Cisco Switching/Routing :: RV082 Firewall Multicast Pass Through
Feb 19, 2012
WAN1 <-> LAN traffic
WAN2 <-> LAN traffic
WAN1 <-> WAN2 traffic?
Say, it is set DISABLED, what is / isn't blocked?
It reads: Multicast Pass Through IP Multicasting occurs when a single data transmission is sent to multiple recipients at the same time. Using this feature, the Router allows IP multicast packets to be forwarded to the appropriate computers.
I'm not able to configure the ASA 5510 to allow the multicast traffic to pass through the ASA. The multicast traffic has to pass from the inside interface to the outside interface. Can I configure the multicast traffic to pass through the ASA with a static NAT?
We have almost identical networks in two offices, with the only difference being that one uses an RV042 and the other an RV082. The setup is: two WAG54GS ADSL modems carry PPPoA ADSL connections with static IPs to the two WAN ports of the RV0XX. The WAG54GS routers are configured to DMZ all incoming traffic to the relevant WAN IP of the RV0XXs. VPN pass-through is also set on them. The RV0XX port forwarding is set to forward a selection of traffic such as PPTP, HTTP, HTTPS, RDP, POP3, SMTP and Remote Desk to the external adapter of an SBS 2003 server which processes all operations including ISA and Exchange. Mail for Exchange arrives through both ADSL connections for redundancy. VPN connection requests from remote users to the SBS come in through both ADSL connections. The office fitted with the RV042 works fine and does all the following without problems. The office fitted with the RV082 has issues. Remote VPN requests coming from ADSL to WAN port 1 of the RV082 connect successfully to the SBS 2003 server, but the VPN requests coming from ADSL to WAN port 2 fail to connect! Similarly, incoming mail destined for Exchange doesn't get through if coming from the ADSL of WAN port 2. I have updated the firmware on both the RV042 and RV082, but the RV082 still has the above issues.
I have a RV082 connected to a Comcast business-class internet with 6 static IPs one-to-one routed to specific internal hosts. This configuration has been stable for several years.
A few days ago, the RV082 stopped routing most of the external static requests to their specific internal hosts. External machines only display the "Can't connect to the webpage" error. Rebooting the RV082 re-enabled correct operation for about 30 minutes, then it failed again.
I pulled out my backup RV082, flashed it with the current configuration, and swapped it in. It acted the same - external statics route correctly for about 30 minutes, then it just stops.
I am trying to pass multicast traffic between two VRFs on the same 3750 switch. I have IP services IOS and sdm template routing.
Here is my config:
ip routing
!
ip vrf vpn2
 rd 1:1
 mdt default 220.127.116.11
 route-target export 1:1
 route-target import 1:1
Now I'm stuck - I don't know what to do to pass multicast traffic. Do I have any chance to run this config on a 3750 chassis? Perhaps the "Configuring Multicast VPN Extranet Support" document will be useful, but it concerns Catalyst 6500? [URL]
We have an ASA-5540 (8.4(1)). The inside interface faces a few multicast receivers. The outside interface faces the multicast source. All of the ASA multicast documents I've downloaded describe very simple network designs, such as a single segment on the ASA inside. Our PC hosts that will be multicast receivers are a couple of router hops away from the ASA inside interface. I'm not sure what the best way is to configure multicast on the ASA. Should I configure the ASA with PIM routing and a static RP address (plus the ACL to allow the multicast source traffic in) since the receiver hosts are a couple of hops away? I think I understand the IGMP joins are for a local PIM router, so configuring as a Stub Multicast router wouldn't work? The two Cisco routers between the host and the inside ASA interface already have PIM, a static RP address, and IP PIM Sparse-Mode configured.
I've just started a CCNA course and my lack of knowledge has me a bit stuck. My network is comprised of Cisco components and I'm semi-familiar with them just from reading and looking through options. I currently am using a Cisco ASA 5520 on my network and I am trying to join another network via one of the interfaces. My network is 192.168.0.0 255.255.0.0 and my inside interface is 192.168.1.1 255.255.0.0. I enabled a second interface using a static IP of 10.0.0.1 with a subnet of 255.255.255.128. Connected to that interface, I have a Fortigate firewall at 10.0.0.2 255.255.255.128. I can ping just fine from the Fortigate network to the 10.0.0.1 interface on the Cisco ASA 5520 network, but I cannot ping the 10.0.0.1 interface (or anything past it) on the ASA 5520 from any computer on the Cisco network. I've read that ACLs and NAT have to be done as well as enabling traffic between interfaces with the same security levels (both interfaces have security levels of 100 and the option is checked to allow traffic).
Note: each network has its own internet connection. The connection is to share information on servers on both networks with each other.
