Description

This article describes how to change the VLAN protocol inside an Aggregate interface when connecting to 3^rd party switches in MC-LAG.

Scope

Fortigate attached to downstream 3^rd party switches in MC-LAG.

The interface IP of the FortiGate is 10.244.0.1 and is directly connected to the downstream switches through 10.244.0.5

The Interface name of the aggregate on the FortiGate is Aggregate-Intf (which includes port6 and port8). There is a sub-interface with VLAN ID – 1800 inside the Aggregate Interface.

When a new VLAN interface is created, there is an option to use either 802.1ad or 802.1q protocol.

If 802.1AD is choosen, although the downstream switch sends Tagged traffic on VLAN ID-1800, it is not matched to the sub-Interface VLAN-1800.

Solution

1) Take a packet capture on the parent interface as well as the VLAN-Interface:

2) Open the PCAP of the parent interface.

The FortiGate will send the ARP for 10.224.0.5 as VLAN-ID tagged using 802.1 AD.

The reply traffic is seen on 802.1q TAGGED VLAN-ID 1800. Although the ARP reply is on the same VLAN-ID, the protocol used for sending the traffic is 802.1AD and the reply is seen on 802.1Q. Therefore, FortiGate drops the traffic.

3) To fix this issue, delete the VLAN-ID 1800 sub-interface and re-add the same VLAN-ID interface under the Aggregate-Intf making sure the protocol used is 802.1 Q.

# config system interface

    edit Vlan-ID-1800

        set vlan-protocol 8021q

    end