Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Borys_DE
New Contributor II

Created on ‎07-24-2025 07:21 AM

Configuration MCLAG between Fortiswitches and Aruba

Hallo everyone. 

I recently started working for a company that has this network topology.

network_topology.png

I see that the Aruba switches are set to MСLAG with Fortiswitches, but from the Fortiswich side there are no MCLAG settings. At the same time, Fortiswiches are online and available through Fortigate. 

I tried to set up MСLAG on FortiSwitch, but I encountered the fact that the Aruba side is specified as native VLAN 4094, and there is no such VLAN on FortiSwitches, at least I don’t see it through Fortigate GUI.
Should I create a new VLAN with ID 4094 or is it better to change the native VLAN on Aruba?
I am confused that VLAN with ID 4094 is specified everywhere in Aruba settings as native and the network works.

Labels:
376
1 Solution
fricci_FTNT
Staff
Staff
In response to Borys_DE

Created on ‎07-25-2025 02:45 AM

Hi @Borys_DE ,

Correct, if one of the Aruba switches dies, the spanning tree will be recalculated and the traffic will go through the other Aruba switch.

 

Best regards,

---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.

View solution in original post

240
7 REPLIES 7
ebilcari
Staff
Staff

Created on ‎07-24-2025 07:39 AM

VLAN 4094 is dedicated for FortiLink, you can try to change it in the Aruba or in the Fortiswitches.

Some details are shown here: Troubleshooting Tip: Change FortiLink management vlan from 4094 to customized management VLAN

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
366
fricci_FTNT
Staff
Staff

Created on ‎07-24-2025 07:48 AM

Hi @Borys_DE ,

 

You do not see VLAN 4094 on FortiGate GUI because it is the default management VLAN for managed FortiSwitches.
Regarding your question:
>>"Should I create a new VLAN with ID 4094 or is it better to change the native VLAN on Aruba?"
I would not change it and would leave it as it is.
From the FortiSwitch CLI you can check the default management VLAN with "show switch auto-network".

Are the Aruba switches directly connected by a LAG or single port? From the diagram they do not seem to be directly connected.

For a MCLAG configuration you can check the following documentation:
https://docs.fortinet.com/document/fortiswitch/7.2.8/administration-guide/860027/mclag

Please keep in mind that making MCLAG changes on the FortiSwitches might create brief network disruptions.
 
Best regards,

---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
360
Borys_DE
New Contributor II
In response to fricci_FTNT

Created on ‎07-24-2025 10:48 PM

Hi,

Here are the settings on each Aruba switch:
 
"interface lag 11 multi-chassis
description FTG1_X1_X2
no shutdown
no routing
vlan trunk native 4094
vlan trunk allowed 5,11,21,31,41,110,130,140,150,170,180,1606,1610,2110,2168,2505,2550,2998,4042,4047,4083,4088-4094
lacp mode active
spanning-tree port-type admin-edge
interface lag 12 multi-chassis
description FTG2_X1_X2
no shutdown
no routing
vlan trunk native 4094
vlan trunk allowed 5,11,21,31,41,110,130,140,150,170,180,1606,1610,2110,2168,2505,2550,2998,4042,4047,4083,4088-4094
lacp mode active
spanning-tree port-type admin-edge
interface lag 21 multi-chassis
description FSw1_P51_P52
no shutdown
no routing
vlan trunk native 4094
vlan trunk allowed 5,11,21,31,41,110,130,140,150,170,180,1606,1610,2110,2168,2505,2550,2998,4042,4047,4088-4094
lacp mode active
spanning-tree root-guard
interface lag 22 multi-chassis
description FSw2_P51_P52
no shutdown
no routing
vlan trunk native 4094
vlan trunk allowed 5,11,21,31,41,110,130,140,150,170,180,1606,1610,2110,2168,2505,2550,2998,4042,4047,4088-4094
lacp mode active
spanning-tree root-guard
interface lag 23 multi-chassis
description FSw3_P51_P52
no shutdown
no routing
vlan trunk native 4094
vlan trunk allowed 5,11,21,31,41,110,130,140,150,170,180,1606,1610,2110,2168,2505,2550,2998,4042,4047,4088-4094
lacp mode active
spanning-tree root-guard
interface lag 24 multi-chassis
description FSw4_P51_P52
no shutdown
no routing
vlan trunk native 4094
vlan trunk allowed 5,11,21,31,41,110,130,140,150,170,180,1606,1610,2110,2168,2505,2550,2998,4042,4047,4088-4094
lacp mode active
spanning-tree root-guard"
 
As I understand it, both Fortigates and FortiSwitches are connected to Aruba via MCLAG. But the lack of any settings on the FortiSwitches side confuses me. MCLAG must be configured on both sides, otherwise it simply does not work.
 

 

297
fricci_FTNT
Staff
Staff
In response to Borys_DE

Created on ‎07-25-2025 01:46 AM Edited on ‎07-25-2025 01:49 AM

Hi @Borys_DE ,

 

Regarding your doubt:
>>"But the lack of any settings on the FortiSwitches side confuses me. MCLAG must be configured on both sides, otherwise it simply does not work."
If you want to have MCLAG from the point-of-view of the FortiSwitches towards the Aruba, then yes, you have to configure them on FortiSwitches as well. If MCLAG is not configured on FortiSwitches towards the Aruba, the traffic will flow according to the spanning tree.
Hope this helps.


Best regards,

---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
266
Borys_DE
New Contributor II
In response to fricci_FTNT

Created on ‎07-25-2025 02:18 AM

Hi @fricci_FTNT ,

thank you for your answer, but what about nod-level redundency?  If one of the Aruba switches is disconnected, traffic will simply go through the second switch, am I right?

253
fricci_FTNT
Staff
Staff
In response to Borys_DE

Created on ‎07-25-2025 02:45 AM

Hi @Borys_DE ,

Correct, if one of the Aruba switches dies, the spanning tree will be recalculated and the traffic will go through the other Aruba switch.

 

Best regards,

---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
241
ebilcari
Staff
Staff
In response to Borys_DE

Created on ‎07-25-2025 03:06 AM

The Aruba switches should be also configured for VSX/MCLAG, when one switch dies the LAG will remove the faulty link from its calculations.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
230
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.