isasic
New Member
October 3, 2016
Question

Transparent mode - BPDU


Hello everyone, 

 

I have a question: in the case of an active/standby HA cluster of two FortiGates in transparent mode (280D), is there a possibility for the unit in passive mode to process BPDU packets?

 

Thank you very much for your help! 

 

Ivan 

    2 replies

    emnoc
    New Member
    October 3, 2016

    The question would be: why would you want that?

     

    Do you have "set stpforward enable" enabled on the interface pairs?

     

    If yes, then you should be okay, but you should double-check on both units by using the "diag netlink brctl" list commands.

     

    isasic (Author)
    New Member
    October 4, 2016

    Thank you emnoc!

     

    I have a topology that looks like this. Two ASAs and two FortiGates, both in active/standby failover. The FortiGates must stand between three L2 switches in a triangle. The point is, we should cover every possible failure scenario, from links between devices to the devices themselves. This is the Internet segment, and internal traffic is going outside toward SW1. You also have an Internet router that is sitting in front of SW1, which is the ASA's upstream next hop.

     

    If the standby FortiGate is forwarding BPDU packets (when I configure it with 'set stp-forward enable'), I guess this would work well. But I don't know about STP behavior when there are more than two STP-speaking devices on the same LAN segment.

    isasic (Author)
    New Member
    October 4, 2016

    Sorry, guess I didn't attach the image. And my experienced colleague just explained to me that I could achieve all of this without cross-links between the FortiGates and switches and without BPDU packet forwarding at all. The fact is that the passive unit doesn't process any traffic at all at any given moment. Thanks anyway!

    emnoc
    New Member
    October 4, 2016

    So are you running tagged interfaces on the 3 links between the FGT, and what/why the cross-links between the FGTs and sw2/sw3?

     

    If you could add port#s and the interface for the opmode transparent (tags and forwarddomain if applicable), that might give us a better idea of the topology from the Cisco ASA to sw1. I don't think the cross-links between each FGT to the opposite switches are needed from the picture.