ForIT
New Member
December 19, 2017
Question

LACP between Cisco 3850 and Fortigate 100D


Hello all,

Can you please tell me where I can find an up-to-date configuration for LACP between Cisco and FortiGate? The last configuration I found used the dot1q command, which is not supported anymore.

My LACP is up but no traffic passes through.

 

CHZHSTFW01 # diagnose netlink aggregate name test
 
CHZHSTFW01 # diagnose netlink aggregate name Test
LACP flags: (A|P)(S|F)(A|I)(I|O)(E|D)(E|D)
(A|P) - LACP mode is Active or Passive
(S|F) - LACP speed is Slow or Fast
(A|I) - Aggregatable or Individual
(I|O) - Port In sync or Out of sync
(E|D) - Frame collection is Enabled or Disabled
(E|D) - Frame distribution is Enabled or Disabled
 
status: up
ports: 1
link-up-delay: 50ms
min-links: 1
ha: master
distribution algorithm: L4
LACP mode: active
LACP speed: slow
LACP HA: enable
aggregator ID: 1
actor key: 17
actor MAC address: 90:6c:ac:52:3a:5a
partner key: 2
partner MAC address: a0:f8:49:cd:5c:00
 
slave: port5
  link status: up
  link failure count: 5
  permanent MAC addr: 90:6c:ac:52:3a:5a
  LACP state: established
  actor state: ASAIEE
  actor port number/key/priority: 1 17 255
  partner state: ASAIEE
  partner port number/key/priority: 266 2 32768
  partner system: 34817 a0:f8:49:cd:5c:00
  aggregator ID: 1
  speed/duplex: 1000 1
  RX state: CURRENT 6
  MUX state: COLLECTING_DISTRIBUTING 4
  

  

CHZHSTFW01 # diagnose sniffer packet Test
interfaces=[Test]
filters=[none]
pcap_lookupnet: Test: no IPv4 address assigned
9.624169 loopback
10.534169 802.3ad LACPDU (32768,A0-F8-49-CD-5C-00,0002,32768,0266) ASAIEE (65535,90-6C-AC-52-3A-5A,0017,0255,0001) ASAIEE
19.624169 loopback
23.674169 llc unnumbered, ui, flags [command], length 46
29.174169 llc unnumbered, ui, flags [command], length 469
29.624169 loopback
^C
6 packets received by filter
0 packets dropped by kernel
 
CHZHSTFW01 #  

 

 

Cisco side is:

interface Port-channel2
 switchport trunk allowed vlan 208
 switchport mode trunk

interface TenGigabitEthernet1/0/9
 switchport trunk allowed vlan 208
 switchport mode trunk
 channel-protocol lacp
 channel-group 2 mode active

 

Thanks
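
The flag legend printed in the diagnose output above can be applied mechanically. The following is an added example, not part of the original post: it decodes each member port's actor and partner state strings and lists any side that is not in sync, collecting and distributing. The function names and the port6 sample lines are constructed for illustration.

```python
import re

# Flag legend as printed by the FortiGate output above, one letter per position.
LEGEND = [
    ("mode", {"A": "active", "P": "passive"}),
    ("speed", {"S": "slow", "F": "fast"}),
    ("aggregation", {"A": "aggregatable", "I": "individual"}),
    ("sync", {"I": "in sync", "O": "out of sync"}),
    ("collection", {"E": "enabled", "D": "disabled"}),
    ("distribution", {"E": "enabled", "D": "disabled"}),
]

def decode_state(flags):
    """Decode a six-letter state string such as 'ASAIEE' into named fields."""
    if len(flags) != len(LEGEND):
        raise ValueError(f"expected {len(LEGEND)} flags, got {flags!r}")
    decoded = {}
    for letter, (name, meanings) in zip(flags, LEGEND):
        if letter not in meanings:
            raise ValueError(f"unexpected {letter!r} in {name} position")
        decoded[name] = meanings[letter]
    return decoded

def forwarding(decoded):
    """True when a side is in sync and both collecting and distributing."""
    return (decoded["sync"] == "in sync" and decoded["collection"] == "enabled"
            and decoded["distribution"] == "enabled")

def check_ports(diag_text):
    """Map each member port to the sides (actor/partner) that are not forwarding."""
    report, port = {}, None
    for line in diag_text.splitlines():
        m = re.match(r"\s*slave:\s*(\S+)", line)
        if m:
            port = m.group(1)
            report[port] = []
        s = re.match(r"\s*(actor|partner) state:\s*([A-Z]+)\s*$", line)
        if s and port and not forwarding(decode_state(s.group(2))):
            report[port].append(s.group(1))
    return report

# port5 lines are taken from the output above; port6 is a constructed failing case.
SAMPLE = """slave: port5
  actor state: ASAIEE
  partner state: ASAIEE
slave: port6
  actor state: ASAIEE
  partner state: PSAODD
"""
```

For the posted values, port5 reports no failing side, which matches the "LACP is up" observation in the post.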

 

    1 reply

    Toshi_Esumi
    SuperUser
    December 19, 2017

    Nothing seems to be wrong in terms of aggregation/port-channel interface config. Did you configure the vlan interface (vlanid 28) attached to the "Test" interface on the FG side?

    SamCrenshaw
    New Member
    December 20, 2017

    This is the configuration I am using:

     

    interface Port-channel3
     switchport trunk native vlan 1046
     switchport trunk allowed vlan 1024
     switchport mode trunk

    interface GigabitEthernet1/0/3
     description port2.zzz2
     switchport trunk native vlan 1046
     switchport trunk allowed vlan 1024
     switchport mode trunk
     no snmp trap link-status
     no lldp transmit
     no lldp receive
     no cdp enable
     channel-protocol lacp
     channel-group 3 mode active

    config sys inter
        edit "zzz2.po2"
            set vdom "inet"
            set type aggregate
            set member "port2" "port6"
            set alias "zzz2.po2"
            set role lan
            set snmp-index 16
        next
        edit "zzz.int.po2"
            set vdom "inet"
            set ip 10.1.201.2 255.255.255.192
            set allowaccess ping
            set alias "zzz.int"
            set role lan
            set snmp-index 8
            config ipv6
                set ip6-allowaccess ping
            end
            set interface "zzz2.po2"
            set vlanid 1024
        next
    end

    blackhole_route
    New Member
    December 21, 2017

    You've just identified your problem. The 100D doesn't have any ten gig ports, so trying to do connectivity from 1 gig on the Fortigate to the Cisco 10 gig interface just isn't going to work. One option you could pursue is to drop a 1 gig SFP optic in the 3850 and dumb down the port to a 1 gig port. I don't know for certain, but I had in mind that the 3850 does support this, if you have the SFP optic.