This article describes how to change the VLAN protocol of a VLAN sub-interface inside an aggregate interface when the FortiGate connects to third-party switches in MC-LAG.
FortiGate attached to downstream third-party switches in MC-LAG.
The interface IP of the FortiGate is 10.244.0.1, and it is directly connected to the downstream switches, which use 10.244.0.5.
The aggregate interface on the FortiGate is named Aggregate-Intf and includes port6 and port8. A VLAN sub-interface with VLAN ID 1800 is configured under the aggregate interface.
When a new VLAN interface is created, the VLAN protocol can be set to either 802.1ad or 802.1Q.
If 802.1ad is chosen, tagged traffic that the downstream switch sends on VLAN ID 1800 is not matched to the VLAN-1800 sub-interface: the switch tags the frames with the 802.1Q TPID (0x8100), while a sub-interface created with 802.1ad only matches frames tagged with the 802.1ad TPID (0x88a8). The VLAN ID alone is not enough; the tag protocol has to match as well.
1) Take a packet capture on the parent interface as well as on the VLAN interface.
2) Open the PCAP of the parent interface.
The FortiGate sends the ARP request for 10.244.0.5 tagged with VLAN ID 1800 using 802.1ad.
The ARP reply is seen tagged with the same VLAN ID 1800, but using 802.1Q. Because the request was sent with the 802.1ad protocol and the reply arrives with 802.1Q, the reply does not match the 802.1ad sub-interface, and the FortiGate drops it.
3) To fix this, delete the VLAN ID 1800 sub-interface and re-add the same VLAN ID under Aggregate-Intf, making sure the VLAN protocol is 802.1Q:
config system interface
    edit Vlan-ID-1800
        set vlan-protocol 8021q
    end
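The capture analysis in steps 1 and 2 and the protocol match that step 3 corrects, as an added worked example that is not part of the original article and not Fortinet code: it builds two frames constructed to mirror the capture (the FortiGate's ARP request tagged with 802.1ad, the switch's ARP reply on the same VLAN ID 1800 tagged with 802.1Q), decodes the TPID and VID from each, and applies the sub-interface match rule under both vlan-protocol settings. The MAC addresses, the exact frame contents and the mapping of the vlan-protocol keywords to TPIDs are assumptions made for illustration; the TPID values 0x8100 and 0x88a8 are the standard ones.

```python
import socket
import struct

# TPID (tag protocol identifier) values from the IEEE standards.
TPID_8021Q = 0x8100   # customer tag, what the switch used for the ARP reply
TPID_8021AD = 0x88A8  # service tag, what the FortiGate used for the ARP request
ETHERTYPE_ARP = 0x0806

# Assumed mapping from the FortiOS 'set vlan-protocol' keyword to the TPID on the wire.
VLAN_PROTOCOL_TPID = {"8021q": TPID_8021Q, "8021ad": TPID_8021AD}

# Constructed MAC addresses for the two endpoints; they are not from any real capture.
FGT_MAC = bytes.fromhex("00090f000001")
SW_MAC = bytes.fromhex("0001020304aa")
BROADCAST = b"\xff" * 6


def build_tagged_frame(dst, src, tpid, vid, ethertype, payload, pcp=0):
    """Build an Ethernet frame carrying one VLAN tag: dst, src, TPID, TCI, inner ethertype, payload."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", tpid, tci, ethertype) + payload


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet/IPv4 ARP packet (opcode 1 = request, 2 = reply)."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
            + sender_mac + socket.inet_aton(sender_ip)
            + target_mac + socket.inet_aton(target_ip))


def parse_vlan_tag(frame):
    """Return (tpid, vid, inner_ethertype) for a singly tagged frame, or None if it is untagged.

    A double-tagged (QinQ) frame would show 0x8100 as inner_ethertype; the
    article's capture carries a single tag, so only the outer tag is examined.
    """
    if len(frame) < 18:
        raise ValueError("frame too short to carry a VLAN tag")
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid not in (TPID_8021Q, TPID_8021AD):
        return None
    tci, ethertype = struct.unpack_from("!HH", frame, 14)
    return tpid, tci & 0x0FFF, ethertype


def tag_name(tpid):
    return "802.1ad" if tpid == TPID_8021AD else "802.1Q"


def matches_subinterface(frame, vlan_protocol, vlanid):
    """Sub-interface match rule: the TPID must equal the configured protocol AND the
    VID must equal the configured vlanid. A matching VID with the wrong TPID is
    exactly the case in the article, and it fails."""
    tag = parse_vlan_tag(frame)
    if tag is None:
        return False
    tpid, vid, _ = tag
    return tpid == VLAN_PROTOCOL_TPID[vlan_protocol] and vid == vlanid


# Frames constructed to mirror the capture in steps 1 and 2.
ARP_REQUEST = build_tagged_frame(
    BROADCAST, FGT_MAC, TPID_8021AD, 1800, ETHERTYPE_ARP,
    build_arp(1, FGT_MAC, "10.244.0.1", b"\x00" * 6, "10.244.0.5"))
ARP_REPLY = build_tagged_frame(
    FGT_MAC, SW_MAC, TPID_8021Q, 1800, ETHERTYPE_ARP,
    build_arp(2, SW_MAC, "10.244.0.5", FGT_MAC, "10.244.0.1"))
# An untagged frame, to show the parser does not mistake a plain ethertype for a tag.
UNTAGGED_IPV4 = FGT_MAC + SW_MAC + struct.pack("!H", 0x0800) + b"\x00" * 20


def describe(frame):
    """Summarise the frame's tag the way you would read it off the capture."""
    tag = parse_vlan_tag(frame)
    if tag is None:
        return "untagged"
    tpid, vid, ethertype = tag
    return f"{tag_name(tpid)} (TPID 0x{tpid:04x}) VID {vid}, inner ethertype 0x{ethertype:04x}"


if __name__ == "__main__":
    print("ARP request:", describe(ARP_REQUEST))
    print("ARP reply:  ", describe(ARP_REPLY))
    for proto in ("8021ad", "8021q"):
        print(f"sub-interface vlan-protocol {proto}, vlanid 1800 matches reply:",
              matches_subinterface(ARP_REPLY, proto, 1800))
```

Running it shows the request decoded as 802.1ad and the reply as 802.1Q on the same VID 1800; the reply fails the match while the sub-interface is set to 8021ad and passes once it is set to 8021q, which is why step 3 recreates the interface with vlan-protocol 8021q. The same check is what to apply when reading a real capture of the parent interface: compare the TPID at byte offset 12 of the reply against the sub-interface's configured protocol, not just the VLAN ID.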
Copyright 2025 Fortinet, Inc. All Rights Reserved.