FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
AlexC-FTNT
Staff
Staff
Article Id 200980

Description

 

This article describes the expected topologies with LACP bundles in a FortiGate HA cluster.

 

Scope

 

FortiGate.

 

Solution

 

It is a question that is often asked when LACP connections to the local switches are not coming up as expected. 

These are the most common and expected topologies (valid for both A-P and A-A clusters), while the most common mistakes are shown below.

 

LACP HA.png

 

Note: If the switches are deployed in MCLAG topology, the dual-homed connection for LACP will work, and each FortiGate will have its own LACP bundle.

Reference: Deploying MCLAG topologies | FortiSwitch 7.4.2 | Fortinet Document Library

 

Note: For version 7.2.1 onwards, lacp-ha-slave has been replaced with lacp-ha-secondary.

 

When it comes to LACP, each unit must have its own LACP bundle on the switch.

HA with 802.3ad aggregate interfaces

'Link aggregation, HA failover performance, and HA mode'.

 

Related documents:

Technical Tip: High Availability basic deployment design

HA with 802.3ad aggregate interfaces

Technical Tip: Initial troubleshooting steps for LACP (Link Aggregation - 802.3ad)

Technical Tip: HA Cluster virtual MAC addresses

Troubleshooting Tip: Verifying physical and HA Virtual MAC addresses of FortiGate interfaces

Technical Tip: FortiGate HA A-P (Active-Passive) cluster connected to a L2 switch with LACP (802.3ad...