VRRP MAC addresses and Layer 2 Topology

Started by Tursiops, March 29, 2016, 06:18:39 AM


Tursiops

Hi,

I've been gradually adding devices to NetXMS, and now that I have three firewall clusters in the system, I stumbled over the fact that they are all using VRRP with the same MAC addresses (VRRP uses 00:00:5E:00:01:XX for MAC addresses). As they belong to completely different networks, that's not a problem for the firewalls themselves, but it does cause NetXMS to move firewalls into other networks on Layer 2 Topology maps, and you can't really use the MAC address finder tool on them either.
I have been excluding the relevant interfaces from Topology Discovery to avoid the Topology map issue, but at the same time that means the firewalls are invisible on any such maps.

Is it possible to restrict Topology Discovery for devices or interfaces to specific zones?
That way switches could be configured to only see the VRRP MACs in their zone, which would fix Topology mapping.
I guess the Find MAC Address tool would then also need a Zone selector (probably an optional setting for the search, as most MACs "should" be unique).

Is that already possible in some way?

Cheers

Victor Kirhenshtein

Hi,

Actually, the NetXMS server should handle VRRP MACs differently, as they will not be unique. Zoning will not help because you may have multiple VRRP interfaces within the same zone. As for the topology: usually routers also provide information about real interfaces with unique MACs, and the VRRP MAC address should be shown only for the VRRP interface, so the router can be placed into the correct network using its physical interfaces. If VRRP MACs are excluded, routers should be placed correctly in the L2 topology.
I've registered an issue for that: https://dev.raden.solutions/issues/1196

Best regards,
Victor

Victor Kirhenshtein

Hi,

I'm currently investigating the VRRP issue and it works as expected on my devices. Could you please provide more information about your devices? I'm interested in vendor/model information, whether you are using SNMP or an agent for monitoring, for SNMP devices the result of an SNMP walk on .1.3.6.1.2.1.2.2.1, and for agents the content of the Net.InterfaceList list.

Best regards,
Victor

Tursiops

Hi Victor,

The devices are WatchGuard firewalls (XTM870, XTM330 and M200) and monitoring is done via SNMP.
I've attached the snmpwalk output.

Cheers

Victor Kirhenshtein

Hi,

So those devices really report the VRRP virtual MAC address as the interface's MAC address. I've now changed the server to ignore VRRP and HSRP MAC addresses, so it won't try to use them for building the L2 topology. However, because those devices do not provide real MAC addresses for interfaces (at least not through the standard MIB), they won't appear on the L2 topology map. It is actually a bug in WatchGuard's SNMP agent: it should return the interface's own MAC instead of the VRRP MAC even if VRRP is configured on the interface.

Best regards,
Victor
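As an added example (not NetXMS code), the filter described in this thread: recognise VRRP and HSRP virtual MACs in ifPhysAddress walk output and keep them out of the MAC-to-node index that an L2 topology builder or a "Find MAC Address" search would use. The snmpwalk text, node names and OUIs are constructed; only the protocol-defined prefixes are real.

```python
import re
from collections import defaultdict

# Well-known virtual-router MAC prefixes (lower-case colon form): VRRP (RFC 5798)
# 00:00:5e:00:01:{VRID} IPv4 / 00:00:5e:00:02:{VRID} IPv6; HSRP v1 00:00:0c:07:ac:{group};
# HSRP v2 00:00:0c:9f:f{12-bit group}.
VIRTUAL_PREFIXES = (
    ("vrrp-ipv4", "00:00:5e:00:01:"),
    ("vrrp-ipv6", "00:00:5e:00:02:"),
    ("hsrp-v1", "00:00:0c:07:ac:"),
    ("hsrp-v2", "00:00:0c:9f:f"),
)
WALK_LINE = re.compile(r"ifPhysAddress\.(\d+) = STRING: (\S+)")

def normalize_mac(mac):
    """Canonicalise to aa:bb:cc:dd:ee:ff; accepts unpadded net-snmp output like '0:0:5e:0:1:5'."""
    octets = re.split(r"[:-]", mac.strip())
    if len(octets) != 6 or not all(re.fullmatch(r"[0-9a-fA-F]{1,2}", o) for o in octets):
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(o.lower().zfill(2) for o in octets)

def virtual_router_kind(mac):
    """Return 'vrrp-ipv4', 'vrrp-ipv6', 'hsrp-v1', 'hsrp-v2', or None for a real MAC."""
    m = normalize_mac(mac)
    return next((kind for kind, p in VIRTUAL_PREFIXES if m.startswith(p)), None)

def physical_macs(walk_output):
    """Parse ifPhysAddress rows; rows without a value or with a virtual MAC are dropped."""
    result = {}
    for line in walk_output.splitlines():
        m = WALK_LINE.search(line)
        if m and virtual_router_kind(m.group(2)) is None:
            result[int(m.group(1))] = normalize_mac(m.group(2))
    return result

def mac_index(walks_by_node):
    """{mac: [node, ...]}; a MAC still listed under several nodes is a genuine collision."""
    index = defaultdict(list)
    for node, walk in walks_by_node.items():
        for mac in physical_macs(walk).values():
            index[mac].append(node)
    return dict(index)

# Constructed sample: two clusters in different networks both report VRRP VRID 1 on
# ifIndex 2; the 02:... addresses are locally administered placeholders, not a vendor OUI.
SAMPLE_WALKS = {
    "fw-cluster-a": "IF-MIB::ifPhysAddress.2 = STRING: 0:0:5e:0:1:1\nIF-MIB::ifPhysAddress.3 = STRING: 2:0:0:0:0:1\n",
    "fw-cluster-b": "IF-MIB::ifPhysAddress.2 = STRING: 0:0:5e:0:1:1\nIF-MIB::ifPhysAddress.3 = STRING: 2:0:0:0:0:2\n",
}
```

A device whose only MAC is the virtual one (as the WatchGuard agent behaves here) ends up with an empty `physical_macs` result, which is exactly why it then drops off the L2 map.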