modgod
New Contributor

HA Cluster and multiple switches - physical setup advice

Hi Guys and Gals,

I have been tasked with repatching our network rack. It's an absolute mess and there are several issues with the way cabling has evolved over the years, e.g. daisy-chained switches, that are causing some strange issues on the network, IP clashes and DHCP issues.

Network design is relatively new to me so please bear with me and let me know if I miss out any vital info.

We have two network racks connected with a fibre link approx 100m apart.

Network rack A contains:

  • 2x Fortigate 200D (one currently offline, to be installed during repatch)
  • 2x HP Aruba 2530 48G switches
  • Fibre patch panel connecting to rack B

Network rack B contains:

  • 2x HP 1920 switches
  • Fibre patch panel connecting to Rack A

Is the following configuration acceptable?

Internet------Fortigate------Aruba Switch1-----Aruba Switch2----SFP-------Fibre link-------SFP------HP 1920------HP 1920

Basically all 4 switches connected to one another then connected to the primary Fortigate; the secondary Fortigate will also be connected to Aruba Switch 1 so it can take over if the primary unit fails.

I had initially planned to have each switch connected directly to each Fortigate as this seemed the right way rather than daisy-chaining them, but I just had a 15 minute call with a network tech and they said that connecting each switch to the next (uplink as they put it) was an acceptable network setup.

We have had issues here since I started working with Avaya phones losing static IPs, stating they are in use, and constant "invalid address" entries on our DHCP list. I thought this was due to the daisy-chaining, e.g. the switch on the end not updating its MAC table fast enough to keep up with the rest.

Any advice welcome.

8 REPLIES

orani
Contributor II

Hello,

I think that your scenario is acceptable, but in my opinion I think that this is not the best practice as you don't have HA at the Aruba switches. For example, if Aruba Switch 1 fails, then everything fails. I would suggest a configuration like the screenshot below.

In my scenario, if a FGT fails, everything continues to work fine. If an Aruba fails, you lose only the connected servers and machines at that switch. Same for the 1920's.

Orestis Nikolaidis

Network Engineer/IT Administrator
modgod
New Contributor

Hi Orani,

Thank you very much for your reply.

Would you have any idea how HA can be set up on the Aruba switches? I'm assuming this isn't just a matter of cross connecting the switches as this would be a loopback.

orani
Contributor II

You have to enable the spanning tree feature at your Aruba and 1920's. You can find it under the "Traffic" tab in your web GUI.

Orestis Nikolaidis

Network Engineer/IT Administrator
orani
Contributor II

Configure each switch using spanning tree, make all the wiring and then do some tests by powering off one machine at a time. At each test you have to check the connectivity.

Orestis Nikolaidis

Network Engineer/IT Administrator
modgod
New Contributor

Oh that makes sense, so spanning tree will block the ports that are cross connected until something fails, at which time the ports will become active and take over?

orani
Contributor II

That's right.

You set the root path. When this fails, the switches use the next path available. The paths you configure are weighted.

Orestis Nikolaidis

Network Engineer/IT Administrator
Baptiste

orani wrote:

Hello,

I think that your scenario is acceptable, but in my opinion I think that this is not the best practice as you don't have HA at the Aruba switches. For example, if Aruba Switch 1 fails, then everything fails. I would suggest a configuration like the screenshot below.

[attachImg]https://forum.fortinet.com/download.axd?file=0;176878&where=message&f=Screenshot_2.png[/attachImg]

In my scenario, if a FGT fails, everything continues to work fine. If an Aruba fails, you lose only the connected servers and machines at that switch. Same for the 1920's.

Hi,

Be careful, because with spanning tree this drawing is false: the redundant link will be disabled by spanning tree.

The switch at the top is the root switch of the STP topology. Black links are active links, red links are blocked by STP.

Be sure to:

- Manually configure the switch priority to select your root switch. By default, all switches have the same priority, so it's the lowest MAC address that wins (i.e. the oldest switch).

- Activate RSTP, not only STP, for a better failover time.

If you want to create a real full HA stack with all links active, you need a feature like IRF (with HPE 5130 for example).

2 FGT 100D + FTK200

3 FGT 60E, FAZ VM, some FAP 210B/221C/223C/321C/421E
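Baptiste's two points above, that the root is elected by priority first and lowest MAC second, and that one link of every loop ends up blocked until a failure, can be checked with a small model of the 802.1D/802.1w port-role rules. The Python below is an added illustration written for this thread; it is not code from the forum, from HP/Aruba or from Fortinet. The switch names, MAC addresses, the four-switch ring and the priority value 4096 are constructed assumptions, and the path cost is the 802.1t value for a 1 Gb/s link.

```python
"""Toy model of spanning-tree root election and port roles (802.1D / 802.1w rules).

Added illustration for the forum thread, not a switch implementation. Switch
names, MAC addresses and the ring topology are constructed for the example.
"""
import heapq
from dataclasses import dataclass

GIGABIT_COST = 20000       # 802.1t default path cost for a 1 Gb/s link
DEFAULT_PRIORITY = 32768   # factory default on every switch, hence "lowest MAC wins"


@dataclass(frozen=True)
class Bridge:
    name: str
    mac: str
    priority: int = DEFAULT_PRIORITY

    @property
    def bridge_id(self):
        # Bridge ID compares priority first, then MAC; the lowest becomes root.
        return (self.priority, self.mac.lower())


@dataclass(frozen=True)
class Link:
    a: str
    b: str
    cost: int = GIGABIT_COST


def spanning_tree(bridges, links):
    """Return root bridge, root path cost per bridge, root ports and blocked links."""
    ids = {b.name: b.bridge_id for b in bridges}
    root = min(ids, key=ids.get)

    adj = {name: [] for name in ids}
    for i, l in enumerate(links):
        adj[l.a].append((l.b, i))
        adj[l.b].append((l.a, i))

    # Root path cost: cheapest sum of link costs from each bridge to the root.
    cost = {name: float("inf") for name in ids}
    cost[root] = 0
    heap = [(0, root)]
    while heap:
        c, u = heapq.heappop(heap)
        if c > cost[u]:
            continue
        for v, i in adj[u]:
            if c + links[i].cost < cost[v]:
                cost[v] = c + links[i].cost
                heapq.heappush(heap, (cost[v], v))

    # Root port: the link giving the lowest root path cost; ties go to the
    # neighbour with the lowest bridge ID, then the lowest port (link index).
    root_port = {}
    for name in ids:
        if name == root:
            continue
        root_port[name] = min(
            adj[name], key=lambda nv: (cost[nv[0]] + links[nv[1]].cost, ids[nv[0]], nv[1])
        )[1]

    # On each link one end is designated (lower cost, then lower bridge ID).
    # The far end is either that bridge's root port or a blocked alternate port.
    blocked = []
    for i, l in enumerate(links):
        designated = min((l.a, l.b), key=lambda n: (cost[n], ids[n]))
        other = l.b if designated == l.a else l.a
        if root_port.get(other) != i:
            blocked.append((l.a, l.b))
    return {"root": root, "cost": cost, "root_port": root_port, "blocked": blocked}


# Constructed ring: two Arubas in rack A, two HP 1920s in rack B, each rack
# cross-connected so that every switch has a second path to the FortiGates.
LINKS = [
    Link("Aruba1", "Aruba2"),
    Link("Aruba1", "HP1920-A"),    # fibre to rack B
    Link("Aruba2", "HP1920-B"),    # second fibre to rack B
    Link("HP1920-A", "HP1920-B"),
]
MACS = {"Aruba1": "00:1a:aa:00:00:01", "Aruba2": "00:1a:aa:00:00:02",
        "HP1920-A": "00:0f:20:00:00:0a", "HP1920-B": "00:0f:20:00:00:0b"}


def default_priorities():
    """Nobody set a priority: the lowest MAC (here an HP 1920) becomes root."""
    return spanning_tree([Bridge(n, m) for n, m in MACS.items()], LINKS)


def aruba1_as_root():
    """Priority 4096 on Aruba1 (the switch the FortiGates hang off) makes it root."""
    bridges = [Bridge(n, m, 4096 if n == "Aruba1" else DEFAULT_PRIORITY) for n, m in MACS.items()]
    return spanning_tree(bridges, LINKS)


def after_link_failure(failed):
    """Recompute with one link removed: the previously blocked link takes over."""
    bridges = [Bridge(n, m, 4096 if n == "Aruba1" else DEFAULT_PRIORITY) for n, m in MACS.items()]
    return spanning_tree(bridges, [l for l in LINKS if (l.a, l.b) != failed])


if __name__ == "__main__":
    for label, r in [("defaults", default_priorities()), ("Aruba1 root", aruba1_as_root()),
                     ("Aruba1-HP1920-A down", after_link_failure(("Aruba1", "HP1920-A")))]:
        print(f"{label}: root={r['root']} blocked={r['blocked']}")
```

With factory priorities the HP 1920 with the lowest MAC wins the election and the Aruba1-Aruba2 link is the one that gets blocked, so the switch carrying both FortiGates is not the root. Setting priority 4096 on Aruba1 moves the root there and moves the blocked link to the far end of the ring; pulling the active Aruba1-HP1920-A link then leaves no blocked link at all, which is the failover behaviour modgod asked about. The model ignores RSTP timers, so it says nothing about how long that failover takes.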
orani

I agree with Baptiste. The best for your scenario is IRF but your switches do not support that (if I remember correctly).


Orestis Nikolaidis

Network Engineer/IT Administrator