Multicasting and Engine Firewalls
After distinguishing between network layer multicasting and data link layer multicasting, we can now have a look at how the firewall uses multicasting and unicasting.
When using clustering technology, the clustered firewall nodes share a common unicast IP address, which is called a CVI (cluster virtual IP address). This shared IP address is assigned to the node that receives traffic that arrives from the network for distributing and load-balancing between all nodes. Any traffic that has a specific node in the cluster as its final destination (such as management connections) is sent to NDIs (node dedicated IP addresses).
CVIs allow the cluster to appear as a single virtual entity to other network devices, rather than a group of individual nodes. Traffic addressed to CVIs is load-balanced between the nodes according to the cluster’s load-balancing filters. The load-balancing filters determine which traffic is distributed to which individual nodes. This way, a specific node in a cluster handles all packets in the connection as long as the node stays online.
In addition to the shared unicast IP address, each node must also share a data link layer address (MAC) at the CVI. Only this way will each of the nodes be provided with the exact same traffic. There are different options for the cluster-wide MAC address, and the selection depends on the features of the other connected networking devices, such as switches and hubs. This document is not a definitive reference for different types of switch configurations, but it gives an overview of possible considerations when implementing firewall clusters in different types of network environments.
The method can be selected based on the surrounding network devices. Unicast MAC configuration can be used with hubs and with switches that support sending a specified unicast MAC address to several ports at the same time. When a layer 2 network is not able to do this, multicast MAC can be used instead. Because multicast MAC sends all packets to all ports, unicast MAC mode gives better performance with hubs. However, in large networks with large amounts of traffic, the action of sending packets to all ports can create extra load. In that situation, static MAC address forwarding tables can be used to limit traffic to Cluster multicast MAC to cluster ports only. With switches that do not support static MAC address forwarding tables, IGMP snooping can be used for the same task. With switches, Packet Dispatch mode creates less load to switches than unicast MAC or multicast MAC modes.
The different configuration options are presented in the following sections.