FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
lcamilo
Staff
Article Id 351091
Description

 

This article describes the steps to configure an MCLAG topology from the FortiGate acting as the Switch Controller, and how to use the 'diag switch-controller switch-recommendation' commands.
All configurations in this guide are designed to be triggered exclusively from the FortiGate acting as the Switch Controller.
The commands in this guide only support building topologies of up to 2 tiers. A third tier can be added as a continuation of this KB (link TBD).

 

Scope

 

FortiOS 7.2.x and onwards.
FortiSwitch 2XX Series and higher.

 

Solution
  • Step 1 - Connect FSW_Core1 ONLY and allow it to be discovered, authorized and online.
  • Step 2 - Connect FSW_Core2 and allow it to be discovered, authorized and online.
  • Step 3 - Building the tier1 MCLAG level between FSW_Core1 and FSW_Core2.
  • Step 4 - Building the tier2 MCLAG level between Tier2_1 and Tier2_2.
  • Step 5 - Building the tier2 MCLAG level between Tier2_3 and Tier2_4.
  • Layer-3 Topology.
  • References.

 

Network Layer-2 and cabling topology. 

 

mclag_l2_diagram

 

Considerations: 

  • The switch must be discovered, authorized and online before it can receive commands, configurations and settings.
  • Starting with FortiSwitch 7.2.0, all ports are enabled for FortiLink auto-discovery by default.
  • Follow this guide as accurately as possible: deviating from the order of steps may introduce loops that bring the whole topology down.
  • The FortiGate firewalls are pre-configured in HA Active-Active or Active-Passive mode.
  • The switches are factory-reset and running the latest compatible firmware version according to the FortiSwitch Compatibility Matrix.
  • Before FOS 7.2.x, the commands 'set-tier1-mclag-icl' and 'set-tier-plus-mclag-icl' were found under 'execute switch-controller switch-recommendations'.

 

Terminology: 

  • FortiSwitch Trunk = 802.3ad LACP aggregate interface.
  • FortiSwitch ICL = Inter-Chassis Link (switch stack).
  • FortiSwitch MCLAG = Multi-Chassis LAG.

 

Step-by-step Guide: 

 

Step 1 - Connect FSW_Core1 ONLY and allow it to be discovered, authorized and online.
Temporarily enable the FortiLink split interface on the FortiGate FortiLink interface, because Core1 and Core2 will initially be discovered as two distinct switches.

fortilink_0.png

 

Useful commands: 

  • exec switch-controller get-conn-status
  • exec switch-controller diagnose-connection

FSW_Core1

 

Make sure there are no C, U, S, D or E flags before moving to the next step. 

 

Core1_1.png

 

Step 2 - Connect FSW_Core2 and allow it to be discovered, authorized and online. 

FSW_Core2

 

Step 3 - Building the tier1 MCLAG level between FSW_Core1 and FSW_Core2.
Replace fortilink, Core1_Serial and Core2_Serial in the command below according to the desired topology.
Then run the following command from an SSH session on the FortiGate.

 

diag switch-controller switch-recommendation set-tier1-mclag-icl fortilink Core1_Serial Core2_Serial

 

set-tier1-mclag-icl.png

 

Disable the FortiLink split interface to allow both switches to actively communicate with the FortiGate.
As shown in the example below, port2 was brought down because split-interface was enabled; disable it now.

 

fortilink_2.png

 

Allow some time after applying the changes for the topology to be processed and recalculated.
To confirm the MCLAG formation, use 'diagnose switch-controller switch-info mclag list'.
Ensure the local and peer ports match the desired topology.

 

set-tier1-mclag-icl_1.png

 

To confirm the ICL formation, use 'diagnose switch-controller switch-info mclag icl'.

Notice that the ICL was formed on port8 between the switches, and also confirm the local and peer serial numbers.

 

set-tier1-mclag-icl_2.png

 

Switching the GUI to the 'Topology' map makes it possible to confirm a few important items and marks the end of configuring the tier 1 devices.

 

set-tier1-mclag-icl_3.png

 

Step 4 - Building the tier2 MCLAG level between Tier2_1 and Tier2_2.

Power up and connect the Tier2_1 and Tier2_2 switches. Ensure they are discovered, authorized and both UP.

Make sure there are no C, U, S, D or E flags before moving to the next step.

 

set-tier-plus-mclag-icl_0.png

 

Replace fortilink, Core1_Serial, Core2_Serial, Tier2_1_Serial and Tier2_2_Serial in the command below according to the desired topology.

Then run the following command from an SSH session on the FortiGate.

 

diag switch-controller switch-recommendation set-tier-plus-mclag-icl fortilink Core1_Serial Core2_Serial Tier2_1_Serial Tier2_2_Serial tier2_A

 

set-tier-plus-mclag-icl_1.png

 

Use the following commands to confirm whether those switches were properly configured.

 

  • diagnose switch-controller switch-info mclag list
  • diagnose switch-controller switch-info mclag icl
  • diagnose switch-controller switch-info mclag peer-consistency-check

The Topology should look like this at the end of this step: 

 

set-tier-plus-mclag-icl_2.png

 

Step 5 - Building the tier2 MCLAG level between Tier2_3 and Tier2_4.

Power up and connect the Tier2_3 and Tier2_4 switches. Ensure they are discovered, authorized and both UP.

Make sure there are no C, U, S, D or E flags before moving to the next step.

 

set-tier-plus-mclag-icl_3.png

 

Replace fortilink, Core1_Serial, Core2_Serial, Tier2_3_Serial and Tier2_4_Serial in the command below according to the desired topology.

Then run the following command from an SSH session on the FortiGate.

 

diag switch-controller switch-recommendation set-tier-plus-mclag-icl fortilink Core1_Serial Core2_Serial Tier2_3_Serial Tier2_4_Serial tier2_B

 

set-tier-plus-mclag-icl_4.png

 

Use the following commands to confirm whether those switches were properly configured.

 

  • diagnose switch-controller switch-info mclag list
  • diagnose switch-controller switch-info mclag icl
  • diagnose switch-controller switch-info mclag peer-consistency-check

The topology should look like this at the end of this step: 

 

set-tier-plus-mclag-icl_5.png
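The readiness rule repeated in Steps 1, 2, 4 and 5 (no C, U, S, D or E flags, switch authorized and up) is what protects the topology from the loops mentioned in the considerations. The Python below is an added example, not part of this KB or of FortiOS: it parses a constructed, approximate table in the style of 'get-conn-status' (the column layout is an assumption; only the STATUS and FLAG columns are used) and emits the Step 3 to Step 5 commands only when every switch involved is ready.

```python
# Added example, not from the KB. Constructed approximation of the
# 'get-conn-status' table: columns are assumed, only STATUS and FLAG are used.
SAMPLE_STATUS = """\
SWITCH-ID         VERSION  STATUS          FLAG  ADDRESS      SOURCE-IF
CORE1SERIAL000001 v7.2.8   Authorized/Up   -     169.254.1.2  fortilink
CORE2SERIAL000002 v7.2.8   Authorized/Up   -     169.254.1.3  fortilink
TIER2SERIAL000003 v7.2.8   Authorized/Up   C     169.254.1.4  fortilink
TIER2SERIAL000004 v7.2.8   Authorized/Down -     169.254.1.5  fortilink
"""
BLOCKING_FLAGS = set("CUSDE")  # the flags the article says must be absent

def parse_status(text):
    # {serial: (status, flags)}; header row and short lines are skipped
    rows = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "SWITCH-ID":
            continue
        rows[parts[0]] = (parts[2], "" if parts[3] == "-" else parts[3])
    return rows

def not_ready(rows, serials):
    # Reasons a switch cannot yet receive recommendation commands
    bad = {}
    for s in serials:
        if s not in rows:
            bad[s] = "not discovered"
            continue
        status, flags = rows[s]
        if status != "Authorized/Up":
            bad[s] = status
        elif BLOCKING_FLAGS & set(flags):
            bad[s] = "flags " + "".join(sorted(BLOCKING_FLAGS & set(flags)))
    return bad

def mclag_commands(rows, fortilink, core1, core2, tier2=()):
    # Step 3 command, then one Step 4/5 command per (a, b, trunk) tier-2 pair; refuses while any switch is not ready
    base = "diag switch-controller switch-recommendation "
    serials = [core1, core2] + [s for a, b, _ in tier2 for s in (a, b)]
    names = [n for _, _, n in tier2]
    if len(set(serials)) != len(serials) or len(set(names)) != len(names):
        raise ValueError("serials and tier-2 trunk names must be unique")
    bad = not_ready(rows, serials)
    if bad:
        raise RuntimeError(f"switches not ready: {bad}")
    cmds = [f"{base}set-tier1-mclag-icl {fortilink} {core1} {core2}"]
    for a, b, name in tier2:
        cmds.append(f"{base}set-tier-plus-mclag-icl {fortilink} {core1} {core2} {a} {b} {name}")
    return cmds
```

With the sample table, the tier-1 command is produced for the two core switches, while a tier-2 pair is refused because one switch still carries the C flag and the other is down.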

 

FortiSwitch Core1 and Core2 should each have:

  • One Trunk (LACP) connection to the FortiGate named 'GVM04TM24005168' on port1 and port2.
  • One Trunk (LACP) ICL connection named '_FlInK1_ICL0_' on port8.
  • One Trunk (LACP) connection named 'tier2_A' on port3 to switches Tier2_1 and Tier2_2.
  • One Trunk (LACP) connection named 'tier2_B' on port3 to switches Tier2_3 and Tier2_4.

 

peer-consistency-check_0.png

 

Tier 2 FortiSwitches should have one Trunk (LACP) connection upstream named '_FlInK1_MLAG0_', and one Trunk (LACP) ICL connection named '_FlInK1_ICL0_' on port8:

 

peer-consistency-check_1.png

 

The Layer-3 topology should look like this; it helps in interpreting the output above.

 

mclag_L3.png

 

Use the command below to troubleshoot possible spanning tree problems: 

 

diagnose switch-controller switch-info stp

 

By using the commands and the guide above, it is possible to enable and configure a 2-tier MCLAG topology using the FortiGate as a Switch Controller.

 
