Created on 11-18-2004 12:00 AM Edited on 06-10-2022 01:19 AM By Anthony_E
Description: This article describes issues that can arise when operating FortiGate clusters with third-party layer-2 switches.
Products: FortiGate operating in High Availability (HA) mode.
Details:
Issues may occur because of the way an HA cluster assigns MAC addresses to the primary cluster unit.
In a functioning HA cluster, all primary cluster unit interfaces are assigned the same virtual MAC address.
This virtual MAC address is in the format The last byte of the virtual MAC address is the hexadecimal equivalent of the HA group ID.
Figure 1. Typical HA configuration, each interface connected to a different switch
Assigning the virtual MAC addresses in this way results in two restrictions when installing HA clusters:
- Two clusters with the same group ID cannot connect to the same switch and cannot be installed on the same network unless they are separated by a router.
- Two or more interfaces on the same primary cluster unit cannot be connected to the same switch unless the traffic is separated using VLANs and the switch's MAC forwarding table is VLAN-aware.
Layer-2 switch restrictions.
In Figure 1, FortiGate #1 and FortiGate #2 are running as an HA cluster. The internal interfaces of both FortiGates are connected to the internal switch.
The external interfaces of both FortiGates connect to the external switch. In this configuration, the HA cluster works with any layer-2 switches from any vendor. There are no issues associated with virtual MAC addresses in this configuration.
In Figure 2, the internal interfaces of both FortiGate units connect to VLAN 100 and the external interfaces of both FortiGate units connect to VLAN 200 of the same switch. Whether this design works depends on how the switch builds its MAC forwarding table.
Figure 2: Both FortiGates connected to separate VLANs on the same switch.
If FortiGate #1 is the primary unit, then its internal and external interfaces have the same virtual MAC address.
The switch detects the same MAC address at interfaces 3 and 11. If the switch’s MAC forwarding table recognizes VLANs, separate entries are added to the forwarding table for interface 3 and 11.
Interface 3 forwards packets to the virtual MAC address and VLAN 100.
Interface 11 forwards packets to the virtual MAC address and VLAN 200.
If the switch uses a single global MAC forwarding table that is not VLAN-aware, the switch detects a MAC address conflict between interfaces 3 and 11.
In this case, only one entry is added to the MAC forwarding table. On some switches, the forwarding interface for the virtual MAC address will be fixed at either 3 or 11.
On other switches, the forwarding interface for the virtual MAC address alternates between 3 and 11 as the switch re-learns the address from each port.
In either case, traffic for one of the VLANs is sent to the wrong interface and the cluster will not function correctly. If the switch has this global MAC forwarding table problem, the current workaround is to use two switches in a configuration similar to Figure 1.
Configuring layer-2 switch MAC address tables.
Some switches support the ability to statically configure MAC addresses to multiple ports. For example, many Cisco switches that normally use a global MAC address table allow use of the command:
mac-address-table static hw-addr in-port out-port-list
Here frames for hw-addr that arrive on in-port are forwarded out the ports in out-port-list, so a separate entry can be configured for each ingress port, sending VLAN 100 traffic to the port of the internal interface and VLAN 200 traffic to the port of the external interface.
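The following is an added illustration, not code from the article or from Fortinet or Cisco. It models the three switch behaviours discussed above with a minimal learning bridge: a VLAN-aware table keyed on (VLAN, MAC), a global table keyed on MAC only, and the global table with per-ingress-port static entries of the kind the Cisco command configures. Switch ports 3 and 11 and VLANs 100 and 200 come from Figure 2; ports 1 and 12 (one host per VLAN), the host MAC addresses and the placeholder virtual MAC value are constructed assumptions.

```python
"""Model of how a layer-2 switch forwards the HA virtual MAC when the internal
and external interfaces of the same primary unit sit on one switch (Figure 2).
Assumed topology: FortiGate internal interface on port 3 / VLAN 100, FortiGate
external interface on port 11 / VLAN 200, one host on port 1 (VLAN 100) and
one on port 12 (VLAN 200).  All MAC values are placeholders."""

VMAC = "00:09:0f:09:00:01"       # placeholder virtual MAC (not a real group-ID-derived value)
HOST_INT = "00:11:22:33:44:55"   # constructed host on the internal VLAN
HOST_EXT = "00:aa:bb:cc:dd:ee"   # constructed host on the external VLAN

PORT_VLAN = {1: 100, 3: 100, 11: 200, 12: 200}


class Switch:
    """Minimal learning bridge.  vlan_aware=False keys the table on MAC only
    (one global table); vlan_aware=True keys it on (VLAN, MAC)."""

    def __init__(self, vlan_aware):
        self.vlan_aware = vlan_aware
        self.dynamic = {}   # key -> port learned from the source address
        self.static = {}    # (mac, in_port) -> set of out ports, like the Cisco static entry
        self.moves = 0      # how often an already-learned entry changed port (flapping)

    def _key(self, mac, vlan):
        return (vlan, mac) if self.vlan_aware else mac

    def add_static(self, mac, in_port, out_ports):
        """Equivalent of 'mac-address-table static <mac> <in-port> <out-port-list>'."""
        self.static[(mac, in_port)] = set(out_ports)

    def forward(self, src, dst, in_port):
        """Learn src on in_port, then return the set of ports dst is sent to."""
        vlan = PORT_VLAN[in_port]
        # A statically configured address is not re-learned dynamically.
        if not any(mac == src for mac, _ in self.static):
            key = self._key(src, vlan)
            old = self.dynamic.get(key)
            if old is not None and old != in_port:
                self.moves += 1
            self.dynamic[key] = in_port

        if (dst, in_port) in self.static:
            return self.static[(dst, in_port)]
        out = self.dynamic.get(self._key(dst, vlan))
        if out is None:
            # Unknown destination: flood within the VLAN, excluding the ingress port.
            return {p for p, v in PORT_VLAN.items() if v == vlan and p != in_port}
        return {out}


def run_scenario(vlan_aware, use_static=False):
    """Return where frames for VMAC from each VLAN end up, plus the flap count."""
    sw = Switch(vlan_aware)
    if use_static:
        # One entry per ingress port: VLAN 100 traffic to port 3, VLAN 200 traffic to port 11.
        sw.add_static(VMAC, 1, [3])
        sw.add_static(VMAC, 12, [11])
    # The primary unit transmits on both interfaces, so the switch repeatedly sees
    # VMAC as a source on port 3 and then on port 11.
    for _ in range(3):
        sw.forward(VMAC, HOST_INT, 3)
        sw.forward(VMAC, HOST_EXT, 11)
    # Hosts on each VLAN now send to the cluster's virtual MAC.
    to_internal = sw.forward(HOST_INT, VMAC, 1)   # should reach port 3
    to_external = sw.forward(HOST_EXT, VMAC, 12)  # should reach port 11
    return {"vlan100": to_internal, "vlan200": to_external, "moves": sw.moves}


if __name__ == "__main__":
    for label, kwargs in [("VLAN-aware table", {"vlan_aware": True}),
                          ("global table", {"vlan_aware": False}),
                          ("global table + static entries", {"vlan_aware": False, "use_static": True})]:
        print(label, run_scenario(**kwargs))
```

With the VLAN-aware table both lookups succeed and the entry never moves. With the global table the entry flaps on every frame the primary unit sends, and whichever port was learned last receives the traffic for both VLANs, so VLAN 100 frames end up on port 11. The static entries restore correct forwarding on a global-table switch, which is the workaround the Cisco command provides.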
Copyright 2024 Fortinet, Inc. All Rights Reserved.