Example Switch and Static ARP Configuration for an Active/Active FireCluster
Layer 3 switches that operate in default mode do not have issues with multicast traffic, so the FireCluster works without configuration changes. A layer 3 switch that has all ports configured in one VLAN also works without issues. If the layer 3 switch has ports configured for different VLANs, you must change the switch configuration so that it operates correctly with a FireCluster.
Layer 3 switches that perform VLAN routing, IP address routing, or both discard multicast traffic from the FireCluster members. The switch discards traffic to and through the router unless you configure static MAC and ARP entries for the FireCluster multicast MAC on the switch that receives the multicast traffic.
When you configure an active/active FireCluster, you might need to make some configuration changes on the FireCluster and on your network switches so that the FireCluster multicast MAC addresses work properly. For general information, see:
- Switch and Router Requirements for an Active/Active FireCluster
- Add Static ARP Entries for an Active/Active FireCluster
This topic includes an example of how to configure the switches and the FireCluster static ARP settings for an active/active FireCluster. This example does not include all the other steps to configure a FireCluster. For instructions to configure a FireCluster, see Configure FireCluster.
Before you begin, make sure you have:
- The IP address and multicast MAC address of the FireCluster interface to which the switch is connected.
For more information, see Find the Multicast MAC Addresses for an Active/Active Cluster.
- The IP address and MAC address of each switch or router connected to the FireCluster interfaces.
WatchGuard provides interoperability instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a non-WatchGuard product, see the documentation and support resources for that product.
Example Configuration
In this example, the FireCluster configuration has one external and one internal interface. The external interface of each cluster member is connected to a Cisco 3750 switch. The internal interface of each cluster member is connected to an Extreme Summit 15040 switch. For the equivalent commands to make these configuration changes on your switch, see the documentation for your switch. The commands for two different switches are included in this example.
IP addresses in this example:
- FireCluster interface 0 (External)
IP address: 203.0.113.2/24
Multicast MAC address: 01:00:5e:00:71:02
- FireCluster interface 1 (Trusted)
IP address: 10.0.1.1/24
Multicast MAC address: 01:00:5e:00:01:01
- Cisco 3750 switch connected to the FireCluster external interface
IP address: 203.0.113.100
VLAN interface MAC address: 00:10:20:3f:48:10
VLAN ID: 1
Interface: gi1/0/11
- Extreme Summit 48i switch connected to the FireCluster internal interface
IP address: 10.0.1.100
MAC address: 00:01:30:f3:f1:40
VLAN ID: Border-100
Interface: 9
Configure the Cisco Switch
In this example, the Cisco switch is connected to the FireCluster interface 0 (external). You must use the Cisco command line to add static MAC and ARP entries for the multicast MAC address of the external FireCluster interface.
- Start the Cisco 3750 command line interface.
- Add a static ARP entry for the multicast MAC address of the FireCluster interface.
Type this command:
arp <FireCluster interface IP address> <FireCluster MAC address> arpa
For this example, type:
arp 203.0.113.2 0100.5e00.7102 arpa
- Add an entry to the MAC address table.
Type this command:
mac-address-table static <FireCluster interface MAC address> vlan <ID> interface <#>
For this example, type:
mac-address-table static 0100.5e00.7102 vlan 1 interface gi1/0/11
Configure the Extreme Switch
In this example, the Extreme Summit switch is connected to the FireCluster interface 1 (trusted). You must use the Extreme Summit command line to add static MAC and ARP entries for the multicast MAC address of the trusted FireCluster interface.
- Start the Extreme Summit 48i command line.
- Add a static ARP entry for the multicast MAC address of the FireCluster interface.
Type this command:
configure iparp add <ip address> <MAC Address>
For this example, type:
configure iparp add 10.0.1.1/24 01:00:5e:00:01:01
- Add an entry to the MAC address table.
Type this command:
create fdbentry <MAC> VLAN <ID> port <#>
For this example, type:
create fdbentry 01:00:5e:00:01:01 VLAN Border-100 port 9
Add Static ARP Entries to the FireCluster Configuration for Each Switch
For an explanation of why this is required, see Add Static ARP Entries for an Active/Active FireCluster.
- In WatchGuard System Manager, use the cluster trusted interface IP address to connect to the FireCluster. Do not use the management IP address.
- Click the Policy Manager icon.
Or, select Tools > Policy Manager.
Policy Manager appears.
- Select Network > ARP Entries.
The Static ARP Entries dialog box appears.
- Click Add.
The Add ARP Entry dialog box appears.
- In the Interface drop-down list, select External.
- In the IP Address text box, type the IP address of the switch interface that is connected to the external interface.
For this example, type: 203.0.113.100
- In the MAC Address text box, type the MAC address of the VLAN interface on the Cisco switch that is connected to the external interface.
For this example, type: 00:10:20:3f:48:10
- Click OK.
The static ARP entry is added to the Static ARP Entries list.
- Click Add.
The Add ARP Entry dialog box appears.
- In the Interface drop-down list, select Trusted.
- In the IP Address text box, type the IP address of the switch interface that is connected to the trusted interface.
For this example, type: 10.0.1.100
- In the MAC Address text box, type the MAC address of the switch interface that is connected to the trusted interface.
For this example, type: 00:01:30:f3:f1:40
- Click OK.
The static ARP entry is added to the Static ARP Entries list.
- Click OK to close the Static ARP Entries dialog box.
- Select File > Save > to Firebox to save the static ARP entries to the FireCluster.
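A pre-flight check for the values used in the procedures above, added here as an example and not part of the WatchGuard documentation. It verifies that each FireCluster MAC is in the IPv4 multicast range and each switch MAC is unicast (the two are easy to swap between the switch and the Firebox entries), and fills in the two Cisco command templates from this page with the MAC converted to dotted notation. The function names are hypothetical, and the check that the switch IP address is on the same subnet as the FireCluster interface is an assumption about the topology.

```python
import ipaddress
import re

def parse_mac(text):
    """Accept colon, hyphen or Cisco dotted notation; return the 6 raw bytes."""
    digits = re.sub(r"[.:-]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)

def is_ipv4_multicast_mac(mac):
    """True for 01:00:5e:00:00:00 through 01:00:5e:7f:ff:ff."""
    return mac[:3] == b"\x01\x00\x5e" and not mac[3] & 0x80

def cisco_mac(mac):
    """Render as Cisco dotted notation, for example 0100.5e00.7102."""
    h = mac.hex()
    return ".".join(h[i:i + 4] for i in range(0, 12, 4))

def check_segment(cluster_if, cluster_mac, switch_ip, switch_mac):
    """Return a list of problems found in one FireCluster/switch pairing."""
    problems = []
    iface = ipaddress.ip_interface(cluster_if)
    if not is_ipv4_multicast_mac(parse_mac(cluster_mac)):
        problems.append(f"{cluster_mac} is not an IPv4 multicast MAC (01:00:5e...)")
    if parse_mac(switch_mac)[0] & 0x01:
        problems.append(f"{switch_mac} has the group bit set; expected a unicast MAC")
    if ipaddress.ip_address(switch_ip) not in iface.network:
        problems.append(f"{switch_ip} is not on {iface.network}")  # assumed topology
    return problems

def cisco_commands(cluster_if, cluster_mac, vlan_id, port):
    """Fill in the two Cisco command templates shown on this page."""
    ip = ipaddress.ip_interface(cluster_if).ip  # the arp command takes no prefix
    mac = cisco_mac(parse_mac(cluster_mac))
    return [f"arp {ip} {mac} arpa",
            f"mac-address-table static {mac} vlan {vlan_id} interface {port}"]

if __name__ == "__main__":
    # Values from the Example Configuration section of this page.
    segments = [
        ("203.0.113.2/24", "01:00:5e:00:71:02", "203.0.113.100", "00:10:20:3f:48:10"),
        ("10.0.1.1/24", "01:00:5e:00:01:01", "10.0.1.100", "00:01:30:f3:f1:40"),
    ]
    for seg in segments:
        print(seg[0], check_segment(*seg) or "ok")
    print("\n".join(cisco_commands("203.0.113.2/24", "01:00:5e:00:71:02", 1, "gi1/0/11")))
```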