HSRP on Cisco720x and Firewall-1 using Stonebeat-Cluster Multicast-MAC
We have a setup with 2 Cisco 720x, IOS 12.2(10), running HSRP and two Sun Solaris machines running Firewall-1 with Stonebeat-Cluster using a multicast MAC address (01:00:5e:7c:00:06), all on the same LAN.
The two Ciscos see all the packets intended for the firewalls (with destination = multicast MAC) and send the packets again with their own source address into the LAN. These packets will be seen by the other Cisco and it will behave the same (sending the packet out again).
What we get is a LAN overload and firewalls with high cpu and lost connections.
Workaround: We just unplugged one Cisco.
We changed the switch HW and changed from a VLAN to dedicated HW for that VLAN, with no effect.
We are running a similar configuration with IOS Version 12.2(4)T3 and Firewall-1 and Stonebeat using a multicast MAC which runs fine.
Re: HSRP on Cisco720x and Firewall-1 using Stonebeat-Cluster Mul
A couple of points. The MAC address you specified is not a Multicast MAC address. Are you sure you configured Stonebeat to use a Multicast MAC and not a Unicast MAC? Multicast MAC addresses begin with 09...
Normally when you configure Stonebeat with Multicast MAC addresses you need to add a static ARP entry on any layer 3 Cisco device that talks directly to the cluster address of the firewall. Check your Stonebeat config to make sure that it is using a multicast MAC address - it normally generates an address for you when doing this, starting with 09, but you can change this manually; it must start with 09.
Also, if you are using Unicast MAC addresses (as it appears) for the Cluster IP address and you are using Cisco switches - this is not a valid configuration, as the switches do not support forwarding to multiple ports (i.e. 2 ports supporting firewall nodes).
I would double check your Multicast MAC address config on Stonebeat, get it to regenerate a proper multicast MAC address, add static ARP entries to the Cisco boxes and see if this resolves the issue.
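Added example (not from either poster): a small check to run over a capture from the affected LAN. It classifies the cluster MAC by its I/G bit and flags multicast-addressed datagrams that reappear with a different source MAC, which is the re-sending behaviour the question describes. The frame records, source MACs and IP IDs below are constructed for illustration.

```python
from collections import defaultdict

# Constructed frame records: (src_mac, dst_mac, ip_id). The IPv4 Identification
# field is used to recognise the same datagram when it reappears on the wire.
CLUSTER_MAC = "01:00:5e:7c:00:06"          # MAC from the question
ROUTER_A, ROUTER_B = "00:0a:0b:00:00:01", "00:0a:0b:00:00:02"  # constructed
FRAMES = [
    ("00:11:22:33:44:55", CLUSTER_MAC, 0x1A2B),  # client sends to the cluster
    (ROUTER_A, CLUSTER_MAC, 0x1A2B),             # same datagram re-sent by router A
    (ROUTER_B, CLUSTER_MAC, 0x1A2B),             # ... and again by router B
    ("00:11:22:33:44:55", CLUSTER_MAC, 0x1A2C),  # seen once only, normal
    ("00:11:22:33:44:55", "00:50:56:aa:bb:cc", 0x0001),  # unicast, ignored
]


def parse_mac(mac: str) -> tuple:
    """'01:00:5e:7c:00:06' -> (1, 0, 94, 124, 0, 6)."""
    return tuple(int(octet, 16) for octet in mac.split(":"))


def is_multicast_mac(mac: str) -> bool:
    """True when the I/G bit (least significant bit of the first octet) is set."""
    return parse_mac(mac)[0] & 0x01 == 1


def is_ipv4_multicast_mac(mac: str) -> bool:
    """True for 01:00:5e:00:00:00 - 01:00:5e:7f:ff:ff, the IPv4 group mapping range."""
    octets = parse_mac(mac)
    return octets[:3] == (0x01, 0x00, 0x5E) and octets[3] & 0x80 == 0


def find_replays(frames):
    """Return {(dst_mac, ip_id): [src_macs]} for multicast-addressed datagrams
    that were later re-sent by a station other than the one seen first."""
    first_src = {}
    replayed = defaultdict(set)
    for src, dst, ip_id in frames:
        if not is_multicast_mac(dst):
            continue
        key = (dst, ip_id)
        if key not in first_src:
            first_src[key] = src
        elif src != first_src[key]:
            replayed[key].add(src)
    return {key: sorted(srcs) for key, srcs in replayed.items()}


def replaying_stations(frames):
    """Sorted list of MACs that re-sent someone else's multicast datagram."""
    stations = set()
    for srcs in find_replays(frames).values():
        stations.update(srcs)
    return sorted(stations)
```

Two or more stations in `replaying_stations` that are router interfaces on the same segment is the loop the question describes.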