I am setting up an active/active cluster on WatchGuard XTM 5's. This requires me to configure static ARP and static MAC entries on all switches and routers in the upstream/downstream of the data path. So I have Port 1 of each WatchGuard patched to VLAN 1 on the Cisco 3750 stack.

My problem is: configuring static MAC entries in Network Assistant asks for MAC address, VLAN, and Output Interface. Is the Output Interface they are looking for the port where Port 1 of the WatchGuards comes into the switch? I assumed it was, but first of all it is worded "output", not "input", which makes me think they mean the port in the stack that goes out to the internet or some other route, and second, when I try to add entries for both of those WatchGuard-connected ports (1 cable per WatchGuard in the cluster) it tells me I can't have duplicates. Please help.

I looked at the link posted by dpk_wal, it was helpful.

You're going to need more than one port from each cluster member. I suggest you don't use VLAN 1, it's bad practice to use it for data.

Here's an example:
Each cluster member, WG1 and WG2, use Port 0 as external and Port 1 as trusted
The switch stack has VLAN 10, name OUTSIDE, and VLAN 20, name INSIDE
Switch1 has:
Port 19 configured for VLAN 10, connected to WG1/Port 0
Port 20 configured for VLAN 20, connected to WG1/Port 1
Switch2 has:
Port 19 configured for VLAN 10, connected to WG2/Port 0
Port 20 configured for VLAN 20, connected to WG2/Port 1

For Active/Active, each member interface shares the same multicast MAC address, so on the stack:
For the Port 0 multicast address you have a static entry for VLAN 10, outgoing interfaces Switch1/19 and Switch2/19
For the Port 1 multicast address you have a static entry for VLAN 20, outgoing interfaces Switch1/20 and Switch2/20

If you have any other switches connected to the stack that have devices that talk directly to the cluster, then you need to have the static entries but for the outgoing interface or interfaces used to connect to the stack.
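The static entries from the example above, written out as Catalyst 3750 IOS configuration. This is an added illustration, not part of the original answer. It assumes the stack ports are named GigabitEthernet<member>/0/<port> and an IOS release that uses the `mac address-table` (unhyphenated) command form; `<PORT0-MCAST-MAC>` and `<PORT1-MCAST-MAC>` are placeholders for the cluster's shared multicast MAC addresses.

```cisco
! Added example. Assumptions: interface names, and the two MAC placeholders
! (enter the real values in xxxx.xxxx.xxxx format).
!
vlan 10
 name OUTSIDE
vlan 20
 name INSIDE
!
interface GigabitEthernet1/0/19
 description WG1 Port 0 (external)
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/20
 description WG1 Port 1 (trusted)
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet2/0/19
 description WG2 Port 0 (external)
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet2/0/20
 description WG2 Port 1 (trusted)
 switchport mode access
 switchport access vlan 20
!
! One static entry per VLAN for the shared multicast MAC, listing BOTH
! member ports as outgoing interfaces in the same command.
mac address-table static <PORT0-MCAST-MAC> vlan 10 interface GigabitEthernet1/0/19 GigabitEthernet2/0/19
mac address-table static <PORT1-MCAST-MAC> vlan 20 interface GigabitEthernet1/0/20 GigabitEthernet2/0/20
!
! Verify from privileged EXEC:
!   show mac address-table static vlan 10
!   show mac address-table static vlan 20
```

Each multicast MAC appears once per VLAN with all of its outgoing ports listed in that single entry, matching the "outgoing interfaces Switch1/19 and Switch2/19" wording above.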

Have a look at the article below and see if it helps you with anything:

Thank you.
KingPez (Author) Commented:
Not sure how that relates to my questions at all but thanks for your response.
The link talks about finding the multicast MAC; if you were talking about "how to add a static ARP entry on the switch/router" then yes, this link is useless.
When you configure a static MAC entry, you configure the output ports to which a switch will send traffic for this address.
You only need to configure the entries on switches involved in the layer 2 paths between cluster members. For example, one member on switch1 connected by a trunk to switch2, which has another member; both switch1 and switch2 should have a static entry for the MAC address for the member port and the trunk port/VLAN.

You should only need to configure static ARP entries on any router devices connected to the cluster.
KingPez (Author) Commented:
Frabble:  So just to clear it up . . . Switch 1 and 2 are in a stack.  Let's say cluster WatchGuard member1 is in port 19 of switch1 and WG member 2 is on port 20 of switch2.  Both ports in same VLAN 1.

So I assign static MAC entries to sw1 port 19 and sw2 port 20. Is that it? Only two places? You mentioned a trunk/VLAN?

Thanks again.
KingPez (Author) Commented:
Thanks Frabble
