Support Forum
New Contributor

Design Question - Cable connectivity

We have two FGT 500D in HA. Currently, the LAN cable from each FGT connects to a 2960X switch, and a cable from the 2960X connects to our Core Switch, with all 3 ports in the same VLAN on the switch, of course. This works, but is this the preferred design?
Esteemed Contributor III

Yes, at least for me. Switch segmentation by port-based VLANs.

For every physical port on the FGT, you need 3 switch ports: fgt1, fgt2 and destination. So, for bigger FGTs you might need a 48 port switch just for connectivity.

Just make sure the VLANs never exit the switch, i.e. port-based.


Years ago some switches had a problem with this. For each internal VLAN a separate MAC address table is needed, and some low-range switches didn't have that. Nowadays this design has always worked for me, with HPE, Avaya, Alcatel, DELL, H3C. Never tried out D-Link, Netgear, TP-Link.


One caveat:

NEVER run the HA link across a switch! The HA link is the most important connection in a cluster. If it breaks, BOTH units will become master and the network will break down. So HA links are always direct cables (or fibers), and always at least 2x.


Ede
"Kernel panic: Aiee, killing interrupt handler!"
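As an added illustration of the rule in the answer above (three access ports per FortiGate port, and the VLAN must never exit the switch), here is a small checker over a constructed IOS-style 2960X config. This is example code written for this page, not anything from the thread or from Fortinet/Cisco; the interface names, VLAN numbers and the sample config are assumptions.

```python
# Constructed IOS-style config for the 2960X (example data, not from the thread).
# VLAN 101 is cabled as the answer describes: fgt1, fgt2 and the core port only.
# VLAN 102 is missing ports and is also allowed on an uplink trunk, so it leaks.
SAMPLE_CONFIG = """
interface Gi1/0/1
 switchport mode access
 switchport access vlan 101
interface Gi1/0/2
 switchport mode access
 switchport access vlan 101
interface Gi1/0/3
 switchport mode access
 switchport access vlan 101
interface Gi1/0/4
 switchport mode access
 switchport access vlan 102
interface Gi1/0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,20,102
"""

def parse_ports(config):
    """Map interface -> [mode, vlans]; comma-separated allowed lists only, no ranges."""
    ports, cur = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ports[cur] = ["access", set()]  # IOS default mode is access
        elif cur and line.startswith("switchport mode "):
            ports[cur][0] = line.split()[-1]
        elif cur and line.startswith("switchport access vlan "):
            ports[cur][1] = {int(line.split()[-1])}
        elif cur and line.startswith("switchport trunk allowed vlan "):
            ports[cur][1] = {int(v) for v in line.split()[-1].split(",")}
    return ports

def check_fgt_vlans(config, fgt_vlans, ports_per_vlan=3):
    """Per FGT VLAN: exactly N access ports (fgt1, fgt2, destination) and no trunk."""
    ports = parse_ports(config)
    problems = {}
    for vlan in fgt_vlans:
        access = [i for i, (m, v) in ports.items() if m == "access" and vlan in v]
        trunks = [i for i, (m, v) in ports.items() if m == "trunk" and vlan in v]
        if len(access) != ports_per_vlan:
            problems.setdefault(vlan, []).append(
                f"{len(access)} access ports, expected {ports_per_vlan}")
        for t in trunks:
            problems.setdefault(vlan, []).append(f"allowed on trunk {t}: VLAN exits the switch")
    return problems
```

Run it against a `show running-config` dump with the list of VLANs you reserved for the FortiGate ports; an empty result means every one is port-based and stays on the switch.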