Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
boozely25
New Contributor

Created on ‎01-11-2018 09:08 AM

Redundant Interfaces

This is my first Firewall Setup and my first post here so forgive me if this post is a little hard to follow

 

Here is my setup:

2 Fortigate 500D's in a HA Active\Passive

 

2 ISPs

each connected to a  switch (ISP1-->Sw1   ISP2---> SW2) by a single interface with the switches connected via crossover

The Switches are not stacked

 

SD-WAN

2 Redundant Connections WAN1(port1, port 2) WAN2(port3 ,port4)

 

My question:

Can I connect each individual port of the redundant interface to a separate switch

Port1--> Sw1(port1)  Port2-->SW2(port1)

or

do I have to create aggregate ports on the switches and connect both ports of the redundant interface to the aggregate ports on a single switch?

WAN1\Port1-->Sw1\port1

WAN1\Port2-->SW1\port2

 

Thank you

11755
0 Kudos
6 REPLIES 6
Anurag_Goyal
New Contributor

Created on ‎01-11-2018 10:06 AM

hi,

take a look on 

 

Anurag Goyal

Anurag Goyal
Drawing3.jpg
Preview file
28 KB
3898
0 Kudos
boozely25
New Contributor
In response to Anurag_Goyal

Created on ‎01-11-2018 11:20 AM

So judging by this diagram, you cannot split the ports that make up the redundant interface to go to separate switches. Is that correct?

3898
0 Kudos
boozely25
New Contributor

Created on ‎01-19-2018 11:06 AM

Let me reword my question.  Can I connect each port of the redundant interfaces to different switches if the switches are not stacked and the switch ports are not aggregated(LACP).

3898
0 Kudos
dmcquade
New Contributor III
In response to boozely25

Created on ‎01-19-2018 06:59 PM

Yes this is possible. You will need to trunk the switches and create 2 VLANs (1 for each ISP subnet). Create 3 ports for each VLAN. For example, if VLAN10 is defined for ISP 1 and VLAN20 for ISP 2, you can do something like:

ISP 1 --> Sw1 port 1 (VLAN10)

ISP 2 --> Sw2 port 1 (VLAN20)

FW Primary WAN1 --> Sw1 port 2 (VLAN10)

FW Primary WAN2 --> Sw1 port 3 (VLAN20)

FW Secondary WAN1 --> Sw2 port 2 (VLAN10)

FW Secondary WAN2 --> Sw2 port 3 (VLAN20)

 

Make sure your trunk allows both VLANs

 

HTH

d

3898
0 Kudos
boozely25
New Contributor
In response to dmcquade

Created on ‎02-16-2018 08:52 AM

Is there a way to do this without vlans?

3898
0 Kudos
dmcquade
New Contributor III
In response to boozely25

Created on ‎02-19-2018 04:58 PM

You don't need VLANs if each switch is dedicated to the ISP connected.

Primary Firewall WAN1 --> Switch1

Primary Firewall WAN2 --> Switch2

Secondary Firewall WAN1 --> Switch1

Secondary Firewall WAN2 --> Switch2

 

HTH

d

3898
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.