bcote
New Member
May 3, 2017
Solved

Active/Active HA 10G LACP LAN connection


Hi everyone,

Proud new owner of a pair of 1500Ds that I am going to implement in the coming months. My current test setup is Active/Active HA with a single 1G port connected to the LAN side (to a Cisco 6509 VSS Core). The production environment (Active/Passive) currently has 2 x 10G ports per firewall appliance to each Core. So, for example, FW1 to Core1 (active) and FW1 to Core2 (redundant). The same goes for FW2. My goal is to have redundant connections in a similar fashion with the FortiGates. I know it supports 802.3ad, but I want to make sure it is implemented correctly, especially as this will change all the rules and static routes currently being sent to a single port.

I haven't been able to find good information (cookbook, tech docs, ...) to truly determine the best practices, so before I open a ticket with support, I thought checking with the forums would probably be better.

Is anyone currently running A/A HA with redundant LAN ports to their Cores, or am I over-complicating it all?

Thanks for your input,

Ben

    Best answer by emnoc

    You should have no problems; we run ACTIVE on all FGTs running a mix of 5.2.x and 5.4.x with zero issues, including 1500s. We are running VSS and vPC domain in 6500s and NX-OS gear, btw.

    ken

    hklb
    Visitor III
    May 3, 2017

    Hi

    I think HA A-A is not necessary if your firewall is not undersized. It is more complicated to troubleshoot and the performance is improved only by 20%.

    You can create a LACP interface without any problem and it works very well on the 1k5D. I suggest using ports on the same NP6 (like 33-34, 35-36, 37-38, 39-40).

    Lucas

    emnoc
    New Member
    May 4, 2017

    A-A in a single-VDOM setup buys very little to nothing. If you had multi-VDOM with vcluster1 and vcluster2 and a load-balance VDOM, then I see that as an advantage.

    As far as LACP to a VSS cluster goes, that would be best practice and simple to deploy.

    Ken

    ede_pfau
    SuperUser
    May 4, 2017

    Congrats on the 1500D! Fun to play with...

    We've connected my customer's 1500D cluster cross-wise to an HPE switch stack, using 2x 2-port LACP trunks. The stack acts just like one single switch, even for LACP trunks. The 2 lines in a LACP trunk terminate on 2 different chassis in the stack. This way, one switch could fail without forcing the FGT to fail over, just reducing bandwidth. And one FGT can fail without losing bandwidth.

    But it does cost 4 x 10G ports to get this redundancy.
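As an added example (not code from any post in this thread), here is the FortiOS CLI that one such trunk amounts to on a 1500D: it follows hklb's advice to keep both members on one NP6 (port33/port34) and ede_pfau's layout where each FortiGate has a single 2-port 802.3ad trunk whose two links land on different chassis of the VSS pair, and it shows the static route and policy re-pointed at the aggregate instead of a physical port. The interface name "agg-core", the addresses and the policy are assumed placeholders; in an HA cluster this is entered once on the primary and synced.

```text
# Added example, not from the thread. Names and addresses are assumed.
# One LACP aggregate per FortiGate; the two members live on the same NP6
# (port33/port34 per hklb) and cable to different chassis of the VSS core.
config system interface
    edit "agg-core"
        set vdom "root"
        set type aggregate
        set member "port33" "port34"
        set lacp-mode active
        set algorithm L4
        set min-links 1
        set ip 10.10.0.1 255.255.255.0
        set allowaccess ping
    next
end
# Routes reference the aggregate, not the physical ports it replaces.
config router static
    edit 0
        set dst 10.0.0.0 255.0.0.0
        set gateway 10.10.0.254
        set device "agg-core"
    next
end
# Policies likewise use the aggregate as source/destination interface.
config firewall policy
    edit 0
        set srcintf "agg-core"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
# After cabling, confirm both members negotiated LACP (assumed name):
# diagnose netlink aggregate name agg-core
```

With min-links 1 the aggregate stays up on a single member, which is the "one switch fails, bandwidth drops" behaviour ede_pfau describes; the VSS side needs a matching port-channel in active LACP mode.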