Nexus and Firewall - Full Mesh connectivity

Hello Everyone,

I need help from the experts.

There are two Nexus 9508 switches and two Fortinet firewalls. I am running vPC on the Nexus 9508 switches, and the firewalls need to be connected northbound in a full mesh topology, i.e. each Nexus switch should have a connection to each firewall.

These firewalls will be in active/standby mode, so the inside and outside interface IP addresses will be the same on the primary and secondary firewall. Once the active one goes down, the secondary will take over.

Attached is the design.

My question is: what should the link type between the firewall and the Nexus be (L3 or SVI)? Should the ports be in a port channel or not (port channel with vPC or without vPC)?

Kindly advise.

1 Accepted Solution

Reza Sharifi
Hall of Fame

Hi,

I have not done this with Fortinet firewalls, but if you can aggregate multiple interfaces on the firewall to look and act as one logical port, you can create two port channels; each port channel will have two links in it (one from each 9508). You can then put all 4 links in a /29 or /28, all in one VLAN.

Example:

vlan 200

192.168.1.0/28

nexus-1 port e1/1 and nexus-2 port e1/1 (po20), one IP

nexus-1 port e2/1 and nexus-2 port e2/1 (po30), one IP

Connect all these links to the firewalls and give it one IP.

HTH

4 Replies

Thanks for your input, Reza.
In addition to your solution above, the port channels should also be in a vPC so that the firewall can see both Nexus switches as a single switch.

I tested the solution between a Nexus 9K and a FortiGate 1200D firewall and everything works fine. On the Nexus switches I created two vPCs, and on the Fortinet firewall I created LACP port channels.

Nexus 1 - Port 1 - connecting to FW1 - in vPC 17

Nexus 1 - Port 2 - connecting to FW2 - in vPC 18

Nexus 2 - Port 1 - connecting to FW1 - in vPC 17

Nexus 2 - Port 2 - connecting to FW2 - in vPC 18

Based on the above vPC concept, the firewall will see both ports from Nexus 1 and Nexus 2 that are in vPC 17 as a single port channel. Once we create a port channel on the FortiGate for the ports coming from Nexus 1 and Nexus 2 that are in vPC 17, it will act as a single virtual bundled link. The same applies to the port channel for vPC 18.

Attached are the configs for Nexus SW 1 and SW 2.
On the FortiGate we just have to create the port channel (802.3ad) on the primary, and the same will be replicated on the secondary.
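The attached configs are not part of this page, so the following is an added example (not the poster's or Cisco's/Fortinet's own configuration) of the design described above: on Nexus 1, vPC 17 and vPC 18 as LACP port channels toward FW1 and FW2, carrying only the transit VLAN 200 from Reza's example, plus the matching 802.3ad aggregate on the FortiGate primary. The vPC domain id, peer-keepalive addresses, SVI address and FortiGate port names are constructed assumptions.

```text
! Nexus 1 (Nexus 2 mirrors this except the peer-keepalive addresses and
! the SVI address). Addresses, domain id and port names are constructed.
feature lacp
feature vpc
feature interface-vlan

vlan 200
  name FW-TRANSIT

vpc domain 10
  peer-keepalive destination 10.0.0.2 source 10.0.0.1 vrf management

interface port-channel1
  description vPC peer-link to Nexus 2 (member ports omitted)
  switchport mode trunk
  vpc peer-link

interface port-channel17
  description vPC 17 - both Nexus to FW1, seen by FW1 as one LACP bundle
  switchport access vlan 200
  vpc 17

interface port-channel18
  description vPC 18 - both Nexus to FW2
  switchport access vlan 200
  vpc 18

interface Ethernet1/1
  switchport access vlan 200
  channel-group 17 mode active

interface Ethernet1/2
  switchport access vlan 200
  channel-group 18 mode active

interface Vlan200
  no shutdown
  ip address 192.168.1.2/28

# FortiGate primary (HA config sync replicates it to the standby): one
# 802.3ad aggregate whose members are the links from Nexus 1 and Nexus 2.
config system interface
    edit "agg-nexus"
        set type aggregate
        set member "port1" "port2"
        set lacp-mode active
        set ip 192.168.1.1 255.255.255.240
    next
end
```

Keeping the firewall-facing port channels as access ports in the single transit VLAN limits what the firewall link can reach to that one subnet; `show vpc` and `show port-channel summary` on each Nexus confirm both member ports are bundled and the vPC is up.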

Hi,

I have this problem too. We are planning a network redesign, separating the user farm and the server farm by placing a FortiGate 600D between the switches.

We have two new Nexus 3548X switches that need to connect to the FortiGates (HA active and standby).

We have 20-plus VLANs configured in the new switches.

If I connect the new Nexus switches to the FortiGates, do I need to use an access port or a trunk port? Can you please help in this case?

VLAN 1 is my default and network management VLAN.

Connectivity is like below.

nexus-1 port e1/1 and nexus-2 port e1/1 (po20) to Fortigate-01

nexus-1 port e2/1 and nexus-2 port e2/1 (po30) to Fortigate-02

Thank you,

Srikanth

Hi Reza,

I have a similar case, but I have limited 10G interfaces on the FortiGate 601E firewall.

Does this connectivity work, with or without vPC?

nexus-1 port e1/1 connected to FW-1

nexus-2 port e1/1 connected to FW-2

Thanks
