Hypervisor Assigned MAC Addresses

By default, the VM-Series firewall uses the MAC address assigned to the physical interface by the host/hypervisor and uses that MAC address on the VM-Series firewall deployed with Layer 3 interfaces. The firewall can then use the hypervisor assigned MAC address in its ARP responses. This capability allows non-learning switches, such as the VMware vSwitch, to forward traffic to the dataplane interface on the firewall without requiring that promiscuous mode be enabled on the vSwitch. If neither promiscuous mode nor the use of hypervisor assigned MAC addresses is enabled, the host drops the frame when it detects a mismatch between the destination MAC address for an interface and the host-assigned MAC address.
There is no option to enable or disable the use of hypervisor assigned MAC addresses on AWS and Azure. It is enabled by default for both platforms and cannot be disabled.
If you are deploying the VM-Series firewall in Layer 2, virtual wire, or tap interface modes, you must enable promiscuous mode on the virtual switch to which the firewall is connected. The use of hypervisor assigned MAC address is only relevant for Layer 3 deployments where the firewall is typically the default gateway for the guest virtual machines.
When hypervisor assigned MAC address functionality is enabled on the VM-Series firewall, make note of the following requirements:
  • IPv6 Address on an Interface—In an active/passive HA configuration (see VM-Series in High Availability), Layer 3 interfaces using IPv6 addresses must not use the EUI-64 generated address as the interface identifier (Interface ID). Because the EUI-64 uses the 48-bit MAC address of the interface to derive the IPv6 address for the interface, the IP address is not static. This results in a change in the IP address for the HA peer when the hardware hosting the VM-Series firewall changes on failover, and leads to an HA failure.
  • Lease on an IP Address—When the MAC address changes, DHCP client, DHCP relay and PPPoE interfaces might release the IP address because the original IP address lease could terminate.
  • MAC address and Gratuitous ARP—VM-Series firewalls with hypervisor assigned MAC addresses in a high-availability configuration behave differently than the hardware appliances with respect to MAC addressing. Hardware firewalls use self-generated floating MAC addresses between devices in an HA pair, and the unique MAC address used on each dataplane interface (say eth 1/1) is replaced with a virtual MAC address that is common to the dataplane interface on both HA peers. When you enable the use of the hypervisor assigned MAC address on the VM-Series firewall in HA, the virtual MAC address is not used. The dataplane interface on each HA peer is unique and as specified by the hypervisor.
    Because each dataplane interface has a unique MAC address, when a failover occurs, the now active VM-Series firewall must send a gratuitous ARP so that neighboring devices can learn the updated MAC/IP address pairing. Hence, to enable a stateful failover, the internetworking devices must not block or ignore gratuitous ARPs; make sure to disable the anti-ARP poisoning feature on the internetworking devices, if required.
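The IPv6 requirement above follows directly from how EUI-64 builds the interface identifier. The following added example (not Palo Alto Networks' code) derives the EUI-64 address for two HA peers whose eth1/1 interfaces keep the distinct MACs the hypervisor assigned them, and shows that the address moves on failover; the prefix and MAC addresses are constructed sample values.

```python
"""Why EUI-64 interface IDs break stateful HA with hypervisor-assigned MACs.

Added example, not part of the VM-Series documentation or product code.
The prefix and MAC addresses below are constructed sample values.
"""
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Return the 64-bit EUI-64 interface identifier derived from a 48-bit MAC.

    RFC 4291 Appendix A: split the MAC in half, insert 0xFFFE between the
    halves, then invert the universal/local (U/L) bit, bit 0x02 of byte 0.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"expected a 48-bit MAC, got {mac!r}")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02  # flip the U/L bit
    return int.from_bytes(eui, "big")


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 interface ID for `mac`."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def ha_failover_changes_address(prefix: str, active_mac: str, passive_mac: str) -> bool:
    """True when the interface address moves on failover because the peers' MACs differ."""
    return eui64_address(prefix, active_mac) != eui64_address(prefix, passive_mac)


if __name__ == "__main__":
    PREFIX = "2001:db8:1::/64"            # constructed documentation prefix
    ACTIVE_MAC = "00:50:56:aa:bb:cc"      # constructed hypervisor-assigned MAC, peer A eth1/1
    PASSIVE_MAC = "00:50:56:aa:bb:dd"     # constructed hypervisor-assigned MAC, peer B eth1/1
    for name, mac in (("active", ACTIVE_MAC), ("passive", PASSIVE_MAC)):
        print(f"{name:8} {mac} -> {eui64_address(PREFIX, mac)}")
    if ha_failover_changes_address(PREFIX, ACTIVE_MAC, PASSIVE_MAC):
        print("EUI-64 address differs between HA peers: configure a static Interface ID")
```

A hardware HA pair shares a floating virtual MAC, so both peers would derive the same EUI-64 address; with hypervisor-assigned MACs the check above returns True, which is the failure the documentation warns about.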
Perform the following steps to configure the VM-Series firewall to use the interface MAC addresses provided by the host/hypervisor.
  1. Select Device > Management > Setup.
  2. Disable (clear) the option to Use Hypervisor Assigned MAC Address.
    When the MAC address change occurs, the firewall generates a system log to record this transition and the interface generates a gratuitous ARP.
  3. Commit the change on the firewall. You do not need to reboot the firewall.