LACP is also called 802.3ad dynamic mode layer-2 link aggregation.

You can add up to 8 interfaces to a trunk to distribute sessions among up to 8 FortiGate-5000 boards. You can also add multiple trunks to a single FortiSwitch-5003A board. The total number of FortiGate-5000 boards in a trunk is limited by the amount of bandwidth you are processing and the capacity of the FortiSwitch-5003A board. Fortinet does not support mixing FortiGate-5001A and 5005FA2 boards in the same trunk.

If you add a FortiGate-5000 board to a trunk, or if you remove a FortiGate-5000 board from a trunk the link aggregation hash algorithm recalculates the session distribution. If the FortiSwitch-5003A system is processing traffic when you add or remove a FortiGate-5000 board, after sessions are redistributed the FortiGate-5000 boards in the trunk will not necessarily continue to process the same sessions. The same happens if a FortiGate-5000 board in a trunk fails. The FortiSwitch-5003A system does not maintain a session table, so changes to a trunk can result in communication being temporarily interrupted. As a result you should only add or remove FortiGate-5000 boards from a trunk during off-peak hours.

The FortiGate-5000 boards in a trunk must operate in transparent mode. All the FortiGate-5000 boards in a trunk are managed separately and all must have the same configuration. You can use the FortiManager system to maintain the same configuration on the FortiGate-5000 boards.

Note: Due to the way the hash algorithm works, FortiGate-5000 boards in the lower numbered chassis slots in a trunk may receive more traffic. The order of the interfaces in the trunk does not matter, the numerically lowest slots will always be the ones to receive more traffic if the number of interfaces in the trunk is not a power of 2.

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 33

Fabric channel layer-2 link aggregation FortiGate-5140 fabric backplane communication

Distributed 10-gigabit data communication on fabric channel 1

Six FortiGate-RTM-XB2 modules installed in RTM slots 6, 8, 9, 10, 11, and 13 to provide 10-gigabit fabric interfaces and NP2 acceleration for each FortiGate-5001A board

Internal and external

10-gigabit networks

connected to

FortiSwitch-5003A

front panel interface F7

and to fabric channel 1

External switch

VLAN tagged traffic

External Network

Internal Network

Because the FortiGate-5000 boards in a link aggregation configuration operate in transparent mode, any routing, VPN or NAT requirements should be handed by an external device (such as a router), before or after the traffic reaches the FortiSwitch-5003A board.

If the traffic that you are distributing contains VLAN-tagged packets, you must add the VLAN tags to the FortiSwitch-5003A interfaces and to the trunks that will handle the VLAN-tagged traffic.

Figure shows a basic link aggregation configuration using a single

FortiSwitch-5003A board. In this configuration the external switch is connected to the FortiSwitch-5003A F7 front panel interface. The external switch adds VLAN tags to traffic from the internal and external networks. Packets from the internal network are tagged as 100 and packets from the external network are tagged as

101.

Note: LInk aggregation does not require FortiGate-RTM-XB2 modules. If the example in

Figure did not include FortiGate-RTM-XB2 modules the configuration steps would be the

same and link aggregation would still function the same way. The only difference is without the FortiGate-RTM-XB2 modules communication on the fabric channel would be 1Gbps instead of 10 Gbps.

Figure 14: Fabric channel layer-2 link aggregation configuration

5140SAP

5140

1311975312468101214

FILTER

SERIAL 1 SERIAL 2 ALARM

USER2

USER3

USER1

MINOR

MAJOR

CRITICAL

RESET

5000SM

ETH1

ETH0

10/100

link/Act

ETH0

Service

RESET

STATUS

Hot Swap

12

5000SM

ETH1

ETH0

10/100

link/Act

ETH0

Service

RESET

STATUS

Hot Swap

0

FAN TRAY FAN TRAYFAN TRAY

12

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide

34 01-30000-85717-20081205

FortiGate-5140 fabric backplane communication Fabric channel layer-2 link aggregation

The FortiSwitch-5003A configuration consists of adding a trunk named trunk_6 that aggregates backplane slots 6, 8, 9, 10, 11, and 13:

config switch fabric-channel trunk

edit "trunk_6"

set members "slot-6" "slot-8" "slot-9" "slot-10"

"slot-11" "slot-13"

end

Allow VLAN packets on the FortiSwitch-5003A F7 front panel interface and the trunk:

config switch fabric-channel interface

edit "f7"

set allowed-vlans 1,100-101 next edit "trunk_6"

set allowed-vlans 1,100-101 end

The traffic enters and exits the FortiGate-5001A boards using the fabric1 interface. You must add two VLAN interfaces to the fabric1 interface, one for traffic from the Internal network and one for traffic from the external network. Then you must add firewall policies for traffic between these VLAN interfaces.

For example, you could name the VLAN interfaces vlan_fab1_100 and

vlan_fab1-101. From the FortiGate-5001A CLI enter:

config system interface

edit vlan_fab1_100

set interface fabric1

set vlanid 100

set vdom root

etc... next edit vlan_fab1_101

set interface fabric1

set vlanid 101

set vdom root

etc... end

Then you can add vlan_fab1_100 to vlan_fab1-101 firewall policies the data traffic.

Note: On some versions of the FortiGate-5001A firmware, when a FortiGate-5001A board includes a FortiGate-RTM-XB2 module, the fabric1 and fabric2 interfaces are replaced with interfaces that are named RTM/1 and RTM/2 to indicate the presence of the FortiGate-RTM-XB2 module. Configuration settings that include the fabric1 and fabric2 interface names will have to be changed to use the RTM/1 and RTM/2 interface names.

