Hi Community,
I have two HA Clusters that I need to connect.
DC1 has 2x FG200E running active-active
DC2 has 2x FG201F running active-passive
How would you connect those two HA clusters? I want to be able to lose one of the Fortigates on each side.
Would you put a switch in between and connect to the switch using an aggregate?
Or would you directly connect the Fortigates?
I want to create a /30 transfer network to route traffic between the two DCs.
Thanks for your suggestions. :)
The main question is "why do you need to connect them"?
What is the goal you are trying to achieve?
If the goal is redundancy, you can set them up in FGSP, but the topology must be fairly symmetrical:
Connecting them through a switch/directly connecting them will not provide any redundancy, as the two clusters will "fight" for the Master role: you will either have packet/session drops or a lot of retransmissions, as each cluster will forward the traffic and try to establish sessions for the clients.
Hi Alex,
It's not for HA redundancy. I'm happy with the two separate HA clusters.
I just have these two Datacenters and want a direct connection between them for internal traffic from one DC to the other. The Connection between the Datacenters should be established in a way that allows any of the cluster units to fail without interrupting the connection between the Datacenters.
As mentioned, my plan is to create a /30 Subnet as transfer Network where both clusters have an interface in this subnet so Traffic between the Datacenters can be routed.
My question is, what is the most elegant way to connect the two sites. Directly (if yes, how) or with a switch in between.
Thanks!
For a simple connection between them you definitely need a switch to handle it, especially if you plan to use an aggregate link.
Cluster1 has units 1A (1Aport1, 1Aport2) - LACP1A, 1B (1Bport1, 1Bport2) - LACP1B on switch
This is on the local switch, which can be further linked with an aggregate to the remote local switch:
Cluster2 has units 2A (2Aport1, 2Aport2) - LACP2A, 2B (2Bport1, 2Bport2) - LACP2B on switch
Thanks Alex!
That's the setup I already tried out in my sandbox. I was hoping there could be a solution without switches. Anyway, thanks for your time and help.
Cheers
As long as you have HA, there must be (at least) a switch for redundancy and to connect the ISP link(s) to both units. And these switches are already present on site (while LACPs only provide an increase in bandwidth).