Ronaldo Renato Punzalan
Cisco Employee

 

 

Introduction

 

This document provides a sample configuration of stub multicast routing on the ASA and shows how to test it using third-party tools.

 

Prerequisites

Requirements

 

This document assumes the reader fully understands how multicast traffic flows and is familiar with multicast terminology.

 

In summary, stub multicast routing on the ASA firewall sets up the appliance to act as an IGMP proxy agent. The ASA forwards the IGMP messages (join and leave) received on the ingress interface (e.g. inside) towards the egress interface (e.g. outside). In addition, the source address of the forwarded IGMP message is rewritten to the ASA egress IP address, so the inside IP address is not exposed to the outside.

 

Stub multicast routing is useful when the network does not need to participate in PIM.

 

In order for the multicast stream to be routed, multicast-routing must still be enabled. However, PIM and stub multicast routing are not supported concurrently. As a result, you need to remove any PIM parameters configured on the ASA (e.g. pim rp-address) to avoid a conflict. There is no need to specifically disable PIM on the interfaces.

 

The sample configuration will simulate a multicast sender on the outside and receiver on the inside.

 

 

Components Used

 

The following components are used in this setup:

 

  • ASA 5505 running 8.4.1

  • iperf traffic generator

 

Note: iperf is freeware that can be downloaded from the internet. It is available for both Windows and Unix/Linux machines.

 

 

Configure

 

This section describes the information you need to configure the features described in this document.

 

Step 1. Enable multicast routing

 

   asa(config)# multicast-routing

 

 

Step 2. Remove any PIM-specific configuration on the ASA, if there is any

 

   asa(config)# no pim rp-address x.x.x.x

 

 

Step 3. Enable igmp forward

 

  asa(config)# interface vlan1

  asa(config-if)# igmp forward interface outside

 

 

Step 4. Since the multicast stream will come from the outside, an access list is required

 

  asa(config)# access-list outside_in permit udp any host 239.1.1.1

  asa(config)# access-group outside_in in interface outside

 

 

 

Network Diagram

 

This document uses this network topology:

 

     sender---(outside)ASA5505(inside)----receiver

 

 

 

sender: 171.69.89.21

receiver: 192.168.16.203

multicast group: 239.1.1.1

 

 

Configurations

 

This document uses this configuration (unnecessary lines stripped):

 

ASA Version 8.4(1)

!

hostname asa

domain-name cisco.com

multicast-routing

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.16.1 255.255.255.0

igmp forward interface outside

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

object network obj_any

  subnet 192.168.16.0 255.255.255.0

!

access-list outside_in extended permit udp any host 239.1.1.1

access-group outside_in in interface outside

!

object network obj_any

nat (inside,outside) dynamic interface

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect icmp

service-policy global_policy global

!

 

 

 

Verify

 

Use this section to confirm that your configuration works properly.

 

Step 1.  Install iperf both on the sender and receiver machines

 

Step 2.  Prepare the receiver to request the multicast traffic for the preferred multicast group

 

On the receiver, execute the following iperf command.

 

     iperf -s -u -B 239.1.1.1 -i 1

 

     s – server

     u – udp

     B – binding

     i - interval

 

Note: Use the iperf documentation to learn more about the options used above.

 

The above iperf command will send an IGMP join for 239.1.1.1. To verify that the ASA receives it, use the “show igmp groups” command.

 

 

asa(config)# sh igmp groups

IGMP Connected Group Membership

Group Address    Interface            Uptime    Expires   Last Reporter

239.1.1.1        inside               00:00:02  00:04:18  192.168.16.203

 

 

 

In addition, the ASA will populate a shared tree (*,G) entry on the mroute table.

 

asa(config)# sh mroute 239.1.1.1

 

Multicast Routing Table

Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group,

       C - Connected, L - Local, I - Received Source Specific Host Report,

       P - Pruned, R - RP-bit set, F - Register flag, T - SPT-bit set,

       J - Join SPT

Timers: Uptime/Expires

Interface state: Interface, State

 

(*, 239.1.1.1), 00:00:52/never, RP 0.0.0.0, flags: DC

  Incoming interface: Null

  RPF nbr: 0.0.0.0

  Immediate Outgoing interface list:

    inside, Forward, 00:00:52/never

 

 

 

 

Step 3.  Start sending multicast stream.

 

On the sender, execute the following

 

     iperf -c 239.1.1.1 -u -T 1 -t 3 -i 1

 

     c – client

     u – UDP

     T – ttl

     t - time

     i - interval

 

 

The ASA mroute table will have a source tree (S,G) entry for the sender upon receiving the traffic stream.

 

asa(config)# sh mroute 239.1.1.1

 

Multicast Routing Table

Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group,

       C - Connected, L - Local, I - Received Source Specific Host Report,

       P - Pruned, R - RP-bit set, F - Register flag, T - SPT-bit set,

       J - Join SPT

Timers: Uptime/Expires

Interface state: Interface, State

 

(*, 239.1.1.1), 00:04:08/never, RP 0.0.0.0, flags: DC

  Incoming interface: Null

  RPF nbr: 0.0.0.0

  Immediate Outgoing interface list:

    inside, Forward, 00:04:08/never

 

(171.69.89.21, 239.1.1.1), 00:00:19/00:03:10, flags: DJT

  Incoming interface: outside

  RPF nbr: 171.69.89.21

  Inherited Outgoing interface list:

    inside, Forward, 00:04:08/never

 

 

 

 

The following are the iperf outputs from the test above.

 

 

Sender

 

sender@ubuntu:~$ iperf -c 239.1.1.1 -u -T 1 -t 3 -i 1
------------------------------------------------------------
Client connecting to 239.1.1.1, UDP port 5001
Sending 1470 byte datagrams
Setting multicast TTL to 1
UDP buffer size:  112 KByte (default)
------------------------------------------------------------
[  3] local 171.69.89.21 port 42094 connected with 239.1.1.1 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0- 1.0 sec   129 KBytes  1.06 Mbits/sec
[  3]  1.0- 2.0 sec   128 KBytes  1.05 Mbits/sec
[  3]  2.0- 3.0 sec   128 KBytes  1.05 Mbits/sec
[  3]  0.0- 3.0 sec   386 KBytes  1.05 Mbits/sec
[  3] Sent 269 datagrams
rpunzala@rpunzala-lnx:~$

 

 

 

 

Receiver

 

receiver@ubuntu:~$ iperf -s -u -B 239.1.1.1 -i 1

------------------------------------------------------------

Server listening on UDP port 5001

Binding to local address 239.1.1.1

Joining multicast group  239.1.1.1

Receiving 1470 byte datagrams

UDP buffer size:   112 KByte (default)

------------------------------------------------------------

[  3] local 239.1.1.1 port 5001 connected with 171.69.89.21 port 42094

[ ID] Interval       Transfer     Bandwidth       Jitter   Lost/Total Datagrams

[  3]  0.0- 1.0 sec    128 KBytes  1.05 Mbits/sec  0.103 ms    0/   89 (0%)

[  3]  1.0- 2.0 sec    128 KBytes  1.05 Mbits/sec  0.095 ms    0/   89 (0%)

[  3]  2.0- 3.0 sec    128 KBytes  1.05 Mbits/sec  0.035 ms    0/   89 (0%)

[  3]  0.0- 3.0 sec    386 KBytes  1.05 Mbits/sec  0.049 ms    0/  269 (0%)

 

 

 

 

 

Related Information

 

Check out the configuration guide for more information about ASA multicast routing.
