Introduction
To ensure high availability of critical network applications, the Operations team uses Microsoft's Network Load Balancer or NLB. NLB allows load balancing between servers without a dedicated stand alone box. To achieve this Microsoft performs some network hacks which require configuration on the network side.
NLB can work in two modes, unicast and multicast. Unicast is the default operation mode due to compatibility. In this mode the switch will have a common unicast mac-address. Since dynamic CAM entries cannot exist for two ports the switch floods all traffic going to a NLB host.
With multicast mode turned on the NLB uses a shared multicast mac-address with a unicast IP address. This mode works better with a Cisco network but has two drawback Due to this inconsistency with a unicast ip address and a multicast mac-address the router will refuse to learn the ARP for the IP address. In addition the switch cannot determine the membership ports in the multicast stream the traffic is still flooded to all hosts., although being a multicast mac-address has a lesser effect on the CPU of flooded hosts.
Fortunately we can create both static ARP entries and static CAM entries to allow the NLB hosts to behave correctly.
(Directly from Microsoft KB article)
When the local router must send a packet to the virtual IP address, the local router uses address resolution protocol (ARP) to determine the virtual IP's MAC address. WLBS replies to these ARP requests. When you mask the source MAC address, the ARP response from WLBS has a substitute source MAC address in the Ethernet frame, but contains the correct cluster MAC address in the ARP header. Some routers cannot make this ARP mapping and must make a static ARP entry in the router.
This problem occurs because a large number of unknown unicast and multicast packets are being blocked on the port of the switch to which the NLB virtual adapters are connected directly or uplinked through a hub. By default, NLB masks the source media access control (MAC) address on outbound packets, preventing switches from learning and forcing them to broadcast packets for unknown addresses to all ports.
Have the server team configure the NLB for multicast mode and read off the generated mac-address as well as the desired IP address. Log into the default gateway for the NLB and issue the following command:
For IOS
arp 10.1.12.18 03bf.0a01.0cdf ARPA
For PixOS
arp dmz 192.168.0.73 03bf.c0a8.0047
At this point the NLB ip address should be reachable. If not, double check the IP and mac-address with the server team.
First determine the two or more physical ports that are being used for the NLB. Server team should be able to help you trace these down with the physical mac address. Log into the switch which these ports are plugged into. This may or may not be the same device as above.
For IOS
mac-address-table static 03bf.0a01.0cdf vlan 12 interface fa4/5 fa5/5
Ensure that you still have connectivity to the NLB cluster