Preventing Loops – Trunking Fortigate and Cisco L2 Switches

Tags: cisco, fortigate, layer2, spanning-tree

I have inherited a rather weird setup at work. Although my forte is servers and cloud, I have to look into network matters as well due to lack of resources.

This setup has 2 x Fortigate 100Ds (FG1, FG2), and 2 x Cisco 2960X switches (SW1, SW2) will be added as an expansion because the Fortigates ran out of free switch ports.

Topology is as below:

(VLAN A, B) FG1 <== HA1 Port (Trunks VLANs A, B) ==> FG2 (VLAN A, B)

Hosts on FG1's switch ports are able to access hosts on FG2's switch ports.

All switch ports are in access mode, with no trunks. The only trunk is on the HA1 port.

New topology will be like this:

   FG1 <== TRUNK ==> FG2  
   ||                ||
   ||                ||
  TRUNK             TRUNK
   ||                ||
   ||                ||
   SW1 <== TRUNK ==> SW2
    |                 |
    |                 |
  HOSTS             HOSTS

The target is to stop using the switch ports on both Fortigates, so all of the hosts will be moved to these 48-port switches. If either Fortigate is down, we need all of the hosts in the same VLANs to still be able to access each other.

For example, if FG2 is down, the topology will be reduced to this:

   FG1   
   ||               
   ||               
  TRUNK             
   ||                
   ||                
   SW1 <== TRUNK ==> SW2
    |                 |
    |                 |
  HOSTS             HOSTS

How might I be able to do this without causing a loop?

Best Answer

We didn't want to take the risk of this design and of STP compatibility issues between FG and Cisco, so we changed our design to something safer and more redundant.

For our new design, we migrated all hosts (policies) from FG1 to FG2. Once FG1 was idle, we enabled an HA cluster on FG2 and made FG1 a slave to it.

FG1 and FG2 are no longer trunked, and we have full redundancy in case either of them goes down, or in case their monitored interfaces (such as WAN or the trunks to the switches) go down.

    FG1 <====HA1+HA2 (Heartbeat for HA)====> FG2
     ||                                       ||
     ||                                       ||
   TRUNK (standby)                          TRUNK (live)
     ||                                       ||
     ||                                       ||
    SW3 <===== TRUNK-ALL+ETHERCHANNEL =====> SW4
     |                                        |
     |                                        |
     |                                        |
   HOSTS                                    HOSTS

Thank you all again for the other suggestions. They would have worked, but we couldn't risk it with our limited experience.
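The following listing is an added example of what the final design in the answer above looks like in configuration; it is not the answerer's own config. It assumes VLAN A is 802.1Q tag 10 and VLAN B is tag 20, that each FortiGate's trunk to its switch is `port1`, that the heartbeat links are `ha1` and `ha2`, that the SW3-SW4 EtherChannel uses ports Gi1/0/47-48, and that the FG uplink is Gi1/0/1; every name, VLAN ID, address and port number is a placeholder. The first part is FortiOS CLI (applied to both units, with only `priority` differing), the second is Cisco IOS for SW3 (mirrored on SW4).

```text
# --- FortiOS CLI: HA cluster (hypothetical names and values) ---
config system ha
    set group-name "edge-ha"
    set mode a-p                       # active-passive: only the primary forwards
    set password "change-this-shared-secret"
    set hbdev "ha1" 50 "ha2" 50        # two heartbeat links, as in the diagram
    set monitor "wan1" "port1"         # failover if WAN or the trunk to the switch drops
    set session-pickup enable          # keep established sessions across a failover
    set override disable
    set priority 200                   # FG2: 200 (primary); FG1: 100 (standby)
end

# --- FortiOS CLI: VLAN sub-interfaces on the trunk to the switch ---
# The FortiGate is the L3 gateway for each VLAN; it does not bridge frames
# between VLANs or between FG1 and FG2, so it adds no L2 path.
config system interface
    edit "vlanA"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping
        set interface "port1"
        set vlanid 10
    next
    edit "vlanB"
        set vdom "root"
        set ip 10.10.20.1 255.255.255.0
        set allowaccess ping
        set interface "port1"
        set vlanid 20
    next
end

! --- Cisco IOS on SW3 (mirror on SW4; hypothetical port numbers) ---
spanning-tree mode rapid-pvst
!
! SW3 <-> SW4: one logical link, so STP sees a single path between the switches
interface range GigabitEthernet1/0/47 - 48
 description EtherChannel member to SW4
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 channel-group 1 mode active
!
interface Port-channel1
 description TRUNK-ALL to SW4
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! Trunk to the FortiGate (HA member); only the live unit forwards traffic
interface GigabitEthernet1/0/1
 description Trunk to FG (HA member)
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! Host access ports: edge ports that must never carry BPDUs
interface range GigabitEthernet1/0/2 - 46
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
```

Why this avoids the loop the question worried about: after the change there is exactly one layer-2 path between SW3 and SW4 (the EtherChannel, which STP treats as a single link), and the FortiGates no longer bridge between each other over the old HA1 trunk. Each firewall trunk terminates on routed VLAN sub-interfaces, so neither unit forwards frames between the two switches at layer 2, and the standby unit does not forward at all. If the live unit or its monitored `port1` fails, the cluster fails over to the other unit, whose trunk lands on the other switch; hosts on both switches still reach the gateway across the EtherChannel. BPDU guard on the host ports is a cheap check against someone later plugging a switch into an access port and reintroducing a loop.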