Is Mac masquerade necessary ?

Question

I have a pair of F5 7200v configured in single arm mode setup acting as Active/Standby.
Both of them are connected to nexus 7k distribution switches and the latter are connected to each other via trunk port. Both the distribution switches have ARP entries for the VIPs on the F5 load balancer.
"sh ip arp | in vip-ip" gives the same mac address for all the VIPs.&nbsp;
I do not see a reason why I should configure mac masquerade in this case!
Please explain.&nbsp;

tbyerly_229301 · Answer

Generally you do not need it.&nbsp;
"Ordinarily a failover to a new Active system will result in issuance of Gratuitous ARP broadcasts with the newly Active system’s MAC address supplied as L2 address for each L3 Failover Address (Virtual Addresses/VIPS, Floating Self-IP’s, NAT addresses)"&nbsp;
Some devices ignore Gratuitous ARP's..&nbsp;
So..MAC Masquerading solves these problems by using a common L2 address shared by BIG-IP devices for L3 traffic; no ARP entry is changed, only Switch’s MAC address/port forwarding table.&nbsp;

janholtz · Answer

Depends&nbsp;
IF the Nexus 7k is using F1 line cards, and IF the linecards are to remain default MAC update limits to &lt; 100 / second, and IF you have more than 100 virtual + floating addresses, YES you very much need mac masquerading.&nbsp;
You really don't want to ask me how I know this....&nbsp;
//Jan&nbsp;

Forum Discussion

Is Mac masquerade necessary ?

2 Replies

Recent Discussions

F5 Rseries HA

Error when running bigip_command Playbook against LTM : Syntax Error: unexpected argument /bin/sh\n

Can iRule be used to perform exception of IPI category based on Geolocation

Can iRule mask the payload content on event logs of security

minimum tmos software version for connect CIS (openshift)

Related Content

Lightboard Lessons: Mac Masquerade

MAC Masquerade

MAC address assignment in F5

CBC ciphers in relation to RFC7366 Encrypt-then-MAC

F5 apm on mac os resolve.conf patch