Administration Guide

Cluster virtual MAC addresses

In a cluster, the FGCP assigns virtual MAC addresses (VMACs) to each primary device interface. HA uses VMAC addresses so that if a failover occurs, the new primary device interfaces will have the same VMAC addresses and IP addresses as the failed primary device. As a result, most network equipment will identify the new primary device as the same device as the failed primary device and still be able to communicate with the cluster.

If a cluster is operating in NAT mode, the FGCP assigns a different VMAC address to each primary device interface. VLAN subinterfaces are assigned the same VMAC address as the physical interface that the VLAN subinterface is added to. Redundant or 802.3ad aggregate interfaces are assigned the VMAC address of the first interface in the redundant or aggregate list.

If a cluster is operating in transparent mode, the FGCP assigns a VMAC address to the primary device's management IP address. Since you can connect to the management IP address from any interface, all FortiGate interfaces appear to have the same VMAC address.

The MAC address of a reserved management interface does not change to a VMAC address; it keeps its original MAC address.

Note

Subordinate device MAC addresses do not change. Use diagnose hardware deviceinfo nic <interface> on the subordinate device to display the MAC addresses of each interface.

A MAC address conflict can occur when two clusters are operating on the same network using the same group ID (see Diagnosing packet loss). It is recommended that each cluster in the same network and broadcast domain uses a unique group ID.

Failover

When the new primary device is selected after a failover, the primary device sends gratuitous ARP packets to update the devices connected to the cluster interfaces (usually layer 2 switches) with the VMAC addresses. This is sometimes called using gratuitous ARP packets (or GARP packets) to train the network. The gratuitous ARP packets sent from the primary unit are intended to make sure that the layer 2 switch forwarding databases (FDBs) are updated as quickly as possible.

Sending gratuitous ARP packets is not a requirement because connected devices will eventually learn of the new ports to forward the packets to. However, many network switches will update their FDBs more quickly after a failover if the new primary device sends gratuitous ARP packets.

Configuring ARP packet settings

The following settings can be configured.

config system ha
    set arps <integer>
    set arps-interval <integer>
    set gratuitous-arps {enable | disable}
    set link-failed-signal {enable | disable}
end

arps <integer>

Set the number of gratuitous ARPs; lower the value to reduce traffic, and increase the value to reduce failover time (1 - 60, default = 5).

arps-interval <integer>

Set the time between gratuitous ARPs; lower the value to reduce failover time, and increase the value to reduce traffic, in seconds (1 - 20, default = 8).

gratuitous-arps {enable | disable}

Enable/disable gratuitous ARPs (default = enable).

link-failed-signal {enable | disable}

Enable/disable shutting down all interfaces for one second after a failover. Use if gratuitous ARPs do not update the network (default = disable).

If you disable sending gratuitous ARP packets, it is recommended to enable the link-failed-signal setting. The link-failed-signal alerts the connected switches of a failed link, which triggers them to react immediately to the changes.

For more information about gratuitous ARP packets see RFC 826 and RFC 3927.

Determining VMAC addresses

A VMAC address is determined based on the following formula:

<group-prefix>:<group-id_hex>:(<vcluster_integer> + <idx>)

The <group-prefix> is determined by the following set of group IDs:

  • Set 1: group IDs 0 - 255: group prefix 00:09:0f:09
  • Set 2: group IDs 256 - 511: group prefix e0:23:ff:fc
  • Set 3: group IDs 512 - 767: group prefix e0:23:ff:fd
  • Set 4: group IDs 768 - 1023: group prefix e0:23:ff:fe

The <group-id_hex> is determined by the group ID % 256, converted to hexadecimal. For example:

Group ID                 Hexadecimal ID
0:   0 % 256 = 0         00
255: 255 % 256 = 255     ff
256: 256 % 256 = 0       00
511: 511 % 256 = 255     ff
512: 512 % 256 = 0       00
...                      ...

The <vcluster_integer> is 00 for virtual cluster 1, and 20 for virtual cluster 2. If VDOMs are not enabled, HA sets the virtual cluster to 1 and by default all interfaces are in the root VDOM. Including virtual cluster and VDOM factors in the VMAC address formula means that the same formula can be used whether or not VDOMs and virtual clustering are enabled.

The <idx> is the index number of the interface. Interfaces are numbered from 0 to x (where x is the number of interfaces). Interfaces are numbered according to their map order. The first interface has an index of 0. The second interface in the list has an index of 1, and so on.

The following table compares the VMAC addresses of four interfaces when the HA group ID is left unchanged (0) and when it is changed to 34, with VDOMs not enabled:

Interface    VMAC address with unchanged group ID (0)    VMAC address with changed group ID (34)
port5        00-09-0f-09-00-0a                           00-09-0f-09-22-0a
port6        00-09-0f-09-00-0b                           00-09-0f-09-22-0b
port7        00-09-0f-09-00-0c                           00-09-0f-09-22-0c
port8        00-09-0f-09-00-0d                           00-09-0f-09-22-0d

Using the same interfaces, VDOMs are now enabled on the cluster and the group ID is changed to 35. The root VDOM contains port5 and port6 (virtual cluster 1), and vdom_1 contains port7 and port8 (virtual cluster 2). The interfaces have the following VMAC addresses:

Interface    VMAC address with group ID 35
port5        00-09-0f-09-23-0a
port6        00-09-0f-09-23-0b
port7        00-09-0f-09-23-2c
port8        00-09-0f-09-23-2d
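The following Python script is an added example, not Fortinet code, that implements the VMAC formula above so the two tables can be reproduced and a planned group ID change can be checked before it is applied. It assumes the interface indexes that the tables imply (port5 through port8 at index 10 through 13, since their last octet is 0a through 0d with group ID 0); the real map order must be read from the device.

```python
# Added example (not Fortinet code): compute FGCP virtual MAC addresses from
#   <group-prefix>:<group-id_hex>:(<vcluster_integer> + <idx>)
# as described in "Determining VMAC addresses".

# Group prefix is selected by which block of 256 the group ID falls in.
GROUP_PREFIXES = {
    0: "00:09:0f:09",   # Set 1: group IDs 0 - 255
    1: "e0:23:ff:fc",   # Set 2: group IDs 256 - 511
    2: "e0:23:ff:fd",   # Set 3: group IDs 512 - 767
    3: "e0:23:ff:fe",   # Set 4: group IDs 768 - 1023
}

# <vcluster_integer>: 0x00 for virtual cluster 1, 0x20 for virtual cluster 2.
VCLUSTER_BASE = {1: 0x00, 2: 0x20}


def vmac(group_id, idx, vcluster=1):
    """Return the VMAC (colon-separated, lowercase) for one interface."""
    if not 0 <= group_id <= 1023:
        raise ValueError("HA group ID must be 0 - 1023")
    if vcluster not in VCLUSTER_BASE:
        raise ValueError("virtual cluster must be 1 or 2")
    prefix = GROUP_PREFIXES[group_id // 256]
    group_hex = group_id % 256
    last = VCLUSTER_BASE[vcluster] + idx
    if not 0 <= last <= 0xFF:
        raise ValueError("interface index out of range for this virtual cluster")
    return f"{prefix}:{group_hex:02x}:{last:02x}"


def vmac_table(index_map, group_id, vcluster_of=None):
    """Map interface name -> VMAC.

    index_map:   dict interface name -> index in the interface map order.
    vcluster_of: dict interface name -> virtual cluster (defaults to 1, i.e. no VDOMs).
    """
    vcluster_of = vcluster_of or {}
    return {name: vmac(group_id, idx, vcluster_of.get(name, 1))
            for name, idx in index_map.items()}


# Constructed sample: indexes implied by the tables on this page (assumption).
PORT_INDEX = {"port5": 10, "port6": 11, "port7": 12, "port8": 13}
# VDOM layout from the second table: port7/port8 in vdom_1 = virtual cluster 2.
VDOM_LAYOUT = {"port7": 2, "port8": 2}

if __name__ == "__main__":
    for label, gid, layout in (("group 0, no VDOMs", 0, None),
                               ("group 34, no VDOMs", 34, None),
                               ("group 35, VDOMs", 35, VDOM_LAYOUT)):
        print(label)
        for name, mac in vmac_table(PORT_INDEX, gid, layout).items():
            print(f"  {name}  {mac}")
```

Both tables fall out of the same function: changing the group ID only moves the fifth octet, while moving an interface into virtual cluster 2 adds 0x20 to the last octet, which is why port7 goes from 0c to 2c.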

Displaying VMAC addresses

Each FortiGate physical interface has two MAC addresses: the permanent and current hardware addresses. The permanent hardware address cannot be changed, as it is the actual MAC address of the interface hardware. The current hardware address can be changed, as it is the address seen by the network.

To change the current hardware address on a FortiGate not operating in HA:
config system interface
    edit <name>
        set macaddr <address>
    next
end

In an operating cluster, the current hardware address of each cluster device interface is changed to the HA virtual MAC address by the FGCP. The macaddr option is not available for a functioning cluster.

To display MAC addresses on a FortiGate operating in HA:
# diagnose hardware deviceinfo nic port1
...
Current_HWaddr 00:09:0f:09:ff:02
Permanent_HWaddr 08:5b:0e:72:3b:b2

Diagnosing packet loss

A network can experience packet loss when two FortiGate HA clusters are deployed in the same broadcast domain due to MAC address conflicts. You can resolve the MAC address conflict by changing the HA group ID (or cluster ID) configuration of the two clusters.

You can diagnose packet loss by pinging from one cluster to the other, or by pinging both of the clusters from a device within the broadcast domain.

To check for a MAC address conflict in an HA cluster:
  1. On Cluster_1 and Cluster_2, check the VMAC address (Current_HWaddr) used in an interface on the primary device:
    # diagnose hardware deviceinfo nic <interface>

    If the group prefix and group hexadecimal ID are identical, there will be MAC address conflicts.

  2. Change one of the clusters to use a different group ID:
    config system ha
        set group-id <integer>
    end
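Step 1 above compares the Current_HWaddr of each cluster's primary device by eye. The following Python script is an added example, not Fortinet code, that does the same comparison over captured diagnose hardware deviceinfo nic output: it parses the Current_HWaddr line, recovers the HA group ID encoded in a VMAC (inverting the formula from "Determining VMAC addresses"), recognises an interface that is not carrying a VMAC at all (a reserved management interface or a subordinate device keeps its permanent address), and reports every pair of clusters that share a group prefix and hexadecimal ID. The sample outputs are constructed; the VMAC for Cluster_1 is the one shown on this page.

```python
# Added example (not Fortinet code): detect HA group ID conflicts between
# clusters from captured "diagnose hardware deviceinfo nic <interface>" output.
import re

# Group prefix -> which block of 256 group IDs it represents.
KNOWN_PREFIXES = {
    "00:09:0f:09": 0,   # group IDs 0 - 255
    "e0:23:ff:fc": 1,   # group IDs 256 - 511
    "e0:23:ff:fd": 2,   # group IDs 512 - 767
    "e0:23:ff:fe": 3,   # group IDs 768 - 1023
}

_HWADDR_RE = re.compile(r"^\s*Current_HWaddr\s+([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\s*$",
                        re.MULTILINE)


def current_hwaddr(output):
    """Extract the Current_HWaddr value from deviceinfo output (lowercase)."""
    match = _HWADDR_RE.search(output)
    if match is None:
        raise ValueError("no Current_HWaddr line found in output")
    return match.group(1).lower()


def group_id_from_vmac(mac):
    """Return the HA group ID encoded in a VMAC, or None if mac is not an FGCP VMAC."""
    octets = mac.lower().split(":")
    prefix = ":".join(octets[:4])
    if prefix not in KNOWN_PREFIXES:
        return None            # permanent hardware address, not a VMAC
    return KNOWN_PREFIXES[prefix] * 256 + int(octets[4], 16)


def find_conflicts(cluster_outputs):
    """cluster_outputs: dict cluster name -> deviceinfo output from its primary device.

    Returns a sorted list of (cluster_a, cluster_b, group_id) for every pair of
    clusters whose VMACs share the same group prefix and hexadecimal ID.
    """
    by_group = {}
    for name, output in cluster_outputs.items():
        gid = group_id_from_vmac(current_hwaddr(output))
        if gid is None:
            continue           # interface is not carrying a VMAC; nothing to compare
        by_group.setdefault(gid, []).append(name)
    conflicts = []
    for gid, names in sorted(by_group.items()):
        names = sorted(names)
        for i in range(len(names)):
            for j in range(i + 1, len(names)):
                conflicts.append((names[i], names[j], gid))
    return conflicts


# Constructed sample captures (the Cluster_1 VMAC is the one shown on this page).
SAMPLE_OUTPUTS = {
    "Cluster_1": "# diagnose hardware deviceinfo nic port1\n...\n"
                 "Current_HWaddr 00:09:0f:09:ff:02\nPermanent_HWaddr 08:5b:0e:72:3b:b2\n",
    "Cluster_2": "# diagnose hardware deviceinfo nic port1\n...\n"
                 "Current_HWaddr 00:09:0F:09:FF:02\nPermanent_HWaddr 08:5b:0e:72:3c:10\n",
    "Cluster_3": "# diagnose hardware deviceinfo nic port1\n...\n"
                 "Current_HWaddr e0:23:ff:fc:ff:00\nPermanent_HWaddr 08:5b:0e:72:3d:44\n",
}

if __name__ == "__main__":
    for a, b, gid in find_conflicts(SAMPLE_OUTPUTS):
        print(f"{a} and {b} both use HA group ID {gid}: change group-id on one of them")
```

Cluster_1 and Cluster_2 both encode group ID 255 and are flagged; Cluster_3 uses group ID 511, whose VMAC differs in the prefix even though the fifth octet is also ff, so it is not in conflict. Resolving a reported pair is step 2 above: set a different group-id on one of the two clusters.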