
Session-Aware Load Balancing Cluster Guide

5.2.10

Dual mode SLBC with four FortiController-5903Cs and two chassis

This example describes how to set up a dual-mode SLBC cluster consisting of two FortiGate-5144C chassis, four FortiController-5903Cs (two in each chassis), and six FortiGate-5001Ds acting as workers (three in each chassis). This SLBC configuration can have up to 8 redundant 40 Gbps network connections. The FortiGate-5144C chassis is required because it supplies enough power for the FortiController-5903Cs and provides 40 Gbps fabric backplane communication.

In this dual-mode configuration, the FortiController in chassis 1 slot 1 is configured to become the primary FortiController. Both FortiControllers in chassis 1 receive traffic and load balance it to the workers in chassis 1, because in a dual-mode configuration the front panel interfaces of both FortiControllers are active. Each network has a single connection to either the FortiController in slot 1 or the FortiController in slot 2. It is a best practice in a dual-mode configuration to distribute traffic evenly between the two FortiControllers, so in this example ingress traffic from the Internet is processed by the FortiController in slot 1 and egress traffic for the internal network is processed by the FortiController in slot 2.

Note: Redundant connections from a network to both FortiControllers in the same chassis are not supported (unless you configure link aggregation).

The front panel F1 to F4 interfaces of the FortiController in slot 1 are named fctrl1/f1 to fctrl1/f4 and the front panel F1 to F4 interfaces of the FortiController in slot 2 are named fctrl2/f1 to fctrl2/f4.

The network connections to the FortiControllers in chassis 1 are duplicated on the FortiControllers in chassis 2. If one of the FortiControllers in chassis 1 fails, the FortiController in chassis 2 slot 1 becomes the primary FortiController and all traffic fails over to the FortiControllers in chassis 2. If one of the FortiControllers in chassis 2 then fails, the remaining FortiController in chassis 2 keeps processing the traffic received by its own front panel interfaces, but traffic to and from the failed FortiController's interfaces is lost.

Heartbeat, base control, base management, and session sync communication between the chassis is carried by the FortiController B1 and B2 interfaces. Connect all of the B1 interfaces together using one 10 Gbps switch, and connect all of the B2 interfaces together using a second 10 Gbps switch. Using the same switch for both the B1 and B2 interfaces is not recommended and requires a double VLAN tagging configuration.

The switches must be configured to support the following VLAN tags and subnets used by the traffic on the B1 and B2 interfaces:

  • Heartbeat traffic uses VLAN 999.
  • Base control traffic on the 10.101.11.0/255.255.255.0 subnet uses VLAN 301.
  • Base management on the 10.101.10.0/255.255.255.0 subnet uses VLAN 101.
  • Session sync traffic between the FortiControllers in slot 1 uses VLAN 1900.
  • Session sync traffic between the FortiControllers in slot 2 uses VLAN 1901.

This example sets the device priority of the FortiController in chassis 1 slot 1 higher than that of the other FortiControllers so that it becomes the primary FortiController for the cluster, and also enables override on it. Override makes it more likely that the unit you selected actually becomes (and stays) the primary unit, but it can also cause the cluster to negotiate more often to select the primary unit.
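The following Python model replays the failover and election behaviour described above (a FortiController lost in the active chassis fails the whole chassis over; a lone survivor keeps only its own front panel networks; override lets the preferred unit take the primary role back at the cost of an extra negotiation). It is an added illustration written for this page, not Fortinet code, and it does not run on a FortiController. The device priority values, the preference for a chassis with both FortiControllers up, and the chassis/slot tie-break are assumptions; the guide only says that chassis 1 slot 1 has the highest priority and override enabled.

```python
from dataclasses import dataclass


@dataclass
class FortiController:
    chassis: int
    slot: int
    priority: int           # device priority; higher wins the election
    override: bool = False  # force a new election when this unit out-ranks the primary
    up: bool = True

    @property
    def name(self) -> str:
        return f"c{self.chassis}s{self.slot}"


class SlbcCluster:
    """Two-chassis dual-mode SLBC: the primary FortiController's chassis
    carries traffic, the other chassis holds the duplicated connections."""

    def __init__(self, controllers):
        self.fcs = {fc.name: fc for fc in controllers}
        self.negotiations = 0
        self.primary = None
        self.negotiate()

    def chassis_healthy(self, chassis: int) -> bool:
        return all(fc.up for fc in self.fcs.values() if fc.chassis == chassis)

    def _rank(self, fc: FortiController):
        # Assumption: a chassis with both FortiControllers up beats a degraded
        # one, then device priority, then lower chassis and slot as tie-break.
        return (self.chassis_healthy(fc.chassis), fc.priority, -fc.chassis, -fc.slot)

    def negotiate(self) -> str:
        self.negotiations += 1
        live = [fc for fc in self.fcs.values() if fc.up]
        if not live:
            raise RuntimeError("no FortiController is up")
        self.primary = max(live, key=self._rank).name
        return self.primary

    def active_chassis(self) -> int:
        return self.fcs[self.primary].chassis

    def serving(self):
        """Front panel slots forwarding traffic: live units in the active chassis."""
        return sorted(fc.slot for fc in self.fcs.values()
                      if fc.up and fc.chassis == self.active_chassis())

    def fail(self, name: str) -> str:
        self.fcs[name].up = False
        if self.fcs[name].chassis == self.active_chassis():
            # Any loss in the active chassis fails the whole chassis over when the
            # other chassis is healthy; otherwise the survivor carries on alone and
            # the failed unit's front panel networks are lost.
            self.negotiate()
        return self.primary

    def recover(self, name: str) -> str:
        self.fcs[name].up = True
        # A returning unit joins as a subordinate unless a live unit with override
        # now out-ranks the primary: then the cluster renegotiates and fails back.
        if any(fc.up and fc.override and self._rank(fc) > self._rank(self.fcs[self.primary])
               for fc in self.fcs.values()):
            self.negotiate()
        return self.primary


def build_example_cluster(override: bool = True) -> SlbcCluster:
    # Priorities are assumed values (constructed for this example).
    return SlbcCluster([
        FortiController(1, 1, priority=250, override=override),
        FortiController(1, 2, priority=128),
        FortiController(2, 1, priority=128),
        FortiController(2, 2, priority=128),
    ])


def walk_through(override: bool = True):
    """Replay the failure cases from the text; returns (event, primary, slots serving)."""
    c = build_example_cluster(override)
    trace = [("initial", c.primary, c.serving())]
    trace.append(("c1s2 fails", c.fail("c1s2"), c.serving()))        # chassis 1 degraded: chassis 2 takes over
    trace.append(("c1s1 fails", c.fail("c1s1"), c.serving()))        # loss in the standby chassis: no change
    trace.append(("c2s2 fails", c.fail("c2s2"), c.serving()))        # c2s1 alone; slot 2 networks are lost
    trace.append(("c1s2 recovers", c.recover("c1s2"), c.serving()))  # no override: c2s1 stays primary
    trace.append(("c1s1 recovers", c.recover("c1s1"), c.serving()))  # with override: fail back to c1s1
    return trace, c.negotiations


if __name__ == "__main__":
    for with_override in (True, False):
        trace, n = walk_through(with_override)
        print(f"override={with_override}: {n} negotiations")
        for event, primary, slots in trace:
            print(f"  {event:14s} primary={primary} serving slots={slots}")
```

Running the walk-through with and without override on chassis 1 slot 1 shows the trade-off in the text: with override the cluster negotiates one extra time and fails back to chassis 1 once both of its FortiControllers return; without it, chassis 2 slot 1 stays primary and a degraded chassis keeps carrying traffic.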
