Description
This article demonstrates, via packet capture, how FGCP High Availability informs the layer 2 switch of the virtual MAC address of the new FortiGate master in the event of an HA failover, using gratuitous ARP.
Scope
FortiGate. |
Solution
Scenario:
FGT_1:
- Gratuitous ARP is enabled:
FGT_1 (global) # config sys ha
FGT_1 (ha) # get | grep -f grat
gratuitous-arps     : enable   <---
FGT_1 (ha) #
- Port4 deviceinfo details (port4 is the LAN interface in this scenario). This shows the virtual MAC address of port4 on FGT_1: HWaddr 00:09:0f:09:64:03.
FGT_1 (global) # diag hard deviceinfo nic port4
Name:            port4
Driver:          virtio_net
Version:         1.0.0
Bus:             0000:00:09.0
HWaddr:          00:09:0f:09:64:03   <-
Permanent Hwaddr:00:4b:61:6e:0b:04
State:           up
Link:            up
Mtu:             1500
Supported:
Advertised:
Auto:            disabled
RX Ring:         256
TX Ring:         256
Rx packets:      154
Rx bytes:        9250
Rx compressed:   0
Rx dropped:      0
Rx errors:       0
Rx Length err:   0
Rx Buf overflow: 0
Rx Crc err:      0
Rx Frame err:    0
Rx Fifo overrun: 0
Rx Missed packets: 0
Tx packets:      6
Tx bytes:        394
Tx compressed:   0
Tx dropped:      0
Tx errors:       0
Tx Aborted err:  0
Tx Carrier err:  0
Tx Fifo overrun: 0
Tx Heartbeat err: 0
Tx Window err:   0
Multicasts:      0
Collisions:      0
- Port 4 interface IP address:
FGT_1 (root) # show sys inter port4
# config system interface
    edit "port4"
        set vdom "root"
        set ip 10.116.2.86 255.255.240.0   <-
        set allowaccess ping https ssh http telnet
        set type physical
        set snmp-index 4
    next
end
FGT_2:
- Gratuitous ARP is enabled:
FGT_2 (global) # config sys ha
FGT_2 (ha) # get | grep -f grat
gratuitous-arps     : enable   <---
FGT_2 (ha) #
- Port4 deviceinfo details (port4 is the LAN interface in this scenario). This shows the virtual MAC address of port4 on FGT_2: HWaddr 00:41:6c:7a:0c:04.
FGT_2 (root) # sudo global diag hard deviceinfo nic port4
Name:            port4
Driver:          virtio_net
Version:         1.0.0
Bus:             0000:00:09.0
HWaddr:          00:41:6c:7a:0c:04   <-
Permanent Hwaddr:00:41:6c:7a:0c:04
State:           up
Link:            up
Mtu:             1500
Supported:
Advertised:
Auto:            disabled
RX Ring:         256
TX Ring:         256
Rx packets:      73316
Rx bytes:        5883076
Rx compressed:   0
Rx dropped:      0
Rx errors:       0
Rx Length err:   0
Rx Buf overflow: 0
Rx Crc err:      0
Rx Frame err:    0
Rx Fifo overrun: 0
Rx Missed packets: 0
Tx packets:      26
Tx bytes:        1920
Tx compressed:   0
Tx dropped:      0
Tx errors:       0
Tx Aborted err:  0
Tx Carrier err:  0
Tx Fifo overrun: 0
Tx Heartbeat err: 0
Tx Window err:   0
Multicasts:      0
Collisions:      0
- Port 4 interface IP address:
FGT_2 (root) # show sys inter port4
# config system interface
    edit "port4"
        set vdom "root"
        set ip 10.116.2.86 255.255.240.0   <-
        set allowaccess ping https ssh http telnet
        set type physical
        set snmp-index 4
    next
end
In this example, the capture is run on FGT_2 with 'diag sniff packet port4 '' 6 0 a', and a failover from FGT_1 to FGT_2 is then triggered.
Here is the output of the sniffer run on FGT_2. The screenshot shows that FGT_2 sends a gratuitous ARP to advertise its virtual MAC address to the switches, using its IP address 10.116.2.86, so that the switch learns the virtual MAC address of 10.116.2.86 (the virtual MAC of FGT_2) and from then on forwards traffic to FGT_2, the newly elected master.
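As an added example (not code from the article or from FortiOS), the following Python builds a gratuitous ARP frame like the one FGT_2 sends for 10.116.2.86, parses it the way a capture analyser would, and replays it into a minimal switch MAC table and host ARP cache to show why traffic moves to the new master. The switch port numbers, the L2Switch class and the ARP-cache model are assumptions made for the illustration; the MAC addresses are those shown in the deviceinfo output above.

```python
import struct
from ipaddress import IPv4Address
ETH_P_ARP = 0x0806  # EtherType for ARP

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))
def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_arp(sender_mac, sender_ip, target_ip=None, opcode=1):
    """Ethernet/ARP frame; target_ip omitted -> sender IP == target IP, i.e. gratuitous."""
    target_ip = sender_ip if target_ip is None else target_ip
    eth = mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)  # Ethernet/IPv4, 6/4-byte addresses
           + mac_bytes(sender_mac) + IPv4Address(sender_ip).packed
           + bytes(6) + IPv4Address(target_ip).packed)
    return eth + arp

def parse_arp(frame):
    """Return the ARP fields of a frame, or None when it is not an Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": mac_str(frame[22:28]), "spa": str(IPv4Address(frame[28:32])),
            "tha": mac_str(frame[32:38]), "tpa": str(IPv4Address(frame[38:42]))}

def is_gratuitous(arp):
    """A gratuitous ARP announces the sender's own address: sender IP == target IP."""
    return arp is not None and arp["spa"] == arp["tpa"]

class L2Switch:
    """Minimal source-MAC learning, as the LAN switch does when the GARP arrives (assumed model)."""
    def __init__(self):
        self.mac_table = {}  # MAC -> ingress port
    def receive(self, frame, ingress_port):
        self.mac_table[mac_str(frame[6:12])] = ingress_port

def simulate_failover():
    """Replay the GARP of each unit; return the switch MAC table and a host's ARP cache."""
    switch, arp_cache = L2Switch(), {}
    # FGT_1 on assumed switch port 1, then FGT_2 on assumed port 2 after the failover
    for mac, port in (("00:09:0f:09:64:03", 1), ("00:41:6c:7a:0c:04", 2)):
        frame = build_arp(mac, "10.116.2.86")  # constructed frame, not the captured one
        switch.receive(frame, port)
        arp = parse_arp(frame)
        if is_gratuitous(arp):  # hosts refresh their cache entry on a GARP
            arp_cache[arp["spa"]] = arp["sha"]
    return switch.mac_table, arp_cache
```

After the replay the ARP cache maps 10.116.2.86 to the MAC announced last, which is why hosts and the switch now send traffic for that address towards FGT_2.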
Copyright 2024 Fortinet, Inc. All Rights Reserved.