Due to upcoming changes to our network I'd like to be able to pass VLANs across the FE ports of a Cisco 1841 router. One port would go to a managed switch and then to local devices on different VLANs. The second port would go upstream to a Cisco 3825 at a different location, which would then connect to the internet. Due to monitoring behind the Cisco 3825 we would like all NAT to occur on the 3825.
What I would like to happen is this: an example device connected to port 7 on the managed switch gets an IP (10.0.7.10) from the Cisco 1841 in VLAN 7 (10.0.7.0/24). Traffic from that device goes to the switch, then in f0/1 on the 1841 and out f0/0 still with the same IP info, no NAT occurring. Traffic is received on the 3825 port 0/1 and then NAT occurs and out port 0/0 to the internet.
|_voip PBX___|-----|__3650___|------fiber-------------|__3650_____|------|_voipphone__|
I have a case where the voipphone is registered on the voippbx but people on both ends can't hear each other. No ACL on both 3650s, no firewalls between them, distance is about 2 miles. I tried telnet x.x.x.x 1720 or 1719 or 1721 (h323 ports) to the opposite switch - connection refused. How can I test if ports are open on the 3650? Is it correct if I create an allowing ACL and apply it on both 3650s on the interfaces connected: on one switch to the voippbx "IN", on the second switch on the interface connected to the voipphone "IN"?
I have started configuring a Cisco 2821 router for multicast. First, a short description and an explanation of the attached scheme. Let us say I have a small network with 100 users, one router and a Cisco 3560 switch. Two VLANs, one for data and another for multicast. Data from the internet works fine, but now I want to connect multicast servers (or a source of more multicast streams) from another subnet. The router has three interfaces. I expected there should be no problems with multicast configuration, but unfortunately it is not like I expected. What did I do?
First step: enable multicast routing
Second step: on both interfaces (Fe 0/1 and Fe 0/2) - ip pim sparse-mode
Third step: configure switch that users are connected to access port in VLAN 222 (temporary to see if multicast work)
When I start VLC on the computer nothing happens. If I connect the computer to the same subnet where the source of the multicast streams is, it works fine. What am I doing wrong? Is there anything about routing? All subnets are directly connected. An RP is not needed if I have one router, or is it?
I have a problem on my Catalyst 6509 on which I would like to do the following things:
I have some VLANs in which multicast is enabled. In those VLANs there is a router which is the default router for the equipment.
I had enabled multicast routing because some VLANs need to exchange multicast information, but I would like to differentiate between multicast traffic. For example, I have 5 VLANs:
Vlan 1 and 2 need to exchange multicast information but they don't need multicast information from Vlan 3 and 4.
Vlan 3 and 5 need to exchange multicast information but they don't need multicast information from Vlan 1 and 2.
Vlan 5 is an independent VLAN but doesn't need to have multicast information from all other VLANs.
Last problem: equipment on different VLANs can use the same multicast group address. In this case, multicast routing is not working between Vlan 1 to Vlan 2 and Vlan 3 to Vlan 4.
I am configuring multicast in an environment where I have a 4506 at each site (4 total) and a 6506 as the core. Each 4506 is connected via layer 3 to the 6506. I have a mix of 3560s, 3548s, and 2960s connected to the 4506s and the 6506 via layer 2 trunk.
I have multiple multicast sources and hosts communicating at a time (multiple cameras sending video / multiple computers receiving video). So this is not a scenario where there is 1 sender and many receivers. This would be many senders (~50) and some receivers (~10).
I configured ip multicast-routing on each of the 4506s and on the 6506. IGMP snooping is on by default on the 3560 and 2960 switches. CGMP is on by default on the 3548 switches.
I set up PIM sparse-dense mode and IGMP version 3 on each of the layer 3 interfaces for the 4506s and 6506 where they connect and on each VLAN that is sending or receiving multicast. Multicast is working throughout the network, however I am looking to verify the configuration as I scale this out to more clients on the network.
#1 - Is it correct to use sparse-dense mode in this configuration?
#2 - Do I need to configure a rendezvous point using AUTO-RP? (ip pim send-rp-announce INTERFACE scope TTL). Not sure here if I need to designate this and what to choose. Right now I do not have this and it is working, but documentation seems to infer that I need to designate this.
#3 - Are there any other configuration settings I should be considering? It is hard to find real-world configurations of multicast as examples or people that know multicast routing well.
I would like to test multicast routing with a Cisco 1801. I created 2 VLANs: Vlan 200 (192.168.200.x) assigned to FastEthernet 1, Vlan 130 (192.168.130.x) to FastEthernet 5.
