
PIX 7.2 Failover virtual MAC Address clarification

Jun 1, 2002
Can someone clarify my understanding of how to specify the MAC address for the failover mac address command (single context)?
I've read the docs, a couple of books and the help, but the term "virtual" keeps rearing its head and throws me for a loop.

failover mac address phy_if active_mac standby_mac

Do I use the actual MAC address of the phy_if, or do I create one?

The book I have states the following.

"You must be able to give unique MAC address to both the active and standby unit interfaces. Finding unique values isn't always straightforward. An easy method is to display the burned-in addresses (BIA) of all interfaces on the primary and secondary firewall units with the show interface command. The addresses of the primary unit can always be assigned to the active firewall and those of the secondary unit can be assigned to the standby firewall..... save and reboot both firewall units to make sure the NEW MAC addresses are being used correctly."

At first I read this as "use the interface MAC on its interface, simple."
Like this
BIA
Primary 0: Ext: Ethernet0 : address is 0005.3290.a83a
Secondary 0: Ext: Ethernet0 : address is 0005.b601.b81a

failover mac address ethernet0 0005.3290.a83a 0005.b601.b81a

Correct? That's not "virtual" since it's not made up, although it would be virtual in the event of a failover, I guess. We have suffered one time for not using failover mac address and I don't want a repeat of that.

Lend me your wisdom fellow PIX users.


 
I admit I've never had need to configure this command as the default is to use the BIA (Burned-In Address) of the interfaces in question anyway. I got the following from the PIX Command Reference that may go some way to clarifying your question:

The failover mac address command lets you configure virtual MAC addresses for an Active/Standby failover pair. If virtual MAC addresses are not defined, then when each failover unit boots it uses the burned-in MAC addresses for its interfaces and exchanges those addresses with its failover peer. The MAC addresses for the interfaces on the primary unit are used for the interfaces on the active unit.

However, if both units are not brought online at the same time and the secondary unit boots first and becomes active, it uses the burned-in MAC addresses for its own interfaces. When the primary unit comes online, the secondary unit will obtain the MAC addresses from the primary unit. This change can disrupt network traffic. Configuring virtual MAC addresses for the interfaces ensures that the secondary unit uses the correct MAC address when it is the active unit, even if it comes online before the primary unit.

The failover mac address command is unnecessary (and therefore cannot be used) on an interface configured for LAN-based failover because the failover lan interface command does not change the IP and MAC addresses when failover occurs. This command has no effect when the security appliance is configured for Active/Active failover.

When adding the failover mac address command to your configuration, it is best to configure the virtual MAC address, save the configuration to Flash memory, and then reload the failover pair. If the virtual MAC address is added when there are active connections, then those connections stop. Also, you must write the complete configuration, including the failover mac address command, to the Flash memory of the secondary security appliance for the virtual MAC addressing to take effect.

If the failover mac address is specified in the configuration of the primary unit, it should also be specified in the bootstrap configuration of the secondary unit.
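The command-reference text quoted above explains why virtual MAC addresses exist (so the secondary unit presents the right address even when it boots first) but does not show how to pick them. The Python helper below is an added example for this thread, not code from the original posts or from Cisco: it derives one locally administered (first octet 02), unicast active/standby pair per interface from a site-chosen prefix, checks that no virtual address is multicast, vendor-assigned, duplicated, or equal to a burned-in address on either unit, audits an existing `failover mac address` line by the same rules, and emits the config lines. The ethernet0 BIAs are the ones quoted in the thread; the ethernet1 BIAs, the 0x020000 prefix and the pair-numbering scheme are assumptions made for illustration.

```python
"""Derive and sanity-check virtual MAC addresses for a PIX Active/Standby
failover pair, then emit the matching 'failover mac address' lines.

Illustrative helper written for this thread, not Cisco code. The virtual
addresses are deliberately made up: unicast, locally administered (U/L bit
set) and distinct from every burned-in address (BIA) on either unit.
"""
import re

# BIAs as shown by 'show interface' on each unit. The ethernet0 values are
# the ones quoted in the thread; the ethernet1 values are constructed.
BIA = {
    "primary":   {"ethernet0": "0005.3290.a83a", "ethernet1": "0005.3290.a83b"},
    "secondary": {"ethernet0": "0005.b601.b81a", "ethernet1": "0005.b601.b81b"},
}

# Assumed site-chosen 24-bit prefix for the virtual addresses. 0x02 in the
# first octet sets the locally-administered bit and clears the multicast
# bit, so no vendor-assigned OUI can collide with it.
VIRTUAL_PREFIX = 0x020000

_MAC_RE = re.compile(
    r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$|^([0-9a-f]{2}[:-]){5}[0-9a-f]{2}$", re.I)
_CMD_RE = re.compile(r"^\s*failover mac address (\S+) (\S+) (\S+)\s*$")


def parse_mac(text: str) -> int:
    """Accept Cisco dotted (0005.3290.a83a) or colon/dash notation; return a 48-bit int."""
    if not _MAC_RE.match(text):
        raise ValueError(f"not a MAC address: {text!r}")
    return int(re.sub(r"[.:-]", "", text), 16)


def format_cisco(mac: int) -> str:
    """Render a 48-bit int the way PIX prints it: hhhh.hhhh.hhhh."""
    h = f"{mac:012x}"
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def is_unicast(mac: int) -> bool:
    return (mac >> 40) & 0x01 == 0


def is_locally_administered(mac: int) -> bool:
    return (mac >> 40) & 0x02 != 0


def virtual_pair(iface_index: int, prefix: int = VIRTUAL_PREFIX) -> tuple[int, int]:
    """Assumed scheme: interface n gets prefix:00:0n:00 (active) and :01 (standby)."""
    base = (prefix << 24) | (iface_index << 8)
    return base, base | 0x01


def build_plan(bia: dict, prefix: int = VIRTUAL_PREFIX) -> dict:
    """Map interface name -> (active_mac, standby_mac), one pair per interface."""
    return {name: virtual_pair(i, prefix) for i, name in enumerate(sorted(bia["primary"]))}


def validate(plan: dict, bia: dict) -> list[str]:
    """Return a list of problems; an empty list means the plan is safe to push."""
    problems = []
    burned_in = {parse_mac(m) for unit in bia.values() for m in unit.values()}
    seen = {}
    for iface, (active, standby) in plan.items():
        for role, mac in (("active", active), ("standby", standby)):
            label = f"{iface} {role} {format_cisco(mac)}"
            if not is_unicast(mac):
                problems.append(f"{label}: multicast bit set")
            if not is_locally_administered(mac):
                problems.append(f"{label}: not locally administered, may clash with a vendor OUI")
            if mac in burned_in:
                problems.append(f"{label}: equals a burned-in address of one unit")
            if mac in seen:
                problems.append(f"{label}: duplicates {seen[mac]}")
            seen[mac] = label
    return problems


def audit_line(line: str, bia: dict) -> list[str]:
    """Check an existing 'failover mac address phy_if active standby' line by the same rules."""
    m = _CMD_RE.match(line)
    if not m:
        raise ValueError(f"not a failover mac address command: {line!r}")
    iface, active, standby = m.groups()
    return validate({iface: (parse_mac(active), parse_mac(standby))}, bia)


def render_config(plan: dict) -> list[str]:
    """One 'failover mac address phy_if active_mac standby_mac' line per interface."""
    return [f"failover mac address {iface} {format_cisco(a)} {format_cisco(s)}"
            for iface, (a, s) in sorted(plan.items())]


if __name__ == "__main__":
    plan = build_plan(BIA)
    issues = validate(plan, BIA)
    if issues:
        raise SystemExit("\n".join(issues))
    print("\n".join(render_config(plan)))
    # Auditing the BIA-based line from the first post flags every address.
    for problem in audit_line("failover mac address ethernet0 0005.3290.a83a 0005.b601.b81a", BIA):
        print("finding:", problem)
```

Reusing a BIA as a virtual address is reported as a finding because an address tied to one chassis stops being virtual once that unit is replaced or redeployed elsewhere on the same network. The same lines go into the bootstrap configuration of the secondary unit, and, as the command reference quoted above says, both units should be written to Flash and reloaded after the change.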
 
Hmm, I did read almost the same text, but the text from the command reference uses BIA and virtual in the same statement, so making up a MAC address seems to be what's needed. I configured our 6.3 PIX a couple of weeks ago with the BIA of the inside and outside interfaces; I'd better go back to that. I'm surprised PDM didn't complain. It was a spur-of-the-moment thing in anticipation of a memory change done by a vendor in the field.

Thanks for the information, much appreciated
 