John Neiberger <[email protected]> writes:

> We have an application involving a firewall cluster where the cluster
> has a VIP associated with it, but the VIP apparently replies to ARP
> requests with a multicast MAC address. The idea, ultimately, is that
> both firewalls in the cluster will receive the same traffic all the
> time. To make this work, the router would have to accept an ARP reply
> that had a multicast source address (I have no idea if that's
> technically a problem or not) and the switches would have to populate
> their MAC address tables properly.

Sadly RFC 1812 hasn't been updated, so some routers (notably Juniper and Cisco) do not accept multicast MAC addresses as ARP replies. For those you need to configure static ARP, which is a pain. It is a shame that none of the multicast-based cluster vendors (Stonesoft, Microsoft, Checkpoint, I'm sure there are more) invested the effort required to get this method officially RFC-blessed.

> It seems to me that this ought to work as long as we're not running
> IGMP snooping or anything like that on the switches.

IGMP snooping is something you actually want in this case, because the firewalls properly join the IGMP group and therefore traffic isn't broadcast to all interfaces.

/Benny

_______________________________________________
cisco-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
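As an added illustration of the router behaviour discussed in the thread (example code written for this page, not from the thread or any vendor): a small Python parser that applies the RFC 1812 rule a conforming router uses, ignoring an ARP reply whose sender hardware address has the group (I/G) bit set, which is exactly why a multicast-MAC cluster VIP needs a static ARP entry on such routers. The frames, MAC addresses and 192.0.2.0/24 addresses are constructed samples.

```python
import socket
import struct

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def is_multicast_mac(mac: bytes) -> bool:
    """True when the I/G bit (low-order bit of the first octet) is set."""
    return bool(mac[0] & 0x01)


def parse_arp_frame(frame: bytes) -> dict:
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    (htype, ptype, hlen, plen, oper,
     sha, spa, tha, tpa) = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {"eth_src": src, "oper": oper, "sha": sha, "tha": tha,
            "spa": socket.inet_ntoa(spa), "tpa": socket.inet_ntoa(tpa)}


def router_would_accept(frame: bytes) -> tuple:
    """RFC 1812 rule: a router must not believe an ARP reply that claims a
    multicast or broadcast link-layer address for the sender."""
    arp = parse_arp_frame(frame)
    if arp["oper"] != ARP_REPLY:
        return (False, "not an ARP reply")
    if is_multicast_mac(arp["sha"]):
        return (False, "sender MAC %s is a group address; reply ignored, "
                       "static ARP required" % arp["sha"].hex(":"))
    return (True, "unicast sender MAC; ARP cache updated")


def build_arp_reply(sha: bytes, spa: str, tha: bytes, tpa: str) -> bytes:
    """Construct an Ethernet + ARP reply frame (sample data only)."""
    eth = struct.pack("!6s6sH", tha, sha, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REPLY,
                      sha, socket.inet_aton(spa), tha, socket.inet_aton(tpa))
    return eth + arp


# Constructed samples: router 192.0.2.1 resolved the cluster VIP 192.0.2.10.
ROUTER_MAC = bytes.fromhex("00112233aabb")           # constructed
CLUSTER_VIP_MAC = bytes.fromhex("01005e0a0a0a")      # constructed group MAC
CLUSTER_VIP_REPLY = build_arp_reply(CLUSTER_VIP_MAC, "192.0.2.10", ROUTER_MAC, "192.0.2.1")
UNICAST_REPLY = build_arp_reply(bytes.fromhex("0050569a1b2c"), "192.0.2.10", ROUTER_MAC, "192.0.2.1")
```

Run `router_would_accept(CLUSTER_VIP_REPLY)` to see the rejection a Cisco or Juniper router applies, and `router_would_accept(UNICAST_REPLY)` for the normal case.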
