Article Id 197941

Description

Link Aggregation on a FortiGate unit

Components

FortiGate units, running FortiOS firmware version 4.00 MR2, 4.00 MR3 and 5.0.x

Content

What is link aggregation?

Link aggregation, standardized as IEEE 802.3ad (since moved into IEEE 802.1AX), groups several physical interfaces into one logical 'trunk' whose bandwidth is the sum of its members. It also provides link redundancy: traffic on a failed member link is automatically redirected to the remaining links in the trunk. This is redundancy at the link level; it is separate from FortiGate HA clustering, which pairs whole units.

Are there other names for link aggregation?

Link aggregation is also called Ethernet trunk, NIC teaming, port teaming, port trunking, and NIC bonding.
 
Is link aggregation supported in FortiOS versions 4.00 MR2, 4.00 MR3 and 5.0.x?
 
Yes, but only on FortiGate hardware platforms whose network interfaces support it.

How can I check if 802.3ad is supported on my FortiGate unit?

Create a new interface (System > Network > Interface > Create New) and look for the type 802.3ad Aggregate. If that type is not offered, link aggregation is not supported on your FortiGate unit. The equivalent check in the CLI is whether 'set type aggregate' is accepted when editing an interface under 'config system interface'.

What is LACP?

Link Aggregation Control Protocol (LACP) is the Layer 2 negotiation protocol that both ends of an aggregate use to agree which links belong to the bundle and to detect, through periodic LACP data units, when a link stops working. The device at the other end of the links is called the peer.

When do I need to use LACP?

If you are creating an aggregate between two FortiGate units, you can turn LACP off on both ends (lacp-mode static). A static aggregate sends no LACP frames, so there is no check that each cable really lands on the expected peer port: a mis-wired member is still treated as part of the bundle and silently carries whatever traffic hashes to it. If your FortiGate unit is connecting to a non-Fortinet device, leave LACP enabled (lacp-mode active, the default, or passive) so the two ends negotiate the bundle; a static aggregate facing a peer that expects LACP will not come up.

When is it a good idea to use link aggregation?

Link aggregation makes sense

  • if you need link redundancy,
  • if you need between 1.1 and 8 Gbit/s of aggregate bandwidth, or
  • if you cannot justify the cost of 10 Gbit/s equipment.

Keep in mind that the hash distributes flows, not bytes: a single flow never exceeds the speed of one member link.

What devices are compatible with FortiGate unit link aggregation?

The FortiGate unit should interoperate with any device that implements the 802.3ad standard. At this time, almost any medium-sized managed switch supports 802.3ad.

What devices are not compatible with FortiGate 802.3ad link aggregation?

Before 802.3ad was ratified, some vendors shipped their own proprietary aggregation protocols, and these do not interoperate with 802.3ad. Cisco PAgP (Port Aggregation Protocol) and Adaptec Duralink trunking are two examples. On a Cisco switch this means the port-channel members must be configured with 'channel-group N mode active' (or passive), which selects LACP, rather than 'desirable' or 'auto', which select PAgP.

How many interfaces can I aggregate at once on a FortiGate?

FortiOS allows a maximum of eight interfaces in one aggregate, which is the usual limit in 802.3ad implementations. In practice the number of physical interfaces available on a given FortiGate model may limit this further. Frames are assigned to a member link by a hash of header fields (selectable with 'set algorithm L2 | L3 | L4' on the aggregate in the CLI). Because of how that hash is mapped onto member links, it is recommended to use 2, 4 or 8 physical ports in an aggregate so that the load spreads evenly.

Can I split the links on one end of the trunk between two devices, say two FortiGate 500x blades?

No. A trunk must terminate on a single device at each end. The one possible exception is a FortiGate unit with a trunk of, say, four links connected to two Nortel switches (two links each) that share an MLT (MultiLink Trunking) link between them, so that the switch pair presents itself as one peer. This setup has not been tested with FortiGate and is only theoretically possible.

Can I aggregate ports of different types, for example a GigE and three 10/100 ports?

The FortiGate unit will let you put ports of different speeds into one aggregate. Between two FortiGate units with LACP off (lacp-mode static) the mixed-speed bundle will form. If LACP is in use (the default), it is up to the peer whether all the ports join the bundle: the 802.3ad standard expects every member of an aggregate to run full duplex at the same speed, so non-Fortinet peers may refuse mixed speeds. Even where it works, the hash does not weight members by speed, so a slow member receives the same share of flows as a fast one and becomes the bottleneck.

What happens when a link in a trunk fails and comes back up?

If LACP is enabled, LACP negotiation starts as soon as carrier is detected on the link, and if the negotiation succeeds the link is re-integrated into the trunk. If LACP is not used, the port is marked up as soon as carrier returns and immediately carries traffic again, with no check that the far end still belongs to the same bundle.

Are there restrictions on configuring a trunk?

The chapter on creating interfaces in the FortiGate Administration Guide lists the restrictions for creating a trunk. The main points are summarized below.

An interface is available for aggregation only if

  • it is a physical interface, not a VLAN interface
  • it is not already part of an aggregated interface
  • it is in the same VDOM as the aggregated interface
  • it has no defined IP address and is not configured for DHCP or PPPoE
  • it has no DHCP server or relay configured on it
  • it does not have any VLAN subinterfaces
  • it is not referenced in any firewall policy, VIP, IP Pool or multicast policy
  • it is not an HA heartbeat interface
  • if it is a FGT-5000 backplane interface, it must be visible

Are there restrictions on what I can do on a trunk once it is configured, use VLANs for example?

You can do almost anything on a trunk interface that you can do on a regular interface, subject to the restrictions listed above on the member ports. This includes configuring VLAN sub-interfaces on the trunk (on the trunk itself, not on its member ports).
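The following FortiOS CLI script is an added example and is not taken from the article or from the FortiGate Administration Guide. It builds an LACP aggregate of two members, sets the hash algorithm and the LACP rate, places a VLAN sub-interface on the trunk, and ends with the diagnose commands used to confirm that the members actually joined the bundle. The interface names port3 and port4, the aggregate name agg1, the VDOM root, VLAN ID 100 and the 10.x addresses are assumed values for illustration; check that each option is present in your firmware build before pasting the script.

```fortios
# Added example (not from the article). Assumed names: agg1, port3, port4,
# VDOM root, VLAN 100, 10.0.0.0/24 and 10.100.0.0/24.
# Both members must be unused physical ports: no IP address, DHCP/PPPoE,
# DHCP server, VLAN sub-interfaces, policy references or HA heartbeat role.
config system interface
    edit "agg1"
        set vdom "root"
        set type aggregate
        set member "port3" "port4"
        # active (the default) or passive negotiates with an 802.3ad peer;
        # static sends no LACPDUs and is only for FortiGate-to-FortiGate trunks.
        set lacp-mode active
        # fast = one LACPDU per second, so a dead member is dropped after
        # about 3 s; slow (the default) sends every 30 s and takes about 90 s.
        set lacp-speed fast
        # Header fields hashed to pick the member for each frame:
        # L2 = MAC addresses, L3 = IP addresses, L4 = IP addresses and ports.
        # One flow always stays on one member whichever algorithm is chosen.
        set algorithm L4
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping
    next
end

# A VLAN sub-interface goes on the trunk; a VLAN on a member port would
# make that port ineligible for aggregation.
config system interface
    edit "agg1-v100"
        set vdom "root"
        set interface "agg1"
        set vlanid 100
        set ip 10.100.0.1 255.255.255.0
        set allowaccess ping
    next
end

# Verification: the first command lists every aggregate, the second shows
# each member of agg1 with its link and LACP state. A member whose link is
# up but that never becomes part of the bundle points at a peer mismatch
# (PAgP instead of LACP, static versus LACP, or a speed/duplex difference).
diagnose netlink aggregate list
diagnose netlink aggregate name agg1
```

To convert the same trunk to a static FortiGate-to-FortiGate bundle, change 'set lacp-mode active' to 'set lacp-mode static' on both units; with static mode the verification output will no longer show LACP negotiation state, so confirm the cabling by other means before passing production traffic.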

What log events are associated with link aggregation?

There are currently no log events specific to link aggregation. However, since an aggregate is a virtual interface, the log events generated for VLAN interfaces (link up/down and similar interface events) should also apply to it.

What SNMP traps are associated with link aggregation?

SNMP reports the trunk's speed as the number of statically configured member ports multiplied by their port speed (for example, three 100 Mbit/s ports give a reported trunk speed of 300 Mbit/s). No speed is reported for dynamically (LACP) configured ports. There is currently no standard that specifies how an aggregate's speed should be reported; the method Cisco uses is similar to Fortinet's. Apart from the trunk speed, there are no SNMP traps specific to link aggregation. However, since the trunk is a virtual interface, it should generate the same traps as a VLAN interface.

 

Related Articles

Technical Tip: Initial troubleshooting steps for LACP (Link Aggregation - 802.3ad)

Link Aggregation how tos
