Help
FortiSwitch
FortiSwitch: secure, simple and scalable Ethernet solutions
Xav_FTNT
Staff
Staff

Created on ‎11-03-2011 03:17 AM

Article Id 196680

Technical Note : Configuring port extension on FortiSwitch 4.0 MR3

Purpose
This article explains and provides the configuration steps for using the port extension feature available on FortiSwitch 4.0 MR3.

The port extension feature allows the backplane fabric interface of a FortiSwitch 5003A or FortiSwitch 5003B to be brought down automatically upon the failure of a front panel trunk interface. By bringing down automatically the fabric switch backplane interface, the FortiGate blades can detect the failure of the backplane link. Then, relying on the configuration of the Fortigate HA cluster, it can be used to trigger a failover to a slave blade in a different chassis.

Scope

This feature is available on the FortiSwitch 5003A and the FortiSwitch 5003B, in order to bring failure detection in multiple chassis design.


Expectations, Requirements

The port extension features requires that a LACP trunk is configured. This trunk port will be monitored. When a configurable number of trunk member ports are down, all the switch fabric interface belonging to the same switch domain will be brought down.


Configuration
In this configuration example a specific switch domain will be added in order to only bring down one port of the backplane fabric (slot-9). The trunk port that will be monitored will have f5 and f6 as members. The trigger will be configured with a value of 2. This means that backplane ports will be brought down only if the 2 trunk member ports have failed.

Turn on the global port-extension feature:
config system global
   set port-extension enable
end
Create a dedicated switching domain:
config switch domain
   edit "portext"
      set vcluster-id 2
      set priority 128
   next
end
Notes

1. Only the switch ports in the same switch domain can communicate with each other.

2. If it is necessary to bring all backplane ports down upon the failure of a trunk then use the default switch domain 'root'. If this is the case then all ports can be left in the default switch domain.

Configure the ports in 'portext' switch domain:
config switch fabric-channel physical-port
   edit "f5"
      set domain "portext"
      set status up
   next
   edit "f6"
      set domain "portext"
      set status up
   next
   edit "slot-9"
      set domain "portext"
      set status up
   next
end
Create the LACP trunk with f5 and f6 as members. Enable port-extension. Configure the trigger to '2':
config switch fabric-channel trunk
   edit "LACP_TRUNK"
      set description "Core Switch Link"
      set mode lacp-active
      set port-extension enable
      set port-extension-trigger 2
      set members "f5"  "f6"
      set lacp-speed fast
   next
end
 

Verification
1. Bring the LACP port down by unplugging the network cables of by bringing it down from the Core Switch side.

2. Check the status page of the FortiSwitch; the backplane interface (slot-9) should be down.

3. Logon to the FortiGate CLI and check the status of backplane fabric ports:

diag hard dev nic rtm/1
diag hard dev nic fabric1

Troubleshooting
The commands to troubleshoot are:
diagnose debug enable
diagnose system port-ext dump
diagnose switch fabric-channel trunk list
Sample output working case (f6 is down, LACP_TRUNK and slot-9 are up):

Fortiswitch# diagnose switch fabric-channel trunk list
   Switch Trunk Information, fabric-Channel
   Trunk Name: LACP_TRUNK
   Port Selection Algorithm: src-dst-ip
  
   Active Port Update Time
   ___________ ____________________
  
   f5 20:18:34 Nov-03-2011
  
   Non-Active Port Status
   _______________ ____________________
  
   f6 BLOCK
  
   LACP flags: (A|P)(S|F)(A|I)(I|O)(E|D)(E|D)
   (A|P) - LACP mode is Active or Passive
   (S|F) - LACP speed is Slow or Fast
   (A|I) - Aggregatable or Individual
   (I|O) - Port In sync or Out of sync
   (E|D) - Frame collection is Enabled or Disabled
   (E|D) - Frame distribution is Enabled or Disabled
  
  
  status: up
   ports: 2
   LACP mode: active
   LACP speed: fast
   aggregator ID: 1
   actor key: 1
   actor MAC address: 00:09:0f:62:0a:2a
   partner key: 1
   partner MAC address: 00:09:0f:61:00:0b
   slave: f5
   status: up
   link failure count: 2
   permanent MAC addr: 00:09:0f:62:0a:2a
   actor state: AFAIEE
   partner state: AFAIEE
   aggregator ID: 1
  
   slave: f6
   status: down
   link failure count: 0
   permanent MAC addr: 00:09:0f:62:0a:2b
   actor state: AFAIDD
   partner state: PSIODD
   aggregator ID: 2
   Fortiswitch# diagnose system port-ext dump
  
   status px-enabled=1
   count cfg-dirty=6 px-down=4 px-up=6 px-scan=2243
  
   domain=root px-state=UP
   trunks:
   front-ports:
   slot-ports:
   port name=slot-2/1 type=slot unit=1 num=0 admin-status=1
   port name=slot-3 type=slot unit=1 num=1 admin-status=1
   port name=slot-4 type=slot unit=1 num=2 admin-status=1
   port name=slot-5 type=slot unit=1 num=3 admin-status=1
   port name=slot-6 type=slot unit=1 num=4 admin-status=1
   port name=slot-7 type=slot unit=1 num=5 admin-status=1
   port name=slot-8 type=slot unit=1 num=6 admin-status=1
   port name=slot-10 type=slot unit=1 num=8 admin-status=1
   port name=slot-11 type=slot unit=1 num=9 admin-status=1
   port name=slot-12 type=slot unit=1 num=10 admin-status=1
   port name=slot-13 type=slot unit=1 num=11 admin-status=1
  
