cfinn
New Contributor

Link Aggregation for Physical Interfaces with VLAN Subinterfaces

I am in the process of designing an HA environment with four VLANs, two redundant FortiGate 200Bs (in NAT/Route mode), and two stacked switches. The FortiGates would serve as the default gateway for each VLAN, with subinterfaces defined for each, and be configured with HA in Active/Passive mode. I would like to integrate a full mesh topology to eliminate single points of failure between the switches and the FortiGates.

My question is, is it possible to combine two physical interfaces on the FortiGate 200B into one logical interface with VLAN subinterfaces, i.e. NIC teaming or link aggregation? Ideally, I'd like to combine interfaces 13 and 14 on each FortiGate and create subinterfaces for each of the VLANs, so I can physically connect each interface to a different physical switch.

Is it possible to achieve what I am describing? If NIC teaming or aggregation isn't an option, what's the best way to achieve full redundancy with two FortiGates and two switches with multiple VLANs? Thanks in advance!
Carl_Wallmark
Valued Contributor

Hi and welcome. That's no problem; interfaces 13-16 support link aggregation or redundant interfaces.

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

emnoc
Esteemed Contributor III

> Ideally, I'd like to combine interfaces 13 and 14 on each Fortigate and create subinterfaces for each of the VLANs, so I can physically connect each interface to a different physical switch.

If I can chime in here, you can't do that unless you have:
- A Cisco VSS/vPC solution
- A pair of Cisco stack or other vendor stack switches
- or some other devices that support multichassis-ether-channel (MEC)

PCNSE NSE StrongSwan
cfinn
New Contributor

> Interfaces 13-16 support link aggregation or redundant interfaces.

> If I can chime in here, you can't do that unless you have: a Cisco VSS/vPC solution, a pair of Cisco stack or other vendor stack switches, or some other devices that support multichassis-ether-channel (MEC)

Thank you both for the replies. We will be using a pair of stacked Cisco 3750X switches. If I'm understanding you correctly, I'll need to create an EtherChannel port group for the two ports that will connect to the Fortigate? Is there any additional configuration I'll need on the switches (besides VLAN configuration, port assignment, etc.)? I'm not familiar with Cisco VSS/vPC... is that required in addition to the switch stack? Thank you again for the help.
Carl_Wallmark
Valued Contributor

Yes that is correct.

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

emnoc
Esteemed Contributor III

No, if you want redundancy, just pick 2 like-as ports, one on each stack member, and add them to the FGT. This is common on the 3750E/G/X models of the Cisco stacking models.

PCNSE NSE StrongSwan
cfinn
New Contributor

> No, if you want redundancy, just pick 2 like-as ports, one on each stack member, and add them to the FGT. This is common on the 3750E/G/X models of the Cisco stacking models.

Thanks, that makes sense... I'm also assuming that the switch ports will need to be configured as 802.11Q trunks, in order to pass VLAN IDs to the Fortigate, correct?
emnoc
Esteemed Contributor III

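Well ... yes. But you actually configure the port-channel interface.

```
! Trunk settings go on the logical port-channel interface
interface port-channel 10
 switchport
 switchport trunk allowed vlan 10,23,30-40,50,66
 description gig 1/1 + gi 2/1 to FGT200B-fw1 port 13+14
!
!
! Member ports: one on each stack member, as the description line says
interface range gi 1/1 , gi 2/1
 no shutdown
 channel-group 10 mode active
 channel-protocol lacp
!
!
```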

PCNSE NSE StrongSwan
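
A consistency check for the two ends of the aggregate discussed in this thread, as an added example that is not code from any poster. The switch lines follow the port-channel configuration posted above; the FortiGate block is a constructed sample in which the interface names `agg1`, `agg1_v10`, `agg1_v99`, the port names `port13`/`port14` and VLAN 99 are assumptions.

```python
import re
# Switch side, following the port-channel config posted above.
IOS = """\
interface port-channel 10
 switchport trunk allowed vlan 10,23,30-40,50,66
interface range gi 1/1 , gi 2/1
 channel-group 10 mode active
"""
# FortiGate side: constructed sample; names and VLAN IDs are assumptions.
FGT = """\
config system interface
    edit "agg1"
        set type aggregate
        set member "port13" "port14"
        set lacp-mode active
    next
    edit "agg1_v10"
        set interface "agg1"
        set vlanid 10
    next
    edit "agg1_v99"
        set interface "agg1"
        set vlanid 99
    next
end
"""

def trunk_vlans(ios):
    """Expand 'allowed vlan 10,23,30-40' into a set of VLAN IDs."""
    spec = re.search(r"trunk allowed vlan ([\d,-]+)", ios).group(1)
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def fgt_vlans(fgt, parent):
    """VLAN IDs of subinterfaces whose parent interface is `parent`."""
    return {int(re.search(r"set vlanid (\d+)", b).group(1))
            for b in fgt.split("next") if f'set interface "{parent}"' in b}

def audit(ios, fgt, parent="agg1"):
    sw, fw = trunk_vlans(ios), fgt_vlans(fgt, parent)
    return {
        "missing_on_trunk": sorted(fw - sw),  # subinterface never sees frames
        "unused_on_trunk": sorted(sw - fw),   # trunked but not terminated: prune
        "cross_stack": len(set(re.findall(r"gi (\d+)/", ios))) > 1,
        "lacp_active": "mode active" in ios or "lacp-mode active" in fgt,
    }
```

`audit(IOS, FGT)` reports VLAN 99 as missing on the trunk and lists the trunked VLANs that have no subinterface on the aggregate.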
Silver
New Contributor

Hi everyone, I want to set up a full mesh HA with link aggregation; refer to the attached diagram. I also want to create subinterfaces for inter-VLAN routing on the FGT link aggregation itself. Will that be possible? The HA will work as active and passive. And will the link aggregations on both FGTs need to be in two different groups, or a single group for both? What I mean is: from SW1 port 1 connect to FGT 1 port 1 in group 1, and from SW2 port 1 connect to FGT 1 port 2 in group 1; and for SW2 port 2 connect to FGT 2 group 2, and SW1 port 2 connect to FGT 2 port 2 group 2.
Silver
New Contributor

Any feedback plz