Matthew1
New Member
February 8, 2021
Question

Fortigate 100F ( HA Cluster ) Link Aggregation for multiple vDoms

  • February 8, 2021
  • 4 replies
  • 22234 views

Hello to all,

I'm new to the Fortinet products.

At the moment I am concerning myself with the FortiGate 100F firewall.

Question:

Is it possible to configure one LACP link (with two ports) to a switch when I use multiple VDOMs on the FortiGate 100F and this FortiGate is also in an HA cluster?

Because I read the below in the FortiOS 6.4.4 Administration Guide on page 397:

Aggregation and redundancy

An interface is available to be an aggregate interface if:

It is in the same VDOM as the aggregated interface. Aggregate ports cannot span multiple VDOMs.

https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/7d5dfa98-3a77-11eb-96b9-00505692583a/FortiOS-6.4.4-Administration_Guide.pdf

Does this mean I need a dedicated interface pair per VDOM, or can I use VLANs on the 802.1Q trunk and then use one VLAN per VDOM?

Any recommendation / example configuration would be great.

Thank you.

    4 replies

    Toshi_Esumi
    SuperUser
    February 8, 2021

    In a multi-VDOM environment, you generally want to use VLANs on the trunked agg interface. Each VLAN subinterface can be bound to any VDOM independently.

    Matthew1 (Author)
    New Member
    February 9, 2021

    Thank you for the quick reply, Toshi.

    If I get it right, you configure an LACP interface with 2 physical ports on the FortiGate for each VDOM? Or for the root VDOM alone, and then use VLANs in the other VDOMs and bind them to the LACP interface on the root VDOM?

    Some configuration example may make it clear for me.

    Thank you.

    Toshi_Esumi
    SuperUser
    February 9, 2021

    Assuming the other end is terminated at a VLAN-capable switch, regardless of where or in what VDOM the physical agg interface is terminated, we regularly don't assign any IP on it and don't use the untagged interface, but use only VLANs for all VDOM uses, including root. Whether it's switched with or without tags on the other end is up to the switch.

    Matthew1 (Author)
    New Member
    February 15, 2021

    Hi Toshi,

    thanks for your effort.

    This solution is not what I'm looking for.

    I only want to use 4 physical interfaces per FG firewall (2 legs to the upper 2 switches with an agg. 802.1Q trunk and 2 legs to the bottom switch with an agg. 802.1Q trunk).

    Then use logical interfaces and bind them to the agg. trunk interface.

    Not an additional physical interface per VDOM.

    Just 4 physical interfaces and 3 VDOMs per FG firewall, that's it.

    Thank you.

    Toshi_Esumi
    SuperUser
    February 15, 2021

    Isn't this what you want??

    Matthew1 (Author)
    New Member
    February 15, 2021

    Hello Toshi,

    nice drawing.

    If the green dotted lines are NOT physical interfaces and the VLANs to the bottom switch are the same as for the upper switch, meaning VLAN 10, 11 and 12, then the answer is yes.

    Is it possible?

    Really, thank you for the effort.

    ZGB
    New Member
    September 6, 2023

    I have the same challenge with a Fortinet 100F (FW 6.4.x). I connect a multi-VDOM HA cluster to a stack with two switches. To my understanding, two LACP LAGs are required for redundancy. Firewall cluster and switch stack are full-meshed.

    [image: AnbindungSW.png]

    By default all interfaces are in the root VDOM, which we want to use as the management VDOM.

    Each interface/LACP is assigned to a distinct VDOM. The VLANs on this LACP are then also in the assigned VDOM.

    In which VDOM or context do I have to define LACP LAGs and VLANs?

    Thanks in advance...

    Toshi_Esumi
    SuperUser
    September 6, 2023

    It doesn't matter where the physical LAG/LACP interface resides. Wherever it is, you can create as many VLANs as you want on the LAG and set a VDOM for each VLAN, like your VLAN 2, 3, 4, 5.
    I would leave the LAG at the root VDOM though.

    Toshi
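The layout recommended in this thread (Toshi's replies above and ZGB's question about which context to use) as an added configuration example; this is not Toshi's or Fortinet's own config. It assumes a FortiGate already switched to multi-VDOM mode, so the LAG and its VLAN subinterfaces are all created under config global, the LAG stays in root with no IP and no management access, and each VLAN is bound to its own VDOM. The VDOM names, port numbers and addresses are placeholders.

```fortios
config vdom
    edit "vdom-a"
    next
    edit "vdom-b"
    next
end
config global
    config system interface
        # LAG of two physical ports, left in root: no IP, no allowaccess,
        # so nothing can be reached on the untagged interface itself.
        edit "down_link"
            set vdom "root"
            set type aggregate
            set member "port3" "port4"
            set lacp-mode active
            set lacp-speed fast
        next
        # 802.1Q subinterfaces on the LAG; each one belongs to a different VDOM.
        # Management VLAN stays in root; only it exposes admin access.
        edit "vlan2"
            set vdom "root"
            set interface "down_link"
            set vlanid 2
            set ip 10.0.2.1 255.255.255.0
            set allowaccess ping https ssh
        next
        edit "vlan3"
            set vdom "vdom-a"
            set interface "down_link"
            set vlanid 3
            set ip 10.0.3.1 255.255.255.0
            set allowaccess ping
        next
        edit "vlan4"
            set vdom "vdom-b"
            set interface "down_link"
            set vlanid 4
            set ip 10.0.4.1 255.255.255.0
        next
    end
end
```

The switch side must trunk VLANs 2, 3 and 4 tagged on the matching LACP port-channel; a second LAG to the other switch is configured the same way with its own member ports.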

    ZGB
    New Member
    September 6, 2023

    Thanks Toshi for your reply. I got it :)

    Are there any security concerns about having the LACP interface, which is forwarding all VLAN frames, in the root VDOM (management VDOM)?

    Toshi_Esumi
    SuperUser
    September 6, 2023

    I wouldn't be much concerned. It's just an L2 interface. If you sniff it at the root VDOM, it would just show like below:

    fgxxx (root) # diag sniffer packet down_link
    interfaces=[down_link]
    filters=[none]
    0.711052 802.1Q vlan#3 P0
    0.730212 802.1Q vlan#3 P0
    0.751162 802.1Q vlan#3 P0
    0.751182 802.1Q vlan#3 P0
    0.751353 802.1Q vlan#3 P0
    0.906159 stp 802.1w, rapid stp, flags [learn, forward, agreement], bridge-id 8000.20:cf:ae:13:68:19.83e8
    1.046609 802.1Q vlan#3 P0
    1.055343 802.1Q vlan#3 P0
    1.108825 802.1Q vlan#3 P0
    1.660195 802.1Q vlan#3 P0

    Besides, the root VDOM is your management VDOM and nobody outside would come in.

     

    Toshi