topic Re: ASA virtual mac best practice in Network Security

ASA virtual mac best practice

ben.wiechman — Mon, 11 Mar 2019 18:28:40 GMT

Will it cause issues if the burned in mac addresses are used as the virtual mac addresses when configuring failover on an ASA? Or will the cause issues in the case where the secondary comes up first and assumes the active state using the mac addresses off the primary? Some delay in applying the virtual mac addresses or something on the primary?

Or is it a better idea to define your own random mac addresses and use those instead as the virtual mac addresses?

Re: ASA virtual mac best practice

Jitendriya Athavale — Fri, 20 Aug 2010 15:14:49 GMT

what exactly do you mean by virtual mac address

when in failover the mac-address of primary is used when primary comes up first and when secondary becomes active it gets this mac address

when in failover pair secondary comes up first since the failover cluster does not detect a primary it will use the mac of secondary to pass traffic

hope this is what you need

you can read more her

https://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1091288

Re: ASA virtual mac best practice

ben.wiechman — Fri, 20 Aug 2010 15:25:11 GMT

When the secondary comes up first and the primary is not available it will use its own mac address and not that of the primary. When the primary comes up the mac address will be updated to be that of the primary causing a short interruption. The recommendation is to configure a virtual mac address (https://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1073913) so that this does not happen.

Instead of inventing a set of mac addresses to use (and hoping that at some point there won't be duplication, etc) if it would cause issues to just use the actual physical mac addresses and configure those as the virtual mac addresses.

Re: ASA virtual mac best practice

praprama — Fri, 20 Aug 2010 15:36:14 GMT

Hey Ben,

I would think this will not cause problems. Since the virtual MACs will take precedence over the actual MAC addresses, even if we have the actual MAC addresses aas the virtual MACs, there shouldn't be a problem. But i must tell you that I have not really tried this before and also, the probabilities of duplication if you use invented virtual MAC addresses are really low

Thanks,

Prapanch

Re: ASA virtual mac best practice

ben.wiechman — Fri, 20 Aug 2010 15:48:13 GMT

I couldn't think of any reason why it wouldn't work, just wondered if anyone had tried it and ran into something goofy.

Thanks

Re: ASA virtual mac best practice

praprama — Fri, 20 Aug 2010 15:50:57 GMT

I think i will leave it for someone who has tried this to answer it if there can be any glitches. But my thought too is that it should work just fine. If you manage to try it out, let us know how it goes.

Thanks and Regards,

Prapanch

ASA virtual mac best practice

NeverOutofTune — Fri, 21 Sep 2012 19:57:45 GMT

I would like to do the same and set the virtual MAC address as the real MAC address of the current active unit. My reason is the ISP is very unresponsive (>4 hours) to clear their arp table which makes it difficult to plan sme future upgrades.

Has anyone set the virtual to be the same as the real MAC address?

You can't do it, the ASA

grant.maynard — Tue, 08 Mar 2016 17:49:00 GMT

You can't do it, the ASA rejects this and gives an error:

DC-FW/unit1/master(config)# int po 23
DC-FW/unit1/master(config-if)# mac-address 8d64.2406.1cb7
ERROR: active address equals to burn-in address
DC-FW/unit1/master(config-if)# int po 24
DC-FW/unit1/master(config-if)# mac-address 8d64.2406.1cbd
ERROR: active address equals to burn-in address

Wanted to clarify this answer

JViveiros — Tue, 06 Jun 2017 21:15:18 GMT

Wanted to clarify this answer - the syntax for defining the failover mac addresses is 'failover mac address <interface> <active mac> <standby mac>'

And yes you can use the interface physical MAC addresses when using the failover syntax.