Hello,
I am trying to learn more about this type of scenario, so any help would be appreciated.
I want to provide internet connectivity for 4 adjacent buildings that can be connected together either by running fiber or over the air with antennas.
I was thinking of using two different ISPs, one in each of the 2 main buildings selected.
The goal is to have building 1 serving building 3 and building 2 serving building 4, but in case of an issue with one of the main buildings' ISP connections, operation would continue, provided by the other main building (for example, building 1 would serve building 4 in case of a building 2 failure).
From my reading so far, I am trying to implement an active-active high availability scenario with policy-based routing, or I might be wrong! Should I go with VRRP or OSPF?
Can someone provide me guidance to achieve the best deployment possible in this type of scenario? Thanks.
Hi,
In any HA mode, active-active or active-passive, the units must have an identical setup. It is not advisable to keep the ISP1 link connected to only one device and the ISP2 link connected to a different device. Once you have an identical setup made, then you may route traffic from one building through one ISP and fall back to the second ISP if the primary ISP fails, and vice versa.
best regards,
Jin
Created on 08-21-2024 12:46 PM Edited on 08-21-2024 01:04 PM
Thanks for the reply!
So even in a distributed HA, should geographically separated firewalls have the same ISP link, or does keeping the same ISP not matter? Also, why can we not do active-active with PPPoE?
Hello,
It is also present in the documentation. Reference:
https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/357558/ha-active-active-clus...
An A-A cluster supports interfaces in DHCP mode, but not interfaces in PPPoE mode. If an interface is in PPPoE mode, then the Active-Active option will not appear in the Mode selection.
Thanks for the reply, but I do not get my questions answered :)
So no matter which ISP the internet connection is coming from, if I want to do active-active, I need to have two links on both sides?
Hello,
For active-active you need the ISP link connection on both of your firewalls.
For multiple ISP links, please refer to the document:
https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/23145/sd-wan-with-fgcp-ha
Created on 08-30-2024 02:19 PM Edited on 08-30-2024 02:23 PM
The reason is that in A-A FGCP HA, every new session has to come through the primary unit, regardless of where it is coming from (ISP1, ISP2, or the LAN side). Only after that can some sessions be delegated to the secondary units, as depicted in the packet flow diagram below:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-HA-A-A-cluster-3-way-TCP-handsha...
Toshi
So this type of scenario would make more sense?