Managing FortiSwitch Stack with HA FortiGate Cluster PART2

Part 2 of the whiteboard session, showing some diagrams via computer (which may be clearer than my whiteboard with glare) as well as some of the inside-the-FortiGate perspective.

 

This entry was posted in Administration Guides, FortiGate, FortiOS 6, FortiOS 6.2, FortiSwitch, How To, Tips and Tricks.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

4 thoughts on “Managing FortiSwitch Stack with HA FortiGate Cluster PART2”

  1. Dave

    Thanks for the awesome videos. I have a couple of questions.
    1) You say redundant interface in the first video, but then you use redundant interface and aggregate interface interchangeably, but they are different interface types. Which should you be using?
    2) If the FortiGate is appropriately sized, is there any negative to setting fortiswitch-splitlink to disabled? I’d like to use an active LACP aggregate to a stack of 4 switches, but everything references only an active link/standby link.
    3) Since you can’t do redundant or aggregate with anything under a FG-100, what's the recommended method for managing a stack of switches with the smaller units?

    1. Mike Post author

      1. I use it interchangeably by mistake in the video. I intend for it to be redundant in this video.
      2. I like to use split link because in all honesty, it just works better. Without it, I notice switches dropping off a good deal.
      3. You can run them through the FortiGate directly via Hardswitch if it is lower traffic. Interconnect the switches and have top and bottom go to the FortiGate.

  2. charles wright

    After watching this and a few other videos, I might have my configuration incorrect for an HA FortiGate pair with redundant 1048E and 424E switches. I have a pair of 600E units in HA with software switch FortiLink with X1, X2, and ports 11 and 12 in the switch. The port X1 on Primary 600E connects LC to port 47 on 1048E_SW01 and port X1 on Secondary 600E to port 47 on 1048E_SW02. The X2 is connected to the corresponding switches on port 48 via LC fiber.
    The Ethernet ports 11 and 12 on 600E feed the Ports 28 on the 424E switches. There is currently no ISL between the 1048E or the 424E switches.
    I need to connect Nutanix / Xen hosts (in a cluster) via 10GB fiber to the Switch ports on each of the 1048E.
    The iLo/IPMI from each Nutanix cluster and Xen farm will connect to the 424E 1 GB Ethernet for management only.

    Should this have been built using the hardware (Redundant or Aggregate) from the FortiGate and connected the ISL between the stack in order to more efficiently use the Hardware switching?
    My goal is to have both 10GB ports on the HPE/Xen hosts active load balanced while only 1 FortiGate is actively processing.
    I appreciate your time and assistance.

  3. TC

    Hi,
    I’m new to Fortinet and trying to deploy a solution with an HA FortiGate and 2 FortiSwitches connected via FortiLink.
    I’m not able to understand the main differences between a deployment using hardware switch interfaces versus aggregate interface (HA-mode FortiGate units managing a stack of several FortiSwitch units versus HA-mode FortiGate units using hardware-switch interfaces and STP). Please, can you explain in more detail those differences?
    Thank you in advance. Kind regards.
    TC.
