Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDLP
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGuard
- FortiGate Cloud
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Fortigate 100F ( HA Cluster ) Link Aggregation for...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fortigate 100F ( HA Cluster ) Link Aggregation for multiple vDoms
Hello to all,
Iám new to the Fortinet Products.
At the moment i concern onself with the Fortigate 100F Firewall.
Question:
It is possible to configure one LACP link (with to ports) to a Switch, when i use multiple vDoms on the Fortigate 100F
and this Fortigate is also in a HA Cluster.
Because i read the below in the FortiOS 6.4.4 Adminstration Guide on Page 397:
Aggregation and redundancy
An interface is available to be an aggregate interface if:
[size="3"]It is in the same VDOM as the aggregated interface. [style="background-color: #ffff00;"]Aggregate ports cannot span multiple VDOMs[/style][/size]
Does this mean i need a dedicated Interface pair per vDOM ?, or can i use Vlan´s on the 802.1q Trunk and then
use one Vlan per vDom ?
Any recommendation / example configuration would be great.
Thank you.
[size="2"] [/size]Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
20 REPLIES 20
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Toshi,
nice drawing.
When the green dotted lines are NO phy. Interface and the Vlans to the bottom switch are the same for the upper
switch. Mean Vlan 10,11 and 12 .
Then the answer is yes.
Is it possible ?
really thank you for the effort
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If NAT mode, upper vlans and lower ones have to be different, otherwise the FGT can't route one side to the other. What do you expect the FGT to do if both sides (servers?) are on the same vlan? Then they would communicate each other without the FGT on Layer2.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Tohshi,
thank you that you mention that with the VLANs.
I didn´t thought about this.
With inter-vlan routing i could use the same vlans on both sides, if i understand it right.
Anyway is it possible with only 4 phy. Interfaces to achieve this solution in your drawing.
Without one phy. Interface per VDOM for the sub-interface (VLAN) ?
Maybe you have some example from your past work.
Thank you so much for the effort.
regards
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I suggest opening a TT with TAC explaining exactly what you want to set up with your HA paired FGTs, which I still don't understand.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is a sample configuration... Keep in mind you cannot Aggregate (FW1-Port1 + FW2-Port1).
What you can Aggregate is (FW1-Port1 + FW1-Port2 + ...)
Your Aggregated Interfaces belongs to Root VDOM by default. You may create dot1q interfaces on top of that.
config global config sys interface edit "AGG_L3SW" set vdom "root" set allowaccess ping set type aggregate set member "port5" "port6" set description "to L3SW" next edit "VLAN100" set vdom "VDOM0" set ip 10.16.20.10/28 set allowaccess ping set interface "AGG_L3SW" set vlanid 100 next edit "VLAN200" set vdom "VDOM1" set ip 172.16.20.10/29 set allowaccess ping set interface "AGG_L3SW" set vlanid 200 next edit "VLAN300" set vdom "VDOM1" set ip 172.16.30.10/29 set allowaccess ping set interface "AGG_L3SW" set vlanid 300 next edit "VLAN400" set vdom "VDOM2" set ip 172.16.40.10/29 set allowaccess ping set interface "AGG_L3SW" set vlanid 400 next end
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you Sekar.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Toshi and Sekar,
thanks for you effort.
Toshi i attached a toplogy (not so nice like yours) to make it more detailed.
Sorry for the headache :)
I want do use as less physical ports as possible on the FGT. Thats the main point.
Use VLANS to separate the traffic for VDOM root and VDOM 1 -3.
VDOM 1 -3 it is not necessary to communicate with each other.
Traffic from Server to LAN should go only over the primary path.
Only use the backup path in case the FGT 1 crashes or a link goes down on the primary path.
Any suggestion for this ?
regards
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
have the same challenge with Fortinet 100F (FW 6.4.x). I connect a Multi-VDOM HA-Cluster to a stack with to switches. For my understanding to LACP LAGs are required for redundancy. Firewall-Cluster and Switch stack a full-meshed.
For default all interfaces are in root VDOM, which we want to use as mangement VDOM.
Each interface/LACP is assigned to a distinct VDOM. The VLANs on this LACP are then also in the assigned VDOM.
In which VDOM or context do I have to define LACP LAGS and VLANs?
Thanks in advance...
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It doesn't mater where the physical LAG/LACP interface resides. Wherever it is, you can create as many VLANs as you want on the LAG and set a VDOM for each VLAN, Like your VLAN 2, 3, 4, 5.
I would leave the LAG at root VDOM though.
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Toshi for your reply. I got it :)
Are there any security concerns on having the LACP-Interface, which is forwaring all VLAN-Frames, in the root-VDOM (Mangement VDOM)?
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
Labels
-
FortiGate
8,341 -
FortiClient
1,686 -
5.2
801 -
FortiManager
703 -
5.4
639 -
FortiAnalyzer
532 -
FortiSwitch
452 -
FortiAP
446 -
6.0
416 -
FortiClient EMS
392 -
5.6
362 -
FortiMail
307 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
205 -
5.0
196 -
FortiWeb
194 -
IPsec
174 -
FortiNAC
171 -
FortiGuard
132 -
6.4
128 -
SD-WAN
102 -
FortiGateCloud
100 -
FortiSIEM
97 -
FortiCloud Products
95 -
FortiToken
88 -
FortiAuthenticator
80 -
Customer Service
76 -
Wireless Controller
76 -
Firewall policy
67 -
4.0MR3
64 -
FortiProxy
56 -
FortiADC
51 -
Fortivoice
50 -
FortiEDR
50 -
High Availability
48 -
vlan
47 -
ZTNA
45 -
FortiSandbox
43 -
FortiExtender
43 -
FortiDNS
42 -
Routing
39 -
DNS
38 -
BGP
37 -
LDAP
37 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
32 -
Certificate
32 -
Interface
31 -
NAT
30 -
Authentication
29 -
SSO
29 -
FortiConnect
28 -
RADIUS
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
FortiGate v5.2
24 -
VDOM
24 -
Web profile
23 -
Application control
22 -
Virtual IP
22 -
Logging
21 -
Fortigate Cloud
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
FortiMonitor
18 -
FortiPAM
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
FortiGate v5.0
14 -
OSPF
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
WAN optimization
13 -
FortiCASB
12 -
SNMP
12 -
Automation
12 -
Admin
12 -
System settings
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiSOAR
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiAP profile
9 -
Proxy policy
9 -
FortiBridge
8 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
Traffic shaping policy
7 -
Fabric connector
7 -
Intrusion prevention
7 -
FortiCache
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
FortiCarrier
5 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Traffic shaping profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiScan
4 -
Explicit proxy
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Email filter profile
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
Schedule
2 -
SDN connector
2 -
Service
2 -
Zone
2 -
Cloud Management Security
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
TACACS
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1633 | |
| 1063 | |
| 751 | |
| 443 | |
| 210 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.