Hi,
I have an active/active cluster of 2 x 3200D's. There are 2 ports dedicated to HA communication, port47 and port48. In order to see these HA ports' physical and virtual MAC addresses, I do this:
FGT-3200D (root) # diagnose sys ha mac
[... other interfaces which have VLAN(s) attached for user data ...]
prio=0, phy_index=46, itf_name=port47, mac=e8.1c.ba.x.x.x, vmac=00.09.0f.09.00.2e, linkfail=0
prio=0, phy_index=47, itf_name=port48, mac=e8.1c.ba.x.x.x, vmac=00.09.0f.09.00.2f, linkfail=0
[... other interfaces which have VLAN(s) attached for user data ...]
Unlike the interfaces for user data, where I can see the HA VMAC on the L2 infrastructure of the network, I cannot see the HA specific VMACs (00.09.0f.09.00.2e and 00.09.0f.09.00.2f above) on the L2 infrastructure. The cables from ports 47 and 48 do go into switches and are not directly connected. And I do see the physical HA MAC addresses on the switches!
Can someone explain why I cannot see the VMACs of the HA interfaces in the L2 network?
Thanks
Mark
As far as I am aware, HA ports do not use vmacs in the infrastructure. They use real MACs and establish IP connectivity using the real MACs. vmacs are only used on interfaces participating in HA failover for user traffic flows (so endpoints know which FW to talk to). Your HA ports are not providing connectivity to any other device besides the FortiGates so there is no need to advertise or use the vmac for this connectivity.
Thanks Graham. Makes sense. Though slightly confusing for me that in the GUI it shows the VMAC :)
Yes I agree it's a bit confusing. But as soon as you enable HA the system generates vMACs for all interfaces.
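The behaviour described in the accepted answer can be checked against what the switches actually learned. The following is an added example, not part of the original thread and not Fortinet code: it parses `diagnose sys ha mac` lines in the format shown in the question and reports, per interface, whether the physical MAC, the vMAC, or both were seen. The physical MAC octets (masked on the page), the `port1` data interface and the switch MAC list are constructed placeholders.

```python
import re

# Constructed sample. port47/port48 follow the lines in the post, with placeholder
# octets where the page masks the physical MAC; port1 is a hypothetical data port.
HA_MAC_OUTPUT = """\
prio=0, phy_index=0, itf_name=port1, mac=e8.1c.ba.00.00.01, vmac=00.09.0f.09.00.00, linkfail=0
prio=0, phy_index=46, itf_name=port47, mac=e8.1c.ba.00.00.2f, vmac=00.09.0f.09.00.2e, linkfail=0
prio=0, phy_index=47, itf_name=port48, mac=e8.1c.ba.00.00.30, vmac=00.09.0f.09.00.2f, linkfail=0
"""
# Constructed: MACs learned on the L2 infrastructure, in mixed vendor notations.
SWITCH_LEARNED = ["0009.0f09.0000", "E8:1C:BA:00:00:2F", "e8-1c-ba-00-00-30"]
HEARTBEAT_PORTS = {"port47", "port48"}

LINE_RE = re.compile(
    r"itf_name=(?P<itf>\S+?), mac=(?P<mac>[0-9a-f.]+), vmac=(?P<vmac>[0-9a-f.]+)",
    re.IGNORECASE,
)


def norm(mac):
    """Reduce any dotted/colon/dash MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_ha_mac(text):
    """Map interface name -> (physical MAC, vMAC) from 'diagnose sys ha mac' lines."""
    return {m["itf"]: (norm(m["mac"]), norm(m["vmac"])) for m in LINE_RE.finditer(text)}


def classify(text, learned, heartbeat_ports):
    """Return {itf: (role, MAC kinds seen on L2, matches the thread's description)}."""
    seen = {norm(m) for m in learned}
    report = {}
    for itf, (phys, vmac) in parse_ha_mac(text).items():
        role = "heartbeat" if itf in heartbeat_ports else "data"
        observed = sorted(k for k, m in (("physical", phys), ("vmac", vmac)) if m in seen)
        # Per the thread: heartbeat ports show only the real MAC, data ports show the vMAC.
        ok = observed == ["physical"] if role == "heartbeat" else "vmac" in observed
        report[itf] = (role, observed, ok)
    return report


if __name__ == "__main__":
    for itf, row in classify(HA_MAC_OUTPUT, SWITCH_LEARNED, HEARTBEAT_PORTS).items():
        print(itf, *row)
```

A heartbeat port that comes back as not matching, or a MAC on the heartbeat VLAN that belongs to neither cluster member, is worth a closer look.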
Copyright 2024 Fortinet, Inc. All Rights Reserved.