Hi,

thank you for answering.

I've solved the problem - "no cgmp" was the key ;-)

Hello,

I've disabled CGMP but still having problems.

I had some problems with L2 multicast traffic with CheckPoint FW-1 using clusterXL application.. Switches are 3524XL on the following topology:

BorderRouter BorderRouter

| |

|- 100Full ethernet | 100Full Ethernet

| |

3524XL ------ 100Full------- 3524XL

| |

| |

FW-1 (1) FW-1 (2)

Border routers have an arp entry associating VIP of FW-1 cluster with a multicast mac-address.. Each border router and firewall is connected to each 3524XL.. I've done some implementations but it did not work... Should I configure the input ports of static mac pointing to BoderRouters interfaces and to the uplink port between catalysts...

appretiate you help..

thaks

rps

Hi,

we're using Stonesofts FullCluster instead of ClusterXL. But the basics are the same, because you talk about L2 multicast. Maybe clusterxl uses a different setup - I can tell you only how it works with FullCluster and XL swicthes.

For *every* system (Server, Router) which is directly connected to a cluster VLAN (DMZ) you need to define a "mac-address-table static" entry with the correspondig L2 Multicast address the cluster has in that VLAN. Furthermore, you define the input port and the output port(s).

Example:

mac-address static 0100.5e34.000d FastEthernet 0/2 FastEthernet 0/1 GigabitEthernet 0/1 vlan 152

where

- 0100.5e34.000d is the Multicast MAC for the Cluster IP in VLAN 152

- Fa0/2 is the port of one Server in that VLAN (input port); in your setup also the border routers!

- Fa0/1 is the port of one of your Firewall nodes

- Gi0/1 is a trunk port to the other switch, who provides a switch port to the second node of the cluster

The idea behind is that you define: "Ok, when the switch receives a multicast frame with destination address 0100.5e34.000d from port Fa 0/2, forward it to Fa0/1, on which the first node is connected to, and in addition, forward the frame to the trunk on Gi0/1, so that the second node, which is connected at the second switch, will also receive the traffic".

On the second switch you need to define the trunk port as an input port to "mac-address-table static":

mac-address-table static 0100.5e34.000d GigabitEthernet 0/1 FastEthernet 0/1 vlan 152

saying that the second node is also connected to Fa0/1 for that VLAN.

-> Repeat that setup (both switches) for every server in that VLAN

-> Repeat that setup for all other VLANs (DMZs)

And finally, for what is this all good for? It prevents the flooding of multicast frames to all ports in a VLAN. Only the cluster members need to receive these packets.

The arp entires for the multicast MAC on your routers are required for IP connectivity because Cisco routers do not learn such L2 multicast addresses via arp. Windoze NT/2k and most Unices do not need to have such static entries.

This whole setup is much more easier to implement on Cat 2950/3550 switches, because you do not need to define any input ports (only vlan and output ports)...

HTH,

Christian