FortiGate in HA - Cabling question

FortiGateAdmin · ‎09-22-2023

Hello,

I have two FortiGates running in a HA cluster (Active/Passive). Each FortiGate is located in a server room. Now I would like to increase the redundancy or failover.

In each server room there are also two switches installed to which the VMWare hosts are wired. Now I would like to distribute the FortiGate per server room to the two switches. By this I mean that I want to connect the LAN interface once to switch 1 and once to switch 2.

What do I have to do for this? I can configure a virtual interface and put the interfaces there. But I have hardware switch / software switch and redudant interface available.

The goal is simply that the FortiGate is still accessible, should one switch fail - and as I said, I would have to configure this on both FortiGates per server room.

Maybe someone has an opinion on the subject. :)

anignan · ‎09-22-2023

Hi @FortiGateAdmin

How do you want to connect one LAN interface to 2 switches at the same time? There is an option for redundant interface on FortiGate

REF: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Creating-a-redundant-link/ta-p/196577

Abdel

FortiGateAdmin · ‎09-22-2023

Exactly, I can't connect one LAN interface to two switches. Hence the question above.

From your link I see the following configuration:

FortiGate A in server room 1:
I create a redudant interface with (as an example) port 4 and port 5 as member. Port 4 to Switch 1, Port 5 to Switch 2.
If now switch 1 fails, the traffic from port 5 is forwarded to switch 2. Correct? How do I build this setup correctly if the FortiGate is configured in a HA (active/passive)? In the second server room, I would also connect the FortiGate B with port 4 to Switch 1 (second server room) and port 5 to Switch 2 (second server room).
Do these interfaces also have to be configured as monitored interfaces in the HA configuration? Or should I only monitor the external (Internet) interfaces there?

anignan · ‎09-22-2023

Hi @FortiGateAdmin ,

This depends on what is connected to the switches and how they operate.. are they independent or function as a logical switch?

Abdel

FortiGateAdmin · ‎09-22-2023

Hey @anignan,

the switches operate independent.

anignan · ‎09-22-2023

Hi @FortiGateAdmin

That means you can create either a software or hardware switch but hardware will be better because traffic can be offloaded and STP support.

Abdel

FortiGateAdmin · ‎09-22-2023

Ok, no redudant interface?

I've made a little drawing that might better show how I envision it and if it can be done that way.

anignan · ‎09-22-2023

Hi @FortiGateAdmin ,

If your switches are independent use hardware switch but a logical switch use redundant or STP will kick in and block one port to prevent loop... How is the ESXi host configured?

Can you name in your drawing how the switches are connected together?

Abdel

FortiGateAdmin · ‎09-22-2023

the four switches are connected via 10g sfp to each other with stp configuration.

the esx host is normal configured with 4x lan to switch 1 and 4x lan to switch 2.

anignan · ‎09-22-2023

In this case try redundant interface since STP is running on the switches no matter what port is active traffic should go through...

Abdel