08-01-2008 07:27 AM - edited 03-06-2019 12:34 AM
The network diagram is attached.
The ISP broadcasts around 9 video multicast streams (addresses listed in the picture). An ASA5510 running 8.0(3) receives all of the multicasts. PAT is configured on the ASA for the internal network. The internal network has about 10 VLANs, all terminated on a Cisco 3560 (ADVIPSERVICESK9-M, Version 12.2(44)SE2). Each Cisco 2960 carries up to about 5 VLANs.
Objective: to distribute the multicasts to end users on request (for example, to those on VLAN 4).
What I did:
At Cisco 3560
[code]
ip multicast-routing distributed
!
interface Vlan4
 description workers_vl
 ip address 10.0.0.69 255.255.255.192
 ip pim passive
!
interface Vlan900
 description To Firewall
 ip address 10.0.2.5 255.255.255.248
 ip pim sparse-dense-mode
!
[/code]
At ASA5510:
[code]
multicast-routing
!
interface Ethernet0/1
 speed 1000
 nameif Internet
 security-level 5
 ip address 82.179.x.x 255.255.255.240
 igmp join-group 225.10.20.1
!
pim rp-address 82.179.y.y
!
[/code]
But with these settings the end users do not receive the video.
[code]
asa5510# sh mroute

Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group,
       C - Connected, L - Local, I - Received Source Specific Host Report,
       P - Pruned, R - RP-bit set, F - Register flag, T - SPT-bit set,
       J - Join SPT
Timers: Uptime/Expires
Interface state: Interface, State

(*, 225.10.20.1), 07:07:32/never, RP 82.179.y.y, flags: SCLJ
  Incoming interface: Internet
  RPF nbr: 82.179.y.y
  Outgoing interface list:

(192.168.10.20, 225.10.20.1), 04:16:23/00:02:50, flags: SJT
  Incoming interface: Internet
  RPF nbr: 82.179.y.y
  Immediate Outgoing interface list: Null

asa5510# sh pim neighbor

Neighbor Address  Interface  Uptime    Expires   DR pri  Bidir
82.179.y.y        Internet   04:17:07  00:01:37  N/A
10.0.2.5          Firewall   04:21:51  00:01:26  1 (DR)
[/code]
[code]
3560# sh ip mroute
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
       L - Local, P - Pruned, R - RP-bit set, F - Register flag,
       T - SPT-bit set, J - Join SPT, M - MSDP created entry,
       X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
       U - URD, I - Received Source Specific Host Report,
       Z - Multicast Tunnel, z - MDT-data group sender,
       Y - Joined MDT-data group, y - Sending to MDT-data group
       V - RD & Vector, v - Vector
Outgoing interface flags: H - Hardware switched, A - Assert winner
 Timers: Uptime/Expires
 Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 239.255.255.255), 00:01:58/00:02:10, RP 0.0.0.0, flags: DC
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Vlan900, Forward/Sparse-Dense, 00:01:58/00:00:00
    Vlan4, Forward/Sparse-Dense, 00:01:58/00:02:10

(*, 239.195.255.255), 00:01:58/00:02:12, RP 0.0.0.0, flags: DC
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Vlan900, Forward/Sparse-Dense, 00:01:58/00:00:00
    Vlan4, Forward/Sparse-Dense, 00:01:58/00:02:12

(*, 225.10.20.1), 00:01:50/00:02:08, RP 0.0.0.0, flags: DC
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Vlan900, Forward/Sparse-Dense, 00:01:50/00:00:00
    Vlan4, Forward/Sparse-Dense, 00:01:50/00:02:08

(*, 224.0.1.60), 07:14:41/00:02:10, RP 0.0.0.0, flags: DC
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Vlan900, Forward/Sparse-Dense, 04:23:19/00:00:00
    Vlan4, Forward/Sparse-Dense, 05:05:44/00:02:10

3560# sh ip pim neighbor
PIM Neighbor Table
Mode: B - Bidir Capable, DR - Designated Router, N - Default DR Priority,
      P - Proxy Capable, S - State Refresh Capable
Neighbor          Interface                Uptime/Expires    Ver   DR
Address                                                            Prio/Mode
10.0.2.1          Vlan900                  04:23:26/00:01:16 v2    1 /
[/code]
Sorry for my bad English...
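The two outputs above differ in one detail that is easy to miss by eye: on the ASA, both the (*, 225.10.20.1) and the (192.168.10.20, 225.10.20.1) entries have an empty outgoing interface list ("Outgoing interface list:" with nothing under it, and "Immediate Outgoing interface list: Null"), so the firewall holds state for the group but forwards it to no interface, while the 3560 lists Vlan900 and Vlan4 in its OIL for the same group. The following Python parser is an added example, not code from the thread or from Cisco: it reads `show mroute` (ASA) and `show ip mroute` (IOS) output in either layout and reports entries that are received but not forwarded. The class and function names (`MrouteEntry`, `parse_mroute`, `diagnose`) are my own, and the embedded samples are copies of the output posted above.

```python
"""Parse Cisco 'show mroute' (ASA) / 'show ip mroute' (IOS) output and flag
entries whose outgoing interface list (OIL) is empty: state exists for the
group, but the box is not forwarding it anywhere.  Added diagnostic helper;
the class and function names are my own, not Cisco's."""
import re
from dataclasses import dataclass, field

# Entry header, e.g. "(*, 225.10.20.1), 07:07:32/never, RP 82.179.y.y, flags: SCLJ"
ENTRY_RE = re.compile(r"^\((?P<src>\*|[\d.]+),\s*(?P<grp>[\d.]+)\).*?flags:\s*(?P<flags>\S+)")
# IOS packs the RPF neighbour onto the incoming-interface line; ASA prints it separately.
IIF_RE = re.compile(r"^Incoming interface:\s*(?P<iif>[^,\s]+)(?:,\s*RPF nbr\s*(?P<rpf>\S+))?")
RPF_RE = re.compile(r"^RPF nbr:\s*(?P<rpf>\S+)")
OIL_HDR_RE = re.compile(r"^(?:Immediate )?Outgoing interface list:\s*(?P<rest>.*)$")
PROMPT_RE = re.compile(r"^\S+\s*#")  # a new CLI prompt ends the current table


@dataclass
class MrouteEntry:
    source: str            # "*" for a shared-tree (*,G) entry
    group: str
    flags: str
    incoming: str = ""
    rpf_nbr: str = ""
    oil: list = field(default_factory=list)   # interface names in the OIL

    @property
    def forwarding(self) -> bool:
        return bool(self.oil)


def parse_mroute(text: str) -> list:
    """Return MrouteEntry objects for every (*,G) / (S,G) line in the output."""
    entries, cur, in_oil = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            cur = MrouteEntry(m["src"], m["grp"], m["flags"])
            entries.append(cur)
            in_oil = False
            continue
        if PROMPT_RE.match(line):
            cur, in_oil = None, False
            continue
        if cur is None:
            continue                      # legend / header lines before the first entry
        m = IIF_RE.match(line)
        if m:
            cur.incoming = m["iif"]
            cur.rpf_nbr = m["rpf"] or cur.rpf_nbr
            continue
        m = RPF_RE.match(line)
        if m:
            cur.rpf_nbr = m["rpf"]
            continue
        m = OIL_HDR_RE.match(line)
        if m:
            in_oil = m["rest"].strip().lower() != "null"   # "... list: Null" means empty
            continue
        if in_oil:
            cur.oil.append(line.split(",")[0].strip())   # "Vlan4, Forward/Sparse-Dense, ..."
    return entries


def diagnose(text: str) -> list:
    """Describe every entry that is received but not forwarded."""
    report = []
    for e in parse_mroute(text):
        if not e.forwarding:
            report.append(f"({e.source}, {e.group}) flags {e.flags}: in via {e.incoming}, "
                          f"RPF nbr {e.rpf_nbr}, OIL empty -> not forwarded")
    return report


# Samples copied from the thread's own output (prompt and header lines included).
ASA_SAMPLE = """\
asa5510# sh mroute
Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group,
Timers: Uptime/Expires
Interface state: Interface, State
(*, 225.10.20.1), 07:07:32/never, RP 82.179.y.y, flags: SCLJ
  Incoming interface: Internet
  RPF nbr: 82.179.y.y
  Outgoing interface list:
(192.168.10.20, 225.10.20.1), 04:16:23/00:02:50, flags: SJT
  Incoming interface: Internet
  RPF nbr: 82.179.y.y
  Immediate Outgoing interface list: Null
asa5510# sh pim neighbor
"""

SWITCH_SAMPLE = """\
3560# sh ip mroute
IP Multicast Routing Table
(*, 225.10.20.1), 00:01:50/00:02:08, RP 0.0.0.0, flags: DC
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Vlan900, Forward/Sparse-Dense, 00:01:50/00:00:00
    Vlan4, Forward/Sparse-Dense, 00:01:50/00:02:08
3560# sh ip pim neighbor
"""

if __name__ == "__main__":
    for name, sample in (("ASA", ASA_SAMPLE), ("3560", SWITCH_SAMPLE)):
        print(name, diagnose(sample) or ["all entries forwarding"])
```

Run against the ASA sample it reports both entries for 225.10.20.1 as not forwarded; against the 3560 sample it reports nothing, because that switch already has Vlan4 in the OIL. Pasting the live output of each device into `diagnose()` narrows the problem to the device whose OIL is empty.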
09-07-2008 08:29 AM
I also have a similar multicast problem with my FWSM running 4.01 OS. I found that the only way I can make multicast work is to configure the inside and outside interfaces in the firewall at the same security level (I configured them both to 100), then use the "same-security-level permit inter" command; after that, multicast works. You can still use ACLs to control and filter traffic. I am trying to find out whether it's a bug.
10-17-2008 07:03 AM
In the ASA, as described in the documentation, you should create an ACL to permit the multicast traffic coming in.
From the 8.0 Config Guide:
Step 1 - Create an access list for the multicast traffic. You can create more than one entry for a single access list. You can use extended or standard access lists.
• To create a standard access list, enter the following command:
[code]hostname(config)# access-list name standard [permit | deny] ip_addr mask[/code]
The ip_addr argument is the IP address of the multicast group being permitted or denied.
• To create an extended access list, enter the following command:
[code]hostname(config)# access-list name extended [permit | deny] protocol src_ip_addr src_mask dst_ip_addr dst_mask[/code]
The dst_ip_addr argument is the IP address of the multicast group being permitted or denied.
Step 2 - Apply the access list to an interface by entering the following command:
[code]hostname(config-if)# igmp access-group acl[/code]
The acl argument is the name of a standard or extended IP access list.
For example, using a standard ACL:
[code]access-list Multicast1 standard permit host 225.10.20.1[/code]
To the outside interface, apply:
[code]igmp access-group Multicast1[/code]
Or you can remove all of your previous multicast config and simply put the ASA in multicast stub mode with the following command applied to the inside interface:
[code]igmp forward interface outside[/code]
This way, the ASA will simply forward IGMP messages from inside to outside. I have not tested it, but I suppose the ASA will open a translation to let the multicast feed come in on the outside interface. If that's not the case, look into creating a static translation and an ACL/access-group to let the mcast traffic pass through.