Technical Tip: How to verify link aggregation (LAG, LACP, 802.3ad) algorithm result
Description
This article describes how to check which physical port will be used within a LAG based on the hash value calculation.
Scope
FortiGate.
Note:
This command will show the port that is selected by software hash calculation, while a different port selected by NP6 on any NP6 platforms can actually be used.
Solution
Verify which port will be used in LACP LAG.
Example for L4 hash (default):
Example for L3 hash:
Example for L2 hash:
diagnose netlink aggregate port <aggregate-interface>
[ src-mac <mac-addr> ] [ dst-mac <mac-addr> ]
or
[ src-ip <IPv4-addr> ] [ dst-ip <IPv4-addr> ] [ proto <IP-protocol> ] [ src-port <TCP/UDP port> ] [ dst-port <TCP/UDP port> ] [ vlan-id <VLAN-Id> ] [ spi <IPsec-SPI> ] [ frag (offset|flag) ]
[ src-mac <mac-addr> ] [ dst-mac <mac-addr> ]
or
[ src-ip <IPv4-addr> ] [ dst-ip <IPv4-addr> ] [ proto <IP-protocol> ] [ src-port <TCP/UDP port> ] [ dst-port <TCP/UDP port> ] [ vlan-id <VLAN-Id> ] [ spi <IPsec-SPI> ] [ frag (offset|flag) ]
Example for L4 hash (default):
diagnose netlink aggregate port agg2 src-ip 1.2.3.4 dst-ip 5.6.7.8 proto 6 src-port 64123 dst-port 64124
> port port4
diagnose netlink aggregate port agg2 src-ip 1.2.3.4 dst-ip 5.6.7.8 proto 6 src-port 64120 dst-port 64125
> port port2
> port port4
diagnose netlink aggregate port agg2 src-ip 1.2.3.4 dst-ip 5.6.7.8 proto 6 src-port 64120 dst-port 64125
> port port2
Example for L3 hash:
diagnose netlink aggregate port agg2 src-ip 1.2.3.4 dst-ip 5.6.7.8
> port port2
diagnose netlink aggregate port agg2 src-ip 1.2.3.4 dst-ip 5.6.7.9
> port port4
> port port2
diagnose netlink aggregate port agg2 src-ip 1.2.3.4 dst-ip 5.6.7.9
> port port4
Example for L2 hash:
diagnose netlink aggregate port agg2 src-mac 00:10:10:20:30:40 dst-mac 00:50:56:57:58:59
> port port4
diagnose netlink aggregate port agg2 src-mac 00:10:10:20:30:40 dst-mac 00:50:56:57:58:60
> port port2
> port port4
diagnose netlink aggregate port agg2 src-mac 00:10:10:20:30:40 dst-mac 00:50:56:57:58:60
> port port2
Note:
By default in FortiOS, the LAG member selection algorithm for traffic distribution is based on ONLY Layer 4 header information.
Therefore, ICMP and other non-L4 flows may not produce meaningful or distributed results when using the 'diagnose netlink aggregate port <aggregate-interface>' command, since the tool only fully evaluates LAG hashing with L4 fields that are actually present.
Clarification:
- The L2 algorithm ONLY considers the Source and Destination MAC addresses when distributing the traffic across the port members of the LAG.
- The L3 algorithm ONLY considers the Source and Destination IP addresses when distributing the traffic across the port members of the LAG.
- The L4(default) algorithm ONLY considers Source and Destination ports (TCP/UDP) when distributing traffic across the port members of the LAG.
- The source-MAC algorithm ONLY considers the Source-MAC address when distributing the traffic across the port members of the LAG.
Related article:
Technical Tip: Initial troubleshooting steps for LACP (Link Aggregation - 802.3ad)