Symptoms
The BIG-IP system allows the Masquerade MAC to be set to an Ethernet multicast address, which may cause traffic intended for an Active BIG-IP to be flooded to all devices on the local network.
Impact
Depending on the behavior and configuration of devices on your network:
- Excessive traffic may be flooded to all devices on your network
- Traffic may not be delivered correctly to the Active BIG-IP device
- ARP resolution may fail for failover objects
Conditions
You have configured MAC Masquerade with a multicast address.
Multicast addresses are defined by having the lowest (least-significant) bit of the first octet set. For example, the following address:
00:01:d7:ab:cd:ef
has a first octet which is:
00000000
in binary. With the lowest bit flipped:
00000001
it becomes the multicast address:
01:01:d7:ab:cd:ef
Workaround
Choose a unicast (non-multicast) address for MAC Masquerade. SOL3523 contains recommendations for choosing a safe MAC Masquerade address.
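The following check is an added example, not F5 code and not taken from SOL3523. It tests a candidate MAC Masquerade address for the multicast bit described under Conditions before the address is configured. The function names are hypothetical, the sample addresses are constructed from the ones above, and the locally administered bit test is a general IEEE 802 convention that this article does not mention.

```python
import re

_HEX12 = re.compile(r"^[0-9a-fA-F]{12}$")


def parse_mac(text):
    """Return the six octets of a MAC address as ints, or raise ValueError.

    Accepts colon, hyphen, dotted, or bare hex notation.
    """
    digits = re.sub(r"[:\-.]", "", text.strip())
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return [int(digits[i:i + 2], 16) for i in range(0, 12, 2)]


def check_masquerade_mac(text):
    """Return a list of problems; an empty list means the address is unicast."""
    octets = parse_mac(text)
    problems = []
    if all(o == 0xFF for o in octets):
        # Broadcast is the all-ones special case of a group address.
        problems.append("broadcast address")
    elif octets[0] & 0x01:
        # Lowest bit of the first octet set: group (multicast) address.
        problems.append("multicast address (lowest bit of first octet is set)")
    return problems


def is_locally_administered(text):
    """True if the second-lowest bit of the first octet (U/L bit) is set."""
    return bool(parse_mac(text)[0] & 0x02)


if __name__ == "__main__":
    # Constructed sample input: the two addresses from the article plus variants.
    samples = ["00:01:d7:ab:cd:ef", "01:01:d7:ab:cd:ef",
               "0201.d7ab.cdef", "ff-ff-ff-ff-ff-ff"]
    for mac in samples:
        issues = check_masquerade_mac(mac)
        verdict = "OK (unicast)" if not issues else "REJECT: " + "; ".join(issues)
        scope = "local" if is_locally_administered(mac) else "universal"
        print(f"{mac:20} {verdict} [{scope}]")
```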