08-05-2011 01:07 PM - edited 03-04-2019 01:11 PM
Hi,
We want to implement multicast on our network. We are going to use it for online teaching purposes. I am very new to multicast and do not have much idea about it. We are not running any routing protocol in our network, only static routes. The multicast server is located at one of our offices and it is connected to an L2 switch (Cisco 2960); the L2 switch is connected to an L3 switch (Cisco 4948). The L3 switch (Cisco 4948) and the Core Switch (Cisco 6509) with FWSM are connected with an E-3 link with a tunnel. Router 1 and Router 2 are connected with P2P ILL links which are terminated at serial interfaces. The Multicast Server IP is 192.168.2.131/25. The scenario of our network is mentioned below:
Multicast Server--->(L2 Switch)--->(L3 Switch)--->(Core Switch)--->(FWSM)--->(Router 1)---->(Router 2)--->(L2 Switch)--->(Multicast Client)
We have created a separate VLAN (i.e. VLAN 102, interface IP is 192.168.2.129/25) for multicast at the L3 switch, enabled multicast routing, defined the rp-address (i.e. 192.168.2.129/25), enabled sparse-dense mode at the multicast VLAN as well as at some other VLANs for testing purposes, and joined the multicast group (i.e. Multicast IP is 224.3.3.5). At the Core Switch we have also enabled multicast routing, defined the rp-address (i.e. 192.168.2.129/25), enabled sparse-dense mode at the user VLAN and the inside VLAN of the FWSM, and joined the multicast group at the user VLAN and inside VLAN. At the FWSM we have enabled multicast routing, defined the rp-address (192.168.2.129), didn't find any option to enable sparse-dense mode, and joined the multicast group at the inside VLAN and Router 1 VLAN. At Router 1, we have configured the same thing. We have configured mroutes at all the devices. We are able to ping from end to end. We are testing multicast with a Multicast IP checker tool (provided by the vendor). Multicast is working fine at the L2 switch, L3 switch and Core Switch, but not from Router 1. Ping is reachable from Router 1. After doing mtrace at Router 1, the following output has come:
Router 1 (Mtrace with destination address 192.168.2.131)
mtrace 172.21.15.2 192.168.2.131 224.3.3.5
Type escape sequence to abort.
Mtrace from 172.21.254.50 to 192.168.2.131 via group 224.3.3.5
From source (?) to destination (?)
Querying full reverse path... * switching to hop-by-hop:
0 192.168.2.131
-1 * * * Timed out receiving responses
Perhaps no local router has a route for source, the receiver is not
a member of the multicast group or the multicast ttl is too low.
Router 1 (Mtrace with destination address 192.168.2.129)
mtrace 172.21.254.50 192.168.2.129 224.3.3.5
Type escape sequence to abort.
Mtrace from 172.21.254.50 to 192.168.2.129 via group 224.3.3.5
From source (?) to destination (?)
Querying full reverse path... * switching to hop-by-hop:
0 192.168.2.129
-1 * 172.31.255.250 PIM/Static Reached RP/Core [default]
-2 * 172.31.255.249 PIM/Static [172.21.254.48/29]
-2 172.21.254.50
192.168.2.129 = Multicast Server Gateway and Vlan 102 ip address
192.168.2.131 = Multicast Server IP address
172.31.255.250 = L3 Switch (Cisco 4948) Tunnel IP address
172.31.255.249 = Core Switch (Cisco 6509) Tunnel IP address
172.21.254.50 = Router 1 interface IP address
If we do mtrace with the gateway IP address (i.e. 192.168.2.129) as the destination address then the mtrace is getting completed, but if the mtrace is done with the Multicast server IP address (192.168.2.131) as the destination address, then the mtrace is not getting completed.
We have connected one laptop at the Router 1 VLAN to test multicast. The host which is connected to the Router 1 VLAN is able to send multicast packets to other hosts, and the other hosts at different VLANs are receiving them, but it's unable to receive multicast packets sent by other hosts of different VLANs.
Do I need to enable igmp snooping at L2 switch, L3 switch and Core Switch ?
I am not able to understand or can't figure out where I have configured wrong. Please help.
Thanks a lot in advance for all your help.
Regards
Dipak
08-05-2011 05:30 PM
Hi Dipak,
First of all, mroute routing is not required unless you have an RPF issue, which means the multicast traffic is coming through an interface that is not used by unicast routing as the preferred path.
If you do not have this issue, which I think is the case because you are using a flat network with one path using static routes, then there is no need for it, but it does not harm anyway if you put it right.
IGMP snooping is a must on L2 switches; by default it is on, but double check it.
For multicast through the FWSM you will need a certain version; see the link below, it might be the issue:
https://supportforums.cisco.com/docs/DOC-3579
Also, can you post show ip mroute of the L3 switch and R1?
HTH
if helpful Rate
08-05-2011 10:33 PM
Hi,
I forgot to say that OSPF is running between the two Core Switches (i.e. Primary and Secondary Core Switch, Cisco 6509, with HSRP. Both core switches have the FWSM module installed).
OSPF configuration at Primary and Secondary Core Switch(Cisco 6509) :
router ospf 100
log-adjacency-changes
redistribute connected
redistribute static subnets
network 0.0.0.0 255.255.255.255 area 0
Route and Mroute are mentioned below:
L3 Switch (Cisco 4948) route and mroute:
ip route 172.21.1.0 255.255.255.0 172.31.255.249 name DC-DR-E3-Link
ip route 172.21.2.0 255.255.255.128 172.31.255.249 name DC-DR-E3-Link
ip route 172.21.3.0 255.255.255.128 172.31.255.249 name DC-DR-E3-Link
ip route 172.21.4.0 255.255.255.0 172.31.255.249 name DC-DR-E3-Link
ip route 172.21.10.0 255.255.255.0 172.31.255.249 name DC-DR-E3-Link
ip route 172.21.15.0 255.255.255.128 172.31.255.249 name DC-DR-E3-Link
ip route 172.21.15.128 255.255.255.128 172.31.255.249 name DC-DR-E3-Link
ip route 172.21.16.0 255.255.255.128 172.31.255.249 name DC-DR-E3-Link
ip route 172.21.16.128 255.255.255.128 172.31.255.249 name DC-DR-E3-Link
ip route 172.21.254.0 255.255.255.0 172.31.255.249 name DC-NETWORK-DEVICE
ip route 192.168.51.7 255.255.255.255 172.31.255.249 name HUGHES-SSEL-REPORTING-PORTAL
ip mroute 0.0.0.0 0.0.0.0 172.31.255.249
Core Switch (Cisco 6509) route and mroute:
ip route 0.0.0.0 0.0.0.0 172.21.254.17 (Default route towards FWSM)
ip route 192.168.1.0 255.255.255.0 172.31.255.250 (Route towards L3 switch via tunnel)
ip route 192.168.2.0 255.255.255.0 172.31.255.250 (Route towards L3 switch via tunnel)
ip route 192.168.3.0 255.255.255.0 172.31.255.250 (Route towards L3 switch via tunnel)
ip route 192.168.4.0 255.255.255.0 172.31.255.250 (Route towards L3 switch via tunnel)
ip route 192.168.255.0 255.255.255.0 172.31.255.250 (Route towards L3 switch via tunnel)
ip mroute 192.168.3.0 255.255.255.128 172.31.255.250 (Mroute towards L3 switch via tunnel)
ip mroute 192.168.4.0 255.255.255.128 172.31.255.250 (Mroute towards L3 switch via tunnel)
ip mroute 192.168.1.0 255.255.255.128 172.31.255.250 (Mroute towards L3 switch via tunnel)
ip mroute 192.168.2.0 255.255.255.128 172.31.255.250 (Mroute towards L3 switch via tunnel)
ip mroute 10.40.0.0 255.255.0.0 172.21.254.17 (Mroute towards FWSM)
ip mroute 10.41.0.0 255.255.0.0 172.21.254.17 (Mroute towards FWSM)
ip mroute 10.2.2.0 255.255.255.252 172.21.254.17 (Mroute towards FWSM)
ip mroute 172.21.254.48 255.255.255.248 172.21.254.17 (Mroute towards FWSM)
ip mroute 192.168.51.0 255.255.255.0 172.21.254.17 (Mroute towards FWSM)
ip mroute 0.0.0.0 0.0.0.0 172.21.254.17 (Default mroute towards FWSM, configured for testing purposes)
Router 1 route and mroute:
ip route 0.0.0.0 0.0.0.0 10.2.2.2 name BHARTI (Default route towards Router 2)
ip route 0.0.0.0 0.0.0.0 10.1.36.197 name VSNL-MPLS (Default route towards Router 2)
ip route 172.21.0.0 255.255.0.0 172.21.254.49 name DC-SALTLAKE
ip route 172.21.1.0 255.255.255.0 172.21.254.49 name DC-SALTLAKE-MZ
ip route 172.21.2.0 255.255.255.0 172.21.254.49 name DC-SALTLAKE-INT-SRV
ip route 172.21.10.0 255.255.255.0 172.21.254.49 name DC-SALTLAKE-DMZ
ip route 172.21.15.0 255.255.255.0 172.21.254.49 name DC-SALTLAKE-LAN
ip route 192.168.1.0 255.255.255.0 172.21.254.49 name BHARTI-SREI-SERVERS
ip route 192.168.2.0 255.255.255.0 172.21.254.49 name BHARTI-SREI-SERVERS
ip route 192.168.3.0 255.255.255.0 172.21.254.49 name BHARTI-SREI-SERVERS
ip route 192.168.4.0 255.255.255.0 172.21.254.49 name BHARTI-SREI-SERVERS
ip mroute 192.168.2.0 255.255.255.0 172.21.254.49
ip mroute 192.168.3.0 255.255.255.0 172.21.254.49
ip mroute 192.168.4.0 255.255.255.0 172.21.254.49
ip mroute 192.168.1.0 255.255.255.0 172.21.254.49
ip mroute 172.31.255.248 255.255.255.252 172.21.254.49
ip mroute 172.21.15.0 255.255.255.0 172.21.254.49
ip mroute 10.40.0.0 255.255.0.0 10.2.2.2
ip mroute 10.41.0.0 255.255.0.0 10.2.2.2
ip mroute 192.168.51.0 255.255.255.0 10.2.2.2
172.21.254.49 is Router 1 vlan configured at FWSM.
FWSM route and mroute:
route INSIDE IT-User 255.255.255.128 172.21.254.21 1
route INSIDE 172.21.17.0 255.255.255.128 172.21.254.21 1
route INSIDE 172.21.15.128 255.255.255.128 172.21.254.21 1
route INSIDE 172.21.16.128 255.255.255.128 172.21.254.21 1
route INSIDE 172.21.17.128 255.255.255.128 172.21.254.21 1
route INSIDE 192.168.10.0 255.255.255.192 172.21.254.21 1
route INSIDE 192.168.4.0 255.255.255.0 172.21.254.21 1
route INSIDE 192.168.3.0 255.255.255.0 172.21.254.21 1
route INSIDE 192.168.2.0 255.255.255.0 172.21.254.21 1
route INSIDE 10.6.84.0 255.255.255.0 172.21.254.21 1
route INSIDE 172.21.7.240 255.255.255.240 172.21.254.21 1
route INSIDE 172.21.16.0 255.255.255.128 172.21.254.21 1
route INSIDE 192.168.255.0 255.255.255.0 172.21.254.21 1
mroute 192.168.2.0 255.255.255.0 INSIDE
mroute 192.168.3.0 255.255.255.0 INSIDE
mroute 192.168.4.0 255.255.255.0 INSIDE
mroute IT-User 255.255.255.0 INSIDE
mroute 172.31.255.248 255.255.255.252 INSIDE
mroute 10.40.0.0 255.255.0.0 HughesCSC
mroute 10.41.0.0 255.255.0.0 HughesCSC
mroute 10.2.2.0 255.255.255.252 HughesCSC
mroute 192.168.51.0 255.255.255.0 HughesCSC
Is OSPF creating a problem?
Thanks a lot in advance.
Regards
Dipak
08-05-2011 05:31 PM
Hi Dipak,
It's very clear from your description and the output that multicast got broken at the FWSM. The reason is that your FWSM is not routing multicast and there is no PIM neighborship with Router 1 and the Core Switch.
Therefore, the quickest and easiest solution to your problem is to have a GRE tunnel between Router 1 and the Core Switch. Enable PIM sparse-dense over the tunnel, and make sure you allow connectivity between the tunnel interfaces on the FWSM.
Doing so should deliver the multicast traffic to your clients without a problem.
Let me know if this solves your issue.
Regards,
Mohamed
08-06-2011 01:46 AM
As Mohamed mentioned, you can use a GRE tunnel from your switch (if your switch supports GRE tunneling) to the router and permit GRE through the FWSM.
Another option is to have the FWSM in the multicast path using the recommendations in the link provided above.
Or you might think about having the multicast bypass the FWSM (less secure), but it is still an option you might consider.
HTH
08-07-2011 12:43 PM
Hi,
We have a lot of dependency on the FWSM. All the VLANs are created at the FWSM. Please go through some of the FWSM configuration.
FWSM:
interface Vlan9
no nameif
no security-level
no ip address
!
interface Vlan10
nameif OUTSIDE
security-level 10
ip address 172.21.254.1 255.255.255.248 standby 172.21.254.2
no igmp
!
interface Vlan30
shutdown
nameif DC-DR-BH
security-level 30
no ip address
no igmp
!
interface Vlan40
description @@@ CSC ZONE @@@
nameif CSC
security-level 40
ip address 172.21.254.33 255.255.255.248 standby 172.21.254.35
no igmp
!
interface Vlan41
description @@@ Airtel CSC ZONE @@@
nameif AirtelCSC
security-level 41
ip address 172.21.254.41 255.255.255.248 standby 172.21.254.43
no igmp
!
interface Vlan42
description @@@ Hughes CSC Zone @@@
nameif HughesCSC
security-level 42
ip address 172.21.254.49 255.255.255.248 standby 172.21.254.51
igmp join-group 224.3.3.5
igmp join-group 239.1.34.1
!
interface Vlan50
description @@@ NMS ILO ZONE @@@
nameif NMS-ILO
security-level 50
ip address 172.21.4.1 255.255.255.0 standby 172.21.4.2
no pim
no igmp
!
interface Vlan60
description @@@ PRE PRODUCTION ZONE @@@
nameif PRE-PROD
security-level 60
ip address 172.21.3.1 255.255.255.128 standby 172.21.3.2
no igmp
!
interface Vlan70
description @@@ E-COMMERCE ZONE @@@
nameif E-COMMERCE
security-level 70
ip address 172.21.2.129 255.255.255.128 standby 172.21.2.130
no igmp
!
interface Vlan80
description @@@ INTERNET SERVER ZONE @@@
nameif ISERVER
security-level 80
ip address 172.21.2.1 255.255.255.128 standby 172.21.2.2
no igmp
!
interface Vlan90
description @@@ SERVER ZONE @@@
nameif SERVER
security-level 90
ip address 172.21.1.1 255.255.255.0 standby 172.21.1.2
dhcprelay server 172.21.2.11
dhcprelay information trusted
no igmp
!
interface Vlan100
description @@@ INSIDE ZONE @@@
nameif INSIDE
security-level 100
ip address 172.21.254.17 255.255.255.248 standby 172.21.254.20
igmp join-group 224.3.3.5
!
interface Vlan101
description STATE Failover Interface
!
interface Vlan102
description LAN Failover Interface
!
route OUTSIDE 0.0.0.0 0.0.0.0 172.21.254.3 1 (Default route pointing towards Internet ASA)
route CSC 10.1.48.112 255.255.255.252 172.21.254.34 1
route CSC 10.10.110.0 255.255.255.0 172.21.254.34 1
route CSC 10.10.112.0 255.255.240.0 172.21.254.34 1
route CSC 10.10.128.0 255.255.248.0 172.21.254.34 1
route CSC 10.10.136.0 255.255.252.0 172.21.254.34 1
route CSC 10.10.140.0 255.255.255.0 172.21.254.34 1
route CSC 10.10.141.0 255.255.255.0 172.21.254.34 1
route CSC 10.10.111.0 255.255.255.0 172.21.254.34 1
route CSC 10.10.133.0 255.255.255.0 172.21.254.34 1
route CSC 192.168.0.126 255.255.255.255 172.21.254.34 1
route CSC 192.168.0.50 255.255.255.255 172.21.254.34 1
route AirtelCSC 10.211.0.0 255.255.0.0 172.21.254.42 1
route HughesCSC 10.40.0.0 255.255.0.0 172.21.254.50 1
route HughesCSC 10.41.0.0 255.255.0.0 172.21.254.50 1
route HughesCSC 192.168.51.7 255.255.255.255 172.21.254.50 1
route HughesCSC 10.1.36.196 255.255.255.252 172.21.254.50 1
route HughesCSC 10.2.2.0 255.255.255.252 172.21.254.50 1
route HughesCSC 221.171.85.110 255.255.255.255 172.21.254.50 1
route HughesCSC 172.21.21.0 255.255.255.252 172.21.254.50 1
route HughesCSC 10.10.255.0 255.255.255.252 172.21.254.50 1
route INSIDE IT-User 255.255.255.128 172.21.254.21 1
route INSIDE 172.21.17.0 255.255.255.128 172.21.254.21 1
route INSIDE 172.21.15.128 255.255.255.128 172.21.254.21 1
route INSIDE 172.21.16.128 255.255.255.128 172.21.254.21 1
route INSIDE 172.21.17.128 255.255.255.128 172.21.254.21 1
route INSIDE 192.168.10.0 255.255.255.192 172.21.254.21 1
route INSIDE 192.168.4.0 255.255.255.0 172.21.254.21 1
route INSIDE 192.168.3.0 255.255.255.0 172.21.254.21 1
route INSIDE 192.168.2.0 255.255.255.0 172.21.254.21 1
route INSIDE 10.6.84.0 255.255.255.0 172.21.254.21 1
route INSIDE 172.21.7.240 255.255.255.240 172.21.254.21 1
route INSIDE 172.21.16.0 255.255.255.128 172.21.254.21 1
route INSIDE 192.168.255.0 255.255.255.0 172.21.254.21 1
route INSIDE MGMT 255.255.255.0 172.21.254.21 1
Primary Core Configuration for FWSM:
firewall multiple-vlan-interfaces
firewall module 1 vlan-group 10
firewall vlan-group 10 10,30,40-42,50,60,70,80,90,100-102
!
ip route 0.0.0.0 0.0.0.0 172.21.254.17 (default route pointing towards fwsm)
Maybe I am wrong, but I think if we create a GRE tunnel between the Core Switch and Router 1, then we have to make a lot of changes in our configuration?
Is there any other way?
Please suggest.
Thanks a lot in advance.
Regards
Dipak
08-07-2011 01:51 PM
Hi Dipak,
You don't need to create too much configuration, it's only two steps. Please post the configuration and interfaces of both the Primary Core Switch and Router 1 here.
Regards,
Mohamed
08-09-2011 10:43 AM
Hi,
We have configured a tunnel on the Primary Core Switch and Router 1. The configuration is mentioned below:
Primary Core Switch:
interface loopback 0
ip address 2.2.2.1 255.255.255.252
!
interface tunnel 3
ip address 172.31.24.1 255.255.255.252
tunnel source loopback 0
tunnel destination 2.2.2.2
Router 1:
interface loopback 0
ip address 2.2.2.2 255.255.255.252
!
interface tunnel 3
ip address 172.31.24.2 255.255.255.252
tunnel source loopback 0
tunnel destination 2.2.2.1
When we are trying to ping the tunnel or loopback IP address (i.e. if we ping 172.31.24.2 from the Primary Core Switch, and vice versa), it's not pinging. We haven't configured anything at the FWSM for the tunnel. I am not able to understand or can't figure out why it's not pinging. Do I need to configure anything more for the tunnel?
Please suggest.
Thanks a lot in advance.
Regards
Dipak
08-09-2011 10:59 AM
Dipak,
You won't be able to ping, of course, because your tunnel source and destination are not routed on the FWSM; you also need to permit communication between the GRE source and destination with an ACL in the Firewall Services Module.
To avoid all of this, I asked you to submit the configuration and interfaces of both Router 1 and Primary Core 1 here. Please post the config and I will suggest a configuration.
Thanks,
Mohamed
08-09-2011 06:28 PM
As per the above poster, if you post your config we might give you a suggested config,
but in any case you can use the config below:
Primary Core Switch:
interface loopback 0
ip address 2.2.2.1 255.255.255.252
!
interface tunnel 3
ip address 172.31.24.1 255.255.255.252
tunnel source loopback 0
tunnel destination 2.2.2.2
ip pim sparse-dense-mode
Remove the ip mroutes you have and add the one below:
ip mroute 0.0.0.0 0.0.0.0 tunnel 3
Router 1:
interface loopback 0
ip address 2.2.2.2 255.255.255.252
!
interface tunnel 3
ip address 172.31.24.2 255.255.255.252
tunnel source loopback 0
tunnel destination 2.2.2.1
ip pim sparse-dense-mode
ip mroute 0.0.0.0 0.0.0.0 tunnel 3
In the firewall, allow the GRE tunnel from both sides, in and out, using source and destination as below:
in to out
GRE source 2.2.2.1 destination 2.2.2.2
out to in
GRE source 2.2.2.2 destination 2.2.2.1
Also add a route in the FW for 2.2.2.1 pointing to the L3 switch as the next hop, and another route for 2.2.2.2 pointing to R1.
HTH
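As an added example (not from this thread or from Cisco), the Python below models the IOS RPF lookup for Router 1 using the route and mroute lines Dipak posted earlier, and applies the default mroute via Tunnel3 suggested above to it. The model assumes that a matching static mroute (default distance 0) is preferred over the unicast table and that the longest prefix wins within each table; the scenario names and the "Tunnel3" next-hop string are the example's own.

```python
# Added example (not from the thread or from Cisco): a small model of the IOS
# RPF lookup for Router 1, built from the route and mroute lines posted above.
# Model assumptions: static mroutes use the default distance 0, so a matching
# static mroute is preferred over the unicast table; within each table the
# longest prefix wins. "Tunnel3" as a next hop stands for the suggested
# "ip mroute 0.0.0.0 0.0.0.0 Tunnel3".
from ipaddress import ip_address, ip_network

# (prefix, mask, next hop) triples copied from Router 1's posted unicast routes
ROUTER1_UNICAST = [
    ("0.0.0.0", "0.0.0.0", "10.2.2.2"),
    ("0.0.0.0", "0.0.0.0", "10.1.36.197"),
    ("172.21.0.0", "255.255.0.0", "172.21.254.49"),
    ("172.21.1.0", "255.255.255.0", "172.21.254.49"),
    ("172.21.2.0", "255.255.255.0", "172.21.254.49"),
    ("172.21.10.0", "255.255.255.0", "172.21.254.49"),
    ("172.21.15.0", "255.255.255.0", "172.21.254.49"),
    ("192.168.1.0", "255.255.255.0", "172.21.254.49"),
    ("192.168.2.0", "255.255.255.0", "172.21.254.49"),
    ("192.168.3.0", "255.255.255.0", "172.21.254.49"),
    ("192.168.4.0", "255.255.255.0", "172.21.254.49"),
]

# Static mroutes as originally posted: the 192.168.x.0 server VLANs all point
# at 172.21.254.49, which is the FWSM HughesCSC interface.
ROUTER1_MROUTES_ORIGINAL = [
    ("192.168.2.0", "255.255.255.0", "172.21.254.49"),
    ("192.168.3.0", "255.255.255.0", "172.21.254.49"),
    ("192.168.4.0", "255.255.255.0", "172.21.254.49"),
    ("192.168.1.0", "255.255.255.0", "172.21.254.49"),
    ("172.31.255.248", "255.255.255.252", "172.21.254.49"),
    ("172.21.15.0", "255.255.255.0", "172.21.254.49"),
    ("10.40.0.0", "255.255.0.0", "10.2.2.2"),
    ("10.41.0.0", "255.255.0.0", "10.2.2.2"),
    ("192.168.51.0", "255.255.255.0", "10.2.2.2"),
]

# The suggested replacement: a single default mroute via the GRE tunnel.
ROUTER1_MROUTES_TUNNEL = [("0.0.0.0", "0.0.0.0", "Tunnel3")]

MULTICAST_SERVER = "192.168.2.131"


def longest_match(table, source):
    """Most specific (prefix, mask, next hop) entry covering source, else None."""
    src = ip_address(source)
    best, best_len = None, -1
    for prefix, mask, nexthop in table:
        net = ip_network(f"{prefix}/{mask}", strict=False)
        if src in net and net.prefixlen > best_len:
            best, best_len = (prefix, mask, nexthop), net.prefixlen
    return best


def rpf_lookup(mroutes, unicast, source):
    """Return (table used, RPF next hop) for a multicast source address.

    The static mroute table is consulted first (distance 0 beats any unicast
    route); only when it has no covering entry does the unicast table decide.
    """
    hit = longest_match(mroutes, source)
    if hit:
        return ("static mroute", hit[2])
    hit = longest_match(unicast, source)
    if hit:
        return ("unicast", hit[2])
    return ("none", None)


def compare_scenarios(source=MULTICAST_SERVER):
    """RPF result for the server under the configurations discussed in the thread."""
    return {
        "original mroutes": rpf_lookup(ROUTER1_MROUTES_ORIGINAL, ROUTER1_UNICAST, source),
        # Keeping the old mroutes and only adding the default one changes
        # nothing: 192.168.2.0/24 is a longer match than 0.0.0.0/0.
        "original + default via Tunnel3": rpf_lookup(
            ROUTER1_MROUTES_ORIGINAL + ROUTER1_MROUTES_TUNNEL, ROUTER1_UNICAST, source),
        "default via Tunnel3 only": rpf_lookup(ROUTER1_MROUTES_TUNNEL, ROUTER1_UNICAST, source),
        "no static mroutes": rpf_lookup([], ROUTER1_UNICAST, source),
    }


if __name__ == "__main__":
    for name, (table, nexthop) in compare_scenarios().items():
        print(f"{name:32s} -> {table}: {nexthop}")
```

The model shows why the existing Router 1 mroutes have to be removed rather than supplemented: as long as the /24 entry for the server VLAN is present, RPF for 192.168.2.131 keeps pointing at the FWSM interface and the default mroute via Tunnel3 is never selected.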
08-09-2011 09:44 PM
Hi,
As suggested by you, I have configured the same at the Primary Core Switch, Router 1 and FWSM. From the FWSM we are able to ping both the loopback IP addresses only. The tunnel IP address is not pinging from the FWSM, Primary Core Switch and Router 1, and also the loopback address is not pinging from the Primary Core Switch and Router 1. The following command is not supported by the FWSM:
In the firewall, allow the GRE tunnel from both sides, in and out, using source and destination as below:
in to out
GRE source 2.2.2.1 destination 2.2.2.2
out to in
GRE source 2.2.2.2 destination 2.2.2.1
As suggested by you, we have configured the following routes at the FWSM:
route HughesCSC 2.2.2.2 255.255.255.255 172.21.254.50 1
route INSIDE 2.2.2.1 255.255.255.255 172.21.254.21 1
172.21.254.50 = IP address of Router 1 interface
172.21.254.21 = IP address of INSIDE vlan virtual ip configured at Primary Core Switch(L3 Switch i.e. 6509)
We have also configured the following ACLs at the FWSM:
access-list HughesCSC_access_in extended permit ip any any
access-list HughesCSC_access_in extended permit igmp any any
access-list inside line 1 extended permit ip any any
While trying to allow igmp, the following error is coming:
[ERROR] access-list inside line 2 extended permit igmp 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
access-list (inside) is assigned to nat0 acl and can't have protocol or port
Do we need to configure rp-address at FWSM ?
Please suggest.
Thanks a lot in advance.
Regards
Dipak
08-09-2011 10:04 PM
Hi
GRE is like a VPN: it encapsulates the IP traffic, so the firewall will not see any multicast traffic, it will see GRE.
That's why you do not need to allow IGMP or enable any multicasting in the firewall.
Once the GRE can pass between your L3 switch and Router 1,
in Router 1 add the following command on its loopback interface:
ip igmp join-group 239.1.1.1
then from the L3 switch ping 239.1.1.1
and post the show ip mroute.
Make sure the ip mroute is configured as advised above
and that you enable PIM sparse-dense mode on the tunnel interfaces.
08-09-2011 09:59 PM
Hi,
Please go through the following configuration of Router 1 and the Primary Core Switch:
Router 1:
ip multicast-routing
!
interface Tunnel3
ip address 172.31.24.2 255.255.255.252
ip pim sparse-dense-mode
tunnel source Loopback0
tunnel destination 2.2.2.1
!
interface Loopback0
ip address 2.2.2.2 255.255.255.252
!
interface Loopback1
no ip address
!
interface GigabitEthernet0/0
bandwidth 1024
ip address 10.1.36.198 255.255.255.252
ip load-sharing per-packet
ip nbar protocol-discovery
duplex auto
speed auto
media-type rj45
negotiation auto
max-reserved-bandwidth 100
!
interface GigabitEthernet0/1
ip address 172.21.254.50 255.255.255.248
ip nbar protocol-discovery
ip flow ingress
ip pim sparse-dense-mode
ip route-cache flow
ip igmp join-group 224.3.3.5
duplex auto
speed auto
media-type rj45
negotiation auto
!
interface Serial0/3/0
bandwidth 2048
ip address 10.2.2.1 255.255.255.252
no ip redirects
no ip proxy-arp
ip load-sharing per-packet
ip nbar protocol-discovery
ip pim sparse-dense-mode
encapsulation ppp
fair-queue
max-reserved-bandwidth 100
!
ip route 0.0.0.0 0.0.0.0 10.2.2.2
ip route 0.0.0.0 0.0.0.0 10.1.36.197
ip route 10.40.0.0 255.255.0.0 10.2.2.2
ip route 10.40.0.0 255.255.0.0 10.1.36.197
ip route 10.41.0.0 255.255.0.0 10.2.2.2
ip route 10.41.0.0 255.255.0.0 10.1.36.197
ip route 172.21.0.0 255.255.0.0 172.21.254.49
ip route 172.21.1.0 255.255.255.0 172.21.254.49
ip route 172.21.2.0 255.255.255.0 172.21.254.49
ip route 172.21.10.0 255.255.255.0 172.21.254.49
ip route 172.21.15.0 255.255.255.0 172.21.254.49
ip route 192.168.1.0 255.255.255.0 172.21.254.49
ip route 192.168.2.0 255.255.255.0 172.21.254.49
ip route 192.168.3.0 255.255.255.0 172.21.254.49
ip route 192.168.4.0 255.255.255.0 172.21.254.49
Primary Core Switch:
firewall multiple-vlan-interfaces
firewall module 1 vlan-group 10
firewall vlan-group 10 10,30,40-42,50,60,70,80,90,100-102
intrusion-detection module 4 management-port access-vlan 204
intrusion-detection module 4 data-port 1 capture allowed-vlan 201
!
ip multicast-routing
!
interface Loopback0
ip address 2.2.2.1 255.255.255.252
!
interface Tunnel3
ip address 172.31.24.1 255.255.255.252
ip pim sparse-dense-mode
tunnel source Loopback0
tunnel destination 2.2.2.2
!
interface Vlan100
ip address 172.21.254.18 255.255.255.248
ip pim sparse-dense-mode
ip route-cache flow
ip igmp static-group 224.3.3.5
standby 100 ip 172.21.254.21
standby 100 priority 110
standby 100 preempt
!
ip route 0.0.0.0 0.0.0.0 172.21.254.17
ip route 192.168.1.0 255.255.255.0 172.31.255.250
ip route 192.168.2.0 255.255.255.0 172.31.255.250
ip route 192.168.3.0 255.255.255.0 172.31.255.250
ip route 192.168.4.0 255.255.255.0 172.31.255.250
!
ip mroute 0.0.0.0 0.0.0.0 Tunnel3
Please suggest.
Thanks a lot in advance.
Regards
Dipak
08-09-2011 10:39 PM
Add this to Router 1:
ip mroute 0.0.0.0 0.0.0.0 Tunnel3
and permit the GRE over the FW,
then from the switch do ping 224.3.3.5
and provide the ping result and the show ip mroute after the ping.