riteshpv
Staff
Article Id 421153
Description This article explains the cause of, and the solution for, the network instability that occurs when multiple Tier-2 MCLAG-ICL FortiSwitch pairs are connected to a Tier-1 MCLAG-ICL pair in a setup running in FortiLink mode.
Scope FortiSwitch OS v7.4, v7.6.
Solution

Topology:

 

[Image: 2-tier-mclag-icl.jpg]

 

  • Tier-1 MCLAG-ICL: FortiSwitch1 and FortiSwitch2.

  • Tier-2 MCLAG-ICL Pair 1: FortiSwitch3 and FortiSwitch4.

  • Tier-2 MCLAG-ICL Pair 2: FortiSwitch5 and FortiSwitch6.

Note: This issue occurs only when the setup is in FortiLink mode.

 

Reason:

  • Connecting the first Tier-2 MCLAG-ICL pair (Pair 1) to Tier-1 does not cause any issue. However, when the second Tier-2 MCLAG-ICL pair (Pair 2) is connected, the network becomes unstable.
  • The instability occurs because connecting either Pair 1 or Pair 2 to the Tier-1 switches results in the creation of a single automatic FortiLink trunk, identified as _FlInK1_MLAG0_, on the Tier-1 MCLAG-ICL pair.

 

Example (Pair 1 connection):

 

When Pair 1 is connected to Tier-1, the following trunk is formed:

 

Output from FortiSwitch1 / FortiSwitch2

 

show switch trunk
    edit "_FlInK1_MLAG0_"
        set mode lacp-active
        set auto-isl 1
        set mclag enable
        set members "port4" "port5"
    next
end

 

Issue when Pair 2 is connected:

 

Instead of creating a new trunk for Pair 2, the Tier-1 FortiSwitch automatically appends the new ports to the existing trunk, causing loops and instability.

 

Output from FortiSwitch1 / FortiSwitch2

 

show switch trunk
    edit "_FlInK1_MLAG0_"
        set mode lacp-active
        set auto-isl 1
        set mclag enable
        set members "port4" "port5" "port6" "port7"
    next
end

 

This behavior results in both Tier-2 MCLAG-ICL pairs sharing the same trunk, which is not a valid design and leads to network instability.

 

Solution:

 

  1. Remove the existing auto-created trunk.

 

Disconnect the Tier-2 links from Tier-1 and verify that the trunk has been removed. If the trunk remains, delete it manually:

 

config switch trunk
    delete "_FlInK1_MLAG0_"
end

 

  2. Create dedicated auto-ISL port groups for each Tier-2 MCLAG-ICL pair.

 

On the Tier-1 FortiSwitches (FortiSwitch1 / FortiSwitch2), configure separate port groups:

 

config switch auto-isl-port-group
    edit tier2-1
        set members port4 port5
    next
    edit tier2-2
        set members port6 port7
    next
end

 

This ensures that each Tier-2 pair forms its own independent trunk.

 

  3. Reconnect links and verify correct trunk formation.

 

After reconnecting the Tier-2 links, verify that separate trunks are created for each pair.

 

Output from FortiSwitch1 / FortiSwitch2:

 

show switch trunk
    edit "tier2-1"
        set mode lacp-active
        set auto-isl 1
        set mclag enable
        set members "port4" "port5"
    next
    edit "tier2-2"
        set mode lacp-active
        set auto-isl 1
        set mclag enable
        set members "port6" "port7"
    next
end
 
Note: The trunk name is automatically derived from the auto-isl-port-group name.
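
The verification in step 3 can be scripted against saved "show switch trunk" output. The following is an added example, not part of the original article or Fortinet tooling: it flags any trunk whose members include ports from more than one Tier-2 pair. The sample outputs are constructed, and the PAIR_PORTS mapping and function names are assumptions that mirror the port groups used above.

```python
import re

# Constructed sample: Tier-1 output in the broken state (both pairs merged).
BAD = '''show switch trunk
    edit "_FlInK1_MLAG0_"
        set mode lacp-active
        set auto-isl 1
        set mclag enable
        set members "port4" "port5" "port6" "port7"
    next
end'''

# Constructed sample: Tier-1 output after the port groups are configured.
GOOD = '''show switch trunk
    edit "tier2-1"
        set mclag enable
        set members "port4" "port5"
    next
    edit "tier2-2"
        set mclag enable
        set members "port6" "port7"
    next
end'''

# Assumption: intended Tier-1 downlink ports per Tier-2 pair, as in the article.
PAIR_PORTS = {"tier2-1": {"port4", "port5"}, "tier2-2": {"port6", "port7"}}

def parse_trunks(text):
    """Map each trunk name to the set of its member ports."""
    trunks, name = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'edit\s+"?([^"]+)"?$', line)
        if m:
            name = m.group(1)
            trunks[name] = set()
        elif name and line.startswith("set members"):
            trunks[name] = set(re.findall(r'"([^"]+)"', line))
        elif line == "next":
            name = None
    return trunks

def merged_trunks(text, pair_ports=PAIR_PORTS):
    """Return {trunk: [pairs]} for trunks holding ports of more than one pair."""
    bad = {}
    for trunk, members in parse_trunks(text).items():
        pairs = sorted(p for p, ports in pair_ports.items() if ports & members)
        if len(pairs) > 1:
            bad[trunk] = pairs
    return bad

if __name__ == "__main__":
    print(merged_trunks(BAD), merged_trunks(GOOD))
```

An empty result means every trunk carries the ports of a single Tier-2 pair; any entry names a trunk that has to be removed and re-formed as described in steps 1 and 2.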
 