Hi Guys and Gals,
I have been tasked with re-patching our network rack. It's an absolute mess and there are several issues with the way the cabling has evolved over the years, e.g. daisy-chained switches, which are causing some strange issues on the network, IP clashes and DHCP issues.
Network design is relatively new to me, so please bear with me and let me know if I miss out any vital info.
We have two network racks connected with a fibre link approx 100m apart.
Network rack A contains -
Network rack B contains -
Is the following configuration acceptable?
Internet------Fortigate------Aruba Switch1-----Aruba Switch2----SFP-------Fibre link-------SFP------HP 1920------HP 1920
Basically, all 4 switches are connected to one another and then to the primary FortiGate; the secondary FortiGate will also be connected to Aruba Switch 1 so it can take over if the primary unit fails.
I had initially planned to have each switch connected directly to each FortiGate, as this seemed the right way rather than daisy-chaining them, but I just had a 15 minute call with a network tech and they said that connecting each switch to the next ("uplink", as they put it) was an acceptable network setup.
We have had issues here since I started, with Avaya phones losing static IPs, stating they are in use, and constant "invalid address" entries on our DHCP list. I thought this was due to the daisy-chaining, e.g. the switch on the end not updating its MAC table fast enough to keep up with the rest.
Any advice welcome.
Hello,
I think that your scenario is acceptable, but in my opinion this is not best practice, as you don't have HA at the Aruba switches. For example, if Aruba Switch 1 fails, then everything fails. I would suggest a configuration like the screenshot below.
In my scenario, if a FGT fails, everything continues to work fine. If an Aruba fails, you lose only the servers and machines connected to that switch. Same for the 1920s.
Orestis Nikolaidis
Network Engineer/IT Administrator
Hi Orani,
Thank you very much for your reply.
Would you have any idea how HA can be set up on the Aruba switches? I'm assuming this isn't just a matter of cross-connecting the switches, as this would be a loopback.
You have to enable the spanning tree feature on your Aruba and 1920s. You can find it under the "Traffic" tab in your web GUI.
Orestis Nikolaidis
Network Engineer/IT Administrator
Configure each switch with spanning tree, make all the wiring and then do some tests by powering off one machine at a time. At each test you have to check the connectivity.
Orestis Nikolaidis
Network Engineer/IT Administrator
Oh, that makes sense, so spanning tree will block the ports that are cross-connected until something fails, at which time the ports will become active and take over?
That's right.
You set the root path. When this fails, the switches use the next path available. The paths you configure are weighted.
Orestis Nikolaidis
Network Engineer/IT Administrator
orani wrote: Hello,
I think that your scenario is acceptable, but in my opinion this is not best practice, as you don't have HA at the Aruba switches. For example, if Aruba Switch 1 fails, then everything fails. I would suggest a configuration like the screenshot below.
(attached image: https://forum.fortinet.com/download.axd?file=0;176878&where=message&f=Screenshot_2.png)
In my scenario, if a FGT fails, everything continues to work fine. If an Aruba fails, you lose only the servers and machines connected to that switch. Same for the 1920s.
Hi,
Be careful, because with spanning tree this drawing is wrong: the redundant link will be disabled by spanning tree.
The switch at the top is the root switch of the STP topology; black links are active links, red links are blocked by STP.
Be sure to:
- Manually configure the switch priority to select your root switch. By default, all switches have the same priority, so it's the lowest MAC address that wins (i.e. the oldest switch).
- Activate RSTP, not only STP, for a better failover time.
If you want to create a real full HA stack with all links active, you need a feature like IRF (with HPE 5130 for example).
2 FGT 100D + FTK200
3 FGT 60E FAZ VM some FAP 210B/221C/223C/321C/421E
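As an added illustration of the two points above (root election by priority and then lowest MAC, and one link of a cross-connected ring being blocked until a failure), here is a small Python model; it is not code from the thread, and the switch MACs, priorities, link costs and the four-switch ring topology are constructed assumptions.

```python
# Added example, not code from the thread: a small model of STP root election
# and link blocking for a cross-connected ring of the four switches above.
# Switch MACs, priorities and link costs below are constructed assumptions.
import heapq

DEFAULT_PRIORITY = 32768          # every switch ships with this value

# Constructed: the HP 1920 with the lowest MAC plays the "oldest switch"
SWITCHES = {
    "Aruba1":   (DEFAULT_PRIORITY, "00:00:00:00:00:30"),
    "Aruba2":   (DEFAULT_PRIORITY, "00:00:00:00:00:40"),
    "HP1920-1": (DEFAULT_PRIORITY, "00:00:00:00:00:10"),
    "HP1920-2": (DEFAULT_PRIORITY, "00:00:00:00:00:20"),
}
# Constructed cross-connected ring: (switch, switch, path cost); 4 = gigabit
RING = [("Aruba1", "Aruba2", 4), ("Aruba1", "HP1920-1", 4),
        ("Aruba2", "HP1920-2", 4), ("HP1920-1", "HP1920-2", 4)]

def elect_root(switches):
    """Root bridge = lowest (priority, MAC). With equal priorities the
    lowest MAC wins, which is exactly the accident the post warns about."""
    return min(switches, key=lambda s: switches[s])

def stp_links(switches, links):
    """Return (root, active_links, blocked_links); links are frozensets.
    Root port = lowest root path cost, tie broken by lowest upstream bridge ID."""
    root = elect_root(switches)
    adj = {s: [] for s in switches}
    for a, b, cost in links:
        adj[a].append((b, cost)); adj[b].append((a, cost))
    best = {root: (0, switches[root], None)}   # (cost, upstream ID, upstream)
    heap = [(0, switches[root], root)]
    while heap:
        cost, _, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue                           # stale heap entry
        for nxt, c in adj[node]:
            cand = (cost + c, switches[node], node)
            if nxt != root and (nxt not in best or cand[:2] < best[nxt][:2]):
                best[nxt] = cand
                heapq.heappush(heap, (cand[0], cand[1], nxt))
    active = {frozenset((s, up)) for s, (_, _, up) in best.items() if up}
    blocked = {frozenset((a, b)) for a, b, _ in links} - active
    return root, active, blocked

def with_priority(switches, name, priority):
    """Copy of the switch table with one switch's priority set manually."""
    return {**switches, name: (priority, switches[name][1])}
```

With default priorities the "oldest" HP 1920 becomes root and the Aruba1-Aruba2 link (where both FortiGates hang) is the one that gets blocked; giving Aruba1 a lower priority moves the root and the blocked link to where you want them, and cutting an active link makes the blocked one take over.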
I agree with Baptiste. The best for your scenario is IRF, but your switches do not support that (if I remember correctly).
Orestis Nikolaidis
Network Engineer/IT Administrator