Configure a LACP Port-Channel between FortiSwitch and Cisco Switch
I recently had to configure a LACP port-channel between two FortiSwitches and a stack of two Cisco switches, and found no clear information on how to do this.
I had to connect two FortiSwitches in an MCLAG-ICL configuration to a Cisco Catalyst 4500 switch with a bundle of redundant links. The FortiSwitches were managed by an HA cluster of two FortiGates in Active/Passive HA mode. The Catalyst 4500 consisted of several 10Gb line cards with SFP+ modules.
The FortiSwitches are connected as shown in the diagram below.
Before you connect everything together, make sure the FortiSwitches are cabled the right way. In my experience, the FortiSwitches all showing up in the FortiGate dashboard does not mean the MCLAG-ICL is working correctly. You can check the configuration of the FortiSwitch MCLAG pair with the following CLI command on the FortiGate:
diag switch mclag peer-consistency-check
After everything is checked and the consistency check shows no errors, you can configure the port-channel. First log in to the FortiGate and configure the switch controller, using the serial numbers of the managed switches on which you want to create the LACP port-channel:
config switch-controller managed-switch
    edit "FS1E48T419000108"
        config ports
            edit "port46"
                set port-owner "mclag-cisco4500"
                set speed 10000full
                set description "MCLAG-CISCO4500"
            next
            edit "mclag-cisco4500"
                set vlan "vsw.FLink"
                set allowed-vlans-all enable
                set untagged-vlans "qtn.FLink"
                set type trunk
                set dhcp-snooping trusted
                set stp-state disabled
                set description "cisco4500"
                set mode lacp-passive
                set bundle enable
                set mclag enable
                set members "port46"
            next
        end
    next
    edit "FS1E48T419000155"
        config ports
            edit "port46"
                set port-owner "mclag-cisco4500"
                set speed 10000full
                set description "MCLAG-CISCO4500"
            next
            edit "mclag-cisco4500"
                set vlan "vsw.FLink"
                set allowed-vlans-all enable
                set untagged-vlans "qtn.FLink"
                set type trunk
                set dhcp-snooping trusted
                set stp-state disabled
                set description "cisco4500"
                set mode lacp-passive
                set bundle enable
                set mclag enable
                set members "port46"
            next
        end
    next
end
The following command names the trunk. The name must be identical on both MCLAG peer FortiSwitches, otherwise the two halves are not combined into a single LACP port-channel towards the Cisco stack.
edit "mclag-cisco4500"
In this case I disabled STP on the trunk with the “set stp-state disabled” command. If you leave STP enabled, you have to match the STP version on the FortiSwitches and the Cisco switches; FortiSwitches use rapid spanning-tree (RSTP) by default. Keep in mind that with STP disabled here and BPDU filtering on the Cisco side (see below), nothing protects you against a loop if a member link ever forwards outside the LACP bundle, so check the bundle state after connecting. After the above configuration has been pushed, you still have to configure the FortiSwitches themselves. Log on to a FortiSwitch with the following command:
execute ssh admin@169.254.1.2
Replace the IP address with the address of each FortiSwitch. Put the following configuration on the ports of the port-channel. LACP needs at least one active end to negotiate, so lacp-passive on the FortiSwitches is fine as long as the Cisco side uses mode active; passive on both ends never forms the bundle. The port speed must match what the switch controller pushes (10000full above) and what the Cisco 10Gb interfaces run at.
config switch physical-port
    edit "port46"
        set cdp-status tx-rx
        set description "MCLAG-CISCO4500"
        set lldp-profile "default-auto-isl"
        set speed 10000full
    next
end
config switch trunk
    edit "mclag-cisco4500"
        set description "cisco4500"
        set mode lacp-passive
        set bundle enable
        set max-bundle 24
        set mclag enable
        set members "port46"
    next
end
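As an added example (not part of the original post), here is a small Python checker that reads the FortiGate managed-switch configuration above and confirms the points that bite in practice: the MCLAG trunk is defined identically on both peers, its member ports are owned by the trunk and run at the same speed, and the LACP mode pairing with the Cisco side can actually negotiate. The parser and the function names are mine, and the embedded configuration is a constructed, trimmed copy of the post's config; nothing here is Fortinet's own tooling.

```python
import shlex

# Constructed sample: the two managed-switch entries from this post, trimmed to
# the keys the check looks at (serials and names are the ones used in the post).
FORTIGATE_CONFIG = """
config switch-controller managed-switch
    edit "FS1E48T419000108"
        config ports
            edit "port46"
                set port-owner "mclag-cisco4500"
                set speed 10000full
            next
            edit "mclag-cisco4500"
                set mode lacp-passive
                set bundle enable
                set mclag enable
                set members "port46"
            next
        end
    next
    edit "FS1E48T419000155"
        config ports
            edit "port46"
                set port-owner "mclag-cisco4500"
                set speed 10000full
            next
            edit "mclag-cisco4500"
                set mode lacp-passive
                set bundle enable
                set mclag enable
                set members "port46"
            next
        end
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS 'config/edit/set/next/end' text into nested dicts:
    'config <table>' and 'edit <name>' open a dict, 'set <key> <values...>'
    stores the values as a list, 'next' and 'end' close the current level."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        parts = shlex.split(raw)  # drops the quotes around names
        if not parts:
            continue
        kw = parts[0]
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(parts[1:]), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(parts[1], {}))
        elif kw == "set":
            stack[-1][parts[1]] = parts[2:]
        elif kw in ("next", "end"):
            stack.pop()
    return root


# Trunk settings that must match on both MCLAG peers for the two switch-side
# trunks to act as one port-channel towards the Cisco stack.
TRUNK_KEYS = ("mode", "bundle", "mclag", "members")


def check_mclag_trunk(cfg, trunk, serials):
    """Return the problems found for 'trunk' across the MCLAG peers in 'serials'."""
    problems, views, speeds = [], {}, {}
    switches = cfg.get("switch-controller managed-switch", {})
    for sn in serials:
        ports = switches.get(sn, {}).get("ports", {})
        t = ports.get(trunk)
        if t is None:
            problems.append(f"{sn}: trunk {trunk} is not defined")
            continue
        views[sn] = {k: t.get(k) for k in TRUNK_KEYS}
        for flag in ("bundle", "mclag"):
            if t.get(flag) != ["enable"]:
                problems.append(f"{sn}: {trunk} does not have {flag} enabled")
        for member in t.get("members", []):
            port = ports.get(member, {})
            if port.get("port-owner") != [trunk]:
                problems.append(f"{sn}: member {member} is not owned by {trunk}")
            speeds[f"{sn}/{member}"] = port.get("speed")
    first = serials[0]
    for sn in serials[1:]:
        for k in TRUNK_KEYS:
            if first in views and sn in views and views[first][k] != views[sn][k]:
                problems.append(f"{trunk}: '{k}' differs between {first} and {sn}")
    # Every member of one bundle must run at the same speed.
    if len({tuple(v) for v in speeds.values() if v}) > 1:
        problems.append(f"{trunk}: member port speeds differ: {speeds}")
    return problems


def lacp_will_negotiate(fortiswitch_mode, cisco_mode):
    """LACP only forms a bundle when at least one end actively sends LACPDUs."""
    return fortiswitch_mode == "lacp-active" or cisco_mode == "active"
```

Run it with `check_mclag_trunk(parse_fortios(FORTIGATE_CONFIG), "mclag-cisco4500", ("FS1E48T419000108", "FS1E48T419000155"))`; an empty list means the two peers agree. Change the mode or speed on one peer and the mismatch is reported, which is the same class of error the peer-consistency check on the switch is there to catch.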
When this has been done you can proceed with configuring the Cisco switches. One member interface sits on each switch of the stack (Te1/1/11 and Te2/1/11) and both are placed in LACP channel-group 11 in active mode, matching the lacp-passive setting on the FortiSwitches:
!
interface Port-channel11
 switchport
 switchport mode trunk
 spanning-tree portfast trunk
 spanning-tree bpdufilter enable
 spanning-tree bpduguard disable
!
interface TenGigabitEthernet1/1/11
 switchport mode trunk
 channel-protocol lacp
 channel-group 11 mode active
 spanning-tree portfast trunk
 spanning-tree bpdufilter enable
 spanning-tree bpduguard disable
!
interface TenGigabitEthernet2/1/11
 switchport mode trunk
 channel-protocol lacp
 channel-group 11 mode active
 spanning-tree portfast trunk
 spanning-tree bpdufilter enable
 spanning-tree bpduguard disable
!
end
When this has been done you are ready to connect the switches together.
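To verify the bundle once the links are connected, the following Python snippet (an added example, not from the original post) parses the output of `show etherchannel summary` on the Cisco side and reports any member that did not end up bundled. The sample output is constructed to match the interfaces in this post, not captured from a device, and the function names are mine.

```python
import re

# Constructed sample of 'show etherchannel summary' for the channel-group used in
# this post (not captured from a real device).
ETHERCHANNEL_SUMMARY = """\
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator

        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
11     Po11(SU)        LACP      Te1/1/11(P)    Te2/1/11(P)
"""

GROUP_RE = re.compile(r"^(\d+)\s+(Po\d+)\(([A-Za-z]+)\)\s+(\S+)\s+(.*)$")
PORT_RE = re.compile(r"(\S+?)\(([A-Za-z]+)\)")


def parse_etherchannel_summary(text):
    """Map channel-group number -> {'po', 'flags', 'protocol', 'ports': {name: flags}}."""
    groups = {}
    for line in text.splitlines():
        m = GROUP_RE.match(line.strip())
        if not m:
            continue
        num, po, flags, proto, rest = m.groups()
        groups[int(num)] = {
            "po": po,
            "flags": flags,
            "protocol": proto,
            "ports": dict(PORT_RE.findall(rest)),
        }
    return groups


def bundle_problems(summary, group, expected_ports):
    """Return why a channel-group is not a healthy, fully bundled LACP trunk.

    With STP disabled on the FortiSwitch trunk and BPDU filtering on the Cisco
    side, a member that is stand-alone (I) instead of bundled (P) is a link
    forwarding with no loop protection, so it is reported as a problem here.
    """
    g = summary.get(group)
    if g is None:
        return [f"channel-group {group} not present"]
    problems = []
    if g["protocol"] != "LACP":
        problems.append(f"{g['po']}: protocol is {g['protocol']}, expected LACP")
    if "U" not in g["flags"] or "D" in g["flags"]:
        problems.append(f"{g['po']}: aggregator not in use (flags {g['flags']})")
    for port in expected_ports:
        pflags = g["ports"].get(port)
        if pflags is None:
            problems.append(f"{port}: not a member of {g['po']}")
        elif "P" not in pflags:
            problems.append(f"{port}: not bundled (flags {pflags})")
    return problems


if __name__ == "__main__":
    summary = parse_etherchannel_summary(ETHERCHANNEL_SUMMARY)
    print(bundle_problems(summary, 11, ["Te1/1/11", "Te2/1/11"]) or "Po11 healthy")
```

Paste the real command output into the string (or read it from a file) and pass the interface names you expect; anything other than an empty list means the port-channel is not carrying both links the way the configuration intends.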
Dear Roel,
The configuration you presented seems very accurate. I would like to ask you about the LACP configuration between a Cisco 3650 switch and a Fortinet 60E. Do you have any idea how this can be done? I have tried many ways to make this work, but unfortunately without any result.
Hi Antonis,
I see that LACP (802.3ad) has recently been added to the FortiGate 60D. I think this was not possible before. You have to install firmware 6.2.0 for this to work: https://docs.fortinet.com/document/fortigate/6.2.0/new-features/226063/lacp-support-on-entry-level-e-series-devices
Best regards,
Roel
Hi Roel,
Can you also post how to configure an LACP port-channel between a FortiGate managed switch and Linux LACP bonding?
Thanks
Hi Kiran,
I don’t have any config available for Linux LACP bonding, but it is similar to FortiSwitch to Cisco.