Nexus and FortiGate - Full Mesh

Mahson · ‎03-20-2024

Hi Everyone,

We have two nexus 9K switches need to connect to FORTIGATE Firewall (HA-Active and standby).

We have almost 30 plus VLANs configured in new switches.

If I want connect new nexus switches to fortigates, do i need to use access port or trunk port.

Can you please help in this case.

Connectivity is like below.

nexus-1 port e1/6 and nexus-2 port e1/6 (po70) TO Fortigate-01

nexus-1 port e1/7 and nexus-2 port e1/7 (po70) TO Fortigate-02

Thank you,

MHM Cisco World · ‎03-20-2024

can you more elaborate
I dont understand the network topolgy here

If I want connect new nexus switches to fortigates, do i need to use access port or trunk port. <<- this I dont get it??

MHM

Mahson · ‎03-22-2024

when I put the port-channel on LACP mode don't work but on static mode it's work fine why is that?

MHM Cisco World · ‎03-23-2024

dont worry I think I know the solution just need to check it by lab

update you tonight

MHM

MHM Cisco World · ‎03-24-2024

Cisco recommend to

No graceful <<- add under port channel for any PO connect to non-cisco device

If that not work

Share

Show lacp internal interface

Show lacp interface

Show port-channel sum

Show inter status

Thanks

MHM

Reza Sharifi · ‎03-20-2024

Hi,

If the nexus switches are later-2 only, and the firewalls will do all the routing between all VLANs, then you need to make po70 a trunk portchannel with all 30 VLANs included.

HTH

Ruben Cocheno · ‎03-20-2024

@Mahson

Trunk between FortiGate and nexus, it covers future design changes. Make sure you use VPC.

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/

balaji.bandi · ‎03-23-2024

Adding to other posts suggested.

You say mesh, then i take Nexus 9K in vPC ?

Then you configure Port-channel with vPC on nexus side, You can refer Fortigate port-bundle.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-High-Availability-basic-deployment-design/ta-p/196942

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Giuseppe Larosa · ‎03-24-2024

Hello @Mahson ,

you should use two separate port channels wth vPC enabled to connect to each of the two Fortigate Firewalls because they are in HA not a cluster.

If you use a single port-channel in on mode the Nexus using load balancing can send packets of a flow to a port on the standby FW unit that will drop them!

Take in account that in HA the standby unit will not talk and this should explain the issues that you have with LACP.

About what VLANs should be allowed on the link it depends on your security design: if you want the FWs to do all the inter VLAN routing you need a trunk port allowing all the defined VLANs.

If you perform inter VLAN routing on the Nexus you can use a dedicated VLAN for L3 routing to/from the FW.

A mixed scenario is also possible with some VLANs routed at Nexus at others routed by FWs.

Hope to help

Giuseppe

fatamakar · ‎03-25-2024

Se você usar um único canal de porta no modo ligado, o Nexus usando balanceamento de carga poderá enviar pacotes de um fluxo para uma porta na unidade FW de espera que os descartará! Leve em consideração que no HA a unidade standby não falará e isso deve explicar os problemas que você tem com o LACP. Sobre quais VLANs devem ser permitidas no link, isso depende do seu projeto de segurança: se você deseja que os FWs façam todo o roteamento entre VLANs, você precisa de uma porta de tronco que permita todas as VLANs definidas.Thank you..

https://www.rizetours.com