Ptipoussin588
New Member
December 17, 2019
Question

Fortigate Cluster (Active-Passive) to Layer 3 switch (VPC/MLAG)

  • 2 replies
  • 16540 views

Hi everybody,

Traditionally, we use a layer 2 connection between our FortiGate cluster and our CORE switch cluster (VSS, VPC or Stack), but I'd like to know if it's possible to have a full layer 3 connection (/30) between a FortiGate cluster (Active-Passive mode) and a switch cluster like Nexus VPC or Arista MLAG.

I put a small design in the attachment to describe the situation. The left design is what we're doing now, and the right one is what we would like to test.

Do you think it's possible?

How will the FortiGates react in case of failover?

Do we need to run some routing protocol like OSPF to achieve that?

Thank you for your help.

Best regards,

Greg.


    Toshi_Esumi
    SuperUser
    December 17, 2019

    If those /30 interfaces are the ones to pass user traffic through, no, you can't. FGT's HA is designed to have the config on both A and P identical, except for dedicated-to-management interfaces, which are isolated from the rest for management only.

    Ptipoussin588
    New Member
    December 17, 2019

    Hi Toshi,

    Yes, the user traffic passes through those interfaces. About your response, that's also what I thought! But this afternoon I contacted Fortinet Support to ask them, and they told me that an L3 configuration is valid too. But I don't agree with that.

    As you said, both firewalls must share the same configuration. Moreover, from a management point of view, when the FortiGate cluster is UP, we only have 1 management point, so I don't understand how it's possible to configure 2 different networks (/30) on the same physical port.

    Thank you for your help

    Best Regards,

    Izraelgard
    New Member
    December 13, 2023

    Actually, you can do L3 with two different subnets on one interface (secondary IP), but then you'll find out that e.g. OSPF is active only on one device, so there are scenarios where the failover means long periods of traffic blackholing. And I didn't find any ultimate solution to all the scenarios mentioned.