FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
epefti
Staff
Article Id 385329
Description

 

This article describes how to connect a FortiGate to third-party switches over the FortiLink interface with LACP, using a pair of Cisco switches as the example.

 

Scope

 

A FortiGate and a pair of Cisco switches.

 

Solution

 

There are various circumstances where non-Fortinet switches need to be connected to a FortiGate firewall with some level of redundancy and load balancing. This solution shows how to configure the FortiLink port on the FortiGate as an LACP aggregate that communicates with a pair of Cisco switches presenting a single distributed port channel to the FortiGate. It uses ports WAN1 and WAN2 on the FortiGate for this purpose, which keeps the high-speed SFP+ ports free for uplinks to external networks or the Internet.

 

The physical connectivity topology is shown below:

 

image_2025-03-28_091243038.png

 

  1. Prepare the FortiLink interface on the firewall.

 

Change the default management VLAN 4094 to the VLAN ID configured on the Cisco switches (VLAN 19 in this example). Add WAN1 and WAN2 as members and make sure the interface type is set to aggregate. In this example allowaccess permits only ping on the FortiLink address; keep management services such as HTTPS and SSH off this interface unless the network behind the switches is trusted.

 

config system interface
    edit "fortilink"
        set vdom "root"
        set ip 192.168.1.1 255.255.255.0
        set allowaccess ping
        set type aggregate
        set member "wan1" "wan2"
        set lldp-reception enable
        set role lan
        set switch-controller-mgmt-vlan 19
    next
end

 

  2. Verify LACP formation and connectivity.

 

The Cisco-side configuration is omitted here. Note that for one port channel to span both switches, the pair must present a single logical LACP system to the FortiGate (a switch stack, as in this example where the member ports Gi1/0/1 and Gi2/0/1 sit on two stack members, or an equivalent multi-chassis link aggregation feature); two independent switches would each negotiate their own bundle and the two links would not form a single aggregate. The output below, taken from the switch, confirms that it formed an LACP-based distributed port channel from its two interfaces:

 

Switch#show interfaces port-channel 1 etherchannel
Port-channel1   (Primary aggregator)

Age of the Port-channel   = 0d:07h:42m:28s
Logical slot/port   = 10/1          Number of ports = 2
HotStandBy port = null
Port state          = Port-channel Ag-Inuse
Protocol            =   LACP
Port security       = Disabled
Load share deferral = Disabled

Ports in the Port-channel:

Index   Load   Port     EC state        No of bits
------+------+------+------------------+-----------
  0     00     Gi1/0/1  Active             0
  0     00     Gi2/0/1  Active             0

 

On the FortiGate this can be verified by running the following diagnostic command:

 

diag netlink aggregate name fortilink
LACP flags: (A|P)(S|F)(A|I)(I|O)(E|D)(E|D)
(A|P) - LACP mode is Active or Passive

status: up
npu: y
flush: n
asic helper: y
oid: 65
ports: 2
link-up-delay: 50ms
min-links: 1
ha: master
distribution algorithm: L4
LACP mode: active
LACP speed: slow
LACP HA: enable
aggregator ID: 1
actor key: 17
actor MAC address: 04:d5:90:4a:9c:2c
partner key: 1
partner MAC address: 6c:41:6a:d8:ce:80

member: wan1
  index: 0
  link status: up
  link failure count: 1
  permanent MAC addr: 04:d5:90:4a:9c:2c
  LACP state: established
  LACPDUs RX/TX: 923/877
  actor state: ASAIEE
  actor port number/key/priority: 1 17 255
  partner state: ASAIEE
  partner port number/key/priority: 259 1 32768
  partner system: 32768 6c:41:6a:d8:ce:80
  aggregator ID: 1
  speed/duplex: 1000 1
  RX state: CURRENT 6
  MUX state: COLLECTING_DISTRIBUTING 4

member: wan2
  index: 1
  link status: up
  link failure count: 1
  permanent MAC addr: 04:d5:90:4a:9c:2d
  LACP state: established
  LACPDUs RX/TX: 925/876
  actor state: ASAIEE
  actor port number/key/priority: 2 17 255
  partner state: ASAIEE
  partner port number/key/priority: 258 1 32768
  partner system: 32768 6c:41:6a:d8:ce:80
  aggregator ID: 1
  speed/duplex: 1000 1
  RX state: CURRENT 6
  MUX state: COLLECTING_DISTRIBUTING 4

 

In this output both members report LACP state established, MUX state COLLECTING_DISTRIBUTING, the same aggregator ID (1) and the same partner system (32768 6c:41:6a:d8:ce:80, the Cisco port channel's LACP system ID, whose partner key 1 matches Port-channel1 on the switch). The state string ASAIEE reads, position by position according to the flag legend, as LACP active, slow timers, aggregatable, in sync, collecting enabled and distributing enabled. If the two members showed different partner systems or aggregator IDs, each link would have negotiated with a separate partner instead of joining one distributed port channel. Finally, the connected switches can also be confirmed on the FortiGate by checking detected devices in Assets:

 

image_2025-03-28_092721733.png
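The verification step above leaves the operator to eyeball a long output. The following script is an added example, not code from the Fortinet article: it parses the output of diag netlink aggregate name <ifname> into per-member fields and applies the checks described above (aggregate up, every member up, established and collecting/distributing, all members on the same aggregator and the same LACP partner system). The HEALTHY sample is trimmed from the article's own output; the DEGRADED sample is constructed to illustrate a second link that negotiated with a different partner, and the exact strings a real unit prints in that situation may differ.

```python
"""Added example (not from the Fortinet article): parse the output of
'diagnose netlink aggregate name <ifname>' and check that an LACP bundle like
the FortiLink aggregate above is healthy on every member.
HEALTHY is trimmed from the article's output; DEGRADED is constructed to show a
second link that negotiated with a different LACP partner (e.g. cabled to a
switch outside the stack/port channel). Real units may print other strings."""

HEALTHY = """\
status: up
ports: 2
aggregator ID: 1
member: wan1
  link status: up
  LACP state: established
  actor state: ASAIEE
  partner state: ASAIEE
  partner system: 32768 6c:41:6a:d8:ce:80
  aggregator ID: 1
  MUX state: COLLECTING_DISTRIBUTING 4
member: wan2
  link status: up
  LACP state: established
  actor state: ASAIEE
  partner state: ASAIEE
  partner system: 32768 6c:41:6a:d8:ce:80
  aggregator ID: 1
  MUX state: COLLECTING_DISTRIBUTING 4
"""

# Constructed: wan2 out of sync, not forwarding, on another aggregator/partner.
DEGRADED = HEALTHY.split("member: wan2")[0] + """\
member: wan2
  link status: up
  LACP state: established
  actor state: ASAIEE
  partner state: ASAODD
  partner system: 32768 6c:41:6a:d8:cf:10
  aggregator ID: 2
  MUX state: ATTACHED 3
"""

# One entry per position of the six-character state string, in the order of
# the command's legend: (A|P)(S|F)(A|I)(I|O)(E|D)(E|D). First letter = "good".
STATE_FLAGS = [("active", "passive"), ("slow", "fast"),
               ("aggregatable", "individual"), ("in-sync", "out-of-sync"),
               ("collecting", "not-collecting"),
               ("distributing", "not-distributing")]


def parse_aggregate(text):
    """Return (aggregate_fields, [(member_name, member_fields), ...]).
    Lines without a colon (flag legend, command echo) are ignored."""
    fields, members = {}, []
    for raw in text.splitlines():
        if ":" not in raw:
            continue
        key, _, value = raw.partition(":")
        key, value = key.strip(), value.strip()
        if key == "member":
            members.append((value, {}))
        elif members:
            members[-1][1][key] = value
        else:
            fields[key] = value
    return fields, members


def decode_state(flags):
    """'ASAIEE' -> ['active', 'slow', 'aggregatable', 'in-sync', ...]."""
    return [good if c == "ASAIEE"[i] else bad
            for i, (c, (good, bad)) in enumerate(zip(flags, STATE_FLAGS))]


def check_aggregate(text, expected_ports=None):
    """Return a list of problems; an empty list means the bundle is healthy."""
    agg, members = parse_aggregate(text)
    expected = expected_ports or int(agg.get("ports", 0))
    findings = []
    if agg.get("status") != "up":
        findings.append(f"aggregate status is {agg.get('status')!r}")
    if len(members) != expected:
        findings.append(f"expected {expected} members, found {len(members)}")
    for name, m in members:
        if m.get("link status") != "up":
            findings.append(f"{name}: link is not up")
        if m.get("LACP state") != "established":
            findings.append(f"{name}: LACP not established")
        if not m.get("MUX state", "").startswith("COLLECTING_DISTRIBUTING"):
            findings.append(f"{name}: not collecting/distributing")
        for side in ("actor", "partner"):
            bad = [s for s in decode_state(m.get(f"{side} state", ""))
                   if s.startswith(("individual", "out-of-sync", "not-"))]
            if bad:
                findings.append(f"{name}: {side} state is {', '.join(bad)}")
    # Every member must sit on one aggregator and see one LACP partner system;
    # otherwise the two switches are not presenting a single port channel.
    for key in ("aggregator ID", "partner system"):
        seen = {m.get(key) for _, m in members}
        if len(seen) > 1:
            findings.append(f"members disagree on {key}: {sorted(map(str, seen))}")
    return findings
```

Feeding the full output of the diagnostic command to check_aggregate() returns an empty list for the article's healthy bundle; for the constructed degraded case it reports the non-forwarding MUX state, the out-of-sync partner flags, and the mismatch in aggregator ID and partner system, which is the signature of two links that did not land on the same logical switch.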