Comware

 View Only
last person joined: 5 hours ago 

Back to discussions
Expand all | Collapse all

HP MLAG with FortiGate

This thread has been viewed 41 times

  • 1.  HP MLAG with FortiGate

    Posted Nov 25, 2022 04:28 AM
      |   view attached
    Hello!

    I am in process of configuring MLAG with two FortiGate acting as Active/Passive and two HP FlexFabric connected via IRF.
    I want to check if the topology showed in the attached picture works fine with respect to IRF.

    Thanks for your input in this.



  • 2.  RE: HP MLAG with FortiGate
    Best Answer

    MVP GURU
    Posted Nov 25, 2022 05:57 AM
    Hi, IF the IRF stack (which is a single logical entity from the standpoint of each Firewall appliance) is going to see - let me use this figurative terminology - both the Firewall appliances as a single logical entity (so the Firewalls Cluster is exactly like the IRF Stack and I don't believe this is what the IRF will see) then "Yes, you could create just two BAGGs, one per side" BUT if the answer is "No, the IRF will not see a single logical entity but two separate ones (Active and Passive appliances)" THEN "No, you can't setup just two BAGGs, one per side" and you can't also proceed with the proposed design because BAGGs sourcing from the IRF must co-terminate into a logical entity (a single Firewall Appliance).

    You can create a BAGG sourcing from the Active Firewall appliance with its member links terminating into IRF Member 1 and IRF Member 2 and, concurrently, you can also create the another one BAGG sourcing from the Passive Firewall appliance with its member links terminating into IRF Member 1 and IRF Member 2 (basically links sourcing from each Firewall appliance are distributed into both IRF Members and are sourced from each Firewall appliance, not from both Firewall appliances as in the case of real Multi-Chassis LAGs), on IRF side you are going to create two corresponding BAGGs (one terminating its links into the Active Firewall appliance and the other one into the Passive Firewall appliance).

    As written, the only exception shows up IF the Firewalls Cluster is going to act as a single logical entity from the upstream/downstream peers standpoint (from the IRF standpoint, in your case); generally, the presence of a feature like the Multi-Chassis LAG (MC-LAG) capability on a Stack shows that you're dealing with a Cluster which is capable of acting as a single logical entity and so BAGGs (MC-LAGs) can use links sourced by any of its members (but the termination should also be a single logical entity, the IRF in this case). Verify that.



  • 3.  RE: HP MLAG with FortiGate

    Posted Nov 25, 2022 02:26 PM
    Thanks Parnassus.
    Your reply is always full of information.
    The FortiGate Active/Passive doesn't look like stack as the Master and slave kind of thing. The slave with work as subordinate and take control when master is not there.
    This was one of the blog I was following for my design.
    https://www.madari.co.il/2016/08/hpe-flexfabric-irf-with-fortigate-ha.html

    This is a technical document I found today which is pointing to the same design you mentioned above.
    https://community.fortinet.com/t5/FortiGate/Technical-Tip-High-Availability-basic-deployment-design/ta-p/196942

    Original Message


  • 4.  RE: HP MLAG with FortiGate

    MVP GURU
    Posted Nov 26, 2022 07:55 AM
    Hi, in my opinion you are forced to plan a setup as I described above because - at best - the HA Cluster of two FortiGate firewalls (no matter if they are deployed in Active/Passive or Active/Active mode) could not be considered as a "Single Logical Entity" from the connected peers' standpoint.

    Indeed I'm pretty sure the two FortiGate firewalls - deployed as an HA Cluster entity - aren't able to provide any Multi-Chassis LAG capability to downstream/upstream peers but only standard (in-chassis) LAG (where each chassis is responsible of its own LAGs and it's not able to "virtualize" them against possible peers) .

    See, as example here and note how the two FortiGate firewalls in the example are connected to a series of downstream FortiSwitch Clusters (each one acting instead as a Virtual Switch), Clusters that - exactly like the IRF stack - are capable to provide (and to support) Multi-Chassis LAGs to downstream peers and, in the case of the example, more importantly to upstream FortiGate firewalls deployed as an HA Active/Passive Cluster.


  • 5.  RE: HP MLAG with FortiGate

    Posted Nov 28, 2022 04:50 AM
    Also there is a question of WHY having two unit Fortigate HA cluster configured?

    Is it because of two independent separate ISP routes to internet (exactly what I have), in which case ISP could/need configure BGP to be used on Fortigate HA cluster

    ------------------------------
    spgsitsupport
    ------------------------------

    Original Message


  • 6.  RE: HP MLAG with FortiGate

    MVP GURU
    Posted Nov 28, 2022 01:35 PM
    Why not?

    Two ISPs? not necessarily is that a good reason to deploy an HA Cluster but it could be (also having more than two, why not?). The main reason to me is to setup a resilient layer (the interface to and from WAN) where all assets (including ISPs) act redundantly...and an HA Cluster (Active/Active or Active/Passive) fits the bill...clearly only if it is correctly connected to upstream and downstream peers.



    Original Message


  • 7.  RE: HP MLAG with FortiGate

    Posted Nov 29, 2022 07:35 AM
    A single WAN is the most fragile part of the setup. So having HA cluster is "nice" but only semi-solution in such case (but that is my own opinion)

    ------------------------------
    spgsitsupport
    ------------------------------


  • 8.  RE: HP MLAG with FortiGate

    Posted Nov 29, 2022 08:48 AM
    For redundancy  purpose
    Original Message


  • 9.  RE: HP MLAG with FortiGate

    Posted Nov 29, 2022 08:48 AM
    Thanks
    Original Message