I recently had to configure a LACP port-channel between two FortiSwitches and a stack of two Cisco switches. There is no clear information available on how to do this.
I had to connect two FortiSwitches in an MCLAG-ICL configuration to a Cisco Catalyst 4500 switch with a bundle of redundant links. The FortiSwitches were managed by an HA cluster of two FortiGates in Active/Passive HA mode. The Cisco Catalyst 4500 switch consisted of several 10Gb blades with SFP+ modules.
The FortiSwitches are connected following the diagram shown below.
When you want to connect all of this together you have to make sure the FortiSwitches are cabled the right way. In my experience, the FortiSwitches all showing up in the FortiGate dashboard does not mean the MCLAG-ICL is working correctly. You can check the consistency of the FortiSwitch cluster with the following CLI command on the FortiGate:
diag switch mclag peer-consistency-check
After everything is checked and the consistency check shows no errors, you can configure the port-channel. First log in to the FortiGate and configure the switch controller, using the serial numbers of the managed switches on which you want to configure the LACP port-channel.
config switch-controller managed-switch
    edit "FS1E48T419000108"
        config ports
            edit "port46"
                set port-owner "mclag-cisco4500"
                set speed 10000full
                set description "MCLAG-CISCO4500"
            next
            edit "mclag-cisco4500"
                set vlan "vsw.FLink"
                set allowed-vlans-all enable
                set untagged-vlans "qtn.FLink"
                set type trunk
                set dhcp-snooping trusted
                set stp-state disabled
                set description "cisco4500"
                set mode lacp-passive
                set bundle enable
                set mclag enable
                set members "port46"
            next
        end
    next
    edit "FS1E48T419000155"
        config ports
            edit "port46"
                set port-owner "mclag-cisco4500"
                set speed 10000full
                set description "MCLAG-CISCO4500"
            next
            edit "mclag-cisco4500"
                set vlan "vsw.FLink"
                set allowed-vlans-all enable
                set untagged-vlans "qtn.FLink"
                set type trunk
                set dhcp-snooping trusted
                set stp-state disabled
                set description "cisco4500"
                set mode lacp-passive
                set bundle enable
                set mclag enable
                set members "port46"
            next
        end
    next
end
The following line names the port-channel. The name has to be the same on both FortiSwitches for the LACP trunk to form.
edit "mclag-cisco4500"
In this case I disabled STP with the "set stp-state disabled" command. You have to match the STP version on both the FortiSwitches and the Cisco switches; FortiSwitches use rapid spanning-tree by default. Note that with STP disabled on this trunk (and BPDU filtering enabled on the Cisco side below) neither side will detect a loop on these links, so correct cabling and the MCLAG consistency check above are what protect you. After the above configuration has been made you have to do some configuration on the FortiSwitches themselves. Log on to each FortiSwitch with the following command:
execute ssh <user>@<fortiswitch-ip>
Replace the IP address with the address of each FortiSwitch. Put the following configuration on the ports of the port-channel. You can use lacp-passive on the FortiSwitches and lacp-active on the Cisco switches.
config switch physical-port
    edit "port46"
        set cdp-status tx-rx
        set description "MCLAG-CISCO4500"
        set lldp-profile "default-auto-isl"
        set speed 1000full
    next
end
config switch trunk
    edit "mclag-cisco4500"
        set description "cisco4500"
        set mode lacp-passive
        set bundle enable
        set max-bundle 24
        set mclag enable
        set members "port46"
    next
end
When this has been done you can proceed to configure the Cisco switches.
You can configure the switches by using the following commands:
!
interface Port-channel11
 switchport
 switchport mode trunk
 spanning-tree portfast trunk
 spanning-tree bpdufilter enable
 spanning-tree bpduguard disable
end
!
interface TenGigabitEthernet1/1/11
 switchport mode trunk
 channel-protocol lacp
 channel-group 11 mode active
 spanning-tree portfast trunk
 spanning-tree bpdufilter enable
 spanning-tree bpduguard disable
end
!
interface TenGigabitEthernet2/1/11
 switchport mode trunk
 channel-protocol lacp
 channel-group 11 mode active
 spanning-tree portfast trunk
 spanning-tree bpdufilter enable
 spanning-tree bpduguard disable
end
When this has been done you are ready to connect the switches together.
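As an added example that is not part of the original post, here is a small Python check that parses the FortiOS switch-controller block in the syntax used above and flags the mistakes this post warns about: the trunk name differing between the two MCLAG peers, mclag not enabled, and a passive/passive LACP pairing with the Catalyst side. The serials and trunk name are the ones used above; the sample block and the parse_trunks/check_mclag_lacp function names are my own, and the Cisco mode is passed in as the value from "channel-group 11 mode active".

```python
import re
# Constructed sample in the FortiOS switch-controller syntax (serials from the post).
FORTI_CFG = '''config switch-controller managed-switch
    edit "FS1E48T419000108"
        config ports
            edit "mclag-cisco4500"
                set mode lacp-passive
                set mclag enable
            next
        end
    next
    edit "FS1E48T419000155"
        config ports
            edit "mclag-cisco4500"
                set mode lacp-passive
                set mclag enable
            next
        end
    next
end'''

def parse_trunks(cfg):
    """serial -> {port name -> {setting: value}}; edit/next nesting: depth 1 switch, depth 2 port."""
    switches, stack = {}, []
    for line in (l.strip() for l in cfg.splitlines()):
        if m := re.match(r'edit "([^"]+)"', line):
            stack.append(m.group(1))
        elif line == "next":
            stack.pop()
        elif (m := re.match(r"set (\S+) (.+)", line)) and len(stack) == 2:
            serial, port = stack
            switches.setdefault(serial, {}).setdefault(port, {})[m.group(1)] = m.group(2).strip('"')
    return switches

def check_mclag_lacp(cfg, trunk, cisco_mode):
    """Problems that stop the bundle forming; cisco_mode = Catalyst 'channel-group N mode'."""
    problems, modes = [], {}
    for serial, ports in parse_trunks(cfg).items():
        t = ports.get(trunk, {})
        if not t:
            problems.append(f"{serial}: no trunk named {trunk}, name must match on both peers")
        elif t.get("mclag") != "enable":
            problems.append(f"{serial}: {trunk} has mclag disabled")
        modes[serial] = t.get("mode")
    if len(set(modes.values())) != 1:
        problems.append(f"lacp mode differs between MCLAG peers: {modes}")
    if set(modes.values()) == {"lacp-passive"} and cisco_mode == "passive":
        problems.append("both ends passive: no LACPDUs are sent, the bundle never forms")
    return problems
```

Feed it the full "show" output of the switch-controller block to check a real deployment; an empty list means the two FortiSwitch sides agree and the LACP roles can negotiate.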