Aggregate interfaces

6.0.0

Link aggregation (IEEE 802.3ad) allows you to bind two or more physical interfaces together to form an aggregated link. This new link has the bandwidth of all the links combined. If a link in the group fails, traffic is automatically transferred to the remaining interfaces with the only noticeable effect being reduced bandwidth.

This is similar to redundant interfaces, with the major difference being that a redundant interface group uses only one link at a time, while an aggregate link group uses the total bandwidth of the functioning links in the group, up to eight (or more).

Some FortiGate models support the IEEE standard 802.3ad for link aggregation.

An interface can be an aggregate interface if it meets the following criteria:

  • It's a physical interface, not a VLAN interface or subinterface.
  • It's not already part of an aggregate or redundant interface.
  • It's in the same VDOM as the aggregated interface. Aggregate ports can't span multiple VDOMs.
  • It doesn't have an IP address and isn't configured for DHCP or PPPoE.
  • It's not referenced in any security policy, VIP, IP pool, or multicast policy.
  • It's not an HA heartbeat interface.
  • It's not one of the backplane interfaces of the FortiGate 5000 series.

Some FortiGate models don't support aggregate interfaces. In this case, the aggregate option isn't available in the FortiGate GUI or CLI. Also, you can't create aggregate interfaces from interfaces in a switch port.

To see if a port is being used or has other dependencies - CLI:

diagnose sys cmdb refcnt show system.interface.name <interface_name>
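
An added pre-check (not part of the Fortinet handbook) that applies the membership criteria listed above to saved `show system interface` output; the sample configuration, the function names and the VDOM name `lab` are constructed for illustration. It covers only the criteria visible in the interface table; references from policies, VIPs, IP pools and HA are what the `diagnose sys cmdb refcnt show` command above reports.

```python
import shlex
# Constructed sample of `show system interface` output (not from a real device).
SAMPLE = '''config system interface
    edit "port4"
        set vdom "root"
        set type physical
    next
    edit "port5"
        set vdom "root"
        set ip 192.0.2.1 255.255.255.0
        set type physical
    next
    edit "port6"
        set vdom "lab"
        set type physical
    next
    edit "red1"
        set vdom "root"
        set type redundant
        set member "port6"
    next
end'''

def parse_interfaces(text):
    """Return {name: {setting: [values]}} for each 'edit' entry."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        tok = shlex.split(line)  # also strips the quotes FortiOS puts around names
        if tok[:1] == ["edit"]:
            cur = ifaces.setdefault(tok[1], {})
        elif tok[:1] == ["set"] and cur is not None:
            cur[tok[1]] = tok[2:]
    return ifaces

def ineligible(ifaces, candidates, vdom):
    """Map each candidate to the membership criteria it fails (empty list = OK)."""
    groups = [i for i in ifaces.values() if i.get("type") in (["aggregate"], ["redundant"])]
    grouped = {m for g in groups for m in g.get("member", [])}
    report = {}
    for name in candidates:
        i = ifaces.get(name, {})  # an unknown name fails the type and VDOM checks
        checks = {
            "not a physical interface": i.get("type") != ["physical"],
            "already in an aggregate or redundant interface": name in grouped,
            "not in the aggregate's VDOM": i.get("vdom") != [vdom],
            "has an IP address, DHCP or PPPoE": i.get("ip", ["0.0.0.0"])[0] != "0.0.0.0"
                or i.get("mode", ["static"])[0] in ("dhcp", "pppoe"),
        }
        report[name] = [why for why, failed in checks.items() if failed]
    return report
```

Calling `ineligible(parse_interfaces(SAMPLE), ["port4", "port5", "port6"], "root")` returns an empty list for `port4` and the failed criteria for the other two.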

When an interface is included in an aggregate interface, it's not listed on the Network > Interfaces page in the FortiGate GUI. Member interfaces still appear in the CLI, but any configuration you apply to them doesn't take effect. You can't configure a member interface individually, and it's not available to include in security policies, VIPs, IP pools, or routing.

To avoid unintentional network issues when you configure Link Aggregation Control Protocol (LACP), disconnect the interfaces that you want to add to the aggregate interface. After you finish configuring LACP, reconnect the interfaces.

The following example creates an aggregate interface on a FortiGate, using ports 4 to 6, with an internal IP address of 10.13.101.100, and administrative access to HTTPS and SSH.

To create an aggregate interface - GUI:
  1. Go to Network > Interfaces and select Create New, then Interface.
  2. Enter the Name as Aggregate.
  3. For the Type, select 802.3ad Aggregate.
     If this option doesn't appear, the FortiGate doesn't support aggregate interfaces.
  4. In the Interface Members field, click + to add interfaces. Select port 4, 5, and 6.
  5. In the Addressing mode field, select Manual.
  6. Enter the IP address for the port of 10.13.101.100/24.
  7. For Administrative Access, select HTTPS and SSH.
  8. Select OK.

To create an aggregate interface - CLI:

config system interface
    edit aggregate
        set type aggregate
        set member port4 port5 port6
        set vdom root
        set ip 10.13.101.100/24
        set allowaccess https ssh
    next
end

Sending GARP on aggregate MAC changes

A FortiGate sends out Gratuitous Address Resolution Protocol (GARP) announcements if the MAC address of a link aggregated interface changes to a new IP pool address due to a link failure or change in ports. This is needed when you use networking devices, such as some switches, that don't perform this function when they receive Link Aggregation Control Protocol (LACP) information about changes in the MAC information.
