l0stbyte wrote:
> 
> It could be related to the problem described here:
> http://www.firewall-1.org/2002-05/msg00646.html

That page describes two routers that are on the same segment as each other
and also on the same segment as the firewalls. For some unexplained reason
the routers are forwarding multicasts. Routers don't normally do that so
they must have been misconfigured in some way.

You have switches and your firewalls are only connected to one of the
switches, isn't that so? I think your topology is completely different.

In that URL, every packet was arriving at the firewall a couple hundred
times, until the IP time-to-live (TTL) timed out. Is that what is happening
on your network?

What problem are you trying to solve? What are the symptoms of the problem?
I realize language may be a barrier, but can you tell us more about this?
It's essential for you to understand the problem. Perhaps writing about it,
despite the difficulties, would help you understand it and would help us
help you.

Also, maybe you could tell us more about what your firewall vendor said.
What kind of firewall is it anyway? What model switches are you using?

Definitely look into IGMP snooping and/or CGMP. One of those might solve
your problem. They both have the same goal, which is to make switches
multicast-aware and smarter about which multicasts they do and don't forward.

Maybe issues with firewall clustering, multicasts, and Cisco switches will
ring a bell for someone else? Anyone else have some ideas?

Priscilla
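The three behaviours the thread compares (a switch flooding a multicast MAC by default, a permanent CAM entry pinning it to chosen ports, and IGMP snooping limiting it to ports that sent joins) can be traced through a small model. The code below is an added illustration written for this thread; it is not from any poster or switch vendor. The two-switch topology, the port names, the cluster MAC and the rule that a snooping switch floods a group nobody has joined are all constructed assumptions (real switches differ on how they treat unregistered multicast). The frame is sent from a host on SW2 so that the effect of a CAM entry that exists only on SW1 is visible.

```python
"""Model of where a switch sends a frame addressed to a multicast MAC under
three policies: default flooding, a permanent CAM entry, and IGMP snooping.
Added example for the thread; topology, ports and addresses are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Set

# Constructed multicast MAC standing in for the firewall cluster's shared address.
CLUSTER_MAC = "01:00:5e:0a:0b:0c"


def is_multicast(mac: str) -> bool:
    """A MAC is multicast when the least-significant bit of its first octet is set."""
    return int(mac.split(":")[0], 16) & 1 == 1


@dataclass
class Switch:
    name: str
    ports: Set[str]
    # Permanent CAM entries (the 'set cam permanent' approach): MAC -> egress ports.
    static_cam: Dict[str, Set[str]] = field(default_factory=dict)
    snooping: bool = False
    # Learned by IGMP snooping: group MAC -> ports on which a membership report was seen.
    members: Dict[str, Set[str]] = field(default_factory=dict)

    def snoop_join(self, group_mac: str, port: str) -> None:
        """Record an IGMP membership report seen on `port` (only when snooping is on)."""
        if self.snooping:
            self.members.setdefault(group_mac, set()).add(port)

    def egress(self, dst_mac: str, ingress: str) -> Set[str]:
        """Ports a frame for dst_mac arriving on `ingress` is sent out of."""
        others = self.ports - {ingress}
        if dst_mac in self.static_cam:                 # a permanent entry wins
            return self.static_cam[dst_mac] & others
        if self.snooping and is_multicast(dst_mac) and dst_mac in self.members:
            return self.members[dst_mac] & others        # only ports that joined
        # Default: flood. In this model a snooping switch also floods a group
        # for which it has seen no join (assumption; platforms differ here).
        return others


def build(static_sw1=False, static_sw2=False, snooping=False, joins=False):
    """Two core switches joined by a trunk; the firewall cluster hangs off SW1."""
    sw1 = Switch("SW1", {"fw1", "fw2", "host-a", "trunk"}, snooping=snooping)
    sw2 = Switch("SW2", {"host-b", "host-c", "trunk"}, snooping=snooping)
    if static_sw1:
        sw1.static_cam[CLUSTER_MAC] = {"fw1", "fw2"}      # the vendor-recommended binding
    if static_sw2:
        sw2.static_cam[CLUSTER_MAC] = {"trunk"}           # the binding the customer asks about
    if joins:
        # Each cluster member reports membership on its own port; SW1 relays the
        # report over the trunk, where SW2 snoops it and records the trunk as a member.
        for port in ("fw1", "fw2"):
            sw1.snoop_join(CLUSTER_MAC, port)
        sw2.snoop_join(CLUSTER_MAC, "trunk")
    return sw1, sw2


def deliver(sw1: Switch, sw2: Switch, src_port: str = "host-b") -> Dict[str, list]:
    """Trace one frame from a host on SW2, addressed to the cluster MAC, through both switches."""
    out2 = sw2.egress(CLUSTER_MAC, src_port)
    out1 = sw1.egress(CLUSTER_MAC, "trunk") if "trunk" in out2 else set()
    return {"SW2": sorted(out2), "SW1": sorted(out1)}


def scenarios() -> Dict[str, Dict[str, list]]:
    return {
        "default flooding": deliver(*build()),
        "permanent CAM on SW1 only": deliver(*build(static_sw1=True)),
        "permanent CAM on both switches": deliver(*build(static_sw1=True, static_sw2=True)),
        "IGMP snooping, no joins sent": deliver(*build(snooping=True)),
        "IGMP snooping with joins": deliver(*build(snooping=True, joins=True)),
    }


if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label:32} SW2 -> {result['SW2']}  SW1 -> {result['SW1']}")
```

Running it shows the symptom from the thread: with the permanent entry on SW1 only, SW2 still sends the frame to every one of its ports, because SW2 has nothing in its own table for that MAC. A second entry on SW2 pointing at the trunk, or IGMP snooping on both switches, confines the frame to the trunk; snooping alone does nothing in the model unless the cluster members actually send joins, which is the caveat raised above.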

> 
> l0stbyte
> 
> Priscilla Oppenheimer wrote:
> 
> > Can you help us understand the situation better? Thanks.
> > See some questions inline.
> >
> > l0stbyte wrote:
> >
> > > Hitesh Pathak R wrote:
> > >
> > > > Dear Group,
> > > >
> > > > Need your help in setting up the following :-
> > > >
> > > > SETUP :- There are 2 core switches SW1 & Sw2 (connected back to back
> > > > with both the SUP GE ports Fiber uplink (Channeled and trunk). On one
> > > > of the switches (SW1) I have 2 firewalls connected in cluster mode. For
> > > > this clustered firewall I have bound the multicast mac address on the
> > > > switch SW1 as the recommended method by the firewall vendor by the
> > > > command (set cam permanent).
> >
> > On SW1, you have a permanent cam entry for the multicast address used by
> > the firewall cluster? Why? How is that permanent entry used and why is it
> > necessary? Sorry if this is a stupid question, but I think it will help us
> > understand what you are trying to accomplish.
> >
> > > > Now the problem faced here is since they have only bound the mac
> > > > address to 2 ports on SW1 (switch one ONLY) there seems to be some
> > > > multicast packets flooding on my second core switch SW2 for that
> > > > multicast address.
> >
> > Switches flood multicasts by default. So it makes sense that the multicast
> > is flowing over to SW2 also.
> >
> > > > The customer wants to stop this broadcast from happening on 2nd switch
> > > > SW2 and hence wants to bind the same multicast mac address on the 2nd
> > > > Switch with the trunk ports going to SW1 from SW2.
> >
> > The multicast will come across the trunk, so you should be able to put a
> > permanent cam entry mapping the multicast address to the trunk port. But
> > what problem will that solve? Are you trying to stop the multicast from
> > flowing out the other ports on SW2? How does a permanent cam entry help
> > with that?
> >
> > Maybe you should look into CGMP or IGMP snooping. They can stop multicasts
> > on switches, if the applications send IGMP joins.
> >
> > Anyone else have any suggestions or understand his situation?
> >
> > Priscilla
> >
> > > > Has anybody faced similar situation?? Is this configuration
> > > > supported. Can I bind the cam entry to my trunk port on the SW2 as
> > > > well with the same multicast mac address??
> > > >
> > > > Many thanks in advance.
> > > >
> > > > Thanks
> > > > Hitesh
> > > is it a checkpoint FWs cluster?

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60259&t=60235
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]