PIX - Failover mac address

From: Salau, Yemi (yemi.salau@siemens.com)
Date: Fri Mar 28 2008 - 10:24:27 ART


Hello Guys

Apologies as I have searched through the groupstudy archives and could
only come up with this post:
http://www.groupstudy.com/archives/security/200510/msg00000.html which
isn't exactly what I'm looking for, or rather didn't address the issue
I'm thinking of.

This is relating to the issue highlighted in this Cisco link:
http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/failover.html#wp1073913
for the 7.1(2) Security Appliance version & the Command Reference
Documentation:
http://www.cisco.com/en/US/docs/security/asa/asa71/command/reference/ef_711.html#wp1679904
 
So, I'm thinking, do we really need this "failover mac address" command
for failover to work properly? I'm not a security expert, so I would love
to hear from the PIX & ASA gurus in the house.

But my own take on this is:
- Primary unit's mac-address is always associated with the active unit
as stated in the first Cisco Link I highlighted.
- If failover occurs for whatever reason to the Secondary unit, it
uses its burnt-in MAC for the LAN interfaces, until it somehow gets the
primary unit's mac-address information.
- A part of my brain thinks the Secondary unit also sends its mac-address
info to the Primary unit, another part doesn't. (Although this isn't
highlighted in the Cisco Documentation link above. It's just my best guess!)
- A part of my brain thinks even if the Secondary & Primary units
exchange mac-address information for the LAN connections, there
shouldn't be any problem, as this process is completely transparent to
users behind the firewall.
- I also think now that if & when the Secondary and Primary units
exchange the mac-address information, that confuses the Switches behind
them.

So, I could be wrong, as most of my bullet points are only hypotheses... my
best guess. So, the question is, do we really need the command "failover
mac address" to resolve such a scenario, and if we do, what are the
implications of not using this command... bearing in mind that Cisco
classified this configuration as "Optional" on their documentation page.

Many Thanks
 
Yemi Salau
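As an added illustration (not part of the original post, and not taken from Cisco's documentation), here is the command in the context of a LAN-based Active/Standby failover configuration on a PIX/ASA 7.x pair. The interface names, IP addresses and MAC addresses are constructed placeholders; the locally administered (0200.xxxx.xxxx) MACs are chosen so they cannot collide with any vendor burned-in address.

```cisco
! --- Default behaviour (no "failover mac address" lines) ---
! The active unit uses the PRIMARY unit's burned-in MACs on Ethernet0/1.
! If the secondary ever becomes active without having learned them, it
! answers with its own burned-in MACs, so the adjacent switches and the
! hosts' ARP caches see a different source MAC for the same IP.
failover
failover lan unit primary
failover lan interface folink Ethernet2
failover interface ip folink 10.255.0.1 255.255.255.252 standby 10.255.0.2

! --- Hardened: pin a virtual MAC pair to each data interface ---
! Whichever physical unit is active always sources traffic from the
! "active" MAC, and the standby from the "standby" MAC, so a failover
! never presents a new MAC to the switches for the active address.
! (Placeholder values; pick your own locally administered addresses.)
failover mac address Ethernet0 0200.0a00.0001 0200.0a00.0002
failover mac address Ethernet1 0200.0a00.0101 0200.0a00.0102
```

After applying it, "show failover" on both units should report the same configured MACs for the active and standby roles regardless of which chassis currently holds the active role.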



This archive was generated by hypermail 2.1.4 : Tue Apr 01 2008 - 07:53:54 ART