Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: Building VPC between FortiSwitches (MCLAG/ICL)...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Building VPC between FortiSwitches (MCLAG/ICL) and Cisco Nexus 9K Switches
I'm trying to bring up a trunk over a port-channel between a pair of 1048E's and a pair of Cisco 9504's that are configured using vPC. One fibre connects one 1048 to one 9504, and the other fibre connects the other 1048 to the other 9504. The VPC on the Cisco side fails, saying "vpc port channel mis-config due to vpc links in the 2 switches connected to different partners". I am working with support and Cisco support, but I wanted to ask if others have gotten this working. We're looking at possible spanning-tree issues, but also best practice guides on the Cisco side for VPC's. I want to trunk my Fortinet distribution switches to my Cisco infrastructure so I can leverage other vlans in my Fortinet firewalls. Any thoughts?
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
- « Previous
-
- 1
- 2
- Next »
15 REPLIES 15
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I believe that error is when the vpc-peerlink does NOT carry the vlan tag btw. So in vPC if you have a vlan and the van is NOT over the vpc-peerlink, vPC creation will fail.
The following commands can be helpful;
show vpc brief show vpc peer show port-channel summary Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi seems you topology wrong,
for FT to Cisco, your topology should be one FT channel to one Cisco switch,
you can not one FT channel to two Cisco switch.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a similar issue.
My setup contains 2 FortiSwitch 248D, managed via 2 FortiGate100Es. The two FortiSwitches are configures connected with a MCLAG-ICL link. I'm trying to connect my two FortiSwitches with my Cisco2960X (stacked as one logical switch) via LACP.
The LACP link goes does as soon as I connect the port from the second Fortiswitch to the LAG ports. On my Cisco switch, my ether-channel is err-dis. due to channel-misconfig (receiving BDPU's from a different sender).
Looking at my MCLAG link on the Fortiswitch, they should send LACP BDPU's with the same ID:
SW1:
# diagnose switch mclag list(*) - Using local system-id in LACP BPDU Po1(*)------ Local system ID 70:4c:a5:6f:37:4a Peer system ID 70:4c:a5:6f:37:4a Current system ID 70:4c:a5:6f:37:4a Local ports 43-44 Peer ports 43-44 Local uptime 0 days 1h:16m: 3s Peer uptime 0 days 0h: 0m: 0s Local LAG is configured as LACP active. Atleast one local LAG port is UP. Peer LAG is configured as LACP active All peer LAG ports are down, ICL traffic may be forwarded to local LAG port. Updates sent to peer 8108 Updates received from peer 8105 SW2:# diagnose switch mclag list (*) - Using local system-id in LACP BPDU Po1--- Local system ID 70:4c:a5:6f:2a:36 Peer system ID 70:4c:a5:6f:37:4a Current system ID 70:4c:a5:6f:37:4a Local ports 43-44 Peer ports 43-44 Local uptime 0 days 0h: 0m: 0s Peer uptime 0 days 1h:14m:47s Local LAG is configured as LACP active. Peer system id is used in LACP BPDU. Peer LAG is configured as LACP active Atleast one peer LAG port is UP, local LAG ports are filtered for ICL traffic. Updates sent to peer 8030 Updates received from peer 8033 I havn't been able to solve it yet. I really don't want to disable the channel-missconfig on my Cisco stack. /JonasOptions
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is the mclag a trunk on the Fortiswitches? What is going on with spanning tree? I had to disable spanning tree on the mclag/trunk on my 1048's, that are ICL'd to each other. Measure twice, cut once, when messing with spanning tree! But for me, I had to disable that and the port-channel came up fine. Also, if you are configuring in the GUI, click one one mclag member, hold control key, and then select the second member. THEN right-click to disable STP. I tried doing it to individual mclag members and it wasn't pretty.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a PDF but cant attach. Send me your email and I'll email to you. I was able to build a LACP bundle but you need to follow the order of the instructions in the pdf.
Layer8 Consulting
http://www.L8C.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Huey,
Please give me your instructions pdf. I face the same issue with Cisco vPC with FS3032E MCLAG.
Regards,
Wittaya J.
- « Previous
-
- 1
- 2
- Next »
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,680 -
FortiClient
1,755 -
5.2
801 -
FortiManager
727 -
5.4
639 -
FortiAnalyzer
556 -
FortiSwitch
474 -
FortiAP
470 -
FortiClient EMS
429 -
6.0
416 -
5.6
362 -
FortiMail
317 -
6.2
251 -
SSL-VPN
242 -
FortiAuthenticator v5.5
234 -
IPsec
207 -
FortiWeb
205 -
5.0
196 -
FortiNAC
188 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiGateCloud
102 -
FortiAuthenticator
102 -
FortiSIEM
99 -
FortiCloud Products
96 -
FortiToken
91 -
Firewall policy
82 -
Customer Service
79 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
51 -
vlan
51 -
ZTNA
49 -
Routing
46 -
FortiExtender
45 -
FortiSandbox
44 -
FortiDNS
42 -
DNS
42 -
LDAP
41 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
FortiSwitch v6.4
34 -
Certificate
34 -
RADIUS
33 -
SSO
33 -
Interface
31 -
VDOM
30 -
FortiConnect
29 -
FortiLink
29 -
FortiWAN
27 -
Web profile
27 -
Application control
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
Virtual IP
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
FortiGate-VM
12 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
Fortinet Engage Partner Program
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
API
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
Authentication rule and scheme
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
TACACS
2 -
Schedule
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1705 | |
| 1093 | |
| 752 | |
| 446 | |
| 230 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.