Help
FortiSwitch
FortiSwitch: secure, simple and scalable Ethernet solutions
riteshpv
Staff
Staff

Created on ‎10-20-2025 06:27 AM

Article Id 412821

Technical Tip: Configuring uplinks for MCLAG-ICL pair in L3 FortiSwitch deployment

Description This article describes the trunk configuration required on FortiSwitch uplinks when deployed as an MCLAG-ICL pair and connecting to dual routers or firewalls in an L3 topology.
Scope FortiSwitch v7.4, v7.6.
Solution
Topology Overview:
 
L3.jpg
 

  • FortiSwitch is managed by FortiSwitch Manager over L3.

  • FortiGate operates as the router between FortiSwitch and FortiSwitch Manager.

  • FortiSwitch devices are deployed in an MCLAG-ICL pair.

  • In a FortiGate HA Active-Passive setup, separate uplink trunks are required from FortiSwitch to each FortiGate.

  • For background on understanding FortiSwitch over L3, refer to: fortilink-mode-over-a-layer-3-network
 
Configuration when FortiGate HA (Active-Passive) is used:
 
In this setup, each FortiSwitch connects separately to each FortiGate.
 
config switch trunk
    edit "FGT01"   
        set auto-isl 1
        set mclag enable
        set static-isl enable
        set members "port29"
    next
    edit "FGT02"
        set auto-isl 1
        set mclag enable
        set static-isl enable
        set members "port30"
    next
   edit "_FlInK1_ICL0_"
        set mode lacp-active
        set auto-isl 1
        set mclag-icl enable
        set members "port31"
    next
end
 
Here: 
  • FGT01 -> uplink to FortiGate1
  • FGT02 -> uplink to FortiGate 2
_FlInK1_ICL0_ -> automatically formed ICL trunk using the 'Transitioning from a FortiLink split interface to a FortiLink MCLAG' LLDP profile:
 
Configuration when upstream devices operate as a single logical system:
 
If the upstream devices function as a single logical system (for example, load-balanced firewalls, routers, or Cisco VPC pair), a single trunk can be configured on FortiSwitch.
 
config switch trunk
    edit "Uplink"   
        set auto-isl 1
        set mclag enable
        set static-isl enable
        set members "port29" "port30"
    next
   edit "_FlInK1_ICL0_"
        set mode lacp-active
        set auto-isl 1
        set mclag-icl enable
        set members "port31"
    next
end
 
Note: Uplink represents the aggregated trunk to the upstream router/firewall/load balancer.
Use this configuration only when the upstream devices forward traffic as a single logical system.
45
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.