Hello, I have seen some FortiGates with 802.3ad Aggregate interfaces that contain multiple VLAN L3 interfaces.
This is confusing me, as I assumed that 802.3ad Aggregate interfaces were essentially bonded trunks (that would not contain multiple L3 interfaces).
Therefore, if you wanted to create a router-on-a-stick interface like this, can you also use an aggregate, bonded interface instead of a regular L3 interface with multiple VLAN-tagged L3 interfaces? Is there any advantage?
Thanks for any clarifications.
It's not only for FortiGate; virtually any other vendor's 802.3ad LAG (https://en.wikipedia.org/wiki/Link_aggregation) should work the same way. The LAG is just an L2 link between both ends regardless of the number of physical circuits/connections in one LAG. It can be just one.
Just like any other L2 link, it can carry Ethernet frames with VLAN tag(s). Therefore you can put as much VLAN-tagged traffic over it as you can configure.
The VLAN (sub)interfaces are just there to terminate each VLAN's traffic and are bound to the LAG to direct L2 traffic toward/from it.
Cisco switch/router SVI interfaces like "Vlan10" and "Vlan20" can pass traffic over a Port-channel 1 if you configured "switchport trunk allowed vlan 10,20" on the Po1. For FortiGate it's much easier because you don't have to configure it on the LAG interface side; you only need to specify it on the VLAN interface side.
Toshi
Just want to mention that using an LACP trunk has an intrinsic advantage.
All LANs using this trunk will potentially be able to use the aggregated bandwidth, even if it was just for a short period of time (like, e.g., for a backup job). Plus, if any single trunk member port fails, sessions will persist, with only the available bandwidth reduced by 1/n.
Following these lines of thought, you can create one big LACP trunk to the core switch (or better still, to the core switch stack, for physical redundancy), and run all VLANs across it, be it LAN or WAN. You still have full control in the policies by filtering addresses (instead of interfaces).
This way, all VLANs are secured by redundant links, and all might exploit the combined bandwidth if necessary. And on the core switch(es), port configuration is simplified.
Do it just like you’d do it on a switch.
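To make the two replies above concrete, here is an added FortiOS CLI example (constructed for this thread, not configuration posted by either author). It assumes a FortiGate with physical ports `port1` and `port2`, an aggregate named `agg1`, VLAN subinterfaces `vlan10` and `vlan20`, the subnets `10.0.10.0/24` and `10.0.20.0/24`, and the address object names shown; all of these are assumptions. It shows Toshi's point that the VLAN binding lives on the VLAN interface (`set interface "agg1"` plus `set vlanid`) rather than on the LAG, and the second reply's point that the VLANs sharing one LAG are still separate firewall interfaces, so inter-VLAN traffic is governed by normal policies filtered on addresses.

```fortios
# Added example, not from the original thread. Assumed names: port1, port2,
# agg1, vlan10, vlan20, net_vlan10, srv_vlan20_web.
config system interface
    edit "agg1"
        set vdom "root"
        set type aggregate
        set member "port1" "port2"
        set lacp-mode active
        # No IP address on the aggregate itself: untagged frames on the LAG
        # then have no L3 endpoint on the FortiGate.
    next
    edit "vlan10"
        set vdom "root"
        set ip 10.0.10.1 255.255.255.0
        set allowaccess ping
        set role lan
        # The VLAN binding is configured here, on the subinterface,
        # not on the LAG.
        set interface "agg1"
        set vlanid 10
    next
    edit "vlan20"
        set vdom "root"
        set ip 10.0.20.1 255.255.255.0
        set allowaccess ping
        set role lan
        set interface "agg1"
        set vlanid 20
    next
end

# Address objects used to filter policies by address rather than by
# physical interface (assumed names and values).
config firewall address
    edit "net_vlan10"
        set subnet 10.0.10.0 255.255.255.0
    next
    edit "srv_vlan20_web"
        set subnet 10.0.20.10 255.255.255.255
    next
end

# Both VLANs ride the same LAG, but traffic between them still has to
# match an explicit policy; everything else stays at the implicit deny.
config firewall policy
    edit 1
        set name "vlan10-to-web20"
        set srcintf "vlan10"
        set dstintf "vlan20"
        set srcaddr "net_vlan10"
        set dstaddr "srv_vlan20_web"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end
```

The switch end of `agg1` must be a matching LACP port-channel configured as a trunk that allows VLANs 10 and 20, as the first reply describes for a Cisco `Po1`; if a VLAN is allowed on the trunk but has no subinterface on the FortiGate, its frames simply have nothing to terminate them there.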
If you’re not doing more exotic things, you can keep the physical interface configs relatively simple by using family bridge type syntax. It looks nearly identical to an EX with ELS-style syntax.
Bind an IRB unit to the VLAN, and that’s where your L3 addressing goes.
Copyright 2024 Fortinet, Inc. All Rights Reserved.