Jorisboth
New Contributor

Wan failover to same ISP

I've got a datacenter setup where I've got two uplinks. One uplink goes to the Corerouter-A and the other goes to the Corerouter-B. Both of them are managed by my ISP and they are running VRRP to make sure only one link is up at a time.

How do I connect this to my FortiGate 100D router? I've already added two static routes to the same gateway (one for each WAN port) and configured a WAN load-balance with ping check. I'm having doubts about the second part, because my primary WAN IP address (that needs to be configured on the active WAN port) can only be set on one of the WAN ports, not both.

The IP address on the WAN port is necessary because my additional subnets are routed to this IP address.

Any help is more than welcome :). I'm new to Fortinet products but I'm loving it already!

Robin_Svanberg
Contributor

Hi,

Are the ISP routers on the same subnet? In that case you could create a software switch with the two interfaces to the ISP routers: http://help.fortinet.com/fos50hlp/52data/index.htm#FortiOS/fortigate-system-administration-52/interf...

In that case you only have one IP on the software switch and don't need to rely on ping checks, just a static route to the VRRP IP of the core routers.

BR Robin

Robin Svanberg Network Consultant @ Ethersec AB in Östersund, Sweden

robin.svanberg@ethersec.se

Dave_Hall

The thing about soft switches is that the FortiGate's own CPU has to push/copy information between the port members, which can take up a lot of CPU usage. If the 100D is capable of hard switches I would try to go that route, or place a small switch in front of the fgt.

That said, the 100D appears to have 2 shared ports, which I can assume could be used for this purpose.

 

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

Shawn_W

Great info.  Thank you.

Robin_Svanberg

True. I thought that it shouldn't be much traffic passing through the switch since it's connected to just two routers in VRRP, but a lot better using a hardware switch.

Checked one of our 100Ds and it's possible to use interfaces 1-14 in a hardware switch.

BR Robin

Robin Svanberg Network Consultant @ Ethersec AB in Östersund, Sweden

robin.svanberg@ethersec.se

Jorisboth

Ok, I've tried the software switch to see if that would work. When I connected the interfaces, the core switches detected a lot of BPDU traffic and shut down the port. It seems that we created a switch loop... I need to discuss the proper setup with our ISP. I need to keep the port on the core switch in forwarding mode, otherwise a failover would take 10 minutes or more...

What other options do I have to realize this setup?

Jorisboth
New Contributor

I've been talking to the ISP and they do have a solution for my problem. They need to adjust the uplinks so that the FortiGate joins the STP domain that they are running. Or, if the FortiGate doesn't support this, transfer the BPDUs from one link to the other (transparently).

I can't find much about STP for the FortiGate 100D, only that it is supported. What are my options here?

Jorisboth
New Contributor

*Bump*, can anyone help me?

Christopher_McMullan

I've never had to configure STP between a FortiGate and an ISP before, but what I can offer is the CLI reference guide section on STP settings.

The FortiGate can forward STP messages and/or participate (participation and forwarding are both disabled by default). From the sounds of it, the firewall would have to participate.

Review the attached page (PDF) from the OS 5.2 CLI Reference Guide, and see, based on your ISP's requirements, if the FortiGate can participate in the way they expect.

It's named as a .txt file to get around the forum filetype attachment restrictions. Just rename it to .pdf, and you should have no trouble opening it.

Regards, Chris McMullan Fortinet Ottawa
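Putting Robin's software-switch suggestion and Chris's STP-forwarding pointer together, here is an added FortiOS 5.2 CLI sketch (not from any poster or from Fortinet's own docs) of the single-IP bridge with a static route to the VRRP address. The interface names wan1/wan2, the switch name isp-sw, the 203.0.113.0/29 addresses and the VRRP gateway are placeholders, and whether `stpforward` is set on the member ports or on the switch interface should be checked against the CLI reference page Chris attached.

```fortios
# Added example: software switch bridging both ISP uplinks so one WAN IP
# serves whichever core router currently holds the VRRP address.
config system switch-interface
    edit "isp-sw"
        set type switch
        set member "wan1" "wan2"
    next
end

config system interface
    edit "isp-sw"
        # the one public IP the ISP routes the additional subnets to (placeholder)
        set ip 203.0.113.2 255.255.255.248
        set allowaccess ping
    next
    # Forward the ISP's BPDUs across the bridge. With forwarding left at the
    # default (disabled) the two core switch ports see a bridge that drops
    # BPDUs, which is what tripped the loop detection in Joris's first attempt.
    edit "wan1"
        set stpforward enable
    next
    edit "wan2"
        set stpforward enable
    next
end

# One default route to the VRRP virtual IP (placeholder); the WAN
# load-balance and ping check from the original setup are no longer needed.
config router static
    edit 0
        set dst 0.0.0.0/0
        set gateway 203.0.113.1
        set device "isp-sw"
    next
end
```

After applying it, `get router info routing-table all` should show a single default route via isp-sw, and the core switch ports should stay in forwarding state with no BPDU guard events.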

Dave_Hall

Just noticed KB#FD36384 was recently posted (or updated) this past week -- contains the same info, but geared towards the smaller fgt devices.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C