This 2 Tier MCLAG FortiLink (two-tier stack) configuration example builds on the 1 Tier MCLAG FortiLink (one-tier stack) example in the previous chapter. Content that is identical in both designs (HA, VLAN, WiFi, SD-WAN, policies and so on) is not repeated here.
Requirements:
FortiGate: FortiGate-101E v6.2.4 x 2
FortiSwitch: FortiSwitch v3.6.9 x 4 (Core-FSW1 and Core-FSW2, Access-FSW1 and Access-FSW2)
FortiAP: FP221C-v6.0-build5017 x 1
The FGTs run as an HA cluster; the core and access switches use a 2 Tier MCLAG stacked topology (two-tier stack).
Overall plan:
FortiGate HA cluster deployment
Dedicated HA management ports:
FGT101E_Master_379 mgmt: 192.168.91.21
FGT101E_Slave_045 mgmt: 192.168.91.22
WAN addressing:
WAN1 (China Unicom uplink) IP 202.100.1.21, GW 202.100.1.192
WAN2 (China Telecom uplink) IP 101.100.1.21, GW 101.100.1.192
WAN1 and WAN2 are combined into one SD-WAN interface.
LAN addressing:
The FGT takes over the FortiSwitches and FortiAPs through FortiLink and CAPWAP, so wired and wireless are managed and policed from one place.
Wired network: VLAN 10, 192.168.10.1
Wireless, staff WiFi: VLAN 20, 192.168.20.1
Wireless, guest WiFi: VLAN 30, 192.168.30.1
FortiAP management: VLAN 99, 192.168.99.1
FortiLink interconnect:
FortiGate port1 and port2 form an aggregate interface that connects to the last two ports of the FortiSwitch, giving an aggregated FortiLink. An aggregate FortiLink is recommended on FGT100 and larger models; entry models that lack aggregate interfaces (for example the FGT60E) use a single physical port or a hardware-switch port instead. Wherever the device supports aggregate interfaces, use them.
Configuration steps:
Note: steps that repeat the previous chapter are not shown again; only the two steps that 2 Tier adds, steps 6 and 7, are demonstrated.
For steps 1 to 5 refer to the previous chapter. About 99% of that content is identical and only the topology diagram changes slightly. Although those steps are not repeated, the topology that results after steps 1 to 5 is examined below, because it makes the logic of the remaining configuration and of the resulting topology changes easier to follow.
After the first five steps, the FortiLink topology looks like the figure below:
Logically it resembles this diagram:
Check the STP state on each switch (note the ALTERNATIVE/DISCARDING port on Access-FSW1 and the ">>>" trunk mismatch notices on the core switches):
FGT101E_Master_379 # execute ssh admin@169.254.1.4
Core-FSW1 # diagnose stp instance list 15
MST Instance Information, primary-Channel:
Instance ID 15
Config Priority 20480, VLANs 4094
Bridge MAC 704ca5e28210, MD5 Digest 9999b43d77cc58bba8854f9991c4a487
Regional Root MAC 704ca5e28210, Priority 20480, Path Cost 0
(This bridge is the regional root)
TCN Events Triggered 44, Received 94
Port Speed Cost Priority Role State Flags
________________ ______ _________ _________ ___________ __________ _______________
internal 1G 20000 128 DESIGNATED FORWARDING ED
D243Z17000085-0 20G 1 128 DESIGNATED FORWARDING ED
__FoRtI1LiNk0__ 2G 20000 128 DESIGNATED FORWARDING ED
>>> port24 STP state DISCARDING mismatches trunk `__FoRtI1LiNk0__`: Active members in HW: port23
8DP3W16000061-0 1G 1 128 DESIGNATED FORWARDING EN
8DP3W16000060-0 1G 1 128 DESIGNATED FORWARDING EN
Flags: EN(STP enable), ED(Edge), LP(Loop Protection), RG(Root Guard Triggered), BG(BPDU Guard Triggered)
Core-FSW1 #
FGT101E_Master_379 # execute ssh admin@169.254.1.3
Core-FSW2 # diagnose stp instance list 15
MST Instance Information, primary-Channel:
Instance ID 15
Config Priority 20480, VLANs 4094
Bridge MAC 704ca5e28210, MD5 Digest 9999b43d77cc58bba8854f9991c4a487
Regional Root MAC 704ca5e28210, Priority 20480, Path Cost 0
(This bridge is the regional root)
TCN Events Triggered 37, Received 40
Port Speed Cost Priority Role State Flags
________________ ______ _________ _________ ___________ __________ _______________
internal 1G 20000 128 DESIGNATED FORWARDING ED
D24T418000339-0 20G 1 128 DESIGNATED FORWARDING ED
__FoRtI1LiNk0__ 2G 20000 128 DESIGNATED FORWARDING ED
>>> port24 STP state DISCARDING mismatches trunk `__FoRtI1LiNk0__`: Active members in HW: port23
8DP3W16000061-0 1G 1 128 DESIGNATED FORWARDING EN
8DP3W16000060-0 1G 1 128 DESIGNATED FORWARDING EN
Flags: EN(STP enable), ED(Edge), LP(Loop Protection), RG(Root Guard Triggered), BG(BPDU Guard Triggered)
Core-FSW2 #
FGT101E_Master_379 # execute ssh admin@169.254.1.2
Access-FSW1 # diagnose stp instance list 15
MST Instance Information, primary-Channel:
Instance ID 15
Config Priority 28672, VLANs 4094
Bridge MAC 906caca3f1f6, MD5 Digest 9999b43d77cc58bba8854f9991c4a487
Regional Root MAC 704ca5e28210, Priority 20480, Path Cost 1, Root Port _FlInK1_MLAG0_
TCN Events Triggered 2, Received 12
Port Speed Cost Priority Role State Flags
________________ ______ _________ _________ ___________ __________ _______________
internal 1G 20000 128 DESIGNATED FORWARDING ED
_FlInK1_MLAG0_ 2G 1 128 ROOT FORWARDING EN
8DP3W16000060-0 2G 1 128 ALTERNATIVE DISCARDING EN // port blocked by STP: a loop exists and STP is breaking it
Flags: EN(STP enable), ED(Edge), LP(Loop Protection), RG(Root Guard Triggered), BG(BPDU Guard Triggered)
Access-FSW1 #
FGT101E_Master_379 # execute ssh admin@169.254.1.5
Access-FSW2 # diagnose stp instance list 15
MST Instance Information, primary-Channel:
Instance ID 15
Config Priority 28672, VLANs 4094
Bridge MAC 906caca3f1c2, MD5 Digest 9999b43d77cc58bba8854f9991c4a487
Regional Root MAC 704ca5e28210, Priority 20480, Path Cost 1, Root Port _FlInK1_MLAG0_
TCN Events Triggered 3, Received 9
Port Speed Cost Priority Role State Flags
________________ ______ _________ _________ ___________ __________ _______________
internal 1G 20000 128 DESIGNATED FORWARDING ED
_FlInK1_MLAG0_ 2G 1 128 ROOT FORWARDING EN
8DP3W16000061-0 2G 1 128 DESIGNATED FORWARDING EN
Flags: EN(STP enable), ED(Edge), LP(Loop Protection), RG(Root Guard Triggered), BG(BPDU Guard Triggered)
Access-FSW2 #
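The checker below is an added example written for this page, not Fortinet code. The two captures embedded in it are copied from the Core-FSW1 and Access-FSW1 output above, with the CLI prompts and the inline comment removed. It parses the per-port table of "diagnose stp instance list", reports which bridge is the regional root and which port is the root port, and lists every DISCARDING port and every ">>>" mismatch notice as a finding, so the same script can be run on captures taken after steps 6 and 7 and the before/after state compared.

```python
"""Summarise FortiSwitch `diagnose stp instance list <id>` output and flag blocked ports.

Added example for this page (not Fortinet code). The captures below are copied
from the step-5 output shown above, prompts and inline comments removed.
"""
import re

# One row of the per-port table: Port Speed Cost Priority Role State Flags
PORT_RE = re.compile(
    r"^(?P<port>\S+)\s+(?P<speed>\d+G)\s+(?P<cost>\d+)\s+(?P<prio>\d+)\s+"
    r"(?P<role>[A-Z]+)\s+(?P<state>[A-Z]+)\s*(?P<flags>[A-Z]*)$"
)
BRIDGE_RE = re.compile(r"Bridge MAC (?P<mac>[0-9a-f]{12})")
ROOT_RE = re.compile(
    r"Regional Root MAC (?P<mac>[0-9a-f]{12}), Priority (?P<prio>\d+), "
    r"Path Cost (?P<cost>\d+)(?:, Root Port (?P<root_port>\S+))?"
)

CORE_FSW1 = """\
MST Instance Information, primary-Channel:
Instance ID 15
Config Priority 20480, VLANs 4094
Bridge MAC 704ca5e28210, MD5 Digest 9999b43d77cc58bba8854f9991c4a487
Regional Root MAC 704ca5e28210, Priority 20480, Path Cost 0
(This bridge is the regional root)
TCN Events Triggered 44, Received 94
Port Speed Cost Priority Role State Flags
________________ ______ _________ _________ ___________ __________ _______________
internal 1G 20000 128 DESIGNATED FORWARDING ED
D243Z17000085-0 20G 1 128 DESIGNATED FORWARDING ED
__FoRtI1LiNk0__ 2G 20000 128 DESIGNATED FORWARDING ED
>>> port24 STP state DISCARDING mismatches trunk `__FoRtI1LiNk0__`: Active members in HW: port23
8DP3W16000061-0 1G 1 128 DESIGNATED FORWARDING EN
8DP3W16000060-0 1G 1 128 DESIGNATED FORWARDING EN
Flags: EN(STP enable), ED(Edge), LP(Loop Protection), RG(Root Guard Triggered), BG(BPDU Guard Triggered)
"""

ACCESS_FSW1 = """\
MST Instance Information, primary-Channel:
Instance ID 15
Config Priority 28672, VLANs 4094
Bridge MAC 906caca3f1f6, MD5 Digest 9999b43d77cc58bba8854f9991c4a487
Regional Root MAC 704ca5e28210, Priority 20480, Path Cost 1, Root Port _FlInK1_MLAG0_
TCN Events Triggered 2, Received 12
Port Speed Cost Priority Role State Flags
________________ ______ _________ _________ ___________ __________ _______________
internal 1G 20000 128 DESIGNATED FORWARDING ED
_FlInK1_MLAG0_ 2G 1 128 ROOT FORWARDING EN
8DP3W16000060-0 2G 1 128 ALTERNATIVE DISCARDING EN
Flags: EN(STP enable), ED(Edge), LP(Loop Protection), RG(Root Guard Triggered), BG(BPDU Guard Triggered)
"""


def parse_stp(text):
    """Return bridge/root facts, the parsed port table and any '>>>' notices."""
    info = {"bridge_mac": None, "root_mac": None, "root_port": None,
            "is_root": False, "ports": [], "notices": []}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(">>>"):                 # inline hardware/STP mismatch warning
            info["notices"].append(line)
        elif "This bridge is the regional root" in line:
            info["is_root"] = True
        elif (m := BRIDGE_RE.search(line)):
            info["bridge_mac"] = m.group("mac")
        elif (m := ROOT_RE.search(line)):          # root_port is None on the root bridge
            info["root_mac"] = m.group("mac")
            info["root_port"] = m.group("root_port")
        elif (m := PORT_RE.match(line)):           # header/underscore/Flags lines do not match
            info["ports"].append(m.groupdict())
    return info


def blocked_ports(info):
    """Ports held in DISCARDING: each one is a redundant path, i.e. a loop STP had to break."""
    return [p["port"] for p in info["ports"] if p["state"] == "DISCARDING"]


def stp_findings(name, text):
    """Human-readable findings for one switch; an empty list means nothing is blocked."""
    info = parse_stp(text)
    out = []
    if not info["is_root"] and info["root_port"] is None:
        out.append(f"{name}: not the regional root but has no root port")
    for p in blocked_ports(info):
        out.append(f"{name}: {p} is DISCARDING, STP is breaking a loop here")
    for n in info["notices"]:
        out.append(f"{name}: {n}")
    return out


if __name__ == "__main__":
    for name, cap in (("Core-FSW1", CORE_FSW1), ("Access-FSW1", ACCESS_FSW1)):
        info = parse_stp(cap)
        role = "regional root" if info["is_root"] else f"root port {info['root_port']}"
        print(f"{name}: bridge {info['bridge_mac']}, {role}, {len(info['ports'])} ports")
        for f in stp_findings(name, cap):
            print("  ", f)
```

Paste a fresh "diagnose stp instance list 15" capture into a new string and call stp_findings() on it to compare states; the Access-FSW1 capture above yields exactly one finding, the blocked auto-ISL trunk 8DP3W16000060-0 that step 6 turns into the ICL.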
Added configuration, step 6:
6. Log in to Access-FSW1 and then Access-FSW2 and set "mclag-icl enable" on the trunk that directly connects them (the auto-ISL). This makes that link the ICL (Inter-Chassis Link) and stacks the two access switches. // This is the first extra step: it forms the stack of the two access switches.
Configure Access-FSW1:
FGT101E_Slave_045 # execute ssh admin@169.254.1.2
Access_FSW1 #
Access_FSW1 # config switch trunk
Access_FSW1 (trunk) #
Access_FSW1 (trunk) # show
config switch trunk
edit "_FlInK1_MLAG0_"
set mode lacp-active
set auto-isl 1
set mclag enable
set members "port48" "port47"
next
edit "8DP3W16000060-0"
set mode lacp-active
set auto-isl 1
set members "port45" "port46"
next
end
Access_FSW1 (trunk) # edit 8DP3W16000060-0 // the auto-ISL trunk to Access-FSW2 (auto-ISL trunks are named after the peer switch's serial number); enabling MCLAG-ICL on it stacks the two access switches
Access_FSW1 (8DP3W16000060-0) # set mclag-icl enable // enable MCLAG-ICL on access switch 1; the same must be done on access switch 2 for the pair to stack
Access_FSW1 (8DP3W16000060-0) # show
config switch trunk
edit "8DP3W16000060-0"
set mode lacp-active
set auto-isl 1
set mclag-icl enable
set members "port45" "port46"
next
end
Access_FSW1 (8DP3W16000060-0) # end
Access_FSW1 #
Configure Access-FSW2:
FGT101E_Slave_045 # execute ssh admin@169.254.1.5
Access_FSW2 # config switch trunk
Access_FSW2 (trunk) # show
config switch trunk
edit "_FlInK1_MLAG0_"
set mode lacp-active
set auto-isl 1
set mclag enable
set members "port48" "port47"
next
edit "8DP3W16000061-0"
set mode lacp-active
set auto-isl 1
set members "port45" "port46"
next
end
Access_FSW2 (trunk) # edit 8DP3W16000061-0 // the auto-ISL trunk to Access-FSW1 (named after the peer's serial number); enabling MCLAG-ICL on it stacks the two access switches
Access_FSW2 (8DP3W16000061-0) # set mclag-icl enable // enable MCLAG-ICL on access switch 2; with both sides set, the two switches are stacked
Access_FSW2 (8DP3W16000061-0) # show
config switch trunk
edit "8DP3W16000061-0"
set mode lacp-active
set auto-isl 1
set mclag-icl enable
set members "port45" "port46"
next
end
Access_FSW2 (8DP3W16000061-0) # end
Access_FSW2 #
Added configuration, step 7:
7. On Core-FSW1 and Core-FSW2, configure an auto-isl-port-group. The group name must be identical on both core switches; the member ports may differ. This lets the core MCLAG pair and the access MCLAG pair form one cross-chassis aggregate with each other. // This is the second extra step. Compared with 1 Tier there are exactly two additional steps: form the second MCLAG pair, then aggregate the two pairs together.
Configure the auto-isl-port-group on Core-FSW1 by hand:
FGT101E_Slave_045 # execute ssh admin@169.254.1.4
Core-FSW1 #
Core-FSW1 # config switch auto-isl-port-group
Core-FSW1 (auto-isl-port-~r) # show
config switch auto-isl-port-group
edit "mclag-tier2" // manually configured auto-isl-port-group; the name must be the same on Core-FSW1 and Core-FSW2, here mclag-tier2
set members "port21" "port22"
next
end
Core-FSW1 (auto-isl-port-~r) # end
Core-FSW1 #
Once this is configured, Core-FSW1 creates the aggregate interface automatically; no manual trunk configuration is needed:
Core-FSW1 # config switch trunk
Core-FSW1 (trunk) # show
config switch trunk
edit "D243Z17000085-0"
set mode lacp-active
set auto-isl 1
set mclag-icl enable
set members "port17" "port18"
next
edit "__FoRtI1LiNk0__"
set mode lacp-active
set mclag enable
set members "port23" "port24"
next
edit "mclag-tier2" // on an MCLAG pair, trunks with the same name on both peers form one cross-chassis aggregate; these are the "mclag-tier2" aggregate's two physical ports on Core-FSW1, port21 and port22
set mode lacp-active
set auto-isl 1
set mclag enable
set members "port21" "port22"
next
end
Core-FSW1 (trunk) # end
Core-FSW1 #
Likewise, configure the auto-isl-port-group on Core-FSW2 by hand:
FGT101E_Slave_045 # execute ssh admin@169.254.1.3
Core-FSW2 #
Core-FSW2 # config switch auto-isl-port-group
Core-FSW2 (auto-isl-port-~r) # show
config switch auto-isl-port-group
edit "mclag-tier2" // manually configured auto-isl-port-group; the name must be the same on Core-FSW1 and Core-FSW2, here mclag-tier2
set members "port21" "port22"
next
end
Core-FSW2 (auto-isl-port-~r) # end
Once this is configured, Core-FSW2 creates the aggregate interface automatically; no manual trunk configuration is needed:
Core-FSW2 # config switch trunk
Core-FSW2 (trunk) # show
config switch trunk
edit "D24T418000339-0"
set mode lacp-active
set auto-isl 1
set mclag-icl enable
set members "port17" "port18"
next
edit "__FoRtI1LiNk0__"
set mode lacp-active
set mclag enable
set members "port23" "port24"
next
edit "mclag-tier2" // on an MCLAG pair, trunks with the same name on both peers form one cross-chassis aggregate; these are the "mclag-tier2" aggregate's two physical ports on Core-FSW2, port21 and port22
set mode lacp-active
set auto-isl 1
set mclag enable
set members "port21" "port22"
next
end
Core-FSW2 (trunk) # end
Core-FSW2 #
The result can be understood as a cross-chassis aggregate "mclag-tier2" spanning the two stacked core switches and made up of four physical ports: port21 and port22 on Core-FSW1 plus port21 and port22 on Core-FSW2, all belonging to the one aggregate "mclag-tier2". To verify the change, re-run "diagnose stp instance list 15" on each of the four switches as in the check after step 5 and compare with those captures.
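Steps 6 and 7 both depend on the two halves of a pair being configured symmetrically, which is easy to get wrong when four switches are edited by hand. The script below is an added example written for this page, not Fortinet code; it parses "config switch trunk" show output and checks the two rules the procedure relies on: every switch in an MCLAG pair has exactly one trunk with "mclag-icl enable" (step 6), and every trunk flagged "mclag enable" carries the same name on both peers (step 7, where the auto-isl-port-group name must match). The Access-FSW1 starting config and the Core-FSW1 finished config are copied from the show output above; Access-FSW2's and Core-FSW2's are derived from them by renaming the one trunk that differs, as the page's output shows. The apply_step6 helper is an assumption that models what "edit <trunk> / set mclag-icl enable" changes in the parsed config.

```python
# Consistency check for one FortiSwitch MCLAG pair's trunk config (added example, not Fortinet code).
# Inputs are the `config switch trunk` / `show` outputs from steps 6 and 7 on this page.

def parse_trunks(text):
    """Parse `config switch trunk` show output into {trunk: {setting: value}}."""
    trunks, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            cur = line.split(None, 1)[1].strip('"')
            trunks[cur] = {"members": []}
        elif line.startswith("set ") and cur is not None:
            key, _, val = line[4:].partition(" ")
            if key == "members":
                trunks[cur]["members"] = [m.strip('"') for m in val.split()]
            else:
                trunks[cur][key] = val.strip()
        elif line in ("next", "end"):
            cur = None
    return trunks

def check_mclag_pair(pair, configs):
    """Findings for {switch: parsed trunks}; [] means the pair is consistent.
    Rules from this page: each peer has exactly one `mclag-icl enable` trunk (step 6),
    and `mclag enable` trunks carry the same name on both peers (step 7)."""
    if len(configs) != 2:
        return [f"{pair}: an MCLAG pair needs exactly two switches"]
    findings, mclag_names = [], {}
    for sw, trunks in configs.items():
        icl = [n for n, t in trunks.items() if t.get("mclag-icl") == "enable"]
        if len(icl) != 1:
            findings.append(f"{pair}/{sw}: expected exactly one ICL trunk, found {icl}")
        mclag_names[sw] = {n for n, t in trunks.items() if t.get("mclag") == "enable"}
    a, b = configs
    diff = mclag_names[a] ^ mclag_names[b]
    if diff:
        findings.append(f"{pair}: MCLAG trunk names not mirrored on both peers: {sorted(diff)}")
    return findings

def apply_step6(trunks, isl_trunk):
    """Models `edit <isl_trunk>` / `set mclag-icl enable` on a parsed config (assumed helper)."""
    trunks[isl_trunk]["mclag-icl"] = "enable"
    return trunks

# Access-FSW1 before step 6, copied from the page. Access-FSW2 differs only in the
# auto-ISL trunk name (the peer's serial number), so it is derived by renaming that trunk.
ACCESS_FSW1_BEFORE = """\
config switch trunk
edit "_FlInK1_MLAG0_"
set mode lacp-active
set auto-isl 1
set mclag enable
set members "port48" "port47"
next
edit "8DP3W16000060-0"
set mode lacp-active
set auto-isl 1
set members "port45" "port46"
next
end
"""
ACCESS_FSW2_BEFORE = ACCESS_FSW1_BEFORE.replace("8DP3W16000060-0", "8DP3W16000061-0")

# Core-FSW1 after step 7, copied from the page; Core-FSW2 differs only in its ICL trunk name.
CORE_FSW1_AFTER = """\
config switch trunk
edit "D243Z17000085-0"
set mode lacp-active
set auto-isl 1
set mclag-icl enable
set members "port17" "port18"
next
edit "__FoRtI1LiNk0__"
set mode lacp-active
set mclag enable
set members "port23" "port24"
next
edit "mclag-tier2"
set mode lacp-active
set auto-isl 1
set mclag enable
set members "port21" "port22"
next
end
"""
CORE_FSW2_AFTER = CORE_FSW1_AFTER.replace("D243Z17000085-0", "D24T418000339-0")

if __name__ == "__main__":
    access = {"Access-FSW1": parse_trunks(ACCESS_FSW1_BEFORE),
              "Access-FSW2": parse_trunks(ACCESS_FSW2_BEFORE)}
    print("access pair before step 6:", check_mclag_pair("access", access))
    apply_step6(access["Access-FSW1"], "8DP3W16000060-0")
    apply_step6(access["Access-FSW2"], "8DP3W16000061-0")
    print("access pair after step 6: ", check_mclag_pair("access", access))
    core = {"Core-FSW1": parse_trunks(CORE_FSW1_AFTER), "Core-FSW2": parse_trunks(CORE_FSW2_AFTER)}
    print("core pair after step 7:   ", check_mclag_pair("core", core))
```

Run it against the real switches by pasting each peer's "show" output into the strings: the access pair reports two missing ICLs before step 6, one if only a single side has been edited, and none once both are done; a typo in the auto-isl-port-group name on one core shows up as a name that is not mirrored on its peer.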