Multicast FWSM + 6500 Routing

anthony.baker
Level 1

Hey all,

I have a server on a network off a FWSM that's playing out video using multicast.  If I have a PC on the same network I can connect using the multicast address and port number using UDP and it works.  I then enabled 'multicast routing' on the FWSM and I can do the same on another network off the same FWSM.

The next thing is to be able to watch the video from another network that's behind a different FWSM on another 6500, in a different area of our network.

What do I need to do to get that working?  The IP routing between the 6500's is OSPF and the flow would look something like this:

Source -- FWSM -- 6500 --  6500Cores -- 6500Office -- FWSM -- PC playout

The IP routing works fine so how do I go about adding mrouting to my configurations in the best way?

I am doing a lot of reading about it but wonder if you guys can offer any simple solutions?

Thanks,

Anthony


Anu M Chacko
Cisco Employee

Hi Anthony,

What mode of multicast are you using? You need to add mroutes on these devices just like you add the unicast routes.

Regards,

Anu

Hi,

Thanks for the response.  I am using PIM and was going to use dense-mode.

So I need to add static mroutes telling everything where the playout video's multicast address is?  What's the best way to go about that?

Cheers!

Hi,

PIM dense mode is not supported on the FWSM. Only PIM Sparse mode, bi-directional PIM and stub mode are supported. Here is a link which explains the difference:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/multicast_f.pdf

static mroutes should do the trick.

Hope this helps!

Regards,

Anu

Ok, thanks - I presume I am providing static routes towards the source of the video, something like this:

FWSM with my PC (trying to connect to the source) would be stubbed so the VLAN of my PC forwards to the outside interface of the FWSM

On that 6500 an mroute towards the next 6500

On the next 6500 another mroute towards the next FWSM

On that FWSM a stub that has the outside interface forwarding to the one on which the source is located

The other thing is, I presume I'm using the multicast address in these static mroutes?

Thanks!

Hi Anthony,

That sounds right. Be careful about the stub configuration. You will need to enable multicast traffic, configure igmp and access-list on the appropriate interface. Refer to the following document if you have any doubts:

https://supportforums.cisco.com/docs/DOC-2639

The mroutes must point to next hop to reach a particular network, not for multicast addresses. The purpose of the mroutes is for the receivers to send traffic to the senders. So, if the sender is at 10.1.1.1 on the outside of the firewall, the mroute must be

mroute 10.1.1.1 255.255.255.255 outside

Here is a useful document:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807631d2.shtml

Regards,

Anu

P.S. Please mark the question as resolved if it has been answered. Do rate helpful posts.

Ok, so now I've enabled pim on all the links between switches and firewalls and have added static mroutes on each for the next hop.

I have also tried both running pim on the fwsm's and had a stub using the igmp forward command.

Unfortunately nothing seems to work!  Is there a way to tell how far down the route (similar to traceroute!!) things are getting?

Thanks!

Hi Anthony,

Did you configure the "igmp forward interface" on the FWSM interface connected to the source? Could you post the multicast configuration from the FWSMs here? Do the mroutes point back to the source?

Regards,

Anu

anthony.baker
Level 1

Yes, on the FWSM with the source attached I have:

"igmp forward interface outside" -- but have also tried on interface outside "igmp forward interface "sourceinterface" -- which is correct?

I also have "multicast-routing" on but have added no mroutes on the FWSM's -- are they needed?

On the routers in between on all the L3 links I am running "ip pim sparse-dense-mode" as suggested in one of those docs and have mroute set as follows:

ip mroute "ipofsource" 255.255.255.255 "ipofnexthop6500"  -- on all 6500's without the FWSM in

ip mroute "ipofsource" 255.255.255.255 "ipofoutsideFWSM"  --  on the 6500 with the FWSM in

For the FWSM that the receivers are behind I have pim running and can see neighbours but no mroutes - do I need to do anything else with that one?

Finally, on the capture from the FWSM with the source I can see the packets on the source interface but not on the outside.  I have no denys on the log and all other traffic between is running with no problem

Sorry for all the questions and thanks for the help,

Anthony

Hi Anthony,

Enable "igmp forward interface "source interface"" on the outside interface of the FWSM.

mroutes will be needed for traffic coming back to the source. Before we start troubleshooting on the 6500s, let's investigate why the captures show nothing on the FWSM connected to the source. Do you have an access-list applied on the inside interface of the FWSM? If yes, then you will need to permit traffic to the multicast group in it. After you do that, take captures on the FWSM outside int and check if you see packets.

Where is the RP located?

Regards,

Anu

I have attempted to make the 6500 with the FWSM with the source attached as the RP (using its loopback address).

From the FWSM:

interface Vlan120
 nameif outside
 security-level 0
 ip address 10.1.120.1 255.255.255.0
 igmp forward interface ltmisc  --  Where the source is located

access-list ltmisc extended permit ip any host 239.0.71.1

access-list antcapture line 1 extended permit ip any host 239.0.71.1 (hitcnt=0)
access-list antcapture line 2 extended permit ip host 239.0.71.1 any (hitcnt=0)

capture antcapture type raw-data access-list antcapture interface outside

0 packet captured
0 packet shown

Also, it doesn't have the 239.0.71.1 in the show mroute...

Thanks...

I've had some packets through now as follows:

15 packets captured

   1: 15:35:17.742654424 802.1Q vlan#120 P0 10.1.120.2 > 239.0.71.1:  ip-proto-2, length 8
   2: 15:36:32.742728804 802.1Q vlan#120 P0 10.1.120.2 > 239.0.71.1:  ip-proto-2, length 8
   3: 15:36:38.742734864 802.1Q vlan#120 P0 10.1.120.2 > 239.0.71.1:  ip-proto-2, length 8
   4: 15:36:40.742737014 802.1Q vlan#120 P0 10.1.120.1 > 239.0.71.1:  ip-proto-2, length 8
   5: 15:36:41.742738194 802.1Q vlan#120 P0 10.1.120.1 > 239.0.71.1:  ip-proto-2, length 8
   6: 15:42:07.743063464 802.1Q vlan#120 P0 10.1.120.1 > 239.0.71.1:  ip-proto-2, length 8
   7: 15:42:07.743064194 802.1Q vlan#120 P0 10.1.120.1 > 239.0.71.1:  ip-proto-2, length 8
   8: 15:42:46.743102944 802.1Q vlan#120 P0 10.1.120.1 > 239.0.71.1:  ip-proto-2, length 8
   9: 15:42:56.743113444 802.1Q vlan#120 P0 10.1.120.1 > 239.0.71.1:  ip-proto-2, length 8
  10: 15:43:47.743164444 802.1Q vlan#120 P0 10.1.120.2 > 239.0.71.1:  ip-proto-2, length 8
  11: 15:44:23.743199484 802.1Q vlan#120 P0 10.1.120.1 > 239.0.71.1:  ip-proto-2, length 8
  12: 15:44:23.743199694 802.1Q vlan#120 P0 10.1.120.1 > 239.0.71.1:  ip-proto-2, length 8
  13: 15:44:24.743200694 802.1Q vlan#120 P0 10.1.120.1 > 239.0.71.1:  ip-proto-2, length 8
  14: 15:44:24.743201194 802.1Q vlan#120 P0 10.1.120.1 > 239.0.71.1:  ip-proto-2, length 8
  15: 15:45:01.743237694 802.1Q vlan#120 P0 10.1.120.1 > 239.0.71.1:  ip-proto-2, length 8

I attempted to manually join the outside interface to the igmp group 239.0.71.1 using the following:

ip igmp join-group 239.0.71.1

I can now see this in the mroute table:

(*, 239.0.71.1), 00:06:59/never, RP 0.0.0.0, flags: DCL
  Incoming interface: Null
  RPF nbr: 0.0.0.0
  Outgoing interface list:
    outside, Forward, 00:06:59/never

(10.1.216.200, 239.0.71.1), 00:06:59/00:03:01, flags: DJT
  Incoming interface: ltmisc
  RPF nbr: 10.1.216.200
  Immediate Outgoing interface list: Null
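
A triage script for capture output like the one posted above, added here as an example and not part of the original thread: it separates IGMP membership traffic (IP protocol 2) from the UDP stream itself for one group. The line pattern is taken from the capture above; the shape of a UDP line ("src.port > dst.port:  udp <len>") and the constructed sample line are assumptions.

```python
import re
from collections import Counter

# Four lines copied from the capture posted above.
SAMPLE = """\
   1: 15:35:17.742654424 802.1Q vlan#120 P0 10.1.120.2 > 239.0.71.1:  ip-proto-2, length 8
   4: 15:36:40.742737014 802.1Q vlan#120 P0 10.1.120.1 > 239.0.71.1:  ip-proto-2, length 8
   5: 15:36:41.742738194 802.1Q vlan#120 P0 10.1.120.1 > 239.0.71.1:  ip-proto-2, length 8
  10: 15:43:47.743164444 802.1Q vlan#120 P0 10.1.120.2 > 239.0.71.1:  ip-proto-2, length 8
"""
# Constructed line (not from the thread): assumed shape of a UDP stream packet.
CONSTRUCTED_UDP = ("  16: 15:45:02.000000000 802.1Q vlan#120 P0 "
                   "10.1.216.200.5004 > 239.0.71.1.5004:  udp 1316\n")

# "<n>: <time> [802.1Q vlan#<id> P<prio>] <src> > <dst>:  <detail>"
LINE = re.compile(
    r"^\s*\d+:\s+[\d:.]+\s+(?:802\.1Q\s+vlan#\d+\s+P\d+\s+)?"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+?):\s+(?P<detail>.+)$"
)
# Dotted quad with an optional trailing ".port".
ADDR = re.compile(r"^(\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?$")


def classify(detail):
    """Map the capture's protocol column to a short label."""
    m = re.match(r"ip-proto-(\d+)", detail)
    if m:
        return "igmp" if m.group(1) == "2" else "ip-proto-" + m.group(1)
    return "udp" if detail.startswith("udp") else "other"


def summarize(capture_text, group):
    """Count packets to `group` per (source, protocol) and flag what was seen."""
    per_source = Counter()
    for line in capture_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # header lines such as "15 packets captured"
        src, dst = ADDR.match(m["src"]), ADDR.match(m["dst"])
        if not src or not dst or dst.group(1) != group:
            continue
        per_source[(src.group(1), classify(m["detail"]))] += 1
    kinds = {kind for _, kind in per_source}
    return {"per_source": dict(per_source),
            "stream_seen": "udp" in kinds,
            "igmp_only": kinds == {"igmp"}}


if __name__ == "__main__":
    print(summarize(SAMPLE, "239.0.71.1"))
```

An `igmp_only` result means membership messages for the group reach the captured interface while no UDP packets of the stream appear in the capture.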

Have had some success...

I can now see the video if I put my receiver on a VLAN on the 6500 that has the Source's FWSM in it (the VLAN isn't part of the FWSM and is directly on the switch). 

So my config for the FWSM would appear ok now.  It's igmp-forward on the outside interface with the join command also.

I then had to add ip pim sparse-dense-mode to the VLAN connected to the FWSM and the VLAN on which my receiver is sat.

So, my next question is how do I set up my other FWSM behind which will sit my eventual receivers?  Would this be set up in the same way? 

Hi Anthony,

I'm glad to hear that! On the FWSM connected to the receivers, enable multicast and allow traffic in the access-lists on the interfaces. Next, the JOINs will have to be sent to the RP from the receivers, so you need to have the appropriate mroute; a default one would work.

The rest of it needs to be done as on the other FWSM.

Let me know.

Regards,

Anu

Ok, I managed to get this working!

I set the FW with the receivers to be the opposite of the source one so on the VLAN with the receivers in it I set the igmp-forward interface outside

On all the 6500 links and VLANs up to the FWSM's I enabled pim using sparse-dense-mode

I didn't need to add any static mroutes, I'm guessing because it would follow the normal routing of the network

I did have to add the appropriate access-lists and nonat statements to the FWSM's

I set the RP to the 6500 that has the FWSM with the source in it

With all that it seems to work!!  I get the video and the sound and I don't have packets from the stream seen at other places on the network that haven't joined the group.

Anu, thanks for all your help and between us we came to the right answer!

Regards,

Anthony
