darrencarr
New Member
May 14, 2009
Question

VLANs on Fortigate

  • May 14, 2009
  • 5 replies
  • 7703 views
Guys, I am experiencing a bit of an issue. I have two Fortigate 1000As that I am trying to connect over a L2 circuit. I only have one physical port available on each of the Fortigates, so am trying to make use of VLANs. I have created the VLAN on each of the interfaces (Int 8). However, when I patch into the Fortigate I get a MAC flapping issue. When I investigate further I have found that both VLANs are using the same MAC address 0009.0f09.0008. Is there any way I can adjust this? I am guessing this is how the Fortigate creates its VLANs and the 8 at the end of the MAC relates to the interface number? Anyone experienced anything like this? I don't really want to start adjusting MAC addresses in the config if I am going to run into issues. I cannot upload the network diagram for some reason... will try again off another connection...

    g3rman
    New Member
    May 14, 2009
    Looks like both of your Fortigates are in HA mode. I also assume that they are not in the same cluster. If that's the case, go ahead and configure each unit for a different cluster ID (http://kc.fortinet.com/default.asp?id=1772&Lang=1).
    darrencarr
    New Member
    May 14, 2009
    Hi, you are correct, my Fortigates are in HA mode. I was hoping that if I used interface 2 instead of 8 I would get a different MAC address for the VLAN and this would solve my issue. I am having trouble attaching the network diagram; I can email it if you want to have a look? Thanks, D
    g3rman
    New Member
    May 14, 2009
    Are they in the same HA cluster? If not, I really would recommend simply changing the cluster ID on one. That is the best way to do it.
    darrencarr
    New Member
    May 14, 2009
    Hi, I have four Fortigates in total in my network. Two are in a HA cluster at HQ and two are in a HQ cluster at the other site. I am trying to connect interface 8 on both of the Fortigates with a L2 WAN connection, but am getting the MAC address flap issue on the switch I am patching the Fortigate into. If you believe that changing the cluster ID could solve the issue, what is the impact to the cluster? Thanks, D. P.S. Would it help if I sent you the network diagram? Thanks for your help.
    g3rman
    New Member
    May 14, 2009
    I can't comment on the actual impact; of course scheduling a maintenance window would be wise ;) At worst you would experience a few dropped pings; the firewalls should not have to reboot. Also, make sure you clear the ARP cache on any surrounding devices once you make the change, as the virtual MAC addresses will change on the firewall you modify. Not quite sure what you mean by the second question. Can you elaborate?
    darrencarr
    New Member
    May 14, 2009
    Thanks for the information :) What I was wondering was, if I have created a VLAN, let's say VLAN1029, on the physical interface Interface 8 and assigned an IP of 172.31.33.1/30, how do I view the MAC address of this interface? Or do I not get to see it, as it is hidden behind the virtual one associated with the physical interface in the cluster? I am just trying to document how the network will look and can't quite get my head around how the cluster will manage VLANs associated with a virtual MAC address for a given interface. Thanks.. hope this makes sense... again, I can flick you a JPEG of the network, which may make things easier?
    g3rman
    New Member
    May 14, 2009
    Two things:
    - Under System -> Network, edit Port 8. This gives you the physical MAC address for Port 8. This works for units in standalone mode.
    - The MAC address for your Port 8 in HA mode (and any VLANs trunked to the port) will be 00-09-0f-09-00-0b (assuming your cluster ID is 0). You never see the physical MAC for Port 8 on the network, only the virtual MAC.
    Let me know if I'm still not answering the question .. I am a bit slow at times :)
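    The thread's diagnosis (two separate HA clusters with the same cluster ID announcing the same 00:09:0f:09:xx:xx virtual MAC, so the switch sees it flapping between ports) can be checked from the switch side before touching any firewall config. The following is an added example, not code from this thread or from Fortinet: it parses a constructed Cisco-style MAC address table, picks out entries in the 00:09:0f:09 virtual-MAC range quoted above, reads the cluster ID from the fifth octet (as in g3rman's "00-09-0f-09-00-0b ... cluster ID is 0"), and reports any virtual MAC learned on more than one port. The sample table and port names are constructed for the example; the fifth-octet interpretation is taken from the reply above and is an assumption beyond that.

    ```python
    import re
    from collections import defaultdict

    # Constructed sample of a "show mac address-table" style listing (not from the thread).
    # Two FortiGate clusters with the same cluster ID (0) both announce 0009.0f09.0008,
    # so the switch learns that MAC on two different ports: the flap described above.
    SAMPLE_MAC_TABLE = """\
    Vlan    Mac Address       Type        Ports
    1029    0009.0f09.0008    DYNAMIC     Gi0/1
    1029    0009.0f09.0008    DYNAMIC     Gi0/2
    1332    0009.0f09.0008    DYNAMIC     Gi0/1
    1029    0009.0f09.0108    DYNAMIC     Gi0/3
    1029    0050.56aa.1234    DYNAMIC     Gi0/5
    """

    # Virtual-MAC prefix used by FortiGate HA, as quoted in the thread (00-09-0f-09-...).
    FORTIGATE_HA_PREFIX = "00:09:0f:09"


    def normalize_mac(mac):
        """Accept Cisco (0009.0f09.0008), dashed or colon forms; return aa:bb:cc:dd:ee:ff."""
        digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
        if len(digits) != 12:
            raise ValueError("not a 48-bit MAC address: %r" % mac)
        return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


    def is_fortigate_ha_vmac(mac):
        """True if the address falls in the FortiGate HA virtual-MAC range."""
        return normalize_mac(mac).startswith(FORTIGATE_HA_PREFIX + ":")


    def ha_group_id(mac):
        """Cluster (group) ID encoded in the fifth octet (assumption based on the reply above)."""
        if not is_fortigate_ha_vmac(mac):
            raise ValueError("not a FortiGate HA virtual MAC: %r" % mac)
        return int(normalize_mac(mac).split(":")[4], 16)


    def parse_mac_table(text):
        """Return (vlan, normalized_mac, port) tuples; header and blank lines are skipped."""
        entries = []
        for line in text.splitlines():
            m = re.match(r"^\s*(\d+)\s+([0-9a-fA-F.:-]+)\s+\S+\s+(\S+)\s*$", line)
            if m:
                entries.append((int(m.group(1)), normalize_mac(m.group(2)), m.group(3)))
        return entries


    def find_vmac_conflicts(entries):
        """Map each FortiGate virtual MAC seen on more than one switch port to those ports."""
        ports_by_mac = defaultdict(set)
        for _vlan, mac, port in entries:
            if is_fortigate_ha_vmac(mac):
                ports_by_mac[mac].add(port)
        return {mac: sorted(ports) for mac, ports in ports_by_mac.items() if len(ports) > 1}


    if __name__ == "__main__":
        conflicts = find_vmac_conflicts(parse_mac_table(SAMPLE_MAC_TABLE))
        for mac, ports in conflicts.items():
            print("%s (cluster ID %d) learned on %s: separate clusters sharing a cluster ID?"
                  % (mac, ha_group_id(mac), ", ".join(ports)))
    ```

    A virtual MAC that shows up on more than one port is the symptom to look for; the fix the thread settles on is giving each cluster its own ID, after which the fifth octet (and so the whole virtual MAC) differs per cluster and the switch stops flapping. The sample also shows why VLAN tagging does not help on its own: the entries for VLAN 1029 and 1332 on Gi0/1 carry the same MAC, exactly as the final post notes for sub-interfaces.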
    darrencarr
    New Member
    May 14, 2009
    Hi, thanks again for getting back to me and taking the time to explain this. I read over the HA component last night and understand this now. I've looked over the firewall config and this issue is definitely (as you have suggested) being caused by the group ID. One last question I have is regarding my design. In my network I have two L2 WAN circuits that I need to patch into a single Fortigate interface. For this reason I am creating two VLANs on the physical interface, let's say VLAN 1029 and 1332. I have patched the two circuits into access ports in a L2 Cisco switch (in their respective VLANs) and from here I have a trunk connection from the switch into the Fortigate interface (one from each switch into the physical interface 8) of each of the Fortigates. I'm just wondering how the Fortigate manages the failover of a Fortigate for the VLANs and how you view a VLAN on a Fortigate? i.e. one of the VLANs has an address of 172.31.33.1 and the other 172.31.32.1 (.2 on the other side). When sending traffic, how does it look up the MAC address of these interfaces to send traffic? Sorry if I'm not being clear here.... we will get there in the end!
    darrencarr
    New Member
    May 15, 2009
    Hi g3rman, I found what I was looking for in a HA configuration document. It would appear that all sub-interfaces (VLANs) are assigned the same virtual MAC as the physical interface. The Fortigate must simply manage this internally (unique VLAN IDs). Thanks for all your help. We can close off this call. Darren