bmduncan34
New Member
July 18, 2019
Question

Building VPC between FortiSwitches (MCLAG/ICL) and Cisco Nexus 9K Switches


I'm trying to bring up a trunk over a port-channel between a pair of 1048E's and a pair of Cisco 9504's that are configured using vPC.  One fibre connects one 1048 to one 9504, and the other fibre connects the other 1048 to the other 9504.  The VPC on the Cisco side fails, saying "vpc port channel mis-config due to vpc links in the 2 switches connected to different partners".  I am working with support and Cisco support, but I wanted to ask if others have gotten this working.  We're looking at possible spanning-tree issues, but also best practice guides on the Cisco side for VPC's.  I want to trunk my Fortinet distribution switches to my Cisco infrastructure so I can leverage other vlans in my Fortinet firewalls.  Any thoughts?


    rwpatterson
    New Member
    July 18, 2019

    Why not use industry standard LACP instead?

    hubertzw
    New Member
    July 18, 2019

    bmduncan34 wrote:

     "vpc port channel mis-config due to vpc links in the 2 switches connected to different partners"

    I think your cabling is wrong. Let's say VPC100 and VPC200 are configured on both switches, with VPC100 on both switches connecting to FG1 and VPC200 on both switches connecting to FG2.

    On the FGT you configure the LAG (FortiOS CLI; the aggregate interface is wrapped in its `config system interface` block so it can be pasted as-is):

    config system interface
        edit "p1-p2"
            set vdom "root"
            set vlanforward enable
            set type aggregate
            set member "port1" "port2"
            set snmp-index 15
        next
    end

    bmduncan34
    New Member
    July 20, 2019

    Thanks very much.  In my situation I'm terminating on managed 1048E switches, with 601Es hosting the switch controller.  So I get the cabling and using two different vPCs on the 9Ks, but on the FortiSwitch side would I have two MCLAGs that correspond to VPC100 and VPC200?  So there would be an "MCLAG to VPC100" and an "MCLAG to VPC200".  Think that would work?

    Thanks again.

    hubertzw
    New Member
    July 21, 2019

    My fault, my reply was about the N9K and FortiGate, not FortiSwitch. It makes a huge difference. I don't think you can use vPC between them.

    elisha_wang
    New Member
    July 29, 2019

    Hi, it seems your topology is wrong.

    For FortiSwitch to Cisco, your topology should be one FortiSwitch channel to one Cisco switch; you cannot connect one FortiSwitch channel to two Cisco switches.

    J_Andersen
    New Member
    February 10, 2020

    I have a similar issue.

    My setup contains 2 FortiSwitch 248Ds, managed via 2 FortiGate 100Es. The two FortiSwitches are configured and connected with an MCLAG-ICL link. I'm trying to connect my two FortiSwitches to my Cisco 2960X (stacked as one logical switch) via LACP.

    The LACP link goes down as soon as I connect the port from the second FortiSwitch to the LAG ports. On my Cisco switch, my EtherChannel is err-disabled due to channel-misconfig (receiving BPDUs from a different sender).

    Looking at my MCLAG link on the FortiSwitches, they should send LACP BPDUs with the same ID:

    SW1:

    # diagnose switch mclag list
    (*) - Using local system-id in LACP BPDU

    Po1(*)
    ------
        Local system ID              70:4c:a5:6f:37:4a
        Peer system ID               70:4c:a5:6f:37:4a
        Current system ID            70:4c:a5:6f:37:4a
        Local ports                  43-44
        Peer ports                   43-44
        Local uptime                 0 days  1h:16m: 3s
        Peer uptime                  0 days  0h: 0m: 0s
        Local LAG is configured as LACP active.
        Atleast one local LAG port is UP.
        Peer LAG is configured as LACP active
        All peer LAG ports are down,
        ICL traffic may be forwarded to local LAG port.
        Updates sent to peer         8108
        Updates received from peer   8105

    SW2:

    # diagnose switch mclag list
    (*) - Using local system-id in LACP BPDU

    Po1
    ---
        Local system ID              70:4c:a5:6f:2a:36
        Peer system ID               70:4c:a5:6f:37:4a
        Current system ID            70:4c:a5:6f:37:4a
        Local ports                  43-44
        Peer ports                   43-44
        Local uptime                 0 days  0h: 0m: 0s
        Peer uptime                  0 days  1h:14m:47s
        Local LAG is configured as LACP active.
        Peer system id is used in LACP BPDU.
        Peer LAG is configured as LACP active
        Atleast one peer LAG port is UP,
        local LAG ports are filtered for ICL traffic.
        Updates sent to peer         8030
        Updates received from peer   8033


    I haven't been able to solve it yet.

    I really don't want to disable channel-misconfig detection on my Cisco stack.

    /Jonas
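    As an added example that is not part of the thread (my code, not Fortinet's or Cisco's): a small Python check that parses `diagnose switch mclag list` output from both MCLAG peers and reports the conditions under which the upstream switch would see two different LACP partners, or only one live member, on its bundle. The two outputs above are embedded as constructed sample text. The `check_pair`, `parse_mclag` and `uptime_seconds` functions and the wording of the findings are mine; the reading that the pair must agree on "Current system ID", with exactly one side marked `(*)` as the source of that ID, is my interpretation of the legend line in the output rather than a Fortinet statement.

```python
import re

# Constructed sample input: the two `diagnose switch mclag list` outputs from the
# post above, trimmed to the lines this check reads.
SW1_OUTPUT = """\
(*) - Using local system-id in LACP BPDU

Po1(*)
------
    Local system ID              70:4c:a5:6f:37:4a
    Peer system ID               70:4c:a5:6f:37:4a
    Current system ID            70:4c:a5:6f:37:4a
    Local ports                  43-44
    Peer ports                   43-44
    Local uptime                 0 days  1h:16m: 3s
    Peer uptime                  0 days  0h: 0m: 0s
    Local LAG is configured as LACP active.
    Atleast one local LAG port is UP.
    Peer LAG is configured as LACP active
    All peer LAG ports are down,
    ICL traffic may be forwarded to local LAG port.
"""

SW2_OUTPUT = """\
(*) - Using local system-id in LACP BPDU

Po1
---
    Local system ID              70:4c:a5:6f:2a:36
    Peer system ID               70:4c:a5:6f:37:4a
    Current system ID            70:4c:a5:6f:37:4a
    Local ports                  43-44
    Peer ports                   43-44
    Local uptime                 0 days  0h: 0m: 0s
    Peer uptime                  0 days  1h:14m:47s
    Local LAG is configured as LACP active.
    Peer system id is used in LACP BPDU.
    Peer LAG is configured as LACP active
    Atleast one peer LAG port is UP,
    local LAG ports are filtered for ICL traffic.
"""

# "Label   value" lines; two or more spaces separate the label from the value.
FIELD_RE = re.compile(
    r"^\s*(Local system ID|Peer system ID|Current system ID|Local uptime|Peer uptime)"
    r"\s{2,}(\S.*?)\s*$", re.M)
# Port-channel header; a trailing "(*)" marks the side sourcing the LACP system ID.
LAG_RE = re.compile(r"^\s*(Po\d+)(\(\*\))?\s*$", re.M)
UPTIME_RE = re.compile(r"(\d+) days\s+(\d+)h:\s*(\d+)m:\s*(\d+)s")


def uptime_seconds(text):
    """Convert an uptime such as '0 days  1h:16m: 3s' to seconds."""
    days, hours, mins, secs = (int(x) for x in UPTIME_RE.search(text).groups())
    return ((days * 24 + hours) * 60 + mins) * 60 + secs


def parse_mclag(text):
    """Pull the fields this check needs out of one switch's diagnose output."""
    lag = LAG_RE.search(text)
    fields = dict(FIELD_RE.findall(text))
    return {
        "lag": lag.group(1),
        "uses_local_id": lag.group(2) is not None,
        "local_id": fields["Local system ID"],
        "peer_id": fields["Peer system ID"],
        "current_id": fields["Current system ID"],
        "local_uptime": uptime_seconds(fields["Local uptime"]),
        "peer_uptime": uptime_seconds(fields["Peer uptime"]),
        "local_port_up": "one local LAG port is UP" in text,
        "peer_ports_down": "All peer LAG ports are down" in text,
    }


def check_pair(name_a, text_a, name_b, text_b):
    """Return a list of findings; an empty list means the pair looks consistent."""
    a, b = parse_mclag(text_a), parse_mclag(text_b)
    findings = []
    # Both members must advertise the same system ID, or the upstream switch
    # sees two different LACP partners on one bundle (assumption, see lead-in).
    if a["current_id"] != b["current_id"]:
        findings.append(f"Current system ID differs: {name_a}={a['current_id']} "
                        f"{name_b}={b['current_id']}")
    # Exactly one side should be marked (*), sourcing its own ID; the other
    # side should have adopted it.
    if a["uses_local_id"] == b["uses_local_id"]:
        findings.append("expected exactly one side marked (*) as the system-ID source")
    for name, s in ((name_a, a), (name_b, b)):
        if s["uses_local_id"] and s["local_id"] != s["current_id"]:
            findings.append(f"{name}: marked (*) but Current system ID is not its own")
        # A member whose local LAG has never come up leaves the upstream bundle
        # with a single live link even when the IDs agree.
        if s["local_uptime"] == 0 or not s["local_port_up"]:
            findings.append(f"{name}: local LAG has never come up "
                            f"(uptime {s['local_uptime']}s, member port UP: {s['local_port_up']})")
        if s["peer_ports_down"]:
            findings.append(f"{name}: reports all peer LAG ports down")
    return findings


if __name__ == "__main__":
    for line in check_pair("SW1", SW1_OUTPUT, "SW2", SW2_OUTPUT) or ["pair consistent"]:
        print(line)
```

    Run against the two outputs above, the IDs agree and exactly one side is marked `(*)`, so the check reports nothing about the system ID; what it does flag is that SW2's local LAG has an uptime of zero and that SW1 sees all peer LAG ports down, so the upstream bundle only ever had one live member.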

    bmduncan34
    New Member
    February 10, 2020

    Is the MCLAG a trunk on the FortiSwitches?  What is going on with spanning tree?  I had to disable spanning tree on the MCLAG/trunk on my 1048s, which are ICL'd to each other.  Measure twice, cut once, when messing with spanning tree!  But for me, I had to disable that and the port-channel came up fine.  Also, if you are configuring in the GUI, click on one MCLAG member, hold the Control key, and then select the second member.  THEN right-click to disable STP.  I tried doing it to individual MCLAG members and it wasn't pretty.

    Huey
    New Member
    February 11, 2020

    I have a PDF but can't attach it.  Send me your email and I'll email it to you.  I was able to build a LACP bundle, but you need to follow the order of the instructions in the PDF.

    wjanmayka_FTNT
    Staff
    May 23, 2024

    Hi Huey,

    Please give me your instructions PDF.  I face the same issue with Cisco vPC and an FS3032E MCLAG.

    Regards,

    Wittaya J.

    FortiJason
    Staff
    December 20, 2024

    Hello @wjanmayka_FTNT, did you ever get this information?  I am faced with the same issue with a customer and it seems difficult to find out how to configure this.