Skip to main content
hichem-brahim
hichem-brahim
New Member
October 23, 2024
Solved

Best Practices for FortiGate HA Pair Setup with FortiSwitch FS148F and FS124F

  • October 23, 2024
  • 2 replies
  • 7446 views

Hello Fortinet Community,

I'm seeking advice on the best practice for setting up two FortiGate 121G units in an active-passive HA pair configuration, alongside two FortiSwitch models FS148F and FS124F (does not support MCLAG). I'm currently evaluating two potential topologies and would appreciate your insights on both, particularly around VLAN configurations and any relevant design considerations.

Here are the two topology options I'm considering:

  1. Daisy-Chained Topology:
    In this scenario, the two FortiGate units in HA mode will be connected to a daisy chain of FortiSwitches (FS148F and FS124F). The switches would be stacked for redundancy.

  2. Mesh Topology:
    Each FortiGate in the HA pair would be connected directly to both FortiSwitches. This creates a more distributed setup with each switch directly connected to each firewall for greater redundancy.

Questions:

  • How would VLAN management differ between the daisy-chained and mesh topologies?
  • What would be the most efficient way to handle VLANs with this setup to ensure optimal traffic flow and minimal complexity?
  • Are there any potential performance bottlenecks or limitations with either of these designs?Topo-1.pngTopo-2.png

Best answer by AlexC-FTNT

I think the answer is clear, but I probably miss the background of the "non-question".

In the first case you deliberately implement a SPoF in the first switch. If that goes down, all goes down. This should give you the answer. I'm curious why you would chose the first design anyway.

 

2 replies

AlexC-FTNT
Staff
AlexC-FTNTAnswer
Staff
October 23, 2024

I think the answer is clear, but I probably miss the background of the "non-question".

In the first case you deliberately implement a SPoF in the first switch. If that goes down, all goes down. This should give you the answer. I'm curious why you would chose the first design anyway.

 

    AEK
    SuperUser
    AEK
    SuperUser
    October 23, 2024

    Hello Hichem

     

    When you say redundancy, do you mean you will connect each server (or client) to both switches like with teaming/bonding? And in that case why do you use switches of different models?

    But in case you will not connect each server to both switches, then what do you mean by "redundancy"?

     

    Besides, in the first model you will use one FortiLink, and it is a common model, like shown here:

    https://docs.fortinet.com/document/fortiswitch/7.0.8/devices-managed-by-fortios/801188/ha-mode-fortigate-units-managing-a-fortiswitch-two-tier-topology

     

    While in the second you will use 2 FortiLinks, and in that case I think the ISL may cause a problem as the FG will see each MAC address from 2 interfaces, and in that case I think you should double-check if this could have any negative impact.

    And because of that, the second model can be modified to follow - lets say - the standard/common/supported model, just by removing the redundant links from FGTs to FSWs, and to obtain a topology this this one:

    https://docs.fortinet.com/document/fortiswitch/7.0.8/devices-managed-by-fortios/801190/ha-mode-fortigate-units-managing-a-stack-of-several-fortiswitch-units

    However I have some doubt here, since I've never tried ISL between two different models. Hope some more experienced user can help with this point.

     

    AEK
      Terms & ConditionsAccessibility statement