Best option to configure FTD active/passive MAC

niko
Level 1

What's the best way to configure static active/passive MAC address for a failover pair?

Asking, because there are basically two ways:

1) Under FTD interface configuration -> Advanced -> Active/Standby MAC address.

It is then being applied like this during deploy:

FMC >> interface  XYZ

FMC >> no mac-address

FMC >> mac-address xxxx.xxxx.xxxx standby yyyy.yyyy.yyyy

... which does not look too reliable, as it negates and then re-applies the MAC on EACH deployment, and, given one case I'm researching, I'm not sure whether that is not even leading to some interruptions, but I won't jump to any conclusions yet.

2) Configuration under High Availability -> Interface MAC Address table.

It is then being applied like this during deploy:

FMC >> failover mac address XYZ xxxx.xxxx.xxxx yyyy.yyyy.yyyy

... again on each deploy, but it looks slightly cleaner as it is not negating, and if the MAC hasn't changed, I'd say that re-applying this will not cause any issue. Haven't tried this out in production.

If both configuration options are set up, 1) comes first within the deploy and then 2) follows, and the following warning is shown:

ftd1 >> [info] : WARNING: MAC address already configured, single_vf interface IFNAME

...clearly using both of them does not look clean either and is not even required as far as I can see.

What's the best option here from reliability and stability perspective?
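As an added example (not from this thread, and not Cisco's tooling), a small Python check that parses an ASA/FTD-style running config and reports, per interface, whether the MAC is set under the interface (option 1), via failover virtual MAC (option 2), both (the overlap behind the "MAC address already configured" warning quoted above), or neither (burned-in MAC, which is what changes on failover). The config text and MAC values are constructed, and the regexes assume the CLI forms shown in the post.

```python
import re
from collections import defaultdict

# Constructed running-config excerpt (not from the page or a real device):
# Gi0/0 carries both a per-interface standby MAC (option 1) and a failover
# virtual MAC (option 2), Gi0/1 uses option 2 only, Gi0/2 has no static MAC.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 mac-address 0200.0000.0001 standby 0200.0000.0002
interface GigabitEthernet0/1
 nameif inside
interface GigabitEthernet0/2
 nameif dmz
failover mac address GigabitEthernet0/0 0200.0000.0001 0200.0000.0002
failover mac address GigabitEthernet0/1 0200.0000.0003 0200.0000.0004
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
IFACE_RE = re.compile(r"^interface (\S+)")
IF_MAC_RE = re.compile(rf"^\s+mac-address ({MAC}) standby ({MAC})", re.I)
FO_MAC_RE = re.compile(rf"^failover mac address (\S+) ({MAC}) ({MAC})", re.I)


def parse_mac_config(text):
    """Map each interface to the (active, standby) pair set by each method."""
    result = defaultdict(lambda: {"interface": None, "failover": None})
    current = None
    for line in text.splitlines():
        if m := IFACE_RE.match(line):
            current = m.group(1)
            result[current]  # register the interface even without a MAC
        elif (m := IF_MAC_RE.match(line)) and current:
            result[current]["interface"] = (m[1].lower(), m[2].lower())
        elif m := FO_MAC_RE.match(line):
            result[m[1]]["failover"] = (m[2].lower(), m[3].lower())
    return dict(result)


def audit(text):
    """Classify each interface: 'both' (the overlap that produces the
    'MAC address already configured' warning), 'failover-only',
    'interface-only' or 'none' (burned-in MAC, changes on failover)."""
    findings = {}
    for name, cfg in parse_mac_config(text).items():
        has_if, has_fo = bool(cfg["interface"]), bool(cfg["failover"])
        findings[name] = ("both" if has_if and has_fo else
                          "failover-only" if has_fo else
                          "interface-only" if has_if else "none")
    return findings
```

Run `audit(SAMPLE_CONFIG)` against a `show running-config` capture to list interfaces that still need a single, consistent static MAC method before the next deploy.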

3 Replies

Hi,

Option two is the best practice for HA because it eliminates the service
interruption due to a MAC change in case of failover.

**** please remember to rate useful posts

Thank you for the input, but aren't both options eliminating service interruptions in case of failover? As per my understanding, both options are used to configure the active/standby MAC address, and in case of failover they will behave the same way, but is there any behavioral difference that I'm not aware of?

The first command will change the MAC address of the interface to the
one which you configure, while the second command will use a virtual MAC
instead of changing the physical MAC.

Both of them are used for HA however, here is a scenario where the first
method will cause interruption while the second method won't.

"If both units are not brought online at the same time and the secondary
unit boots first and becomes active, it uses the burned-in MAC addresses
for its own interfaces. When the primary unit comes online, the secondary
unit will obtain the MAC addresses from the primary unit. This change can
disrupt network traffic. Configuring virtual MAC addresses for the
interfaces ensures that the secondary unit uses the correct MAC address
when it is the active unit, even if it comes online before the primary unit."

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/f1.html#pgfId-2014020

*** please remember to rate useful posts