03-13-2011 12:23 PM
Hi guys, I have a question: I replaced an HP2626 Layer 3 switch with an SG 300-20, which is also configured to act as a Layer 3 switch.
Now I have two issues, and maybe I'm just too blind to see the solution, but at the moment it's driving me nuts.
1. Behind the switch are 2 Microsoft Forefront firewalls behind tagged ports acting as a load balancer/failover. They have a common IP working over IGMP multicast, which is not reachable.
2. If I do a traceroute, for example to the headquarters, the first hop, the SG 300-20, is not shown.
1 * * * Zeitüberschreitung der Anforderung.
2 <1 ms <1 ms * 10.127.199.21
3 27 ms 26 ms 26 ms 10.127.198.3
4 27 ms 28 ms 27 ms 10.127.201.114
If I change the Microsoft Forefront firewall to work over unicast, all the problems nearly disappear. Traceroutes to the company work and the load-balanced IP is reachable, but the performance of the Forefronts is not usable, with timeouts over and over again; that's why we were using IGMP multicast before.
Also, over unicast the IP of the SG 300-20 is shown in the traceroute.
Thanks for your help.
Regards
Martin
03-13-2011 08:22 PM
Hello,
Unicast works and mcast does not ... hummm.
When you say mcast does not work, does this mean that one side will not see the other side when using mcast? Meaning that the messages are not getting from one device to the other?
You have a L3 boundary between the two firewalls? You also mentioned they are tagged ports ... are you running multiple vlans to each firewall?
I am not sure I understand your setup and how you have implemented lb.
Any chance you can have a single vlan in which both firewalls reside?
What is the lb protocol? VRRP?
Many thanks,
Andrew Lissitz
03-14-2011 03:09 AM
Yes, when mcast is enabled they cannot see each other and no messages are sent. Yes, we are running multiple VLANs to the firewall. Also, the firewalls are virtual machines; that's why we are using VLANs. Both sit on Citrix XenServers. As a load-balancing setup, it's the basic Windows 2008 load-balancing technique; I'm not quite sure which technique and protocol they are using.
03-13-2011 11:19 PM
Hello Martin,
Did you configure both ports connecting to the Microsoft Firewall(s) as a LAG (link aggregation)? This could be the issue here.
I would suggest to try configuring these ports as a LAG and also verify the multicast filtering settings.
Best regards,
Nico Muselle
Sr. Network Engineer - CCNA
03-14-2011 03:55 AM
If I configure LAG, it makes no difference.
Is multicast filtering enabled by default?
Regards
Martin
03-16-2011 07:52 AM
Sorry for the delay in my response.
It sounds a bit that you are crossing L3 boundaries ...
When unicast works, what unicast addresses do you use? Same subnet or different?
You have me intrigued to say the least. Can you email me your contact info and perhaps a quick call? Not sure if this would work, as I am just outside of NYC.
Thanks
Andrew
03-16-2011 07:55 AM
I'm in Germany, but this should be no problem. Just tell me where to send the details.
03-16-2011 08:18 AM
Wowsers!
I loved Germany, cannot wait to go back one day. I sent you a PM, but I may not be the right resource for you since we are in such different timezones.
Hummm .. the contact support numbers can be found here:
http://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html
Can you confirm if you have different vlans and intervlan routing running? Mcast on the same vlan is no problem, however when you want to route the mcast messages, then this becomes more of a config. Do please let me know.
Andrew
03-16-2011 03:54 PM
Hello Wonderful Community,
Martin and I are working this offline ... and will post an answer once we make some progress.
All suggestions are appreciated, however stay tuned and a solution will soon be posted.
Many thanks,
Andrew Lee Lissitz