forwarding (MBF) enabled, when a request reaches the NetScaler appliance, the
appliance remembers the source MAC address of the frame and uses it as the
destination MAC address for the resulting replies. MAC-based forwarding can be
used to avoid multiple-route/ARP lookups and to avoid asymmetrical packet
flows. MAC-based forwarding may be required when the NetScaler is connected to
multiple stateful devices, such as VPNs or firewalls, because it ensures that
the return traffic is sent to the same device that the initial traffic came
forwarding is useful when you use VPN devices, because it guarantees that all
traffic flowing through a VPN passes back through the same VPN device.
topology diagram illustrates the process of MAC-based forwarding.
Figure 1. MAC-Based
forwarding (MBF) is enabled, the NetScaler caches the MAC address of:
- The source (a transmitting device such as a router, firewall, or VPN device) of the inbound connection.
- The server that responds to
When a server replies through the NetScaler appliance, the appliance sets the destination MAC
address of the response packet to the cached address, ensuring that the traffic
flows in a symmetric manner, and then forwards the response to the client. The
process bypasses the route table lookup and ARP lookup functions. However, when
the NetScaler initiates a connection, it uses the route and ARP tables for the
lookup function. In a direct server return configuration, you must enable
For more information about direct server return configurations, see "Load Balancing."
topologies may require the incoming and outgoing paths to flow through
different routers. MAC-based forwarding would break this topology design.
MBF should be disabled in the following situations:
When MBF is disabled, the NetScaler uses L2 or L3 connectivity to forward the
responses from servers to the clients. Depending on the route table, the
routers used for the outgoing and incoming connections can be different. In the
case of reverse traffic (response from the server):
- If the source and destination are on different IP subnets, the NetScaler uses the route lookup to locate the destination.
- If the source is on the same subnet as the destination, the NetScaler looks up the ARP table to locate the network interface and forwards the traffic to it. If the ARP table does not exist, the NetScaler requests the ARP entries.
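
The reply-path decision described above, with MBF enabled and disabled, as an added example that is not NetScaler code or part of the original documentation. The `Appliance` class, its method names, the per-connection cache key, and the sample addresses are assumptions made for illustration; the model simplifies the subnet test to "is the reply destination on the appliance's own subnet".

```python
import ipaddress

class Appliance:
    """Toy model of the reply-path choice; names and structure are assumptions."""

    def __init__(self, local_net, routes, arp, mbf):
        self.local_net = ipaddress.ip_network(local_net)
        # (prefix, next-hop IP) pairs; the longest matching prefix wins.
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]
        self.arp = dict(arp)   # IP -> MAC
        self.mbf = mbf
        self.mac_cache = {}    # (client IP, port) -> source MAC of the request frame

    def on_request(self, client_ip, port, src_mac):
        # With MBF enabled, remember which L2 neighbour delivered the request.
        if self.mbf:
            self.mac_cache[(client_ip, port)] = src_mac

    def reply_dst_mac(self, client_ip, port):
        """Return (destination MAC or None, how it was chosen) for a reply."""
        if self.mbf and (client_ip, port) in self.mac_cache:
            return self.mac_cache[(client_ip, port)], "mbf-cache"
        dst = ipaddress.ip_address(client_ip)
        if dst in self.local_net:            # same subnet: ARP lookup
            target = client_ip
            how = "arp"
        else:                                # different subnet: route lookup
            matches = [(p, nh) for p, nh in self.routes if dst in p]
            if not matches:
                return None, "no-route"
            target = max(matches, key=lambda m: m[0].prefixlen)[1]
            how = "route"
        mac = self.arp.get(target)
        return (mac, how) if mac else (None, "arp-request")

# Constructed sample topology: two stateful firewalls on the appliance's subnet.
FW_A = ("192.0.2.1", "02:00:00:00:00:0a")
FW_B = ("192.0.2.2", "02:00:00:00:00:0b")

def demo(mbf):
    """Request arrives through FW_B while the default route points at FW_A."""
    ns = Appliance("192.0.2.0/24", [("0.0.0.0/0", FW_A[0])], [FW_A, FW_B], mbf)
    ns.on_request("203.0.113.7", 40000, FW_B[1])
    return ns.reply_dst_mac("203.0.113.7", 40000)

if __name__ == "__main__":
    for mbf in (True, False):
        print("MBF on " if mbf else "MBF off", demo(mbf))
```

With MBF on, the reply returns to FW_B, which holds the connection state; with MBF off, the route table sends it to FW_A, which has never seen the flow.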