sw2090 (SuperUser)
July 1, 2025
Question

FortiGate HA and LACP with two clusters

  • July 1, 2025
  • 4 replies
  • 2508 views

Hello,

I would like to ask you for your opinion on this:

I have two HA clusters:

Cluster #1 has two 400Fs and is active-passive

Cluster #2 has two 200Fs and is active-passive

Between these two clusters is a link. This is an LACP aggregate interface with two ports (2x10G SFP).

Should there be a switch in between the two clusters?

Can they be connected directly? I could disable the LACP participation of the secondary node on each cluster to avoid MAC address conflicts (since without a switch there are no LAGs), which wouldn't be a problem since the secondary node is passive anyway.

What would you say is best practice here?

I found support docs that show it without a switch, but I also heard people say you have to have a switch in here...

So I am unsure now, and we also talk about a load of money (switches with many SFP ports are really expensive).

sjoshi (Staff), July 1, 2025

Hi,

Best practice is to place a switch between the two HA clusters when using an LACP (aggregate) link, as this allows proper LACP negotiation, prevents MAC address conflicts during failover, and provides better stability and scalability. While it is technically possible to connect the clusters directly and disable LACP on passive units, this setup is not recommended due to potential MAC flapping and unsupported behavior.
sw2090 (SuperUser, author), July 1, 2025

This would also mean that you create redundancy on your FortiGates by doing HA and then you create a single point of failure to connect the clusters.

sw2090 (SuperUser, author), July 1, 2025

Would it be better to not use aggregate interfaces and just use redundant interfaces instead, just to have link redundancy?

Toshi_Esumi (SuperUser), July 1, 2025

Better to have a stacked switch cluster and split LACP legs to different physical switches. So when one physical switch dies all operation would continue without interruption. Just half (if two legs) of the capacity.

Toshi
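As an added illustration of the two options raised above (the LACP aggregate split across a stacked switch pair, versus a plain redundant interface), here is FortiOS CLI for both, written for this thread rather than taken from any of the posts or from Fortinet documentation. Port names, addresses and the interface names are placeholders, and the option names should be checked against the FortiOS version in use (for example, `lacp-ha-secondary` was called `lacp-ha-slave` in older releases).

```fortios
# Added example, not from the thread. Port names and IPs are placeholders.

# Option A: 802.3ad aggregate toward a stacked switch pair, one member per
# physical switch. Losing one switch halves capacity but keeps the link up.
config system interface
    edit "agg_cluster_link"
        set type aggregate
        set member "port3" "port4"      # port3 -> switch 1, port4 -> switch 2
        set lacp-mode active            # negotiate LACP with the switch stack
        set lacp-speed fast             # 1 s LACPDUs so a dead leg is noticed quickly
        set min-links 1                 # bundle stays up on a single surviving leg
        set algorithm L4                # hash on the L4 tuple to use both legs
        # set lacp-ha-secondary disable  <- the knob the question refers to; behind a
        #                                   switch leave it at the default (enable)
        set ip 10.0.0.1 255.255.255.252
        set allowaccess ping
    next
end

# Option B: redundant interface, no LACP. Only one member carries traffic at a
# time and the other takes over on link loss, so nothing is negotiated with a
# peer and the two legs do not need to land on LACP-capable ports.
config system interface
    edit "red_cluster_link"
        set type redundant
        set member "port3" "port4"      # active/standby pair, no bundling
        set ip 10.0.0.1 255.255.255.252
        set allowaccess ping
    next
end
```

Option B gives link redundancy only; Option A gives both redundancy and the combined bandwidth of the two legs while both switches are up.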