cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
427
Views
0
Helpful
12
Replies

Cisco FTD failover - Interface Virtual MAC Queries

Hello,

I am working on setting up HA for FTD appliances for a customer. I have been using the syntax aaaa.bbbb.xxx1 and aaaa.bbbb.xxx2 usually for assigning interface virtual MACs on the primary and secondary respectively. I have the below queries regarding this.

1- Is there any best practice like a specific mac range to be used? (for example, private mac addresses)

2- I can see two places to configure it. Under the interface advanced settings and under the high availability settings?. Usually I configure it under the high availability settings. Is this the recommended method?.

Thanks

Shabeeb

12 Replies 12

#1 - In general, even though it's only locally significant on this vlan in your environment, using easily identifiable private MAC addresses both prevents conflict and stand out when you're viewing the mac address tables on the switches.

Here are some guidelines, both old and new updated RFC, on private MAC addresses:

old, but easy to understand: https://www.oasys.net/fragments/identify-private-macs/

legacy rfc: https://www.rfc-editor.org/rfc/rfc7042.html#section-2.1

new rfc: https://www.rfc-editor.org/rfc/rfc9542

#2

Some of the guides also only reference configuring it under the high availability settings, but the only recommendation I've seen is only use one method, don't combine. (ie don't configure under both interface and high availability settings).

 

 

balaji.bandi
Hall of Fame
Hall of Fame

As other suggested, you can use private MAC address as long they are not used any where in the network by other devices, and make aware of others that you using MAC list centrally for visibility.

i am sure you followed below document, in case not, FYI :

 

https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212699-configure-ftd-high-availability-on-firep.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi Guys,

Thanks a lot for the response. Could some one provide me example of a private MAC address range that you have used in FTD?.

One of the post given that information :example :

  • x2-xx-xx-xx-xx-xx
  • x6-xx-xx-xx-xx-xx
  • xA-xx-xx-xx-xx-xx
  • xE-xx-xx-xx-xx-xx

You can also check the community thread :

https://community.cisco.com/t5/other-network-architecture-subjects/private-mac-address-range/td-p/585316#:~:text=In%20Ethernet%20MAC%20addresses%20the,is%20effectively%20a%20private%20MAC.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello,

Thanks a lot for your response. When we use these ranges, should we tell the customer to make sure that it should not be used for similar purposes?. As you are aware most of the smart phone vendors are enabling random MAC addresses by default, so is there any possibility that these can conflict with such devices?.

You may have duplicate MAC address, But the point here as long they do not cross the Layer 2 broadcast domain, that should be ok.

Like RFC1918 address space. every customer used 192.168,x,x always, but they don't  be routable to public space.

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello,

Thanks a lot for your response. Just to confirm, the recommendation from Cisco is to use these private MAC address range for virtual MAC right ? 

Configuring virtual MAC addresses on an FTD HA pair is beneficial to the availability of a network. Virtual MAC addresses allow the primary and secondary FTD to maintain consistent MAC addresses which prevents certain traffic disruptions.

Without virtual MAC addresses configured, each unit of the HA pair boots using its burned-in MAC addresses. In the event the secondary unit boots without detecting the primary unit, it becomes the active unit and uses its burned-in MAC addresses. When the primary unit is eventually brought online, the secondary unit obtains the primary unit's MAC addresses which can cause network disruptions. New MAC addresses are also used if the primary unit is replaced with new hardware. Having virtual MAC addresses configured on the devices protects against this disruption. This is because the secondary unit knows the primary units MAC addresses at all times and continues using the correct MAC addresses when it is the active device, even if it comes online before the primary unit.

Note: The terms Virtual MAC address and Interface Mac address can be used interchangeably.

check the benefits here :

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/high-availability.html?bookSearch=true

 

that is best practice we do, depends on the method you use - as engineer or designer need to understand how this works rather pure rely on the suggestion, make sure understand the documented by cisco, (if you still not clear, contact local partner (SME) or Cisco TAC.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212699-configure-ftd-high-availability-on-firep.html

This link show you virtual maç use by cisco

The maç use

Aaaa. Bbbbb. 11111

Aaaa. Bbbbb. 2222

MHM

Hello,

Thanks a lot for your response. I am currently using these for my customers. But are these MAC addresses reserved or there is a possibility that some vendors are already using it?.

You can assign the virtual MACs from any of the private ranges provided in the link above but if a network admin happens to assign the same MAC to another device on your network you will have duplicate MACs on your network. This potential issue has nothing to do with the failover itself, it is part of your change control process because it could happen with any device on your network out of the firewalls failover.

An option you might want to evaluate would be instead of assigning new virtual MACs you could assign the virtual MACs with the same addresses as the burned-in MAC addresses of the primary and secondary firewalls. For instance, "failover mac address inside < primary firewall burned-in inside interface MAC > < secondary firewall burned-in inside interface MAC >". This way you don't have to worry about making up new MAC addresses. Obviously, if you happen to replace one of the two firewalls and you want to match the new burned-in MAC then you would need to update that command with the new burned-in address.

Review Cisco Networking for a $25 gift card