Aggregation and redundancy

Link aggregation (IEEE 802.3ad) enables you to bind two or more physical interfaces together to form an aggregated (combined) link. This new link has the bandwidth of all the links combined. If a link in the group fails, traffic is transferred automatically to the remaining interfaces. The only noticeable effect is reduced bandwidth.

This feature is similar to redundant interfaces. The major difference is that a redundant interface group uses only one link at a time, whereas an aggregate link group uses the total bandwidth of the functioning links in the group, up to eight (or more).

An interface is available to be an aggregate interface if:

  • It is a physical interface and not a VLAN interface or subinterface.
  • It is not already part of an aggregate or redundant interface.
  • It is in the same VDOM as the aggregated interface. Aggregate ports cannot span multiple VDOMs.
  • It does not have an IP address and is not configured for DHCP or PPPoE.
  • It is not referenced in any security policy, VIP, IP Pool, or multicast policy.
  • It is not an HA heartbeat interface.
  • It is not one of the FortiGate-5000 series backplane interfaces.

When an interface is included in an aggregate interface, it is not listed on the Network > Interfaces page. The interface still appears in the CLI, although configuration for it does not take effect. You cannot configure the interface individually and it is not available for inclusion in security policies, VIPs, IP pools, or routing.

Sample configuration

This example creates an aggregate interface on a FortiGate-140D POE using ports 3-5 with an internal IP address of 10.1.1.123 and administrative access over HTTPS and SSH.

To create an aggregate interface using the GUI:
  1. Go to Network > Interfaces and select Create New > Interface.
  2. For Interface Name, enter Aggregate.
  3. For the Type, select 802.3ad Aggregate.
  4. In the physical Interface Members, click to add interfaces and select ports 4, 5, and 6.
  5. For Addressing mode, select Manual.
  6. For the IP address for the port, enter 10.1.1.123/24.
  7. For Administrative Access, select HTTPS and SSH.
  8. Select OK.

To create an aggregate interface using the CLI:

FG140P3G15800330 (aggregate) # show
config system interface
    edit "aggregate"
        set vdom "root"
        set ip 10.1.1.123 255.255.255.0
        set allowaccess ping https ssh snmp http fgfm radius-acct capwap ftm
        set type aggregate
        set member "port3" "port4" "port5"
        set device-identification enable
        set lldp-transmission enable
        set fortiheartbeat enable
        set role lan
        set snmp-index 45
    next
end

Redundancy

In a redundant interface, traffic only goes over one interface at any time. This differs from an aggregated interface where traffic goes over all interfaces for increased bandwidth. This difference means redundant interfaces can have more robust configurations with fewer possible points of failure. This is important in a fully-meshed HA configuration.

An interface is available to be in a redundant interface if:

  • It is a physical interface and not a VLAN interface.
  • It is not already part of an aggregated or redundant interface.
  • It is in the same VDOM as the redundant interface.
  • It does not have an IP address and is not configured for DHCP or PPPoE.
  • It has no DHCP server or relay configured on it.
  • It does not have any VLAN subinterfaces.
  • It is not referenced in any security policy, VIP, or multicast policy.
  • It is not monitored by HA.
  • It is not one of the FortiGate-5000 series backplane interfaces.

When an interface is included in a redundant interface, it is not listed on the Network > Interfaces page. You cannot configure the interface individually and it is not available for inclusion in security policies, VIPs, or routing.

Sample configuration

To create a redundant interface using the GUI:
  1. Go to Network > Interfaces and select Create New > Interface.
  2. For Interface Name, enter Redundant.
  3. For the Type, select Redundant Interface.
  4. In the physical Interface Members, click to add interfaces and select ports 4, 5, and 6.
  5. For Addressing mode, select Manual.
  6. For the IP address for the port, enter 10.13.101.100/24.
  7. For Administrative Access, select HTTPS and SSH.
  8. Select OK.

To create a redundant interface using the CLI:

config system interface
    edit "red"
        set vdom "root"
        set ip 10.13.101.100 255.255.255.0
        set allowaccess https http
        set type redundant
        set member "port4" "port5" "port6"
        set device-identification enable
        set role lan
        set snmp-index 9
    next
end
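
The GUI steps on this page select only HTTPS and SSH for Administrative Access, while both CLI samples show a different `allowaccess` list, so it is worth checking an exported configuration against the intended set. The following is an added example, not Fortinet's code: it parses `config system interface` output and reports protocols enabled beyond, or missing from, the intended set (`INTENDED`, `parse_interfaces` and `audit_allowaccess` are hypothetical names).

```python
import shlex

# Intended management protocols, taken from the GUI steps on this page.
INTENDED = {"https", "ssh"}

# The two CLI samples from this page, trimmed to the fields the check reads.
SAMPLE = '''
config system interface
    edit "aggregate"
        set allowaccess ping https ssh snmp http fgfm radius-acct capwap ftm
        set type aggregate
        set member "port3" "port4" "port5"
    next
    edit "red"
        set allowaccess https http
        set type redundant
        set member "port4" "port5" "port6"
    next
end
'''

def parse_interfaces(text):
    """Parse `config system interface` output into {name: {key: [values]}}."""
    interfaces, current = {}, None
    for line in text.splitlines():
        tokens = shlex.split(line)  # handles the quoted names and members
        if not tokens:
            continue
        if tokens[0] == "edit" and len(tokens) > 1:
            current = interfaces.setdefault(tokens[1], {})
        elif tokens[0] == "next":
            current = None
        elif tokens[0] == "set" and current is not None and len(tokens) > 1:
            current[tokens[1]] = tokens[2:]
    return interfaces

def audit_allowaccess(text, intended=INTENDED):
    """Return {name: (extra, missing)} for interfaces that deviate from intended."""
    findings = {}
    for name, cfg in parse_interfaces(text).items():
        enabled = set(cfg.get("allowaccess", []))
        extra, missing = sorted(enabled - intended), sorted(intended - enabled)
        if extra or missing:
            findings[name] = (extra, missing)
    return findings

if __name__ == "__main__":
    for name, (extra, missing) in audit_allowaccess(SAMPLE).items():
        print(f"{name}: extra={extra} missing={missing}")
```

On the page's samples this flags cleartext `http` on both interfaces and shows that `ssh` is absent from the redundant interface.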
