Description
This article describes some technical considerations when FortiGate devices in an HA Cluster, Active-Passive mode, are connected to L2 switch(es) with LACP (802.3ad).
Scope
FortiGate.
Solution
The following network diagram is used to illustrate this article :
The LACP groups (LAG) defined on the L2 switch must be different for each FortiGate (hence creating independent bundles) in order to avoid incoming traffic being sent to the Subordinate.
Note:
For this reason, Nortel devices in SMLT are not supported:
- if different LAGs cannot be configured on the L2 switch, use the following command to prevent the subordinate units from participating in LACP negotiation with an aggregate interface; note that in this mode, the failover time can be longer as it will include the LACP negotiation between the newly elected Primary Unit and the L2 switch.
config system interface
edit <aggregate_name>
set lacp-ha-slave disable
end
It is recommended to set LACP mode to Static on both sides (FortiGate and switch) if the ports are connected with a back-to-back cable.
Note:
Starting from version 7.2.1, lacp-ha-slave has been replaced with lacp-ha-secondary.
