Support Forum
khuffmanjr

Why does Fortigate require me to make LACP configurations separate networks?

Hi!  First post.

I recently got into a Fortigate 40f and then quickly upgraded to a 60f (not a waste; I have another use coming up for the 40f).  I have the Fortigate connected to multiple WANs (in SD-WAN), PC, TV/chromecast and a WAP.  I'm also connected to a distant home office where I plan to have a cisco stack of two switches with some other PC/Server devices, TV/chromecast, another WAP and some IoT (wireless bulbs and cameras).  I plan to LACP the cisco stack back to the Fortigate.  I want everything on the same network and, in the future, I plan to move the WAPs and IoT off to a separate vlan.


My question is this:  Why must I make the LACP connection to my cisco stack a separate network on the fortigate?  This is essentially just etherchannelling "two" switches together - the Fortigate hardware switch and the cisco stack.  Is there a way to have all Fortigate LAN and Fortilink ports on the same hardware switch and still use LACP to connect my cisco stack such that everything is on the same LAN segment?


Thanks!

21 replies
Toshi_Esumi

You're thinking to use the LAG/LACP on the FortiGate (FGT) as just an L2 interface, right? FortiGate is a router and has to have an IP on the interface like LAG/LACP to route traffic and firewall it. Especially with FGT, you can't make it an L2 interface and then pass L3 packets to an SVI interface, like you're thinking. The SVI concept doesn't exist, or almost doesn't exist (because the 60F's vlan-switch mimics that), in FGTs.
If you don't like it, you need to look for a different manufacturer's L2/L3 router/switch products from Cisco, Juniper, etc.


Toshi

khuffmanjr

Understood, thanks.  Looks like I made a poor choice.

Toshi_Esumi

I felt the same when I first dealt with FGTs 15+ years ago because it operates like a Cisco 2600, 1800 or other L3 router with vlan-subinterfaces. Not an L2/L3 switch/router like a 6500.

But I changed my mindset to "this is a firewall, not a switch/router", then started designing the network around it, and soon got used to it.


Toshi

khuffmanjr

Sure, I get it.  My physical layout makes it supremely advantageous to use the LAN ports on the Fortigate though.  It's a bummer I can't have a flat network and still use a LAG.

Toshi_Esumi

By the way, if you have to share the same IP/network between the LAG/LACP interface and other physical ports, or even a hardswitch interface, without defining a separate IP on the LAG, you can use a softswitch interface.

https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/277799/software-switch

Just keep in mind this is not done by hardware/chip but by software, so performance would not be the same as with the hardswitch.


Toshi
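The layout Toshi describes above (a LAG to the Cisco stack bridged with the remaining local LAN ports, with the single IP on the software switch rather than on the LAG), written out as an added FortiOS CLI sketch. This is not from the thread or from Fortinet's documentation; the interface names `lag1` and `soft-lan`, the choice of `internal1`-`internal4` as member ports, and the `192.168.1.0/24` addressing are assumptions. It also assumes those ports have already been taken out of the 60F's built-in hardware switch, since a port can belong to only one switch or aggregate at a time.

```text
# Added example, not from the thread. Names, ports and addresses are placeholders.
# Assumes internal1-internal4 were already removed from the built-in hardware switch.

# 1. The LAG facing the Cisco stack. Use active LACP on both ends so the
#    bundle only comes up when the peer negotiates it.
config system interface
    edit "lag1"
        set vdom "root"
        set type aggregate
        set member "internal1" "internal2"
        set lacp-mode active
    next
end

# 2. Bridge the LAG and the local LAN ports into one software switch.
#    Every device behind any member ends up in the same L2 broadcast domain.
config system switch-interface
    edit "soft-lan"
        set vdom "root"
        set member "lag1" "internal3" "internal4"
    next
end

# 3. The one IP for the flat network lives on the software switch itself,
#    not on lag1 and not on the physical ports.
config system interface
    edit "soft-lan"
        set ip 192.168.1.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
    next
end
```

Two things worth checking before committing to this: frames between members of a software switch are forwarded by the CPU, so throughput between the Cisco stack and the local ports will be below what the hardware switch delivers (Toshi's point above); and because everything is one L2 domain, no firewall policy sits between the devices on the stack and those on the local ports, which is exactly the boundary the later WAP/IoT VLAN split is meant to reintroduce.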

khuffmanjr

Thanks.  I wish I had some hard data to gauge how much I'm losing with the software switch.  I will already have to use PPPoE for my internet when I get gigabit fiber soon and I know that is not offloaded.  So the software switch could sink me....or maybe it would be fine.  Who knows, lol.  Anyway, thanks again.

gfleming

@Toshi_Esumi has done an excellent job explaining how FortiGates work (yeah, they aren't L2 switches) and what your options are here.


One last question for you: do you actually need to use a LACP port to connect to your FGT? I'm assuming you don't need it for the bandwidth but most likely just for redundancy...


What about using two layer 3 routed ports between the FGT and the Cisco stack?


Or just use good old fashioned STP and have one of the links blocking.

Cheers,
Graham
khuffmanjr

Redundancy is the main concern, yes.  Can you please provide a bit more info on what you mean by layer 3 routed ports?  I want everything in a flat network between the FGT lan and the cisco stack.  Would that fulfill the need?

gfleming

Oh OK, no. In that case, if you want the same L2 domain on FGT ports and Cisco ports, you would need to use STP for redundancy.

Cheers,
Graham
khuffmanjr

Ok, fair enough.  I'm actually now considering a third switch in the stack to be placed at the FGT.  I would need three cables between "rooms" in that case:  one for the cross-stack uplink member and two for stack links between switches.  I can make the cabling work, get a more complex stack (which will be slightly more fun than two switches) and then just put everything from both rooms on the stacked switches.  The stack can connect to an LACP interface on the FGT and Bob's your uncle, flat network.  I'd have all my FGT LAN ports open if I ever want to put anything there that I don't mind routing to the rest of the network.


Does that sound reasonable? Thanks!
