Benny,

it's not only the ARP reply that is taken into account when talking about the 
operability of such solutions.


In one particular case, we were hit hard by this clustering method. Over 
time, everything worked, as the old switches were slightly lax on RFC 
compliance. After upgrading to a 3C[XL] system, we experienced packets 
with a multicast source MAC getting dropped under some circumstances in 
hardware.


It took quite a lot of effort from us and Cisco to explain to the customer that 
this is not a bug, but a result of the hardware becoming stricter, as RFC 1812 
and related RFCs dictate (which was intentional on Cisco's part in this case, as an 
initiative to clean up the behaviour of their boxen in such corner situations). And 
it took even more effort to convince the customer to move to proper 
load-balancing methods, such as an ACE.


Clearly a Microsoft way of doing things - let's bend the standard, let it 
spread, and then let the end users beat those who do comply.



--

deejay


> -----Original Message-----
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-
> boun...@puck.nether.net] On Behalf Of Benny Amorsen
> Sent: Monday, October 18, 2010 8:05 PM
> To: John Neiberger
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] Are multicast MAC addresses allowed in the source
> field?
> 
> John Neiberger <jneiber...@gmail.com> writes:
> 
> > We have an application involving a firewall cluster where the cluster
> > has a VIP associated with it, but the VIP apparently replies to ARP
> > requests with a multicast MAC address. The idea, ultimately, is that
> > both firewalls in the cluster will receive the same traffic all the
> > time. To make this work, the router would have to accept an ARP reply
> > that had a multicast source address (I have no idea if that's
> > technically a problem or not) and the switches would have to populate
> > their MAC address tables properly.
> 
> Sadly RFC 1812 hasn't been updated, so some routers (notably Juniper and
> Cisco) do not accept multicast MAC addresses as ARP replies. For those
> you need to configure static ARP, which is a pain. It is a shame that
> none of the multicast-based cluster vendors (Stonesoft, Microsoft,
> Checkpoint, I'm sure there are more) invested the effort required to get
> this method officially RFC-blessed.
> 
> > It seems to me that this ought to work as long as we're not running
> > IGMP snooping or anything like that on the switches.
> 
> IGMP snooping is something you actually want in this case, because the
> firewalls properly join the IGMP group and therefore traffic isn't
> broadcast to all interfaces.
> 
> 
> /Benny
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

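As an added illustration (not code from this thread or from any vendor), the following Python builds constructed ARP replies and reports why a router that follows RFC 1812 section 3.3.2 (do not believe an ARP reply claiming a multicast or broadcast link-layer address), or switch hardware that drops frames whose Ethernet source MAC has the I/G bit set, would refuse them; all MAC and IP addresses below are made up.

```python
import struct

ETH_TYPE_ARP = 0x0806
ARP_OP_REPLY = 2

def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))

def is_group_mac(m: bytes) -> bool:
    # IEEE 802 I/G bit: least-significant bit of the first octet set means a
    # group (multicast or broadcast) address, which is never valid as a source.
    return bool(m[0] & 0x01)

def build_arp_reply(eth_src, sha, spa, tha, tpa):
    # Ethernet II header + 28-byte ARP body (IPv4 over Ethernet, untagged).
    eth = tha + eth_src + struct.pack("!H", ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_OP_REPLY) + sha + spa + tha + tpa
    return eth + arp

def parse_arp_frame(frame):
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_src, ethertype = frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_TYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {"eth_src": eth_src, "oper": oper, "sha": frame[22:28],
            "spa": frame[28:32], "tha": frame[32:38], "tpa": frame[38:42]}

def reject_reasons(frame):
    """Why a strict router (RFC 1812 3.3.2) or strict switch ASIC drops this frame."""
    p = parse_arp_frame(frame)
    reasons = []
    if p["oper"] != ARP_OP_REPLY:
        reasons.append("not an ARP reply")
    if is_group_mac(p["sha"]):
        reasons.append("ARP sender hardware address is a group address (RFC 1812 3.3.2)")
    if is_group_mac(p["eth_src"]):
        reasons.append("Ethernet source MAC has the I/G bit set")
    return reasons

# Constructed sample frames: a normal host reply, a cluster VIP reply that puts the
# multicast MAC only in the ARP sender field, and one that also uses it as the
# Ethernet source (the case dropped in hardware).
ROUTER, ROUTER_IP, VIP_IP = mac("00:11:22:33:44:55"), bytes([192, 0, 2, 1]), bytes([192, 0, 2, 10])
HOST, CLUSTER = mac("00:aa:bb:cc:dd:ee"), mac("01:00:5e:00:00:0a")
NORMAL_REPLY = build_arp_reply(HOST, HOST, VIP_IP, ROUTER, ROUTER_IP)
CLUSTER_REPLY_SHA = build_arp_reply(HOST, CLUSTER, VIP_IP, ROUTER, ROUTER_IP)
CLUSTER_REPLY_BOTH = build_arp_reply(CLUSTER, CLUSTER, VIP_IP, ROUTER, ROUTER_IP)
```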