Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • FortiLink Guide

    Home FortiSwitch 7.4.5 FortiLink Guide
    7.4.5
    7.6.0
    7.4.5
    7.4.4
    7.4.2
    7.4.1
    7.4.0
    7.2.9
    7.2.6
    7.2.4
    7.2.1
    7.2.0

    Adding 802.3ad link aggregation groups (trunks)

    Adding 802.3ad link aggregation groups (trunks)

    If the trunk is in LACP mode and has ports with different speeds, the ports of the same negotiated speed are grouped in an aggregator.

    If multiple aggregators exist, one and only one of the aggregators is used by the trunk.

    You can use the CLI to specify how the aggregator is selected:

    • When the aggregator-mode is set to bandwidth, the aggregator with the largest bandwidth is selected. This mode is the default.
    • When the aggregator-mode is set to count, the aggregator with the largest number of ports is selected.

    Using the FortiGate GUI:

    1. Go to WiFi & Switch Controller > FortiSwitch Ports.
    2. Click Create New > Trunk.
    3. In the New Trunk Group page, enter a Name for the trunk group.
    4. Select two or more physical ports to add to the trunk group and then select Apply.
    5. Select the Mode: Static, Passive LACP, or Active LACP.
    6. Select Enabled or Disabled for the MCLAG.
      • An MCLAG peer group must be configured before adding a trunk with MCLAG enabled. See MCLAG peer groups.
      • Make sure to select ports from switches that are part of the same MCLAG peer group.
    7. Select OK.

    Using the FortiGate CLI:

    config switch-controller managed-switch

    edit <FortiSwitch_serial_number>

    config ports

    edit <trunk_name>

    set type trunk

    set mode {static | lacp-passive | lacp-active}

    set aggregator-mode {bandwidth | count}

    set bundle {enable | disable}

    set min-bundle <int>

    set max-bundle <int>

    set members <port1 port2 ...>

    next

    end

    end

    end

    MCLAG trunks

    The MCLAG trunk consists of 802.3ad link aggregation groups with members that belong to different FortiSwitch units. To configure an MCLAG trunk, you need an MCLAG peer group (see MCLAG peer groups). The MCLAG trunk members are selected from the same MCLAG peer group.

    Using the GUI
    1. Go to WiFi & Switch Controller > FortiSwitch Ports.
    2. Select Create New > Trunk.
    3. Enter a name for the MCLAG trunk.
    4. For the MCLAG status, select Enabled to create an active MCLAG trunk.
    5. For the mode, select Static, Passive LACP, or Active LACP.
      • Set to Static for static aggregation. In this mode, no control messages are sent, and received control messages are ignored.
      • Set to Passive LACP to passively use LACP to negotiate 802.3ad aggregation.
      • Set to Active LACP to actively use LACP to negotiate 802.3ad aggregation.
    6. For trunk members, select Select Members, select the ports to include in the MCLAG trunk, and then select OK to save the trunk members. NOTE: The members must belong to the same MCLAG peer group.
    7. Select OK to save the MCLAG configuration.
      The ports are listed as part of the MCLAG trunk on the FortiSwitch Ports page.
    Using the CLI

    Configure a trunk in each switch that is part of the MCLAG pair:

    • The trunk name for each switch must be the same.
    • The port members for each trunk can be different.
    • After you enable MCLAG, you can enable LACP if needed.

    config switch-controller managed-switch

    edit "<switch-id>"

    config ports

    edit "<trunk name>"

    set type trunk

    set mode {static | lacp-passive | lacp-active}

    set members "<port>,<port>"

    set mclag enable

    next

    end

    next

    Variable

    Description

    Default

    <switch-id>

    FortiSwitch serial number.

    No default

    <trunk name>

    Enter a name for the MCLAG trunk.

    NOTE: Each FortiSwitch unit that is part of the MCLAG must have the same MCLAG trunk name configured.

    No default

    type trunk

    Set the interface type to a trunk port.

    physical

    mode {static | lacp-passive | lacp-active}

    Set the LACP mode.

    • Set to static for static aggregation. In this mode, no control messages are sent, and received control messages are ignored.

    • Set to lacp-passive to passively use LACP to negotiate 802.3ad aggregation.

    • Set to lacp-active to actively use LACP to negotiate 802.3ad aggregation.

    lacp-active

    members "<port>,<port>"

    Set the aggregated LAG bundle interfaces.

