
Replacing a managed FortiSwitch unit

If a managed FortiSwitch unit fails, you can replace it with another FortiSwitch unit that is managed by the same FortiGate unit. The replacement FortiSwitch unit will inherit the configuration of the FortiSwitch unit that it replaces. The failed FortiSwitch unit is no longer managed by a FortiGate unit or discovered by FortiLink.

NOTE:

  • Both FortiSwitch units must be of the same model.
  • After replacing the failed FortiSwitch unit, the automatically created trunk name does not change. If you want a different trunk name, you need to delete the trunk. The new trunk is created automatically with an updated name. At the end of this section is a detailed procedure for renaming the MCLAG-ICL trunk.
  • If the replaced managed FortiSwitch unit is part of an MCLAG, only the ICL should be connected to the new switch to avoid any traffic loops. The other interfaces should be connected only to the switch that is fully managed by the FortiGate unit with the correct configuration.
To replace a managed FortiSwitch unit when split ports are not enabled:
  1. Remove the failed FortiSwitch unit from the network.
  2. Deauthorize the failed switch:

    config switch-controller managed-switch
    edit <failed_FortiSwitch_serial_number>
    set fsw-wan1-admin disable
    end

  3. If the replacement switch is not new, reset the replacement FortiSwitch unit to factory default settings with the execute factoryreset command.

  4. Without connecting to the existing network, upgrade the firmware of the replacement FortiSwitch unit to the same version as the firmware on the failed FortiSwitch unit. See Viewing and upgrading the FortiSwitch firmware version.
  5. On the FortiGate device, use the execute replace-device fortiswitch <failed_FortiSwitch_serial_number> <replacement_FortiSwitch_serial_number> command to change the replacement switch name to match the failed switch name.

  6. Authorize the replacement switch:

    config switch-controller managed-switch
    edit <replacement_FortiSwitch_serial_number>
    set fsw-wan1-admin enable
    end

  7. Connect the replacement switch to the network.

To replace a managed FortiSwitch unit when split ports are enabled:
  1. Remove the failed FortiSwitch unit from the network.
  2. Deauthorize the failed switch:

    config switch-controller managed-switch
    edit <failed_FortiSwitch_serial_number>
    set fsw-wan1-admin disable
    end

  3. If the replacement switch is not new, reset the replacement FortiSwitch unit to factory default settings with the execute factoryreset command.

  4. Without connecting to the existing network, upgrade the firmware of the replacement FortiSwitch unit to the same version as the firmware on the failed FortiSwitch unit. See Viewing and upgrading the FortiSwitch firmware version.
  5. Log in to the replacement switch and use the config switch phy-mode commands to configure the split ports with the same configuration that was on the failed switch.

  6. On the FortiGate device, use the execute replace-device fortiswitch <failed_FortiSwitch_serial_number> <replacement_FortiSwitch_serial_number> command to change the replacement switch name to match the failed switch name.

  7. Authorize the replacement switch:

    config switch-controller managed-switch
    edit <replacement_FortiSwitch_serial_number>
    set fsw-wan1-admin enable
    end

  8. Connect the replacement switch to the network.

To replace a managed FortiSwitch unit of an MCLAG pair:
  1. Remove the failed FortiSwitch unit from the network.
  2. Deauthorize the failed switch:

    config switch-controller managed-switch
    edit <failed_FortiSwitch_serial_number>
    set fsw-wan1-admin disable
    end

  3. If the replacement switch is not new, reset the replacement FortiSwitch unit to factory default settings with the execute factoryreset command.

  4. Without connecting to the existing network, upgrade the firmware of the replacement FortiSwitch unit to the same version as the firmware on the failed FortiSwitch unit. See Viewing and upgrading the FortiSwitch firmware version.
  5. On the FortiGate device, use the execute replace-device fortiswitch <failed_FortiSwitch_serial_number> <replacement_FortiSwitch_serial_number> command to change the replacement switch name to match the failed switch name.

  6. Authorize the replacement switch:

    config switch-controller managed-switch
    edit <replacement_FortiSwitch_serial_number>
    set fsw-wan1-admin enable
    end

  7. Connect the ICL physical port(s) of the replacement MCLAG switch to the peer switch’s ICL ports. An ISL trunk with the peer’s name is formed on the replacement switch. Wait until the replacement switch’s FortiLink is up.

    • On the FortiGate device, if the failed switch had set lldp-profile default-auto-mclag-icl configured in the ICL ports of the switch, the replaced switch will not have these settings configured to begin with. Use the console or SSH to the replacement switch and manually configure set mclag-icl enable in the ISL trunk with the peer switch’s name. Then wait for the replaced switch to form FortiLink with the FortiGate device, and all configurations, including set lldp-profile default-auto-mclag-icl, are pushed to the replacement switch. After this is done, from the console or SSH to the replaced switch, delete the automatically formed ICL trunk, which then triggers the automatic formation of the FlInK1_ICL0_ trunk.

    • On the FortiGate device, if the failed switch did not have “set lldp-profile default-auto-mclag-icl” configured in the ICL ports of the switch, the replacement switch will not have the setting as well. SSH to the replacement switch, manually configure “set mclag-icl enable” in the ISL trunk with the peer switch’s name. Then wait for the replaced switch to form FortiLink with the FortiGate device, and all configurations are pushed to the replacement switch. After this is done, SSH to the peer switch to delete the ICL trunk (with the failed switch’s name) and configure “set mclag-icl enable” after a new ISL trunk with the replacement switch’s name forms automatically.
  8. Use the diagnose switch mclag icl command to make sure that there are no errors and that the ICL trunk is up.
  9. Check the neighbor peer switch to see if it has auto-isl-port-group configured. If it does, you need to configure the replacement switch with the same auto-isl-port-group name.
  10. Connect the rest of the ports to the replacement switch.
  11. Execute the diagnose switch mclag peer-consistency-check command to make sure there are no MCLAG or ICL errors.
To rename the MCLAG-ICL trunk:

After replacing the failed FortiSwitch unit, the automatically created trunk name does not change. If you want a different trunk name, you need to delete the trunk. The new trunk is created automatically with an updated name.

Changing the name of the MCLAG-ICL trunk must be done on both the FortiGate unit and the MCLAG-ICL switches. You need a maintenance window for the change.

  1. Shut down the FortiLink interface on the FortiGate unit.
    1. On the FortiGate unit, execute the show system interface command. For example:

      FG3K2D3Z17800156 # show system interface root-lag
      config system interface
      edit "root-lag"
      set vdom "root"
      set fortilink enable
      set ip 10.105.60.254 255.255.255.0
      set allowaccess ping capwap
      set type aggregate
      set member "port45" "port48"
      config managed-device


    2. Write down the member port information. In this example, port45 and port48 are the member ports.
    3. Shut down the member ports with the config system interface, edit <member-port#>, set status down, and end commands. For example:

      FG3K2D3Z17800156 # config system interface
      FG3K2D3Z17800156 (interface) # edit port48
      FG3K2D3Z17800156 (port48) # set status down
      FG3K2D3Z17800156 (port48) # next // repeat for each member port
      FG3K2D3Z17800156 (interface) # edit port45
      FG3K2D3Z17800156 (port45) # set status down
      FG3K2D3Z17800156 (port45) # end


    4. Verify that FortiLink is down with the exec switch-controller get-conn-status command. For example:

      FG3K2D3Z17800156 # exec switch-controller get-conn-status
      Managed-devices in current vdom root:
      STACK-NAME: FortiSwitch-Stack-root-lag
      SWITCH-ID VERSION STATUS ADDRESS JOIN-TIME NAME
      FS1D483Z17000282 v6.0.0 Authorized/Down 0.0.0.0 N/A icl-sw2
      FS1D483Z17000348 v6.0.0 Authorized/Down 0.0.0.0 N/A icl-sw1


  2. Rename the MCLAG-ICL trunk name on both MCLAG-ICL switches.
    1. Execute the show switch trunk command on both MCLAG-ICL switches. Locate the ICL trunk that includes the set mclag-icl enable command in its configuration and write down the member ports and configuration information. For example:

      icl-sw1 # show switch trunk
      config switch trunk
      ...
      edit "D483Z17000282-0"
      set mode lacp-active
      set auto-isl 1
      set mclag-icl enable // look for this line
      set members "port27" "port28" // note the member ports
      next
      end


    2. Note the output of the show switch interface <MCLAG-ICL-trunk-name>, diagnose switch mclag icl, and diagnose switch trunk summary <MCLAG-ICL-trunk-name> commands. For example:

      icl-sw1 # show switch interface D483Z17000282-0
      config switch interface
      edit "D483Z17000282-0"
      set native-vlan 4094
      set allowed-vlans 1,100,2001-2060,4093
      set dhcp-snooping trusted
      set stp-state disabled
      set edge-port disabled
      set igmp-snooping-flood-reports enable
      set mcast-snooping-flood-traffic enable
      set snmp-index 57
      next
      end

      icl-sw1 # diag switch mclag icl
      D483Z17000282-0
      icl-ports 27-28
      egress-block-ports 3-4,7-12,47-48
      interface-mac 70:4c:a5:86:6d:e5
      lacp-serial-number FS1D483Z17000348
      peer-mac 70:4c:a5:49:50:53
      peer-serial-number FS1D483Z17000282
      Local uptime 0 days 1h:49m:24s
      Peer uptime 0 days 1h:49m:17s
      MCLAG-STP-mac 70:4c:a5:49:50:52
      keepalive interval 1
      keepalive timeout 60

      Counters
      received keepalive packets 4852
      transmited keepalive packets 5293
      received keepalive drop packets 20
      receive keepalive miss 1

      icl-sw1 # diagnose switch trunk sum D483Z17000282-0
      Trunk Name Mode PSC MAC Status Up Time
      ________________ _________________________ ___________ _________________ ___________ _________________________________
      D483Z17000282-0 lacp-active(auto-isl,mclag-icl) src-dst-ip 70:4C:A5:86:6E:00 up(2/2) 0 days,0 hours,16 mins,4 secs


    3. Shut down the ICL member ports using the config switch physical-port, edit <member port#>, set status down, next, and end commands. For example:

      icl-sw1 # config switch physical-port
      icl-sw1 (physical-port) # edit port27
      icl-sw1 (port27) # set status down
      icl-sw1 (port27) # n // repeat for each ICL member port
      icl-sw1 (physical-port) # edit port28
      icl-sw1 (port28) # set status down
      icl-sw1 (port28) # next
      icl-sw1 (physical-port) # end


    4. Delete the original MCLAG-ICL trunk name on the switch using the config switch trunk, delete <mclag-icl-trunk-name>, and end commands. For example:

      icl-sw1 # config switch trunk
      icl-sw1 (trunk) # delete D483Z17000282-0
      icl-sw1 (trunk) # end


    5. Use the show switch trunk command to verify that the trunk is deleted.
    6. Create a new trunk for the MCLAG ICL using the original ICL trunk configuration collected in step 2b and the set auto-isl 0 command in the configuration. For example:

      icl-sw1 # config switch trunk
      icl-sw1 (trunk) # edit MCLAG-ICL
      new entry 'MCLAG-ICL' added
      icl-sw1 (MCLAG-ICL) # set mode lacp-active
      icl-sw1 (MCLAG-ICL) # set auto-isl 0
      icl-sw1 (MCLAG-ICL) # set members "port27" "port28"
      icl-sw1 (MCLAG-ICL) # set mclag-icl enable
      icl-sw1 (MCLAG-ICL) # end


    7. Use the show switch trunk command to check the trunk configuration.
    8. Start the trunk member ports by using the config switch physical-port, edit <member port#>, set status up, next, and end commands. For example:

      icl-sw1 # config switch physical-port
      icl-sw1 (physical-port) # edit port27
      icl-sw1 (port27) # set status up
      icl-sw1 (port27) # next // repeat for each trunk member port
      icl-sw1 (physical-port) # edit port28
      icl-sw1 (port28) # set status up
      icl-sw1 (port28) # end


      NOTE: Follow steps 2a through 2h on both switches.
  3. Set up the FortiLink interface on the FortiGate unit. Enter the config system interface, edit <interface-member-port>, set status up, next, and end commands. For example:

    FG3K2D3Z17800156 # config system interface
    FG3K2D3Z17800156 (interface) # edit port45
    FG3K2D3Z17800156 (port45) # set status up
    FG3K2D3Z17800156 (port45) # next // repeat on all member ports
    FG3K2D3Z17800156 (interface) # edit port48
    FG3K2D3Z17800156 (port48) # set status up
    FG3K2D3Z17800156 (port48) # next
    FG3K2D3Z17800156 (interface) # end


  4. Check the configuration and status on both MCLAG-ICL switches.
    1. Enter the show switch trunk, diagnose switch mclag icl, and diagnose switch trunk summary <new-trunk-name> commands. For example:

      icl-sw1 # show switch trunk
      config switch trunk
      <snip>
      edit "MCLAG-ICL"
      set mode lacp-active
      set mclag-icl enable
      set members "port27" "port28"
      next
      end

      icl-sw1 # show switch interface MCLAG-ICL
      config switch interface
      edit "MCLAG-ICL"
      set native-vlan 4094
      set allowed-vlans 1,100,2001-2060,4093
      set dhcp-snooping trusted
      set stp-state disabled
      set igmp-snooping-flood-reports enable
      set mcast-snooping-flood-traffic enable
      set snmp-index 56
      next
      end

      icl-sw1 # diagnose switch mclag icl
      MCLAG-ICL
      icl-ports 27-28
      egress-block-ports 3-4,7-12,47-48
      interface-mac 70:4c:a5:86:6d:e5
      lacp-serial-number FS1D483Z17000348
      peer-mac 70:4c:a5:49:50:5
      peer-serial-number FS1D483Z17000282
      Local uptime 0 days 2h:11m:13s
      Peer uptime 0 days 2h:11m: 7s
      MCLAG-STP-mac 70:4c:a5:49:50:52
      keepalive interval 1
      keepalive timeout 60

      Counters
      received keepalive packets 5838
      transmited keepalive packets 6279
      received keepalive drop packets 27
      receive keepalive miss 1

      icl-sw1 # diagnose switch trunk summary MCLAG-ICL

      Trunk Name Mode PSC MAC Status Up Time
      ________________ _________________________ ___________ _________________ ___________ _________________________________

      MCLAG-ICL lacp-active(auto-isl,mclag-icl) src-dst-ip 70:4C:A5:86:6E:00 up(2/2) 0 days,1 hours,4 mins,57 secs

    2. Compare the command results in step 4a with the command results in step 2b.
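Step 8 of the MCLAG replacement procedure and step 4b of the rename procedure both come down to reading `diagnose switch mclag icl` and `show switch interface` output and spotting what changed. The following added example (not part of the Fortinet documentation) parses both outputs and reports every stable setting that differs between the step 2b and step 4a captures, ignoring the fields that are expected to change (trunk name, snmp-index, uptime, keepalive counters). The sample captures are constructed from the page's icl-sw1 output, with the peer MAC written out in full.

```python
"""Step 4b check for the MCLAG-ICL rename: compare the state captured before the
rename (step 2b) with the state after it (step 4a), ignoring fields that are
expected to change (trunk name, snmp-index, uptime, keepalive counters)."""
import re

# Constructed samples based on the page's icl-sw1 captures (peer-mac written in full).
BEFORE_IF = """config switch interface
edit "D483Z17000282-0"
set native-vlan 4094
set allowed-vlans 1,100,2001-2060,4093
set dhcp-snooping trusted
set stp-state disabled
set edge-port disabled
set igmp-snooping-flood-reports enable
set mcast-snooping-flood-traffic enable
set snmp-index 57
next
end
"""
# After the rename, the page's capture lacks the edge-port line and has a new snmp-index.
AFTER_IF = (BEFORE_IF.replace('"D483Z17000282-0"', '"MCLAG-ICL"')
            .replace("set edge-port disabled\n", "").replace("snmp-index 57", "snmp-index 56"))

BEFORE_ICL = """D483Z17000282-0
icl-ports 27-28
egress-block-ports 3-4,7-12,47-48
interface-mac 70:4c:a5:86:6d:e5
lacp-serial-number FS1D483Z17000348
peer-mac 70:4c:a5:49:50:53
peer-serial-number FS1D483Z17000282
Local uptime 0 days 1h:49m:24s
Peer uptime 0 days 1h:49m:17s
MCLAG-STP-mac 70:4c:a5:49:50:52
keepalive interval 1
keepalive timeout 60

Counters
received keepalive packets 4852
transmited keepalive packets 5293
received keepalive drop packets 20
receive keepalive miss 1
"""
AFTER_ICL = (BEFORE_ICL.replace("D483Z17000282-0", "MCLAG-ICL")
             .replace("1h:49m:24s", "2h:11m:13s").replace("1h:49m:17s", "2h:11m: 7s")
             .replace("packets 4852", "packets 5838").replace("drop packets 20", "drop packets 27"))


def parse_interface(text):
    """Map each 'set <key> <value>' line of `show switch interface <trunk>` to if:<key>."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"\s*set (\S+)\s+(.*\S)", line)
        if m:
            settings["if:" + m.group(1)] = m.group(2)
    return settings


def parse_icl(text):
    """Map `diagnose switch mclag icl` output to icl:<field>; the first line is the
    trunk name and everything after 'Counters' is a statistic (icl:counter:<name>)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    fields = {"icl:trunk": lines[0]}
    prefix = "icl:"
    for line in lines[1:]:
        if line == "Counters":
            prefix = "icl:counter:"
            continue
        key, _, value = line.rpartition(" ")  # the last token is the value
        fields[prefix + key] = value
    return fields


# Keys (or key prefixes) that legitimately differ between the two captures.
VOLATILE = ("icl:trunk", "if:snmp-index", "icl:Local uptime", "icl:Peer uptime", "icl:counter:")


def compare_icl_state(before_if, before_icl, after_if, after_icl):
    """Return {key: (before, after)} for every stable setting that differs;
    a setting present on only one side is reported with None for the other."""
    before = {**parse_interface(before_if), **parse_icl(before_icl)}
    after = {**parse_interface(after_if), **parse_icl(after_icl)}
    return {key: (before.get(key), after.get(key))
            for key in sorted(set(before) | set(after))
            if not key.startswith(VOLATILE) and before.get(key) != after.get(key)}


if __name__ == "__main__":
    for key, (old, new) in compare_icl_state(BEFORE_IF, BEFORE_ICL, AFTER_IF, AFTER_ICL).items():
        print(f"{key}: before={old!r} after={new!r}")
```

Run over the constructed captures, the only finding is `if:edge-port`, which is set on the old trunk but absent from the new one; that is exactly the kind of drift step 4b asks the operator to catch before reconnecting the remaining ports.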
