Multicast through a 4510 and FW

Unanswered Question
Jul 31st, 2009

I have multicast set up on my LAN using vbricks.

I want to extend use of the vbricks to another site. To get to the remote site, the 4510 connects to a firewall locally, then hits the other firewall at the remote site, then to the 3750 user switch.

On my LAN, the vbricks are configured with the networks for access (including the remote site), the user switches have ip multicast routing and ip pim sparse dense mode on the vlan int.

I set up the remote side the same way except for the 3750 the command is ip multicast-routing distributed.

The firewall team says they don't see any multicast traffic coming from the 4510. Is there something I need to configure on the port that connects to the firewall?

Thank you

Edison Ortiz Fri, 07/31/2009 - 08:20

What type of FW?

Commonly, FWs do not support Multicast, so sending Multicast traffic over a FW is often done with a GRE tunnel between Multicast routers.

We don't recommend using a 3750 switch with GRE tunnels so you will need a router at each end with Multicast routing enabled to traverse the FW.




ekuvinka Fri, 07/31/2009 - 12:08

The Juniper firewalls already have a tunnel built between the two sites.

Edison Ortiz Fri, 07/31/2009 - 12:11

The tunnels need to be built on the devices running Multicast and the tunnel itself will have PIM.

As I stated before, the 3750 switch won't support GRE tunneling in hardware, hence we don't recommend this design.

The only option is placing routers facing the FWs at each end - configure a GRE tunnel on these routers along with multicast routing.

ekuvinka Tue, 08/04/2009 - 06:15

So there is no way to point the multicast traffic for the remote site to the firewall interface, so that it can tunnel the multicast? The firewall can do routing and tunneling. I wouldn't think we would need to add an extra router on both sides if the firewall will do the same thing.

Edison Ortiz Tue, 08/04/2009 - 17:25

Can you find out if this FW can run multicast natively?

If so, enable PIM and multicast in the FW and you are set.

If not, you need to tunnel multicast between devices.



ekuvinka Wed, 08/05/2009 - 05:11

As far as I know they do. I looked up the specs - Juniper SSG140 and SSG350M - and they list PIM and multicast.

I know they have a tunnel built because we go through a cloud. So should it be just a matter of them adding PIM and multicast to the existing tunnel?

Thank you

Edison Ortiz Wed, 08/05/2009 - 05:49

Enable PIM on the FW under the customer facing interface and the tunnel. Be aware PIM relies on the routing table and RPF can occur if the routing takes your multicast flow via interfaces without PIM enabled.



ekuvinka Tue, 08/11/2009 - 07:20

The firewall team added multicast to the configuration and it is working for the most part.

When the users open up the vbrick application, they do not see the channels displayed but they can type in the multicast address and port number to view the video.

I found out that what is not making it through to the remote side is the Session Announcement Protocol (SAP), which uses port 9875. Is there something I need to add to the config on the switches or something the firewall team needs to enable? They said that they don't even see any traffic for that IP coming in from my switch. They do, of course, see all the multicast address info.

I wouldn't think I need to add anything, their firewall is directly connected to our switch on the same subnet as the vbricks.

Edison Ortiz Tue, 08/11/2009 - 09:26

I'm not familiar with such an application, thus I recommend contacting the vendor for configuration best practice.
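
For anyone troubleshooting the missing channel list described in this thread, the following added example (not code from the thread or from the vendor) decodes one SAP datagram captured on UDP port 9875, using the RFC 2974 header layout, and reports the origin, announced group, TTL and media port so they can be compared with what the firewall's multicast policy permits. The function name, sample packet, addresses and session name are constructed for illustration.

```python
import ipaddress
import struct

def parse_sap(datagram: bytes) -> dict:
    """Decode one SAP datagram (RFC 2974) and summarise the SDP it announces."""
    if len(datagram) < 8:
        raise ValueError("too short for a SAP header")
    flags, auth_len, msg_id = struct.unpack("!BBH", datagram[:4])
    if flags >> 5 != 1:
        raise ValueError("unsupported SAP version")
    offset = 4 + (16 if flags & 0x10 else 4)      # A bit: IPv6 or IPv4 origin
    if len(datagram) < offset + auth_len * 4:     # auth_len counts 32-bit words
        raise ValueError("truncated SAP header")
    info = {
        "origin": str(ipaddress.ip_address(datagram[4:offset])),
        "msg_id": msg_id,
        "deletion": bool(flags & 0x04),           # T bit: announce or delete
        "opaque": bool(flags & 0x03),             # E or C bit: payload unreadable
    }
    if info["opaque"]:
        return info
    body = datagram[offset + auth_len * 4:]
    if not body.startswith(b"v=0"):               # optional MIME payload type
        mime, sep, body = body.partition(b"\x00")
        if not sep:
            raise ValueError("unterminated payload type")
        info["payload_type"] = mime.decode("ascii", "replace")
    for line in body.decode("utf-8", "replace").splitlines():
        if line.startswith("s="):
            info["session"] = line[2:]
        elif line.startswith("c=IN IP4 "):        # IPv4 form: group/ttl[/count]
            parts = line.split()[-1].split("/")
            info["group"] = parts[0]
            info["ttl"] = int(parts[1]) if len(parts) > 1 else None
        elif line.startswith("m="):
            info["media_port"] = int(line.split()[1].split("/")[0])
    return info

# Constructed sample datagram (documentation addresses, made-up session).
SAMPLE = (bytes([0x20, 0x00, 0x12, 0x34])
          + ipaddress.ip_address("192.0.2.10").packed
          + b"application/sdp\x00"
          + b"v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=Constructed Channel 1\r\n"
            b"c=IN IP4 239.1.1.1/16\r\nt=0 0\r\nm=video 4444 RTP/AVP 33\r\n")

if __name__ == "__main__":
    print(parse_sap(SAMPLE))
```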



