Configuring an MCLAG with managed FortiSwitch units

Configuring an MCLAG with managed FortiSwitch units

A multichassis LAG (MCLAG) provides node-level redundancy by grouping two FortiSwitch models together so that they appear as a single switch on the network. If either switch fails, the MCLAG continues to function without any interruption, increasing network resiliency and eliminating the delays associated with the Spanning Tree Protocol (STP). For the network topology, see Dual-homed servers connected to FortiLink tier-1 FortiSwitch units using an MCLAG on page 45 and Standalone FortiGate unit with dual-homed FortiSwitch access on page 46. Notes

  • Both peer switches should be of the same hardware model and same software version. Mismatched configurations might work but are unsupported. l There is a maximum of two FortiSwitch models per MCLAG. l The routing feature is not available within an MCLAG.
  • For static MAC addresses within an MCLAG, if one FortiSwitch learns the MAC address, the second FortiSwitch will automatically learn the MAC address.

To configure an MCLAG with managed FortiSwitch unis:

  1. For each MCLAG peer switch, log into the FortiSwitch to create a LAG:

config switch trunk edit “LAG-member” set mode lacp-active set mclag-icl enable set members “<port>” “<port>”

next

  1. Enable the MCLAG on each managed FortiSwitch:

config switch-controller managed-switch edit “<switch-id>” config ports edit “<trunk name>”

FortiGate CLI support for FortiSwitch features (on non-FortiLink ports)

set type trunk

set mode {static | lacp-passive | lacp-active} set bundle {enable | disable} set members “<port>,<port>” set mclag {enable | disable}

next

end

next

  1. Log into each managed FortiSwitch to check the MCLAG configuration:

diagnose switch mclag

After the FortiSwitch units are configured as MCLAG peer switches, any port that supports advanced features on the FortiSwitch can become a LAG port. When mclag is enabled and the LAG port names match, an MCLAG peer set is automatically formed. The member ports for each FortiSwitch in the MCLAG do not need to be identical to the member ports on the peer FortiSwitch.

This entry was posted in Administration Guides, FortiOS 6, FortiSwitch on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

3 thoughts on “Configuring an MCLAG with managed FortiSwitch units

  1. Diego Martin

    Sorry but dont undestand the MCLAG in fortinet. The Ports of MCLAG ICL enable are the port for VLANs trafic and the port for MCLAG enable are the interswitch link chasis conection?.

    Thanxs

    Reply
  2. Taha

    Hi,
    Can you please give alittle bit detail information about the relation between the MC-LAG and Spanning-tree, Should i configure the both switch as ROOT or not is there any information for suboptimal path with MC-LAG.
    Unfortunately the fortiswitch guide is to poor for this kind of explanation.
    Thanks in advance
    Taha from Turkey

    Reply
  3. Sam

    there is no documentation from Fortinet showing configuration of a 3 (or more) switch LAG at the second tier. Any available configurations do not show the port numbers on the network diagrams.
    Have you tried this?

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.