Cisco Support Community

Microsoft NLB and FWSM in transparent mode

Consider the following basic topology:

[Figure: Diagram2.png]

When configured in multicast mode, MS NLB uses a 03xx.xxxx.xxxx multicast MAC address, which is outside of the IANA range.

Normally, when there is no FWSM in the path between the clients and the NLB servers, you configure the switch as described here:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a0080a07203.shtml

or here:

https://supportforums.cisco.com/thread/2052888

In short, you need to add static ARP entries to the switches that route into the NLB VLAN. This is necessary because the clients access the NLB cluster at its unicast IP address, which is tied to the multicast MAC, and Cisco devices do not accept an ARP reply for a unicast IP address that contains a multicast MAC address:

arp 172.16.63.241 <multicast MAC of the VIP> ARPA

You also need to add static MAC entries (fa2/3 and fa2/4 are the switch ports the servers are connected to):

mac-address-table static <multicast MAC of the VIP> vlan 200 interface fa2/3 fa2/4

Now, consider the following topology, where we add a transparent FWSM bridging vlan 200 and 300:

[Figure: Diagram1.png]

If the NLB cluster is configured in multicast mode, the traffic going to the servers will be dropped by the FWSM, even though the switch is configured correctly. This is because the FWSM, when in bridged (transparent) mode, does not allow multicast MAC addresses outside of the IANA range through:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/fwmode_f.html#wp1222689

The solution is to configure the NLB cluster in multicast mode with IGMP support, so that the virtual MAC address of the NLB VIP falls in the IANA range 0100.5Exx.xxxx. Here is a link showing how to configure the NLB cluster accordingly:

http://support.microsoft.com/kb/323437/EN-US/
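
To check which side of the IANA boundary a cluster MAC falls on before it is placed behind the FWSM, here is an added example (not part of the original document or of any Cisco or Microsoft tool). It assumes NLB's default cluster-MAC derivation from the VIP; the function names are hypothetical, so confirm the actual MAC in NLB Manager.

```python
import ipaddress

# Assumption: NLB's default cluster-MAC derivation (02-BF / 03-BF + the four VIP
# octets; 01-00-5E-7F + the last two VIP octets with IGMP support).
PREFIX = {"unicast": b"\x02\xbf", "multicast": b"\x03\xbf", "igmp": b"\x01\x00\x5e\x7f"}

def cisco_mac(raw):
    """Format six bytes in Cisco dotted notation (xxxx.xxxx.xxxx)."""
    h = raw.hex()
    return ".".join(h[i:i + 4] for i in range(0, 12, 4))

def nlb_cluster_mac(vip, mode):
    """Return the cluster MAC NLB is expected to use for `vip` in `mode`."""
    ip = ipaddress.IPv4Address(vip).packed
    if mode not in PREFIX:
        raise ValueError(f"unknown NLB mode: {mode}")
    tail = ip[2:] if mode == "igmp" else ip
    return cisco_mac(PREFIX[mode] + tail)

def classify_mac(mac):
    """Classify a MAC as unicast, multicast-iana or multicast-non-iana."""
    raw = bytes.fromhex(mac.replace(".", "").replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    if not raw[0] & 0x01:           # I/G bit clear: unicast destination
        return "unicast"
    # IANA range as given on this page: 0100.5Exx.xxxx
    return "multicast-iana" if raw[:3] == b"\x01\x00\x5e" else "multicast-non-iana"

def switch_static_entries(vip, mode, vlan, ports):
    """Build the static ARP and MAC entries described above for one VIP."""
    mac = nlb_cluster_mac(vip, mode)
    return [f"arp {vip} {mac} ARPA",
            f"mac-address-table static {mac} vlan {vlan} interface {' '.join(ports)}"]

if __name__ == "__main__":
    vip = "172.16.63.241"           # VIP used in the ARP example on this page
    for mode in ("multicast", "igmp"):
        mac = nlb_cluster_mac(vip, mode)
        print(f"{mode:9} {mac} {classify_mac(mac)}")
    print("\n".join(switch_static_entries(vip, "multicast", 200, ["fa2/3", "fa2/4"])))
```

A result of `multicast-non-iana` for the cluster MAC indicates the multicast-mode address that the transparent FWSM drops; `multicast-iana` is what the IGMP-enabled mode should yield.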

Version history: revision 1 of 1, last update 03-02-2011 05:57 AM