hichem-brahim
New Contributor

Best Practices for FortiGate HA Pair Setup with FortiSwitch FS148F and FS124F

Hello Fortinet Community,

I'm seeking advice on the best practice for setting up two FortiGate 121G units in an active-passive HA pair configuration, alongside two FortiSwitch models FS148F and FS124F (does not support MCLAG). I'm currently evaluating two potential topologies and would appreciate your insights on both, particularly around VLAN configurations and any relevant design considerations.

Here are the two topology options I'm considering:

  1. Daisy-Chained Topology:
    In this scenario, the two FortiGate units in HA mode will be connected to a daisy chain of FortiSwitches (FS148F and FS124F). The switches would be stacked for redundancy.

  2. Mesh Topology:
    Each FortiGate in the HA pair would be connected directly to both FortiSwitches. This creates a more distributed setup with each switch directly connected to each firewall for greater redundancy.

Questions:

  • How would VLAN management differ between the daisy-chained and mesh topologies?
  • What would be the most efficient way to handle VLANs with this setup to ensure optimal traffic flow and minimal complexity?
  • Are there any potential performance bottlenecks or limitations with either of these designs?

[Attached topology diagrams: Topo-1.png, Topo-2.png]

2 Solutions
AlexC-FTNT
Staff

I think the answer is clear, but I am probably missing the background of the "non-question".

In the first case you deliberately implement a SPoF in the first switch. If that goes down, all goes down. This should give you the answer. I'm curious why you would choose the first design anyway.

- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -

AEK
SuperUser

Hello Hichem

When you say redundancy, do you mean you will connect each server (or client) to both switches like with teaming/bonding? And in that case why do you use switches of different models?

But in case you will not connect each server to both switches, then what do you mean by "redundancy"?

Besides, in the first model you will use one FortiLink, and it is a common model, as shown here:

https://docs.fortinet.com/document/fortiswitch/7.0.8/devices-managed-by-fortios/801188/ha-mode-forti...

While in the second you will use two FortiLinks, and in that case I think the ISL may cause a problem, as the FG will see each MAC address from two interfaces; in that case I think you should double-check whether this could have any negative impact.

And because of that, the second model can be modified to follow, let's say, the standard/common/supported model, just by removing the redundant links from the FGTs to the FSWs, to obtain a topology like this one:

https://docs.fortinet.com/document/fortiswitch/7.0.8/devices-managed-by-fortios/801190/ha-mode-forti...

However, I have some doubts here, since I've never tried an ISL between two different models. Hope a more experienced user can help with this point.

AEK

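Editor's note, added example (not part of the original thread or of Fortinet's documentation): a FortiOS 7.x CLI fragment for the single-FortiLink model AEK points to, i.e. one FortiLink aggregate on the FortiGate HA pair with one member port toward each FortiSwitch, the two switches joined by an ISL. Port names, switch serial numbers, addresses and VLAN IDs are placeholders chosen for the example. Two things it illustrates that the thread only alludes to: with `fortilink-split-interface` enabled (the default when the switches are not an MCLAG pair) only one member link of the aggregate is active at a time, so the FortiGate learns each MAC on a single link and the standby link takes over on failure; and VLANs are defined once on the FortiGate as sub-interfaces of the FortiLink and then pushed to switch ports, which is the same on a 148F and a 124F, so the mixed models do not change the VLAN handling. The configuration is entered on the HA primary; HA synchronises it to the secondary.

```text
# Added example, not from the thread. FortiOS 7.x CLI.
# Assumed: port5 cabled to the FS148F, port6 to the FS124F, on both HA members.

# 1. One FortiLink aggregate with a member toward each switch.
#    fortilink-split-interface keeps one member active and one standby,
#    which is the non-MCLAG model; the switches are joined by an ISL.
config system interface
    edit "fortilink"
        set vdom "root"
        set fortilink enable
        set ip 169.254.1.1 255.255.255.0
        set allowaccess ping fabric
        set type aggregate
        set member "port5" "port6"
        set lldp-reception enable
        set lldp-transmission enable
        set fortilink-split-interface enable
    next
end

# 2. VLANs are sub-interfaces of the FortiLink, so the FortiGate is the
#    L3 gateway and the policy point for every VLAN, on either switch model.
config system interface
    edit "vlan10-users"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping
        set interface "fortilink"
        set vlanid 10
    next
    edit "vlan20-servers"
        set vdom "root"
        set ip 10.10.20.1 255.255.255.0
        set allowaccess ping
        set interface "fortilink"
        set vlanid 20
    next
end

# 3. Assign VLANs to ports on each managed switch (serial numbers are
#    placeholders). "vlan" is the native/untagged VLAN; "allowed-vlans"
#    adds tagged VLANs, e.g. for a server NIC team that spans both switches.
config switch-controller managed-switch
    edit "S148FFTF00000001"
        config ports
            edit "port1"
                set vlan "vlan10-users"
            next
            edit "port2"
                set vlan "vlan20-servers"
                set allowed-vlans "vlan10-users"
            next
        end
    next
    edit "S124FFTF00000002"
        config ports
            edit "port1"
                set vlan "vlan10-users"
            next
            edit "port2"
                set vlan "vlan20-servers"
                set allowed-vlans "vlan10-users"
            next
        end
    next
end
```

Check after applying it with `diagnose switch-controller switch-info port-stats`-style commands as documented for your release, and confirm on the FortiGate that only one member of `fortilink` is up while the other shows as standby; if both members are up and forwarding, the split-interface setting did not take effect and you are back in the two-link situation AEK warns about. The ISL between the two switches is the path that carries a VLAN from the switch on the standby link to the active one, so its capacity is the bottleneck to watch for in this design.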