FortiOSv3.0HAClustervirtualMACaddresses

The cluster virtual MAC addresses depend on the cluster group ID. In most cases you can operate the cluster with the default group ID of zero. However, if you have more than one FortiGate cluster on the same network, each cluster should have a different group ID. If two clusters on the same network have the same group ID, duplicate MAC addresses could cause addressing conflicts on the network. You can change the group ID from the FortiGate CLI using the following command:

config system ha
    set group-id
end

How the virtual MAC address is determined

The virtual MAC address is determined based on following formula:

00-09-0f-06--

where

is the HA group ID for the cluster converted to hexadecimal.

is 0 for virtual cluster 1 and 2 for virtual cluster 2. If virtual domains are not enabled, HA sets the virtual cluster to 1 and by default all interfaces are in the root virtual domain. Including virtual cluster and virtual domain factors in the virtual MAC address formula means that the same formula can be used whether or not virtual domains and virtual clustering is enabled.

iIn NAT/Route mode, interfaces are numbered from 0 to x (where x is the number of interfaces). The interfaces are listed in alphabetical order on the web-based manager and CLI. The interface at the top of the interface list is first in alphabetical order by name and has an index of 0. The second interface in the list has an index of 1 and so on. In Transparent mode, the index number foe the management IP address is 0.

The second last part of the virtual MAC address depends on the HA group ID and is the same for each cluster interface. The last part of the virtual MAC address is different for each cluster interface.

Example virtual MAC addresses

A FortiGate-500 operating in HA mode where the HA group ID has not been changed (default=0) and virtual domains have not been enabled would have the following virtual MAC addresses:

• dmz interface virtual MAC: 00-09-0f-09-00-00
• external interface virtual MAC: 00-09-0f-09-00-01
• ha interface virtual MAC: 00-09-0f-09-00-02
• Internal interface virtual MAC: 00-09-0f-09-00-03
• port1 interface virtual MAC: 00-09-0f-09-00-04
• port2 interface virtual MAC: 00-09-0f-09-00-05
• port3 interface virtual MAC: 00-09-0f-09-00-06
• port4 interface virtual MAC: 00-09-0f-09-00-07
• port5 interface virtual MAC: 00-09-0f-09-00-08
• port6 interface virtual MAC: 00-09-0f-09-00-09
• port7 interface virtual MAC: 00-09-0f-09-00-0a
• port8 interface virtual MAC: 00-09-0f-09-00-0b

If the group ID is changed to 34 these virtual MAC addresses change to:

• dmz interface virtual MAC: 00-09-0f-09-22-00
• external interface virtual MAC: 00-09-0f-09-22-01
• ha interface virtual MAC: 00-09-0f-09-22-02
• Internal interface virtual MAC: 00-09-0f-09-22-03
• port1 interface virtual MAC: 00-09-0f-09-22-04
• port2 interface virtual MAC: 00-09-0f-09-22-05
• port3 interface virtual MAC: 00-09-0f-09-22-06
• port4 interface virtual MAC: 00-09-0f-09-22-07
• port5 interface virtual MAC: 00-09-0f-09-22-08
• port6 interface virtual MAC: 00-09-0f-09-22-09
• port7 interface virtual MAC: 00-09-0f-09-22-0a
• port8 interface virtual MAC: 00-09-0f-09-22-0b

All of the interfaces of a FortiGate-800 HA cluster operating in Transparent mode with group ID set to 10 have the virtual MAC 00-09-0f-09-0a-00.

A FortiGate-5001SX operating in HA mode with virtual domains enabled where the HA group ID has been changed to 23, port5 and port 6 are in the root virtual domain (which is in virtual cluster1), and port7 and port8 are in the vdom_1 virtual domain (which is in virtual cluster 2) would have the following virtual MAC addresses:

• port5 interface virtual MAC: 00-09-0f-09-23-05
• port6 interface virtual MAC: 00-09-0f-09-23-06
• port7 interface virtual MAC: 00-09-0f-09-23-27
• port8 interface virtual MAC: 00-09-0f-09-23-28

Virtual MAC address conflicts

If two or more clusters are operating on the same network, there is a possibility that a MAC address conflict can occur. Because all clusters use the same formula to calculate cluster virtual MAC addresses, a MAC address conflict can occur in the following configurations:

• Two clusters are operating on the same network in NAT/Route mode and both clusters have the cluster interface with the same index number connected to the network. For example, both clusters could be using the same FortiGate model and the same interface of each cluster could be connected to the network. This can also happen if each cluster is using a different FortiGate model but the interfaces connected to the network have the same network index.
• Two clusters are operating on the same network in Transparent mode. In this case, all interfaces of both clusters have the same MAC address.
• Two clusters are operating on the same network, one in NAT/Route mode and one in Transparent mode. In this case a conflict can occur of NAT/Route mode cluster interface with interface index 0 is connected to the same network as the cluster operating in Transparent mode.

The solution to all of these conflicts is to use the config system ha group-id CLI command to change the HA group ID of one or both of the clusters. In general it is recommended that you change the group-id if you are connecting two clusters to the same network.