ASA virtual mac best practice

Answered Question
Aug 20th, 2010

Will it cause issues if the burned-in MAC addresses are used as the virtual MAC addresses when configuring failover on an ASA? Or will that cause issues in the case where the secondary comes up first and assumes the active state using the MAC addresses of the primary? Some delay in applying the virtual MAC addresses or something on the primary?

Or is it a better idea to define your own random MAC addresses and use those instead as the virtual MAC addresses?

Jitendriya Athavale Fri, 08/20/2010 - 08:14

What exactly do you mean by virtual MAC address?

When in failover, the MAC address of the primary is used when the primary comes up first, and when the secondary becomes active it gets this MAC address.

When in a failover pair the secondary comes up first, since the failover cluster does not detect a primary, it will use the MAC of the secondary to pass traffic.

Hope this is what you need.

You can read more here:

https://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1091288

ben.wiechman Fri, 08/20/2010 - 08:25

When the secondary comes up first and the primary is not available, it will use its own MAC address and not that of the primary. When the primary comes up, the MAC address will be updated to be that of the primary, causing a short interruption. The recommendation is to configure a virtual MAC address (https://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1073913) so that this does not happen.

Instead of inventing a set of MAC addresses to use (and hoping that at some point there won't be duplication, etc.), would it cause issues to just use the actual physical MAC addresses and configure those as the virtual MAC addresses?

praprama Fri, 08/20/2010 - 08:36

Hey Ben,

I would think this will not cause problems. Since the virtual MACs will take precedence over the actual MAC addresses, even if we have the actual MAC addresses as the virtual MACs, there shouldn't be a problem. But I must tell you that I have not really tried this before, and also, the probabilities of duplication if you use invented virtual MAC addresses are really low.

Thanks,

Prapanch

ben.wiechman Fri, 08/20/2010 - 08:48

I couldn't think of any reason why it wouldn't work; I just wondered if anyone had tried it and run into something goofy.

Thanks

praprama Fri, 08/20/2010 - 08:50

I think I will leave it for someone who has tried this to answer whether there can be any glitches. But my thought too is that it should work just fine. If you manage to try it out, let us know how it goes.

Thanks and Regards,

Prapanch

teater Fri, 09/21/2012 - 12:57

I would like to do the same and set the virtual MAC address as the real MAC address of the current active unit. My reason is the ISP is very unresponsive (>4 hours) to clear their ARP table, which makes it difficult to plan some future upgrades.

Has anyone set the virtual to be the same as the real MAC address?

Correct Answer
grant.maynard Tue, 03/08/2016 - 09:49

You can't do it; the ASA rejects this and gives an error:

DC-FW/unit1/master(config)# int po 23
DC-FW/unit1/master(config-if)#  mac-address 8d64.2406.1cb7
ERROR: active address equals to burn-in address
DC-FW/unit1/master(config-if)# int po 24
DC-FW/unit1/master(config-if)#  mac-address 8d64.2406.1cbd
ERROR: active address equals to burn-in address
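The thread ends with the ASA refusing a virtual MAC that equals the interface's burned-in address, and the earlier advice was to define your own addresses instead. The script below is an added example, not code from this thread or from Cisco: it generates an active/standby virtual MAC pair with the IEEE locally-administered (U/L) bit set and the multicast (I/G) bit clear, and it pre-checks a planned failover MAC table for the same conflict the ASA reports (virtual address equal to the burned-in address) plus duplicates across interfaces. The Cisco dotted-hex MAC format, the interface names and all address values are constructed for the example; the check goes slightly beyond the thread by also flagging addresses that are not locally administered, which is how invented addresses stay clear of vendor OUIs.

```python
"""Generate and sanity-check ASA-style virtual MAC addresses (hhhh.hhhh.hhhh)."""
import random
import re

# Cisco dotted-hex notation, e.g. 0200.5e10.0001 (constructed example value).
MAC_RE = re.compile(r"^([0-9a-f]{4})\.([0-9a-f]{4})\.([0-9a-f]{4})$")


def parse_mac(text: str) -> bytes:
    """Parse Cisco dotted-hex notation into six raw bytes."""
    m = MAC_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"not a Cisco-format MAC: {text!r}")
    return bytes.fromhex("".join(m.groups()))


def format_mac(raw: bytes) -> str:
    """Render six raw bytes back into Cisco dotted-hex notation."""
    h = raw.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def is_locally_administered(raw: bytes) -> bool:
    """IEEE U/L bit (bit 1 of the first octet): set means not a vendor-assigned address."""
    return bool(raw[0] & 0x02)


def is_multicast(raw: bytes) -> bool:
    """IEEE I/G bit (bit 0 of the first octet): set means a group address, never valid as a unicast MAC."""
    return bool(raw[0] & 0x01)


def generate_virtual_mac_pair(rng=None):
    """Return (active, standby) as distinct, locally administered unicast MACs.

    rng is any object with getrandbits(); defaults to the OS CSPRNG.
    """
    rng = rng or random.SystemRandom()

    def one() -> bytes:
        first = (rng.getrandbits(8) | 0x02) & 0xFE  # force U/L=1, I/G=0
        return bytes([first]) + rng.getrandbits(40).to_bytes(5, "big")

    active = one()
    standby = one()
    while standby == active:
        standby = one()
    return format_mac(active), format_mac(standby)


def check_virtual_macs(interfaces):
    """Pre-check a planned table before typing it into the ASA.

    interfaces: list of dicts with keys name, burned_in, active, standby.
    Returns a list of problem strings; an empty list means the plan is clean.
    """
    problems = []
    seen = {}  # raw MAC -> "interface/role" that first claimed it
    for iface in interfaces:
        name = iface["name"]
        bia = parse_mac(iface["burned_in"])
        for role in ("active", "standby"):
            mac = parse_mac(iface[role])
            if mac == bia:  # the case the ASA itself rejects
                problems.append(f"{name}: {role} address equals the burned-in address")
            if is_multicast(mac):
                problems.append(f"{name}: {role} address has the I/G (multicast) bit set")
            if not is_locally_administered(mac):
                problems.append(f"{name}: {role} address is not locally administered (U/L bit clear)")
            owner = seen.setdefault(mac, f"{name}/{role}")
            if owner != f"{name}/{role}":
                problems.append(f"{name}: {role} address duplicates {owner}")
    return problems


# Constructed sample plan; no real device values. The first entry repeats the
# mistake from the thread (virtual active == burned-in), the second is clean.
SAMPLE_PLAN = [
    {"name": "Port-channel23", "burned_in": "0011.2233.4455",
     "active": "0011.2233.4455", "standby": "0211.2233.4456"},
    {"name": "Port-channel24", "burned_in": "0011.2233.4466",
     "active": "0200.0000.2401", "standby": "0200.0000.2402"},
]

if __name__ == "__main__":
    for problem in check_virtual_macs(SAMPLE_PLAN):
        print("PROBLEM:", problem)
    act, sby = generate_virtual_mac_pair()
    print(f"suggested pair: mac-address {act} standby {sby}")
```

Run it as-is to see the two findings on the constructed Port-channel23 entry and a freshly generated pair; feed your own planned table into `check_virtual_macs` before committing the `mac-address ... standby ...` lines, so the duplicate or burned-in collision is caught on a workstation rather than at the CLI.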