Version IOS is : adipservice-k9 124-9.t1
#int Vlan 130
 ip address 192.168.130.254 255.255.255.0
 ip pim dense-mode
#int Vlan 200
 ip address 192.168.200.254 255.255.255.0
 ip pim dense-mode
I used VLC for my test. When I connect the source (18.104.22.168) and receiver (Udp://@22.214.171.124:1234), that's OK! But with the source on Vlan 200 and the receiver on Vlan 130, it is not good! I tested with "sparse-mode" and I have the same problem.
I can't seem to find where in ASDM (6.4.1) we can configure IGMP forwarding.
ASA5520(config-if)# igmp forward interface outside
The ASDM doc reference does not seem to be correct, pointing to: Configuring Stub Multicast Routing
Step 1 In the main ASDM window, choose Configuration > Device Setup > Routing > Multicast > IGMP.
Step 2 In the Multicast pane, check the Enable Multicast routing check box.
Step 3 Choose MForwarding.
- Catalyst 3750
Interface VLAN182
 IP Address 10.62.182.254 255.255.255.0
Interface G0/2
 Description Finger Print Server
 Switchport mode access
Here is the problem: if I connect the Finger Print devices to ports on the Catalyst 2960, some devices do not send data to the server, but if I connect all Finger Print devices to a HUB and from the HUB connect to the Catalyst 2960 at port F0/5, all devices (Finger Print) can send data to the server... Is there any special configuration on the Catalyst so that all devices can connect directly to ports on the Catalyst 2960 without the HUB?
While I am configuring a port on the switch, the switch reloads. After the reload, show version says: System returned to ROM by bus error at PC 0x458F6C, address 0x0. Show version from the affected switch is: Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 12.2(58)SE2, RELEASE SOFTWARE (fc1).
I faced a multicast routing problem - there is no multicast UDP stream toward the host, although all IGMP Joins/Reports/Leaves from the host are correct.
This is the Cisco 7609 ip m route debug showing the situation:
369144: Nov 15 15:03:07.370 MSK: IGMP(0): Received v2 Report on Vlan176 from 10.XXX.XX.184 for 239.XXX.XX.46
369145: Nov 15 15:03:07.370 MSK: IGMP(0): Received Group record for group 239.XXX.XX.46, mode 2 from 10.XXX.XX.184 for 0 sources
[code]....
I have an 861 that we are using for a test network and need to add static igmp addresses for multicast. We are using the router as a router on a stick with subinterfaces on the WAN link. I've looked everywhere to see how to add the static igmp addresses.
interface FastEthernet4
 no ip address
 no ip route-cache cef
I have a subnet with a GPS clock on it that connects into a Cisco 3750. The 3750 has another subnet hanging off of it that connects into a firewall then to a server. I need the server to get time from the GPS clock. Any way to pass the NTP through the 3750? The 3750 has the 3750-IPBase code running on it so the multicast support is limited. I am under regulatory restrictions that only allow traffic to flow from the higher security level (where the time server is) to the lower security level (where the server is). This prevents me from having the server go to the clock for updates.
We have a design of two 6509s running in a VSS with dual supervisors, each having three 10/100/1000Mb Ethernet modules. We have diagnosed a weird problem: none of the switchports in modules 1 and 2 on either switch have layer 2/layer 3 connectivity.
Tried everything from changing the cables to changing the end device but no luck with it.
Module results show pass and no errors in the logging.
I'm trying to configure multicast between 2 VLANs on a Cisco 886VA running IOS 15.2 (3) T1 (advanced security). While I can set the global "ip multicast-routing" I cannot "ip pim sparse-mode" on my interfaces - ip pim is actually unknown and also doesn't appear in the interface's ip subcommand list when using "?".
The feature navigator says pim is supported on my platform and IOS version.
My config looks like this:
interface FastEthernet3
 switchport access vlan 103
 no ip address
I recently created a stack using (2) 3750x switches. I have three VLANs on the stack (1, 105, 241). Vlan 105 is configured on 6509 core switches with multicasting and they are connected to the stack via gigabit fiber. It is working well with clients on the Master or SW1; however, clients on SW2 do not participate in multicasting. Any client PC that is connected to SW2 Vlan 105 does not show up in the "sh ip igmp snooping group" command. I can statically assign a client on SW2 to the mcast groups but they fail to register on their own. I can take the cable connection from SW2 and plug it into an SW1 Vlan 105 port and it immediately becomes a member of the groups. I can then connect it back to the SW2 port and it disappears from the group membership. IGMP and PIM are configured with the defaults.
