Why does Fortigate require me to make LACP configurations separate networks?

khuffmanjr · ‎04-21-2023

Hi! First post.

I recently got into a Fortigate 40f and then quickly upgraded to a 60f (not a waste; I have another use coming up for the 40f). I have the Fortigate connected to multiple WANs (in SD-WAN), PC, TV/chromecast and a WAP. I'm also connected to a distant home office where I plan to have a cisco stack of two switches with some other PC/Server devices, TV/chromecast, another WAP and some IoT (wireless bulbs and cameras). I plan to LACP the cisco stack back to the Fortigate. I want everything on the same network and, in the future, I plan to move the WAPs and IoT off to a separate vlan.

My question is this: Why must I make the LACP connection to my cisco stack a separate network on the fortigate? This is essentially just etherchannelling "two" switches together - the Fortigate hardware switch and the cisco stack. Is there a way to have all Fortigate LAN and Fortilink ports on the same hardware switch and still use LACP to connect my cisco stack such that everything is on the same LAN segment?

Thanks!

Toshi_Esumi · ‎04-21-2023

Fortilink is for like FortiSwitches(FSWs) connected over CAPWAP. If you don't have FortiSwitches, you don't have to use Fortilink. You can "de-configure" fortilink A, B port to be independent ports.
Then you can configure LAG/LACP interface on your 60F, or even 40F.

Toshi

khuffmanjr · ‎04-21-2023

Right, I get that. But when I create an LACP Interface, I must put it on a separate network (IP). I don't want to. I want it to work like many other switches where I can just etherchannel them together and have one larger network that includes the Fortigate switch ports.

Thanks. Any other thoughts, please?

Toshi_Esumi · ‎04-21-2023

Why do you think you have to? I never did that before, or I thought it's not possible. Can you show us GUI or CLI what you're seeing?

Toshi

Toshi_Esumi · ‎04-21-2023

Or, are you talking about VLAN subinterfaces on the LAG/LACP interface?

khuffmanjr · ‎04-21-2023

Sure, and thank you for having a look with me.

This pic is for a new 802.3ad interface and seems to require different IP netowrk info than what I have for the built-in hardware switch on the fortigate.

Toshi_Esumi · ‎04-21-2023

Are you talking about the "Create address object matching subnet"? That's only for an address object you can use it later in FW policies or some other places. If you don't plan to use it, you can just disable it. You can create an address object later if/when you need it.

Toshi

Toshi_Esumi · ‎04-21-2023

Or, LAG/LACP interface is a logical interface. You have to define an IP on it just like Cisco's "Port-channel".

Toshi_Esumi · ‎04-21-2023

You can't have hard-switch/vlan-switch interfaces as a part of LAG/LACP members. You have to remove those ports from the hard-switch/vlan-switch interfaces, like "internal" (60F), or "lan" (40F).

Toshi

khuffmanjr · ‎04-21-2023

But you don't define an IP nor IP network for a cisco portchannel nor etherchannel. You can choose at what layer to apply load balancing but portchannels/etherchannels just extend the layer 2 network in the same way a simple ISL would do.

References:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5500/sw/interfaces/7x/b_5500_Interfac...

https://www.cisco.com/c/en/us/support/docs/lan-switching/etherchannel/19642-126.html

It seems Fortigate just arbitrarily requires you to create a new segment anytime you want to do LACP with some switch(es). This is not ideal.