Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
455
Views
0
Helpful
3
Replies

IP multicast over VPN

bbillian
Level 1
Level 1

‎06-20-2006 05:55 AM - edited ‎02-21-2020 02:29 PM

I am trying to configure a network that is capable of spoke-to-spoke multicast traffic. The end result will be effectively a multicast bridge for multiple seperate networks.

I have read over the "Multicast over IPsec VPN Design Guide" as well as the relevant sections in the "IPsec VPN Design" book and "The Complete Cisco VPN Configuration Guide" book and I am still at a loss.

I am using a Cisco 1841 router as the VPN hub and two (soon to be more) Cisco 1811 router as the VPN spokes.

Currently I am trying to use DMVPN to configure and IPsec VPN system, but if I am reading the "Multicast over IPsec VPN Design Guide" correctly, spoke-to-spoke multicast traffic is not possible. I am refering to the third paragraph in the overview section on page 29 of that PDF.

I have been able to connect both of the spokes to the hub and send unicast traffic from each spoke to the other and to the hub. I have also been able to send IP multicast traffic from the hub (server) to the spokes (clients). However when I configure the system so that spoke A (server) is sending the IP multicast traffic, the hub receives the traffic correctly, but the spoke B only receives the very first multicast packet of the stream from spoke A.

My main question is this, can an IPsec (or other) VPN support spoke-to-spoke mutlicast traffic. And if so, how will I need to configure it.

Any information that you can provide related to this will be very appreciated.

Labels:
Preview file
6 KB
Preview file
6 KB
Preview file
6 KB
0 Helpful
3 Replies 3

attrgautam
Level 5
Level 5

‎06-21-2006 06:21 AM

One of my colleagues pointed to this so i thought ill refer this to you as well

http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a008061864e.html

Let me know how it works if u test it out

0 Helpful

bbillian
Level 1
Level 1
In response to attrgautam

‎06-21-2006 06:52 AM

Thanks for the reply. If am reading that link correctly it allows for the encryption of the IP multicast traffic over a network that already supports IP multicast. I am trying to tunnel between private networks that are attached to public links that do not support IP multicast. I will keep reading over that link, but it doesn't seem like it will do the trick. Thanks for the helpful suggestion though.

0 Helpful

xponet
Level 1
Level 1

‎08-04-2006 11:55 AM

Hey B,

You read the document correctly; spoke to spoke multicast is not supported on a DMVPN. Essentially the spoke to hub connection (in the recommended implementation) is a GRE tunnel protected by IPSEC. GRE can tunnel multicast as well as unicast. However, when a spoke wants to communicate to a spoke, it retrieves the end point IP address from the hub and then sets up an IPSEC connection. Straight IPSEc cannot tunnel multicast traffic.

If you need spoke to spoke multicast, your best bet would be to set up a point-to-point GRE tunnel. Of course, that doesn't scale well if you'd like to have adhoc multicast between any of your sites (as you'd have to manually create the full mesh -- which is what DMVPN is supposed to solve for us.)

Best regards,

Josh

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents