We have a Viprion2250 connected via one trunk using 0x8100 Ether type to our standalone firewall (8interfaces in the trunk - that is 8x10G each)
So basically we have one viprion to connected to one Fortigate (firewall) via LACP
Now we purchased another Fortigate firewall to make it cluster (active/standby)
Can we just create another LACP trunk and add the same VLANs to it and connect it to the standby firewall and it will work ?
I know some will say purchase a switch and do the connection via switch, but we're trying to eliminate the switch option.
It is pssible to do it without switch and connect both LACPs to both firewall active and standby ? will this work ?
Has anyone done this and it is working for him ?
Hi @ac89live ,
From my perspective , it should work as you explained.
If you purchased another Bigip ( Active/Standy ) For example , you will have to connect it with the same manner 8 interfaces with FW1 and 8 interfaces with FW2 , So it seems wo work for me.
My recommendation is , if you have another blade , you should connect it same as the primary blade for better performance and not to exhaust backplane between blades.
@ac89live Same thing that @Mohamed_Ahmed_Kansoh but you might want to see how a standby Fortigate works for interfaces because I know sometimes a standby device is not capable of performing all functions of an active unit. If for some reason LACP doesn't function as expected on the standby unit then at that time it might be best to have a switch between the two sets of devices. Just make sure that you have a way for the HA F5s to know which Fortinet device is active in the pair as well as the Fortinet device knows which F5 device is active in the pair. This last piece is typically the reason you have a switch between the sets of HA devices because it's usually a much more complicated task to make sure the HA devices that are connected to other HA devices to know which is the active unit. Typically you do this by using an SLA monitor that causes a failover event. You might have HA issues on the F5s as well if they are not able to validate the other device is up on a particular segment. For instance F5 External interface can see the other F5 External IP and the same thing for every other interface. You do have ways to ignore pieces of HA configuration but again it just complicates the setup.
Thank you guys.
We're not looking to purchase new another for clustering the F5. Only another firewall for clustering the firewall. So evetually we'll have one F5 and two fortigates in cluster.
As I understood from fortinet KBs, a fortigate in cluster should share a VMAC in case of failover
So basically the F5 will continue to send the traffic to same primary member if the F5 can handle the gratuitous ARP from the Fortigate cluster firewalls.
I only was hoping if someone have same design and can confirm this to us. 🙂
Hi @ac89live ,
Bigip is same as Fortigate firewall if you configure the MAC address masquraded feature on bigip traffic group ,
From my perspective bigip will NOT send traffic to the Failed FW node , as the second FW unit will advertise gARP as you said and this gARP will make Bigip to detect the failover that happen between Firewalls units.
> Because of both of FWs shares same vMAC address the gARP will NOT update the ARP cache table ( IP & MAC ) but gARP updates CAM table ( MAC and Ports ) so from my perspective , Bigip will detect the failover quickly and forward traffic in the correct path to the ACTIVE FW unit.
For That I will Need one of F5 Experts can validate my answer or they can adjust it for us to get the most correct answer.