You should also configure the FortiGate-5001A boards to send heartbeat packets over the fabric1 channel so that the FortiSwitch-5003A board can verify that the FortiGate-5001A boards are functioning. Each FortiGate-5001A board sends 10 heartbeat packets per second from each fabric interface. The packets are type 255 bridge protocol data unit (BPDU) packets. From the FortiGate-5001A CLI enter:

config system global

set fortiswitch-heartbeat enable

end

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 35

Fabric channel layer-2 link aggregation and redundancy FortiGate-5140 fabric backplane communication

You must also enable the FortiSwitch-5003A board to listen for heartbeat packets on all of the interfaces connected to FortiGate-5001A boards:

config switch fabric-channel physical-port

edit "slot-6"

set heartbeat enable next edit "slot-8"

set heartbeat enable next edit "slot-9"

set heartbeat enable next edit "slot-10"

set heartbeat enable next edit "slot-11"

set heartbeat enable next edit "slot-13"

set heartbeat enable end

Fabric channel layer-2 link aggregation and redundancy

In addition to 802.3adstatic mode layer-2 link aggregation and 802.1q VLANs the FortiSwitch-5003A board also supports 802.1s Multi-Spanning Tree Protocol (MSTP) for the fabric channels. You can use MSTP to add redundancy to a link aggregation configuration. Redundancy consists of redundant FortiSwitch-5003A boards that both distribute traffic to multiple FortiGate-5001A or 5005FA2 boards.

To be able to use redundant FortiSwitch-5003A boards in one chassis you must configure MSTP to eliminate loops. You can also use MSTP settings to control traffic flow and create different kinds of redundant configurations:

• An active-passive configuration where the active FortiSwitch-5003A board receives all traffic and distributes it to the FortiGate-5001A or 5005FA2 boards. If the active FortiSwitch-5003A board fails, all traffic is diverted to the passive FortiSwitch-5003A board which takes over distributing traffic to the FortiGate-5001A or 5005FA2 boards.

• An active-active configuration where both FortiSwitch-5003A boards receive and distribute traffic. If one of the FortiSwitch-5003A boards fails, all traffic is diverted to the remaining FortiSwitch-5003A board which takes over distributing all traffic to the FortiGate-5001A or 5005FA2 boards.

Redundant configurations require a third-party switch that supports MSTP and is used to connect the FortiSwitch-5003A boards to the networks. You configure MSTP on the third-party switch and on the FortiSwitch-5003A boards to create spanning tree instances on all three devices. All three devices must have the same spanning tree instances. Depending on the requirement, the spanning tree instances can have different priorities on each device. You can also use the third-party switch to add and remove VLAN tags from incoming and outgoing traffic.

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide

36 01-30000-85717-20081205

FortiGate-5140 fabric backplane communication Example active-passive redundant link configuration

The configuration of the spanning tree instances determines whether you create an active-passive or active-active configuration:

• For an active-passive configuration, you can create one spanning tree instance on all three devices and give one of the FortiSwitch-5003A boards a higher priority. This board becomes the active board in the configuration because spanning tree sends all traffic to the high priority spanning tree instance. If the active board fails, spanning tree re-directs all traffic to the other board.

• For an active-active configuration, you create two or more spanning tree instances on all three devices and give some instances a higher priority on one FortiSwitch-5003A board and give other instances a higher on the other FortiSwitch-5003A board. While both FortiSwitch-5003A boards are, the spanning tree configuration distributes traffic to both boards. If one of the FortiSwitch-5003A boards fails, spanning tree redirects all of the traffic to the board that is still operating.

Note: If you have more than one spanning tree instance you can still configure an active-passive configuration by setting the priorities of all spanning tree instances to be higher for the same FortiSwitch-5003A board.

In both active-passive or active-active configurations, if one of the FortiSwitch-5003A boards fails, sessions are temporarily interrupted because the FortiSwitch-5003A boards do not store session information.

Example active-passive redundant link configuration

Figure 15 shows an example redundant link aggregation configuration. In this

configuration an external switch is connected to two FortiSwitch-5003A front panel F7 interfaces. The switch adds VLAN tags to traffic from two internal and two external networks. Packets from each network get different VLAN tags. Packets from internal networks are tagged as 103 and 104 and packets from the external networks are tagged as 105 and 106.

To make this an active-passive configuration, the spanning tree instances on the FortiSwitch-5003A board in slot 1 should have a higher priority than the spanning tree instances on the FortiSwitch-5003A board in slot 2. The FortiSwitch-5003A board in slot 1 becomes the root for both spanning tree instances. Because of the priority settings, MSTP sends all packets to the FortiSwitch-5003A board in slot 1. If this board fails, MSTP re-directs all packets to the FortiSwitch-5003A board in slot 2.

For a given spanning tree instance, MSTP directs packets to the device with the lowest priority value. To give a spanning tree instance a higher priority on a device you must configure the instance on that device with a lower priority value. The lower priority value gives the device a higher spanning tree priority for a given spanning tree instance.

In this example the spanning tree priority values on the FortiSwitch-5003A board in slot 1 are both set to 4096 and the spanning tree priority values on the FortiSwitch-5003A board in slot 2 are both set to 40960. So spanning tree directs all traffic to the FortiSwitch-5003A board in slot 1.

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 37

Example active-passive redundant link configuration FortiGate-5140 fabric backplane communication

Distributed 10-gigabit data communication on fabric channel 1

Distributed 10-gigabit data communication on fabric channel 2

Six FortiGate-RTM-XB2 modules installed in RTM slots 6, 8, 9, 10, 11, and 13 to provide 10-gigabit fabric interfaces and NP2 acceleration for each FortiGate-5001A board.

