Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Matthew1
New Contributor

Created on ‎02-08-2021 07:27 AM

Fortigate 100F ( HA Cluster ) Link Aggregation for multiple vDoms

Hello to all,

 

Iám  new to the Fortinet Products.

At the moment i concern onself with the Fortigate 100F Firewall.

 

Question:

 

It is possible to configure one LACP link (with to ports)  to a Switch, when i use multiple vDoms on the Fortigate 100F

and this Fortigate is also in a HA Cluster.

 

Because i read the below in the FortiOS 6.4.4 Adminstration Guide on Page 397:

 

Aggregation and redundancy

An interface is available to be an aggregate interface if:

[size="3"]It is in the same VDOM as the aggregated interface. [style="background-color: #ffff00;"]Aggregate ports cannot span multiple VDOMs[/style][/size]

 

https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/7d5dfa98-3a77-11eb-96b9-005056...

 

Does this mean i need a dedicated Interface pair per vDOM ?, or can i use Vlan´s on the 802.1q Trunk and then 

use one Vlan per vDom ?

 

Any recommendation / example configuration would be great.

 

Thank you.

    [size="2"] [/size]
12850
0 Kudos
20 REPLIES 20
Toshi_Esumi
Esteemed Contributor III

Created on ‎02-08-2021 10:53 AM

In multi-vdom environment, you generally want to use VLANs on the trunked agg interface. Each VLAN subinterface can be bound to any vdom independently.

5366
0 Kudos
Matthew1
New Contributor
In response to Toshi_Esumi

Created on ‎02-09-2021 12:27 AM

Thank you for the quick reply Toshi.

 

If i get it right, you configure a LACP Interface with 2 physical Port´s on the Fortigate for each vDOM ?

or for the root vDOM alone and then use Vlan´s in the other vDOMs and bound it to the LACP Interface on the root

vDOM?

 

Some configuration example may make it clear for me.

 

Thank you.

 

5366
0 Kudos
Toshi_Esumi
Esteemed Contributor III
In response to Matthew1

Created on ‎02-09-2021 08:21 AM

By assuming the other end is terminated at a VLAN capable switch, regardless where/what vdom the physical agg interface is terminated at, we regularly don't assign any IP on it, or don't use non-tagged interface, but use only VLANs for all VDOM uses including root. Where on the other end it's switched with/without tags is up to the switch.

5365
0 Kudos
Matthew1
New Contributor
In response to Toshi_Esumi

Created on ‎02-09-2021 08:50 AM

Thank you for the reply Toshi and interest.

 

Still not 100% clear for me.

 

Fortigate Interface 1 to  Switch(1) Interface 1 - LACP and 802.1q

Fortigate Interface 2 to  Switch(2) Interface 1 - LACP and 802.1q

 

Per VDOM : physical interface --> devided into subinterface for each VLAN -----> Fortigate tag the Vlan and send it across the link 

is this correct ?

 

How to achieve a LACP link with 802.1q trunking ?

 

thank you 

5364
0 Kudos
Toshi_Esumi
Esteemed Contributor III
In response to Matthew1

Created on ‎02-09-2021 09:45 AM

Yes. Although each vdom doesn't care about physical interfaces.

Below thread includes LACP config in the middle. All about mode, speed and algorithm config. I think it's automatically configured on any agg interface with active/slow/L3. We always use active-active to avoid any incompatibility issues.

https://forum.fortinet.com/tm.aspx?m=174862

 

 

5364
0 Kudos
Matthew1
New Contributor
In response to Toshi_Esumi

Created on ‎02-12-2021 02:34 AM

Thank you Toshi for the reply and interest.

 

Iám still a liitle bit confused.

 

Toplogy: Full mesh High Availability  Virtual Cluster with two FG.

 

full mesh consist of 4 Switches ( switch pair stacked) and 2 FG with 3 VDOMS. No Inter-VDOM-routing necessary.

 

                        Server

                            |

              Switch Stack (2 Switches)

                agg. Trunk 802.1q

           FG 1 Primary-Hearbeat- FG 2 Secondary  ( VDOMS same one each FG)

              agg.  Trunk 802.1q

             Switch Stack (2 Switches)

                            |

                         Server

 

Just to get it right now, each VDOM has normally 2 phy. Ports ingress and egress.

I don´t want to use two dedicated phy. Ports for each VDOM.

Is it instead possible to use a logical Interface in the shape of 802.1q trunk for each VDOM.

So that at the end , i use  two phy. ports on each FG for the upper stacked switches agg. trunk and two phy. ports for the agg. trunk to bottom stacked switches ????

 

regards

 

 

     

5364
0 Kudos
Toshi_Esumi
Esteemed Contributor III
In response to Matthew1

Created on ‎02-12-2021 01:51 PM

Yes, that's what I've been trying to explain. Each VDOM takes only a VLAN interface (physical interfaces and the agg interfaces need to be in one of them but doesn't matter which one).

In case of "stacked two switches" and one leg goes to the first switch and another goes to the second, it's not generally called as "full-mesh" but practically accomplishes the same so we almost always use that topology for HA.

5365
0 Kudos
Matthew1
New Contributor

Created on ‎02-15-2021 05:30 AM

Hi Toshi,

thank´s for your effort.

This Solution ist not what iám looking for.

I only want to use 4 phy. Interfaces per FG Firewall ( 2 leg for the upper 2 switch´s with agg. 802.1q Trunk

and 2 legs to the bottom switch with agg. 802.1q Trunk.

Then use logical Interface and bound it to the agg. Trunk Interface. 

Not a additional phy. Interface per VDOM.

Just 4 phy. Interfaces and 3 VDOMs per FG Firewall that´s it.

thank you.

5365
0 Kudos
Toshi_Esumi
Esteemed Contributor III
In response to Matthew1

Created on ‎02-15-2021 10:11 AM

Isn't this what you want??

Preview file
185 KB
5366
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.