HA architecture and design
How the virtual MAC address is assigned and how packets flow through an HA cluster.
The virtual MAC address design, and packet flow through Sophos Firewall is explained below.
Virtual MAC design
The HA cluster uses a virtual MAC address, which is always owned by the current primary device. The virtual MAC address isn't the same as the physical MAC address of any interface in the cluster.
The primary device uses the virtual MAC address to respond to ARP requests made to the cluster. The auxiliary device never responds to ARP requests. The auxiliary device uses its own physical MAC address.
All clients connecting to the cluster use the virtual MAC address. There's one virtual MAC address for each interface, except the dedicated HA link.
The virtual MAC address is calculated based on the cluster ID that you assign. Therefore, you must use a unique ID for each HA cluster.
The image below shows where the virtual MAC address is assigned and the response to an ARP packet.
Traffic is always sent to the primary device because it responds to ARP requests with the virtual MAC address. The primary device sends the packet to the destination. When the primary device receives the reply from the destination, it sends it back to the source.
The diagram below shows the packet flow when the primary device processes a packet. This could be either:
- Active-passive, where the primary is processing all the traffic.
- Active-active, where the primary is processing a packet.
The IP addresses shown in the image are examples only. The IP addresses of your network may be different.