Re: Multicast config with Checkpoint HA Cluster

todd.adamson · ‎04-04-2005

I am relatively new to multicasting, so bear with me. We have a client that has a pair of Checkpoint firewalls running in a HA cluster mode. It has been configured with a multicast mac address on each shared IP address. If we set the default gateway on our machines to point directly to the checkpoint, traffic goes through just fine. If we have to cross a router, it fails. We apparently need to setup something on the router for it to recognize the multicast mac address of the cluster, but I feel confused by it all. A rough diagram looks as such:

192.168.22.0 segment

|

(192.168.22.1)

Cisco Router

(10.0.0.1)

|

(10.0.0.10 - Cluster IP w/ multicast mac)

Checkpoint firewall

I think all I need is to turn on multicast-routing and ip pim dense mode on the interface, but I could be very wrong.

What am I missing here? All of the documentation that I have read so far uses a multicast IP address also. That isn't the case here. Does it make a differance?

Todd

alagrawa · ‎04-05-2005

Hi Todd,

Thanks for writing in.

Cisco adheres to RFC1812, "Requirements for IP Version 4 Routers," which states ...

"A router MUST not believe any ARP reply that claims that the Link Layer address of another host

or router is a broadcast or multicast address."

If the solution (Firewalls, Load-Balancers, etc.) requires the router to send packets to a Layer 3 unicast IP address using a Layer 2 multicast MAC address...the router must be configured with a static ARP entry.

Hence, you need to configure a static arp entry on the cisco router to map the checkpoint cluster ip to the multicast mac address.

arp 10.0.0.10 0100.1234.1234 arpa

where 0100.1234.1234 is the multicast mac address.

Please try this and let us know if it works.

regards

-Alok