I have a Cisco ASA 5585-X with SSP-60 running in HA (Active/Standby). I would like to configure a failover virtual MAC address to avoid ARP issues during secondary-to-primary failover. (It's Cisco best practice to use a virtual MAC.)
In my case I have a bunch of VLAN interfaces on top of a Port-Channel; in that case how do I configure the virtual MAC?
I didn't find any official document about how to deal with the Port-Channel scenario.
1. Should I configure the virtual MAC address for physical interfaces only?
2. Configure a failover virtual MAC for each interface (no matter whether port-channel or VLAN sub-interface)?
3. If I have two physical interfaces configured for a port-channel, both physical interfaces have different MACs, so how do I deal with that?
Example: E0/6 + E0/7 = Po1, so should I use just Po1 to configure the virtual MAC?
asa-fw1/pri/act# show int TenGigabitEthernet0/6 | grep MAC
        MAC address f0f7.5543.a4c8, MTU not set
asa-fw1/pri/act# show int TenGigabitEthernet0/7 | grep MAC
        MAC address f0f7.5543.a4c9, MTU not set
asa-fw1/pri/act# show int po1 | grep MAC
        MAC address f0f7.5543.a4c8, MTU not set
Does the same go for VLAN sub-interfaces also?
asa-fw1/pri/act# show ip
System IP Addresses:
Interface                Name          IP address       Subnet mask       Method
GigabitEthernet0/0       outside       184.108.40.206   255.255.255.248   CONFIG
TenGigabitEthernet0/8.4  dci           172.30.1.254     255.255.254.0     CONFIG
TenGigabitEthernet0/8.5  ilo           172.30.8.1       255.255.248.0     CONFIG
Port-channel1.64         inside        10.64.0.1        255.255.248.0     CONFIG
Port-channel1.65         mgmt          10.65.0.1        255.255.248.0     CONFIG
Port-channel1.66         ops           10.66.0.1        255.255.248.0     manual
Port-channel1.67         dmz-1         10.67.0.1        255.255.248.0     CONFIG
Port-channel1.68         dmz-2         10.68.0.1        255.255.248.0     CONFIG
Port-channel1.69         lab           10.69.0.1        255.255.248.0     manual
Port-channel1.70         pxe_boot      10.70.0.1        255.255.248.0     CONFIG
Redundant1               FailoverLink  192.168.100.1    255.255.255.0     unset
The failover MAC addresses are used to give the neighbors a stable mapping for their ARP adjacency. As these adjacencies are only built to the Port-Channel interface and not to the members, failover MAC addresses are not needed on the members.
If you configure the failover MAC on the main port-channel, the sub-interfaces inherit this MAC address.
And that's what I always do: configure failover MAC addresses for all port-channels and regular interfaces.
Thank you for your reply.
So in my case I should be configuring the failover MAC address on the following interfaces, right?
GigabitEthernet0/0 TenGigabitEthernet0 Port-channel1
Yes, that should be fine for your setup.
Sorry for the delayed response. You said to just configure the virtual MAC for the Port-Channel1 interface, but in my case I don't have any interface_name for Po1, so what should I use in the following command?
interface Port-channel1
 description ** vPC Link to leaf-2-[1,2] **
 lacp max-bundle 8
 no nameif
 no security-level
 no ip address
What interface name should I be using here?
failover mac address <interface_name>
I have many VLAN interfaces on Po1, so should I add a failover MAC for each with the same MAC?
Port-channel1.64         inside        10.64.0.1        255.255.248.0     CONFIG
Port-channel1.65         mgmt          10.65.0.1        255.255.248.0     CONFIG
Port-channel1.66         ops           10.66.0.1        255.255.248.0     manual
Port-channel1.67         dmz-1         10.67.0.1        255.255.248.0     CONFIG
Port-channel1.68         dmz-2         10.68.0.1        255.255.248.0     CONFIG
Port-channel1.69         lab           10.69.0.1        255.255.248.0     manual
Port-channel1.70         pxe_boot      10.70.0.1        255.255.248.0     CONFIG
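The advice given earlier in the thread (set the failover MAC once on each parent physical or port-channel interface; VLAN sub-interfaces inherit it, and the port-channel members need nothing) can be turned into a small planning script. The following is an added example, not code from the original posts or from Cisco: it parses a reflowed copy of the `show ip` table quoted above, collapses every sub-interface (`Port-channel1.64`, `TenGigabitEthernet0/8.4`, ...) to its parent, drops the failover link itself, and emits one `failover mac address` line per parent. The ASA command takes the physical interface ID (e.g. `Port-channel1`) rather than the `nameif`, which is why a port-channel with `no nameif` is still addressable here. The active/standby MAC values are constructed, locally administered placeholders; the `SHOW_IP` sample, the regular expression and all function names are the example's own.

```python
"""Plan ASA failover (virtual) MAC assignments from 'show ip' output.

Sub-interfaces inherit the parent's MAC, so only parent physical and
port-channel interfaces get a 'failover mac address' line.
"""
import re
from typing import List, Tuple

# Constructed sample: the 'show ip' table from the thread, one interface per line.
SHOW_IP = """\
System IP Addresses:
Interface                Name          IP address       Subnet mask       Method
GigabitEthernet0/0       outside       184.108.40.206   255.255.255.248   CONFIG
TenGigabitEthernet0/8.4  dci           172.30.1.254     255.255.254.0     CONFIG
TenGigabitEthernet0/8.5  ilo           172.30.8.1       255.255.248.0     CONFIG
Port-channel1.64         inside        10.64.0.1        255.255.248.0     CONFIG
Port-channel1.65         mgmt          10.65.0.1        255.255.248.0     CONFIG
Port-channel1.70         pxe_boot      10.70.0.1        255.255.248.0     CONFIG
Redundant1               FailoverLink  192.168.100.1    255.255.255.0     unset
"""

# Interface ID (letters/hyphens, slot/port digits, optional .vlan), nameif, IPv4.
IFACE_RE = re.compile(
    r"^(?P<iface>[A-Za-z-]+\d+(?:/\d+)*(?:\.\d+)?)\s+"
    r"(?P<name>\S+)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parent_interface(iface: str) -> str:
    """Strip a sub-interface suffix: 'Port-channel1.64' -> 'Port-channel1'."""
    return iface.split(".", 1)[0]


def parents_needing_virtual_mac(show_ip: str,
                                exclude_prefixes: Tuple[str, ...] = ("Redundant",)) -> List[str]:
    """Return parent interfaces, in first-seen order, that should carry a failover MAC.

    The failover link (Redundant1 here) is excluded: it carries no data-plane
    ARP neighbours, so a virtual MAC buys nothing there.
    """
    parents: List[str] = []
    for line in show_ip.splitlines():
        match = IFACE_RE.match(line)
        if not match:
            continue  # header or 'System IP Addresses:' line
        parent = parent_interface(match.group("iface"))
        if parent.startswith(exclude_prefixes):
            continue
        if parent not in parents:
            parents.append(parent)
    return parents


def virtual_mac_pair(index: int) -> Tuple[str, str]:
    """Constructed placeholder MACs in ASA dotted format.

    0200.xxxx.xxxx has the locally administered bit set, so it cannot collide
    with a vendor-burned address; still choose your own values and keep every
    active/standby pair unique within the broadcast domain.
    """
    return (f"0200.0000.{index:02x}01", f"0200.0000.{index:02x}02")


def failover_mac_commands(show_ip: str) -> List[str]:
    """One 'failover mac address <phy_if> <active> <standby>' line per parent."""
    commands: List[str] = []
    for i, parent in enumerate(parents_needing_virtual_mac(show_ip), start=1):
        active, standby = virtual_mac_pair(i)
        commands.append(f"failover mac address {parent} {active} {standby}")
    return commands


if __name__ == "__main__":
    for cmd in failover_mac_commands(SHOW_IP):
        print(cmd)
```

Running it against the sample prints three lines, one each for GigabitEthernet0/0, TenGigabitEthernet0/8 and Port-channel1; the seven VLAN sub-interfaces on Port-channel1 produce no lines of their own because they inherit the parent's MAC. After applying the commands, `show int po1 | grep MAC` and `show int Port-channel1.64 | grep MAC` on the active unit should both report the active virtual MAC, and the standby unit the standby one.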