Internal and external

10-gigabit networks

connected to

FortiSwitch-5003A

front panel interface F7

and to fabric channels

1 and 2

External Switch

VLAN Tagged Traff ic

External Networks

Internal Networks

All of the FortiGate-5001A boards must be operating in transparent mode and all must have the same configuration. In this redundant configuration, traffic can be re-directed from one fabric channel to another after a FortiSwitch-5003A fails or if you change the MSTP configuration. To make sure the FortiGate-5001A boards can continue to process traffic after a failure or MSTP configuration change you must add redundant configurations to both fabric interfaces. This means adding 4 VLAN interfaces to each fabric interface (one for each VLAN tag) and configuring duplicate firewall policies and routing for both sets of VLAN interfaces.

Figure 15: Redundant link aggregation configuration

5140SAP

5140

1311975312468101214

SERIAL 1 SERIAL 2 ALARM

L

2

1

3

R

A

R

O

C

T

O

I

J

E

IN

IT

S

A

S

R

U

M

E

M

C

R

External switch configuration

The external switch requires the following configuration settings. Example commands are shown for an HP procurve 3500yl switch with interfaces A1 and A4 connected to the FortiSwitch-5003A boards. The external switch acts as the root for spanning tree instance 0.

1 Create an MSTP configuration that includes a name and a revision. For example,

if the name is tree_1 and the revision is 1:

spanning-tree config-name "tree_1" spanning-tree config-revision 1

FILTER

0

12

5000SM

ETH1

ETH0

10/100

link/Act

ETH0 Service

RESET

STATUS

Hot Swap

12

5000SM

ETH1

ETH0

10/100

link/Act

ETH0 Service

RESET

STATUS

Hot Swap

FAN TRAY FAN TRAYFAN TRAY

38 01-30000-85717-20081205

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide

FortiGate-5140 fabric backplane communication Example active-passive redundant link configuration

2 Configure the switch to add VLAN tag 103 and 104 to packets from the internal

networks and VLAN tag 105 and 106 to packets from the external networks and to send packets from all of these networks to the FortiSwitch-5003A board.

vlan 103

name "VLAN103" tagged 6,8,19,A1,A4 exit

vlan 104

name "VLAN104" tagged 5,7,20,A1,A4 no ip address exit

vlan 105

name "VLAN105" tagged 6,8,19,A1,A4 no ip address exit

vlan 106

name "VLAN106" tagged 5,7,20,A1,A4 no ip address exit

3 Add spanning tree instance 3 for packets from the internal networks. Add VLAN

tags 103 and 104 to this spanning tree instance. Set the priority of this spanning tree instance to 5.

spanning-tree instance 3 vlan 103 104 spanning-tree instance 3 priority 5

4 Add spanning tree instance 5 for packets from the external networks. Add VLAN

tags 105 and 106 to this spanning tree instance. Set the priority of this spanning tree instance to 5, the same as instance 3.

spanning-tree instance 5 vlan 105 106 spanning-tree instance 5 priority 5

Example configuration for the FortiSwitch-5003A board in slot 1

The FortiSwitch-5003A board in slot 1 requires the following configuration settings:

1 Disable communication between the FortiSwitch-5003A boards:

config switch fabric-channel physical-port

edit slot-2/1

set status down

end

2 Create an MSTP configuration that includes the same name and revision as was

added to the external switch. For example, if the name is tree_1 and the revision is 1:

config switch fabric-channel stp settings

set name "tree_1" set revision 1

end

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 39

Example active-passive redundant link configuration FortiGate-5140 fabric backplane communication

3 Add two spanning tree instances numbered the same as the instances added to

the switch (3 and 5). Add the VLAN tags to the instances and set their priority values to 4096:

config switch fabric-channel stp instance

edit 3

set priority 4096

set vlan-range 103-104 next edit 5

set priority 4096

set vlan-range 105-106 end

Note: The priority values of both spanning tree instances should be lower on the FortiSwitch-5003A board in slot 1 than on the board in slot 2 so that spanning tree directs all traffic to the board in slot 1.

4 Add a trunk named trunk_6 that aggregates backplane slots 6, 8, 9, 10, 11, and

13:

config switch fabric-channel trunk

edit "trunk_6"

set members "slot-6" "slot-8" "slot-9" "slot-10"

"slot-11" "slot-13"

end

5 Allow VLAN packets on the FortiSwitch-5003A F7 front panel interface and the

trunk:

config switch fabric-channel interface

edit "f7"

set allowed-vlans 1,103-106 next edit "trunk_6"

set allowed-vlans 1,103-106 end

6 Enable the FortiSwitch-5003A board to listen for heartbeat packets on all of the

interfaces connected to FortiGate-5001A boards:

config switch fabric-channel physical-port

edit "slot-6"

set heartbeat enable next edit "slot-8"

set heartbeat enable next edit "slot-9"

set heartbeat enable next edit "slot-10"

set heartbeat enable next edit "slot-11"

set heartbeat enable next edit "slot-13"

set heartbeat enable end

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide

40 01-30000-85717-20081205

FortiGate-5140 fabric backplane communication Example active-passive redundant link configuration

Verifying the MSTP configuration of the FortiSwitch-5003A board in slot 1

Enter diagnose spanning-tree mst-config fabric-channel to display the FortiSwitch-5003A fabric channel MSTP configuration.

diagnose spanning-tree mst-config fabric-channel

MST Configuration Identification Information

Unit: Fabric MST Configuration Name: tree_1 MST Configuration Revision: 1 MST Configuration Digest:

