Unicast MAC

A common unicast MAC address can be defined for the CVIs if the cluster is connected to hubs or switches that can forward frames with a unicast destination MAC address to multiple ports at once.

The network devices then forward the same frames to each of the connected firewall nodes sharing this combination of unicast IP and MAC addresses. This mode is recommended whenever the networking devices can send frames with a given unicast destination MAC address to a predefined set of ports at the same time (rather than to a single port, which is the default). Hubs do this by default, since they repeat every frame to every port. Switches usually do not: a switch learns each MAC address on the one port where it last saw it as a source address, so frames to the shared MAC would reach only whichever node transmitted most recently, and the entry would move between ports as different nodes transmit. The switch therefore needs a static forwarding entry that binds the shared unicast MAC to all ports connected to cluster nodes (the exact configuration is switch-specific), and that entry should list only the cluster node ports, because every frame to the shared MAC is replicated to each of them. With unicast MAC, only the switches directly connected to the cluster need this special configuration; beyond them the address is handled as an ordinary unicast MAC.

Note: Unlike multicast MAC addresses, there can be only one unicast MAC address defined per Interface ID. Thus, all NDIs and the unicast CVIs on the same physical interface use the same MAC address.

In addition to the common CVI IP address, each node can optionally have a unique unicast IP address defined at the same physical interface as the CVI. These unicast IP addresses are assigned to NDIs (node dedicated IP addresses) and are used when an individual node is the endpoint of a connection. Because there can be only one unicast MAC address at a given interface, the node-specific NDI IP addresses are also mapped to the common unicast MAC. Frames sent to an NDI address are consequently delivered to every node, and only the node that owns that NDI address processes them.

The following illustration exemplifies the IP and MAC address configuration of a cluster's interfaces that are connected to an external network. The CVIs of the nodes share one unicast IP address, which is mapped to a common unicast MAC address. In addition, an NDI is defined for each node at the same physical interface as the CVI. The NDI IP addresses are unique, but they are all mapped to the same unicast MAC as the CVI IP address, because only one unicast MAC can be defined for a physical interface. Traffic directed from the Internet to the cluster's external CVI IP address is sent by the connected switch or hub to all nodes, since they are all identified by the same unicast MAC. The same applies to traffic directed to any of the NDI addresses.

Figure: CVI with unicast MAC

Interface (external)   Node 1              Node 2              Node 3
CVI IP address         203.0.113.254       203.0.113.254       203.0.113.254
CVI unicast MAC        08:08:08:08:08:08   08:08:08:08:08:08   08:08:08:08:08:08
NDI IP address         203.0.113.21        203.0.113.22        203.0.113.23
NDI unicast MAC        08:08:08:08:08:08   08:08:08:08:08:08   08:08:08:08:08:08
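To make the switch-side behaviour concrete, here is an added example that is not part of the original documentation or of any vendor's code: a small Python model of a learning switch with and without a static multi-port entry for the shared MAC, and of how each node treats frames addressed to the CVI and NDI addresses from the figure above. The Frame, Switch and Node classes, the port names, the upstream router MAC 00:00:5e:00:53:01 and the source address 198.51.100.9 are constructed for this example only; they are not vendor APIs or captured traffic.

```python
"""Added example (not from the original documentation): a model of how a
switch delivers frames to a firewall cluster that shares one unicast MAC.

Addresses follow the figure (CVI 203.0.113.254, NDIs 203.0.113.21-23,
MAC 08:08:08:08:08:08). The Frame/Switch/Node classes, the port names,
the router MAC and the remote IP are this example's own assumptions.
"""
from dataclasses import dataclass, field

CLUSTER_MAC = "08:08:08:08:08:08"
CVI_IP = "203.0.113.254"
NDI_IPS = {1: "203.0.113.21", 2: "203.0.113.22", 3: "203.0.113.23"}
ROUTER_MAC = "00:00:5e:00:53:01"   # constructed upstream router (RFC 7042 doc range)
REMOTE_IP = "198.51.100.9"          # constructed Internet host (TEST-NET-2)
PORTS = frozenset({"uplink", "node1", "node2", "node3"})
NODE_PORTS = frozenset({"node1", "node2", "node3"})


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    dst_ip: str


@dataclass
class Switch:
    """Learning switch: fdb binds each learned MAC to exactly one port;
    static entries may bind a MAC to several ports and are never overwritten."""
    fdb: dict = field(default_factory=dict)
    static: dict = field(default_factory=dict)

    def add_static(self, mac, ports):
        self.static[mac] = frozenset(ports)

    def forward(self, ingress, frame):
        """Return the egress ports for a frame arriving on `ingress`."""
        # Source learning. With a shared MAC and no static entry, every
        # transmission by a different node re-binds the MAC to that node's
        # port, so the entry flaps and the other nodes stop receiving traffic.
        if frame.src_mac not in self.static:
            self.fdb[frame.src_mac] = frozenset({ingress})
        ports = self.static.get(frame.dst_mac) or self.fdb.get(frame.dst_mac)
        if ports is None:
            ports = PORTS            # unknown unicast: flood to all other ports
        return sorted(ports - {ingress})


@dataclass(frozen=True)
class Node:
    node_id: int

    def accepts(self, frame):
        """A node receives every frame to the shared MAC but keeps only those
        addressed to the CVI (cluster balancing then picks the owner) or to
        its own NDI; frames to another node's NDI are dropped."""
        if frame.dst_mac != CLUSTER_MAC:
            return False
        return frame.dst_ip in (CVI_IP, NDI_IPS[self.node_id])


def deliver(switch, frame, ingress="uplink"):
    """Return {node port: accepted?} for each node the switch hands the frame to."""
    return {p: Node(int(p[-1])).accepts(frame)
            for p in switch.forward(ingress, frame) if p in NODE_PORTS}


def scenario_plain_switch():
    """Default switch: the shared MAC follows whichever node transmitted last."""
    sw = Switch()
    results = []
    for sender in ("node2", "node1"):
        sw.forward(sender, Frame(CLUSTER_MAC, ROUTER_MAC, REMOTE_IP))  # node replies upstream
        results.append(deliver(sw, Frame(ROUTER_MAC, CLUSTER_MAC, CVI_IP)))
    return results


def scenario_static_entry():
    """Switch with the shared MAC pinned to all cluster node ports."""
    sw = Switch()
    sw.add_static(CLUSTER_MAC, NODE_PORTS)
    sw.forward("node2", Frame(CLUSTER_MAC, ROUTER_MAC, REMOTE_IP))  # no re-binding
    to_cvi = deliver(sw, Frame(ROUTER_MAC, CLUSTER_MAC, CVI_IP))
    to_ndi2 = deliver(sw, Frame(ROUTER_MAC, CLUSTER_MAC, NDI_IPS[2]))
    return to_cvi, to_ndi2


if __name__ == "__main__":
    print("plain switch:", scenario_plain_switch())
    print("static entry:", scenario_static_entry())
```

Run it directly to see the two cases: on the plain switch the shared MAC follows whichever node last transmitted, so the CVI frame reaches only that node; with the static entry the CVI frame reaches all three nodes, and a frame to node 2's NDI address also reaches all three but is accepted only by node 2. On a real switch, the static entry should list only the ports that lead to cluster nodes, since every frame to the CVI or to any NDI address is replicated to each port in the entry.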