Hi All,
I have a doubt regarding LACP configuration on a FortiGate firewall together with Cisco switches. Can anybody explain how we can implement it in a real environment?
Please find the attached snapshot, where you can see what I want to design in our environment.
Thank you.
I think the missing element in this setup is the ISL between SW1 and SW2. If both switches were stacked one would immediately see that both LACP trunks would be operating with 2 ports each.
If one switch fails, the trunk from the active FGT would halve in bandwidth but continue to work. If you need the complete bandwidth at all times, monitor those links to trigger an HA failover if one link fails.
Again: LACP trunks to 2 separate switches will not work. The solution is to stack these switches.
Can you do this? Are there sufficient ports free for a link? Does your model and firmware support this?
If not, you'd need to go with just one switch. Which, BTW, is not so uncommon; switches are much more resilient/reliable than devices with higher-level functions like firewalls.
Yeah this won't work unless those two Cisco switches are either stacked together or using VPC. You can't establish a LAG split between two different independent switches.
What model Cisco switches are they?
Created on 12-19-2022 02:36 AM Edited on 12-19-2022 02:37 AM
Hi Graham,
I would like to tell you that switch 1 and switch 2 are normal L2 Cisco switches. In this case, can it work or not?
Case 1 - If SW1 goes down, traffic should move via SW2.
As Graham said, you cannot make a LAG between two independent L2 switches. You must either stack them (e.g. Catalyst stack ring) or make a VPC (Cisco Nexus). If you only have two stand-alone L2 switches, the best you could do would be something like this:
This will give you some link redundancy and aggregation, but if, e.g., the switch of the active firewall goes down or is rebooted, it will trigger an HA failover.
Thank you for providing the solution.
They are basically L2 Catalyst switches.
You have to link the two switches to prevent loops in the network and have a path for the traffic that reaches one and needs to go through the other.
If you configure LACP on FortiGate, you have to consider one point: don't put the ports of both FortiGate units in one LACP group on the switch. You should add them to two different groups. If you do the setup as in your design, FortiGate will detect different switches on the ports, and one of the ports will work and the other will not. But we have two FortiGates; will they both choose the same switch, or will the master do it? I am not sure. If the two units activate the link on different switches, STP should disable one.
For completeness' sake - yes, as others have said, you CANNOT create an aggregate trunk to 2 separate Cisco switches WITH LACP (you would get an error on the FGT side, "mismatch aggregate ID" of a sort, and one aggregate would not form). On the other hand, you can create an aggregate if you disable LACP altogether and form the aggregate statically. I can't vouch for how good it will be, or whether it will work as expected, but the aggregate will come up. I had to do it (unfortunately) in specific circumstances and it worked - FortiGate to 2 Cisco switches w/o LACP.
If you feel adventurous, try doing LACP with debug enabled on FGT Fortigate LACP debug commands
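As an added illustration of the design the replies converge on (not configuration posted by anyone in this thread), here is the FortiOS CLI for the "each FortiGate to its own switch" layout: both member ports of the active unit go to SW1 in one LACP group, both ports of the standby unit go to SW2 in a separate group, the switches are linked by an ISL, and HA monitors the aggregate so that losing the active unit's switch triggers a failover. The interface name "agg-sw", the member ports port1/port2 and the VDOM "root" are assumptions; an HA cluster is assumed to exist already.

```text
# Added example: FortiOS CLI, one aggregate per FortiGate unit.
# On FGT-A, port1 and port2 are cabled only to SW1; on FGT-B, the
# same ports are cabled only to SW2. Interface config syncs across
# the HA pair, so this is entered once on the primary unit.
config system interface
    edit "agg-sw"
        set vdom "root"
        set type aggregate
        set member "port1" "port2"
        set lacp-mode active
        set lacp-speed fast
        # Keep the aggregate up with a single surviving member; the
        # thread notes bandwidth halves but traffic continues.
        set min-links 1
        set min-links-down operation
    next
end

# Port monitoring: if the aggregate on the active unit goes down
# (e.g. its switch is rebooted), HA fails over to the other unit,
# whose aggregate lands on the other switch.
config system ha
    set monitor "agg-sw"
end
```

On each Cisco switch the two ports facing its FortiGate go into one channel-group of their own (mode active), never a channel-group shared with ports facing the other FortiGate; the ISL between SW1 and SW2 carries the traffic across after a failover.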