FortiSwitch
ebrlima
Staff
Article Id 383726
Description: This article describes how to set up MCLAG with ISP router redundancy for Standalone FortiSwitches.
Scope: FortiSwitch Standalone.
Solution:

Example of MCLAG topology with ISP routers and crossed links for redundancy:

 

[Image: fsw-mclag.png]

       

In this scenario, each FortiSwitch member of the MCLAG has one connection with each ISP Router.

  • Configure the ICL (Inter-Chassis Link) connection between the two FortiSwitch devices. The configuration must match on both switches.

 

FSW1:

config switch trunk
    edit ICL-Trunk
        set mode lacp-active
        set mclag-icl enable
        set members "port10" "port11"
    next
end

FSW2:

config switch trunk
    edit ICL-Trunk
        set mode lacp-active
        set mclag-icl enable
        set members "port10" "port11"
    next
end

 

  • Configure the MCLAG trunks to the ISP routers on both FortiSwitch devices. The configuration must be identical, but the member ports can differ between the switches.

 

FSW1:

config switch trunk
    edit "mclag-ISP"
        set mode lacp-active
        set mclag enable
        set members "port3" "port4"
    next
end

FSW2:

config switch trunk
    edit "mclag-ISP"
        set mode lacp-active
        set mclag enable
        set members "port7" "port8"
    next
end

 

  • For VLAN traffic between the MCLAG members, the necessary VLANs must be allowed in the ICL Trunk:

 

FSW1:

config switch interface
    edit ICL-Trunk
        set allowed-vlans 1-4094 <----- This allows all VLANs to flow through the ICL Trunk.
        set dhcp-snooping trusted
        set edge-port disabled
        set igmp-snooping-flood-reports enable
        set mcast-snooping-flood-traffic enable
    next
end

FSW2:

config switch interface
    edit ICL-Trunk
        set allowed-vlans 1-4094 <----- This allows all VLANs to flow through the ICL Trunk.
        set dhcp-snooping trusted
        set edge-port disabled
        set igmp-snooping-flood-reports enable
        set mcast-snooping-flood-traffic enable
    next
end

 

  • Allow the necessary VLANs on the trunk interfaces that connect to the ISP routers. The same VLANs must be configured on both switches, even if some VLANs do not exist on both routers. The trunks must have the same configuration on both MCLAG peers.

 

FSW1:

config switch interface
    edit mclag-ISP
        set allowed-vlans 10,20,30,200
    next
end

FSW2:

config switch interface
    edit mclag-ISP
        set allowed-vlans 10,20,30,200
    next
end
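
The matching requirements in the steps above (identical trunk and interface settings on both peers, member ports free to differ only on the MCLAG trunks, VLANs allowed on the ICL) can be checked offline before the configuration is applied. The Python check below is an added example, not part of the original article or of any Fortinet tooling. The function names `parse_config`, `vlan_set` and `check_peers` are hypothetical, and the `SAMPLE`, `FSW1` and `FSW2` data is constructed. It assumes flat config/edit/set blocks as shown in this article and treats every VLAN allowed on an MCLAG trunk as one the ICL trunk must also carry.

```python
def parse_config(text):
    """Parse flat config/edit/set blocks into {section: {entry: {key: value}}}."""
    cfg, section, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.split("<--")[0].strip()  # drop the article's inline "<-----" notes
        if line.startswith("config "):
            section, entry = line[7:].strip(), None
        elif line.startswith("edit ") and section:
            entry = line[5:].strip().strip('"')
            cfg.setdefault(section, {}).setdefault(entry, {})
        elif line.startswith("set ") and entry:
            key, _, value = line[4:].partition(" ")
            cfg[section][entry][key] = value.strip()
    return cfg

def vlan_set(spec):
    """Expand an allowed-vlans value such as '10,20,30-32' into a set of ints."""
    ranges = (p.partition("-") for p in spec.split(",") if p)
    return {v for lo, _, hi in ranges for v in range(int(lo), int(hi or lo) + 1)}

def check_peers(text1, text2):
    """Return findings for two MCLAG peers; an empty list means consistent."""
    findings, c1, c2 = [], parse_config(text1), parse_config(text2)
    trunks, iface = c1.get("switch trunk", {}), c1.get("switch interface", {})
    icl = next((n for n, t in trunks.items() if t.get("mclag-icl") == "enable"), None)
    mclag = [n for n, t in trunks.items() if t.get("mclag") == "enable"]
    for section in ("switch trunk", "switch interface"):
        s1, s2 = c1.get(section, {}), c2.get(section, {})
        for name in sorted(set(s1) | set(s2)):
            a, b = s1.get(name, {}), s2.get(name, {})
            for key in sorted(set(a) | set(b)):
                # Member ports may differ between peers, except on the ICL trunk.
                if a.get(key) != b.get(key) and (key != "members" or name == icl):
                    findings.append(f"{section} {name}: '{key}' differs between peers")
    # Assumption: every VLAN on an MCLAG trunk is "necessary" and must be on the ICL.
    icl_vlans = vlan_set(iface.get(icl, {}).get("allowed-vlans", ""))
    for name in mclag:
        missing = vlan_set(iface.get(name, {}).get("allowed-vlans", "")) - icl_vlans
        if missing:
            findings.append(f"{name}: VLANs {sorted(missing)} not allowed on ICL {icl}")
    return findings
# Constructed sample in the article's layout (";" stands in for a newline).
SAMPLE = ('config switch trunk;edit ICL-Trunk;set mclag-icl enable;next;'
          'edit "mclag-ISP";set mclag enable;set members {m};next;end;'
          'config switch interface;edit ICL-Trunk;set allowed-vlans 10,20,30;next;'
          'edit mclag-ISP;set allowed-vlans {v};next;end').replace(";", "\n")
FSW1 = SAMPLE.format(m='"port3" "port4"', v="10,20,30,200")
FSW2 = SAMPLE.format(m='"port7" "port8"', v="10,20,30")
if __name__ == "__main__":
    print("\n".join(check_peers(FSW1, FSW2)))
```

Run against the constructed sample, the check reports the `allowed-vlans` mismatch on `mclag-ISP` and VLAN 200 missing from the ICL trunk. The configuration shown in this article produces no findings.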
