Need help to integrate two multicast networks

Chhabi Thapa
Level 1

HELP HELP HELP

Need help to connect NETWORK A and NETWORK B.

[Attachment: NC.png (network diagram)]
NETWORK A:

1. Endpoints - 20,000 in total, including 12,000 cameras and SOC workstations.
2. Cisco ISE 2.4
3. IGMP v2
4. OSPF is used as IGP.
5. iBGP neighborship is formed from all Site A/B and X devices to both Route Reflectors.
6. IGMP v2 for multicast
7. Separate VRFs for different services.
8. SITE A/B Nexus-VSS configured, and CORE and PEs Nexus vPC configured
9. All the endpoints are authenticated with ISE.

NETWORK B:

1. Endpoints - 6,000
2. LAN design and setup: NO CLUE.
3. Core switches - VSS

Project Requirement:

1. Only the SOC team from NETWORK B should be able to access the NETWORK A servers and NETWORK B cameras.
2. NETWORK B workstations should be authenticated with NETWORK A ISE.
3. Connection failure between NETWORK A and NETWORK B should not impact NETWORK B workstations (ISE failure).

---------------------------------------------------------------------------------------------------

EDIT :

---------------------------------------------------------------------------------------------------

I'll try to elaborate the current scenario as much as I can.


Client: Same client, but two different teams for Network A and Network B, and separate Active Directory domains.

Network Setup:

1. All PE11, PE12, PE21, PE22 have one common IP which is used as a multicast RP by other sites.
2. Firewall cluster is behind all PEs.
3. All camera traffic bypasses the firewall, but all other endpoint traffic passes through the firewall, including ISE.
4. All the links from sites and PEs to core are L3.

Project Phase:

Phase 1: Connect both SITE A and SITE B to SITE X (we already have 4 other pairs at 4 sites, similar to the SITE A/B requirement).
Phase 2: Connect Network B to SITE A. Test network reachability and all applications.
Phase 3: Connect Network B to SITE B. Test network reachability and all applications.

 

5 Replies

Hello,

What do you have configured so far? What are L2 and what are L3 devices? Post the configs of all relevant devices, including IP addresses...

Hi Georg,

The devices we are using are mentioned in the right corner of the drawing, and all PEs and site devices are acting as L2/L3 devices. Regarding configs, I'm really sorry, as I can't share them here on a public platform. But I've provided more information in the EDIT section.

balaji.bandi
Hall of Fame

Interesting design. I'd like to know more information; as suggested in the other post, we would like to see where you are up to and where you got stuck.

BB


Giuseppe Larosa
Hall of Fame

Hello Chhabi,

Your thread title suggests that you would like to perform multicast routing between two networks, A and B.

From what you have written, we understand the following:

a) You have complete control or knowledge of network A and almost no knowledge of network B.

This can happen if you are in the network team of the company that owns and uses network A, or if that company is your customer.

Of network B you know that they use multicast (Any Source Multicast, ASM, which uses IGMP version 2, or SSM, which uses IGMP v3; this is an important aspect that you need to know to build multicast inter-network routing) and that they have a VSS pair as the front end towards you.

M-BGP (= MP-BGP for address family ipv4 multicast) and MSDP can be a good set of tools, with MSDP spoken between the RPs of each network.

This is quite classic and not so challenging (you just need to take care of RPF checks on the multiple links between Network A and Network B; they must agree on what the best path for multicast is, in both directions).

 

b) Then you provide a list of requirements that look more related to unicast communications:

>>

Project Requirement:

1. Only the SOC team from NETWORK B should be able to access the NETWORK A servers and NETWORK B cameras.
2. NETWORK B workstations should be authenticated with NETWORK A ISE.
3. Connection failure between NETWORK A and NETWORK B should not impact NETWORK B workstations (ISE failure).

Authentication with ISE for a multicast receiver is something that is simply not possible, as far as I know. So I look at this set of requirements as referring to unicast communications.

 

Can you clarify these points and provide more details, as suggested by Georg and Balaji?

 

 

Hope to help

Giuseppe

 

 

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello Chhabi,

 

>>

I'll try to elaborate the current scenario as much as I can.

Client: Same client, but two different teams for Network A and Network B, and separate Active Directory domains.

Network Setup:

1. All PE11, PE12, PE21, PE22 have one common IP which is used as a multicast RP by other sites.
2. Firewall cluster is behind all PEs.
3. All camera traffic bypasses the firewall, but all other endpoint traffic passes through the firewall, including ISE.
4. All the links from sites and PEs to core are L3.

Project Phase:

Phase 1: Connect both SITE A and SITE B to SITE X (we already have 4 other pairs at 4 sites, similar to the SITE A/B requirement).
Phase 2: Connect Network B to SITE A. Test network reachability and all applications.
Phase 3: Connect Network B to SITE B. Test network reachability and all applications.

 

1) >> All PE11, PE12, PE21, PE22 have one common IP which is used as a multicast RP by other sites.

Do you mean an anycast RP solution? You will need MSDP running between these devices to build an anycast RP solution.

 

What kind of MVPN is implemented? The old GRE-based draft-Rosen (using GRE encapsulation and global-routing-table multicast addresses), or the newer NG-MVPN (using mLDP, MP-BGP)?

 

>> 2. Firewall cluster is behind all PEs.

OK, this is normal.

>> 3. All camera traffic bypasses the firewall, but all other endpoint traffic passes through the firewall, including ISE.

This means the cameras are in a dedicated VRF and they have a direct path that bypasses the FWs?

>> 4. All the links from sites and PEs to core are L3.

It is a combination of MPLS L3 VPN and a form of MVPN, so L3 routed links are needed.

 

About the Project Phase:

 

>> Phase 1: Connect both SITE A and SITE B to SITE X (we already have 4 other pairs at 4 sites, similar to the SITE A/B requirement).

Looking at your network diagram, we see that SITE A and SITE B are intermediate "POPs" between Network A and Network B.

This should be easy: if each pair of Cisco 6880 is in a VSS pair, they will act as a single network device.

You need to enable all the required protocols, which may include:

- BGP for the unicast address family
- BGP for the multicast address family
- MSDP
- PIM SM

 

>> Phase 2: Connect Network B to SITE A. Test network reachability and all applications.

This again requires enabling all the required protocols, which may include:

- BGP for the unicast address family
- BGP for the multicast address family
- MSDP
- PIM SM

 

>> Phase 3: Connect Network B to SITE B. Test network reachability and all applications.

For multicast, when you connect Network B to both SITE A and SITE B you have redundancy that you must manage.

One path, for example via SITE A, will be primary both for Network B to Network A and for the opposite direction.

SITE B should be used only when SITE A is not available.

You can play with BGP weight or local preference to make routes via SITE A preferred on SITE X and on Network B.

Hint: unicast traffic supports load balancing; multicast traffic does not support it by default.

 

Hope to help

Giuseppe
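The following is an added example to make the pieces listed across Giuseppe's two replies concrete: an anycast RP held together with MSDP, the protocol list for a border site (BGP unicast and multicast address families, MSDP, PIM SM), and BGP local preference used so that SITE A is the primary path and the RPF check agrees on both sides of the two links. It is not configuration from the thread or from any of the posters. It is written in IOS syntax (the Catalyst 6880 VSS pairs in the thread run IOS; the Nexus boxes use NX-OS, whose commands differ), and every address, AS number, interface name, ACL number, mesh-group name and group range is a placeholder chosen for illustration.

```cisco
! Added example, not configuration from the thread or from any poster.
! All addresses, AS numbers, interface names, ACL numbers and group ranges
! are placeholders.
!
! ===== Part 1: on each anycast-RP member (PE11/PE12/PE21/PE22) =====
ip multicast-routing
!
interface Loopback0
 description unique router ID, MSDP originator and peering source
 ip address 10.255.0.11 255.255.255.255
 ip pim sparse-mode
!
interface Loopback1
 description anycast RP address, identical on all four PEs
 ip address 10.255.255.1 255.255.255.255
 ip pim sparse-mode
!
! Every router in Network A points at the shared address; unicast routing
! picks the nearest PE, so the PEs must exchange Source-Active state over MSDP
! or a source registered at one PE is invisible to receivers joined at another.
ip pim rp-address 10.255.255.1
!
! originator-id must be the unique loopback, never the anycast address,
! otherwise peers see their own address as the RP and drop the SA messages.
ip msdp originator-id Loopback0
ip msdp peer 10.255.0.12 connect-source Loopback0
ip msdp peer 10.255.0.21 connect-source Loopback0
ip msdp peer 10.255.0.22 connect-source Loopback0
ip msdp mesh-group ANYCAST-RP 10.255.0.12
ip msdp mesh-group ANYCAST-RP 10.255.0.21
ip msdp mesh-group ANYCAST-RP 10.255.0.22
!
! ===== Part 2: on the SITE A border (6880 VSS) facing Network B =====
! Part 1's "ip multicast-routing" and "ip pim rp-address" apply here as well,
! since the border is still inside Network A's PIM domain.
interface Loopback0
 description border router ID and MSDP/BGP source
 ip address 10.255.0.101 255.255.255.255
 ip pim sparse-mode
!
interface TenGigabitEthernet1/1/1
 description L3 link to Network B core VSS
 ip address 192.0.2.1 255.255.255.252
 ip pim sparse-mode
 ! PIM domain boundary: only the camera range may be joined or forwarded
 ! across this link, and Auto-RP/BSR announcements do not leak either way.
 ip multicast boundary 10 filter-autorp
!
access-list 10 permit 239.100.0.0 0.0.255.255
!
! MSDP to Network B's RP. The SA filters are the control point between the
! two administrative domains: only camera groups are announced or accepted.
ip msdp peer 198.51.100.1 connect-source Loopback0 remote-as 65002
ip msdp sa-filter in 198.51.100.1 list 101
ip msdp sa-filter out 198.51.100.1 list 101
access-list 101 permit ip any 239.100.0.0 0.0.255.255
!
router bgp 65001
 bgp router-id 10.255.0.101
 neighbor 192.0.2.2 remote-as 65002
 address-family ipv4 unicast
  neighbor 192.0.2.2 activate
  neighbor 192.0.2.2 route-map PREFER-SITEA in
 exit-address-family
 !
 ! The multicast address family carries RPF-only routes, so multicast can be
 ! pinned to one site even if unicast were later load-balanced over both.
 address-family ipv4 multicast
  neighbor 192.0.2.2 activate
  neighbor 192.0.2.2 route-map PREFER-SITEA in
 exit-address-family
!
! SITE A sets 200; SITE B leaves the default 100, so SITE A wins BGP best
! path in both address families while it is up and SITE B takes over only
! on failure. Network B must apply the mirror policy toward SITE A, or the
! two domains disagree on the RPF interface and (S,G) state never builds.
route-map PREFER-SITEA permit 10
 set local-preference 200
```

To check that the two sides agree, run `show ip rpf <camera source>` on the Network A border and on the Network B core: both should name the SITE A link as the RPF interface while SITE A is up, and flip to SITE B together when it is down. `show ip msdp sa-cache` on a PE should list only the groups permitted by ACL 101, and `show ip pim rp mapping` on any Network A router should show the single anycast address as the RP. Requirement 3 in the original post (Network B workstations must survive a cut between the networks) is a unicast and ISE-deployment question that this multicast configuration does not address.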

 

 
