Hi Team -
I am working on a project where the engineering group is looking at deploying a pair of Nexus 6001 devices at the Aggregation Layer and a pair of Checkpoint 4800 firewalls in a ClusterXL configuration, wherein the FWs' Active/Active mode (aka Load Sharing Multicast in the default config) passes 'keep alive / state' communication via multicast. The potential case for dropped communication between the L2 switches and the Checkpoint Cluster occurs where the proprietary keepalive packets might get dropped because the L2 switch won't pass the packets sent to the multicast MAC address, since it can't match the dest IP to an IGMP group (IGMP membership is disabled by default on CP 4800 firewalls running R76) -- packets get dropped, and the cluster gets triggered into a potential incorrect failover, throwing warnings, etc.
There is a recommendation of disabling IGMP snooping on the ports/VLAN connected to the Checkpoint Cluster members. Doing this globally on the Nexus will apparently disable it on all VLANs, but apparently it can be done on a per-VLAN basis:
http://www.cisco.com/en/US/docs/switches/datacenter/nexus6000/sw/layer2/6x/b_6k_Layer2_Config_602N12_chapter_01011.html
There is also a recommendation of entering static multicast MAC entries so the switches know where to pass the packets, since the IGMP query timers will expire. However, in the L2 config guide for the Nexus 6K, I don't see anything about adding static multicast MAC entries:
http://www.cisco.com/en/US/docs/switches/datacenter/nexus6000/sw/layer2/6x/b_6k_Layer2_Config_602N12_chapter_01010.html
I don't have a lot of experience with IGMP, but something tells me that disabling this on the Nexus ports leading to the CP FW Cluster is a bad idea.
I also don't like the idea of having to add these static multicast MAC entries either.
Anyone have any thoughts on this?
Let me know if I need to clarify on anything.
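The IP-to-MAC mapping behind the problem described above, as an added example (not code from this post, Cisco or Check Point): it derives the 01:00:5e MAC that a static entry would need, lists the 32 groups that share that MAC, and mirrors the "is the destination MAC known" check the post describes. The group address 239.1.1.1 is a constructed sample, not the cluster's real address, and `has_forwarding_entry` is a hypothetical helper, not NX-OS logic.

```python
import ipaddress

# Constructed sample: a hypothetical group address for the cluster's
# multicast keep-alive traffic, NOT taken from Check Point documentation.
SAMPLE_GROUP = "239.1.1.1"


def multicast_mac(group: str) -> str:
    """Map an IPv4 multicast group to its IEEE 802 MAC (RFC 1112):
    01:00:5e followed by the low 23 bits of the group address,
    returned in the dotted-hex form NX-OS shows in the MAC table."""
    ip = ipaddress.IPv4Address(group)
    if not ip.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    low23 = int(ip) & 0x7FFFFF
    return "0100.5e%02x.%04x" % (low23 >> 16, low23 & 0xFFFF)


def colliding_groups(group: str) -> list:
    """All 32 IPv4 groups that share this group's MAC: the five address
    bits (23..27) that the mapping discards are free to vary."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (k << 23) | low23))
            for k in range(32)]


def has_forwarding_entry(group: str, igmp_groups: set, static_macs: set) -> bool:
    """Mirror the check described in the post: with snooping on, the switch
    forwards a multicast frame to host ports only if the destination MAC is
    known, either learned from IGMP reports or entered statically."""
    mac = multicast_mac(group)
    learned = {multicast_mac(g) for g in igmp_groups}
    return mac in learned or mac in static_macs


if __name__ == "__main__":
    print(multicast_mac(SAMPLE_GROUP))  # 0100.5e01.0101
    # No IGMP membership from the cluster members and no static entry:
    print(has_forwarding_entry(SAMPLE_GROUP, set(), set()))  # False
    # A static MAC entry compensates for the missing IGMP report:
    print(has_forwarding_entry(SAMPLE_GROUP, set(),
                               {multicast_mac(SAMPLE_GROUP)}))  # True
```

Note that because 32 group addresses collide on one MAC, a static entry for the cluster's MAC also forwards any other group that maps to it on that VLAN.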