deltahotel
New Member
April 5, 2016
Question

2 x FGT100Ds connecting to switch stack


We currently have 2 x FortiGate 100Ds set up in HA connecting to a single switch to which several servers are attached. On the FortiGate, port1 is our WAN, port2 is our LAN. Because of the spec of the current switch, we have VLAN sub-interfaces on port2 corresponding to each server. Everything is working OK at the moment.


We want to build some redundancy in for the switch though, as a) it's a single point of failure and b) recovering it in the event of a failure would be quite time consuming. We've purchased two HP 2920s which I've stacked, and I'm trying to establish how the configuration should look before I arrange travel and server downtime.


I haven't built a stacked switch before, so I've mocked up a diagram of how it might look and attached it here. 

Is the layout consistent with anyone else's experience?

On the FortiGate, do I need to create a hardware switch consisting of port2 and port3 on the FGT? If yes, does that mean blowing away all objects in the config referring to port2 and replacing them with the name of the new hardware switch? :(

Or can I just enable LACP on the FortiGate on port2 and port3 and simultaneously enable LACP on the switch on ports 1/47, 1/48, 2/47 and 2/48?


The servers are mostly Windows 2012 with teamed NIC configurations; has anyone hit any pitfalls with this sort of setup?


HA mode: A-A

Firmware version: v5.2.4, build688


    1 reply

    Bunce
    New Member
    May 4, 2016

    I don't quite get the single-VLAN-per-server requirement, so I'll leave that for someone else, as ours are all virtualised and we don't have to worry about server-level teaming any more. But FWIW we've got an HA (Active-Passive) cluster set up using a pair of HP switches (unstacked) and just use the 'redundant interface' feature of the FortiGates.


    This has worked without issue on 200Bs and 200Ds to date and has provided sufficient performance for our needs.


    Either way, changing a physical port to an aggregate will usually mean removing any existing config, although there are a few methods to make this easier, such as making the config change offline and restoring it with the changes (requires a reboot).

    emnoc
    New Member
    May 4, 2016

    Go the aggregate route and build 2x members (one to each stack) and that will give you what you want. You can now leverage bonding or NIC teaming at the server if you need the ultimate HA. Cisco, HP and Juniper all have stackable switches that can do this with ease: 2960S, NX3548, EX4300 etc.


    But yes, rebuilding and tearing things apart is unavoidable. In the future it might be wise to place ports into zones if you have any notion that you will build into a multiple-stack cluster.


    i.e.

    PORT2 zone = WAN
    PORT3 zone = LAN01-WEB
    PORT4 zone = LAN02-DBS
    PORT5 zone = LAN03-3FL
    PORT6 zone = LAN04-VOIP

    (the same strategy applies to sub-interfaces)


    I did the above in a recent engagement since they only had budget for one Cisco 3750-X, and by Q1 2017 they will have the 2nd 3750-X to accomplish the stacking.


    This way you don't have to tear out firewall policies if you ever decide to go with new aggregate groups. You can also build out with a single member in an aggregate port. YMMV, but plan wisely ;)
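As an added example (not config posted by anyone in this thread, and not Fortinet's documentation), here is what the FortiOS 5.2 CLI looks like for the approach emnoc describes (an 802.3ad aggregate with one member to each stack unit, a VLAN sub-interface on top, and a zone that firewall policies reference instead of the physical port), with Bunce's 'redundant interface' alternative noted in a comment. The interface name `lan-agg`, the VLAN ID 10, the sub-interface name and address, and the zone name `LAN01-WEB` are assumptions chosen to match the thread; substitute your own. The security point is the indirection: policies bind to the zone, so the member interface can later be swapped without rewriting the policy set, and `intrazone deny` keeps traffic between members of the zone subject to explicit policy.

```fortios
# Added example, not from the thread. Names, VLAN ID and addresses are assumptions.

config system interface
    # LACP aggregate of port2 and port3; cable one member to each stack unit.
    # For Bunce's alternative (active/standby, no LACP) use "set type redundant"
    # with the same "set member" line and drop the lacp-* settings.
    edit "lan-agg"
        set vdom "root"
        set type aggregate
        set member "port2" "port3"
        set lacp-mode active
        set lacp-speed fast
        set algorithm L4
    next
    # VLAN sub-interface carried over the aggregate (the same pattern the
    # original setup used on port2, so the per-server VLAN design survives).
    edit "lan01-web"
        set vdom "root"
        set type vlan
        set interface "lan-agg"
        set vlanid 10
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping
    next
end

config system zone
    # Policies reference the zone, not the interface. Replacing "lan01-web"
    # later (new aggregate, different ports) only touches this object.
    edit "LAN01-WEB"
        set intrazone deny
        set interface "lan01-web"
    next
end

config firewall policy
    # "edit 0" lets FortiOS assign the next free policy ID.
    edit 0
        set srcintf "LAN01-WEB"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

On the HP 2920 side the matching (assumed, ProCurve-style) commands would be `trunk 1/47-1/48,2/47-2/48 trk1 lacp` followed by `vlan 10 tagged trk1` for each VLAN the FortiGate sub-interfaces carry; check the exact syntax against your switch firmware. Note that `set type aggregate` has to be chosen when the interface is created and member ports must be free of references, which is why both replies say existing port2 config will need to be torn out first.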