jtfinley
Contributor

HA require Switch LAG configuration?

Running (2) Fortigate 80C in HA mode. ISP provides (2) feeds but only 1 is active; I assume HSRP?

INSIDE Switch1 -> FGT1:WAN1 -> Switch1 -> ISP Ethernet Feed
INSIDE Switch2 -> FGT2:WAN1 -> Switch2 -> ISP Ethernet Feed

Is it required that I run LAG (Trunk or EtherChannel) on either end of the switches? The switches in use now are NOT stackable. Have a weird issue taking place and need to confirm if this is a requirement. Thanks in advance.
emnoc
Esteemed Contributor III

What do you mean, 2 feeds? Also, in FGT1 & 2, you need the 2 ISP handoffs, if they are in HA, attached to the same LAN/VLAN as the FGT1 and FGT2 WAN interfaces. See the file for a typical setup; excuse me for using an ASA in my example ;)

PCNSE 

NSE 

StrongSwan  
jtfinley

What do you mean, 2 feeds? Also, in FGT1 & 2, you need the 2 ISP handoffs, if they are in HA, attached to the same LAN/VLAN as the FGT1 and FGT2 WAN interfaces. See the file for a typical setup; excuse me for using an ASA in my example ;)
We have a cabinet in a datacenter where they provide (2) Ethernet feeds. I agree, it's overly complicated, but my goal for the network is to be completely redundant. The switches in use now are not stackable and I can't seem to find low port density switches that STACK, i.e. an 8-12 port switch with true STACKING capability... My original question was: must I have stackable switches and configure LAG for both WAN1 feeds, or simply just plug into the same logical domain?
ede_pfau
Esteemed Contributor III

I agree; you use way too many switches... Look at the HA pair as ONE FGT. All ports used on FGT1 must be connected (port by port) to the same ports on FGT2. Assume you are using <n> ports on the FGT (like WAN, LAN and DMZ => <n>=3). You can either use <n> switches, each having at least 3 ports, or use one switch which you partition into <n> compartments using port-based VLANs. I would partition into <n> x 4 ports: FGT1, FGT2, LAN connect and one spare for testing. So using one 24-port switch you could utilize 6 firewall ports for different zones. And in my inner ear I already hear emnoc gasping "not all eggs into one basket!" - if you use one switch like this you build in a single point of failure; you should know that. In the clusters I've built so far I've always used one switch per firewall port used.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
jtfinley

Look at the HA pair as ONE FGT. All ports used on FGT1 must be connected (port by port) to the same ports on FGT2.
Yes, both FGT's are connected exactly the same to various switches; I am confused by their documentation about HA. Do I require LAG or not when incorporating stacked switches?
emnoc
Esteemed Contributor III

Agreed with the last statement. Even better, I build stacked members (2960) with aggregated links from each FGT. Might be overly built for a small office, but a must in an enterprise or carrier arena. Food for thought: e.g. we built vPC to Nexus 5Ks for FGT3040 in my last big deployment. This gave us full multipath with no single failure. Also with HA members, we use dual links for HA link redundant connections. This might be limiting in a smaller FGT, but once again a must in an enterprise or carrier outfit.

PCNSE 

NSE 

StrongSwan  
ede_pfau
Esteemed Contributor III

No, you don't. And I'm afraid you didn't get my point (sorry, my fault): each port of both FGTs has to be connected to the SAME switch. So, if you use LAN and WAN1, WAN2 on the FGTs, you would need 3 switches with at least 3 ports (better 4 ports). That's just for HA. To get rid of the risk that one small switch fails you could stack 2 to form 1 switch. In the above example, you'd need 6 small switches which would have to be stackable. As these do not exist, I recommend bigger switches (like 24 port), stack 2 of them and partition them into 3 x 4 ports (3 internal port-based VLANs). Select the 4 ports in such a manner that they span both switches:

portgroup 1: sw1-1, sw1-2, sw2-1, sw2-2
from FGT1-LAN to sw1-1
from FGT2-LAN to sw1-2
from your LAN to sw1-2 or sw2-2 (or via LAG to both)

Likewise for WAN1 and WAN2, using the same switches sw1 and sw2. Bottom line: no LAG required on FGTs, LAG only if your connection should be redundant. Sounds far more complicated than it is in reality.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
jtfinley

Bottom line: no LAG required on FGTs, LAG only if your connection should be redundant.
Great follow-up, Ede. OK, to clarify for my own thoughts - I always tend to overcomplicate things..... LAG ONLY if the connection should be redundant, meaning if HA is in ACTIVE/ACTIVE, which both of mine are. My FGT 80C's do not support LAG apparently.
ede_pfau
Esteemed Contributor III

No, sorry,
LAG only if your connection should be redundant
should read
LAG between switch and your LAN only if your connection from the switch to your LAN is required be redundant
LAG is no requirement for a FGT cluster! The cluster protocol (FGCP) takes care, if there are multiple links to the same target, to avoid loops. If you re-read the setup of a HA cluster in the Handbook, don't read too much into it - it's short because there's not much to do. No complications to take into account. The only thing 'complicated' you could do on the FGT side is to have 2 HA links between the FGTs. Reasoning: one HA link will do nicely. BUT if that link breaks (is pulled by accident) then the cluster falls apart - you immediately have 2 identical routers with identical IP addresses, ALIVE. Breaking the HA link must be avoided at any cost. Best practice: do not run the link across any intermediate switch, use 2 cables which you annotate accordingly, use a different cable color (RED for instance). And one final best practice: you will have good reasons to run the cluster in A/A. From my experience, an A/P cluster is much more stable and serves just as well 90% of the time. So, if you have good reasons, OK; if not, stick to A/P.
My FGT 80C's do not support LAG apparently.
So much the better. No brain racking needed.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
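As an added illustration of the points Ede makes above (not posted by anyone in this thread), here is how the single-heartbeat setup and the recommended dual-heartbeat, active-passive setup look in the FortiOS CLI; the interface names ha1, ha2, wan1 and internal, the group name and the password are placeholders and not taken from the thread, and the same block is entered on both cluster members (only priority differs).

```text
# Added example, not from the thread. Port names (ha1, ha2, wan1, internal)
# are assumptions; use the ports that are actually cabled on your units.

# Weak: a single heartbeat link. If this one cable is pulled, the cluster
# falls apart and you get two live units with identical addresses.
config system ha
    set mode a-p
    set group-name "office-cluster"
    set password "use-a-long-shared-secret"
    set hbdev "ha1" 50
end

# Better: two heartbeat links, cabled directly FGT1 <-> FGT2 with no switch
# in between. FGCP uses both, so one cable can fail or be pulled safely.
# a-p keeps one unit forwarding; session-pickup lets sessions survive a
# failover; monitor triggers failover when a monitored port loses link.
config system ha
    set mode a-p
    set group-name "office-cluster"
    set password "use-a-long-shared-secret"
    set hbdev "ha1" 50 "ha2" 50
    set session-pickup enable
    set monitor "wan1" "internal"
    set override disable
    set priority 200
end
```

On the second member use a lower `set priority` (for example 100) so the intended unit becomes primary; everything else stays identical.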
jtfinley
Contributor

Thanks guys for the reply. I had drawn out removing the (6) switches, consolidating to (2) stackable ones and creating VLANs.