FortiGate
Article Id 191336

 

Description

 

This article describes the recommended Spanning Tree Protocol settings for network switches connected to an HA cluster.

 

Maximum age: the time that a bridge stores a spanning tree bridge protocol data unit (BPDU) before discarding it. A maximum age of 20 seconds means it may take 20 seconds before the switch changes a port to the listening state.

 

Forward delay: the time that a connected port stays in each of the listening and learning states.

A forward delay of 15 seconds assumes a maximum network size of seven bridge hops, a maximum of three lost BPDUs and a hello interval of 2 seconds.

 

Solution

 

 

For an active-active HA cluster to be compatible with the spanning tree algorithm, the FGCP (FortiGate Clustering Protocol) requires that the sum of maximum age and forward delay be less than 20 seconds.

The maximum age and forward delay settings are designed to prevent layer 2 loops.

If there is no possibility of layer 2 loops in the network, the forward delay can be reduced to its minimum value.

 

For some Dell 3348 switches the default maximum age is 20 seconds and the default forward delay is 15 seconds.

In this configuration the switch cannot work with a FortiGate HA cluster. However, the switch and cluster are compatible if the maximum age is reduced to 10 seconds and the forward delay is reduced to 5 seconds.
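The FGCP rule above, together with the port-state timing from the Description section, can be checked before the switch is reconfigured. The following is an added example, not part of the article and not Fortinet or Dell code: it evaluates a pair of STP timers against the FGCP sum rule, computes the worst-case reconvergence time implied by the timer definitions (max age, then listening and learning for one forward delay each), and additionally warns when a pair falls outside the parameter relationship IEEE 802.1D-1998 (clause 8.10.2) requires, which some switches enforce when the values are entered. The `StpTimers` class and function names are this example's own; the two timer pairs are the Dell 3348 values from the article.

```python
"""Check STP timer settings against the FGCP rule described in the article.

Added example. The rule (max age + forward delay < 20 s) and the two
Dell 3348 timer pairs come from the article; the parameter relationship
checked in ieee_8021d_warnings() is from IEEE 802.1D-1998 clause 8.10.2.
"""
from dataclasses import dataclass

# FGCP requires max_age + forward_delay to be strictly below this many seconds.
FGCP_TIMER_SUM_LIMIT = 20


@dataclass(frozen=True)
class StpTimers:
    max_age: int         # seconds a bridge keeps a stored BPDU before discarding it
    forward_delay: int   # seconds a port spends in each of listening and learning
    hello_time: int = 2  # seconds between BPDUs from the root bridge (802.1D default)


def fgcp_compatible(t: StpTimers) -> bool:
    """True when the timers satisfy the FGCP rule from the article."""
    return t.max_age + t.forward_delay < FGCP_TIMER_SUM_LIMIT


def worst_case_reconvergence(t: StpTimers) -> int:
    """Seconds from a silent upstream failure until a blocked port forwards.

    The stored BPDU must first age out (max_age); the port then passes
    through listening and learning (forward_delay each) before forwarding.
    """
    return t.max_age + 2 * t.forward_delay


def ieee_8021d_warnings(t: StpTimers) -> list[str]:
    """Warnings for timer pairs outside the 802.1D-1998 relationship
    2*(forward_delay - 1) >= max_age >= 2*(hello_time + 1).
    Switches that enforce it reject such values, so check the platform."""
    warnings = []
    lower = 2 * (t.hello_time + 1)
    upper = 2 * (t.forward_delay - 1)
    if t.max_age < lower:
        warnings.append(f"max_age {t.max_age} < 2*(hello_time+1) = {lower}")
    if t.max_age > upper:
        warnings.append(f"max_age {t.max_age} > 2*(forward_delay-1) = {upper}")
    return warnings


def assess(t: StpTimers) -> dict:
    """Summary a change ticket for the switch would want to record."""
    return {
        "fgcp_compatible": fgcp_compatible(t),
        "timer_sum": t.max_age + t.forward_delay,
        "reconvergence_seconds": worst_case_reconvergence(t),
        "ieee_8021d_warnings": ieee_8021d_warnings(t),
    }


if __name__ == "__main__":
    # Timer pairs named in the article for the Dell 3348.
    for label, timers in (("Dell 3348 default", StpTimers(20, 15)),
                          ("Dell 3348 reduced", StpTimers(10, 5))):
        print(label, assess(timers))
```

With the default 20/15 pair the sum is 35 and the check fails, as the article states; with 10/5 the sum is 15 and the FGCP rule is met, but the 802.1D relationship check emits one warning (10 exceeds 2*(5-1) = 8), so a switch that enforces that relationship may need its hello time or forward delay adjusted together rather than in isolation.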

 

Spanning Tree protocol (STP).

 

Spanning tree protocol is an IEEE 802.1 standard link management protocol for media access control (MAC) bridges.

STP uses the spanning tree algorithm to provide path redundancy while preventing undesirable loops in a network that are created by multiple active paths between stations.

Loops can be created if there is more than one route between two hosts.

To control path redundancy, STP creates a tree that spans all of the switches in an extended network.

Using the information in the tree, the STP can force redundant paths into a standby, or blocked, state.

The result is that only one active path is available at a time between any two network devices (preventing looping).

Redundant links are used as backups if the initial link should fail.

 

Without spanning tree in place, it is possible that two connections may be simultaneously live, which could result in an endless loop of traffic on the network.

 

Bridge Protocol Data Unit (BPDU).

 

BPDUs are spanning tree data messages exchanged between switches within an extended network.

BPDU packets contain information on ports, addresses, priorities and costs, and ensure that the data ends up where it was intended to go.

BPDU messages are exchanged across bridges to detect loops in a network topology.

The loops are then removed by shutting down selected bridge interfaces and placing redundant switch ports in a backup, or blocked, state.
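The fields listed above (bridge addresses, priorities, path cost, port identifier) and the timers from the Description section are all carried in every 802.1D configuration BPDU, so the values a switch actually advertises can be read straight off the wire. The following is an added example, not code from the article or from Fortinet: it decodes the 35-byte configuration BPDU body (the part after the 802.2 LLC header in a frame sent to 01:80:c2:00:00:00) and converts the timer fields from their 1/256-second encoding. The sample BPDU bytes are constructed for this example, with a made-up bridge MAC and the default 20 s / 2 s / 15 s timers; the function names are this example's own.

```python
"""Decode an IEEE 802.1D configuration BPDU and read the timers it carries.

Added example. Layout per 802.1D: protocol id (2), version (1), type (1),
flags (1), root id (8), root path cost (4), bridge id (8), port id (2),
then message age, max age, hello time and forward delay (2 bytes each,
units of 1/256 second). The sample bytes below are constructed, not captured.
"""
import struct

BPDU_FORMAT = ">HBBB8sI8sHHHHH"           # big-endian, 35 bytes
BPDU_LEN = struct.calcsize(BPDU_FORMAT)
CONFIG_BPDU = 0x00                        # configuration BPDU type
TCN_BPDU = 0x80                           # topology change notification type
FLAG_TOPOLOGY_CHANGE = 0x01
FLAG_TOPOLOGY_CHANGE_ACK = 0x80
FGCP_TIMER_SUM_LIMIT = 20                 # seconds, rule from the article


def _bridge_id(raw: bytes) -> tuple[int, str]:
    """Split an 8-byte bridge id into (priority, mac)."""
    priority = int.from_bytes(raw[:2], "big")
    mac = ":".join(f"{b:02x}" for b in raw[2:])
    return priority, mac


def parse_config_bpdu(payload: bytes) -> dict:
    """Decode a configuration BPDU body; raises ValueError on anything else."""
    if len(payload) < BPDU_LEN:
        raise ValueError(f"BPDU too short: {len(payload)} < {BPDU_LEN} bytes")
    (proto, version, bpdu_type, flags, root, cost, bridge, port_id,
     msg_age, max_age, hello, fwd_delay) = struct.unpack(BPDU_FORMAT, payload[:BPDU_LEN])
    if proto != 0:
        raise ValueError(f"unexpected protocol identifier {proto:#06x}")
    if bpdu_type != CONFIG_BPDU:
        # A TCN BPDU is only 4 bytes and carries no timers or identifiers.
        raise ValueError(f"not a configuration BPDU (type {bpdu_type:#04x})")
    root_priority, root_mac = _bridge_id(root)
    bridge_priority, bridge_mac = _bridge_id(bridge)
    return {
        "version": version,
        "topology_change": bool(flags & FLAG_TOPOLOGY_CHANGE),
        "topology_change_ack": bool(flags & FLAG_TOPOLOGY_CHANGE_ACK),
        "root_priority": root_priority,
        "root_mac": root_mac,
        "root_path_cost": cost,
        "bridge_priority": bridge_priority,
        "bridge_mac": bridge_mac,
        "port_id": port_id,
        # Timer fields are encoded in 1/256 s units.
        "message_age": msg_age / 256,
        "max_age": max_age / 256,
        "hello_time": hello / 256,
        "forward_delay": fwd_delay / 256,
    }


def fgcp_compatible_bpdu(bpdu: dict) -> bool:
    """Apply the article's FGCP rule to the timers the root bridge advertises."""
    return bpdu["max_age"] + bpdu["forward_delay"] < FGCP_TIMER_SUM_LIMIT


# Constructed sample: root = local bridge, priority 32768, MAC 00:11:22:33:44:55,
# path cost 0, port id 0x8001, message age 0, timers 20 s / 2 s / 15 s.
SAMPLE_CONFIG_BPDU = bytes.fromhex(
    "0000" "00" "00" "00"            # protocol id, version 0, config type, flags
    "8000001122334455"               # root bridge id
    "00000000"                       # root path cost
    "8000001122334455"               # sending bridge id
    "8001"                           # port id
    "0000" "1400" "0200" "0f00"      # msg age, max age, hello, forward delay
)

if __name__ == "__main__":
    decoded = parse_config_bpdu(SAMPLE_CONFIG_BPDU)
    for key, value in decoded.items():
        print(f"{key:>20}: {value}")
    print("FGCP compatible:", fgcp_compatible_bpdu(decoded))
```

Comparing the decoded `max_age` and `forward_delay` with the values entered on the switch confirms that the root bridge, not just the locally configured switch, is advertising timers that meet the FGCP rule, since non-root bridges use the root's timers.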

 
