Technical Tip: Updating MAC forwarding tables when an HA link failover occurs
| Description | This article describes a phenomenon in which some switches on a network fail to detect that a primary device has become a subordinate device and continue to forward packets to the same device. |
| Scope | FortiGate. |
| Solution | When a FortiGate HA cluster is operating, and a monitored interface fails on the primary unit, the primary unit usually becomes a subordinate unit, and another unit in the cluster becomes the primary unit. After a link failover, the new primary unit sends special ARP packets(called Gratuitous-ARP or G-ARP) to refresh the MAC forwarding tables (also called ARP tables) of the switches connected to the cluster. This is a normal link failover operation.
This command forces the primary device to shut down all interfaces except the heartbeat device interface for 1 second when a failover occurs, so that the switch detects the failover and clears its MAC forwarding table. If the primary unit interfaces are shut down for one second, the switch should be able to detect this failure and clear its MAC forwarding tables. Then, when the new primary unit is operating, the switch can detect the G-ARP packets and update its MAC forwarding table correctly.
Command:
config system ha
Helpful command to check:
diagnose sniffer packet <VLAN interface> "host switch ip" 4 0 a Related article: |