• Introduction
• Prerequisites
• Configure
• Verify
• Related Information

Introduction

This document provides a sample configuration of stub multicast routing on the ASA and how to test using third party tools.

Prerequisites

Requirements

The document assumes the reader have full understanding on how multicast traffic flows and multicast terminologies.

As a summary, stub multicast routing on the ASA firewall is setting up the appliance to act as an IGMP proxy agent.  The ASA will forward the IGMP messages (join and leave) received from the ingress interface (e.g. inside) towards the egress interface (e.g. outside). In addition, the forwarded IGMP message source address will be modified to use the ASA engress ip address therefore not exposing the inside ip address to the outside.

Stub multicast routing is useful when the network does not need to participate in PIM.

In order for the multicast stream to be routed, multicast-routing must still be enabled. However, both PIM and Stub multicast routing are not supported concurrently. As a result, you need to disable any PIM parameters configured on the ASA (e.g. pim rp-address) to avoid conflict.  There is no need to specifically disable pim on the interfaces.

The sample configuration will simulate a multicast sender on the outside and receiver on the inside.

Components Used

Following components are used on this setup

• ASA 5505 running 8.4.1

• iperf traffic generator

Note: iperf is a freeware software that can be downloaded from the internet. Its available both on windows and unix/linux machines.

Configure

This section describes the information you need to configure the features described in this document.

Step 1. Enable multicast routing

   asa(config)# multicast-routing

Step 2. Remove any PIM specific configuration on the ASA if  there's any

   asa(config)# no pim rp-address x.x.x.x

Step 3. Enable igmp forward

  asa(config)# interface vlan1

  asa(config-if)# igmp forward interface outside

Step 4. Since the multicast stream will come from the outside, access-list is required

  asa(config)# access-list outside_in permit udp any host 239.1.1.1

    asa(config)# access-group outside_in in interface outside

Network Diagram

This document uses this network topology:

     sender---(outside)ASA5505(inside)----receiver

sender: 171.69.89.21

recevier: 192.168.16.203

multicast group: 239.1.1.1

Configurations

This document uses these configurations (stripped unnecessary lines) :

ASA Version 8.4(1)

!

hostname asa

domain-name cisco.com

multicast-routing

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.16.1 255.255.255.0

igmp forward interface outside

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

object network obj_any

  subnet 192.168.16.0 255.255.255.0

!

access-list outside_in extended permit udp any host 239.1.1.1

access-group outside_in in interface outside

!

object network obj_any

nat (inside,outside) dynamic interface

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect icmp

service-policy global_policy global

!

Verify

Use this section to confirm that your configuration works properly.

Step 1.  Install iperf both on the sender and receiver machines

Step 2.  Prepare the receiver to request for the multicast traffic on the preferred multicast group

On the receiver, execute the following iperf command.

     iperf -s -u -B 239.1.1.1 -i 1

     s – server

     u – udp

     B – binding

     i - interval

Note: Use the iperf documentation to learn more about the options used above.

The above iperf command will send an IGMP join to 239.1.1.1. To verify the ASA receives this, the “show igmp groups” can be used.

asa(config)# sh igmp groups

IGMP Connected Group Membership

Group Address    Interface            Uptime    Expires   Last Reporter

239.1.1.1        inside               00:00:02  00:04:18  192.168.16.203

In addition, the ASA will populate a shared tree (*,G) entry on the mroute table.

asa(config)# sh mroute 239.1.1.1

Multicast Routing Table

Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group,

       C - Connected, L - Local, I - Received Source Specific Host Report,

       P - Pruned, R - RP-bit set, F - Register flag, T - SPT-bit set,

       J - Join SPT

Timers: Uptime/Expires

Interface state: Interface, State

(*, 239.1.1.1), 00:00:52/never, RP 0.0.0.0, flags: DC

  Incoming interface: Null

  RPF nbr: 0.0.0.0

  Immediate Outgoing interface list:

    inside, Forward, 00:00:52/never

Step 3.  Start sending multicast stream.

On the sender, execute the following

     iperf -c 239.1.1.1 -u -T 1 -t 3 -i 1

     c – client

     u – UDP

     T – ttl

          t - time

     i - interval

The ASA mroute table will have a source tree (S,G) entry for the sender upon receiving the traffic stream.

asa(config)# sh mroute 239.1.1.1

Multicast Routing Table

Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group,

       C - Connected, L - Local, I - Received Source Specific Host Report,

       P - Pruned, R - RP-bit set, F - Register flag, T - SPT-bit set,

       J - Join SPT

Timers: Uptime/Expires

Interface state: Interface, State

(*, 239.1.1.1), 00:04:08/never, RP 0.0.0.0, flags: DC

  Incoming interface: Null

  RPF nbr: 0.0.0.0

  Immediate Outgoing interface list:

    inside, Forward, 00:04:08/never

(171.69.89.21, 239.1.1.1), 00:00:19/00:03:10, flags: DJT

  Incoming interface: outside

  RPF nbr: 171.69.89.21

  Inherited Outgoing interface list:

    inside, Forward, 00:04:08/never

Following are the outputs of iperf from the test above.

Sender

sender@ubuntu:~$ iperf -c 239.1.1.1 -u -T 1 -t 3 -i 1
------------------------------------------------------------
Client connecting to 239.1.1.1, UDP port 5001
Sending 1470 byte datagrams
Setting multicast TTL to 1
UDP buffer size:  112 KByte (default)
------------------------------------------------------------
[  3] local 171.69.89.21 port 42094 connected with 239.1.1.1 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0- 1.0 sec   129 KBytes  1.06 Mbits/sec
[  3]  1.0- 2.0 sec   128 KBytes  1.05 Mbits/sec
[  3]  2.0- 3.0 sec   128 KBytes  1.05 Mbits/sec
[  3]  0.0- 3.0 sec   386 KBytes  1.05 Mbits/sec
[  3] Sent 269 datagrams
rpunzala@rpunzala-lnx:~$

Receiver

receiver@ubuntu:~$ iperf -s -u -B 239.1.1.1 -i 1

------------------------------------------------------------

Server listening on UDP port 5001

Binding to local address 239.1.1.1

Joining multicast group  239.1.1.1

Receiving 1470 byte datagrams

UDP buffer size:   112 KByte (default)

------------------------------------------------------------

[  3] local 239.1.1.1 port 5001 connected with 171.69.89.21 port 42094

[ ID] Interval       Transfer     Bandwidth       Jitter   Lost/Total Datagrams

[  3]  0.0- 1.0 sec    128 KBytes  1.05 Mbits/sec  0.103 ms    0/   89 (0%)

[  3]  1.0- 2.0 sec    128 KBytes  1.05 Mbits/sec  0.095 ms    0/   89 (0%)

[  3]  2.0- 3.0 sec    128 KBytes  1.05 Mbits/sec  0.035 ms    0/   89 (0%)

[  3]  0.0- 3.0 sec    386 KBytes  1.05 Mbits/sec  0.049 ms    0/  269 (0%)

Related Information

Checkout the configuration guide for more info about ASA multicast routing