Forum Discussion

DFeike_160744's avatar
DFeike_160744
Icon for Nimbostratus rankNimbostratus
May 27, 2015

MAC Masquerading for VIPs on VLANs on the same Layer2 Network

Hello Guys, we've got a customer with a grown and old network design which causes some headache and i am evaluating possible solutions. During a manually triggered failover for a hotfix installation some of the 180 VS didn't accept traffic. I guess the switch thought that the sudden amount of GARPs might be an attack and dropped some advertisements. After around 15min everything was working fine again.

 

So to prevent something like this in the future i had the idea of using mac masquerading on the traffic group, but i am uncertain on the possible pro and cons. The BIG-IP has two vlans configured, internal and external. Each vlan is on a dedicated physical interface (1.1 and 1.3) and each is untagged, so basicly both vlans are on the same layer2 network.

 

What will happens once mac masquerading would be enabled? From my understanding each IP associated with an VS, each floating self ip will have the same MAC address in the traffic group, which seems like an bad idea for me in the given scenario.

 

I'd appreciate your input on this.

 

Best regards David

 

application delivery
availability
design
layer 2
LTM
mac masquerade

6 Replies

Sort By
  • Eric_St__John's avatar
    Eric_St__John
    Icon for Employee rankEmployee
    May 27, 2015

    MAC Masquerading is intended to address the exact issue you are describing. Since the MAC doesn't change during failover, it does not matter if the switch/firewall drops the GARP. The CAM table will update with the location of the MAC, and ARP does not have to update.

     

  • DFeike_160744's avatar
    DFeike_160744
    Icon for Nimbostratus rankNimbostratus
    May 27, 2015

    Thanks for verifying that MAC Masquerading is the correct thing to do if you have a lot of virtuals running, however are you sure, that there is no negative impact if both VLANs are untagged on the same switch? AFAIK switches usually associate a VLAN ID with a MAC. In this Case Masquerading would work like a charm since the switch delivers the frames to the correct physical port.

     

    However if both F5 "VLANs" are untagged and the switch is seeing the identical MAC on two different ports with no VLAN to differentiate, I believe that this will disrupt any communication.

     

  • Eric_St__John's avatar
    Eric_St__John
    Icon for Employee rankEmployee
    May 27, 2015

    While the frames are untagged, they arrive on the switch port and are immediately associated with the VLAN that is configured on the switch port. There is a MAC address table per VLAN, so you should not run into any issues.

     

  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Jun 01, 2015

    i agree with Eric. anyway, if you want mac masquerading per vlan, starting in 11.2 tm.macmasqaddr_per_vlan db key is introduced.

    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list sys db tm.macmasqaddr_per_vlan
sys db tm.macmasqaddr_per_vlan {
    value "false"
}
  • DFeike_160744's avatar
    DFeike_160744
    Icon for Nimbostratus rankNimbostratus
    Jun 09, 2015

    I thank you for your input, but there is one misunderstanding. The switchports of the switch don't have any vlan associated with them. As I said, both F5 "vlans" are in the same layer2 domain :) I guess this makes the mac masquerading a bit problematic.

     

  • Eric_St__John's avatar
    Eric_St__John
    Icon for Employee rankEmployee
    Jun 09, 2015

    L2 domains are generally defined by VLANs, unless you are using a hub. Is this one flat network? What does your switch port configuration look like? Does the switch assign a default VLAN for ports configured without them?