Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1842
Views
0
Helpful
4
Replies

Cisco ASA failover virtual MAC with Port-Channel interface.

satish.txt1
Level 1
Level 1

‎12-03-2020 06:58 PM

I have Cisco ASA 5585-X with SSP-60 running in HA (Active-Standby). I would like to configure failover virtual mac address to avoid arp issue during secondary to primary failover. (Its Cisco best practice to use virtual mac). 

In my case i have bunch of VLAN interface on top of Port-Channel in that case how do i configure virtual mac.

 

I didn't find any official document about show to deal with Port-Channel scenario  

 

Question:

1. Should i configure virtual mac address for Physical interface only?

2. Configure failover virtual mac for each interface (no matter portchannel or vlan sub-interface)?

3. If i have two phy interface configured for port-channel in that case both phy interface has different mac so how do i deal with that? 

 

Example: E0/6 + E0/7 = Po1 so should i use just Po1 to configure virtual mac? 

asa-fw1/pri/act# show int TenGigabitEthernet0/6 | grep MAC
	MAC address f0f7.5543.a4c8, MTU not set
asa-fw1/pri/act# show int TenGigabitEthernet0/7 | grep MAC
	MAC address f0f7.5543.a4c9, MTU not set
asa-fw1/pri/act# show int po1 | grep MAC
	MAC address f0f7.5543.a4c8, MTU not set

Same goes with VLAN sub-interface also?

asa-fw1/pri/act# show ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside               69.25.225.60    255.255.255.248 CONFIG
TenGigabitEthernet0/8.4  dci                   172.30.1.254    255.255.254.0   CONFIG
TenGigabitEthernet0/8.5  ilo                   172.30.8.1      255.255.248.0   CONFIG
Port-channel1.64         inside                 10.64.0.1       255.255.248.0   CONFIG
Port-channel1.65         mgmt                   10.65.0.1       255.255.248.0   CONFIG
Port-channel1.66         ops                    10.66.0.1       255.255.248.0   manual
Port-channel1.67         dmz-1                  10.67.0.1       255.255.248.0   CONFIG
Port-channel1.68         dmz-2                  10.68.0.1       255.255.248.0   CONFIG
Port-channel1.69         lab                    10.69.0.1       255.255.248.0   manual
Port-channel1.70         pxe_boot               10.70.0.1       255.255.248.0   CONFIG
Redundant1               FailoverLink           192.168.100.1   255.255.255.0   unset

 

Labels:
0 Helpful
4 Replies 4

Karsten Iwen
VIP
VIP

‎12-04-2020 12:36 AM

The failover mac addresses are used to give the neighbors a stable mapping for their ARP-adjacency. As these adjacencies are only build to the PO-interface and not to the members, failover mac addresses are not needed on the members.

If you configure the failover mac on the main port-channel, the subinterfaces inherit this mac-address.

And that's what I always do, configure failover mac addresses for all port-chanels and regular interfaces.

0 Helpful

satish.txt1
Level 1
Level 1
In response to Karsten Iwen

‎12-06-2020 08:39 PM

Thank you for your reply,

 

So in my case i should be configuring failover mac address on following interfaces, right?

 

GigabitEthernet0/0
TenGigabitEthernet0
Port-channel1

 

 

0 Helpful

Karsten Iwen
VIP
VIP
In response to satish.txt1

‎12-06-2020 11:37 PM

Yes, that should be fine for your setup.

0 Helpful

satish.txt1
Level 1
Level 1
In response to Karsten Iwen

‎01-11-2021 07:44 PM

Karsten,

 

Sorry for delay response, You said just configured virtual mac for Port-Channel1 interface but in my case i don't have any interface_name for Po1 so what i should use in following command

 

interface Port-channel1
 description ** vPC Link to leaf-2-[1,2] **
 lacp max-bundle 8
 no nameif
 no security-level
 no ip address

what interface name i should be using here? 

failover mac address <interface_name>

I have many VLAN interface on Po1 so should i add failover mac for each with same mac?

Port-channel1.64         inside                 10.64.0.1       255.255.248.0   CONFIG
Port-channel1.65         mgmt                   10.65.0.1       255.255.248.0   CONFIG
Port-channel1.66         ops                    10.66.0.1       255.255.248.0   manual
Port-channel1.67         dmz-1                  10.67.0.1       255.255.248.0   CONFIG
Port-channel1.68         dmz-2                  10.68.0.1       255.255.248.0   CONFIG
Port-channel1.69         lab                    10.69.0.1       255.255.248.0   manual
Port-channel1.70         pxe_boot               10.70.0.1       255.255.248.0   CONFIG

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents