Configuring SD-WAN in an HA cluster using internal hardware switches
This setup is not fully compliant with a regular HA configuration. Failover is also unnecessary. Flipping can occur if failover is configured using a ping server interface. |
Two FortiGates with internal hardware switches can be configured as an active-active (A-A) HA pair. In the following topology, both FortiGates forward traffic through internal switches connected to service providers. SD-WAN is configured on all upstream interfaces and overlays.
This setup is not fully compliant with a regular HA configuration. In a regular HA configuration, two logical switches are used: one for incoming traffic and one for outgoing traffic. In this example, only incoming traffic has a switch while outgoing traffic uses the internal switch. This means that if FortiGate A loses power, ISP 1 will not be available.
Traffic will flow either through ISP 1 directly or through ISP 2 via a connection between FortiGate A and FortiGate B’s internal switch interface. FortiGate A decides how traffic will go through ISP 1 or ISP 2 based on SD-WAN rules. If ISP 1 is not available, then traffic will go through ISP 2.
Failover is unnecessary in this setup. Because SD-WAN will automatically failover traffic to the accessible ISP, traffic is not blocked so there is no network downtime. Also, the hardware switch interface cannot be monitored as an HA interface. If HA failover is required, a ping server must be used. The ping server monitor interface has to be configured under HA settings. This failover setup, however, results in flipping. FortiGate B will act as the primary after failover and traffic will still flow to the available ISP. Since the broken link to one of the ISPs still fails, HA will start flipping until the link is back up.
To configure the HA A-A cluster with internal hardware switches:
- Configure two FortiGates with internal switches in an active-active HA cluster (follow the steps in HA active-active cluster setup), starting by connecting the heartbeat interface.
- On the primary FortiGate, remove the existing interface members:
- Go to Network > Interfaces.
- In the LAN section, double-click the internal interface to edit it.
- In the Interface Members box, remove all the interfaces.
- Click OK.
- On the primary FortiGate, configure the hardware switch interfaces for the two ISPs:
- Go to Network > Interfaces.
- Click Create New > Interface.
- Enter a name (HD_SW1).
- For type, select Hardware Switch.
- For Interface Members, add two interfaces (internal1 and internal2).
- Configure the remaining settings as needed.
- Click OK.
- Repeat these steps to create a second hardware switch interface (HD_SW2) with two interface members (internal3 and internal4).
- On the primary FortiGate, set up SD-WAN:
The primary FortiGate makes all the SD-WAN decisions.
- Go to Network > SD-WAN Zones.
- Click Create New > SD-WAN Member.
- In the Interface dropdown, select HD_SW1.
- Leave SD-WAN Zone set to virtual-wan-link.
- Enter the Gateway address.
- Click OK.
- Repeat these steps to add the second interface (HD_SW2).
- Click Apply.
- Connect the devices as shown in the topology:
- Connect the incoming interface to the internal switch on both FortiGates.
- On FortiGate A, connect ISP 1 to HD_SW1.
- On FortiGate B, connect ISP 2 to HD_SW2.
- For HD_SW1, connect FortiGate A directly to B.
- For HD_SW2, connect FortiGate A directly to B.
The default implicit rule load-balancing algorithm for SD-WAN is the source IP address. For more information about rule types and configurations, see Implicit rule. |