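FortiLink MCLAG: Cross-Stack Link Aggregation with Third-Party Devices

Networking Requirements

This test builds on the configuration from the previous chapter, "FortiLink MCLAG: Stacked 2-Tier Networking Configuration Example".

Network Topology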


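  1. Port-Channel 10 on Cisco SW1 is a Layer 3 interface with IP address 192.168.10.101. On Core-FSW1 and Core-FSW2 we configure a cross-switch aggregate interface, BOND 10, to connect to it, and assign it to VLAN 10.
  2. Port-Channel 20 on Cisco SW2 is a Layer 3 interface with IP address 192.168.20.101. On Access-FSW1 and Access-FSW2 we configure a cross-switch aggregate interface, BOND 20, to connect to it, and assign it to VLAN 20.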

Configuration Steps

Cisco Switch Configuration

  1. Aggregation configuration on Cisco SW1.

    !
    interface port-channel 10
    no switchport
    ip address 192.168.10.101 255.255.255.0
    !
    !
    interface FastEthernet2/0/3
    no switchport
    no ip address
    channel-group 10 mode active
    !
    interface FastEthernet2/0/4
    no switchport
    no ip address
    channel-group 10 mode active
    !
    
  2. Aggregation configuration on Cisco SW2.

    !
    interface Port-channel20
    no switchport
    ip address 192.168.20.101 255.255.255.0
    !
    interface FastEthernet2/0/5
    no switchport
    no ip address
    ! Fa2/0/5 joins channel-group 20 together with Fa2/0/6 (Port-channel20)
    channel-group 20 mode active
    !
    interface FastEthernet2/0/6
    no switchport
    no ip address
    channel-group 20 mode active
    !
    

FortiGate Configuration

  1. Configure BOND 10, which spans Core-FSW1 and Core-FSW2.


  2. On the FortiSwitch Port page, switch to the Trunk view and set the native VLAN of the Bond10 member interfaces to 10 (equivalent to access VLAN 10).


    Core-FSW1:
    config switch trunk
        edit "Bond10"
            set mode lacp-active
            set mclag enable
            set members "port8"         
        next
    end
    config switch interface
        edit "Bond10"
            set native-vlan 10
        next
    end
    
    Core-FSW2:
    config switch trunk
        edit "Bond10"
            set mode lacp-active
            set mclag enable
            set members "port8"         
        next
    end
    config switch interface
        edit "Bond10"
            set native-vlan 10
        next
    end
    
  3. Configure BOND 20, which spans Access-FSW1 and Access-FSW2.


  4. On the FortiSwitch Port page, switch to the Trunk view and set the native VLAN of the Bond20 member interfaces to 20 (equivalent to access VLAN 20).


    Access-FSW1:
    config switch trunk
        edit "Bond20"
            set mode lacp-active
            set mclag enable
            set members "port8"         
        next
    end
    config switch interface
        edit "Bond20"
            set native-vlan 20
        next
    end
    
    Access-FSW2:
    config switch trunk
        edit "Bond20"
            set mode lacp-active
            set mclag enable
            set members "port8"         
        next
    end
    config switch interface
        edit "Bond20"
            set native-vlan 20
        next
    end
    

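Notes

In a FortiSwitch mclag-icl stacked topology, when connecting to a Cisco switch aggregate port, the following setting must also be added to the FortiSwitch STP configuration (set mclag-stp-bpdu single).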

    Core-FSW1:
    config switch stp settings
        set mclag-stp-bpdu single
    end

    Core-FSW2:
    config switch stp settings
        set mclag-stp-bpdu single
    end

    Access-FSW1:
    config switch stp settings
        set mclag-stp-bpdu single
    end

    Access-FSW2:
    config switch stp settings
        set mclag-stp-bpdu single
    end

Verification

Cisco-SW1

  1. Check the aggregation status on Cisco-SW1.

    Cisco-SW1#show interfaces port-channel 10 etherchannel
    
    Port-channel10   (Primary aggregator)
    Age of the Port-channel   = 0d:00h:35m:49s
    Logical slot/port   = 10/10          Number of ports = 2
    HotStandBy port = null
    Passive port list   = Fa2/0/3 Fa2/0/4 Fa2/0/5
    Port state          = Port-channel L3-Ag Ag-Inuse
    Protocol            =   LACP
    Port security       = Disabled
    Ports in the Port-channel:
    Index   Load   Port     EC state        No of bits
    ------+------+------+------------------+-----------
      0     00     Fa2/0/3  Active             0
      0     00     Fa2/0/4  Active             0
    Time since last port bundled:    0d:00h:28m:41s    Fa2/0/4
    
    Cisco-SW1#show interfaces port-channel 10
    
    Port-channel10 is up, line protocol is up (connected)
      Hardware is EtherChannel, address is 001c.b0c7.9741 (bia 001c.b0c7.9741)
      Internet address is 192.168.10.101/24
      MTU 1500 bytes, BW 200000 Kbit, DLY 100 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Full-duplex, 100Mb/s, link type is auto, media type is unknown
      input flow-control is off, output flow-control is unsupported
      Members in this channel: Fa2/0/3 Fa2/0/4
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 00:00:01, output 00:30:09, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      5 minute input rate 6000 bits/sec, 2 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         4264 packets input, 1406340 bytes, 0 no buffer
         Received 4264 broadcasts (0 IP multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog, 3034 multicast, 0 pause input
         0 input packets with dribble condition detected
         680 packets output, 100803 bytes, 0 underruns
         0 output errors, 0 collisions, 2 interface resets
         0 babbles, 0 late collision, 0 deferred
         0 lost carrier, 0 no carrier, 0 PAUSE output
         0 output buffer failures, 0 output buffers swapped out
    
  2. From Cisco-SW1, access VLAN 10 on the FortiGate.

    Cisco-SW1#ping 192.168.10.1 repeat 100
    
    Sending 100, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    Success rate is 100 percent (100/100), round-trip min/avg/max = 1/11/1007 ms
    

Cisco-SW2

  1. Check the aggregation status on Cisco-SW2.

    Cisco-SW2#show interfaces port-channel 20 etherchannel
    
    Port-channel20   (Primary aggregator)
    Age of the Port-channel   = 0d:00h:38m:50s
    Logical slot/port   = 10/20          Number of ports = 1
    HotStandBy port = null
    Passive port list   = Fa2/0/6
    Port state          = Port-channel L3-Ag Ag-Inuse
    Protocol            =   LACP
    Port security       = Disabled
    Ports in the Port-channel:
    Index   Load   Port     EC state        No of bits
    ------+------+------+------------------+-----------
      0     00     Fa2/0/6  Active             0
    Time since last port bundled:    0d:00h:10m:47s    Fa2/0/6
    
    Cisco-SW2#show interfaces port-channel 20
    
    Port-channel20 is up, line protocol is up (connected)
      Hardware is EtherChannel, address is 001c.b0c7.9744 (bia 001c.b0c7.9744)
      Internet address is 192.168.20.101/24
      MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Full-duplex, 100Mb/s, link type is auto, media type is unknown
      input flow-control is off, output flow-control is unsupported
      Members in this channel: Fa2/0/6
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 00:00:01, output 00:10:57, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         729 packets input, 249974 bytes, 0 no buffer
         Received 729 broadcasts (0 IP multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog, 542 multicast, 0 pause input
         0 input packets with dribble condition detected
         126 packets output, 18528 bytes, 0 underruns
         0 output errors, 0 collisions, 2 interface resets
         0 babbles, 0 late collision, 0 deferred
         0 lost carrier, 0 no carrier, 0 PAUSE output
         0 output buffer failures, 0 output buffers swapped out
    
  2. From Cisco-SW2, access VLAN 20 on the FortiGate.

    Cisco-SW2#ping 192.168.20.1 repeat 100
    
    Sending 100, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    Success rate is 100 percent (100/100), round-trip min/avg/max = 1/11/1007 ms
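
A ping that succeeds does not show that every intended link joined the bundle, so the `show interfaces port-channel N etherchannel` output is worth checking against the design. The following is an added example, not part of the original page or Fortinet's or Cisco's tooling: it parses the Cisco-SW2 output captured above and compares it with the expected member ports, assuming both Fa2/0/5 and Fa2/0/6 are meant to be in Port-channel 20.

```python
import re

# Output of "show interfaces port-channel 20 etherchannel" as captured on this page.
SW2_OUTPUT = """\
Port-channel20   (Primary aggregator)
Age of the Port-channel   = 0d:00h:38m:50s
Logical slot/port   = 10/20          Number of ports = 1
HotStandBy port = null
Passive port list   = Fa2/0/6
Port state          = Port-channel L3-Ag Ag-Inuse
Protocol            =   LACP
Port security       = Disabled
Ports in the Port-channel:
Index   Load   Port     EC state        No of bits
------+------+------+------------------+-----------
  0     00     Fa2/0/6  Active             0
Time since last port bundled:    0d:00h:10m:47s    Fa2/0/6
"""

def parse_etherchannel(text):
    """Extract name, bundled-port count, protocol and member rows (port -> EC state)."""
    name = re.search(r"^\s*(Port-channel\d+)", text, re.M)
    count = re.search(r"Number of ports\s*=\s*(\d+)", text)
    proto = re.search(r"^\s*Protocol\s*=\s*(\S+)", text, re.M)
    if not (name and count and proto):
        raise ValueError("not a 'show interfaces port-channel N etherchannel' output")
    rows = re.findall(r"^\s*\d+\s+\S+\s+([A-Za-z]+[\d/]+)\s+(\S+)\s+\d+\s*$", text, re.M)
    return {"name": name.group(1), "count": int(count.group(1)),
            "protocol": proto.group(1), "members": dict(rows)}

def check_bundle(info, expected_ports):
    """Return a list of findings; an empty list means the bundle matches the design."""
    findings = []
    if info["protocol"] != "LACP":
        findings.append(f"{info['name']}: protocol is {info['protocol']}, expected LACP")
    for port in sorted(set(expected_ports) - set(info["members"])):
        findings.append(f"{info['name']}: {port} is not bundled")
    for port in sorted(set(info["members"]) - set(expected_ports)):
        findings.append(f"{info['name']}: unexpected member {port}")
    for port, state in info["members"].items():
        if state != "Active":
            findings.append(f"{info['name']}: {port} EC state is {state}")
    if info["count"] != len(expected_ports):
        findings.append(f"{info['name']}: {info['count']} port(s) bundled, "
                        f"expected {len(expected_ports)}")
    return findings

if __name__ == "__main__":
    # Assumption: both Fa2/0/5 and Fa2/0/6 are meant to be in Port-channel 20.
    print("\n".join(check_bundle(parse_etherchannel(SW2_OUTPUT), ["Fa2/0/5", "Fa2/0/6"])))
```

Run against the captured output, the check reports that Fa2/0/5 is not bundled and that only one of the two expected ports is in the channel, which means the link has no redundancy even though the ping test passes.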
    

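Notes

  1. Cross-switch aggregation is possible only between stacked switches; aggregate interfaces cannot be configured across different stacked switch groups.
  2. When connecting to a FortiSwitch, MCLAG aggregation is automatic.
  3. When connecting to third-party devices such as switches, routers, other vendors' firewalls, or servers, dynamic aggregation in LACP Active mode is recommended.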

Copyright © 2024 Fortinet Inc. All rights reserved. Powered by Fortinet TAC Team.
This page was last revised: 2023-12-29 15:17:39
