Cisco Support Community
Community Member

PIX Failover with Virtual MAC


I'm looking at configuring Failover between two PIX 535s and read about failover MAC addresses. I believe that this would be necessary as I don't want to have to wait for ARP to timeout after a failover...I would like the virtual MAC to be used instead, as this would never change and failover would happen much faster. What I am wondering is if there is any sort of user defined MAC conventions or issues I should be aware of when creating these virtual MACs? Can I just go ahead and create them using any HEX combo? I was thinking of using something along the lines of 0009.8a00.5351 (Pri) and 0009.8a00.5352 (Secondary). Would these be OK?

Thanks very much.
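An added check (example code, not from this thread or from Cisco) for the kind of convention the question asks about: it parses MACs in Cisco dotted-hex notation and reports the two IEEE 802 bits that matter when a virtual MAC is picked by hand, the I/G (multicast) bit, which must be clear, and the U/L bit, which marks an address as locally administered rather than taken from a vendor's OUI. The function names are my own; the two sample addresses are the ones proposed in the question.

```python
import re

# Cisco dotted-hex notation, e.g. "0009.8a00.5351" (three groups of four hex digits)
CISCO_MAC = re.compile(r"^([0-9a-fA-F]{4})\.([0-9a-fA-F]{4})\.([0-9a-fA-F]{4})$")


def parse_cisco_mac(text):
    """Return the six bytes of a MAC written in Cisco dotted-hex form, or raise ValueError."""
    m = CISCO_MAC.match(text.strip())
    if not m:
        raise ValueError("not in hhhh.hhhh.hhhh form: %r" % text)
    return bytes.fromhex("".join(m.groups()))


def check_virtual_mac(text):
    """Report the IEEE 802 properties of a hand-picked MAC (first octet carries both flag bits)."""
    mac = parse_cisco_mac(text)
    first = mac[0]
    return {
        "unicast": (first & 0x01) == 0,               # I/G bit clear: usable as a station address
        "locally_administered": (first & 0x02) != 0,  # U/L bit set: not tied to a vendor OUI
        "oui": mac[:3].hex(),                         # first three octets, the vendor block
    }


def check_failover_pair(active, standby):
    """Validate an active/standby MAC pair and return a list of problems (empty means OK)."""
    problems = []
    if parse_cisco_mac(active) == parse_cisco_mac(standby):
        problems.append("active and standby MACs must differ")
    for label, text in (("active", active), ("standby", standby)):
        props = check_virtual_mac(text)
        if not props["unicast"]:
            problems.append(f"{label}: multicast bit set, cannot be an interface address")
        elif not props["locally_administered"]:
            # A globally administered address belongs to whoever was assigned that OUI,
            # so a made-up one can collide with a real NIC on the same segment.
            problems.append(f"{label}: globally administered OUI {props['oui']}; "
                            "prefer a locally administered address")
    return problems


def make_locally_administered(text):
    """Set the U/L bit and clear the I/G bit on a MAC, returned in Cisco notation."""
    mac = bytearray(parse_cisco_mac(text))
    mac[0] = (mac[0] | 0x02) & 0xFE
    h = mac.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


if __name__ == "__main__":
    for mac in ("0009.8a00.5351", "0009.8a00.5352"):   # the pair proposed in the question
        print(mac, check_virtual_mac(mac), "->", make_locally_administered(mac))
    print(check_failover_pair("0009.8a00.5351", "0009.8a00.5352"))
```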

Community Member

Re: PIX Failover with Virtual MAC

I don't think you will need to do any messing with virtual MAC addresses. Let's say you're running off the primary right now. When the PIX fails over from primary to secondary, the failover unit takes over both the IP and the MAC address (the primary then takes over the secondary IP and MAC address). The bottom line is, whichever firewall is running, it will always be the same IP and MAC address according to the rest of your networking equipment.

Also, as I understand it, the PIX does not detect failover based on an ARP timeout. Instead, it constantly sends hello packets across all interfaces from one unit to the other.

We have a pair of 535s that failed over once or twice, and have never run into any time issues during a failover event. In fact, it was so transparent that we wouldn't have known it if our syslog server didn't send us the alerts.

Hope this helps.
