Hi everybody,
Traditionally, we use layer 2 connection between our fortigate cluster and our CORE switch cluster (VSS, VPC or Stack) but I'd like to know if it's possible to have full layer 3 connection (/30) between fortigate cluster (Active-Passive mode) and switch cluster like Nexus VPC or Arista MLAG.
I put a small design in attachment to describe the situation. On the left design, that's what we're doing now and on the right that's what we would like to test.
Do you think it's possible?
How fortigates will react in case of failover?
Do we need to run some routing protocol like OSPF to achieve that?
Thank you for your help.
Best regards,
Greg.
If those /30 interfaces are the ones to pass user traffic through, no you can't. FGT's HA is designed to have the config on both A and P identical, except dedicated-to-management interfaces, which are isolated from the rest for management only.
Hi Toshi,
Yes, the user traffic passes through those interfaces. About your response, that's also what I thought! But this afternoon, I contacted the Fortinet Support to ask them and they told me that L3 configuration is valid too. But I don't agree with that.
As you said, both firewalls must share the same configuration. Moreover, from a management point of view, when the Fortigate-Cluster is UP, we only have 1 management point, so I don't understand how it's possible to configure 2 different networks (/30) on the same physical port.
Thank you for your help
Best Regards,
Hello Greg
we are using 2x FGT1200D in A-A, using 2x 10GbE ports of each FGT to create a trunk (LACP), connecting one leg of the trunk to each of a Dell S5248F switch cluster running VLT. The trunks (1 per FGT) are passing user traffic through (12 VLANs configured on that virtual interface) without any problems for many years now. (Used/using FGT100E&F, FGT300C&D, FGT500E, FGT1000D with MLAG currently and in the past, always in A-A … working great).
Works great as you can do maintenance, reboot, firmware upgrade, … , of each switch separately or on the FGT without network interruption.
Not quite your design, but hope that helps ...
Best Regards
Sini
Hi Sini,
Actually, we have used exactly the same kind of design as yours for many years without any problems either (2x 1200D with Etherchannel (Trunk) linked to Cisco VSS). We don't want to change our design at all, but I just want to know if this kind of design is valid or not.
Thank you very much.
Best regards,
Greg.
Actually you can do L3 with two different subnets on one interface (secondary IP), but then you'll find out that e.g. OSPF is active only on one device, so there are scenarios where the failover means long times with traffic blackholing. And I didn't find any ultimate solution to all the scenarios mentioned.
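For readers who want to see what the "two /30s on one interface via secondary IP, plus OSPF" setup from the reply above looks like, here is an added FortiOS CLI example. It is not configuration from the thread's participants or from Fortinet; port names, addresses, router-id and the OSPF timer values are assumptions chosen for illustration. Because the HA cluster synchronises this configuration to both units, the same addresses and the same OSPF process exist on the primary and the secondary, but only the primary actually forwards and forms adjacencies, which is the reason the reply notes that OSPF is effectively active on one device at a time.

```fortios
# Added example (not from the thread): one physical port carrying two /30
# point-to-point subnets, one towards each member of the switch cluster.
# Assumed names/addresses: port1, 10.0.0.1/30 (primary IP), 10.0.0.5/30 (secondary IP).
config system interface
    edit "port1"
        set ip 10.0.0.1 255.255.255.252
        set allowaccess ping
        # Secondary IP adds the second /30 on the same port, as the reply describes.
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 10.0.0.5 255.255.255.252
                set allowaccess ping
            next
        end
    next
end

# OSPF advertises both /30s into area 0 (assumed router-id 10.0.0.1).
# In an A-P cluster this config is synced to both units, but only the
# primary unit runs the adjacencies; after a failover the new primary must
# rebuild them, which is the blackholing window mentioned in the reply.
config router ospf
    set router-id 10.0.0.1
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 10.0.0.0 255.255.255.252
            set area 0.0.0.0
        next
        edit 2
            set prefix 10.0.0.4 255.255.255.252
            set area 0.0.0.0
        next
    end
    # Assumed tuning, not discussed in the thread: shorter hello/dead timers
    # shrink how long the switches keep routes pointing at a dead neighbour.
    config ospf-interface
        edit "port1-ospf"
            set interface "port1"
            set hello-interval 1
            set dead-interval 4
        next
    end
end
```

After applying this on the primary, `get router info ospf neighbor` on each unit shows the point the reply makes: the primary lists the switch neighbours, the secondary shows none until it takes over.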
Copyright 2024 Fortinet, Inc. All Rights Reserved.