Description
This article describes the basic requirements that must be met when configuring LACP between HA FortiGates and Nexus Switches configured for vPC.
Scope
FortiGate (all models/versions); Cisco Nexus switches.
Solution
As a primer, LACP link-aggregation is designed to connect one Layer 2 device to another using one logical interface composed of multiple redundant members. This would typically mean that an LACP-capable device (like the FortiGate) would have to form one link-aggregate/port-channel per LACP peer (i.e. FortiGate to a single switch).
To expand beyond this one-to-one design, Cisco Nexus switches implement a function called Virtual Port Channels (vPCs) that allows a single logical Port-Channel to span across two or more physical switches (i.e. interfaces from multiple Nexus switches can be placed into a single vPC). On the other hand, HA FortiGates do not utilize a similar 'spanned' aggregate concept, and instead they must be treated as separate, individual FortiGates for the purposes of LACP link-aggregation (i.e. one HA cluster may be composed of 2 or more physical FortiGates, each of which forms its own LACP aggregate connection).
With that in mind, here are the rules for configuring link-aggregation for FortiGates, with additional consideration given towards Nexus vPCs:
- First and foremost: FortiGates in an HA cluster must all have the same network connections to external devices. This ensures that, in the event of an HA failover, the new cluster Primary FortiGate can reach all of the same network locations as the original Primary.
  Keep in mind that configurations are synced between HA cluster members, so configuring an Aggregate interface on the HA Primary also means that the Secondary FortiGates are configured with the same Aggregate.
- For each Aggregate interface on each physical FortiGate, a corresponding Cisco Nexus vPC must be created (e.g. FGT-01 Agg1 -> Nexus vPC1, FGT-02 Agg1 -> Nexus vPC2, etc.).
- FortiGates can be physically connected to different physical Cisco Nexus switches, so long as the ports are part of the same vPC/channel-group.
- Admins must not have multiple physical FortiGates connected to the same vPC/channel-group (e.g. FGT-01 port1 and FGT-02 port1 must not both be connected to vPC1 on the Nexus side).
Note that vPC/channel-group in this terminology is distinctly different from the vPC domain (the logical group of Nexus Switches) and also different from the vPC peer (the individual Nexus switch member).
The following formula can be used to determine how many vPCs/channel-groups/EtherChannels must be created on the Nexus Switches to accommodate the corresponding LACP Aggregate configuration on an HA FortiGate cluster:
# of PortChannels on Switch = (# of Aggregate interfaces in FortiGate config) * (# of FortiGate members in cluster).
For example, if there are 2 FortiGates in an HA cluster, each with 2 Aggregate interfaces that connect to the Cisco Nexus switch infrastructure, then each Cisco Nexus switch peer must be configured with a total of 4 vPCs.
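As an added example (not Fortinet's or Cisco's code), the following Python script applies the rules above to a proposed cabling plan: it checks that every (FortiGate, Aggregate) pair lands in its own vPC, that no two FortiGates share a vPC, that HA members carry the same Aggregates, and that the number of vPCs matches the formula. The device names, port names and vPC numbers are a constructed sample.

```python
from collections import defaultdict

# Link tuple fields: (fortigate, aggregate, fgt_port, nexus_switch, nexus_port, vpc_id)
# Constructed sample: 2 HA members with 2 Aggregates each; the members of every
# Aggregate are split across the two Nexus vPC peers, which is allowed because
# both ports belong to the same vPC/channel-group.
GOOD_PLAN = [
    ("FGT-01", "Agg1", "port1", "N9K-A", "Eth1/1", 1),
    ("FGT-01", "Agg1", "port2", "N9K-B", "Eth1/1", 1),
    ("FGT-01", "Agg2", "port3", "N9K-A", "Eth1/2", 2),
    ("FGT-01", "Agg2", "port4", "N9K-B", "Eth1/2", 2),
    ("FGT-02", "Agg1", "port1", "N9K-A", "Eth1/3", 3),
    ("FGT-02", "Agg1", "port2", "N9K-B", "Eth1/3", 3),
    ("FGT-02", "Agg2", "port3", "N9K-A", "Eth1/4", 4),
    ("FGT-02", "Agg2", "port4", "N9K-B", "Eth1/4", 4),
]
# Same topology, but FGT-02 Agg1 was wired into vPC 1 alongside FGT-01 Agg1.
BAD_PLAN = [l[:5] + (1,) if l[:2] == ("FGT-02", "Agg1") else l for l in GOOD_PLAN]


def required_vpc_count(num_aggregates, num_members):
    """The article's formula: # of PortChannels = Aggregates x cluster members."""
    return num_aggregates * num_members


def validate_vpc_plan(links):
    """Return a list of rule violations; an empty list means the plan is consistent."""
    problems = []
    vpc_owner = {}               # vpc_id -> (fortigate, aggregate) that first claimed it
    agg_vpcs = defaultdict(set)  # (fortigate, aggregate) -> vPC ids its members land in
    fgt_aggs = defaultdict(set)  # fortigate -> Aggregate names seen on it
    for fgt, agg, fport, sw, sport, vpc in links:
        fgt_aggs[fgt].add(agg)
        agg_vpcs[(fgt, agg)].add(vpc)
        owner = vpc_owner.setdefault(vpc, (fgt, agg))
        if owner != (fgt, agg):  # another FortiGate or Aggregate already owns this vPC
            problems.append(f"vPC {vpc}: {fgt} {agg} ({fport} -> {sw} {sport}) "
                            f"collides with {owner[0]} {owner[1]}")
    for (fgt, agg), vpcs in agg_vpcs.items():
        if len(vpcs) > 1:        # one Aggregate must form exactly one port-channel
            problems.append(f"{fgt} {agg}: members spread over vPCs {sorted(vpcs)}")
    if len({frozenset(a) for a in fgt_aggs.values()}) > 1:  # HA config sync => same sets
        problems.append("HA members do not carry the same Aggregate interfaces")
    expected = required_vpc_count(len(next(iter(fgt_aggs.values()), ())), len(fgt_aggs))
    if len(vpc_owner) != expected:
        problems.append(f"{len(vpc_owner)} vPCs used, formula requires {expected}")
    return problems


if __name__ == "__main__":
    print("good plan:", validate_vpc_plan(GOOD_PLAN) or "OK")
    print("bad plan:", validate_vpc_plan(BAD_PLAN))
```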
To further clarify, the following diagram depicts an example topology of FortiGates and Cisco Nexus switches configured with a single LACP Aggregate with two member interfaces: