Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
asharma02
New Contributor

Created on ‎11-05-2020 01:09 AM Edited on ‎02-13-2024 05:21 AM By Moderator

Article Id 195452

Technical Tip: Three-tier MCLAG configuration on managed FortiSwitch

Description

 

This article describes how to configure and troubleshoot the 3-tier FortiLink MCLAG configuration.

Related document:
Deploying MCLAG topologies


Network Topologies -> Three-Tier Fortilink MCLAG configuration.

Scope

 

Version 6.2 and above.

Solution

 

Three-tier FortiLink MCLAG configuration.

To create a three-tier FortiLink MCLAG topology, use FortiOS 6.2.3 GA or later and FortiSwitchOS 6.2.3 GA or later.


 
To configure the FortiSwitch units in the core:
 
  1. First, connect the core switches to the FortiGate aggregate interface and connect the link between the core switches (SW 1 and SW 2 in the example above). Both switches will form 2 trunks – one with FortiGate and one ISL (inter-switch link).

  2. Push lldp-profile default-auto-mclag-icl to the ISL FortiSwitch ports to establish MCLAG ICL.

    Transitioning from a FortiLink split interface to a FortiLink MCLAG

  3. Wait for both switches SW 1 and SW 2 to come online. Verify the status of  'diagnose switch mclag peer-consistency-check' and diag switch mclag icl on both FortiSwitches.

  4. Create downlink trunks on the MCLAG-ICL switches.

    Note: Only the trunks from the higher tier MCLAG-ICL switches to the next tier MCLAG-ICL switches need this configuration.

  5. Add an auto-isl-port-group for the tier-2 MCLAG SW 3 and SW 4 on both the switches SW 1 and SW 2:

    On SW 1:

    config switch auto-isl-port-group
        edit tier-2
            set members port22
    end

    On SW 2:

        edit tier-2
            set members port21
        next
    end

  6. Note: Do not make all the connections at this point. Connect only SW 3 to SW 1 and once SW 3 is online, connect SW 4 to SW 3. Wait for SW4 to come online and then enable mclag icl between SW4 and SW3 - wait for ICL to get established and then connect SW4 to SW2 (similar to point 2, it is necessary to push lldp-profile default-auto-mclag-icl).

  7. Add two auto-isl-port-group for the tier-3 MCLAG switches on both switch SW 3 and switch SW 4:

    On both SW3 and SW4:

    config switch auto-isl-port-group
        edit tier-3-SW5_6
            set member port20
    end

  8. Now, connect only SW 5 to SW 3 and once SW 5 is online, connect SW 6 to SW 5. Wait for SW6 to come online. Now, enable mclag icl between SW5 and SW6 - wait for ICL to get established and then connect SW6 to SW4 (Similar to point 2, it is necessary to push lldp-profile default-auto-mclag-icl and verify the MCLAG ICL commands).

  9. Verify that all the FortiLinks are up and double-check the MCLAG-ICL configuration on each MCLAG FortiSwitch.

Useful commands on FortiSwitch:

diagnose switch mclag peer-consistency-check
diagnose switch mclag peer-consistency-check _FlInK1_MLAG0_
diagnose switch trunk list
diag switch mclag icl
diag switch mclag list
show switch auto-isl-port-group
 
Useful commands on FortiGate:
 
diagnose switch-controller switch-info mclag icl <FSW sn>
diagnose switch-controller switch-info mclag list <FSW sn>
diagnose switch-controller switch-info mclag peer-consistency-check <FSW SN>
execute switch-controller get-physical-conn dot <fortilink interface>
execute switch-controller get-physical-conn standard <fortilink interface>
13504
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.