The Catalyst 2970 most likely will work; however, you may need to upgrade to the Enhanced IOS image to support static MAC entries for multicast addresses.

As for the cheap switches, I'm not sure. It depends on a couple of things:

1. If they recognise multicast MAC addresses (They all start with 01-00-5e)
2. What they do with them!

If the switch doesn't recognise or care about multicast MAC addresses, it may bind the MAC to one port and one port only, effectively breaking load balancing.

If the switch *does* know about multicast MAC addresses, the only way it would work is if it treated those in the same way it treats the broadcast MAC address (ff-ff-ff-ff-ff), and forwarded these to every switch port. Of course, this effectively makes the switch a hub, which you probably don't really want.

Personally, I would save the potential disasters and go straight to configurable switches such as the Cisco that can be *told* what to do, for every firewall interface.

Here's a quick summary of everything you will need to do to make multicast load-sharing with ClusterXL work:

On the Switches
--------------------------------
mac address-table static 01:00:5e:xx:xx vlan XX interface fa1/0/XX fa1/0/XX
(this lists both the ports that the firewall connects to)

On any routers which the firewalls talk to:
-------------------------------------------------------------
arp <Firewall Load Balanced IP Address> <Multicast MAC Address> arpa

Do *not* stuff up the ARP address on the routers. I have been there, twice, at 2am for a big customer and the bizarre things that happen will blow your mind. None of these bizarre things point to you having stuffed the ARP entry on the router either, so you can chase your tail for days.

Have fun,

Ed Luck, GCFW (Hons)
Senior Security Engineer
Dimension Data Australia

On 9/14/05, Meyers, Duncan <[EMAIL PROTECTED]> wrote:
>
> I am in the throes of setting up ClusterXL on two SecurePlatform boxes. I
> went looking for a list of switches at Checkpoint's support site that will
> support load sharing multicast mode - but that requires a support contract
> :-(
>
> Can anyone tell me if a Cisco Cat 2970 will work? I suspect it will, but
> no harm in checking...
>
> Also, will multicast mode work with something like a Linksys SD208 or
> Netgear FS608 (for the insecure side of the cluster)? The router to the 'net
> is a Cisco 1841. Is this OK?
>
> Thanks,
>
> Duncan
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
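
Added example (not part of the original thread, and not Check Point or Cisco code): a pre-change check that cross-references the router's static ARP lines against the switch's static MAC lines, since a mistyped MAC on the router is the failure the reply warns about. The sample configs, IP addresses, MAC values and function names are constructed for illustration; Cisco dotted MAC notation is assumed alongside the colon and dash forms.

```python
import re

# Constructed sample configs (hypothetical values, not from the thread).
SWITCH_CFG = """\
mac address-table static 0100.5e28.0a64 vlan 10 interface Fa1/0/1 Fa1/0/2
mac address-table static 0100.5e28.2864 vlan 30 interface Fa1/0/5
"""
ROUTER_CFG = """\
arp 192.0.2.100 0100.5e28.0a64 arpa
arp 198.51.100.100 0100.5e28.1446 arpa
arp 203.0.113.100 0200.5e28.1e64 arpa
arp 192.0.2.200 0100.5e28.2864 arpa
"""

def norm_mac(text):
    """Return 12 lowercase hex digits for colon, dash or dotted notation, else None."""
    digits = re.sub(r"[.:\-]", "", text).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def switch_entries(cfg):
    """Map normalized MAC -> list of ports from static MAC address-table lines."""
    pat = re.compile(
        r"^mac[ -]address-table static (\S+) vlan \d+ interface (.+)$", re.M)
    return {norm_mac(mac): ports.split() for mac, ports in pat.findall(cfg)}

def audit(switch_cfg, router_cfg, min_ports=2):
    """Return (ip, problem) findings for each router static ARP entry."""
    sw = switch_entries(switch_cfg)
    findings = []
    for ip, mac in re.findall(r"^arp (\S+) (\S+) arpa$", router_cfg, re.M):
        m = norm_mac(mac)
        if m is None or not m.startswith("01005e"):
            findings.append((ip, "MAC does not start with 01-00-5e"))
        elif m not in sw:
            findings.append((ip, "no matching static MAC entry on the switch"))
        elif len(sw[m]) < min_ports:
            # One port only would pin cluster traffic to a single firewall.
            findings.append((ip, "switch entry lists fewer than %d ports" % min_ports))
    return findings

if __name__ == "__main__":
    for ip, problem in audit(SWITCH_CFG, ROUTER_CFG):
        print("%-16s %s" % (ip, problem))
```
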
