Matt_L
Staff
March 25, 2025

Technical Tip: Expected behavior of the FortiGate FortiLink aggregate interface 'split interface' option with multiple FortiSwitches connected to the FortiGate

Description This article describes the behavior of the FortiLink aggregate interface when multiple FortiSwitches are connected to the FortiGate, and the 'split interface' option is enabled (default).
Scope FortiOS v7.2.x, v7.4.x, v7.6.0, v7.6.1+.
Solution

Hovering over the 'i' information icon next to 'FortiLink split interface' in the FortiGate GUI when editing the FortiLink aggregate interface will display the following information:

 

Connect a FortiLink aggregate interface from one FortiGate to more than one FortiSwitch (no MCLAG).

 

split-interface_option.JPG

 

When the 'FortiLink split interface' option is enabled on the FortiLink interface in the FortiGate, the 'Interface members' section will show that only one of the interface members is up and active. This may lead to concern that there is an issue with the port(s) that are going down.

 

port_down.JPG

 

In the above screenshot example, interface x3 shows as down. This is expected behavior: when the 'FortiLink split interface' option is enabled and multiple FortiSwitch units are connected to the FortiGate, only one link remains active.

 

Checking the same via the CLI:

 

diagnose netlink aggregate name fortilink

 

status: up
npu: y
flush: n
asic helper: y
oid: 0
ports: 2
link-up-delay: 50ms
min-links: 1
ha: master
distribution algorithm: L4
LACP mode: active
LACP speed: slow
LACP HA: enable
aggregator ID: 1
actor key: 17
actor MAC address: xx:xx:xx:xx:xx:xx
partner key: 17
partner MAC address: zz:zz:zz:zz:zz:zz

member: x1
  index: 0
  link status: up <-------------
  link failure count: 0
  permanent MAC addr: xx:xx:xx:xx:xx:xx
  LACP state: established <-------------
  LACPDUs RX/TX: 6/10
  actor state: ASAIEE
  actor port number/key/priority: 12 17 255
  partner state: ASAIEE
  partner port number/key/priority: 1 17 255
  partner system: 65535 zz:zz:zz:zz:zz:zz
  aggregator ID: 1
  speed/duplex: 1000 1
  RX state: CURRENT 6
  MUX state: COLLECTING_DISTRIBUTING 4

member: x3
  index: 1
  link status: down <-------------
  link failure count: 1
  permanent MAC addr: xx:xx:xx:xx:xx:xx

 

To avoid confusion, note that member port x3 will be shown as 'admin' down instead of physically down.

 

diagnose hardware deviceinfo nic x3 | grep -i 'admin\|status'

========== Link Status ==========
Admin :down <------------- logical/config
netdev status :N/A
link_status :Down <------------- physical
rx_link_status :0

 

get system interface physical x3

== [onboard]
==[x3]
mode: static
ip: 0.0.0.0 0.0.0.0
ipv6: ::/0
status: down <------------- physical
speed: n/a

 

show system interface ? (pressing <enter> is not needed; the output will look similar to the below)

x3 static 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 up disable physical

 

Note: To enable/disable the FortiLink split interface via the CLI, use the following commands:

 

config system interface

    edit <aggregate_name>   <-- Replace <aggregate_name> with the FortiLink interface name to be configured.

        set fortilink-split-interface [enable | disable]

end

 

Starting from FortiGate v7.6.1, as described in the release notes (What’s new in FortiOS 7.6.1), the default behavior of the split-interface has changed as follows:

The default fortilink-neighbor-detect mode is changed from 'fortilink' to 'lldp', and the redundancy is achieved in another way.

 

show full-configuration system interface fortilink | grep neighbor

    set fortilink-neighbor-detect lldp

 

Because of this change, the status of all member ports will always show as UP, but only the connections (if multiple) to the same switch will show LACP in the 'established' state.

The other member ports will be in the 'negotiating' state and, as a result, only 1 active path will remain.

 

diagnose netlink aggregate name fortilink

 

status: up
npu: y
flush: n
asic helper: y
oid: 0
ports: 2
link-up-delay: 50ms
min-links: 1
ha: master
distribution algorithm: L4
LACP mode: active
LACP speed: slow
LACP HA: enable
aggregator ID: 1
actor key: 17
actor MAC address: xx:xx:xx:xx:xx:xx
partner key: 17
partner MAC address: zz:zz:zz:zz:zz:zz

member: x1
  index: 0
  link status: up <-------------
  link failure count: 0
  permanent MAC addr: xx:xx:xx:xx:xx:xx
  LACP state: established <-------------
  LACPDUs RX/TX: 90/102
  actor state: ASAIEE
  actor port number/key/priority: 12 17 255
  partner state: ASAIEE
  partner port number/key/priority: 1 17 255
  partner system: 65535 zz:zz:zz:zz:zz:zz
  aggregator ID: 1
  speed/duplex: 1000 1
  RX state: CURRENT 6
  MUX state: COLLECTING_DISTRIBUTING 4

member: x3
  index: 1
  link status: up <-------------
  link failure count: 1
  permanent MAC addr: xx:xx:xx:xx:xx:xx
  LACP state: negotiating <-------------
  LACPDUs RX/TX: 11/13
  actor state: ASAODD
  actor port number/key/priority: 11 17 255
  partner state: ASAODD
  partner port number/key/priority: 1 17 255
  partner system: 65535 zz:zz:zz:zz:zz:zz
  aggregator ID: 1
  speed/duplex: 1000 1
  RX state: CURRENT 6
  MUX state: WAITING 2
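For monitoring scripts that collect 'diagnose netlink aggregate name fortilink', the following added example (not Fortinet code) parses the per-member fields and separates the expected standby states described in this article from a trunk with no established member. The function names, role labels and the abbreviated sample text are assumptions made for the illustration, and the input is expected with one field per line as the CLI prints it.

```python
import re

# Constructed sample modelled on the article's v7.6.1+ output (abbreviated).
SAMPLE = """\
status: up
ports: 2
LACP mode: active
member: x1
  index: 0
  link status: up
  LACP state: established
  MUX state: COLLECTING_DISTRIBUTING 4
member: x3
  index: 1
  link status: up
  LACP state: negotiating
  MUX state: WAITING 2
"""

def parse_members(text):
    """Return {member_name: {field: value}} from the diagnose output."""
    members, current = {}, None
    for line in text.splitlines():
        # Drop annotation arrows such as '<-------------' used in the article.
        line = re.sub(r"<-+.*$", "", line).strip()
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "member":
            current = members.setdefault(value, {})
        elif current is not None:      # aggregate-level header fields are skipped
            current[key] = value
    return members

def classify(member):
    link, lacp = member.get("link status"), member.get("LACP state")
    if link == "up" and lacp == "established":
        return "active"
    if link == "up" and lacp == "negotiating":
        return "standby-lldp"       # expected with fortilink-neighbor-detect lldp
    if link == "down":
        return "standby-or-failed"  # confirm admin vs physical down on the NIC
    return "unknown"

def summarize(text):
    """Return (roles per member, True if at least one member carries traffic)."""
    roles = {name: classify(m) for name, m in parse_members(text).items()}
    return roles, "active" in roles.values()
```

A 'standby-or-failed' result still needs the 'diagnose hardware deviceinfo nic' check shown earlier, because the aggregate output alone does not distinguish an admin-down member from a physically failed one.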

 

Also, changing 'fortilink-neighbor-detect' to LLDP will cause a network outage in non-MCLAG environments where the 'access-vlan' | 'Block intra-VLAN traffic' feature is also enabled. Avoiding the issue requires 'fortilink-neighbor-detect' to be set to 'fortilink' instead. For more details, refer to Technical Tip: Managed FortiSwitch redundancy for Access-VLAN feature.

 

See the following documents for configuration steps for FortiLink: