
Administration Guide

MCLAG

A link aggregation group (LAG) provides link-level redundancy. A multichassis LAG (MCLAG) provides node-level redundancy by grouping two FortiSwitch models together so that they appear as a single switch on the network. If either switch fails, the MCLAG continues to function without any interruption, increasing network resiliency and eliminating the delays associated with the Spanning Tree Protocol (STP).


Notes

  • When you form an MCLAG from two switches, the trunk name must be the same in each switch configuration.
  • When min_bundle or max_bundle is combined with MCLAG, the bundle limit properties are applied only to the local aggregate interface.
  • Fortinet recommends that both peer switches be of the same hardware model and same software version. Mismatched configurations might work but are unsupported.
  • There is a maximum of two FortiSwitch models per MCLAG.
  • The routing feature is not available within an MCLAG.
  • Starting in FortiSwitchOS 3.6.4, by default, the MCLAG can use the STP.
  • To use static MAC addresses within an MCLAG, you need to configure MAC addresses on both switches that form the LAG.
  • When you run an MCLAG, Fortinet recommends but does not require that peers use the same hardware and software versions. Some hosts might not be dual-home supported when MCLAG peers have different hardware; administrators need to size the layer-2 network to the MCLAG peer with the lowest capacity.
  • From the STP tree's point of view, the MCLAG switches should not present themselves differently as a single MCLAG dual-home virtual switch (accessed through an MCLAG trunk) and as a pair of STP running switches (accessed through asymmetric individual ports, typically in a ring topology). For example, the spanning tree with its root bridge outside of the MCLAG switches cannot connect to it through a dual-homed trunk on one side, while connecting to the MCLAG switches with asymmetric ports at the same time. Such configurations present a mixed view of the MCLAG switches to the STP instance and are not supported.

Example configuration

The following are example CLI configurations for an MCLAG:

  1. Create a LAG by configuring the ports for Switch1:

     

    config switch trunk
        edit "MCLAG-ICL-trunk"
            set mode lacp-active
            set mclag-icl enable
            set members "port15" "port16"
        next
    end

     

  2. Set up the MCLAG for Switch1:

     

    config switch trunk
        edit "first-mclag"
            set mode lacp-active
            set mclag enable
            set members "port7" "port8"
        next
    end

     

  3. Create a LAG by configuring the ports for Switch2:

     

    config switch trunk
        edit "MCLAG-ICL-trunk"
            set mode lacp-active
            set mclag-icl enable
            set members "port6" "port7"
        next
    end

     

  4. Set up the MCLAG for Switch2:

     

    config switch trunk
        edit "first-mclag"
            set mode lacp-active
            set mclag enable
            set members "port9" "port10"
        next
    end

     

  5. Set up the dual-home trunk for Switch3:

     

    config switch trunk
        edit "dht"
            set mode lacp-active
            set members "port1" "port2" "port3" "port4"
        next
    end

Detecting a split-brain state

When the split-brain state occurs, one of the switches in the MCLAG goes dormant. The switch that goes dormant is the switch with the lowest numerical MAC address between the two peers. By default, split-brain detection is disabled.

Starting in FortiSwitchOS 6.2.2, you can use the CLI to detect when an MCLAG is in a split-brain state when the MCLAG ICL trunk is down. When the LACP is up again, the MCLAG trunk is reestablished. You can use this command in both one-tier and two-tier MCLAG topologies.

Starting in FortiSwitchOS 7.0.1, you can use the set mclag-split-brain-priority command to specify which switch goes dormant when the split-brain state occurs by setting the priority of each switch. The priority can be 0-100 and is 50 by default. The switch peer with the lowest priority value goes dormant when the split-brain state occurs. If both switch peers have the same priority, the switch with the lowest numerical MAC address goes dormant when the split-brain state occurs.

Starting in FortiSwitchOS 7.0.1, you can enable the set mclag-split-brain-all-ports-down command to force the switch going dormant to shut down all ports before going dormant. The state of the ICL trunk ports is not changed. By default, this option is disabled.

For example:

  1. Configure the detection of the split-brain state for Switch1:

     

    config switch global
        set mclag-split-brain-detect enable
        set mclag-split-brain-all-ports-down {enable | disable}
        set mclag-split-brain-priority <0-100>
    end

     

  2. Configure the detection of the split-brain state for Switch2:

     

    config switch global
        set mclag-split-brain-detect enable
        set mclag-split-brain-all-ports-down {enable | disable}
        set mclag-split-brain-priority <0-100>
    end

     

  3. Set up the dual-home trunk for Switch3. NOTE: You must include the set mclag enable command on the dual-home trunk.

     

    config switch trunk
        edit "dht"
            set mode lacp-active
            set mclag enable
            set members "port1" "port2" "port3" "port4"
        next
    end

NOTE:

  • You must configure set mclag-split-brain-detect enable on both MCLAG peer switches.
  • Enabling split-brain detection can cause some traffic loss while the LACP is renegotiated.
  • You can configure split-brain detection for multiple MCLAG pairs, but only one split-brain failure in a system is supported. You must fix the split-brain failure before proceeding.
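
The rules above can be checked offline before a change window. The following Python sketch is an added example, not Fortinet code: it parses two peers' CLI text, reports a missing ICL trunk, split-brain detection that is not enabled on both peers, and MCLAG trunk names that differ between peers, and predicts which peer goes dormant. The function names, sample configurations and MAC addresses are assumptions made for illustration.

```python
import re

def parse(text):
    """Parse FortiSwitchOS-style CLI text into global settings and trunk entries."""
    cfg, stack, entry = {"global": {}, "trunks": {}}, [], None
    for line in filter(str.strip, text.splitlines()):
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "end" and stack:
            stack.pop()
        elif tok[0] == "edit" and stack == ["switch trunk"]:
            entry = cfg["trunks"].setdefault(tok[1], {})
        elif tok[0] == "set" and stack == ["switch trunk"] and entry is not None:
            entry[tok[1]] = tok[2:]
        elif tok[0] == "set" and stack == ["switch global"]:
            cfg["global"][tok[1]] = tok[2:]
    return cfg

def audit_pair(cfg1, cfg2):
    """Check two MCLAG peers against the rules stated on this page; return findings."""
    findings = []
    for name, cfg in (("Switch1", cfg1), ("Switch2", cfg2)):
        if not any(t.get("mclag-icl") == ["enable"] for t in cfg["trunks"].values()):
            findings.append(f"{name}: no ICL trunk (mclag-icl enable)")
        if cfg["global"].get("mclag-split-brain-detect") != ["enable"]:
            findings.append(f"{name}: mclag-split-brain-detect is not enabled")
    m1, m2 = ({n for n, t in c["trunks"].items() if t.get("mclag") == ["enable"]}
              for c in (cfg1, cfg2))
    findings += [f"MCLAG trunk '{n}' is not defined on both peers" for n in sorted(m1 ^ m2)]
    return findings

def dormant_peer(peers):
    """peers: (name, priority, mac). Lowest priority goes dormant; a tie falls to lowest MAC."""
    return min(peers, key=lambda p: (p[1], int(p[2].replace(":", ""), 16)))[0]

# Constructed sample input modelled on this page's example; SW2 deliberately breaks two rules.
SW1 = """config switch global
set mclag-split-brain-detect enable
end
config switch trunk
edit "MCLAG-ICL-trunk"
set mclag-icl enable
next
edit "first-mclag"
set mclag enable
next
end"""
SW2 = SW1.replace("first-mclag", "mclag-1").replace("set mclag-split-brain-detect enable\n", "")
```

Calling `audit_pair(parse(SW1), parse(SW2))` returns one finding for the missing detection setting on Switch2 and one for each mismatched trunk name.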

Viewing the configured trunk

Using the GUI:

Go to Switch > Monitor > Trunks.

Using the CLI:

    diagnose switch mclag icl
    diagnose switch mclag list

Configuring an MCLAG with IGMP snooping

For IGMP snooping to work correctly in an MCLAG, you need to use the set mclag-igmpsnooping-aware enable command on all FortiSwitch units in the network topology and use the set igmp-snooping-flood-reports enable command on each MCLAG core FortiSwitch unit. For example:

    config switch global
        set mac-aging-interval 600
        set mclag-igmpsnooping-aware enable
        config port-security
            set max-reauth-attempt 3
        end
    end
    config switch interface
        edit "D483Z15000094-0"
            set native-vlan 4094
            set allowed-vlans 1-4094
            set dhcp-snooping trusted
            set stp-state disabled
            set edge-port disabled
            set igmp-snooping-flood-reports enable
            set snmp-index 58
        next
    end
