
ARP requests if the response contains a multicast MAC address.

howie4ccna
Level 1

Hi all;

Cisco newbie, but I am managing pretty good so far. However, I do need a little direction on this one.

I am implementing a Watchguard "FireCluster" in an Active/Active configuration. From the Watchguard docs, they say the following:

"All switches and routers in an active/active FireCluster broadcast domain must meet these requirements.

All switches and routers in the broadcast domain must not block ARP requests if the response contains a multicast MAC address.
This is the default behavior for most layer 2 switches.
For routers and layer 3 switches, the default behavior is to follow RFC 1812, which says that the router must not believe any ARP reply that claims that the Link Layer address of another host or router is a broadcast or multicast address. If possible, disable this behavior. If you are unable to block RFC 1812 support, you might need to configure static MAC and static ARP entries on your routing device."

On one side of this Watchguard is my Cisco switches (PLC network) and the other side is my HP switches (Corp Network).

Cisco side has: (all Lan Base)

2 x 2960x (v15.0(2a)EX5-UniversalK9 - Stacked

2 x IE5000 (v15.2(2)EB1 (Crypto) Universal

23 x IE2000 (v15.0(2)EA-1-UniversalK9

HP side has: 20 or so more switches but the Core is:

4 x A5500-4SFP-HI (IRF)

Would someone like to elaborate on how this can be accomplished? Do I have to create entries on each and every switch in the broadcast domain manually, once I get pointed in the right direction and know what I need to do?

Any input or advice would be much appreciated.

Thank you


julijime
Cisco Employee

Hi howie4ccna,

I'm not too familiar with the Watchguard FireCluster, but after reading a little bit about this cluster it seems that it uses a multicast MAC address assigned to a unicast IP address, similar to another solution like Microsoft's NLB.

Based on this behavior, you will encounter two inconveniences:

  1. A multicast MAC address is never used as source address for a packet. Such addresses do not appear in the MAC address table, and the switch has no method for learning them.
  2. As you mentioned previously, devices do not accept an ARP reply for a unicast IP address that contains a multicast MAC address.

In order to modify this behavior, you can statically configure the ARP and MAC entries within your broadcast domain. The following commands and link can be a good reference:

arp 172.16.63.241 0100.5e11.1111
mac-address-table static 0100.5e11.1111 vlan 200 interface fa2/3

http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/107995-config-catalyst-00.html#mm

HTH

Julio
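
An added example, not part of Julio's post and not Cisco or Watchguard code: a Python sketch of the check the thread revolves around. It parses an Ethernet/IPv4 ARP reply, tests the I/G bit (lowest bit of the first octet) of the sender MAC, and applies the RFC 1812 rule quoted in the question. The function names and the target addresses are assumptions made for the illustration; the first two sender IP/MAC pairs are the ones quoted in this thread.

```python
import ipaddress
import re
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # Ethernet/IPv4 ARP payload, 28 bytes

def parse_mac(text):
    """Accept 0100.5e11.1111, 01:00:5e:11:11:11 or 01-00-5e-11-11-11."""
    digits = re.sub(r"[.:-]", "", text.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)

def is_group_mac(mac):
    """True when the I/G bit is set: the address is multicast or broadcast."""
    return bool(mac[0] & 0x01)

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build a constructed ARP reply payload (opcode 2) for the demonstration."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 2,
                       parse_mac(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
                       parse_mac(target_mac), ipaddress.IPv4Address(target_ip).packed)

def check_arp_reply(payload):
    """Apply the RFC 1812 rule quoted in the thread to one ARP reply."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = struct.unpack(
        ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, 2):
        raise ValueError("not an Ethernet/IPv4 ARP reply")
    group = is_group_mac(sha)
    return {
        "ip": str(ipaddress.IPv4Address(spa)),
        "mac": ":".join(f"{b:02x}" for b in sha),
        "accepted": not group,        # an RFC 1812 router ignores a group MAC
        "needs_static_entry": group,  # such hosts need static ARP/MAC entries
    }

# Constructed replies. Sender pairs 1 and 2 are quoted in this thread; pair 3
# and all target fields are made up for the example.
SAMPLES = [
    build_arp_reply("0100.5e11.1111", "172.16.63.241", "02:00:00:00:00:01", "172.16.63.1"),
    build_arp_reply("11:22:33:44:55:66", "192.168.1.2", "02:00:00:00:00:01", "192.168.1.1"),
    build_arp_reply("00-11-22-33-44-55", "192.168.1.10", "02:00:00:00:00:01", "192.168.1.1"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_arp_reply(sample))
```

Running the same check over the `show arp` or packet-capture data of a broadcast domain lists the hosts whose replies a layer 3 device following RFC 1812 will not learn dynamically.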

Hi all,

we have the same problem with a Cisco SG350-52 switch.

On port 19 we have a device (A) with a unicast IP (192.168.1.2) but a multicast MAC (11:22:33:44:55:66).

When we now try to ping this device from another device (B) which is connected on port 1 we can see that the arp request goes out of port 19 to the device (A) which has the multicast MAC, and that the device (A) with the multicast MAC sends the arp reply back to port 19.

BUT the arp reply is not sent from port 1 back to device (B).

 

Julio explained why we do not get an arp reply:


@julijime wrote:

Based on this behavior, you will encounter two inconveniences:

  1. A multicast MAC address is never used as source address for a packet. Such addresses do not appear in the MAC address table, and the switch has no method for learning them.
  2. As you mentioned previously, devices do not accept an ARP reply for a unicast IP address that contains a multicast MAC address.

 

But he also wrote that it is possible to define the entries statically:


@julijime wrote:
...

In order to modify this behavior, you can statically configure the ARP and MAC entries within your broadcast domain. The following commands and link can be a good reference:

arp 172.16.63.241 0100.5e11.1111
mac-address-table static 0100.5e11.1111 vlan 200 interface fa2/3

...

But when we try to define these static entries for arp and the mac address table we always get the error response:

“ARP MAC address must be Unicast address.”


 

Are we making any mistakes, or are these static entries for a multicast MAC only possible with Catalyst switches and not possible with an SG350-52?

 

Kind Regards

Tanja

 

 

 

Tanja

I am not authoritative on this question, and if someone who is authoritative would jump in that would be great. But I believe that you are correct that the SG350 is significantly different from the Catalyst switches and one of the differences is that the SG350 code does not allow configuration to use the multicast mac and the Catalyst code does.

HTH

Rick

Hi Rick,

 


@Richard Burts wrote:

and one of the differences is that the SG350 code does not allow configuration to use the multicast mac and the Catalyst code does.


Your answer verifies our assumption that the SG350 does not have the feature to enter multicast mac in the static table.

THANKS.

Best Regards

Tanja

 

 

 

rais
Level 7

Having static arp entries for multicast addresses could be a way to direct traffic to destination ports but would this be scalable? Generally IGMP snooping would be used to dynamically populate the mac table for multicast traffic and the SG350 does support IGMP snooping.

 

Hi rais,

you're right, this is not a scalable solution, but in this specific case we just want to make the static entry.
Do you agree or disagree with Rick that it is not possible to configure a static entry for a multicast mac on the SG350?

Best Regards

Tanja

rais
Level 7

Cisco products are many and use many OS - IOS, XE, XR, NX. I don't expect all the products to have the same commands/features. 
