Good day
I need to implement a VLAN network as my client will be looking to have his network made a little more redundant with a failover from HO to Branch with a Fibre Optic cable between. He wants this to be a failover for internet too so that if Head Office primary ISP goes down, then all traffic will use this connection.
The switch that he will use will also be used at a later stage for multiple other offices to connect to.
They are using a Fortigate 200D (HA) which will connect to a new Cisco 2960 -> Direct Connection from there to the Fortigate at the branch Office (it's across the road). Is it difficult to set up VLANs on a Fortigate?
I have done VLANs over 6 years ago on Cisco devices but never Fortigate.
Another point to mention is that there will be a microwave link between the offices that will be used as a 3rd failover. This will be connected to the switch.
Will I need to create two separate VLANs (one for the first failover, and the other for the second)?
Can a SD-WAN be used if you are using VLAN interfaces?
Should I create a site-to-site IPSec VPN (Using On Demand) for the third Microwave Link Failover?
I have drawn up a small diagram on this to try and get a better view on this.
Looking forward to some ideas and suggestions on this.
Regards,
Marty
Hi Marty, welcome to the forums.
I'll guess you're using FortiOS 5.6?
VLANs on FortiGates are created as sub-interfaces on a physical interface, aggregate, or FortiGate (hardware/software) switch interface. They're relatively simple. One important thing to note is that in most cases the FortiGate's VLAN interfaces are tagged only, not untagged/native, so your connected switch or other device will need to support that.
I think you'll want to control your own failover more fully and so wouldn't want SD-WAN, but that depends on your needs. I describe failover cases below.
You'll need to create link-monitor objects to determine if a link is down and have available routes in your (static?) routes that provide the route out the backup links. See http://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-networking/Interfaces/Dual%20Internet... for an example.
I would recommend having your routes and backup routes with the same distance but different priorities, so that all those routes stay in the routing table and are available (until the link-monitor removes one that references an interface that is down). The route with the "highest" priority (lowest number) will be used.
See https://cookbook.fortinet.com/redundant-internet-basic-failover-56/ for an example with the same distance but different priorities.
Regarding an IPsec VPN over the microwave link, unless it's already encrypted/secured I assume you would need something like that to keep things secure. The admin guide and cookbook articles list out most of the VPN details you'll need, though you may need to dig through the forums for details on doing it with certificates.
Hope this helps!
Another reason to have multiple routes with the same distance but different priorities is that you can then create policy routes that override the highest priority route to route more specific traffic over any of those routes (with same distance but different priorities) based on things like source, protocol, etc.
Thanks for this.
You have really given me a better idea on this.
Can I implement link monitoring for 3 interfaces? Can I have routing done on all 3 with different priorities so that if ever the first two fail then the microwave link will kick in as the new default route? If so, then this can be used instead of the IPSec VPN that I originally wanted to use.
They want the most redundant network failover with hardly any need for an engineer to be onsite to change cables or routers, etc.
I haven't set up failover with three separate interfaces, link monitors, and routes, but I think it should work fine.
I would make sure you test it by initially having the IPs you ping be local servers you control so you can stop them responding to the ping and watch how the failover progresses, and how things get restored back onto the higher priority route when you allow those servers to respond to ping again. Note that existing sessions won't be automatically switched off the backup route to the restored route, just new sessions.