03-20-2009 04:18 AM - edited 03-04-2019 04:01 AM
Hi Pros,
I've been reading many posts regarding distributing multicast from one location to another over the internet.
I understand that multicast is difficult as well as limited (if at all possible) over IPSEC site-to-site VPN. It seems the best possible scenario is to create a GRE Tunnel between two layer3 devices which are linked by separate firewalls with an IPSEC site-to-site in between. The GRE Tunnel may then be encapsulated within an IPSec site-to-site VPN.
Ignoring restrictions on bandwidth etc., I would very much appreciate some comments/advice as to whether this would be possible, and if so, what kind of devices would be recommended.
Regarding the devices, I would think the choice of firewalls used is more important than the layer3 devices (just for info, the layer3 devices are planned to be 3750's with Advanced IPServices IOS).
Comments, suggestions & advice welcomed.
Regards,
03-20-2009 06:47 AM
Hi Mario,
GRE is not supported on 37xx products so you should go with routers like ISRs.
Also another concern is the MTU of the multicast packets. Because of the GRE and IPSec overhead, the GRE endpoints should not accept packets longer than 1400 B. So first be sure PMTUD is working between the GRE endpoint and the local multicast sources. If it's not working and if the multicast application runs on top of TCP (not very common), you can spoof the TCP MSS with the following command on the tunnel interface:
int tunnel0
 ip tcp adjust-mss 1360
 ip mtu 1400
!
If it's UDP, the multicast application should be configured not to send packets larger than 1400 B.
Last point is RPF: if your unicast traffic is not using the GRE tunnel, you will need static mroutes.
HTH
Laurent.
03-27-2009 03:44 AM
Hi,
I've been doing loads of reading and testing since sending my original question.
In fact, it seems the 3750's do support GRE tunnels - At least with the "IP Services" IOS. The option is available when configuring the Tunnel interface.
I get your point regarding the MTU, and I'll look into it once I get multicast flowing between sites.
I've managed to create the GRE tunnel (also between two ISR's), and enabled PIM on the respective interfaces (including the Tunnel interface), but the multicast does not arrive across the link. I can, however ping / ftp / telnet freely between sites.
I've attached a configuration of what's in place for the "left side" and the "right side" routers. I hope I've made it self-explanatory and should help someone with more experience than me see where I'm going wrong.
I think I am failing on the RPF, but I'm not 100% sure.
In the attached configuration, I am not sure of the ip mroute address that should be used on the "right side", and this is where I think I may be going wrong.
Note** - from my original posting, the multicast RP is remote to a local router on the "left side" LAN. My thinking is that the "right side" sends a "join" across the VPN, and the PIM in the LAN on the "left side" responds to the join request as it does for existing multicast requestors. No direct access to the RP should be needed from the "right side" as far as I can see.
I am pretty sure I am almost there with the attached configuration. Just one or two minor details missing.
Please let me know if I can provide more info to help me resolve this.
Regards,
Mario
03-27-2009 06:41 AM
Hi Mario.
Even if it's working, GRE on 3750 is not supported and the performance is very poor, so if you want a design supported by the TAC, you should go with ISR.
Regarding your configuration:
- pim bidir-enable is not necessary as you are doing PIM-SM.
- mroutes are necessary if your unicast traffic to the source and to the RP is using a different path. If this traffic is also using the tunnel, mroutes are not necessary.
- Your RP configuration is missing:
ip pim rp-address x.x.x.x
Here is a configuration example:
http://www.cisco.com/en/US/tech/tk828/technologies_configuration_example09186a00801a5aa2.shtml
Thanks
Laurent.
03-27-2009 07:19 AM
Hi Laurent,
Thanks. Point taken regarding the 3750, I'll stick with the ISR's.
The example you've provided is one of the papers I've been going over.
From what you are saying, I think I am not yet properly understanding the first steps of how Multicast moves from a Source to Receivers.
If the RP was within my LAN on the "left side", I don't believe I would be having a problem, I think I'm struggling with this because the RP is in a remote location to the router/LAN on the "left side" of the VPN.
Between the "left side" LAN and remote RP, there is a local router that has the RP info, and is providing the multicast to clients locally on the "left".
I have no control over the remote RP access lists etc.
If I had the "ip pim rp-address x.x.x.x" on the "right side" router, the RP would not recognise the source IP address and drop the request.
...Unless what should happen is that I put a routing entry on the "right side" router for the IP / Network of the RP along the Tunnel interface. In the left LAN, I enable routing to the RP via the router with the RP info?
Am I running myself round in circles with this?
My aim is simply to "feed off" the multicast subscription from the router currently providing multicast to the clients on the "left side".
03-27-2009 06:45 AM
In fact, it seems the 3750's do support GRE tunnels - At least with the "IP Services" IOS. The option is available when configuring the Tunnel interface.
As Laurent indicated, it is not supported. If you want some documentation on this matter, please refer to this link:
http://www.cisco.com/en/US/products/hw/switches/ps5023/products_tech_note09186a00807213f5.shtml
HTH,
__
Edison.
03-27-2009 07:29 AM
Thanks for confirming that Ediortiz,
The link you provided is very helpful for some other projects I work on too.
If you have time to look at my response to Laurent, do you have any advice / suggestions regarding my issue of receiving multicast?
Initially I thought it was the hardware I was using. After investigating and reading, this should work easily enough with GRE over IPSEC using ISR's, which is what I tested with.
The config I'm using is attached two or three posts up.
Regards,
Mario
03-27-2009 08:05 AM
Please post the output from the following commands at both left and right side router:
show ip mroute
show ip mroute count
show ip pim rp mapping
show ip pim interface
show ip pim neigh
__
Edison.
03-27-2009 08:10 AM
Ok,
I'll only be able to run through another test on Monday evening.
I'll post the results then.
Thanks,
Mario
03-27-2009 08:22 AM
There are several ways of testing multicast over GRE/IPSec:
1- Use Microsoft Windows Media Server on Windows 2003 on one end and Windows Media Player on the other end,
2- Use IPerf.
Both of these are free.
03-27-2009 05:36 PM
Thanks for the tip.
I've actually also recently found a really handy multicast server/client freely available off Nortel's website. It allows you to create a multicast source server with various parameters (multicast address, port, bandwidth etc.), and then use the client part to subscribe to the stream.
Let me know if you would like the link.
Regards,
Mario
03-31-2009 01:42 AM
Hi Edison / Laaubert,
I managed to get this working last night.
I started back with the basics and realized I was going wrong in the routing to the rp.
Thank you for taking the time to respond to my queries. Your comments helped me solve this.
Regards,
Mario
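Added example, not part of the original thread and not Mario's attached configuration (which is not on the page): a "right side" router sketch that combines the points raised above, namely PIM on the tunnel, the 1400 B tunnel MTU, a static RP, and unicast or multicast routing toward the RP and source through the tunnel so that RPF passes. All addresses and interface names are constructed placeholders.

```ios
! Right-side router (receivers). Constructed placeholder addressing:
!   198.51.100.1   RP, reachable only through the left side
!   192.0.2.0/24   left-side multicast source network
!   10.10.0.2      left-side GRE endpoint (inside address)
!   10.255.0.0/30  tunnel subnet
ip multicast-routing
!
interface GigabitEthernet0/0
 description Toward local firewall / IPSec site-to-site
 ip address 10.20.0.2 255.255.255.0
!
interface GigabitEthernet0/1
 description Receiver LAN
 ip address 10.20.1.1 255.255.255.0
 ip pim sparse-mode
!
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 ! PIM must run on the tunnel so joins travel to the left side
 ip pim sparse-mode
 ! Leave room for GRE and IPSec overhead
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 10.10.0.2
!
! Static RP, the same address the left-side routers use
ip pim rp-address 198.51.100.1
!
! Option A: unicast to the RP and source follows the tunnel,
! so the RPF check passes without static mroutes
ip route 198.51.100.1 255.255.255.255 Tunnel0
ip route 192.0.2.0 255.255.255.0 Tunnel0
!
! Option B: unicast uses a different path; point only the
! multicast RPF lookup at the tunnel instead
! ip mroute 198.51.100.1 255.255.255.255 Tunnel0
! ip mroute 192.0.2.0 255.255.255.0 Tunnel0
```

To check the result, `show ip rpf 198.51.100.1` should report Tunnel0 as the RPF interface, and `show ip pim neigh` should list the left-side router across the tunnel.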