Re: Cisco ASA failover virtual MAC with Port-Channel interface.

satish.txt1 · ‎12-03-2020

I have Cisco ASA 5585-X with SSP-60 running in HA (Active-Standby). I would like to configure failover virtual mac address to avoid arp issue during secondary to primary failover. (Its Cisco best practice to use virtual mac).

In my case i have bunch of VLAN interface on top of Port-Channel in that case how do i configure virtual mac.

I didn't find any official document about show to deal with Port-Channel scenario

Question:

1. Should i configure virtual mac address for Physical interface only?

2. Configure failover virtual mac for each interface (no matter portchannel or vlan sub-interface)?

3. If i have two phy interface configured for port-channel in that case both phy interface has different mac so how do i deal with that?

Example: E0/6 + E0/7 = Po1 so should i use just Po1 to configure virtual mac?

asa-fw1/pri/act# show int TenGigabitEthernet0/6 | grep MAC
	MAC address f0f7.5543.a4c8, MTU not set
asa-fw1/pri/act# show int TenGigabitEthernet0/7 | grep MAC
	MAC address f0f7.5543.a4c9, MTU not set
asa-fw1/pri/act# show int po1 | grep MAC
	MAC address f0f7.5543.a4c8, MTU not set

Same goes with VLAN sub-interface also?

asa-fw1/pri/act# show ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside               69.25.225.60    255.255.255.248 CONFIG
TenGigabitEthernet0/8.4  dci                   172.30.1.254    255.255.254.0   CONFIG
TenGigabitEthernet0/8.5  ilo                   172.30.8.1      255.255.248.0   CONFIG
Port-channel1.64         inside                 10.64.0.1       255.255.248.0   CONFIG
Port-channel1.65         mgmt                   10.65.0.1       255.255.248.0   CONFIG
Port-channel1.66         ops                    10.66.0.1       255.255.248.0   manual
Port-channel1.67         dmz-1                  10.67.0.1       255.255.248.0   CONFIG
Port-channel1.68         dmz-2                  10.68.0.1       255.255.248.0   CONFIG
Port-channel1.69         lab                    10.69.0.1       255.255.248.0   manual
Port-channel1.70         pxe_boot               10.70.0.1       255.255.248.0   CONFIG
Redundant1               FailoverLink           192.168.100.1   255.255.255.0   unset

Karsten Iwen · ‎12-04-2020

The failover mac addresses are used to give the neighbors a stable mapping for their ARP-adjacency. As these adjacencies are only build to the PO-interface and not to the members, failover mac addresses are not needed on the members.

If you configure the failover mac on the main port-channel, the subinterfaces inherit this mac-address.

And that's what I always do, configure failover mac addresses for all port-chanels and regular interfaces.

satish.txt1 · ‎12-06-2020

Thank you for your reply,

So in my case i should be configuring failover mac address on following interfaces, right?

GigabitEthernet0/0
TenGigabitEthernet0
Port-channel1

Karsten Iwen · ‎12-06-2020

Yes, that should be fine for your setup.

satish.txt1 · ‎01-11-2021

Karsten,

Sorry for delay response, You said just configured virtual mac for Port-Channel1 interface but in my case i don't have any interface_name for Po1 so what i should use in following command

interface Port-channel1
 description ** vPC Link to leaf-2-[1,2] **
 lacp max-bundle 8
 no nameif
 no security-level
 no ip address

what interface name i should be using here?

failover mac address <interface_name>

I have many VLAN interface on Po1 so should i add failover mac for each with same mac?

Port-channel1.64         inside                 10.64.0.1       255.255.248.0   CONFIG
Port-channel1.65         mgmt                   10.65.0.1       255.255.248.0   CONFIG
Port-channel1.66         ops                    10.66.0.1       255.255.248.0   manual
Port-channel1.67         dmz-1                  10.67.0.1       255.255.248.0   CONFIG
Port-channel1.68         dmz-2                  10.68.0.1       255.255.248.0   CONFIG
Port-channel1.69         lab                    10.69.0.1       255.255.248.0   manual
Port-channel1.70         pxe_boot               10.70.0.1       255.255.248.0   CONFIG