TheChosenOne
New Contributor II

Connect two HA Clusters in a redundant way

Hi Community,

I have two HA Clusters that I need to connect.

DC1 has 2x FG200E running active-active
DC2 has 2x FG201F running active-passive

How would you connect those two HA clusters? I want to be able to lose one of the Fortigates on each side.

Would you put a switch in between and connect to the switch using an aggregate?
Or would you directly connect the Fortigates?

I want to create a /30 transfer network to route traffic between the two DCs.

Thanks for your suggestions. :)

AlexC-FTNT
Staff

The main question is "why do you need to connect them"?

What is the goal you are trying to achieve?

If the goal is redundancy, you can set them up in FGSP, but the topology must be fairly symmetrical:

https://docs.fortinet.com/document/fortigate/6.0.0/handbook/284323/fortigate-session-life-support-pr...

Connecting them through a switch/directly connecting them will not provide any redundancy, as the two clusters will "fight" for the Master role - you will either have packet/session drops or a lot of retransmissions, as each cluster will forward the traffic and try to establish sessions for the clients.


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
TheChosenOne
New Contributor II

Hi Alex,

It's not for HA redundancy. I'm happy with the two separate HA clusters.

I just have these two datacenters and want a direct connection between them for internal traffic from one DC to the other. The connection between the datacenters should be established in a way that allows any of the cluster units to fail without interrupting the connection between the datacenters.

As mentioned, my plan is to create a /30 subnet as a transfer network where both clusters have an interface in this subnet so traffic between the datacenters can be routed.

My question is: what is the most elegant way to connect the two sites? Directly (if yes, how) or with a switch in between?

Thanks!

AlexC-FTNT
Staff

For a simple connection between them you definitely need a switch to handle it, especially if you plan to use an aggregate link.
Cluster1 has units 1A (1Aport1, 1Aport2) - LACP1A, 1B (1Bport1, 1Bport2) - LACP1B on switch

This is on the local switch, which can be further linked with an aggregate to the remote local switch:

Cluster2 has units 2A (2Aport1, 2Aport2) - LACP2A, 2B (2Bport1, 2Bport2) - LACP2B on switch


TheChosenOne
New Contributor II

Thanks Alex!

That's the setup I already tried out in my sandbox. I was hoping there could be a solution without switches. Anyway, thanks for your time and help.

Cheers

AlexC-FTNT

As long as you have HA, there must be (at least) a switch for redundancy and to connect the ISP link(s) to both units. And these switches are already present on site (while LACPs only provide an increase in bandwidth).

