
NLB is configured using multicast on the SRX device as follows:

set interfaces ge-0/0/1 unit 0 family inet address 1.1.1.1/24 arp 1.1.1.10 multicast-mac 01:00:5e:00:00:04

Where the parameters are as follows:

1.1.1.1 = the JSRX interface IP address
arp = the NLB address
multicast-mac = the virtual MAC address that belongs to the NLB

So, the packets being captured on Wireshark with target IP 1.1.1.10 originating from the firewall should have target MAC address 01:00:5e:00:00:04, but they do not.

Please advise.

asked 20 Nov '13, 08:19

MASS


One Answer:

The firewall will (most certainly) answer to packets with DESTINATION MAC 01:00:5e:00:00:04 and destination IP 1.1.1.10. So, if another system uses the IP 1.1.1.10 as default gateway, you should see that MAC address as the destination address. But if the firewall itself sends something into the network, it will (most certainly) use the 'native' MAC address of its interface. At least that's how other systems I know of work.

Regards
Kurt

answered 20 Nov '13, 09:30

Kurt Knochner ♦

Hi Kurt, Thanks for looking this.

As the host is not directly connected to the firewall, I have a switch behind the firewall.

My understanding is that Microsoft NLB works by using a virtual IP address (VIP). An ARP for the VIP will result in a cluster MAC address. The problem is that the cluster MAC address is not used to send any traffic; sending traffic by the nodes in the cluster is done from other MAC addresses.

As the switches do not know on which switch port the cluster MAC address is found, they will send the packets to all ports in the VLAN. This results in all cluster members receiving the traffic, and the NLB driver on each cluster node will determine which node should handle each request.

Any thoughts?

(21 Nov '13, 02:59) MASS

> sending traffic by the nodes in the cluster is done from other mac addresses.

as I said. And that's no problem in most environments. Why is that a problem in your environment?

> As the switches do not know on which switch port the cluster mac address is found, it will send the packets to all ports

That's not the case, because the switch will look at the destination MAC and not the source MAC.

(21 Nov '13, 03:05) Kurt Knochner ♦

> As the switches do not know on which switch port the cluster mac address is found, it will send the packets to all ports in the VLAN.

Ah, wait you mean: if some other system tries to reach the cluster IP, right? In that case the request will go to the cluster MAC address (destination) and that will indeed be flooded to all ports or all ports in the VLAN (depends on the switch config). That's how it works, if you are using a multicast MAC address (first bit of first octet set).

> This results in that all cluster members will receive the traffic and the NLB driver on each cluster node will determine which node should handle each request.

Yes. And that is what you want, right? Otherwise NLB would not make much sense.

Sounds like you have a standard NLB setup, that works like any other NLB setup.

But maybe I don't understand your problem. If so, please be more specific in your problem description.

(21 Nov '13, 05:57) Kurt Knochner ♦
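The two points made in this thread, that traffic sent TO the VIP should carry the cluster multicast MAC while traffic sent BY the cluster nodes (and by the firewall itself) carries a node's or interface's own unicast MAC, can be checked mechanically against a capture. The following Python example is added here; it is not code from the original thread, from Juniper or from Microsoft. Only the cluster MAC 01:00:5e:00:00:04, the VIP 1.1.1.10 and the interface address 1.1.1.1 come from the question; the firewall, node and client MACs and the sample frames are constructed assumptions. It classifies each destination MAC by the I/G bit (the "first bit of the first octet" Kurt mentions), flags frames addressed to the VIP that do not use the cluster MAC, and lists which source MACs the VIP actually answers from.

```python
"""Audit captured Ethernet frames against the NLB multicast-MAC expectation."""
import struct
import ipaddress
from collections import Counter

# Values taken from the SRX configuration in the question.
CLUSTER_MAC = "01:00:5e:00:00:04"   # NLB cluster (virtual) multicast MAC
CLUSTER_IP = "1.1.1.10"             # NLB VIP, the 'arp' address
FIREWALL_IP = "1.1.1.1"             # ge-0/0/1 interface address

# Constructed sample addresses (assumptions, not from the thread).
FIREWALL_MAC = "00:11:22:33:44:55"  # the SRX interface's own ('native') MAC
NODE_MACS = ["00:50:56:aa:00:01", "00:50:56:aa:00:02"]  # physical MACs of two NLB nodes
CLIENT_MAC = "00:50:56:cc:00:09"


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def mac_kind(mac):
    """Classify a MAC by the I/G bit (least significant bit of the first octet)."""
    b = mac_bytes(mac)
    if b == b"\xff" * 6:
        return "broadcast"
    return "multicast" if b[0] & 0x01 else "unicast"


def build_ip_frame(dst_mac, src_mac, src_ip, dst_ip):
    """Constructed Ethernet II + bare IPv4 header (no payload, checksum left zero)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip


def build_arp_request(src_mac, src_ip, target_ip):
    """Constructed broadcast ARP 'who-has' for target_ip."""
    eth = mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(src_mac) + b"\x08\x06"
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                      mac_bytes(src_mac), ipaddress.IPv4Address(src_ip).packed,
                      b"\x00" * 6, ipaddress.IPv4Address(target_ip).packed)
    return eth + arp


def parse_frame(frame):
    """Pull the fields a Wireshark user would look at: eth.dst, eth.src, ip.src, ip.dst."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    rec = {"dst_mac": mac_str(frame[0:6]), "src_mac": mac_str(frame[6:12]),
           "ethertype": ethertype}
    if ethertype == 0x0800 and len(frame) >= 34:
        rec["src_ip"] = str(ipaddress.IPv4Address(frame[26:30]))
        rec["dst_ip"] = str(ipaddress.IPv4Address(frame[30:34]))
    return rec


def audit(frames, vip=CLUSTER_IP, cluster_mac=CLUSTER_MAC):
    """Summarise what the capture shows about VIP-bound and VIP-sourced traffic."""
    dst_kinds = Counter()
    vip_anomalies = []       # frames to the VIP that do NOT use the cluster multicast MAC
    vip_source_macs = set()  # MACs the cluster actually sends from (expected: node MACs)
    for rec in map(parse_frame, frames):
        dst_kinds[mac_kind(rec["dst_mac"])] += 1
        if rec.get("dst_ip") == vip and rec["dst_mac"] != cluster_mac:
            vip_anomalies.append(rec)
        if rec.get("src_ip") == vip:
            vip_source_macs.add(rec["src_mac"])
    return {"dst_kinds": dst_kinds, "vip_anomalies": vip_anomalies,
            "vip_source_macs": vip_source_macs}


# Constructed capture: a healthy multicast-NLB segment plus one deliberate anomaly.
SAMPLE_FRAMES = [
    build_arp_request(CLIENT_MAC, "1.1.1.50", CLUSTER_IP),                       # who-has VIP
    build_ip_frame(CLUSTER_MAC, CLIENT_MAC, "1.1.1.50", CLUSTER_IP),             # client -> VIP, flooded
    build_ip_frame(CLIENT_MAC, NODE_MACS[0], CLUSTER_IP, "1.1.1.50"),            # node answers from its own MAC
    build_ip_frame(CLUSTER_MAC, FIREWALL_MAC, FIREWALL_IP, CLUSTER_IP),          # SRX -> VIP via static ARP entry
    build_ip_frame(NODE_MACS[1], "00:50:56:cc:00:0a", "1.1.1.60", CLUSTER_IP),  # anomaly: unicast MAC to VIP
]

if __name__ == "__main__":
    result = audit(SAMPLE_FRAMES)
    print("destination kinds:", dict(result["dst_kinds"]))
    print("cluster sends from:", sorted(result["vip_source_macs"]))
    for rec in result["vip_anomalies"]:
        print("VIP reached via non-cluster MAC:", rec)
```

In a real capture the same check is a Wireshark display filter: `ip.dst == 1.1.1.10 && eth.dst != 01:00:5e:00:00:04` shows exactly the frames `audit()` reports as anomalies, and `ip.src == 1.1.1.10` shows which physical MACs the cluster replies from. Seeing the firewall's native MAC as the source of frames it originates is the expected behaviour Kurt describes, not a misconfiguration.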