- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- LACP between Cisco and Fortiswitch (MC-LAG) STP er...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
LACP between Cisco and Fortiswitch (MC-LAG) STP error
i have a created a new trunk group on the fortiswitcch
mc-lag enabled, STP Enable , Edge port
lacp active
port 48,port48
Cisco
LACP mode active
Port channel 13
Cisco switch is running MST spanning tree mode (same as fortiswitch)
when i try to enable to port-channel i get STP error on the cisco side and the cisco ports go into err-disabeld state
any idea what going on?
does anyone have a working configuration of a similar environment?
Labels:
- Labels:
-
FortiSwitch
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @blackstark ,
Can you try disabling edge port and mclag on fortiswitch? I dont think you need them.
Thanks
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
it's up now. so one side is passive and the cisco side is active is the recommended approach? I always thought they should match on both side.
i disable edge port
for mc-lag - is this required because I am spanning across a 2 FSW.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's not mandatory to match but it should work with both nodes being active (maybe Cisco doesn't like the Fortinet LACP PDU), anyway having one side configured as active does the job fully since it still puts the problematic port immediately down and not cause any packet drops. Both nodes set as passive will not work and having static it's prone to packet drop since the other node is not aware if the link is not useful anymore.
- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
If you have found a solution, please like and accept it to make it easily accessible for others.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @blackstark ,
I think MCLAG is to have 1 logical FSW with 2 physical via an ICL link. I may be missing something..
REF: https://docs.fortinet.com/document/fortiswitch/7.2.5/administration-guide/860027/mclag
Abdel
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @blackstark ,
Ah sorry my bad i misread it if you are spanning with 2 FSW you need MCLAG i thought you said MCLAG to the cisco switch.
Good to disable edge port because this is the same as portfast which disable STP
Thank
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have read somewhere:
On both FortiSwitches you have to change the STP announcement type from both to single.
Set to both to allow both core switches of an MCLAG to transmit STP BPDUs. Set to single to prevent both core switches of an MCLAG from transmitting STP BPDUs.
Log into the switch CLI and put this in...
config switch stp setting
set mclag-stp-bpdu single
end
On Cisco Side looks like:
*Jan 19 10:35:46.535: %SPANTREE-5-ROOTCHANGE: Root Changed for instance 0: New Root Port is Port-channel12. New Root Mac Address is 8439.1234.567a
*Jan 19 10:35:46.552: %SPANTREE-5-TOPOTRAP: Topology Change Trap for instance 0
*Jan 19 10:37:11.637: %PM-4-ERR_DISABLE: channel-misconfig error detected on Po12, putting Gi1/0/1 in err-disable state
*Jan 19 10:37:11.659: %PM-4-ERR_DISABLE: channel-misconfig error detected on Po12, putting Gi2/0/1 in err-disable state
*Jan 19 10:37:11.706: %PM-4-ERR_DISABLE: channel-misconfig error detected on Po12, putting Po12 in err-disable state
*Jan 19 10:37:12.639: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
Related Posts
- SFP+ Module compatibility 107 Views
- free vpn client certificate problems 167 Views
- new switch license 135 Views
- LDAPS issue, 'Can't contact LDAP server' 354 Views
- IPSec tunnel error : no SA... 165 Views
Labels
-
FortiGate
6,535 -
FortiClient
1,304 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
60 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
Firewall policy
23 -
FortiConnect
23 -
FortiWAN
22 -
FortiConverter
21 -
VLAN
20 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.