Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Setting up HA on two NSA 2650's. Unclear instruction in guide.

Under step 3 for the SonicOS 6.5 setup it says:

https://www.sonicwall.com/support/knowledge-base/how-to-configure-high-availability-ha/170503978252820/

"Check "Enable Virtual MAC". Virtual MAC allows the Primary and Backup appliances to share a single MAC address. This greatly simplifies the process of updating network routing tables when a Failover occurs. Only the WAN or LAN switch to which the two appliances are connected needs to be notified. All outside devices will continue to route to the single shared MAC address.

My question is what does it mean by "notifying" the upstream or downstream switches that are going to see both of these MAC addresses showing up on different ports. Typically that'd result in STP blocking one of the ports as it'd see it as a switching loop. Is that all that's required here is to let STP on those devices do its normal thing, or is there something else I need to do to "notify" those devices?

Any help appreciated!

Category: Mid Range Firewalls
Reply

Answers

  • AjishlalAjishlal All-Knowing Sage ✭✭✭✭

    @MattF

    The Virtual MAC address allows the High Availability pair to share the same MAC address, which dramatically reduces convergence time following a fail-over. Convergence time is the amount of time it takes for the devices in a network to adapt their routing tables to the changes introduced by high availability.

    Without Virtual MAC enabled, the Active and Standby firewalls each have their own MAC addresses. Because the firewalls are using the same IP address, when a fail-over occurs, it breaks the mapping between the IP address and MAC address in the ARP cache of all clients and network resources. The Secondary firewall must issue an ARP request, announcing the new MAC address/IP address pair. Until this ARP request propagates through the network, traffic intended for the Primary firewall’s MAC address can be lost.

    The Virtual MAC address greatly simplifies this process by using the same MAC address for both the Primary and Secondary firewalls. When a fail-over occurs, all routes to and from the Primary firewall are still valid for the Secondary firewall. All clients and remote sites continue to use the same Virtual MAC address and IP address without interruption.

    By default, this Virtual MAC address is provided by the SonicWall firmware and is different from the physical MAC address of either the Primary or Secondary firewalls. This eliminates the possibility of configuration errors and ensures the uniqueness of the Virtual MAC address, which prevents possible conflicts. Optionally, you can manually configure the Virtual MAC address on the High Availability > Monitoring page.

    The Virtual MAC setting is available even if Stateful High Availability is not licensed. When Virtual MAC is enabled, it is always used even if Stateful Synchronization is not enabled.

    If you are connecting the Primary and Secondary firewalls to an Ethernet switch that uses the spanning tree protocol, be aware that it may be necessary to adjust the link activation time on the switch port to which the SonicWall interfaces connect. For example, on a Cisco Catalyst-series switch, it is necessary to activate spanning tree port fast for each port connecting to the SonicWall firewall’s interfaces.

    I hope above explanation will help you to understand more about the SonicWALL HA & Virtual MAC.

Sign In or Register to comment.