I'm working on a design for a greenfield environment and haven't run across another design like it so I was hoping someone else had gone down this path and could speak to their experience. The scenario is we've got two main DC's that are connected via a <5ms layer-2 metro-e circuit. Both DC's are for the most part identical in terms of equipment. There will be stretched VLANs between the two sites to accommodate vMotion, vSAN and various other types of DC-specific traffic.
I'm utilizing 1000-series switches in each DC which will run VRRP for HA purposes. A pair at either DC. Has anyone done VRRP between sites for this purpose? I'm wondering if VXLAN is the better route to achieve VLAN mobility between sites. The FortiSwitches will connect to a pair of FortiGate 200F (A-P) for internet/WAN connectivity. My preference is to keep all of the SVI's on the FortiSwitch so that a lot of the bandwidth intensive traffic (Backups, synchronization, storage...etc.) is not over-taxing the gate. I realize there are a lot of moving parts so I'm trying to keep this as simple as possible. Thanks in advance.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I'm trying to understand your case. I guess as you are doing inter-site VMotion you need same IP subnets on both sites and same gateways up on both sites with inter-site gateway isolation, right? Or you use VRRP inter-site to keep the gateway up on one site at a time?
On the other hand the dilemma is if you keep SVIs on distribution switch you will probably not be able to filter the traffic, while if you put them on the 200F you will probably lose much performance.
You are correct. The use case is VM mobility. After thinking this over though, I'm comfortable with having only a single gateway active at one site at a time. Moving the DG from site 1 to site 2 could just be a manual enabling of the SVI at site 2. You mentioned "VRRP inter-site", do you have any docs or references for that design? Also, I'm trying the 1000-series switches more as "Core" switches for the datacenter. I'm trying to avoid the gate having to do any DC-specific inter-vlan routing.
Having each gateway up at one site at a time will make your life simple, even if it has some disadvantages as you may know. But this will avoid you much headaches in case you will have to managing asymmetric traffic at firewall layer.
So you can configure VRRP on your FortiSwitches in order to make your gateways highly available in Active-Passive way.
Ref: https://docs.fortinet.com/document/fortiswitch/7.2.6/administration-guide/508059/vrrp
Initially you may distribute your gateways to your 4 switches in order to have more or less same load over all 4 switches.
Usually we also distribute VMs and gateways in such way to have minimum traffic transiting between sites, e.g.: keep all VMs on the same site as their gateway, and keep app VMs on the same site as the DB VMs they heavily communicate with.
You are right to avoid FG 200F to route inter-VLAN traffic, since it may be capable to handle your North-South traffic, but I don't think it can handle Est-West traffic (check datasheet). Usually for that we use high-end FG (e.g.: 1800F and so).
I think you need to dig a lot in the "standard" dual-DC architectures before you can take a final decision, I remember Cisco published much designs that will be very interesting for you. You can find a lot just by googling. Also I strongly believe you will need help of a good network architect to make a correct serious design. As you may know your question is 95% about network and 5% about security.
For FortiSwitch you can start here, I think it will help as well.
Thank you for the feedback! Very helpful. Have you ever implemented the routing offload feature that was introduced in 7.4.1? This will be necessary to perform L3 routing on the FortiSwitches rather than the gate.
You are welcome.
Unfortunately not, but I'm sure experienced community members will help with pleasure.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1634 | |
1063 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.