RE: static arps for multicast mac addresses

From: Tracy Blackmore (TracyB@xxxxxxxxx)
Date: Tue Nov 06 2001 - 13:55:30 GMT-3


   
John;

As I think about this... You need to find out what load-balancing software
they are using. If they are using StoneBeat, it has an option of using
multicast MACs OR using a unicast IP address to represent the cluster of
firewalls. If they choose to use the multicast MAC, then you will have to
build the ARP table on your router. If it is StoneBeat, have them look into
using a unicast IP for the external interfaces. If it's not StoneBeat, I'm
sure that their product has some allowance for this. As before, I'm
available for hire if they need help.

Tracy W. Blackmore
Senior Security Engineer
T.S. Lad Consulting
1026 East Stanford Avenue
Gilbert, Arizona, 85234

 -----Original Message-----
From: John Elias [mailto:jelias_@hotmail.com]
Sent: Tuesday, November 06, 2001 6:33 AM
To: ccielab@groupstudy.com
Subject: OT: static arps for multicast mac addresses

Guys,
    I have a customer who is using 2 Sun boxes running Check Point firewall
connected with a hub to our router, then out to the Internet. They are both
running as primary and are sharing a virtual IP and MAC address. The
customer wants us to statically ARP map 140 IPs to MAC addresses on the
router, which we are not willing to do as per upper management. I suggested
he try to implement it on his own box and ARP them to us. He has informed
me that his firewall people told him that under normal conditions it would
work, but since they are looking to ARP map IPs to multicast MAC addresses it
would not work. Firewall guy says that Cisco routers do this on purpose so
as not to use the multicast MAC addresses on the Internet.

1. Is this true?
2. Is there any documentation on this? (Looked and did not find any)

John E.
CCIE #8150



This archive was generated by hypermail 2.1.4 : Fri Jun 21 2002 - 06:45:05 GMT-3