HPE Comware 7 switches, in IRF mode, are connected to Fortigate 600D firewalls in HA active/passive mode. The links between the devices are crossed in order to protect against a device failure or an HA failure.

In my first attempt I assumed that, since the HPE switches use IRF, I should handle them as a single device, so when connecting them to the Fortigate HA I placed all 4 ports from the switches in one bridge-aggregation group. This configuration led to partial packet loss, because all 4 ports in the link-aggregation group were up and running (the Fortigate ports are all up even though it is an HA configuration).

Configuring the Fortigate with 2 ports (port17 and port18) in aggregation mode carrying all the VLAN sub-interfaces, and configuring the HPE switches with 2 bridge-aggregation interfaces, one for each switch, solved the problem.

Next there was the VPN-instance (VRF lite in Cisco terms) issue. On the switches I configured 5 VPN-instances and one OSPF process per VPN-instance between the Fortigate and the switches. The Fortigate advertised a default route (under Router->Dynamic->Advanced) in always mode. On the switches I could not see the default route in any VPN-instance. The problem was solved by issuing the command vpn-instance-capability simple under the VPN-instance sub-command (inside the OSPF process bound to each VPN-instance, as in the configuration below).
This is the network topology:
HPE FlexFabric switch (relevant) configuration:
ip vpn-instance TEST1
 route-distinguisher 1:10
#
ip vpn-instance TEST2
 route-distinguisher 1:20
#
ip vpn-instance TEST3
 route-distinguisher 1:30
#
ip vpn-instance TEST4
 route-distinguisher 1:40
#
ip vpn-instance TEST5
 route-distinguisher 1:50
#
irf domain 1
irf mac-address persistent timer
irf auto-update enable
irf link-delay 200
irf member 1 priority 32
irf member 2 priority 31
irf member 1 description IRF_UNIT1
irf member 2 description IRF_UNIT2
irf mode normal
#
irf-port global load-sharing mode destination-ip source-ip
#
ospf 10 router-id 1.1.1.10 vpn-instance TEST1
 vpn-instance-capability simple
 area 0.0.0.10
  network 0.0.0.0 255.255.255.255
#
ospf 20 router-id 1.1.1.20 vpn-instance TEST2
 vpn-instance-capability simple
 area 0.0.0.20
  network 0.0.0.0 255.255.255.255
#
ospf 30 router-id 1.1.1.30 vpn-instance TEST3
 vpn-instance-capability simple
 area 0.0.0.30
  network 0.0.0.0 255.255.255.255
#
ospf 40 router-id 1.1.1.40 vpn-instance TEST4
 vpn-instance-capability simple
 area 0.0.0.40
  network 0.0.0.0 255.255.255.255
#
ospf 50 router-id 1.1.1.50 vpn-instance TEST5
 vpn-instance-capability simple
 area 0.0.0.50
  network 0.0.0.0 255.255.255.255
#
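
An added example, not part of the original post: a small Python audit that parses a Comware configuration dump and flags every OSPF process bound to a VPN-instance that lacks vpn-instance-capability simple, the omission that kept the Fortigate's default route out of the VPN-instances. The function name, the constructed sample (including process 60 and TEST6) and the extra undefined-instance check are assumptions made for illustration.

```python
import re

# Constructed sample in the style of the switch configuration above.
# Process 30 lacks the capability line; process 60 uses an undefined instance.
SAMPLE = """\
ip vpn-instance TEST1
 route-distinguisher 1:10
#
ip vpn-instance TEST3
 route-distinguisher 1:30
#
ospf 10 router-id 1.1.1.10 vpn-instance TEST1
 vpn-instance-capability simple
 area 0.0.0.10
  network 0.0.0.0 255.255.255.255
#
ospf 30 router-id 1.1.1.30
vpn-instance TEST3
 area 0.0.0.30
#
ospf 60 router-id 1.1.1.60 vpn-instance TEST6
 vpn-instance-capability simple
#
"""

def audit_ospf_vpn_instances(config):
    """Return (process id, vpn-instance, problem) tuples for OSPF processes
    that are bound to a VPN instance but look misconfigured."""
    defined = set(re.findall(r"(?m)^[ \t]*ip vpn-instance (\S+)[ \t]*$", config))
    findings = []
    # Top-level sections of a Comware dump are separated by a lone '#'.
    for section in re.split(r"(?m)^#[ \t]*$", config):
        lines = [ln.strip() for ln in section.splitlines() if ln.strip()]
        head = re.match(r"ospf (\d+)\b", lines[0]) if lines else None
        if not head:
            continue
        # 'vpn-instance NAME' is a parameter of the ospf command (a wrapped
        # paste may leave it on the next line); the capability line never
        # matches because the pattern needs a space after the keyword.
        bound = [m.group(1) for ln in lines
                 if (m := re.search(r"(?:^|\s)vpn-instance (\S+)$", ln))]
        if not bound:
            continue  # process runs in the public instance
        pid, vpn = int(head.group(1)), bound[0]
        if vpn not in defined:
            findings.append((pid, vpn, "vpn-instance not defined"))
        if "vpn-instance-capability simple" not in lines:
            findings.append((pid, vpn, "missing vpn-instance-capability simple"))
    return findings
```

Calling audit_ospf_vpn_instances() on the text of a saved configuration returns an empty list when every VPN-bound OSPF process carries the command.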
Thank you for sharing this information. Can you share some information about the LAG configuration? Do you use LACP dynamic mode on the HP switches? And on the Fortigate side, which LACP mode: active, passive or static?
Because we are using an HP IRF stack and testing Fortigate 100Ds, and this configuration works only when the Fortigate's LACP is static. Can you confirm this information?
Thank you very much.

Hello,
I'm using 2 600D's with Arista 7050S. Both FG's are connected via LACP. Fortigate in default, Arista portchannel in active mode.
Also make sure if you are running HA with LACP that you configure the LACP-HA-SLAVE DISABLE!!
I ran into a problem where I could fail over once.. But STP was kicking in because the second unit was sending LACP packets too (and because of the floating MAC the port never came up again)

Thanks for the nice post.
Can you please share the steps you performed?
Did you create the LACP on the Fortigate before putting them in active/passive mode, or did you do it after you configured the Fortigate in active/passive mode?
Please, if you can, write the steps. I shall be very thankful.
We have a 100D Fortigate with HP running the core and wanted to make sure that it's a full-mesh HA setup for the Fortigate firewall.

Please correct the picture - wrong BA group in IRF (BA1 = FG1/0/1, FG2/0/1 and BA2 = FG1/0/2 and FG2/0/2)

I agree with you:
With the displayed topology the LACP links cannot be correctly mounted (with flag ACDEF): only one physical port UP per LACP group. Isn't it true?