Multicast through ASA5510 and Cisco3560

TacioNuvolari · ‎08-01-2008

There is a network in attachment.

ISP broadcasts around 9 video multicast (addresses listed in the picture). ASA5510 8.0 (3) gets all multicasts. At ASA is set PAT for the internal network. The internal network has about 10 VLans and they all terminated on Cisco 3560 (ADVIPSERVICESK9-M, Version 12.2(44)SE2). Each Cisco 2960 has about up to 5 Vlans.

Objective: to distribute multicasts to end users at their request (for example, for those who are on vlan 4).

What I did:

At Cisco 3560

[code] ip multicast-routing distributed

!

interface Vlan4

description workers_vl

ip address 10.0.0.69 255.255.255.192

ip pim passive

!

interface Vlan900

description To Firewall

ip address 10.0.2.5 255.255.255.248

ip pim sparse-dense-mode

! [/ code]

At ASA5510:

[code] multicast-routing

!

interface Ethernet0 / 1

speed 1000

nameif Internet

security-level 5

ip address 82.179.x.x 255.255.255.240

igmp join-group 225.10.20.1

!

pim rp-address 82.179.y.y

! [/ code]

But with such settings end-users do not receive the video.

[code] asa5510 # sh mroute

Multicast Routing Table

Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group,

C - Connected, L - Local, I - Received Source Specific Host Report,

P - Pruned, R - RP-bit set, F - Register flag, T - SPT-bit set,

J - Join SPT

Timers: Uptime / Expires

Interface state: Interface, State

(*, 225.10.20.1), 07:07:32 / never, RP 82.179.y.y, flags: SCLJ

Incoming interface: Internet

RPF nbr: 82.179.y.y

Outgoing interface list:

(192.168.10.20, 225.10.20.1), 04:16:23 / 00:02:50, flags: SJT

Incoming interface: Internet

RPF nbr: 82.179.y.y

Immediate Outgoing interface list: Null

asa5510 # sh pim neighbor

Neighbor Address Interface Uptime Expires DR pri Bidir

82.179.yy Internet 04:17:07 00:01:37 N / A

10.0.2.5 Firewall 04:21:51 00:01:26 1 (DR) [/ code]

[code] 3560 # sh ip mroute

IP Multicast Routing Table

Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,

L - Local, P - Pruned, R - RP-bit set, F - Register flag,

T - SPT-bit set, J - Join SPT, M - MSDP created entry,

X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,

U - URD, I - Received Source Specific Host Report,

Z - Multicast Tunnel, z - MDT-data group sender,

Y - Joined MDT-data group, y - Sending to MDT-data group

V - RD & Vector, v - Vector

Outgoing interface flags: H - Hardware switched, A - Assert winner

Timers: Uptime / Expires

Interface state: Interface, Next-Hop or VCD, State / Mode

(*, 239.255.255.255), 00:01:58 / 00:02:10, RP 0.0.0.0, flags: DC

Incoming interface: Null, RPF nbr 0.0.0.0

Outgoing interface list:

Vlan900, Forward / Sparse-Dense, 00:01:58 / 00:00:00

Vlan4, Forward / Sparse-Dense, 00:01:58 / 00:02:10

(*, 239.195.255.255), 00:01:58 / 00:02:12, RP 0.0.0.0, flags: DC

Incoming interface: Null, RPF nbr 0.0.0.0

Outgoing interface list:

Vlan900, Forward / Sparse-Dense, 00:01:58 / 00:00:00

Vlan4, Forward / Sparse-Dense, 00:01:58 / 00:02:12

(*, 225.10.20.1), 00:01:50 / 00:02:08, RP 0.0.0.0, flags: DC

Incoming interface: Null, RPF nbr 0.0.0.0

Outgoing interface list:

Vlan900, Forward / Sparse-Dense, 00:01:50 / 00:00:00

Vlan4, Forward / Sparse-Dense, 00:01:50 / 00:02:08

(*, 224.0.1.60), 07:14:41 / 00:02:10, RP 0.0.0.0, flags: DC

Incoming interface: Null, RPF nbr 0.0.0.0

Outgoing interface list:

Vlan900, Forward / Sparse-Dense, 04:23:19 / 00:00:00

Vlan4, Forward / Sparse-Dense, 05:05:44 / 00:02:10

3560 # sh ip pim neighbor

PIM Neighbor Table

Mode: B - Bidir Capable, DR - Designated Router, N - Default DR Priority,

P - Proxy Capable, S - State Refresh Capable

Neighbor Interface Uptime / Expires Ver DR

Address Prio / Mode

10.0.2.1 Vlan900 04:23:26 / 00:01:16 v2 1 / [/ code]

Sorry for my bad english...

teru-lei · ‎09-07-2008

I also have similar multicast problem with my FWSM with 4.01 OS. I found that the only thing I can make multicast work is to configure inside and outside interface in the firewall to the same security level (I configure them to both 100), then use "same-security-level permit inter" command, after that, the multicast work. You can still use ACL to control and filter traffic. I am trying to find that if it's a bug

bdube · ‎10-17-2008

In the ASA, as described in the documentation, you should create ACL to permit multicast traffic coming in:

From the 8.0 Config guide:

StepÂ 1- Create an access list for the multicast traffic. You can create more than one entry for a single access list. You can use extended or standard access lists.

â€¢To create a standard access list, enter the following command:

hostname(config)# access-list name standard [permit | deny] ip_addr mask

The ip_addr argument is the IP address of the multicast group being permitted or denied.

â€¢To create an extended access list, enter the following command:

hostname(config)# access-list name extended [permit | deny] protocol src_ip_addr src_mask dst_ip_addr dst_mask

The dst_ip_addr argument is the IP address of the multicast group being permitted or denied.

StepÂ 2- Apply the access list to an interface by entering the following command:

hostname(config-if)# igmp access-group acl

The acl argument is the name of a standard or extended IP access list.

For example, using standard ACL:

access-list Multicast1 standard permit host 225.10.20.1

To the outside interface, apply

igmp access-group Multicast1

Or you can remove all of your previous multicast config and simply put the ASA in multicast Stub Mode with the following command apply to the inside interface:

igmp forward interface outside.

This way, the ASA will simply forward IGMP message from inside to outside. I have not tested it, but I suppose the ASA will open a translation to leave the multicast feed coming in the outside interface. If it's not the case, look about creating a static translation & ACL/Access-group to leave the mcast traffic passing through.