HA architecture and design

How the virtual MAC address is assigned and how packets flow through an HA cluster.

The virtual MAC address design and the packet flow through XG Firewall are explained below.

Virtual MAC design

The HA cluster uses a virtual MAC address, which is always owned by the current primary device. The virtual MAC address isn't the same as the physical MAC address of any interface in the cluster.

The primary device uses the virtual MAC address to respond to ARP requests made to the cluster. The auxiliary device never responds to ARP requests. The auxiliary device uses its own physical MAC address.

All clients connecting to the cluster use the virtual MAC address. There's one virtual MAC address for each interface, except the dedicated HA link.

The image below shows where the virtual MAC address is assigned and the response to an ARP packet.

Diagram showing virtual MAC address and response to an ARP packet
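As an added example (not part of the Sophos documentation or product), the Python audit below checks captured ARP replies against the invariants above: a cluster address may only be answered with that interface's virtual MAC, two different MACs answering for one cluster address means both members are responding, and no virtual MAC may appear on the dedicated HA link. The interface names, IP and MAC addresses and the two-member layout are constructed values.

```python
from dataclasses import dataclass

# Constructed cluster description; hypothetical addresses, not from the page.
# One virtual MAC per traffic interface; the dedicated HA link has none.
VIRTUAL_MACS = {"Port1": "00:1a:8c:00:00:01", "Port2": "00:1a:8c:00:00:02"}
CLUSTER_IPS = {"Port1": "192.0.2.1", "Port2": "198.51.100.1"}
HA_LINK_IFACE = "Port3"
# Physical MACs of the two members, used only to name the offender in a finding.
PHYSICAL_MACS = {
    "primary": {"Port1": "00:50:56:aa:00:01", "Port2": "00:50:56:aa:00:02"},
    "auxiliary": {"Port1": "00:50:56:bb:00:01", "Port2": "00:50:56:bb:00:02"},
}


@dataclass(frozen=True)
class ArpReply:
    iface: str        # interface the reply was captured on
    sender_ip: str    # address the responder claims to own
    sender_mac: str   # MAC the responder placed in the reply


def owner_of(iface, mac):
    """Name the cluster member whose physical MAC this is, if any."""
    for member, macs in PHYSICAL_MACS.items():
        if macs.get(iface) == mac:
            return member
    return "unknown device"


def audit_arp_replies(replies):
    """Check captured ARP replies against the HA design invariants and
    return one finding string per violation (an empty list means clean)."""
    findings = []
    answered_by = {}
    for r in replies:
        # Invariant: the HA link never carries a virtual MAC.
        if r.iface == HA_LINK_IFACE and r.sender_mac in VIRTUAL_MACS.values():
            findings.append(f"{r.iface}: virtual MAC {r.sender_mac} seen on HA link")
            continue
        if r.sender_ip != CLUSTER_IPS.get(r.iface):
            continue  # a member's own address; a physical MAC is expected there
        # Invariant: only the primary answers for a cluster IP, with the virtual MAC.
        if r.sender_mac != VIRTUAL_MACS[r.iface]:
            findings.append(f"{r.iface}: {r.sender_ip} answered by physical MAC of "
                            f"{owner_of(r.iface, r.sender_mac)} ({r.sender_mac})")
        answered_by.setdefault(r.sender_ip, set()).add(r.sender_mac)
    # Two different MACs answering for one cluster IP means both members respond.
    for ip, macs in answered_by.items():
        if len(macs) > 1:
            findings.append(f"{ip}: answered by {len(macs)} different MACs")
    return findings
```

Feed it ARP replies recorded on a client segment (for instance parsed from a packet capture) to confirm that only the virtual MAC answers for each cluster address after a failover.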

Packet flow

Traffic is always sent to the primary device because it responds to ARP requests with the virtual MAC address. The primary device sends the packet to the destination. When the primary device receives the reply from the destination, it forwards the reply to the source.

The diagram below shows the packet flow when the primary device processes a packet. This could be either:

  • Active-passive, where the primary is processing all the traffic.
  • Active-active, where the primary is processing a packet.

Primary device packet flow