FTD HA Monitored Interface and Virtual MAC address configuration

SaintEvn · ‎01-12-2021

Hi ,

I'm configuring FTD HA managed by FMC.

I was confused with Monitored Interface configuration when configuring FTD HA.

I've outside interface going to router an inside interface connected to switch.

If I put standby IP address for monitored interfaces when configuring HA, how should I configure static route at the switch and router side?

What is the gateway address for router and switch? I’m pointing active unit IP address as gateway but what if active unit fails?

And I also would like to know about active and standby MAC address.

Can I add any MAC address as long as it is within MAC address format?

(for example, can I use 1111.2222.3333.4444 as active MAC and 1111.2222.3333.4455 as standby MAC?)

Thank you all!

Rob Ingram · ‎01-12-2021

Hi @SaintEvn

The active unit always uses the primary unit's IP addresses and MAC addresses.
When the active unit fails over, the standby unit assumes the IP addresses and MAC addresses of the failed unit and begins passing traffic.

Reference here

https://www.cisco.com/c/en/us/td/docs/security/firepower/601/configuration/guide/fpmc-config-guide-v601/fpmc-config-guide-v601_chapter_01100110.html#ID-2107-000000a8

So on the router and switch define the primary IP address as the next hop.

HTH

SaintEvn · ‎01-12-2021

So, Standby IP address are just for interface monitoring purpose and no concern with other process ?

Rob Ingram · ‎01-12-2021

Correct, it's not necessarily required but recommended.

Without a standby IP address, the active unit cannot perform network tests to check the standby interface health; it can only track the link state. You also cannot connect to the standby unit on that interface for management purposes.