    No default

    mclag enable

    Enable or disable the MCLAG.

    disable

    LACP fallback mode

    Starting in FortiOS 7.4.4, LACP fallback mode is supported in the CLI. LACP fallback mode allows a selected port to stay up so that a device not running LACP can still connect to the network. LACP fallback mode is useful if you have a preboot execution environment (PXE) and need to download an image from the network before running LACP in active mode.

    When you select the fallback port for a switch trunk, the aggregate interface will use the LACP fallback mode if the trunk does not receive any LACP protocol data units (PDUs). The fallback port is set to up, and all other ports are blocked. When the trunk starts receiving LACP PDUs again, the switch trunk changes from fallback mode to LACP active mode.

    When the switch trunk is running LACP in active mode and stops receiving LACP PDUs:

    • There is a 90-second delay before LACP fallback mode if the lacp-speed for the switch trunk is set to slow.

    • There is a 30-second delay before LACP fallback mode if the lacp-speed for the switch trunk is set to fast.

    The following are the requirements and limitations for LACP fallback mode:

    • The switch trunk must be running in lacp-active mode.

    • If you are using MCLAG, do not configure fallback mode on more than one MCLAG switch. If you configure fallback mode on both MCLAG switches, the diagnose switch mclag peer-consistency-check command will report it as a mismatch.

    • You cannot use fallback mode with the min_bundle or max_bundle setting.

    • You cannot use fallback mode with an MCLAG split-brain state.

    To configure LACP fallback mode:

    config switch-controller managed-switch

    edit <FortiSwitch_serial_number>

    config ports

    edit <port_name>

    set type trunk

    set mode lacp-active

    set members <port_name_1> <port_name_2> ...

    set fallback-port <port_name>

    next

    end

    next

    end

    For example:

    config switch-controller managed-switch

    edit S524DF4K15000024

    config ports

    edit "first-mclag"

    set vlan "_default.39"

    set allowed-vlans "quarantine.39"

    set untagged-vlans "quarantine.39"

    set type trunk

    set mac-addr 80:80:2c:a3:c5:58

    set mode lacp-active

    set mclag enable

    set members "port7" "port8"

    set fallback-port "port8"

    next

    end

    next

    end

    Previous
    Next

    Adding 802.3ad link aggregation groups (trunks)

    Adding 802.3ad link aggregation groups (trunks)

    If the trunk is in LACP mode and has ports with different speeds, the ports of the same negotiated speed are grouped in an aggregator.

    If multiple aggregators exist, one and only one of the aggregators is used by the trunk.

    You can use the CLI to specify how the aggregator is selected:

    • When the aggregator-mode is set to bandwidth, the aggregator with the largest bandwidth is selected. This mode is the default.
    • When the aggregator-mode is set to count, the aggregator with the largest number of ports is selected.

    Using the FortiGate GUI:

    1. Go to WiFi & Switch Controller > FortiSwitch Ports.
    2. Click Create New > Trunk.
    3. In the New Trunk Group page, enter a Name for the trunk group.
    4. Select two or more physical ports to add to the trunk group and then select Apply.
    5. Select the Mode: Static, Passive LACP, or Active LACP.
    6. Select Enabled or Disabled for the MCLAG.
      • An MCLAG peer group must be configured before adding a trunk with MCLAG enabled. See MCLAG peer groups.
      • Make sure to select ports from switches that are part of the same MCLAG peer group.
    7. Select OK.

    Using the FortiGate CLI:

    config switch-controller managed-switch

    edit <FortiSwitch_serial_number>

    config ports

    edit <trunk_name>

    set type trunk

    set mode {static | lacp-passive | lacp-active}

    set aggregator-mode {bandwidth | count}

    set bundle {enable | disable}

    set min-bundle <int>

    set max-bundle <int>

    set members <port1 port2 ...>

    next

    end

    end

    end

    MCLAG trunks

    The MCLAG trunk consists of 802.3ad link aggregation groups with members that belong to different FortiSwitch units. To configure an MCLAG trunk, you need an MCLAG peer group (see MCLAG peer groups). The MCLAG trunk members are selected from the same MCLAG peer group.

