IP Multicast

IP multicast provides the capability to transmit information to multiple devices in the network by efficiently utilizing bandwidth. Several video and audio applications use IP multicast as their method of communication. Many other applications, such as database replication software and emergency alert systems, also operate using IP multicast.

Traditionally, a multicast device communicates with a group of receivers by using an associated Layer 3 Class D address. The lowest bit of the first byte of the Ethernet multicast destination addresses must be a 1, which allows the device to differentiate between multicast and unicast packets.

Multicast has a mechanism that tells the network about what hosts are members of a specific group. This technique prevents unnecessary flooding. The Internet Group Multicast Protocol (IGMP) is the protocol used to prevent unnecessary flooding. IGMP is defined in RFC 2236.

IGMP

To join a specific multicast group, a host sends an IGMP report or join message to the routing device. The routing device sends query messages to discover which devices are still associated to a specific group. The host sends a response to the router query if it wants to continue to be a member of the specific group. If the router does not receive a response, it prunes the group list. This minimizes unnecessary transmissions.

The Cisco ASA can be configured as an IGMP proxy. It can forward IGMP messages from the downstream hosts. Additionally, it can send multicast transmissions from upstream routers. It can also be configured to statically join a multicast group.

IP Multicast Routing

In IP multicast routing, the network must be able to assemble packet distribution trees that identify a unique forwarding path between the source and each subnet containing members of the multicast group. One of the key objectives in the creation of distribution trees is to allow at least one copy of each packet to be forwarded to each branch of the tree. Several IP multicast protocols exist, but the most commonly used is Protocol Independent Multicast (PIM).

There are two different flavors of PIM routing protocols:

Dense mode (PIM-DM)� Routers running DM routing protocols are required to forward multicast traffic to each group by assembling distribution trees. This is done by flooding the entire network. Subsequently, they prune all the paths that do not have any receivers.
Sparse mode (PIM-SM)� The SM protocols require that few routers in the network will be drawn in each multicast group. SM IP multicast routing protocols start with an empty distribution tree and add only devices that specifically request to join the distribution.

Cisco ASA supports PIM-SM as the multicast routing protocol. It can use unicast routing information base (RIB) or multicast-capable RIB (MURIB) to route multicast packets. PIM-SM assembles unidirectional joint trees rooted at a rendezvous point (RP) per multicast group. Additionally, it can create shortest-path trees (SPTs) per each source.

Configuring Multicast Routing

This section includes the necessary steps to configure multicast routing using the CLI. You can also configure multicast routing using the Cisco Adaptive Security Device Manager (ASDM), which is covered in Chapter 19, "Firewall Management Using ASDM."

Enabling Multicast Routing

The first step to configure IP multicast routing on the Cisco ASA is to enable it by invoking the multicast-routing command in global configuration mode. Example 6-31 shows how to enable multicast routing on the Cisco ASA.

Example 6-31. Enabling Multicast Routing

Chicago(config)# configure terminal

Chicago(config)# multicast-routing

Chicago(config)# exit

To disable IP multicast routing, use the no multicast-routing command.

Note

The multicast-routing command enables IGMP on all interfaces by default. To disable IGMP on a specific interface, use the no igmp subinterface command.

The multicast-routing command enables PIM on all interfaces by default. If configured globally, use the no pim interface command to disable PIM on a specific interface.

Statically Assigning an IGMP Group

You can configure the Cisco ASA to statically join a specific multicast group. This can be accomplished by using the igmp static-group command in interface configuration mode. Example 6-32 shows how to statically assign an IGMP group in the Cisco ASA.

Example 6-32. Statically Assigning an IGMP Group

interface GigabitEthernet0/1

 igmp static-group 239.0.10.1

In Example 6-32, the statically configured group in interface GigabitEthernet0/1 is 239.0.10.1.

Limiting IGMP States

The IGMP State Limit feature provides protection against DoS attacks when attackers use IGMP packets. You can use the igmp limit command in interface configuration mode to limit the number of hosts allowed to join the multicast group on a per-interface basis. Example 6-33 shows how to configure this feature.

Example 6-33. Limiting IGMP States

Chicago(config)# interface GigabitEthernet0/1

Chicago(config-if)# igmp limit 100

In Example 6-33, the limit is set to 100 states. The maximum number of IGMP states allowed on an interface is 500. The default is 0 (unlimited).

IGMP Query Timeout

In the Cisco ASA, you can configure the timeout period before the security Cisco ASA takes over as the multicast query router for the configured interface. To do this, use the igmp query-timeout command in interface configuration mode. The range is from 60 to 300 seconds. The default is 255 seconds. Example 6-34 shows how to configure this feature with the query timeout value of 100 seconds.

Example 6-34. IGMP Query Timeout

Chicago(config)# interface GigabitEthernet0/1

Chicago(config-if)# igmp query-timeout 100

Defining the IGMP Version

Cisco ASA supports IGMP versions 1 and 2. IGMP version 2 is the default. To specify the version you want, use the igmp version interface subcommand. Example 6-35 demonstrates how to specify IGMP version 1 on the GigabitEthernet0/1 interface.

Example 6-35. Defining the IGMP Version

Chicago(config)# interface GigabitEthernet0/1

Chicago(config-if)# igmp version 1

Configuring Rendezvous Points

Rendezvous points (RPs) are used as a temporary way to connect a multicast receiver to an existing shared multicast tree. The pim rp-address command configures the address of a PIM RP for a particular group. Example 6-36 demonstrates how to configure a PIM RP for a particular group.

Example 6-36. Configuring a PIM RP

Chicago# configure terminal

Chicago(config)# pim rp-address 192.168.10.2 bidir

In Example 6-36 a PIM RP with IP address 192.168.10.2 is configured. The bidir keyword indicates that the specified multicast groups operate in bidirectional mode. If the command is configured without this option, the specified groups operate in PIM sparse mode.

