Enterprise FortiSwitch Secure Access

This cookbook article documents a highly resilient 2-tier FortiSwitch architecture (faster convergence) that take advantage of the full performance (bandwidth utilization) offered by MCLAG (multichassis LAG). 

The FortiGates, for the exercise, are under FortiOS 6.0.1 and FortiSwitch at 6.0 or 3.6.6 (depending on platform compatibility). FortiSwitch must be at least at 3.6.4 in order to deploy MCLAG with access ring. 

Also ensure that the FortiSwitch models used for MCLAG supports the feature: FortiSwitch Datasheet

In the end, the following topology will be deployed:

1. Logging

  • Increase the level of logging to follow the deployments steps

2. FortiLink Configuration

  • From Network > Interfaces, create a 802.3ad port
  • Add the 2 member ports that will form the LAG and will be interconnected from the FortiGate-Master to the distribution 1 & 2 
  • Select the addressing mode “Dedicated to FortiSwitch
  • By default, the FortiLink segment is configured in an APIPA address range. In the present context, we will make sure that this segment is routable in order to validate certain metrics on the FortiSwitch GUI. Ensure in an enterprise context that this environment is accessible only through legitimate and restricted privileges.
  • For the purpose of the exercise, we will ensure that FortiSwitch are not automatically authorized to validate certain steps. But it is quite possible to speed up the process and allow automatic authorization.
  • Make sure at first that split interface is enabled (until MCLAG configuration)

  • Connect the FG1-Master to Disti-1 (port9 to port 48)


  • And confirm the discovery of the FSW in the logs

  • Authorize the Disti-1 thereafter

  • At this point the switch will reboot and will be converted from standalone to managed mode

  • And receive an IP address in the previously configured segment

  • The CAPWAP tunnel will appear as UP in the logs

  • Disti-1 will now be managed

  • Link the Distribution 1 to Distribution 2 as follows :
  • And allow the addition of the Disti2

3. MCLAG Configuration

  • Connect in CLI to Disti2

  • Enable MCLAG-ICL on the Trunk toward Disti-1
  • Which will result in the following confirmation at log level

  • Connect to the Disti-1 in CLI

  • Enable MCLAG-ICL on the trunk toward Disti-2

  • Disable Split-Interface from FortiLink and enable automatic authorization


  • Close the loop, from the Disti-2 to the 2nd port of the FortiLink LAG of the FortiGate Master
  • Resulting FortiSwitch presentation:

  • You can validate consistency at the MCLAG level using the following command:
  • Several other commands allow you to diagnose the feature:
    • On FortiGate : diagnose netlinkaggregate name fortilink
    • On FortiSwitch Disti : diagnose switch trunk list __FoRtI1LiNk0__
    • On FortiSwitch Disti : diagnose switch mclag list __FoRtI1LiNk0__
    • On FortiSwitch Disti : diagnose switch mclag icl

4. IDF Configuration

  • Interconnect the Disti-1 cascading the switches that make up the stack of the IDF, as follows:

  • All that remains is to connect the IDF-3 to the Disti-2

5. HA Configuration

  • Configure HA in Active-Passive mode
  • Make sure the configuration is well synchronized

  • Connect the balance of the links in order to coherently replicate the wiring of the FortiGate Master and FortiGate Slave, as follows:

  • What will result in the Managed FortiSwitch

  • Finalize by doubling the ICL links between the 2 distribution switches


  • And validate the automatic integration into the trunk (LAG)


6. Validations

  • To ensure the robustness of the topology, create a test VLAN that will be assigned, for example, to one of the IDF switches.

  • And allow access to the internet





  • You should be able to reboot the FortiGate-Master, remove some links (Disti1 port to IDF-1 in our case), generate HA balancing via the loss of the monitored link (WAN) and see at most only the loss of some packets:

7. Security Fabric Visibility 

  • With the Security Fabric, in addition to extend your control and protection, you get unparalleled end-to-end visibility:


1. FortiSwitch Access

  • To access the FortiSwitch, make sure to configure a policy in CLI

  • Which will appear in GUI

  • This will allow you to get access to the FSW

  • Tangible result  😎