DFeike_160744
May 27, 2015

MAC Masquerading for VIPs on VLANs on the same Layer2 Network

Hello guys, we've got a customer with a grown and old network design which causes some headache, and I am evaluating possible solutions. During a manually triggered failover for a hotfix installation, some of the 180 VS didn't accept traffic. I guess the switch thought that the sudden amount of GARPs might be an attack and dropped some advertisements. After around 15 min everything was working fine again.


So to prevent something like this in the future I had the idea of using MAC masquerading on the traffic group, but I am uncertain about the possible pros and cons. The BIG-IP has two VLANs configured, internal and external. Each VLAN is on a dedicated physical interface (1.1 and 1.3) and each is untagged, so basically both VLANs are on the same layer 2 network.


What will happen once MAC masquerading is enabled? From my understanding, each IP associated with a VS and each floating self IP will have the same MAC address in the traffic group, which seems like a bad idea to me in the given scenario.


I'd appreciate your input on this.


Best regards, David


  • MAC Masquerading is intended to address the exact issue you are describing. Since the MAC doesn't change during failover, it does not matter if the switch/firewall drops the GARP. The CAM table will update with the location of the MAC, and ARP does not have to update.


  • Thanks for verifying that MAC Masquerading is the correct thing to do if you have a lot of virtuals running. However, are you sure that there is no negative impact if both VLANs are untagged on the same switch? AFAIK switches usually associate a VLAN ID with a MAC. In this case Masquerading would work like a charm, since the switch delivers the frames to the correct physical port.


    However if both F5 "VLANs" are untagged and the switch is seeing the identical MAC on two different ports with no VLAN to differentiate, I believe that this will disrupt any communication.


  • While the frames are untagged, they arrive on the switch port and are immediately associated with the VLAN that is configured on the switch port. There is a MAC address table per VLAN, so you should not run into any issues.


  • I agree with Eric. Anyway, if you want MAC masquerading per VLAN, starting in 11.2 the tm.macmasqaddr_per_vlan db key was introduced.

    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list sys db tm.macmasqaddr_per_vlan
    sys db tm.macmasqaddr_per_vlan {
        value "false"
    }
    
  • I thank you for your input, but there is one misunderstanding. The switchports of the switch don't have any vlan associated with them. As I said, both F5 "vlans" are in the same layer2 domain :) I guess this makes the mac masquerading a bit problematic.


  • L2 domains are generally defined by VLANs, unless you are using a hub. Is this one flat network? What does your switch port configuration look like? Does the switch assign a default VLAN for ports configured without them?
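To make the point from the earlier replies concrete (a per-VLAN MAC table keeps an identical MAC on two access ports apart, whereas one flat domain makes the entry flap), here is an added model of a learning switch; it is not code from the thread or from F5. The ports, VLAN numbers and the masquerade MAC are constructed for the illustration.

```python
class LearningSwitch:
    """Minimal model of a switch forwarding table keyed by (VLAN, MAC).
    An untagged frame is placed in the access VLAN of its ingress port."""

    def __init__(self, port_vlans):
        self.port_vlans = port_vlans   # port -> access VLAN of that port
        self.table = {}                # (vlan, mac) -> port the MAC was last seen on
        self.moves = 0                 # how often an existing entry changed port

    def learn(self, port, src_mac):
        key = (self.port_vlans[port], src_mac)
        if key in self.table and self.table[key] != port:
            self.moves += 1            # the MAC "flapped" to another port
        self.table[key] = port

    def lookup(self, vlan, mac):
        return self.table.get((vlan, mac))


MASQ = "02:01:d7:93:35:0c"   # constructed locally administered masquerade MAC


def separate_vlans():
    # BIG-IP interface 1.1 on switch port 1 (VLAN 10) and 1.3 on port 3 (VLAN 20).
    sw = LearningSwitch({1: 10, 3: 20})
    sw.learn(1, MASQ)
    sw.learn(3, MASQ)
    # Two independent entries, no flapping: (port for VLAN 10, port for VLAN 20, moves)
    return sw.lookup(10, MASQ), sw.lookup(20, MASQ), sw.moves


def flat_network():
    # Same two ports, but both in the switch's default VLAN 1 (one flat L2 domain).
    sw = LearningSwitch({1: 1, 3: 1})
    for port in (1, 3, 1):          # the MAC keeps appearing on alternating ports
        sw.learn(port, MASQ)
    # One shared entry that moves every time the other port sends: (last port, moves)
    return sw.lookup(1, MASQ), sw.moves


def failover_without_garp():
    # Active unit on port 1, standby on port 2, both in VLAN 10. After failover the
    # first frame from the new active relocates the entry; no ARP update is needed.
    sw = LearningSwitch({1: 10, 2: 10})
    sw.learn(1, MASQ)
    sw.learn(2, MASQ)
    return sw.lookup(10, MASQ)
```

`flat_network()` reproduces the case the original poster is worried about: with both interfaces in one VLAN the masquerade MAC is learned on whichever port spoke last, and `moves` counts the resulting table flaps.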