[SRX] Configuration example - Multicast PIM Dense mode

Article ID: KB24781 | KB Last Updated: 22 Jul 2020 | Version: 4.0

Summary:

This article demonstrates a basic configuration of PIM-Dense mode.

Solution:

Network Topology:

In this network, a multicast source is assumed to be connected to interface ge-0/0/0 of the SRX, and the receiver is connected through interface ge-0/0/1.

Source(1.1.1.5) ------- SRX ------- Receiver (192.168.2.2)
                ge-0/0/0   ge-0/0/1

Configuration Steps:

  1. Configure the interfaces on the SRX:

    set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.2/24
    set interfaces ge-0/0/1 unit 0 family inet address 192.168.2.1/24

  2. Enable PIM on the interfaces under the protocols hierarchy and set the mode to dense. IGMPv2 is enabled by default when PIM is enabled on an interface.

    set protocols pim interface ge-0/0/0.0 mode dense
    set protocols pim interface ge-0/0/1.0 mode dense

  3. Allow PIM as host-inbound traffic in the relevant security zones, and create the required address book entries:

    set security zones security-zone trust address-book address 1.1.1.0/24 1.1.1.0/24
    set security zones security-zone trust host-inbound-traffic protocols pim
    set security zones security-zone trust interfaces ge-0/0/0.0
    set security zones security-zone untrust address-book address 234.1.1.10 234.1.1.10/32
    set security zones security-zone untrust host-inbound-traffic protocols pim
    set security zones security-zone untrust interfaces ge-0/0/1.0

  4. Create a security policy to allow the traffic between the security zones:

    set security policies from-zone trust to-zone untrust policy p1 match source-address 1.1.1.0/24
    set security policies from-zone trust to-zone untrust policy p1 match destination-address 234.1.1.10
    set security policies from-zone trust to-zone untrust policy p1 match application junos-udp-any
    set security policies from-zone trust to-zone untrust policy p1 then permit

  5. If there are multiple intermediate devices between the source and the destination, make sure that the route to the source points out of the correct interface. Otherwise, the traffic will be dropped by the reverse path forwarding (RPF) check.

Note: If you get the commit error "configuration check-out failed", refer to [KB20977] - Commit check failing with the error: Cannot parse routing-option max-interface-supported in Junos 11.1 and 11.2.
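Steps 2 and 3 depend on each other: a PIM interface whose security zone does not list `pim` under host-inbound-traffic will not accept PIM packets. The following check is an added example, not part of the original article or Juniper tooling; it reads `set`-style configuration text and reports PIM interfaces whose zone would block PIM. It assumes interfaces are named explicitly, as in the article, and does not expand `interface all` or process `delete`/`deactivate` lines.

```python
import re

# Constructed input: the PIM and zone lines from steps 2 and 3 of the article.
PAGE_CONFIG = """\
set protocols pim interface ge-0/0/0.0 mode dense
set protocols pim interface ge-0/0/1.0 mode dense
set security zones security-zone trust host-inbound-traffic protocols pim
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic protocols pim
set security zones security-zone untrust interfaces ge-0/0/1.0
"""

ZONE = r"^set security zones security-zone (\S+) "
PIM_IF = re.compile(r"^set protocols pim interface (\S+)")
IF_HIT = re.compile(ZONE + r"interfaces (\S+) host-inbound-traffic protocols (\S+)")
ZONE_IF = re.compile(ZONE + r"interfaces (\S+)")
ZONE_HIT = re.compile(ZONE + r"host-inbound-traffic protocols (\S+)")


def audit_pim_zones(config):
    """Return one finding per PIM interface whose zone would drop PIM packets."""
    pim_ifs, if_zone, if_protos, zone_protos = [], {}, {}, {}
    for line in map(str.strip, config.splitlines()):
        if m := PIM_IF.match(line):
            if m.group(1) not in pim_ifs:
                pim_ifs.append(m.group(1))
        elif m := IF_HIT.match(line):
            # An interface-level host-inbound line also binds the interface.
            if_zone[m.group(2)] = m.group(1)
            if_protos.setdefault(m.group(2), set()).add(m.group(3))
        elif m := ZONE_IF.match(line):
            if_zone[m.group(2)] = m.group(1)
        elif m := ZONE_HIT.match(line):
            zone_protos.setdefault(m.group(1), set()).add(m.group(2))
    findings = []
    for ifname in pim_ifs:
        zone = if_zone.get(ifname)
        if zone is None:
            findings.append(f"{ifname}: not in any security zone")
            continue
        # Interface-level settings override the zone-level ones.
        allowed = if_protos.get(ifname, zone_protos.get(zone, set()))
        if not allowed & {"pim", "all"}:
            findings.append(f"{ifname}: zone {zone} does not permit host-inbound pim")
    return findings


if __name__ == "__main__":
    print(audit_pim_zones(PAGE_CONFIG) or "PIM interfaces and zones are consistent")
```
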


Verification:

  1. Verify the PIM join status and check that the upstream and downstream interfaces are shown correctly:

    root@srx> show pim join extensive
    Instance: PIM.master Family: INET
    R = Rendezvous Point Tree, S = Sparse, W = Wildcard

    Group: 234.1.1.10
    Source: 1.1.1.5
    Flags: dense
    Upstream interface: ge-0/0/0.0
    Upstream neighbor: Direct
    Downstream interfaces:
    ge-0/0/1.0

    Instance: PIM.master Family: INET6
    R = Rendezvous Point Tree, S = Sparse, W = Wildcard

  2. Verify the multicast routing table:

    root@srx> show multicast route
    Family: INET

    Group: 234.1.1.10
        Source: 1.1.1.5/32
        Upstream interface: ge-0/0/0.0
        Downstream interface list:
            ge-0/0/1.0

    Family: INET6

  3. Verify the flow session:

    root@srx> show security flow session destination-prefix 234.1.1.10
    Session ID: 2969, Policy name: N/A, Timeout: 58, Valid
      In: 1.1.1.5/1189 --> 234.1.1.10/10000;udp, If: ge-0/0/0.0, Pkts: 0, Bytes: 0
      Out: 255.255.255.255/10000 --> 255.255.255.255/1189;udp, If: .local..0, Pkts: 0, Bytes: 0

    Session ID: 2970, Policy name: p1/4, Timeout: -1, Valid
      In: 1.1.1.5/1189 --> 234.1.1.10/10000;udp, If: ge-0/0/0.0, Pkts: 10, Bytes: 600
      Out: 234.1.1.10/10000 --> 1.1.1.5/1189;udp, If: ge-0/0/1.0, Pkts: 0, Bytes: 0
    Total sessions: 2
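The flow-session check in step 3 can be automated. The parser below is an added example, not part of the original article; it reads the session text shown above (embedded as sample input) and returns, for a given multicast group, the sessions that matched a named policy together with their ingress and egress interfaces. The function and field names are chosen for this example.

```python
import re

# Constructed input: the session output shown in verification step 3.
SAMPLE = """\
Session ID: 2969, Policy name: N/A, Timeout: 58, Valid
  In: 1.1.1.5/1189 --> 234.1.1.10/10000;udp, If: ge-0/0/0.0, Pkts: 0, Bytes: 0
  Out: 255.255.255.255/10000 --> 255.255.255.255/1189;udp, If: .local..0, Pkts: 0, Bytes: 0

Session ID: 2970, Policy name: p1/4, Timeout: -1, Valid
  In: 1.1.1.5/1189 --> 234.1.1.10/10000;udp, If: ge-0/0/0.0, Pkts: 10, Bytes: 600
  Out: 234.1.1.10/10000 --> 1.1.1.5/1189;udp, If: ge-0/0/1.0, Pkts: 0, Bytes: 0
Total sessions: 2
"""

HEAD = re.compile(r"Session ID: (\d+), Policy name: ([^,]+), Timeout: (-?\d+)")
WING = re.compile(r"(In|Out): (\S+?)/(\d+) --> (\S+?)/(\d+);(\w+), "
                  r"If: ([^,\s]+), Pkts: (\d+), Bytes: (\d+)")


def parse_sessions(text):
    """Parse session blocks into dicts with 'in' and 'out' wings."""
    sessions = []
    for line in text.splitlines():
        if m := HEAD.search(line):
            sessions.append({"id": int(m.group(1)),
                             "policy": m.group(2).strip(),
                             "timeout": int(m.group(3))})
        elif (m := WING.search(line)) and sessions:
            # Attach the wing to the most recent session header.
            sessions[-1][m.group(1).lower()] = {
                "src": m.group(2), "dst": m.group(4), "proto": m.group(6),
                "if": m.group(7), "pkts": int(m.group(8))}
    return sessions


def forwarded_by_policy(sessions, group):
    """Return (policy, in-if, out-if, in-pkts) for sessions to `group`
    that matched a named policy (Policy name other than N/A)."""
    return [(s["policy"].split("/")[0], s["in"]["if"], s["out"]["if"], s["in"]["pkts"])
            for s in sessions
            if "in" in s and "out" in s
            and s["in"]["dst"] == group and s["policy"] != "N/A"]


if __name__ == "__main__":
    print(forwarded_by_policy(parse_sessions(SAMPLE), "234.1.1.10"))
```
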

     

Troubleshooting:

  1. Enable PIM traceoptions:

    # set protocols pim traceoptions file pim-trace
    # set protocols pim traceoptions flag all

  2. Enable flow traceoptions:

    # set security flow traceoptions flag basic-datapath
    # set security flow traceoptions file multicast
    # set security flow traceoptions packet-filter p1 destination-prefix <multicast IP>
    # set security flow traceoptions packet-filter p2 source-prefix <source-IP>

Modification History:
2020-07-15: Article reviewed for accuracy; no changes required.
