Hello all,
can you please tell me where I can find an up-to-date configuration for LACP between Cisco and FortiGate? The last one I found used the dot1q command, which is not supported anymore.
My LACP is up but no traffic passes through.
CHZHSTFW01 # diagnose netlink aggregate name test
CHZHSTFW01 # diagnose netlink aggregate name Test
LACP flags: (A|P)(S|F)(A|I)(I|O)(E|D)(E|D)
(A|P) - LACP mode is Active or Passive
(S|F) - LACP speed is Slow or Fast
(A|I) - Aggregatable or Individual
(I|O) - Port In sync or Out of sync
(E|D) - Frame collection is Enabled or Disabled
(E|D) - Frame distribution is Enabled or Disabled
status: up
ports: 1
link-up-delay: 50ms
min-links: 1
ha: master
distribution algorithm: L4
LACP mode: active
LACP speed: slow
LACP HA: enable
aggregator ID: 1
actor key: 17
actor MAC address: 90:6c:ac:52:3a:5a
partner key: 2
partner MAC address: a0:f8:49:cd:5c:00
slave: port5
link status: up
link failure count: 5
permanent MAC addr: 90:6c:ac:52:3a:5a
LACP state: established
actor state: ASAIEE
actor port number/key/priority: 1 17 255
partner state: ASAIEE
partner port number/key/priority: 266 2 32768
partner system: 34817 a0:f8:49:cd:5c:00
aggregator ID: 1
speed/duplex: 1000 1
RX state: CURRENT 6
MUX state: COLLECTING_DISTRIBUTING 4
CHZHSTFW01 # diagnose sniffer packet Test
interfaces=[Test]
filters=[none]
pcap_lookupnet: Test: no IPv4 address assigned
9.624169 loopback
10.534169 802.3ad LACPDU (32768,A0-F8-49-CD-5C-00,0002,32768,0266) ASAIEE (65535,90-6C-AC-52-3A-5A,0017,0255,0001) ASAIEE
19.624169 loopback
23.674169 llc unnumbered, ui, flags [command], length 46
29.174169 llc unnumbered, ui, flags [command], length 469
29.624169 loopback
^C
6 packets received by filter
0 packets dropped by kernel
CHZHSTFW01 #
Cisco side is
interface Port-channel2
 switchport trunk allowed vlan 208
 switchport mode trunk
interface TenGigabitEthernet1/0/9
 switchport trunk allowed vlan 208
 switchport mode trunk
 channel-protocol lacp
 channel-group 2 mode active
Thanks
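The diagnose output above prints its own legend for the six-letter actor/partner state (A|P, S|F, A|I, I|O, E|D, E|D). The following is an added example, not code from the thread or from Fortinet: a small Python decoder that turns those state strings into named fields and lists the LACP-level conditions that stop data frames even when the aggregate shows "up". The sample output embedded below is trimmed from the post; the "broken" variant is constructed for illustration.

```python
"""Decode and sanity-check FortiOS 'diagnose netlink aggregate name <name>' output.

Added example, not code from the forum thread or from Fortinet. It applies the
flag legend the command prints to the actor/partner state strings and reports
the conditions under which LACP itself blocks traffic.
"""

# Legend in the order FortiOS prints the six letters (e.g. ASAIEE).
FLAG_FIELDS = (
    ("mode",         {"A": "active", "P": "passive"}),
    ("speed",        {"S": "slow", "F": "fast"}),
    ("aggregation",  {"A": "aggregatable", "I": "individual"}),
    ("sync",         {"I": "in-sync", "O": "out-of-sync"}),
    ("collecting",   {"E": "enabled", "D": "disabled"}),
    ("distributing", {"E": "enabled", "D": "disabled"}),
)


def decode_lacp_state(flags):
    """Translate a state string such as 'ASAIEE' into a dict of named fields."""
    if len(flags) != len(FLAG_FIELDS):
        raise ValueError(f"expected {len(FLAG_FIELDS)} flag letters, got {flags!r}")
    decoded = {}
    for (name, table), letter in zip(FLAG_FIELDS, flags):
        if letter not in table:
            raise ValueError(f"letter {letter!r} is not valid in the {name} position")
        decoded[name] = table[letter]
    return decoded


def parse_aggregate_output(text):
    """Split the output into the aggregate summary plus one dict per member port.

    Informative lines are 'key: value'; a 'slave:' line opens a new port block.
    The legend and the CLI prompt carry no such value and are skipped.
    """
    parsed = {"summary": {}, "ports": []}
    current = parsed["summary"]
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line or line.startswith("LACP flags"):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "slave":
            current = {"name": value}
            parsed["ports"].append(current)
        else:
            current[key] = value
    return parsed


def check_aggregate(parsed):
    """Return findings; an empty list means LACP is healthy and the problem lies above it
    (VLAN tagging, trunk allowed list, addressing), which is where this thread ended up."""
    findings = []
    if parsed["summary"].get("status") != "up":
        findings.append("aggregate status is not 'up'")
    if not parsed["ports"]:
        findings.append("no member ports found in output")
    for port in parsed["ports"]:
        name = port["name"]
        if port.get("link status") != "up":
            findings.append(f"{name}: physical link is not up")
        actor = decode_lacp_state(port["actor state"])
        partner = decode_lacp_state(port["partner state"])
        if actor["mode"] == "passive" and partner["mode"] == "passive":
            findings.append(f"{name}: both ends passive, neither side initiates LACP")
        if actor["speed"] != partner["speed"]:
            findings.append(f"{name}: LACP timer mismatch (local {actor['speed']}, peer {partner['speed']})")
        for side, state in (("actor", actor), ("partner", partner)):
            if state["aggregation"] != "aggregatable":
                findings.append(f"{name}: {side} marked individual, port will not join the bundle")
            if state["sync"] != "in-sync":
                findings.append(f"{name}: {side} out of sync")
            if state["collecting"] != "enabled" or state["distributing"] != "enabled":
                findings.append(f"{name}: {side} not collecting/distributing, no data frames flow")
    return findings


# Trimmed from the output posted above: the lines the checker actually reads.
SAMPLE_OUTPUT = """\
status: up
ports: 1
LACP mode: active
LACP speed: slow
actor MAC address: 90:6c:ac:52:3a:5a
slave: port5
link status: up
LACP state: established
actor state: ASAIEE
partner state: ASAIEE
MUX state: COLLECTING_DISTRIBUTING 4
"""

# Constructed variant: the peer never agreed the port into the bundle.
BROKEN_OUTPUT = SAMPLE_OUTPUT.replace("partner state: ASAIEE", "partner state: PSAODD")

if __name__ == "__main__":
    for label, text in (("posted output", SAMPLE_OUTPUT), ("constructed broken output", BROKEN_OUTPUT)):
        problems = check_aggregate(parse_aggregate_output(text))
        print(f"{label}: {'LACP healthy, look above layer 2' if not problems else ''}")
        for problem in problems:
            print("  -", problem)
```

Run against the posted output the checker returns no findings, which matches the thread: both ends are active, in sync and collecting/distributing, so the missing traffic has to be a VLAN or trunk issue rather than LACP. The speed check only notes a slow/fast mismatch; as the reply below says, that alone does not stop traffic.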
Nothing seems to be wrong in terms of aggregation/port-channel interface config. Did you configure the VLAN interface (vlanid 28) attached to the "Test" interface on the FG side?
This is the configuration I am using:
interface Port-channel3
 switchport trunk native vlan 1046
 switchport trunk allowed vlan 1024
 switchport mode trunk
interface GigabitEthernet1/0/3
 description port2.zzz2
 switchport trunk native vlan 1046
 switchport trunk allowed vlan 1024
 switchport mode trunk
 no snmp trap link-status
 no lldp transmit
 no lldp receive
 no cdp enable
 channel-protocol lacp
 channel-group 3 mode active

config sys inter
    edit "zzz2.po2"
        set vdom "inet"
        set type aggregate
        set member "port2" "port6"
        set alias "zzz2.po2"
        set role lan
        set snmp-index 16
    next
    edit "zzz.int.po2"
        set vdom "inet"
        set ip 10.1.201.2 255.255.255.192
        set allowaccess ping
        set alias "zzz.int"
        set role lan
        set snmp-index 8
        config ipv6
            set ip6-allowaccess ping
        end
        set interface "zzz2.po2"
        set vlanid 1024
    next
end
You've just identified your problem. The 100D doesn't have any ten gig ports so trying to do connectivity from 1 gig on the Fortigate to the Cisco 10 gig interface just isn't going to work. One option you could pursue is drop a 1 gig sfp optic in the 3850 and dumb down the port to a 1 gig port. I don't know for certain, but I had in mind that the 3850 does support this, if you have the sfp optic.
IIRC Cisco by default uses 'slow' BPDUs whereas FortiOS assumes 'fast', where slow means 1 packet in 30 seconds, and fast 1 packet per second. Just as a notice, this is not the root cause here.
Hello, thank you for your answer. I altered the configuration, as I didn't have a native VLAN, but no success.
Cisco
interface Port-channel2
switchport trunk native vlan 4093
switchport trunk allowed vlan 208
switchport mode trunk
interface TenGigabitEthernet1/0/9
switchport trunk native vlan 4093
switchport trunk allowed vlan 208
switchport mode trunk
channel-protocol lacp
channel-group 2 mode active
Forti
config system interface
    edit "Test"
        set vdom "root"
        set type aggregate
        set member "port5"
        set snmp-index 60
    next
    edit "IF_Test"
        set vdom "root"
        set ip 192.168.0.209 255.255.255.252
        set allowaccess ping https
        set snmp-index 61
        set interface "Test"
        set vlanid 208
    next
end
As we already have one trunk between a Cisco SG500 (lower-level model) and the FG, here is that config as well, but it does not work if I try the same.
interface Port-channel2
description IF_Aggr
switchport trunk allowed vlan add 530
switchport trunk native vlan 445
interface gigabitethernet1/1/24
channel-group 2 mode auto
Now if I do the same, PAgP will be configured instead of LACP and it will not work.
Can it be because I am using a 10Gb port on the Cisco 3850 whereas the FortiGate is 1Gb?
Copyright 2024 Fortinet, Inc. All Rights Reserved.