Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Sparh_Hsieh
New Contributor

Created on ‎12-17-2017 11:23 PM

Will this HA scenario working properly?

Hi Experts,

 

Our company is building a new environment for our customer and we are using two Fortigate 100D(s) for L3 High Availability and two L2 switches which running MLAG(Cisco concept = VPC) mechanism. Definitely, the server is connecting to those two switches by using LACP mode. So, the topology will like following diagram:

 

Those two 100D are running Active-Standby mode and my question is, In case of SW-A failure(shutdown, link down between SW-A & Active Fortigate 100D)

 

Will the traffic path like

Server --> SW-B --> Standby Fortigate 100D --HA link--> Active Fortigate 100D --> uplink network (Internet)?

 

Are there specific conditions I need to carefully. 

 

Preview file
43 KB
Labels:
10488
0 Kudos
10 REPLIES 10
Sparh_Hsieh
New Contributor

Created on ‎12-18-2017 12:23 AM

Just update some assumption from my knowledge, Maybe somebody can provide any tips to me.

 

I knew that I have to configure Monitor Port function for both Fortigate 100D devices. Thus, if SW-A is down, Active 100D will detect the Monitor Port is down, and then the HA mechanism will make the standby status as Active.

 

So, my first question is solved by this mechanism. Is it right?

However, anyone have any suggestions is welcome.

 

Thank you!

4109
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to Sparh_Hsieh

Created on ‎12-18-2017 09:43 AM

HA link is just management interface including heartbeat and forwarding config changes from the active to the standby. You can see all converstaion when you run "diag debug app hatalk -1". No user traffic would go through HA link.

And standby is standby, not processing user traffic actively while it's in standby. If you want to HA to swap-over when a link goes down, you should monitor the link in the HA config. However, if you've set up LACP with two stacked switches, even if one physical link goes down from SW-A, the active unit can still operate through another link with SW-B. So I would just monitor the aggregated link.

4109
0 Kudos
Sparh_Hsieh
New Contributor
In response to Toshi_Esumi

Created on ‎12-18-2017 05:38 PM

toshiesumi wrote:

However, if you've set up LACP with two stacked switches, even if one physical link goes down from SW-A, the active unit can still operate through another link with SW-B. So I would just monitor the aggregated link.

 

Thank you for your answer Toshi, I still a little bit confused about if we don't have LACP with two stacked switches for uplink path, just only one link connect to upper Fortigate 100D. Is it fine?

The topology is like what I posted in original thread.

 

 

 

 

4109
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to Sparh_Hsieh

Created on ‎12-18-2017 06:01 PM

I don't know what kind of switch they are, but if we stack up two switches together and use aggregated interfaces like with LACP, you want to set up one leg from one FG goes SW-A and the other leg goes SW-B so that even when SW-A completely dies, everything would work just fine with mater FG and SW-B. I'm assuming your particular stacked switch can handle that configuration.

4109
0 Kudos
Sparh_Hsieh
New Contributor
In response to Toshi_Esumi

Created on ‎12-18-2017 09:10 PM

Hi Toshi,

 

Just a simple question, if you don't have set up LACP between FGs and switches, which mean each switch only has one physical uplink cable. Will HA function of two FGs work properly? Of course, those two switches still interactives MLAG mechanism.

 

I will very appreciate if you can answer my last question.

 

Thank you!

4109
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to Sparh_Hsieh

Created on ‎12-18-2017 09:29 PM

With that given condition, only way to keep the normal operation running is to force the active(left) FG to give up the control to the standby(right) FG, a switch-over. To do that, you need to set monitoring the interface to sw-A in HA config.

4109
0 Kudos
Sparh_Hsieh
New Contributor
In response to Sparh_Hsieh

Created on ‎12-24-2017 06:14 PM

Hi Toshi,

 

Sorry, I cannot get your tips exactly, could you please provide more information to me or more explanation.

What do you mean to force the active(left) FG to give up the control to the standby(right) FG, a switch-over.

4109
0 Kudos
michaelbazy_FTNT
Staff
Staff
In response to Sparh_Hsieh

Created on ‎12-24-2017 10:46 PM

Hi Spahr,

 

I'll let Toshi explain himself with the monitor - not sure I completely understood what he meant too. Maybe an additionnal example would help.

 

However, the addition thing I'd do regarding your setup, would be to add 2 cables:

1 from SWB to active FG

1 from SWA to passive FG

 

Your setup is close to this one:

http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-high-availability-52/HA_full_meshExam...

 

The only difference is that the mentioned setup in the handbook is done using redundant interfaces. In your case I'd use lacp interfaces (lacp support starts with 100Ds).

 

Let us know!

I'm operating by "Crocker's Rules"
4107
0 Kudos
Toshi_Esumi
SuperUser
SuperUser

Created on ‎12-26-2017 08:21 AM

This is an exmaple at our office with two 60Ds. If "lan-side" interface goes down, they would swap-over and the standby 60D would take over.

 

config system ha     set group-id 254     set group-name "office-ha"     set mode a-p     set hbdev "dmz" 0     set session-pickup enable     set override disable     set monitor "lan-side" "wan-side" end

4107
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.