Example LACP 802.3ad configuration between a pair of clustered FortiGate firewalls and two Cisco Nexus switches in vPC:

REFERENCE ARCHITECTURE

(figure: fwfg nexus lacp)

FWFG-01/02:

config system interface
    edit "to_NEXUS"
        set vdom "root"
        set allowaccess ping
        set vlanforward enable
        set type aggregate
        set member "port35" "port36"
    next
    edit "port35"
        set vdom "root"
        set type physical
    next
    edit "port36"
        set vdom "root"
        set type physical
    next
end

N5K-1:

feature lacp
feature vpc
feature lldp
feature vtp
feature fex
!
vtp mode transparent
!
vpc domain 1
  peer-switch
  role priority 110
  system-priority 1000
  peer-keepalive destination a.b.c.x source a.b.c.y
  delay restore 150
  peer-gateway
  ip arp synchronize
!
interface port-channel 1
  description ** To N5K-2 vPC peer-link **
  switchport mode trunk
  spanning-tree port type network
  speed 10000
  vpc peer-link
!
interface port-channel 10
  description ** To Firewall-1 **
  switchport mode trunk
  switchport trunk allowed vlan < vlan-id range >
  spanning-tree port type normal
  speed 10000
  storm-control broadcast level 5.00
  storm-control multicast level 5.00
  vpc 10
!
interface port-channel 20
  description ** To Firewall-2 **
  switchport mode trunk
  switchport trunk allowed vlan < vlan-id range >
  spanning-tree port type normal
  speed 10000
  storm-control broadcast level 5.00
  storm-control multicast level 5.00
  vpc 20
!
interface Ethernet1/1
  description ** To Firewall-1 **
  switchport mode trunk
  switchport trunk allowed vlan < vlan-id range >
  logging event port link-status
  logging event port trunk-status
  storm-control broadcast level 5.00
  storm-control multicast level 5.00
  channel-group 10 mode active
!
interface Ethernet1/2
  description ** To Firewall-2 **
  switchport mode trunk
  switchport trunk allowed vlan < vlan-id range >
  logging event port link-status
  logging event port trunk-status
  storm-control broadcast level 5.00
  storm-control multicast level 5.00
  channel-group 20 mode active
!
interface Ethernet1/16
  description ** To N5K-2 vPC peer-link **
  switchport mode trunk
  channel-group 1 mode active
!
interface Ethernet1/32
  description ** To N5K-2 vPC peer-link **
  switchport mode trunk
  channel-group 1 mode active

N5K-2:

feature lacp
feature vpc
feature lldp
feature vtp
feature fex
!
vtp mode transparent
!
vpc domain 1
  peer-switch
  role priority 90
  system-priority 1000
  peer-keepalive destination a.b.c.y source a.b.c.x
  delay restore 150
  peer-gateway
  ip arp synchronize
!
interface port-channel 1
  description ** To N5K-1 vPC peer-link **
  switchport mode trunk
  spanning-tree port type network
  speed 10000
  vpc peer-link
!
interface port-channel 10
  description ** To Firewall-1 **
  switchport mode trunk
  switchport trunk allowed vlan < vlan-id range >
  spanning-tree port type normal
  speed 10000
  storm-control broadcast level 5.00
  storm-control multicast level 5.00
  vpc 10
!
interface port-channel 20
  description ** To Firewall-2 **
  switchport mode trunk
  switchport trunk allowed vlan < vlan-id range >
  spanning-tree port type normal
  speed 10000
  storm-control broadcast level 5.00
  storm-control multicast level 5.00
  vpc 20
!
interface Ethernet1/1
  description ** To Firewall-1 **
  switchport mode trunk
  switchport trunk allowed vlan < vlan-id range >
  logging event port link-status
  logging event port trunk-status
  storm-control broadcast level 5.00
  storm-control multicast level 5.00
  channel-group 10 mode active
!
interface Ethernet1/2
  description ** To Firewall-2 **
  switchport mode trunk
  switchport trunk allowed vlan < vlan-id range >
  logging event port link-status
  logging event port trunk-status
  storm-control broadcast level 5.00
  storm-control multicast level 5.00
  channel-group 20 mode active
!
interface Ethernet1/16
  description ** To N5K-1 vPC peer-link **
  switchport mode trunk
  channel-group 1 mode active
!
interface Ethernet1/32
  description ** To N5K-1 vPC peer-link **
  switchport mode trunk
  channel-group 1 mode active
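A consistency check over the two Nexus configurations above, added here as an example (it is not part of the original post nor any Cisco or Fortinet tool): it parses the vPC-relevant lines of each peer and verifies that both agree on the vpc domain id, that the peer-keepalive destination/source addresses are mirrored, that every port-channel carries the same vpc id (or the peer-link role) on both switches, and that every channel-group lands on a port-channel that has one. The config excerpts are constructed from the page, keeping its a.b.c.x/a.b.c.y address placeholders.

```python
import re
# Constructed excerpt of the N5K-1 config above, trimmed to the vPC-relevant lines.
N5K_1 = """vpc domain 1
  peer-keepalive destination a.b.c.x source a.b.c.y
interface port-channel 1
  vpc peer-link
interface port-channel 10
  vpc 10
interface Ethernet1/1
  channel-group 10 mode active
interface Ethernet1/16
  channel-group 1 mode active
"""
# N5K-2 is the mirror image of N5K-1: keepalive destination and source are swapped.
N5K_2 = N5K_1.replace("a.b.c.x source a.b.c.y", "a.b.c.y source a.b.c.x")

def parse_nexus(text):
    """Extract vPC domain, keepalive pair, per-port-channel vpc role and channel-group membership."""
    cfg, iface = {"domain": None, "ka": None, "vpc": {}, "cg": {}}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"vpc domain (\d+)$", line):
            cfg["domain"] = int(m[1])
        elif m := re.match(r"peer-keepalive destination (\S+) source (\S+)$", line):
            cfg["ka"] = (m[1], m[2])
        elif m := re.match(r"interface (.+)$", line):
            iface = m[1].replace(" ", "").lower()   # "port-channel 10" -> "port-channel10"
        elif m := re.match(r"vpc (peer-link|\d+)$", line):
            cfg["vpc"][iface] = m[1]                # "peer-link" or the vpc id as a string
        elif m := re.match(r"channel-group (\d+) mode (\S+)$", line):
            cfg["cg"][iface] = (f"port-channel{m[1]}", m[2])
    return cfg

def check_vpc_pair(a, b):
    """Return the inconsistencies between two vPC peers; an empty list means they agree."""
    issues = []
    if a["domain"] != b["domain"]:
        issues.append("vpc domain id differs between peers")
    if a["ka"] is None or b["ka"] is None or a["ka"] != (b["ka"][1], b["ka"][0]):
        issues.append("peer-keepalive destination/source are not mirrored")
    if a["vpc"] != b["vpc"]:
        issues.append("vpc ids (or peer-link placement) differ between peers")
    for name, cfg in (("A", a), ("B", b)):
        if "peer-link" not in cfg["vpc"].values():
            issues.append(f"{name}: no port-channel carries 'vpc peer-link'")
        for eth, (po, mode) in cfg["cg"].items():
            if po not in cfg["vpc"]:
                issues.append(f"{name}: {eth} joins {po}, which has no vpc id or peer-link role")
            if mode not in ("active", "passive"):
                issues.append(f"{name}: {eth} channel-group mode '{mode}' does not run LACP")
    return issues
```

Feed it the output of "show running-config" from both peers; an empty list means the vPC pair is consistent, otherwise each entry names the mismatch to fix before bringing the firewall port-channels up.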