VRRP configuration on cluster

Question

HiI'm working on a new design and I need to know if this is possible or not.Currently, we have 2 server rooms in separate buildings. In each location we have a core switch with a L3 routed connection between them. We have stretched vlans between the rooms, using VRRP on the core switches. This allows us to vmotion VM from roomA to roomB, without changing IP details. Each of the server vlans are using the VRRP ID from the switches as their gateway. We also have a Fortgate HA cluster in A-P mode. The active member is in roomA with the passive member in roomB. What I want to do is move the server vlans behind the firewall. Is this just a simple case of moving the VRRP configuration to the Fortigate cluster? How would this work, if there are servers on the same subnet/vlan in each room but there is a passive fortigate cluster member in the room? Or should the cluster be changed from A-P to A-A mode? I'm just trying to work out how the traffic would flow. ThanksRoy

Toshi_Esumi · Answer

Not sure how the FGT cluster is currently connected to the network. But moving LAN side VLANs to the FGT is to move the current VRRPed GW IP to the FGT. Then move the VLANs along to reach the FGT's LAN interfaces. HA acts as an alternative to the VRRP (only one device/interface operates as the primary at a time), you don't need VRRP on the FGT or you wouldn't be able to configure in A-P mode since the config is almost identical between them.
If you have a diagram, that would tell you what you need to do. Nothing should be complicated.

A-P or A-A is a separate consideration from if you have LAN side behind the FW or not. It wouldn't affect how you move those VLANs around. A-A can loadbalance only proxy processes all traffic/sessions need to get to the primary unit. You need to read the document from FTNT to decide if you really need A-A or not.

Toshi

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded