Virtual MACs (VMACs)
What Is a Virtual MAC?
A Virtual MAC (VMAC) is a randomly generated, globally unique MAC address that gets bound to a specific IP address on a server's switch port. It replaces the server's physical PXE MAC for that IP in the Juniper secure-access-port configuration.
Why Do We Need VMACs?
The Problem
When a dedicated server has multiple IPs, Juniper's port security requires each static-ip binding to have a unique MAC address. But all traffic from the server comes from the same physical NIC (same PXE MAC). If you try to bind multiple IPs to the same MAC on the same port, Junos rejects the configuration:
The Solution
VMACs solve this by giving each additional IP its own unique MAC address in the switch configuration. The server itself doesn't need to know about these MACs -- they're only used in the switch's secure-access-port table to satisfy the uniqueness requirement.
```
# Primary IP uses the real PXE MAC
set ethernet-switching-options secure-access-port interface ge-0/0/1.0 \
    static-ip 10.0.48.5 vlan VLAN.13 mac aa:bb:cc:dd:ee:ff
# Additional IP uses a VMAC
set ethernet-switching-options secure-access-port interface ge-0/0/1.0 \
    static-ip 10.0.48.6 vlan VLAN.13 mac 02:xx:xx:xx:xx:xx
```
How VMACs Work
- Generate -- Admin or automation creates a VMAC for a specific server + IP combination
- Switch Push -- The platform SSHs into the Juniper switch and adds/replaces the `secure-access-port` binding
- Backup -- A configuration backup is taken automatically before any switch change
- Active -- The VMAC stays active until explicitly revoked
MAC Address Format
Generated VMACs use the 02:xx:xx:xx:xx:xx prefix (locally administered, unicast). This ensures they:
- Never conflict with real hardware MACs (which use manufacturer OUIs)
- Are recognized as locally administered by network equipment
- Are globally unique within the WSH network (enforced by the database)
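
The format rules above and the binding line from The Solution, as an added Python example that is not the platform's own code: it generates an address with the 02 first octet, checks the locally administered and unicast bits, and validates each field before rendering the switch command. The function names, the interface and VLAN patterns, and the in-memory `in_use` set (standing in for the database uniqueness check) are assumptions.

```python
import ipaddress
import re
import secrets

# Assumed formats, modelled on the sample values on this page (ge-0/0/1.0, VLAN.13).
_IFACE_RE = re.compile(r"[a-z]{2}-\d+/\d+/\d+\.\d+")
_VLAN_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def normalize_mac(mac: str) -> str:
    """Return the lowercase, colon-separated form; accepts ':', '-', '.' or bare hex."""
    digits = re.sub(r"[:.\-]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered_unicast(mac: str) -> bool:
    """First octet must have the U/L bit (0x02) set and the I/G bit (0x01) clear."""
    first = int(normalize_mac(mac)[:2], 16)
    return bool(first & 0x02) and not (first & 0x01)


def generate_vmac(in_use: set, max_attempts: int = 16) -> str:
    """Fixed 02 octet plus 40 random bits; retry if the address is already in in_use."""
    for _ in range(max_attempts):
        mac = "02:" + ":".join(f"{b:02x}" for b in secrets.token_bytes(5))
        if mac not in in_use:
            in_use.add(mac)
            return mac
    raise RuntimeError("no unused VMAC found")


def static_ip_binding(interface: str, ip: str, vlan: str, mac: str) -> str:
    """Validate every field, then render the binding line in the form shown above."""
    if not _IFACE_RE.fullmatch(interface) or not _VLAN_RE.fullmatch(vlan):
        raise ValueError("unexpected interface or VLAN name")
    ip = str(ipaddress.IPv4Address(ip))  # rejects anything but a plain IPv4 address
    return ("set ethernet-switching-options secure-access-port "
            f"interface {interface} static-ip {ip} vlan {vlan} mac {normalize_mac(mac)}")


if __name__ == "__main__":
    used = {"02:00:00:00:00:01"}  # constructed sample of addresses already in the table
    vmac = generate_vmac(used)
    print(static_ip_binding("ge-0/0/1.0", "10.0.48.6", "VLAN.13", vmac))
```

Validating the interface, VLAN, IP and MAC before they reach the SSH session keeps stray whitespace or extra tokens in a stored value from being pushed to the switch as additional configuration.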
VMAC Lifecycle
| Status | Meaning |
|---|---|
| `pending` | Created in DB, switch push in progress |
| `active` | Successfully bound on the switch |
| `failed` | Switch push failed (check logs) |
| `revoked` | Removed from switch, PXE MAC restored for that IP |
Database
VMACs are stored in the `virtual_macs` table in the `wsh_infra` database (not in Tenantos). Key fields:
- `server_id` -- Tenantos server ID
- `ip_address` -- The IP this VMAC is bound to
- `mac_address` -- The generated VMAC (normalized lowercase, colon-separated)
- `vlan_name` -- Resolved VLAN (e.g., `VLAN.13`)
- `status` -- Current lifecycle state
- `switch_bindings` -- JSON record of which switches/ports were configured