Forum Discussion
VE MAC Masquerade in VMware - Good or Bad?
Hi Speachey,
I've disabled MAC masquerade in all virtualized deployments. The benefits of MAC masquerade are not that huge in contrast to impact that enabling promiscous mode may have on the remaining network environment.
On the other hand I always enable MAC masquerade for pysical deployments, since you dont have any negative side effects. Only pure benefits...
Cheers, Kai
Thanks Kai!
I'm curious to learn any issues you have noticed with virtualized failovers without MAC Masquerade (dropped sessions, etc.).
- Kai_WilkeDec 17, 2022MVP
So far I haven't experienced any "known" issues (at least I've not detected any).
Let me explain what is happening behind the scenes to understand the more or less "theoretical" impact the setting is fighting...
During a failover event, all your floating IPs (Selfs, VIPs, SNATs) are going to send a gratuitous ARP packet telling the entire network that a given IP is now using this MAC address.
Masquerade Enabled: You dont change the MAC for a given IP during a Failover. You still send those gratuitous ARP packets, but those are basically only used to tell your switches to forward traffic for your Masquerade MAC to a new switch port. Every L3 instances in your network will refresh the MAC table (nothing changed). Gratious ARP packets may become lost in transit, but luckily you probably send those for a bunch of floating IPs so that a single gratious ARP packet would be enough to train your switches to use a new port.
Masquerade Disabled: You change the MAC address of your floating IPs during failover. Gratious ARP needs now explain this change for every single floating IP to every single L3 instance in your network. The impact of gratuitous ARP packet loss is now in a exponential growth. The more floating IPs you use and the more L3 instances are connected to your network the more likely is a single packet loss. When a L3 instance missed to receive a gratuitous ARP packet, it will not be able to connect to the floating IP until ARP caches timed out. The issues will be sporadic and will probably only affect a few floating IPs and a few connected L3 devices...
Note: Beside of what was written above. Some L3 router are limiting the amount of gratuitous ARP packet to become processed per second. If their limit is configured to 250 and you going to failover 251 floating IPs, then this will always fail for 1 random floating IP.
Cheers, Kai
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com