FortiGate
acvaldez
Staff
Description

This article explains how to configure HA interface monitoring when a LACP aggregate interface is used to carry multicast traffic.

Scope

FortiGate
Solution

The output below shows the physical interfaces that are members of the LACP aggregate (here named LACPMcastServer).

FGTA-MCAST # diag netlink aggregate name LACPMcastServer
status: up
npu: n
flush: n
asic helper: y
ports: 2
link-up-delay: 50ms
min-links: 1
ha: master
distribution algorithm: L4
LACP mode: static

slave: port3
  index: 0
  link status: up
  link failure count: 0
  permanent MAC addr: 00:0c:29:09:75:6f

slave: port4
  index: 1
  link status: up
  link failure count: 0
  permanent MAC addr: 00:0c:29:09:75:79

- In the HA configuration, do not add the LACP aggregate interface itself to the monitored interfaces. Instead, add the individual physical interfaces that are members of the aggregate (port3 and port4 in this example).

FGTA-MCAST (ha) # show
config system ha
    set group-name "FGT_Multicast"
    set mode a-p
    set password ENC 
    set hbdev "port5" 0
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port1"
            set gateway 100.100.100.2
        next
    end
    set override enable
    set priority 200
    set monitor "port2" "port3" "port4"
end

- With this configuration, when a failover from the primary to the secondary FortiGate is triggered, the multicast traffic is re-established without delay.

 # get sys ha stat
HA Health Status: OK
Model: FortiGate-VM64
Mode: HA A-P
Group: 0
Debug: 0
Cluster Uptime: 0 days 0:30:17
Cluster state change time: 2022-06-17 21:32:28
Primary selected using:<2022/06/17 21:32:28> FGVM04TM22004042 is selected as the primary because it has the largest value of override priority.

- Screenshot of the multicast traffic captured while a failover was performed.

[Screenshot: multicast traffic during the HA failover]

Note: If the LACP aggregate interface itself is placed in the HA monitored interfaces, HA monitoring detects a state change on the aggregate with a delay, which in turn delays re-establishing the multicast traffic over LACP during a FortiGate HA failover.
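The following Python script is an added example, not part of the original article or of any Fortinet tooling. It automates the check the note above implies: given the text of `diag netlink aggregate name <aggregate>` and of `config system ha`, it lists the aggregate's member ports and reports whether the HA monitor list contains the aggregate itself (the configuration the note warns against) or is missing any member port. The sample CLI text embedded below is constructed from the listings in this article, and the aggregate name LACPMcastServer is taken from the article.

```python
import re

# Constructed sample, modelled on the article's 'diag netlink aggregate' listing
# (not captured from a live device).
AGGREGATE_OUTPUT = """\
status: up
npu: n
ports: 2
link-up-delay: 50ms
min-links: 1
ha: master
distribution algorithm: L4
LACP mode: static

slave: port3
  index: 0
  link status: up
  link failure count: 0
  permanent MAC addr: 00:0c:29:09:75:6f

slave: port4
  index: 1
  link status: up
  link failure count: 0
  permanent MAC addr: 00:0c:29:09:75:79
"""

# Constructed: the recommended form, member ports monitored individually.
HA_CONFIG_GOOD = """\
config system ha
    set group-name "FGT_Multicast"
    set mode a-p
    set hbdev "port5" 0
    set override enable
    set priority 200
    set monitor "port2" "port3" "port4"
end
"""

# Constructed: the form the article's note warns about, aggregate monitored directly.
HA_CONFIG_BAD = """\
config system ha
    set group-name "FGT_Multicast"
    set mode a-p
    set monitor "port2" "LACPMcastServer"
end
"""


def aggregate_members(diag_output):
    """Return the member (slave) port names from 'diag netlink aggregate name <x>' output."""
    return re.findall(r"^slave:\s*(\S+)", diag_output, flags=re.MULTILINE)


def ha_monitor_list(ha_config):
    """Return the quoted interface names from the 'set monitor ...' line of config system ha."""
    m = re.search(r"^\s*set monitor\s+(.+)$", ha_config, flags=re.MULTILINE)
    if not m:
        return []
    return re.findall(r'"([^"]+)"', m.group(1))


def check_ha_monitor(aggregate_name, diag_output, ha_config):
    """Return a list of findings; an empty list means the HA monitor list follows the
    article's recommendation (member ports monitored, aggregate itself not monitored)."""
    members = aggregate_members(diag_output)
    monitored = ha_monitor_list(ha_config)
    findings = []
    if aggregate_name in monitored:
        findings.append(
            f"aggregate {aggregate_name} is in the HA monitor list; "
            "monitor its member ports instead to avoid failover delay"
        )
    missing = [p for p in members if p not in monitored]
    if missing:
        findings.append("LACP member ports not in HA monitor list: " + ", ".join(missing))
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", HA_CONFIG_GOOD), ("bad", HA_CONFIG_BAD)):
        result = check_ha_monitor("LACPMcastServer", AGGREGATE_OUTPUT, cfg)
        print(label, "->", result or "OK")
```

Paste the real output of the two CLI commands into the two string constants (or read them from files) to run the check against an actual cluster; the parsing relies only on the `slave:` and `set monitor` lines shown in this article.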
