Fortigate in a looped switch environment.

Question

HI All

I need to get some guidance on how we can deploy below network

Firewall HA ( 2 LAN port1 and port2 in same hardware switch),

Port 1 on both FG connect to cisco switch 1 and cisco switch 2 respectively. Port 2 on both FG connect to cisco switch 1 and 2 respectively also

Cisco Switch 1 and 2 also interconnected(trunk port). Cisco runs RPVST+. Switch1 runs as STP root primary, Switch 2 runs as STP root secondary

Above topology eventually create loop network. How should it be configured to avoid the loop

Fortigate hardware switch if disable STP, it eventaally create loop, and broadcast storm starts. Enable STP on FG hardware , eventually the broadcast stops. But i found some weird result. When i check Switch2 STP, it blocks the port connect to FG1, but port connect to FG2 becomes root, and forward state. Switch2 can still somehow reach FG IP, the mac-address also shows it learned from port to FG2. But FG2 runs as HA passive state. i try diagnose sniffer on FG2, nothing captured. How this possible.

Also what is best recommendation in this case to run loop free network.

sjoshi · Answer

Hi ​@nagis1986,Deploy the FortiGate HA cluster in active‑passive mode with each unit connecting redundantly to both Cisco switches through separate LACP bundles instead of using a single hardware switch group. Keep the HA heartbeat on a dedicated direct link that does not participate in STP. On Cisco switches, run RPVST+ with PortFast or edge‑port for FortiGate‑connected ports and enable BPDU Guard to prevent loops. Disable STP only on the isolated heartbeat link, not on production ports. When STP is disabled on FortiGate but enabled on Cisco, loops and broadcast storms appear; enabling FortiGate STP stops these but can alter which ports forward because RPVST+ elects different roots per VLAN

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded