Fortinet Forum
andersh
New Contributor

Change LACP settings on existing link

Hi,

 

I have changed our core switching to a pair of ArubaOS-CX devices and wanted to move the existing Fortigate LAG on X1/X2 on a 100F (6.0.14) to go to each of the Arubas.

The Aruba multi-chassis LAG can only be set up with LACP, and it didn't come up, so I ended up creating a non-LACP LAG to just one of the switches to get us up and running. I have looked at the Fortigate and seen that the LACP type is static. My question is, can this be changed to active or passive on an already configured Fortigate LAG? Or, like with everything else, do I have to remove all config and start again to create a new one?

I don't want to have to travel to the site to find out it can't be changed with a CLI command. Thanks!

4 REPLIES
Toshi_Esumi
Esteemed Contributor II

By default lacp-mode should be active on any LAG like below. So you don't have remote access to the 100F? You should set up a VPN for secure remote admin.

 

xxx-fg1 (AggPath) # show full | grep lacp
set lacp-mode active
set lacp-ha-slave enable
set lacp-speed slow

 

xxx-fg1 (AggPath) # set lacp-mode ?
static       Use static aggregation, do not send and ignore any LACP messages.
passive   Passively use LACP to negotiate 802.3ad aggregation.
active      Actively use LACP to negotiate 802.3ad aggregation.

 

Toshi

andersh
New Contributor

Thanks for the reply. I do have remote access; I was asking whether you can set the LACP mode on a LAG which is already configured, set up and running with many references. If I attempt it now remotely, I will break it and lose access, or I could go to site, arrange downtime and find out I can't change the setting!

bpozdena_FTNT


@andersh wrote:

My question is, can this be changed to active or passive on an already configured Fortigate LAG?


Yes, you can of course change the LACP mode on the fly.

 

If the mode is currently for some reason set to 'static' on your aggregate interface, it means that LACP is disabled. It is therefore expected that the aggregate link would not come up when LACP was enabled on your Aruba switch.

 

You can enable LACP with the below command:

config system interface
    edit <aggregate_port>
        set lacp-mode active
    next
end

 

Just note that the moment you enable LACP in Fortigate, the link will go down and it will remain down until you also enable LACP (active or passive mode) on your Aruba switch. Once done, they should negotiate almost immediately. 

 

You can see the link status and LACP states with the below commands:

diag netlink aggregate list
diag netlink aggregate name <aggregate_port>

 

NOTE: You should always schedule a maintenance window and have at least OOB access to your appliances if you cannot be physically on the site.
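
A small checker for the second of those commands, added here as an example and not part of the answer above or of FortiOS. It parses the text printed by `diagnose netlink aggregate name <aggregate_port>`, decodes the six-letter actor/partner state strings using the legend FortiOS prints at the top of that output ((A|P)(S|F)(A|I)(I|O)(E|D)(E|D)), and reports why a LAG is not fully negotiated, for instance the situation in this thread where one side is static and the other is running LACP. The two sample outputs are constructed to resemble the real format (field names, member names `x1`/`x2`) and were not captured from a device; field order on a real unit may differ, which is why the parser keys on field names rather than positions.

```python
"""Decode FortiGate `diagnose netlink aggregate name <agg>` output and list LACP problems.

Added example for this thread, not FortiOS code. The state-string legend is the
one FortiOS prints above the member section; the sample texts are CONSTRUCTED.
"""
import re

# Meaning of each character of an actor/partner state string such as 'ASAIEE'.
STATE_LEGEND = (
    ("mode", {"A": "active", "P": "passive"}),   # LACP mode
    ("speed", {"S": "slow", "F": "fast"}),       # LACPDU rate
    ("aggregatable", {"A": True, "I": False}),   # aggregatable / individual
    ("in_sync", {"I": True, "O": False}),        # in sync / out of sync
    ("collecting", {"E": True, "D": False}),     # frame collection enabled
    ("distributing", {"E": True, "D": False}),   # frame distribution enabled
)


def decode_state(flags):
    """Turn a six-letter state string into a dict of named LACP port-state bits."""
    if len(flags) != len(STATE_LEGEND):
        raise ValueError(f"unexpected state string {flags!r}")
    decoded = {}
    for (name, table), ch in zip(STATE_LEGEND, flags):
        if ch not in table:
            raise ValueError(f"bad flag {ch!r} for {name} in {flags!r}")
        decoded[name] = table[ch]
    return decoded


def parse_aggregate(text):
    """Collect aggregate-level fields and one dict per 'slave:' member block."""
    agg = {"status": None, "lacp_mode": None, "members": []}
    member = None
    for raw in text.splitlines():
        line = raw.strip()
        hit = re.match(r"^slave:\s*(\S+)$", line)
        if hit:
            member = {"name": hit.group(1), "link": None, "actor": None, "partner": None}
            agg["members"].append(member)
            continue
        key, sep, val = line.partition(":")
        if not sep:
            continue  # legend lines and blank lines carry no "key: value"
        key, val = key.strip().lower(), val.strip()
        if member is None:
            if key == "status":
                agg["status"] = val
            elif key == "lacp mode":
                agg["lacp_mode"] = val
        elif key == "link status":
            member["link"] = val
        elif key == "actor state":
            member["actor"] = decode_state(val)
        elif key == "partner state":
            member["partner"] = decode_state(val)
    return agg


def lag_problems(agg):
    """Return reasons the LAG is not fully negotiated; an empty list means healthy."""
    problems = []
    if agg["lacp_mode"] == "static":
        problems.append("lacp-mode is static: LACP disabled, an LACP-only peer will never bundle")
    if agg["status"] != "up":
        problems.append(f"aggregate status is {agg['status']!r}")
    for m in agg["members"]:
        if m["link"] != "up":
            problems.append(f"{m['name']}: link status {m['link']!r}")
        for side in ("actor", "partner"):
            st = m[side]
            if st is None:
                problems.append(f"{m['name']}: no {side} state reported")
            elif not st["in_sync"]:
                problems.append(f"{m['name']}: {side} out of sync")
            elif not (st["collecting"] and st["distributing"]):
                problems.append(f"{m['name']}: {side} not collecting/distributing")
    return problems


# Constructed sample: FortiGate and peer both running LACP, both members bundled.
HEALTHY = """\
LACP flags: (A|P)(S|F)(A|I)(I|O)(E|D)(E|D)
(A|P) - LACP mode is Active or Passive
(I|O) - Port In sync or Out of sync

status: up
ports: 2
LACP mode: active
LACP speed: slow

slave: x1
  link status: up
  actor state: ASAIEE
  partner state: ASAIEE

slave: x2
  link status: up
  actor state: ASAIEE
  partner state: ASAIEE
"""

# Constructed sample: FortiGate switched to active, peer still static, so no
# LACPDUs come back and the aggregate stays down as described in the thread.
PEER_STILL_STATIC = HEALTHY.replace("status: up\nports", "status: down\nports") \
    .replace("actor state: ASAIEE\n  partner state: ASAIEE",
             "actor state: ASAODD\n  partner state: PSIODD")

if __name__ == "__main__":
    for label, sample in (("healthy", HEALTHY), ("peer still static", PEER_STILL_STATIC)):
        print(label, "->", lag_problems(parse_aggregate(sample)) or "OK")
```

Run it against the pasted output of the diag command after flipping lacp-mode: an empty list means both actor and partner are in sync and forwarding on every member; anything else tells you which side of which port has not negotiated, which is what you want to see before trusting the LAG with your management path.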

 

Toshi_Esumi
Esteemed Contributor II

If your remote access is coming through the link whose config you change, I would never do the change remotely, regardless of whether it's in a maintenance window or not. I would only do that if I had another path to get in.

 

By the way, in case your FGT is a multi-VDOM environment, the diag netlink aggregate commands bpozdena_FTNT showed need to be run under one of the VDOMs; it doesn't matter which one, but not under "global".

 

Toshi