Same IP but Different Mac on Same VLAN

hs08
VIP

Hello,

Our core switch is a C9500 with stacking enabled, and next year we will implement active-active for my firewall using Fortigate.

When the firewall is configured as active-active, we need 2 cables connected from the firewall to the core switch, and from the firewall's point of view the IP address will be the same for both interfaces.

Now I need some advice on how we can handle this from the core switch's point of view. My idea is to create a VLAN on the core switch, assign 2 interfaces, set both interfaces as members of that VLAN, and connect both cables to the firewall.

Will this scenario work? Maybe from the core switch's point of view, the core switch will see one IP address but with 2 different MAC addresses.

6 Replies

@hs08 Hi, your understanding is correct. You can create a VLAN and assign it to 2 ports on the switch, then connect those to the same respective ports (port 1 on firewall 1 and port 1 on firewall 2) on the 2 firewalls. The firewall will use a virtual MAC to handle the HA cluster.

Please rate this and mark as solution/answer if this resolved your issue.
Good luck
KB

Yes, it is correct: one IP for two MACs.

MHM

So there will be no issue with one IP address having two different MAC addresses on the same VLAN?

@hs08

Take a look at the firewall documentation for the Active-Active setup. As far as I can see, Fortigate does what we call HA SSO. In this scenario, we have different IP addresses on the firewalls, but during cluster formation one virtual IP address and MAC address will be created, and that IP will be used as the gateway for your LAN.

Thank you for sharing your scenario. Configuring your network to support an active-active firewall setup with the Fortigate firewalls and Cisco C9500 core switch is a great step towards enhancing performance and redundancy. Let’s address your query regarding handling this setup from the core switch perspective.

Proposed Configuration and Considerations

Your idea to create a VLAN on the core switch and assign both interfaces to it is a common approach. However, it's important to consider how the core switch will handle the same IP address with two different MAC addresses. Here are key points to consider:

  1. Active-Active Firewall Mode
    In active-active mode, each firewall interface typically participates in the network and may have distinct MAC addresses while sharing a single IP address (through a Virtual IP). This setup relies on advanced load-sharing mechanisms, such as Equal-Cost Multi-Path (ECMP) routing or other load-balancing techniques.

  2. Switch VLAN Configuration
    Creating a dedicated VLAN and assigning both interfaces to it is a valid approach. Ensure the VLAN is properly configured with no IP address assigned on the switch side unless required for routing purposes.

  3. MAC Address Handling
    On the core switch, the same IP address with two MAC addresses may cause instability if handled improperly. To address this, consider enabling the following configurations:

    • PortChannel (Link Aggregation Group): Aggregate the two interfaces into a single PortChannel. This ensures the switch sees only one logical interface, simplifying MAC address handling.
    • Spanning Tree Protocol (STP): Ensure STP is configured correctly to avoid loops.
    • Dynamic ARP Inspection and DHCP Snooping: Enable these features to protect against IP spoofing or ARP attacks.

  4. Routing Implications
    Ensure the routing protocols on the core switch support ECMP or are compatible with Fortigate’s active-active setup. This will enable seamless traffic flow across both links.

Testing and Validation

Once configured, it’s essential to test the setup thoroughly in a staging environment. Validate the following:

  • Redundancy: Ensure failover works as expected.
  • Traffic Distribution: Verify proper load balancing.
  • Connectivity: Confirm there’s no ARP instability due to MAC address mismatches.

Final Advice

If your current hardware or design introduces limitations, consider consulting Fortigate’s best practices for active-active deployment. Detailed documentation often provides configuration nuances that can prevent common pitfalls. Additionally, ensure that your Cisco C9500 switch is running the latest stable IOS-XE version for optimal performance and compatibility.

For an in-depth guide on networking configurations, you can visit Digistrives, where we frequently cover best practices and troubleshooting for advanced network setups.

This setup will provide high availability and better utilization of your firewall resources. Let me know if you need further assistance!

Htonieto
Level 1

So what you will need:

  1. Create the VLAN in your core switch
  2. Assign one interface in each switch to this VLAN
  3. Create a hardware switch in the Fortigate

The hardware switch provides the ability for the FortiGate to use the group as a single interface. The IP will be active only on the primary FortiGate. An active-active HA cluster consists of a primary unit that receives all communication sessions and load balances them among the primary unit and all of the subordinate units.

Also, please validate the proper operation of the hardware switch by disconnecting one cable at a time.
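Both the "Testing and Validation" list in the earlier reply (confirm there is no ARP instability) and the advice above to pull one cable at a time come down to the same check on the core switch: watch whether the cluster IP keeps a single MAC over time, and whether any other IP on the VLAN starts flipping between MACs. The script below is an added example, not code from the thread or from Cisco or Fortinet. It parses a series of constructed `show ip arp` snapshots, records every MAC seen per IP and interface, and reports IPs that were seen with more than one MAC. The `HA_VMAC_PREFIX` value is an assumption used as a placeholder for the cluster's virtual MAC range; read the real virtual MAC from your own cluster before relying on that classification. An IP whose MACs all fall inside that range is worth checking against cluster status (a failover or re-formation), while an IP claimed by a MAC outside the range is a duplicate IP, a misconfiguration, or ARP spoofing and should be correlated with Dynamic ARP Inspection logs.

```python
"""Audit a series of IOS 'show ip arp' snapshots for one IP seen with several MACs.

Added example for this thread; input is constructed sample output, not a capture.
"""
import re
from collections import defaultdict

# ASSUMPTION: placeholder prefix for the firewall cluster's HA virtual MAC range
# (IOS dotted format). Replace with the value your cluster actually reports.
HA_VMAC_PREFIX = "0009.0f09"

# Constructed sample: three 'show ip arp' snapshots taken minutes apart on the
# core switch. 10.10.100.1 is the cluster gateway, 10.10.100.254 the switch SVI.
SNAPSHOTS = [
    """Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.100.1             0   0009.0f09.0001  ARPA   Vlan100
Internet  10.10.100.3             2   0009.0f09.0003  ARPA   Vlan100
Internet  10.10.100.20            4   5c5e.ab12.3456  ARPA   Vlan100
Internet  10.10.100.254           -   0011.2233.4455  ARPA   Vlan100
""",
    """Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.100.1             1   0009.0f09.0001  ARPA   Vlan100
Internet  10.10.100.3             0   0009.0f09.0103  ARPA   Vlan100
Internet  10.10.100.20            0   f0a1.b2c3.d4e5  ARPA   Vlan100
Internet  10.10.100.254           -   0011.2233.4455  ARPA   Vlan100
""",
    """Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.100.1             0   0009.0f09.0001  ARPA   Vlan100
Internet  10.10.100.3             3   0009.0f09.0003  ARPA   Vlan100
Internet  10.10.100.20            1   5c5e.ab12.3456  ARPA   Vlan100
Internet  10.10.100.254           -   0011.2233.4455  ARPA   Vlan100
""",
]

# One ARP entry in IOS format: IP, age ("-" for the switch's own SVI), MAC, interface.
ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA\s+(?P<intf>\S+)",
    re.IGNORECASE | re.MULTILINE,
)


def parse_arp(text):
    """Return (ip, mac, interface) tuples from one 'show ip arp' snapshot."""
    return [(m["ip"], m["mac"].lower(), m["intf"]) for m in ARP_LINE.finditer(text)]


def ip_mac_history(snapshots):
    """Map (interface, ip) -> set of every MAC that answered for it across snapshots."""
    seen = defaultdict(set)
    for snap in snapshots:
        for ip, mac, intf in parse_arp(snap):
            seen[(intf, ip)].add(mac)
    return seen


def classify(macs, ha_prefix=HA_VMAC_PREFIX):
    """Label one IP's MAC set: stable, all inside the HA virtual range, or conflict."""
    if len(macs) == 1:
        return "stable"
    if all(m.startswith(ha_prefix) for m in macs):
        return "ha-range"   # several MACs, all from the cluster's virtual range
    return "conflict"       # a MAC outside the expected range claimed the IP


def audit(snapshots, ha_prefix=HA_VMAC_PREFIX):
    """Return {ip: (interface, verdict, sorted MACs)} for IPs seen with >1 MAC."""
    findings = {}
    for (intf, ip), macs in ip_mac_history(snapshots).items():
        verdict = classify(macs, ha_prefix)
        if verdict != "stable":
            findings[ip] = (intf, verdict, sorted(macs))
    return findings


if __name__ == "__main__":
    for ip, (intf, verdict, macs) in sorted(audit(SNAPSHOTS).items()):
        print(f"{ip:15} {intf:8} {verdict:9} {', '.join(macs)}")
```

Run it against snapshots collected before, during and after each cable pull: the cluster gateway should stay "stable" on its single virtual MAC, and nothing else on the VLAN should appear in the findings at all.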