Description
This article describes how to setup Tier-1 MCLAG-ICL and how to troubleshoot it in managed FortiSwitches after version 7.X.X.
Scope
FortiSwtich, Setup steps from MCLAG-ICL configs and Troubleshooting.
Solution
Configure FortiLink on FortiGate.
Step 1: Enable FortiLink and authorize FortiSwitch.
- Go to Wifi & Switch-controller in FortiLink Interface on FortiGate GUI.
- Configure the FortiLink interface by adding the FortiGate port connected to FortiLink (for enabling FortiLink on any aggregate interface, it can only be done on FortiGate CLI, with 'set enable fortilink' under system interface).
- Set NTP to be local under DHCP on FortiLink.
- Once the FortiSwitch is discovered, authorize the FSW1 under Wifi & Switch-controller and managed FortiSwitches on FortiGate GUI:
- Verify if FortiSwitch is Up and connected.
- Connect second FortiSwitch (FSW-2) to First FortiSwitch (FSW-1) and authorize:
- Once both FortiSwitches are online, connect to CLI on FortiGate and set lldp-profile to 'default-auto-mclag-icl'. This profile needs to be set on the ports that are connected only between the FortiSwitches:
- Disable the 'FortiLink split interface' on FortiLink interface.
- Connect 2nd cable from FortiGate to FSW-2. And add the port on the Fortigate under FortiLink interface.
- FortiLink will take about 1-3min and will be from MCLAG-ICL with both the FortiSwitches.
- Lastly, connect a 3rd Fortiswitch to the existing Peer group.
Troubleshooting Fortilink and MCLAG issues.
If Fortiswitch is not up, verify the below setting:
On FortiGate CLI:
execute switch-controller get-conn-status <----- Should show authorized/up and should have an IP address from the FortiLink interface.
exe switch-controller diagnose-connection <serial_number><----- Check for any warnings in this output.
On FortiSwitch CLI:
get sys interface <----- IP Address should be assigned on the internal interface from FortiLink interface IP.
diagnose switch trunk summary <----- Trunk should be formed with the uplink port.
If the trunk is not forming, check below:
Before Version V7.2.0:
config switch global
set switch-mgmt-mode fortilink
end
After Version V7.2.0:
config switch auto-network
set mgmt-vlan 4094
set status enable
end
config switch physical-port
edit port<>
set lldp-profile default-auto-isl ----- lldp profile needs to be set.
end
diagnose sys ntp status <----- Should be reachable and in sync with FortiLink IP Address.
get sys status <----- Time needs to be in sync.
- Check that Fortiswitch and FortiGate versions are compatible.
- If the uplink ports are SFP ports, check if compatible transceivers are used.
- Reboot FortiGate and FortiSwitch.
If the switch is still not coming up after the above checks, reach out to Technical support with the output of the following from FortiGate CLI.
- FortiGate CLI.
execute switch-controller get-conn-status
exe switch-controller diagnose-connection
get sys status
- FortiSwitch CLI:
diagnose debug report
show full
If MCLAG-ICL is not forming or flapping on the FortiSwitches, check below:
diagnose switch trunk summary <----- Make sure trunk is up.
diagnose switch mclag-peer-consistency check <----- all inconsistencies needs to be cleared.
diagnose switch mclag icl <----- Should see the correct peer port.
diagnose switch physical-port linerate <portno> <----- Make sure Rx and Tx is passing on the port.
diagnose stp instance list<----- Check for TCN events and any loops.
If peer FortiSwitches are still not up, reach out to Technical support with the output of the above commands.
Notes:
- Both MCLAG Peer switches need to be of the same model and the same version
- Only FortiSwitches above the FS-2XX series will support it. FS-1XX doesn’t support MCLAG.
- Cannot have more than 2 FortiSwitches in one MCLAG Peer group.
