scheuri
Explorer III
February 24, 2022
Solved

Same MAC for aggregated interface on two different cluster?


Hello all

 

I have an odd issue:
I have TWO different clusters of FortiGates (four FortiGate 1100E altogether, two active/passive clusters). On each of those clusters, port 25 and port 26 are aggregated into one interface.

Now it turns out that the MAC address of this aggregated interface has the SAME MAC address on EACH of the clusters.

Unfortunately those two clusters have this interface in the same network - so that poses an issue.

 

Does anyone have an idea why this happened and how I can actually change the MAC of an aggregated interface?

 

Thanks a lot

Best answer by akristof

Hello,

 

Thank you for your question. 2 Clusters of same model having same virtual-mac address is expected in some cases. At least I am guessing that it is virtual-mac-address, as physical mac address of port25 and port26 should be different.

You will be able to change it by configuring different group-id of one of the clusters. More information:

https://docs.fortinet.com/document/fortigate/6.0.0/handbook/996579/cluster-virtual-mac-addresses

https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/614179/configuring-the-primary-fortigate


scheuri
Author
Explorer III
February 24, 2022

Hello akristof

Thank you very much for your reply, much appreciated.

 

This means that changing the HA group-id in one cluster should change the (virtual) MAC addresses.

 

Is a reboot required? Or restart of services?
I am unsure, as I don't see any indication on https://docs.fortinet.com/document/fortigate/6.0.0/handbook/996579/cluster-virtual-mac-addresses (and changing the HA group-id alone didn't change the MAC address just yet).

 

thanks a lot

akristof
Staff
February 24, 2022

Hello,

 

Thanks for feedback. Did you already change group-id on both devices of the cluster (primary/secondary) and the virtual-mac address is still the same? Can you post here please some example output for some port:

diag hardware deviceinfo nic <port>

ede_pfau
SuperUser
February 24, 2022

The cited Handbook passage says it all, and clearly so:



"The virtual MAC address is determined based on following formula:

00-09-0f-09-<group-id_hex>-(<vcluster_integer> + <idx>)"

 

Best practice calls for a non-default group ID for each and every cluster, other than "0". All values up to 255 are allowed.
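
The formula quoted above, applied to an inventory of clusters to show why two same-model clusters left on the same group-id end up with identical virtual MACs. This is an added example, not part of the thread or Fortinet's code; the interface names, idx values, vcluster values and the two-hex-digit rendering of the variable octets are assumptions.

```python
from collections import defaultdict

PREFIX = "00-09-0f-09"  # fixed part of the formula quoted above


def virtual_mac(group_id, vcluster_integer, idx):
    """Apply 00-09-0f-09-<group-id_hex>-(<vcluster_integer> + <idx>)."""
    if not 0 <= group_id <= 255:
        raise ValueError("group-id must be 0..255")
    last = vcluster_integer + idx
    if not 0 <= last <= 255:
        raise ValueError("vcluster_integer + idx does not fit in one octet")
    # Assumption: both variable octets are rendered as two lowercase hex digits.
    return f"{PREFIX}-{group_id:02x}-{last:02x}"


def shared_macs(clusters):
    """Return {mac: [(cluster, interface), ...]} for MACs used by more than one cluster.

    clusters maps a cluster name to (group_id, {interface: (vcluster_integer, idx)}).
    """
    seen = defaultdict(list)
    for name, (group_id, interfaces) in clusters.items():
        for ifname, (vcluster, idx) in interfaces.items():
            seen[virtual_mac(group_id, vcluster, idx)].append((name, ifname))
    return {mac: users for mac, users in seen.items()
            if len({cluster for cluster, _ in users}) > 1}


# Constructed inventory: two same-model clusters with identical interface order,
# so each interface gets the same idx on both. The idx values are made up.
IFACES = {"agg1": (0, 30), "mgmt": (0, 1)}
before = {"cluster-A": (0, IFACES), "cluster-B": (0, IFACES)}    # both on group-id 0
after = {"cluster-A": (11, IFACES), "cluster-B": (12, IFACES)}   # distinct non-zero group-ids

if __name__ == "__main__":
    for label, inventory in (("before", before), ("after", after)):
        print(label, shared_macs(inventory) or "no shared virtual MACs")
```

Running the same check over every cluster attached to a given L2 segment before assigning a new group-id catches a clash before it reaches the network.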

scheuri
Author
Explorer III
February 24, 2022

Hello Ede

 

Absolutely - that was certainly my fault for not searching thoroughly enough. I should have found that article/passage/chapter on my own and earlier.

 

However, the second question only arose as I changed the group-id and the change wasn't "immediate" - I wasn't sure whether it needs something additional to trigger a recalculation. Turns out that I was not patient enough and missed the point where it actually changed the MAC (I rebooted, but I am rather confident that was not needed).