SG550 LACP to Fortigate 60E Issue, Fortigate 60E Forwarding capacity

thatoneswitch

New Member
Apr 13, 2021
Hi guys,

I've been struggling with this issue for months and figured I'd ask for help here.

Fortigate 60Es are rated as 3/3/3 Gbps on their spec sheet. https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiGate_FortiWiFi_60E_Series.pdf

- Does that mean that they can forward 3 Gbps from vlan to vlan? Also, does that work with Link Aggregation?

I can't seem to get my LACP/Link Aggregation to work properly with an SG550, or at least I think. I've attached a network diagram.
  1. I've configured two ports as LACP in SG550 and connected them to the 60E, using IP/MAC Address Load Balance Algorithm.
  2. I've configured an 802.3ad Aggregate on the 60E and created vlans under the Aggregate interface.
  3. Static routes on both devices for vlans are pointed at each other.
  4. It seems like the network speed is sharing 1 Gbps when I iperf from two devices on vlans 5 and 6 to two other devices on vlans 1 and 3.

- Vlan 1 Device (Firewall Interfaced) - 192.168.10.1
- Vlan 2 Device (Firewall Interfaced) - 192.168.20.1
- Vlan 5 Device (Switch Interfaced) - 192.168.50.1
- Vlan 6 Device (Switch Interfaced) - 192.168.60.1

1. 192.168.50.1 iperf to 192.168.10.1
2. 192.168.60.1 iperf to 192.168.20.1

iperf 1 gets 750 Mbps while iperf 2 will get 95 Mbps while both are happening concurrently.

Any help is appreciated, thanks everyone.

Frank Bello

Member
Nov 14, 2018
As a suggestion, try to find out if both traffic streams are going down the same cable (check port counters). That seems the most likely scenario. If so then it just means that the load-balancer has picked the same link for both combinations of IP+MAC. Unfortunately, this is a problem with link aggregation and small numbers of clients.

The other option is that your LAG bundle hasn't worked, i.e. one cable has dropped out of the group. Cisco boxes generally show this as an error (show etherchannel sum, also check the log for this type of error: Warning %TRUNK-W-PORTREMOVED: Port xx/y/z removed from Po1); for Fortigate, this might help: Technical Tip: Initial troubleshooting steps for LACP (Link Aggregation - 802.3ad)