converting a multicast mac to a unicast mac

jfarrer · ‎06-11-2006

We have an extranet segment on our network that connects to several customer networks to allow secure access to our resourses. These routers are not managed by us. We are upgrading our firewalls (checkpoint running in load balancing mode) to a Checkpoint HVA pair. I was not around when the first pair were put in, but apparently, a static arp entry needed to be put in each of our 3rd party routers that mapped the VIP IP address on the firewalls to a multicast mac address that the firewalls would respond to. In the HVA configuration, the need for this goes away. My problem is the inability to get the static arp entries out of all of the 3rd party routers at the same time. This will be something that will have to happen over a few weeks. Keeping in mind that I have several NAT addresses on the firewall, is there a way to convert the multicast mac address being used by the 3rd party routers to the unicast mac address in use by the VIP on the firewalls.

Thanks,

Jack

david.bradley · ‎06-12-2006

So presumably the 3rd party routers ARPd for the firewall VIP mac, the firewall responded and there was a problem so there had to be a static arp entry... and this was a multicast mac address 0x0100.5E...etc..? seems strange, why do you think this had to be a multicast mac address?

If you can't control the 3rd party routers I think you're going to struggle.

jfarrer · ‎06-12-2006

I wasn't around when the first firewalls were set up, but this is what I have been told. I have put up a sniffer and watched traffic going to several of my NAT addresses and they are using a multicast mac as the destination mac.

jfarrer · ‎06-23-2006

I finally got it working. What I did was install another router on the segment and used a 'multicast helper' command to forward traffic going to the multicast MAC to the new firewalls.