Firewall Wizards mailing list archives

RE: Changes in How ARP is Handled between PIX OS 5.x and OS6.3?


From: "Mike McNutt" <mike.mcnutt () aqssys com>
Date: Tue, 10 Feb 2004 11:35:17 -0600

Harry,

Does the following excerpt from MS white paper (nlbtech2.doc) help out?  I would have tried to summarize, but I'm not 
sure I understand the PIX well enough to know if this is applicable or not - I just vaguely remembered something about 
WLBS reassigning the cluster node's MAC addy.  HIH!

Mike


-----

Distribution of Cluster Traffic

        Network Load Balancing uses layer-two broadcast or multicast to simultaneously distribute incoming network 
traffic to all cluster hosts. In its default unicast mode of operation, Network Load Balancing reassigns the station 
address ("MAC" address) of the network adapter for which it is enabled (called the cluster adapter), and all cluster 
hosts are assigned the same MAC address. Incoming packets are thereby received by all cluster hosts and passed up to 
the Network Load Balancing driver for filtering. To ensure uniqueness, the MAC address is derived from the cluster's 
primary IP address entered in the Network Load Balancing Properties dialog box. For a primary IP address of 1.2.3.4, 
the unicast MAC address is set to 02-BF-1-2-3-4. Network Load Balancing automatically modifies the cluster adapter's 
MAC address by setting a registry entry and then reloading the adapter's driver; the operating system does not have to 
be restarted.
        If the cluster hosts are attached to a switch instead of a hub, the use of a common MAC address would create a 
conflict since layer-two switches expect to see unique source MAC addresses on all switch ports. To avoid this problem, 
Network Load Balancing uniquely modifies the source MAC address for outgoing packets; a cluster MAC address of 
02-BF-1-2-3-4 is set to 02-h-1-2-3-4, where h is the host's priority within the cluster (set in the Network Load 
Balancing Properties dialog box). This technique prevents the switch from learning the cluster's actual MAC address, 
and as a result, incoming packets for the cluster are delivered to all switch ports. If the cluster hosts are connected 
directly to a hub instead of to a switch, Network Load Balancing's masking of the source MAC address in unicast mode 
can be disabled to avoid flooding upstream switches. This is accomplished by setting the Network Load Balancing 
registry parameter MaskSourceMAC to 0. The use of an upstream level three switch will also limit switch flooding.

-----

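The white paper excerpt above gives the MAC derivation in prose only. What follows is an added example (not part of the original message, the white paper, or any Cisco or Microsoft code) that carries the two rules out in Python: the shared unicast cluster MAC (02-BF followed by the primary IP's octets) and the per-host masked source MAC (02-h followed by the same octets), plus the reverse decode and a check of a PIX `arp <interface> <ip> <mac> alias` statement against the derivation. Assumptions, flagged in the code as well: the paper's "1-2-3-4" stands for the four IP octets each written as a two-digit hex byte, the host priority h is written the same way, and an NLB cluster holds at most 32 hosts. The sample arp lines at the bottom are constructed for the demonstration and are not taken from any real configuration.

```python
"""Derive and check the MAC addresses Windows NLB (WLBS) uses in unicast mode.

Added example, not code from the white paper, the PIX, or the thread.
Assumptions: the "1-2-3-4" in the paper's 02-BF-1-2-3-4 means the four IP
octets, each rendered as a two-digit hex byte; the host priority h in
02-h-1-2-3-4 is rendered the same way; clusters hold at most 32 hosts.
"""
import ipaddress
import re
from typing import Optional, Tuple

NLB_UNICAST_SECOND_OCTET = 0xBF   # from the excerpt: cluster MAC is 02-BF-w-x-y-z
MAX_HOST_PRIORITY = 32            # assumption: NLB host priorities run 1..32


def normalize_mac(text: str) -> bytes:
    """Accept PIX dotted (02bf.c0a8.64f6), dashed (02-BF-C0-A8-64-F6) or colon notation."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", text)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {text!r}")
    return bytes.fromhex(digits)


def pix_mac(mac: bytes) -> str:
    """Render a MAC the way the PIX 'arp' command writes it: hhhh.hhhh.hhhh."""
    h = mac.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def nlb_cluster_mac(cluster_ip: str) -> bytes:
    """Shared unicast cluster MAC: 02-BF followed by the primary IP's four octets."""
    return bytes([0x02, NLB_UNICAST_SECOND_OCTET]) + ipaddress.IPv4Address(cluster_ip).packed


def nlb_masked_source_mac(cluster_ip: str, host_priority: int) -> bytes:
    """Per-host source MAC each node writes into outgoing frames (MaskSourceMAC left at 1)."""
    if not 1 <= host_priority <= MAX_HOST_PRIORITY:
        raise ValueError(f"host priority must be 1..{MAX_HOST_PRIORITY}")
    return bytes([0x02, host_priority]) + ipaddress.IPv4Address(cluster_ip).packed


def classify_nlb_mac(mac: bytes) -> Tuple[str, Optional[str]]:
    """Reverse the derivation: ('cluster', ip), ('host-<h>', ip) or ('other', None)."""
    if mac[0] != 0x02:
        return ("other", None)
    ip = str(ipaddress.IPv4Address(mac[2:]))
    if mac[1] == NLB_UNICAST_SECOND_OCTET:
        return ("cluster", ip)
    if 1 <= mac[1] <= MAX_HOST_PRIORITY:
        return (f"host-{mac[1]}", ip)
    return ("other", None)


# PIX syntax as it appears in the thread: arp <interface> <ip> <mac> [alias]
PIX_ARP_RE = re.compile(r"^\s*arp\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)(\s+alias)?\s*$")


def check_pix_arp(line: str) -> dict:
    """Parse a PIX arp statement and test whether its MAC is NLB's cluster MAC for its IP."""
    m = PIX_ARP_RE.match(line)
    if not m:
        raise ValueError(f"not a PIX arp statement: {line!r}")
    ifname, ip, mac_text, alias = m.groups()
    mac = normalize_mac(mac_text)
    expected = nlb_cluster_mac(ip)
    kind, decoded_ip = classify_nlb_mac(mac)
    return {
        "interface": ifname,
        "ip": ip,
        "mac": pix_mac(mac),
        "alias": alias is not None,
        "matches_nlb_unicast": mac == expected,
        "expected_nlb_mac": pix_mac(expected),
        "mac_kind": kind,
        "ip_encoded_in_mac": decoded_ip,
    }


if __name__ == "__main__":
    # Constructed sample lines, not taken from any real configuration.
    for line in [
        "arp inside 192.168.100.246 02bf.c0a8.64f6 alias",   # cluster MAC for that IP
        "arp inside 10.0.0.5 02bf.0a00.0001 alias",          # MAC encodes 10.0.0.1, not 10.0.0.5
        "arp dmz 10.0.0.5 0203.0a00.0005 alias",             # masked source MAC of host priority 3
    ]:
        r = check_pix_arp(line)
        print(f"{line!r}: nlb_unicast={r['matches_nlb_unicast']} kind={r['mac_kind']} "
              f"encodes={r['ip_encoded_in_mac']} expected={r['expected_nlb_mac']}")
```

The check only tells you whether a static arp entry agrees with the unicast derivation in the excerpt; it says nothing about whether a given PIX release needs such an entry at all, which is the question the thread is asking.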


-----Original Message-----
From: Dario Calia [mailto:dario_calia () yahoo com]
Sent: Tuesday, February 10, 2004 2:42 AM
To: Harry Whitehouse; firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] Changes in How ARP is Handled between PIX OS 5.x and OS6.3?


Hello Harry,

You most likely want to look @ CSCdt01808 and CSCdw57969.  Which version of 5.x were you using?

Thanks, Dario


--- Harry Whitehouse <harry () endicia com> wrote:
Hello All!

I'm trying to upgrade my PIX firewall and ran into a problem with a Windows Load Balanced Array (WLBS).  In my PIX 5.x operating system (which I set up 2 years ago), it seemed to require that I have an ARP statement like this:

arp inside 192.168.100.246 03bf.C0A8.6416 alias

This production box has worked flawlessly for 2+ years.  I have a conduit bridging an outside public address to this internal IP address and running https traffic.

When I tried to replace my 5.x PIX box with a new PIX running OS 6.3, the load balancing stopped working completely.  I set up a separate test bed with the new PIX and a test Load Balanced array and it seems that WLBS will work WITHOUT the ARP statement, but will not work with the ARP statement.

Does anyone know of changes between the PIX OS versions which would explain this behavior?

TIA

Harry

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com

http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


