Explorer III

Question

auto-isl-port-group best practice

Forum|Forum|2 years ago
January 24, 2024
6 replies
13878 views

Hi all,

Wonder if someone can help me understand the use case for the auto-isl-port-group command on FortiSwitch. Taking the below diagram as an example, if the the distribution layer layer is already configured for MCLAG ICL when the access layer switches are attached the distribution layer switches will automatically establish automatically a trunk as per below:

edit "_FlInK1_MLAG0_"
set mode lacp-active
set auto-isl 1
set mclag enable
set members "port29" "port30"

Network Diagram.png

Since these trunks are automatically established when connecting switches to an exiting MCLAG ICL peer group what is the use case for the auto-isl-port-group command and what difference is there in letting the trunks establish automatically rather than manually setting the auto-isl-port-group?

Thanks in advance.

Dan_Eng52

FortiSwitch

Anthony_E

Staff

Hello Dan,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,

Best Regards

Dan_Eng52Author

Explorer III

Hi Anthony_E,

I've been trying to find an answer but haven't managed to find anything as of yet so that would be greatly appreciated.

Thanks,
Dan.

Anthony_E

Staff

Hello Dan,

We are contacting experts to provide the best answer :)!

Regards,

Best Regards

Anthony_E

Staff

Hi Dan,

Did you already have a look at this document?:

https://docs.fortinet.com/document/fortiswitch/6.4.2/devices-managed-by-fortios/617516/network-topologies

Tell me if it is helping. If not, we will continue to look for an answer.

Regards,

Best Regards

Dan_Eng52Author

Explorer III

Hi Anthony,

Yes, it was actually that document that sparked my curiosity but did not answer my question. If you're able to find an answer for me, that would be greatly appreciated.

Regards,

Dan.

Anthony_E

Staff

Oh ok!

Let me find an FSW expert!

Best Regards

sachitdas_FTNT

Staff

Hi Dan,

We configure auto-isl-port-group when we configure multi tier mclag setup. For eg. in tier1 and tier2 mclag, we will configure auto-isl-port-group on tier1 mclag FSWs. In the auto-isl-port-group, we will add the ports as member that are connecting to tier2 mclag FSWs.

Technical Tip: Three-tier MCLAG configuration on m... - Fortinet Community

Dan_Eng52Author

Explorer III

Hi Sachit Das,

Thanks for your response.

What does this achieve compared to leaving the MCLAG tiers automatically establish their trunks automatically? If I have two tiers of MCLAG peer switches already setup and I connect them together, they will automatically create the trunks as below:

edit "_FlInK1_MLAG0_"
set mode lacp-active
set auto-isl 1
set mclag enable
set members "port29" "port30"

If I already have a multi tier MCLAG setup with the above automatically created trunks, is there any merit or difference to issuing the auto-isl-port-group and would this cause any issues on a live environment?

Am I correct in stating that if we issue the auto-isl-port-group the name must match across the MCLAG peer switches but the ports themselves in that group will be local to that device?

Many thanks in advance,

Dan.

sachitdas_FTNT

Staff

Hi Dan, it will create STP loops and inconsistency in the network if you do not configure auto-isl-port-group (as per design). Yes, names should be the same on both MCLAG-ICL peers. This setting instructs the switches to group ports from MCLAG peers together into one MCLAG when the inter-switch link (ISL) is formed.

Dan_Eng52Author

Explorer III

Hi Gatlinllon,

This will need to be configured only on links connecting to downstream tiers if you have a multi-tier deployment, the auto-isl-group name must match among MCLAG-ICL peers. This setting instructs the switches to group ports from MCLAG peers together into one MCLAG when the inter-switch link (ISL) is formed.

In the initial phase of deployment I didn't have this setup and the FortiSwitch devices established their ISL's automatically. Although this is not recommended by design this did not cause any STP issue or inconsistencies. I have since however, resolved this by issuing the below custom command on the FortiGate switch-controller since I have a full-stack deployment.

config switch auto-isl-port-group
edit tier-2
set members port29 port30
end

config switch-controller custom-command
edit "auto-isl-port-group-tier-2"
set command "config switch auto-isl-port-group %0a edit tier-2 %0a set members port29 port30 %0a end %0a"
end

In your case if you are connecting multi-tiers, this is required on the downstream links. Without it, there is a possibility of causing STP issue and inconsistencies which could affect network and since it is a recommendation and easy to implement.

If you're not implementing multi-tier MCLAG you do not need to worry about this.

Thanks,

Dan.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded