Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • FortiLink Guide

    Home FortiSwitch 7.6.0 FortiLink Guide
    7.6.0
    7.6.0
    7.4.5
    7.4.4
    7.4.2
    7.4.1
    7.4.0
    7.2.9
    7.2.6
    7.2.4
    7.2.1
    7.2.0

    Transitioning from a FortiLink split interface to a FortiLink MCLAG

    Transitioning from a FortiLink split interface to a FortiLink MCLAG

    You can use the FortiLink split interface to connect the FortiLink aggregate interface from one FortiGate unit to two FortiSwitch units. When the FortiLink split interface is enabled, only one link remains active.

    In this topology, the FortiLink split interface connects a FortiLink aggregate interface from one FortiGate unit to two FortiSwitch units. The aggregate interface of the FortiGate unit for this configuration contains at least one physical port connected to each FortiSwitch unit.

    NOTE:

    • Make sure that the split interface is enabled.
    • This procedure also applies to a FortiGate unit in HA mode.
    • More links can be added between the FortiGate unit and FortiSwitch unit.
    • On the global switch level, mclag-stp-aware must be enabled, and STP must be enabled on all ICL trunks. They are both enabled by default.
    • Fortinet recommends using at least two links for ICL redundancy.

    NOTE: If you are going to use IGMP snooping with an MCLAG topology:

    • On the global switch level, mclag-igmpsnooping-aware must be enabled. It is enabled by default.
    • The mcast-snooping-flood-traffic and igmp-snooping-flood-reports settings must be disabled on the ISL and FortiLink trunks; but the mcast-snooping-flood-traffic and igmp-snooping-flood-reports settings must be enabled on ICL trunks. These settings are enabled by default.
    • IGMP proxy must be enabled.

    Use the FortiGate CLI to change the FortiSwitch unitsʼ configuration without losing their management from the FortiGate unit. You do not need to change anything on the individual FortiSwitch units.

    1. You can use the GUI (starting in FortiOS 7.2.4) or CLI to form the MCLAG between two switches.

      To use the FortiGate GUI:

      1. Go to Security Fabric > Security Rating. Look under Failed > Enable MC-LAG to find which pair of switches can form a tier-1 MCLAG.

      2. Go to WiFi & Switch Controller > Managed FortiSwitches. In the Topology view, hover over the inter-switch link between the pair of switches and then click Create MC-LAG pair in the dialog.

      To use the FortiGate CLI:

      1. Assign the LLDP profile “default-auto-mclag-icl” to the ports that should form the MCLAG ICL in FortiSwitch unit 1. For example:

        FGT_Switch_Controller # config switch-controller managed-switch

        FGT_Switch_Controller (managed-switch) # edit FS1E48T419000051

        FGT_Switch_Controller (FS1E48T419000051) # config ports

        FGT_Switch_Controller (ports) # edit port49

        FGT_Switch_Controller (port49) # set lldp-profile default-auto-mclag-icl

        FGT_Switch_Controller (port49) # end

        FGT_Switch_Controller (FS1E48T419000051) # end

      2. Assign the LLDP profile “default-auto-mclag-icl” to the ports that should form the MCLAG ICL in FortiSwitch unit 2. The port numbers can be different.

    2. Disable the split interface in the FortiLink interface. For example:

      config system interface

      edit <aggregate_name>

      set fortilink-split-interface disable

      next

      end

    3. From the FortiGate unit, enable the LACP active mode if not already set:

      config system interface

      edit <aggregate_name>

      set lacp-mode active

      next

      end

      NOTE: If you are using FortiOS 6.2 or earlier, use the set lacp-mode static command instead.

    4. Check that the LAG is working correctly. For example:

      diagnose netlink aggregate name <aggregate_name>

    Note

    If you disable the MCLAG ICL, you need to enable the fortilink-split-interface.
    Previous
    Next

    Transitioning from a FortiLink split interface to a FortiLink MCLAG

    Transitioning from a FortiLink split interface to a FortiLink MCLAG

    You can use the FortiLink split interface to connect the FortiLink aggregate interface from one FortiGate unit to two FortiSwitch units. When the FortiLink split interface is enabled, only one link remains active.

    In this topology, the FortiLink split interface connects a FortiLink aggregate interface from one FortiGate unit to two FortiSwitch units. The aggregate interface of the FortiGate unit for this configuration contains at least one physical port connected to each FortiSwitch unit.

    NOTE:

    • Make sure that the split interface is enabled.
    • This procedure also applies to a FortiGate unit in HA mode.
    • More links can be added between the FortiGate unit and FortiSwitch unit.
    • On the global switch level, mclag-stp-aware must be enabled, and STP must be enabled on all ICL trunks. They are both enabled by default.
    • Fortinet recommends using at least two links for ICL redundancy.

    NOTE: If you are going to use IGMP snooping with an MCLAG topology:

    • On the global switch level, mclag-igmpsnooping-aware must be enabled. It is enabled by default.
    • The mcast-snooping-flood-traffic and igmp-snooping-flood-reports settings must be disabled on the ISL and FortiLink trunks; but the mcast-snooping-flood-traffic and igmp-snooping-flood-reports settings must be enabled on ICL trunks. These settings are enabled by default.
    • IGMP proxy must be enabled.

    Use the FortiGate CLI to change the FortiSwitch unitsʼ configuration without losing their management from the FortiGate unit. You do not need to change anything on the individual FortiSwitch units.

    1. You can use the GUI (starting in FortiOS 7.2.4) or CLI to form the MCLAG between two switches.

      To use the FortiGate GUI:

      1. Go to Security Fabric > Security Rating. Look under Failed > Enable MC-LAG to find which pair of switches can form a tier-1 MCLAG.

      2. Go to WiFi & Switch Controller > Managed FortiSwitches. In the Topology view, hover over the inter-switch link between the pair of switches and then click Create MC-LAG pair in the dialog.

      To use the FortiGate CLI:

      1. Assign the LLDP profile “default-auto-mclag-icl” to the ports that should form the MCLAG ICL in FortiSwitch unit 1. For example:

        FGT_Switch_Controller # config switch-controller managed-switch

        FGT_Switch_Controller (managed-switch) # edit FS1E48T419000051

        FGT_Switch_Controller (FS1E48T419000051) # config ports

        FGT_Switch_Controller (ports) # edit port49

        FGT_Switch_Controller (port49) # set lldp-profile default-auto-mclag-icl

        FGT_Switch_Controller (port49) # end

        FGT_Switch_Controller (FS1E48T419000051) # end

      2. Assign the LLDP profile “default-auto-mclag-icl” to the ports that should form the MCLAG ICL in FortiSwitch unit 2. The port numbers can be different.

    2. Disable the split interface in the FortiLink interface. For example:

      config system interface

      edit <aggregate_name>

      set fortilink-split-interface disable

      next

      end

    3. From the FortiGate unit, enable the LACP active mode if not already set:

      config system interface

      edit <aggregate_name>

      set lacp-mode active

      next

      end

      NOTE: If you are using FortiOS 6.2 or earlier, use the set lacp-mode static command instead.

    4. Check that the LAG is working correctly. For example:

      diagnose netlink aggregate name <aggregate_name>

    Note

    If you disable the MCLAG ICL, you need to enable the fortilink-split-interface.
    Previous
    Next