Hi all,
I want to use MSDP to exchange multicast sources between different customer network domains where no BGP is used but OSFP.
Each domain uses it's own two rp for redundancy with anycast rp (without msdp meshgroups). Multicast routing protocol is PIM-SM. Routers learn default route via OSPF from firewall (and few more routes not relavant for this scenario). Routers are Cat6K, Firewall is third party.
I want to use MSDP peerings in a hierarchical design like shown below.
MSDP SAs originated in central site are accepted at the other sites and vice versa. Also multicast traffic works fine between central site and the other sites which means pim works as expected.
But MSDP SAs originated e.g. at site A (and "relayed" from central site) are not accepted at site B.
I played with local mesh groups between rp, originator id, and rfc3618 compliance activation, but I didn't find a working solution.
In debugging I see the following error message e.g. on site B router:
Peer RPF check failed for <rp ip address>, used ? route's peer 0.0.0.0
After activating rfc3618 compliance (ip msdp rpf rfc3618) error message is
<msdp peer ip address>: RPF check failed for <rp ip address>
I read cisco documentation (https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipmulti_pim/configuration/xe-16/imc-pim-xe-16-book/imc-msdp-im-pim-sim.pdf) and also rfc3618 and 4611.
In my understanding it seems that a scenario like this is not supported because of the Peer-RPF check which can not be successful here.
Does anybody know if it's possible to get MSDP working in this scenario?
Unfortunately using BGP is not an option.
I also thought about using a meshgroup between all rp but this does not scale well because there are several sites and many msdp peerings. Also SA filtering would be easy in the scenario above where it could be done at central site.
Thanks a lot in advance
Thorsten
Hello Giuseppe,
we've up to 10 routing domains to be connected which would be very complicated to full mesh all msdp peers within.
Anyway, this seems to be the only working solution at the moment in our scenario.
I finished tests in gns3 lab, I found out the following:
- without redundant msdp peerings no rpf check is done, so every received msdp sa is accepted
- with redundancy in msdp peerings (like shown in picture below for sw2, sw3, sw4) rpf check only works when all of the following conditions are met
- all (!) routing hops between two (or more) rp use msdp, with msdp peerings between all directly connected neighbor routers
- ip addresses of physical interfaces are used for msdp peerings (not loopback ip addresses) -> because rpf check checks for each received sa message if (unicast routing) next hop ip address in direction of originating rp is the ip address of the msdp peer sending the sa message
- msdp rfc 3618 compliance is activated on all msdp peers -> without activating, received sa messages are not accepted
SW3 and SW4 in the following pictures accepted msdp sa messages from SW2 only after the above mentioned conditions were met, that means especially msdp peerings were not between the shown MSDP /32 loopback ip addresses but the ip addresses of the physical interfaces (networks 10.2.2.0, 10.3.3.0, 10.4.4.0)
debug msdp message of accepted sa messages looks like the following:
*Aug 30 07:10:27.622: MSDP(0): 10.3.3.1: Received 20-byte msg 1165 from peer
*Aug 30 07:10:27.625: MSDP(0): 10.3.3.1: SA TLV, len: 20, ec: 1, RP: 10.100.1.2
*Aug 30 07:10:27.626: MSDP(0): 10.3.3.1: RPF check passed for 10.100.1.2, Peer is IGP next hop of best route
*Aug 30 07:10:27.631: MSDP(0): WAVL Insert SA Source 10.10.10.2 Group 239.192.0.1 RP 10.100.1.2 Successful
In our case this concept is not an option because we have lots of routers, and also the firewall between the routing domains, and we don't want to activate msdp on all this systems.
My conclusion here is that (at least) on catalyst switches MSDP with IGP like OSPF instead of BGP does not scale well in enterprise size high availability networks.
So we will evaluate full mesh with mesh groups now :-(
Best regards
Thorsten
