[c-nsp] Are multicast MAC addresses allowed in the source field?

Benny Amorsen benny+usenet at amorsen.dk
Mon Oct 18 14:04:39 EDT 2010


John Neiberger <jneiberger at gmail.com> writes:

> We have an application involving a firewall cluster where the cluster
> has a VIP associated with it, but the VIP apparently replies to ARP
> requests with a multicast MAC address. The idea, ultimately, is that
> both firewalls in the cluster will receive the same traffic all the
> time. To make this work, the router would have to accept an ARP reply
> that had a multicast source address (I have no idea if that's
> technically a problem or not) and the switches would have to populate
> their MAC address tables properly.

Sadly RFC 1812 hasn't been updated, so some routers (notably Juniper and
Cisco) do not accept multicast MAC addresses as ARP replies. For those
you need to configure static ARP, which is a pain. It is a shame that
none of the multicast-based cluster vendors (Stonesoft, Microsoft,
Checkpoint, I'm sure there are more) invested the effort required to get
this method officially RFC-blessed.

> It seems to me that this ought to work as long as we're not running
> IGMP snooping or anything like that on the switches.

IGMP snooping is something you actually want in this case, because the
firewalls properly join the IGMP group and therefore traffic isn't
broadcast to all interfaces.


/Benny
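As an added illustration (not code from the thread or from any vendor), the check Benny describes routers performing on an ARP reply: parse the frame and reject a reply whose sender hardware address has the I/G (multicast) bit set, as RFC 1812 section 3.3.2 requires. All MAC and IP values are constructed placeholders.

```python
import struct
from dataclasses import dataclass

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2

@dataclass
class ArpPacket:
    opcode: int
    sender_mac: bytes   # ARP sender hardware address (SHA)
    sender_ip: str
    target_mac: bytes
    target_ip: str

def is_multicast_mac(mac: bytes) -> bool:
    """True when the I/G bit (LSB of the first octet) is set: group or broadcast address."""
    return bool(mac[0] & 0x01)

def parse_arp_frame(frame: bytes) -> ArpPacket:
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP (RFC 826 layout)."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpPacket(oper, sha, ".".join(map(str, spa)), tha, ".".join(map(str, tpa)))

def rfc1812_accepts(pkt: ArpPacket) -> bool:
    """RFC 1812 section 3.3.2: a router MUST NOT believe an ARP reply that claims
    a broadcast or multicast link-layer address for another host or router."""
    return pkt.opcode == ARP_REPLY and not is_multicast_mac(pkt.sender_mac)

def build_arp_reply(sender_mac: bytes, sender_ip: str, target_mac: bytes, target_ip: str) -> bytes:
    """Build a constructed test frame: Ethernet header followed by an ARP reply."""
    ip = lambda s: bytes(int(o) for o in s.split("."))
    eth = struct.pack("!6s6sH", target_mac, sender_mac, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REPLY,
                      sender_mac, ip(sender_ip), target_mac, ip(target_ip))
    return eth + arp

# Constructed sample values (hypothetical): a cluster VIP answering with a multicast MAC.
ROUTER_MAC = bytes.fromhex("001122334455")
CLUSTER_MULTICAST_MAC = bytes.fromhex("01005e0a0b0c")
UNICAST_MAC = bytes.fromhex("00aabbccddee")
```

A reply from the multicast-MAC cluster VIP fails `rfc1812_accepts`, which is why a static ARP entry is needed on such routers, while the same reply from a unicast MAC is accepted.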


