Configure a Link Aggregation Group (LAG)

A LAG (also called a port channel or EtherChannel, and often referred to by the name of its negotiation protocol, LACP) bonds multiple physical links into one logical link for higher bandwidth and redundancy. Use it for switch-to-switch trunks, server NIC bonding, and FortiGate-to-FortiSwitch trunks.

Before You Start

  • 2+ ports on the FortiSwitch (and same number on the other end).
  • Other end supports LACP (most modern switches do).
  • Both ends must be configured identically (same VLANs, speed, mode).

Steps

Create the LAG on the FortiSwitch

  1. WiFi & Switch Controller → FortiSwitch Ports → + Add Link Aggregation Group (sometimes in the action menu).
  2. Fill in:
    • Name — e.g. LAG-to-CoreSwitch.
    • Mode — LACP active (recommended) or Static (no LACP negotiation).
    • Member Ports — pick the physical ports to bond.
    • Native VLAN — for trunk: the untagged VLAN.
    • Allowed VLANs — tagged VLANs (for trunks).
  3. OK.

The selected ports now appear as a single LAG in the port list.

Configure the other end

Mirror the config on the connected switch / server. LACP mode and VLAN config must match exactly.

CLI Equivalent

config switch-controller managed-switch
edit "S108EXXXXXXXXX"
    config ports
        edit "lag1"
            set type trunk
            set mode lacp-active
            set member-withdrawal-behavior block
            set members "port21" "port22"
            set vlan "internal"
            set allowed-vlans "sales-vlan" "engineering-vlan"
        next
    end
next
end

Verify

diagnose switch-controller switch-info trunk

Shows LAG status, active member count, and per-member health.

LACP negotiation succeeds when both ends agree. Both ports should show "active" in the LAG.

Common Issues

  • LAG won't form. Other end is static, not LACP. Match modes.
  • Only one port active. LACP negotiation failed on one port. Check link state on both ends.
  • Throughput not doubled. LAGs distribute traffic by hash (typically src/dst MAC or IP). A single client-to-server flow uses one member. Aggregate throughput requires multiple flows.
  • VLAN mismatch breaks LAG. Both sides MUST allow the same VLAN list. Even one mismatch can cause weird forwarding.
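
The "configured identically" rule from Before You Start and the mode and VLAN mismatches under Common Issues can be checked before cabling. The following is an added example, not part of the original page or Fortinet tooling: a Python check that parses two FortiOS-style "config ports" blocks and lists the LAG settings that differ. It assumes both ends are exported in this CLI format and use the same VLAN names; the peer config is constructed for the demo.

```python
import shlex

def parse_ports(config_text):
    """Return {port_name: {setting: [values]}} from 'config ports' blocks."""
    ports, current, in_ports = {}, None, False
    for raw in config_text.splitlines():
        tokens = shlex.split(raw) or [""]  # blank line becomes a no-op token
        if tokens[:2] == ["config", "ports"]:
            in_ports = True
        elif tokens[0] == "end":
            in_ports = False
        elif tokens[0] == "next":
            current = None
        elif in_ports and tokens[0] == "edit" and len(tokens) == 2:
            current = ports.setdefault(tokens[1], {})
        elif current is not None and tokens[0] == "set" and len(tokens) >= 3:
            current[tokens[1]] = tokens[2:]
    return ports

def lag_mismatches(local, remote):
    """List the settings that differ between two parsed LAG entries."""
    # type, mode and native VLAN are compared exactly, per the page's rule.
    problems = [f"{k}: {local.get(k)} vs {remote.get(k)}"
                for k in ("type", "mode", "vlan") if local.get(k) != remote.get(k)]
    ours, theirs = (set(d.get("allowed-vlans", [])) for d in (local, remote))
    if ours != theirs:  # order is irrelevant, membership is not
        problems.append(f"allowed-vlans: only local {sorted(ours - theirs)}, "
                        f"only remote {sorted(theirs - ours)}")
    if len(local.get("members", [])) != len(remote.get("members", [])):
        problems.append("member port count differs")
    return problems

# LOCAL is the LAG from this page's CLI block; REMOTE is a constructed peer
# (assumed to share VLAN names) set to static and missing one tagged VLAN.
LOCAL = """
config switch-controller managed-switch
edit "S108EXXXXXXXXX"
    config ports
        edit "lag1"
            set type trunk
            set mode lacp-active
            set members "port21" "port22"
            set vlan "internal"
            set allowed-vlans "sales-vlan" "engineering-vlan"
        next
    end
next
end
"""
REMOTE = LOCAL.replace("lacp-active", "static").replace(' "engineering-vlan"', "")
print("\n".join(lag_mismatches(parse_ports(LOCAL)["lag1"], parse_ports(REMOTE)["lag1"])))
```

An empty result means the two LAG definitions agree on every compared setting; speed is not in this CLI block, so it is not checked here.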