Hello,
I have two FortiGates running in a HA cluster (Active/Passive). Each FortiGate is located in a server room. Now I would like to increase the redundancy or failover.
In each server room there are also two switches installed to which the VMWare hosts are wired. Now I would like to distribute the FortiGate per server room to the two switches. By this I mean that I want to connect the LAN interface once to switch 1 and once to switch 2.
What do I have to do for this? I can configure a virtual interface and put the interfaces there. But I have hardware switch / software switch and redudant interface available.
The goal is simply that the FortiGate is still accessible, should one switch fail - and as I said, I would have to configure this on both FortiGates per server room.
Maybe someone has an opinion on the subject. :)
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
How do you want to connect one LAN interface to 2 switches at the same time? There is an option for redundant interface on FortiGate
REF: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Creating-a-redundant-link/ta-p/196577
Abdel
Exactly, I can't connect one LAN interface to two switches. Hence the question above.
From your link I see the following configuration:
FortiGate A in server room 1:
I create a redudant interface with (as an example) port 4 and port 5 as member. Port 4 to Switch 1, Port 5 to Switch 2.
If now switch 1 fails, the traffic from port 5 is forwarded to switch 2. Correct? How do I build this setup correctly if the FortiGate is configured in a HA (active/passive)? In the second server room, I would also connect the FortiGate B with port 4 to Switch 1 (second server room) and port 5 to Switch 2 (second server room).
Do these interfaces also have to be configured as monitored interfaces in the HA configuration? Or should I only monitor the external (Internet) interfaces there?
Hi @FortiGateAdmin ,
This depends on what is connected to the switches and how they operate.. are they independent or function as a logical switch?
Abdel
Hey @anignan,
the switches operate independent.
That means you can create either a software or hardware switch but hardware will be better because traffic can be offloaded and STP support.
Abdel
Ok, no redudant interface?
I've made a little drawing that might better show how I envision it and if it can be done that way.
Hi @FortiGateAdmin ,
If your switches are independent use hardware switch but a logical switch use redundant or STP will kick in and block one port to prevent loop... How is the ESXi host configured?
Can you name in your drawing how the switches are connected together?
Abdel
the four switches are connected via 10g sfp to each other with stp configuration.
the esx host is normal configured with 4x lan to switch 1 and 4x lan to switch 2.
In this case try redundant interface since STP is running on the switches no matter what port is active traffic should go through...
Abdel
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.