Technical Tip: Aggregate link configuration topologies in a High Availability cluster
Description
This article describes the expected topologies with LACP bundles in a FortiGate HA cluster.
Scope
FortiGate.
Solution
This question is often asked when LACP connections to the local switches do not come up as expected.
These are the most common and expected topologies (valid for both A-P and A-A clusters), while the most common mistakes are shown below.

Notes:
- If the switches are deployed in an MCLAG topology, the dual-homed connection for LACP will work, and each FortiGate will have its own LACP bundle.
Reference: Deploying MCLAG topologies.
- For version 7.2.1 onwards, set lacp-ha-slave has been replaced with set lacp-ha-secondary.
- In an Active-Active HA setup, both units are processing traffic. This means that both LACP bundles must be active simultaneously.
In this case, set lacp-ha-secondary disable will prevent LACP on the second unit from establishing, and traffic will not be processed correctly. In an Active-Active FortiGate setup, the connected switch must have the LACP bundles connected in two separate LAG groups.
It is recommended that each FortiGate unit connects to the switch via its own separate LACP bundle.
Reference: HA with 802.3ad aggregate interfaces, 'Link aggregation, HA failover performance, and HA mode'.
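The Active-Active conflict described in the notes above can be checked offline against a saved configuration. The following is an added example, not Fortinet code: the function name audit_lacp_ha and the sample configuration (interface names, ports) are constructed for illustration, and the parser assumes the usual config/edit/set/next/end layout of a FortiOS configuration file.

```python
import re

# Constructed sample (not from the article): trimmed FortiOS-style config.
SAMPLE_CONFIG = """
config system ha
    set mode a-a
end
config system interface
    edit "agg-lan"
        set type aggregate
        set member "port1" "port2"
        set lacp-ha-secondary disable
    next
    edit "agg-wan"
        set type aggregate
        config ipv6
            set ip6-allowaccess ping
        end
    next
end
"""

def audit_lacp_ha(config_text):
    """Return aggregate interfaces with LACP disabled on the secondary unit in an A-A cluster."""
    stack, ha_mode, iface, ifaces = [], None, None, {}
    for line in (raw.strip() for raw in config_text.splitlines()):
        if line.startswith("config "):
            stack.append(line[len("config "):])   # enter a (possibly nested) block
        elif line == "end":
            if stack:
                stack.pop()
        elif stack == ["system ha"] and line.startswith("set mode "):
            ha_mode = line.split()[2]
        elif stack == ["system interface"]:        # ignore nested blocks such as ipv6
            m = re.match(r'edit "?([^"]+)"?$', line)
            if m:
                iface = ifaces.setdefault(m.group(1), {})
            elif line == "next":
                iface = None
            elif iface is not None and line.startswith("set "):
                parts = line.split()
                iface[parts[1]] = parts[2:]
    if ha_mode != "a-a":
        return []
    # lacp-ha-slave is the option name used before version 7.2.1
    return [name for name, o in ifaces.items()
            if o.get("type") == ["aggregate"]
            and (o.get("lacp-ha-secondary") or o.get("lacp-ha-slave")) == ["disable"]]
```

On the constructed sample, only agg-lan is reported; agg-wan does not set the option and is not flagged.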
Related documents:
Technical Tip: High Availability basic deployment design
HA with 802.3ad aggregate interfaces
Technical Tip: Initial troubleshooting steps for LACP (Link Aggregation - 802.3ad)
Technical Tip: HA Cluster virtual MAC addresses
Troubleshooting Tip: Verifying physical and HA Virtual MAC addresses of FortiGate interfaces
Technical Tip: FortiGate HA A-P (Active-Passive) cluster connected to a L2 switch with LACP (802.3ad)
Aggregation and redundancy
