Fortigate + HP ProCurve Load Balancing
A trunk in HP terms is basically 802.23AD link aggregation, and you can optionally use that with LACP which can help verify that each link is capable of participating before actually sending data across it.
The Fortigate will need to support link aggregation and potentially LACP in order to communicate with the switch in this manner. Also, you can only use aggregation to the same switch, or switches combined with a stacking protocol or that support multi-chassis LAGs.
EDIT: Check the Fortigate admin guide page 166: http://docs.fortinet.com/fgt/handbook/50/fortigate-install-system-admin-50.pdf I see no mention of LACP support, be sure you do not turn that on at the switch, or it will kill the links.
config system interface
edit Aggregate
set type aggregate
set member port4 port5 port6
set vdom root
set ip 172.20.120.100/24
set allowaccess https ssh
end
Now, if I might steer you more effectively I see that IMIX throughput of a 100D is effectively 1Gbps so I don't really understand what you're trying to accomplish here. Do you have an upstream provider that is handing off a link larger than 1Gb?
Related videos on Youtube
07 : 31
![SD-WAN | Load Balancing configuration on FortiGate Firewall with Failover Test [PART 1]](https://i.ytimg.com/vi/pdqkn-x5ZIE/hqdefault.jpg?sqp=-oaymwEcCOADEI4CSFXyq4qpAw4IARUAAIhCGAFwAcABBg==&rs=AOn4CLBVqTaJfcRpHZoKEjJj1Oerb3KlzA)
14 : 23
05 : 15
02 : 03
08 : 14
Myles Gray
Updated on September 18, 2022Comments
-
Myles Gray over 1 year
I have a FortiGate 100D + HP ProCurve 2824 linked together by 4x 1Gb links.
The ProCurve is configured to have ports 21-24 trunked together and load balance them.
The 4 cables from these ports are then fed into the 100D on ports 1-4 which are configured as a software switch (which should mean all 4 interfaces have the same IP address).
However when I connect the 4 links to the 100D the 100D itself becomes unaccessable but the network continues to function (the ProCurve must be using it's internal table to direct traffic) and there is no flood of packets as there would be in a network loop.
Has anyone ever run this kind of config on a FortiGate?
I'm convinced it's the FG end as the ProCurve is basically stock.
Cheers, Myles
-
Myles Gray over 11 yearsJust noticed that on my box, I can only 802.3ad on wan+ha ports. I was experimenting with it as typically a CAT5E cable will not transmit near to 1Gbs, thus an ECMP type setup would have remedied that?
-
SpacemanSpiff over 11 yearsCAT5e can certainly achieve 1Gbps. There are a number of overheads that prevent you from reaching it though. Link aggregation won't fix this unless both ends participating are configured to perform load balancing on both destination IP address and port, otherwise it will hash once and still only use one link per conversation. ECMP is a layer 3 balancing protocol. For this to work, your L3 switch would need to support it, as would the firewall.
