- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Cisco c2960 switches to Fotigate 400e in HA aggreg...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Cisco c2960 switches to Fotigate 400e in HA aggregation
Hi, Need urgent attention with an issue related to trunking aggregated ports in criss-cross HA environment. I am sharing below configs from cisco c2960 switch1 and cisco c2960 switch 2 with on the firewall fortigate 400E with ports 9,10,11,12 in 802.3ad aggregate. Switch C2960 -1 interface GigabitEthernet1/0/33 switchport trunk native vlan 400 switchport trunk allowed vlan 2,3,11,15,18,50,52-54,62,64-66,161,171-174,181 switchport trunk allowed vlan add 400 switchport mode trunk switchport nonegotiate channel-protocol lacp channel-group 11 mode active ! interface GigabitEthernet1/0/34 switchport trunk native vlan 400 switchport trunk allowed vlan 2,3,11,15,18,50,52-54,62,64-66,161,171-174,181 switchport trunk allowed vlan add 400 switchport mode trunk switchport nonegotiate channel-protocol lacp channel-group 11 mode active ! interface GigabitEthernet1/0/35 switchport trunk native vlan 400 switchport trunk allowed vlan 2,3,11,15,18,50,52-54,62,64-66,161,171-174,181 switchport trunk allowed vlan add 400 switchport mode trunk switchport nonegotiate channel-protocol lacp channel-group 12 mode active ! interface GigabitEthernet1/0/36 switchport trunk native vlan 400 switchport trunk allowed vlan 2,3,11,15,18,50,52-54,62,64-66,161,171-174,181 switchport trunk allowed vlan add 400 switchport mode trunk switchport nonegotiate channel-protocol lacp channel-group 12 mode active and portchannel 11 and 12 config as below : interface Port-channel11 switchport trunk native vlan 400 switchport trunk allowed vlan 2,3,11,15,18,50,52-54,62,64-66,161,171-174,181 switchport trunk allowed vlan add 400 switchport mode trunk switchport nonegotiate ! interface Port-channel12 switchport trunk native vlan 400 switchport trunk allowed vlan 2,3,11,15,18,50,52-54,62,64-66,161,171-174,181 switchport trunk allowed vlan add 400 switchport mode trunk switchport nonegotiate Switch C2960 - 2 interface GigabitEthernet1/0/33 switchport trunk native vlan 400 switchport trunk allowed vlan 2,3,11,15,18,50,52-54,62,64-66,161,171-174,181 switchport trunk allowed vlan add 400 switchport mode trunk switchport nonegotiate channel-protocol lacp channel-group 11 mode active ! interface GigabitEthernet1/0/34 switchport trunk native vlan 400 switchport trunk allowed vlan 2,3,11,15,18,50,52-54,62,64-66,161,171-174,181 switchport trunk allowed vlan add 400 switchport mode trunk switchport nonegotiate channel-protocol lacp channel-group 11 mode active ! interface GigabitEthernet1/0/35 switchport trunk native vlan 400 switchport trunk allowed vlan 2,3,11,15,18,50,52-54,62,64-66,161,171-174,181 switchport trunk allowed vlan add 400 switchport mode trunk switchport nonegotiate channel-protocol lacp channel-group 12 mode active ! interface GigabitEthernet1/0/36 switchport trunk native vlan 400 switchport trunk allowed vlan 2,3,11,15,18,50,52-54,62,64-66,161,171-174,181 switchport trunk allowed vlan add 400 switchport mode trunk switchport nonegotiate channel-protocol lacp channel-group 12 mode active ! and portchannel 11 and 12 config on switch 2 interface Port-channel11 switchport trunk native vlan 400 switchport trunk allowed vlan 2,3,11,15,18,50,52-54,62,64-66,161,171-174,181 switchport trunk allowed vlan add 400 switchport mode trunk switchport nonegotiate ! interface Port-channel12 switchport trunk native vlan 400 switchport trunk allowed vlan 2,3,11,15,18,50,52-54,62,64-66,161,171-174,181 switchport trunk allowed vlan add 400 switchport mode trunk switchport nonegotiate And the configuration i have done on Fortigate 400E(HA) - 1 & 2 is as below : edit "Cisco_LAN" set vdom "root" set vlanforward enable set type aggregate set member "port9" "port10" "port11" "port12" Now the issue is with the ports. One switch acting as active and the other shows standby/passive(ports 33,34,35,36). If i disconnect switch-1 which is active then other switch starts the traffic after 30 seconds on particular ports 33,34,35,36 only. I want to achieve the network as active-active and which will be useful for me in case if needs more pipe. Please help with the config. Simple network diagram attached. Thanks Rohit K
Rohit K
Rohit K
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is only possible, if the two switches are stacked or acting as MLAG-domain.
You cannot span LACP-bonds over two independent switches.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dear ,
How you configured Cisco Switch - is in stack or standalone mode ?
If you have configured cisco switch as stack then it will be good to go with this setup.
Regards,
Harmesh Yadav
CCNP CCSE
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Thanks for the replies.
These are in standalone presently and I have to stack them. Just finding way out if it feasible to stack in C2960XR-48TS-I.
Regards,
Rohit
Rohit K
Rohit K
Related Posts
- FortiGate/FortiSwitch VLANs 341 Views
- fortigate design 479 Views
- Advantages/Disadvantages of deploying Fortilink as hardware... 1659 Views
- Fortiswitch stack 6396 Views
- HA cluster "split brain" when downstream... 413 Views
Labels
-
FortiGate
6,457 -
FortiClient
1,290 -
5.2
801 -
5.4
639 -
FortiManager
562 -
6.0
416 -
FortiAnalyzer
411 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
68 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
BGP
11 -
DNS
11 -
Interface
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiTester
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.