08-22-2019 05:13 AM
Hi all,
I want to use MSDP to exchange multicast sources between different customer network domains where no BGP is used but OSFP.
Each domain uses it's own two rp for redundancy with anycast rp (without msdp meshgroups). Multicast routing protocol is PIM-SM. Routers learn default route via OSPF from firewall (and few more routes not relavant for this scenario). Routers are Cat6K, Firewall is third party.
I want to use MSDP peerings in a hierarchical design like shown below.
MSDP SAs originated in central site are accepted at the other sites and vice versa. Also multicast traffic works fine between central site and the other sites which means pim works as expected.
But MSDP SAs originated e.g. at site A (and "relayed" from central site) are not accepted at site B.
I played with local mesh groups between rp, originator id, and rfc3618 compliance activation, but I didn't find a working solution.
In debugging I see the following error message e.g. on site B router:
Peer RPF check failed for <rp ip address>, used ? route's peer 0.0.0.0
After activating rfc3618 compliance (ip msdp rpf rfc3618) error message is
<msdp peer ip address>: RPF check failed for <rp ip address>
I read cisco documentation (https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipmulti_pim/configuration/xe-16/imc-pim-xe-16-book/imc-msdp-im-pim-sim.pdf) and also rfc3618 and 4611.
In my understanding it seems that a scenario like this is not supported because of the Peer-RPF check which can not be successful here.
Does anybody know if it's possible to get MSDP working in this scenario?
Unfortunately using BGP is not an option.
I also thought about using a meshgroup between all rp but this does not scale well because there are several sites and many msdp peerings. Also SA filtering would be easy in the scenario above where it could be done at central site.
Thanks a lot in advance
Thorsten
08-26-2019 05:41 AM
Hello Thorsten,
>>
<source> --- <rp = msdp peer 1> --- <intermediate msdp peer 2> --- <msdp peer 3>
Actually you have:
<source> --- <rp = msdp peer 1> --- <intermediate msdp peer 2> - FW OSPF peer -- <msdp peer 3>
If my understanding is correct the FW is the OSPF neighbor of each router so it is not possible to satisfy the RFC 3618 condition that IGP next-hop is also the intermediate MSDP peer as the FW is on the path.
Deploying point to point GRE tunnels to hide the FW next-hop could be a solution but the risk is to create recursive routing error is high.
For using p2p GRE tunnels you should disable PIM on current OSPF links and use PIM only on the GRE links.
I don't know if it is possible to create a working solution for all aspects.
Hope to help
Giuseppe
08-26-2019 06:13 AM
Hello Guiseppe,
you are right.
But SAs are also not accepted by central site RT2 when received from direct msdp neighbor central site RT1 (originated from Site A/B RT1).
<source>
<rp Site A = msdp peer>
<FW OSPF peer>
<Central Site RT1 = intermediate msdp peer>
<Central Site RT2 = msdp peer>
So in my understanding the firewall does not play a role.
Anyway, I'll try to build a small gns3 lab network in the next days to check this.
Best regards
Thorsten
08-26-2019 06:28 AM
Hello Thorsten,
yes for central site RT1 to RT2 what happens is that the OSPF next-hop is a physical IP address and the MSDP peer is a loopback address so they are different.
You are right that also in this case RT2 is not able to accept indirect SA messages propagated by RT1 even if the FW is not on the path.
I was referring to what happens on site B looking at SA messages received from a central site router.
If the number of involved routers is not high a full mesh of MSDP sessions can be used to avoid the issues with indirect MSDP SA messages.
Hope to help
Giuseppe
08-30-2019 01:37 AM
Hello Giuseppe,
we've up to 10 routing domains to be connected which would be very complicated to full mesh all msdp peers within.
Anyway, this seems to be the only working solution at the moment in our scenario.
I finished tests in gns3 lab, I found out the following:
SW3 and SW4 in the following pictures accepted msdp sa messages from SW2 only after the above mentioned conditions were met, that means especially msdp peerings were not between the shown MSDP /32 loopback ip addresses but the ip addresses of the physical interfaces (networks 10.2.2.0, 10.3.3.0, 10.4.4.0)
debug msdp message of accepted sa messages looks like the following:
*Aug 30 07:10:27.622: MSDP(0): 10.3.3.1: Received 20-byte msg 1165 from peer
*Aug 30 07:10:27.625: MSDP(0): 10.3.3.1: SA TLV, len: 20, ec: 1, RP: 10.100.1.2
*Aug 30 07:10:27.626: MSDP(0): 10.3.3.1: RPF check passed for 10.100.1.2, Peer is IGP next hop of best route
*Aug 30 07:10:27.631: MSDP(0): WAVL Insert SA Source 10.10.10.2 Group 239.192.0.1 RP 10.100.1.2 Successful
In our case this concept is not an option because we have lots of routers, and also the firewall between the routing domains, and we don't want to activate msdp on all this systems.
My conclusion here is that (at least) on catalyst switches MSDP with IGP like OSPF instead of BGP does not scale well in enterprise size high availability networks.
So we will evaluate full mesh with mesh groups now :-(
Best regards
Thorsten
08-30-2019 03:25 AM
Hello Thorsten,
thanks for sharing the results of your GNS3 lab test
>> *Aug 30 07:10:27.626: MSDP(0): 10.3.3.1: RPF check passed for 10.100.1.2, Peer is IGP next hop of best route
We finally see this happening !
But yes it is not a viable option for your production network.
Hope to help
Giuseppe
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide