Re: [FW-1] StoneBeat Multicast configuration problem
I had what sounds like the same issue with Stonebeat and never really solved it. Actually it's a Cisco problem. If you do a packet capture you should see that routers on the segment are mistakenly picking up the packets addressed to the multicast MAC address and re-transmitting them. So you get a multicast flood that only stops when the packet TTL runs out.

We had this configuration (R = Cisco router running HSRP, F = firewall (FW1 + Stonebeat)):

    R1-- --F1
       |--|
    R2-- --F2

Every time a packet came through one of the routers (say R1), it sent it to the firewall multicast MAC (as it should). Router R2 SHOULD ignore this packet, because it is sent to a multicast address that the Cisco is NOT listening on (0900.x.x). But instead, router R2 accepts the packet for routing. So it sends a copy to the cluster multicast address (and decrements the TTL). R1 then sees this new packet and again accepts it for routing, and sends a copy to the cluster multicast MAC. Router R2 sees this packet and accepts it... etc., etc. This carries on until the TTL times out.

But every copy of the packet DOES arrive at the firewall, and is dutifully forwarded on its way. So you get 200+ copies of every packet all the way from the routers to the destination device. I imagine if there'd been 3 routers on the subnet we would have got 400+ copies of each packet instead.

I believe this is a Cisco problem because the Cisco routers (like any host) should only accept packets that are addressed to their unicast address, the broadcast address, or a multicast MAC address that the router is actively listening on (such as the HSRP multicast address).

Putting CAM entries on the switches didn't help. The routers still saw and repeated the multicast packets.

I searched for "cisco" on the Stonebeat site, and searched for "stonebeat" on the Cisco site. The Stonebeat doc recommended using multicast groups, but the Cisco site said not to do this as it would interfere with HSRP.
General internet searches didn't find anything. I put the question to the cisco forums and got a few suggestions but mainly the email equivalent of a shrug. Then I moved onto another project so don't know if it was eventually solved or not!
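The loop described above leaves a clear signature in a capture: the same IP packet (same source, destination and IP ID) arriving repeatedly on the cluster multicast MAC, TTL dropping by one each time, with the source MAC alternating between the routers. The following is an added example (not from the original post or from StoneBeat/Cisco) of a small checker that flags that pattern in a capture; the cluster MAC, router MACs and IP addresses are constructed placeholders.

```python
from collections import defaultdict

# Constructed placeholder addresses (not from the post).
CLUSTER_MAC = "09:00:00:00:00:01"   # assumed StoneBeat cluster multicast MAC
R1_MAC = "00:00:0c:00:00:01"        # assumed router R1 MAC
R2_MAC = "00:00:0c:00:00:02"        # assumed router R2 MAC


def make_loop_capture(copies, start_ttl=64):
    """Build a constructed capture that models the loop: one packet re-sent
    `copies` times to the cluster MAC, TTL decremented on every hop and the
    sending router alternating between R1 and R2."""
    frames = []
    for i in range(copies):
        frames.append({
            "src_mac": R1_MAC if i % 2 == 0 else R2_MAC,
            "dst_mac": CLUSTER_MAC,
            "src_ip": "192.0.2.10", "dst_ip": "198.51.100.20",
            "ip_id": 0x1234, "ttl": start_ttl - i,
        })
    return frames


def find_multicast_loops(frames, cluster_mac=CLUSTER_MAC, min_copies=3):
    """Group frames sent to the cluster MAC by (src_ip, dst_ip, ip_id) and
    report groups that look like a routing loop: several copies, strictly
    decreasing TTL, and more than one router acting as the sender."""
    groups = defaultdict(list)
    for f in frames:
        if f["dst_mac"].lower() == cluster_mac.lower():
            groups[(f["src_ip"], f["dst_ip"], f["ip_id"])].append(f)
    report = {}
    for key, fs in groups.items():
        ttls = [f["ttl"] for f in fs]
        routers = {f["src_mac"] for f in fs}
        decreasing = all(a > b for a, b in zip(ttls, ttls[1:]))
        if len(fs) >= min_copies and decreasing and len(routers) > 1:
            report[key] = {"copies": len(fs),
                           "routers": sorted(routers),
                           "ttl_range": (ttls[0], ttls[-1])}
    return report


if __name__ == "__main__":
    for key, info in find_multicast_loops(make_loop_capture(64)).items():
        print(key, info)
```

A single legitimate forward (one copy, one router) produces no entry, so the checker separates the loop from normal cluster traffic.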
Manuel Antonio Cabrera Silva wrote: Hello,... ...The cluster is connected to a Catalyst 4000; this switch has VLANs propagated from a Catalyst 6500 via trunking. The Cat. 6500 has a routing module too. The ping shows that sometimes there is a loop between the cluster and the router that makes the TTL expire.