Multicast ip-pim-sparse mode
Hi, are my considerations about the multicast protocol correct?
As for the command "ip pim rp-address 173.17.2.1 VALID_GROUP", which is on the Padriciano site, I did a search and, practically, it automatically creates a tunnel interface.
This, as I said, is what you need to create/enable multicast. Since this is CCNP R&S material I don't know the different syntax, but "PIM" stands for Protocol-Independent Multicast.
Because you don't often deal directly with multicast I explain it below, but it is also a reality check for me:
Multicast uses the connectionless protocol UDP for transport (transport layer, Layer 4, L4) and allows you to deliver the same packet to multiple nodes with a single transmission; UDP does not guarantee delivery. You can think of multicast as a modified broadcast.
For example: if you have 6 nodes (node = router), for simplicity called ABCDEF, and node A has to send a packet only to nodes BCDF (excluding node E), then with multicast the packet is sent only once and is delivered to all the hosts BCDF.
That's the theory, but in practice I do NOT know the specific ip pim commands, since they are CCNP R&S material.
>> A concrete example of multicast: the election of the DR (Designated Router) and the BDR (Backup Designated Router) in multiaccess networks (such as Frame Relay networks) with OSPF.
All routers in the network that are NOT DR or BDR are DROthers (read as DR-Others). The DROthers can only communicate with the DR (and simultaneously with the BDR).
This feature allows you to NOT flood the LSAs (Link State Advertisements) to all routers in the network: only the DROthers send their LSAs to the DR and BDR, using the IPv4 multicast address 224.0.0.6 or the IPv6 multicast address ff02::6.
>> 224.0.0.6 and ff02::6 = all DR routers
When the DR receives these packets it is responsible for forwarding the LSAs to all other routers. The DR uses the IPv4 multicast address 224.0.0.5 or the IPv6 multicast address ff02::5. The end result is that there is only one router that does the flooding of all LSAs in the multiaccess network.
>> 224.0.0.5 and ff02::5 = all OSPF routers
ip multicast-routing
interface GigabitEthernet0/1.134
description LAN EDA
encapsulation dot1Q 134
ip address 134.1.192.31 255.255.255.240
no ip redirects
ip directed-broadcast
standby 134 ip 134.1.192.33
standby 134 timers msec 300 msec 950
standby 134 priority 90
standby 134 preempt delay reload 10
no shutdown
router ospf 1
network 134.1.192.32 255.255.255.240 area 15 ! LAN PMU
! Available Routing Multicast for LAN EDA
ip multicast-routing
interface GigabitEthernet0/0
ip pim sparse-mode
interface GigabitEthernet0/1.500
ip pim sparse-mode
interface Serial0/1/0.36 point-to-point
ip pim sparse-mode
interface GigabitEthernet0/1.134
ip pim sparse-mode
ip igmp join-group 224.0.224.1
ip pim rp-address 173.17.2.1 VALID_GROUP
ip access-list standard VALID_GROUP
permit 224.0.224.1
router ospf 1
network 134.1.192.32 255.255.255.240 area 15 ! LAN PMU
! Available Routing Multicast for LAN EDA
ip multicast-routing
interface GigabitEthernet0/0
ip pim sparse-mode
interface GigabitEthernet0/1.500
ip pim sparse-mode
interface Serial0/1/0.39 point-to-point
ip pim sparse-mode
interface GigabitEthernet0/1.134
ip pim sparse-mode
ip igmp join-group 224.0.224.1
ip pim rp-address 173.17.2.1 VALID_GROUP
ip access-list standard VALID_GROUP
permit 224.0.224.1
I did some simulated tests and I think I figured out why one IP address is assigned instead of another.
Given that the interface Tunnel0 is created when you type the command "ip pim rp-address 173.17.2.1 VALID_GROUP", in the tests I've done Tunnel0 binds to the IP address associated with FastEthernet0/0.
R-SCTI-PADRICIANO-1#sh ip int b
>> Interface IP-Address OK? Method Status Protocol
>> FastEthernet0/0 173.27.200.22 YES manual up up
>> FastEthernet0/1 unassigned YES manual up up
>> FastEthernet0/1.20 172.27.195.118 YES manual up up
>> FastEthernet0/1.30 172.27.230.100 YES manual up up
>> FastEthernet0/1.31 173.27.254.118 YES manual up up
>> FastEthernet0/1.32 173.27.216.28 YES manual up up
>> FastEthernet0/1.134 134.1.192.33 YES manual up up
>> FastEthernet0/1.500 172.27.250.37 YES manual up up
>> Serial1/0 unassigned YES unset administratively down down
>> Serial1/1 unassigned YES unset administratively down down
>> Serial1/2 unassigned YES unset administratively down down
>> Serial1/3 unassigned YES unset administratively down down
>> Loopback0 172.27.254.10 YES manual up up
>> Tunnel0 173.27.200.22 YES unset up down
R-SCTI-PADRICIANO-1#conf t
>> R-SCTI-PADRICIANO-1(config)#int f0/0
>> R-SCTI-PADRICIANO-1(config-if)#sh
>> *Feb 6 16:09:31.439 CET: %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
>> *Feb 6 16:09:32.439 CET: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
>> R-SCTI-PADRICIANO-1(config-if)#do sh ip int b
>> Interface IP-Address OK? Method Status Protocol
>> FastEthernet0/0 173.27.200.22 YES manual administratively down down
>> FastEthernet0/1 unassigned YES manual up up
>> FastEthernet0/1.20 172.27.195.118 YES manual up up
>> FastEthernet0/1.30 172.27.230.100 YES manual up up
>> FastEthernet0/1.31 173.27.254.118 YES manual up up
>> FastEthernet0/1.32 173.27.216.28 YES manual up up
>> FastEthernet0/1.134 134.1.192.33 YES manual up up
>> FastEthernet0/1.500 172.27.250.37 YES manual up up
>> Serial1/0 unassigned YES unset administratively down down
>> Serial1/1 unassigned YES unset administratively down down
>> Serial1/2 unassigned YES unset administratively down down
>> Serial1/3 unassigned YES unset administratively down down
>> Loopback0 172.27.254.10 YES manual up up
>> Tunnel0 172.27.250.37 YES unset up down
>>
>> IP address Tunnel0 = IP address FastEthernet0/1.500
Well, this all looks like it has to be. What confuses you?
Tun0 is created by the PIM process to decapsulate multicast traffic coming to the RP from the source router. It doesn't matter what IP is used inside this interface.
Similar Messages
-
Will up coming 9.0 release support multicast in multi-context mode?
I understand that in 8.4 multicast is not support in multi-context mode. How about the up-and-coming release of 9.0?
No, multicast is still not supported on multi context mode in the upcoming 9.0 release.
However, IPSec LAN-to-LAN VPN is supported on multi context mode. -
How to protect a PIM-SM network from unauthorized pim routers and multicast sources?
Hi,
we're using pim sparse mode in a customer network with catalyst 2/3/4/6K switches, all multicast routers are redundant with pim dr running for access subnets. RPs are configured with anycast rp.
A) Is there any possibility to prevent rogue PIM routers/IGMP queriers connected to host ports from getting connected to the legal PIM routers and from getting involved in the local IGMP traffic?
Maybe like DHCP Snooping used with DHCP. I read that in the latest Sup2T ios (http://www.cisco.com/c/dam/en/us/td/docs/switches/lan/catalyst6500/ios/15-2SY/config_guide/sup2T/15_2_sy_swcg_2T.pdf) there is a feature called 'ipv4 router guard' which does exactly what we're looking for:
'When configured, the Router Guard feature makes the specified port a host port only. The port is prevented from becoming a router port, even if a multicast router control packets are received. In addition, any control packets normally received from multicast routers, such as IGMP queries and PIM joins, will also be discarded by this filter.'
Afaik, PIM authentication isn't supported in current catalyst ios versions.
Using a normal port ACL is not an option in our case because of a management decision.
B) Is there any possibility to prevent (on a per-subnet basis) rogue sources from sending multicast streams to legal multicast-groups?
Maybe, can I configure a svi of a host subnet or a host port to drop any incoming multicast stream while still accepting IGMP and sending out legal multicast streams?
Using the 'ip pim accept-register' command on the RP is not an option because we have tons of legal sources, which would end in a very large, error-prone ACL.
Unfortunately, a normal ACL is not an option here, too.
Best Regards
Thorsten
We use two PIM routers in each host subnet for redundancy; they elect the PIM DR.
Does pim passive mode work here?
(Config Guide: If the ip pim passive command is configured on an interface enabled for IP multicast, the router will operate this interface in PIM passive mode, which means that the router will not send PIM messages on the interface nor will it accept PIM messages from other routers across this interface. The router will instead consider that it is the only PIM router on the network and thus act as the DR and also as the DF for all bidir-PIM group ranges. IGMP operations are unaffected by this command. ... The redundant PIM stub router topology is not supported. The redundant topology exists when there is more than one PIM router forwarding multicast traffic to a single access domain. PIM messages are blocked, and the PIM asset and designated router election mechanisms are not supported on the PIM passive interfaces.)
ip pim neighbor-filter might work to prevent rogue PIM routers from connecting to the legal PIM routers, but wouldn't rogue PIM routers still be able to manipulate the layer 2 switch into sending all IGMP traffic to them and not to the legal PIM routers? -
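Added example, not from this thread or from any vendor tooling: a Python script that parses the `show ip pim neighbor` table (the same layout that appears later on this page) and compares each neighbour against a per-interface allowlist. This is the periodic check a defender can run to catch a PIM router that has peered with the legitimate ones, or has won the DR election, without being on the expected list. The sample table, the allowlist and the 172.25.24.250 neighbour are constructed.

```python
"""Flag unexpected PIM neighbours in `show ip pim neighbor` output.

Added example (not from the thread): parses the IOS neighbour table and
compares every neighbour against a per-interface allowlist, the check a
defender would run to spot a rogue PIM router that has managed to peer
with the legitimate routers.
"""
import re

# Constructed sample in the layout IOS prints for `show ip pim neighbor`.
# 172.25.24.3 on Vlan24 is the expected peer; 172.25.24.250 is a constructed
# unexpected neighbour that has shown up claiming a higher DR priority.
SAMPLE = """\
PIM Neighbor Table
Mode: B - Bidir Capable, DR - Designated Router, N - Default DR Priority,
      P - Proxy Capable, S - State Refresh Capable, G - GenID Capable
Neighbor          Interface                Uptime/Expires    Ver   DR
Address                                                            Prio/Mode
172.25.18.3       Vlan18                   29w4d/00:01:36    v2    1 / DR S P G
172.25.24.3       Vlan24                   29w4d/00:01:32    v2    1 / S P G
172.25.24.250     Vlan24                   00:00:40/00:01:25 v2    100 / DR S P G
"""

# Expected PIM neighbours per interface (constructed allowlist).
EXPECTED = {
    "Vlan18": {"172.25.18.3"},
    "Vlan24": {"172.25.24.3"},
}

# One neighbour row: address, interface, uptime/expires, version, prio / mode flags.
ROW = re.compile(
    r"^(?P<addr>\d+\.\d+\.\d+\.\d+)\s+(?P<intf>\S+)\s+"
    r"(?P<uptime>\S+)/(?P<expires>\S+)\s+v(?P<ver>\d)\s+"
    r"(?P<prio>\d+)\s*/\s*(?P<mode>.*)$"
)


def parse_neighbors(text):
    """Return one dict per neighbour row; header lines do not match and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            d = m.groupdict()
            d["prio"] = int(d["prio"])
            d["is_dr"] = "DR" in d["mode"].split()
            rows.append(d)
    return rows


def audit(rows, expected):
    """Return findings as tuples: neighbours not on the allowlist for their
    interface, and a second finding when such a neighbour is also the DR."""
    findings = []
    for r in rows:
        allowed = expected.get(r["intf"], set())
        if r["addr"] not in allowed:
            findings.append(("unexpected-neighbor", r["intf"], r["addr"], r["prio"]))
            if r["is_dr"]:
                findings.append(("rogue-dr", r["intf"], r["addr"], r["prio"]))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_neighbors(SAMPLE), EXPECTED):
        print(*finding)
```

The allowlist is keyed per interface on purpose: the page's own neighbour table shows one expected peer per VLAN, so a second address on the same VLAN, or one with a suspiciously high DR priority, is exactly what this report should surface.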
Why do I get %PIM-5-NBRCHG in the logs - 6509-E?
Hello, I just had a look at the logs on a pair of 6509s with SUP-720-3B. They have an EtherChannel between them (just a standard basic campus config, with OSPF) and I get these so frequently. I'm fairly new to the multicast arena so I have no idea why this is happening; could someone perhaps explain what is happening? Why would this just drop for 0.0.0.0 (itself, right?):
6509-1
May 2 21:23:46.697 BST: %PIM-5-NBRCHG: neighbor 0.0.0.0 UP on interface Vlan24
May 2 21:23:46.701 BST: %PIM-5-NBRCHG: neighbor 0.0.0.0 DOWN on interface Vlan24 non DR
May 2 21:24:16.697 BST: %PIM-5-NBRCHG: neighbor 0.0.0.0 UP on interface Vlan24
May 2 21:24:16.701 BST: %PIM-5-NBRCHG: neighbor 0.0.0.0 DOWN on interface Vlan24 non DR
May 2 21:24:46.697 BST: %PIM-5-NBRCHG: neighbor 0.0.0.0 UP on interface Vlan24
May 2 21:24:46.701 BST: %PIM-5-NBRCHG: neighbor 0.0.0.0 DOWN on interface Vlan24 non DR
May 2 21:25:16.701 BST: %PIM-5-NBRCHG: neighbor 0.0.0.0 UP on interface Vlan24
May 2 21:25:16.705 BST: %PIM-5-NBRCHG: neighbor 0.0.0.0 DOWN on interface Vlan24 non DR
May 2 21:25:46.697 BST: %PIM-5-NBRCHG: neighbor 0.0.0.0 UP on interface Vlan24
May 2 21:25:46.701 BST: %PIM-5-NBRCHG: neighbor 0.0.0.0 DOWN on interface Vlan24 non DR
May 2 21:26:16.697 BST: %PIM-5-NBRCHG: neighbor 0.0.0.0 UP on interface Vlan24
May 2 21:26:16.701 BST: %PIM-5-NBRCHG: neighbor 0.0.0.0 DOWN on interface Vlan24 non DR
May 2 21:26:46.697 BST: %PIM-5-NBRCHG: neighbor 0.0.0.0 UP on interface Vlan24
May 2 21:26:46.701 BST: %PIM-5-NBRCHG: neighbor 0.0.0.0 DOWN on interface Vlan24 non DR
May 2 21:27:16.697 BST: %PIM-5-NBRCHG: neighbor 0.0.0.0 UP on interface Vlan24
May 2 21:27:16.701 BST: %PIM-5-NBRCHG: neighbor 0.0.0.0 DOWN on interface Vlan24 non DR
May 2 21:27:46.697 BST: %PIM-5-NBRCHG: neighbor 0.0.0.0 UP on interface Vlan24
May 2 21:27:46.701 BST: %PIM-5-NBRCHG: neighbor 0.0.0.0 DOWN on interface Vlan24 non DR
6509-2
May 2 21:34:16.700 BST: %PIM-5-NBRCHG: neighbor 0.0.0.0 UP on interface Vlan24
May 2 21:34:16.704 BST: %PIM-5-NBRCHG: neighbor 0.0.0.0 DOWN on interface Vlan24 non DR
May 2 21:34:46.701 BST: %PIM-5-NBRCHG: neighbor 0.0.0.0 UP on interface Vlan24
May 2 21:34:46.705 BST: %PIM-5-NBRCHG: neighbor 0.0.0.0 DOWN on interface Vlan24 non DR
May 2 21:35:16.713 BST: %PIM-5-NBRCHG: neighbor 0.0.0.0 UP on interface Vlan24
May 2 21:35:16.717 BST: %PIM-5-NBRCHG: neighbor 0.0.0.0 DOWN on interface Vlan24 non DR
May 2 21:35:46.709 BST: %PIM-5-NBRCHG: neighbor 0.0.0.0 UP on interface Vlan24
May 2 21:35:46.713 BST: %PIM-5-NBRCHG: neighbor 0.0.0.0 DOWN on interface Vlan24 non DR
May 2 21:36:16.709 BST: %PIM-5-NBRCHG: neighbor 0.0.0.0 UP on interface Vlan24
May 2 21:36:16.713 BST: %PIM-5-NBRCHG: neighbor 0.0.0.0 DOWN on interface Vlan24 non DR
May 2 21:36:46.709 BST: %PIM-5-NBRCHG: neighbor 0.0.0.0 UP on interface Vlan24
May 2 21:36:46.713 BST: %PIM-5-NBRCHG: neighbor 0.0.0.0 DOWN on interface Vlan24 non DR
It seems exactly every 30 seconds this happens. This is the config for vlan 24
6509-1#show run int vlan 24
Building configuration...
Current configuration : 312 bytes
interface Vlan24
description *** Server VLAN***
ip address 172.25.24.2 255.255.252.0
ip helper-address 172.25.24.137
ip helper-address 172.25.24.138
ip directed-broadcast 110
ip flow ingress
ip flow egress
ip pim sparse-mode
standby 24 ip 172.25.24.1
standby 24 priority 110
standby 24 preempt
end
6509-2#show run int vlan 24
Building configuration...
Current configuration : 311 bytes
interface Vlan24
description *** Server VLAN***
ip address 172.25.24.3 255.255.252.0
ip helper-address 172.25.24.137
ip helper-address 172.25.24.138
ip directed-broadcast 110
ip flow ingress
ip flow egress
ip pim sparse-mode
standby 24 ip 172.25.24.1
standby 24 priority 90
standby 24 preempt
end
6509-1#show ip pim neighbor
PIM Neighbor Table
Mode: B - Bidir Capable, DR - Designated Router, N - Default DR Priority,
P - Proxy Capable, S - State Refresh Capable, G - GenID Capable
Neighbor Interface Uptime/Expires Ver DR
Address Prio/Mode
172.25.18.3 Vlan18 29w4d/00:01:36 v2 1 / DR S P G
172.25.24.3 Vlan24 29w4d/00:01:32 v2 1 / DR S P G
172.25.28.3 Vlan28 29w4d/00:01:26 v2 1 / DR S P G
172.25.32.3 Vlan32 29w4d/00:01:40 v2 1 / DR S P G
172.25.36.3 Vlan36 29w4d/00:01:23 v2 1 / DR S P G
172.25.40.3 Vlan40 29w4d/00:01:43 v2 1 / DR S P G
172.25.44.3 Vlan44 29w4d/00:01:38 v2 1 / DR S P G
172.25.48.3 Vlan48 29w4d/00:01:41 v2 1 / DR S P G
172.25.52.3 Vlan52 29w4d/00:01:27 v2 1 / DR S P G
172.25.56.3 Vlan56 29w4d/00:01:22 v2 1 / DR S P G
172.25.60.3 Vlan60 29w4d/00:01:30 v2 1 / DR S P G
172.25.64.3 Vlan64 29w4d/00:01:21 v2 1 / DR S P G
172.25.68.3 Vlan68 29w4d/00:01:28 v2 1 / DR S P G
172.25.72.3 Vlan72 29w4d/00:01:28 v2 1 / DR S P G
172.25.76.3 Vlan76 29w4d/00:01:16 v2 1 / DR S P G
172.25.84.3 Vlan84 29w4d/00:01:30 v2 1 / DR S P G
192.168.250.3 Vlan590 10w1d/00:01:33 v2 1 / S P G
192.168.250.6 Vlan590 10w1d/00:01:35 v2 1 / DR S P G
192.168.250.5 Vlan590 10w1d/00:01:21 v2 1 / S P G
192.168.240.6 Vlan592 10w1d/00:01:21 v2 1 / DR S P G
192.168.240.5 Vlan592 15w5d/00:01:34 v2 1 / S P G
192.168.240.3 Vlan592 10w1d/00:01:16 v2 1 / S P G
Thank you
B
Please rate useful posts and remember to mark any solved questions as answered. Thank you.
Hello Paul. Thanks for your reply.
I may disagree that the neighbourship is dropping. I have assigned the RP statically and it is not one of the 6509s.
All the other SVIs have the same thing; as you can see from the neighbourship, the PIM neighbours (i.e. 6509-2) have been up for weeks, including VLAN 24.
Why is it only this VLAN 24 that I am getting these logs for?
When there's a neighbourship change with another router, normally we see the address of the attached interface rather than 0.0.0.0. (This is what I have observed anyway)
When we enable PIM sparse mode on an interface, we get the 0.0.0.0 if nothing is connected to the other side?
I also don't understand why there would be consistency. Every 30 seconds or so?
Thank you
Sent from Cisco Technical Support iPhone App -
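Added example, not part of the original post: a parser for the %PIM-5-NBRCHG lines shown above that groups events per interface and neighbour and reports neighbours that go UP and straight back DOWN on a fixed period, so the 30-second pattern B describes can be picked out of a syslog feed automatically rather than by eye. The log lines are constructed copies in the same format; the year supplied to the timestamp parser is an assumption, because IOS timestamps carry none.

```python
"""Detect periodic %PIM-5-NBRCHG neighbour flaps in IOS syslog.

Added example, not from the thread. It parses the log format shown on this
page, groups events per (interface, neighbour), and reports neighbours that
go UP and DOWN again within a second on a near-constant period, which is
the pattern in the 6509 logs (neighbour 0.0.0.0 every 30 seconds).
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines in the same format as the 6509 output in the thread.
SAMPLE_LOG = """\
May 2 21:23:46.697 BST: %PIM-5-NBRCHG: neighbor 0.0.0.0 UP on interface Vlan24
May 2 21:23:46.701 BST: %PIM-5-NBRCHG: neighbor 0.0.0.0 DOWN on interface Vlan24 non DR
May 2 21:24:16.697 BST: %PIM-5-NBRCHG: neighbor 0.0.0.0 UP on interface Vlan24
May 2 21:24:16.701 BST: %PIM-5-NBRCHG: neighbor 0.0.0.0 DOWN on interface Vlan24 non DR
May 2 21:24:46.697 BST: %PIM-5-NBRCHG: neighbor 0.0.0.0 UP on interface Vlan24
May 2 21:24:46.701 BST: %PIM-5-NBRCHG: neighbor 0.0.0.0 DOWN on interface Vlan24 non DR
May 2 21:25:00.100 BST: %PIM-5-NBRCHG: neighbor 172.25.18.3 UP on interface Vlan18
"""

LINE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+\S+:\s+"
    r"%PIM-5-NBRCHG: neighbor (?P<nbr>\d+\.\d+\.\d+\.\d+) (?P<state>UP|DOWN) "
    r"on interface (?P<intf>\S+)"
)


def parse_events(text, year=2000):
    """Return (timestamp, interface, neighbour, state) per NBRCHG line.
    IOS timestamps carry no year, so a fixed one is supplied (assumption)."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S.%f")
        events.append((ts, m["intf"], m["nbr"], m["state"]))
    return events


def find_flapping(events, min_ups=3, period_tolerance=1.0):
    """Return {(interface, neighbour): period_seconds} for neighbours whose
    UP events recur at a near-constant interval and are each followed by a
    DOWN within one second."""
    ups = defaultdict(list)
    downs = defaultdict(list)
    for ts, intf, nbr, state in events:
        (ups if state == "UP" else downs)[(intf, nbr)].append(ts)
    flapping = {}
    for key, up_times in ups.items():
        if len(up_times) < min_ups:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(up_times, up_times[1:])]
        if max(gaps) - min(gaps) > period_tolerance:
            continue  # irregular spacing: a one-off event, not a periodic flap
        quick_down = all(
            any(0 <= (d - u).total_seconds() <= 1 for d in downs.get(key, []))
            for u in up_times)
        if quick_down:
            flapping[key] = round(sum(gaps) / len(gaps), 1)
    return flapping


if __name__ == "__main__":
    for (intf, nbr), period in find_flapping(parse_events(SAMPLE_LOG)).items():
        print(f"{intf}: neighbor {nbr} flaps every {period}s")
```

The period is the useful output: a value that lines up with a timer (here 30 seconds, the default PIM hello interval) points at a protocol-level cause on that one interface rather than a link problem, which is a better starting point for the vendor ticket than the raw log stream.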
DMVPN w/ Multicasting setup/questions
Hello
I have a lot of questions, so bear with me as I get them out of my head.
I have been doing some testing with DMVPN in conjunction with multicasting video (hub and spoke, with no spoke-to-spoke). The test setup is using 2 Cisco 2811s without the VPN module. I understand the performance hit of not having the module. With that being said, here are my questions.
1. With encryption on both the HUB and spoke routers are using 90-97% cpu (8Mb multicast stream). With encryption off, the Hub is around 60%, and spoke around 75%. Here is where i'm confused. If i send that same stream as a unicast stream, w/ encryption on, both the Hub and spoke are only using around 30-35% cpu. Why is there so much more cpu need when its a multicast stream?
2. In the current config i'm seeing input, throttles, and ignore errors on the Hub and spoke. The Hub has these errors on the LAN interface, and the spoke has these errors on the WAN interface. All other interfaces are totally clean. I have checked and there are no duplex or speed mismatches. Any ideas?
HUB:
Current configuration : 1837 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Hub
boot-start-marker
boot-end-marker
logging message-counter syslog
enable password
no aaa new-model
clock timezone Central -6
dot11 syslog
ip source-route
ip cef
no ip domain lookup
ip name-server 8.8.8.8
ip multicast-routing
no ipv6 cef
multilink bundle-name authenticated
voice-card 0
archive
log config
hidekeys
interface Tunnel1
bandwidth 100000
ip address 192.168.11.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 1
ip pim sparse-mode
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 450
no ip route-cache cef
ip tcp adjust-mss 1360
no ip split-horizon eigrp 1
delay 1000
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 100000
tunnel bandwidth transmit 100000
tunnel bandwidth receive 100000
interface FastEthernet0/0 (WAN)
ip address 216.x.x.x 255.255.255.192
ip pim sparse-mode
load-interval 30
duplex auto
speed auto
interface FastEthernet0/1 (LAN)
ip address 128.112.64.5 255.255.248.0
ip pim sparse-mode
load-interval 30
duplex auto
speed auto
router eigrp 1
network 128.112.0.0
network 192.168.11.0
auto-summary
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 216.x.x.x
ip http server
ip http authentication local
ip http secure-server
ip pim rp-address 128.112.64.5 10
access-list 10 permit 239.10.0.0 0.0.255.255
snmp-server community public RO
Spoke:
Current configuration : 1857 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Spoke
boot-start-marker
boot-end-marker
logging message-counter syslog
enable password
no aaa new-model
clock timezone central -6
dot11 syslog
ip source-route
ip cef
no ip domain lookup
ip multicast-routing
no ipv6 cef
multilink bundle-name authenticated
voice-card 0
archive
log config
hidekeys
interface Tunnel1
bandwidth 100000
ip address 192.168.11.2 255.255.255.0
no ip redirects
ip mtu 1400
ip pim sparse-mode
ip nhrp map 192.168.11.1 216.x.x.x
ip nhrp map multicast 216.x.x.x
ip nhrp network-id 1
ip nhrp holdtime 450
ip nhrp nhs 192.168.11.1
no ip route-cache cef
ip tcp adjust-mss 1360
no ip split-horizon eigrp 1
delay 1000
tunnel source FastEthernet0/0
tunnel destination 216.x.x.x
tunnel key 100000
tunnel bandwidth transmit 100000
tunnel bandwidth receive 100000
interface FastEthernet0/0 (WAN)
ip address 65.x.x.x 255.255.255.192
ip pim sparse-mode
load-interval 30
duplex auto
speed auto
interface FastEthernet0/1 (LAN)
ip address 128.124.64.1 255.255.248.0
ip pim sparse-mode
ip igmp join-group 239.10.10.10
load-interval 30
duplex auto
speed auto
router eigrp 1
network 128.124.0.0
network 192.168.11.0
auto-summary
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 65.x.x.x
no ip http server
no ip http secure-server
ip pim rp-address 128.112.64.5 10
access-list 10 permit 239.10.0.0 0.0.255.255
snmp-server community public RO
Joe,
You ask the right question.
CPU utilization = CPU consumed by processes + IO operations (in a huge simplification: CEF)
Typically when a packet is processed by a router we expect it to be processed by CEF, i.e. very fast.
A packet is not processed by CEF:
- when something is missing to route the packet properly (think missing ARP/CAM entry), i.e. an additional lookup needs to be done.
- when a feature requests that the packet be processed/mangled
- when the packet is destined to the router
(And several others, but those are the major ones.)
When a packet is received but cannot be processed by CEF, we "punt the packet to the CPU"; this in turn causes the process CPU to go up.
Now on the spoke this seems to be the problem:
Spoke#show ip cef switching stati
Reason                          Drop       Punt  Punt2Host
RP LES Packet destined for us      0       1723          0
RP LES Encapsulation resource      0    1068275          0
There were also some failures on one of the buffer outputs you've attached.
Typically at this stage I would suggest:
1) "Upgrade" the device to 15.0(1)M6 or 12.4(15)T (latest image in this branch) and check if the problem persists there.
2) If it does, swing it by TAC. I don't see any obvious mistakes, but I'm just a guy in a chair same as you ;-)
Marcin -
hi,
We are getting ready to implement the Nexus 7000 with OTV at two sites. Since multicast is required to support this configuration I am currently testing how to implement SSM multicast on our core network. I am having problems joining the SSM group. Here is the output from the 6509 I am using:
hw-dc-vss-cs6509-1(config-if)#ip igmp join-group 232.1.1.1
Ignoring request to join group 232.1.1.1, SSM group without source specified
hw-dc-vss-cs6509-1(config-if)#ip igmp join-group 232.1.1.1 ?
<cr>
hw-dc-vss-cs6509-1(config-if)#ip igmp join-group 232.1.1.1
As you can see the source option is not available and I can't figure out why.
Here is a copy of my running configuration and the multicast show commands
sh runn
Building configuration...
Current configuration : 6830 bytes
! Last configuration change at 18:37:28 UTC Thu Dec 16 2010
upgrade fpd auto
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service counters max age 5
hostname hw-dc-vss-cs6509-1
boot-start-marker
boot system flash sup-bootdisk:s72033-ipservicesk9_wan-mz.122-33.SXI3.bin
boot-end-marker
security passwords min-length 1
no logging console
enable secret 5 $1$dZ1J$6KkcatZ2tXk055vswN1Kb1
no aaa new-model
ip subnet-zero
ip multicast-routing
mls netflow interface
mls cef error action reset
spanning-tree mode rapid-pvst
spanning-tree portfast edge default
spanning-tree portfast edge bpduguard default
spanning-tree extend system-id
spanning-tree pathcost method long
spanning-tree vlan 1,5,245,501-502 priority 16384
spanning-tree vlan 1,5,245,501-502 forward-time 9
spanning-tree vlan 1,5,245,501-502 max-age 12
diagnostic bootup level minimal
redundancy
main-cpu
auto-sync running-config
mode sso
ip access-list standard ssm-groups
permit 232.0.0.0 0.255.255.255
permit 239.232.0.0 0.0.255.255
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
interface Loopback1
ip address 10.255.255.1 255.255.255.255
interface GigabitEthernet3/1
description adcore-4503 2/1
mtu 9216
ip address 159.233.253.106 255.255.255.252
ip pim sparse-mode
ip igmp version 3
interface GigabitEthernet3/2
description pwcore-6509 3/2
mtu 9216
ip address 159.233.253.110 255.255.255.252
ip pim sparse-mode
ip igmp version 3
interface GigabitEthernet3/3
description p101-4503 1/1
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,5,245,501,502
switchport mode trunk
mtu 9216
spanning-tree guard root
interface GigabitEthernet3/4
no ip address
interface GigabitEthernet3/5
no ip address
interface GigabitEthernet3/6
no ip address
interface GigabitEthernet3/7
no ip address
interface GigabitEthernet3/8
no ip address
interface GigabitEthernet3/9
no ip address
interface GigabitEthernet3/10
no ip address
interface GigabitEthernet3/11
no ip address
interface GigabitEthernet3/12
no ip address
interface GigabitEthernet3/13
no ip address
interface GigabitEthernet3/14
no ip address
interface GigabitEthernet3/15
no ip address
interface GigabitEthernet3/16
no ip address
interface GigabitEthernet3/17
no ip address
interface GigabitEthernet3/18
no ip address
interface GigabitEthernet3/19
no ip address
interface GigabitEthernet3/20
no ip address
interface GigabitEthernet3/21
no ip address
interface GigabitEthernet3/22
no ip address
interface GigabitEthernet3/23
no ip address
interface GigabitEthernet3/24
no ip address
interface GigabitEthernet5/1
no ip address
shutdown
interface GigabitEthernet5/2
no ip address
shutdown
interface GigabitEthernet8/1
switchport
switchport access vlan 5
switchport mode access
interface GigabitEthernet8/2
switchport
switchport access vlan 245
switchport mode access
interface GigabitEthernet8/3
no ip address
shutdown
interface GigabitEthernet8/4
no ip address
shutdown
interface GigabitEthernet8/5
no ip address
shutdown
interface GigabitEthernet8/6
no ip address
shutdown
interface GigabitEthernet8/7
no ip address
shutdown
interface GigabitEthernet8/8
no ip address
shutdown
interface GigabitEthernet8/9
no ip address
shutdown
interface GigabitEthernet8/10
no ip address
shutdown
interface GigabitEthernet8/11
no ip address
shutdown
interface GigabitEthernet8/12
no ip address
shutdown
interface GigabitEthernet8/13
no ip address
shutdown
interface GigabitEthernet8/14
no ip address
shutdown
interface GigabitEthernet8/15
no ip address
shutdown
interface GigabitEthernet8/16
no ip address
shutdown
interface GigabitEthernet8/17
no ip address
shutdown
interface GigabitEthernet8/18
no ip address
shutdown
interface GigabitEthernet8/19
no ip address
shutdown
interface GigabitEthernet8/20
no ip address
shutdown
interface GigabitEthernet8/21
no ip address
shutdown
interface GigabitEthernet8/22
no ip address
shutdown
interface GigabitEthernet8/23
no ip address
shutdown
interface GigabitEthernet8/24
no ip address
shutdown
interface GigabitEthernet8/25
no ip address
shutdown
interface GigabitEthernet8/26
no ip address
shutdown
interface GigabitEthernet8/27
no ip address
shutdown
interface GigabitEthernet8/28
no ip address
shutdown
interface GigabitEthernet8/29
no ip address
shutdown
interface GigabitEthernet8/30
no ip address
shutdown
interface GigabitEthernet8/31
no ip address
shutdown
interface GigabitEthernet8/32
no ip address
shutdown
interface GigabitEthernet8/33
no ip address
shutdown
interface GigabitEthernet8/34
no ip address
shutdown
interface GigabitEthernet8/35
no ip address
shutdown
interface GigabitEthernet8/36
no ip address
shutdown
interface GigabitEthernet8/37
no ip address
shutdown
interface GigabitEthernet8/38
no ip address
shutdown
interface GigabitEthernet8/39
no ip address
shutdown
interface GigabitEthernet8/40
no ip address
shutdown
interface GigabitEthernet8/41
no ip address
shutdown
interface GigabitEthernet8/42
no ip address
shutdown
interface GigabitEthernet8/43
no ip address
shutdown
interface GigabitEthernet8/44
no ip address
shutdown
interface GigabitEthernet8/45
no ip address
shutdown
interface GigabitEthernet8/46
no ip address
shutdown
interface GigabitEthernet8/47
no ip address
shutdown
interface GigabitEthernet8/48
no ip address
shutdown
interface Vlan1
no ip address
shutdown
interface Vlan5
mtu 9216
ip address 159.233.5.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip pim sparse-mode
ip igmp join-group 239.1.1.1
ip igmp version 3
arp timeout 200
interface Vlan245
mtu 9216
ip address 159.233.245.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip pim sparse-mode
ip igmp join-group 239.1.1.1
ip igmp version 3
arp timeout 200
interface Vlan501
mtu 9216
ip address 159.233.62.1 255.255.255.224
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
arp timeout 200
interface Vlan502
mtu 9216
ip address 159.233.1.1 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
arp timeout 200
router eigrp 241
network 159.233.0.0
no auto-summary
redistribute static
ip classless
no ip http server
no ip http secure-server
ip pim rp-address 10.255.255.1
ip pim ssm default
control-plane
dial-peer cor custom
line con 0
line vty 0 4
password f1v3c3nt2
login
line vty 5 15
password f1v3c3nt2
login
end
hw-dc-vss-cs6509-1#
sh ip mroute
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
L - Local, P - Pruned, R - RP-bit set, F - Register flag,
T - SPT-bit set, J - Join SPT, M - MSDP created entry, E - Extranet,
X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
U - URD, I - Received Source Specific Host Report,
Z - Multicast Tunnel, z - MDT-data group sender,
Y - Joined MDT-data group, y - Sending to MDT-data group
V - RD & Vector, v - Vector
Outgoing interface flags: H - Hardware switched, A - Assert winner
Timers: Uptime/Expires
Interface state: Interface, Next-Hop or VCD, State/Mode
(*, 239.1.1.1), 00:20:20/00:02:55, RP 10.255.255.1, flags: SJCL
Incoming interface: Null, RPF nbr 0.0.0.0
Outgoing interface list:
Vlan5, Forward/Sparse, 00:19:14/00:02:55
(*, 239.255.255.250), 00:26:33/00:02:35, RP 10.255.255.1, flags: SP
Incoming interface: Null, RPF nbr 0.0.0.0
Outgoing interface list: Null
(159.233.245.100, 232.1.1.1), 00:06:48/00:02:55, flags: sPT
Incoming interface: Vlan245, RPF nbr 0.0.0.0, RPF-MFD
Outgoing interface list: Null
(*, 224.0.1.40), 02:25:53/00:02:33, RP 10.255.255.1, flags: SJCL
Incoming interface: Null, RPF nbr 0.0.0.0
Outgoing interface list:
GigabitEthernet3/1, Forward/Sparse, 02:25:53/00:02:30
hw-dc-vss-cs6509-1#sj h ip igmp gr
hw-dc-vss-cs6509-1#sh ip igmp groups
IGMP Connected Group Membership
Group Address Interface Uptime Expires Last Reporter Group Accounted
239.1.1.1 Vlan5 00:19:22 00:02:48 159.233.5.1
239.1.1.1 Vlan245 00:20:14 00:02:25 159.233.245.1
239.255.255.250 Vlan245 00:26:41 00:02:28 159.233.245.100
224.0.1.40 Vlan245 01:30:34 00:02:25 159.233.245.105
224.0.1.40 GigabitEthernet3/1 1w1d 00:02:22 159.233.253.105
hw-dc-vss-cs6509-1#
Any help would be greatly appreciated. Thank you
I did some more digging and found the answer to my question: I have to use the following command instead of the join-group command
ip igmp static-group
I'm assuming you mean WebLogic SSM. If you set it up using organizational structure, you should see a new org in /entitlementsadministration with a number of applications bound to the SSM you declared.
-
How to send multicast message from PC to router to start multicast
Dear All
I have a PC and I want to send the video message out through multicast from the PC. Do you think I need to have some special tool installed in the PC to start the multicast ? The PC is directly connected with a router
Thank you
Frank
Hi Frank,
You are welcome.
To sum up basic configuration rules for your network as simply as possible to make the multicast fly:
You need to have an IGP protocol running (OSPF, EIGRP, IS-IS, RIP) on all your routers and make sure that all networks are duly advertised, both the network where the source streamer is, and the networks where the recipients are located. I suppose you already have this.
All routers in your network need to be configured with ip multicast-routing global configuration command.
All interfaces on all routers in your network need to be configured with ip pim dense-mode interface level command.
By this, I am suggesting that you run a simple, if somewhat inefficient, version of multicast routing in your network, the so-called PIM Dense Mode. More preferred version of multicast would be PIM Sparse Mode but that one is slightly more difficult to properly configure and troubleshoot so let's start with the simplest option and test whether it works.
Once again, be careful to configure all your routers with ip multicast-routing (it's not sufficient to configure just the first or the last router with this command - all routers on the path between the source and receivers need to use this command) and ip pim dense-mode (all interfaces on these routers, both "upstream" interfaces going back to the source, and "downstream" interfaces going toward the receivers).
Best regards,
Peter -
Can someone explain shortest path switchover in Multicast?
Hi,
Shortest path switchover is used in PIM Sparse Mode.
The concept of Sparse Mode is that multicast traffic should only be delivered when there are active receivers in the network. To accomplish this, SM has an explicit Join and Prune mechanism rather than the Flood and Prune used by Dense Mode.
When the last-hop router (where the receiver is connected) receives an IGMP join message, it sends a PIM Join towards the RP. This creates a shared tree from the last-hop router to the RP along the intermediate routers.
While the above procedure is taking place, the first-hop router (where the source is connected) starts sending PIM Register messages to the RP (when the source starts sending multicast traffic). These Register messages are unicast, so the intermediate routers are not aware of the multicast traffic. When the RP receives Register messages from the first-hop router, it does the checks below after decapsulation:
1. Is there a shared tree for the specific multicast group? If yes, then send an SPT join towards the first-hop router so that the multicast traffic from the source is delivered to the RP via native multicast rather than encapsulated packets. The RP also sends a Register-Stop message to inform the first-hop router to stop sending encapsulated multicast packets.
2. When there are no active groups on the RP (i.e. the RP has not received any PIM join for the multicast group from any last-hop router), the RP sends a Register-Stop message.
By this, the traffic from the source flows via the SPT to the RP. From the RP it flows via the shared tree to the receiver. Everything is fine till now. But the drawback in SM is the placement of the RP and the load on it. Since the RP is located in a central location, chances are that the multicast traffic from the source takes a longer path to reach the receiver. This results in increased latency along with increased RP load.
So in those cases it is desirable for the multicast traffic to flow from source to receiver on the optimal path. This is done by SPT switchover, which happens when the multicast group traffic crosses the configured SPT threshold. In Cisco the default SPT threshold is zero kbps. So when the last-hop router receives the first multicast packet via the shared tree, it does the SPT switchover. This is done by sending an SPT Join towards the source, thus bypassing the RP. Now the traffic from the source takes the most optimal path to reach the receiver.
At the same time, the last-hop router sends a PIM Prune towards the RP to inform it that it does not want multicast traffic over the shared tree. This is done to avoid duplication of the multicast packets over the SPT and the shared tree.
Few facts:
1. The last-hop router needs information about the source to send the SPT Join, and this can only happen when it receives a few initial multicast packets via the RP shared tree.
2. If you do not want the last-hop router to perform SPT switchover, then configure the SPT threshold to infinity on the last-hop router.
Sorry for the long post.
HTH.
thanks
Arun
Please rate if it is helpful. -
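The sequence Arun describes (shared-tree Join, Register and Register-Stop at the RP, then the last-hop SPT switchover governed by the SPT threshold) can be stated as a small state model. The following is an added example, not code from the thread or from any Cisco software: the PIM message names are the real ones, but the classes, method names and addresses are this example's own simplification of the post, and it keeps the post's simplified Register-Stop behaviour.

```python
"""Simplified model of the PIM-SM behaviour described above: how the RP
handles a Register and how the last-hop router decides to switch to the SPT.
Added example, not from the thread; PIM message names are real, the class
and method names and the addresses are this example's own."""

INFINITY = float("inf")   # equivalent of 'ip pim spt-threshold infinity'


class RendezvousPoint:
    def __init__(self):
        self.shared_tree_groups = set()   # groups with (*,G) joins from last-hop routers

    def pim_join(self, group):
        """(*,G) Join from a last-hop router creates shared-tree state."""
        self.shared_tree_groups.add(group)

    def on_register(self, source, group, first_hop):
        """Decapsulated Register from the first-hop router. Returns the
        messages the RP sends back as (message, destination) tuples."""
        if group in self.shared_tree_groups:
            # receivers exist: join the SPT toward the source so traffic
            # arrives natively, and stop the encapsulation
            return [("SPT-Join", source), ("Register-Stop", first_hop)]
        # nobody has joined this group: just stop the registering
        return [("Register-Stop", first_hop)]


class LastHopRouter:
    def __init__(self, rp_address, spt_threshold_kbps=0):
        self.rp = rp_address
        self.threshold = spt_threshold_kbps      # Cisco default is 0 kbps
        self.known_sources = {}                  # group -> sources seen via the RP
        self.on_spt = set()                      # (source, group) already switched

    def igmp_join(self, group):
        """IGMP report from a receiver: build the shared tree toward the RP."""
        return [("PIM-Join(*,G)", self.rp)]

    def can_send_spt_join(self, group):
        """Fact 1 from the post: an SPT Join needs a source address, and the
        only place the last hop learns it is traffic arriving over the shared tree."""
        return bool(self.known_sources.get(group))

    def on_shared_tree_packet(self, source, group, rate_kbps):
        """A packet for (S,G) delivered via the RP. Switch over when the
        group's rate exceeds the threshold; with the default of 0 that is
        the very first packet, with INFINITY it never happens."""
        self.known_sources.setdefault(group, set()).add(source)
        if (source, group) in self.on_spt or rate_kbps <= self.threshold:
            return []
        self.on_spt.add((source, group))
        # SPT Join toward the source bypasses the RP; the prune toward the RP
        # stops the duplicate copy that would keep arriving over the shared tree
        return [("SPT-Join(S,G)", source), ("Prune(S,G,rpt)", self.rp)]


def walkthrough():
    """Run the sequence from the post once and return every message sent."""
    rp, lhr = RendezvousPoint(), LastHopRouter("10.255.0.1")
    sent = []
    sent += lhr.igmp_join("239.1.1.1")
    rp.pim_join("239.1.1.1")                                   # the Join reaches the RP
    sent += rp.on_register("10.0.0.5", "239.1.1.1", "10.0.0.1")
    sent += lhr.on_shared_tree_packet("10.0.0.5", "239.1.1.1", rate_kbps=64)
    return sent


if __name__ == "__main__":
    for message, destination in walkthrough():
        print(f"{message:16s} -> {destination}")
```

Setting spt_threshold_kbps=INFINITY reproduces the effect of ip pim spt-threshold infinity on the last hop: the source is still learned from the shared-tree packets, but no SPT Join or Prune is ever sent and traffic keeps flowing through the RP.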
Some basic problems with multicast, IGMP & NLB
Hi out there
We have two DCs with a 10G interconnection between them. These connections run as L2 links, go into a set of Nexus 5000 (the old NX5020) acting as access switches, and are uplinked to a set of Nexus 7009 which act as the L3 switches for us.
We have a cluster of VMware boxes in each site and are running MS Windows 2008 machines with MS NLB for Terminal Services, in IGMP multicast mode, in VLAN 21.
Now I looked in the log of the nexus 7000 and found that the PIM DR is "flapping" between the two sites from time to time:
2013 Nov 25 22:50:58 ve-coresw-01 %PIM-5-DR_CHANGE: pim [26128] DR change from 172.21.159.253 to 172.21.144.3 on interface Vlan21
2013 Nov 25 22:51:54 ve-coresw-01 %PIM-5-DR_CHANGE: pim [26128] DR change from 172.21.144.3 to 172.21.159.253 on interface Vlan21
2013 Nov 25 23:26:07 ve-coresw-01 %PIM-5-DR_CHANGE: pim [26128] DR change from 172.21.159.253 to 172.21.144.3 on interface Vlan21
2013 Nov 25 23:26:10 ve-coresw-01 %PIM-5-DR_CHANGE: pim [26128] DR change from 172.21.144.3 to 172.21.159.253 on interface Vlan21
I am not that familiar with multicast, but the basic concepts are there. In the VRF I have defined:
ip pim ssm range 232.0.0.0/8
the vlan is defined as:
vlan configuration 21
layer-2 multicast lookup mac
vlan 2001
Under the SVI interface Vlan21 I have also defined the following (there is also a sample showing the NLB):
interface Vlan21
vrf member DMZ_21
no ip redirects
ip address 172.21.144.3/20
ip pim sparse-mode
ip arp 172.21.149.19 0100.5E7F.9513
This flapping should only occur if the keepalives between the two sites are missed 3 times.
The uplinks to the Nexus 5000 are defined as mrouter ports:
vlan 21
ip igmp snooping mrouter interface port-channel5
ip igmp snooping mrouter interface port-channel16
SW5020-01# sh ip igmp snooping vl 21
IGMP Snooping information for vlan 21
IGMP snooping enabled
IGMP querier present, address: 172.21.144.3, version: 2, interface port-channel5 -> the DR on the nx7k
Switch-querier disabled
IGMPv3 Explicit tracking enabled
IGMPv2 Fast leave disabled
IGMPv1/v2 Report suppression enabled
IGMPv3 Report suppression disabled
Link Local Groups suppression enabled
Router port detection using PIM Hellos, IGMP Queries
Number of router-ports: 3
Number of groups: 3
VLAN vPC function enabled
Active ports:
Po10 Po15 Eth1/3 Eth1/11
Eth1/12 Eth1/13 Eth1/14 Eth1/15
Eth1/16 Eth1/17 Eth1/18 Eth1/19
Eth1/20 Eth1/25 Eth1/26 Eth1/27
Eth1/28 Eth1/29 Eth1/30 Eth1/31
Eth1/32 Po16 Po5
The link between the two sites (and boxes) is running error-free. As far as I can see there haven't been any problems in that VLAN since ??
If I look at e.g. spanning-tree, the topology hasn't changed for a long time in that VLAN (2 weeks).
Could I harden the IGMP multicast setup?
What is happening when a DR is changing? Will the multicast stop working, or what happens?
As far as I understood, the DR is the service which forwards the multicast traffic to the groups, so if suddenly some re-negotiation occurs I would expect that the active traffic will be interrupted.
Here are the actual MS NLB cluster addresses:
SW5020-01# sh ip igmp snooping groups vl 21
Type: S - Static, D - Dynamic, R - Router port
Vlan Group Address Ver Type Port list
21 */* - R Po10 Po16 Po5
21 239.255.149.19 v1 D Eth1/14 Eth1/19 Eth1/32
21 239.255.149.24 v1 D Eth1/12 Eth1/15 Eth1/16
Eth1/26 Eth1/31
21 239.255.255.250 v2 D Po15 Eth1/11 Eth1/28
Eth1/29
SW5020-01#
Any suggestions? -
Is it possible to create two multicast DRs on the same subnet?
On server VLAN 10.24.254.0/24, there are two routers:
R1 is .2 and R2 is .3, with "ip pim sparse-mode" enabled.
R1 and R2 are in two distinct mcast domains.
R1 has
ip pim rp-address 10.25.249.1 acl-one override
R2 has
ip pim rp-address 192.168.2.1 acl-two override
The problem is that R2, with the higher IP address, is now the IGMP and PIM DR. Any multicast app with RP 10.25.249.1 is NOT working because R1 can't receive IGMP joins from the servers.
In addition, R1 by design cannot reach 192.168.2.1, and the same goes for R2 reaching 10.25.249.1.
Thus configuring two "ip pim rp-address" commands is not possible.
How can I make R1 the DR for the group IPs under acl-one and R2 for the group IPs under acl-two?
Or do I have to change the network topology?
There can be only one DR on the same subnet. If there were more than one DR on the same subnet, they would end up sending duplicate multicast traffic to the connected hosts. For more information refer to the URL
http://www.cisco.com/en/US/products/ps5763/products_configuration_guide_chapter09186a0080312878.html#wp1091449 -
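Two checks that serve both DR threads above (the flapping %PIM-5-DR_CHANGE log on Vlan21, and the "two DRs on one subnet" question), added here as an example and not taken from either post: a parser for the NX-OS DR_CHANGE syslog lines, a flap detector, and the PIM DR election rule from RFC 4601 (highest DR priority wins, highest IP breaks ties; if any neighbour does not advertise a priority, highest IP wins outright). The four log lines are the ones posted; the neighbour priorities, the 120-second flap window and the 10.24.254.x priorities are assumptions.

```python
"""Parse NX-OS %PIM-5-DR_CHANGE syslog lines, flag DR flapping, and compute
which neighbour the PIM DR election picks. Added example, not from either
thread; the log lines are copied from the post, everything else is assumed."""
import ipaddress
import re
from datetime import datetime

DR_CHANGE = re.compile(
    r"^(?P<ts>\d{4} \w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"%PIM-5-DR_CHANGE: pim \[\d+\] DR change from (?P<old>\S+) to (?P<new>\S+) "
    r"on interface (?P<iface>\S+)"
)

# The four lines from the post (year included, as NX-OS logs it).
SAMPLE_LOG = [
    "2013 Nov 25 22:50:58 ve-coresw-01 %PIM-5-DR_CHANGE: pim [26128] DR change from 172.21.159.253 to 172.21.144.3 on interface Vlan21",
    "2013 Nov 25 22:51:54 ve-coresw-01 %PIM-5-DR_CHANGE: pim [26128] DR change from 172.21.144.3 to 172.21.159.253 on interface Vlan21",
    "2013 Nov 25 23:26:07 ve-coresw-01 %PIM-5-DR_CHANGE: pim [26128] DR change from 172.21.159.253 to 172.21.144.3 on interface Vlan21",
    "2013 Nov 25 23:26:10 ve-coresw-01 %PIM-5-DR_CHANGE: pim [26128] DR change from 172.21.144.3 to 172.21.159.253 on interface Vlan21",
]


def parse_dr_changes(lines):
    """Return [(timestamp, interface, old_dr, new_dr)] for matching lines."""
    events = []
    for line in lines:
        m = DR_CHANGE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y %b %d %H:%M:%S")
            events.append((ts, m["iface"], m["old"], m["new"]))
    return events


def find_flaps(events, window_seconds=120):
    """A change followed within the window by a change back to the previous
    DR on the same interface counts as one flap: (iface, t1, t2, seconds)."""
    by_iface = {}
    for ts, iface, old, new in sorted(events):
        by_iface.setdefault(iface, []).append((ts, old, new))
    flaps = []
    for iface, evs in by_iface.items():
        for (t1, old1, _), (t2, _, new2) in zip(evs, evs[1:]):
            delta = (t2 - t1).total_seconds()
            if delta <= window_seconds and new2 == old1:
                flaps.append((iface, t1, t2, delta))
    return flaps


def elect_dr(neighbors):
    """neighbors: {ip: dr_priority or None if not advertised}. RFC 4601:
    if every neighbour advertises a priority, the highest priority wins and
    the highest IP breaks ties; otherwise the highest IP wins outright."""
    if any(p is None for p in neighbors.values()):
        return max(neighbors, key=lambda ip: ipaddress.IPv4Address(ip))
    return max(neighbors, key=lambda ip: (neighbors[ip], ipaddress.IPv4Address(ip)))


def hello_loss_suspects(events, neighbors):
    """A change to anything but the elected DR can only happen when the real
    DR's Hellos stopped arriving, i.e. its hold time expired on the other side."""
    expected = elect_dr(neighbors)
    return [(ts, new) for ts, _, _, new in events if new != expected]


if __name__ == "__main__":
    events = parse_dr_changes(SAMPLE_LOG)
    vlan21 = {"172.21.159.253": 1, "172.21.144.3": 1}   # assumed: default priority 1 on both
    for iface, t1, t2, delta in find_flaps(events):
        print(f"{iface}: flap between {t1:%H:%M:%S} and {t2:%H:%M:%S} ({delta:.0f}s)")
    print("expected DR:", elect_dr(vlan21))
    for ts, new in hello_loss_suspects(events, vlan21):
        print(f"{ts:%H:%M:%S}: DR moved to {new}, Hellos from the real DR were missed")
```

On the posted log the expected DR is 172.21.159.253 (the higher address, with equal priority), so each move to 172.21.144.3 means that side missed Hellos from .159.253 for the whole hold time, exactly the condition the poster describes. On the 10.24.254.0/24 subnet the same rule makes .3 the DR; giving .2 a higher ip pim dr-priority moves the election, but the subnet still has one DR, which is what the answer says.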
Multicast clustering IBM servers with N7K and N2K
I have two IBM servers working as a cluster, connected to a fabric extender (N2K) using vPC, as per the attached diagram.
The two IBM servers are working fine for network connectivity with the N2K, but the servers use multicast (PowerHA 7.1) to work as a cluster,
and when I tried to configure multicast on the N7K and N2K so that the servers work as a cluster, the servers are not working.
Please advise me about the configuration on the N7K and N2K to get the IBM servers working as a cluster.
One option is the IGMP querier:
config t
ip igmp snooping
vlan 2
switch(config-vlan-config)# ip igmp snooping querier 10.0.10.253
(or a good source address of the interface)
The other option is to run PIM on the VLAN interface:
feature pim
interface Vlan2
ip pim sparse-mode
Both have the same purpose: combined with IGMP snooping, the L3 interface will flood the VLAN with IGMP queries that traverse the inter-switch links. As a result, the inter-switch links will be included in the snooping port list. In turn,
packets destined to 228.5.10.5 will be sent out the inter-switch link and reach the other server.
Without the IGMP queries, 228.5.10.5 packets will not be sent from one switch to the other, as it is not in the 224.0.0.0/24 range. -
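The forwarding decision in the answer above (224.0.0.0/24 always flooded, any other group only to member ports plus ports where queries were seen) and the IP-to-MAC mapping behind the ip arp 172.21.149.19 0100.5E7F.9513 line in the NLB post, as an added example that is not from either thread. Switch and port names are constructed; the group addresses are the ones on the page.

```python
"""IGMP snooping forwarding decision and the IPv4 group -> 01:00:5e MAC
mapping. Added example, not from the thread; switch and port names are
constructed, the group addresses are the ones discussed on the page."""
import ipaddress

LINK_LOCAL = ipaddress.IPv4Network("224.0.0.0/24")   # never pruned by snooping


def multicast_mac(group):
    """Map an IPv4 group to its Ethernet multicast MAC. Only the low 23 bits
    of the 28-bit group field fit, so 32 groups share every MAC."""
    g = ipaddress.IPv4Address(group)
    if not g.is_multicast:
        raise ValueError(f"{group} is not a multicast group")
    low = int(g) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low >> 16, (low >> 8) & 0xFF, low & 0xFF)


class SnoopingVlan:
    """One VLAN on one snooping switch. Until a query (from an IGMP querier
    or a PIM-enabled SVI) is seen on a port, no mrouter port exists, and
    non-link-local groups only reach ports that reported membership locally."""

    def __init__(self, ports):
        self.ports = set(ports)
        self.mrouter_ports = set()
        self.members = {}            # group -> ports that sent IGMP reports

    def igmp_query_seen(self, port):
        """Queries arriving on a port mark it as a router (mrouter) port."""
        self.mrouter_ports.add(port)

    def igmp_report(self, group, port):
        self.members.setdefault(group, set()).add(port)

    def egress_ports(self, group, ingress_port):
        """Ports a frame for 'group' arriving on ingress_port is sent out of."""
        if ipaddress.IPv4Address(group) in LINK_LOCAL:
            out = set(self.ports)                       # 224.0.0.0/24: flood
        else:
            out = set(self.members.get(group, ())) | self.mrouter_ports
        out.discard(ingress_port)
        return out


if __name__ == "__main__":
    # Server A on Eth1/1 of this switch, server B behind Po1 on the other switch.
    sw1 = SnoopingVlan(["Eth1/1", "Eth1/2", "Po1"])
    sw1.igmp_report("228.5.10.5", "Eth1/1")
    print("no querier:", sw1.egress_ports("228.5.10.5", "Eth1/1"))      # set()
    sw1.igmp_query_seen("Po1")                    # querier's queries cross the ISL
    print("with querier:", sw1.egress_ports("228.5.10.5", "Eth1/1"))    # {'Po1'}
    print("NLB cluster MAC:", multicast_mac("239.255.149.19"))
```

The MAC aliasing is why 239.255.149.19 and 224.127.149.19 share 01:00:5e:7f:95:13: with layer-2 multicast lookup mac, as in the NLB post, the switch cannot tell those groups apart and forwards both to the same ports.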
Allowing multicast to work between real servers behind the CSM?
Hi,
Just want to know if it is possible to use IP multicast between real servers on a server subnet that is configured on the CSM. If so, how could this be set up?
I've attached a copy of our CSM config. In particular, the server subnet in question is "vlan 386 server". The real servers belong to "serverfarm FARM-VISTA-TEST".
I suspect that maybe an interface vlan 386 needs to be created on the router, with pim sparse-mode enabled?
Any ideas?
thanks
Sheldon
The CSM does not know IP multicast, so your multicast needs to find another way to reach the servers.
You will also need a static route on the servers to point 224.x.x.x to the MSFC and keep the rest of the traffic going to the CSM.
Another solution is to use bridge mode.
Create a duplicate vlan 386 on the CSM and the MSFC.
i.e.:
MSFC---vlan387-----CSM-----Vlan386
On the CSM, you configure vlan 387 with the same IP as vlan 386; this tells the CSM to bridge the 2 VLANs.
Configure an IP from the same subnet on the MSFC int vlan 387.
Configure multicast on vlan 387.
The CSM should normally bridge all unknown traffic, including multicast.
All you have to do on the servers is change the default gateway to be the MSFC instead of the CSM.
Gilles. -
What steps to verify multicast VPN?
I connected a notebook to the PE. But I can't play the multicast stream with VLC.
Diagram:
7609 (PE) - 7609 (AG) - 7609 (AC) - ME3400 (AC) - Notebook
I see PIM neighbors on the PE:
co7609s-6#sho ip pim vrf GTV-M nei
PIM Neighbor Table
Mode: B - Bidir Capable, DR - Designated Router, N - Default DR Priority,
P - Proxy Capable, S - State Refresh Capable
Neighbor Interface Uptime/Expires Ver DR
Address Prio/Mode
10.5.200.89 Tunnel0 1w6d/00:01:27 v2 1 / S P
10.5.0.60 Tunnel0 3w6d/00:01:29 v2 1 / S P <- this PE is sender
10.5.200.100 Tunnel0 5w0d/00:01:19 v2 1 / DR S P
10.5.0.39 Tunnel0 6w2d/00:01:28 v2 1 / S P
co7609s-6#
And I can ping the notebook:
co7609s-6#ping vrf GTV-M 192.168.73.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.73.2, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
co7609s-6#
PE Configuration:
interface TenGigabitEthernet2/1.1914
encapsulation dot1Q 1914
ip vrf forwarding GTV-M
ip address 192.168.73.1 255.255.255.0
ip pim sparse-mode
ip pim vrf G9TV-M rp-address 192.168.10.1
How should I do this?
I know now. Someone changed the encoder at the source. Thank you very much. Now it looks good.
-
High CPU usage multicast bridging / L2TP
Hi,
I'm busy with a small project to bridge an "IPTV" interface to another site
(one Cisco 871 and one 1800 series). I use the 871 on the source site and the 1800 on the destination.
I tried different configurations. First I used a GRE over IPsec tunnel and bridge groups (officially not supported), for example:
interface Tunnel0
no ip address
load-interval 30
keepalive 5 3
tunnel source Vlan1
tunnel destination 172.25.10.251
bridge-group 1
interface Vlan2
no ip address
ip pim sparse-dense-mode
ip virtual-reassembly
bridge-group 1
bridge-group 1 spanning-disabled
This works, but there was a lot of traffic and high CPU usage on the 871 router, 98% - 100%.
Now I use L2TP, like the configuration below:
pseudowire-class PW_CLASS
encapsulation l2tpv3
ip local interface Loopback0
interface Vlan2
no ip address
ip pim sparse-mode
ip virtual-reassembly
xconnect 10.0.0.1 12 encapsulation l2tpv3 pw-class PW_CLASS
router eigrp 1
passive-interface FastEthernet4
passive-interface Vlan2
network 10.0.0.0 0.0.0.255
network 10.255.1.0 0.0.0.255
auto-summary
interface Loopback0
ip address 10.0.0.2 255.255.255.255
This works also, but I still have the same problem, very high CPU usage.
Maybe someone can help me with this issue?
Kind Regards,
Felix Duivenvoorden
Hi Felix,
I think the problem is that all encapsulation (both GRE and L2TP) on the 800 is done in software.
This is simply a restriction of the platform's capabilities.
Obvious workaround is to use other hardware.
regards,
Leo -
ZBFW intra-zone traffic not working
I am having an issue on one of our 2811 routers where I can't get traffic between interfaces within the same zone to flow. I know this should happen by default, and that's why it is so confusing.
One of the interfaces is FastEthernet0/0.1, which is the internal LAN, and the others are tunnel interfaces using IPsec tunnel protection back to the main datacenter. By design one tunnel is preferred over the other by using OSPF costing. Due to this there doesn't seem to be any asymmetric routing.
I have inter-zone traffic working just fine by defining the policy and zone pair. It is just when I enable another zone on our internal LAN interfaces that it stops passing traffic. Just to note, I do have this working on our lab 2811 router running the same IOS version.
Any recommendations would be helpful. I have a case open with TAC but they aren't figuring it out. So now I'm calling the experts.
Thanks in advance. Elton
Sent from Cisco Technical Support iPhone App
Here is the sanitized configuration. The zone that I am trying to apply is "LAN".
I would like to apply it to all of the tunnel interfaces along with the FastEthernet0/0.1 interface. This is working on another 2811 router.
Thanks again for the assistance.
version 12.4
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
hostname ****************
boot-start-marker
boot-end-marker
logging message-counter syslog
logging buffered 16384 informational
enable secret 5 ******************************
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa session-id common
clock timezone est -5
clock summer-time SummerTime recurring
dot11 syslog
ip source-route
ip traffic-export profile CAPTURE mode capture
bidirectional
incoming access-list CAPTURE_IN
outgoing access-list CAPTURE_OUT
length 512
ip cef
ip dhcp excluded-address 192.168.43.33 192.168.43.37
ip dhcp pool CREDIT_CARD_SCANNERS
network 192.168.43.32 255.255.255.224
default-router 192.168.43.33
dns-server 4.2.2.2 8.8.4.4
lease 2
no ip domain lookup
ip multicast-routing
ip inspect log drop-pkt
ip inspect name incoming tcp router-traffic
ip inspect name incoming udp router-traffic
login on-failure log every 3
no ipv6 cef
ntp server 10.69.16.1
multilink bundle-name authenticated
isdn switch-type basic-ni
voice-card 0
crypto pki trustpoint TP-self-signed-218647659
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-218647659
revocation-check none
rsakeypair TP-self-signed-218647659
crypto pki certificate chain TP-self-signed-218647659
certificate self-signed 03
30820242 308201AB A0030201 02020103 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32313836 34373635 39301E17 0D313130 36303831 38303833
395A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3231 38363437
36353930 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
F9FF373A F00F58CF F4C6E6B1 C7676D6E EBD0D2D1 E239FAAA 42BD4335 B779D873
A2D654FA 04F47F90 CCC79596 B3D5B719 D3994E6E 43B05D4D 4419D92C F8EC6149
5094F9AB 7CB11EFA 5E72B723 A04D2999 BB43A8B8 11314E45 CA26BA77 909A63AA
64A95D75 411C5141 026AA11A EA27724F A6832EBF A0C5DD7B A1E48803 4B8C0585
02030100 01A36C30 6A300F06 03551D13 0101FF04 05300301 01FF3017 0603551D
11041030 0E820C42 524B2D43 32383131 2D543130 1F060355 1D230418 30168014
CA02D9F0 3B1772EE BECCFD40 888CD35B 4BF00440 301D0603 551D0E04 160414CA
02D9F03B 1772EEBE CCFD4088 8CD35B4B F0044030 0D06092A 864886F7 0D010104
05000381 810077C0 3260CF10 8652CE8D 6B0DE3F8 9BD87870 51087020 E00CC56B
F01EBC1C F6DE78D9 D309E3D6 B63B713C 80FEE77B CEA7AD0D 3CA587B3 26912CC8
EADA52D9 74698936 B8196FE0 120071EA B9F4CF3C 14D9E67C 34A0EA61 192BF856
F77B5034 D45834CE D38D241A B1B08694 C786FAAF 9833D6DD DDF00562 F4839A51
7ECEE3C1 BC06
quit
username ************************** privilege 15 secret 5 ***********************************
archive
log config
hidekeys
crypto isakmp policy 1
authentication pre-share
crypto isakmp key ***************** address *****************
crypto isakmp key **************** address *********************
crypto isakmp key ************* address **********************
crypto isakmp key ******************* address *********************
crypto isakmp keepalive 120 periodic
crypto ipsec transform-set TRANSFORM-AES esp-aes esp-sha-hmac
crypto ipsec transform-set TRANSFORM-AES-TRAN esp-aes esp-sha-hmac
mode transport require
crypto ipsec profile PROFILE-DMVPN
set transform-set TRANSFORM-AES
crypto ipsec profile PROFILE-DMVPN-TRAN
set transform-set TRANSFORM-AES-TRAN
track 1 ip sla 1 reachability
track 10 interface FastEthernet0/1 line-protocol
class-map type inspect match-any CC_SCAN_TRAFFIC_CLASS
match access-group name CC_SCAN_OUT
class-map type inspect match-all BBDBU-CMAP
match access-group name BBDBU
policy-map type inspect CC_SCAN_TRAFFIC_POLICY
class type inspect CC_SCAN_TRAFFIC_CLASS
inspect
class class-default
drop log
policy-map type inspect BBDBU-PMAP
class type inspect BBDBU-CMAP
pass
class class-default
drop log
zone security internet
zone security CC_SCAN_LAN
zone security LAN
zone-pair security self-to-internet source self destination internet
service-policy type inspect BBDBU-PMAP
zone-pair security internet-to-self source internet destination self
service-policy type inspect BBDBU-PMAP
zone-pair security CC_SCAN-TO-INTERNET source CC_SCAN_LAN destination internet
service-policy type inspect CC_SCAN_TRAFFIC_POLICY
interface Tunnel1
description Broadband backup circuit
bandwidth 256
ip address 10.69.7.111 255.255.255.0
ip mtu 1400
ip pim sparse-mode
ip nhrp authentication ****************
ip nhrp map 10.69.7.1 *********************
ip nhrp network-id **************
ip nhrp holdtime 300
ip nhrp nhs 10.69.7.1
ip nhrp server-only
ip ospf authentication-key 7 *******************
ip ospf network broadcast
ip ospf cost 130
ip ospf priority 0
tunnel source FastEthernet0/1
tunnel destination ********************
tunnel key ********************
tunnel protection ipsec profile PROFILE-DMVPN-TRAN
interface Tunnel2
description Backup Tunne2
bandwidth 512
ip address 10.69.10.111 255.255.255.0
ip mtu 1400
ip pim sparse-mode
ip nhrp authentication **************
ip nhrp map 10.69.10.1 ********************
ip nhrp network-id **************
ip nhrp holdtime 300
ip nhrp nhs 10.69.10.1
ip nhrp server-only
ip ospf authentication-key 7 ********************
ip ospf network broadcast
ip ospf priority 0
tunnel source FastEthernet0/1
tunnel destination ********************
tunnel key *********************
tunnel path-mtu-discovery
tunnel protection ipsec profile PROFILE-DMVPN-TRAN
interface Tunnel16
description mGRE TUNNEL FOR NYe0008981
bandwidth 1500
ip address 10.69.4.111 255.255.255.0
ip mtu 1400
ip flow ingress
ip pim sparse-mode
ip nat outside
ip nhrp authentication ****************
ip nhrp map 10.69.4.1 *********************
ip nhrp network-id ***************
ip nhrp holdtime 300
ip nhrp nhs 10.69.4.1
ip nhrp server-only
ip virtual-reassembly
ip ospf network broadcast
ip ospf cost 120
ip ospf priority 0
tunnel source Serial0/0/0
tunnel destination ******************
tunnel key ******************
tunnel protection ipsec profile PROFILE-DMVPN-TRAN
interface Tunnel17
description mGRE TUNNEL FOR NYe0008981
bandwidth 1450
ip address 10.69.8.111 255.255.255.0
ip mtu 1400
ip flow ingress
ip pim sparse-mode
ip nhrp authentication *******************
ip nhrp map 10.69.8.1 ****************
ip nhrp network-id **************
ip nhrp holdtime 300
ip nhrp nhs 10.69.8.1
ip nhrp server-only
ip ospf network broadcast
ip ospf cost 125
ip ospf priority 0
tunnel source Serial0/0/0
tunnel destination *****************
tunnel key ****************
tunnel protection ipsec profile PROFILE-DMVPN-TRAN
interface FastEthernet0/0
description PARENT INTERFACE
no ip address
ip flow ingress
ip traffic-export apply CAPTURE size 10000000
duplex auto
speed auto
interface FastEthernet0/0.1
description DEFAULT VLAN
encapsulation dot1Q 1 native
ip address 10.27.19.1 255.255.255.0
ip helper-address 10.69.16.7
ip pim sparse-mode
ip tcp adjust-mss 1344
ip traffic-export apply CAPTURE size 10000000
ip policy route-map PBR
ip ospf priority 0
interface FastEthernet0/0.10
description INITIAL VLAN
encapsulation dot1Q 10
ip traffic-export apply CAPTURE size 10000000
interface FastEthernet0/0.20
description AUTH-FAIL VLAN
encapsulation dot1Q 20
ip traffic-export apply CAPTURE size 10000000
shutdown
interface FastEthernet0/0.43
description CREDIT_CARD_SCANNERS
encapsulation dot1Q 43
ip address 192.168.43.33 255.255.255.224
ip nat inside
ip virtual-reassembly
zone-member security CC_SCAN_LAN
ip traffic-export apply CAPTURE size 10000000
interface FastEthernet0/0.98
description Remediation Vlan
encapsulation dot1Q 98
ip address 10.69.243.1 255.255.255.248
ip access-group Remediation in
ip helper-address 10.69.252.7
ip inspect incoming out
ip traffic-export apply CAPTURE size 10000000
ip ospf priority 0
interface FastEthernet0/0.99
description GUEST VLAN
encapsulation dot1Q 99
ip traffic-export apply CAPTURE size 10000000
interface FastEthernet0/0.666
description VENDOR VLAN
encapsulation dot1Q 666
ip traffic-export apply CAPTURE size 10000000
interface FastEthernet0/1
mtu 1492
ip address 192.168.1.47 255.255.255.0 secondary
ip address **************************
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security internet
duplex auto
speed auto
interface Serial0/0/0
ip address **************************
ip flow ingress
encapsulation ppp
no fair-queue
service-module t1 remote-alarm-enable
service-module t1 fdl both
no cdp enable
interface BRI0/2/0
no ip address
encapsulation ppp
shutdown
dialer pool-member 1
isdn switch-type basic-ni
isdn point-to-point-setup
isdn spid1 71878317920101 7831792
isdn spid2 71878340300101 7834030
no cdp enable
interface Async0/1/0
no ip address
encapsulation slip
interface Dialer1
description T-1 Site ISDN Backup
ip address 192.168.103.38 255.255.255.0
encapsulation ppp
no ip route-cache cef
no ip route-cache
dialer pool 1
dialer idle-timeout 120 either
dialer load-threshold 32 either
dialer-group 1
no peer default ip address
no cdp enable
ppp multilink
router ospf 1
router-id 10.27.19.1
log-adjacency-changes
area 48 stub
network 10.27.19.0 0.0.0.255 area 48
network 10.69.4.0 0.0.0.255 area 48
network 10.69.7.0 0.0.0.255 area 48
network 10.69.8.0 0.0.0.255 area 48
network 10.69.10.0 0.0.0.255 area 48
network 10.69.243.0 0.0.0.7 area 48
ip forward-protocol nd
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
ip forward-protocol udp bootpc
ip route 198.203.191.83 255.255.255.255 ******************** track 1
ip route 198.203.192.245 255.255.255.255 *************** track 1
ip route 198.203.192.20 255.255.255.255 ****************** track 1
ip route 8.8.4.4 255.255.255.255 ***************** track 1
ip route 4.2.2.2 255.255.255.255 ******************* track 1
ip route 8.8.8.8 255.255.255.255 ********************** track 10
ip route 0.0.0.0 0.0.0.0 Dialer1 200
ip route 10.48.9.254 255.255.255.255 *****************
ip route 10.48.32.101 255.255.255.255 *****************
ip route 10.48.32.102 255.255.255.255 *****************
ip route 161.11.124.78 255.255.255.255 ******************
ip route 173.226.250.130 255.255.255.255 **************
ip route 204.89.170.126 255.255.255.255 ****************
no ip http server
no ip http secure-server
ip pim rp-address 10.69.31.1
ip nat pool CC_DMV_POOL 10.27.19.253 10.27.19.253 prefix-length 24
ip nat inside source route-map CC_BB_NAT interface FastEthernet0/1 overload
ip nat inside source route-map CC_DMV_NAT pool CC_DMV_POOL overload
ip tacacs source-interface FastEthernet0/0.1
ip access-list extended BBDBU
permit esp host *****************************
permit udp host **************************
permit gre host *******************************
permit udp host ****************************
permit gre host **************************
permit esp host ***********************
permit ip host **************************
permit ip host *****************************
permit icmp any host 8.8.8.8 echo
permit icmp host 8.8.8.8 any echo-reply
ip access-list extended BRK
permit ip 10.27.19.0 0.0.0.255 host 10.69.31.128
ip access-list extended CAPTURE_IN
permit ip host 10.27.19.10 host 10.69.66.108
ip access-list extended CAPTURE_OUT
permit ip host 10.69.66.108 host 10.27.19.10
ip access-list extended CC_SCAN_OUT
permit icmp 192.168.43.32 0.0.0.31 host 8.8.8.8
permit udp 192.168.43.32 0.0.0.31 host 8.8.8.8 eq domain
permit tcp 192.168.43.32 0.0.0.31 host 8.8.8.8 eq domain
permit tcp 192.168.43.32 0.0.0.31 host *************************
permit tcp 192.168.43.32 0.0.0.31 host **************************
permit tcp 192.168.43.32 0.0.0.31 host **************************
permit udp 192.168.43.32 0.0.0.31 host 4.2.2.2 eq domain
permit udp 192.168.43.32 0.0.0.31 host 8.8.4.4 eq domain
permit tcp 192.168.43.32 0.0.0.31 host 4.2.2.2 eq domain
permit tcp 192.168.43.32 0.0.0.31 host 8.8.4.4 eq domain
ip access-list extended Remediation
permit ip 10.69.240.0 0.0.15.255 host 10.69.252.7 log
permit icmp 10.69.240.0 0.0.15.255 10.69.66.0 0.0.0.255 log
permit tcp any host 10.69.16.182 eq 443 log
permit tcp any host 10.69.17.38 eq 8444 log
permit udp any any eq bootps
deny ip any any
ip access-list extended VTY
permit tcp 10.69.66.0 0.0.0.255 any eq telnet log
permit tcp 10.69.66.0 0.0.0.255 any eq 22 log
permit tcp 10.69.31.0 0.0.0.255 any eq 22 log
permit tcp 10.69.31.0 0.0.0.255 any eq telnet log
permit tcp 10.48.32.96 0.0.0.7 any eq telnet log
permit tcp 10.48.32.96 0.0.0.7 any eq 22 log
permit tcp 1.11.1.0 0.0.0.255 any eq telnet log
permit tcp 1.11.1.0 0.0.0.255 any eq 22 log
deny ip any any
ip sla 1
icmp-echo 8.8.8.8 source-interface FastEthernet0/1
timeout 7000
threshold 7000
frequency 10
ip sla schedule 1 life forever start-time now
logging 10.69.27.129
access-list 1 permit 10.69.66.11
access-list 1 remark SNMP Managers
access-list 1 permit 10.69.31.97
access-list 1 permit 10.69.31.100
access-list 1 permit 10.69.31.101
access-list 1 permit 10.69.66.59
access-list 1 permit 10.69.66.108
access-list 1 permit 10.69.16.223
access-list 1 permit 10.69.30.242
access-list 1 permit 10.69.16.250
access-list 1 permit 10.69.19.229
access-list 1 permit 10.69.16.150
access-list 1 permit 10.69.27.129
access-list 4 permit 10.69.31.148
access-list 4 permit 10.69.31.149
access-list 4 permit 10.69.31.150
access-list 4 permit 10.69.31.151
access-list 101 deny ospf any any
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
route-map CC_DMV_NAT permit 10
match ip address CC_SCAN_OUT
match interface Tunnel16
route-map PBR permit 10
description BRK
match ip address BRK
set ip next-hop 10.69.7.1
route-map CC_BB_NAT permit 10
match ip address CC_SCAN_OUT
match interface FastEthernet0/1
snmp-server community ******************
snmp-server community *****************
snmp-server community ******************
snmp-server location **********************
snmp-server enable traps snmp coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps flash insertion removal
snmp-server enable traps envmon
snmp-server enable traps config
snmp-server enable traps syslog
tacacs-server host 10.69.31.18 timeout 10
tacacs-server host 10.69.31.17
tacacs-server directed-request
tacacs-server key 7 ********************
control-plane
mgcp fax t38 ecm
mgcp behavior g729-variants static-pt
banner login ^C************************************
Unauthorized Entry To This Device Is
STRICTLY PROHIBITED
************************************^C
line con 0
exec-timeout 30 0
logging synchronous
line aux 0
line 0/1/0
exec-timeout 60 0
modem InOut
modem autoconfigure discovery
transport input all
stopbits 1
speed 115200
flowcontrol hardware
line vty 0 4
access-class VTY in
exec-timeout 30 0
password 7 *********************
logging synchronous
transport input ssh
scheduler allocate 20000 1000
end