HSRP Virtual MAC

Dear guru, is there a way to check if we are using the same Virtual MAC for two HSRP groups? Will our L3 switch notice that two of the HSRP groups are using the same MAC? Will there be any conflict error message, like an IP conflict? Please advise, SEan


The only way to check is to do a show standby on the active hsrp router and look at the two separate vlans. As you will see, the mac addresses are the same for all hsrp addresses in the same group number (which you specify in configuration). As for your second question, the answer is no. First, it does not matter that two macs have two different IP addresses provided they are on two different networks. A mac can have multiple IPs, but an IP cannot have multiple MACs. For this reason, the routers only map the mac to a switched virtual interface.

As an example, when a node talks to its gateway, it goes to hsrp which, say, is in standby group 1. The router then forwards it out as necessary. But when the reply traffic comes, the router will either need to arp for the destination IP, or look it up via its routing table. Either way, it will find out that the host is in a particular vlan, and forward that traffic appropriately, and doesn't need to care at all about the hsrp address.

Lastly, there is no IP conflict, as no two nodes will have the same IP, therefore no issue.


You don't even need to check. By default, the virtual MAC address depends only on the HSRP group number, and has this format:


where xx is the group number. You can change it with the command "standby mac-address" (IIRC).

So yes, it's possible that two HSRP groups (in different L2 networks) using the same group number use the same virtual MAC address.

Two devices can use the same MAC, as long as they are in different L2 networks. So you have no problem, since you can't have two HSRP groups using the same group number in the same L2 network: they would be all part of a single group (hence only one virtual MAC).
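The check discussed in the two answers above, as an added example that is not part of the original thread: it parses `show standby` text, lists every virtual MAC used on more than one interface, and compares each MAC with the HSRP version 1 default `0000.0c07.acXX`. The sample output is constructed and simplified, the function names are hypothetical, and HSRP version 1 defaults are assumed.

```python
import re
from collections import defaultdict

# Constructed, simplified `show standby` excerpt (not captured from a real device).
SAMPLE = """\
Vlan10 - Group 1
  State is Active
  Virtual IP address is 10.1.10.1
  Active virtual MAC address is 0000.0c07.ac01
Vlan40 - Group 1
  State is Init
  Virtual IP address is 10.1.40.1
  Active virtual MAC address is unknown
  Local virtual MAC address is 0000.0c07.ac01 (v1 default)
Vlan50 - Group 5
  State is Active
  Virtual IP address is 10.1.50.1
  Active virtual MAC address is 0000.0c07.ac05
"""

HEADER = re.compile(r"^(\S+) - Group (\d+)")
VMAC = re.compile(r"(?:Active|Local) virtual MAC address is ((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})", re.I)

def default_v1_mac(group):
    """HSRP version 1 default virtual MAC: 0000.0c07.acXX, XX = group number in hex."""
    if not 0 <= group <= 255:
        raise ValueError("HSRP v1 group numbers are 0-255")
    return "0000.0c07.ac%02x" % group

def parse_groups(text):
    """Return a list of (interface, group, virtual_mac) from `show standby` text."""
    groups, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = (m.group(1), int(m.group(2)))
            continue
        m = VMAC.search(line)  # an "unknown" active MAC falls through to the Local line
        if m and current:
            groups.append((current[0], current[1], m.group(1).lower()))
            current = None
    return groups

def shared_macs(groups):
    """Map each virtual MAC seen on more than one interface to its (interface, group) users."""
    by_mac = defaultdict(list)
    for iface, group, mac in groups:
        by_mac[mac].append((iface, group))
    return {mac: users for mac, users in by_mac.items() if len(users) > 1}
```

On the constructed sample, `shared_macs(parse_groups(SAMPLE))` reports `0000.0c07.ac01` on both Vlan10 and Vlan40, the case the answers describe as harmless when the interfaces are in different L2 networks.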


Thanks to both of you, that's very helpful.

The reason why I asked such questions is that I encountered a strange, occasional service disconnection when the traffic/packets pass through my firewall gateway. My connections (tcp and icmp *ping*) got disconnected for 5 packets and then resume automatically. My gateway has 3 interfaces, External_net, Internet_net and DMZ, where the Ext_net and Int_net are connecting to a HSRP group. When capturing the packets from the gateway, it showed "TCP ACKed lost segment" or "

Topology: My_PC -> Internal_r1 (HSRP) -> Internal_r2 (HSRP) VLAN40 -> Gateway -> External_router (HSRP)

Since the routers have been set up for ages by others, I just discovered that Internal_r1 and External_router are sharing the same multicast virtual MAC.

I guess the duplicated HSRP setting may be one of the reasons, but it seems "not related".


This is not your problem. MAC addresses are layer 2 addresses, which are stripped off when received by the firewall. The firewall software is only seeing the IP packet, which has source and destination IP addresses, which have nothing to do with the router. The only modification the router does to an IP packet is to decrement the TTL field and recompute the CRC.


Thanks for your advice. Yes, the firewall only works on L3, which is the IP layer, and all the L2 is handled by the network devices, routers and switches. I'm totally lost: I can connect to the server on the external side, however, I frequently got disconnected and I saw some "TCP ACKed lost segment" errors in my tcpdump, and ping lost packets. It seems not much related to L3 since the connection can be made successfully from one point to another point, however, it got disconnected, so that's why I guess that's the problem of my networking device.
