Well, I really banged my head against the wall on this one. Here is a summary of my problem:
My current architecture is two Catalyst 6509s with MSFCs for my core, and redundant perimeter routers to the Internet. All hosts reside on a Class C that has been assigned to us.
Our e-learning project and the online labs we use require that most hosts on this network be accessible and fully controllable via the Internet. With that, I limited all hosts using private VLANs. Here is an idea of what it looks like:
| Cat6509 | <----Trunk -----> | Cat6509 |
The PVLANs are trunked between the switches, and the MSFCs on both provide redundant layer 3 (a la HSRP). This works well.
Problem: multicasting Ghost images to the aforementioned lab machines would knock all hosts off the network (the Ghost box was a whopper of a system). Multicast was not being contained.
The obvious solutions: CGMP or IGMP snooping, or GMRP (not supported by Ghost).
Results from CGMP: ports in the private VLAN were being peeled out of the multicast group even though hosts were present.
Suspected cause: the MSFC (multicast router) was telling the switch to peel hosts out of the group that were not on the VLAN on which it received the IGMP join.
The MSFC did not recognize that the IGMP join came in on a private VLAN, not the primary or parent VLAN (used to carry PVLAN traffic).
I did EVERYTHING I could think of to limit multicast, including the port commands (not supported with my 6248 module).
Jonathan Nantel CCNP, CCDP
Director - Cisco Department
Advanced Training & Services
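To make the suspected cause in the post concrete, here is a small Python model of CGMP-style group tracking across a private-VLAN trunk. It is an added example, not Cisco's CGMP or MSFC code and not part of the original post: the VLAN numbers (primary 100 with secondaries 101/102, plain VLAN 200), port names, the group address and the "reconcile" step are all constructed to reproduce the behaviour the post describes. The model encodes exactly one idea: the multicast router sees every IGMP report from a PVLAN host on the primary VLAN (where its L3 interface lives), while the switch's CAM table has those hosts in a secondary VLAN, so a router that does not map secondary VLANs back to their primary concludes the hosts are "not on the VLAN the join arrived on" and prunes them. It also shows the no-snooping flood that hit every host in the first place.

```python
"""Toy model of CGMP-style multicast group tracking across a private-VLAN trunk.

Added example, not Cisco code and not from the original post. VLAN numbers,
port names and the group address are constructed for illustration.
"""
from collections import defaultdict

# Assumed PVLAN layout: primary 100 carries secondaries 101 and 102; 200 is an ordinary VLAN.
SECONDARY_TO_PRIMARY = {101: 100, 102: 100}


def to_primary(vlan):
    """Map a secondary VLAN to its parent primary; ordinary VLANs map to themselves."""
    return SECONDARY_TO_PRIMARY.get(vlan, vlan)


class Switch:
    """Switch side: an access VLAN per port plus a (vlan, group) -> ports forwarding table."""

    def __init__(self, port_vlan):
        self.port_vlan = dict(port_vlan)
        self.groups = {}  # (vlan, group) -> set of ports; an absent key means "flood"

    def add_member(self, vlan, group, port):
        self.groups.setdefault((vlan, group), set()).add(port)

    def remove_member(self, vlan, group, port):
        self.groups.get((vlan, group), set()).discard(port)

    def delivery_ports(self, vlan, group):
        """Ports a frame for `group` entering on `vlan` is delivered to.

        With no snooping/CGMP state the switch floods the whole PVLAN domain,
        which is the "Ghost knocks every host off the network" case.
        """
        if (vlan, group) in self.groups:
            return set(self.groups[(vlan, group)])
        return {p for p, v in self.port_vlan.items() if to_primary(v) == to_primary(vlan)}


class MulticastRouter:
    """Router side (the MSFC in the post).

    `pvlan_aware` decides whether a host's secondary VLAN is treated as the same
    VLAN as the primary the join was received on.
    """

    def __init__(self, switch, pvlan_aware):
        self.switch = switch
        self.pvlan_aware = pvlan_aware
        self.members = defaultdict(set)  # (vlan the join was seen on, group) -> ports

    def igmp_join(self, port, group):
        # Reports from PVLAN hosts reach the router on the primary VLAN; record the
        # membership there and push a CGMP-style join to the switch on that VLAN.
        seen_on = to_primary(self.switch.port_vlan[port])
        self.members[(seen_on, group)].add(port)
        self.switch.add_member(seen_on, group, port)

    def reconcile(self, group):
        """Periodic membership check; returns the ports that were pruned."""
        pruned = []
        for (vlan, g), ports in self.members.items():
            if g != group:
                continue
            for port in sorted(ports):
                host_vlan = self.switch.port_vlan[port]  # what the switch's CAM table says
                if self.pvlan_aware:
                    host_vlan = to_primary(host_vlan)
                if host_vlan != vlan:  # "this host is not on the VLAN I got the join on"
                    self.switch.remove_member(vlan, g, port)
                    ports.discard(port)
                    pruned.append(port)
        return pruned


GROUP = "239.1.1.1"  # constructed group address for the Ghost stream
LAB_PORTS = {"Gi1/1": 101, "Gi1/2": 102, "Gi1/3": 200, "Gi1/4": 101}  # constructed


def flood_without_snooping():
    """No CGMP/IGMP snooping: every port in the PVLAN domain gets the stream."""
    return sorted(Switch(LAB_PORTS).delivery_ports(100, GROUP))


def run_cgmp(pvlan_aware):
    """Three receivers join; return (ports before reconcile, pruned ports, ports after)."""
    switch = Switch(LAB_PORTS)
    router = MulticastRouter(switch, pvlan_aware)
    for port in ("Gi1/1", "Gi1/2"):   # receivers on secondary VLANs
        router.igmp_join(port, GROUP)
    router.igmp_join("Gi1/3", GROUP)  # receiver on an ordinary VLAN, for contrast
    before = sorted(switch.delivery_ports(100, GROUP))
    pruned = sorted(router.reconcile(GROUP))
    after = sorted(switch.delivery_ports(100, GROUP))
    return before, pruned, after


if __name__ == "__main__":
    print("no snooping, flooded to:", flood_without_snooping())
    print("CGMP, router not PVLAN-aware:", run_cgmp(pvlan_aware=False))
    print("CGMP, router PVLAN-aware:    ", run_cgmp(pvlan_aware=True))
```

Running it shows the three states side by side: without snooping the stream floods to Gi1/4, which never joined; with a router that keys membership on the primary VLAN alone, both PVLAN receivers are pruned on the first reconcile while the ordinary-VLAN receiver on Gi1/3 is untouched; with the secondary-to-primary mapping applied on the router side, the PVLAN receivers keep their membership. The real fix needs that mapping inside the multicast router or the snooping implementation, which is what the post's MSFC was missing.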