[Solved] Cisco ME3400E "no ip igmp snooping" still master/master

  • Hi,

    my 2 pfsenses are connected to an ISP access switch Cisco ME3400E but sadly both are master.
    ISP said he disabled globaly igmp snooping he even showed me the config, still master/master.

    Any ideas what else I can check?

  • ISP called me and said: The problem occurs because the MAC address of the VIP is 00:00:5E:00:01:01 and it has to be 01:00:5E:00:01:01 that the Cisco ME3400E can forward those multicast packets.

    So, how can I change that VIP MAC?

  • LAYER 8 Netgate

    You don't.

    The CARP MAC address that is used in ARP responses for the CARP VIP address use this format: 00:00:5e:00:01:01, where the last octet is the VHID (1 in this case).

    The actual CARP advertisements are sent to this MAC address: 01:00:5e:00:00:12. That is the traffic that needs to be multicast between the nodes. If the secondary was receiving those from the primary, it would not be CARP MASTER but CARP BACKUP instead.

    It is sometimes easier to tell them you are trying to use VRRP. The multicast characteristics of the advertisements are the same and they might not freak out as much as when you say CARP.

  • I called to ISP and this is his response:
    The Cisco ME3400E is not multicast routing, because it would automatic route the traffic to ist WAN interface too.
    And as a Provider they can't allow their backbone to be flooded with multicast packets from clients.

    I have sent them a packettrace dump from the second firewall WAN interface (just CARP) and forwarded to ISP for further investigation, he replied:
    The Problem is that the source MAC is no mulicast MAC address so the Cisco ME3400E is dropping those packets.
    You should be able to change the source MAC on your firewall.


    Any idea what should I reply?

  • LAYER 8 Netgate

    Get another ISP or perhaps a different (business class?) service with them I guess. The multicast should just be on your interface with them. CARP/VRRP are standardized. You cannot change the MAC address. And even if you could it does not sound like it would make it work.

    You could also try your own outside switch then connect that to the ISP device. That should eliminate most if not all of the issues with the ISP device. They won't even have to move the CARP MAC from switchport to switchport on a failover.

  • Now I even bought the same Cisco ME3400E and built up an test environment.
    Correct me if I am wrong: pfsense doesn't join a multicast group, they send their packets as unregistred multicast.

    Because I could see two different behavior:
    .) with the ME3400E so far it doesn't work
    But if I change the ME3400E to a SG300 with the same IP and VLAN settings, it works.
    The SG300 has a option called: "unregistred multicast" and its set on all ports to forwarding. If I set it to filtering on port of slave pfsense, CARP is going to master/master.

    Example pic: alt text

  • I finally found the solution 😸 YaY
    On Cisco ME3400E the default port-type is UNI and it has to be set to NNI.

    From official Cisco config guide:

    Traffic is not switched between these ports, and all arriving traffic at UNIs or ENIs must leave on NNIs to prevent a user from gaining access to another user's private network.

Log in to reply