Technical Tip: Configuring MCLAG using switch-recommendation CLI commands
Description
This article describes the steps to configure an MCLAG topology from a FortiGate acting as the Switch Controller, and how to use the 'diag switch-controller switch-recommendation' commands.
All configurations in this guide are designed to be triggered exclusively from the FortiGate acting as the Switch Controller.
The commands in this guide only support topologies of up to 2 tiers. A third tier can be added as a continuation of this KB (link TBD).
Scope
FortiOS 7.2.x and onwards.
FortiSwitch 2XX Series and higher.
Solution
- Step 1 - Connect FSW_Core1 ONLY and allow it to be discovered, authorized and online.
- Step 2 - Connect FSW_Core2 and allow it to be discovered, authorized and online.
- Step 3 - Building the tier1 mclag level between FSW_Core1 and FSW_Core2.
- Step 4 - Building the tier2 mclag level between Tier2_1 and Tier2_2.
- Step 5 - Building the tier2 mclag level between Tier2_3 and Tier2_4.
- Layer-3 Topology.
- References.
Network Layer-2 and cabling topology.
Considerations:
- Each switch must be discovered, authorized and online before it can receive commands, configurations and settings.
- Starting with FortiSwitch 7.2.0, all ports are enabled for FortiLink auto-discovery by default.
- Follow this guide as accurately as possible: a mistake may introduce a loop and bring the whole topology down.
- The FortiGate firewalls are pre-configured in HA Active-Active or Active-Passive mode.
- The switches are factory-reset and running the latest compatible firmware version according to the FortiSwitch Compatibility Matrix.
- Before FOS 7.2.x, the commands 'set-tier1-mclag-icl' and 'set-tier-plus-mclag-icl' were found under 'execute switch-controller switch-recommendations'.
Terminology:
- FortiSwitch Trunk = 802.3ad LACP aggregate interface.
- FortiSwitch ICL = Inter Chassis Link (Switch Stack).
- FortiSwitch MCLAG = Multichassis LAG.
Step-by-step Guide:
Step 1 - Connect FSW_Core1 ONLY and allow it to be discovered, authorized and online.
Temporarily enable FortiLink split interface on the FortiGate fortilink interface, because Core1 and Core2 will initially be discovered as 2 distinct switches.

Useful commands:
- exec switch-controller get-conn-status
- exec switch-controller diagnose-connection
Make sure there are no C, U, S, D or E flags before moving to the next step.

Step 2 - Connect FSW_Core2 and allow it to be discovered, authorized and online.
Step 3 - Building the tier1 mclag level between FSW_Core1 and FSW_Core2.
Replace fortilink, Core1_Serial and Core2_Serial in the command below according to the desired topology.
Then run the following command from the FortiGate SSH.
diag switch-controller switch-recommendation set-tier1-mclag-icl fortilink Core1_Serial Core2_Serial

Disable FortiLink split interface to allow both switches to actively communicate with the FortiGate.
As shown in the example below, port2 was brought down because split-interface was enabled, so disable it.

After applying the changes, allow some time for the topology to be processed and recalculated.
To confirm the MCLAG formation, use 'diagnose switch-controller switch-info mclag list'.
Ensure the local and peer ports match the desired topology.

To confirm the ICL formation, use 'diagnose switch-controller switch-info mclag icl'.
Notice that the ICL was formed on port8 between the switches, and also confirm the local and peer serial numbers.

By switching the GUI to the 'Topology' map, it is possible to confirm a few important items and mark the end of configuring the tier 1 devices.

Step 4 - Building the tier2 mclag level between Tier2_1 and Tier2_2.
Power up and connect the Tier2_1 and Tier2_2 switches. Ensure they are discovered, authorized and both UP.
Make sure there are no C, U, S, D or E flags before moving to the next step.

Replace fortilink, Core1_Serial, Core2_Serial, Tier2_1_Serial and Tier2_2_Serial in the command below according to the desired topology.
Then run the following command from the FortiGate SSH.
diag switch-controller switch-recommendation set-tier-plus-mclag-icl fortilink Core1_Serial Core2_Serial Tier2_1_Serial Tier2_2_Serial tier2_A
Use the following commands to confirm if those switches were properly configured.
- diagnose switch-controller switch-info mclag list
- diagnose switch-controller switch-info mclag icl
- diagnose switch-controller switch-info mclag peer-consistency-check
The Topology should look like this at the end of this step:

Step 5 - Building the tier2 mclag level between Tier2_3 and Tier2_4.
Power up and connect the Tier2_3 and Tier2_4 switches. Ensure they are discovered, authorized and both UP.
Make sure there are no C, U, S, D or E flags before moving to the next step.

Replace fortilink, Core1_Serial, Core2_Serial, Tier2_3_Serial and Tier2_4_Serial in the command below according to the desired topology.
Then run the following command from the FortiGate SSH.
diag switch-controller switch-recommendation set-tier-plus-mclag-icl fortilink Core1_Serial Core2_Serial Tier2_3_Serial Tier2_4_Serial tier2_B
Use the following commands to confirm if those switches were properly configured.
- diagnose switch-controller switch-info mclag list
- diagnose switch-controller switch-info mclag icl
- diagnose switch-controller switch-info mclag peer-consistency-check
The topology should look like this at the end of this step:

FortiSwitch Core1 and Core2 should have the following:
- One Trunk (LACP) connection to the FortiGate named 'GVM04TM24005168' on port1 and port2.
- One Trunk (LACP) ICL connection named '_FlInK1_ICL0_' on port8.
- One Trunk (LACP) connection named 'tier2_A' on port3 to Switches Tier2_1 and Tier2_2.
- One Trunk (LACP) connection named 'tier2_B' on port3 to Switches Tier2_3 and Tier2_4.

Tier 2 FortiSwitches should have one Trunk (LACP) connection upstream named '_FlInK1_MLAG0_', and one Trunk (LACP) ICL connection named '_FlInK1_ICL0_' on port8:

The Layer-3 topology should look like this and should help in interpreting the output above.

Use the command below to troubleshoot possible spanning tree problems:
diagnose switch-controller switch-info stp
By using the commands and the guide above, it is possible to enable and configure a 2-tier MCLAG topology using the FortiGate as a Switch Controller.
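The commands from Steps 3 to 5, generated in order by a small shell helper that refuses repeated serial numbers or trunk names before anything is pasted into the FortiGate SSH session. This is an added example, not Fortinet tooling; the function names, the character check and the no-repeat rule are assumptions of this example.

```shell
#!/bin/sh
# Added example: print the MCLAG commands from Steps 3-5 in the order they are run.
# Reject empty or repeated values. The character check is a conservative
# assumption of this example, not a documented FortiOS rule.
check_unique() {
    seen=" "
    for v in "$@"; do
        case "$v" in
            ''|*[!A-Za-z0-9_-]*) echo "invalid value: '$v'" >&2; return 1 ;;
        esac
        case "$seen" in
            *" $v "*) echo "duplicate value: $v" >&2; return 1 ;;
        esac
        seen="$seen$v "
    done
}

# tier1_cmd FORTILINK CORE1 CORE2  (Step 3)
tier1_cmd() {
    check_unique "$1" && check_unique "$2" "$3" || return 1
    echo "diag switch-controller switch-recommendation set-tier1-mclag-icl $1 $2 $3"
}

# tier2_cmd FORTILINK CORE1 CORE2 PEER_A PEER_B TRUNK  (Steps 4 and 5)
tier2_cmd() {
    check_unique "$2" "$3" "$4" "$5" && check_unique "$6" || return 1
    echo "diag switch-controller switch-recommendation set-tier-plus-mclag-icl $1 $2 $3 $4 $5 $6"
}

# build_plan FORTILINK CORE1 CORE2 [PEER_A PEER_B TRUNK]...
build_plan() {
    [ $# -ge 3 ] && [ $(( $# % 3 )) -eq 0 ] || { echo "bad argument count" >&2; return 1; }
    fl=$1; c1=$2; c2=$3; shift 3
    plan=$(tier1_cmd "$fl" "$c1" "$c2") || return 1
    serials="$c1 $c2"; trunks=""
    while [ $# -gt 0 ]; do
        line=$(tier2_cmd "$fl" "$c1" "$c2" "$1" "$2" "$3") || return 1
        serials="$serials $1 $2"; trunks="$trunks $3"
        plan="$plan
$line"
        shift 3
    done
    # Each value was validated above, so unquoted word splitting is safe here.
    check_unique $serials && check_unique $trunks || return 1
    printf '%s\n' "$plan"
}

# Placeholder names from this guide; replace them with the real serial numbers.
build_plan fortilink Core1_Serial Core2_Serial Tier2_1_Serial Tier2_2_Serial tier2_A Tier2_3_Serial Tier2_4_Serial tier2_B
```

Run each printed command only after the switches it names show no C, U, S, D or E flags, as required in the steps above.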
Related documents:
- Configuring FortiLink | FortiSwitch 7.6.0 | Fortinet Document Library
- Zero-touch management | FortiSwitch 7.6.0 | Fortinet Document Library
- FortiLink Compatibility | FortiSwitch 7.6.0
- Deploying MCLAG topologies | FortiSwitch 7.6.0 | Fortinet Document Library