FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
New Contributor
Article Id 195452



This article describes how to configure and troubleshoot the 3-tier FortiLink MCLAG configuration.

Related document:
Deploying MCLAG topologies

Network Topologies -> Three-Tier Fortilink MCLAG configuration.



Version 6.2 and above.



Three-tier FortiLink MCLAG configuration.

To create a three-tier FortiLink MCLAG topology, use FortiOS 6.2.3 GA or later and FortiSwitchOS 6.2.3 GA or later.

To configure the FortiSwitch units in the core:
  1. First, connect the core switches to the FortiGate aggregate interface and connect the link between the core switches (SW 1 and SW 2 in the example above). Both switches will form 2 trunks – one with FortiGate and one ISL (inter-switch link).

  2. Push lldp-profile default-auto-mclag-icl to the ISL FortiSwitch ports to establish MCLAG ICL.

    Transitioning from a FortiLink split interface to a FortiLink MCLAG

  3. Wait for both switches SW 1 and SW 2 to come online. Verify the status of  'diagnose switch mclag peer-consistency-check' and diag switch mclag icl on both FortiSwitches.

  4. Create downlink trunks on the MCLAG-ICL switches.

    Note: Only the trunks from the higher tier MCLAG-ICL switches to the next tier MCLAG-ICL switches need this configuration.

  5. Add an auto-isl-port-group for the tier-2 MCLAG SW 3 and SW 4 on both the switches SW 1 and SW 2:

    On SW 1:

    config switch auto-isl-port-group
        edit tier-2
            set members port22

    On SW 2:

        edit tier-2
            set members port21

  6. Note: Do not make all the connections at this point. Connect only SW 3 to SW 1 and once SW 3 is online, connect SW 4 to SW 3. Wait for SW4 to come online and then enable mclag icl between SW4 and SW3 - wait for ICL to get established and then connect SW4 to SW2 (similar to point 2, it is necessary to push lldp-profile default-auto-mclag-icl).

  7. Add two auto-isl-port-group for the tier-3 MCLAG switches on both switch SW 3 and switch SW 4:

    On both SW3 and SW4:

    config switch auto-isl-port-group
        edit tier-3-SW5_6
            set member port20

  8. Now, connect only SW 5 to SW 3 and once SW 5 is online, connect SW 6 to SW 5. Wait for SW6 to come online. Now, enable mclag icl between SW5 and SW6 - wait for ICL to get established and then connect SW6 to SW4 (Similar to point 2, it is necessary to push lldp-profile default-auto-mclag-icl and verify the MCLAG ICL commands).

  9. Verify that all the FortiLinks are up and double-check the MCLAG-ICL configuration on each MCLAG FortiSwitch.

Useful commands on FortiSwitch:

diagnose switch mclag peer-consistency-check
diagnose switch mclag peer-consistency-check _FlInK1_MLAG0_
diagnose switch trunk list
diag switch mclag icl
diag switch mclag list
show switch auto-isl-port-group
Useful commands on FortiGate:
diagnose switch-controller switch-info mclag icl <FSW sn>
diagnose switch-controller switch-info mclag list <FSW sn>
diagnose switch-controller switch-info mclag peer-consistency-check <FSW SN>
execute switch-controller get-physical-conn dot <fortilink interface>
execute switch-controller get-physical-conn standard <fortilink interface>