Multicast over Internet - FW Hardware Advice

Answered Question
Mar 20th, 2009

Hi Pros,

I've been reading many posts regarding distributing multicast from one location to another over the internet.

I understand that multicast is difficult as well as limited (if at all possible) over IPSEC site-to-site VPN. It seems the best possible scenario is to create a GRE Tunnel between two layer3 devices which are linked by separate firewalls with an IPSEC site-to-site in between. The GRE Tunnel may then be encapsulated within an IPSec site-to-site VPN.

Ignoring restrictions on bandwidth etc., I would very much appreciate some comments /advice as to whether this would be possible, and if so, what kind of devices would be recommended.

Regarding the devices, I would think the choice of firewalls used is more important than the layer3 devices (just for info, the layer3 devices are planned to be 3750's with Advanced IPServices IOS).

Comments, suggestions & advice welcomed.

Regards,

I have this problem too.
0 votes
Correct Answer by Edison Ortiz about 7 years 8 months ago

Please post the output from the following commands at both left and right side router:

show ip mroute

show ip mroute count

show ip pim rp mapping

show ip pim interface

show ip pim neigh

__

Edison.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (2 ratings)
Loading.
Laurent Aubert Fri, 03/20/2009 - 06:47

Hi Mario,

GRE is not supported on 37xx products so you should go with routers like ISRs.

Also another concern is the MTU of the multicast packets. Because of the GRE and IPSec overhead, the GRE endpoints should not accept packets longer than 1400 B. So first be sure PMTUD is working between the GRE endpoint and the locally multicast sources. If it's not working and if the multicast application runs on top of TCP (not very common), you can spoof the TCP MSS with the following command on the tunnel interface:

int tunnel0

ip tcp mss-adjust 1360

ip mtu 1400

!

if it's UDP, the multicast application should be configured no to send packets larger than 1400 B

Last point is RPF if your unicast traffic is not using the GRE tunnel, you will need static mroutes.

HTH

Laurent.

mariov652 Fri, 03/27/2009 - 03:44

Hi,

I've been doing loads of reading and testing since sending my original question.

In fact, it seems the 3750's do support GRE tunnels - At least with the "IP Services" IOS. The option is available when configuring the Tunnel interface.

I get your point regarding the MTU, and I'll look into it once I get multicast flowing between sites.

I've managed to create the GRE tunnel (also between two ISR's), and enabled PIM on the respective interfaces (including the Tunnel interface), but the multicast does not arrive across the link. I can, however ping / ftp / telnet freely between sites.

I've attached a configuration of what's in place for the "left side" and the "right side" routers. I hope I've made it self-explanatory and should help someone with more experience than me see where I'm going wrong.

I think I am failing on the RPF, but I'm not 100% sure.

In the attached configuration, I am not sure of the ip mroute address that should be used on the "right side", and this is where I think I may be going wrong.

Note** - from my original posting, the multicast RP is remote to a local router on the "left side" LAN. My thinking is that the "right side" sends a "join" across the VPN, and the PIM in the LAN on the "left side" responds to the join request as it does for existing multicast requestors. No direct access to the RP should be needed from the "right side" as far as I can see.

I am pretty sure I am almost there with the attached configuration. Just one or two minor details missing.

Please let me know if I can provide more info to help me resolve this.

Regards,

Mario

Laurent Aubert Fri, 03/27/2009 - 06:41

Hi Mario.

Even if it's working, GRE on 3750 is not supported and the performance are very poor so if you want a design supported by the TAC, you should go with ISR.

Regarding your configuration:

- pim bidir-enable is not necessary as you are doing PIM-SM.

- mroute are necessary if your unicast traffic to the source and to the RP is using a different path. if this traffic is also using the tunnel, mroutes are not necessary

- Your RP configuration is missing:

ip pim rp-address x.x.x.x

here is a configuration example:

http://www.cisco.com/en/US/tech/tk828/technologies_configuration_example09186a00801a5aa2.shtml

Thanks

Laurent.

mariov652 Fri, 03/27/2009 - 07:19

Hi Laurent,

Thanks. Point taken regarding the 3750, I'll stick with the ISR's.

The example you've provided is one of the papers I've been going over.

From what you are saying, I think I am not yet properly understanding the first steps of how Multicast moves from a Source to Receivers.

If the RP was within my LAN on the "left side", I don't believe I would be having a problem, I think I'm struggling with this because the RP is in a remote location to the router/LAN on the "left side" of the VPN.

Between the "left side" LAN and remote RP, there is a local router that has the RP info, and is providing the multicast to clients locally on the "left".

I have no control over the remote RP access lists etc.

If I had the "ip pim rp-address x.x.x.x" on the "right side" router, the RP would not recognise the source IP address and drop the request.

...Unless what should happen is that I put a routing entry on the "right side" router for the IP / Network of the RP along the Tunnel interface. In the left LAN, I enable routing to the RP via the router with the RP info?

Am I running myself round in circles with this? ;

My aim is simply to "feed off" the multicast subscription from the router currently providing multicast to the clients on the "left side".

mariov652 Fri, 03/27/2009 - 07:29

Thanks for confirming that Ediortiz,

The link you provided is very helpful for some other projects I work on too.

If you have time to look at my response to Laurent, do you have any advice / suggestions regarding my issue of receiving multicast?

Initially I thought it was the hardware I was using. After investigating and reading, this should work easily enough with GRE over IPSEC using ISR's, which is what I tested tested with.

The config I'm using is attached two or three posts up.

Regards,

Mario

Correct Answer
Edison Ortiz Fri, 03/27/2009 - 08:05

Please post the output from the following commands at both left and right side router:

show ip mroute

show ip mroute count

show ip pim rp mapping

show ip pim interface

show ip pim neigh

__

Edison.

mariov652 Fri, 03/27/2009 - 08:10

Ok,

I'll only be able to run through another test on Monday evening.

I'll post the results then.

Thanks,

Mario

cisco24x7 Fri, 03/27/2009 - 08:22

There are several ways of testing multicast over GRE/IPSec:

1- Use Microsoft Windows media Server on Windows 2003 on one end and Windows media player on the other end,

2- Use IPerf,

Both of these are free

mariov652 Fri, 03/27/2009 - 17:36

Thanks for the tip.

I've actually also recently found a really handy multicast server/client freely available off Nortel's website. It allows you to create a multicast source server with various parameters (multicast address, port, bandwidth etc.), and then use the client part to subscribe to the stream.

Let me know if you would like the link.

Regards,

Mario

mariov652 Tue, 03/31/2009 - 01:42

Hi Edison / Laaubert,

I managed to get this working last night.

I started back with the basics and realized I was going wrong in the routing to the rp.

Thank you for taking the time to respond to my queries. Your comments helped me solve this.

Regards,

Mario

Actions

This Discussion