nsantin
New Contributor III

HA Internal Interface on 2 switches

Hi, very simple question as I set up my first HA cluster with 2 FGT60-C. I have the WAN1/2/DMZ interfaces all interconnected using dedicated VLANs on my switches. With the internal interfaces, do they need to be on the same isolated switch? Can I have FGT1 connect to switch #1 (with other devices) and FGT2 connected to switch #2 (with another batch of devices) and have the 2 switches interconnected? I know this is a rudimentary question, just all the documentation I see refers to a single switch. I'm concerned about the duplicate MAC addresses and how the switches would handle that across 2 physically different switches (Cisco SG300 and Cisco ESW-540). I'm trying to have the internal interfaces on different switches so I don't have a single point of failure (in the event of a switch failure). Thanks!
13 REPLIES
ede_pfau
SuperUser

Oops, good point. I didn't think of that. Well then, one link only will work as well (but not redundant).
Ede Kernel panic: Aiee, killing interrupt handler!
nsantin
New Contributor III

Forgive my ignorance, but is link aggregation required? If I have INT1 on both units connected to my core switch, then both INT2 connected to VMserver1 (virtual switch) and both INT3 to VMserver2 (virtual switch), then wouldn't this work? If a unit went down, the other FGT link would still be up on all 3 devices. Would the FGT not send the update to all 3 "switches" if the internal ports are all in switch mode? My guess is it would work because in the HA guide it says you can use any internal port, so why not use 3 of them at once on different devices? In VMware the host machine creates a virtual switch to interconnect all the guests, so from the FGT's perspective, it thinks it is connected to 3 different switches on INT1, INT2 and INT3. Additionally, the FGT(s) will become the switch to my VM servers from the core network, just 1 more hop. Logically, this is what it would "look like" to the FGT:
ede_pfau
SuperUser

I agree, if INT1-3 are all on an internal 'switch' (in switch mode). OK, get going. Test, test, test.
Ede Kernel panic: Aiee, killing interrupt handler!
nsantin
New Contributor III

UPDATE: I built a test lab tonight to test having the FGT cluster connected to multiple switches, and I'm happy to report everything worked really well. I had my 2 units configured and had INT1 wired together on a layer 3 switch and INT2 wired together on a basic switch. WAN1 were interconnected on a VLAN on the layer 3 switch and I had configured some internet connectivity. I then connected a couple of laptops to the mix on the different switches and ran some simulations. Everything worked very well. The failover was smooth when I simulated a FGT failure, and everything responded properly when it came back online. Link activity on all the switches was routine (no mass flashing in unison, which is indicative of a broadcast storm). I didn't see any irregularities in any log (FG or Cisco) and everything was solid. I'm letting it run overnight with some continuous pings and I'll see if anything is out of the ordinary. BTW, I did a test configure with my 1st scenario (with the loop on INT1), and it did indeed create a broadcast storm. The switches went haywire and lit up like a Christmas tree. Tomorrow I'll start to migrate all of the firewall rules from the old unit and I think I'll be in great shape for my rollout this weekend. Thanks a lot to Ede and veechee for their guidance.