Wired Intelligent Edge

Hello, I have interested about correct design with two 8360 Aruba CX switches in VSX cluster and one Firewall (Fortinet FortiGate 100E). Attached picture.
I have dynamic routing protocol OSPF between two 8360 switches and FortiGate 100E. To avoid problem of asymetric routing I have spoiled route over link (10.99.99.4/30) - ip ospf cost 65535 and force that all traffic pass over link (10.99.99.8/30).

I'm interested in is it correct design, is it possible to accomplish this on another way (agrgated interfaces on firewall, VRFs, VSX active-forwarding). Also, I'm interseted in correct design if I have two firewalls in active-standby mode.


Best regards,
Milan Babic

------------------------------
Milan Babic
------------------------------

Does the 100E support link aggregation so that it can use an aggregate link (two physical interfaces, would show up as one logical interface in the FortiGate management interface) for connecting to the VSX pair?

You could weight links differently and use them as two unique routed links in active/standby, although if the 100E does support link aggregation, that would allow you to use active/active on the links and simplify things.

------------------------------
Charlie Clemmer
------------------------------

Original Message:
Sent: Jan 04, 2022 04:14 AM
From: Milan Babic
Subject: VSX and one firewall

Hello, I have interested about correct design with two 8360 Aruba CX switches in VSX cluster and one Firewall (Fortinet FortiGate 100E). Attached picture.
I have dynamic routing protocol OSPF between two 8360 switches and FortiGate 100E. To avoid problem of asymetric routing I have spoiled route over link (10.99.99.4/30) - ip ospf cost 65535 and force that all traffic pass over link (10.99.99.8/30).

I'm interested in is it correct design, is it possible to accomplish this on another way (agrgated interfaces on firewall, VRFs, VSX active-forwarding). Also, I'm interseted in correct design if I have two firewalls in active-standby mode.


Best regards,
Milan Babic

------------------------------
Milan Babic
------------------------------

What you did is the most appropriate way.
Now, if you target to have 2 FWs, one active and one standby, as Charlie said, a VSX LAG (i.e MCLAG) between the VSX cluster and each FW is the most appropriate, in the context of it is likely that your config on the standby FW must be identical than on the active FW. So you may need to use a L3 transit VLAN
instead of routed-ports on 8360 as you will not be able to use same IP address for routed-port on 2 different interfaces on the same 8360.
You have example in https://support.hpe.com/hpsc/doc/public/display?docId=a00094242en_us

------------------------------
Vincent Giles
------------------------------

Original Message:
Sent: Jan 04, 2022 04:14 AM
From: Milan Babic
Subject: VSX and one firewall

Hello, I have interested about correct design with two 8360 Aruba CX switches in VSX cluster and one Firewall (Fortinet FortiGate 100E). Attached picture.
I have dynamic routing protocol OSPF between two 8360 switches and FortiGate 100E. To avoid problem of asymetric routing I have spoiled route over link (10.99.99.4/30) - ip ospf cost 65535 and force that all traffic pass over link (10.99.99.8/30).

I'm interested in is it correct design, is it possible to accomplish this on another way (agrgated interfaces on firewall, VRFs, VSX active-forwarding). Also, I'm interseted in correct design if I have two firewalls in active-standby mode.


Best regards,
Milan Babic

------------------------------
Milan Babic
------------------------------