Fortinet FortiGate 4000 User Manual

Page 98


Fortinet Inc.

Active-Active cluster packet flow

High availability

In NAT/Route mode, the HA cluster works as a gateway when it responds to ARP
requests. Therefore, the client and the server only know the gateway MAC address
(MAC_V), which is a virtual MAC address created by the HA cluster. The virtual MAC
address is 00-09-0f-06-ff-00.

Switches 1 and 2 know which ports the virtual MAC address and the real MAC addresses
are reachable on. Packets are routed through the subordinate unit as follows.

A request packet from a client on the internal network to a server on the external
network:

1. Source is MAC_C and destination is MAC_V (from client to primary)
2. Source is MAC_V and destination is MAC_S_I (from primary to subordinate internal)
3. Source is MAC_S_E and destination is MAC_S (from subordinate external to server)

A response packet from a server on the external network to a client on the internal
network:

1. Source is MAC_S and destination is MAC_V (from server to primary)
2. Source is MAC_V and destination is MAC_S_E (from primary to subordinate external)
3. Source is MAC_S_I and destination is MAC_C (from subordinate internal to client)
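The following Python model is an added example and is not part of the FortiGate manual. It encodes the six Layer 2 hops listed above, using the manual's virtual MAC address 00-09-0f-06-ff-00 for MAC_V; the other MAC addresses (client, server, subordinate interfaces) are constructed sample values. It lets you answer a question that matters when you read a packet capture on either segment: which source and destination MAC addresses each station actually sees on the wire.

```python
# Added example (not from the FortiGate manual): a model of the Layer 2 hops
# in the manual's NAT/Route mode Active-Active packet flow.
from dataclasses import dataclass
from typing import List, Set, Tuple

# Virtual MAC address created by the HA cluster, as stated in the manual.
VIRTUAL_MAC = "00-09-0f-06-ff-00"

# Constructed sample addresses for the other stations (assumptions, not from the manual).
MAC = {
    "MAC_C": "00-11-22-33-44-01",    # client on the internal network
    "MAC_V": VIRTUAL_MAC,            # HA cluster virtual MAC (the gateway address)
    "MAC_S_I": "00-11-22-33-44-10",  # subordinate unit, internal interface
    "MAC_S_E": "00-11-22-33-44-11",  # subordinate unit, external interface
    "MAC_S": "00-11-22-33-44-20",    # server on the external network
}


@dataclass(frozen=True)
class Hop:
    src: str   # symbolic name of the source MAC
    dst: str   # symbolic name of the destination MAC
    note: str  # which two units the hop is between


def request_path() -> List[Hop]:
    """Hops a request takes from the internal client to the external server."""
    return [
        Hop("MAC_C", "MAC_V", "client to primary"),
        Hop("MAC_V", "MAC_S_I", "primary to subordinate internal"),
        Hop("MAC_S_E", "MAC_S", "subordinate external to server"),
    ]


def response_path() -> List[Hop]:
    """Hops a response takes from the external server back to the client."""
    return [
        Hop("MAC_S", "MAC_V", "server to primary"),
        Hop("MAC_V", "MAC_S_E", "primary to subordinate external"),
        Hop("MAC_S_I", "MAC_C", "subordinate internal to client"),
    ]


def frames(path: List[Hop]) -> List[Tuple[str, str]]:
    """Resolve a hop list to the (source, destination) MAC pairs seen on the wire."""
    return [(MAC[h.src], MAC[h.dst]) for h in path]


def peers_seen_by(endpoint: str, path: List[Hop]) -> Set[str]:
    """Symbolic MACs a station sends to or receives from along the given path."""
    seen = set()
    for h in path:
        if h.src == endpoint:
            seen.add(h.dst)
        if h.dst == endpoint:
            seen.add(h.src)
    return seen


def gateway_view(endpoint: str) -> Set[str]:
    """Peers a station sees over a full request/response round trip."""
    return peers_seen_by(endpoint, request_path() + response_path())


if __name__ == "__main__":
    for name, path in (("request", request_path()), ("response", response_path())):
        print(name)
        for h, (src, dst) in zip(path, frames(path)):
            print(f"  {src} -> {dst}  ({h.note})")
    print("client sees:", sorted(gateway_view("MAC_C")))
    print("server sees:", sorted(gateway_view("MAC_S")))
```

Running the model shows why a capture on the client segment looks asymmetric: the client sends every request to MAC_V, but the responses it receives are sourced from MAC_S_I, the subordinate unit's real internal MAC. The same holds on the server side with MAC_V and MAC_S_E. That asymmetry is the cluster working as documented, which is worth knowing before a frame sourced from an address other than the gateway's is flagged as spoofing.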

Configuring switches to work with a NAT/Route mode cluster

Some switch vendors use a Global MAC address table for the entire switch instead of
multiple MAC address tables, one for each interface and VLAN. The Global MAC
address table feature causes interoperability problems with FortiGate HA. For a switch
to work with FortiGate HA, the switch should support and be configured to use
individual MAC address tables for each switch interface.

The following are examples of switches that are compatible with the FGCP because
they use a Global MAC address table:

• HP 4100 GL series,
• HP2628,
• HP5300,
• Cisco Catalyst,
• Cisco 2850,
• Cisco 3550,
• Nortel PP8600,
• Nortel XLR.
