Nat/route mode packet flow – Fortinet FortiGate-800 User Manual
Page 90
Fortinet Inc.
Active-Active cluster packet flow
High availability
NAT/Route mode packet flow
In NAT/Route mode, five MAC addresses are involved in active-active communication
between a client and a server if the cluster routes the packets to the subordinate unit
in the cluster:
• Virtual cluster MAC address (MAC_V)
• Client MAC address (MAC_C)
• Server MAC address (MAC_S)
• Subordinate unit internal MAC address (MAC_S_I)
• Subordinate unit external MAC address (MAC_S_E)
In NAT/Route mode, the HA cluster works as a gateway when it responds to ARP
requests. Therefore, the client and the server only know the gateway MAC address
(MAC_V), which is a virtual MAC address created by the HA cluster. The virtual MAC
address is 00-09-0f-06-ff-00.
Switches 1 and 2 know where the virtual MAC address and the real MAC addresses are located.
Packets are routed through the subordinate unit as follows.
A request packet from a client on the internal network to a server on the external
network:
1. Source is MAC_C and destination is MAC_V (from client to primary)
2. Source is MAC_V and destination is MAC_S_I (from primary to subordinate internal)
3. Source is MAC_S_E and destination is MAC_S (from subordinate external to server)
A response packet from a server on the external network to a client on the internal
network:
1. Source is MAC_S and destination is MAC_V (from server to primary)
2. Source is MAC_V and destination is MAC_S_E (from primary to subordinate external)
3. Source is MAC_S_I and destination is MAC_C (from subordinate internal to client)
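As an added example (not code from the Fortinet manual), the following Python models the two three-hop flows above and checks a constructed frame trace against them, reporting any hop that does not belong to either flow. The virtual MAC is the value the manual states; the client, server and subordinate-unit addresses are constructed placeholders.

```python
# Added example: validate an observed frame trace against the NAT/Route mode
# active-active flows described in the manual. Only VIRTUAL_MAC comes from the
# manual; the other four addresses are constructed placeholders.
from dataclasses import dataclass

VIRTUAL_MAC = "00:09:0f:06:ff:00"   # virtual cluster MAC stated in the manual

# Constructed (hypothetical) addresses for the other four roles.
MAC = {
    "MAC_V": VIRTUAL_MAC,
    "MAC_C": "00:11:22:33:44:01",    # client
    "MAC_S": "00:11:22:33:44:02",    # server
    "MAC_S_I": "00:11:22:33:44:03",  # subordinate unit internal interface
    "MAC_S_E": "00:11:22:33:44:04",  # subordinate unit external interface
}

# Expected (source role, destination role) per hop, in order, for each direction.
FLOWS = {
    "request": [("MAC_C", "MAC_V"), ("MAC_V", "MAC_S_I"), ("MAC_S_E", "MAC_S")],
    "response": [("MAC_S", "MAC_V"), ("MAC_V", "MAC_S_E"), ("MAC_S_I", "MAC_C")],
}


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str


def role_of(mac: str) -> str:
    """Map a MAC address back to its role name, or 'UNKNOWN'."""
    for role, addr in MAC.items():
        if addr == mac.lower():
            return role
    return "UNKNOWN"


def classify(frames):
    """Return ('request' or 'response', []) when the hops match one flow exactly,
    otherwise (None, problems) listing each hop that fits neither flow."""
    hops = [(role_of(f.src), role_of(f.dst)) for f in frames]
    for name, expected in FLOWS.items():
        if hops == expected:
            return name, []
    problems = []
    for i, hop in enumerate(hops, 1):
        if not any(i <= len(flow) and hop == flow[i - 1] for flow in FLOWS.values()):
            problems.append(f"hop {i}: {hop[0]} -> {hop[1]} is not an expected hop")
    if len(hops) != 3:
        problems.append(f"expected 3 hops, saw {len(hops)}")
    return None, problems
```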
Configuring switches to work with a NAT/Route mode cluster
Some switch vendors use a Global MAC address table for the entire switch instead of
multiple MAC address tables, one for each interface and VLAN. The Global MAC
address table feature causes interoperability problems with FortiGate HA. For a switch
to work with FortiGate HA, the switch should support and be configured to use
individual MAC address tables for each switch interface.