10-13-2024 01:29 AM
Hello,
I am working on setting up HA for FTD appliances for a customer. I have been using the syntax aaaa.bbbb.xxx1 and aaaa.bbbb.xxx2 usually for assigning interface virtual MACs on the primary and secondary respectively. I have the below queries regarding this.
1- Is there any best practice, like a specific MAC range to be used? (For example, private MAC addresses.)
2- I can see two places to configure it: under the interface advanced settings and under the high availability settings. Usually I configure it under the high availability settings. Is this the recommended method?
Thanks
Shabeeb
10-13-2024 05:16 AM
#1 - In general, even though it's only locally significant on this VLAN in your environment, using easily identifiable private MAC addresses both prevents conflicts and stands out when you're viewing the MAC address tables on the switches.
Here are some guidelines, both old and new updated RFC, on private MAC addresses:
Old, but easy to understand: https://www.oasys.net/fragments/identify-private-macs/
Legacy RFC: https://www.rfc-editor.org/rfc/rfc7042.html#section-2.1
New RFC: https://www.rfc-editor.org/rfc/rfc9542
#2
Some of the guides also only reference configuring it under the high availability settings, but the only recommendation I've seen is to use only one method, don't combine (i.e. don't configure under both the interface and the high availability settings).
10-13-2024 05:52 AM
vMAC is recommended for the above issue in FW HA.
MHM
10-13-2024 06:31 AM
As others suggested, you can use private MAC addresses as long as they are not used anywhere in the network by other devices, and make others aware that you are using a MAC list centrally for visibility.
I am sure you followed the below document; in case not, FYI:
10-13-2024 06:46 AM
Hi Guys,
Thanks a lot for the response. Could someone provide me an example of a private MAC address range that you have used in FTD?
10-13-2024 07:38 AM
One of the posts gave that information; example:
You can also check the community thread:
10-13-2024 07:42 AM
Hello,
Thanks a lot for your response. When we use these ranges, should we tell the customer to make sure that they are not used for similar purposes? As you are aware, most of the smartphone vendors are enabling random MAC addresses by default, so is there any possibility that these can conflict with such devices?
10-13-2024 08:21 AM
You may have duplicate MAC addresses, but the point here is that as long as they do not cross the Layer 2 broadcast domain, that should be OK.
Like RFC 1918 address space: every customer always uses 192.168.x.x, but they are not routable to public space.
10-13-2024 08:23 AM
Hello,
Thanks a lot for your response. Just to confirm, the recommendation from Cisco is to use these private MAC address ranges for virtual MACs, right?
10-13-2024 09:54 AM
Configuring virtual MAC addresses on an FTD HA pair is beneficial to the availability of a network. Virtual MAC addresses allow the primary and secondary FTD to maintain consistent MAC addresses which prevents certain traffic disruptions.
Without virtual MAC addresses configured, each unit of the HA pair boots using its burned-in MAC addresses. In the event the secondary unit boots without detecting the primary unit, it becomes the active unit and uses its burned-in MAC addresses. When the primary unit is eventually brought online, the secondary unit obtains the primary unit's MAC addresses, which can cause network disruptions. New MAC addresses are also used if the primary unit is replaced with new hardware. Having virtual MAC addresses configured on the devices protects against this disruption. This is because the secondary unit knows the primary unit's MAC addresses at all times and continues using the correct MAC addresses when it is the active device, even if it comes online before the primary unit.
Note: The terms Virtual MAC address and Interface MAC address can be used interchangeably.
Check the benefits here:
That is the best practice we do; it depends on the method you use. As an engineer or designer, you need to understand how this works rather than purely relying on the suggestion; make sure you understand what is documented by Cisco (if you are still not clear, contact your local partner (SME) or Cisco TAC).
10-13-2024 11:30 PM
This link shows you the virtual MACs used by Cisco.
The MACs used:
aaaa.bbbb.1111
aaaa.bbbb.2222
MHM
10-13-2024 11:50 PM
Hello,
Thanks a lot for your response. I am currently using these for my customers. But are these MAC addresses reserved, or is there a possibility that some vendors are already using them?
10-14-2024 04:14 AM - edited 10-14-2024 04:15 AM
You can assign the virtual MACs from any of the private ranges provided in the link above, but if a network admin happens to assign the same MAC to another device on your network, you will have duplicate MACs on your network. This potential issue has nothing to do with the failover itself; it is part of your change control process, because it could happen with any device on your network outside of the firewalls' failover.
An option you might want to evaluate would be, instead of assigning new virtual MACs, to assign the virtual MACs with the same addresses as the burned-in MAC addresses of the primary and secondary firewalls. For instance, "failover mac address inside < primary firewall burned-in inside interface MAC > < secondary firewall burned-in inside interface MAC >". This way you don't have to worry about making up new MAC addresses. Obviously, if you happen to replace one of the two firewalls and you want to match the new burned-in MAC, then you would need to update that command with the new burned-in address.
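As an added example (not from any post in this thread, and not Cisco's code), a small Python checker for the virtual MAC pair discussed above: it decodes the I/G and U/L bits of the first octet, reports the SLAP quadrant from RFC 8948 (which RFC 9542 refers to), flags a pair that is multicast, universally administered (vendor OUI space) or identical, and renders the `failover mac address` line in the dotted notation used in the last post. It shows that the thread's `aaaa.bbbb.xxx1` convention is locally administered (0xAA has the U/L bit set) but sits in the ELI quadrant (second hex digit A), whereas the AAI quadrant (second hex digit 2) is the one set aside for locally chosen values; the sample addresses and the interface name are constructed for this example.

```python
import re

# SLAP quadrants for locally administered unicast MACs, keyed by the low nibble
# of the first octet (RFC 8948 / IEEE SLAP, referenced from RFC 9542).
SLAP_QUADRANT = {0x2: "AAI", 0x6: "Reserved", 0xA: "ELI", 0xE: "SAI"}


def parse_mac(text):
    """Accept Cisco dotted (aaaa.bbbb.0001), colon or hyphen notation; return 6 bytes."""
    digits = re.sub(r"[.:\-]", "", text.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)


def cisco_format(mac):
    """Render 6 bytes in the dotted form FTD/ASA configuration uses."""
    h = mac.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def classify_mac(text):
    """Decode the I/G and U/L bits of the first octet and the SLAP quadrant."""
    mac = parse_mac(text)
    first = mac[0]
    multicast = bool(first & 0x01)  # I/G bit: 1 = group (multicast) address
    local = bool(first & 0x02)      # U/L bit: 1 = locally administered
    # For a locally administered unicast address the low nibble is always 2, 6, A or E.
    quadrant = SLAP_QUADRANT[first & 0x0F] if local and not multicast else None
    return {"cisco": cisco_format(mac), "multicast": multicast,
            "locally_administered": local, "slap_quadrant": quadrant}


def check_vmac_pair(primary, secondary):
    """Return a list of problems with a primary/secondary virtual MAC pair (empty = OK)."""
    problems = []
    for role, text in (("primary", primary), ("secondary", secondary)):
        info = classify_mac(text)
        if info["multicast"]:
            problems.append(f"{role} {info['cisco']} is a multicast address")
        if not info["locally_administered"]:
            problems.append(f"{role} {info['cisco']} is not locally administered "
                            "(may collide with a vendor OUI)")
    if parse_mac(primary) == parse_mac(secondary):
        problems.append("primary and secondary virtual MACs are identical")
    return problems


def failover_mac_command(interface, primary, secondary):
    """Build the 'failover mac address' line quoted above, in dotted notation."""
    return (f"failover mac address {interface} "
            f"{cisco_format(parse_mac(primary))} {cisco_format(parse_mac(secondary))}")
```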