Hi,
I have changed our core switching to a pair of ArubaOS-CX devices and wanted to move the existing Fortigate LAG on X1/X2 on a 100F (6.0.14) to go to each of the Arubas.
The Aruba multi-chassis LAG can only be set up with LACP and it didn't come up so ended up creating a non-LACP LAG to just one of the switches to get us up and running. I have looked at the Fortigate and seen that the LACP type is static. My question is, can this be changed to active or passive on an already configured Fortigate LAG? Or like with everything else, do I have to remove all config and start again to create a new one?
I don't want to have to travel to the site to find out it can't be changed with a CLI command. Thanks!
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
@andersh wrote:My question is, can this be changed to active or passive on an already configured Fortigate LAG?
Yes, you can of course change the LCAP mode on the fly.
If the mode is currently for some reason set to 'static' on your aggregate interface, it means that LCAP is disabled. It is therefore expected that the aggregate link would not come up when LACP was enabled on your Aruba switch.
You can enable LACP with the bellow command:
config system interface
edit <aggregate_port>
set lacp-mode active
next
end
Just note that the moment you enable LACP in Fortigate, the link will go down and it will remain down until you also enable LACP (active or passive mode) on your Aruba switch. Once done, they should negotiate almost immediately.
You can see the link status and LACP states with the bellow commands:
diag netlink aggregate list
diag netlink aggregate name <aggregate_port>
NOTE: You should always schedule a maintenance window and have at least OOB access to your appliances if you cannot be physically on the sate.
By default lacp-mode should be active on any LAG like below. So you don't have remote access to the 100F? You should set up a VPN for secure remote admin.
xxx-fg1 (AggPath) # show full | grep lacp
set lacp-mode active
set lacp-ha-slave enable
set lacp-speed slow
xxx-fg1 (AggPath) # set lacp-mode ?
static Use static aggregation, do not send and ignore any LACP messages.
passive Passively use LACP to negotiate 802.3ad aggregation.
active Actively use LACP to negotiate 802.3ad aggregation.
Toshi
Thanks for the reply, I do have remote access, I was asking if you can set the LACP mode on a LAG which is already configured, set up and running with many references. If I attempt it now remotely, I will break it and lose access, or I could go to site, arrange downtime and find out I can't change the setting!
@andersh wrote:My question is, can this be changed to active or passive on an already configured Fortigate LAG?
Yes, you can of course change the LCAP mode on the fly.
If the mode is currently for some reason set to 'static' on your aggregate interface, it means that LCAP is disabled. It is therefore expected that the aggregate link would not come up when LACP was enabled on your Aruba switch.
You can enable LACP with the bellow command:
config system interface
edit <aggregate_port>
set lacp-mode active
next
end
Just note that the moment you enable LACP in Fortigate, the link will go down and it will remain down until you also enable LACP (active or passive mode) on your Aruba switch. Once done, they should negotiate almost immediately.
You can see the link status and LACP states with the bellow commands:
diag netlink aggregate list
diag netlink aggregate name <aggregate_port>
NOTE: You should always schedule a maintenance window and have at least OOB access to your appliances if you cannot be physically on the sate.
If your remote access is coming through the link you change the config, I would never do the change remotely regardless if it's in maintenance window or not. Only in case I have another path to get in I would do that.
By the way, just in case your FGT is multi-vdom environment, the diag netlink aggregate commands bpozdena_FTNT showed need to be run under one of vdoms, it doesn't matter which one but not under "global".
Toshi
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1522 | |
1020 | |
749 | |
443 | |
209 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.