Aggregate interfaces
Link aggregation (IEEE 802.3ad) allows you to bind two or more physical interfaces together to form an aggregated link. This new link has the bandwidth of all the links combined. If a link in the group fails, traffic is automatically transferred to the remaining interfaces with the only noticeable effect being reduced bandwidth.
This is similar to redundant interfaces, with the major difference being that a redundant interface group uses only one link at a time, while an aggregate link group uses the total bandwidth of the functioning links in the group, up to eight (or more).
Some FortiGate models support the IEEE standard 802.3ad for link aggregation.
An interface can be an aggregate interface if it meets the following criteria:
- It's a physical interface, not a VLAN interface or subinterface.
- It's not already part of an aggregate or redundant interface.
- It's in the same VDOM as the aggregated interface. Aggregate ports can't span multiple VDOMs.
- It doesn't have an IP address and isn't configured for DHCP or PPPoE.
- It's not referenced in any security policy, VIP, IP pool, or multicast policy.
- It's not an HA heartbeat interface.
- It's not one of the backplane interfaces of the FortiGate 5000 series.
Some FortiGate models don't support aggregate interfaces. In this case, the aggregate option isn't available in the FortiGate GUI or CLI. Also, you can't create aggregate interfaces from interfaces in a switch port.
To see if a port is being used or has other dependencies - CLI:
diagnose sys cmdb refcnt show system.interface.name <interface_name>
When an interface is included in an aggregate interface, it's not listed in the Network > Interfaces page in the FortiGate GUI. Interfaces still appear in the CLI, but if you configure those interfaces, it won't take effect. You can't configure the interface individually and it's not available to include in security policies, VIPs, IP pools, or routing.
To avoid unintentional network issues when you configure Link Aggregation Control Protocol (LACP), disconnect the interfaces that you want to add to the aggregate interface. After you finish configuring LACP, reconnect the interfaces.
The following example creates an aggregate interface on a FortiGate, using ports 4 to 6, with an internal IP address of 10.13.101.100, and administrative access to HTTPS and SSH.
To create an aggregate interface - GUI:
- Go to Network > Interfaces and select Create New, then Interface.
- Enter the Name as Aggregate.
- For the Type, select 802.3ad Aggregate.
- In the Interface Members field, click + to add interfaces. Select port4, port5, and port6.
- In the Addressing mode field, select Manual.
- Enter the IP address for the port of 10.13.101.100/24.
- For Administrative Access, select HTTPS and SSH.
- Select OK.
If this option doesn't appear, the FortiGate doesn't support aggregate interfaces.
To create an aggregate interface - CLI:
config system interface
    edit aggregate
        set type aggregate
        set member port4 port5 port6
        set vdom root
        set ip 172.20.120.100/24
        set allowaccess https ssh
    next
end
Sending GARP on aggregate MAC changes
A FortiGate sends out Gratuitous Address Resolution Protocol (GARP) announcements when the MAC address of a link aggregate interface, and so the MAC behind its IP pool addresses, changes because of a link failure or a change in member ports. This is needed for networking devices, such as some switches, that don't update their MAC tables when they receive LACP (Link Aggregation Control Protocol) information about the MAC change.