Thursday, March 5, 2009

Windows Network Load Balancing: MAC (Layer 2) Address Resolution

I was asked today (by a very astute fellow) what MAC address clients receive when connecting to Exchange Client Access Servers using Windows Network Load Balancing. This person had a very good understanding of how networking and load balancing works, and as I was describing how the system used a shared name and a shared IP address, he wanted me to explain what MAC address was added to the ARP (Address Resolution Protocol) table in clients. Which physical machine's MAC address is used? The answer is actually, neither.

This was not a question I could answer at that time. However, after a quick query on Google and a little reading, I now have a much better understanding of how this works.

Windows Network Load Balancing uses a "virtual" MAC address that is derived from a combination of the "cluster adapter" IP address and the priority of the node within the NLB configuration. For example, the cluster adapter IP address is and there are two nodes (node 1 and node 2). The MAC address used when a client hits node 1 would be 02-01-5-5-5-5. The MAC address for the second node would be 02-02-5-5-5-5. The format for this MAC address is 02-h-5-5-5-5, where h = the priority number of the node (set in NLB) and 5-5-5-5 is based on the IP address of the cluster adapter (shared by both nodes).

This is actually a pretty cool way to do it because you can scale nodes without worrying about physical MAC addresses because, the MAC addresses are virtual and thus don't require physical hardware.

Source: Microsoft (

1 comment:

paul said...

So - how does failover work? If I have MAC address for host 1 in my ARP cache (02-01-05-05-05-05), but node 1 goes down, aren't I screwed until that entry times out of my ARP cache? More importantly, since the cluster is likely to be on a remote subnet from the users, won't EVERYONE be screwed until the default gateway times out its ARP entry?

Would it be faster/ better/ cooler to have a shared (hot/standby) MAC address as Cisco does with HSRP? Therefore the secondary node will respond to the original MAC address once it realizes that its partner is no longer alive...

I'd like to read your opinion on this, since you seem to be a "cluster-fan"...