FAQ: When should the virtual MAC function be enabled on the USG9100, and what networking limitations apply once it is enabled?
A: Applicable scenarios:
If the devices connected upstream and downstream of the firewall do not record the MAC addresses of their neighbouring devices and forward most traffic according to the routing table, the firewall sends gratuitous ARP after an active/standby switchover to update the ARP tables of those upstream and downstream devices. Service is not interrupted by the switchover even if the firewall sends packets without a virtual MAC address, so enabling the virtual MAC function is not recommended in this situation.
If the upstream or downstream devices keep session records and encapsulate outgoing packets with the MAC address stored in those records, then, when the firewall runs in dual-device hot standby (two-node cluster hot backup), the record holds the interface MAC address of the firewall unit that handled the session. To prevent such a device from continuing to send packets to the failed firewall after an active/standby switchover, the firewall's function of sending packets with the virtual MAC address should be enabled.
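The two scenarios above can be checked with a small constructed simulation (added here, not Huawei code): an upstream device either forwards by route, refreshing its ARP entry from gratuitous ARP, or caches the MAC it first learned in a per-session record, and we observe whether an existing flow still reaches the active unit after a switchover. Device names, IP and MAC values are hypothetical.

```python
from dataclasses import dataclass, field

# Hypothetical virtual MAC shared by both units when the function is enabled
VIRTUAL_MAC = "00:00:5e:00:01:01"

@dataclass
class Firewall:
    name: str
    phys_mac: str          # interface's own MAC address
    active: bool = False

@dataclass
class UpstreamDevice:
    """Upstream/downstream device: forwards by route (ARP table only) or
    keeps per-session records that cache the MAC learned when the session began."""
    caches_session_mac: bool
    arp_table: dict = field(default_factory=dict)   # next-hop IP -> MAC
    sessions: dict = field(default_factory=dict)    # session key -> cached MAC

    def learn_gratuitous_arp(self, ip, mac):
        self.arp_table[ip] = mac

    def next_hop_mac(self, ip, session):
        if self.caches_session_mac:
            # First packet of the session stores the MAC; later packets reuse it
            self.sessions.setdefault(session, self.arp_table[ip])
            return self.sessions[session]
        return self.arp_table[ip]

def announced_mac(fw, virtual_mac_enabled):
    return VIRTUAL_MAC if virtual_mac_enabled else fw.phys_mac

def flow_survives_switchover(caches_session_mac, virtual_mac_enabled, gw_ip="10.0.0.1"):
    """True if an established flow still reaches the active unit after FW1 fails."""
    fw1 = Firewall("FW1", "00:e0:fc:00:00:01", active=True)
    fw2 = Firewall("FW2", "00:e0:fc:00:00:02")
    dev = UpstreamDevice(caches_session_mac)
    dev.learn_gratuitous_arp(gw_ip, announced_mac(fw1, virtual_mac_enabled))
    dev.next_hop_mac(gw_ip, "flow-A")            # session established through FW1
    fw1.active, fw2.active = False, True         # FW1 fails, FW2 takes over
    dev.learn_gratuitous_arp(gw_ip, announced_mac(fw2, virtual_mac_enabled))
    dst_mac = dev.next_hop_mac(gw_ip, "flow-A")  # where the next packet goes
    reachable = {announced_mac(fw, virtual_mac_enabled) for fw in (fw1, fw2) if fw.active}
    return dst_mac in reachable
```

Only the combination "session-caching device without virtual MAC" loses the flow; a route-forwarding device is fine either way, which is why the FAQ recommends the function only for the second scenario.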
Networking limitations of the virtual MAC function:
1. Asymmetric forward and return paths
In networks where the forward and return paths differ, a packet may be sent out of a firewall interface whose VRRP state is standby. Such an interface does not send the virtual MAC, so the source MAC of the packet is the interface's own MAC address. If the firewall is connected upstream and downstream to devices similar to the BIG-IP2400, the device records this packet from the interface in VRRP standby state and sends the returning packet back to the firewall interface it came from, because devices like the BIG-IP2400 guarantee that a reply goes back to where the request came from. Therefore, the virtual MAC function does not support networks with asymmetric forward and return paths.
2. Binding a VRRP group to a subinterface
When a subinterface is bound to a VRRP group, the subinterface shares the PCT table of its main (physical) interface, and the MAC address is recorded in that PCT table. If the subinterface enables the virtual MAC address to announce its interface address, the MAC address recorded for the main interface and for the other subinterfaces is modified as well. If other subinterfaces are also bound to VRRP groups with the announce-virtual-MAC function enabled, the firewall can bind only one virtual MAC address but would need to announce several virtual MACs at the same time, which is not possible.