F5 Lab 1.22 MAC Masquerading

After configuring HA Group for my F5 HA on my last article here, the next thing is how to optimize the failover in the event of failure. One of the method to optimize the failover process is implementing MAC Masquerading. By default, when failover is triggered the F5 will send GARP (Gratuitous Address Resolution Protocol) packet to the servers/other devices for requesting the servers/other devices to update their ARP cache with the new MAC address. Let's see the diagram below for how it works, when on the steady state not using MAC Masquerading:

Servers ARP Table and Switch MAC Address Table:

All the respond for the traffic to the floating IP address is handled by F5-HA1. The MAC address for floating IP which used for server's gateway is the MAC address on F5-HA1 or the active device.

On the event of failure, the floating IP address will move to the F5-HA2 then the new active F5 in this case F5-HA2 will sends GARP to servers and switch. This GARP used to updates the MAC address of the floating IP on their ARP table and switch MAC address table.

After GARP request received, the switch will update MAC address table dan the servers will update the ARP table as below:

The floating IP's MAC address will change to the MAC address which coming from F5-HA2.

Let's verify and do the test on the lab for scenario MAC masquerading is not implemented:

• Switch MAC Address Table

• Server-1 ARP Table

• Failover Test

When test the failover by shutdown the interface on the switch server to current active F5 on F5-HA1, then F5 immediately failover to F5-HA2 and the ping is dropped for a while.

From the packet capture on the F5-HA2 towards the server switch, it shows there are some GARP packet captured. The sender of the packet is MAC address of F5-HA2 (50:7f:a0:00:09:01) and the destination is broadcast MAC address (ff:ff:ff:ff:ff:ff). This packet is sends to all endpoints to update the ARP table for IP address 192.0.2.254 from MAC address F5-HA1 to MAC address of F5-HA2 (50:7f:a0:00:09:01).

Let's implement MAC Masquerading to our traffic group. The MAC Masquerading is assigned per traffic group, the steps are:

1. Choose MAC Address for MAC Masquerading

The MAC address on the networking system is must be unique to avoiding confuse on the network. For the MAC masquerading, F5 recommends to custom existing physical MAC address on the device by using this guideline.

2. Add the MAC Address to traffic group.

By using the converting based on guideline on the step 1, my custom MAC is 52:fe:54:00:04:01 then add to the traffic group. Then save the configuration.

3. After adding the MAC Masquerading, it will need to sync the configuration then Sync the config.

Let's verify and do the test on the lab for scenario MAC masquerading is implemented:

• Server-1 ARP Table

The server ARP table shows the floating IP address is changed to new custom MAC address.

• Switch MAC Address Table

The switch server is already learn new custom MAC address for MAC Masquerading, it learns from interface connected to F5-HA1 on port Gi0/0 interface.

• Failover Test

When test the failover by shutdown the interface on the switch server to current active F5 on F5-HA1, then F5 immediately failover to F5-HA2.

Although the ARP table on the endpoint is doesn't need to be updated but GARP packet is still need to be existed.

The purpose of the GARP packet is for MAC address learning process on the switch because when failover occurs, the MAC Masquerade address is moving from the port towards F5-HA1 on interface Gi0/0 to F5-HA2 on interface Gi0/1. Based on the results, the MAC Masquerading is useful for improving convergence time because imagine if there are many endpoints need to update the ARP table it will take many time to network to be converged and by leveraging the MAC Masquerading it will shorten the process.

References:

• F5 - Create Custom MAC for MAC Masquerading
• F5 - Configure MAC Masquerading