Internet2 NOC - Multicast Cookbook
Enabling IP Multicast with Internet2
Scope: Note that this isn't about multicast in general, but aimed narrowly at what a participant site has to do on a Cisco or Juniper router to connect to Internet2. It assumes basic familiarity with multicast concepts. For more information about multicast in general, multicast protocols mentioned here, and for further help or information, including some excellent troubleshooting and debugging documents, see the "For Further Information" section at the end of this document.
There are three parts to a "native multicast" peering arrangement with Internet2: MBGP, PIM-Sparse Mode, and MSDP. This short document describes how to enable each and a few things to look for to determine whether they're working at all. It doesn't discuss debugging or troubleshooting strategies, which is another subject not widely understood and very much needed. Configuration examples are available here for Cisco (MBGP, PIM, and MSDP) or Juniper (MBGP, PIM, and MSDP).
Cisco configuration:
Global commands
There is one global router command just to enable multicast:
ip multicast-routing
The configurations below represent what a peer might minimally do to enable multicast peering with Internet2. For these examples, we'll assume a neighbor with address 5.5.5.5 in AS 555:
              Neighbor      Abilene router
IP addresses  5.5.5.5/30    5.5.5.6/30
AS number     555           11537
MBGP for Cisco
NOTE: the IOS syntax for MBGP setup changed with IOS version 12.1. The present discussion differentiates between pre- and post-12.1 implementations for the simplest configurations, but see this document for further information on the 12.1 syntax.
Enable MBGP:
- Within 'router BGP' context, change your network and neighbor statements from implicit unicast-only to unicast and multicast. Include the nlri unicast multicast phrase for each network and neighbor with whom you want both types of BGP negotiation:
- pre-12.1:
change from:
network 5.5.5.0
neighbor 5.5.5.6 remote-as 11537
to:
network 5.5.5.0 nlri unicast multicast
neighbor 5.5.5.6 remote-as 11537 nlri unicast multicast
- 12.1 and later:
change from:
network 5.5.5.0
neighbor 5.5.5.6 remote-as 11537
to:
neighbor 5.5.5.6 remote-as 11537
address-family ipv4 unicast
neighbor 5.5.5.6 activate
neighbor 5.5.5.6 remote-as 11537
address-family ipv4 multicast
neighbor 5.5.5.6 activate
- To verify that MBGP is talking for both unicast and multicast, see output from "show ip mbgp sum" (look for state/prefixes) and/or "show ip bgp neighbor 5.5.5.5", looking for lines like these (this is for 12.0, but 12.1 will have similar indications):
Neighbor NLRI negotiation:
Configured for unicast and multicast routes
Peer negotiated unicast and multicast routes
Exchanging unicast and multicast routes
- and:
Number of unicast/multicast prefixes received 3/3
PIM for Cisco
- Enable PIM on the point-to-point interface and add multicast-boundary administrative scoping:
interface ATMx/y.1 point-to-point
description to I2/Abilene,AS11537, contact noc@abilene.iu.edu,317-278-6622
ip address 5.5.5.5 255.255.255.252
ip pim sparse-mode
ip multicast boundary multicast-boundary
- This is the multicast-boundary list we presently use in Internet2, and there have been some suggestions for additional values for which we're soliciting feedback/consensus from the I2 community. The expressions below block sending RP announce and discovery packets and set the accepted administrative scoping to block 'local' multicast.
ip access-list standard multicast-boundary
deny 224.0.1.39
deny 224.0.1.40
deny 239.0.0.0 0.255.255.255
permit any
- If PIM is configured on both sides of the connection, then each should see the other as a "PIM neighbor", e.g.:
abilene-gsr>sho ip pim interface
Address    Interface    Version/Mode    Nbr     Query    DR
                                        Count   Intvl
5.5.5.6    POS0/0       v2/Sparse       1       30       0.0.0.0
1.1.1.1    ATM1/0.1     v2/Sparse       *0      30       0.0.0.0
- First of all, if you have PIM enabled for an interface it will appear in this list, so that's a good first sanity check that you've turned it on at all. Note that the "Version/Mode" column indicates v2 and Sparse, which are both good. In the column "Nbr Count", look for non-zero neighbor counts: 0 means that no neighbor negotiation has occurred (there is no PIM neighbor there; PIM is not turned on at your neighbor's side of the connection), while 1 means PIM *is* on at your neighbor's side of the connection.
MSDP for Cisco
- Finally, enable MSDP to your peer's RP. USUALLY (and this is the Internet2 preference), the MSDP peer address is the other end of the point-to-point connection. This will be the address to be used for Internet2. Some sites prefer to use a loopback address for their MSDP peer address, in which case they must also indicate to MSDP to use that interface. (The addresses in the 'peer' and the 'sa-filter' statements are the same, and are the address of your MSDP peer, usually the same as the MBGP peer.)
ip msdp peer 5.5.5.6
ip msdp sa-filter out 5.5.5.6 list 111
- (alternatively, if you're using e.g. a loopback address for your MSDP source:)
ip msdp peer 5.5.5.6 connect-source Loopback0
ip msdp sa-filter out 5.5.5.6 list 111
- Also, it's a good idea to have an MSDP filter applied to the connection, to keep the peer from sending improper source-active announcements. You may also implement SA-count limits to keep the neighbor from flooding you with advertisements. This list is referred to by the "ip msdp sa-filter ... list 111" command above; the prefixes Internet2 blocks are listed elsewhere in this document, but this is the syntax:
access-list 111 deny ip any host 224.0.1.2
access-list 111 deny ip any host 224.0.1.3
... etc ... (add the rest of the list of prefixes below and remember to add these RFC1918 addresses:)
access-list 111 deny ip 10.0.0.0 0.255.255.255 any
access-list 111 deny ip 127.0.0.0 0.255.255.255 any
access-list 111 deny ip 172.16.0.0 0.15.255.255 any
access-list 111 deny ip 192.168.0.0 0.0.255.255 any
access-list 111 permit ip any any
- To see if the MSDP peering is working bidirectionally, "show ip msdp sum" and look for a state of "up". If they're joined to multicasts through this path, you should see SAs (source-active advertisements) from their AS in "show ip msdp count".
Juniper router configuration:
Global considerations
No global router commands to enable multicast are necessary; however, your router may need a tunnel PIC in order to do multicast (if it is acting as an RP or will have directly-connected multicast sources). Some routers, for instance the 7i or J series, have the tunnel-PIC function built in or don't need one.
The configurations below represent what an Internet2 peer must minimally do to enable multicast peering with Internet2. For these examples, we'll assume a neighbor with address 5.5.5.5 in AS 555, and the Internet2 router's address for that connection is 5.5.5.6. Abilene's AS is 11537.
              Neighbor      Abilene router
IP addresses  5.5.5.5/30    5.5.5.6/30
AS number     555           11537
MBGP for Juniper
JunOS assumes both unicast and multicast for ipv4 BGP peering, so if a BGP neighbor is configured, the Juniper will try to negotiate both unicast and multicast NLRI and will settle on whatever the partner is willing to do. So if you want to do both unicast and multicast peering with the Internet2 router, the configuration is simply:
protocols {
    bgp {
        group Abilene {
            type external;
            neighbor 5.5.5.6 {
                description "Abilene";
                family inet {
                    /* "any" does unicast and multicast; alternatively, you could specify only "multicast" */
                    any;
                }
                peer-as 11537;
            }
        }
    }
}
To verify that multicast routing has been negotiated for this BGP session, check the output of "show bgp neighbor 5.5.5.6", looking for "Address families configured" and "NLRI for this session" and the number of multicast prefixes received, for example:
Peer: 5.5.5.6 AS 11537 Local: 5.5.5.5 AS 555
Description: Abilene
Type: External State: Established Flags: <Sync>
Address families configured: inet-unicast inet-multicast
(this is what your peer says it can do:)
NLRI for this session: inet-unicast inet-multicast
Table inet.0 Bit: 10001 (v4 unicast prefixes)
Active prefixes: 46
Received prefixes: 47
Table inet.2 Bit: 20001 (v4 multicast prefixes)
Active prefixes: 3
Received prefixes: 3
In "show bgp summary," the unicast and multicast prefixes active/received are represented from these same two tables, inet.0 for v4 unicast and inet.2 for v4 multicast:
Peer       AS       Last Up/Dwn    State|#Active/Received/Damped
5.5.5.6    11537    2w0d18h        Establ
  inet.0: 46/47/0
  inet.2: 3/3/0
PIM for Juniper
- Enable PIM on the point-to-point interface toward Internet2 and specify the RP:
protocols {
    pim {
        rp {
            /* use this to specify your RP */
            static {
                /* if RP is elsewhere; use "local" if it is this router, in which case the address and group-ranges go under "family inet" */
                address <address of your RP here> {
                    group-ranges {
                        224.0.0.0/4;
                    }
                }
            }
        }
        /* This is the interface facing Abilene; "all" also works if you want PIM everywhere */
        interface so-0/0/0 {
            mode sparse;
            version 2;
        }
    }
}
- If PIM is working on both sides of the connection, then each should see the other as a "PIM neighbor", e.g.:
juniper>sho pim interface
Name          Stat    Mode      IP    V    State    Count    DR address
so-0/0/0.0    Up      Sparse    4     2    P2P      1
- First of all, if you have PIM enabled for an interface it will appear in this list, so that's a good first sanity check that you've turned it on at all. "Stat" shows "up", which is what you're looking for. Note that the "V" and "Mode" columns indicate 2 and Sparse, which should both be configured. In the column "Count", look for non-zero neighbor counts: 0 means that no neighbor negotiation has occurred (there is no PIM neighbor there; PIM is not turned on at your neighbor's side of the connection), while 1 means PIM *is* working from your neighbor's side of the connection to you. A DR ("designated router") isn't needed for a point-to-point connection.
MSDP for Juniper
- Finally, enable MSDP to your peer's RP. USUALLY (and this is the Internet2 preference), the MSDP peer address is the other end of the point-to-point connection. This will be the address to be used for Internet2. Some sites prefer to use a loopback address for their MSDP peering address, in which case they must also indicate to MSDP to use that interface. (The addresses in the 'peer' and the 'sa-filter' statements are the same, and are the address of your MSDP peer, usually the same as the MBGP peer.)
- Also, it's a good idea to have an MSDP filter applied to the connection, to keep the peer from sending improper source-active announcements. You may also implement SA-count limits to keep the neighbor from flooding you with advertisements.
protocols {
    msdp {
        group Abilene {
            export MSDP-FILTER;
            import MSDP-FILTER;
            peer 5.5.5.6 {
                /* you could use your loopback address here if you need to */
                local-address 5.5.5.5;
            }
        }
    }
}
policy-options {
    policy-statement MSDP-FILTER {
        term bad-groups {
            from {
                route-filter 224.0.1.2/32 exact;
                /* etc... the content of MSDP-FILTER is listed separately in this document */
            }
            then reject;
        }
        term bad-sources {
            from {
                source-address-filter 10.0.0.0/8 orlonger;
                source-address-filter 127.0.0.0/8 orlonger;
                source-address-filter 172.16.0.0/12 orlonger;
                source-address-filter 192.168.0.0/16 orlonger;
            }
            then reject;
        }
        term allow {
            then accept;
        }
    }
}
- You can verify that MSDP peering is up with the "show msdp brief" command. Look for "State: Established".
Peer address Local address State Last up/down Peer-Group SA Count
5.5.5.6 5.5.5.5 Established 3w1d18h Abilene 1038/2101
MSDP Filter contents
It's a good idea to limit the source-active advertisements your peer can send to you to legitimate multicast group addresses. This can be done on both Cisco and Juniper platforms with filters applied to your MSDP peers, as shown above. Internet2's current MSDP filter blocks the prefixes listed below. Its contents draw on input from the Internet2 Multicast Working Group, the Internet Assigned Numbers Authority (IANA) official list of multicast networks, and recommendations in www.cisco.com/warp/customer/105/49.html and draft-nickless-ipv4-mcast-unusable-03 (December 2003).
This version of the list uses Juniper syntax (Cisco's is "access-list 111 deny ip any host 224.0.2.2" for /32s or "deny ip any 224.77.0.0 0.0.255.255" for networks, etc. for this same set of prefixes).
route-filter 224.0.1.2/32 exact; ! SGI-DOGFIGHT
route-filter 224.0.1.3/32 exact; ! RWHOD
route-filter 224.0.1.8/32 exact; ! SUB-NIS
route-filter 224.0.1.22/32 exact; ! SRVLOC
route-filter 224.0.1.24/32 exact; ! MICROSOFT-DS--WINS locator service
route-filter 224.0.1.25/32 exact; ! NBC-PRO
route-filter 224.0.1.35/32 exact; ! SRVLOC-DA
route-filter 224.0.1.39/32 exact; ! AUTORP-ANNOUNCE
route-filter 224.0.1.40/32 exact; ! AUTORP-DISCOVERY
route-filter 224.0.1.60/32 exact; ! HP-DEVICE-DISC
route-filter 224.0.2.1/32 exact; ! HP-DEVICE-DISC
route-filter 224.0.2.2/32 exact; ! SUN-RPC
route-filter 224.1.0.38/32 exact; ! Retrospect
route-filter 224.77.0.0/16 orlonger; ! NORTON GHOST
route-filter 225.1.2.3/32 exact; ! ALTIRIS
route-filter 226.77.0.0/16 orlonger; ! NORTON GHOST
route-filter 229.55.150.208/32 exact; ! NORTON GHOST
route-filter 234.42.42.40/30 orlonger; ! IMAGECAST
route-filter 234.142.142.42/31 orlonger; ! IMAGECAST
route-filter 234.142.142.44/30 orlonger; ! IMAGECAST
route-filter 234.142.142.48/28 orlonger; ! IMAGECAST
route-filter 234.142.142.64/26 orlonger; ! IMAGECAST
route-filter 234.142.142.128/29 orlonger; ! IMAGECAST
route-filter 234.142.142.136/30 orlonger; ! IMAGECAST
route-filter 234.142.142.140/31 orlonger; ! IMAGECAST
route-filter 234.142.142.142/32 exact; ! IMAGECAST
route-filter 232.0.0.0/8 orlonger; ! SSM range--should be no MSDP here
route-filter 239.0.0.0/8 orlonger; ! admin scoped
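The Juniper-to-Cisco translation described above, as an added example (not part of the original document or Internet2's own tooling): it parses route-filter and source-address-filter lines, rejects prefixes with host bits set or group filters outside 224.0.0.0/4, emits the matching access-list 111 entries, and evaluates a (source, group) pair against the filter. The function names are assumptions, and both match types are treated as "inside this prefix", which holds here because the list uses exact only with /32s.

```python
import ipaddress
import re

# Excerpt of the page's filter (group terms and source terms combined; a subset).
JUNIPER_FILTER = """\
route-filter 224.0.1.39/32 exact; ! AUTORP-ANNOUNCE
route-filter 224.77.0.0/16 orlonger; ! NORTON GHOST
route-filter 234.142.142.128/29 orlonger; ! IMAGECAST
route-filter 232.0.0.0/8 orlonger; ! SSM range--should be no MSDP here
source-address-filter 10.0.0.0/8 orlonger;
source-address-filter 172.16.0.0/12 orlonger;
"""
LINE_RE = re.compile(r"(route-filter|source-address-filter)\s+(\S+)\s+(exact|orlonger);")
MULTICAST = ipaddress.ip_network("224.0.0.0/4")


def parse_filter(text):
    """Return (kind, network) pairs, rejecting malformed or misplaced prefixes."""
    entries = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised filter line: {line!r}")
        # strict=True raises ValueError when host bits are set (a mistyped prefix).
        net = ipaddress.ip_network(m.group(2), strict=True)
        if m.group(1) == "route-filter" and not net.subnet_of(MULTICAST):
            raise ValueError(f"group filter outside 224.0.0.0/4: {net}")
        entries.append((m.group(1), net))
    return entries


def to_cisco_acl(text, acl=111):
    """Render extended-ACL lines: sources in the source field, groups in the destination."""
    out = []
    for kind, net in parse_filter(text):
        # A /32 becomes "host x"; anything else uses the wildcard (host) mask.
        spec = (f"host {net.network_address}" if net.prefixlen == 32
                else f"{net.network_address} {net.hostmask}")
        out.append(f"access-list {acl} deny ip any {spec}" if kind == "route-filter"
                   else f"access-list {acl} deny ip {spec} any")
    return out + [f"access-list {acl} permit ip any any"]


def sa_permitted(source, group, text=JUNIPER_FILTER):
    """True if an SA for (source, group) passes every deny entry of the filter."""
    s, g = ipaddress.ip_address(source), ipaddress.ip_address(group)
    return not any((g if kind == "route-filter" else s) in net
                   for kind, net in parse_filter(text))
```

Running the parser over a filter before loading it catches a mistyped mask, which would otherwise be rejected by the router or silently match a different range.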
For Further Information:
- Cisco web pages: ftp://ftpeng.cisco.com/ipmulticast/index.html including recommended releases, tutorials, sample configurations, and much more.
- Internet2 Multicast working group: multicast.internet2.edu, including references, debugging tutorial, and contents of I2 hands-on multicast workshops.
- NCNE web pages: www.ncne.org/documentation/faq/multicast.html including FAQs and many tutorials from users and vendors.
- NCNE multicast introduction at I2 member meeting Spring 2000: www.internet2.edu/presentations/200003228-I2MM-Goodwin.htm
- NCNE user help: NCNE, the National Center for Network Engineering at Pittsburgh Supercomputing Center, has agreed to provide technical support for sites bringing up or having troubles with multicast. Write to ncne@ncne.org and ask for help specifically with Multicast. Indicate that you're an Internet2 site.
- "Best current practices for enabling Multicast networks": a presentation by Bill Nickless at the February 2003 Joint Techs workshop.
- "Protecting multicast-enabled networks": a presentation by Matt Davy at the July 2004 Joint Techs workshop.
- IPv4 Multicast Unusable Group and Source Addresses, version 3 of a draft by Bill Nickless (Dec 2003).
- Multicast troubleshooting methodology: Bill Nickless presentation. This version is from 2003. (PDF no longer available)
- Multicast troubleshooting: presentation given at Multicast workshop held in Vancouver, Canada, May 2004. (PDF no longer available)
- Triumf AG Multicast references: several good, current (2004), multicast references.
- Internet Assigned Numbers Authority (IANA) official list of multicast networks.
- A book, Interdomain Multicast Routing: Practical Juniper Networks and Cisco Systems Solutions (2002), available here at Amazon.
- A book, Developing IP Multicast Networks: The Definitive Guide to Designing and Deploying Cisco Multicast Networks (2000), available here at Amazon.