Skip to main content
riteshpv
Staff
riteshpv
Staff
December 5, 2025

Technical Tip: Connecting multiple Tier-2 MCLAG-ICL FortiSwitch pairs causes network instability

  • December 5, 2025
  • 0 replies
  • 1418 views
Description This article explains the reason and solution for network instability that occurs when multiple Tier-2 MCLAG-ICL FortiSwitch pairs are connected to a Tier-1 MCLAG-ICL pair when setup in FortiLink mode.
Scope FortiSwitch OS v7.4, v7.6.
Solution

Topology:

 

2-tier-mclag-icl.jpg

 

  • Tier-1 MCLAG-ICL: FortiSwitch1 and FortiSwitch2.

  • Tier-2 MCLAG-ICL Pair 1: FortiSwitch3 and FortiSwitch4.

  • Tier-2 MCLAG-ICL Pair 2: FortiSwitch5 and FortiSwitch6.

Note: this issue is only when the setup is in FortiLink Mode.

 

Reason:

  • Connecting the first Tier-2 MCLAG-ICL pair (Pair 1) to Tier-1 does not cause any issue. However, when the second Tier-2 MCLAG-ICL pair (Pair 2) is connected, the network becomes unstable.
  • The instability occurs because connecting pair1 or pair2 to the tier1 switches results in the creation of a single automatic FortiLink trunk, identified as FlInK1_MLAG0, on the tier1 MCLAG-ICL pair.

 

Example (Pair 1 connection):

 

When Pair 1 is connected to Tier-1, the following trunk is formed:

 

Output from FortiSwitch1 / FortiSwitch2

 

show switch trunk
    edit "_FlInK1_MLAG0_"
        set mode lacp-active
        set auto-isl 1
        set mclag enable
        set members "port4" "port5"
    next
end

 

Issue when Pair 2 is connected:

 

Instead of creating a new trunk for Pair 2, the Tier-1 FortiSwitch automatically appends the new ports to the existing trunk, causing loops and instability.

 

Output from FortiSwitch1 / FortiSwitch2

 

show switch trunk
    edit "_FlInK1_MLAG0_"
        set mode lacp-active
        set auto-isl 1
        set mclag enable
        set members "port4" "port5" "port6" "port7"
    next
end

 

This behavior results in both Tier-2 MCLAG-ICL pairs sharing the same trunk, which is not a valid design and leads to network instability.

 

Solution:

 

  1. Remove the existing auto-created trunk.

 

Disconnect the Tier-2 links from Tier-1 and verify that the trunk has been removed. If the trunk remains, delete it manually:

 

show switch trunk
delete "_FlInK1_MLAG0_"
next
end

 

  1. Create dedicated auto-ISL port groups for each Tier-2 MCLAG-ICL pair.

 

On the Tier-1 FortiSwitches (FortiSwitch1 / FortiSwitch2), configure separate port groups:

 

config switch auto-isl-port-group
    edit tier2-1
        set members port4 port5
    next
    edit tier2-2
        set members port6 port7
    next
end

 

This ensures that each Tier-2 pair forms its own independent trunk.

 

  1. Reconnect links and verify correct trunk formation.

 

After reconnecting the Tier-2 links, verify that separate trunks are created for each pair.

 

Output from FortiSwitch1 / FortiSwitch2:

 

show switch trunk
edit "edit tier2-1
        set mode lacp-active
        set auto-isl 1
        set mclag enable
        set members "port4" "port5"
    next
edit "edit tier2-2
        set mode lacp-active
        set auto-isl 1
        set mclag enable
        set members "port6" "port7"
    next
end
 
Note: The trunk name is automatically derived from the auto-isl-port-group name. MCLAG peers verify that it is the same trunk based on the name, so both MCLAG peers should have the same auto-isl-portgroup name if it is a shared trunk (the same trunk on the other peer).
 
    Terms & ConditionsAccessibility statement