FortiSwitch MCLAG Configuration Guide: Enterprise Network Resilience Through Multichassis Link Aggregation

In today's digital infrastructure, network downtime is not an option. Organizations require resilient switching architectures that eliminate single points of failure while maintaining operational simplicity. Multichassis Link Aggregation (MCLAG) technology addresses this critical need by allowing two FortiSwitch units to operate as a single logical switch, providing node-level redundancy that traditional Spanning Tree Protocol (STP) cannot match. This comprehensive guide synthesizes official Fortinet documentation to deliver actionable insights for deploying MCLAG across various enterprise topologies—from basic server connectivity to complex multi-tier campus networks. With proper implementation, MCLAG creates seamless failover capabilities that maintain network continuity even during switch hardware failures, fundamentally transforming network resilience strategies.

Understanding MCLAG Fundamentals and Deployment Prerequisites

What is MCLAG and Why It Matters

MCLAG represents a significant advancement in network redundancy design. Unlike traditional link aggregation (LAG) that operates within a single switch, MCLAG extends this capability across two separate physical switches, creating what appears to downstream devices as a single aggregated link. This configuration delivers dual benefits: elimination of spanning tree blocking states for increased bandwidth utilization, and protection against complete switch failure. According to Fortinet's deployment documentation, MCLAG "increases network resiliency and eliminates the delays associated with the Spanning Tree Protocol (STP)," making it particularly valuable for environments where millisecond-level downtime carries substantial business impact.

Critical Prerequisites and Compatibility Notes

Before initiating any MCLAG deployment, administrators must verify several foundational requirements. FortiOS 6.2.3 GA or later and FortiSwitchOS 6.2.3 GA or later are mandatory for basic MCLAG functionality, with specific features requiring even newer versions—HA-mode FortiGate units in different sites, for example, need FortiOS/FortiSwitchOS 6.4.2 or higher. The global switch setting mclag-stp-aware must remain enabled (default setting) alongside STP on all Inter-Chassis Link (ICL) trunks. For multicast environments using IGMP snooping, administrators must ensure mclag-igmpsnooping-aware is enabled globally while configuring mcast-snooping-flood-traffic and igmp-snooping-flood-reports appropriately—disabled on ISL and FortiLink trunks but enabled on ICL trunks.

Core MCLAG Topologies and Configuration Procedures

Dual-Homed Servers: Basic MCLAG Implementation

The foundational MCLAG topology connects critical servers to a pair of FortiSwitch units, providing path redundancy without server configuration changes. Configuration follows a sequential three-step process:

  1. Establish ICL Foundation: Verify the MCLAG Inter-Chassis Link between FortiSwitch peers using the diagnostic command diagnose switch-controller switch-info mclag icl. Fortinet explicitly recommends "using at least two links for ICL redundancy" to prevent the ICL itself from becoming a single point of failure.

  2. Configure Server-Facing Trunks: For each server, select one port on each FortiSwitch unit and configure them as an MCLAG-enabled trunk. For example, Server 1 might use port10 on FortiSwitch 1 and port10 on FortiSwitch 2, while Server 2 uses port15 on both switches.

  3. Validation and Verification: Execute diagnose switch-controller switch-info mclag list to confirm proper MCLAG formation, checking that both switches recognize the aggregated link and that LACP negotiation completes successfully.
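As an added check for the prerequisites listed earlier (mclag-stp-aware, mclag-igmpsnooping-aware and the per-trunk IGMP flood settings) and for the two-link ICL recommendation in step 1, the following script is example code written for this guide, not Fortinet's own tooling: it parses a FortiOS-style switch-controller configuration and reports every trunk or global setting that deviates from those requirements. The sample configuration is constructed, and recognising ISL/FortiLink trunks by an isl-peer-device-name or fortilink-port setting is an assumption about the config format.

```python
"""Added example, not Fortinet's code: lint a FortiOS switch-controller config against the MCLAG
prerequisites above. Sample is constructed; ISL/FortiLink trunk detection is an assumption."""
import re
def parse(text):  # FortiOS config/edit/set/next/end text -> nested dicts, set values as lists
    stack = [{}]
    for raw in text.splitlines():
        kw, _, rest = raw.strip().partition(" ")
        if kw in ("config", "edit"):                      # open a nested block
            stack.append(stack[-1].setdefault(rest.strip('"'), {}))
        elif kw == "set":                                 # e.g. set members "port47" "port48"
            key, _, val = rest.partition(" ")
            stack[-1][key] = [v.strip('"') for v in re.findall(r'"[^"]*"|\S+', val)]
        elif kw in ("next", "end") and len(stack) > 1:    # close the block
            stack.pop()
    return stack[0]

def check_mclag(cfg):  # returns findings; an empty list means every prerequisite check passed
    val = lambda n, k, d: (n.get(k) or [d])[0]            # absent key = factory default d
    findings, glob = [], cfg.get("switch-controller global", {})
    for key in ("mclag-stp-aware", "mclag-igmpsnooping-aware"):   # both default to enable
        if val(glob, key, "enable") != "enable":
            findings.append(f"global: {key} is disabled")
    for sw, swcfg in cfg.get("switch-controller managed-switch", {}).items():
        for name, port in swcfg.get("ports", {}).items():
            if val(port, "type", "") != "trunk":
                continue
            icl = val(port, "mclag-icl", "disable") == "enable"
            # assumption: ISL/FortiLink trunks carry isl-peer-device-name or fortilink-port enable
            isl = "isl-peer-device-name" in port or val(port, "fortilink-port", "") == "enable"
            if icl and len(port.get("members", [])) < 2:   # ICL needs at least two links
                findings.append(f"{sw}/{name}: ICL has fewer than two member links")
            if icl or isl:   # flood settings: enabled on ICL, disabled on ISL/FortiLink
                want = "enable" if icl else "disable"
                for key in ("mcast-snooping-flood-traffic", "igmp-snooping-flood-reports"):
                    if val(port, key, "disable") != want:
                        findings.append(f"{sw}/{name}: {key} should be {want}")
    return findings
SAMPLE = """config switch-controller managed-switch
    edit "FS1"
        config ports
            edit "icl-trunk"
                set type trunk
                set mclag-icl enable
                set members "port47"
            next
        end
    next
end"""
FINDINGS = check_mclag(parse(SAMPLE))   # 3 findings: one ICL member, two flood settings missing
```

In practice the input would be the concatenated output of `show switch-controller global` and `show switch-controller managed-switch` from the managing FortiGate.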

This topology maintains full functionality even when the managing FortiGate operates in HA mode, providing consistent server connectivity through gateway redundancy.

Multi-Tiered Campus Deployments

Large campus environments benefit from hierarchical MCLAG structures that extend redundancy across core, distribution, and access layers. The FortiSwitchOS 7.4.0 Large Campus Switching Deployment Guide outlines a systematic deployment approach that begins at the network core and progresses outward:

Tier-1 (Core) Configuration:

  • Wire two core FortiSwitch units to FortiGate devices
  • Using FortiGate CLI, assign the LLDP profile default-auto-mclag-icl to ports forming the MCLAG ICL
  • Disable the split interface in the FortiLink interface with set fortilink-split-interface disable
  • Enable LACP active mode on the aggregate interface (set lacp-mode active)

Tier-2 and Tier-3 Deployment Strategy: A critical configuration element in multi-tier deployments is the auto-isl-port-group setting, which must be configured directly on the FortiSwitch unit CLI (not through FortiGate management). This setting "instructs the switches to group ports from MCLAG peers together into one MCLAG when the inter-switch link (ISL) is formed."

The deployment follows a phased physical connectivity approach:

  1. Connect only tier-2 MCLAG switches to tier-1, waiting for discovery and authorization
  2. Assign the default-auto-mclag-icl LLDP profile to ICL ports via FortiGate CLI
  3. Configure auto-isl-port-group on tier-1 switches for each tier-2 peer group
  4. Wire tier-3 MCLAG switches, repeating the LLDP profile assignment
  5. Configure auto-isl-port-group on tier-2 switches for tier-3 connections
  6. Connect access switches, allowing automatic ISL formation

This sequential method ensures proper switch authorization and prevents network loops during deployment.

HA-Mode FortiGate Units Across Separate Sites

A sophisticated MCLAG implementation extends high availability across geographically separate sites with FortiGate units in active-passive HA mode. This configuration utilizes FortiSwitch units as heartbeat connections between sites when direct physical connections are limited. The configuration process requires meticulous attention to VLAN segregation and connection sequencing:

  1. Site Isolation Preparation: Begin with all physical connections between sites disconnected to prevent premature heartbeat establishment.

  2. Site-Specific Configuration: On Site 1, establish FortiLinks, enable MCLAG-ICL on core switches, configure HA heartbeat ports on FortiGate-1 (e.g., set hbdev "port1" 242 "port2" 25), and create dedicated VLANs for FortiGate HA heartbeats (VLAN 998 and 999 in documentation examples).

  3. Native VLAN Assignment: Under config switch-controller managed-switch, assign the native VLAN of switch ports connected to heartbeat ports using the VLANs created in step 2. This ensures heartbeat traffic isolation from production data.

  4. Mirror Configuration: Repeat the configuration on Site 2 with adjusted HA priority settings.

  5. Controlled Inter-Site Connection: After confirming both sites' FortiLinks are operational, connect cables between core switch pairs, configure auto-isl-port-group settings on MCLAG peer group switches in both directions, and finally reconnect FortiGate HA and FortiLink interfaces.

Advanced Configuration Considerations and Troubleshooting

Performance Optimization and Best Practices

Successful MCLAG deployment extends beyond basic connectivity to encompass performance tuning and operational sustainability. Administrators should implement several key practices:

  • Link Capacity Planning: The deployment guide reveals substantial port requirements for large campuses, documenting sample deployments with "1,408 1G ports, 416 2.5G ports, 318 10G ports, and 100 100G/40G ports" totaling 2,242 access ports. Scaling to 10,000 1G access ports requires approximately twenty 48-port switches per floor.

  • Traffic Flow Optimization: For multicast-intensive environments, ensure proper IGMP proxy configuration alongside the previously mentioned IGMP snooping settings. This prevents multicast flooding across MCLAG trunks while maintaining necessary traffic flows.

  • Firmware Consistency: Maintain identical FortiSwitchOS versions across MCLAG peers to prevent compatibility issues with synchronization protocols and failover mechanisms.

Essential Diagnostic Commands

Effective MCLAG management requires mastery of several critical diagnostic commands:

  • diagnose switch-controller switch-info mclag icl: Verifies ICL status and health between MCLAG peers
  • diagnose switch-controller switch-info mclag list: Displays all configured MCLAGs and their operational status
  • get system ha status: On HA FortiGate configurations, confirms proper HA status across sites
  • execute switch-controller get-conn-status: From the active FortiGate unit, checks switch connection status in distributed deployments

Regular monitoring using these commands enables proactive issue identification before service degradation occurs.

Frequently Asked Questions

What is the primary advantage of MCLAG over traditional spanning tree configurations? MCLAG provides active-active utilization of all links in the aggregation while eliminating STP convergence delays during failures. Unlike STP, which blocks redundant paths, MCLAG enables full bandwidth utilization across all links with sub-second failover.

Can I configure MCLAG through the FortiGate GUI or is CLI required? While basic MCLAG settings appear in the GUI, advanced configurations—particularly auto-isl-port-group settings for multi-tier deployments—require CLI configuration directly on FortiSwitch units. The FortiGate CLI manages many aspects, but some settings necessitate switch-level access.

How many links should form the Inter-Chassis Link (ICL) between MCLAG peers? Fortinet explicitly recommends "at least two links for ICL redundancy." The ICL carries synchronization data and failover communications between peers, making its redundancy critical to prevent a single point of failure in the MCLAG architecture itself.

Does MCLAG work with FortiGate units in active-active HA mode? Yes, starting with FortiOS 6.2.0, MCLAG supports both active-passive and active-active FortiGate HA modes. Earlier versions (before 6.2.0) required active-passive HA mode for proper MCLAG operation with managed switches.

What happens if one switch in an MCLAG pair fails? The surviving switch seamlessly assumes the role of the failed peer, maintaining all network connections without requiring downstream device reconfiguration. This transparent failover occurs within sub-second timeframes, minimizing application disruption.

Can I mix different FortiSwitch models in an MCLAG pair? While technically possible in some scenarios, Fortinet recommends using identical switch models in MCLAG pairs to ensure consistent performance characteristics, buffer sizes, and forwarding capabilities. Mixed models may create asymmetric performance during failover scenarios.