It's complicated. It depends on the NLB operating mode (Unicast / Multicast / Multicast+IGMP) and who is acting as the L3 router on the NLB segment.
The ERS does not have explicit support for Microsoft NLB, you would be much better off if using a VSP platform.
If the NLB mode is Unicast, when the router ARPs for the NLB Cluster IP, the Microsoft servers reply with a bogus MAC (which does not exist in the FDB MAC table); ERS are happy to install this ARP, however the ARP entry will point to the port where it was received. When using this ARP to send traffic the ERS will only send traffic out of that port. So if the ERS is acting as router, it cannot be the switch where all the NLB Servers are conected, because it will not flood traffic to multiple ports (the topology shown in 2.2.2 is ok in this respect, as the ERS router is different from the ERS switches where servers are connected).
If the NLB mode is Multicast, when the router ARPs for the NLB Cluster IP, the Microsoft servers reply with a multicast MAC address; ERS won't install this; you need to create a static ARP entry. You will need to provide a single port when you do so; same constraint as above.
In NLB mode is Multicast+IGMP is similar to the vanilla Multicast mode but in addition the Microsft servers will generate IGMP report messages; the idea is that the switch can leverage this info to dynamically flooding traffic where is sees IGMP membership; this will never work on ERS and you should avoid this mode as most modern L2 switches perform snooping on the IP Multicast address (which Microsoft NLB does not use) and not the multicast MAC (which Microsoft NLB uses in Multicast+IGMP mode). If you want to limit the flooding to just the NLB Servers, then simply put them in the same VLAN (instead of trying to use the Multicast+IGMP mode) and use either Unicast or simple Multicast modes.
