topic Re: Best option to configure FTD active/passive MAC in Network Security

Best option to configure FTD active/passive MAC

niko — Wed, 26 Aug 2020 10:11:13 GMT

What's the best way to configure static active/passive MAC address for a failover pair?

Asking, because there are basically two ways:

1) Under FTD interface configuration -> Advanced -. Active/Standby Mac address.

It is then being applied like this during deploy:

FMC >> interface XYZ

FMC >> no mac-address

FMC >> mac-address xxxx.xxxx.xxxx standby yyyy.yyyy.yyyy

... which does not look too reliable, as negating and then re-applying it on EACH deployment and, given one case I'm researching, not sure if that is not even leading to some interruptions, but I won't jump to any conclusions yet.

2) Configuration under High Availability -> Interface MAC Address table.

It is then being applied like this during deploy:

FMC >> failover mac address XYZ xxxx.xxxx.xxxx yyyy.yyyy.yyyy

... again - on each deploy, but looks slightly cleaner as it is not negating and if the MAC hasn't changed, I'd say that re-applying this will not cause any issue. Haven't tried this out in a production.

If setting up both configuration options 1) comes first within the deploy and then when 2) follows, so the following Warning is shown:

ftd1 >> [info] : WARNING: MAC address already configured, single_vf interface IFNAME

...clearly using both of them does not look clean as well and is not even required as far as I see.

What's the best option here from reliability and stability perspective?

Re: Best option to configure FTD active/passive MAC

Mohammed al Baqari — Wed, 26 Aug 2020 10:39:01 GMT

Hi,

Option two is the best practice for HA because it eliminates the service
interruption due to mac change in case of failover.

**** please remember to rate useful posts

Re: Best option to configure FTD active/passive MAC

niko — Wed, 26 Aug 2020 10:48:02 GMT

Thank you for input, but aren't both options eliminating service interruptions in case of failover? As per my understanding both options are used to configure active/standby MAC address and in case of failover they will behave the same way, but is there any behavioral difference then I'm not aware of?

Re: Best option to configure FTD active/passive MAC

Mohammed al Baqari — Wed, 26 Aug 2020 13:00:01 GMT

The first commands one will change the mac address of the interface to the
one which you configure while the second command will use virtual mac
instead of changing the physical mac.

Both of them are used for HA however, here is a scenario where the first
method will cause interruption while the second method won't.

"if both units are not brought online at the same time and the secondary
unit boots first and becomes active, it uses the burned-in MAC addresses
for its own interfaces. When the primary unit comes online, the secondary
unit will obtain the MAC addresses from the primary unit. This change can
disrupt network traffic. Configuring virtual MAC addresses for the
interfaces ensures that the secondary unit uses the correct MAC address
when it is the active unit, even if it comes online before the primary unit.
"

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/f1.html#pgfId-2014020

*** please remember to rate useful posts