Configure Virtual MAC Addresses for FTD HA

Available Languages

Download Options

PDF (245.4 KB)
View with Adobe Reader on a variety of devices

Updated:July 29, 2024

Document ID:222235

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Background Information

Configuration

Verification

Introduction

This document describes how to configure Virtual MAC addresses on a Firewall Threat Defence (FTD) High-Availability (HA) pair.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

Secure Firewall Threat Defense (FTD)
Secure Firewall Management Center (FMC)

Components Used

FMC virtual version 7.2.8
FTD virtual version 7.2.7

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

Background Information

Configuring virtual MAC addresses on an FTD HA pair is beneficial to the availability of a network. Virtual MAC addresses allow the primary and secondary FTD to maintain consistent MAC addresses which prevents certain traffic disruptions.

Without virtual MAC addresses configured, each unit of the HA pair boots using its burned-in MAC addresses. In the event the secondary unit boots without detecting the primary unit, it becomes the active unit and uses its burned-in MAC addresses. When the primary unit is eventually brought online, the secondary unit obtains the primary unit's MAC addresses which can cause network disruptions. New MAC addresses are also used if the primary unit is replaced with new hardware. Having virtual MAC addresses configured on the devices protects against this disruption. This is because the secondary unit knows the primary units MAC addresses at all times and continues using the correct MAC addresses when it is the active device, even if it comes online before the primary unit.

Note: The terms Virtual MAC address and Interface Mac address can be used interchangeably.

For additional information on the benefits of this configuration, refer to this guide.

Configuration

1. From the FMC GUI, navigate to the Devices page and edit the HA pair by clicking the pencil icon on the far right.

FTD HA Pair

2. Under the High Availability tab, locate the box labeled Interface MAC Addresses. Click the + icon to access the editor.

Interface MAC Addresses Box

3. From the editor, select the Physical Interface and configure the Active/Standby Interface Mac Addresses. Click OK when completed.

Interface Mac Address Creation

Note: When configuring the virtual MAC addresses, it is helpful to adhere to a standard convention. The addresses within the interfaces need to be valid MAC addresses but can be arbitrary in nature. Using a standard convention allows for ease of management when checking the upstream or downstream MAC address tables. MAC address formatting requires 12 hexadecimal digits with periods separating each set of 4 digits.

4. Repeat the process for any remaining interfaces needing virtual Mac address configurations.

5. Confirm the configurations are correct.

Interface Mac Address Configurations