Technical Tip: HA Cluster virtual MAC addresses
Description
This article describes the HA Cluster virtual MAC addresses.
Virtual MAC addresses are assigned to all the interfaces except for the HA heartbeat and the HA reserved management interfaces. During failover, the new primary adopts the same virtual MAC addresses for the equivalent interface.
Notes:
- If a cluster is operating in NAT mode, FGCP assigns a different VMAC address to each primary device interface.
- VLAN subinterfaces are assigned the same VMAC address as the physical interface to which the VLAN subinterface is added.
- LAG or 802.3ad aggregate interfaces are assigned the VMAC address of the first interface in the aggregate list.
Scope
FortiGate.
Solution
The virtual MAC address is determined based on the following formula on virtual cluster 1:
<group-prefix>:<group-id_hex>:(<vcluster_integer> + <idx>)
Where:
<group-prefix> is determined by the set of group IDs:
Set 1: group IDs 0 - 255: group prefix 00:09:0f:09.
Set 2: group IDs 256 - 511: group prefix e0:23:ff:fc.
Set 3: group IDs 512 - 767: group prefix e0:23:ff:fd.
Set 4: group IDs 768 - 1023: group prefix e0:23:ff:fe.
To check the group-id, use 'get system ha'.
<group-id_hex> is the HA Group ID for the cluster converted to hexadecimal. The following table lists the virtual MAC address set for each group ID.
It is strongly recommended to assign a unique HA group ID to each cluster.
If multiple HA clusters within the same broadcast domain share the same HA group ID, MAC address conflicts may occur.
HA group ID in integer and hexadecimal format:
| Integer Group ID | Hexadecimal Group ID |
|---|---|
| 0 | 00 |
| 1 | 01 |
| 2 | 02 |
| 3 | 03 |
| 4 | 04 |
| ... | ... |
| 10 | 0a |
| 11 | 0b |
| ... | ... |
| 63 | 3f |
| ... | ... |
| 255 | ff |
<vcluster_integer> is 0 for virtual cluster 1 and 20 for virtual cluster 2. If virtual domains are not enabled, HA sets the virtual cluster to 1, and by default, all interfaces are in the root virtual domain. Including virtual cluster and virtual domain factors in the virtual MAC address formula means that the same formula can be used whether or not virtual domains and virtual clustering are enabled.
<idx> is the index number of the interface. Interfaces are numbered from 0 to x (where x is the number of interfaces). Interfaces are numbered according to their map order. The first interface has an index of 0. The second interface in the list has an index of 1 and so on.
For example:
When the HA group ID is 0 (the default) and the interface is mgmt1 (phy_index=0, itf_name=mgmt1, physical MAC=e0.23.ff.a0.98.04),
the virtual MAC is 00.09.0f.09.00.00: the group prefix 00.09.0f.09, then 00 (the group ID is 0), then 00 (the vcluster_integer for virtual cluster 1 is 0 and the index of the interface is 0).
If the same interface is moved to virtual cluster 2, 8 is added to the second-to-last digit of the MAC address, that is, 80 in hexadecimal is added to the last octet:
Add 80 in hexadecimal: 00 -> 80.
Therefore, the resulting virtual MAC address is 00.09.0f.09.00.80.
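The formula above and the warning about shared group IDs can be checked together with a short script. This is an added example, not Fortinet code: it assumes the fifth octet is the group ID modulo 256 within each prefix set, that each cluster's interface indexes run contiguously from 0, and the cluster names and inventory are constructed.

```python
from collections import defaultdict

# Group-prefix sets as listed in the article (256 group IDs per set).
GROUP_PREFIXES = ["00:09:0f:09", "e0:23:ff:fc", "e0:23:ff:fd", "e0:23:ff:fe"]


def virtual_mac(group_id, idx, vcluster_offset=0x00):
    """Return <group-prefix>:<group-id_hex>:(<vcluster_integer> + <idx>).

    vcluster_offset is 0 for virtual cluster 1; pass the virtual cluster 2
    value explicitly (the article's worked example uses 0x80).
    """
    if not 0 <= group_id <= 1023:
        raise ValueError("group-id must be 0-1023")
    last = vcluster_offset + idx
    if idx < 0 or not 0 <= last <= 0xFF:
        raise ValueError("vcluster offset + interface index must fit in one octet")
    prefix = GROUP_PREFIXES[group_id // 256]
    # Assumption: within each set the fifth octet is the group ID modulo 256.
    return f"{prefix}:{group_id % 256:02x}:{last:02x}"


def find_conflicts(clusters):
    """clusters: {name: (group_id, interface_count)} (hypothetical inventory).

    Returns {vmac: sorted cluster names} for every VMAC that more than one
    cluster in the same broadcast domain would claim.
    """
    owners = defaultdict(set)
    for name, (group_id, if_count) in clusters.items():
        # Simplification: interface indexes are taken as 0..if_count-1.
        for idx in range(if_count):
            owners[virtual_mac(group_id, idx)].add(name)
    return {mac: sorted(names) for mac, names in owners.items() if len(names) > 1}


if __name__ == "__main__":
    # Constructed inventory: three clusters sharing one broadcast domain.
    inventory = {"dc-edge": (25, 4), "dc-core": (25, 2), "branch": (281, 4)}
    for mac, names in sorted(find_conflicts(inventory).items()):
        print(f"{mac} claimed by {', '.join(names)}")
```

Group IDs 25 and 281 share the same fifth octet (19) but fall in different prefix sets, so only the two clusters that both use group ID 25 are reported.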
Note: Starting from FortiOS v7.6.0, there are three methods available for assigning a Virtual MAC address.
- Manual assignment per interface:
    config system interface
        edit <interface>
            set virtual-mac <mac_address>
        next
    end
- Automatic assignment:
    config system ha
        set group-id 25
        set auto-virtual-mac-interface "port1" "port2" "port8" "dmz"
    end
- Group ID-based assignment (default process).
