
Re: [FW-1] StoneBeat Multicast configuration problem



I had what sounds like the same issue with Stonebeat and never really
solved it. Actually it's a Cisco problem. If you do a packet capture you
should see that routers on the segment are mistakenly picking up the
packets addressed to the multicast MAC address and re-transmitting them.
So you get a multicast flood that only stops when the packet TTL runs out.

We had this configuration (R = Cisco router running HSRP, F = firewall
running FW-1 + StoneBeat):

R1--    --F1
   |--|
R2--    --F2

Every time a packet came through one of the routers (say R1), it sent it
to the firewall multicast MAC (as it should). Router R2 SHOULD ignore
this packet, because it is sent to a multicast address that the Cisco is
NOT listening on (0900.x.x). But instead, router R2 accepts the
packets for routing. So it sends a copy to the cluster multicast address
(and decrements the TTL). R1 then sees this new packet and again accepts
it for routing, and sends a copy to the cluster multicast MAC. Router R2
sees this packet and accepts it .... etc, etc. This carries on until the
TTL times out.

But every copy of the packet DOES arrive at the firewall, and is
dutifully forwarded on its way. So you get 200+ copies of every packet
all the way from the routers to the destination device. I imagine if
there'd been 3 routers on the subnet we would have got 400+ copies of
each packet instead.

I believe this is a Cisco problem because the Cisco routers (like any
host) should only accept packets that are addressed to their unicast
address, the broadcast address, or a multicast MAC address that the
router is actively listening on (such as the HSRP multicast address).

Putting CAM entries on the switches didn't help. The routers still saw
and repeated the multicast packets. I searched for "cisco" on the
stonebeat site, and searched for "stonebeat" on the cisco site. The
stonebeat doc recommended using multicast groups, but the cisco site said
not to do this as it would interfere with HSRP. General internet
searches didn't find anything. I put the question to the cisco forums
and got a few suggestions but mainly the email equivalent of a shrug.

Then I moved onto another project so don't know if it was eventually
solved or not!


Darryl Luff [email protected]


Manuel Antonio Cabrera Silva wrote:


Hello,

I need help with cluster configuration. I set up a two-node cluster with
Firewall-1 NG FP1 and StoneBeat FullCluster 3.0 HF 2 over Solaris 8 in 64-bit
mode. The cluster has 11 ONICS. It appears that I am missing something in the
NG, StoneBeat or switch configuration. I would appreciate any suggestion.

The problem is that I need to configure multicast in the cluster because it
is connected to switches, and to avoid flooding I configured them, but the
connections are unstable. The switches are:

...

The cluster is connected to a Catalyst 4000; this switch has VLANs propagated
from a Catalyst 6500 via trunking. The Cat. 6500 has a routing module too.

...

The ping shows that sometimes there is a loop between the cluster and the
router that makes the TTL expire.

Thanks in advance,

Manuel Cabrera


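Added example, not code from the original post, from StoneBeat or from Cisco: a small Python model of the re-forwarding loop Darryl describes (a router picking up frames sent to a multicast MAC it is not listening on and routing them again, TTL minus one each time, until the TTL runs out), together with a check over tcpdump-style capture lines for the symptom he says a packet capture should show: the same IP packet arriving at the cluster MAC over and over with a decreasing TTL, emitted alternately by different router MACs. The cluster MAC, router MACs, IP addresses and capture lines are all constructed placeholders. The model also accepts more than two routers; under its assumptions every extra router re-emits each copy, so the count grows far faster than with two.

```python
"""Model of the router re-forwarding loop described above and a check for it in
tcpdump-style output. Added example; not code from the original post, StoneBeat
or Cisco. All MACs, IPs and capture lines are constructed placeholders."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

CLUSTER_MAC = "09:00:00:00:00:01"   # constructed stand-in for the cluster multicast MAC
HSRP_MAC = "01:00:5e:00:00:02"      # MAC for 224.0.0.2 (all routers), HSRPv1 hellos


def simulate_segment(n_routers: int, ttl_in: int,
                     routers_accept_unlistened: bool) -> List[Tuple[int, int]]:
    """Frames the firewall cluster receives for ONE packet entering via router 0,
    as (emitting_router, ttl). With correct behaviour a router ignores frames for a
    multicast MAC it does not listen on, so the cluster sees one copy. If every
    router on the segment instead accepts and re-routes them (TTL - 1 each time),
    copies keep arriving until the TTL hits 0."""
    delivered: List[Tuple[int, int]] = []
    pending = [(0, ttl_in - 1)] if ttl_in > 1 else []   # router 0 decrements, drops at 0
    while pending:
        router, ttl = pending.pop(0)
        delivered.append((router, ttl))                  # the cluster forwards this copy
        if routers_accept_unlistened and ttl > 1:
            pending.extend((other, ttl - 1)
                           for other in range(n_routers) if other != router)
    return delivered


def capture_line(ts: str, src_mac: str, dst_mac: str, ttl: int, ipid: int,
                 src_ip: str, dst_ip: str) -> str:
    """Build a constructed 'tcpdump -e -v' style line for the sample below."""
    return (f"{ts} {src_mac} > {dst_mac}, ethertype IPv4 (0x0800), length 98: "
            f"(tos 0x0, ttl {ttl}, id {ipid}, offset 0, flags [none], proto ICMP (1), "
            f"length 84) {src_ip} > {dst_ip}: ICMP echo request, id 1, seq 1, length 64")


R1, R2 = "00:00:0c:07:ac:01", "00:00:0c:07:ac:02"   # constructed router MACs
SAMPLE_CAPTURE = [
    # one packet (IP id 4711) re-emitted alternately by R1 and R2, TTL dropping each time
    capture_line("10:00:00.000010", R1, CLUSTER_MAC, 254, 4711, "10.1.1.50", "192.168.10.20"),
    capture_line("10:00:00.000020", R2, CLUSTER_MAC, 253, 4711, "10.1.1.50", "192.168.10.20"),
    capture_line("10:00:00.000030", R1, CLUSTER_MAC, 252, 4711, "10.1.1.50", "192.168.10.20"),
    capture_line("10:00:00.000040", R2, CLUSTER_MAC, 251, 4711, "10.1.1.50", "192.168.10.20"),
    # a healthy packet: a single copy to the cluster MAC
    capture_line("10:00:00.000500", R1, CLUSTER_MAC, 254, 4712, "10.1.1.51", "192.168.10.20"),
    # an HSRP hello to the all-routers MAC: not cluster traffic, must be ignored
    capture_line("10:00:00.001000", R1, HSRP_MAC, 1, 0, "10.1.1.2", "224.0.0.2"),
]

CAPTURE_RE = re.compile(
    r"(?P<src_mac>[0-9a-f:]{17}) > (?P<dst_mac>[0-9a-f:]{17}).*?"
    r"ttl (?P<ttl>\d+), id (?P<id>\d+).*?\)\s+(?P<src_ip>[\d.]+) > (?P<dst_ip>[\d.]+):",
    re.IGNORECASE,
)


def detect_multicast_loop(lines: List[str], cluster_mac: str = CLUSTER_MAC,
                          min_copies: int = 3) -> List[Dict]:
    """Group frames sent to the cluster MAC by (IP id, src IP, dst IP). A group of
    min_copies or more with strictly decreasing TTLs, emitted by more than one
    source MAC, is the loop: routers re-routing each other's copies."""
    groups: Dict[Tuple[int, str, str], List[Tuple[int, str]]] = defaultdict(list)
    for line in lines:
        m = CAPTURE_RE.search(line)
        if not m or m["dst_mac"].lower() != cluster_mac.lower():
            continue
        key = (int(m["id"]), m["src_ip"], m["dst_ip"])
        groups[key].append((int(m["ttl"]), m["src_mac"].lower()))
    findings = []
    for (ipid, src, dst), entries in groups.items():
        ttls = [t for t, _ in entries]
        macs = sorted({mac for _, mac in entries})
        if (len(entries) >= min_copies and len(macs) > 1
                and all(a > b for a, b in zip(ttls, ttls[1:]))):
            findings.append({"id": ipid, "src": src, "dst": dst,
                             "copies": len(entries), "routers": macs})
    return findings


if __name__ == "__main__":
    print("correct routers, TTL 255:", len(simulate_segment(2, 255, False)), "copy")
    print("misbehaving routers, TTL 255:", len(simulate_segment(2, 255, True)), "copies")
    for f in detect_multicast_loop(SAMPLE_CAPTURE):
        print(f"loop: id {f['id']} {f['src']}->{f['dst']}: "
              f"{f['copies']} copies via {f['routers']}")
```

With two misbehaving routers and a starting TTL of 255 the model delivers 254 copies of the packet to the cluster, in line with the "200+ copies" seen in practice; with correctly behaving routers it delivers one. To run the detector on a real capture, feed it the lines of `tcpdump -e -v -n` taken on the firewall segment and set `cluster_mac` to the cluster's actual multicast MAC.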



 
   All contents © 2004 Network Presence, LLC. All rights reserved.