Note

You can, optionally, configure an ACL defining the groups that should map to the given RP. If no ACL is specified, the RP is used for all available groups.

Configuring Threshold for SPT Switchover

The pim spt-threshold command can be used to specify when a PIM leaf router should join the shortest-path source tree for a specific multicast group. The following is the command syntax:

  pim spt-threshold infinity [group-list acl]

The infinity keyword forces the PIM router to always use the shared tree instead of switching to the shortest-path source tree. This command can be associated with a group list by using the group-list acl optional tag. This dictates which groups the threshold applies to, as specified by a previously configured ACL. If no ACL is configured, the threshold applies to all groups. To restore the default value, use the no form of this command.

Filtering RP Register Messages

The pim accept-register command can configure a candidate RP to filter PIM register messages. The following is the syntax of this command:

  pim accept-register {list acl>| route-map map-name>}

This command can use a preconfigured ACL or a route map to define what will be filtered.

PIM Designated Router Priority

PIM elects a designated router (DR), which is similar to the mechanism in OSPF. You can use the pim dr-priority command in interface configuration mode to set the priority for which a router is elected as the DR. The following is the command syntax:

  pim dr-priority value

The priority value can range from 1 to 4,294,967,295, and the default is 1. The highest value is the priority in the DR election process.

PIM Hello Message Interval

The Cisco ASA sends PIM hello messages to the neighbor routers. To configure the frequency of PIM hello messages, use the pim hello-interval command in interface configuration mode. The following is the command syntax:

  pim hello-interval seconds

The number of seconds that the router waits before sending a hello message can vary from 1 to 3600 seconds. The default is 30 seconds.

Example 6-37 demonstrates all the PIM subcommand options.

Example 6-37. Customizing PIM Values at the Interface Level

interface GigabitEthernet0/1

 nameif inside

 security-level 100

 ip address 192.168.10.1 255.255.255.0

 pim hello-interval 100

 pim dr-priority 5

 pim join-prune-interval 120

In Example 6-37, the PIM hello interval is set to 100 seconds, the DR priority to 5, and the PIM join and prune interval to 120 seconds on interface GigabitEthernet0/1.

Configuring a Static Multicast Route

You can configure a static multicast route entry using the mroute command. The following is the command syntax:

  mroute src mask [in-interface-name] [dense out-interface-name] [distance]

Table 6-6 lists and explains all the available options for the mroute command.

Table 6-6. mroute Command Options
Option
Description
src
IP address of the multicast source.
mask
Subnet mask of the multicast source.
in-interface-name
Incoming interface name for the multicast route.
out-interface-name
Outgoing interface name for the multicast route..
[distance] (optional)
Defines whether a unicast route or a static multicast route should be used for the Reverse Path Forwarding (RPF) lookup. The lower the distance, the higher the preference. A static multicast route takes precedence if it has the same distance as the unicast route. The default distance is 0.

Troubleshooting IP Multicast Routing

This section includes detailed information on several commands and mechanisms that are useful while troubleshooting IP multicast routing problems in the Cisco ASA.

One of the most common interoperability issues between the Cisco ASA and older Cisco IOS router versions is that the register messages were generated differently. The Cisco ASA and newer versions of Cisco IOS generate PIM RFC�compliant registers. To generate registers that are compatible with older versions of Cisco IOS, use the pim old-register-checksum command.

show Commands

The following show commands help you to monitor and view the current multicast (PIM or IGMP) configuration information:

show pim df� Shows bidirectional PIM designated forwarder (DF) information
show pim group-map� Displays PIM group-to-protocol mapping information
show pim interface� Displays PIM interface information
show pim join-prune statistic� Shows PIM join/prune information
show pim neighbor� Displays PIM neighbor information
show pim range-list� Shows PIM range-list information
show pim topology� Displays the PIM topology table information
show pim traffic� Displays PIM traffic counters
show pim tunnel� Lists information about the PIM tunnel interfaces
show igmp groups� Displays group membership information
show igmp interface� Provides interface IGMP information
show igmp traffic� Displays traffic counters
show mroute� Displays the contents of the multicast routing table:
```
  show mroute source-address group-address [summary] [count] [pruned]
```
To display the active multicast streams, use the show mroute [group] active [kbps] syntax of this command. The active multicast streams whose data rate is greater or equal to the specified value in kbps will be displayed. The default kbps is 4.

show mroute summary� Displays a summary of the multicast routing table:

Chicago# show mroute summary

Multicast Routing Table

Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group,

       C - Connected, L - Local, I - Received Source Specific Host Report,

      P - Pruned, R - RP-bit set, F - Register flag, T - SPT-bit set,

      J - Join SPT

T

(*, 224.55.55.55), 23:25:49/never, RP 192.168.10.2, OIF count: 0, flags: BP

debug Commands

The following commands are crucial for debugging IP multicast routing problems:

debug pim� Enables debugging for PIM events
debug pim neighbor� Enables debugging of PIM neighbor events
debug pim group group� Enables PIM protocol activity debugging for only the matching group
debug pim interface interface� Enables debugging of PIM protocol activity for only the specified interface.
debug pim df-election� Enables debugging of PIM DF election exchange messages.
debug mrib route [group]� Enables debugging of MRIB routing activity
debug mrib client� Enables debugging of MRIB client management activity
debug mrib io� Enables debugging of MRIB I/O events
debug mrib table� Enables debugging of MRIB table management activity

Take into consideration the amount of traffic that is passing through the Cisco ASA and other activity before enabling some of the previously mentioned debug commands.

< Day Day Up >