Hi All,
Our current network is MPLS based with Layer 3 handoffs at 6 sites, managed by a Fortigate Cluster that we manage at each (advertising routes via OSPF to the ISP who redistributes across the MPLS (I think using BGP). Sites links are quite slow (between 5 and 20 Mbps) and have been supported by WAN Accelerators which are end-of-life. A few sites have local internet breakouts for Guess Wifi etc.
A Datacentre houses the majority of our server kit with a pair of 101E firewalls providing inter-vlan routing and policies for outgoing internet traffic, a handful of VIPS off our primary tail (100 Mbps). While not a hugely powerful device the 101E has served us quite well in regard to throughput.
We’re currently upgrading the MPLS network which will provide significant increase to each site’s bandwidth, allowing 1Gbps to be shared between the MPLS tail and a local Internet breakout in the future as we start to transition to the use of more cloud based services. Our Fortimanager and Fortianalyser will assist in centrally managing the Fortigate clusters across sites, but for now our primary internet connection will remain at our Datacentre/Head Office (refer below - Orange is current links, purple the proposed new network )
Part of the design is a 1Gbps Point-to-point Layer 2 link between our head office and the datacentre. This is to partly to support the rehoming of the primary internet tail directlyout of the Head Office, rather than the Datacentre, due to a significant cost savings available from of a city wide ’10-Gig-Ethernet Project’ that covers the Head Office building. Internet services out of the datacentre are very expensive in comparison.
Upshot is that while our server kit remains in the datacentre (presumably with the Fortigate cluster) our internet service will now tail out of our Head Office building. Both of these sites will have a tail into the MPLS VPN for redundancy in case Head Office were to lose power. or otherwise go down. We have a separate DR site that would pick up the primary internet service should that occur.
Our traffic flows have been relatively simple until now. Fortigates (only) used as our security layer for ACL’s and Layer 3 routing between VLANS etc while all switching has effectively been Layer 2 only. To this date, all our switching has been 1GB maximum, except for some East-West 10Gbe server traffic contained within backplanes of HCI devices like the Dell FX2. So we've not needed to use SFP's or similar into the Fortigates..
Maintaining this model with Fortigates performing our core routing at these speeds would seem quite expensive. The first device with 10Gbe SFP is the 500E which is quite a big jump for us, and so the questions arises as to whether we could / should use comparatively cheaper 10Gbe switching (eg 2 x Dell S4112) which could route near line-rate, and leave the Fortigate just to do edge filtering..
I’m also having trouble defining exactly how the topology of switching and firewalls would sit across the Datacentre and Head Office given the Layer 2 link between them but Layer 3 requied at both sides for the MPLS tails.
I would need to keep the Fortigates physically in the Datacenter for reliability and continuity purposes for other sites should HO go down. How and where we would separate the VLANS etc.
Can I pipe outgoing internet traffic across the P2P layer 2 link and just send it out via a switch in HO? Or should I add another cluster of Fortigates in Head Office?
Any tips to set me straight? I’m probably over thinking things but the switch to a Layer 2 link between sites has stumped me as I’m quite used to just using the Fortigates at Layer 3 and setting routing priorities to direct traffic as needed.
Thanks!
Andrew
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1547 | |
1031 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.