Description
This article explains Active-Passive High Availability scenario.
Scope
FortiGate, High Availability.
Solution
In the following scenarios, FortiGate is connected to two switches without LACP and with LACP (802.3ad) design.
Any HA deployment is highly dependent on the network side.
The following scenarios explain common best practices for HA network design.
Scenario 1: Without LACP.
SW-A and SW-B are in one cluster or called stacking which acts as 1 brain.
- One cable(port23) from SW-A connects to FGT-A(port1).
- One cable(port23) from SW-B connects to FGT-B(port1).
Assuming SW-A and SW-B are the 'core switch'(one brain) for now, which connects to FGT-A and FGT-B.Core switch: 10.10.10.2
FortiGate: 10.10.10.1
SW-A(port23) to FGT-A(port1) set as VLAN100
SW-B(port23) to FGT-B(port1) set as VLAN100
From a core switch perspective, 10.10.10.1 (FortiGate) is reachable on VLAN100.
The core switch(SW-A & SW-B) may send traffic to both FGT-A and FGT-B at the same time due to the same VLAN100.
SW-A(port23) to FGT-A(port1) set as VLAN100
SW-B(port23) to FGT-B(port1) set as VLAN100
From a core switch perspective, 10.10.10.1 (FortiGate) is reachable on VLAN100.
The core switch(SW-A & SW-B) may send traffic to both FGT-A and FGT-B at the same time due to the same VLAN100.
Since FGT-A is the primary, only FGT-A will respond to the traffic.
Scenario 2: With LACP.
This scenario is almost the same as the first, but this scenario is configured with LACP for higher redundancy and better performance.
On the core switch side:
LACP Group A = Port23 and port24 of SW-A. This group connects to FGT-A port1&port2.
LACP Group B = Port23 and port24 of SW-B. This group connects to FGT-B port1&port2.
LACP Group B = Port23 and port24 of SW-B. This group connects to FGT-B port1&port2.
Separate the LACP group for each FortiGate. Note, two FortiGates are considered as 2 individual brains (active-passive).
Combining 4 cables in 1 group will make the LACP not work as expected.
