
[ScreenOS] Sparse Mode Multicast configuration using PIM



Article ID: KB21077  KB Last Updated: 16 Oct 2013  Version: 3.0
This article describes how to configure sparse mode multicast when the receivers and the source are directly connected to different interfaces of the same firewall.
To configure sparse mode multicast when both receivers and source are present on the same firewall.


Sample N/W Diagram:

IGMP must be enabled on the interface connected to the receivers so that hosts can join the group. PIM must also be enabled on both the source side and the receiver side. The RP, the mcast policy, and a normal policy for the mcast group have to be set up as well.

  1. Configure the interfaces and enable IGMP on the interface connected to the recipients:
    ssg20-wlan-> set interface e0/0 zone trust
    ssg20-wlan-> set interface e0/0 ip
    ssg20-wlan-> set interface e0/1 zone untrust
    ssg20-wlan-> set interface e0/1 ip

    ssg20-wlan-> set interface e0/0 proto igmp router
    ssg20-wlan-> set interface e0/0 proto igmp enable
  2. Enable PIM at the VR level:
    ssg20-wlan-> set vrouter trust proto pim
    ssg20-wlan-> set vrouter trust proto pim enable
  3. Enable PIM on the interface connected to the source as well as the destination:
    set interface ethernet0/0 protocol pim
    set interface ethernet0/0 protocol pim enable
    set interface ethernet0/1 protocol pim
    set interface ethernet0/1 protocol pim enable

  4. Configure the access list to control the multicast groups:
    set vrouter trust access-list 1 permit ip 1

  5. Configure the RP settings:
    set vrouter trust protocol pim zone trust rp address mgroup-list 1 always
    (the zone is the one from which the request to join the group arrives)
  6. Create a mgroup policy for the control traffic:

    • This policy only allows the PIM control traffic to flow; it does not cover data traffic.

    • You can use a specific mcast group or a subnet address here.

    set multicast-group-policy from "Trust" mgroup to "Untrust" mgroup pim-message bsr-static-rp join-prune bi-directional

  7. Create the policy for mcast traffic to flow:

    set policy from <source_zone> to <destination_zone> <source_subnet> <mcast_group> <services> permit log
    (choose relevant zones from the Source towards destination)

    For example: set policy from untrust to trust any permit

    where, and are existing address book entries
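A consistency check for steps 1 to 6, as an added example that is not part of the original article or of any Juniper tooling: it reads a saved command list and reports IGMP or PIM left configured but not enabled, an RP whose mgroup-list points at an undefined access list, and a missing multicast-group-policy. The sample config, its addresses, and the `audit` function are constructed for illustration.

```python
import re

# Constructed config in the article's command style. Addresses are constructed
# placeholders, and three gaps are planted on purpose.
SAMPLE_CONFIG = """\
ssg20-wlan-> set interface e0/0 proto igmp router
ssg20-wlan-> set interface e0/0 proto igmp enable
set vrouter trust proto pim
set vrouter trust proto pim enable
set interface ethernet0/0 protocol pim
set interface ethernet0/0 protocol pim enable
set interface ethernet0/1 protocol pim
set vrouter trust access-list 1 permit ip 239.1.1.0/24 1
set vrouter trust protocol pim zone trust rp address 192.0.2.1 mgroup-list 2 always
"""

IFACE = re.compile(r"set interface (\S+) proto(?:col)? (igmp|pim)(?: (\w+))?$")
VR_PIM = re.compile(r"set vrouter (\S+) proto(?:col)? pim enable$")
ACL = re.compile(r"set vrouter (\S+) access-list (\d+) permit ip \S+ \d+$")
RP = re.compile(r"set vrouter (\S+) proto(?:col)? pim zone \S+ rp address \S+ mgroup-list (\d+)")

def audit(config):
    """Return the gaps found against steps 1 to 6 of the procedure."""
    configured, enabled = set(), set()        # (interface, protocol) pairs
    vr_pim, acls, rps, mgroup_policy = set(), set(), [], False
    for raw in config.splitlines():
        line = raw.split("-> ")[-1].strip()   # drop a CLI prompt if present
        if m := IFACE.match(line):
            (enabled if m[3] == "enable" else configured).add((m[1], m[2]))
        elif m := VR_PIM.match(line):
            vr_pim.add(m[1])
        elif m := ACL.match(line):
            acls.add((m[1], m[2]))
        elif m := RP.match(line):
            rps.append((m[1], m[2]))
        elif line.startswith("set multicast-group-policy "):
            mgroup_policy = True
    gaps = [f"{i}: {p} configured but not enabled" for i, p in sorted(configured - enabled)]
    for vr, acl_id in rps:
        if vr not in vr_pim:
            gaps.append(f"RP in {vr}: PIM not enabled on this virtual router")
        if (vr, acl_id) not in acls:
            gaps.append(f"RP in {vr}: mgroup-list {acl_id} has no matching access-list")
    if not rps:
        gaps.append("no static RP configured")
    if not mgroup_policy:
        gaps.append("no multicast-group-policy for PIM control traffic")
    return gaps
```

Calling `audit(SAMPLE_CONFIG)` returns one line per planted gap; an empty list means the command list is internally consistent for these steps, not that the firewall policy in step 7 is correctly scoped.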

Testing the routes and groups after initiating traffic and joining the group:

For IGMP join:

ssg20-wlan-> get igmp group
total groups matched: 1
multicast group  interface    last reporter  expire  ver
                 ethernet0/0                 256s    v2

Verifying the PIM route:

ssg20-wlan-> get vrouter trust protocol pim mroute
trust-vr - PIM-SM routing table
Register - R, Connected members - C, Pruned - P, Pending SPT Alert - G
Forward - F, Null - N , Negative Cache - E, Local Receivers - L
SPT - T, Proxy-Register - X, Imported - I, SGRpt state - Y, SSM Range Group - S
Turnaround Router - K
Total PIM-SM mroutes: 2

(*, RP 00:04:58/- Flags: LF
Zone : Untrust
Upstream : ethernet0/1 State : Joined
RPF Neighbor : local Expires : -
Downstream :
ethernet0/0 00:04:58/- Join FC

(, 00:06:33/00:00:18 Flags: TLF Register Prune
Zone : Untrust
Upstream : ethernet0/1 State : Joined
RPF Neighbor : local Expires : -
Downstream :
ethernet0/0 00:04:58/- Join FC

One thing to remember about this configuration is that an underlying destination route to reach the mcast source is always needed, even if a multicast PIM route or a static multicast route exists. This setup has no PIM neighbor; in a scenario with PIM neighbors, an underlying destination route is also needed to establish the neighborship.

Traffic Log for Policy:

(Src = "Untrust/Any-IPv4", Dst = "Trust/Any-IPv4", Service = "ANY")

Current system time is Thu, 3 Feb 2011 11:56:21

Time Stamp Action Source Destination Translated Source Translated Dest Duration Bytes Sent Bytes Received Application Reason

2011-02-03 11:42:52 Permit 1 sec 230426 0 UDP PORT 1234
