Ayachinene
Explorer
February 24, 2025
Question

The method of assigning VLANs created in each VDOM to a single LAG for communication.


Hello, I am a new network engineer from Japan and would like to hear your thoughts on a problem I am facing. I am conducting communication tests with two FortiGate 100F devices in an HA active/passive configuration. In addition, I have created four VDOMs and configured two vclusters.

The composition:

・Vcluster 1: root, VDOM1
・Vcluster 2: VDOM2, VDOM3, VDOM4

 

The priority settings are as follows:

・Active device: Vcluster 1 (priority 200), Vcluster 2 (priority 100)
・Passive device: Vcluster 1 (priority 100), Vcluster 2 (priority 200)

Example: active device settings.

 

config system ha
    set group-id 1
    set group-name "FW-HA"
    set mode a-p
    set password ENC xxxxxxxxx
    set hbdev "ha1" 50 "ha2" 50
    set session-pickup enable
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "VLAN10"
        next
    end
    set vcluster-status enable
    config vcluster
        edit 1
            set override disable
            set priority 200
            set monitor "x1" "x2"
            set vdom "VDOM1" "root"
        next
        edit 2
            set override disable
            set priority 100
            set monitor "x1" "x2"
            set vdom "VDOM2" "VDOM3" "VDOM4"
        next
    end
end

 

We also configured a LAG using interfaces x1 and x2 and assigned the VLANs created for each VDOM to the LAG interface. The LAG interface is the interface used to communicate with the downstream switch. Inter-VDOM routing is not implemented in this test.

 

Currently all firewall policies are set to allow all traffic for the test phase. However, when I run the test without HA (standalone mode), I can ping successfully, but when I enable HA the ping fails.

 

Can someone explain why this is happening? Also, if there is any misconfiguration in my setup, I would appreciate your suggestions. I don't speak English fluently, so if any part of this explanation is unclear, please feel free to ask. Thank you very much for your help.


Toshi_Esumi
SuperUser
February 24, 2025

I haven't done vcluster myself with HA. But based on the mechanism of how it would work, described here:
https://docs.fortinet.com/document/fortigate/7.4.7/administration-guide/599385/ha-virtual-cluster-setup
I think the parent/physical interface and the VLAN interfaces have to be in the same vcluster. Because if the VDOM (likely root now) that the LAG interface belongs to is active on the HA-A unit, all VLANs on the LAG work if the other VDOMs are active on the same HA-A unit side. But for the VDOMs active on the HA-B unit side, the LAG interface in the root VDOM is NOT active and doesn't pass traffic. So all VDOM VLANs on the LAG wouldn't operate.
And the HA heartbeat connection is not designed to pass user traffic: only config sync and session sync (if you didn't separate them), and negotiating the primary role.

It's described below as a 7000E limitation. But I don't think it's limited to this particular model.
https://docs.fortinet.com/document/fortigate/7.6.2/fortigate-7000e-administration-guide/792343/virtual-clustering-vlan-vdom-limitation

I guess that's why I never used vclustering.

Toshi

Ayachinene
Explorer
February 25, 2025

Dear Toshi_Esumi,

I hope this message finds you well.
Thank you very much for your response.

If I understand correctly, I can achieve communication by assigning the VLAN of each VDOM to the LAG without using Vcluster, is that correct?

I apologize for my lack of knowledge, but I would greatly appreciate your response.

Toshi_Esumi
SuperUser
February 25, 2025

Yes, of course. That's the same situation as when you run one of them standalone. All VDOMs that are using the LAG (in the root VDOM?) need to fail over to the secondary when the root VDOM fails over.

Toshi
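As an added example (not part of the original thread, and not Fortinet's own sample configuration), here is what the two answers above amount to in FortiOS CLI: the interface layout from the original post (a LAG owned by root with one VLAN sub-interface per VDOM on top of it), a note on why the posted vcluster split breaks it, and the corrected HA block in the two forms the thread discusses. The LAG name `lag1`, the VLAN names/IDs 20-40 and the use of `config global` are assumptions; `x1`, `x2`, `ha1`, `ha2`, `VLAN10`, the VDOM names and the priorities come from the post.

```fortios
# Interface layout as described in the post. lag1 and the VLAN IDs are assumed names.
# The LAG parent lives in root; the VLAN sub-interfaces live in VDOM2, VDOM3, VDOM4.
config global
    config system interface
        edit "lag1"
            set vdom "root"
            set type aggregate
            set member "x1" "x2"
        next
        edit "VLAN20"
            set vdom "VDOM2"
            set type vlan
            set interface "lag1"
            set vlanid 20
        next
        # VLAN30 (VDOM3) and VLAN40 (VDOM4) are configured the same way on lag1.
    end
end

# Why the posted split fails: root (owner of lag1) is in vcluster 1 and is primary on
# unit A, while VDOM2-4 are in vcluster 2 and primary on unit B. On unit B lag1 is the
# secondary copy and passes nothing, so the VLANs of VDOM2-4 have no working parent.
# The heartbeat links do not carry user traffic between the units either.

# FIX A (what the thread converges on): one cluster, no vclusters. Every VDOM, and
# therefore lag1 together with all of its VLANs, fails over as a unit.
# password, ha-mgmt-status and ha-mgmt-interfaces stay exactly as in the post.
config global
    config system ha
        set group-id 1
        set group-name "FW-HA"
        set mode a-p
        set hbdev "ha1" 50 "ha2" 50
        set session-pickup enable
        set override disable
        set priority 200
        set monitor "x1" "x2"
        set vcluster-status disable
    end
end

# FIX B: keep vclusters, but put every VDOM that owns or uses lag1 into the SAME
# vcluster so the parent interface and its VLANs always move together. This only
# helps if the VDOM left in vcluster 2 (VDOM1 here) has its own physical ports and
# no VLAN on lag1; in the post every VDOM uses the LAG, so FIX A is the one that applies.
config global
    config system ha
        set vcluster-status enable
        config vcluster
            edit 1
                set override disable
                set priority 200
                set monitor "x1" "x2"
                set vdom "root" "VDOM2" "VDOM3" "VDOM4"
            next
            edit 2
                set override disable
                set priority 100
                set vdom "VDOM1"
            next
        end
    end
end
```

After applying either form, `get system ha status` on each unit shows which unit is primary (with FIX A there is a single primary for everything); re-run the pings from the downstream switch through each VLAN and then pull a LAG member to confirm the monitored-interface failover moves all VLANs to the other unit together.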