Instance ID Mapped VLANs ____________________________________________________ 3 103 104 5 105 106

Enter diagnose spanning-tree instance fabric-channel <instance_integer> <interface> to display the configuration of a

spanning tree instance for an interface. For example, to display the configuration of spanning tree instance 3 for the FortiSwitch-5003A F7 interface enter:

diagnose spanning-tree instance fabric-channel 3 f7

d397441fd8666b0abb8f5fab64b9d18a

MST Instance Information, Fabric-Channel:

Instance ID : 3 Mapped VLANs : 103 104 Switch Priority : 4096 Regional Root MAC Address : 003064058f87 Regional Root Priority: 4096 Regional Root Path Cost: 0 Regional Root Port: slot-2/1 Remaining Hops: 20

Port Speed Cost Priority Role State __________ ______ ________ _________ __________ __________

f7 10G 2000 128 DESIGNATED FORWARDING

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 41

Example active-passive redundant link configuration FortiGate-5140 fabric backplane communication

Example configuration for the FortiSwitch-5003A board in slot 2

The FortiSwitch-5003A board in slot 2 requires the same configuration settings as the FortiSwitch-5003A board in slot 1 except that the priority values of both spanning tree instances is set higher for the FortiSwitch-5003A board in slot 2:

config switch fabric-channel stp instance

edit 3

set priority 40960

set vlan-range 103-104 next edit 5

set priority 40960

set vlan-range 105-106 end

Note: The priority values of both spanning tree instances should be higher on the FortiSwitch-5003A board in slot 2 than on the board in slot 1 so that spanning tree directs all traffic to the board in slot 1.

Verifying the MSTP configuration of the FortiSwitch-5003A board in slot 2

Enter diagnose spanning-tree mst-config fabric-channel to display the FortiSwitch-5003A fabric channel MSTP configuration.

diagnose spanning-tree mst-config fabric-channel

MST Configuration Identification Information

Unit: Fabric MST Configuration Name: tree_1 MST Configuration Revision: 1

MST Configuration Digest: 86a2448b88448fb7dbe0f8680e2d0fb5

Instance ID Mapped VLANs ____________________________________________________ 3 103 104 5 105 106

To display the configuration of spanning tree instance 5 for the FortiSwitch-5003A F7 interface enter:

diagnose spanning-tree instance fabric-channel 5 f7

MST Instance Information, Fabric-Channel:

Instance ID : 5 Mapped VLANs : 105 106

Switch Priority : 40960 Regional Root MAC Address : 00306407a1da Regional Root Priority: 40960 Regional Root Path Cost: 0 Regional Root Port: slot-2/1 Remaining Hops: 20

Port Speed Cost Priority Role State __________ ______ ________ _________ __________ __________ f7 10G 2000 128 DESIGNATED FORWARDING

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide

42 01-30000-85717-20081205

FortiGate-5140 fabric backplane communication Example active-passive redundant link configuration

Example FortiGate-5001A configuration

All of the FortiGate-5001A boards must be operating in transparent mode and all must have the same configuration.

The spanning tree instances can send traffic to fabric channel 1 or fabric channel

2. As a result, traffic can enter and exit the FortiGate-5001A boards using the fabric1 interface or the fabric2 interface. So you should create redundant configurations for each fabric interface. For each fabric interface you must add four VLAN interfaces, two for traffic from both Internal networks and two for traffic from both external networks. Then for each fabric interface you must add firewall policies for traffic between the four VLAN interfaces.

For example, for the fabric1 interface you could name the VLAN interfaces vlan_fab1_103, vlan_fab1-104, vlan_fab1_105, and vlan_fab1-106. From the FortiGate-5001A CLI enter:

config system interface

edit vlan_fab1_103

set interface fabric1 set vlanid 103 set vdom root

etc... next edit vlan_fab1_104

set interface fabric1

set vlanid 104

set vdom root

etc... edit vlan_fab1_105

set interface fabric1

set vlanid 105

set vdom root

etc... next edit vlan_fab1_106

set interface fabric1

set vlanid 106

set vdom root

etc... end

For the fabric2 interface you could name the VLAN interfaces vlan_fab2_103, vlan_fab2-104, vlan_fab2_105, and vlan_fab2-106. From the

FortiGate-5001A CLI enter:

config system interface

edit vlan_fab2_103

set interface fabric2

set vlanid 103

set vdom root

etc... next edit vlan_fab2_104

set interface fabric2

set vlanid 104

set vdom root

etc...

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 43

Example active-active redundant link configuration FortiGate-5140 fabric backplane communication

edit vlan_fab2_105

set interface fabric2 set vlanid 105 set vdom root

etc... next edit vlan_fab2_106

set interface fabric2

set vlanid 106

set vdom root

etc... end

You should also configure the FortiGate-5001A boards to send heartbeat packets over the fabric1 and fabric2 channels so that the FortiSwitch-5003A board can verify that the FortiGate-5001A boards are functioning. Each FortiGate-5001A board sends 10 heartbeat packets per second from each fabric interface. The packets are type 255 bridge protocol data unit (BPDU) packets. From the FortiGate-5001A CLI enter:

config system global

set fortiswitch-heartbeat enable

end

Example active-active redundant link configuration

You can make the previous example an active-active redundant link configuration that sends all traffic from the internal networks to one FortiSwitch-5003A board and all traffic from the external networks to the other FortiSwitch-5003A board by changing the priorities of the spanning tree instances added to the FortiSwitch-5003A boards. No other configuration changes are required.

To send all traffic from the internal networks to the FortiSwitch-5003A board in slot 1 configure the spanning tree instances on this board with a lower priority value for instance 3 which is used for VLAN 103 and 104 packets.

config switch fabric-channel stp instance

edit 3

set priority 4096

set vlan-range 103-104 next edit 5

set priority 40960

set vlan-range 105-106 end

To send all traffic from the external networks to the FortiSwitch-5003A board in slot 2 configure the spanning tree instances on this board with a lower priority value for instance 5 which is used for VLAN 105 and 106 packets.

config switch fabric-channel stp instance

edit 3

set priority 40960

set vlan-range 103-104 next

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide

44 01-30000-85717-20081205

FortiGate-5140 fabric backplane communication Example active-active redundant link configuration

edit 5

set priority 4096 set vlan-range 105-106

end

Verifying the spanning tree configuration of the FortiSwitch-5003A board in slot 1

To display the configuration of spanning tree instance 3 for the FortiSwitch-5003A F7 interface enter:

diagnose spanning-tree instance fabric-channel 3 f7

MST Instance Information, Fabric-Channel:

Instance ID : 3 Mapped VLANs : 103 104 Switch Priority : 4096 Regional Root MAC Address : 00306407a1da Regional Root Priority: 4096 Regional Root Path Cost: 0 Regional Root Port: slot-2/1 Remaining Hops: 20

Port Speed Cost Priority Role State __________ ______ ________ _________ __________ __________

f7 10G 2000 128 DESIGNATED FORWARDING

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 45

Example active-active redundant link configuration FortiGate-5140 fabric backplane communication

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide

46 01-30000-85717-20081205

FortiGate-5050 fabric backplane communication

The FortiGate-5505 chassis has two fabric backplane Ethernet channels that can operate at 1 Gbps or 10 Gbps. Available connections to these channels vary by hub/switch slot number.

• Hub/switch slot 1 can connect to the first fabric backplane channel (channel 1), and thereby all other chassis slots, except hub/switch slot 2.

• Hub/switch Slot 2 can connect the to the second fabric backplane channel (channel 2), and thereby all other chassis slots, except hub/switch slot 1.

• Other slots can connect to either or both channels, but only directly reach hub/switch slot 1 or hub/switch slot 2. Connections to other slots through the fabric backplane channels must pass through hub/switch slot 1 or hub/switch slot 2.

Note: For more information on chassis architecture, see ATCA (Advanced Telecom Computing Architecture) specifications.

Because of the fabric backplane dual star topology, connecting to or through the fabric backplane requires FortiSwitch-5003A boards installed in hub/switch slot 1, hub/switch slot 2, or both. FortiSwitch-5003A front panel fabric interfaces can also connect the chassis fabric backplane channels to external devices, such as a management computer, the network, or the fabric backplane of another chassis.

Note: FortiSwitch-5003 boards do not support fabric backplane switching.

FortiGate-5001A boards and FortiGate-5005FA2 boards can connect to the fabric backplane at 1 Gbps. With the addition of a FortiGate-RTM-XB2 modules, FortiSwitch-5001A boards can also connect to the fabric backplane at 10 Gbps. The FortiGate-5001SX board and FortiGate-5001FA2 board do not include fabric backplane interfaces.

Table 11: Names of fabric backplane interfaces by FortiGate model

Model Name of fabric backplane

interface 1 (to slot 1)

FortiGate-5001A fabric1 fabric2

FortiGate-5005FA2 fabric1 fabric2

FortiGate-5001FA2 N/A N/A

FortiGate-5001SX N/A N/A

Name of fabric backplane interface 2 (to slot 2)

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 47

Fabric gigabit switching within a chassis FortiGate-5050 fabric backplane communication

1

2

3

4

5

SMC

1

SMC

POWER

Fabric channel 2 data communication

This section describes:

• Fabric gigabit switching within a chassis

• Fabric channel connections between FortiSwitch-5003A boards

• Fabric gigabit switching between chassis

• Fabric gigabit switching to the network

• Fabric 10-gigabit switching within a chassis

• Fabric channel layer-2 link aggregation

• Fabric channel layer-2 link aggregation and redundancy

• Example active-passive redundant link configuration

• Example active-active redundant link configuration

Fabric gigabit switching within a chassis

You can use FortiSwitch-5003A fabric channel switching for communication between the fabric backplane interfaces of FortiGate-5001A or 5005FA2 boards installed in a FortiGate-5050 chassis.

Figure 16 shows a FortiGate-5050 chassis with a FortiSwitch-5003A board in

hub/switch slot 2, and FortiGate-5001A boards in slots 3, 4, and 5. In this configuration the FortiSwitch-5003A board provides 1-gigabit fabric backplane switching for the FortiGate-5001A fabric2 interfaces. The FortiSwitch-5003A boards operate as layer-2 switches and the FortiGate-5001A boards operate as typical standalone FortiGate units.

The chassis can be connected to the network using any of the FortiGate-5001A front panel interfaces. You can also connect FortiSwitch-5003A front panel fabric interfaces to the network. You can also install FortiGate AMC modules in the FortiGate-5001A boards and connect the network to the AMC front panel interfaces. The AMC modules and the network connections are not shown in

Figure 16.

