Created on 11-23-2020 11:01 PM
Edited on 10-13-2025 05:38 AM
By Jean-Philippe_P
Description | This article describes LACP scenarios that may not work correctly. |
Scope | FortiGate. |
Solution |
LACP is configured to increase bandwidth and provide a failover capability. It combines multiple interfaces and cables so that they work as one physical cable.
An LACP group could be considered as one physical cable. This means it is only intended to connect to one other device.
Scenario 1.
If the connected interfaces are 1 Gbps, this makes the potential bandwidth for PC-Syarif 2 Gbps.
A single 'cable' cannot connect to two PCs at the same time. PC-Syarif and PC-Jackie are individual devices. This scenario will not work because an LACP group acts as a single physical connection and cannot be connected to multiple devices at the same time. Either Port1 or Port2 will be shut down. This is to mitigate ARP conflicts, broadcast issues, and so on. The individual devices, PC-Syarif and PC-Jackie, will either notice that traffic is not flowing or notice that the physical cable on the adapter is showing as not connected.
Now consider replacing the PCs with a FortiGate HA cluster:
When the FortiGates are configured as an HA cluster (active-passive or active-active), each FortiGate is still considered an individual device.
When an HA cluster breaks, it is possible that both devices could try to become the primary or active device; the common term for this is 'split brain'.
For more information about 'split brain', see this article: Technical Tip: High Availability Split Brain.
When both individual devices have the same information, the switch may start to take action to mitigate this using STP and other measures.
To mitigate this issue, proper design is required; one LACP group is only intended to connect to a device or a stack of devices acting as a single device.
In the case of an HA cluster of FortiGates, it is possible to configure 'set lacp-ha-secondary disable' on the aggregate interface to prevent the secondary or passive device from participating in LACP:
config system interface
    edit <aggregate_interface_name>
        set lacp-ha-secondary disable
    next
end
For more information about the 'lacp-ha-secondary', see this article: Technical Tip: LACP behavior in an HA cluster.
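An added example, not part of the original article or of Fortinet's tooling: a Python check that reads a FortiGate configuration backup and lists the aggregate interfaces on an HA cluster member where 'lacp-ha-secondary' has not been disabled, so the passive unit would still take part in LACP. The sample configuration is constructed, and treating a missing 'lacp-ha-secondary' line as 'enable' is an assumption about the default.

```python
import shlex

# Constructed sample of a FortiGate configuration backup (not from the article).
SAMPLE_CONFIG = """\
config system ha
    set mode a-p
end
config system interface
    edit "agg-lan"
        set type aggregate
        set member "port3" "port4"
    next
    edit "agg-dmz"
        set type aggregate
        set lacp-ha-secondary disable
    next
end
"""

def parse_sections(text):
    """Parse top-level 'config ... end' blocks into {section: {entry: {key: value}}}."""
    sections, section, entry, depth = {}, None, None, 0
    for line in map(str.strip, text.splitlines()):
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                section, entry = line[len("config "):], None
        elif line == "end":
            depth -= 1
        elif depth != 1:
            continue  # skip nested sub-tables such as 'config ipv6'
        elif line.startswith("edit "):
            entry = line[len("edit "):].strip('"')
        elif line == "next":
            entry = None
        elif line.startswith("set "):
            _, key, *value = line.split(None, 2)
            sections.setdefault(section, {}).setdefault(entry, {})[key] = value[0] if value else ""
    return sections

def lags_with_secondary_lacp(text):
    """List aggregates on an HA member where the secondary unit still joins LACP."""
    cfg = parse_sections(text)
    # Assumption: keys absent from a backup are at defaults (standalone, enable).
    if cfg.get("system ha", {}).get(None, {}).get("mode", "standalone") == "standalone":
        return []
    return [(name, shlex.split(opts.get("member", "")))
            for name, opts in cfg.get("system interface", {}).items()
            if opts.get("type") == "aggregate"
            and opts.get("lacp-ha-secondary", "enable") != "disable"]
```

Each reported aggregate is a candidate for review against the switch side: if both cluster members are cabled into the same LACP group on the switch, the design described above applies.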
Related articles: Technical Tip: Initial troubleshooting steps for LACP (Link Aggregation - 802.3ad) Technical Tip: Understanding outputs of LACP related debug commands and what parameters need to matc... |