multicast, hsrp, switching

ntra1 (Level 1)

hi all

We have 2 Cisco 4006s with WS-X4232-L3 route modules in them for switch and router redundancy; each switch also has a firewall attached to it for redundancy. The route modules are configured to load balance VLANs between the two. The firewall has a virtual IP address, for which we've added a cam statement to the switches and also an arp entry on the route modules. We have a problem where, when one firewall goes down, the route module that is doing the routing for the firewall that is offline will not route the data to the virtual IP address of the firewall, i.e. if FW1 dies, VLANs routed on sw1 will not be able to reach FW2. FYI the firewalls are a StoneBeat cluster, all routes point to the virtual IP address, and the cam statement includes the port to which the firewalls are attached and also the trunk port connecting the two switches. Any ideas as to what may be wrong?

Sw1 X
4006 I_I-------- FW1
        |
hsrp    |  virtual IP address
        |
Sw2 X
4006 I_I---------FW2

3 Replies

bradwong (Level 1)

Can you provide us some extra info here - the Virtual Address of the Stonebeat cluster is this a unicast IP address using a multicast MAC? I know stonebeat supports this for load balancing/redundancy, but I am not sure if this is how you have set this up.

We are using a multicast MAC address; below are the relevant configs of the route modules and the switches.

On the switches we have placed a cam permanent statement for the trunk port connecting to the other switch and also for the port to which one of the firewalls is connected.

LDC-PRIMARY-4006> (enable) sho cam permanent
* = Static Entry. + = Permanent Entry. # = System Entry. R = Router Entry.
X = Port Security Entry
VLAN Dest MAC/Route Des [CoS] Destination Ports or VCs / [Protocol Type]
---- ------------------ ----- -------------------------------------------
69 01-00-5e-7c-02-02 + 1/2,2/12
Total Matching CAM Entries Displayed = 1

LDC-SECONDARY-4006> (enable) sho cam perm
* = Static Entry. + = Permanent Entry. # = System Entry. R = Router Entry.
X = Port Security Entry
VLAN Dest MAC/Route Des [CoS] Destination Ports or VCs / [Protocol Type]
---- ------------------ ----- -------------------------------------------
69 01-00-5e-7c-02-02 + 1/2,2/12
Total Matching CAM Entries Displayed = 1

The route modules are running HSRP, and we've added an arp entry for the multicast MAC address of the firewalls. All routes point to the virtual address of the firewalls.

On the primary:

!
interface Port-channel1.69
 description *** 'Internal' DMZ. LDC 69 VLAN ***
 encapsulation dot1Q 69
 ip address 203.14.69.2 255.255.255.224
 ip access-group 110 in
 no ip redirects
 no ip directed-broadcast
 ip accounting output-packets
 standby 69 priority 140 preempt
 standby 69 ip 203.14.69.1
!
arp 203.14.69.17 0100.5e7c.0202 ARPA

On the secondary:

!
interface Port-channel1.69
 description *** 'Internal' DMZ. LDC 69 VLAN ***
 encapsulation dot1Q 69
 ip address 203.14.69.3 255.255.255.224
 no ip redirects
 no ip directed-broadcast
 ip accounting output-packets
 standby 69 priority 130 preempt
 standby 69 ip 203.14.69.1
!
arp 203.14.69.17 0100.5e7c.0202 ARPA
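The setup above depends on three things lining up: the static ARP on each route module must point the cluster IP at an IPv4 multicast MAC, that MAC must have a permanent CAM entry in the same VLAN on both switches, and that entry must list both the firewall port and the inter-switch trunk, or the traffic has nowhere to go once the local firewall dies. The script below is an added example (not from the thread or from Cisco) that parses the "sho cam permanent" output and the route-module lines exactly as posted and reports any of those mismatches. The sample text is copied from the posts; the port roles (2/12 as the firewall port, 1/2 as the trunk) and the hostnames are assumptions made for the example. It checks that the configuration is self-consistent, which is a different question from whether the switch actually honours the entry at runtime.

```python
import ipaddress
import re

# Constructed sample input, copied from the thread's own "sho cam permanent"
# output. Both switches posted the same entry.
CAM_PRIMARY = """\
* = Static Entry. + = Permanent Entry. # = System Entry. R = Router Entry.
X = Port Security Entry
VLAN Dest MAC/Route Des [CoS] Destination Ports or VCs / [Protocol Type]
---- ------------------ ----- -------------------------------------------
69 01-00-5e-7c-02-02 + 1/2,2/12
Total Matching CAM Entries Displayed = 1
"""
CAM_SECONDARY = CAM_PRIMARY

# Constructed sample input: the lines from the posted route-module configs
# that matter for this check.
RM_PRIMARY = """\
interface Port-channel1.69
 encapsulation dot1Q 69
 ip address 203.14.69.2 255.255.255.224
 standby 69 ip 203.14.69.1
!
arp 203.14.69.17 0100.5e7c.0202 ARPA
"""
RM_SECONDARY = """\
interface Port-channel1.69
 encapsulation dot1Q 69
 ip address 203.14.69.3 255.255.255.224
 standby 69 ip 203.14.69.1
!
arp 203.14.69.17 0100.5e7c.0202 ARPA
"""

# Assumption for the example: 1/2 is the inter-switch trunk, 2/12 the firewall port.
REQUIRED_PORTS = {"1/2", "2/12"}

CAM_RE = re.compile(r"^(\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+([*+#RX])\s+(\S+)", re.I)
ARP_RE = re.compile(r"^arp\s+(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f.]{14})\s+ARPA$", re.I)
IP_RE = re.compile(r"^ip address (\S+) (\S+)$")


def mac_hex(mac: str) -> str:
    """Normalise 01-00-5e-7c-02-02 (CatOS) and 0100.5e7c.0202 (IOS) to 01005e7c0202."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def parse_cam(text: str) -> dict:
    """Map (vlan, mac) -> set of ports for every permanent (+) entry in the output."""
    entries = {}
    for line in text.splitlines():
        m = CAM_RE.match(line.strip())
        if m and m.group(3) == "+":
            entries[(int(m.group(1)), mac_hex(m.group(2)))] = set(m.group(4).split(","))
    return entries


def parse_route_module(text: str):
    """Return the interface's network and a dict of static ARP entries (ip -> mac)."""
    network, arps = None, {}
    for line in text.splitlines():
        line = line.strip()
        m = IP_RE.match(line)
        if m:
            network = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
        m = ARP_RE.match(line)
        if m:
            arps[m.group(1)] = mac_hex(m.group(2))
    return network, arps


def is_ipv4_multicast_mac(mac: str) -> bool:
    """IPv4 multicast MACs occupy 01-00-5e-00-00-00 .. 01-00-5e-7f-ff-ff."""
    return mac.startswith("01005e") and int(mac[6:8], 16) < 0x80


def audit(vlan: int, cams: dict, route_modules: dict, required_ports: set) -> list:
    """Return findings as strings; an empty list means ARP and CAM plumbing agree."""
    findings, arp_sets = [], []
    for name, text in route_modules.items():
        network, arps = parse_route_module(text)
        for ip, mac in arps.items():
            if not is_ipv4_multicast_mac(mac):
                findings.append(f"{name}: ARP {ip} -> {mac} is not an IPv4 multicast MAC")
            if network is not None and ipaddress.ip_address(ip) not in network:
                findings.append(f"{name}: ARP {ip} is outside {network}")
            for switch, cam in cams.items():
                ports = cam.get((vlan, mac))
                if ports is None:
                    findings.append(f"{switch}: no permanent CAM entry for {mac} in VLAN {vlan}")
                elif not required_ports <= ports:
                    missing = sorted(required_ports - ports)
                    findings.append(f"{switch}: CAM entry for {mac} misses ports {missing}")
        arp_sets.append(frozenset(arps.items()))
    if len(set(arp_sets)) > 1:
        findings.append("route modules disagree on static ARP entries")
    return findings


if __name__ == "__main__":
    cams = {"LDC-PRIMARY-4006": parse_cam(CAM_PRIMARY),
            "LDC-SECONDARY-4006": parse_cam(CAM_SECONDARY)}
    rms = {"primary": RM_PRIMARY, "secondary": RM_SECONDARY}
    for finding in audit(69, cams, rms, REQUIRED_PORTS) or ["configuration is consistent"]:
        print(finding)
```

Run against the posted configuration it reports nothing, which is the point: the intent is consistent, so the fault lies in how the switch applies the permanent entry rather than in a typo. Drop one port from a CAM entry or change the ARP MAC on one route module and the corresponding finding appears.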

We've encountered similar symptoms with using "cam permanent" and StoneBeat firewalls with a multicast MAC for their cluster IP. We have 2 CAT4006 switches with SUP-II modules WS-X4013 running CatOS 6.3(5). While testing firewall fail-over capabilities, we noticed that the switches don't forward Ethernet packets as specified by the "cam permanent" configurations. As soon as we "clear cam permanent", the connectivity resumes. Our work-around is therefore not to use the "cam permanent" commands, which means, unfortunately, that all traffic sent to the StoneBeat cluster IP is multicast to every port on that VLAN. But hey; better a little too much traffic than none at all!