topic FWSM and Multicast in Network Security

FWSM and Multicast

anazarenko — Tue, 12 Mar 2019 02:01:24 GMT

I have the following config

multicast-routing

pim rp-address 10.200.59.10

I don't have any PIM neighbors, I just need to pass multicast stream from Vlan107 to Vlan126.

interface Vlan107

nameif eDIN

security-level 40

ip address 10.90.23.254 255.255.254.0 standby 10.90.23.253

interface Vlan126

nameif OPE_TCE

security-level 20

ip address 10.11.40.1 255.255.0.0 standby 10.11.40.2

igmp static-group 226.1.1.1

access-group eDIN_access_in in interface eDIN

....

access-list eDIN_access_in extended permit ip any host 226.1.1.1

show access-list

access-list eDIN_access_in line 18 extended permit ip any host 226.1.1.1 (hitcnt=504349) 0x3cfe4253

# sh int vlan107 | incl input

13422433 packets input, 8096406276 bytes

# sh int vlan107 | incl input

13422499 packets input, 8096503432 bytes

# sh conn

0 in use, 13 most used

....

Multicast sessions:

Network Processor 1 connections

Network Processor 2 connections

IPv6 connections:

# sh mroute

Multicast Routing Table

Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group,

C - Connected, L - Local, I - Received Source Specific Host Report,

P - Pruned, R - RP-bit set, F - Register flag, T - SPT-bit set,

J - Join SPT

Timers: Uptime/Expires

Interface state: Interface, State

(*, 226.1.1.1), 01:36:16/never, RP 10.200.59.10, flags: SCJ

Incoming interface: Tunnel0

RPF nbr: 10.200.59.10

Outgoing interface list:

OPE_TCE, Forward, 01:36:16/never

I don't see (S,G) entry for my multicast stream. ANy help would be appreciated.

FWSM and Multicast

Julio Carvajal — Fri, 21 Jun 2013 18:45:18 GMT

Hello,

This means that the registration process has not finished yet,

Who is this guy 10.200.59.10 ( Core router, etc),

Also you are running PIM sparse-mode on the FWSM and you do not see any neigbhorship, ofcourse you will not receive any traffic, you must build a PIM relationship between you and the device that connects to the RP address

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

FWSM and Multicast

anazarenko — Fri, 21 Jun 2013 18:59:25 GMT

Dear Sir,

10.200.59.10 is FWSM itself.

I just need to pass the traffic from one VLAN to another one. (light version of PIM, without neighbors)

My subscriber is sitting in OPE_TCE VLAN.

FWSM and Multicast

Julio Carvajal — Fri, 21 Jun 2013 19:13:48 GMT

Okey, got it,

So basically multicast traffic will only flow across the FWSM

The source of the traffic is on the eDIN interface,

What happens if you apply captures and generate some traffic? Do u see the traffic reaching both interfaces?

Can you use the eDIN interface as the RP address ( As I do not see the 10.200.59.10 listed on the config, just want to be sure)

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

FWSM and Multicast

anazarenko — Mon, 24 Jun 2013 09:19:46 GMT

Ok, today i managed to change RP to Vlan eDIN.

MMFWIB11/eGON/act# sh mroute

Multicast Routing Table

Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group,

C - Connected, L - Local, I - Received Source Specific Host Report,

P - Pruned, R - RP-bit set, F - Register flag, T - SPT-bit set,

J - Join SPT

Timers: Uptime/Expires

Interface state: Interface, State

(*, 226.1.1.1), 2d23h/never, RP 10.11.40.1, flags: SCJ

Incoming interface: Tunnel1

RPF nbr: 10.11.40.1

Outgoing interface list:

OPE_TCE, Forward, 2d23h/never

# sh capture

capture vlan107 type raw-data access-list mcast interface eDIN[Buffer Full - 524220 bytes]

capture vlan126 type raw-data interface OPE_TCE[Capturing - 0 bytes]

# sh capture vlan107

132699 packets seen, 6244 packets captured

1: 08:53:28.323060160 802.1Q vlan#107 P0 10.10.11.2.53539 > 226.1.1.1.5001: udp 1470

2: 08:53:28.323060180 802.1Q vlan#107 P0 10.10.11.2.53539 > 226.1.1.1.5001: udp 1470

#sh route | incl 10.10.11.2

S 10.10.11.2 255.255.255.255 [1/0] via 10.90.23.253, eDIN

and nothing on outgoing interface.