

Description: This article describes issues that can occur when operating FortiGate clusters with third-party layer-2 switches.
Products: FortiGate operating in High Availability (HA) mode.

Issues may occur because of the way an HA cluster assigns MAC addresses to the primary cluster unit.


In a functioning HA cluster, all primary cluster unit interfaces are assigned the same virtual MAC address.


This virtual MAC address is in the format 00-09-0f-06-ff-xx.

The last byte of the virtual MAC address is the hexadecimal equivalent of the HA group ID.


Figure 1: Typical HA configuration, each interface connected to a different switch.




Assigning the virtual MAC addresses in this way results in two restrictions when installing HA clusters:


- Two clusters with the same group ID cannot connect to the same switch and cannot be installed on the same network unless they are separated by a router.

- Two or more interfaces on the same primary cluster unit cannot be connected to the same switch unless the traffic is separated using VLANs and the switch is VLAN-aware.


Layer-2 switch restrictions.


In Figure 1, FortiGate #1 and FortiGate #2 are running as an HA cluster.

The internal interfaces of both FortiGates are connected to the internal switch.


The external interfaces of both FortiGates connect to the external switch.

In this configuration, the HA cluster works with any layer-2 switches from any vendor.

There are no issues associated with virtual MAC addresses in this configuration.


In Figure 2, the internal interfaces of both FortiGate units connect to VLAN 100 and the external interfaces of both FortiGate units connect to VLAN 200 of the same switch. Whether this design works depends on how the switch builds its MAC forwarding table.

Figure 2: Both FortiGates connected to separate VLANs on the same switch.



If FortiGate #1 is the primary unit, then its internal and external interfaces have the same virtual MAC address.


The switch detects the same MAC address at interfaces 3 and 11.

If the switch’s MAC forwarding table recognizes VLANs, separate entries are added to the forwarding table for interface 3 and 11.


Interface 3 forwards packets to the virtual MAC address and VLAN 100.


Interface 11 forwards packets to the virtual MAC address and VLAN 200.


If the switch uses a single global MAC-forwarding table that is not VLAN-aware, the switch detects a MAC address conflict between interfaces 3 and 11.


In this case, only one entry is added to the MAC forwarding table. For some switches, the forwarding interface for the virtual MAC address will be either 3 or 11.


For other switches, the forwarding interface for the virtual MAC address alternates between 3 and 11.


In either case, the cluster will not function correctly.

If the switch has this global MAC-forwarding table problem, the current workaround is to use two switches in a configuration similar to Figure 1.
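The two facts above (the virtual MAC is 00-09-0f-06-ff-xx with xx the HA group ID in hex, and a non-VLAN-aware table cannot hold that MAC on two ports) can be turned into a quick check against a switch's MAC table dump. The following is an added example, not code from the Fortinet article: it derives the virtual MAC for a group ID and scans a constructed, Cisco-style "show mac address-table" dump for the virtual MAC appearing on more than one port. The table layout, port names and group IDs are assumptions for the example.

```python
"""Added example (not from the Fortinet article): derive the FortiGate HA
virtual MAC for a group ID and look for the forwarding-table conflict the
article describes in a switch MAC table dump. The dump below is constructed."""
import re
from collections import defaultdict


def ha_virtual_mac(group_id: int) -> str:
    """Virtual MAC shared by all primary-unit interfaces: 00-09-0f-06-ff-xx,
    where xx is the HA group ID as one hexadecimal byte (as the article states)."""
    if not 0 <= group_id <= 255:
        raise ValueError("HA group ID must fit in one byte for this MAC format")
    return f"00-09-0f-06-ff-{group_id:02x}"


def normalize_mac(mac: str) -> str:
    """Accept 0009.0f06.ff01, 00:09:0f:06:ff:01 or 00-09-0f-06-ff-01 and
    return the dashed lowercase form used by the article."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


# Constructed sample dump (assumed Cisco-like columns: VLAN, MAC, type, port).
# Group 1's virtual MAC sits on two ports in different VLANs (Figure 2 layout);
# group 2's virtual MAC sits on two ports in the *same* VLAN (second restriction).
SAMPLE_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 100    0009.0f06.ff01    DYNAMIC     Gi0/3
 200    0009.0f06.ff01    DYNAMIC     Gi0/11
 100    0009.0f06.ff02    DYNAMIC     Gi0/5
 100    0009.0f06.ff02    DYNAMIC     Gi0/7
"""

ROW = re.compile(r"^\s*(\d+)\s+([0-9a-fA-F.:-]+)\s+\S+\s+(\S+)\s*$")


def parse_mac_table(text: str):
    """Return a list of (vlan, mac, port) tuples, skipping header/separator lines."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((int(m.group(1)), normalize_mac(m.group(2)), m.group(3)))
    return rows


def check_virtual_mac(rows, group_id: int, vlan_aware: bool = True):
    """Return (sorted ports where the cluster's virtual MAC was learned, conflict).

    vlan_aware=False models a switch with one global table: the virtual MAC on
    two ports is a conflict whatever the VLANs, so the cluster will not work.
    vlan_aware=True models a per-VLAN table: only the virtual MAC on two ports
    within the same VLAN is a problem (two cluster interfaces on one switch
    without VLAN separation)."""
    vmac = ha_virtual_mac(group_id)
    ports_by_vlan = defaultdict(set)
    for vlan, mac, port in rows:
        if mac == vmac:
            ports_by_vlan[vlan].add(port)
    all_ports = set().union(*ports_by_vlan.values()) if ports_by_vlan else set()
    if vlan_aware:
        conflict = any(len(ports) > 1 for ports in ports_by_vlan.values())
    else:
        conflict = len(all_ports) > 1
    return sorted(all_ports), conflict


if __name__ == "__main__":
    rows = parse_mac_table(SAMPLE_TABLE)
    for gid in (1, 2):
        for aware in (True, False):
            ports, bad = check_virtual_mac(rows, gid, vlan_aware=aware)
            print(f"group {gid} ({ha_virtual_mac(gid)}) vlan_aware={aware}: "
                  f"ports={ports} conflict={bad}")
```

Run against a real dump, the same entry reported on two ports with `vlan_aware=False` is the symptom the article attributes to a global table; with `vlan_aware=True` the Figure 2 layout (group 1 here) passes, while group 2 is flagged because its two interfaces share VLAN 100 on one switch.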


Configuring layer-2 switch MAC address tables.


Some switches support the ability to statically configure MAC addresses to multiple ports.

For example, many Cisco switches that normally use a global MAC address table accept the command:

mac-address-table static hw-addr in-port out-port-list

hw-addr: The MAC address to add to the address table.

in-port: The input port from which packets received with a destination address of hw-addr are forwarded to the list of ports in out-port-list. The in-port must belong to the same VLAN as all the ports in out-port-list.

out-port-list: The list of ports to which packets received on in-port are forwarded. All ports in the list must belong to the same VLAN.

