Cluster XL Multicast configuration Catalyst 6500 IOS

[ramoni]

Hi,

We are having some internal discussions about how to setup the cluster xl on NG FP3 and Catalyst 6500 with IOS. Does anyone run with this configuration? As long as I know from previous experience with Stonebeat, the syntax should be to put incoming port and then outgoing ports. For example, two nodes conected on Catalyst IOS switch on ports 4/1 and 4/2 and router on 4/3 should be:

mac-address-table static 01:00:5e:xx:xx:xx FE4/3 FE4/1 FE 4/2

If runing each node on a catalyst with a trunk port 1/1, nodes on 4/1 and routers on 4/5 should be:

Switch1: mac-address-table static 01:00:5e:xx:xx:xx FE4/5 FE4/1 G1/1
Switch2: mac-address-table static 01:00:5e:xx:xx:xx FE4/5 FE4/1 G1/1

I have not found any good documentation on this issue on all the resources I searched through (Checkpoint Knowledge Base, StoneBeat, CPUG, ...). If you have some, I would appreciate it.

Kind Regards,

Ramon Izaguirre

[maurox]

Try to see on this site ( the documents are for stonebeat but the configuration on the switch is the same).
Maurox

http://www.stonesoft.com/support/StoneBeat/?id=1169

[FERappel]

Check "Troubleshoot Interface Flapping" thread.

[bryancromwell]

Old thead but...

Add to the cisco:

arp 10.1.1.1 01:00:5e:a3:98 arpa (10.1.1.1 Being your FW Vip) #
This sends the multicast taffic to the unicast vip

int vlan 173
no igmp snooping # Cisco IGMP snooping see's
CP multicast as invalid and drops the packet.


This is required to Multicast LS, Also make sure you do a cphaconf set_ccp
broadcast on both firewalls. Multicast sync cause random failovers when
using cisco switchs (We run 6513's) . Last thing, upgrading to NGX R60 took
care of a few LS issues in our enviroment. If you need anymore info let me
know.

[l0wkey]

IGMP Snooping was supposed to be fixed in NGX HFA04, has any one confirmed this?

[kva.kva]

From release notes and SK -
http://secureknowledge.checkpoint.co....do?id=sk31934 - in HFA04 problem with IGMP was fixed.
Useful configuration doc - http://updates.checkpoint.com/filese...P_Snooping.pdf

[l0wkey]

Has anyone actually TRIED it though without turning off IGMP snooping in IOS? Just curious =)

[_d3nx]

disabling igmp snooping causes to flood the multicast traffic to all switch port. In this case switch behaves like hub for multicast traffic. It decreases performance of switch and security.

Here are my multicast setup on cisco 6500.

mac-address-table static 0100.5e58.28a1 vlan 101 interface GigabitEthernet1/2 Port-channel1
mac-address-table static 0100.5e58.28b1 vlan 102 interface GigabitEthernet1/8 Port-channel1
mac-address-table static 0100.5e58.28c1 vlan 103 interface GigabitEthernet1/11 Port-channel1

Since I have redundant switches, i have also added Port-Channel into command.

[jvalenzuela]

Quote:

Originally Posted by maurox

Try to see on this site ( the documents are for stonebeat but the configuration on the switch is the same).
Maurox

http://www.stonesoft.com/support/StoneBeat/?id=1169

Ehmm...Mauro....the link is not available. Don't you have another link?

Thanks

jorge

[hornsan]

Hi,

I have a ClusterXL problem here. I am using ClusterXL New Mode as well. When i bring down the FW1, FW2 takes over, but the Internet connection failed. We are using Cisco 6500 series (4-ports layer 2 VLAN created for this external subnet). According to CheckPoint, this mode is running on Unicast, we SHOULD NOT worry about the MULTICAST IGMP. Do i need to create the manual ARP??

The same solution works well in Cisco 4500 series switch.

Any idea?? please help.

[b0h3m3]

Quote:

Originally Posted by kva.kva

From release notes and SK -
http://secureknowledge.checkpoint.co....do?id=sk31934 - in HFA04 problem with IGMP was fixed.
Useful configuration doc - Check Point Software Technologies: Download Center

Thanks very kva.kva. That's exactly what I was looking for.