LACP (802.3ad) connection between Cisco Switch and Fortigate Firewall

LACP (Link Aggregation Control Protocol) is part of the IEEE 802.3ad standard that allows multiple physical Ethernet links to be combined into a single logical link, called a link aggregation group (LAG) or EtherChannel (in Cisco terms).

Why do we need LACP?

Increased Bandwidth: Combine several links for higher throughput.

Redundancy: If one link fails, traffic continues over the remaining links.

Simplified Management: Multiple links are treated as a single connection.

In this lab, we will use the LACP (802.3ad) protocol to create an uplink from a Cisco layer 3 switch to a FortiGate firewall. First we configure the switch side, then the FortiGate firewall, and finally we check the LACP status on both devices.

LACP can be used at layer 2 or at layer 3. In my case I want the aggregate to act as a trunk and carry VLAN traffic to the firewall, so I used a layer 2 LACP bundle, which carries all VLAN traffic over the LAG. Depending on the topology and requirements, you can instead build a layer 3 LACP bundle with IP addresses on the interfaces; in that case the members are not switchports and the bundle becomes a routed port.

SWITCH CONFIGURATION:

Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname CORESW
CORESW(config)#vlan 10
CORESW(config-vlan)#vlan 20
CORESW(config-vlan)#exit
CORESW(config)#int vlan 10

CORESW(config-if)#ip address 192.168.10.1 255.255.255.0
CORESW(config-if)#no sh
CORESW(config-if)#ex
CORESW(config)#int vlan 20

CORESW(config-if)#ip address 192.168.20.1 255.255.255.0
CORESW(config-if)#no shutdown
CORESW(config-if)#exit
CORESW(config)#ip routing
CORESW(config)#
*Jul 9 17:56:00.675: %LINK-3-UPDOWN: Interface Vlan20, changed state to down
CORESW(config)#int port-channel 1
CORESW(config-if)#description LINK TO FORTINET
CORESW(config-if)#switchport trunk encapsulation dot1q
CORESW(config-if)#switchport mode trunk
CORESW(config-if)#switchport trunk allow vlan all
CORESW(config-if)#no shutdown
CORESW(config-if)#exit


CORESW(config)#interface e0/0
CORESW(config-if)#description LACP TO FORTI PORT1
CORESW(config-if)#switchport trunk encapsulation dot1q
CORESW(config-if)#switchport mode trunk
CORESW(config-if)#switchport trunk allow vlan all
CORESW(config-if)#no shutdown
CORESW(config-if)#exit


CORESW(config)#interface e0/1
CORESW(config-if)#description LACP TO FORTI PORT2
CORESW(config-if)#switchport trunk encapsulation dot1q
CORESW(config-if)#switchport mode trunk
CORESW(config-if)#switchport trunk allow vlan all
CORESW(config-if)#no shutdown
CORESW(config-if)#exit


CORESW(config)#interface range e0/0-1
CORESW(config-if-range)#channel-group 1 mode active
CORESW(config-if-range)#no shutdown
CORESW(config-if-range)#exit
CORESW(config)#do copy run start
Destination filename [startup-config]?
Building configuration...
Compressed configuration from 1259 bytes to 818 bytes[OK]
CORESW(config)#
*Jul 9 17:58:15.314: %EC-5-L3DONTBNDL2: Et0/1 suspended: LACP currently not enabled on the remote port.
*Jul 9 17:58:15.327: %EC-5-L3DONTBNDL2: Et0/0 suspended: LACP currently not enabled on the remote port.
CORESW(config)#

FORTIGATE CONFIGURATION:

FortiGate-VM64-KVM login: admin
Password:
You are forced to change your password. Please input a new password.
New Password:
Confirm Password:
Welcome!

FortiGate-VM64-KVM # config system interface

FortiGate-VM64-KVM (interface) # edit AGGREGATE1
new entry 'AGGREGATE1' added

FortiGate-VM64-KVM (AGGREGATE1) # set vdom "root"

FortiGate-VM64-KVM (AGGREGATE1) # set type aggregate

FortiGate-VM64-KVM (AGGREGATE1) # set role lan

FortiGate-VM64-KVM (AGGREGATE1) # set lacp-mode active

FortiGate-VM64-KVM (AGGREGATE1) # set member "port2" "port4"

FortiGate-VM64-KVM (AGGREGATE1) # set allowaccess ssh ping https

FortiGate-VM64-KVM (AGGREGATE1) # next

FortiGate-VM64-KVM (interface) # end

LACP CHECK ON FORTIGATE:

FortiGate-VM64-KVM # diagnose netlink aggregate name AGGREGATE1
LACP flags: (A|P)(S|F)(A|I)(I|O)(E|D)(E|D)
(A|P) - LACP mode is Active or Passive
(S|F) - LACP speed is Slow or Fast
(A|I) - Aggregatable or Individual
(I|O) - Port In sync or Out of sync
(E|D) - Frame collection is Enabled or Disabled
(E|D) - Frame distribution is Enabled or Disabled

status: up
npu: n
flush: n
asic helper: y
ports: 2
link-up-delay: 50ms
min-links: 1
ha: master
distribution algorithm: L4
LACP mode: active
LACP speed: slow
LACP HA: enable
aggregator ID: 1
actor key: 33
actor MAC address: 50:00:00:03:00:01
partner key: 1
partner MAC address: aa:bb:cc:80:20:00

slave: port2
index: 0
link status: up
link failure count: 0
permanent MAC addr: 50:00:00:03:00:01
LACP state: established
actor state: ASAIEE
actor port number/key/priority: 1 33 255
partner state: ASAIEE
partner port number/key/priority: 2 1 32768
partner system: 19586 aa:bb:cc:80:20:00
aggregator ID: 1
speed/duplex: 10000 1
RX state: CURRENT 6
MUX state: COLLECTING_DISTRIBUTING 4

slave: port4
index: 1
link status: up
link failure count: 0
permanent MAC addr: 50:00:00:03:00:03
LACP state: established
actor state: ASAIEE
actor port number/key/priority: 2 33 255
partner state: ASAIEE
partner port number/key/priority: 1 1 32768
partner system: 19586 aa:bb:cc:80:20:00
aggregator ID: 1
speed/duplex: 10000 1
RX state: CURRENT 6
MUX state: COLLECTING_DISTRIBUTING 4

FortiGate-VM64-KVM #
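The actor/partner state strings in the output above (ASAIEE on both members) are the quickest way to tell whether each member really joined the bundle. As an added example, not FortiOS code and not the author's script, the Python below decodes those six-letter strings using the legend printed by the FortiGate and turns a captured diagnose output into a list of problems: a member that is out of sync, not collecting/distributing, individual rather than aggregatable, not in the COLLECTING_DISTRIBUTING MUX state, or negotiating with a different partner system than its siblings. The healthy sample is constructed from the output shown on this page; the degraded sample (flags ASAODD/PSAODD, MUX state "DETACHED 1", a non-zero failure count) is invented to show what a member that never synchronised with the switch looks like, which is the FortiGate-side view of the "suspended: LACP currently not enabled on the remote port" message the switch logged earlier.

```python
"""Decode and health-check 'diagnose netlink aggregate name <agg>' output.
Added example for this post; not FortiOS code, not the author's script.
Assumes the layout shown on the page: 'key: value' lines, member sections
opened by 'slave: <port>'."""

# Flag legend as the FortiGate output prints it, in flag-string order.
FLAG_LEGEND = (
    ("lacp_mode", {"A": "active", "P": "passive"}),
    ("lacp_speed", {"S": "slow", "F": "fast"}),
    ("aggregation", {"A": "aggregatable", "I": "individual"}),
    ("sync", {"I": "in-sync", "O": "out-of-sync"}),
    ("collecting", {"E": "enabled", "D": "disabled"}),
    ("distributing", {"E": "enabled", "D": "disabled"}),
)

def decode_flags(flags):
    """Turn a six-letter state such as 'ASAIEE' into a named dict."""
    if len(flags) != len(FLAG_LEGEND):
        raise ValueError(f"expected {len(FLAG_LEGEND)} flag letters, got {flags!r}")
    decoded = {}
    for letter, (name, mapping) in zip(flags, FLAG_LEGEND):
        if letter not in mapping:
            raise ValueError(f"unknown letter {letter!r} for {name}")
        decoded[name] = mapping[letter]
    return decoded

def parse_aggregate(text):
    """Split the output into a header dict and one dict per 'slave:' section."""
    header, members, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue  # blank lines and the flag legend carry no key/value
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "slave":
            current = {"name": value}
            members.append(current)
        elif current is None:
            header[key] = value
        else:
            current[key] = value
    return header, members

def check_aggregate(text):
    """Return a list of problems; an empty list means every member is bundled."""
    header, members = parse_aggregate(text)
    problems = []
    if header.get("status") != "up":
        problems.append(f"aggregate status is {header.get('status')!r}")
    declared = header.get("ports")
    if declared is not None and int(declared) != len(members):
        problems.append(f"header lists {declared} ports, output has {len(members)} members")
    if len({m.get("partner system") for m in members}) > 1:
        problems.append("members see different partner systems (check cabling)")
    for m in members:
        name = m["name"]
        if m.get("link status") != "up":
            problems.append(f"{name}: link status {m.get('link status')!r}")
        if int(m.get("link failure count", "0")) > 0:
            problems.append(f"{name}: {m['link failure count']} link failures recorded")
        if not m.get("MUX state", "").startswith("COLLECTING_DISTRIBUTING"):
            problems.append(f"{name}: MUX state {m.get('MUX state')!r}, not forwarding")
        modes = set()
        for side in ("actor", "partner"):
            flags = m.get(f"{side} state")
            if flags is None:
                problems.append(f"{name}: no {side} state reported")
                continue
            state = decode_flags(flags)
            modes.add(state["lacp_mode"])
            if state["aggregation"] != "aggregatable":
                problems.append(f"{name}: {side} is individual, will not bundle")
            if state["sync"] != "in-sync":
                problems.append(f"{name}: {side} out of sync")
            if state["collecting"] != "enabled" or state["distributing"] != "enabled":
                problems.append(f"{name}: {side} not collecting/distributing")
        if modes == {"passive"}:
            problems.append(f"{name}: both ends passive, LACP will never negotiate")
    return problems

def member_block(name, actor, partner, mux, failures=0):
    # Builds one constructed 'slave:' section in the page's output format.
    return (f"slave: {name}\nlink status: up\nlink failure count: {failures}\n"
            f"actor state: {actor}\npartner state: {partner}\n"
            f"partner system: 19586 aa:bb:cc:80:20:00\nMUX state: {mux}\n")

HEADER = "status: up\nports: 2\nLACP mode: active\n"
# Constructed from the healthy output shown above: both members ASAIEE.
SAMPLE_HEALTHY = (HEADER
                  + member_block("port2", "ASAIEE", "ASAIEE", "COLLECTING_DISTRIBUTING 4")
                  + member_block("port4", "ASAIEE", "ASAIEE", "COLLECTING_DISTRIBUTING 4"))
# Constructed failure case (not captured from a device): port4 never synced,
# the member-side picture of the switch's "suspended" syslog message.
SAMPLE_DEGRADED = (HEADER
                   + member_block("port2", "ASAIEE", "ASAIEE", "COLLECTING_DISTRIBUTING 4")
                   + member_block("port4", "ASAODD", "PSAODD", "DETACHED 1", failures=3))
```

Running check_aggregate(SAMPLE_HEALTHY) returns an empty list, while the degraded sample yields six findings, all against port4. Feeding the real output of the diagnose command into check_aggregate (for instance from a scheduled SSH poll) gives a simple monitor that catches a member silently dropping out of the bundle, which the aggregate's own "status: up" line would hide as long as min-links is still satisfied.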

LACP CHECK ON SWITCH:


CORESW#show int po1
Port-channel1 is up, line protocol is up (connected)
Hardware is EtherChannel, address is aabb.cc00.2010 (bia aabb.cc00.2010)
Description: LINK TO FORTINET
MTU 1500 bytes, BW 20000 Kbit/sec, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, Auto-speed, media type is RJ45
input flow-control is off, output flow-control is unsupported
Members in this channel: Et0/0 Et0/1
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:11, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
2 packets input, 268 bytes, 0 no buffer
Received 2 broadcasts (0 multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 input packets with dribble condition detected
84 packets output, 11956 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
CORESW#

Please dont hesitate to contact me if you have further questions.

Happy networking 🙂
