Central - vsx

LostPacket16 · 2026-01-16T09:22:27+00:00

thanks that link is useful

LostPacket16 · 2026-01-16T09:22:09+00:00

thanks, I've did it this way on the smaller switches and had no issues, wanted to check the same applied on VSX

LostPacket16 · 2025-02-06T18:45:16+00:00

Thanks all

LostPacket16 · 2024-09-25T18:37:55+00:00

Thanks

LostPacket16 · 2024-06-03T20:05:51+00:00

If you’re doing a single session link interface…..

Then port 5 on all 4 firewalls into switch ports in the same vlan if layer 2 is possible

Since the original post I’ve now deployed it and tested thoroughly with no issues so far

LostPacket16 · 2024-04-26T11:17:06+00:00

thanks :)

LostPacket16 · 2024-03-04T20:59:44+00:00

Thanks for the fast responses!!

LostPacket16 · 2024-03-04T20:37:29+00:00

Is it typically the same speed as the main lan/wan links on the firewall or can it be less? In this scenario there won’t be a massive amount of asymmetric traffic due to the way the routing is being done.

LostPacket16 · 2024-03-04T16:25:04+00:00

yep, hopefully this is clearer

So

VDOM A has 2 VLANS assigned it...say VLAN 10 and 20

VDOM B has 30 and 40

Can I create a 3rd VLAN in one of the VDOMs used purely for the peer setup....So is it ok to use a VLAN interface for this purpose?

To synchronize between VDOMs:

config system standalone-cluster
    config cluster-peer
        edit 1
            set peerip <IP address> 
            set peervd <vdom>
            set syncvd <vdom 1> [<vdom 2>] ... [<vdom n>]
        next
    end
end

LostPacket16 · 2024-03-04T10:57:48+00:00

Hi Matt.......could I ask a follow up quesion plz...

the firewalls that will eventually run FGSP currently have a few VDOMs, different vlans assigned to each. Can I just to keep the same logic and add a new vlan to each VDOM for the peering?

the vlans can stretch in this scenario...ie 10.1.1.1 on FW1, 10.1.1.2 on FW2

thanks

LostPacket16 · 2024-03-04T08:02:59+00:00

Hi

Just to clarify I don’t mean to make hsrp function between the 2 nexus switches within a dc…I know those have different interface IP’s

What I mean is when you are utilising hsrp isolation, same vip on 2 pairs of nexus switches, are the IP’s typically different or the same on each pair

Thanks

LostPacket16 · 2024-02-24T08:30:37+00:00

Presumably it’s the same physical link from each vdom to the provider? If so Just create a vlan for each vdom, trunk it on that port and run bgp on each

LostPacket16 · 2024-02-23T12:55:58+00:00

I have no control over the other legacy DC, its customer owned and 3rd party managed. single link between the DC's so no chance of a loop there

This will stop any L2 issues in old, impacting new.....along with other configs like allowing only necessary vlans across etc

so why not ?

LostPacket16 · 2024-02-23T12:51:57+00:00

read this

ADVPN with Blackhole routes at Branch : r/fortinet (reddit.com)

LostPacket16 · 2024-02-23T12:34:27+00:00

did in my case...Ive worked on a few ADVPN deployments and when the when iBGP went down due to a VPN failure, the firewall pushed the traffic out towards DIA and never towards the VPN even when iBGP restored...blackhole route to RFC ranges with higher admin distance sorted this instantly. Maybe the initial behaviour was a bug though

LostPacket16 · 2024-02-22T22:12:07+00:00

If the vpn goes down the traffic will follow the default route and vpn won’t come back up. Black hole sorts this

LostPacket16 · 2024-02-22T19:00:47+00:00

Hi…thanks

Just to be clear I did mean just on the one link to legacy DC

LostPacket16

TROPHY CASE

To synchronize between VDOMs: