Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Hari122939_
New Contributor

Created on ‎05-24-2025 12:26 AM

Request for Guidance: Connecting Cisco C9300L Stack to FortiGate 100F in HA(Active-Passive) Mode

Hello Team,

                 We are deploying two FortiGate 100F firewalls in an Active-Passive High Availability (HA) configuration with a Stack of two Cisco Catalyst 9300L switches. One of the LAN interfaces(Port 3 & Port 4) will be configured with LACP for link aggregation in the Firewalls. Below the firewalls, we have a stack of two Cisco Catalyst 9300L switches, in the Firewalls Port1 & Port2, with WAN ISPs(JIO & AIRTEL) links.

                 Considering our network topology, we are seeking your best failover guidance on the best practices to connect a Cisco C9300L stack to Active-Passive (High Availability) FortiGate 100F firewalls. We are attaching a proposed network diagrams for reference.Network Topology.JPG

                 Your input on the configuration and uplink design would be greatly appreciated.

 

 

Labels:
310
0 Kudos
2 REPLIES 2
funkylicious
SuperUser
SuperUser

Created on ‎05-24-2025 06:51 AM Edited on ‎05-24-2025 06:51 AM

 i would go with plan A even tho the whole switch will go down, i would not want the isolate/take out a working equipment and not do anything.

as for the ISP, assuming that they also go in the stack then it would be easier to just move the cable from one sw to another in order to regain connectivity to a better uplink ( if its the case ).

"jack of all trades, master of none"
"jack of all trades, master of none"
264
0 Kudos
Toshi_Esumi
SuperUser
SuperUser

Created on ‎05-24-2025 07:48 AM

It's not about FGT HA in the two scenarios, but it's about the purpose of Catalyst stacking. Because if you add the LAN side in HA monitoring interface in addition to the WAN side, the FGT1 would failover when the SW1 goes down.
However, the problem situation occurs when FGT1 and SW2 (or FG2 and SW1) have problem at the same time in plan B. The bottom line is when you "stack" switches, all LAG/LACP connections terminated at the switches should be split to two member switches. That's the one of two main purposes of stacking switches.

Toshi

248
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.