About VIP and SGOS

If you decide to use VIP for high availability on Blue Coat ProxySG, then you need to understand how it works. It is very similar to VRRP. That is, both units are configured to share the same IP address, and a priority is configured on each unit to define which ProxySG will be the master. They use multicast to broadcast their status.

You want to have two Blue Coat ProxySG, so you connect them to two switches so that redundancy is improved. Like so:

Both ProxySG will then send multicast packets to advise the other ProxySG that it is up and the priority is contained in the multicast packet, along with the IP address of the VIP and so on. If you are going to have multiple VIPs in a single Layer 2 LAN segment, make sure you use different multicast addresses for each VIP cluster. Note also you can have some interesting design opportunities using three or four VIP per ProxySG for a active/active/backup design (maybe an article for another day, leave a comment if you are interested.).

Because you are using IP Multicast (2) your switch must be able to handle IP Multicast. There are two ways for a switch to handle IP Multicast, one is broadcast it to every port like a hub would, or to use Internet Group Multicast Protocol (IGMP). When broadcasting to every port, every host on that broadcast segment has to listen to the packets, receive into the IP buffer and read them before discarding the information.

This causes significant CPU cycles to be lost to unwanted traffic flows. IGMP is protocol that is enabled on the switch that monitors multicast packet for certain information and decides whether to enable or disable the multicast flows on switch ports. To join a Multicast flow the host or endpoint will issue an IGMP join message for a given IP address, the switch will record this and any responses from other hosts and make sure that those ports will not be closed for that Multicast IP address. After some time, other ports that do not request to be part of the Multicast address will have the Multicast traffic for that address blocked. (3)

By default, Cisco switches have IGMP enabled (4) and they will build an IGMP snooping table for all ports on the switch. Consider the following diagram:

• Step 1 – both ProxySG issue a IGMP membership to their switches
• Step 2 – switches record membership of the multicast group

What the Cisco switches do not do is notify their neighbour that they should forward the multicast traffic between SW1 and SW2. Which is exactly NOT what you would expect. The IGMP packets have been terminated by the switch and not forwarded. As a result, multicast traffic is not forwarded between the switches.

When using Blue Coat ProxySG you will know you have this problem because both VIPs will show as master.

Cisco switches need a Multicast router (mrouter)

The best solution to this problem is to setup a IOS device somewhere as Multicast router. When the switch gets an IGMP report it will then relay the notification to the mrouter. The mrouter will then send IGMP messages that notify all switches about their Multicast group membership and everything will be well.

Sample IOS configuration

interface Vlan1
ip address 198.18.1.10 255.255.255.0
ip pim sparse-dense-mode
end

Switch1#show ip igmp snooping mrouter
vlan ports
—–+—————————————-
1 Router

Use MPLS VRF to create a Multicast only interface

Use an MPLS VRF to create a completely isolated IP interface and enable IP on that interface.

!
!enable multicast routing
!
ip multicast-routing
!
!this creates a standalone vrf
!
ip vrf proxy
rd 100:104
!
!now create an interface that is in the VLAN that the ProxySG are using.
!
interface Vlan3502
ip add 198.18.1.1 255.255.255.0
ip vrf forwarding proxy
ip pim sparse-dense-mode
!

Enable IGMP Querier Feature on a Layer 2 Catalyst Switch

From the Cisco web site

“IGMP querier is a relatively new feature on Layer 2 switches. When a network/VLAN does not have a router that can take on the multicast router role and provide the mrouter discovery on the switches, you can turn on the IGMP querier feature. The feature allows the Layer 2 switch to proxy for a multicast router and send out periodic IGMP queries in that network. This action causes the switch to consider itself an mrouter port. The remaining switches in the network simply define their respective mrouter ports as the interface on which they received this IGMP query.”

Switch2(config)#ip igmp snooping querier

Switch2#show ip igmp snooping querier
Vlan IP Address IGMP Version Port
————————————————————-
1 1.1.1.2 v2 Switch

I don’t want to use Multicast.

If you have some passionate gripe about not enabling Multicast on a single interface, you can create static ARP entries for the Multicast MAC address on every switch that is in the data patch. If you have multiple data paths, remember to configure that on every switch in all possible data paths.(5)(6).

I would only recommend this in small networks.

Switch1(config)#mac-address-table static 0100.5e6f.efef vlan 1 interface gigabitethernet 2/46 gigabitethernet 2/48

!— Note: This command should be on one line.

Switch1#show mac-address-table multicast vlan 1

vlan mac address type learn qos ports
—–+—————+——–+—–+—+——————————–
1 0100.5e18.010a static Yes – Gi2/46,Gi2/48

Switch2(config)#mac-address-table static 0100.5e18.010a vlan 1 interface
gigabit 1/47

!— Note: This command should be on one line.

Switch2#show mac-address-table multicast vlan 1
Vlan Mac Address Type Ports
—- ———– —- —–
1 0100.5e18.010a USER Gig1/47

Disable IGMP Snooping on All the Switches

If you disable IGMP snooping, all switches treat multicast traffic as a broadcast traffic. This floods the traffic to all the ports in that VLAN, regardless of whether the ports have interested receivers for that multicast stream.

Switch1(config)#no ip igmp snooping

Switch2(config)#no ip igmp snooping