I was informed today that certain models do not support link aggregation of their 10Gbps interfaces, specifically the 900D and 1000D, or perhaps it's better to say that it doesn't work.
Is this true?
If so, are there other models that don't support this, like the 600D?
I haven't heard that, but you only have 2x 10gige ports. Unless they are on some limit fabric, maybe this is a limitation in the hardware.
An SSE from FTNT could better answer any limitation within the 2-port (10gige) FGT models.
PCNSE
NSE
StrongSwan
I actually heard this from a FTNT SE but can't seem to find anything on it in any documentation, so wanted to throw this one out there for further comment. As I understood it, it's a hardware limitation?
It doesn't seem to be a problem on the 800C and 1000C and we have a good few customers link aggregating their 10gig interfaces on those models.
Could be, but we have Link Aggregation on 2x10GIGE interfaces on the 1500D. I believe this chassis is built on the same base hardware as that of a 900/1000D but just with more 10gige ports ;)
Did your SE say what FortiOS versions were affected? And if any CSB was drafted?
Ken
PCNSE
NSE
StrongSwan
As I understand it, the 1200D and 1500D are OK and that this is not firmware related but hardware.
If there is a limitation, then fair enough, but it needs to be communicated effectively in the documentation.
That's pretty much all I've heard.
This is a hardware limitation, independent of the FortiOS version.
This affects the FG-900D and the 1000D - with 2 NP6 and no ISF.
These models simply do not have an Internal Switch Fabric (ISF) connecting the NP6s. One NP6 can support up to 4 10G ports but on the affected models, one NP6 is wired to one 10G and several 1G ports. So you cannot combine 10G ports.
IMHO this is one of the rare hardware limitations which should be known to Fortinet partners beforehand. My local SE has stressed this point in our last meeting without being questioned so he did what he could do.
(edit: affected models)
Nicely buried in the hardware acceleration for FortiOS 5.2 documentation I found this:
The increase in offloading capacity offered by LAGs and multiple NP6s is supported by the integrated switch fabric (ISF) that allows multiple NP6 processors to share session information. Most FortiGate units with multiple NP6 processors also have an ISF. However, the FortiGate-1000D does not have an ISF. On this model and others that have more than one NP6 and no ISF, if you attempt to add interfaces connected to different NP6 processors to a LAG the system displays an error message.
Interesting notes but I'm not surprised. This is why POCs are crucial and you need to test what your needs are now and any possible needs in the future. I'm so glad we went with 1500D.
Ken
PCNSE
NSE
StrongSwan
A follow-up on this: I've found out that the 600D is not affected as it only has the one NP6.
There's also a useful Fortinet blog post about the NP6 platform architecture:
https://blog.fortinet.com/post/optimizing-your-network-design-with-the-np6-platform
That's right regarding the 900D.
The two 10G ports are located on different NPs and there is no internal switch fabric.
I've received this information from a Fortinet SE at a partner meeting in Frankfurt, Germany.
Fortinet Platinum Partner
FCSNP v4
FCSNP v5