Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- 60C Link Aggregation
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
60C Link Aggregation
Hi guys,
I' ve been googling and searching here, but haven' t found an answer.
Does the 60C support link aggregation?
The data sheet here: http://www.fortinet.com/sites/default/files/productdatasheets/FortiGate-60C.pdf
Says " Multi-Link Aggregation (802.3ad)"
However, I' ve seen some internet search mentions of the 60C not supporting link aggregation.
Anyone know the truth?
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
- « Previous
- Next »
29 REPLIES 29
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Definitely... but that doesn' t quite answer the bit about how the fortigate handles the two interface connections internally, which was my big problem... I wanted to combine those two connections using aggregation, or interface redundancy, or something. I wanted a single IP across 2 connections, and each of those connections to a separate switch.
Essentially I' ve concluded that I agree with you I' d prefer not to use a software switch.. and so I' m going to do what is the only other option available to me since the 60C doesn' t support aggregation and " full mesh" ... meaning I' ll hook 60-C #1 up to switch #1... and 60-C #2 to switch #2... cross-connect switch 1 to switch 2... and just use fail-over monitoring so that if switch #1 died, then I' d fail-over to 60-C #2, which is setup on switch #2.
Not as good as a full mesh, because my setup wouldn' t be resilient against the unlikely scenario of 60-c #1 and switch #1 both dying at the same time.. but still pretty good.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could use the internal ports on each 60C in ' switch mode' , and connect each FGT to both switches. The switches should be linked to each other as well. But this setup, as well as your proposal, requires Spanning Tree protocol to be active on the switches. If available, Rapid STP is preferable as it converges more quickly.
Basically, a HA cluster is ONE device, with one IP address and only one MAC address. Any additional connection after the first between the cluster and the switches must be put into the ' blocked' state by the Spanning Tree protocol, or you will experience a broadcast storm.
So I don' t see why you shouldn' t configure a full mesh (4 connections) of which only 1 will be active/forwarding at any time. This is called resiliency, second best to ' full mesh active' . The latter would require that your switches form a cluster like the FGTs, called ' virtual cluster' (Juniper) or IRF (HP). IMHO a bit oversized for a pair of 60Cs.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could use the internal ports on each 60C in ' switch mode' , and connect each FGT to both switches. The switches should be linked to each other as well. But this setup, as well as your proposal, requires Spanning Tree protocol to be active on the switches. If available, Rapid STP is preferable as it converges more quickly.This is exactly what i have done, use the " built-in-switch" of the 60C.
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
FCNSA, FCNSP---FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice,
60B/C/CX/D, 50B, 40C, 30BFortiAnalyzer 100B, 100CFortiMail
100,100CFortiManager VMFortiAuthenticator VMFortiTokenFortiAP 220B/221B,
11C
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I know you know, and I' m glad you figured it out previously and tested it in practice. I just wanted to point out that you' d have to configure STP on the switch(es), or create network loops otherwise.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi guys,
Yep I' m with you... with my setup it' s a bit trickier than that because I have 3 VLANs to worry about (LAN WAN DMZ), so I can' t get away with using only the internal switch.
I' d have to enable interface mode and create software switches to accommodate all 3 VLANS.
However, I read this:
http://kb.fortinet.com/kb/viewContent.do?externalId=FD31769&sliceId=1
Which indicates " soft switch interfaces cannot be monitored by HA or used as HA heartbeat interfaces."
So end of the day I won' t be able to go that route if I can' t use HA monitoring on the software switches.
So still thinking my only option is just to go with one FGT hooked up to each switch and use FGT fail-over in case of switch failure
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
em, the 60C has got 4 independent interfaces even in switch mode - switch, WAN1, WAN2, DMZ. One of them would be your HA link, the switch for the VLANs. Should suffice.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thing is -
I have 2 FGTS and 3 VLANs: WAN, LAN, DMZ on 2 trunked switches.
I want each VLAN to have a redundant connection to each switch. So that' s 6 cables to each firewall, 12 cables total.
