Multicast Issue

dipak jaiswal (Level 1)

Hi,

We want to implement multicast on our network. We are going to use it for online teaching purposes. I am very new to multicast and do not have much idea about it. We are not running any routing protocol in our network, only static routes. The multicast server is located at one of our offices and is connected to an L2 switch (Cisco 2960); the L2 switch is connected to an L3 switch (Cisco 4948). The L3 switch (Cisco 4948) and the Core Switch (Cisco 6509) with FWSM are connected with an E-3 link with a tunnel. Router 1 and Router 2 are connected with P2P ILL links which are terminated at serial interfaces. The Multicast Server IP is 192.168.2.131/25. The scenario of our network is mentioned below:

Multicast  Server--->(L2 Switch)--->(L3 Switch)--->(Core  Switch)--->(FWSM)--->(Router 1)---->(Router 2)--->(L2  Switch)--->(Multicast Client)

We have created a separate VLAN (i.e. VLAN 102, interface IP 192.168.2.129/25) for multicast at the L3 switch, enabled multicast routing, defined the rp-address (i.e. 192.168.2.129/25), enabled sparse-dense mode on the multicast VLAN as well as on some other VLANs for testing purposes, and joined the multicast group (i.e. multicast IP 224.3.3.5). At the core switch we have also enabled multicast routing, defined the rp-address (i.e. 192.168.2.129/25), enabled sparse-dense mode on the user VLAN and the inside VLAN of the FWSM, and joined the multicast group on the user VLAN and inside VLAN. At the FWSM we have enabled multicast routing, defined the rp-address (192.168.2.129), did not find any option to enable sparse-dense mode, and joined the multicast group on the inside VLAN and Router 1 VLAN. At Router 1 we have configured the same thing. We have configured mroutes at all the devices. We are able to ping from end to end. We are testing multicast with the Multicast IP checker tool (provided by the vendor). Multicast is working fine at the L2 switch, L3 switch and Core Switch, but not from Router 1. Ping is reachable from Router 1. After doing mtrace at Router 1, the following output has come:

Router 1 (mtrace with destination address 192.168.2.131):

mtrace 172.21.15.2 192.168.2.131 224.3.3.5
Type escape sequence to abort.
Mtrace from 172.21.254.50 to 192.168.2.131 via group 224.3.3.5
From source (?) to destination (?)
Querying full reverse path... * switching to hop-by-hop:
 0  192.168.2.131
-1  * * * Timed out receiving responses
Perhaps no local router has a route for source, the receiver is not
a member of the multicast group or the multicast ttl is too low.

Router 1 (mtrace with destination address 192.168.2.129):

mtrace 172.21.254.50 192.168.2.129 224.3.3.5
Type escape sequence to abort.
Mtrace from 172.21.254.50 to 192.168.2.129 via group 224.3.3.5
From source (?) to destination (?)
Querying full reverse path... * switching to hop-by-hop:
 0  192.168.2.129
-1  * 172.31.255.250 PIM/Static Reached RP/Core [default]
-2  * 172.31.255.249 PIM/Static  [172.21.254.48/29]
-2  172.21.254.50

192.168.2.129 = Multicast Server gateway and VLAN 102 IP address
192.168.2.131 = Multicast Server IP address
172.31.255.250 = L3 Switch (Cisco 4948) tunnel IP address
172.31.255.249 = Core Switch (Cisco 6509) tunnel IP address
172.21.254.50 = Router 1 interface IP address

If we do mtrace with the gateway IP address (i.e. 192.168.2.129) as the destination address, then the mtrace completes, but if the mtrace is done with the multicast server IP address (192.168.2.131) as the destination address, then the mtrace does not complete.

We have connected one laptop to the Router 1 VLAN to test multicast. The host which is connected to the Router 1 VLAN is able to send multicast packets to other hosts, and the other hosts on different VLANs are receiving them, but it is unable to receive multicast packets sent by other hosts on different VLANs.

Do I need to enable IGMP snooping at the L2 switch, L3 switch and Core Switch?

I am not able to understand or figure out where I have configured something wrong. Please help.

Thanks a lot in advance for all your help.

Regards

Dipak

23 Replies

Marwan ALshawi (VIP Alumni)

Hi Dipak,

First of all, mroute routing is not required unless you have an RPF issue, which means you have multicast traffic coming through an interface that is not used by unicast routing as the preferred path.

If you do not have this issue, which I think is the case because you are using a flat network with one path using static routes, then there is no need for it, but it does not harm anyway if you put it in right.

IGMP snooping is a must on L2 switches; by default it is on, but double check it.

For mcast through the FWSM you will need a certain version; see the link below, it might be the issue.

https://supportforums.cisco.com/docs/DOC-3579

Also, can you post show ip mroute of the L3 switch and R1?

HTH

If helpful, rate.
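The RPF rule described in the reply above is easy to get wrong when static mroutes and unicast routes carry different masks. The script below is an added illustration, not part of the thread or of Cisco IOS: it models the RPF lookup a router performs (static mroutes consulted before the unicast table, longest match within each, which is the IOS default since a static mroute has distance 0) and runs it over the entries the Core Switch (6509) posts later in this thread. The interface names Tunnel0 and Vlan100 are assumptions, since the thread gives next hops but not interface names. Running it shows that the server address 192.168.2.131 lies outside the posted 192.168.2.0/25 mroute and therefore matches only the default mroute towards the FWSM, so the RPF interface becomes Vlan100 rather than the tunnel; with the default mroute removed the lookup falls through to the unicast /24 and RPF points back at the tunnel.

```python
from ipaddress import ip_address, ip_network

# Constructed from the Core Switch (Cisco 6509) entries posted in this thread,
# reduced to the ones that matter for a source in 192.168.2.0/24.
UNICAST_ROUTES = [
    ("0.0.0.0/0", "172.21.254.17"),        # default route towards FWSM
    ("192.168.2.0/24", "172.31.255.250"),  # server VLAN via tunnel to L3 switch
]
STATIC_MROUTES = [
    ("192.168.2.0/25", "172.31.255.250"),  # note the /25 mask, not /24
    ("0.0.0.0/0", "172.21.254.17"),        # default mroute "for testing"
]
# Assumed interface names: the thread names the next hops, not the interfaces.
NEXT_HOP_IFACE = {"172.31.255.250": "Tunnel0", "172.21.254.17": "Vlan100"}


def longest_match(table, src):
    """Longest-prefix match of src over a list of (prefix, next_hop)."""
    src = ip_address(src)
    best = None
    for prefix, next_hop in table:
        net = ip_network(prefix)
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def rpf_interface(src, mroutes=STATIC_MROUTES, routes=UNICAST_ROUTES):
    """Interface on which the router expects packets from src to arrive.

    Assumption (IOS default): static mroutes are consulted before the
    unicast routing table, longest match within each table.
    """
    for table, kind in ((mroutes, "mroute"), (routes, "unicast")):
        hit = longest_match(table, src)
        if hit:
            net, next_hop = hit
            return NEXT_HOP_IFACE[next_hop], f"{kind} {net} via {next_hop}"
    return None, "no route"


def rpf_check(src, ingress_iface, mroutes=STATIC_MROUTES, routes=UNICAST_ROUTES):
    """Return (passed, expected_iface, reason) for a multicast packet from
    src that arrived on ingress_iface. A failed check means the router
    silently drops the packet, which is what a one-way multicast symptom
    usually looks like."""
    expected, reason = rpf_interface(src, mroutes, routes)
    return expected == ingress_iface, expected, reason


if __name__ == "__main__":
    for src, iface in [("192.168.2.131", "Tunnel0"), ("192.168.2.131", "Vlan100")]:
        ok, expected, reason = rpf_check(src, iface)
        print(f"{src} in on {iface}: {'PASS' if ok else 'FAIL'} "
              f"(RPF interface {expected}; {reason})")
    # Same source with the default mroute removed: RPF follows the unicast /24.
    ok, expected, reason = rpf_check("192.168.2.131", "Tunnel0",
                                     mroutes=STATIC_MROUTES[:1])
    print(f"without default mroute: {'PASS' if ok else 'FAIL'} ({reason})")
```

The practical check on a real box is `show ip rpf <source>`, which prints the same answer this function computes; compare its RPF interface with the interface the source's traffic actually enters on before adding or removing any `ip mroute`.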

Hi,

I forgot to say that OSPF is running between the two Core Switches (i.e. Primary and Secondary Core Switch, Cisco 6509, with HSRP; both core switches have an FWSM module installed).

OSPF configuration at the Primary and Secondary Core Switch (Cisco 6509):

router ospf 100
 log-adjacency-changes
 redistribute connected
 redistribute static subnets
 network 0.0.0.0 255.255.255.255 area 0

Routes and mroutes are mentioned below:

L3 Switch (Cisco 4948) routes and mroutes:

ip route 172.21.1.0 255.255.255.0 172.31.255.249 name DC-DR-E3-Link
ip route 172.21.2.0 255.255.255.128 172.31.255.249 name DC-DR-E3-Link
ip route 172.21.3.0 255.255.255.128 172.31.255.249 name DC-DR-E3-Link
ip route 172.21.4.0 255.255.255.0 172.31.255.249 name DC-DR-E3-Link
ip route 172.21.10.0 255.255.255.0 172.31.255.249 name DC-DR-E3-Link
ip route 172.21.15.0 255.255.255.128 172.31.255.249 name DC-DR-E3-Link
ip route 172.21.15.128 255.255.255.128 172.31.255.249 name DC-DR-E3-Link
ip route 172.21.16.0 255.255.255.128 172.31.255.249 name DC-DR-E3-Link
ip route 172.21.16.128 255.255.255.128 172.31.255.249 name DC-DR-E3-Link
ip route 172.21.254.0 255.255.255.0 172.31.255.249 name DC-NETWORK-DEVICE
ip route 192.168.51.7 255.255.255.255 172.31.255.249 name HUGHES-SSEL-REPORTING-PORTAL
ip mroute 0.0.0.0 0.0.0.0 172.31.255.249

Core Switch (Cisco 6509) routes and mroutes:

ip route 0.0.0.0 0.0.0.0 172.21.254.17 (default route towards FWSM)
ip route 192.168.1.0 255.255.255.0 172.31.255.250 (route towards L3 switch via tunnel)
ip route 192.168.2.0 255.255.255.0 172.31.255.250 (route towards L3 switch via tunnel)
ip route 192.168.3.0 255.255.255.0 172.31.255.250 (route towards L3 switch via tunnel)
ip route 192.168.4.0 255.255.255.0 172.31.255.250 (route towards L3 switch via tunnel)
ip route 192.168.255.0 255.255.255.0 172.31.255.250 (route towards L3 switch via tunnel)
ip mroute 192.168.3.0 255.255.255.128 172.31.255.250 (mroute towards L3 switch via tunnel)
ip mroute 192.168.4.0 255.255.255.128 172.31.255.250 (mroute towards L3 switch via tunnel)
ip mroute 192.168.1.0 255.255.255.128 172.31.255.250 (mroute towards L3 switch via tunnel)
ip mroute 192.168.2.0 255.255.255.128 172.31.255.250 (mroute towards L3 switch via tunnel)
ip mroute 10.40.0.0 255.255.0.0 172.21.254.17 (mroute towards FWSM)
ip mroute 10.41.0.0 255.255.0.0 172.21.254.17 (mroute towards FWSM)
ip mroute 10.2.2.0 255.255.255.252 172.21.254.17 (mroute towards FWSM)
ip mroute 172.21.254.48 255.255.255.248 172.21.254.17 (mroute towards FWSM)
ip mroute 192.168.51.0 255.255.255.0 172.21.254.17 (mroute towards FWSM)
ip mroute 0.0.0.0 0.0.0.0 172.21.254.17 (default mroute towards FWSM, configured for testing purposes)

Router 1 routes and mroutes:

ip route 0.0.0.0 0.0.0.0 10.2.2.2 name BHARTI (default route towards Router 2)
ip route 0.0.0.0 0.0.0.0 10.1.36.197 name VSNL-MPLS (default route towards Router 2)
ip route 172.21.0.0 255.255.0.0 172.21.254.49 name DC-SALTLAKE
ip route 172.21.1.0 255.255.255.0 172.21.254.49 name DC-SALTLAKE-MZ
ip route 172.21.2.0 255.255.255.0 172.21.254.49 name DC-SALTLAKE-INT-SRV
ip route 172.21.10.0 255.255.255.0 172.21.254.49 name DC-SALTLAKE-DMZ
ip route 172.21.15.0 255.255.255.0 172.21.254.49 name DC-SALTLAKE-LAN
ip route 192.168.1.0 255.255.255.0 172.21.254.49 name BHARTI-SREI-SERVERS
ip route 192.168.2.0 255.255.255.0 172.21.254.49 name BHARTI-SREI-SERVERS
ip route 192.168.3.0 255.255.255.0 172.21.254.49 name BHARTI-SREI-SERVERS
ip route 192.168.4.0 255.255.255.0 172.21.254.49 name BHARTI-SREI-SERVERS
ip mroute 192.168.2.0 255.255.255.0 172.21.254.49
ip mroute 192.168.3.0 255.255.255.0 172.21.254.49
ip mroute 192.168.4.0 255.255.255.0 172.21.254.49
ip mroute 192.168.1.0 255.255.255.0 172.21.254.49
ip mroute 172.31.255.248 255.255.255.252 172.21.254.49
ip mroute 172.21.15.0 255.255.255.0 172.21.254.49
ip mroute 10.40.0.0 255.255.0.0 10.2.2.2
ip mroute 10.41.0.0 255.255.0.0 10.2.2.2
ip mroute 192.168.51.0 255.255.255.0 10.2.2.2

172.21.254.49 is the Router 1 VLAN configured at the FWSM.

FWSM routes and mroutes:

route INSIDE IT-User 255.255.255.128 172.21.254.21 1
route INSIDE 172.21.17.0 255.255.255.128 172.21.254.21 1
route INSIDE 172.21.15.128 255.255.255.128 172.21.254.21 1
route INSIDE 172.21.16.128 255.255.255.128 172.21.254.21 1
route INSIDE 172.21.17.128 255.255.255.128 172.21.254.21 1
route INSIDE 192.168.10.0 255.255.255.192 172.21.254.21 1
route INSIDE 192.168.4.0 255.255.255.0 172.21.254.21 1
route INSIDE 192.168.3.0 255.255.255.0 172.21.254.21 1
route INSIDE 192.168.2.0 255.255.255.0 172.21.254.21 1
route INSIDE 10.6.84.0 255.255.255.0 172.21.254.21 1
route INSIDE 172.21.7.240 255.255.255.240 172.21.254.21 1
route INSIDE 172.21.16.0 255.255.255.128 172.21.254.21 1
route INSIDE 192.168.255.0 255.255.255.0 172.21.254.21 1
mroute 192.168.2.0 255.255.255.0 INSIDE
mroute 192.168.3.0 255.255.255.0 INSIDE
mroute 192.168.4.0 255.255.255.0 INSIDE
mroute IT-User 255.255.255.0 INSIDE
mroute 172.31.255.248 255.255.255.252 INSIDE
mroute 10.40.0.0 255.255.0.0 HughesCSC
mroute 10.41.0.0 255.255.0.0 HughesCSC
mroute 10.2.2.0 255.255.255.252 HughesCSC
mroute 192.168.51.0 255.255.255.0 HughesCSC

Is OSPF creating a problem?

Thanks a lot in advance.

Regards

Dipak

Mohamed Sobair (Level 7)

Hi Dipak,

It is very clear from your description and the output that multicast is broken at the FWSM. The reason is that your FWSM is not routing multicast and there is no PIM neighborship with Router 1 and the Core Switch.

Therefore, the quickest and easiest solution to your problem is to have a GRE tunnel between Router 1 and the Core Switch. Enable PIM sparse-dense over the tunnel, and make sure you allow connectivity between the tunnel interfaces on the FWSM.

Doing so should provide the multicast traffic to your clients without a problem.

Let me know if this solves your issue.

Regards,

Mohamed

As Mohamed mentioned, you can use a GRE tunnel from your switch (if your switch supports GRE tunneling) to the router and permit GRE through the FWSM.

Another option is to have the FWSM in the mcast path using the recommendations in the link provided above.

Or you might think about having the multicast bypass the FWSM (less secure), but it is still an option you might think about.

HTH

Hi,

We have a lot of dependency on the FWSM. All the VLANs are created at the FWSM. Please go through some of the FWSM configuration.

FWSM:

interface Vlan9
 no nameif
 no security-level
 no ip address
!
interface Vlan10
 nameif OUTSIDE
 security-level 10
 ip address 172.21.254.1 255.255.255.248 standby 172.21.254.2
 no igmp
!
interface Vlan30
 shutdown
 nameif DC-DR-BH
 security-level 30
 no ip address
 no igmp
!
interface Vlan40
 description @@@ CSC ZONE @@@
 nameif CSC
 security-level 40
 ip address 172.21.254.33 255.255.255.248 standby 172.21.254.35
 no igmp
!
interface Vlan41
 description @@@ Airtel CSC ZONE @@@
 nameif AirtelCSC
 security-level 41
 ip address 172.21.254.41 255.255.255.248 standby 172.21.254.43
 no igmp
!
interface Vlan42
 description @@@ Hughes CSC Zone @@@
 nameif HughesCSC
 security-level 42
 ip address 172.21.254.49 255.255.255.248 standby 172.21.254.51
 igmp join-group 224.3.3.5
 igmp join-group 239.1.34.1
!
interface Vlan50
 description @@@ NMS ILO ZONE @@@
 nameif NMS-ILO
 security-level 50
 ip address 172.21.4.1 255.255.255.0 standby 172.21.4.2
 no pim
 no igmp
!
interface Vlan60
 description @@@ PRE PRODUCTION ZONE @@@
 nameif PRE-PROD
 security-level 60
 ip address 172.21.3.1 255.255.255.128 standby 172.21.3.2
 no igmp
!
interface Vlan70
 description @@@ E-COMMERCE ZONE @@@
 nameif E-COMMERCE
 security-level 70
 ip address 172.21.2.129 255.255.255.128 standby 172.21.2.130
 no igmp
!
interface Vlan80
 description @@@ INTERNET SERVER ZONE @@@
 nameif ISERVER
 security-level 80
 ip address 172.21.2.1 255.255.255.128 standby 172.21.2.2
 no igmp
!
interface Vlan90
 description @@@ SERVER ZONE @@@
 nameif SERVER
 security-level 90
 ip address 172.21.1.1 255.255.255.0 standby 172.21.1.2
 dhcprelay server 172.21.2.11
 dhcprelay information trusted
 no igmp
!
interface Vlan100
 description @@@ INSIDE ZONE @@@
 nameif INSIDE
 security-level 100
 ip address 172.21.254.17 255.255.255.248 standby 172.21.254.20
 igmp join-group 224.3.3.5
!
interface Vlan101
 description STATE Failover Interface
!
interface Vlan102
 description LAN Failover Interface
!
route OUTSIDE 0.0.0.0 0.0.0.0 172.21.254.3 1 (default route pointing towards the Internet ASA)
route CSC 10.1.48.112 255.255.255.252 172.21.254.34 1
route CSC 10.10.110.0 255.255.255.0 172.21.254.34 1
route CSC 10.10.112.0 255.255.240.0 172.21.254.34 1
route CSC 10.10.128.0 255.255.248.0 172.21.254.34 1
route CSC 10.10.136.0 255.255.252.0 172.21.254.34 1
route CSC 10.10.140.0 255.255.255.0 172.21.254.34 1
route CSC 10.10.141.0 255.255.255.0 172.21.254.34 1
route CSC 10.10.111.0 255.255.255.0 172.21.254.34 1
route CSC 10.10.133.0 255.255.255.0 172.21.254.34 1
route CSC 192.168.0.126 255.255.255.255 172.21.254.34 1
route CSC 192.168.0.50 255.255.255.255 172.21.254.34 1
route AirtelCSC 10.211.0.0 255.255.0.0 172.21.254.42 1
route HughesCSC 10.40.0.0 255.255.0.0 172.21.254.50 1
route HughesCSC 10.41.0.0 255.255.0.0 172.21.254.50 1
route HughesCSC 192.168.51.7 255.255.255.255 172.21.254.50 1
route HughesCSC 10.1.36.196 255.255.255.252 172.21.254.50 1
route HughesCSC 10.2.2.0 255.255.255.252 172.21.254.50 1
route HughesCSC 221.171.85.110 255.255.255.255 172.21.254.50 1
route HughesCSC 172.21.21.0 255.255.255.252 172.21.254.50 1
route HughesCSC 10.10.255.0 255.255.255.252 172.21.254.50 1
route INSIDE IT-User 255.255.255.128 172.21.254.21 1
route INSIDE 172.21.17.0 255.255.255.128 172.21.254.21 1
route INSIDE 172.21.15.128 255.255.255.128 172.21.254.21 1
route INSIDE 172.21.16.128 255.255.255.128 172.21.254.21 1
route INSIDE 172.21.17.128 255.255.255.128 172.21.254.21 1
route INSIDE 192.168.10.0 255.255.255.192 172.21.254.21 1
route INSIDE 192.168.4.0 255.255.255.0 172.21.254.21 1
route INSIDE 192.168.3.0 255.255.255.0 172.21.254.21 1
route INSIDE 192.168.2.0 255.255.255.0 172.21.254.21 1
route INSIDE 10.6.84.0 255.255.255.0 172.21.254.21 1
route INSIDE 172.21.7.240 255.255.255.240 172.21.254.21 1
route INSIDE 172.21.16.0 255.255.255.128 172.21.254.21 1
route INSIDE 192.168.255.0 255.255.255.0 172.21.254.21 1
route INSIDE MGMT 255.255.255.0 172.21.254.21 1

Primary Core configuration for the FWSM:

firewall multiple-vlan-interfaces
firewall module 1 vlan-group 10
firewall vlan-group 10  10,30,40-42,50,60,70,80,90,100-102
!
ip route 0.0.0.0 0.0.0.0 172.21.254.17 (default route pointing towards the FWSM)

Maybe I am wrong, but I think if we create a GRE tunnel between the Core Switch and Router 1, then we have to make a lot of changes in our configuration?

Is there any other way?

Please suggest.

Thanks a lot in advance.

Regards

Dipak


Hi Dipak,

You don't need to create too much configuration; it is only two steps. Please post the configuration and interfaces of both the Primary Core Switch and Router 1 here.

Regards,

Mohamed

Hi,

We have configured a tunnel on the Primary Core Switch and Router 1. The configuration is mentioned below:

Primary Core Switch:

interface loopback 0
 ip address 2.2.2.1 255.255.255.252
!
interface tunnel 3
 ip address 172.31.24.1 255.255.255.252
 tunnel source loopback 0
 tunnel destination 2.2.2.2

Router 1:

interface loopback 0
 ip address 2.2.2.2 255.255.255.252
!
interface tunnel 3
 ip address 172.31.24.2 255.255.255.252
 tunnel source loopback 0
 tunnel destination 2.2.2.1

When we try to ping the tunnel or loopback IP address (i.e. if we ping 172.31.24.2 from the primary core switch, and vice versa), it is not pinging. We haven't configured anything at the FWSM for the tunnel. I am not able to understand or figure out why it is not pinging. Do I need to configure anything more for the tunnel?

Please suggest.

Thanks a lot in advance.

Regards

Dipak

Mohamed Sobair (Level 7)

Dipak,

You won't be able to ping, of course, because your tunnel source and destination are not routed on the FWSM; you also need to permit communication between the GRE source and destination with an ACL in the Firewall Services Module.

To avoid all of this, I asked you to submit the configuration and interfaces of both Router 1 and Primary Core 1 here. Please post the config and I will suggest a configuration.

Thanks,

Mohamed

As per the above poster, if you post your config we might give you a suggested config.

But in any case you can use the below config:

Primary Core Switch:

interface loopback 0
 ip address 2.2.2.1 255.255.255.252
!
interface tunnel 3
 ip address 172.31.24.1 255.255.255.252
 tunnel source loopback 0
 tunnel destination 2.2.2.2
 ip pim sparse-dense-mode

Remove the ip mroutes you have and add the below one:

ip mroute 0.0.0.0 0.0.0.0 tunnel 3

Router 1:

interface loopback 0
 ip address 2.2.2.2 255.255.255.252
!
interface tunnel 3
 ip address 172.31.24.2 255.255.255.252
 tunnel source loopback 0
 tunnel destination 2.2.2.1
 ip pim sparse-dense-mode

ip mroute 0.0.0.0 0.0.0.0 tunnel 3

In the firewall, allow the GRE tunnel from both sides, in and out, using source and destination as below:

in to out: GRE source 2.2.2.1 destination 2.2.2.2
out to in: GRE source 2.2.2.2 destination 2.2.2.1

Also add a route in the FW for 2.2.2.1 pointing to the L3 switch as next hop, and another route for 2.2.2.2 pointing to R1.

HTH

Hi,

As suggested by you, I have configured the same at the Primary Core Switch, Router 1 and FWSM. From the FWSM we are able to ping only the two loopback IP addresses. The tunnel IP address is not pinging from the FWSM, Primary Core Switch and Router 1, and the loopback address is also not pinging from the Primary Core Switch and Router 1. The following command is not supported by the FWSM:

In the firewall, allow the GRE tunnel from both sides, in and out, using source and destination as below:
in to out: GRE source 2.2.2.1 destination 2.2.2.2
out to in: GRE source 2.2.2.2 destination 2.2.2.1

As suggested by you, we have configured the following routes at the FWSM:

route HughesCSC 2.2.2.2 255.255.255.255 172.21.254.50 1
route INSIDE 2.2.2.1 255.255.255.255 172.21.254.21 1

172.21.254.50 = IP address of the Router 1 interface
172.21.254.21 = IP address of the INSIDE VLAN virtual IP configured at the Primary Core Switch (L3 switch, i.e. 6509)

We have also configured the following ACLs at the FWSM:

access-list HughesCSC_access_in extended permit ip any any
access-list HughesCSC_access_in extended permit igmp any any
access-list inside line 1 extended permit ip any any

While trying to allow IGMP, the following error comes:

[ERROR] access-list inside line 2 extended permit igmp 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
     access-list (inside) is assigned to nat0 acl and can't have protocol or port

Do we need to configure an rp-address at the FWSM?

Please suggest.

Thanks a lot in advance.

Regards

Dipak

Hi

GRE is like a VPN: it encapsulates the IP traffic, so the firewall will not see any multicast traffic; it will see GRE.

That's why you do not need to allow IGMP or enable any multicasting in the firewall.

Once the GRE can pass between your L3 switch and Router 1,

in Router 1 add the following command on its loopback interface:

ip igmp join-group 239.1.1.1

Then from the L3 switch ping 239.1.1.1

and post the show ip mroute.

Make sure the ip mroute is configured as advised above

and that you enable PIM sparse-dense mode on the tunnel interfaces.
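The point made above, that the firewall sees only GRE between the two tunnel endpoints and never the multicast inside it, is worth seeing at the byte level, because it decides both what the FWSM ACL has to permit and what the FWSM can no longer inspect. The script below is an added illustration, not the thread's or Cisco's code: it builds a UDP datagram from the multicast server 192.168.2.131 to group 224.3.3.5 (UDP ports and payload are constructed), wraps it in a base GRE header between the thread's loopbacks 2.2.2.1 and 2.2.2.2, and then shows what a header-only ACL sees before and after decapsulation. The toy `acl_permits` matcher is an assumption standing in for the FWSM's access-list evaluation, not its real implementation.

```python
import struct
from ipaddress import ip_address

GRE_PROTO = 47           # IP protocol number carried in the outer header
IGMP_PROTO = 2
UDP_PROTO = 17
ETHERTYPE_IPV4 = 0x0800  # GRE protocol-type value for an IPv4 payload


def _checksum(data):
    """RFC 1071 one's-complement sum, as used by the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                      proto, 0, ip_address(src).packed, ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def udp_datagram(sport, dport, payload):
    # UDP checksum left at zero (optional over IPv4); enough for a header walk.
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def gre_encapsulate(outer_src, outer_dst, inner_packet):
    """Wrap an IPv4 packet in a base GRE header (no key/sequence/checksum)
    and an outer IPv4 header with protocol 47."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)
    outer = ipv4_header(outer_src, outer_dst, GRE_PROTO, len(gre) + len(inner_packet))
    return outer + gre + inner_packet


def gre_decapsulate(packet):
    """Return the inner IPv4 packet, i.e. what the tunnel endpoint hands to PIM."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTO:
        raise ValueError("not a GRE packet")
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0xB000 or ptype != ETHERTYPE_IPV4:  # C, K or S bit set, or non-IPv4
        raise ValueError("optional GRE fields or non-IPv4 payload not handled")
    return packet[ihl + 4:]


def ip_view(packet):
    """(src, dst, protocol) of the outermost IPv4 header: all that a device
    which does not look inside GRE can match an ACL against."""
    return (str(ip_address(packet[12:16])), str(ip_address(packet[16:20])), packet[9])


def acl_permits(packet, rules):
    """Toy first-match ACL (assumption, not the FWSM's evaluation logic).
    rules: (protocol, src, dst); protocol is a number or 'ip', addresses may be 'any'."""
    src, dst, proto = ip_view(packet)
    for rule_proto, rule_src, rule_dst in rules:
        if rule_proto not in ("ip", proto):
            continue
        if rule_src not in ("any", src) or rule_dst not in ("any", dst):
            continue
        return True
    return False


def build_sample():
    """Constructed sample: multicast UDP from the server to 224.3.3.5, carried
    over the thread's GRE tunnel 2.2.2.1 -> 2.2.2.2. Ports and payload are made up."""
    payload = b"lesson"
    inner = ipv4_header("192.168.2.131", "224.3.3.5", UDP_PROTO,
                        8 + len(payload), ttl=16) + udp_datagram(5000, 5000, payload)
    return gre_encapsulate("2.2.2.1", "2.2.2.2", inner)


if __name__ == "__main__":
    pkt = build_sample()
    print("firewall sees:       ", ip_view(pkt))
    print("tunnel endpoint sees:", ip_view(gre_decapsulate(pkt)))
    # A 'permit igmp any any' (what the thread tried) never matches this packet;
    # a GRE permit between the two loopbacks does.
    print("igmp any any permits:", acl_permits(pkt, [(IGMP_PROTO, "any", "any")]))
    print("gre 2.2.2.1 -> 2.2.2.2 permits:",
          acl_permits(pkt, [(GRE_PROTO, "2.2.2.1", "2.2.2.2")]))
```

The defensive corollary is the one the thread brushes past as "less secure": once multicast rides the tunnel, the FWSM enforces nothing on the inner 224.3.3.5 traffic, so the GRE permit should be scoped to exactly the two loopback addresses, and any filtering of the multicast itself has to happen on the tunnel endpoints (for example an ACL on the tunnel interfaces of the 6509 and Router 1).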

Hi,

Please go through the following configuration of Router 1 and the Primary Core Switch:

Router 1:

ip multicast-routing
!
interface Tunnel3
 ip address 172.31.24.2 255.255.255.252
 ip pim sparse-dense-mode
 tunnel source Loopback0
 tunnel destination 2.2.2.1
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.252
!
interface Loopback1
 no ip address
!
interface GigabitEthernet0/0
 bandwidth 1024
 ip address 10.1.36.198 255.255.255.252
 ip load-sharing per-packet
 ip nbar protocol-discovery
 duplex auto
 speed auto
 media-type rj45
 negotiation auto
 max-reserved-bandwidth 100
!
interface GigabitEthernet0/1
 ip address 172.21.254.50 255.255.255.248
 ip nbar protocol-discovery
 ip flow ingress
 ip pim sparse-dense-mode
 ip route-cache flow
 ip igmp join-group 224.3.3.5
 duplex auto
 speed auto
 media-type rj45
 negotiation auto
!
interface Serial0/3/0
 bandwidth 2048
 ip address 10.2.2.1 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip load-sharing per-packet
 ip nbar protocol-discovery
 ip pim sparse-dense-mode
 encapsulation ppp
 fair-queue
 max-reserved-bandwidth 100
!
ip route 0.0.0.0 0.0.0.0 10.2.2.2
ip route 0.0.0.0 0.0.0.0 10.1.36.197
ip route 10.40.0.0 255.255.0.0 10.2.2.2
ip route 10.40.0.0 255.255.0.0 10.1.36.197
ip route 10.41.0.0 255.255.0.0 10.2.2.2
ip route 10.41.0.0 255.255.0.0 10.1.36.197
ip route 172.21.0.0 255.255.0.0 172.21.254.49
ip route 172.21.1.0 255.255.255.0 172.21.254.49
ip route 172.21.2.0 255.255.255.0 172.21.254.49
ip route 172.21.10.0 255.255.255.0 172.21.254.49
ip route 172.21.15.0 255.255.255.0 172.21.254.49
ip route 192.168.1.0 255.255.255.0 172.21.254.49
ip route 192.168.2.0 255.255.255.0 172.21.254.49
ip route 192.168.3.0 255.255.255.0 172.21.254.49
ip route 192.168.4.0 255.255.255.0 172.21.254.49

Primary Core Switch:

firewall multiple-vlan-interfaces
firewall module 1 vlan-group 10
firewall vlan-group 10  10,30,40-42,50,60,70,80,90,100-102
intrusion-detection module 4 management-port access-vlan 204
intrusion-detection module 4 data-port 1 capture allowed-vlan 201
!
ip multicast-routing
!
interface Loopback0
 ip address 2.2.2.1 255.255.255.252
!
interface Tunnel3
 ip address 172.31.24.1 255.255.255.252
 ip pim sparse-dense-mode
 tunnel source Loopback0
 tunnel destination 2.2.2.2
!
interface Vlan100
 ip address 172.21.254.18 255.255.255.248
 ip pim sparse-dense-mode
 ip route-cache flow
 ip igmp static-group 224.3.3.5
 standby 100 ip 172.21.254.21
 standby 100 priority 110
 standby 100 preempt
!
ip route 0.0.0.0 0.0.0.0 172.21.254.17
ip route 192.168.1.0 255.255.255.0 172.31.255.250
ip route 192.168.2.0 255.255.255.0 172.31.255.250
ip route 192.168.3.0 255.255.255.0 172.31.255.250
ip route 192.168.4.0 255.255.255.0 172.31.255.250
!
ip mroute 0.0.0.0 0.0.0.0 Tunnel3

Please suggest.

Thanks a lot in advance.

Regards

Dipak

Add this to Router 1:

ip mroute 0.0.0.0 0.0.0.0 Tunnel3

and permit GRE over the FW.

Then from the switch do ping 224.3.3.5

and provide the ping result and the show ip mroute after the ping.
