Support Forum
tedauction
New Contributor III

Bonded aggregate interface with multiple L3 interfaces?

Hello, I have seen some FortiGates with 802.3ad aggregate interfaces that contain multiple VLAN L3 interfaces.

This is confusing me, as I assumed that 802.3ad aggregate interfaces were essentially bonded trunks (that would not contain multiple L3 interfaces).

Therefore, if you wanted to create a router-on-a-stick interface like this, can you also use an aggregate, bonded interface instead of a regular L3 interface with multiple VLAN-tagged L3 interfaces? Is there any advantage?

Thanks for any clarifications.

1 Solution
Toshi_Esumi
Esteemed Contributor III

It's not only for FortiGate but virtually any other vendor's 802.3ad LAG (https://en.wikipedia.org/wiki/Link_aggregation) should work the same way. The LAG is just an L2 link between both ends regardless of the number of physical circuits/connections in one LAG. It can be just one.

Just like any other L2 link, it can carry Ethernet frames with VLAN tag(s). Therefore you can put as much VLAN-tagged traffic over it as you can configure.
The VLAN (sub)interfaces are just there to terminate each VLAN's traffic and bind to the LAG to direct L2 traffic toward/from it.

Cisco's switch/router SVI interfaces like "Vlan10" and "Vlan20" can pass traffic over a Port-channel 1 if you configured "switchport trunk allowed vlan 10,20" on the Po1. For FortiGate it's much easier because you don't have to configure it on the LAG interface side, but you need to specify it on the VLAN interface side.


Toshi

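As an added example (not part of Toshi's post, and not Fortinet or Cisco code), the following Python script embeds constructed FortiOS-style and Cisco IOS-style snippets for the two ends of such a LAG: an aggregate interface named `agg1` with VLAN subinterfaces bound to it via `set interface "agg1"` / `set vlanid`, and the peer `Port-channel1` with `switchport trunk allowed vlan`. It parses both sides and reports VLANs the FortiGate terminates but the switch prunes from the trunk (their traffic is silently dropped) and VLANs the switch forwards that nothing on the FortiGate terminates (candidates for trimming from the allowed list). The interface names, member ports, addresses and VLAN IDs are assumptions chosen for the example.

```python
"""Consistency check between a FortiGate 802.3ad aggregate with VLAN
subinterfaces and the switch-side port-channel trunk it connects to.
Both configuration snippets are constructed for this example."""
import re

# Constructed FortiOS-style snippet: aggregate "agg1" (name chosen here)
# plus three VLAN subinterfaces bound to it.
FORTIGATE_CONFIG = """
config system interface
    edit "agg1"
        set vdom "root"
        set type aggregate
        set member "port1" "port2"
        set lacp-mode active
    next
    edit "vlan10"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping
        set interface "agg1"
        set vlanid 10
    next
    edit "vlan20"
        set vdom "root"
        set ip 10.20.20.1 255.255.255.0
        set interface "agg1"
        set vlanid 20
    next
    edit "vlan30"
        set vdom "root"
        set ip 10.30.30.1 255.255.255.0
        set interface "agg1"
        set vlanid 30
    next
end
"""

# Constructed Cisco IOS-style snippet for the peer Port-channel 1.
# VLAN 30 is deliberately missing and VLAN 40 deliberately extra.
SWITCH_CONFIG = """
interface Port-channel1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,40
!
interface GigabitEthernet1/0/1
 channel-group 1 mode active
!
interface GigabitEthernet1/0/2
 channel-group 1 mode active
!
"""


def parse_fortigate_interfaces(text):
    """Return {name: {setting: value}} for each 'edit ... next' block."""
    interfaces = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'edit "([^"]+)"', line)
        if m:
            current = m.group(1)
            interfaces[current] = {}
            continue
        if line == "next":
            current = None
            continue
        if current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            interfaces[current][key] = value.replace('"', "")
    return interfaces


def vlans_terminated_on(interfaces, lag_name):
    """VLAN IDs of subinterfaces whose parent interface is the given LAG."""
    return {int(cfg["vlanid"]) for cfg in interfaces.values()
            if cfg.get("interface") == lag_name and "vlanid" in cfg}


def parse_allowed_vlans(text, port_channel):
    """Expand 'switchport trunk allowed vlan 10,20,30-32' for one port-channel.
    Only the plain list form is handled, not 'add'/'remove'/'all'."""
    allowed = set()
    in_po = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            in_po = line == f"interface {port_channel}"
            continue
        if in_po and line.startswith("switchport trunk allowed vlan "):
            for part in line.rsplit(" ", 1)[1].split(","):
                lo, _, hi = part.partition("-")
                allowed.update(range(int(lo), int(hi or lo) + 1))
    return allowed


def check_trunk(fg_text, lag_name, sw_text, port_channel):
    """Compare both ends; returns (missing_on_switch, extra_on_switch)."""
    ifaces = parse_fortigate_interfaces(fg_text)
    if ifaces.get(lag_name, {}).get("type") != "aggregate":
        raise ValueError(f"{lag_name} is not an aggregate interface")
    fg_vlans = vlans_terminated_on(ifaces, lag_name)
    sw_vlans = parse_allowed_vlans(sw_text, port_channel)
    missing = fg_vlans - sw_vlans   # terminated on FortiGate, pruned by switch
    extra = sw_vlans - fg_vlans     # forwarded by switch, terminated nowhere
    return missing, extra


if __name__ == "__main__":
    missing, extra = check_trunk(FORTIGATE_CONFIG, "agg1",
                                 SWITCH_CONFIG, "Port-channel1")
    print("terminated on FortiGate but pruned on trunk:", sorted(missing))
    print("allowed on trunk but terminated nowhere:", sorted(extra))
```

With the constructed snippets the script reports VLAN 30 as pruned on the trunk and VLAN 40 as allowed but unused; keeping the switch's allowed list equal to the set of VLANs actually terminated on the aggregate is the simplest way to keep the trunk from carrying traffic nobody asked for.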

3 REPLIES

ede_pfau
Esteemed Contributor III

Just want to mention that using an LACP trunk has an intrinsic advantage.

All LANs using this trunk will potentially be able to use the aggregated bandwidth, even if it was just for a short period of time (like, e.g., for a backup job). Plus, if any single trunk member port fails, sessions will persist, with only the available bandwidth reduced by 1/n.


Following these lines of thought, you can create one big LACP trunk to the core switch (or better still, to the core switch stack, for physical redundancy), and run all VLANs across it, be it LAN or WAN. You still have full control in the policies by filtering addresses (instead of interfaces).

This way, all VLANs are secured by redundant links, and all might exploit the combined bandwidth if necessary. And on the core switch(es), port configuration is simplified.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
subhash06
New Contributor

Do it just like you’d do it on a switch.

If you’re not doing more exotic things, you can keep the physical interface configs relatively simple by using family bridge type syntax. It looks nearly identical to an EX with ELS-style syntax.

Bind an IRB unit to the VLAN, and that’s where your L3 addressing goes.
