[ScreenOS] How is the virtual MAC address for a pair of Active/Passive firewalls derived?

  [KB7435]


Summary:
How is the virtual MAC address for a pair of Active/Passive firewalls derived?
Symptoms:

Environment:

  • NSRP Active Passive
  • VMAC
  • ARP table on router or switch

Symptoms & Errors: 

  • Duplicate MAC address seen when 2 NSRP Clusters with same Cluster ID and VSD-Group are attached to the same switch.
Solution:
NOTE:  If running ScreenOS 6.1 or later, also refer to KB11150 - Virtual MAC (VMAC) address for HA pair when using nsrp-max-cluster and nsrp-max-vsd variables.
 

The virtual MAC address for the shared interface of an Active/Passive NSRP pair has the following format:  

00.10.db.ff.<wx>.<yz>

where

w - cluster ID (id:1 -> 2, id:2 -> 4, id:3 -> 6, id:4 -> 8, id:5 -> a, id:6 -> c, id:7 -> e)
xy - interface number in hex
z - vsd group


For example, you can see the virtual MAC address for eth2/1 below (shown in the 'get int' output). 

eth2/1           0.0.0.0/0          Trust       0010.dbff.a070    -   D   0   Root

The cluster ID is 5 (which translates to w = a using the mapping above). 
The interface number is 07 (shown as 'number 7' in the 'get int eth2/1' output below). 
The VSD group ID is 0.

ns5200(M)-> get config | inc nsrp
set nsrp cluster id 5
set nsrp vsd-group id 0 priority 100

ns5200(M)-> get int eth2/1
Interface ethernet2/1(VSI):
  number 7, if_info 229432, if_index 0, mode nat
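
The format above can be checked mechanically. The following Python sketch is an added example, not Juniper code: it builds and decodes the VMAC exactly as described in this article and flags the duplicate-MAC condition from "Symptoms & Errors". The function names and the sample inventory are hypothetical, and it covers only the format on this page (not the nsrp-max-cluster / nsrp-max-vsd variant in KB11150).

```python
import re
from collections import defaultdict

PREFIX = "0010.dbff"  # fixed leading bytes from the article's format

def nsrp_vmac(cluster_id, if_number, vsd_group):
    """Build 0010.dbff.<w><xy><z> as described in the article."""
    if not 1 <= cluster_id <= 7:
        raise ValueError("article lists cluster IDs 1-7 only")
    if not 0 <= if_number <= 0xFF:
        raise ValueError("interface number must fit two hex digits (xy)")
    if not 0 <= vsd_group <= 0xF:
        raise ValueError("VSD group must fit one hex digit (z)")
    w = cluster_id * 2  # id:1 -> 2, id:5 -> a, id:7 -> e
    return f"{PREFIX}.{w:x}{if_number:02x}{vsd_group:x}"

def decode_vmac(mac):
    """Return (cluster_id, if_number, vsd_group), or None if not an NSRP VMAC."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())  # accept 0010.dbff.a070 or 00:10:db:...
    if len(digits) != 12 or not digits.startswith("0010dbff"):
        return None
    w = int(digits[8], 16)
    if w == 0 or w % 2:  # w must be one of 2,4,6,8,a,c,e
        return None
    return w // 2, int(digits[9:11], 16), int(digits[11], 16)

def find_collisions(inventory):
    """inventory: (cluster pair name, cluster id, interface number, VSD group).
    Returns VMACs that more than one cluster pair would present."""
    seen = defaultdict(set)
    for pair, cid, ifnum, vsd in inventory:
        seen[nsrp_vmac(cid, ifnum, vsd)].add(pair)
    return {mac: sorted(p) for mac, p in seen.items() if len(p) > 1}

# Constructed inventory for illustration: pair-A and pair-B share cluster ID 5
# and VSD group 0 on interface number 7, so both would answer ARP with the same
# VMAC if attached to the same switch.
SAMPLE = [("pair-A", 5, 7, 0), ("pair-B", 5, 7, 0), ("pair-C", 3, 7, 0)]

if __name__ == "__main__":
    print(decode_vmac("0010.dbff.a070"))
    print(find_collisions(SAMPLE))
```

Giving each NSRP cluster on a shared Layer 2 segment a distinct cluster ID changes w and removes the collision.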


 
Modification History:
2017-12-26: Article reviewed for accuracy. Added ScreenOS tag to the title. Article is correct and complete.