This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Hugo_vd_Kooij
MVP Gold
MVP Gold
‎2025-08-20 12:22 AM
Jump to solution

Locally administrated MAC addresses

This is just a quest to fully understand a feature I noticed yesterday on a cluster.

The quest yesterday evening was to disable VMAC as we no loger needed the workaround as all system that weren't able to pickup GARP packets were finaly removed from the network.

While we were observing things in the Cisco swich fbric we noticed an unknown MAC address arriving from the firewall.

I could not find the MAC address OUI anywhere as is was 02:52:98:00:00:00 from one node and 02:52:98:00:00:01 from the other node in the cluster.

I know that R80.40 redesigned traffic flows from the Standby node in a cluster but untill today I never had noticed these MAC addresses from a Check Point cluster.

At this point my guess is that this localy administrated MAC address is assigned to prevent certain issues. But it is weird to see for example LDAPS traffic with this MAC addres as source. I nover observed it as destination.

Is anyone familiar with this feature and can they explain why it is used and how it works?

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
1 Solution

Accepted Solutions
Olegf
Employee
Employee
‎2025-08-20 06:35 AM
Jump to solution

Hi,
This is correction (forwarding) MAC between cluster members. We must change the original MAC of the traffic because of the intermediate switch that shouldn't see same source MAC entering different switch ports.

View solution in original post

3 Replies
Olegf
Employee
Employee
‎2025-08-20 06:35 AM
Jump to solution

Hi,
This is correction (forwarding) MAC between cluster members. We must change the original MAC of the traffic because of the intermediate switch that shouldn't see same source MAC entering different switch ports.

Hugo_vd_Kooij
MVP Gold
MVP Gold
‎2025-08-21 06:09 AM
In response to Olegf
Jump to solution

Thanks for the clarification so far.

But as aI am curious about the exact calculation of the MAC address can you add the missing information?

The first byte is 02. (Only the last 2 bits are exactly defined.)

The second and third byte differ per cluster. Can you explain how that is calculated?

The sixth byte is the node within the cluster. (Being 00 or 01)

Anything else you can share about this?

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
Olegf
Employee
Employee
‎2025-09-09 03:24 AM
In response to Hugo_vd_Kooij
Jump to solution

1:         02
2-3:     Cluster ID
4-5:     VS ID
6:         Sending member ID

The cluster ID is unique 2 byte long number per cluster object in the management. From GW side we just receive it as is by policy.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events