Forum Discussion

NiHo_202842's avatar
NiHo_202842
Icon for Cirrostratus rankCirrostratus
Jan 12, 2017

How does MAC Masquerading work exactly?

Hi,

 

I am trying to grasp how exactly MAC Masquerading works, and how it behaves differently during a failover.

 

Situation without MAC Masquerading

 

Every floating Self IP & virtual IP will have a gARP anouncement with the new MAC address issued on the device becoming active, making the switches now route to the new device. Issues can arise if network equipment cannot handle the amount of gARPs.

 

Situation with MAC Masquerading

 

Every floating Self IP in the cluster has the same MAC address. Not sure about the vIPs. During failover, the switches need not learn a new MAC address but just learn it's now available on a new switch. (in our case, L3 switches with OSPF)

 

So how do vIPs fit in the mac masquerade story? And how do switches learn the vIPs/floating Self IPs are now on this port without gARPs? The DevCentral articles do not discuss this in great detail.

 

  • Hi NiHo,

     

    Situation with MAC Masquerading

     

    Every floating Self IP in the cluster has the same MAC address. Not sure about the vIPs. During failover, the switches need not learn a new MAC address but just learn it's now available on a new switch. (in our case, L3 switches with OSPF)

     

    This is not totally correct. The individual floating IPs in a cluster can still have different MACs, since its not the cluster that sticks to the Masquerade-MAC. Its more or less just a given Traffic-Group and each of its ressources (floatings, VIPs, etc.) that uses this Masquerade-MAC for network communications. And each traffic-group on a cluster can have a unique Masquerade-MAC setting which will then become inheriteted to the attached ressources...

     

    So how do vIPs fit in the mac masquerade story? And how do switches learn the vIPs/floating Self IPs are now on this port without gARPs? The DevCentral articles do not discuss this in great detail.

     

    The Masquerade-MAC feature still uses gARPs, but in this case the gARP is only required to overwrite Layer2 CAM-tables of the connected switches (this will cause a one-time Port-Flap during failover events) but without the need to overwrite the MAC-tables of each HOST within the broadcast domain (the ARP entry remains the same after the failover).

     

    In the end the Masquerade-MAC feature makes failover much less error prone (e.g. paket loss / collisions), since a single successful gARP regarless for which VIP, Floating, etc. would be enought to inform the entire network that a failover has been occoured. Without Masquerade-MAC each single VIP, Floating, etc. MUST be gARP anounced and each directly connected HOST much receive and update their own MAC-table.

     

    Buttomline: Always use the Masquerade-MAC feature. It makes the stuff much more robust and future device migrations much easier... ;-)

     

    Cheers, Kai