Figure 16: FortiGate-5050 fabric channel 2 data communication

5000SM

10/100

ETH0

Service

link/Act

ETH1

STATUS

10/100

RESET

ETH0

link/Act

5050SAP

SERIAL

Hot Swap

1

ALARM

5000SM

10/100

ETH0

Service

link/Act

ETH1

SERIAL

2

STATUS

10/100

ETH0

link/Act

Hot Swap

RESET

48 01-30000-85717-20081205

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide

FortiGate-5050 fabric backplane communication Fabric gigabit switching within a chassis

For the FortiGate-5001A boards to use the fabric channel 2 for data communication you must show backplane interfaces on the FortiGate-5001A web-based manager and then configure firewall polices and routing for the fabric2 interfaces.

If the data traffic contains VLAN-tagged packets, you must add the VLAN tags to the FortiSwitch-5003A interfaces that will handle the VLAN-tagged traffic. For example, to allow VLAN tag 34 on slot 5 from the FortiSwitch-5003A CLI enter:

config switch fabric-channel interface

edit "slot-5"

set allowed-vlans 1,34

end

For more information about the FortiSwitch-5003A CLI, see “FortiSwitch-5003A

CLI reference” on page 89.

Figure 17 shows a FortiGate-5050 chassis with FortiSwitch-5003A boards in

hub/switch slots 1 and 2 and FortiGate-5001A boards in slots 3, 4, and 5. In this configuration the FortiSwitch-5003A boards are operating as layer-2 switches for fabric channels 1 and 2 and the FortiGate-5001A boards are operating as typical standalone FortiGate units. The FortiGate-5001A boards can use fabric channels 1 and 2 for data communication among the FortiGate boards.

The chassis can be connected to the network using any of the FortiGate-5001A front panel interfaces. You can also connect FortiSwitch-5003A front panel fabric interfaces to the network. You can also install FortiGate AMC modules in the FortiGate-5001A boards and connect the network to the AMC front panel interfaces. The AMC modules and the network connections are not shown in

Figure 17.

Figure 17: FortiGate-5050 fabric channel 1 and 2 data communication

Fabric channel 1

data communication

5

4

3

2

1

5000SM

10/100

SMC

ETH0

link/Act

ETH1

10/100

ETH0

link/Act

2

Service

STATUS

RESET

5050SAP

SERIAL

Hot Swap

1

ALARM

5000SM

10/100 link/Act

ETH1

SERIAL

10/100

2

ETH0

link/Act

Fabric channel 2 data communication

POWER

ETH0

Service

SMC

STATUS

Hot Swap

RESET

1

For the FortiGate-5001A boards to use the fabric channels 1 and 2 for data communication you must show backplane interfaces on the FortiGate-5001A web-based manager and then configure firewall polices and routing for the fabric1 and fabric2 interfaces.

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 49

Fabric channel connections between FortiSwitch-5003A boards FortiGate-5050 fabric backplane communication

If the data traffic contains VLAN-tagged packets, you must add the VLAN tags to the FortiSwitch-5003A interfaces that will handle the VLAN-tagged traffic. For example, to allow VLAN tags 200 to 205 on slots 3, 4, and 5 from the FortiSwitch-5003A CLI enter:

config switch fabric-channel interface

edit "slot-3"

set allowed-vlans 1,200-205 next edit "slot-4"

set allowed-vlans 1,200-205 next edit "slot-5"

set allowed-vlans 1,200-205 end

Fabric channel connections between FortiSwitch-5003A boards

When two FortiSwitch-5003A boards are installed in a single chassis their fabric channels are connected together. This means there is a data connection between fabric channel 1 and fabric channel 2. Unless you are going to use this connection you should disable it.

If one or more of the FortiGate-5001A or 5005FA2 boards are operating in transparent mode, the connection between the fabric channels can cause looping. If you have one or more FortiGate-5001A or 5005FA2 boards operating in transparent mode with two FortiSwitch-5003A boards in the same chassis you must disable communication between the FortiSwitch-5003A boards.

The fabric channel connection between the FortiSwitch-5003A boards uses an internal FortiSwitch-5003A interface called slot-2/1. To disable the fabric channel connection between two FortiSwitch-5003A boards you should set the status of slot-2/1 to down for one of the boards. Connect to the CLI of one of the FortiSwitch-5003A boards and enter the following command:

config switch fabric-channel physical-port

edit slot-2/1

set status down end

Fabric gigabit switching between chassis

You can use the FortiSwitch-5003A front panel fabric interfaces to provide 10-gigabit data communications between the fabric channels of any combination of FortiGate-5050 and FortiGate-5140 chassis.

Note: Its not required, but in most cases you would connect the same fabric channels together. That is you would connect fabric channel 1 on one chassis to fabric channel 1 on another. Usually you would not connect fabric channel 1 on one chassis to fabric channel 2 on another chassis. Also, you would usually not connect a base channel from one chassis to a fabric channel on another chassis. You should be careful of looping when connecting chassis together if some of the FortiGate boards in the chassis are operating in transparent mode.

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide

50 01-30000-85717-20081205

FortiGate-5050 fabric backplane communication Fabric gigabit switching between chassis

Fabric channel 2 10-figabit data ccommunication between 2 chassis

1

2

3

4

5

SMC

1

SMC

POWER

1

2

3

4

5

SMC

1

SMC

POWER

Figure 18 shows data communication between two FortiGate-5050 chassis using

fabric channel 2. The top chassis in the figure contains a FortiSwitch-5003A board in hub/switch slot 2 and three FortiGate-5001A boards. The bottom chassis contains a FortiSwitch-5003A board also in hub/switch slot 2 and two FortiGate-5005FA2 boards. The chassis are connected together using their respective FortiSwitch-5003A F1 front panel interfaces.

In this configuration the FortiSwitch-5003A boards are operating as layer-2 switches for fabric channel 2 and the FortiGate-5001A and 5005FA2 boards are operating as typical standalone FortiGate units.

