Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8552
Views
5
Helpful
6
Replies

Best way to connect 3650 stack to Fortigate 300D HA

Go to solution
Joel Melashenko
Level 1
Level 1

‎08-03-2018 09:47 AM - edited ‎03-08-2019 03:49 PM

I am attempting to implement a Fortigate 300D HA scenario.  Currently there are 2 Cisco 3650 in an active-standby stacked configuration.  Currently, this stack connects to the LAN port on a single Fortigate 300D.  The configuration of the switch port is shown below:

 

interface gigabitethernet1/0/2
description ***uplink to fortinet internet fw***
no switchport
ip address 192.168.31.2 255.255.255.252
no cdp enable

 

Question:  How do I best connect a port on each 3650 in this stack to port 1 (LAN) on each Fortigate 300D in the proposed HA (Active-passive) cluster?

 

Is it best to create a vlan (31), make port 1/0/2 and 2/0/2 a member of the vlan (31), and give vlan 31 the address of the current port connected to the Cisco stack?

 

I will attach a proposed network diagram

 

I believe I have the Fortigate HA piece figured out, but would appreciate input on how best to connect the 3650 stack to the 2 Fortigate 300Ds given that they will be the gateway to the default route to the Fortigate 300D

 

Thanks in advance for your input.

Labels:
Preview file
98 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Deepak Kumar
VIP Alumni
VIP Alumni

‎08-04-2018 12:03 AM

Greeting.

 

As per your network diagram, L3 port-channel will not work for you becuase In HA configuration due to load balancing behaviour of a port channel. Fortigate will not accept any packet on the secondary/backup device there is no matter that it is active-passive or active-active.

 

My suggestion to go with L2 to port-channel with VLAN. One port-channel for Active FortiGate and second for the secondary FortiGate.

But keep in mind that by default FortiGate will not monitor Port-Channel's ports status. You must configure a command under the Fortigate LACP configuration "Set minimum link 2".

 

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Reza Sharifi
Hall of Fame
Hall of Fame

‎08-03-2018 10:21 AM

Not sure if Fortigate support vlan (layer-2), if not I think you can bundle ports 1/0/2 and 2/0/2 using a Portchannel and use LACP with IPs (layer-3).

HTH

0 Helpful

Go to solution
Joel Melashenko
Level 1
Level 1
In response to Reza Sharifi

‎08-03-2018 02:39 PM

Hi Reza, thanks for your suggestions.  I'll check to see if Fortigate will support Vlan.  Would you make the port channel (LACP) in a vlan (31 in my example) or do you simply give the port channel the address itself?

 

Thanks for your help!

0 Helpful

Go to solution
Reza Sharifi
Hall of Fame
Hall of Fame
In response to Joel Melashenko

‎08-03-2018 05:09 PM

Hi,

I would simply add the physical interfaces to a Portchannel and give it an address (one IP for each side of the Portchannel).  Also, LACP is standard and supported almost by all vendors.

HTH

Go to solution
Deepak Kumar
VIP Alumni
VIP Alumni

‎08-04-2018 12:03 AM

Greeting.

 

As per your network diagram, L3 port-channel will not work for you becuase In HA configuration due to load balancing behaviour of a port channel. Fortigate will not accept any packet on the secondary/backup device there is no matter that it is active-passive or active-active.

 

My suggestion to go with L2 to port-channel with VLAN. One port-channel for Active FortiGate and second for the secondary FortiGate.

But keep in mind that by default FortiGate will not monitor Port-Channel's ports status. You must configure a command under the Fortigate LACP configuration "Set minimum link 2".

 

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
0 Helpful

Go to solution
Joel Melashenko
Level 1
Level 1
In response to Deepak Kumar

‎08-05-2018 06:44 PM

Thanks so much for the detailed answer Deepak.  I will test your config suggestion once I'm back at work.  Appreciate your help!


~Joel

0 Helpful

Go to solution
Chris McCann
Level 1
Level 1
In response to Joel Melashenko

‎09-13-2021 08:28 AM

did you solve this problem ?

0 Helpful
Customers Also Viewed These Support Documents