03-20-2024 07:58 AM
Hi Everyone,
We have two Nexus 9K switches that need to connect to a FortiGate firewall pair (HA, active and standby).
We have 30-plus VLANs configured on the new switches.
If I want to connect the new Nexus switches to the FortiGates, do I need to use an access port or a trunk port?
Can you please help in this case.
Connectivity is as below.
nexus-1 port e1/6 and nexus-2 port e1/6 (po70) TO Fortigate-01
nexus-1 port e1/7 and nexus-2 port e1/7 (po70) TO Fortigate-02
Thank you,
03-20-2024 08:03 AM - edited 03-20-2024 08:32 AM
Can you elaborate more?
I don't understand the network topology here.
"If I want to connect the new Nexus switches to the FortiGates, do I need to use an access port or a trunk port." <<- this I don't get??
MHM
03-22-2024 03:45 PM
When I put the port-channel in LACP mode it doesn't work, but in static mode it works fine. Why is that?
03-23-2024 02:31 AM
Don't worry, I think I know the solution, I just need to check it in the lab.
I will update you tonight.
MHM
03-24-2024 04:26 AM
Cisco recommends:
no graceful <<- add under the port-channel for any PO connected to a non-Cisco device
If that does not work, share:
show lacp internal interface
show lacp interface
show port-channel sum
show inter status
Thanks
MHM
03-20-2024 08:17 AM
Hi,
If the Nexus switches are layer-2 only, and the firewalls will do all the routing between all VLANs, then you need to make po70 a trunk port-channel with all 30 VLANs included.
HTH
03-20-2024 08:23 AM
Trunk between FortiGate and Nexus; it covers future design changes. Make sure you use vPC.
03-23-2024 03:08 AM
Adding to what other posts suggested.
You say mesh, so I take it the Nexus 9Ks are in vPC?
Then you configure the port-channel with vPC on the Nexus side. You can refer to the FortiGate port bundle.
03-24-2024 03:38 AM - edited 03-24-2024 03:42 AM
Hello @Mahson ,
you should use two separate port-channels with vPC enabled to connect to each of the two Fortigate firewalls, because they are in HA, not a cluster.
If you use a single port-channel in "on" mode, the Nexus, using load balancing, can send packets of a flow to a port on the standby FW unit, which will drop them!
Take into account that in HA the standby unit will not talk, and this should explain the issues that you have with LACP.
About which VLANs should be allowed on the link, it depends on your security design: if you want the FWs to do all the inter-VLAN routing, you need a trunk port allowing all the defined VLANs.
If you perform inter-VLAN routing on the Nexus, you can use a dedicated VLAN for L3 routing to/from the FW.
A mixed scenario is also possible, with some VLANs routed on the Nexus and others routed by the FWs.
Hope to help
Giuseppe
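As an added example (not posted by anyone in this thread), here is a minimal NX-OS configuration for nexus-1 that follows Giuseppe's advice (one vPC port-channel per FortiGate unit, trunked) together with MHM's "no graceful" suggestion. Port-channel 70 and interfaces e1/6 and e1/7 come from the question; port-channel 71 for the second firewall, the VLAN range 10-40 and the pre-existing vPC domain are assumptions.

```text
! nexus-1; nexus-2 mirrors this with the same port-channel and vPC numbers
! Assumption: vPC domain and peer-link between the two Nexus 9Ks already exist

! --- Port-channel 70: e1/6 on both Nexus -> Fortigate-01 (active) ---
interface port-channel70
  description vPC to Fortigate-01
  switchport
  switchport mode trunk
  ! assumed range; list the 30+ VLANs the firewalls must route
  switchport trunk allowed vlan 10-40
  ! FortiGate is a non-Cisco LACP peer
  no lacp graceful-convergence
  vpc 70

interface Ethernet1/6
  description Fortigate-01 member
  switchport
  switchport mode trunk
  ! LACP; use "mode on" only if static bundling is kept, as in the thread
  channel-group 70 mode active
  no shutdown

! --- Port-channel 71 (assumed number): e1/7 on both Nexus -> Fortigate-02 (standby) ---
! Using a separate bundle keeps load balancing from sending flows to the standby unit.
! While Fortigate-02 is standby it sends no LACP PDUs, so po71 stays down until failover.
interface port-channel71
  description vPC to Fortigate-02
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 10-40
  no lacp graceful-convergence
  vpc 71

interface Ethernet1/7
  description Fortigate-02 member
  switchport
  switchport mode trunk
  channel-group 71 mode active
  no shutdown
```

After applying it, the `show lacp interface` and `show port-channel summary` outputs MHM asked for should show po70 up and po71 down (suspended) until the FortiGate HA pair fails over.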
03-25-2024 02:38 PM
If you use a single port-channel in on mode, the Nexus, using load balancing, could send packets of a flow to a port on the standby FW unit, which will discard them! Take into account that in HA the standby unit will not talk, and this should explain the problems you have with LACP. About which VLANs should be allowed on the link, that depends on your security design: if you want the FWs to do all the inter-VLAN routing, you need a trunk port that allows all the defined VLANs. Thank you..