Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ForIT
New Contributor

LACP between Cisco 3850 and Fortigate 100D

Hello all,

 

can you  please tell me where can I find up to date configuration for the LACP between cisco and fortigate. Last I found the configuration with dot1q command which is not supported anymore. 

My LACP is up but no traffic passes through.

 

CHZHSTFW01 # diagnose netlink aggregate name test
 
CHZHSTFW01 # diagnose netlink aggregate name Test
LACP flags: (A|P)(S|F)(A|I)(I|O)(E|D)(E|D)
(A|P) - LACP mode is Active or Passive
(S|F) - LACP speed is Slow or Fast
(A|I) - Aggregatable or Individual
(I|O) - Port In sync or Out of sync
(E|D) - Frame collection is Enabled or Disabled
(E|D) - Frame distribution is Enabled or Disabled
 
status: up
ports: 1
link-up-delay: 50ms
min-links: 1
ha: master
distribution algorithm: L4
LACP mode: active
LACP speed: slow
LACP HA: enable
aggregator ID: 1
actor key: 17
actor MAC address: 90:6c:ac:52:3a:5a
partner key: 2
partner MAC address: a0:f8:49:cd:5c:00
 
slave: port5
  link status: up
  link failure count: 5
  permanent MAC addr: 90:6c:ac:52:3a:5a
  LACP state: established
  actor state: ASAIEE
  actor port number/key/priority: 1 17 255
  partner state: ASAIEE
  partner port number/key/priority: 266 2 32768
  partner system: 34817 a0:f8:49:cd:5c:00
  aggregator ID: 1
  speed/duplex: 1000 1
  RX state: CURRENT 6
  MUX state: COLLECTING_DISTRIBUTING 4
  

  

CHZHSTFW01 # diagnose sniffer packet Test
interfaces=[Test]
filters=[none]
pcap_lookupnet: Test: no IPv4 address assigned
9.624169 loopback
10.534169 802.3ad LACPDU (32768,A0-F8-49-CD-5C-00,0002,32768,0266) ASAIEE (65535,90-6C-AC-52-3A-5A,0017,0255,0001) ASAIEE
19.624169 loopback
23.674169 llc unnumbered, ui, flags [command], length 46
29.174169 llc unnumbered, ui, flags [command], length 469
29.624169 loopback
^C
6 packets received by filter
0 packets dropped by kernel
 
CHZHSTFW01 #  

 

 

Cisco side is 

interface Port-channel2 switchport trunk allowed vlan 208 switchport mode trunk

 

interface TenGigabitEthernet1/0/9

switchport trunk allowed vlan 208

switchport mode trunk channel-protocol lacp

channel-group 2 mode active

 

Thanks

 

5 REPLIES 5
Toshi_Esumi
Esteemed Contributor II

Nothing seems to be wrong in terms of aggregation/port-chanel interface config. Did you configure the vlan interface (vlanid 28) attached to the "Test" interface on the FG side? 

SamCrenshaw

This the configuration I am using:

 

interface Port-channel3 switchport trunk native vlan 1046 switchport trunk allowed vlan 1024 switchport mode trunk

interface GigabitEthernet1/0/3 description port2.zzz2 switchport trunk native vlan 1046 switchport trunk allowed vlan 1024 switchport mode trunk no snmp trap link-status no lldp transmit no lldp receive no cdp enable channel-protocol lacp channel-group 3 mode active

config sys inter edit "zzz2.po2" set vdom "inet" set type aggregate set member "port2" "port6" set alias "zzz2.po2" set role lan set snmp-index 16 next edit "zzz.int.po2" set vdom "inet" set ip 10.1.201.2 255.255.255.192 set allowaccess ping set alias "zzz.int" set role lan set snmp-index 8 config ipv6 set ip6-allowaccess ping end set interface "zzz2.po2" set vlanid 1024 next end

blackhole_route

You've just identified your problem. The 100D doesn't have any ten gig ports so trying to do connectivity from 1 gig on the Fortigate to the Cisco 10 gig interface just isn't going to work. One option you could pursue is drop a 1 gig sfp optic in the 3850 and dumb down the port to a 1 gig port. I don't know for certain, but I had in mind that the 3850 does support this, if you have the sfp optic.

ede_pfau
Esteemed Contributor III

IIRC Cisco by default uses 'slow' BPDUs whereas FortiOS assumes 'fast', where slow means 1 packet in 30 seconds, and fast 1 packet per second. Just as a notice, this is not the root cause here.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
ForIT

Hello, thank you for your answer. I altered the configuration as I didn't' have native vlan but no success.

Cisco

interface Port-channel2

 switchport trunk native vlan 4093

 switchport trunk allowed vlan 208

 switchport mode trunk

 

interface TenGigabitEthernet1/0/9

 switchport trunk native vlan 4093

 switchport trunk allowed vlan 208

 switchport mode trunk

 channel-protocol lacp

 channel-group 2 mode active

 

Forti 

    edit "Test"

        set vdom "root"

        set type aggregate

        set member "port5"

        set snmp-index 60

    next

    edit "IF_Test"

        set vdom "root"

        set ip 192.168.0.209 255.255.255.252

        set allowaccess ping https

        set snmp-index 61

        set interface "Test"

        set vlanid 208

 

As we have already one trunk between cisco SG500 (lower level model) and FG here is the config as well but it is not working if I try the same.

 

interface Port-channel2

 description IF_Aggr

 switchport trunk allowed vlan add 530 

 switchport trunk native vlan 445 

 

interface gigabitethernet1/1/24

 channel-group 2 mode auto 

 

Now if I do the same instead of LACG paGp will be configured and it will not work.

Can it be because I am using 10Gb port on the 3850 cisco whereas Fortigate is 1Gb?