Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
hlngan
Staff
Staff

Created on ‎06-28-2006 12:00 AM Edited on ‎09-12-2024 05:04 PM By Staff

Article Id 194239

Technical Tip: HA Cluster virtual MAC addresses

Article
The virtual MAC address is determined based on following formula on virtual cluster 1:
<group-prefix>:<group-id_hex>:(<vcluster_integer> + <idx>)

Where:

 

<group-prefix> is determined by the set of group IDs:

Set 1: group IDs 0 - 255: group prefix 00:09:0f:09

Set 2: group IDs 256 - 511: group prefix e0:23:ff:fc

Set 3: group IDs 512 - 767: group prefix e0:23:ff:fd

Set 4: group IDs 768 - 1023: group prefix e0:23:ff:fe

 

To check the group-id, use "get system ha".

 

<group-id_hex> is the HA Group ID for the cluster converted to hexadecimal. The following table lists the virtual MAC address set for each group ID.

HA group ID in integer and hexadecimal format
Integer Group ID Hexadecimal Group ID
0 00
1 01
2 02
3 03
4 04
... ...
10 0a
11 0b
... ...
63 3f
... ...
255 ff


<vcluster_integer> is 0 for virtual cluster 1 and 20 for virtual cluster 2. If virtual domains are not enabled, HA sets the virtual cluster to 1 and by default all interfaces are in the root virtual domain. Including virtual cluster and virtual domain factors in the virtual MAC address formula means that the same formula can be used whether or not virtual domains and virtual clustering is enabled.

 

<idx> is the index number of the interface. Interfaces are numbered from 0 to x (where x is the number of interfaces). Interfaces are numbered according to their has map order. The first interface has an index of 0. The second interface in the list has an index of 1 and so on


For example,
When the HA group ID is 0 (i.e default) &  the mgmt1 phy_index= 0, itf_name= mgmt1, Physical mac=e0.23.ff.a0.98.04,

then the Virtual-mac=00.09.0f.09.00(group ID is 0).00(vcluster_integer for vcluster 1 is "0" and index of the interface is 0)

 

If the same interface is change to virtual cluster 2, the mac address should add 8 on the second last digit, i.e., add 80 in hexadecimal:

add 80 in hexadecimal: 00 -> 80

Therefore it is necessary to follow virtual mac address: 00.09.0f.09.00.80

Related Articles

Troubleshooting Tip: Verifying physical and HA Virtual MAC addresses of FortiGate interfaces

https://docs.fortinet.com/document/fortigate/6.0.0/handbook/996579/cluster-virtual-mac-addresses

Labels:
55773
0 Kudos
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.