The chassis can be connected to the network using any of the FortiGate front panel interfaces. You can also connect FortiSwitch-5003A front panel fabric interfaces to the network. You can also install FortiGate AMC modules in the FortiGate-5001A boards and connect networks to the AMC front panel interfaces. The AMC modules and the network connections are not shown in Figure 18.

Figure 18: Fabric channel 2 data communication between two FortiGate-5050

chassis

5000SM

10/100

ETH0

Service

link/Act

ETH1

STATUS

10/100

RESET

ETH0

link/Act

ACT

LINK

BASE

ACT

FABRIC

LINK

CONSOLE

ACT

LINK

BASE

ACT

FABRIC

LINK

CONSOLE

5000SM

10/100

ETH0

Service

link/Act

ETH1

STATUS

10/100

RESET

ETH0

link/Act

For the FortiGate-5001A and 50005FA2 boards to use fabric channel 2 for data communication you must show backplane interfaces on the FortiGate web-based manager and then configure firewall polices and routing for the fabric2 interfaces.

Hot Swap

USB USB

OOS ACC STATUS

USB USB

OOS ACC STATUS

Hot Swap

SERIAL

1

5050SAP

ALARM

3 412 56

ALARM

5000SM

10/100

ETH0

Service

link/Act

ETH1

SERIAL

2

SERIAL

2

10/100

ETH0

link/Act

78

IPM

78

IPM

5000SM

10/100 link/Act

ETH1

10/100

ETH0

link/Act

STATUS

Hot Swap

RESET

ETH0

Service

STATUS

Hot Swap

RESET

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 51

Fabric gigabit switching to the network FortiGate-5050 fabric backplane communication

If the data traffic contains VLAN-tagged packets, you must add the VLAN tags to the FortiSwitch-5003A interfaces that will handle the VLAN-tagged traffic. For example, to allow VLAN tags 201 to 210 on slots 3, 4, and 5 and the F1 front panel interface, from the FortiSwitch-5003A CLI enter:

config switch fabric-channel interface

edit "slot-3"

set allowed-vlans 1,201-210 next edit "slot-4"

set allowed-vlans 1,201-210 next edit "slot-5"

set allowed-vlans 1,201-210 next edit "f1"

set allowed-vlans 1,201-210 end

Fabric gigabit switching to the network

You can use the FortiSwitch-5003A fabric front panel interfaces to connect the fabric channel of a chassis to your network. Most often you would do this for data communication between the network and a fabric channel. For a simple 10-gigabit connection from your network to a fabric channel you can connect your network directly to a FortiSwitch-5003A fabric channel front panel interface. This connection provides data communication to the fabric1 or fabric2 interfaces of the FortiGate-5000 boards installed in the chassis.

Figure 19 shows a FortiGate-5050 chassis containing two FortiSwitch-5003A

boards and three FortiGate-5001A boards. The chassis is connected to internal and an external networks using FortiSwitch-5003A front panel fabric interfaces:

• The internal network is connected to fabric channel 2 using the F7 front panel interface of the FortiSwitch-5003A board in hub/switch slot 2

• The external network is connected to fabric channel 1 using the F1 front panel interface of the FortiSwitch-5003A board in hub/switch slot 1

In this configuration the FortiSwitch-5003A boards are operating as layer-2 switches and the FortiGate-5001A boards are operating as standalone FortiGate units.

The chassis can also be connected to the network using any of the FortiGate front panel interfaces. You can also install FortiGate AMC modules in the FortiGate-5001A boards and connect networks to the AMC front panel interfaces. The AMC modules and network connections to the AMC modules and FortiGate boards are not shown in Figure 19.

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide

52 01-30000-85717-20081205

FortiGate-5050 fabric backplane communication Fabric gigabit switching to the network

Figure 19: Fabric channel 2 connected to an internal network and fabric channel 1

connected to an external network

Internal Network

Internal network connected to the F7

front panel fabric interface

to connect to fabric channel 2

5

Fabric channel 1 Data Communication

4

3

2

POWER

Fabric channel 2 Data Communication

1

5000SM

10/100

SMC

ETH0

Service

link/Act

ETH1

STATUS

10/100

RESET

ETH0

link/Act

2

5050SAP

SERIAL

Hot Swap

1

ALARM

5000SM

10/100

ETH0

link/Act

ETH1

SERIAL

10/100

2

ETH0

link/Act

SMC

Service

STATUS

Hot Swap

RESET

1

External network connected to the F1

front panel fabric interface

to connect to fabric channel 1

External Network

If you have two FortiSwitch-5003A boards installed in a chassis you may need to block communication between fabric channel 1 and fabric channel 2. See “Fabric

channel connections between FortiSwitch-5003A boards” on page 50 for more

information.

For the FortiGate-5001A boards to use the fabric channels for data communication you must show backplane interfaces on the FortiGate web-based manager and then configure firewall polices and routing for the fabric1 and fabric2 interfaces.

