FortiGate
Shilpa1
Staff
Article Id 192502

Description

This article describes how to verify the MAC addresses assigned to FortiGate interfaces, both on a standalone unit and on a unit that is a member of an HA cluster.

Solution

  1. The following commands display the current and permanent hardware addresses of a standalone FortiGate.
  • Used without any option, the command lists all available interfaces:

diagnose hardware deviceinfo nic

Usage:

diagnose hardware deviceinfo nic <nic name>

The following NICs are available:

port4-ha
port3
port2
port1

  • Used with the interface name, the command shows the MAC address information for that interface:

diagnose hardware deviceinfo nic port1
[...]
System_Device_Name port1
Current_HWaddr 00:09:0F:85:AD:8B
Permanent_HWaddr 00:09:0F:85:AD:8B
[...]

  2. During HA operation, the current hardware address becomes the HA virtual MAC address while the permanent address is unchanged, as shown below for a FortiGate in a cluster:

diagnose hardware deviceinfo nic port1
[...]
System_Device_Name port1
Current_HWaddr 00:09:0F:09:00:00
Permanent_HWaddr 00:09:0F:85:AD:8B
[...]


Note 1:

In the preceding examples, two MAC addresses are shown:

  • Current_HWaddr: the hardware address the interface is currently using and the one seen on the network. It can be changed from the CLI when the FortiGate is running in standalone mode.
  • Permanent_HWaddr: the MAC address programmed into the NIC by the manufacturer, also called the burned-in MAC address. It cannot be changed.

By default, Current_HWaddr is the same as Permanent_HWaddr.
When HA is configured in active-active or active-passive mode, every interface's Current_HWaddr is replaced with the corresponding virtual MAC address, which is derived from the HA group ID, the virtual cluster the interface belongs to, and the interface index (Permanent_HWaddr is left unchanged). Because the derivation depends only on those values, two clusters that share a group ID on the same Layer 2 segment would present duplicate MAC addresses; give each cluster on a segment a distinct group-id.

Note 2:

How to change the MAC address of a physical interface (standalone mode only):

config system interface
    edit "port1"
        set macaddr 00:01:02:03:04:05
    next
end

Furthermore, the 'diagnose sys ha mac' command displays the physical and virtual MAC addresses of every interface on both the primary and the secondary cluster unit. The virtual addresses are held only by the unit that is currently primary, so the secondary reports vmac=--.--.--.--.--.-- for all of its interfaces.

FGT # diagnose sys ha mac

HA mac msg
serial#=FGXXXXXXXXXXXX1 Primary
prio=0, phy_index= 0, itf_name= mgmt, mac=90.6c.ac.fb.b3.75, vmac=00.09.0f.09.64.00, linkfail=0
prio=0, phy_index= 1, itf_name= ha, mac=90.6c.ac.fb.b3.74, vmac=00.09.0f.09.64.01, linkfail=0
prio=0, phy_index= 2, itf_name= wan1, mac=90.6c.ac.fb.b3.80, vmac=00.09.0f.09.64.02, linkfail=0
prio=0, phy_index= 3, itf_name= wan2, mac=90.6c.ac.fb.b3.81, vmac=00.09.0f.09.64.03, linkfail=0
prio=0, phy_index= 4, itf_name= port1, mac=90.6c.ac.fb.b3.82, vmac=00.09.0f.09.64.04, linkfail=0
prio=0, phy_index= 5, itf_name= port2, mac=90.6c.ac.fb.b3.83, vmac=00.09.0f.09.64.05, linkfail=0
prio=0, phy_index= 6, itf_name= port3, mac=90.6c.ac.fb.b3.84, vmac=00.09.0f.09.64.06, linkfail=1
prio=0, phy_index= 7, itf_name= port4, mac=90.6c.ac.fb.b3.85, vmac=00.09.0f.09.64.07, linkfail=1
prio=0, phy_index= 8, itf_name= port5, mac=90.6c.ac.fb.b3.86, vmac=00.09.0f.09.64.08, linkfail=1
prio=0, phy_index= 9, itf_name= port6, mac=90.6c.ac.fb.b3.87, vmac=00.09.0f.09.64.09, linkfail=1
prio=0, phy_index=10, itf_name= port7, mac=90.6c.ac.fb.b3.88, vmac=00.09.0f.09.64.0a, linkfail=1
prio=0, phy_index=11, itf_name= port8, mac=90.6c.ac.fb.b3.89, vmac=00.09.0f.09.64.0b, linkfail=1
prio=0, phy_index=12, itf_name= port9, mac=90.6c.ac.fb.b3.76, vmac=00.09.0f.09.64.0c, linkfail=1
prio=0, phy_index=13, itf_name=port10, mac=90.6c.ac.fb.b3.77, vmac=00.09.0f.09.64.0d, linkfail=1
prio=0, phy_index=14, itf_name=port11, mac=90.6c.ac.fb.b3.78, vmac=00.09.0f.09.64.0e, linkfail=1
prio=0, phy_index=15, itf_name=port12, mac=90.6c.ac.fb.b3.79, vmac=00.09.0f.09.64.0f, linkfail=1
prio=0, phy_index=16, itf_name=port13, mac=90.6c.ac.fb.b3.7a, vmac=00.09.0f.09.64.10, linkfail=1
prio=0, phy_index=17, itf_name=port14, mac=90.6c.ac.fb.b3.7b, vmac=00.09.0f.09.64.11, linkfail=1
prio=0, phy_index=18, itf_name=port15, mac=90.6c.ac.fb.b3.7c, vmac=00.09.0f.09.64.12, linkfail=1
prio=0, phy_index=19, itf_name=port16, mac=90.6c.ac.fb.b3.7d, vmac=00.09.0f.09.64.13, linkfail=1
prio=0, phy_index=20, itf_name=port17, mac=90.6c.ac.fb.b3.7e, vmac=00.09.0f.09.64.14, linkfail=1
prio=0, phy_index=21, itf_name=port18, mac=90.6c.ac.fb.b3.7f, vmac=00.09.0f.09.64.15, linkfail=1
serial#=FGXXXXXXXXXXXX2 Secondary
prio=1, phy_index= 0, itf_name= mgmt, mac=e8.1c.aa.aa.80.7f, vmac=--.--.--.--.--.--, linkfail=0
prio=1, phy_index= 1, itf_name= ha, mac=e8.1c.aa.aa.80.7e, vmac=--.--.--.--.--.--, linkfail=0
prio=1, phy_index= 2, itf_name= wan1, mac=e8.1c.aa.aa.80.8a, vmac=--.--.--.--.--.--, linkfail=0
prio=1, phy_index= 3, itf_name= wan2, mac=e8.1c.aa.aa.80.8b, vmac=--.--.--.--.--.--, linkfail=0
prio=1, phy_index= 4, itf_name= port1, mac=e8.1c.aa.aa.80.8c, vmac=--.--.--.--.--.--, linkfail=0
prio=1, phy_index= 5, itf_name= port2, mac=e8.1c.aa.aa.80.8d, vmac=--.--.--.--.--.--, linkfail=0
prio=1, phy_index= 6, itf_name= port3, mac=e8.1c.aa.aa.80.8e, vmac=--.--.--.--.--.--, linkfail=1
prio=1, phy_index= 7, itf_name= port4, mac=e8.1c.aa.aa.80.8f, vmac=--.--.--.--.--.--, linkfail=1
prio=1, phy_index= 8, itf_name= port5, mac=e8.1c.aa.aa.80.90, vmac=--.--.--.--.--.--, linkfail=1
prio=1, phy_index= 9, itf_name= port6, mac=e8.1c.aa.aa.80.91, vmac=--.--.--.--.--.--, linkfail=1
prio=1, phy_index=10, itf_name= port7, mac=e8.1c.aa.aa.80.92, vmac=--.--.--.--.--.--, linkfail=1
prio=1, phy_index=11, itf_name= port8, mac=e8.1c.aa.aa.80.93, vmac=--.--.--.--.--.--, linkfail=1
prio=1, phy_index=12, itf_name= port9, mac=e8.1c.aa.aa.80.80, vmac=--.--.--.--.--.--, linkfail=1
prio=1, phy_index=13, itf_name=port10, mac=e8.1c.aa.aa.80.81, vmac=--.--.--.--.--.--, linkfail=1
prio=1, phy_index=14, itf_name=port11, mac=e8.1c.aa.aa.80.82, vmac=--.--.--.--.--.--, linkfail=1
prio=1, phy_index=15, itf_name=port12, mac=e8.1c.aa.aa.80.83, vmac=--.--.--.--.--.--, linkfail=1
prio=1, phy_index=16, itf_name=port13, mac=e8.1c.aa.aa.80.84, vmac=--.--.--.--.--.--, linkfail=1
prio=1, phy_index=17, itf_name=port14, mac=e8.1c.aa.aa.80.85, vmac=--.--.--.--.--.--, linkfail=1
prio=1, phy_index=18, itf_name=port15, mac=e8.1c.aa.aa.80.86, vmac=--.--.--.--.--.--, linkfail=1
prio=1, phy_index=19, itf_name=port16, mac=e8.1c.aa.aa.80.87, vmac=--.--.--.--.--.--, linkfail=1
prio=1, phy_index=20, itf_name=port17, mac=e8.1c.aa.aa.80.88, vmac=--.--.--.--.--.--, linkfail=1
prio=1, phy_index=21, itf_name=port18, mac=e8.1c.aa.aa.80.89, vmac=--.--.--.--.--.--, linkfail=1
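The listing above is easy to eyeball once, but on a cluster with many ports (or several clusters) it is worth checking mechanically that what the primary presents is exactly what the HA group ID predicts, and that the secondary holds no virtual address. The following Python script is an added example written for this article, not FortiOS or Fortinet code. It derives the expected virtual MAC from the group ID and interface index using the scheme the article describes (fixed prefix 00:09:0f:09, then the group ID, then the interface index plus a virtual-cluster base; the base values 0x00 for virtual cluster 1 and 0x20 for virtual cluster 2 are taken from Fortinet's HA documentation, not from this page), parses 'diagnose sys ha mac' output, and reports every interface that deviates. It also reads a 'diagnose hardware deviceinfo nic' excerpt and tells whether Current_HWaddr has been replaced, and whether the replacement looks like an HA virtual MAC or a standalone 'set macaddr' override. The two sample outputs are constructed and abridged from the article's own listings; the primary's port3 vmac was deliberately changed to end in .99 so the audit has a mismatch to report, and the group ID 0x64 is simply read off the fifth octet of the sample. All function and constant names are this example's own.

```python
# Example code for this article (not FortiOS/Fortinet code): audit FortiGate HA virtual
# MACs against the documented derivation and spot overridden interface addresses.
import re

# Every FortiGate HA virtual MAC starts with this fixed prefix; the fifth octet is the HA
# group ID and the sixth is the interface index offset by the virtual-cluster base
# (0x00 for virtual cluster 1, 0x20 for virtual cluster 2; values per Fortinet's HA guide).
HA_VMAC_PREFIX = (0x00, 0x09, 0x0F, 0x09)
VCLUSTER_BASE = {1: 0x00, 2: 0x20}
NO_VMAC = "--.--.--.--.--.--"  # what the secondary (and dedicated HA-mgmt ports) report

SERIAL_RE = re.compile(r"^serial#=(\S+)\s+(Primary|Secondary|Master|Slave)\s*$")
ITF_RE = re.compile(
    r"^prio=(\d+),\s*phy_index=\s*(\d+),\s*itf_name=\s*([^,\s]+),\s*"
    r"mac=([^,\s]+),\s*vmac=([^,\s]+),\s*linkfail=(\d+)\s*$"
)
HWADDR_RE = re.compile(r"^(Current_HWaddr|Permanent_HWaddr)\s+([0-9A-Fa-f:]{17})\s*$", re.M)

# Constructed sample, abridged from the article's 'diagnose sys ha mac' listing. The
# primary's port3 line was deliberately altered to end in .99 so the audit flags it.
SAMPLE_HA_MAC = """\
HA mac msg
serial#=FGXXXXXXXXXXXX1 Primary
prio=0, phy_index= 0, itf_name= mgmt, mac=90.6c.ac.fb.b3.75, vmac=00.09.0f.09.64.00, linkfail=0
prio=0, phy_index= 1, itf_name= ha, mac=90.6c.ac.fb.b3.74, vmac=00.09.0f.09.64.01, linkfail=0
prio=0, phy_index= 4, itf_name= port1, mac=90.6c.ac.fb.b3.82, vmac=00.09.0f.09.64.04, linkfail=0
prio=0, phy_index= 6, itf_name= port3, mac=90.6c.ac.fb.b3.84, vmac=00.09.0f.09.64.99, linkfail=1
serial#=FGXXXXXXXXXXXX2 Secondary
prio=1, phy_index= 0, itf_name= mgmt, mac=e8.1c.aa.aa.80.7f, vmac=--.--.--.--.--.--, linkfail=0
prio=1, phy_index= 4, itf_name= port1, mac=e8.1c.aa.aa.80.8c, vmac=--.--.--.--.--.--, linkfail=0
"""

# Constructed sample shaped like 'diagnose hardware deviceinfo nic port1' on a cluster member.
SAMPLE_DEVICEINFO = """\
System_Device_Name port1
Current_HWaddr 00:09:0F:09:00:00
Permanent_HWaddr 00:09:0F:85:AD:8B
"""


def expected_vmac(group_id: int, idx: int, vcluster: int = 1) -> str:
    """Return the HA virtual MAC for (group_id, interface index) in the dotted diag format."""
    if not 0 <= group_id <= 0xFF:
        raise ValueError("HA group-id must fit in one octet")
    last = VCLUSTER_BASE[vcluster] + idx
    if last > 0xFF:
        raise ValueError("interface index too large for the virtual cluster's range")
    return ".".join(f"{b:02x}" for b in (*HA_VMAC_PREFIX, group_id, last))


def parse_ha_mac(output: str) -> list:
    """Split 'diagnose sys ha mac' output into one record per cluster unit."""
    units = []
    for raw in output.splitlines():
        line = raw.strip()
        if m := SERIAL_RE.match(line):
            units.append({"serial": m.group(1), "role": m.group(2), "interfaces": []})
        elif (m := ITF_RE.match(line)) and units:
            prio, idx, name, mac, vmac, linkfail = m.groups()
            units[-1]["interfaces"].append({
                "prio": int(prio), "idx": int(idx), "name": name,
                "mac": mac.lower(), "vmac": vmac.lower(), "linkfail": linkfail == "1",
            })
    return units


def audit_ha_mac(output: str, group_id: int, vcluster: int = 1) -> list:
    """Report interfaces whose vmac does not match the derivation or the unit's role."""
    findings = []
    for unit in parse_ha_mac(output):
        is_primary = unit["role"] in ("Primary", "Master")
        for itf in unit["interfaces"]:
            tag = f"{unit['serial']}/{itf['name']}"
            if is_primary and itf["vmac"] == NO_VMAC:
                # Legitimate only for a dedicated HA management interface; worth confirming.
                findings.append(f"{tag}: primary has no vmac (dedicated HA management interface?)")
            elif is_primary:
                want = expected_vmac(group_id, itf["idx"], vcluster)
                if itf["vmac"] != want:
                    findings.append(f"{tag}: vmac {itf['vmac']} != expected {want}")
            elif itf["vmac"] != NO_VMAC:
                findings.append(f"{tag}: secondary unit reports vmac {itf['vmac']}")
    return findings


def hwaddr_status(deviceinfo_output: str) -> dict:
    """Tell whether Current_HWaddr differs from the burned-in Permanent_HWaddr, and why it may."""
    found = {k: v.lower() for k, v in HWADDR_RE.findall(deviceinfo_output)}
    current, permanent = found["Current_HWaddr"], found["Permanent_HWaddr"]
    return {
        "current": current,
        "permanent": permanent,
        "overridden": current != permanent,
        # HA prefix on a changed address means the cluster did it; otherwise suspect 'set macaddr'.
        "looks_like_ha_vmac": current.startswith("00:09:0f:09:"),
    }


if __name__ == "__main__":
    for finding in audit_ha_mac(SAMPLE_HA_MAC, group_id=0x64):
        print(finding)
    print(hwaddr_status(SAMPLE_DEVICEINFO))
```

Run against a real cluster by pasting the full 'diagnose sys ha mac' output into audit_ha_mac() with the group-id from 'config system ha'; an empty result means every primary interface carries exactly the address the scheme predicts and the secondary carries none. A mismatch that is not explained by a dedicated HA management interface, or a Current_HWaddr that differs from Permanent_HWaddr without the HA prefix, is what should prompt a closer look at the interface configuration.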

 

Note:

If an interface is configured as a dedicated HA management interface (ha-mgmt-status enable, with the interface listed under ha-mgmt-interfaces), it is not assigned a virtual MAC address and keeps its physical address, so the primary's output shows no vmac for it:

prio=0, phy_index= 5, itf_name= port6, mac=00.65.72.62.83.06, vmac=--.--.--.--.--.--, linkfail=0

Configuration (port6 is the dedicated HA management interface):

config system ha
    set group-id 1
    set group-name "DC_HA_Gateway"
    set mode a-p
    set password ENC C+HwzdCNwRPs+vWyj4ims6Sm61R/CPm0Y4e8dq5O3EqEUjzRVdgpRXJJzqHybhobxOWJPB/2dzyGLGtU0GWWbx0CjVTbhYkVf1y6vipW7GzJCgXBJePjyR2OAp1SIV9f8Qj/8EnsZ6i1/3mRcUneJaanqIMtthr82jP81gB+zWjGQKjfZUgl0RyJ1oVU3RL3HBunEFlmMjY3dkVA
    set hbdev "port10" 0 
    set ha-mgmt-status enable
        config ha-mgmt-interfaces
            edit 1
                set interface "port6" <<<<<<<<<<<<<<
            next
        end
    set override disable
    set priority 254
    set monitor "port1" "port2" "port3" "port4" "port5" 
end

From FortiOS 7.6.0, FortiGate supports three methods of assigning HA virtual MAC addresses:

  1. Manual assignment per interface.
  2. Automatic assignment.
  3. Group ID-based assignment (the existing process described above).

Related documents:
Manual and automatic HA virtual MAC address assignment
Technical Tip: HA Cluster virtual MAC addresses