Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
sjoshi
Staff
Staff

Created on ‎08-22-2024 01:06 PM Edited on ‎04-04-2025 05:06 AM By Staff

Article Id 335667

Technical Tip: How to setup LACP between FortiGate and Cisco Switch

Description

 

This article describes a glimpse of the configuration of LACP between the FortiGate firewall and Cisco Switch.

 

Scope

 

FortiOS.

 

Solution

 

The Topology setup is as follows:

 

Capture.PNG

 

Here the FortiGate is in an Active-Passive Setup and there is a VPC setup between the Cisco Switch.

 

LACP configuration on the FortiGate Side:

 

config system interface
    edit "LACP-X1-X2"
        set vdom "root"
        set type aggregate
        set member "x2" "x1" --> Here it is selected X1, X2 port to be part of LAG.
        set alias "SW_Uplink"
        set device-identification enable
        set lldp-reception enable
        set lldp-transmission enable
        set role lan
        set snmp-index 12
        set lacp-mode active
    next
end

 

Since the FortiGate is in HA the same config will get synced with the Secondary device.

 

LACP configuration on the Cisco Side:

 

Create the port channel:

 

interface port-channel1
description Fortigate-Uplink
switchport
switchport mode trunk
vpc 1

interface port-channel2
description Fortigate-Sec-Uplink
switchport
switchport mode trunk
vpc 2

 

Mapped the interface into the port channel:

 

interface Ethernet1/1/1
switchport
switchport mode trunk
channel-group 1 mode active
no shutdown

interface Ethernet1/1/2
switchport
switchport mode trunk
channel-group 2 mode active
no shutdown

 

Note:

 

  • A port in active mode can form a port channel successfully with another port that is in active or passive mode.
  • A port in passive mode cannot form a port channel successfully with another port that is in passive mode.
  • A port in 'ON' mode is not running LACP and cannot form a port channel.

 

By default, the port channel mode is set to 'on', change it to active.

 

Verify the LACP status on FortiGate and Cisco

 

Cisco Side:

 

sh port-channel summary 

Group Port- Type Protocol Member Ports
Channel
--------------------------------------------------------------------------------
1 Po1(SU) Eth LACP Eth1/1/1(P)
2 Po2(SU) Eth LACP Eth1/1/2(P)

 

Note:


P - Up in port-channel (members)

 

FortiGate Side:

 

diag netlink aggregate name LACP-X1-X2

 

status: up
npu: y
flush: n
asic helper: y
oid: 82
ports: 2
link-up-delay: 50ms
min-links: 1
ha: primary
distribution algorithm: L4
LACP mode: passive
LACP speed: slow
LACP HA: enable
aggregator ID: 1

 

secondary: x1
index: 0
link status: up
LACP state: established

 

secondary: x2
index: 0
link status: up
LACP state: established

Labels:
6986
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.