Configuring MAC-Based Forwarding
With MAC-based forwarding (MBF) enabled, when a request reaches the NetScaler appliance, the appliance remembers the source MAC address of the frame and uses it as the destination MAC address for the resulting replies. MAC-based forwarding can be used to avoid multiple-route/ARP lookups and to avoid asymmetrical packet flows. MAC-based forwarding may be required when the NetScaler is connected to multiple stateful devices, such as VPNs or firewalls, because it ensures that the return traffic is sent to the same device that the initial traffic came from.
MAC-based forwarding is useful when you use VPN devices, because it guarantees that all traffic flowing through a VPN passes back through the same VPN device.
The following topology diagram illustrates the process of MAC-based forwarding.
Figure 1. MAC-Based Forwarding Mode
When MAC-based forwarding (MBF) is enabled, the NetScaler caches the MAC address of:
- The source (a transmitting device such as router, firewall, or VPN device) of the inbound connection.
- The server that responds to the requests.
When a server replies through the NetScaler appliance, the appliance sets the destination MAC address of the response packet to the cached address, ensuring that the traffic flows in a symmetric manner, and then forwards the response to the client. The process bypasses the route table lookup and ARP lookup functions. However, when the NetScaler initiates a connection, it uses the route and ARP tables for the lookup function. In a direct server return configuration, you must enable MAC-based forwarding.
For more information about direct server return configurations, see Load Balancing.
Some deployment topologies may require the incoming and outgoing paths to flow through different routers. MAC-based forwarding would break this topology design.
MBF should be disabled in the following situations:
- When you configure link load balancing. In this case, asymmetric traffic flows are desirable because of link costs.
- When a server uses network interface card (NIC) teaming without using LACP (802.1ad Link Aggregation). To enable MAC-based forwarding in this situation, you must use a layer 3 device between the NetScaler and server. Note: MBF can be enabled when the server uses NIC teaming with LACP, because the virtual interface uses one MAC address.
- When firewall clustering is used. Firewall clustering assumes that ARP is used to resolve the MAC address for inbound traffic. Sometimes the inbound MAC address can be a non-clustered MAC address and should not be used for inbound packet processing.
When MBF is disabled, the NetScaler uses L2 or L3 connectivity to forward the responses from servers to the clients. Depending on the route table, the routers used for outgoing connection and incoming connection can be different. In the case of reverse traffic (response from the server):
- If the source and destination are on different IP subnets, the NetScaler uses the route lookup to locate the destination.
- If the source is on the same subnet as the destination, the NetScaler looks up the ARP table to locate the network interface and forwards the traffic to it. If the ARP table does not exist, the NetScaler requests the ARP entries.
To enable or disable MAC-based forwarding by using the NetScaler command line:
At the command prompt, type:
- enable ns mode MBF
- disable ns mode MBF
To enable or disable MAC-based forwarding by using the NetScaler GUI:
- Navigate to System > Settings, in the Modes and Features group, click Configure modes.
- Select or clear the MAC-based forwarding option.