- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Fortigate 300C HA in Active – Active mode with ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fortigate 300C HA in Active – Active mode with Cisco 3750X Stackable switches
Hello All,
I am planning to implement Fortigate 300C HA in Active – Active Mode with Link Aggregation (LACP 802.3ad) for four firewall segments with full mesh.
Two Firewall segments will connect through Cisco 3750X Stackable switches and one segment will connect via Cisco 2960S Switch stack.
Two Firewall Segments will be defining as several VLANs under Ethernet bond (LACP) interfaces.
If anybody has experience in deploying Fortigate Active – Active HA with Cisco 3750X & 2960S stackable switches Please verify above and comment.
Tnx,
Asa
Asanka
Asanka
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I' m kinda of doing that with 620B now, but with a 3750E stack, what' s your concerns? The stack allows for multi chassis lacp, so you can create redundancy in the stack. Bothe A-A pairs will need 2 links minimum into each stack switch and then those ports for each firewall will need LACP enable.
What we did was craft a LAN topo of 2x3750E for the outside and dmz and then the internal lan topo from the 620B goes back into our Nexus 7K core. We have 2 FGT one set specifically as a VPN terminator for remote-clients and site2site vpns.
Other than cpu seems higher on one FGT than the other, we haven' t seen any real issues.
It was kinda over kill, but they had the budget.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Works like a charm, no special issues, you can make a LACP from a cluster node to the stacked Cisco' s (split over the 2 units).
No special issues.
Rackmount your Fortinet --> http://www.rackmount.it/fortirack
Rackmount your Fortinet --> http://www.rackmount.it/fortirack
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks " emnoc" & " SecureLayers-Eric" for you inputs !!
Since Fortigate HA operates on Virtual MAC address.. in case of failure occurs on Switch stack , network segment or firewall level, will there be significant delay in fail-over or is it normal like (one ping request timed out)??
And what is your recommendation on configuring ether channel for this setup from Cisco Stack side?
Regards
Asanka
Asanka
Asanka
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How much of a impact? could be determine by how much traffic over that link. Nobody can give you an exactly ms or sec impact or lost of ping count. Just test it, it will be minor if any.And hardly noticeable.
On etherchannel mode, you want LACP so channel-group x mode act is what I would do. X would be the port-channel number & this enable LACP aka 802.3ad on whatever members you deploy.
One last issue,
On the channel-groups load balancing, you might want to monitor & adjust the balancing algorithm. Execute the " show etherchann load-balance" command to get any ideal of the default load-balance schema.
Then adjust accordingly, src/port-dst/port ( L4) is typically better than src-mac or dst-mac or src-ip/dst-ip ( L2 or L3 respectively ).
EtherChannel Load-Balancing Configuration:
src-dst-port
mpls label-ip
EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Source XOR Destination MAC address
IPv4: Source XOR Destination TCP/UDP (layer-4) port number
IPv6: Source XOR Destination IP address
MPLS: Label or IP
YMMV
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the inputs!!
I have tested mention scenario in-house using two standalone Cisco switches (one channel group per LACP Bond interface) for two segments with Full mesh , LACP & Session Pickup from Fortigate HA side.
i have tested failover by powring off Master fortigate unit while ICMP Ping & FTP Filtransfer in place between two segmnts. when power goes off in Master unit FTP seesion & ping ( 1 time out) still working without issue.
But when i power on the (Previous Master) Unit again ofter about 20 -30 sec all active connection get drop (ping & ftp) for 10 - 20 sec. and start working again during this time HA master role will be taken by previous master unit. but all active connections get drop !!!!
Regards,
Asanka
Asanka
Asanka
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That' s has nothing to do with LACP btw. You might want to look at HA and how it works and preemption & override.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Related Posts
- setup FortiGate Firewall with Mikrotik Router. 84 Views
- After firmware upgrade, GUI doesn't show... 109 Views
- Users do not get VLANs DHCP... 236 Views
- How to configure physical internal switch... 134 Views
- Which Firewall of Fortigate help me... 224 Views
Labels
-
FortiGate
6,604 -
FortiClient
1,318 -
5.2
801 -
5.4
639 -
FortiManager
572 -
FortiAnalyzer
417 -
6.0
416 -
5.6
362 -
FortiSwitch
339 -
FortiAP
337 -
FortiClient EMS
269 -
6.2
251 -
FortiMail
248 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
152 -
6.4
128 -
FortiNAC
108 -
FortiGuard
102 -
FortiSIEM
89 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
73 -
FortiToken
72 -
Customer Service
70 -
4.0MR3
64 -
SSL-VPN
63 -
Wireless Controller
58 -
FortiProxy
45 -
FortiADC
44 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
32 -
FortiSandbox
31 -
FortiSwitch v6.4
29 -
SD-WAN
26 -
Firewall policy
25 -
FortiConnect
24 -
FortiWAN
22 -
VLAN
21 -
High Availability
21 -
FortiConverter
21 -
FortiPortal
18 -
FortiAuthenticator
17 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
SAML
14 -
Certificate
14 -
DNS
13 -
Interface
13 -
FortiDDoS
13 -
BGP
12 -
FortiGate v5.0
12 -
Routing
12 -
FortiCASB
12 -
LDAP
11 -
VDOM
11 -
Logging
11 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
fortilink
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
SSO
6 -
Application control
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
WAN optimization
4 -
Automation
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
Port policy
4 -
FortiScan
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
Fortinet Engage Partner Program
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
VoIP profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
System settings
2 -
4.0MR1
1 -
TACACS
1 -
Users
1 -
Replacement messages
1 -
Schedule
1 -
Subscription Renewal Policy
1 -
SDN connector
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Multicast routing
1 -
Zone
1 -
Explicit proxy
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.