  
  domain=portext px-state=UP
   trunks:
   trunk name=LACP_TRUNK px-trigger=1
   port name=f5 type=trunk-member unit=1 num=17 admin-status=1 status=1
   front-ports:
   slot-ports:
   port name=slot-9 type=slot unit=1 num=7 admin-status=1
  
 
status px-enabled=1
   count cfg-dirty=6 px-down=4 px-up=6 px-scan=2288
  
   domain=root px-state=UP
   trunks:
   front-ports:
   slot-ports:
   port name=slot-2/1 type=slot unit=1 num=0 admin-status=1
   port name=slot-3 type=slot unit=1 num=1 admin-status=1
   port name=slot-4 type=slot unit=1 num=2 admin-status=1
   port name=slot-5 type=slot unit=1 num=3 admin-status=1
   port name=slot-6 type=slot unit=1 num=4 admin-status=1
   port name=slot-7 type=slot unit=1 num=5 admin-status=1
   port name=slot-8 type=slot unit=1 num=6 admin-status=1
   port name=slot-10 type=slot unit=1 num=8 admin-status=1
   port name=slot-11 type=slot unit=1 num=9 admin-status=1
   port name=slot-12 type=slot unit=1 num=10 admin-status=1
   port name=slot-13 type=slot unit=1 num=11 admin-status=1
  
   domain=portext
  px-state=UP
   trunks:
   trunk name=LACP_TRUNK px-trigger=1
   port name=f5 type=trunk-member unit=1 num=17 admin-status=1
  status=1
   front-ports:
   slot-ports:
   port name=slot-9 type=slot unit=1 num=7 admin-status=1
Example output in a non working case (f5 and f6 are down therefore LACP_TRUNK is down and slot-9 is disabled):
   Fortiswitch# diagnose switch fabric-channel trunk list
  
   Switch Trunk Information, fabric-Channel
   Trunk Name: LACP_TRUNK
   Port Selection Algorithm: UNKNOWN
  
   Active Port Update Time
   ___________ ____________________
  
   Non-Active Port Status
   _______________ ____________________
  
   f5 BLOCK
   f6 BLOCK
  
   LACP flags: (A|P)(S|F)(A|I)(I|O)(E|D)(E|D)
   (A|P) - LACP mode is Active or Passive
   (S|F) - LACP speed is Slow or Fast
   (A|I) - Aggregatable or Individual
   (I|O) - Port In sync or Out of sync
   (E|D) - Frame collection is Enabled or Disabled
   (E|D) - Frame distribution is Enabled or Disabled
  
   status: down
   ports: 2
   LACP mode: active
   LACP speed: fast
   aggregator ID: 1
   actor key: 0
   actor MAC address: 00:09:0f:62:0a:2a
   partner key: 1
   partner MAC address: 00:00:00:00:00:00
  
   slave: f5
   status: down
   link failure count: 3
   permanent MAC addr: 00:09:0f:62:0a:2a
   actor state: AFAIDD
   partner state: PSIODD
   aggregator ID: 1
  
   slave: f6
   status: down
   link failure count: 0
   permanent MAC addr: 00:09:0f:62:0a:2b
   actor state: AFAIDD
   partner state: PSIODD
   aggregator ID: 2
  
   Fortiswitch# diagnose system port-ext dump
status px-enabled=1
   count cfg-dirty=6 px-down=5 px-up=6 px-scan=2324
  
   domain=root px-state=UP
   trunks:
   front-ports:
   slot-ports:
   port name=slot-2/1 type=slot unit=1 num=0 admin-status=1
   port name=slot-3 type=slot unit=1 num=1 admin-status=1
   port name=slot-4 type=slot unit=1 num=2 admin-status=1
   port name=slot-5 type=slot unit=1 num=3 admin-status=1
   port name=slot-6 type=slot unit=1 num=4 admin-status=1
   port name=slot-7 type=slot unit=1 num=5 admin-status=1
   port name=slot-8 type=slot unit=1 num=6 admin-status=1
   port name=slot-10 type=slot unit=1 num=8 admin-status=1
   port name=slot-11 type=slot unit=1 num=9 admin-status=1
   port name=slot-12 type=slot unit=1 num=10 admin-status=1
   port name=slot-13 type=slot unit=1 num=11 admin-status=1
  
   domain=portext
  px-state=DOWN
   trunks:
   trunk name=LACP_TRUNK px-trigger=1
   port name=f5 type=trunk-member unit=1 num=17 admin-status=1
  status=0
   front-ports:
   slot-ports:
   port name=slot-9 type=slot unit=1 num=7 admin-status=1
 
Labels:
3983
0 Kudos
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.