Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

Multicast routes not updated throughout PIM-SM network, when RP proxy configured

0

0

Article ID: KB9519 KB Last Updated: 11 Aug 2010Version: 5.0
Summary:

Three Juniper firewall devices are used to build a Multicast network in a lab for training purposes. IGMP is enabled on the Internet facing firewalls and PIM is enabled on all 3 firewalls. PIM-SM is not updating the Multicast routes throughout the PIM-SM network.

 

 

Symptoms:

Three Juniper firewall devices are used to build a Multicast network in a lab for training purposes. IGMP is enabled on the Internet facing firewalls and PIM is enabled on all 3 firewalls. PIM-SM (Protocol Independent Multicast - Sparse-Mode) is not updating the Multicast routes throughout the PIM-SM network.


The issue occurs when RP Proxy is configured on all Juniper firewalls.

The following is the networking diagram used for the lab.

  • Right hand SSG20 eth0/1 interface serves as static RP.
  • RP Proxy used on each of the firewalls, such as, set zone "Untrust" rp proxy.

network_diagram

The following lists the lab devices' configurations:

ISG1000:

set interface "ethernet2/3" zone "group3"
set interface "ethernet2/4" zone "mgmt"
set interface ethernet2/3 ip 1.1.3.1/24
set interface ethernet2/3 route
set interface ethernet2/4 ip 1.1.4.1/24
set interface ethernet2/4 route
set access-list 2
set access-list 2 permit ip 224.0.0.0/4 10
set interface ethernet2/3 protocol rip
set interface ethernet2/3 protocol rip enable
set interface ethernet2/3 protocol rip send-version v1v2
set interface ethernet2/3 protocol rip receive-version v1v2
set interface ethernet2/4 protocol rip
set interface ethernet2/4 protocol rip enable
set interface ethernet2/4 protocol rip send-version v1v2
set interface ethernet2/4 protocol rip receive-version v1v2
set interface ethernet2/3 protocol pim
set interface ethernet2/3 protocol pim enable
set interface ethernet2/4 protocol pim
set interface ethernet2/4 protocol pim enable
set vrouter "trust-vr"
set protocol pim
set zone "group3" rp address 10.4.1.1 mgroup-list 2 always
set zone "group3" rp proxy
set zone "mgmt" rp address 10.4.1.1 mgroup-list 2 always
set zone "mgmt" rp proxy
exit
set multicast-group-policy from "group3" mgroup any to "mgmt" pim-message bsr-static-rp join-prune bi-directional

SSG on the left:

set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "Trust"
set access-list 2
set access-list 2 permit ip 224.0.0.0/4 10
set interface ethernet0/0 ip 1.1.3.10/24
set interface ethernet0/0 route
set interface ethernet0/1 ip 10.3.1.1/24
set interface ethernet0/1 route
set interface ethernet0/1 protocol igmp router
set interface ethernet0/1 protocol igmp no-check-subnet
set interface ethernet0/1 protocol igmp no-check-router-alert
set interface ethernet0/1 protocol igmp enable
set interface ethernet0/0 protocol igmp router
set interface ethernet0/0 protocol igmp no-check-subnet
set interface ethernet0/0 protocol igmp no-check-router-alert
set interface ethernet0/0 protocol igmp enable
set interface ethernet0/0 protocol rip
set interface ethernet0/0 protocol rip enable
set interface ethernet0/0 protocol rip send-version v1v2
set interface ethernet0/0 protocol rip receive-version v1v2
set interface ethernet0/1 protocol rip
set interface ethernet0/1 protocol rip enable
set interface ethernet0/1 protocol rip send-version v1v2
set interface ethernet0/1 protocol rip receive-version v1v2
set interface ethernet0/0 protocol pim
set interface ethernet0/0 protocol pim enable
set interface ethernet0/1 protocol pim
set interface ethernet0/1 protocol pim enable
set vrouter "trust-vr"
set protocol pim
set zone "Untrust" rp proxy
set zone "Trust" rp address 10.4.1.1 mgroup-list 2 always
set zone "Trust" rp proxy
exit
set multicast-group-policy from "Trust" mgroup any to "Untrust" pim-message bsr-static-rp join-prune bi-directional

SSG on the Right

set interface ethernet0/0 ip 1.1.4.10/24
set interface ethernet0/0 route
set interface ethernet0/1 ip 10.4.1.1/24
set interface ethernet0/1 route
set access-list 2
set access-list 2 permit ip 224.0.0.0/4 10
set interface ethernet0/1 protocol igmp router
set interface ethernet0/1 protocol igmp no-check-subnet
set interface ethernet0/1 protocol igmp no-check-router-alert
set interface ethernet0/1 protocol igmp enable
set interface ethernet0/0 protocol igmp router
set interface ethernet0/0 protocol igmp no-check-subnet
set interface ethernet0/0 protocol igmp no-check-router-alert
set interface ethernet0/0 protocol igmp enable
set interface ethernet0/0 protocol rip
set interface ethernet0/0 protocol rip enable
set interface ethernet0/0 protocol rip send-version v1v2
set interface ethernet0/0 protocol rip receive-version v1v2
set interface ethernet0/1 protocol rip
set interface ethernet0/1 protocol rip enable
set interface ethernet0/1 protocol rip send-version v1v2
set interface ethernet0/1 protocol rip receive-version v1v2
set interface ethernet0/0 protocol pim
set interface ethernet0/0 protocol pim enable
set interface ethernet0/1 protocol pim
set interface ethernet0/1 protocol pim enable
set vrouter "trust-vr"
set protocol pim
set zone "Untrust" rp proxy
set zone "Trust" rp candidate interface ethernet0/1 mgroup-list 2
set zone "Trust" rp address 10.4.1.1 mgroup-list 2 always
set zone "Trust" rp proxy
exit
set multicast-group-policy from "Untrust" mgroup any to "Trust" pim-message bsr-static-rp join-prune bi-directional

 

Solution:

After studying the networking diagram further, it was discovered that there is only one RP and one PIM-SM domain in this setup.  RP Proxy should not be used in this environment .  For more information, please refer to the 'Configuring a Proxy Rendezvous Point' section of the Concepts & Examples ScreenOS Reference Guide, Volume 7: Routing:
ScreenOS 5.4: http://www.juniper.net/techpubs/software/screenos/screenos5.4.0/CE_v7.pdf 
ScreenOS 6.0: http://www.juniper.net/techpubs/software/screenos/screenos6.0.0/CE_v7.pdf 


After the RP proxy configuration was removed from all 3 firewalls (i.e. unset vr <vr> protocol pim zone <zone> rp proxy), the Multicast routes were updated.
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search