Firewall Wizards mailing list archives
RE: Changes in How ARP is Handled between PIX OS 5.x and OS6.3?
From: "Mike McNutt" <mike.mcnutt () aqssys com>
Date: Tue, 10 Feb 2004 11:35:17 -0600
Harry,

Does the following excerpt from MS white paper (nlbtech2.doc) help out? I would have tried to summarize, but I'm not sure I understand the PIX well enough to know if this is applicable or not - I just vaguely remembered something about WLBS reassigning the cluster node's MAC addy.

HIH!

Mike

-----

Distribution of Cluster Traffic

Network Load Balancing uses layer-two broadcast or multicast to simultaneously distribute incoming network traffic to all cluster hosts. In its default unicast mode of operation, Network Load Balancing reassigns the station address ("MAC" address) of the network adapter for which it is enabled (called the cluster adapter), and all cluster hosts are assigned the same MAC address. Incoming packets are thereby received by all cluster hosts and passed up to the Network Load Balancing driver for filtering. To insure uniqueness, the MAC address is derived from the cluster's primary IP address entered in the Network Load Balancing Properties dialog box. For a primary IP address of 1.2.3.4, the unicast MAC address is set to 02-BF-1-2-3-4. Network Load Balancing automatically modifies the cluster adapter's MAC address by setting a registry entry and then reloading the adapter's driver; the operating system does not have to be restarted.

If the cluster hosts are attached to a switch instead of a hub, the use of a common MAC address would create a conflict since layer-two switches expect to see unique source MAC addresses on all switch ports. To avoid this problem, Network Load Balancing uniquely modifies the source MAC address for outgoing packets; a cluster MAC address of 02-BF-1-2-3-4 is set to 02-h-1-2-3-4, where h is the host's priority within the cluster (set in the Network Load Balancing Properties dialog box). This technique prevents the switch from learning the cluster's actual MAC address, and as a result, incoming packets for the cluster are delivered to all switch ports.

If the cluster hosts are connected directly to a hub instead of to a switch, Network Load Balancing's masking of the source MAC address in unicast mode can be disabled to avoid flooding upstream switches. This is accomplished by setting the Network Load Balancing registry parameter MaskSourceMAC to 0. The use of an upstream level three switch will also limit switch flooding.

-----
-----Original Message-----
From: Dario Calia [mailto:dario_calia () yahoo com]
Sent: Tuesday, February 10, 2004 2:42 AM
To: Harry Whitehouse; firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] Changes in How ARP is Handled between PIX OS 5.x and OS6.3?

Hello Harry,

You most likely want to look @ CSCdt01808 and CSCdw57969. Which version of 5.x were you using?

Thanks,
Dario

--- Harry Whitehouse <harry () endicia com> wrote:

Hello All!

I'm trying to upgrade my PIX firewall and ran into a problem with a Windows Load Balanced Array (WLBS). In my PIX 5.x operating system (which I set up 2 years ago), it seemed to require that I have an ARP statement like this:

arp inside 192.168.100.246 03bf.C0A8.6416 alias

This production box has worked flawlessly for 2+ years. I have a conduit bridging an outside public address to this internal IP address and running https traffic.

When I tried to replace my 5.x PIX box with a new PIX running OS 6.3, the load balancing stopped working completely. I set up a separate test bed with the new PIX and a test Load Balanced array and it seems that WLBS will work WITHOUT the ARP statement, but will not work with the ARP statement.

Does anyone know of changes between the PIX OS versions which would explain this behavior?

TIA
Harry

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
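As an added example (not part of this thread or of Microsoft's NLB documentation), the MAC derivation from the NLB excerpt above worked through in Python, plus a decoder for the Cisco dotted form used in Harry's arp statement. It zero-pads the octets that the white paper writes as 02-BF-1-2-3-4, and the 03-BF prefix check reflects NLB's multicast mode, which the excerpt itself does not cover.

```python
"""Work through the NLB MAC scheme from the excerpt and decode PIX-style MACs."""
import ipaddress


def _octets(ip: str) -> list:
    """Four octets of an IPv4 address as uppercase two-digit hex strings."""
    return [f"{o:02X}" for o in ipaddress.IPv4Address(ip).packed]


def nlb_unicast_mac(primary_ip: str) -> str:
    """Unicast cluster MAC: 02-BF followed by the cluster's primary IP octets."""
    return "-".join(["02", "BF"] + _octets(primary_ip))


def nlb_masked_source_mac(primary_ip: str, host_priority: int) -> str:
    """Per-host source MAC on switched networks: 02-h-<ip>, h = host priority.

    This is what keeps a switch from learning the real cluster MAC, so inbound
    cluster traffic is flooded to every port (the behaviour the excerpt describes).
    """
    if not 1 <= host_priority <= 32:  # NLB supports up to 32 hosts per cluster
        raise ValueError("host priority must be between 1 and 32")
    return "-".join(["02", f"{host_priority:02X}"] + _octets(primary_ip))


def _hexdigits(mac: str) -> str:
    """Strip '-', ':' and '.' separators so any MAC notation can be handled."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return digits


def to_cisco_format(mac: str) -> str:
    """'02-BF-01-02-03-04' -> '02bf.0102.0304', the form PIX 'arp' lines use."""
    digits = _hexdigits(mac).lower()
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def nlb_mode(mac: str) -> str:
    """Classify a cluster MAC by its first two bytes (unknown if neither NLB prefix)."""
    prefix = _hexdigits(mac)[:4].upper()
    # 02-BF is the unicast form from the excerpt; 03-BF is NLB's multicast mode
    # (the mode is my assumption for 03-BF, which the excerpt does not discuss).
    return {"02BF": "unicast", "03BF": "multicast"}.get(prefix, "unknown")


def embedded_ip(mac: str) -> str:
    """Recover the IP address NLB encodes in the last four bytes of the MAC."""
    return str(ipaddress.IPv4Address(bytes.fromhex(_hexdigits(mac)[4:])))
```

Running embedded_ip on the 03bf.C0A8.6416 entry from Harry's message yields 192.168.100.22, not the 192.168.100.246 the arp line maps it to, which is the kind of mismatch worth checking when a static ARP entry for a cluster stops behaving after an upgrade.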
Current thread:
- Changes in How ARP is Handled between PIX OS 5.x and OS6.3? Harry Whitehouse (Feb 04)
- Re: Changes in How ARP is Handled between PIX OS 5.x and OS6.3? Dario Calia (Feb 10)
- <Possible follow-ups>
- RE: Changes in How ARP is Handled between PIX OS 5.x and OS6.3? Mike McNutt (Feb 10)
- RE: Changes in How ARP is Handled between PIX OS 5.x and OS6.3? Harry Whitehouse (Feb 10)