That' d mean something like (for each of fw01 and fw02):
WAN VLAN on switch01 connected to WAN1
WAN VLAN on switch 02 connected to WAN2
LAN VLAN on switch 01 connected to internal 1
LAN VLAN on switch 02 connected to internal 2
DMZ VLAN on switch 01 connected to DMZ
DMZ VLAN on switch 02 connected to internal 3
internal 5 for heartbeat between fw01/fw02
But the part I' ve been talking about above is how I can link those interfaces internally in the FGT. E.g. I want WAN1 and WAN2 in this example to be like a single interface with a single IP address. Same for internal1/2 and DMZ/internal3.
As per the subject of the thread, the best way is link aggregation or interface redundancy.. but those aren' t available... and a software switch is an option, but it' s not HA monitorable, doesn' t fail over as quickly, and has some downsides in performance I think.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think this is overly complicated, i.e. a bit theoretical. If you just connect each FGT to one switch you will have redundancy at 100% - if one switch dies, the disconnected FGT will fail over to it' s sibling, and traffic continues to flow. Only in A-A mode you' d notice less throughput. Just make sure you monitor at least one connection to the switch so that a switch failure gets noticed.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yep, that' s also what I was saying above the last couple posts..
I' ve also decided to do it that way instead since otherwise I' d need a 200B with link aggregation to " do it the right way" with link aggregation and a full mesh setup.
Thanks for all the help guys, think I' ve got this settled
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Beware that creating a software switch causes traffic to traverse CPU!
As a FG60C has limited CPU power, I want to warn you for the implications. You may as yourself what the added value is of creating a sub version of redundant links in this setup.
Cheers, Eric
Rackmount your Fortinet --> http://www.rackmount.it/fortirack
Rackmount your Fortinet --> http://www.rackmount.it/fortirack
- « Previous
- Next »
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Fortigate - Issue to Activate trial... 54 Views
- what is an Internal port and... 63 Views
- EMS server not creating download links... 340 Views
- Help with Fortigate 30E Dual WAN... 114 Views
- inter vdom from NAT vdom to... 444 Views
Labels
-
FortiGate
8,570 -
FortiClient
1,730 -
5.2
801 -
FortiManager
719 -
5.4
639 -
FortiAnalyzer
550 -
FortiSwitch
467 -
FortiAP
464 -
FortiClient EMS
418 -
6.0
416 -
5.6
362 -
FortiMail
313 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
230 -
Fortiweb
203 -
IPsec
197 -
5.0
196 -
FortiNAC
184 -
FortiGuard
137 -
6.4
128 -
SD-WAN
113 -
FortiGateCloud
101 -
FortiSIEM
97 -
FortiCloud Products
96 -
FortiAuthenticator
91 -
FortiToken
89 -
Customer Service
79 -
Wireless Controller
77 -
Firewall policy
75 -
4.0MR3
64 -
FortiProxy
59 -
High Availability
54 -
Fortivoice
53 -
FortiADC
53 -
FortiEDR
51 -
vlan
49 -
ZTNA
47 -
FortiExtender
45 -
FortiSandbox
44 -
Routing
43 -
FortiDNS
42 -
DNS
42 -
LDAP
41 -
BGP
40 -
FortiGate v5.4
35 -
SAML
35 -
Authentication
35 -
Certificate
35 -
FortiSwitch v6.4
34 -
NAT
33 -
RADIUS
31 -
SSO
31 -
Interface
31 -
FortiLink
29 -
FortiConnect
28 -
FortiWAN
27 -
VDOM
26 -
Web profile
26 -
FortiConverter
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
FortiPAM
22 -
Virtual IP
22 -
SSL SSH inspection
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
System settings
14 -
IP address management - IPAM
14 -
snmp
13 -
Static route
13 -
FortiSOAR
12 -
FortiCASB
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
FortiManager v4.0
10 -
IPS signature
10 -
Security profile
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
Proxy policy
9 -
Intrusion prevention
9 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Antivirus profile
7 -
Fabric connector
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Fortinet Engage Partner Program
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiGate-VM
3 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
Authentication rule and scheme
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1669 | |
| 1082 | |
| 752 | |
| 446 | |
| 226 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.