Re: PIX - Failover mac address

From: saheed Balogun (saheedb@gmail.com)
Date: Fri Mar 28 2008 - 13:53:00 ART


Hi Yemi,
The command is not necessary to make your failover work.
It may be useful: "If the secondary unit boots first and becomes active, it uses
the burned-in MAC address for its interfaces. When the primary unit comes
online, the secondary unit obtains the MAC addresses from the primary unit".

The change of mac-address from the secondary to the primary may disrupt
network traffic.

On 3/28/08, Salau, Yemi <yemi.salau@siemens.com> wrote:
>
> Hello Guys
>
> Apologies as I have searched through the groupstudy archives and could
> only come up with this post:
> http://www.groupstudy.com/archives/security/200510/msg00000.html which
> isn't exactly what I'm looking for, or rather didn't address the issue
> I'm thinking of.
>
> This is relating to the issue highlighted in this Cisco link:
> http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/failover.html#wp1073913
> for 7.1(2) Security Appliance version & the Command Reference Documentation:
> http://www.cisco.com/en/US/docs/security/asa/asa71/command/reference/ef_711.html#wp1679904
>
> So, I'm thinking, do we really need this "failover mac address" command
> for failover to work properly. I'm not a security expert, so I would love
> to hear from the PIX & ASA gurus in the house.
>
> But my own take on this is:
> - Primary unit's mac-address is always associated with the active unit
> as stated in the first Cisco Link I highlighted.
> - If Failover occurs for whatsoever reason to the Secondary unit, it
> uses its burnt-in MAC for the LAN interfaces, until it somehow gets the
> primary unit's mac-address information.
> - A part of my brain thinks the Secondary unit also sends its mac-address
> info to the Primary unit, another part doesn't. (Although this isn't
> highlighted in the Cisco Documentation link above. It's just my best guess!)
> - A part of my brain thinks even if the Secondary & Primary units
> exchange mac-address information for the LAN connections, there
> shouldn't be any problem, as this process is completely transparent to
> users behind the firewall.
> - I also think now that the "if & when" Secondary and Primary units
> exchange the mac-address information, that confuses the Switches behind
> them.
>
> So, I can be wrong as most of my bullet points are only hypotheses... my
> best guess. So, the question is, do we really need the command "failover
> mac address" to resolve such a scenario, and if we do, what are the
> implications of not using this command ... bearing in mind that Cisco
> classified this configuration as "Optional" on their documentation page.
>
> Many Thanks
>
> Yemi Salau
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
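As an added illustration of the command being discussed (this is an editor's constructed example, not configuration posted by either Saheed or Yemi), below is an ASA 7.x-style Active/Standby failover fragment with the optional "failover mac address" lines included. The interface names, failover link addresses and MAC addresses are placeholders; the MACs use a locally-administered prefix so they cannot collide with a burned-in address.

```cisco
! Constructed example, not from the thread. Interface names, addresses and
! MAC addresses are placeholders chosen for illustration.
!
! Without "failover mac address" the active unit uses the primary unit's
! burned-in MACs. If the secondary boots first it uses its own burned-in
! MACs until it learns the primary's, and the switches' MAC tables must
! relearn the new addresses when that happens.
!
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/2
failover link folink GigabitEthernet0/2
failover interface ip folink 10.0.0.1 255.255.255.252 standby 10.0.0.2
!
! Optional: pin a virtual active/standby MAC pair per data interface so the
! MAC seen by the switches never depends on which unit happened to boot first.
! Syntax: failover mac address <phy_if> <active_mac> <standby_mac>
failover mac address GigabitEthernet0/0 0200.0000.0a01 0200.0000.0a02
failover mac address GigabitEthernet0/1 0200.0000.0b01 0200.0000.0b02
```

These lines are entered on the primary and replicated to the secondary by configuration synchronisation; "show failover" on either unit lists the MAC address each data interface is currently using, which is the quickest way to confirm whether a unit is running on its burned-in address or on the configured virtual pair.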



This archive was generated by hypermail 2.1.4 : Tue Apr 01 2008 - 07:53:54 ART