I am in the process of implementing a secondary Internet link into our environment. I am using Fortigate firewalls and Cisco switches in my environment. I am not seeking any assistance with the Fortigate component.
My question is this. On my Fortigate unit I have configured two VLAN interfaces (one for each ISP): VLANs 14 and 19.
I have two switches connected together (2960G 48-port).
The Fortigates are configured in a HA cluster so they appear to the network as a single device (I have two of these also connected together).
I have connected the equipment as follows:
Fortigate1 Port 8 -> Cisco 2960 (Switch1) Port Gi 0/31
Fortigate2 Port 8 -> Cisco 2960 (Switch2) Port Gi 0/31
I have configured the Cisco ports Gi 0/31 as trunk ports, and I have explicitly defined the allowed VLANs as 14 and 19.
On switch1 I have defined Gi 0/31 as an access port in VLAN 14 and have patched the ISP router into it.
On switch2 I have defined Gi 0/32 as an access port in VLAN 19 and have patched the ISP router into it.
Now, my question is this: do I need to also allow VLAN 1 (which is the native VLAN on the switches) on the trunk?
The switches are running PVST, which I want to change to RSTP as part of the implementation.
So, how do I enable RSTP to work properly, i.e. so that in the event of a hardware failure, be it the Fortigate or the Cisco, the network will continue to operate? If the Fortigate fails, it sends gratuitous ARPs and updates the switch MAC address table for all interfaces.
Hope this makes sense? I appreciate this ain't a Fortinet forum!!
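As an added example (not part of the original post, and not the poster's own running config), here is how the 2960 side of the setup described above would look in IOS if VLAN 1 is left off the trunks and the native VLAN is moved to an unused ID, which is the usual hardening against untagged-frame and double-tagging tricks on a trunk. Assumptions: hostname Switch1, the ISP-A router on Gi0/32 (the post lists both 0/31 and 0/32 for switch1), the inter-switch link on Gi0/48, and VLAN 999 as the unused native VLAN. Switch2 is the same with access VLAN 19 on Gi0/32.

```text
! Switch1 (assumed hostname); Switch2 is identical except for the access VLAN on Gi0/32
! Rapid PVST+ keeps one spanning-tree instance per VLAN, so 14 and 19 each get a topology
spanning-tree mode rapid-pvst
!
vlan 14
 name ISP-A
vlan 19
 name ISP-B
! Unused VLAN that only exists to be the native VLAN (assumed ID 999)
vlan 999
 name NATIVE-UNUSED
!
! Trunk towards the FortiGate HA member. No DTP, only the two ISP VLANs tagged,
! nothing untagged; the firewall does not speak STP, so treat it as an edge port
! and shut the port if a BPDU ever arrives from that side.
interface GigabitEthernet0/31
 description FortiGate1 port8
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 14,19
 switchport trunk native vlan 999
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
!
! ISP router access port (assumed Gi0/32)
interface GigabitEthernet0/32
 description ISP-A router
 switchport mode access
 switchport access vlan 14
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Inter-switch trunk (assumed Gi0/48). Native VLAN must match on both ends,
! otherwise Rapid PVST+ blocks the port for a PVID/native VLAN mismatch.
interface GigabitEthernet0/48
 description Uplink to Switch2 Gi0/48
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 14,19
 switchport trunk native vlan 999
!
! Checks from exec mode after applying the above:
!   show interfaces trunk       - allowed/active/forwarding VLANs and native VLAN per trunk
!   show spanning-tree summary  - should report "Switch is in rapid-pvst mode"
!   show spanning-tree vlan 14  - port roles/states for the ISP-A topology
!   show mac address-table vlan 14
!       after an HA failover the FortiGate MAC should have moved to the surviving member's port
```

A caveat when reading `show interfaces trunk` after this change: pruning VLAN 1 from the allowed list only affects data traffic. Cisco switches keep sending CDP, DTP and VTP control traffic in VLAN 1 on the trunk regardless, so the absence of VLAN 1 in the allowed list does not by itself break the switch-to-switch control plane; what does break spanning tree is a native VLAN that differs on the two ends of a trunk, so change it on both switches in the same window.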