Multicast packets - where are they coming from?

greggyd
Level 1

Hi all - got an odd question as I've reached the limit of my multicast knowledge. I recently set up a new VLAN on our core switch (Cat9300 with routing enabled), which has an inbound ACL applied to it blocking anything except from specific allowed hosts. The ACL is working fine, but I noticed that it immediately started denying some strange multicast packets trying to get to a non-existent IP address.

Packets are coming from 224.0.0.18 and trying to hit a random IP in the VLAN, but nothing is using that IP address. It's not causing any major issues but does give me some cause for concern as it's really spammy and could be affecting network performance. It's also filling up my switch logs with denied packets, making it hard to see any actual denied packets.

I was wondering if there was any way to find the source of these multicast packets? I'm not aware of anything on our network that would be sending them, but aside from knowing the IP range, my multicast knowledge is unfortunately extremely limited, as I don't really ever have to work with it.

2 Accepted Solutions

Accepted Solutions

Aaaah, just looking at what VRRP is - I think this might be our Meraki MX's.... our WAN edge uses a pair of MX250's configured with a warm spare, which uses VRRP.

That'll be what's generating the traffic. Odd that it's hitting a random interface IP though.


Ok thanks for the replies, you have collectively helped me understand multicast better and figured out the issue!

It was definitely the Meraki MX250's sending out these packets from our WAN edge. Looks like a previous attempt was made to build this VLAN and someone set up a VLAN interface for it on the Meraki MX's, which is what was sending out these broadcast packets to this specific VLAN!

Found the offending interface and removed it, all solved!


8 Replies

greggyd
Level 1

I may have just answered my own question - it shows the multicast packets on the "show interfaces" command, so "show int | i line | multicast" is giving me some starting points!!

Good job!

Pulkit Mittal
Spotlight

Here, check this guide.

https://www.cisco.com/c/en/us/support/docs/ip/ip-multicast/16450-mcastguide0.html

If you find this useful, mark this helpful and accept the solution.

Harold Ritter
Level 12

Hi @greggyd ,

The multicast group 224.0.0.18 is used by VRRP. So it appears that one of your routers is configured for VRRP.

https://www.iana.org/assignments/multicast-addresses/multicast-addresses.xhtml#multicast-addresses-1

Regards, 

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

Thanks for this Harold. None of my routers are knowingly set up for this, so I'm still struggling to find what is generating this traffic.

Is there any way to trace these back to their source interface?

Hi @greggyd ,

You need to look at the source address for these multicast packets and find out which device owns that address. You could then ping that source address, check which MAC address is assigned to it, and trace it back to the port where that device is connected.

Regards,

Harold Ritter
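The tracing step discussed in this thread (finding which device sends the 224.0.0.18 traffic) comes down to reading the source addresses out of a captured frame. The following is an added example, not code from any poster or from Cisco: it assumes you have a raw Ethernet frame from a packet capture on the VLAN, decodes it using the VRRP advertisement layout from RFC 3768 / RFC 5798, and uses a constructed sample frame with documentation-range addresses.

```python
import ipaddress
import struct

VRRP_GROUP = ipaddress.IPv4Address("224.0.0.18")  # VRRP multicast group
VRRP_PROTO = 112                                   # IP protocol number of VRRP

# Constructed sample: untagged VRRPv2 advertisement, VRID 5, priority 100,
# sent by 192.0.2.2 for virtual IP 192.0.2.254 (checksums left as zero).
SAMPLE_FRAME = bytes.fromhex(
    "01005e000012" "00005e000105" "0800"            # dst MAC, src MAC, IPv4
    "45c00028" "00000000" "ff700000"                # IP header: TTL 255, proto 112
    "c0000202" "e0000012"                           # 192.0.2.2 -> 224.0.0.18
    "21056401" "00010000" "c00002fe" + "00" * 8     # VRRP header, VIP, auth data
)


def parse_vrrp(frame: bytes):
    """Return who sent an IPv4 VRRP advertisement, or None if it is not one."""
    if len(frame) < 14:
        return None
    src_mac, vlan, off = frame[6:12].hex(":"), None, 14
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == 0x8100 and len(frame) >= 18:    # 802.1Q tag: read VLAN ID
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    ip = frame[off:]
    if ethertype != 0x0800 or len(ip) < 20:
        return None
    ihl = (ip[0] & 0x0F) * 4                        # IP header length in bytes
    src, dst = (ipaddress.IPv4Address(ip[i:i + 4]) for i in (12, 16))
    vrrp = ip[ihl:]
    if ihl < 20 or ip[9] != VRRP_PROTO or dst != VRRP_GROUP or len(vrrp) < 8:
        return None
    count = vrrp[3]                                 # number of virtual IPs
    if len(vrrp) < 8 + 4 * count:
        return None                                 # truncated advertisement
    vips = [str(ipaddress.IPv4Address(vrrp[8 + 4 * i:12 + 4 * i]))
            for i in range(count)]
    return {
        "src_mac": src_mac, "vlan": vlan, "src_ip": str(src),
        "version": vrrp[0] >> 4, "vrid": vrrp[1], "priority": vrrp[2],
        "virtual_ips": vips,
        "ttl_ok": ip[8] == 255,                     # RFC: receivers drop TTL != 255
    }


if __name__ == "__main__":
    print(parse_vrrp(SAMPLE_FRAME))
```

The `src_ip` field identifies the advertising router, and `src_mac` is the value to look up in the switch MAC address table to find the port, as described in the reply above.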