The NLB default setting is unicast mode. In unicast mode, NLB replaces the actual MAC address of each server in the cluster to a common NLB MAC address. When all the server in the cluster have the same MAC address, all packets forwarded to that address are sent to all members of the cluster. However, a problem with this configuration is when the servers NLB cluster are connected to the same switch, you cannot have two ports on the switch register the same MAC address. NLB solves this problem by masking the cluster MAC address. The switch looks at the source MAC address in the Ethernet frame header in order to learn which MAC addresses are associated with its ports. NLB creates a bogus MAC address and assigns that bogus MAC address to each server in the NLB cluster. NLB assigns each NLB server a different bogus MAC address based on the host ID of the member. This address appears in the Ethernet frame header.

For example, the NLB cluster MAC address is 00-bf-ac-10-00-01. NLB in unicast mode takes the cluster MAC address and, for each cluster member, NLB changes the second octet so that it consists of the NLB member’s host ID. For example, server number 1 as the bogus MAC address 00-01-ac-10-00-01, host ID number 2 has the bogus MAC address 00-02-ac-10-00-01, so on. If a unique MAC address is registered on each switch port, packets are not delivered to all members of the array; rather packets should still be sent to the individual switch ports based on the MAC address assigned to that port. To make frames delivered to all members of the NLB cluster when each switch port connected to an NLB cluster member registers a different MAC address it uses an ARP broadcast are used. When the router sends an ARP request for the MAC address of the virtual IP address, the reply contains an ARP header with the actual NLB cluster MAC address 00-bf-ac-10-00-01, as per the example given above and not the bogus MAC address.

The clients use the MAC address in the ARP header, not the Ethernet header. The switch uses the MAC address in the Ethernet header, not the ARP header. The issue is when a client sends a packet to the NLB cluster with destination MAC address as cluster MAC address 00-bf-ac-10-00-01, the switch looks at the CAM table for the MAC address 00-bf-ac-10-00-01. Since there is no port registered with the NLB cluster MAC address 00-bf-ac-10-00-01, the frame is delivered to all switch ports. This introduces switch flooding. Switch flooding causes issues when significant amount of traffic is flowing and also when having other servers on the same switch. A solution to switch flooding is to put a simple hub in front of the NLB cluster members and then uplink the hub to a switch port. This solution does not even need to mask the NLB cluster MAC address because the single switch port connected to the hub learns the NLB cluster MAC address. This avoids the problem of two switch ports registering the same MAC address. When the client sends packets to the NLB cluster MAC address, the packets go directly to the switch port connected to the hub and then to the NLB cluster members.