    Using the GUI
    1. Go to WiFi & Switch Controller > FortiSwitch Ports.
    2. Select Create New > Trunk.
    3. Enter a name for the MCLAG trunk.
    4. For the MCLAG status, select Enabled to create an active MCLAG trunk.
    5. For the mode, select Static, Passive LACP, or Active LACP.
      • Set to Static for static aggregation. In this mode, no control messages are sent, and received control messages are ignored.
      • Set to Passive LACP to passively use LACP to negotiate 802.3ad aggregation.
      • Set to Active LACP to actively use LACP to negotiate 802.3ad aggregation.
    6. For trunk members, select Select Members, select the ports to include in the MCLAG trunk, and then select OK to save the trunk members. NOTE: The members must belong to the same MCLAG peer group.
    7. Select OK to save the MCLAG configuration.
      The ports are listed as part of the MCLAG trunk on the FortiSwitch Ports page.
    Using the CLI

    Configure a trunk in each switch that is part of the MCLAG pair:

    • The trunk name for each switch must be the same.
    • The port members for each trunk can be different.
    • After you enable MCLAG, you can enable LACP if needed.

    config switch-controller managed-switch

    edit "<switch-id>"

    config ports

    edit "<trunk name>"

    set type trunk

    set mode {static | lacp-passive | lacp-active}

    set members "<port>,<port>"

    set mclag enable

    next

    end

    next

    Variable

    Description

    Default

    <switch-id>

    FortiSwitch serial number.

    No default

    <trunk name>

    Enter a name for the MCLAG trunk.

    NOTE: Each FortiSwitch unit that is part of the MCLAG must have the same MCLAG trunk name configured.

    No default

    type trunk

    Set the interface type to a trunk port.

    physical

    mode {static | lacp-passive | lacp-active}

    Set the LACP mode.

    • Set to static for static aggregation. In this mode, no control messages are sent, and received control messages are ignored.

    • Set to lacp-passive to passively use LACP to negotiate 802.3ad aggregation.

    • Set to lacp-active to actively use LACP to negotiate 802.3ad aggregation.

    lacp-active

    members "<port>,<port>"

    Set the aggregated LAG bundle interfaces.

    No default

    mclag enable

    Enable or disable the MCLAG.

    disable

    LACP fallback mode

    Starting in FortiOS 7.4.4, LACP fallback mode is supported in the CLI. LACP fallback mode allows a selected port to stay up so that a device not running LACP can still connect to the network. LACP fallback mode is useful if you have a preboot execution environment (PXE) and need to download an image from the network before running LACP in active mode.

    When you select the fallback port for a switch trunk, the aggregate interface will use the LACP fallback mode if the trunk does not receive any LACP protocol data units (PDUs). The fallback port is set to up, and all other ports are blocked. When the trunk starts receiving LACP PDUs again, the switch trunk changes from fallback mode to LACP active mode.

    When the switch trunk is running LACP in active mode and stops receiving LACP PDUs:

    • There is a 90-second delay before LACP fallback mode if the lacp-speed for the switch trunk is set to slow.

    • There is a 30-second delay before LACP fallback mode if the lacp-speed for the switch trunk is set to fast.

    The following are the requirements and limitations for LACP fallback mode:

    • The switch trunk must be running in lacp-active mode.

    • If you are using MCLAG, do not configure fallback mode on more than one MCLAG switch. If you configure fallback mode on both MCLAG switches, the diagnose switch mclag peer-consistency-check command will report it as a mismatch.

    • You cannot use fallback mode with the min_bundle or max_bundle setting.

    • You cannot use fallback mode with an MCLAG split-brain state.

    To configure LACP fallback mode:

    config switch-controller managed-switch

    edit <FortiSwitch_serial_number>

    config ports

    edit <port_name>

    set type trunk

    set mode lacp-active

    set members <port_name_1> <port_name_2> ...

    set fallback-port <port_name>

    next

    end

    next

    end

    For example:

    config switch-controller managed-switch

    edit S524DF4K15000024

    config ports

    edit "first-mclag"

    set vlan "_default.39"

    set allowed-vlans "quarantine.39"

    set untagged-vlans "quarantine.39"

    set type trunk

    set mac-addr 80:80:2c:a3:c5:58

    set mode lacp-active

    set mclag enable

    set members "port7" "port8"

    set fallback-port "port8"

    next

    end

    next

    end

    Previous
    Next