Create a Post
Showing results for 
Search instead for 
Did you mean: 

Check Point firewall entries in Cisco ARP table

Hi everyone


This is probably a simple one so apologies in advance. I have a Check Point 5800 HA cluster in a Data Centre and following some work on a Cisco Nexus, looked at the ARP table and saw the following for my firewalls:


Internet 0 001c.7f81.0908 ARPA GigabitEthernet0/0/0 (CP VRRP)
Internet 0 001c.7f81.13a8 ARPA GigabitEthernet0/0/0 (CP 1 interface)
Internet 0 001c.7f81.0908 ARPA GigabitEthernet0/0/0 (CP 2 interface)


Can someone tell me why CP2 MAC address is the same as CP VRRP? I was thinking that CP2 is acting as the master but would appreciate if this could be confirmed.


Many thanks



0 Kudos
2 Replies

Depending on the configuration that seems…plausible.

0 Kudos

ClusterXL uses the same MAC unless you tell it to use a vMAC, VRRP however by default uses a vMAC, which type is defined by the command you add your VIP addresses with.

These are the options to set the vMAC per VIP:


VRRP - Sets the VMAC to the format outlined in the VRRP protocol specification RFC 3768. It is automatically set to the same value on all Security Gateways in a Virtual Router. This is the default.

Interface - Sets the VMAC to the local interface MAC address. If you define this mode for the master and the backup, the VMAC is different for each. VRRP IP addresses are related to different VMACs because they are dependent on the physical interface MAC address of the current master.

Static - Manually set the VMAC address. Enter the VMAC address after the static-mac keyword.

Note - If you configure different VMACs on the master and backup, you must make sure that you select the correct proxy ARP setting for NAT.

Extended - Gaia dynamically calculates and adds three bytes to the interface MAC address to generate more random address. If you select this mode, Gaia constructs the same MAC address for master and backups in the Virtual Router.

Note - If you set the VMAC mode to Interface or Static, syslog error messages show when you restart the computer or during failover. This is caused by duplicate IP addresses for the master and backup. This is expected behavior because the master and backups temporarily use the same virtual IP address until they get master and backup status.

So it looks like your VRRP VIP for this interface has been set with the option vmac-mode interface.

in clish do:

show configuration mcvr

This will show you all VIP commands.


Regards, Maarten
0 Kudos


Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events