Troubleshooting Tip: Cisco switch portchannel in the ERR-DISABLE state when connected to MCLAG peers

PaolGraz · ‎09-11-2024

Description

This article describes that by default, both MCLAG peers send BPDUs to the third-party switch connected via a LAG / portchannel.

The BPDUs frames are sent with different source MAC addresses (one for each MCLAG peer) and this is detected by the Cisco switch as an STP misconfiguration and potential loop, causing the portchannel to go in the ERR-DISABLE state.

Scope

Managed FortiSwitches in MCLAG configuration.

Solution

A FortiSwitch CLI command will prevent one of the MCLAG peers to send BPDUs:

FSW-A # config switch stp settings
set mclag-stp-bpdu single
end

The default setting is both and this will cause the error on the Cisco switch:

In the example, the Cisco switch is connected to the MCLAG peers with a portchannel (LACP) that includes Ethernet0/0 and Ethernet0/1:

Capturing traffic on both links, it is possible to see that with the default setting of mclag-stp-bpdu frames are sent by both peers, each using their own source MAC address:

fsw-mclag-cisco-stp-wireshark stp frames after enable.png

When the setting is changed to single, only one switch is sending the BPDUs:

fsw-mclag-cisco-stp-wireshark no stp frames from fswa.png

LAG configuration is the default (as created on the FortiGate GUI):

FSW-A:

edit "cisco"
set vlan "ISP1"
set type trunk
set mac-addr 0c:94:32:64:00:01
set mode lacp-active
set mclag enable
set members "port1"
next

FSW-B:

edit "cisco"
set vlan "ISP1"
set type trunk
set mac-addr 0c:dd:b1:93:00:01
set mode lacp-active
set mclag enable
set members "port1"
next

The Cisco portchannel is configured as follows:

CiscoL2#sh run int eth0/0
interface Ethernet0/0
switchport access vlan 101
channel-group 1 mode active
end

CiscoL2#sh run int eth0/1
interface Ethernet0/1
switchport access vlan 101
channel-group 1 mode active
end

CiscoL2#sh run int po1
interface Port-channel1
switchport access vlan 101
end