CCIE Security - Cisco ASA Stub Multicast Routing

Cisco ASA Stub Multicast Routing

Cisco ASA supports PIM and SMR, but cannot run both on a single security appliance.

SMR (Stub Multicast Routing) allows end stations, like user PCs, to register for multicast streams via IGMP. When the ASA uses SMR, it acts as an IGMP proxy:

  • takes IGMP queries from multicast routers and forwards them to end users.
  • takes IGMP reports from end users and forwards them to the multicast router.

# multicast-routing
  • allows the appliance to process and forward multicast packets.
  • automatically enables PIM and IGMPv2 (IGMPv1 is disabled by default).
# int e0/1 // interface where the IGMP end stations are = inside
# igmp forward interface <outside> // interface to the multicast router
# igmp join-group <multicast-group-address>

The "igmp join-group" command is used for testing purposes, to ensure that multicast traffic reaches the ASA appliance.




Cisco ASA Multicast configuration

In this example, the multicast sender is on the outside of the security appliance and hosts on the inside are attempting to receive the multicast traffic. The multicast group address is 224.1.2.3. The RP address is 172.16.2

multicast-routing // enables multicast
access-list OUTSIDE permit ip any host 224.1.2.3 // allow multicast messages to group 224.1.2.3 through
access-group OUTSIDE interface outside in
pim rp-address 172.16.1.2
mroute 172.16.1.2 255.255.255.255 outside // define the route to the RP. If a route is already available through the IGP, skip this step
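A small Python audit of an ASA multicast configuration, added here as an example (it is not from the original notes or from Cisco). It applies the rules stated in these notes: multicast-routing must be on, PIM and SMR cannot both be configured on one appliance, and the ACL applied inbound should permit the specific group rather than any destination. The sample config is constructed from the commands above, with an SMR line added to trigger the conflict check.

```python
import ipaddress

# Constructed sample, not from the notes: the PIM setup above plus an SMR
# 'igmp forward interface' line, so the PIM/SMR conflict check has a hit.
SAMPLE_CONFIG = """\
multicast-routing
access-list OUTSIDE permit ip any host 224.1.2.3
access-group OUTSIDE interface outside in
pim rp-address 172.16.1.2
mroute 172.16.1.2 255.255.255.255 outside
interface Ethernet0/1
 igmp forward interface outside
"""

def _endpoint(tok, i):
    """ACL address starting at tok[i]: (None for 'any' | ip_network, index after it)."""
    if tok[i] in ("any", "any4"):
        return None, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def audit_asa_multicast(config: str) -> list:
    """Return finding codes for an ASA multicast config, applying the rules in the notes."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    if "multicast-routing" not in lines:
        findings.append("multicast-routing-missing")       # PIM/IGMP cannot run without it
    has_pim = any(l.startswith("pim rp-address ") for l in lines)
    has_smr = any(l.startswith("igmp forward interface ") for l in lines)
    if has_pim and has_smr:
        findings.append("pim-and-smr-both-configured")     # the ASA supports one or the other
    # Each inbound ACL must permit the group; a destination of 'any' is broader than needed.
    for tok in (l.split() for l in lines):
        if tok[0] != "access-group" or tok[-1] != "in":
            continue
        acl, permits_mcast = tok[1], False
        for t in (a.split() for a in lines):
            if t[:2] != ["access-list", acl] or "permit" not in t or "remark" in t:
                continue
            _, i = _endpoint(t, t.index("permit") + 2)     # skip protocol, then source
            dst, _ = _endpoint(t, i)
            if dst is None:
                findings.append(f"{acl}-permits-any-destination")
            if dst is None or dst.overlaps(ipaddress.ip_network("224.0.0.0/4")):
                permits_mcast = True
        if not permits_mcast:
            findings.append(f"{acl}-has-no-multicast-permit")
    return findings
```

Running it on SAMPLE_CONFIG reports only the PIM/SMR conflict; remove the igmp line and the config passes clean.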

Note: A "transparent" mode ASA does not support multicast routing, but you can configure an ACL to pass multicast traffic.

If you run into a problem setting up multicast through the ASA, capture some traffic to see whether multicast traffic is indeed reaching your ASA, on both interfaces:

access-list CAPTURE permit ip any host 224.1.2.3
capture CAPOUT interface outside access-list CAPTURE
capture CAPIN interface inside access-list CAPTURE
show capture CAPOUT
show capture CAPIN



Multicast Fundamentals

There are two ways to distribute multicast traffic across networks:

  • Source Trees - the multicast transmitter sends messages to all receivers directly, with the tree rooted at the transmitter address. (S,G)
  • Shared Trees - the multicast transmitter sends messages to a central host, called the Rendezvous Point (RP), which in turn forwards the multicast traffic to all group participants. (*,G)


There are 3 multicast modes that a router can be in:

  • Dense - utilized by PIM DM - uses push with the Source Trees.
  • Sparse - utilized by PIM SM - uses pull with the Shared Trees. Multicast traffic is not wanted unless requested with a JOIN message. Uses RPs.
  • Sparse-Dense - uses Sparse mode, but when Sparse mode is unavailable it switches to Dense mode.

RP - a temporary way to connect to an existing shared multicast tree through the rendezvous point. Later, once the receiver has joined a source-specific tree, the feed through the RP is dropped.

There are 3 ways to define the RP:

  • Manually on each multicast router:
    ip pim rp-address <172.0.1.2/rp-ip-address>
  • AutoRP - (Cisco proprietary) - RP info is automatically distributed to multicast routers by Mapping Agents. Mapping Agents receive announcements from potential RPs, and then send out the RP information. The candidate RP with the highest IP address will be announced.
    224.0.1.39 - potential RPs send their info to this address.
    224.0.1.40 - Mapping Agents send RP information to this address.
    RPRouter# ip pim send-rp-announce Lo0 scope 16 group-list 10
    RPRouter# access-list 10 permit 239.0.0.0 0.255.255.255
    MappingAgentRouter# ip pim send-rp-discovery scope 16
  • Bootstrap Router - (IETF) - Works only with PIMv2.
    Simplifies AutoRP.
    Enable Mapping Agent on each RP!
    Enable several BSRs:
    # ip pim bsr-candidate Lo0 <subnet_mask_bits> <priority>
    Configure several RPs:
    # ip pim rp-candidate Lo0 <multicast-group-ip> <bidir>
    BSRs flood all PIM routers address 224.0.0.13
