Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Umesh
Contributor

LACP configuration FGT and cisco switch

Hi All,

 

I have doubt regarding LACP configuration in fortigate Firewall along with cisco switch, Can anybody explain it how can we implement it real environment.

 

Please find the attached snapshot where you can see what I want to design in our environment.

 

Thank you.lacp.JPG

 

9 REPLIES 9
ede_pfau
SuperUser
SuperUser

I think the missing element in this setup is the ISL between SW1 and SW2. If both switches were stacked one would immediately see that both LACP trunks would be operating with 2 ports each.

 

If one switch fails, the trunk from the active FGT would halfe in bandwidth but continue to work. If you need the complete bandwidth at all times, monitor those links to trigger a HA failover if one link fails.

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
ede_pfau

Again: LACP trunks to 2 separate switches will not work. The solution is to stack these switches.

Can you do this? Are there sufficient ports free for a link? Does your model and firmware support this?

If not, you'd need to go with just one switch. Which, BTW, is not so uncommon, switches are much more resilient/reliable than devices with higher level functions like firewalls.

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
gfleming
Staff
Staff

Yeah this won't work unless those two Cisco switches are either stacked together or using VPC. You can't establish a LAG split between two different independent switches.

 

What model Cisco switches are they?

Cheers,
Graham
Umesh

Hi Graham,

I would like to tell you that switch 1 and switch 2 are the normal L2 cisco switch, in this case can it work or not.

Case 1 - If Sw 1 goes down, traffic should move via sw2

 

jnielsen

As Graham said, you can not make a LAG between two independent L2 switches. You must either stack them (e.g. Catalyst stack-ring) or make a VPC (Cisco Nexus). If you only have two stand-alone L2 switches, the best you could do would be something like this:

Screenshot 2022-12-19 at 12.41.10.png
This will give you some link redundancy and aggregation, but in case of e.g. the switch of the active firewall goes down/is rebooted, it will trigger a HA-failover. 

Umesh

thank you for providing the solution

Umesh

They are basically L2 catalyst switches. 

Mohamed_Gaber
Contributor

You have to link the two switches to prevent loops in the network and have a path for the traffic that reaches one and needs to go through the other.

If you configure LACP on FortiGate you have to consider a point. Don't put the ports of both FortiGate units in one LACP group on the switch. You should add them to two different groups. If you do the setup as your design, FortiGate will detect different switches on the ports, and one of the ports will work and the other will not. But we have two FortiGate. will they both choose the same switch or the master will do it? I am not sure. If the two units activate the link on different switches STP should disable one.

Mohamed Gaber
Cell : +201001615878
E-mail : mohamed.gaber@alkancit.com
Mohamed GaberCell : +201001615878E-mail : mohamed.gaber@alkancit.com
Yurisk
SuperUser
SuperUser

For completeness sake - yes, as others have said, you CANNOT create an aggregate trunk to 2 separate Cisco switches WITH LACP (you would get an error on FGT side "mismatch aggregate ID" of a sort and one aggregate would not form) . On the other hand, you can create an aggregate if you disable LACP altogether, and form the aggregate statically. I can't vouch how good will it be, or will it work as expected, but aggregate will come up.  I had to do it (unfortunately) in specific circumstances and it worked - Fortigate to 2 Cisco switches w/o LACP.

 

If you feel adventurous, try doing LACP with debug enabled on FGT Fortigate LACP debug commands 

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors