Forum Discussion

canuck
Apr 30, 2021

MAC masquerade and BIGIP-VE

Does anyone have experience setting up BIGIP-VE MAC Masquerade in an ESX environment without using Promiscuous mode?

Is it possible to not use Promiscuous mode and just set Accept for MAC address changes and Forged transmits?

Environment is BIGIP-VE 14.1, VMware ESXi 6.7

    • canuck

      No problem. I was trying to optimize usage of my 10gig interfaces and heard conflicting information regarding HA network configuration with ESXi. I am presently configured to accept Promiscuous mode, MAC address changes, and Forged transmits. Some users said Promiscuous mode was not needed, but I didn't have time to test without it, so I still do not know. My end-goal is to maintain sub-second BIGIP LTM failover with minimal network overhead.

  • Hi Canuck,

    I assume you need to enable promiscuous support for the vSwitch in ESXi.

    In that case you need to see the use of VLAN groups (CR137596).

    Use of VLAN groups with BIG-IP Local Traffic Manager VE requires proper configuration of VMware vSwitch or VMware vSwitch portgroup security policies. The Promiscuous Mode and Forged Transmits properties must be set to Accept.

    By default, Promiscuous Mode is set to Reject.

    For information on how to configure these options, refer to the vSwitch sections of VMware's vSphere manuals.

    To configure BIG-IP VE MAC masquerade on an ESX environment without using Promiscuous mode, leverage the "MAC Learning" feature on the virtual switch, which allows the ESXi host to learn MAC addresses on the network while preventing unauthorized traffic by setting Promiscuous mode to "Reject" on the relevant port group or virtual switch where the BIG-IP VM resides; this effectively achieves MAC masquerade functionality without relying on promiscuous mode. 

    Key points to remember:

    • Enable MAC Learning: navigate to your ESXi host's virtual switch settings and enable MAC Learning on the port group or switch where the BIG-IP VM is attached.
    • Set Promiscuous Mode to Reject: within the same virtual switch settings, ensure that Promiscuous Mode is set to "Reject" to prevent unauthorized traffic while still allowing the BIG-IP to learn MAC addresses.
    • Configure MAC Masquerade on BIG-IP: on the BIG-IP device, configure the MAC masquerade feature according to your specific network requirements, assigning a unique MAC address for each traffic group or as needed.

    Benefits of using MAC Learning instead of Promiscuous mode:

    • Enhanced Security: by only allowing the ESXi host to learn MAC addresses on the network, you mitigate the security risks associated with promiscuous mode, where all traffic is captured.
    • Improved Performance: when properly configured, MAC Learning can provide better network performance compared to promiscuous mode.

    Important considerations:

    • Compatibility: Verify that your ESXi version supports MAC Learning functionality.
    • Network Design: Ensure your network configuration allows for proper MAC address learning and management.
    • You can ask the VMware team if they could enable promiscuous mode on a port group via a VMware.com link referenced here (https://support.f5.com/csp/article/K31552842).
    • In my opinion I would prefer to disable MAC masquerade in all virtualized deployments. The benefits of MAC masquerade are not that huge in contrast to the impact that enabling promiscuous mode may have on the remaining network environment.
    • On the other hand I always enable MAC masquerade for physical deployments, since you don't have any negative side effects. Only pure benefits...

    Please refer to this article:
    • K13502: Configuring MAC masquerade (11.x - 17.x): https://my.f5.com/manage/s/article/K13502

    Let me know for more discussion on this.

    Please mark it as the solution if you feel your query has been responded to, saving your time and giving pointers toward resolving your issue, as it will help others use your query scenario to solve their similar issue.

    Best Regards,

    F5 Design Engineer
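As an added example (not code from the thread, from F5 or from VMware), the following Python script checks the two things the answer above turns on: that a port group's security policy accepts MAC address changes and forged transmits while rejecting promiscuous mode, and that each traffic group's masquerade MAC is a unicast, locally administered address that is not reused across traffic groups. It parses text in the shape of `esxcli network vswitch standard portgroup policy security get -p <portgroup>` output; the sample output and the traffic group to MAC mapping are constructed, and the field names are assumed from that command's output format, so confirm them against a live host before relying on the parser.

```python
"""Audit vSphere port group security policy and BIG-IP MAC masquerade addresses.

Added example, not F5 or VMware code. Parses esxcli-style output and reports
settings that would block MAC masquerade, or needlessly widen exposure.
"""
import re

# Constructed samples standing in for esxcli `policy security get` output.
# Field names are assumed from the esxcli format; verify on a real host.
SAMPLE_ESXCLI_OUTPUT = {
    # Desired state: masquerade works, no VM on the port group sees all frames.
    "BIGIP-HA": (
        "Allow Promiscuous: false\n"
        "Allow MAC Address Change: true\n"
        "Allow Forged Transmits: true\n"
        "Override Vswitch Allow Promiscuous: true\n"
        "Override Vswitch Allow MAC Address Change: true\n"
        "Override Vswitch Allow Forged Transmits: true\n"
    ),
    # Works, but promiscuous mode hands every frame on the VLAN to every VM.
    "BIGIP-External": (
        "Allow Promiscuous: true\n"
        "Allow MAC Address Change: true\n"
        "Allow Forged Transmits: true\n"
    ),
    # Everything rejected: masquerade cannot work on this port group.
    "Servers": (
        "Allow Promiscuous: false\n"
        "Allow MAC Address Change: false\n"
        "Allow Forged Transmits: false\n"
    ),
}

# Anchored at line start, so "Override Vswitch ..." lines are skipped and only
# the effective port group values are captured.
POLICY_RE = re.compile(
    r"^\s*(Allow (?:Promiscuous|MAC Address Change|Forged Transmits)):\s*(true|false)\s*$",
    re.IGNORECASE,
)


def parse_security_policy(text):
    """Return {'Allow Promiscuous': bool, ...} from esxcli-style output."""
    policy = {}
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            policy[m.group(1)] = m.group(2).lower() == "true"
    return policy


def assess_policy(policy):
    """List findings for one port group; an empty list means it is fine."""
    findings = []
    # The active unit answers on a MAC that is not the vNIC's assigned address,
    # so inbound frames to that MAC must be accepted ...
    if not policy.get("Allow MAC Address Change", False):
        findings.append("MAC Address Change is Reject: frames to the masquerade MAC are dropped")
    # ... and outbound frames sourced from it must not be treated as forged.
    if not policy.get("Allow Forged Transmits", False):
        findings.append("Forged Transmits is Reject: frames sent from the masquerade MAC are dropped")
    # Promiscuous mode is not needed for either of the above.
    if policy.get("Allow Promiscuous", False):
        findings.append("Promiscuous Mode is Accept: not required for masquerade, widens exposure")
    return findings


def audit_port_groups(outputs):
    """Map port group name -> findings for a dict of esxcli outputs."""
    return {name: assess_policy(parse_security_policy(text)) for name, text in outputs.items()}


def check_masquerade_mac(mac):
    """Sanity-check a candidate masquerade MAC using the IEEE 802 I/G and U/L bits."""
    octets = mac.split(":")
    if len(octets) != 6 or not all(re.fullmatch(r"[0-9a-fA-F]{2}", o) for o in octets):
        return ["not a valid xx:xx:xx:xx:xx:xx address"]
    first = int(octets[0], 16)
    findings = []
    if first & 0x01:
        findings.append("I/G bit set: multicast address, a host cannot own it")
    if not first & 0x02:
        findings.append("U/L bit clear: universally administered, may collide with a burned-in address")
    return findings


def find_duplicate_macs(traffic_group_macs):
    """Each traffic group needs its own masquerade MAC; return any MAC used twice."""
    seen, dupes = set(), set()
    for mac in traffic_group_macs.values():
        norm = mac.lower()
        if norm in seen:
            dupes.add(norm)
        seen.add(norm)
    return sorted(dupes)


if __name__ == "__main__":
    for name, findings in audit_port_groups(SAMPLE_ESXCLI_OUTPUT).items():
        print(f"{name}: {'OK' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
    # Constructed traffic group -> masquerade MAC mapping with a deliberate reuse.
    tg = {"traffic-group-1": "02:01:d7:00:00:01", "traffic-group-2": "02:01:d7:00:00:01"}
    for name, mac in tg.items():
        for f in check_masquerade_mac(mac):
            print(f"{name} {mac}: {f}")
    for mac in find_duplicate_macs(tg):
        print(f"duplicate masquerade MAC across traffic groups: {mac}")
```

Run it against saved `esxcli` output for the port groups carrying BIG-IP VE interfaces; a port group with no findings satisfies the MAC address change and forged transmit requirements without promiscuous mode, which is exactly the configuration the original question asks about.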