Support Forum
Matthew1
New Contributor

Fortigate 100F ( HA Cluster ) Link Aggregation for multiple vDoms

Hello to all,

 

I'm new to the Fortinet products.

At the moment I am working with the FortiGate 100F firewall.

 

Question:

 

Is it possible to configure one LACP link (with two ports) to a switch when I use multiple VDOMs on the FortiGate 100F

and this FortiGate is also in an HA cluster?

 

Because I read the following in the FortiOS 6.4.4 Administration Guide on page 397:

 

Aggregation and redundancy

An interface is available to be an aggregate interface if:

It is in the same VDOM as the aggregated interface. Aggregate ports cannot span multiple VDOMs.

 

https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/7d5dfa98-3a77-11eb-96b9-005056...

 

Does this mean I need a dedicated interface pair per VDOM, or can I use VLANs on the 802.1Q trunk and then

use one VLAN per VDOM?

 

Any recommendation / example configuration would be great.

 

Thank you.

Matthew1

Hello Toshi,

 

nice drawing.

 

If the green dotted lines are not physical interfaces, and the VLANs to the bottom switch are the same as for the upper

switch, meaning VLANs 10, 11 and 12,

then the answer is yes.

Is it possible?

 

 

Really, thank you for the effort.

 

 

Toshi_Esumi

In NAT mode, the upper VLANs and the lower ones have to be different, otherwise the FGT can't route one side to the other. What do you expect the FGT to do if both sides (servers?) are on the same VLAN? Then they would communicate with each other at Layer 2, without the FGT.

Matthew1

Hello Toshi,

thank you for mentioning the VLANs.

I didn't think about this.

With inter-VLAN routing I could use the same VLANs on both sides, if I understand it right.

Anyway, is it possible to achieve the solution in your drawing with only 4 physical interfaces,

without one physical interface per VDOM for the sub-interface (VLAN)?

Maybe you have some example from your past work.

Thank you so much for the effort.

 

regards

 

 

 

 

Toshi_Esumi

I suggest opening a TT with TAC explaining exactly what you want to set up with your HA paired FGTs, which I still don't understand.

sekar_karthi

Here is a sample configuration. Keep in mind you cannot aggregate (FW1-Port1 + FW2-Port1).

What you can aggregate is (FW1-Port1 + FW1-Port2 + ...).

Your aggregated interface belongs to the root VDOM by default. You may create dot1q (VLAN) interfaces on top of it.

 

    config global
        config system interface
            edit "AGG_L3SW"
                set vdom "root"
                set allowaccess ping
                set type aggregate
                set member "port5" "port6"
                set description "to L3SW"
            next
            edit "VLAN100"
                set vdom "VDOM0"
                set ip 10.16.20.10/28
                set allowaccess ping
                set interface "AGG_L3SW"
                set vlanid 100
            next
            edit "VLAN200"
                set vdom "VDOM1"
                set ip 172.16.20.10/29
                set allowaccess ping
                set interface "AGG_L3SW"
                set vlanid 200
            next
            edit "VLAN300"
                set vdom "VDOM1"
                set ip 172.16.30.10/29
                set allowaccess ping
                set interface "AGG_L3SW"
                set vlanid 300
            next
            edit "VLAN400"
                set vdom "VDOM2"
                set ip 172.16.40.10/29
                set allowaccess ping
                set interface "AGG_L3SW"
                set vlanid 400
            next
        end
    end

Matthew1

Thank you Sekar.

 

 

Matthew1

Hello Toshi and Sekar,

thanks for your effort.

Toshi, I attached a topology (not as nice as yours) to make it more detailed.

Sorry for the headache :)

I want to use as few physical ports as possible on the FGT. That's the main point.

Use VLANs to separate the traffic for VDOM root and VDOMs 1-3.

VDOMs 1-3 do not need to communicate with each other.

Traffic from the servers to the LAN should only go over the primary path.

Only use the backup path in case FGT 1 crashes or a link goes down on the primary path.

 

Any suggestion for this ?

 

regards

ZGB
New Contributor

I have the same challenge with a FortiGate 100F (FW 6.4.x). I connect a multi-VDOM HA cluster to a stack with two switches. As I understand it, two LACP LAGs are required for redundancy. Firewall cluster and switch stack are full-meshed.

[attachment: AnbindungSW.png]

 

By default all interfaces are in the root VDOM, which we want to use as the management VDOM.

Each interface/LACP is assigned to a distinct VDOM. The VLANs on this LACP are then also in the assigned VDOM. 

In which VDOM or context do I have to define the LACP LAGs and VLANs?

 

Thanks in advance...

 


 

Toshi_Esumi
SuperUser

It doesn't matter where the physical LAG/LACP interface resides. Wherever it is, you can create as many VLANs as you want on the LAG and set a VDOM for each VLAN, like your VLANs 2, 3, 4, 5.
I would leave the LAG at root VDOM though.

 

Toshi

ZGB

Thanks Toshi for your reply. I got it :)

Are there any security concerns with having the LACP interface, which is forwarding all VLAN frames, in the root VDOM (management VDOM)?
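The following is an added example, not configuration posted by anyone in this thread. It puts together the pattern the replies above describe: one LAG per cluster member in the root VDOM, one 802.1Q sub-interface per VDOM on top of it, and an active-passive HA pair that monitors the LAG so a link failure triggers failover (which gives the "primary path only, backup path on failure" behaviour asked for earlier, because the passive unit's LAG stays idle until failover). Interface names (port5/port6, LAG1), VDOM names, VLAN IDs, IP addresses, the HA group name and the password placeholder are assumptions for illustration; the VDOMs are created first because the sub-interfaces reference them. Regarding the security question: tagged frames are delivered to the VLAN sub-interface in its own VDOM, and traffic between VDOMs needs an explicit inter-VDOM link and policy, so the root VDOM only ever sees untagged frames on the parent LAG. The parent is therefore left without an IP address and without administrative access, and the trunk's native (untagged) VLAN should be left unused on the switch side so nothing lands on it.

```text
config global
    # Assumed VDOM names; VDOMs must exist before sub-interfaces reference them.
    config vdom
        edit "VDOM1"
        next
        edit "VDOM2"
        next
        edit "VDOM3"
        next
    end
    config system interface
        # The LAG itself stays in the root (management) VDOM. No IP and no
        # allowaccess: untagged frames from the trunk's native VLAN arrive here
        # and have nowhere to go. Each cluster member has its own LAG on the
        # switch stack; LACP never spans FGT1 and FGT2.
        edit "LAG1"
            set vdom "root"
            set type aggregate
            set member "port5" "port6"
            set lacp-mode active
            set description "802.1Q trunk to switch stack (this unit's own LAG)"
        next
        # One tagged sub-interface per VDOM. The VDOM owns the IP address,
        # routing table and firewall policies; the parent VDOM does not.
        edit "VLAN10_VDOM1"
            set vdom "VDOM1"
            set ip 10.10.10.1 255.255.255.0
            set allowaccess ping
            set interface "LAG1"
            set vlanid 10
        next
        edit "VLAN11_VDOM2"
            set vdom "VDOM2"
            set ip 10.10.11.1 255.255.255.0
            set allowaccess ping
            set interface "LAG1"
            set vlanid 11
        next
        edit "VLAN12_VDOM3"
            set vdom "VDOM3"
            set ip 10.10.12.1 255.255.255.0
            set allowaccess ping
            set interface "LAG1"
            set vlanid 12
        next
    end
    # Active-passive HA over the dedicated ha1/ha2 ports. Monitoring LAG1
    # fails the cluster over when the aggregate goes down, so only the
    # primary unit's LAG carries traffic in normal operation. HA synchronises
    # this configuration to the secondary unit.
    config system ha
        set group-name "FGT100F-HA"
        set mode a-p
        set password "change-me"   # placeholder, replace with a real shared secret
        set hbdev "ha1" 50 "ha2" 50
        set session-pickup enable
        set monitor "LAG1"
        set override disable
    end
end
```

On the switch stack this needs two separate LACP port-channels, one towards each FortiGate, both configured as 802.1Q trunks carrying VLANs 10-12 with the native VLAN set to an unused ID. Traffic between VDOM1, VDOM2 and VDOM3 is not possible with this configuration alone, which matches the requirement that the VDOMs do not need to talk to each other.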
