Same MAC for aggregated interface on two different cluster?

scheuri · ‎02-24-2022

Hello all

I have an odd issue:
I have TWO different cluster of fortigates (four fortigate 1100E altogether, two active/passive cluster). On each of those cluster the port 25 and port 26 are aggregated to one interface.

Now it turns out that the MAC address of this aggregated interface has the SAME MAC address on EACH of the clusters.

Unfortunately those two clusters have this interface in the same network - so that poses an issue.

Any one an idea why this happend and how I can actually change the MAC of an aggregated interface?

Thanks a lot

akristof · ‎02-24-2022

Hello,

Thank you for your question. 2 Clusters of same model having same virtual-mac address is expected in some cases. At least I am guessing that it is virtual-mac-address, as physical mac address of port25 and port26 should be different.

You will be able to change it by configuring different group-id of one of the clusters. More information:

https://docs.fortinet.com/document/fortigate/6.0.0/handbook/996579/cluster-virtual-mac-addresses

https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/614179/configuring-the-primary-fortigate

Adrian

View solution in original post

akristof · ‎02-24-2022

Hello,

Thank you for your question. 2 Clusters of same model having same virtual-mac address is expected in some cases. At least I am guessing that it is virtual-mac-address, as physical mac address of port25 and port26 should be different.

You will be able to change it by configuring different group-id of one of the clusters. More information:

https://docs.fortinet.com/document/fortigate/6.0.0/handbook/996579/cluster-virtual-mac-addresses

https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/614179/configuring-the-primary-fortigate

Adrian

scheuri · ‎02-24-2022

Hello akristof

Thank you very much for your reply, much appreciated.

This means that changing the HA group-id in one cluster should change the (virtual) MAC addresses.

Is a reboot required? Or restart of services?
I am unsure as I don't see any indication on https://docs.fortinet.com/document/fortigate/6.0.0/handbook/996579/cluster-virtual-mac-addresses (and changing the HA group-id alone didnt change the MAC address just yet).

thanks a lot

akristof · ‎02-24-2022

Hello,

Thanks for feedback. Did you already change group-id on both devices of the cluster (primary/secondary) and the virtual-mac address is still the same? Can you post here please some example output for some port:

diag hardware deviceinfo nic <port>

Adrian

scheuri · ‎02-24-2022

My apologies.

It appears that I was impatient. It worked!

After changing the HA group-id (and a reboot, which might not have been necessary) I got another virtual MAC address for the aggregated interface.

Thank you very much for your help, much appreciated

ede_pfau · ‎02-24-2022

The cited Handbook pasage says it all, and clearly so:

"The virtual MAC address is determined based on following formula:

00-09-0f-09-<group-id_hex>-(<vcluster_integer> + <idx>)"

Best practice calls for a non-default group ID for each and every cluster, other than "0". All values up to 255 are allowed.

Ede Kernel panic: Aiee, killing interrupt handler!

scheuri · ‎02-24-2022

Hello Ede

Absolutely - that was certainly my fault for not searching thoroughly enough. I should have found that article/passage/chapter on my own and earlier.

However, the second question only arose as I changed the group-id and the change weren't "immediate" - I wasn't sure whether it needs something additional to trigger a recalculation. Turns out that I was not patient enough and missed the point where it actually changed the MAC (I rebooted, but I rather confident that was not needed)

Same MAC for aggregated interface on two different cluster?

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website