Created on 02-24-2025 07:24 AM, edited on 02-24-2025 07:34 AM by Jean-Philippe_P
The method of assigning VLANs created in each VDOM to a single LAG for communication.
Hello, I am a new network engineer from Japan and would like to hear your thoughts on a problem I am facing. I am conducting communication tests with two FortiGate 100F devices in HA active/passive configuration. In addition, I have created four VDOMs and configured two Vclusters.
- Vcluster 1: root, VDOM1
- Vcluster 2: VDOM2, VDOM3, VDOM4
(This is the composition.)
The priority settings are as follows:
- Active device: Vcluster 1 (priority 200), Vcluster 2 (priority 100)
- Passive device: Vcluster 1 (priority 100), Vcluster 2 (priority 200)
(Example: Active device settings)
config system ha
    set group-id 1
    set group-name "FW-HA"
    set mode a-p
    set password ENC xxxxxxxxx
    set hbdev "ha1" 50 "ha2" 50
    set session-pickup enable
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "VLAN10"
        next
    end
    set vcluster-status enable
    config vcluster
        edit 1
            set override disable
            set priority 200
            set monitor "x1" "x2"
            set vdom "VDOM1" "root"
        next
        edit 2
            set override disable
            set priority 100
            set monitor "x1" "x2"
            set vdom "VDOM2" "VDOM3" "VDOM4"
        next
    end
end
We also configured a LAG using interfaces x1 and x2 and assigned the VLANs created for each VDOM to the LAG interface. The LAG interface is the interface used to communicate with the downstream switch. Inter-VDOM routing is not implemented in this test.
Currently all firewall policies are set to allow all traffic for the test phase. However, when I run the test without HA (standalone mode), I can ping successfully, but when I enable HA the ping fails and does not pass.
Can someone explain why this is happening? Also, if there is any misconfiguration in my setup, I would appreciate your suggestions. I don't speak English fluently, so if any part of this explanation is unclear, please feel free to ask. Thank you very much for your help.
Labels: FortiGate, High Availability, VDOM
I haven't done vcluster myself with HA. But based on the mechanism of how it would work, described here:
https://docs.fortinet.com/document/fortigate/7.4.7/administration-guide/599385/ha-virtual-cluster-se...
I think the parent/physical interface and the VLAN interfaces have to be in the same vcluster. Because if the VDOM (likely root now) that the LAG interface belongs to is active on the HA-A unit, all VLANs on the LAG work if the other VDOMs are active on the same HA-A unit side. Meanwhile, for the VDOMs active on the HA-B unit side, the LAG interface in the root VDOM is NOT active and doesn't pass traffic. So all VDOM VLANs on the LAG wouldn't operate.
And the HA heartbeat connection is not designed to pass user traffic. It carries only config sync and session sync (if you didn't separate them) and the negotiation of the primary role.
It's described below as a 7000E limitation. But I don't think it's limited to this particular model.
https://docs.fortinet.com/document/fortigate/7.6.2/fortigate-7000e-administration-guide/792343/virtu...
I guess that's why I never used vclustering.
Toshi
Dear Toshi_Esumi,
I hope this message finds you well.
Thank you very much for your response.
If I understand correctly, I can achieve communication by assigning the VLAN of each VDOM to the LAG without using Vcluster, is that correct?
I apologize for my lack of knowledge, but I would greatly appreciate your response.
Yes, of course. That's the same situation as when you run one of them standalone. All VDOMs that are using the LAG (in the root VDOM?) need to fail over to the secondary when the root VDOM fails over.
Toshi
Thank you for your response.
Since the Vcluster and LAG configurations are based on the customer's requirements, I would prefer not to change them too much. Do you have any alternative suggestions?
Also, I performed a communication test after removing the Vcluster earlier, and now I'm seeing VLANs within the same VDOM that can ping and others that cannot. Additionally, when I bring down either the x1 or x2 port of one of the FortiGates, all VLANs start to work again.
Could this be an issue with the LAG configuration rather than the Vcluster?
Created on 02-25-2025 05:32 PM, edited on 02-25-2025 05:34 PM
Not sure why your customer is demanding the vclustering. But to satisfy the requirement literally, you could just have another LAG (LAG2) in, say, a "root2" VDOM, then put all VLANs from the second group of VDOMs on it, then set them up as the second vcluster including root2. That way both vclusters would have an active physical connection to go outside from each -A and -B unit at the same time.
Then you could terminate those two LAGs from one unit (four LAGs in total from the two units) at one switch (or a cluster of switches) to combine/aggregate them, then connect to wherever you want to connect those VLANs to. Actual traffic from one VLAN would be carried over one LAG at a time.
It requires everything doubled, cabling and ports (like (2-port LAG) x 2 x 2 units = 8 ports/cables to the same switch), to manage, but at least it would satisfy the requirement. To me it's wasteful and difficult to manage for no particular added benefit, so I would never do that myself.
Toshi
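As an added illustration of the layout suggested in this reply, and of the rule from the earlier reply that a VLAN's parent LAG must fail over together with the VDOMs that use it, here is a FortiOS-style configuration sketch. It is not configuration from either poster; the port names x3/x4, the VDOM name "root2", the LAG names and the VLAN IDs are assumptions chosen for the sketch.

```fortios
# Added example (not from the thread): each LAG is owned by the VDOM that
# anchors its vcluster, so every VLAN's parent interface moves to the same
# unit as the VDOMs carrying that VLAN. Ports x3/x4, VDOM "root2", LAG names
# and VLAN IDs are assumed for illustration.
config global
    config system vdom
        edit "root2"
        next
    end
    config system interface
        # LAG1 stays in root (vcluster 1) and carries the VLANs of root/VDOM1
        edit "LAG1"
            set vdom "root"
            set type aggregate
            set member "x1" "x2"
        next
        edit "VLAN11"
            set vdom "VDOM1"
            set interface "LAG1"
            set vlanid 11
        next
        # LAG2 lives in root2 (vcluster 2) and carries the VLANs of VDOM2-4
        edit "LAG2"
            set vdom "root2"
            set type aggregate
            set member "x3" "x4"
        next
        edit "VLAN12"
            set vdom "VDOM2"
            set interface "LAG2"
            set vlanid 12
        next
        # VLAN13 (VDOM3) and VLAN14 (VDOM4) follow the same pattern on LAG2
    end
    config system ha
        set vcluster-status enable
        config vcluster
            # vcluster 1 owns LAG1, so it monitors only LAG1's member ports
            edit 1
                set priority 200
                set monitor "x1" "x2"
                set vdom "root" "VDOM1"
            next
            # vcluster 2 owns LAG2 and monitors only LAG2's member ports
            edit 2
                set priority 100
                set monitor "x3" "x4"
                set vdom "root2" "VDOM2" "VDOM3" "VDOM4"
            next
        end
    end
end
```

On the secondary unit the two priorities are swapped (100 for vcluster 1, 200 for vcluster 2), exactly as in the original post. The point of the sketch is the pairing: the VDOM that owns a LAG and every VDOM whose VLANs ride on that LAG are listed in the same vcluster, and each vcluster monitors only its own LAG's ports, so a link failure on LAG2 triggers a failover of vcluster 2 without dragging vcluster 1 along with it.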
