DiegMarc
Staff
February 3, 2026

Technical Tip: Designing, implementing, and troubleshooting MCLAG on FortiSwitches managed by FortiGate


 

Description

This article describes how to design, implement, and troubleshoot Multichassis Link Aggregation Group (MCLAG) on FortiSwitches operating in FortiGate-managed mode. It includes architectural considerations, configuration, best practices, and diagnostic commands.

Scope

FortiGate: v7.4.8 build2795 and above.

FortiSwitch: TF1F24-V7.4.8-build929 and above.

Solution

Multichassis Link Aggregation Group (MCLAG) is a technology supported by multiple network vendors, with vendor-specific implementations. It enables link aggregation across two independent physical switches, presenting them as a single logical switch to connected devices.

 

Although each switch is managed independently, they operate as a single logical entity from the perspective of the Spanning Tree Protocol (STP).

 

Use cases and benefits.

MCLAG improves network resiliency and performance by providing the following benefits:

  • Link and device redundancy: Network connectivity is maintained in the event of a link or switch failure.
  • High availability: Eliminates single points of failure.
  • Increased bandwidth: Multiple physical links can be utilized concurrently.
  • STP optimization: Prevents Spanning Tree from blocking redundant links.

 

Requirements and limitations.

To deploy MCLAG on FortiSwitches managed by FortiGate, the following requirements must be met:

  • FortiSwitch models FS-2xx, FS-4xx, FS-5xx, FS-6xx, or higher.
  • FS-1xx models do not support MCLAG.
  • Each MCLAG domain supports a maximum of two FortiSwitches.
  • Both switches must:
    • Be the same hardware model.
    • Run the same FortiSwitchOS version.
  • On the FortiLink interface, the split interface must be disabled.
  • Use at least two links to ensure ICL redundancy.
  • When connecting devices to an MCLAG group:
    • Connect them to both switches.
    • Use aggregated 802.3ad (LACP) interfaces.
    • Routing is not supported within an MCLAG.
  • At the global switch level:
    • mclag-stp-aware must be enabled (enabled by default).
    • STP must be enabled on all ICL trunks (enabled by default).
    • mclag-igmpsnooping-aware must be enabled (enabled by default).

 

Design considerations.

Recommended design practices.

  • Use two or more links to form the ICL to provide redundancy.
  • Connect downstream devices to both MCLAG members using LACP-based aggregated interfaces.

 

Design scenarios to avoid.

  • Orphaned links connected to only one MCLAG member.
  • Direct interconnections between access switches that introduce Layer 2 loops (ring topologies).

 

 

Figure 1. Illustrative example of improper design, corrections, and the recommended scenario.
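
The requirements and design rules above can be checked against a planned cabling inventory before anything is connected. The following is an added example, not Fortinet code: the inventory format, the names FGT and FSW1 to FSW5, and the rule that a model number of 200 or more means FS-2xx or higher are assumptions made here.

```python
import re
from collections import defaultdict

def lint_mclag(switches, domains, links):
    """Return design findings for a planned topology (empty list = clean)."""
    findings = []
    owner = {m: d for d, members in domains.items() for m in members}
    for name, members in domains.items():
        if len(members) != 2:
            findings.append(f"{name}: an MCLAG domain is exactly two switches")
            continue
        a, b = members
        for key in ("model", "os"):  # peers must match in hardware and FortiSwitchOS
            if switches[a][key] != switches[b][key]:
                findings.append(f"{name}: peers differ in {key}")
        for m in members:  # assumption: numeric part of the model >= 200 means FS-2xx or higher
            num = re.search(r"\d+", switches[m]["model"])
            if not num or int(num.group()) < 200:
                findings.append(f"{name}: {m} model does not support MCLAG")
        icl = sum(1 for link in links if set(link) == {a, b})
        if icl < 2:
            findings.append(f"{name}: ICL has {icl} link(s), need at least two")
    # Treat each domain as one logical node: a neighbour must reach both members.
    reach = defaultdict(set)
    for x, y in links:
        for src, dst in ((x, y), (y, x)):
            if dst in owner and owner.get(src) != owner[dst]:
                reach[(owner.get(src, src), owner[dst])].add(dst)
    for (node, dom), seen in sorted(reach.items()):
        if len(seen) < 2:
            findings.append(f"{node}: orphaned link, reaches only {min(seen)} in {dom}")
    # Two non-member switches that both attach to an MCLAG and to each other form a ring.
    attached = {node for node, _ in reach}
    for x, y in links:
        if x not in owner and y not in owner and {x, y} <= attached:
            findings.append(f"{x}-{y}: direct link between access switches (ring)")
    return findings

# Constructed inventory: names, models and versions are sample values.
SWITCHES = {"FSW1": {"model": "FS-424E", "os": "7.4.8"},
            "FSW2": {"model": "FS-424E", "os": "7.4.8"},
            "FSW3": {"model": "FS-248E", "os": "7.4.8"},
            "FSW4": {"model": "FS-248E", "os": "7.4.7"}}
DOMAINS = {"tier1": ["FSW1", "FSW2"], "tier2": ["FSW3", "FSW4"]}
LINKS = [("FSW1", "FSW2"), ("FSW1", "FSW2"), ("FGT", "FSW1"), ("FGT", "FSW2"),
         ("FSW3", "FSW4"), ("FSW3", "FSW1"), ("FSW3", "FSW2"), ("FSW4", "FSW1"),
         ("FSW4", "FSW2"), ("FSW5", "FSW3")]
if __name__ == "__main__":
    print("\n".join(lint_mclag(SWITCHES, DOMAINS, LINKS)))
```

On the sample inventory the check reports the version mismatch and the single ICL link in the tier2 pair, and the orphaned link from FSW5.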

 

Configuration example.

This section provides an example configuration for a Tier-1 topology using MCLAG. The example outlines both physical connectivity and configuration steps for FortiGate and FortiSwitch.

 

 

Figure 2. Proposed topology used in this configuration example.

 

Below is a guide with the sequence of configurations and connections.
Important: Follow the steps in the proposed order to ensure the network is configured correctly and remains stable.

 

  1. Connect the FortiGate to only one of the MC-LAG FortiSwitches according to the topology below and authorize the FortiSwitches.

 

 

Figure 3. Initial physical connection.

 

Select the FortiSwitches and authorize them.

 

 

Figure 4. FortiSwitch authorization.

 

Select the Topology option in the upper-right corner to verify the created topology.

 

 

Figure 5. Topology updated.

 

  2. Create the Tier 1 MC-LAG on FortiSwitches 1 and 2.

 

Hover over the physical links between FortiSwitches 1 and 2 and select Create MC-LAG pair. 

 

 

Figure 6. MC-LAG creation.

 

 

Figure 7. Confirm the creation of the MC-LAG.

 

Wait approximately 3 minutes for the creation to be completed and for the topology to be updated.

 

 

Figure 8. Updated topology with Tier 1 MC-LAG.

 

  3. Disable the FortiLink Split Interface and connect interface B of the FortiGate to interface 1 of the FortiSwitch 2.

 

Disable the FortiLink Split Interface to prevent physical connection B from being blocked by STP.

 

 

Figure 9. Disable the FortiLink split interface.

 

Connect interface B of the FortiGate to interface 1 of the FortiSwitch 2.

 

 

Figure 10. Physical connection between the FortiGate and the FortiSwitch 2.

 

 

Figure 11. Both FortiGate connections are active.

 

  4. Connect the FortiSwitch 3 to FortiSwitch 1. Next, connect FortiSwitches 3 and 4 using two links to form the ICL, and authorize them on the FortiGate.

 

 

Figure 12. Physical connection between FortiSwitch 1 and FortiSwitch 3.

 

Authorize FortiSwitches 3 and 4.

 

 

Figure 13. FortiSwitches 3 and 4 authorization.

 

 

Figure 14. Connected FortiSwitches.

 

  5. Connect the remaining links of FortiSwitches 3 and 4.

 

 

Figure 15. Redundant connections of FortiSwitches 3 and 4.

 

  6. Create the Tier 2 MC-LAG on FortiSwitches 3 and 4.

 

Hover over the physical links between FortiSwitches 3 and 4 and select Create MC-LAG pair.

 

 

Figure 16. MC-LAG creation.

 

 

Figure 17. Tier 2 MC-LAG creation.

 

Wait for 3 minutes until the topology is updated.

 

 

Figure 18. Updated topology with Tier 2 MC-LAG.

 

  7. Connect FortiSwitch 5 to FortiSwitches 3 and 4, and verify that both interfaces are active and not blocked by Spanning Tree.

 

 

Figure 19. Physical connections of the FortiSwitch 5.

 

Authorize FortiSwitch 5 and wait up to 3 minutes for the topology to update.

 

 

Figure 20. Final topology.

 

Recommended additional configuration.

The following features are optional but strongly recommended to improve network stability:

  • Enable Loop Guard on uplink interfaces.
  • Enable BPDU Guard on access interfaces.
  • Set the root bridge priority to 0 via a custom command to prevent other switches in the network from being elected as the root bridge.
  • In deployments with third-party switches, configure both MC-LAG switches that connect to the third-party switch using LACP to send a single BPDU message per MC-LAG switch pair. Otherwise, the third-party switch may interpret them as separate devices and LACP may not form correctly, creating redundant looping paths.

 

Example of how to change the root bridge configuration using a custom command.

 

FortiGate-91G # config switch-controller custom-command
    edit "STP_PRIORITY"
        set command "config switch stp instance %0a edit 0 %0a set priority 0 %0a end %0a"
    next
end

 

Apply the custom-command to the switches that will have root priority 0 in the network.

 

FortiGate-91G # config switch-controller managed-switch
    edit TF1F24TF24xxxxxx
        config custom-command
            edit "1"
                set command-name "STP_PRIORITY"
            next
        end
end

FortiGate-91G # config switch-controller managed-switch
    edit TF1F24TF24xxxxxx
        config custom-command
            edit "1"
                set command-name "STP_PRIORITY"
            next
        end
end

 

Example of a custom-command to configure the transmission of a single BPDU per MC-LAG pair connected to a third-party switch.

 

FortiGate-91G # config switch-controller custom-command
    edit "MCLAG_SINGLE_MAC"
        set command "config switch stp settings %0a set mclag-stp-bpdu single %0a end %0a"
    next
end

 

Apply the custom-command to the FortiSwitches that connect to the third-party switch using LACP.

 

FortiGate-91G # config switch-controller managed-switch
    edit TF1F24TF24xxxxxx
        config custom-command
            edit "2"
                set command-name "MCLAG_SINGLE_MAC"
            next
        end
end

FortiGate-91G # config switch-controller managed-switch
    edit TF1F24TF24xxxxxx
        config custom-command
            edit "2"
                set command-name "MCLAG_SINGLE_MAC"
            next
        end
end

 

Important: Avoid applying configurations directly in the FortiSwitch CLI when it is managed by a FortiGate. Instead, apply them using custom commands in the FortiGate CLI so that the configurations are stored on the FortiGate and are not lost when the FortiSwitches are rebooted.

 

Troubleshooting and diagnostics.

The following commands can be used to verify MCLAG status and diagnose issues.

 

MCLAG consistency between peer switches:

 

diagnose switch-controller switch-info mclag peer-consistency-check

 

ICL status and details:

 

diagnose switch-controller switch-info mclag icl

 

MCLAG domain information:

 

diagnose switch-controller switch-info mclag list

 

Spanning Tree Protocol (STP) status of the environment:

 

diagnose switch-controller switch-info stp

 

Related documents:

Switching Reference Architecture Guide

FortiSwitchOS Feature Matrix

FortiLink Guide