Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
331
Views
0
Helpful
3
Replies

If the Cat.2900 has two MAC from one destination?

starjake2002
Level 1
Level 1

‎01-23-2003 04:14 PM - edited ‎03-02-2019 04:29 AM

Recently, We have tried to connect two Firewalls with Cat2900.

One firewall is active, another is standby.

and the other side of firewall has a cat2900 switch also.

Unfortunatly, I didn't check the mac table of the switch.

When I'd tested the ping to the switch over the the firewall, there was so many failures...

I reset the switch and ping test has been working properly.

So, I think the swich had have two MAC from one destination. so the result of ping test was not good.

I wonder the event can happen again... This is very critical... because if the firewall or switch doesn't work properly, I can not offer good service...

The symptom can happen?

Labels:
0 Helpful
3 Replies 3

thomas.chen
Level 6
Level 6

‎01-29-2003 12:46 PM

If you are talking about the ARP table in the switch, it can have only one MAC address mapped to a particular IP address. Two MAC addresses cannot be mapped to the same IP address. If you are talking about the MAC address table on the switch, duplicate MAC addresses are allowed only across different VLANs. Within the same VLAN, the switch cannot have two same MAC addresses in the address table. Next time you get a similar problem, you can check the MAC address and ARP tables on the switch to find out the problem.

0 Helpful

wkumari
Level 1
Level 1

‎01-29-2003 05:55 PM

Hmmm. You didn't mention what type of firewalls these are. Many version of Checkpoint have a very odd system where they use a multicast mac address. If you are runnning Checkpoint, you may want see if it is using the multicast mac failover system, and if so, statically hard-code the ARP entry. For some reason this helps immensly. If you are not running Checkpoint, you probably are not running into this problem (most other firewall failover systems use a VRRP type failover (or a physically down port)). You may want to check the mac entry and then try force a failover a few times to confirm that failover helps.

--Warren.

0 Helpful

starjake2002
Level 1
Level 1
In response to wkumari

‎02-03-2003 06:13 PM

First of all... thank you for your responding.

We configured two firewall as same IP and Mac. So, backup Firewall's state is 'unplumb' or 'shutdown'. so it has not sent any packet to the switches.

There is no possibility get any information from backup firewall as the switches.

Indead, the port of the switches have represented inpacket is 0.

The firewall is using Checkpoint and if the master get down, backup takeover the whole ip and mac of the master.... in fact, they have same ip and mac address... Backup firewall just takeover the work master doing....

They test each other through heartbeat link.

When we configured same ip and different mac to the firewalls we had some trouble to commuicate each vlan. Whenever the backup firewall takeover, we should clear arp cache of the router. So to reduce this useless effort, we fixed the ip and mac as same.

Actually, they had worked for 10 days. And the symptom as I mensioned happened and we reloaded the master firewall.

I'm anticipating your reply....

0 Helpful
Customers Also Viewed These Support Documents