MCLAG
A link aggregation group (LAG) provides link-level redundancy. A multichassis LAG (MCLAG) provides node-level redundancy by grouping two FortiSwitch models together so that they appear as a single switch on the network. If either switch fails, the MCLAG continues to function without any interruption, increasing network resiliency and eliminating the delays associated with the Spanning Tree Protocol (STP).
This chapter covers the following topics:
- Notes
- Example configuration
- Detecting a split-brain state
- Viewing the configured trunk
- Configuring an MCLAG with IGMP snooping
Notes
- When min_bundle or max_bundle is combined with MCLAG, the bundle limit properties are applied only to the local aggregate interface.
- Fortinet recommends that both peer switches be of the same hardware model and same software version. Mismatched configurations might work but are unsupported.
- There is a maximum of two FortiSwitch models per MCLAG.
- The routing feature is not available within an MCLAG.
- Starting in FortiSwitchOS 3.6.4, by default, the MCLAG can use the STP.
- To use static MAC addresses within an MCLAG, you need to configure MAC addresses on both switches that form the LAG.
- When you run an MCLAG, Fortinet recommends but does not require that peers use the same hardware and software versions. Some hosts might not be dual-home supported when MCLAG peers have different hardware; administrators need to size the layer-2 network to the MCLAG peer with the lowest capacity.
Example configuration
The following is an example CLI configuration for an MCLAG:
- Create a LAG by configuring the ports for each FortiSwitch unit:
    config switch trunk
        edit "MCLAG-ICL-trunk"
            set mclag-icl enable
            set members "port15" "port16"
            set mode lacp-active
        next
    end
- Set up the MCLAG:
    config switch trunk
        edit "first-mclag"
            set mclag enable
            set members "port2"
        next
    end
- If you do not want the MCLAG to use the STP:
    config switch global
        set mclag-stp-aware disabled
    end
Detecting a split-brain state
When the split-brain state occurs, one of the switches in the MCLAG goes dormant. Any devices connected to the dormant switch will lose network connectivity. The switch that goes dormant is the switch with the lowest numerical MAC address between the two peers.
Starting in FortiSwitchOS 6.2.2, you can use the CLI to detect when an MCLAG is in a split-brain state when the MCLAG ICL trunk is down. When the LACP is up again, the MCLAG trunk is reestablished. You can use this command in both one-tier and two-tier MCLAG topologies.
By default, split-brain detection is disabled. To enable the detection of the split-brain state:
    config switch global
        set mclag-split-brain-detect enable
    end
NOTE:
- Enabling split-brain detection can cause some traffic loss while the LACP is renegotiated.
- You can configure only one mclag-split-brain-detect at a time on tier one or tier two of a two-tier MCLAG topology.
- Only one failure in a system is supported.
Viewing the configured trunk
Using the GUI:
Go to Switch > Monitor > Trunks.
Using the CLI:
diagnose switch mclag icl
diagnose switch mclag list
Configuring an MCLAG with IGMP snooping
For IGMP snooping to work correctly in an MCLAG, you need to use the set mclag-igmpsnooping-aware enable command on all FortiSwitch units in the network topology and use the set igmp-snooping-flood-reports enable command on each MCLAG core FortiSwitch unit. For example:
    config switch global
        set mac-aging-interval 600
        set mclag-igmpsnooping-aware enable
        config port-security
            set max-reauth-attempt 3
        end
    end
    config switch interface
        edit "D483Z15000094-0"
            set native-vlan 4094
            set allowed-vlans 1-4094
            set dhcp-snooping trusted
            set stp-state disabled
            set edge-port disabled
            set igmp-snooping-flood-reports enable
            set snmp-index 58
        next
    end
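
The following is an added example, not part of the original documentation: an offline audit of saved switch configurations against the settings this chapter names. The sample configurations are constructed, the function names are hypothetical, and the cross-peer check assumes that both peers define each MCLAG trunk under the same name.

```python
import re

def parse_config(text):
    """Parse config/edit/set/next/end text into nested dicts."""
    stack = [{}]
    for line in text.splitlines():
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        if len(tok) > 1 and tok[0] in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif len(tok) > 2 and tok[0] == "set":
            stack[-1][tok[1]] = tok[2:]
        elif tok and tok[0] in ("next", "end") and len(stack) > 1:
            stack.pop()
    return stack[0]

def audit_peer(cfg):
    """Return findings for one switch, using the settings this page names."""
    findings = []
    trunks = cfg.get("switch trunk", {})
    glob = cfg.get("switch global", {})
    if not any(t.get("mclag-icl") == ["enable"] for t in trunks.values()):
        findings.append("no trunk has mclag-icl enable")
    if glob.get("mclag-split-brain-detect") != ["enable"]:
        findings.append("mclag-split-brain-detect is not enabled")
    flood = any(i.get("igmp-snooping-flood-reports") == ["enable"]
                for i in cfg.get("switch interface", {}).values())
    if flood and glob.get("mclag-igmpsnooping-aware") != ["enable"]:
        findings.append("mclag-igmpsnooping-aware is not enabled")
    return findings

def trunk_name_mismatch(a, b):
    """MCLAG trunk names on only one peer (assumes peers use matching names)."""
    per_peer = [{n for n, t in c.get("switch trunk", {}).items()
                 if t.get("mclag") == ["enable"]} for c in (a, b)]
    return sorted(per_peer[0] ^ per_peer[1])

# Constructed samples: PEER_A follows the page's example, PEER_B is incomplete.
PEER_A = parse_config("""config switch trunk
edit "MCLAG-ICL-trunk"
set mclag-icl enable
next
edit "first-mclag"
set mclag enable
next
end""")
PEER_B = parse_config("""config switch interface
edit "port1"
set igmp-snooping-flood-reports enable
next
end""")
```

Run audit_peer on each peer's saved configuration and trunk_name_mismatch on the pair; an empty list from both means none of these checks fired.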