Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
JPScolar
New Contributor

Public IP Hand-off

Hello, 

I need to provide Managed WAN Connectivity + Wireless Failover to a customer who is managing their own network; their edge device is a Meraki MX firewall. They need public static IP addresses on the MX.


I use ISPs to provide the last-mile connectivity, which in most cases is off-net broadband cable or FTTP (this is not dedicated fibre).


I would like to use FG40Fs to terminate the WAN connectivity (so I can manage it), then hand off the public IP to the MX over a switchport. Then set up GRE tunnels back to my core network so I can route and advertise the public IPs: one primary tunnel and one failover tunnel.


I've been told that this has many disadvantages: A) the GRE tunnel overhead, B) the cable (DOCSIS) variable latency and potential packet loss, and C) tunneling already tunneled and encrypted traffic. I've also been told that, despite the specs in its datasheet, a FG40F will not be able to deliver more than 100-200 Mbps throughput because of the GRE tunnels and the DOCSIS nature of the link.


Could you please provide some advice on how best to implement this (IP-VPN or SD-WAN solutions are not possible alternatives)? Can this be done with a FG? How should I size the FG? What setup/configuration should be used? Any advice will be much appreciated.

Anthony_E
Community Manager

Hello,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
Toshi_Esumi
SuperUser

I thought you originally showed a diagram. The network scheme you're thinking of probably wouldn't work well once the MX is in the picture, and that's why nobody seems to be willing to comment on your post.

Either let the MX side provide failover/redundancy with multiple ISPs and MRs, or replace the MX with the FGT, which might manage Forti-something inside their network.

We had many prospects in the past asking similar things. We mostly turn them down by telling them the above. Even if you could implement something that might work, it would cost you a lot in troubleshooting down the road, taking lots of resources, and then the unsatisfied customer would eventually leave.


Toshi

JPScolar
New Contributor

Hi Toshi.

Thank you for your reply. I'm including the network diagram to illustrate the concept.

[attached image: IP-Handoff.JPG]

Toshi_Esumi

Cisco 1000 Series ISR is NOT Meraki MX. Not sure how much FW feature it covers, while Cisco has the Firepower FW product line. It's probably not appropriate to discuss in this community. And now there is no FG40F in place as you mentioned in your original post either.

I think it's beyond this community.

Toshi
