topic SDA Border Node Connection to HA Fusion in Software-Defined Access (SD-Access)

SDA Border Node Connection to HA Fusion

pinglis — Tue, 24 Feb 2026 10:44:52 GMT

We are working on the design for an SD Access deployment and I have a question about border node configuration.

Our typical WAN connectivity is via a pair of high availability FortiGate Firewalls. These will act as the Fusion device. In a HA configuration the firewall appear as a single device and share the same configuration (IPs, BGP etc.) so while we have physical redundancy effectively there is a single Fusion device.

On the Fabric side the border node will typically be a stack of switches and the FortiGate's will be physically connected to different members. So again physical redundancy but a single Border node.

The set up is illustrated below.

My questions is how do I configure the interface that links to the second firewall?

Catalyst Center does seem to allow me to add it as part of the Border Node configuration (complains about duplicate addresses).

Looking at the configuration deployed on a Border node interface its it just a basic trunk port.

Is ok to just configure the second link as a Trunk port? Or is there some other configurations required that designate it as an "exit" point from the Fabric?

Thanks

Re: SDA Border Node Connection to HA Fusion

balaji.bandi — Tue, 24 Feb 2026 11:11:20 GMT

In the Fabric Provisioning workflow, select the Port Channel as the external interface for the Border Node.

Some example reading :

https://netcraftsmen.com/securing-sd-access-traffic/

Re: SDA Border Node Connection to HA Fusion

Andrii Oliinyk — Tue, 24 Feb 2026 11:14:06 GMT

u want to configure 2nd link exactly as 1st. but are u really able to add 2nd link in BN-L3HO workflow for the same IP-transit?
finally, it's bad idea to have BN stacked as you lose hitless SWIM for site (assuming u have single pair of BN & FN there)