MAC Masquerade

Overview

Avi Vantage supports MAC masquerade for use in conjunction with Avi SE IP routing to accelerate legacy HA SE failover in Linux server clouds.

Feature

In general, when an IP address fails over between Service Engines, a gratuitous ARP (GARP) is sent to inform endpoints on the subnet of the change in MAC address and to allow layer 2 and layer 3 switches to update their forwarding tables as necessary.

While this is sufficient in the majority of cases, some endpoints either ignore the GARP message or do not process it in a timely manner, resulting in these endpoints clinging to the previous MAC address until the corresponding ARP entry ages out. This can have a detrimental effect on failover times.

The MAC Masquerade feature alleviates this issue by allowing such ‘floating’ IP addresses to be associated with a virtual MAC address that also fails over between Service Engines. As the virtual MAC does not change during failover, there is no need for ARP entries to be updated, resulting in faster and more consistent failover.

Note: A GARP is still transmitted to allow L2 switches to update forwarding tables for the virtual MAC as needed.

Refer to the following table for compatibility details of this feature:

VMware read or write: At least one virtual service must be configured
VMware no-access: IP routing must be enabled
Linux server cloud: IP routing must be enabled

Note: Below are the security settings required to support MAC masquerade in a VMware environment. These settings are required on each port group to which vNICs with a floating IP configuration are attached.

security settings for VMware no-access deployment

MAC Masquerade is supported for Active/Standby SE Groups configured for IP Routing and using the floating IP address configuration. Each floating IP address will be associated with a distinct virtual MAC address, computed automatically based on the SE group and floating IP. Other secondary IP addresses that fail over between active and standby SEs, such as VIPs and SNAT IPs, and that are within the same subnet as a floating IP will also be associated with this virtual MAC address.

Note: Secondary IP addresses that are not within the same subnet as any configured floating IP address will not use the virtual MAC. They remain associated with the interface MAC as normal and fail over using the GARP mechanism.
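
The subnet rule above can be turned into a post-failover check on an endpoint's ARP cache. The following is an added example, not Avi Vantage code: the function names, addresses, MAC values and ARP snapshots are constructed, and it assumes each floating IP is supplied together with its interface prefix length. It does not compute the virtual MAC itself; it only decides which addresses should keep their MAC across a failover and which should change.

```python
import ipaddress

def mac_binding(floating_ifaces, secondary_ips):
    """Return {ip: 'vmac:<floating ip>' | 'interface-mac'} per the subnet rule."""
    floats = [ipaddress.ip_interface(f) for f in floating_ifaces]
    plan = {str(f.ip): f"vmac:{f.ip}" for f in floats}
    for raw in secondary_ips:
        ip = ipaddress.ip_address(raw)
        # A secondary IP shares the virtual MAC of the floating IP in its subnet.
        owner = next((f for f in floats if ip in f.network), None)
        plan[str(ip)] = f"vmac:{owner.ip}" if owner else "interface-mac"
    return plan

def review_failover(plan, arp_before, arp_after):
    """Classify each address from an endpoint's ARP cache before/after failover."""
    findings = {}
    for ip, binding in plan.items():
        before, after = arp_before.get(ip), arp_after.get(ip)
        if before is None or after is None:
            findings[ip] = "no-data"
        elif binding.startswith("vmac:"):
            # The virtual MAC moves with the IP, so the entry must be unchanged.
            findings[ip] = "ok" if before == after else "unexpected-mac-change"
        else:
            # Interface MAC: the GARP should have replaced the old entry.
            findings[ip] = "ok" if before != after else "stale-arp-entry"
    return findings

# Constructed sample data: one floating IP, two in-subnet secondaries, one outside.
FLOATING = ["10.10.20.5/24"]
SECONDARY = ["10.10.20.50", "10.10.20.60", "10.10.30.9"]
VMAC, SE1, SE2 = "02:00:00:00:00:aa", "02:00:00:00:01:01", "02:00:00:00:02:02"
ARP_BEFORE = {"10.10.20.5": VMAC, "10.10.20.50": VMAC,
              "10.10.20.60": VMAC, "10.10.30.9": SE1}
ARP_AFTER = {"10.10.20.5": VMAC, "10.10.20.50": VMAC,
             "10.10.20.60": SE2, "10.10.30.9": SE1}

if __name__ == "__main__":
    plan = mac_binding(FLOATING, SECONDARY)
    for ip, result in review_failover(plan, ARP_BEFORE, ARP_AFTER).items():
        print(f"{ip:<14} {plan[ip]:<18} {result}")
```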

CLI Interface

The MAC Masquerade feature is configurable via Network Service. Refer to the Network Service configuration page for more details.

The following CLI commands enable the feature under the serviceenginegroup configuration:

[admin:10-140-1-4]: > configure serviceenginegroup Default-Group
[admin:10-140-1-4]: serviceenginegroup> enable_vmac
Overwriting the previously entered value for enable_vmac
[admin:10-140-1-4]: serviceenginegroup> save
[admin:10-140-1-4]: >

Starting with Avi Vantage version 18.2.5, the MAC Masquerade feature is configurable via Network Service. Refer to the Network Service configuration page for more details. For prior releases, MAC Masquerade is configured directly in the Service Engine group, using the serviceenginegroup commands shown in this section.

To disable the feature, use the no form of the CLI:

[admin:10-140-1-4]: > configure serviceenginegroup Default-Group
[admin:10-140-1-4]: serviceenginegroup> no enable_vmac
[admin:10-140-1-4]: serviceenginegroup> save
[admin:10-140-1-4]: >