MS-NLB-virtserver

Answered Question
Jun 19th, 2008

Hello,

We recently installed 2 Microsoft servers that use network load balancing configured on the NIC cards.

As a consequence, I discovered that any packet sent to these servers is broadcast to all switch ports!

Using a sniffer I found that the destination MAC address was: MS-NLB-virtserver.

So it seems as if the Cisco switch considers this address as multicast or broadcast, which is why it sends it to all ports.

Any suggestions to fix this problem?

I thought about static MAC-to-port mapping, but is it possible to define 2 static entries for the same MAC?

jsivulka Wed, 06/25/2008 - 06:11

If the cluster hosts are attached to a switch instead of a hub, the use of a common MAC address would create a conflict since layer-two switches expect to see unique source MAC addresses on all switch ports. To avoid this problem, Network Load Balancing uniquely modifies the source MAC address for outgoing packets; a cluster MAC address of 02-BF-1-2-3-4 is set to 02-h-1-2-3-4, where h is the host's priority within the cluster (set in the Network Load Balancing Properties dialog box). This technique prevents the switch from learning the cluster's actual MAC address, and as a result, incoming packets for the cluster are delivered to all switch ports.

The below URL addresses a problem where Windows Load Balancing Server (WLBS) causes slow traffic through switches.

http://www.cisco.com/en/US/tech/tk870/tk877/tk880/technologies_tech_note09186a008011b481.shtml

http://support.microsoft.com/default.aspx?scid=kb;en-us;193602

andrew.butterworth Wed, 06/25/2008 - 06:44

MS NLB works in several ways - unicast, multicast Layer-2 and Multicast IP with IGMP. It looks like you have it installed with Unicast. With this there is a virtual MAC & IP address assigned to the application that is clustered. The MAC is a virtual MAC address that never appears on the network, however the Cluster members respond to ARPs using this virtual MAC. What happens is within the Layer-2 domain the MAC is not seen so is flooded to all ports. This is the expected behaviour; check the CAM tables on the switches in the Layer-2 domain and you won't find it, however it will be in the ARP tables on the Layer-3 devices within the domain.

I have seen a few networks drop to their knees when MS-NLB is deployed without consultation from the Network administrators....

HTH

Andy

ohassairi Thu, 06/26/2008 - 02:25

Thank you both for your help.

So according to what I read there is no solution for this problem.

The only thing that we can do is to put the 2 NICs in a separate VLAN!

Can you confirm it?

Thanks

andrew.butterworth Thu, 06/26/2008 - 02:33

Depending on the number of switches in the layer-2 broadcast domain you could hard-code the Virtual MAC address into the CAM tables. You can also do the same for Layer-2 Multicast. If you use Layer-3 Multicast & IGMP then if you have Multicast routing enabled & IGMP snooping in your network it should all be automatic since the IGMP snooping mechanism would learn which hosts want to receive the IP Multicast traffic.

What you suggest though is a good way forward. Create a new VLAN and limit where it goes - keep it confined to one or two switches where the Cluster hosts are.

HTH

Andy

ohassairi Thu, 06/26/2008 - 10:41

Thanks Andrew, actually we did not activate IGMP and it will be very difficult to create new VLANs; this would perturb the network design.

However, it could be a good idea to hardcode the virtual MAC address into the CAM since the number of switches is limited.

ohassairi Thu, 06/26/2008 - 10:57

Could you advise with the commands? Shall we have 2 static entries for the same MAC using mac-address-table static.....

Correct Answer
andrew.butterworth Thu, 06/26/2008 - 11:07

On each of the access switches in the Layer-2 broadcast domain enter the command:

mac address-table static 1111.1111.1111 vlan 10 interface FastEthernet0/1 FastEthernet0/2

Obviously change the MAC address from 1111.1111.1111 and the interfaces to the real interfaces where the Cluster is (you can have several interfaces in the list). If the Cluster isn't directly connected to the switch but the switch is in the same layer-2 domain you will need to add it to the uplink. If you have a redundant (STP) topology you will need to add it to each potential path.

HTH

Andy
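
The MAC scheme described by jsivulka and the static CAM entry from the answer above can be worked through in code. This is an added example, not part of the original thread: the function names are hypothetical, the VLAN and interfaces are the placeholders from the answer, and the 03-BF multicast prefix is general NLB behaviour that the thread itself does not state.

```python
import ipaddress
import re

def cisco_mac(octets):
    """Format 6 bytes in Cisco dotted notation, e.g. 02bf.0102.0304."""
    h = bytes(octets).hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"

def nlb_unicast_macs(cluster_ip, host_priorities):
    """Cluster MAC (02-BF + IP) and per-host masked source MACs (02-h + IP)."""
    ip = ipaddress.IPv4Address(cluster_ip).packed
    macs = {"cluster": cisco_mac(b"\x02\xbf" + ip)}
    for h in host_priorities:
        if not 1 <= h <= 32:          # NLB host priority range
            raise ValueError(f"host priority out of range: {h}")
        macs[f"host{h}"] = cisco_mac(bytes([0x02, h]) + ip)
    return macs

def decode_nlb_mac(mac):
    """Classify a MAC seen in a capture or CAM table; None if not NLB-shaped."""
    digits = re.sub(r"[.:\-]", "", mac)
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a full 48-bit MAC: {mac!r}")
    b = bytes.fromhex(digits)
    ip = str(ipaddress.IPv4Address(b[2:]))
    if b[:2] == b"\x02\xbf":
        return ("unicast cluster MAC", ip, None)
    if b[:2] == b"\x03\xbf":          # Layer-2 multicast mode (not from this thread)
        return ("multicast cluster MAC", ip, None)
    if b[0] == 0x02 and 1 <= b[1] <= 32:
        return ("masked source MAC", ip, b[1])
    return None

def static_entry(cluster_ip, vlan, interfaces):
    """Build the static CAM command in the syntax used in the answer above."""
    mac = nlb_unicast_macs(cluster_ip, [])["cluster"]
    return f"mac address-table static {mac} vlan {vlan} interface {' '.join(interfaces)}"

if __name__ == "__main__":
    # Constructed input: cluster IP 1.2.3.4 matches the 02-BF-1-2-3-4 example.
    print(nlb_unicast_macs("1.2.3.4", [1, 2]))
    print(decode_nlb_mac("0201.0102.0304"))
    print(static_entry("1.2.3.4", 10, ["FastEthernet0/1", "FastEthernet0/2"]))
```

Only the 02-BF cluster MAC is a destination that the switch never learns; the 02-h addresses are real source MACs and appear in the CAM table on their own.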

ahmad82pkn Mon, 04/29/2013 - 16:20

I did as Andy said, but no luck.

Any thoughts why?

I connected an L2 switch with port-channel 48 and mentioned all the CAS MAC addresses against that port channel, but traffic is still flooding. What else can I check?

HAMP6509CORE#sh run | inc static

mac-address-table static 0201.0a50.0a81 vlan 810 interface Port-channel48

mac-address-table static 0202.0a50.0a81 vlan 810 interface Port-channel48

mac-address-table static 02bf.0a50.0a81 vlan 810 interface Port-channel48
