How To | Configure An L3 Switch To Use Different MAC Addresses On Different VLANs Introduction Some switches are designed in such a way that each port of the switch has a different MAC address. Other switches are designed in such a way that there is only a single MAC address for the whole switch, so that every port has the same MAC address. Typically, this design does not impose any special requirements on the design of a network that includes these switches. However, there is one very specific situation in which the fact that every port of the switch has the same MAC address can cause problems. Several Allied Telesis switches use just one MAC address for the whole switch. What information will you find in this note? This How To Note provides information on: z The problem—packets with the same MAC address on page 2 z The solution to the problem on page 3 z The configuration script for the solution on page 4 Which products does it apply to? This Note applies to the following Allied Telesis managed layer 3 switches: C613-16043-00 REV C z AT-8600, AT-8700XL, AT-8800, Rapier, and Rapier i series switches z AT-9800 series switches z AT-8948 switches z AT-9900 series switches z AT-9900s series switches z x900 series switches z SwitchBlade series switches www.alliedtelesis.com The problem—packets with the same source MAC address Hosts connected to the two VLANs on the L2 switch are configured to use the L3 switch as their gateway device. Hence, packets being L3 switched into VLAN1, for example, will egress from the L3 switch with the MAC address of the L3 switch as their source addresses. But, packets being L3 switched into VLAN2 will also be emitted from the L3 switch with that same MAC address as their source address. Hence, there will be packets with the same source MAC address entering two different ports of the L2 switch. For many L2 switching devices, this will not be a problem, because their switching fabric will work in such a way that the Forwarding Data Base (FDB) can hold the same MAC address on 2 different ports, provided that those ports are in different VLANs. However, many L2 switching devices have an FDB design that simply cannot hold the same MAC address on two different ports. So, in cases where the L2 switch has this latter type of FDB design, there will be a problem. This situation is illustrated in the following figure. There is a Layer2 (L2) switch that has two of its ports connected to two ports of the Layer 3 (L3) switch. The two ports on the L2 switch are in different VLANs, as are the two ports on the L3 switch. VLAN 1 VLAN 2 Layer 2 switch IP interface configured as member of VRRP instance Simple Layer 2 switch that cannot have the same MAC address stored in its FDB on two different ports, even if they are in different VLANs IP interface configured as member of VRRP instance Layer 3 switch VLAN 1 VLAN 2 VLAN 3 Hosts 2 Hosts Layer 3 switch that uses the same MAC address on every port The solution to the problem The only solution to this problem is to force the L3 switch to use different MAC addresses on different ports. If the data being exchanged on the network consists entirely of IP packets, then there is a solution available that consists of making imaginative use of the Virtual Router Redundancy Protocol (VRRP). The key ingredient in the solution is the fact that VRRP uses a virtual MAC address. So, when a device is VRRP master, it will use the virtual MAC address as the source address of the IP packets it routes into the subnet on which it is VRRP master. So, basically, if we make the two ports on the L3 switch be master ports in two different VRRP instances, then the packets that are routed from those ports into their respective VLANs will use the VRRP virtual MAC addresses for their two VRRP instances. That is, they will use two different source MAC addresses. Therefore, the L2 switch will not have the problem of learning the same MAC address on two different ports. The virtual MAC address is, of course, also used when the VRRP master interfaces respond to ARP requests, as illustrated in the following figure. Host in VLAN 1 configured with gateway address: 192.168.1.254 Host in VLAN 2 configured with gateway address: 192.168.2.254 1. Host sends out ARP request for 192.168.1.254 4. Host sends out ARP request for 192.168.2.254 VLAN 1 2. L3 Switch responds with ARP response packet, using VRRP virtual MAC 00-00-5E-00-01-01 VLAN 2 5. Switch responds with ARP response packet, using VRRP virtual MAC 00-00-5E-00-01-02 Layer 2 switch Layer 3 switch 3. L2 switch learns MAC address 00-00-5E-00-01-01 into FDB 192.168.1.254 192.168.2.254 VLAN 1 VLAN 2 VLAN 3 6. L2 switch learns MAC address 00-00-5E-00-01-02 into FDB It should be noted, of course, that there is one very easy way to ensure that a particular device will be the VRRP master in any particular VRRP instance. The trick is, of course, to ensure that it is the only device in the VRRP instance. 3 The configuration script for this solution The configuration script on the Layer3 switch would be as follows: create vlan=2 vid=2 create vlan=3 vid=3 add vlan=2 port=<ports-in-vlan2> add vlan=3 port=<ports-in-vlan3> ena ip add ip int=vlan1 ip=192.168.1.254 add ip int=vlan2 ip=192.168.2.254 add ip int=vlan3 ip=192.168.3.254 enable vrrp create vrrp=1 over=vlan1 ipaddress=192.168.1.254 create vrrp=2 over=vlan2 ipaddress=192.168.2.254 USA Headquarters | 19800 North Creek Parkway | Suite 200 | Bothell | WA 98011 | USA | T: +1 800 424 4284 | F: +1 425 481 3895 European Headquarters | Via Motta 24 | 6830 Chiasso | Switzerland | T: +41 91 69769.00 | F: +41 91 69769.11 Asia-Pacific Headquarters | 11 Tai Seng Link | Singapore | 534182 | T: +65 6383 3832 | F: +65 6383 3830 www.alliedtelesis.com © 2007 Allied Telesis Inc. All rights reserved. Information in this document is subject to change without notice. All company names, logos, and product designs that are trademarks or registered trademarks are the property of their respective owners. C613-16043-00 REV C