We use FG60Dx2 in HA (a-p) at our office. We have a set of Cisco switches with four trunk ports for the FGs; two (one for WAN, another for LAN) coming from each FG. All IPs are configured only on VLAN subinterfaces at the FGs, and the Cisco switches handle VLAN spanning and access ports for non-VLAN devices.
If they are a stack and don't support LACP, then you probably can't use LACP for an HA measure?
What's your access-layer layer 3 structure? What's the local LAN gateway's next hop (FGT or SWITCH)?
What I've done is use layer 3 at the L3 switch and run a dynamic routing protocol (BGP/OSPF), and you adjust the metric for the link you want.
Look at this diagram
PCNSE
NSE
StrongSwan
The two downlinks that have different metrics will be cabled to each stack member as a physical link, if that's not obvious; the layer 3 router will send and receive ALL traffic over that link to avoid asymmetrical routing.
And only one FGT is active; this works for near sub-second failover if the FGT200 fails or links are unplugged.
VRRP is used at the local LAN NET01/02/03 to provide LAN access, and a combination of ip sla and track ensures you control master/standby at the Cisco l3-sw-SVI.
PCNSE
NSE
StrongSwan
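A sketch of the VRRP plus ip sla/track arrangement described in the reply above, as an added example that is not the poster's configuration. The VLAN numbers, the addresses (documentation ranges), the group and object numbers, and the choice of probe target are all assumptions.

```cisco
! --- Preferred L3 switch (constructed values throughout) ---
! Probe an upstream address reached through the firewall path.
! 198.51.100.1 is a placeholder for whatever next hop you depend on.
ip sla 10
 icmp-echo 198.51.100.1 source-interface Vlan900
 frequency 5
ip sla schedule 10 life forever start-time now
!
! Track object follows the probe; the delay damps flapping so the
! gateway role does not bounce on a single lost probe.
track 10 ip sla 10 reachability
 delay down 2 up 30
!
! SVI for one local LAN (NET01 assumed to be VLAN 10).
interface Vlan10
 description NET01
 ip address 192.0.2.2 255.255.255.0
 vrrp 10 ip 192.0.2.1
 vrrp 10 priority 110
 vrrp 10 preempt
 ! Probe failure drops priority to 90, below the peer's 100,
 ! so the peer takes over as VRRP master for this LAN.
 vrrp 10 track 10 decrement 20
!
! --- Peer L3 switch ---
interface Vlan10
 description NET01
 ip address 192.0.2.3 255.255.255.0
 vrrp 10 ip 192.0.2.1
 vrrp 10 priority 100
 vrrp 10 preempt
```

After applying, `show vrrp brief` and `show track 10` on each switch confirm which side holds the master role and whether the probe is up.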
Copyright 2024 Fortinet, Inc. All Rights Reserved.