Technical Tip: Enhanced MAC VLAN support with HA setup

akileshc · ‎10-20-2022

Description

This article describes the support of EMAC in HA setup.

Scope

FortiGate.

Solution

The enhanced MAC VLAN is handled as a physical interface in high availability (HA) deployments.

It will be assigned a unique physical interface ID, and its MAC table is synced with the slaves in the same HA cluster.

The virtual MAC address is calculated using a standard algorithm, similar to any other physical interface in the cluster.

CLI Syntax:

config system interface
edit "emac-vlan"
set vdom "root"
set ip 10.150.5.253 255.255.240.0
set allowaccess ping
set type emac-vlan
set snmp-index 30
set interface "dmz"
set vlanid 150
next
end

di hardware deviceinfo nic emac-vlan
Description EMacvlan Ethernet driver v1.0
System_Device_Name emac-vlan
Lower_Device_Name dmz
Current_HWaddr 00:09:0f:09:64:18 <----- Traffic Egress/Ingress with this MAC.
Permanent_HWaddr 76:4c:a5:a6:80:f4
State up
Link up
npudev_oid 64
macvlan_id 0
vlan_id 150
learn_mac no
mode 2

Note.

If an interface is used in an enhanced MAC VLAN, it should not be used for anything else, including management, HA heartbeat, or Transparent VDOMs and the physical interface that is being utilized by an EMAC VLAN interface cannot be used in a Virtual Wire Pair.

Meanwhile, note that, if VIP is configured on EMAC-VLAN, FortiGate instead of responding with the EMAC-VLAN interface MAC address uses the parent-interface MAC address.:

Technical Tip: VIP on EMAC-VLAN interface responds with Parent interface MAC address