
Distributed cluster of two FortiGates

I recently finished a project for a client to build a fault-tolerant network infrastructure. While the memories are fresh and the documentation is at hand, I want to share a piece of unusual know-how. What makes it unusual? Such a configuration is not described in any official Fortinet document, is not recommended, and officially does not exist at all. I also could not find any mention of this configuration on the Internet.

So, what we had to work with:
Two geographically separated sites, an office and a data center (DC). Each site has its own independent Internet access and its own local subnet. Between the sites there is a dedicated link on which we can create our own VLANs. Hardware: two FortiGate 100D units and four Cisco Catalyst 2960XR managed switches with stacking modules, i.e. two switches and one FortiGate per site.

Task:
Provide fault tolerance and continuity of service
1) if any single piece of hardware fails;
2) if any of the communication channels fails;
3) if any single port on any of the devices fails.

If we had two FortiGates per site there would be no problem at all: a standard two-unit cluster at each site, dynamic routing, and enjoy life. But we have the hardware we have, so we have to improvise.

In the beginning there was even less hardware (one switch and one FortiGate per site), but in this article I describe the final configuration.

So let's start:

Let SW1 and FG1 denote the switch stack and the FortiGate in the office, and SW2 and FG2 the corresponding hardware in the data center.

For the full configuration we need 5 logical ports on each FortiGate (5 logical = 10 physical). Let's call them:

- DC_Internet
- Office_Internet
- Office_Lan
- DC_Lan
- Interconnect

(the same names are used for the VLANs and the aggregate interfaces below). We also use both HA ports for cluster synchronisation, which adds another 2 ports on the switch side. In total, 6 ports on each physical switch (12 on a stack) are used solely for connecting the FortiGates.

Layer 1 configuration (physical connections):
I assume the switch stack is already assembled, since there is nothing difficult about that.
We connect the FortiGates to the switches as follows:

For DC_Internet

 FG1-WAN1 - SW1-1/0/1
 FG1-WAN2 - SW1-2/0/1

For Office_Internet

 FG1-DMZ - SW1-1/0/2
 FG1-Port1 - SW1-2/0/2

For Office_Lan

 FG1-DMZ - SW1-1/0/3
 FG1-Port1 - SW1-2/0/3

For DC_Lan

 FG1-Port2 - SW1-1/0/4
 FG1-Port3 - SW1-2/0/4

For interconnect

 FG1-Port4 - SW1-1/0/5
 FG1-Port5 - SW1-2/0/5

For HA1 and HA2

 FG1-HA1 - SW1-1/0/6
 FG1-HA2 - SW1-2/0/6

Note that the scheme above lists the same FortiGate ports (DMZ and Port1) for both Office_Internet and Office_Lan, and its port numbering does not match the interface configuration dumped further down (there Office_Internet is built from dmz and port5, Office-LAN from port1 and port6, DC-LAN from port2 and port7, and each side of the interconnect is its own aggregate). The switch-port side is what the Layer 2 configuration depends on; take the FortiGate-side membership from the configuration dump.

Repeat the same for FG2 and SW2.

Now the links from the providers need to be plugged into the switches. In my case these are the two Internet connections and the channel between the DC and the office, so the configuration differs slightly between the two sites. In my particular case the providers delivered two links for the Internet and two links for the interconnect on each side.

If you cannot get two links for each channel, one of the requirements will remain partially unmet: if the switch port where the provider's single link is connected fails, connectivity over that channel is lost.

Here we also connect the downlinks to the access switches in the office and in the DC.

In the office:

 SW1-1/0/22 - Office_LAN downlink 1
 SW1-2/0/22 - Office_LAN downlink 2
 SW1-1/0/23 - Internet link 1
 SW1-2/0/23 - Internet link 2
 SW1-1/0/24 - Office-DC link 1
 SW1-2/0/24 - Office-DC link 2

In the DC:

 SW2-1/0/22 - DC_LAN downlink 1
 SW2-2/0/22 - DC_LAN downlink 2
 SW2-1/0/23 - Internet link 1
 SW2-2/0/23 - Internet link 2
 SW2-1/0/24 - Office-DC link 1
 SW2-2/0/24 - Office-DC link 2

With Layer 1 done, we move on to port aggregation and VLAN configuration.

Layer 2
At this stage we need to pair up ports on the switches and on the FortiGates, and assign VLANs to separate the traffic.

- Create the necessary VLANs on the switches and assign ports to them:

On the switches, in configuration mode, create the VLANs:

 vlan 10
  name DC_Internet
 vlan 20
  name Office_Internet
 vlan 30
  name Office_Lan
 vlan 40
  name DC_LAN
 vlan 50
  name Interconnect
 vlan 60
  name HA

On the same switches, create the port-channels and assign the ports to them. The switch side runs LACP in passive mode; the bundle still forms because FortiGate aggregate interfaces use LACP active by default, but if both ends were passive the port-channel would never come up:

For DC_Internet:

 interface port-channel1
  switchport access vlan 10
  ! VLAN 10 = DC_Internet
  switchport mode access
 interface GigabitEthernet1/0/1
  switchport access vlan 10
  switchport mode access
  channel-group 1 mode passive
 interface GigabitEthernet2/0/1
  switchport access vlan 10
  switchport mode access
  channel-group 1 mode passive

Repeat for the other port pairs listed above to get port-channels 2 to 4.

For Interconnect:

 interface port-channel5
  switchport access vlan 50
  ! VLAN 50 = Interconnect
  switchport mode access
 interface GigabitEthernet1/0/5
  switchport access vlan 50
  switchport mode access
  channel-group 5 mode passive
 interface GigabitEthernet2/0/5
  switchport access vlan 50
  switchport mode access
  channel-group 5 mode passive

The configuration for HA1 and HA2 is slightly different: there is no port aggregation.
For HA1

 interface GigabitEthernet1/0/6
  switchport access vlan 60
  ! VLAN 60 = HA
  switchport mode access

For HA2

 interface GigabitEthernet2/0/6
  switchport access vlan 60
  ! VLAN 60 = HA
  switchport mode access

For the Office-DC channel:

 interface port-channel6
  switchport mode trunk
  ! trunk: carries all VLANs between the two sites
 interface GigabitEthernet1/0/24
  switchport mode trunk
  channel-group 6 mode passive
 interface GigabitEthernet2/0/24
  switchport mode trunk
  channel-group 6 mode passive

This trunk is what makes the distributed cluster possible: every VLAN, including the HA VLAN 60, is stretched between the sites over it, so both the heartbeat between FG1 and FG2 and the reachability of a failed-over VDOM's interfaces depend on this port-channel.

The Layer 2 configuration above is the same for the office and the DC; below are the parts that differ.

In the office:

 interface port-channel7
  switchport access vlan 30
  ! VLAN 30 = Office_Lan
  switchport mode access
 interface GigabitEthernet1/0/22
  switchport access vlan 30
  switchport mode access
  channel-group 7 mode passive
 interface GigabitEthernet2/0/22
  switchport access vlan 30
  switchport mode access
  channel-group 7 mode passive
 interface port-channel8
  switchport access vlan 20
  ! VLAN 20 = Office_Internet
  switchport mode access
 interface GigabitEthernet1/0/23
  switchport access vlan 20
  switchport mode access
  channel-group 8 mode passive
 interface GigabitEthernet2/0/23
  switchport access vlan 20
  switchport mode access
  channel-group 8 mode passive

In DC:

 interface port-channel7
  switchport access vlan 40
  ! VLAN 40 = DC_Lan
  switchport mode access
 interface GigabitEthernet1/0/22
  switchport access vlan 40
  switchport mode access
  channel-group 7 mode passive
 interface GigabitEthernet2/0/22
  switchport access vlan 40
  switchport mode access
  channel-group 7 mode passive
 interface port-channel8
  switchport access vlan 10
  ! VLAN 10 = DC_Internet
  switchport mode access
 interface GigabitEthernet1/0/23
  switchport access vlan 10
  switchport mode access
  channel-group 8 mode passive
 interface GigabitEthernet2/0/23
  switchport access vlan 10
  switchport mode access
  channel-group 8 mode passive
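
Before trusting the bundles, it is worth checking that every member carries exactly the same switchport settings as its Port-channel, because IOS refuses to bundle a mismatched member and the failure only shows up as a port stuck in a suspended state. The following Python script is an added example and not part of the original article: it parses IOS interface stanzas in the form shown above, groups members by channel-group, reports settings that differ from the Port-channel interface, and flags groups whose members are all LACP passive (such a group only bundles if the peer is active, which a FortiGate aggregate is by default). The SAMPLE text is constructed from the page's port-channel 1 and 6 stanzas, with the access VLAN of GigabitEthernet2/0/1 deliberately changed to 20 to show a mismatch.

```python
"""Consistency check for Cisco IOS EtherChannel members (added example).

Assumes the plain 'interface ... / switchport ... / channel-group ...'
text shown on this page. Not the article's code.
"""
from collections import defaultdict
from typing import Dict, List

# Constructed sample: port-channel 1 and 6 from the page, with the access
# VLAN of GigabitEthernet2/0/1 deliberately changed to 20 to show a mismatch.
SAMPLE = """
interface Port-channel1
 switchport access vlan 10
 switchport mode access
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport mode access
 channel-group 1 mode passive
interface GigabitEthernet2/0/1
 switchport access vlan 20
 switchport mode access
 channel-group 1 mode passive
interface Port-channel6
 switchport mode trunk
interface GigabitEthernet1/0/24
 switchport mode trunk
 channel-group 6 mode passive
interface GigabitEthernet2/0/24
 switchport mode trunk
 channel-group 6 mode active
"""

COMPARED = ("mode", "vlan")   # switchport settings that must match across a bundle


def parse_interfaces(text: str) -> Dict[str, Dict[str, str]]:
    """Map each interface name to the settings this check cares about."""
    ifaces: Dict[str, Dict[str, str]] = {}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):      # blank or IOS comment
            continue
        words = line.split()
        if words[0].lower() == "interface":
            cur = words[1]
            ifaces[cur] = {}
        elif cur is None:
            continue
        elif words[:2] == ["switchport", "mode"]:
            ifaces[cur]["mode"] = words[2]
        elif words[:3] == ["switchport", "access", "vlan"]:
            ifaces[cur]["vlan"] = words[3]
        elif words[0] == "channel-group":
            ifaces[cur]["group"] = words[1]
            ifaces[cur]["lacp"] = words[3]        # active / passive / on / ...
    return ifaces


def check_port_channels(ifaces: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one message per problem found; an empty list means consistent."""
    by_name = {n.lower(): s for n, s in ifaces.items()}   # IOS names are case-insensitive
    groups: Dict[str, List[str]] = defaultdict(list)
    for name, s in ifaces.items():
        if "group" in s:
            groups[s["group"]].append(name)
    problems: List[str] = []
    for g, members in sorted(groups.items()):
        po = by_name.get(f"port-channel{g}")
        if po is None:
            problems.append(f"Port-channel{g}: members exist but no Port-channel interface")
            continue
        want = {k: po.get(k) for k in COMPARED}
        for m in members:
            got = {k: ifaces[m].get(k) for k in COMPARED}
            if got != want:
                problems.append(f"{m}: {got} differs from Port-channel{g} {want}")
        if all(ifaces[m].get("lacp") == "passive" for m in members):
            problems.append(
                f"Port-channel{g}: all members LACP passive, bundle forms only if the peer is active")
    return problems


if __name__ == "__main__":
    for p in check_port_channels(parse_interfaces(SAMPLE)):
        print(p)
```

Run it against the output of `show running-config | section interface` from each stack; a bundle that passes this check and still does not form is usually a speed/duplex or LACP-peer problem rather than a switchport mismatch.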

On the FortiGate side:

1. Enable VDOM support
2. Enable virtual clustering
3. Distribute the ports, each into its own VDOM
4. Create 802.3ad aggregate interfaces from the port pairs

This is what the configuration looks like (it is a lot of code):
 config system interface
     edit "wan1"
         set vdom "DataCenter"
         set type physical
         set snmp-index 1
     next
     edit "dmz"
         set vdom "Office"
         set type physical
         set snmp-index 2
     next
     edit "wan2"
         set vdom "DataCenter"
         set type physical
         set snmp-index 7
     next
     edit "ha1"
         set vdom "root"
         set type physical
         set snmp-index 9
     next
     edit "ha2"
         set vdom "root"
         set status down
         set type physical
         set snmp-index 10
     next
     edit "port1"
         set vdom "Office"
         set type physical
         set snmp-index 12
     next
     edit "port2"
         set vdom "DataCenter"
         set type physical
         set snmp-index 13
     next
     edit "port3"
         set vdom "Office"
         set type physical
         set snmp-index 17
     next
     edit "port4"
         set vdom "DataCenter"
         set type physical
         set snmp-index 18
     next
     edit "port5"
         set vdom "Office"
         set type physical
         set snmp-index 15
     next
     edit "port6"
         set vdom "Office"
         set type physical
         set snmp-index 16
     next
     edit "port7"
         set vdom "DataCenter"
         set type physical
         set snmp-index 19
     next
     edit "port8"
         set vdom "Office"
         set status down
         set type physical
         set snmp-index 20
     next
     edit "port9"
         set vdom "DataCenter"
         set status down
         set type physical
         set snmp-index 21
     next
     edit "port10"
         set vdom "root"
         set status down
         set type physical
         set snmp-index 22
     next
     edit "lan"
         set vdom "root"
         set status down
         set type hard-switch
         set snmp-index 11
     next
     edit "DC_Internet"
         set vdom "DataCenter"
         set ip 2.2.2.2 255.255.255.224
         set allowaccess ping https ssh
         set type aggregate
         set member "wan1" "wan2"
         set snmp-index 14
     next
     edit "Office_Internet"
         set vdom "Office"
         set ip 1.1.1.1 255.255.255.248
         set allowaccess ping https
         set type aggregate
         set member "port5" "dmz"
         set snmp-index 23
     next
     edit "Office-LAN"
         set vdom "Office"
         set dhcp-relay-service enable
         set ip 192.168.100.1 255.255.255.0
         set allowaccess ping https ssh
         set type aggregate
         set member "port6" "port1"
         set snmp-index 24
     next
     edit "DC-LAN"
         set vdom "DataCenter"
         set ip 192.168.200.1 255.255.255.0
         set allowaccess ping https ssh
         set type aggregate
         set member "port7" "port2"
         set snmp-index 25
     next
     edit "Intercon-Office"
         set vdom "Office"
         set ip 192.168.150.1 255.255.255.252
         set allowaccess ping
         set type aggregate
         set member "port8" "port3"
         set snmp-index 26
     next
     edit "Intercon-DC"
         set vdom "DataCenter"
         set ip 192.168.150.2 255.255.255.252
         set allowaccess ping
         set type aggregate
         set member "port9" "port4"
         set snmp-index 27
     next
 end
 config system ha
     set group-name "aaa.com"
     set mode a-p
     set password ENC xxx
     set hbdev "ha1" 50
     set arps 30
     set arps-interval 1
     set session-pickup enable
     set link-failed-signal enable
     set ha-mgmt-status enable
     set ha-mgmt-interface "mgmt"
     set vcluster2 enable
     set override enable
     set priority 100
     set monitor "Office_Internet" "Office-LAN" "Intercon-Office"
     config secondary-vcluster
         set override enable
         set priority 250
         set monitor "DC_Internet" "DC-LAN" "Intercon-DC"
         set vdom "DataCenter"
     end
 end

Two details to check in this block. First, the names in `set monitor` must match the interface names exactly: the original dump had Office_internet, Office_LAN, Intercon_Office, DC_LAN and Intercon_DC here, which do not exist as interfaces; they are corrected above to the names defined under config system interface. Second, priority and override are per-unit settings that the cluster does not synchronise. The dump above reads as the unit that is primary for the DataCenter virtual cluster (priority 250 there, 100 for the Office cluster, i.e. FG2); the other unit must be configured the other way round so that each FortiGate is primary for the VDOM at its own site.
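
A check I would run before loading a dump like this: it references interfaces by name in several places (member, monitor, hbdev, and later device and srcintf), and a name that does not match an interface exactly is rejected by the CLI. The following Python script is an added example, not code from the article or from Fortinet: it flattens a FortiOS CLI dump of the form shown above and lists every such reference that has no matching edit under config system interface. SAMPLE_CONFIG is a constructed, trimmed copy of the page's interface and HA stanzas that keeps the original dump's monitor names (Office_internet, Office_LAN, DC_LAN), so the check reports exactly those three.

```python
"""Cross-reference check for a FortiOS CLI dump (added example, not the
article's code). Assumes the plain 'config / edit / set / next / end'
text shown on this page."""
import shlex
from typing import List, Set, Tuple

# Constructed sample: trimmed from the page's own dump, keeping the
# monitor names exactly as they appeared in the original.
SAMPLE_CONFIG = '''
config system interface
    edit "wan1"
        set vdom "DataCenter"
        set type physical
    next
    edit "wan2"
        set vdom "DataCenter"
        set type physical
    next
    edit "ha1"
        set vdom "root"
        set type physical
    next
    edit "DC_Internet"
        set vdom "DataCenter"
        set type aggregate
        set member "wan1" "wan2"
    next
end
config system ha
    set mode a-p
    set hbdev "ha1" 50
    set monitor "Office_internet" "Office_LAN"
    config secondary-vcluster
        set monitor "DC_Internet" "DC_LAN"
        set vdom "DataCenter"
    end
end
'''

Entry = Tuple[Tuple[str, ...], str, List[str]]   # (block path, key, values)

# 'set' keys whose values name interfaces
INTERFACE_REFS = {"member", "monitor", "hbdev", "device",
                  "srcintf", "dstintf", "interface"}


def parse_fortios(text: str) -> List[Entry]:
    """Flatten a FortiOS CLI dump into (path, key, values) triples.

    path is the tuple of enclosing block names, for example
    ('system interface', 'DC_Internet') or ('system ha', 'secondary-vcluster').
    """
    stack: List[Tuple[str, str]] = []      # (kind, name) for each open block
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank or '#config-version=' header
            continue
        tok = shlex.split(line)
        word = tok[0]
        if word == "config":
            stack.append(("config", " ".join(tok[1:])))
        elif word == "edit":
            stack.append(("edit", tok[1]))
        elif word == "next":
            if stack and stack[-1][0] == "edit":
                stack.pop()
        elif word == "end":
            # 'end' closes the innermost config block, including an
            # edit that was left open without 'next'
            while stack:
                if stack.pop()[0] == "config":
                    break
        elif word == "set":
            entries.append((tuple(n for _, n in stack), tok[1], tok[2:]))
    return entries


def defined_interfaces(entries: List[Entry]) -> Set[str]:
    """Names that have an 'edit' under config system interface."""
    return {p[1] for p, _, _ in entries
            if len(p) >= 2 and p[0] == "system interface"}


def dangling_interface_refs(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """(block, key, name) for every interface reference with no definition."""
    known = defined_interfaces(entries)
    bad: List[Tuple[str, str, str]] = []
    for path, key, values in entries:
        if key not in INTERFACE_REFS:
            continue
        for v in values:
            if v.isdigit() or v == "any":      # hbdev priority, wildcard interface
                continue
            if v not in known:
                bad.append(("/".join(path), key, v))
    return bad


if __name__ == "__main__":
    for block, key, name in dangling_interface_refs(parse_fortios(SAMPLE_CONFIG)):
        print(f"{block}: set {key} references undefined interface {name!r}")
```

Feed it the full `show full-configuration` output; the same walk also catches a `set device` in a static route or a `set interface` in a phase1 that points at an interface which was renamed after the route was written.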


That is all for Layer 2; on to Layer 3 and above. Here we need to:

- enable routing
- configure route monitoring
- configure firewall policies
- set up a VPN for the case when the channel between the office and the DC fails

Nothing needs to be done on the switches. On the FortiGate (after the cluster is set up we manage a single device):

Routing and route monitoring
 config vdom
     edit DataCenter
         config router static
             edit 1
                 set gateway 2.2.2.3
                 set device "DC_Internet"
             next
             edit 2
                 set dst 192.168.100.0 255.255.255.0
                 set gateway 192.168.150.1
                 set device "Intercon-DC"
             next
             edit 3
                 set gateway 192.168.150.1
                 set distance 15
                 set device "Intercon-DC"
             next
         end
         config system link-monitor
             edit "DC-Internet"
                 set srcintf "DC_Internet"
                 set server "2.2.2.3"
                 set gateway-ip 2.2.2.3
                 set update-cascade-interface disable
             next
             edit "Interconnect"
                 set srcintf "Intercon-DC"
                 set server "192.168.150.1"
                 set gateway-ip 192.168.150.1
                 set update-cascade-interface disable
             next
         end
     next
     edit Office
         config router static
             edit 1
                 set gateway 1.1.1.2
                 set distance 9
                 set device "Office_Internet"
             next
             edit 2
                 set dst 192.168.200.0 255.255.255.0
                 set gateway 192.168.150.2
                 set device "Intercon-Office"
             next
             edit 3
                 set gateway 192.168.150.2
                 set distance 15
                 set device "Intercon-Office"
             next
         end
         config system link-monitor
             edit "Office-Internet-Check"
                 set srcintf "Office_Internet"
                 set server "1.1.1.2"
                 set gateway-ip 1.1.1.2
                 set update-cascade-interface disable
             next
             edit "Interconnect"
                 set srcintf "Intercon-Office"
                 set server "192.168.150.2"
                 set gateway-ip 192.168.150.2
                 set update-cascade-interface disable
             next
         end
     next
 end

Now, if one of the Internet channels goes down, the link-monitor on that interface fails and (with update-static-route, which is enabled by default) withdraws the static routes bound to that interface, so the default route through the backup path, the interconnect at distance 15, takes over. When the channel comes back the monitor recovers, the routes are reinstalled, and everything returns to how it was. Note that both monitors probe the next-hop gateway itself: a provider gateway that still answers ping while its upstream is broken will not trigger the failover, so where the provider allows it, probe an address beyond the gateway instead.
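
To see why the distances above give exactly this behaviour, here is a small model of the lookup, added as an example and not taken from the article. It encodes the Office VDOM's three static routes, treats a failed link-monitor as withdrawing every static route on that interface (what update-static-route does by default), and resolves a destination with the usual longest-prefix-then-lowest-distance rule; the probe destinations 8.8.8.8 and 192.168.200.10 are constructed for the example. It also shows the case the VPN fallback relies on: with the interconnect down, traffic for the DC LAN falls through to the default route on Office_Internet, which is where the policy-based IPsec policy has to catch it.

```python
"""Model of the static-route / link-monitor failover described above.

Added example, not from the original article. Assumes a FortiOS static
route lookup prefers the longest matching prefix and then the lowest
administrative distance, and that a failed link-monitor (with its default
update-static-route) withdraws every static route whose device is the
monitored interface. Routes and distances are the page's Office VDOM values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set


@dataclass(frozen=True)
class Route:
    dst: str             # prefix; "0.0.0.0/0" is the default route
    gateway: str
    device: str
    distance: int = 10   # FortiOS default for static routes

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.dst)


# config router static of the Office VDOM, as on the page
OFFICE_ROUTES = (
    Route("0.0.0.0/0", "1.1.1.2", "Office_Internet", distance=9),
    Route("192.168.200.0/24", "192.168.150.2", "Intercon-Office"),
    Route("0.0.0.0/0", "192.168.150.2", "Intercon-Office", distance=15),
)


def lookup(routes: Iterable[Route], failed: Set[str], dst_ip: str) -> Optional[Route]:
    """Route FortiOS would use for dst_ip while the interfaces in `failed`
    have a failed link-monitor (their static routes are withdrawn)."""
    ip = ipaddress.ip_address(dst_ip)
    live = [r for r in routes if r.device not in failed and ip in r.network]
    if not live:
        return None
    # longest prefix wins; among equal prefixes the lowest distance wins
    return max(live, key=lambda r: (r.network.prefixlen, -r.distance))


def egress_table(routes: Iterable[Route] = OFFICE_ROUTES) -> Dict[str, Dict[str, Optional[str]]]:
    """Egress interface for an Internet host and a DC-LAN host under each
    failure scenario the article lists (plus both links down)."""
    scenarios: Dict[str, Set[str]] = {
        "normal": set(),
        "internet_down": {"Office_Internet"},
        "interconnect_down": {"Intercon-Office"},
        "both_down": {"Office_Internet", "Intercon-Office"},
    }
    # constructed probe destinations: a public host and a host on the DC LAN
    targets = {"internet": "8.8.8.8", "dc_lan": "192.168.200.10"}
    table: Dict[str, Dict[str, Optional[str]]] = {}
    for name, failed in scenarios.items():
        table[name] = {}
        for label, ip in targets.items():
            r = lookup(routes, failed, ip)
            table[name][label] = r.device if r else None
    return table


if __name__ == "__main__":
    for scenario, egress in egress_table().items():
        print(f"{scenario:18s} internet -> {egress['internet']}, DC LAN -> {egress['dc_lan']}")
```

The DataCenter VDOM is the mirror image (its default route has distance 10 rather than 9, which changes nothing here). The "both_down" row is the one the article does not discuss: with both monitors failed the Office VDOM has no route at all, so the site is isolated rather than falling back to anything.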

It remains to create the firewall policies (I will leave that to you). Just remember that the same traffic can arrive on different interfaces (Internet or interconnect), so policies are needed for both paths.

Also create a VPN connection between the sites for the case when the office-DC channel goes down.

VPN configuration
 config vdom
     edit DataCenter
         config vpn ipsec phase1
             edit "site-to-site"
                 set interface "DC_Internet"
                 set nattraversal disable
                 set proposal aes256-sha256
                 set dhgrp 5
                 set remote-gw 1.1.1.1
                 set psksecret ENC xxx
             next
         end
         config vpn ipsec phase2
             edit "p2"
                 set phase1name "site-to-site"
                 set proposal aes256-sha256
                 set pfs disable
                 set replay disable
                 set auto-negotiate enable
                 set src-addr-type name
                 set dst-addr-type name
                 set src-name "192.168.200.x"
                 set dst-name "192.168.100.x"
             next
         end
     next
     edit Office
         config vpn ipsec phase1
             edit "site-to-site"
                 set interface "Office_Internet"
                 set nattraversal disable
                 set proposal aes256-sha256
                 set dhgrp 5
                 set remote-gw 2.2.2.2
                 set psksecret ENC xxx
             next
         end
         config vpn ipsec phase2
             edit "p2"
                 set phase1name "site-to-site"
                 set proposal aes256-sha256
                 set pfs disable
                 set replay disable
                 set keepalive enable
                 set auto-negotiate enable
                 set src-addr-type name
                 set dst-addr-type name
                 set src-name "192.168.100.x"
                 set dst-name "192.168.200.x"
             next
         end
     next
 end

A note on the crypto settings: this tunnel uses DH group 5 (1536-bit MODP) and disables both PFS and anti-replay. Group 5 is below current recommendations, no PFS means a compromised pre-shared key exposes previously recorded traffic, and replay disable lets captured ESP packets be re-injected. For a production tunnel use dhgrp 14 or higher and leave pfs and replay enabled unless there is a measured reason not to.


And the corresponding firewall policies:
Firewall policies
 config vdom
     edit Office
         config firewall policy
             edit 20
                 set srcintf "Office-LAN"
                 set dstintf "Office_Internet"
                 set srcaddr "192.168.100.x"
                 set dstaddr "192.168.200.x"
                 set action ipsec
                 set schedule "always"
                 set service "ALL"
                 set inbound enable
                 set outbound enable
                 set vpntunnel "site-to-site"
             next
         end
     next
     edit DataCenter
         config firewall policy
             edit 9
                 set srcintf "DC-LAN"
                 set dstintf "DC_Internet"
                 set srcaddr "192.168.200.x"
                 set dstaddr "192.168.100.x"
                 set action ipsec
                 set schedule "always"
                 set service "ALL"
                 set inbound enable
                 set outbound enable
                 set vpntunnel "site-to-site"
             next
         end
     next
 end

As a result, the VPN is only established when the office-DC channel fails: as long as the interconnect route to the other site's LAN exists it wins over the default route, and the policy-based IPsec policy on the Internet interface never sees that traffic.

What we got in the end:

1. Port aggregation protects us from the failure of a single port or of a whole switch in the stack (except for channels where the provider delivered only one cable).

2. The virtual cluster of FortiGates acts as the router for the network; in normal operation the office FortiGate always forwards packets for its own zone and the DC FortiGate for its own. If one FortiGate fails, all traffic is routed by the remaining one.

3. If one of the Internet channels fails, all traffic goes out through the other channel and returns as soon as the failed channel comes back.

4. If the office-DC channel fails, traffic goes through the automatically established VPN and stays there until the channel is restored.

One point the article does not cover and that should be tested explicitly: the HA heartbeat (hbdev ha1 on VLAN 60) reaches the other unit only across the same office-DC trunk, so a failure of that whole channel also cuts the heartbeat. Each unit then sees the other as dead and becomes primary for both virtual clusters, and the Office VDOM's link-monitor of 192.168.150.2 may then be answered by the now-local DataCenter VDOM on the same unit rather than by the real one in the DC. Test scenario 4 by cutting the channel itself, not just by withdrawing the interconnect route, and consider whether a heartbeat path that does not share fate with the interconnect is available.

It turned out long and probably looks complicated at first glance, but if you have questions, I am ready to answer them.

Source: https://habr.com/ru/post/308460/

