12-12-2017 07:50 AM - edited 03-08-2019 01:05 PM
Hello all,
I have an issue configuring LACP between a Cisco 3850 and a Fortigate 100D.
We have smaller switches from Cisco (SG500) and we were able to configure LACP in no time. Because we needed somewhat stronger switches, we purchased 3850s, and now I have applied the config to them (2x stacked switches), but it is not working.
Can you please help?
Creation Process
Fortigate LACP is created rather simple - new interface -> 802.3ad aggregation and port added.
Cisco config is based on:
and
http://thuongnguyen.net/fortigate-link-aggregration-802-3ad-lacp-with-cisco-switching/
What I saw is that the command "switchport trunk encapsulation dot1q" is not possible anymore. I am not sure if this is why it is not working.
My Current Configuration
interface Port-channel2
 switchport trunk allowed vlan 208
 switchport mode trunk
interface TenGigabitEthernet1/0/9
 switchport trunk allowed vlan 208
 switchport mode trunk
 channel-protocol lacp <- This line I added after searching for the solution. Not sure if needed.
 channel-group 2 mode active
switch(config-if)#do sh lacp neigh
Flags: S - Device is requesting Slow LACPDUs
F - Device is requesting Fast LACPDUs
A - Device is in Active mode P - Device is in Passive mode
Channel group 1 neighbors
Partner's information:
LACP port Admin Oper Port Port
Port Flags Priority Dev ID Age key Key Number State
Channel group 2 neighbors
Partner's information:
LACP port Admin Oper Port Port
Port Flags Priority Dev ID Age key Key Number State
Te1/0/9 SA 255 0x3D
Switch #sh spanning-tree vlan 208
VLAN0208
Spanning tree enabled protocol rstp
Root ID Priority 32976
Address a0f8.49cd.5c00
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32976 (priority 32768 sys-id-ext 208)
Address a0f8.49cd.5c00
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Po2 Desg FWD 4 128.2316 P2p
switch(config-if)#do sh int port-channel 2
Port-channel2 is up, line protocol is up (connected)
Hardware is EtherChannel, address is a0f8.49cd.5c09 (bia a0f8.49cd.5c09)
MTU 9000 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 1000Mb/s, link type is auto, media type is
input flow-control is off, output flow-control is unsupported
Members in this channel: Te1/0/9
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
2850 packets input, 354456 bytes, 0 no buffer
Received 2850 broadcasts (2683 multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 2683 multicast, 0 pause input
0 input packets with dribble condition detected
54751 packets output, 4336270 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
switch#sh vlan id 208
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
208 test active Po2
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
208 enet 100208 1500 - - - - - 0 0
Remote SPAN VLAN
----------------
Disabled
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
12-12-2017 08:31 AM
Hi,
What I saw is that the command "switchport trunk encapsulation dot1q" is not possible anymore. I am not sure if this is why it is not working.
You don't need to specifically use this command on newer switches/IOS versions, as dot1q is the default encapsulation.
Your Cisco config looks correct.
What is the output of "sh ether su"?
Are physical interfaces in up and up mode?
Also, have you tried mode active on one side and passive on the other side?
HTH
12-19-2017 06:31 AM
sh eth su
2 Po2(SU) LACP Te1/0/9(P)
chzhtmbesw01#sh ip int te1/0/9
TenGigabitEthernet1/0/9 is up, line protocol is up
Inbound access list is not set
Outgoing access list is not set
I didn't try active/passive. What I realized is that the 3850 is a 10Gb switch and the Fortigate is a 1Gb router.
Can this be the issue?
12-19-2017 06:43 AM - edited 12-19-2017 06:47 AM
It looks like Forti has lacp negotiation problems with Cisco, maybe they're using lacp fast-rate?
12-19-2017 07:01 AM
I tried executing the command
set lacp-mode slow on the Fortigate, but nothing.
LACP packets are arriving but no communication with the network. ...
Can it be because of the interface speed?
Cisco Te and Forti Ge
12-19-2017 07:12 AM