scottikon
Contributor

Manually specify MAC address used in VMAC mode

I have a colleague who is migrating a customer from one cluster running legacy R77 version to a new cluster running R80.20. The customer is very sensitive to down time and when they tried migration attempt 1, it appears that some network devices took longer to clear the ARP cache and therefore they had minutes of downtime for certain services. 

 

Normally we would ask the customer to liaise with the 3rd party who manages the network to co-ordinate with us and clear the ARP cache during the maintenance window post migration but for reasons I won't go into, this is not an option. 

 

This got me thinking about VMAC mode. We use this when clustered gateways have a lot of interfaces and the volume of G-ARPs after a failover means that the switches ignore them. Would it be possible to manually configure the MAC address used in VMAC mode? This way, we can configure this on the new cluster and make it live after halting the old cluster. This way the network devices don't have to re-learn anything other than the associated switch ports for the MACs. 

 

Look forward to feedback and any other alternative suggestions. 

Kind Regards

Scott

0 Kudos
5 Replies
Kaspars_Zibarts
Employee

Why don't you write a script to arping all your next hop gateways, that should "force" these gateways to learn new IP-MAC associations.

Else read this article regarding VMACs and magic numbers
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Maarten_Sjouw
Champion

From my cheat sheet:
Gratuitous ARP to force a new MAC address towards the router

Enable binding to non-local IP addresses on-the-fly (IP not on the interface itself, in fact the proxy arp IP's):
cat /proc/sys/net/ipv4/ip_nonlocal_bind
echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
#----^ 0=off, 1=on
cat /proc/sys/net/ipv4/ip_nonlocal_bind
For each IP for which you need to send the Gratuitous ARP, use the following command:
arping -c 4 -A -I eth2 1.2.1.5
Regards, Maarten
scottikon
Contributor

Thank you for your reply Maarten. What will the above achieve?

Thanks
0 Kudos
Maarten_Sjouw
Champion

arping is the command that is used to broadcast the new ARP's that you have setup. This is what Kaspars meant when he was telling you to use a script to send the new MAC addresses out.
Regards, Maarten
0 Kudos
Maarten_Sjouw
Champion

Also be aware that you need to check if all Proxy ARPs are working after the migration; we have had a number of occasions where we needed to push policy 3 times before the proxy ARPs appeared.
Use 'fw ctl arp' to check.
Regards, Maarten
0 Kudos
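
The scripted loop suggested in the replies above, as an added example that is not part of any post in this thread: it wraps the `arping` command and the `ip_nonlocal_bind` toggle from the cheat sheet around a list of interface/IP pairs. The function names, the `DRY_RUN` variable, the list format and the sample addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: gratuitous ARP for every "interface IP" pair read from stdin.
# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 runs them (root, on the gateway).
NONLOCAL=/proc/sys/net/ipv4/ip_nonlocal_bind

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Exit status is the number of lines rejected or failed (0 = every pair handled).
garp_all() {
    bad=0; saved=
    if [ "${DRY_RUN:-1}" = 0 ]; then
        saved=$(cat "$NONLOCAL")      # remember the current setting
        echo 1 > "$NONLOCAL"          # allow binding to proxy ARP addresses
    fi
    while read -r iface ip rest; do
        case $iface in ''|'#'*) continue ;; esac         # blank line or comment
        case $iface in *[!A-Za-z0-9_.:-]*) ip= ;; esac   # reject odd interface names
        if valid_ipv4 "$ip"; then
            if [ "${DRY_RUN:-1}" = 0 ]; then
                arping -c 4 -A -I "$iface" "$ip" </dev/null || bad=$((bad + 1))
            else
                echo "arping -c 4 -A -I $iface $ip"
            fi
        else
            echo "skipped: $iface" >&2
            bad=$((bad + 1))
        fi
    done
    if [ -n "$saved" ]; then echo "$saved" > "$NONLOCAL"; fi   # restore the setting
    return "$bad"
}

# Constructed sample list; the last line is deliberately invalid.
SAMPLE_LIST='# iface ip
eth2 1.2.1.5
eth2 1.2.1.6
eth2 1.2.1.300'
printf '%s\n' "$SAMPLE_LIST" | garp_all || echo "rejected or failed: $?"
```

Review the dry-run output first, then rerun with `DRY_RUN=0`; the non-zero exit status flags any address that was skipped or for which `arping` failed.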
