- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiGate Cloud
- FortiExtender
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- FortiWebCloud
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Dual WAN links with HSRP
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Not applicable
Created on 11-18-2011 11:06 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dual WAN links with HSRP
I have Fortigate 110C box, connected to two upstream routers configured with a virtual HSRP address, with one connected to wan1 and another to wan2
How can I make use of the link redundancy here?
KB #10376 http://kb.fortinet.com/kb/documentLink.do?externalID=10376
suggests to use ECMP routing to achieve that
The problem is that both wan1 and wan2 interfaces have to be in the same subnet to reach the upstream routers, which Fortigate doesn' t allow
thanks,
HGheist
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
and welcome to the forums.
As I see it you can' t have both concepts in one circuit:
- if you use HSRP with one virtual IP address facing the FGT, then you use only one interface on the FGT. The HSRP cluster presents itself as one device.
- if you want to take advantage of 2 WAN interfaces, 2 routers and 2 ISPs, then use ECMP. No need for HSRP then, except for that I' m overlooking something that HSRP does and that you need.
Both ways are viable and reasonable solutions. There is a way to allow overlapping subnet addresses on multiple interfaces on a FGT but this creates a huge security risk. It deactivates the anti-spoof feature systemwide. Absolutely recommended against, and unnecessary also.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ede,
In other words, to get 2-port upstream redundancy with FGT, i should be using ECMP and the upstream routers cannot be in the same subnet for that
Thanks,
HG
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Confusion: if this is HSRP is this not being done via the two upstream routers and aren' t these routers " cisco" ?
If this is true, all you need todo is plug the 2 wan lan interfaces into a shared hub/switch and the fortigate into that switch as well. The redundant operation is then performed via the cisco routers.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Emnoc,
What I would like to accomplish is failover in case of upstream router failure and failover in case of wan1/wan2 interface failure.
The use of one shared hub/switch kind of defies the redundancy requirement - it becomes the single point of failure
Understand I can use one port only and have two routers upstream connected to it, presenting themselves as a single virtual IP.
With Cisco or Linux, i could have created a trunk out of wan1 and wan2, but alas, doesn' t appear to be possible with FGTT.
Per Ede' s suggestion, I' ll look into ECMP, with two upstream routers being in different subnets.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That' s right. You can choose the transfer networks (the IPs of the 2 WAN routers and of the 2 FGT WAN ports) freely as long as the two don' t overlap.
Did you have a look at the ECMP feature yet?
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have, however i need to ask the upstream colo provider to change the setup on their side
I guess, the way to deal with it with Cisco/Linux is to have an upstream trunk made out of wan1 and wan2
HG
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
heilige
Another option is to use GLBP on the cisco. This would place the ECMP function within the hands of the cisco and nothing would have to change out side of having one WAN to the common lan-subnet that the cisco sits in.
With GLBP vrs HSRP, you get true active/active to include weighted load balancing for non-symmetrical links.
i.e
with a 4 to 1 balancing alogrithim,
4 packets out router1 vrs 1 out router2
Check with your ISP provider and see if they support this.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Increasing Log Visibility for IPSEC VPN... 101 Views
- How to Remove NAT for IPSEC... 123 Views
- SSH to Vdom Link IP Address 284 Views
- ADVPN tunnel up but BGP on... 246 Views
- fortiweb - troubleshoot links to files... 180 Views
Labels
-
FortiGate
7,160 -
FortiClient
1,412 -
5.2
801 -
5.4
639 -
FortiManager
620 -
FortiAnalyzer
456 -
6.0
416 -
FortiAP
376 -
FortiSwitch
373 -
5.6
362 -
FortiClient EMS
291 -
FortiMail
281 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
175 -
FortiNAC
128 -
6.4
128 -
FortiGuard
115 -
IPsec
107 -
SSL-VPN
103 -
FortiGateCloud
97 -
FortiSIEM
93 -
FortiCloud Products
89 -
FortiToken
76 -
Customer Service
71 -
Wireless Controller
65 -
4.0MR3
64 -
FortiProxy
49 -
SD-WAN
48 -
FortiADC
45 -
FortiEDR
44 -
Fortivoice
44 -
FortiDNS
39 -
FortiExtender
35 -
FortiGate v5.4
35 -
FortiAuthenticator
35 -
FortiSandbox
34 -
Firewall policy
33 -
FortiSwitch v6.4
32 -
VLAN
31 -
High Availability
31 -
DNS
24 -
FortiWAN
24 -
FortiConnect
24 -
ZTNA
23 -
BGP
21 -
FortiConverter
21 -
Certificate
20 -
SAML
19 -
FortiGate v5.2
19 -
FortiPortal
18 -
LDAP
18 -
Interface
18 -
FortiSwitch v6.2
17 -
Routing
17 -
VDOM
17 -
FortiMonitor
15 -
Authentication
15 -
FortiGate v5.0
14 -
FortiLink
14 -
Fortigate Cloud
14 -
FortiDDoS
14 -
Logging
14 -
NAT
13 -
RADIUS
12 -
FortiCASB
12 -
Application control
11 -
Web profile
11 -
Traffic shaping
10 -
Virtual IP
10 -
SSO
10 -
SSL SSH inspection
10 -
FortiRecorder
10 -
SSID
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
WAN optimization
9 -
4.0MR2
9 -
IP address management - IPAM
8 -
FortiBridge
8 -
FortiGate v4.0 MR3
8 -
OSPF
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
FortiAP profile
7 -
SNMP
7 -
4.0
7 -
Admin
7 -
Web application firewall profile
7 -
Static route
6 -
Security profile
6 -
Proxy policy
6 -
Traffic shaping policy
6 -
Automation
6 -
IPS signature
5 -
Packet capture
5 -
DNS Filter
5 -
FortiCache
5 -
FortiManager v4.0
5 -
trunk
5 -
FortiDeceptor
4 -
FortiDirector
4 -
Web rating
4 -
Intrusion prevention
4 -
Port policy
4 -
Antivirus profile
4 -
FortiPAM
4 -
FortiCarrier
4 -
FortiTester
4 -
3.6
4 -
DLP sensor
4 -
FortiScan
4 -
Fabric connector
3 -
NAC policy
3 -
Multicast routing
3 -
System settings
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
Fortinet Engage Partner Program
3 -
DLP Dictionary
3 -
DLP profile
3 -
FortiDB
3 -
DoS policy
3 -
Email filter profile
3 -
FortiInsight
2 -
Netflow
2 -
Users
2 -
Protocol option
2 -
FortiAI
2 -
Application signature
2 -
FortiHypervisor
2 -
VoIP profile
2 -
Internet Service Database
2 -
Explicit proxy
2 -
4.0MR1
1 -
Multicast policy
1 -
Zone
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
FortiNDR
1 -
TACACS
1 -
Replacement messages
1 -
Schedule
1 -
SDN connector
1 -
FortiManager-VM
1 -
Authentication rule and scheme
1 -
Service
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1062 | |
| 889 | |
| 527 | |
| 441 | |
| 152 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.