Friday, April 12, 2019

Multicast-questions

Hi guys,

I am currently troubleshooting a strange problem, which I can't really grasp right now. While troubleshooting, I've got some questions concerning multicast traffic and IGMP snooping on switches.

For the sake of clarity, our internal network in this post is 172.16.0.0/16. This might be relevant later.

Our Check Point firewall cluster spams our intranet with its multicast packets. IGMP snooping is active on the Cisco core switch to which the firewalls are connected.

In order to troubleshoot that issue, I've looked at the switch, and both firewall ports got recognized and grouped with a multicast address.

CORESWITCH#sh ip igmp snooping groups
Vlan   Group        Type   Version   Port List
1      224.1.1.10   igmp   v2        Gi3/0/36, Gi4/0/36

Next, I've mirrored one of the interfaces and looked at the multicast traffic itself. After searching around on the internet and looking at mDNS broadcasts etc. with Wireshark, my understanding is that a 'proper' multicast packet looks like this (internal IP addresses and MACs are changed/randomized):

Source IP    Destination IP   Source MAC          Destination MAC
172.16.3.4   224.0.0.251      0f:1d:ef:73:d4:ab   01:00:5e:00:00:fb

So for me the proper multicast packet has a normal source IP and MAC and a multicast destination IP and MAC.

Now looking at the Check Point High Availability multicasts which are my problem, I see the following:

Source IP   Destination IP   Source MAC          Destination MAC
0.0.0.0     172.16.0.0       00:00:00:00:fe:01   01:00:5e:01:01:0a

So for me the Check Point CPHA multicast looks strange, and the problem is, it gets forwarded across our whole campus.

My next step would be to talk to our Check Point consultant and look into the 'weird' multicast packets sent by the Check Points.

My questions are:

  • Is my discovery right, that the Check Point multicasts are not real multicasts but rather broadcasts, and that they are being forwarded because of this?
  • What could I do to troubleshoot this further?

Thank you guys in advance for any help, it is much appreciated.
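Added example, not part of the original post: a Python check of whether a frame's destination MAC agrees with its destination IP under the standard IPv4 multicast mapping (01:00:5e followed by the low 23 bits of the group address), applied to the destination fields of the two packets quoted above and to the snooped group 224.1.1.10. The function names and verdict strings are illustrative choices.

```python
import ipaddress

MCAST_OUI = bytes.fromhex("01005e")  # IANA prefix for IPv4 multicast frames


def parse_mac(mac):
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ipv4_mcast_mac(group):
    """Ethernet MAC for an IPv4 group: 01:00:5e, a 0 bit, then the low 23 IP bits."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not in 224.0.0.0/4")
    return MCAST_OUI + (int(addr) & 0x7FFFFF).to_bytes(3, "big")


def classify(dst_ip, dst_mac, snooped_groups=()):
    """Return (verdict, snooped groups whose mapped MAC equals dst_mac)."""
    mac = parse_mac(dst_mac)
    hits = [g for g in snooped_groups if ipv4_mcast_mac(g) == mac]
    if mac == b"\xff" * 6:
        return "l2-broadcast", hits
    if not (mac[:3] == MCAST_OUI and mac[3] < 0x80):
        return "not-ipv4-multicast-mac", hits
    if not ipaddress.IPv4Address(dst_ip).is_multicast:
        return "multicast-mac-non-multicast-ip", hits
    if ipv4_mcast_mac(dst_ip) != mac:
        return "multicast-ip-mac-mismatch", hits
    return "consistent-multicast", hits


# Destination IP and MAC copied from the two packets in the post.
PACKETS = {
    "mDNS": ("224.0.0.251", "01:00:5e:00:00:fb"),
    "CPHA": ("172.16.0.0", "01:00:5e:01:01:0a"),
}
SNOOPED = ["224.1.1.10"]  # group from 'sh ip igmp snooping groups'

if __name__ == "__main__":
    for name, (ip, mac) in PACKETS.items():
        print(name, ip, mac, *classify(ip, mac, SNOOPED))
```

Because only 23 bits of the group address are mapped, 32 group addresses share each MAC, so a match against 224.1.1.10 identifies the MAC-level group rather than a unique IP.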


