[ScreenOS] Sparse Mode Multicast configuration using PIM

  [KB21077]


Summary:
This article describes how to configure sparse mode multicast when the receivers and the source are directly connected to different interfaces of the same firewall.
Symptoms:
To configure sparse mode multicast when both receivers and source are present on the same firewall.

Solution:

Sample N/W Diagram:

192.168.1.254(client)--.1(e0/0)---(trust)((FW))(untrust)---(e0/1)192.168.2.1----(Src).254

IGMP must be enabled on the interface connected to the receivers so that hosts can join the group. PIM must also be enabled on both the source side and the receiver side. An RP, a multicast group policy, and a normal policy for the multicast group have to be set up as well.

  1. Configure the interfaces and enable IGMP on the interface connected to the receivers:
    ssg20-wlan-> set interface e0/0 zone trust
    ssg20-wlan-> set interface e0/0 ip 192.168.1.1/24
    ssg20-wlan-> set interface e0/1 zone untrust
    ssg20-wlan-> set interface e0/1 ip 192.168.2.1/24

    ssg20-wlan-> set interface e0/0 proto igmp router
    ssg20-wlan-> set interface e0/0 proto igmp enable
  2. Enable PIM at the VR level:
    ssg20-wlan-> set vrouter trust proto pim
    ssg20-wlan-> set vrouter trust proto pim enable
  3. Enable PIM on the interface connected to the source as well as the destination:
    set interface ethernet0/0 protocol pim
    set interface ethernet0/0 protocol pim enable
    set interface ethernet0/1 protocol pim
    set interface ethernet0/1 protocol pim enable

  4. Configure the access list to control the multicast groups:
    set vrouter trust access-list 1 permit ip 239.1.1.1/24 1

  5. Configure the RP settings:
    set vrouter trust protocol pim zone trust rp address 192.168.2.1 mgroup-list 1 always
    (The zone is the one from which the request to join the group arrives.)
  6. Create a mgroup policy for the control traffic:

    Note:
    • This policy only allows the PIM control traffic to flow; it does not cover data traffic.

    • You can use a specific multicast group or a subnet address here.

    set multicast-group-policy from "Trust" mgroup 239.1.1.1/32 to "Untrust" mgroup 239.1.1.1 pim-message bsr-static-rp join-prune bi-directional

  7. Create the policy for mcast traffic to flow:

    set policy from <source_zone> to <destination_zone> <source_subnet> <mcast_group> <services> permit log
    (Choose the zones that apply in the direction from the source towards the destination.)

    For example: set policy from untrust to trust 1.1.1.0/29 10.10.10.1/32 any permit

    where, 1.1.1.0/29 and 10.10.10.1/32 are existing address book entries
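
The following Python sketch is an added example, not part of the original article or of ScreenOS. It checks a saved configuration for the prerequisites from steps 1 to 6 and cross-checks that the group in the mgroup policy is covered by the access list the RP references. The function names and finding messages are assumptions made for illustration; the sample input is the multicast-related commands shown above.

```python
import ipaddress
import re

# Multicast-related commands from steps 1-6 above, prompt and abbreviations as shown.
PAGE_CONFIG = """\
ssg20-wlan-> set interface e0/0 proto igmp router
ssg20-wlan-> set interface e0/0 proto igmp enable
ssg20-wlan-> set vrouter trust proto pim enable
set interface ethernet0/0 protocol pim enable
set interface ethernet0/1 protocol pim enable
set vrouter trust access-list 1 permit ip 239.1.1.1/24 1
set vrouter trust protocol pim zone trust rp address 192.168.2.1 mgroup-list 1 always
set multicast-group-policy from "Trust" mgroup 239.1.1.1/32 to "Untrust" mgroup 239.1.1.1 pim-message bsr-static-rp join-prune bi-directional
"""
MCAST = ipaddress.ip_network("224.0.0.0/4")

def normalize(line):
    """Drop the CLI prompt and expand the abbreviations used on the page."""
    line = re.sub(r"^\S+->\s*", "", line.strip())
    line = re.sub(r"\bproto\b", "protocol", line)
    return re.sub(r"\binterface e(\d)", r"interface ethernet\1", line)

def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    text = "\n".join(normalize(l) for l in config.splitlines() if l.strip())
    find = lambda pattern: re.findall(pattern, text, re.M)
    out = []
    if not find(r"^set interface \S+ protocol igmp enable$"):
        out.append("IGMP not enabled on any interface")
    if not find(r"^set vrouter \S+ protocol pim enable$"):
        out.append("PIM not enabled in the virtual router")
    if len(set(find(r"^set interface (\S+) protocol pim enable$"))) < 2:
        out.append("PIM enabled on fewer than two interfaces")
    acls = {}  # access-list number -> permitted group prefixes
    for num, prefix in find(r"access-list (\d+) permit ip (\S+)"):
        acls.setdefault(num, []).append(ipaddress.ip_network(prefix, strict=False))
    rp_lists = find(r"rp address \S+ mgroup-list (\d+)")
    if not rp_lists:
        out.append("no static RP with an mgroup-list")
    nets = [n for num in rp_lists for n in acls.get(num, [])]
    if rp_lists and not nets:
        out.append("RP mgroup-list references a missing access-list")
    out += [f"{n} is outside 224.0.0.0/4" for n in nets if not n.subnet_of(MCAST)]
    for grp in find(r"^set multicast-group-policy from \S+ mgroup (\S+)"):
        g = ipaddress.ip_network(grp, strict=False)
        if not any(g.subnet_of(n) for n in nets):
            out.append(f"mgroup policy group {g} is not covered by the RP group list")
    return out
```

Calling audit(PAGE_CONFIG) returns an empty list for the commands on this page.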



Testing the routes and groups after initiating traffic and joining the group:

For IGMP join:

ssg20-wlan-> get igmp group
total groups matched: 1
multicast group   interface     last reporter    expire   ver
239.1.1.1         ethernet0/0   192.168.1.254    256s     v2

Verifying the PIM route:

ssg20-wlan-> get vrouter trust protocol pim mroute
trust-vr - PIM-SM routing table
-----------------------------------------------------------------------------
Register - R, Connected members - C, Pruned - P, Pending SPT Alert - G
Forward - F, Null - N , Negative Cache - E, Local Receivers - L
SPT - T, Proxy-Register - X, Imported - I, SGRpt state - Y, SSM Range Group - S
Turnaround Router - K
-----------------------------------------------------------------------------
Total PIM-SM mroutes: 2

(*, 239.1.1.1) RP 192.168.2.1 00:04:58/- Flags: LF
Zone : Untrust
Upstream : ethernet0/1 State : Joined
RPF Neighbor : local Expires : -
Downstream :
ethernet0/0 00:04:58/- Join 0.0.0.0 FC

(192.168.2.254/24, 239.1.1.1) 00:06:33/00:00:18 Flags: TLF Register Prune
Zone : Untrust
Upstream : ethernet0/1 State : Joined
RPF Neighbor : local Expires : -
Downstream :
ethernet0/0 00:04:58/- Join 0.0.0.0 192.168.2.254 FC

One thing to remember about this configuration is that an underlying destination route to reach the multicast source is always needed, even if a multicast PIM route or a static multicast route exists. This setup has no PIM neighbor; in a scenario with PIM neighbors, an underlying destination route is also needed to establish the neighborship.

Traffic Log for Policy:

(Src = "Untrust/Any-IPv4", Dst = "Trust/Any-IPv4", Service = "ANY")

Current system time is Thu, 3 Feb 2011 11:56:21
======================================================================================


Time Stamp:          2011-02-03 11:42:52
Action:              Permit
Source:              192.168.2.254:1234
Destination:         239.1.1.1:1234
Translated Source:   192.168.2.254:1234
Translated Dest:     239.1.1.1:1234
Duration:            1 sec
Bytes Sent:          230426
Bytes Received:      0
Application:         UDP PORT 1234
Reason:

