Example Switch and Static ARP Configuration for an Active/Active FireCluster

Layer 3 switches that operate in default mode do not have issues with multicast traffic, so the FireCluster works without configuration changes. A layer 3 switch that has all ports configured in one VLAN also works without issues. If the layer 3 switch has ports configured for different VLANs, you must change the configuration to enable the switch to operate correctly with a FireCluster.

Layer 3 switches that perform VLAN or IP address routing discard multicast traffic from the FireCluster members. The switch discards traffic sent to and through the router unless you configure static MAC and ARP entries for the FireCluster multicast MAC address on the switch that receives the multicast traffic.

When you configure an active/active FireCluster, you might need to make some configuration changes on the FireCluster and on your network switches so that the FireCluster multicast MAC addresses work properly. For general information, go to:

This topic includes an example of how to configure the switches and the FireCluster static ARP settings for an active/active FireCluster. This example does not include all the other steps to configure a FireCluster. For instructions to configure a FireCluster, go to Configure FireCluster.

Before you begin, make sure you have:

WatchGuard provides interoperability instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a non-WatchGuard product, see the documentation and support resources for that product.

Example Configuration

In this example, the FireCluster configuration has one external and one internal interface. The external interface of each cluster member is connected to a Cisco 3750 switch. The internal interface of each cluster member is connected to an Extreme Summit 15040 switch. For the equivalent commands to make these configuration changes on your switch, see the documentation for your switch. The commands for two different switches are included in this example.

IP addresses in this example:

  • FireCluster interface 0 (External)
    IP address: 203.0.113.2/24
    Multicast MAC address: 01:00:5e:00:71:02
  • FireCluster interface 1 (Trusted)
    IP address: 10.0.1.1/24
    Multicast MAC address: 01:00:5e:00:01:01
  • Cisco 3750 switch connected to the FireCluster external interface
    IP address: 203.0.113.100
    VLAN interface MAC address: 00:10:20:3f:48:10
    VLAN ID: 1
    Interface: gi1/0/11
  • Extreme Summit 48i switch connected to the FireCluster internal interface
    IP address: 10.0.1.100
    MAC address: 00:01:30:f3:f1:40
    VLAN ID: Border-100
    Interface: 9

Configure the Cisco Switch

In this example, the Cisco switch is connected to the FireCluster interface 0 (external). You must use the Cisco command line to add static MAC and ARP entries for the multicast MAC address of the external FireCluster interface.

  1. Start the Cisco 3750 command line interface.
  2. Add a static ARP entry for the multicast MAC address of the FireCluster interface.
    Type this command:
    arp <FireCluster interface IP address> <FireCluster MAC address> arpa
    For this example, type:
    arp 203.0.113.2 0100.5e00.7102 arpa
  3. Add an entry to the MAC address table.
    Type this command:
    mac-address-table static <FireCluster interface MAC address> vlan <ID> interface <#>
    For this example, type:
    mac-address-table static 0100.5e00.7102 vlan 1 interface gi1/0/11

Configure the Extreme Switch

In this example, the Extreme Summit switch is connected to the FireCluster interface 1 (trusted). You must use the Extreme Summit command line to add static MAC and ARP entries for the multicast MAC address of the trusted FireCluster interface. 

  1. Start the Extreme Summit 48i command line.
  2. Add a static ARP entry for the multicast MAC address of the FireCluster interface.
    Type this command:
    configure iparp add <ip address> <MAC Address>
    For this example, type:
    configure iparp add 10.0.1.1/24 01:00:5e:00:01:01
  3. Add an entry to the MAC address table.
    Type this command:
    create fdbentry <MAC> VLAN <ID> port <#>
    For this example, type:
    create fdbentry 01:00:5e:00:01:01 VLAN Border-100 port 9
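The two switch procedures above use the same data in two notations: WatchGuard and the Extreme CLI write MAC addresses with colons, Cisco IOS expects dotted groups of four hex digits. The following Python helper is an added example, not WatchGuard's or either switch vendor's code: it holds the example values from this topic, converts the multicast MAC between the two notations, generates both switches' commands, and sanity-checks each pair of entries before they are typed in (the cluster MAC must be an IPv4 multicast MAC with the 01:00:5e prefix, the switch MAC that goes into the FireCluster static ARP entry must be unicast, and the switch IP must be on the interface subnet). The dictionary layout and function names are assumptions of this example.

```python
import ipaddress

# Constructed from the example values in this topic; one entry per cluster interface.
CLUSTER_INTERFACES = {
    "External": {"ip": "203.0.113.2/24", "mcast_mac": "01:00:5e:00:71:02",
                 "switch_ip": "203.0.113.100", "switch_mac": "00:10:20:3f:48:10"},
    "Trusted":  {"ip": "10.0.1.1/24", "mcast_mac": "01:00:5e:00:01:01",
                 "switch_ip": "10.0.1.100", "switch_mac": "00:01:30:f3:f1:40"},
}

def mac_octets(mac):
    """Parse colon, dash or Cisco dotted notation into six bytes; reject anything else."""
    hexdigits = mac.replace(":", "").replace(".", "").replace("-", "").lower()
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {mac}")
    return bytes.fromhex(hexdigits)

def to_cisco(mac):
    """01:00:5e:00:71:02 -> 0100.5e00.7102 (IOS notation)."""
    h = mac_octets(mac).hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"

def to_colon(mac):
    """0100.5e00.7102 -> 01:00:5e:00:71:02 (WatchGuard / Extreme notation)."""
    return ":".join(f"{b:02x}" for b in mac_octets(mac))

def is_ipv4_multicast_mac(mac):
    """IPv4 multicast MACs are 01:00:5e:00:00:00 through 01:00:5e:7f:ff:ff."""
    o = mac_octets(mac)
    return o[:3] == b"\x01\x00\x5e" and o[3] < 0x80

def is_unicast_mac(mac):
    """Unicast MACs have the group bit (low bit of the first octet) clear."""
    return (mac_octets(mac)[0] & 1) == 0

def check_interface(name, cfg):
    """Return the list of problems with one interface's entries; empty means consistent."""
    problems = []
    iface = ipaddress.ip_interface(cfg["ip"])
    if not is_ipv4_multicast_mac(cfg["mcast_mac"]):
        problems.append(f"{name}: cluster MAC {cfg['mcast_mac']} is not an IPv4 multicast MAC")
    if not is_unicast_mac(cfg["switch_mac"]):
        problems.append(f"{name}: switch MAC {cfg['switch_mac']} must be unicast")
    if ipaddress.ip_address(cfg["switch_ip"]) not in iface.network:
        problems.append(f"{name}: switch IP {cfg['switch_ip']} is not in {iface.network}")
    return problems

def cisco_commands(cfg, vlan, port):
    """The two IOS commands from the Cisco procedure, with the MAC in dotted notation."""
    ip, mac = str(ipaddress.ip_interface(cfg["ip"]).ip), to_cisco(cfg["mcast_mac"])
    return [f"arp {ip} {mac} arpa",
            f"mac-address-table static {mac} vlan {vlan} interface {port}"]

def extreme_commands(cfg, vlan, port):
    """The two ExtremeWare commands from the Extreme procedure, MAC in colon notation."""
    mac = to_colon(cfg["mcast_mac"])
    return [f"configure iparp add {cfg['ip']} {mac}",
            f"create fdbentry {mac} VLAN {vlan} port {port}"]
```

Run `check_interface` on each entry before generating commands; a multicast address pasted into the switch MAC field, or a switch IP from the wrong subnet, is reported instead of silently producing a static ARP entry that never matches.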

Add Static ARP Entries to the FireCluster Configuration for Each Switch

For an explanation of why this is required, go to Add Static ARP Entries for an Active/Active FireCluster.

  1. In WatchGuard System Manager, use the cluster trusted interface IP address to connect to the FireCluster. Do not use the management IP address.
  2. Click the Policy Manager icon.
    Or, select Tools > Policy Manager.
    Policy Manager appears.
  3. Select Network > ARP Entries.
    The Static ARP Entries dialog box appears.
  4. Click Add.
    The Add ARP Entry dialog box appears.
  5. In the Interface drop-down list, select External.
  6. In the IP Address text box, type the IP address of the switch interface that is connected to the external interface.
    For this example, type: 203.0.113.100
  7. In the MAC Address text box, type the MAC address of the VLAN interface on the Cisco switch that is connected to the external interface.
    For this example, type: 00:10:20:3f:48:10
  8. Click OK.
    The static ARP entry is added to the Static ARP Entries list.
  9. Click Add.
    The Add ARP Entry dialog box appears.
  10. In the Interface drop-down list, select Trusted.
  11. In the IP Address text box, type the IP address of the switch interface that is connected to the trusted interface.
    For this example, type: 10.0.1.100
  12. In the MAC Address text box, type the MAC address of the switch interface that is connected to the trusted interface.
    For this example, type: 00:01:30:f3:f1:40
  13. Click OK.
    The static ARP entry is added to the Static ARP Entries list.
  14. Click OK to close the Static ARP Entries dialog box.
  15. Select File > Save > to Firebox to save the static ARP entries to the FireCluster.