Building VPC between FortiSwitches (MCLAG/ICL) and Cisco Nexus 9K Switches

Author
bmduncan34
2019/07/18 12:10:05 (permalink)

Building VPC between FortiSwitches (MCLAG/ICL) and Cisco Nexus 9K Switches

I'm trying to bring up a trunk over a port-channel between a pair of 1048E's and a pair of Cisco 9504's that are configured using vPC.  One fibre connects one 1048 to one 9504, and the other fibre connects the other 1048 to the other 9504.  The VPC on the Cisco side fails, saying "vpc port channel mis-config due to vpc links in the 2 switches connected to different partners".  I am working with support and Cisco support, but I wanted to ask if others have gotten this working.  We're looking at possible spanning-tree issues, but also best practice guides on the Cisco side for VPC's.  I want to trunk my Fortinet distribution switches to my Cisco infrastructure so I can leverage other vlans in my Fortinet firewalls.  Any thoughts?
#1

14 Replies

    rwpatterson
    Re: Building VPC between FortiSwitches (MCLAG/ICL) and Cisco Nexus 9K Switches 2019/07/18 13:06:29 (permalink)
    Why not use industry standard LACP instead?

    -Bob - self proclaimed posting junkie!
    See my Fortigate related scripts at: http://fortigate.camerabob.com

    -4.3.19-b0694
    FWF80CM (2)
    FWF81CM (3)
     
    #2
    hubertzw
    Re: Building VPC between FortiSwitches (MCLAG/ICL) and Cisco Nexus 9K Switches 2019/07/18 14:26:54 (permalink)
    bmduncan34
     "vpc port channel mis-config due to vpc links in the 2 switches connected to different partners"

     
    I think your cabling is wrong. Let's say VPC100 and VPC200 are configured on both switches. But VPC100 on both connects to FG1 and VPC200 to FG2 (on both).
     
    On FGT you configure LAG:
     
    config system interface
        edit "p1-p2"
            set vdom "root"
            set vlanforward enable
            set type aggregate
            set member "port1" "port2"
            set snmp-index 15
        next
    end

     

    #3
    bmduncan34
    Re: Building VPC between FortiSwitches (MCLAG/ICL) and Cisco Nexus 9K Switches 2019/07/20 13:34:38 (permalink)
    Thanks very much.  In my situation I'm terminating on managed 1048E switches; with 601E's hosting  the switch controller.  So I get the cabling and using two different vPCs on the 9K's, but on the FortiSwitch side would I have two mclags, that would correspond to VPC100 and VPC200?  So there would be an "MCLAG to VPC100" and an "MCLAG to VPC200".  Think that would work?
     
    Thanks again. 
    #4
    hubertzw
    Re: Building VPC between FortiSwitches (MCLAG/ICL) and Cisco Nexus 9K Switches 2019/07/21 02:50:20 (permalink)
    My fault, my reply was about n9k and Fortigate, not Fortiswitch. It makes a huge difference. I don't think you can use vpc between them.
    #5
    bmduncan34
    Re: Building VPC between FortiSwitches (MCLAG/ICL) and Cisco Nexus 9K Switches 2019/07/28 08:58:13 (permalink)
    I plan to get this working this week; I've been away, but I've been running this setup through my head.  So here's my conclusion: vPC's are what the Nexus 9Ks are using to present a single logical switch across two physical chassis, and mclag is what Fortinet is using to do the same thing.  In both cases the technology (vPC and mclag) results in a single logical switch with a single MAC being presented on either side.  So it's the same as if I were trying to build a port-channel (aggregate) between just one 1048E and one Nexus 9K.  And as far as cabling goes, that shouldn't matter one bit.  Of course it would be nice to build the port-channel in a full mesh, but it's not necessary.  The port-channel, using LACP with at least one end in Active mode and the other in either Active or Passive, should just come up.  In my case that's with just two fibres connecting two different chassis.  Of course I can scale that out as needs be with additional fibres on the same mclag/vPC.
     
    I'm going to tear out my vPC on the Nexus side and build a fresh one tomorrow.  I had been just re-using one that was no longer in production so perhaps there was some corruption there.  When I get this up and running I'll let you know what ended up working.  There must be some other folks out there who've had the same need, anyone want to share their experiences?
    #6
    elisha_wang
    Re: Building VPC between FortiSwitches (MCLAG/ICL) and Cisco Nexus 9K Switches 2019/07/29 16:53:42 (permalink)
    Hi, it seems your topology is wrong.
      For FT to Cisco, your topology should be one FT channel to one Cisco switch;
    you cannot connect one FT channel to two Cisco switches.
     
    #7
    bmduncan34
    Re: Building VPC between FortiSwitches (MCLAG/ICL) and Cisco Nexus 9K Switches 2019/07/30 04:45:03 (permalink)
    I got this working finally.  I rebuilt the vPC on the Cisco side and the port-channel came up.  So now I've got a trunk between a pair of 1048E's (mclag+icl) and a pair of Cisco Nexus 9K's with vPC.  I'm having a problem getting the trunk to pass layer 2 traffic at the moment but I'll work with support to figure that out. 
    #8
    Huey
    Re: Building VPC between FortiSwitches (MCLAG/ICL) and Cisco Nexus 9K Switches 2019/10/10 14:48:30 (permalink)
    Trying to do this as well.  Can you share the FortiSwitch MCLAG config?  Here's what I have:
     
     
    config switch trunk
        edit "GCAS-LAG"
            set description "GCAS VLAN Uplink"
            set mode lacp-active
            set mclag enable
            set members "port43" "port44"
        next
    end


    This is resulting in two separate LAGs, and on one of the 1048E's the LAG is blocking while on the other 1048E it shows forwarding.  There could be a mis-config on the Cisco side but I don't have access.  Looks like 2 separate LAGs.
     
    Also, how did you solve the VLAN forwarding?
    #9
    bmduncan34
    Re: Building VPC between FortiSwitches (MCLAG/ICL) and Cisco Nexus 9K Switches 2019/10/10 18:44:41 (permalink)
    Is this MCLAG set as a trunk?  And if it's a trunk is STP turned off?  So this is a four-member MCLAG, with port43 and port44 on each 1048 as members?  Are you using the UI to build this MCLAG?  Sorry for all the questions.  In the UI I would just create a new trunk, then add those four ports (two from each 1048), then ensure you turn off spanning tree on the trunk.  The Cisco side should just be a port-channel configured as a trunk.  See if they're using an allowed vlan statement.  On your trunk build the vlan interfaces you want to see from the Cisco side and create them on the Fortinet side.  Then add those vlans to the trunk on your side. 
     
    The biggest thing to be careful of is spanning tree.  You run a risk of getting a loop in your network if you have spanning tree issues, and I saw that a couple of times connecting to our Cisco environment.
    #10
    bmduncan34
    Re: Building VPC between FortiSwitches (MCLAG/ICL) and Cisco Nexus 9K Switches 2019/10/16 06:53:36 (permalink)
    How did you make out?  Let me know as it's definitely working in my environment.
    #11
    emnoc
    Re: Building VPC between FortiSwitches (MCLAG/ICL) and Cisco Nexus 9K Switches 2019/10/16 07:23:55 (permalink)
    I believe that error is when the vpc-peerlink does NOT carry the vlan tag btw. So in vPC if you have a vlan and the vlan is NOT over the vpc-peerlink, vPC creation will fail.
     
    The following commands can be helpful:
     
      show vpc brief
      show vpc peer
      show port-channel summary
     
    Ken Felix

    PCNSE 
    NSE 
    StrongSwan  
    #12
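    Ken's point, that every VLAN carried on a vPC member must also be active on the vPC peer-link, can be checked mechanically from the output of the commands he lists. The script below is an added example, not code from the thread or from Cisco: it parses a constructed sample modelled on the layout of `show vpc brief` together with the port-channel running-config, reports any VLAN allowed on a vPC member trunk that is not active on the peer-link, and lists the global consistency fields that are anything other than "success". Domain/vPC IDs and VLANs in the samples are made up.

```python
"""Cross-check NX-OS vPC state against the trunk config of the vPC member port-channels.

Added example, not code from the thread or from Cisco. SAMPLE_VPC_BRIEF is a constructed
sample modelled on `show vpc brief`; SAMPLE_CONFIG is a constructed `show running-config
interface` excerpt. IDs and VLANs are made up.
"""
import re

SAMPLE_VPC_BRIEF = """\
vPC domain id                     : 10
Peer status                       : peer adjacency formed ok
Configuration consistency status  : success
Per-vlan consistency status       : success
Type-2 consistency status         : success

vPC Peer-link status
---------------------------------------------------------------------
id   Port   Status Active vlans
--   ----   ------ --------------------------------------------------
1    Po10   up     1,10,20

vPC status
----------------------------------------------------------------------
id   Port   Status Consistency Reason                     Active vlans
--   ----   ------ ----------- ------                     ------------
100  Po100  up     success     success                    1,10,20
200  Po200  up     success     success                    1,10
"""

SAMPLE_CONFIG = """\
interface port-channel10
  switchport trunk allowed vlan 1,10,20
  vpc peer-link

interface port-channel100
  switchport trunk allowed vlan 1,10,20,30
  vpc 100

interface port-channel200
  switchport trunk allowed vlan 1,10
  vpc 200
"""

STATUS_FIELDS = ("Configuration consistency status", "Per-vlan consistency status",
                 "Type-2 consistency status")


def expand_vlans(spec):
    """Expand an NX-OS VLAN list such as '1,10-12,20' into a set of ints ('-' means none)."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part or part == "-":
            continue
        low, _, high = part.partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def parse_vpc_brief(text):
    """Pull the 'Field : value' lines, peer-link active VLANs and per-vPC rows out of the output."""
    brief = {"status": {}, "peer_link_vlans": set(), "vpcs": {}}
    for key, value in re.findall(r"^([^:\n]+?)\s*:\s*(.+?)\s*$", text, re.MULTILINE):
        brief["status"][key] = value
    peer_link = text.split("vPC Peer-link status", 1)[1].split("vPC status", 1)[0]
    for _id, _port, _state, vlans in re.findall(
            r"^\s*(\d+)\s+(Po\d+)\s+(\S+)\s+(\S+)\s*$", peer_link, re.MULTILINE):
        brief["peer_link_vlans"] |= expand_vlans(vlans)
    vpc_rows = text.split("vPC status", 1)[1]
    # Reason may contain spaces, so it is matched lazily and the VLAN list is the last column.
    for vid, port, state, cons, _reason, vlans in re.findall(
            r"^\s*(\d+)\s+(Po\d+)\s+(\S+)\s+(\S+)\s+(.*?)\s+(\S+)\s*$", vpc_rows, re.MULTILINE):
        brief["vpcs"][int(vid)] = {"port": port, "status": state, "consistency": cons,
                                   "active_vlans": expand_vlans(vlans)}
    return brief


def parse_trunk_config(text):
    """Map vPC id -> (port-channel, allowed VLAN set) for each member port-channel ('vpc N')."""
    members = {}
    for block in re.findall(r"^interface .*?(?=^interface |\Z)", text, re.MULTILINE | re.DOTALL):
        name = re.match(r"interface (port-channel\d+)", block)
        vpc = re.search(r"^\s*vpc (\d+)\s*$", block, re.MULTILINE)  # 'vpc peer-link' is skipped
        allowed = re.search(r"switchport trunk allowed vlan (\S+)", block)
        if name and vpc and allowed:
            members[int(vpc.group(1))] = (name.group(1), expand_vlans(allowed.group(1)))
    return members


def vlans_missing_from_peer_link(brief_text, config_text):
    """VLANs allowed on a vPC member trunk but not active on the peer-link, keyed by vPC id."""
    peer_link_vlans = parse_vpc_brief(brief_text)["peer_link_vlans"]
    missing = {}
    for vpc_id, (_port, allowed) in parse_trunk_config(config_text).items():
        gap = sorted(allowed - peer_link_vlans)
        if gap:
            missing[vpc_id] = gap
    return missing


def consistency_failures(brief_text):
    """Names of the global consistency fields whose value is anything other than 'success'."""
    status = parse_vpc_brief(brief_text)["status"]
    return [field for field in STATUS_FIELDS if status.get(field) != "success"]


if __name__ == "__main__":
    print("consistency failures:", consistency_failures(SAMPLE_VPC_BRIEF))
    print("VLANs missing from peer-link:", vlans_missing_from_peer_link(SAMPLE_VPC_BRIEF, SAMPLE_CONFIG))
```

    On the sample this reports VLAN 30 as allowed on Po100 (vpc 100) but absent from the peer-link, which is exactly the condition Ken describes. The column layout of the peer-link and vPC tables is assumed from the constructed sample; adjust the row regexes if your NX-OS release prints additional columns.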
    J.Andersen
    Re: Building VPC between FortiSwitches (MCLAG/ICL) and Cisco Nexus 9K Switches 2020/02/10 08:54:28 (permalink)
    I have a similar issue.
    My setup contains 2 FortiSwitch 248D, managed via 2 FortiGate100Es.
    The two FortiSwitches are configured connected with an MCLAG-ICL link. I'm trying to connect my two FortiSwitches with my Cisco2960X (stacked as one logical switch) via LACP.
    The LACP link goes down as soon as I connect the port from the second Fortiswitch to the LAG ports.
    On my Cisco switch, my ether-channel is err-dis. due to channel-misconfig (receiving BPDUs from a different sender).
     
    Looking at my MCLAG link on the Fortiswitch, they should send LACP BPDUs with the same ID:


    SW1:
    # diagnose switch mclag list
    (*) - Using local system-id in LACP BPDU
     
    Po1(*)
    ------
        Local system ID              70:4c:a5:6f:37:4a
        Peer system ID               70:4c:a5:6f:37:4a
        Current system ID            70:4c:a5:6f:37:4a
        Local ports                  43-44
        Peer ports                   43-44
        Local uptime                 0 days  1h:16m: 3s
        Peer uptime                  0 days  0h: 0m: 0s
        Local LAG is configured as LACP active.
        Atleast one local LAG port is UP.
        Peer LAG is configured as LACP active
        All peer LAG ports are down,
        ICL traffic may be forwarded to local LAG port.
        Updates sent to peer         8108
        Updates received from peer   8105
     
    SW2:
    # diagnose switch mclag list  
    (*) - Using local system-id in LACP BPDU
     
    Po1
    ---
        Local system ID              70:4c:a5:6f:2a:36
        Peer system ID               70:4c:a5:6f:37:4a
        Current system ID            70:4c:a5:6f:37:4a
        Local ports                  43-44
        Peer ports                   43-44
        Local uptime                 0 days  0h: 0m: 0s
        Peer uptime                  0 days  1h:14m:47s
        Local LAG is configured as LACP active.
        Peer system id is used in LACP BPDU.
        Peer LAG is configured as LACP active
        Atleast one peer LAG port is UP,
        local LAG ports are filtered for ICL traffic.
        Updates sent to peer         8030
        Updates received from peer   8033
     
    I haven't been able to solve it yet.
    I really don't want to disable the channel-misconfig on my Cisco stack.
     
    /Jonas 
    #13
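    Jonas's two outputs can be compared mechanically rather than by eye. The script below is an added example, not code from the thread or from Fortinet: it parses the `diagnose switch mclag list` text from each peer (the embedded sample input is the SW1/SW2 output posted above) and reports where the two views disagree: a different current LACP system ID, member port lists that do not mirror across the ICL, or LAG members up on only one peer. On the posted output both peers use 70:4c:a5:6f:37:4a, so the LACP identity the Cisco side sees is consistent and the only finding is that members are up on one peer.

```python
"""Consistency check over `diagnose switch mclag list` output from both MCLAG peers.

Added example, not code from the thread or from Fortinet. SW1_OUTPUT and SW2_OUTPUT
are the two outputs posted in the thread; the parsed field names are the ones that
appear in that output.
"""
import re

SW1_OUTPUT = """\
(*) - Using local system-id in LACP BPDU

Po1(*)
------
    Local system ID              70:4c:a5:6f:37:4a
    Peer system ID               70:4c:a5:6f:37:4a
    Current system ID            70:4c:a5:6f:37:4a
    Local ports                  43-44
    Peer ports                   43-44
    Local uptime                 0 days  1h:16m: 3s
    Peer uptime                  0 days  0h: 0m: 0s
    Local LAG is configured as LACP active.
    Atleast one local LAG port is UP.
    Peer LAG is configured as LACP active
    All peer LAG ports are down,
    ICL traffic may be forwarded to local LAG port.
"""

SW2_OUTPUT = """\
(*) - Using local system-id in LACP BPDU

Po1
---
    Local system ID              70:4c:a5:6f:2a:36
    Peer system ID               70:4c:a5:6f:37:4a
    Current system ID            70:4c:a5:6f:37:4a
    Local ports                  43-44
    Peer ports                   43-44
    Local uptime                 0 days  0h: 0m: 0s
    Peer uptime                  0 days  1h:14m:47s
    Local LAG is configured as LACP active.
    Peer system id is used in LACP BPDU.
    Peer LAG is configured as LACP active
    Atleast one peer LAG port is UP,
    local LAG ports are filtered for ICL traffic.
"""

FIELD_RE = re.compile(
    r"^\s*(Local system ID|Peer system ID|Current system ID|Local ports|Peer ports)\s+(\S+)\s*$",
    re.MULTILINE,
)


def parse_mclag(text):
    """Return LAG name, LACP system IDs, member ports and member state from one peer's output."""
    header = re.search(r"^(Po\d+)(\(\*\))?\s*$", text, re.MULTILINE)
    if header is None:
        raise ValueError("no MCLAG port-channel block found")
    info = {"lag": header.group(1), "uses_local_id": header.group(2) is not None}
    for key, value in FIELD_RE.findall(text):
        info[key.lower().replace(" ", "_")] = value.lower()
    lowered = text.lower()
    # The output spells it "Atleast"; match that rather than the dictionary form.
    info["local_up"] = "atleast one local lag port is up" in lowered
    info["peer_up"] = "atleast one peer lag port is up" in lowered
    return info


def check_pair(sw1, sw2):
    """Compare both peers' views; an empty list means they agree and both sides have members up."""
    findings = []
    if sw1["lag"] != sw2["lag"]:
        findings.append("peers report different LAG names: %s vs %s" % (sw1["lag"], sw2["lag"]))
    if sw1["current_system_id"] != sw2["current_system_id"]:
        findings.append("current LACP system ID differs (%s vs %s); the partner sees two LACP systems"
                        % (sw1["current_system_id"], sw2["current_system_id"]))
    if sw1["local_ports"] != sw2["peer_ports"] or sw1["peer_ports"] != sw2["local_ports"]:
        findings.append("member port lists do not mirror each other across the ICL")
    if sw1["local_up"] != sw2["local_up"]:
        up_side = "SW1" if sw1["local_up"] else "SW2"
        findings.append("only one peer (%s) has LAG members up; the LAG is effectively single-homed" % up_side)
    return findings


def override_field(text, field, value):
    """Rewrite one 'Field   value' line; used to build a mismatching variant for testing."""
    return re.sub(r"^(\s*%s\s+)\S+" % re.escape(field), lambda m: m.group(1) + value,
                  text, flags=re.MULTILINE)


if __name__ == "__main__":
    for finding in check_pair(parse_mclag(SW1_OUTPUT), parse_mclag(SW2_OUTPUT)) or ["peers agree"]:
        print(finding)
```

    Note what this check does not cover: Cisco's EtherChannel misconfig guard acts on spanning-tree BPDUs received on the channel members, not on the LACP fields shown here, so matching LACP system IDs on both peers do not by themselves rule out the channel-misconfig error-disable. That is why the spanning-tree handling on the trunk, discussed in the replies above, matters even when this script reports the IDs as consistent.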
    bmduncan34
    Re: Building VPC between FortiSwitches (MCLAG/ICL) and Cisco Nexus 9K Switches 2020/02/10 12:35:35 (permalink)
    Is the mclag a trunk on the Fortiswitches?  What is going on with spanning tree?  I had to disable spanning tree on the mclag/trunk on my 1048's, that are ICL'd to each other.  Measure twice, cut once, when messing with spanning tree!  But for me, I had to disable that and the port-channel came up fine.  Also, if you are configuring in the GUI, click on one mclag member, hold the control key, and then select the second member.  THEN right-click to disable STP.  I tried doing it to individual mclag members and it wasn't pretty.
    #14
    Huey
    Re: Building VPC between FortiSwitches (MCLAG/ICL) and Cisco Nexus 9K Switches 2020/02/11 11:55:01 (permalink)
    I have a PDF but can't attach it.  Send me your email and I'll email it to you.  I was able to build a LACP bundle but you need to follow the order of the instructions in the pdf.
    #15
    © 2020 APG vNext Commercial Version 5.5