If the data traffic contains VLAN-tagged packets, you must add the VLAN tags to the FortiSwitch-5003A interfaces that will handle the VLAN-tagged traffic. For example, to allow VLAN tags 80 to 90 on slots 3, 4, and 5 and the F7 front panel interface, from the FortiSwitch-5003A CLI enter:

config switch fabric-channel interface

edit "slot-3"

set allowed-vlans 1,80-90 next edit "slot-4"

set allowed-vlans 1,80-90 next edit "slot-5"

set allowed-vlans 1,80-90 next edit "f7"

set allowed-vlans 1,80-90 end

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 53

Fabric 10-gigabit switching within a chassis FortiGate-5050 fabric backplane communication

Fabric 10-gigabit switching within a chassis

All of the FortiSwitch-5003A fabric front panel interfaces are 10-gigabit interfaces and the FortiSwitch-5003A board supports 10-gigabit communication across the fabric backplane channels. The FortiGate-5001A board also supports 10-gigabit communication on the fabric backplane with the addition of a FortiGate-RTM-XB2 module. You require one FortiGate-RTM-XB2 module for each FortiGate-5001A board. The FortiGate-RTM-XB2 module must be installed in the chassis rear transition module (RTM) slot that corresponds to the front panel slot containing the FortiGate-5001A board. For example, if you install a FortiGate-5001A board in slot 3 you must also install a FortiGateRTM-XB2 module in RTM slot 3. The RTM slots are at the back of the FortiGate-5050 chassis.

One FortiGate-RTM-XB2 module provides 10-gigabit connections to both fabric channels. The FortiGate-RTM-XB2 also provides NP2 packet acceleration for both fabric channels. To effectively use NP2 acceleration, packets must be received by the FortiGate-5001A board on one fabric channel and must exit from the FortiGate-5001A board on the same fabric channel or on the other fabric channel. See the FortiGate-RTM-XB2 System Guide for more information about the FortiGate-RTM-XB2.

Note: A single FortiSwitch-5003A can provide simultaneous 10 Gbps connections to FortiGate-5001A boards with FortiGate-RTM-XB2 modules, 1 Gbps connections to FortiGate-5001A boards, and 1 Gbps connections to FortiGate-5005FA2 boards.

Figure 20 shows a FortiGate-5050 chassis containing two FortiSwitch-5003A

boards and one FortiGate-5001A board. Using these components this chassis supplies 10-gigabit connectivity between the external and internal networks. The external network is connected to the F1 10-gigabit front panel interface of the FortiSwitch-5003A board in slot 1, which connects the external network to fabric channel 1. The internal network is connected to the F7 10-gigabit front panel interface of the FortiSwitch-5003A board in slot 2, which connects the internal network to fabric channel 2.

10-gigabit traffic from the external network enters the F1 10-gigabit FortiSwitch-5003A front panel interface, passes through the FortiSwitch-5003A board and through the FortiGate-RTM-XB2 module to the fabric1 interface of the FortiGate-5001A board. Traffic accepted at the fabric1 interface is processed by the FortiGate-5001A board. Traffic destined for the internal network exits the fabric2 interface of the FortiGate-5001A board, passes through the FortiGate-RTM-XB2 module and through the FortiSwitch-5003A board and exits the F7 10-gigabit FortiSwitch-5003A front panel interface and is received by the internal network.

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide

54 01-30000-85717-20081205

FortiGate-5050 fabric backplane communication Fabric 10-gigabit switching within a chassis

Fabric Channel 2 10-gigabit Data Communication

FortiGate-RTM-XB2 module installed in RTM slot 3 provides two 10-gigabit fabric channels and NP2 acceleration for the FortiGate-5001A board

FortiGate-5001A Board Installed in FortiGate-5050 front panel slot 3

Fabric Channel 1 10 Gigabit Data Communication

Internal 10-gigabit Network Connected to Fabric Channel 2

External 10-gigabit

Network Connected

to Fabric Channel 1

Internal Network

External Network

Figure 20: Example 10-gigabit connection between internal and external networks

5

4

3

2

1

5000SM

10/100

SMC

ETH0

Service

link/Act

ETH1

STATUS

10/100

RESET

ETH0

link/Act

2

5050SAP

SERIAL

Hot Swap

1

ALARM

5000SM

10/100 link/Act

ETH1

SERIAL

10/100

2

ETH0

link/Act

POWER

SMC

ETH0

Service

STATUS

Hot Swap

RESET

1

The configuration shown in Figure 20 requires no configuration changes to the FortiSwitch-5003A boards except to disable communication between the FortiSwitch-5003A boards (if required, see “Fabric channel connections between

FortiSwitch-5003A boards” on page 50).

On the FortiGate-5001A board, to allow traffic to pass between the internal and external networks, the FortiGate-5001A board would operate in NAT/Route mode and you must configure firewall policies and routing for the fabric1 and fabric2 interfaces. No configuration changes are required to use the FortiGate-RTM-XB2 module. NP2 acceleration is automatically applied to traffic passing between the internal and external networks by the FortiGate-RTM-XB2 module.

Note: On some versions of the FortiGate-5001A firmware, when a FortiGate-5001A board starts up with a FortiGate-RTM-XB2 module installed, the fabric1 and fabric2 interfaces are replaced with interfaces that are named RTM/1 and RTM/2 to indicate the presence of the FortiGate-RTM-XB2 module. Configuration settings that include the fabric1 and fabric2 interface names will have to be changed to use the RTM/1 and RTM/2 interface names.

If the data traffic contains VLAN-tagged packets, you must add the VLAN tags to the FortiSwitch-5003A interfaces that will handle the VLAN-tagged traffic. For example, to allow VLAN tags 80 to 90 on slots 1 and the F7 front panel interface, from the FortiSwitch-5003A CLI enter:

config switch fabric-channel interface

edit "slot-1"

set allowed-vlans 1,80-90 next edit "f7"

set allowed-vlans 1,80-90 end

FortiSwitch-5003A and 5003 Fabric and Base Backplane Communications Guide 01-30000-85717-20081205 55

Fabric channel layer-2 link aggregation FortiGate-5050 fabric backplane communication