Hello Fortinet Community,
I'm seeking advice on the best practice for setting up two FortiGate 121G units in an active-passive HA pair configuration, alongside two FortiSwitch models, FS148F and FS124F (no MCLAG support). I'm currently evaluating two potential topologies and would appreciate your insights on both, particularly around VLAN configurations and any relevant design considerations.
Here are the two topology options I'm considering:
Daisy-Chained Topology:
In this scenario, the two FortiGate units in HA mode will be connected to a daisy chain of FortiSwitches (FS148F and FS124F). The switches would be stacked for redundancy.
Mesh Topology:
Each FortiGate in the HA pair would be connected directly to both FortiSwitches. This creates a more distributed setup with each switch directly connected to each firewall for greater redundancy.
Questions:
I think the answer is clear, but I probably miss the background of the "non-question".
In the first case you deliberately implement a SPoF in the first switch. If that goes down, all goes down. This should give you the answer. I'm curious why you would choose the first design anyway.
Hello Hichem
When you say redundancy, do you mean you will connect each server (or client) to both switches like with teaming/bonding? And in that case why do you use switches of different models?
But in case you will not connect each server to both switches, then what do you mean by "redundancy"?
Besides, in the first model you will use one FortiLink, and it is a common model, as shown here:
While in the second you will use 2 FortiLinks, and in that case I think the ISL may cause a problem as the FG will see each MAC address from 2 interfaces, and in that case I think you should double-check if this could have any negative impact.
And because of that, the second model can be modified to follow - let's say - the standard/common/supported model, just by removing the redundant links from FGTs to FSWs, to obtain a topology like this one:
However, I have some doubt here, since I've never tried ISL between two different models. I hope a more experienced user can help with this point.
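Both replies above turn on the same question: which single device failure isolates hosts from the firewalls in each topology? The following is an added illustration, not code from the thread or from Fortinet. It models the daisy-chained and mesh designs as link graphs, removes each infrastructure node in turn, and reports which hosts lose every path to a FortiGate. Device names, the assumption that both FortiGates attach to the FS148F in the daisy-chain design, the single-homed hosts, and the third "dual-homed hosts" variant (active-backup style teaming to both switches, as the second reply asks about) are all constructed for the example.

```python
from collections import deque

# Constructed inventory: the HA pair and two single-homed hosts.
FIREWALLS = {"FG1", "FG2"}
HOSTS = {"hostA", "hostB"}

# Daisy chain (assumed): both FortiGates link to FS148F over FortiLink,
# FS124F hangs off FS148F via ISL, each host sits on one switch.
DAISY_CHAIN = {
    ("FG1", "FS148F"), ("FG2", "FS148F"),
    ("FS148F", "FS124F"),
    ("FS148F", "hostA"), ("FS124F", "hostB"),
}

# Mesh: each FortiGate links to both switches; switches still ISL'd together.
MESH = {
    ("FG1", "FS148F"), ("FG1", "FS124F"),
    ("FG2", "FS148F"), ("FG2", "FS124F"),
    ("FS148F", "FS124F"),
    ("FS148F", "hostA"), ("FS124F", "hostB"),
}

# Mesh plus hosts teamed to both switches (hypothetical variant).
MESH_DUAL_HOMED = MESH | {("FS148F", "hostB"), ("FS124F", "hostA")}


def adjacency(links, removed=frozenset()):
    """Build an undirected adjacency map, dropping links that touch `removed`."""
    adj = {}
    for a, b in links:
        if a in removed or b in removed:
            continue
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def reachable(adj, start):
    """Breadth-first set of nodes reachable from `start`."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def isolated_hosts(links, failed):
    """Hosts that lose every path to a FortiGate when `failed` is down."""
    adj = adjacency(links, {failed})
    return {h for h in HOSTS if not (reachable(adj, h) & FIREWALLS)}


def failure_impact(links):
    """Map each infrastructure node (switch or firewall) to the hosts its loss isolates."""
    infra = {n for link in links for n in link} - HOSTS
    return {n: isolated_hosts(links, n) for n in sorted(infra)}


def site_wide_spof(links):
    """Nodes whose single failure takes every host off the firewalls."""
    return {n for n, lost in failure_impact(links).items() if lost == HOSTS}


if __name__ == "__main__":
    for name, links in (("daisy chain", DAISY_CHAIN),
                        ("mesh", MESH),
                        ("mesh, dual-homed hosts", MESH_DUAL_HOMED)):
        print(f"{name}: impact={failure_impact(links)} "
              f"site-wide SPoF={site_wide_spof(links) or 'none'}")
```

Run as written, the daisy chain reports FS148F as a site-wide single point of failure (losing it isolates both hosts), the mesh reports none (each switch failure only isolates the hosts on that switch), and only the dual-homed variant survives any single device loss. Losing either FortiGate isolates nobody in all three, which is the HA pair doing its job.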