Can Layer 2 Bridged Mode and Virtual MAC be used at the same time?
I recently got my second firewall installed and set up HA, but that quickly resulted in internet connectivity dropping for the entire building. I had a technician help me work through the issue, and right at the end of my appointment we discovered a port set up as a Layer 2 Bridge was what was causing the issue. We both had other appointments to get to, so I didn't have the opportunity to ask why that was or how it could be addressed, so I simply made do without the bridge.
On this site here https://www.sonicwall.com/support/knowledge-base/l2-bridge-mode-with-high-availability/200513163606743/
they say Virtual MAC isn't useful:
Under Manage | High Availability | Base Setup, do not enable the Virtual MAC option when configuring High Availability. In a Layer 2 Bridged Mode configuration, this function is not useful.
Is this what was causing my issue?
Answers
I can't say for certain if this configuration is causing your issue, but it does seem possible. Just to be transparent here, please keep in mind that L2 Bridge Mode is uncommon. We don't see that very often, so I do have limited data to go by.
When using Bridge mode, the traffic-passing interfaces are BRIDGED and the interfaces do not have IP addresses assigned (no use for it). Therefore, with no IP addresses, why do we need the Virtual MAC feature?
There is no ARP-ing of MAC addresses, since the traffic simply passes through the SonicWall at a layer 2 level (no routing). Virtual MAC usually comes into play when there are interfaces with IPs on the SonicWall that need to fail over. This is literally a bridge between two networks. Given all the variables with switches and CAM tables, including timers, it does seem like this could potentially cause some interruptions / confusion. Also keep in mind that PortShield (basic switch) and Bridge mode require the firewall interfaces to behave like a switch, with switch behavior. I'm guessing that the Virtual MAC option may have caused issues or confusion in the past, especially since some switches, especially edge models, will sometimes have Gratuitous ARP support disabled for security reasons.
Once again, limited experience/data to go on here. HTH.
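Added example, not from this thread or from SonicWall: a small Python model of the mechanism this answer describes (the switch CAM table plus the hosts' ARP caches) to show why Virtual MAC matters on a routed HA failover, and how a switch that filters gratuitous ARP changes the outcome. Gateway IP, MACs, port numbers and the ARP timeout are constructed values.

```python
from dataclasses import dataclass, field

GW_IP = "10.0.0.1"                  # constructed gateway address
VMAC = "00:17:c5:aa:bb:cc"          # assumed shared Virtual MAC
PRIMARY_MAC = "00:17:c5:11:11:11"   # assumed physical MAC of the primary unit
SECONDARY_MAC = "00:17:c5:22:22:22" # assumed physical MAC of the secondary unit
ARP_TIMEOUT = 300                   # assumed host ARP cache lifetime, seconds

@dataclass
class Network:
    accept_garp: bool = True                   # edge switches may filter GARP
    cam: dict = field(default_factory=dict)    # switch CAM table: MAC -> port
    arp: dict = field(default_factory=dict)    # host ARP cache: IP -> (MAC, age)

    def frame_from(self, mac, port):
        """Any frame from the active unit lets the switch learn its source MAC."""
        self.cam[mac] = port

    def garp(self, ip, mac, port):
        """Gratuitous ARP from the newly active unit. Model assumption: the switch
        learns the source MAC, but hosts only update if the GARP is let through."""
        self.frame_from(mac, port)
        if self.accept_garp:
            self.arp[ip] = (mac, 0)

    def age(self, seconds, active_mac):
        """Age the gateway ARP entry; once expired, hosts re-ARP and learn
        whichever MAC is answering for the gateway now."""
        mac, age = self.arp[GW_IP]
        if age + seconds >= ARP_TIMEOUT:
            self.arp[GW_IP] = (active_mac, 0)
        else:
            self.arp[GW_IP] = (mac, age + seconds)

    def gateway_reachable(self, active_port):
        """Hosts reach the gateway only if the MAC they hold is learned on the
        port where the currently active unit sits."""
        mac, _ = self.arp[GW_IP]
        return self.cam.get(mac) == active_port

def failover(virtual_mac, accept_garp, seconds_after=0):
    """True if hosts reach the gateway `seconds_after` the secondary takes over."""
    net = Network(accept_garp=accept_garp)
    primary = VMAC if virtual_mac else PRIMARY_MAC
    secondary = VMAC if virtual_mac else SECONDARY_MAC
    net.frame_from(primary, 1)          # primary active on switch port 1
    net.arp[GW_IP] = (primary, 0)       # hosts have already resolved the gateway
    net.garp(GW_IP, secondary, 2)       # failover: secondary announces on port 2
    net.age(seconds_after, secondary)
    return net.gateway_reachable(active_port=2)
```

The case with no Virtual MAC and a switch that filters GARP is the changeover delay described in this thread: every host keeps the old unit's MAC until its ARP entry ages out, while with Virtual MAC the hosts' cached MAC never changes and only the switch needs to relearn the port.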
My understanding of the Virtual MAC feature is that it is specifically for HA, so if a failover does happen, nothing changes from the end user device standpoint: all systems, servers and other devices continue to talk to the same MAC address as they were previously, whereas without the Virtual MAC feature there would be some changeover time for each device.
Is this incorrect?
The reason we had a bridged interface was to get a WiFi SSID onto the same network subnet and VLAN as a wired interface. We had some software that was using broadcasts that needed to go over WiFi; we have since changed to using multicast, but we're also running into issues with multicast.
JORDONCLUNICH
Your statements are correct, I believe. I see we are getting more details now, so this is the setup. You are using a standard Gateway/Routed setup. I honestly wasn't sure if that was the case or if you were trying to do an L2 Bridge Mode HA setup (rare). This is good though. The KB(s) on Configuring High Availability all mention that you are not supposed to use PortShield or Bridge mode with HA. I don't know the exact details as to the why or the history, at least not fully, but if it isn't supported then let's find another way to meet this need.
I would advise reaching out to your local SE to run some options by that person. Personally, I cover TOLA for Customers and Partners. If you are not sure who your SE is, then feel free to email me and I will find out. Also, your partner should be able to tell you. moctavian@