Fortigate Link Aggregation 802.3AD / LACP with Cisco Switching

I recently clustered a pair of Fortigate 240Ds in an Active/Active configuration and wanted to uplink the Fortigate firewalls to my Cisco 3750-Xs using a pair of 4-port LACP port trunks. Given that this would be a cross-vendor LAG, I thought I’d document the settings required for the Fortigate to bring up the link successfully.

OK, let’s start with the Fortigate:

[Screenshot: Fortigate_LAGG]

Configuration is very simple, and Fortinet have kindly made this easier in later versions of FortiOS by giving you a drop-down that lets you select ‘802.3AD Aggregate’ as the interface type. After setting that, you simply add the ports you’d like to bond.

Now on to the Cisco 3750-Xs:

I’ll be carrying multiple VLANs across my LAG, so my config may be slightly different from yours, but here goes.

First, create your Port-Channels on the switch:

interface Port-channel2
description FW1-FGT-Top
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 200,201,202,203
switchport mode trunk
storm-control broadcast level 20.00
storm-control multicast level 20.00
storm-control action shutdown
storm-control action trap
!

interface Port-channel3
description FW1-FGT-Bottom
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 200,201,202,203
switchport mode trunk
storm-control broadcast level 20.00
storm-control multicast level 20.00
storm-control action shutdown
storm-control action trap
!

Now configure your ports and add them to the channels. (The spanning-tree lines are edge hardening rather than anything the LAG needs to come up: ‘bpduguard’ puts the port into errdisable if a BPDU ever arrives from the firewall side, but with interface-level ‘bpdufilter’ also enabled the port drops incoming BPDUs before the guard can see them, and ‘spanning-tree portfast’ without the ‘trunk’ keyword has no effect on a trunk port.)

interface GigabitEthernet1/0/1
description FW1-P1-Top
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 200,201,202,203
switchport mode trunk
storm-control broadcast level 20.00
storm-control multicast level 20.00
storm-control action shutdown
storm-control action trap
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
channel-group 2 mode active
!
interface GigabitEthernet1/0/2
description FW1-P1-Top
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 200,201,202,203
switchport mode trunk
storm-control broadcast level 20.00
storm-control multicast level 20.00
storm-control action shutdown
storm-control action trap
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
channel-group 2 mode active
!
interface GigabitEthernet1/0/3
description FW1-P1-Top
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 200,201,202,203
switchport mode trunk
storm-control broadcast level 20.00
storm-control multicast level 20.00
storm-control action shutdown
storm-control action trap
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
channel-group 3 mode active
!
interface GigabitEthernet1/0/4
description FW1-P1-Top
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 200,201,202,203
switchport mode trunk
storm-control broadcast level 20.00
storm-control multicast level 20.00
storm-control action shutdown
storm-control action trap
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
channel-group 3 mode active
!
interface GigabitEthernet2/0/1
description FW1-P1-Top
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 200,201,202,203
switchport mode trunk
storm-control broadcast level 20.00
storm-control multicast level 20.00
storm-control action shutdown
storm-control action trap
spanning-tree portfast
spanning-tree bpduguard enable
channel-group 2 mode active
!
interface GigabitEthernet2/0/2
switchport trunk allowed vlan 200,201,202,203
switchport mode trunk
storm-control broadcast level 20.00
storm-control multicast level 20.00
storm-control action shutdown
storm-control action trap
spanning-tree portfast
spanning-tree bpduguard enable
channel-group 2 mode active
!
interface GigabitEthernet2/0/3
description FW1-P1-Bottom
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 200,201,202,203
switchport mode trunk
storm-control broadcast level 20.00
storm-control multicast level 20.00
storm-control action shutdown
storm-control action trap
spanning-tree portfast
spanning-tree bpduguard enable
channel-group 3 mode active
!
interface GigabitEthernet2/0/4
description FW1-P1-Bottom
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 200,201,202,203
switchport mode trunk
storm-control broadcast level 20.00
storm-control multicast level 20.00
storm-control action shutdown
storm-control action trap
spanning-tree portfast
spanning-tree bpduguard enable
channel-group 3 mode active
!

The key setting for the port-channel / LAG to come up is the ‘channel-group’ mode: ‘active’ makes the switch run LACP (802.3AD) and send LACPDUs to the Fortigate, whose aggregate interface negotiates the same way. ‘passive’ would also work as long as the Fortigate end is active, since LACP only needs one side to initiate, but ‘on’ builds a static bundle with no negotiation at all and will not come up against an LACP-mode aggregate, and the PAgP modes ‘desirable’ and ‘auto’ are Cisco-only.
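As an added example (not code from the original post, Fortinet or Cisco), the Python script below parses a Cisco IOS excerpt and a FortiOS ‘config system interface’ stanza and checks what both ends of a cross-vendor LAG have to agree on: every member of the channel-group carrying identical switchport settings (IOS suspends a member whose trunk configuration differs from the bundle), matching member counts, and channel modes that can actually negotiate (LACP needs at least one ‘active’ end, and a static ‘on’ bundle never forms against an LACP-mode aggregate). The FortiOS stanza doubles as the CLI equivalent of the GUI aggregate step described earlier; its interface name ‘LAG-Top’ and members port1 to port4 are assumptions for this example, and the Cisco sample is a trimmed copy of the channel-group 2 listing above, kept exactly as listed there.

```python
"""Cross-vendor LAG sanity check (an added example, not code from the original post): parse a Cisco
IOS excerpt plus a FortiOS aggregate stanza, then flag members whose switchport settings differ
(IOS suspends such a member) and channel modes that can never negotiate a bundle."""
import re
from collections import Counter, defaultdict

# Constructed sample: trimmed copy of the post's channel-group 2 listing, keeping its drift (no
# 'switchport trunk encapsulation dot1q' line on Gi2/0/2).
CISCO_CONFIG = """
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 200,201,202,203
 switchport mode trunk
 channel-group 2 mode active
!
interface GigabitEthernet1/0/2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 200,201,202,203
 switchport mode trunk
 channel-group 2 mode active
!
interface GigabitEthernet2/0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 200,201,202,203
 switchport mode trunk
 channel-group 2 mode active
!
interface GigabitEthernet2/0/2
 switchport trunk allowed vlan 200,201,202,203
 switchport mode trunk
 channel-group 2 mode active
!
"""

# Constructed sample: FortiOS CLI equivalent of the GUI '802.3ad Aggregate' step. The interface
# name "LAG-Top" and the member names port1..port4 are assumptions for this example.
FORTIOS_CONFIG = """
config system interface
    edit "LAG-Top"
        set type aggregate
        set member "port1" "port2" "port3" "port4"
        set lacp-mode active
    next
end
"""

# Switchport settings IOS requires to be identical on every member of a bundle.
BUNDLE_KEYS = ("switchport trunk encapsulation", "switchport trunk allowed vlan", "switchport mode")


def channel_groups(text):
    """Parse IOS 'interface' stanzas into {group: {member: (channel mode, {bundle key: value})}}.
    The settings dict is stored by reference, so lines after 'channel-group' still land in it."""
    groups, name, settings = defaultdict(dict), None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name, settings = line.split(None, 1)[1], {}  # fresh settings dict per interface
        elif (m := re.match(r"channel-group (\d+) mode (\S+)$", line)) and name:
            groups[int(m.group(1))][name] = (m.group(2), settings)
        else:
            for key in BUNDLE_KEYS:
                if line.startswith(key + " "):
                    settings[key] = line[len(key) + 1:]
    return dict(groups)


def member_mismatches(members):
    """Names of members whose bundle settings differ from the group's most common profile."""
    profiles = Counter(frozenset(s.items()) for _, s in members.values())
    baseline = profiles.most_common(1)[0][0]
    return sorted(n for n, (_, s) in members.items() if frozenset(s.items()) != baseline)


def parse_fortios_aggregate(text):
    """Return (lacp-mode or None, [member ports]) from a FortiOS aggregate interface stanza."""
    mode = re.search(r"set lacp-mode (\S+)", text)
    members = re.search(r"set member (.+)", text)
    return (mode.group(1) if mode else None,
            re.findall(r'"([^"]+)"', members.group(1)) if members else [])


def lacp_forms(cisco_mode, fortios_mode):
    """IOS modes: active/passive = LACP, on = static, desirable/auto = PAgP. FortiOS: active/passive/static."""
    if cisco_mode == "on":
        return fortios_mode == "static"  # static at both ends: no negotiation, the bundle just forms
    if cisco_mode not in ("active", "passive") or fortios_mode not in ("active", "passive"):
        return False  # PAgP has no Fortigate counterpart; an LACP end never bundles with a static end
    return "active" in (cisco_mode, fortios_mode)  # passive/passive: nobody sends the first LACPDU


def check(cisco_text, fortios_text, group_id):
    """Problems for one channel-group against the Fortigate aggregate; [] means they look consistent."""
    members = channel_groups(cisco_text).get(group_id, {})
    if not members:
        return [f"no members found in channel-group {group_id}"]
    fgt_mode, fgt_members = parse_fortios_aggregate(fortios_text)
    modes = sorted({mode for mode, _ in members.values()})
    problems = [f"{n}: switchport settings differ from the rest of channel-group {group_id}"
                for n in member_mismatches(members)]
    if len(modes) != 1:
        problems.append(f"channel-group {group_id}: mixed channel modes {modes}")
    elif not lacp_forms(modes[0], fgt_mode):
        problems.append(f"IOS mode '{modes[0]}' will not negotiate with FortiOS lacp-mode '{fgt_mode}'")
    if len(members) != len(fgt_members):
        problems.append(f"{len(members)} switch members vs {len(fgt_members)} Fortigate members")
    return problems
```

Calling check(CISCO_CONFIG, FORTIOS_CONFIG, 2) returns a single finding, that GigabitEthernet2/0/2 differs from its three siblings, because the listing above carries no encapsulation line on that port. The script only reasons about text; whether the switch actually bundled or suspended that member is something only the switch itself can tell you.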

Check that the link has come up on the Fortigate:

[Screenshot: Lagg_Up]

and then on the Cisco end via ‘show interfaces port-channel x’. It is also worth running ‘show etherchannel summary’ there: every member port should be flagged P (bundled); a member flagged s has been suspended because its configuration differs from the rest of the bundle, and the LAG is then running with fewer links than you think.

[Screenshot: port_channel2]

2 thoughts on “Fortigate Link Aggregation 802.3AD / LACP with Cisco Switching”

  1. Shane

    Thanks for the write up. But I don’t understand why some of your ports are set for portfast and some aren’t. Also some don’t have description, just a mis-type?

  2. TheodoreJuicy

    I often visit your page and have noticed that you don’t update it often. More frequent updates will give your website higher rank & authority in Google. I know that writing posts takes a lot of time, but you can always help yourself with miftolo’s tools which will shorten the time of creating an article to a few seconds.

