Forum Discussion
VE LTM Frequently Reporting Bandwidth Exceeding 75% of Licensed 1000 Mbps
Thanks Cirrus!
I'll check if packets are being dropped and try to figure out what they are intended for.
We recently replaced legacy LTM platforms with the VEs reporting the bandwidth alerts. Our legacy MAC Masquerade settings were also applied to the VEs. When the VEs were activated, pools were green but no traffic in or out. I found the vmware article you referenced during the maintenance to enable promiscuous mode. I was not sure what would happen in HA failovers if MAC Masquerade was disabled and asked our vmware admin if they could try enabling it on the interface configured with portgroup/trunk VLAN 4095 (to allow all vlans). As soon as they did, traffic started flowing and we left it in place.
I do not know much about vmware; is promiscuous mode required to enable a portgroup on a VE interface? Do you recommend disabling MAC Masquerade on our VEs (ESXi) and turning off promiscuous mode in vmware? Our (platform) failovers (with MAC Masquerade) have been seamless in the past; what difference could be expected in a failover event with MAC Masquerade disabled in vmware? I’m sure that depends on the network and other factors, but I’m wondering if dropped connections should be expected on a typical network if we do disable.
Incidentally, because of the vmware warnings about promiscuous mode, I posted another question to DevCentral about this very topic titled, "VE MAC Masquerade in VMware - Good or Bad?"
Hi speachey,
When promiscuous mode is enabled at the virtual switch level, all portgroups within the vSwitch will default to allowing promiscuous mode. However, promiscuous mode can be explicitly disabled at one or more portgroups within the vSwitch, which override the vSwitch defined default.
For MAC masquerading:
To optimize traffic flow during failover events, you can configure MAC masquerade addresses for any defined traffic groups on the BIG-IP system. A MAC masquerade address is a unique, floating MAC address that you create. You can assign one MAC masquerade address to each traffic group on a BIG-IP device. By assigning a MAC masquerade address to a traffic group, you associate that address with any floating IP addresses associated with the traffic group.
The BIG-IP system uses the MAC masquerade MAC address when sending a gratuitous ARP during a failover event.
Gratuitous ARP announcements for masqueraded MAC addresses are not limited to the specific VLANs that virtual address instances reside. The virtual addresses gratuitous ARP announcements are sent out on all configured VLANs.
MAC masquerade does not affect health monitor traffic. The BIG-IP systems continue to use the original MAC address when performing health checks.
When configuring traffic-group MAC masquerading for BIG-IP Virtual Edition (VE) on VMware ESX or ESXi servers, you must set the virtual switch's Forged Transmits and Promiscuous Mode settings to Accept. (These settings are disabled by default).
For information about enabling Promiscuous Mode and Forged Transmits on the virtual switch, refer to the VMware knowledge base article listed in the Supplemental section or in the VMware documentation for your specific VMware version.
F5 Recommendations
F5 recommends that hypervisor administrators be very conservative with regard to interface usage after you enable promiscuous mode.
All packets are mirrored to all interfaces in the same portgroup or vSwitch on which promiscuous mode is enabled. For each interface in the vSwitch or portgroup, an additional hypervisor CPU is required to copy these packets.
This can lead to CPU exhaustion for the hypervisor, even if an interface is uninitialized on the BIG-IP system. F5 recommends that you use only one interface in a portgroup or vSwitch on which promiscuous mode is enabled.
Additionally, you should never use the standby unit on the same hypervisor as the active unit (which is normally a best practice for BIG-IP VEs) because, in promiscuous mode, the system copies all traffic to both the active and standby devices when MAC masquerade is in use on VMware.
Starting from VMware ESXi 6.7, Promiscuous Mode can be replaced by MAC Learning in a supported environment, that is, Promiscuous Mode can be set to Reject when MAC Learning is enabled on the vSwitch that the BIG-IP VM is part of. The MAC Learning feature is supported only on Distributed Virtual (DV) Port groups.
To optimize the flow of traffic during failover events, you can configure MAC masquerade addresses for any defined traffic groups on the BIG-IP system. A MAC masquerade address is a unique, floating MAC address that you create. You can assign one MAC masquerade address to each traffic group on a BIG-IP device. By assigning a MAC masquerade address to a traffic group, you associate that address with any floating IP addresses associated with the traffic group. By configuring a MAC masquerade address for each traffic group, a single VLAN can potentially carry traffic and services for multiple traffic groups, with each service having its own MAC masquerade address.
K3523: Choosing a unique MAC address for MAC masquerade
https://support.f5.com/csp/article/K3523
Please let me know if you need more details and I will be glad to assist you further.
HTH
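An added audit script, not from this thread or from F5, that turns the reply's checklist into a PowerCLI query: for each vNIC of a BIG-IP VE it reads the standard port group's security policy and flags Promiscuous Mode or Forged Transmits set to Reject, a promiscuous port group shared by more than one vNIC, and two VEs placed on the same hypervisor. It assumes an existing Connect-VIServer session and placeholder VM names.

```powershell
# Added audit example (not from the thread or F5). Assumes VMware PowerCLI and an
# existing Connect-VIServer session; VM names below are placeholders.
param(
    [string[]]$BigIpVmNames = @('bigip-ve-a', 'bigip-ve-b')   # placeholder names
)

$findings  = @()
$hostsUsed = @{}

foreach ($vmName in $BigIpVmNames) {
    $vm     = Get-VM -Name $vmName -ErrorAction Stop
    $vmHost = $vm.VMHost
    $hostsUsed[$vmHost.Name] += 1

    foreach ($nic in Get-NetworkAdapter -VM $vm) {
        # Only standard vSwitch port groups expose Get-SecurityPolicy;
        # distributed port groups (where MAC Learning applies) need Get-VDSecurityPolicy
        $pg = Get-VirtualPortGroup -VMHost $vmHost -Name $nic.NetworkName -Standard -ErrorAction SilentlyContinue
        if (-not $pg) {
            $findings += "$vmName/$($nic.Name): '$($nic.NetworkName)' is not a standard port group (check DVS policy / MAC Learning)"
            continue
        }
        $pol = Get-SecurityPolicy -VirtualPortGroup $pg

        # MAC masquerade on VE requires both settings to be Accept
        if (-not $pol.AllowPromiscuous) { $findings += "$vmName/$($nic.Name): Promiscuous Mode is Reject on '$($pg.Name)'" }
        if (-not $pol.ForgedTransmits) { $findings += "$vmName/$($nic.Name): Forged Transmits is Reject on '$($pg.Name)'" }

        # F5 recommends a single interface per promiscuous port group (hypervisor CPU cost)
        if ($pol.AllowPromiscuous) {
            $attached = @(Get-VM -Location $vmHost | Get-NetworkAdapter | Where-Object { $_.NetworkName -eq $pg.Name })
            if ($attached.Count -gt 1) {
                $findings += "'$($pg.Name)' on $($vmHost.Name) is promiscuous with $($attached.Count) vNICs attached (F5 recommends one)"
            }
        }
    }
}

# Active and standby on one hypervisor means all traffic is copied to both units
foreach ($h in $hostsUsed.Keys) {
    if ($hostsUsed[$h] -gt 1) { $findings += "$($hostsUsed[$h]) BIG-IP VEs share hypervisor $h" }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```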