Wired Intelligent Edge

LACP on VSF 2930F with Fortigate LACP

  • 1.  LACP on VSF 2930F with Fortigate LACP

    Posted Sep 12, 2022 10:53 AM




    I have two 2930F48G switches. Both are stacked through VSF, with LACP on ports 1/10, 2/10 and 1/12, 2/12.
    show lacp
              LACP      Trunk     Port                LACP      Admin   Oper
    Port      Enabled   Group     Status    Partner   Status    Key     Key
    -----     -------   -------   -------   -------   -------   ------  ------
    1/10      Active    Trk1      Up        Yes       Success   0       532
    1/12      Active    Trk2      Blocked   Yes       Failure   0       533
    2/10      Active    Trk1      Blocked   Yes       Failure   0       532
    2/12      Active    Trk2      Blocked   Yes       Failure   0       533
    Fortigate configured in HA Active-Passive mode:
    diag netlink aggregate list
    List of 802.3ad link aggregation interfaces:
    1 name LAN status up algorithm L4 lacp-mode active

    diag netlink aggregate name LAN
    LACP flags: (A|P)(S|F)(A|I)(I|O)(E|D)(E|D)
    (A|P) - LACP mode is Active or Passive
    (S|F) - LACP speed is Slow or Fast
    (A|I) - Aggregatable or Individual
    (I|O) - Port In sync or Out of sync
    (E|D) - Frame collection is Enabled or Disabled
    (E|D) - Frame distribution is Enabled or Disabled
    status: up
    npu: y
    flush: n
    asic helper: y
    oid: 130
    ports: 2
    link-up-delay: 50ms
    min-links: 1
    ha: master
    distribution algorithm: L4
    LACP mode: active
    LACP speed: slow
    LACP HA: enable
    aggregator ID: 1
    actor key: 17
    actor MAC address: 08:5b:0e:7e:d4:34
    partner key: 532
    partner MAC address: 88:3a:30:37:1f:0b

    slave: port10
    index: 0
    link status: up
    link failure count: 5
    permanent MAC addr: 08:5b:0e:7e:d4:34
    LACP state: established
    actor state: ASAIEE
    actor port number/key/priority: 1 17 255
    partner state: ASAIEE
    partner port number/key/priority: 10 532 0
    partner system: 34048 88:3a:30:37:1f:0b
    aggregator ID: 1
    speed/duplex: 1000 1
    RX state: CURRENT 6
    MUX state: COLLECTING_DISTRIBUTING 4

    slave: port12
    index: 1
    link status: up
    link failure count: 4
    permanent MAC addr: 08:5b:0e:7e:d4:36
    LACP state: negotiating
    actor state: ASAODD
    actor port number/key/priority: 2 17 255
    partner state: ASAODD
    partner port number/key/priority: 65 533 0
    partner system: 34048 88:3a:30:37:1f:0b
    aggregator ID: 2
    speed/duplex: 1000 1
    RX state: CURRENT 6
    MUX state: WAITING 2

    Can you confirm whether the following configuration is correct? On the switch side, one port is showing Up and the remaining ports are Blocked. Why?


  • 2.  RE: LACP on VSF 2930F with Fortigate LACP

    Posted Sep 12, 2022 01:10 PM
    It's not clear what local physical port (member of a particular Port Trunk) is connected to what remote port of which Firewall node, especially considering you have two Firewall nodes acting as two separate entities.

    Please note that Link Aggregation (non-protocol or LACP), AKA Port Trunk, requires that member ports (say 1/10 and 2/10 of Trk1 on the VSF side, as an example) end in a device that is seen as (and acts as) one logical entity (Firewall node 1 OR Firewall node 2, not both). For the purpose of forming the link aggregation between peers, those member ports can't be terminated in (they simply shouldn't end in) different logical entities (example: VSF port 1/10 into Firewall node 1 and VSF port 2/10 into Firewall node 2), because those Firewall nodes, no matter the HA deployment method used (Active/Active or Active/Passive), don't form a single logical entity from the standpoint of the VSF (or of a single switch).





  • 3.  RE: LACP on VSF 2930F with Fortigate LACP

    Posted Nov 23, 2022 03:07 AM
    From what I see, you have configured only one trunk on the switch, but the Fortigate HA cluster is still shown as 2 devices. You should configure 2 LACP trunks on the switch, one for the master Fortigate and one for the slave Fortigate; then everything should work well.
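
Added example, not part of any post in this thread: Python code that parses the `diag netlink aggregate name` output from post 1, decodes the six-letter state strings using the legend the FortiGate prints, and reports each member port that is not bundling together with the mismatch behind it. The sample text is constructed by trimming that output, and the function names are illustrative.

```python
# Constructed sample: lines trimmed from the FortiGate output quoted in post 1.
SAMPLE = """\
aggregator ID: 1
partner key: 532
slave: port10
actor state: ASAIEE
partner port number/key/priority: 10 532 0
aggregator ID: 1
slave: port12
actor state: ASAODD
partner port number/key/priority: 65 533 0
aggregator ID: 2
"""

# Legend printed by the FortiGate: (A|P)(S|F)(A|I)(I|O)(E|D)(E|D).
FLAGS = [("mode", "AP"), ("speed", "SF"), ("aggregatable", "AI"),
         ("sync", "IO"), ("collecting", "ED"), ("distributing", "ED")]

def decode_state(state):
    """Map a state string such as 'ASAODD' to {'mode': 'A', ..., 'sync': 'O', ...}."""
    if len(state) != len(FLAGS) or any(c not in ok for c, (_, ok) in zip(state, FLAGS)):
        raise ValueError(f"unexpected LACP state string: {state!r}")
    return {name: c for c, (name, _) in zip(state, FLAGS)}

def parse(text):
    """Split the output into aggregate-level fields and per-member fields."""
    agg, members, cur = {}, {}, None
    for line in text.splitlines():
        key, sep, val = line.strip().partition(": ")
        if sep and key == "slave":      # a "slave:" line opens a member section
            cur = members.setdefault(val, {})
        elif sep:
            (agg if cur is None else cur)[key] = val
    return agg, members

def diagnose(text):
    """Return {member port: [reasons]} for members that are not bundled."""
    agg, members = parse(text)
    findings = {}
    for port, m in members.items():
        why = findings.setdefault(port, [])
        if decode_state(m["actor state"])["sync"] == "O":
            why.append("actor out of sync")
        pkey = m["partner port number/key/priority"].split()[1]
        if pkey != agg["partner key"]:
            why.append(f"partner key {pkey} != aggregate partner key {agg['partner key']}")
        if m["aggregator ID"] != agg["aggregator ID"]:
            why.append(f"aggregator ID {m['aggregator ID']} != aggregate ID {agg['aggregator ID']}")
    return {port: why for port, why in findings.items() if why}
```

On the thread's data this flags only port12: its partner key 533 is the oper key of Trk2 in the `show lacp` output, while the aggregate negotiated with key 532 (Trk1), so the two FortiGate members land in different switch trunks.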