I have a 3560X switch with interfaces 36-48 on the same LAN. All interfaces are switchports. Hosts on 38, 39 and 40 are multicast senders: all sending to the same single multicast address. Hosts on 36 and 37 are receivers, having joined that multicast group. I created an SVI for the LAN and put it in ip pim passive. (That is the only PIM mode allowed for an SVI with my IOS.) Show ip igmp snooping groups shows that 36 and 37 are the only interfaces in this group. I attach a laptop to interface 42 and Wireshark, and the laptop is receiving the multicast traffic. The laptop does not join the group. I expect it would not see the traffic.
I have the need to filter multicast between vlans as described below. PIM Sparse-Mode is being utilized for this multicast network and changing any Vlan to PIM Dense mode is not an option.
- Vlan 217 and Vlan 4 should not be communicating on mcast with any other VLAN, including each other (each VLAN isolated).
- Vlan 64 and Vlan 80 are able to communicate with each other on mcast but not with any other VLANs (isolated VLAN group).
- All other VLANs can communicate mcast freely.
What I've created thus far is below. It does not appear to be the most elegant solution and would be difficult for the administrators to adjust as new requirements come along. Yes, I will be adding the appropriate link-local multicast addresses so as to not break routing and other dependent technologies.
ip access-list ext ANY_CONN
 permit ip any any
ip access-list ext MCAST_INTRA_217
 permit ip 126.96.36.199 188.8.131.52 184.108.40.206 255.255.224.0
 permit ip 220.127.116.11 255.255.224.0 18.104.22.168 22.214.171.124
ip access-list ext MCAST_ISOLATE
I've been handed a requirement to try and get a multicast server working on my setup. Trouble is, I don't know if I can with the feature set I have on my switches. What is desired is that a multicast server (stand-alone, but network connected, obviously) be accessible by everyone on the local network (multiple VLANs, multiple SVIs) in the building.
All users will be connected to the one switch stack, although some will want to be wireless (which is one of the separate VLANs) - I don't care if the wireless requirement goes by the wayside - they can sod off. :-) The main purpose will be multicast, high quality video.
I have a single switch stack consisting of two (soon to be 3) WS-C3750X-48P switches running the IP BASE feature set.
Question - can I do this on IP BASE, or do I need to upgrade to IP SERVICES?
If I can do it on IP BASE, does anyone have any links/pointers to setup this properly? Currently installed IOS is 12.2(58)SE2.
Pinging the SVI on the core and/or pinging on the core to other devices resulted in MAJOR latencies, packet loss due to the CPU usage, etc. No other network operations were affected; I could communicate with the rest of the network with under 1-2 ms latencies. I noticed it due to my Opsview server flagging the core as down (SNMP OIDs wouldn't return a value).
It lasted the whole time I was multicasting; I kept a close eye on it. I highly considered canceling my job, but everything ran smoothly. When I looked at the CPU sorted history I saw 2 processes: IP Input and cat4k mgmnt hipri.
I have a 2960G that I keep on the bench as a work switch. I assigned an IP address to it. The techs have had trouble imaging workstations using GHOST. Do any config changes need to be made to enable multicast to work? Everything is in VLAN1 at this point and the GHOST server is also the DHCP server.
We have a couple of switches with a L3 Vlan 238 interface which runs PIM SM, OSPF, and HSRP. We have connected to this same segment telemetry processors which have raw socket interfaces configured - which means they pick up all IP packets which hit the interface and forward them along. So we don't want the processor to receive any of the 224.x.x.x switch housekeeping traffic. Is there any way to prevent that?
The two servers (Red Hat) use multicast for their heartbeat. Unrouted vlan 99 (only layer 2) is configured on the VTP Servers (6509). I have read this document [URL]
Switches 1 and 2 have IOS: c2960s-universalk9-mz.122-55.SE3.bin and the 6509: s72033-advipservicesk9_wan-mz.122-18.SXF17a.bin
IGMP snooping is enabled on the 2960 switches. In order for the heartbeat of the servers to work, I have tried these solutions:
- disable igmp snooping for vlan 99 on switch-1 & switch-2. (No additional action was taken on the 6509). This didn't work. I expected that the multicast traffic would be sent as broadcast throughout the network, but for some reason it didn't work.
- on switch-1 & switch-2 configured "ip igmp snooping vlan 99 querier" (no additional actions on 6509). Didn't work either.
- on switch-1 & switch-2 configured "ip igmp snooping vlan 99 mrouter interface gigabitEthernet 1/0/25" & "ip igmp snooping vlan 99 mrouter interface gigabitEthernet 1/0/26" for the two connections to the 6509. Again no actions taken on 6509. Didn't work.
I want static mac entries on the switches to be my last resort, since the number of Red Hat servers on the network is going to increase and I want to give a more generic solution to the issue.
A 2960G switch is doing IGMP snooping and is configured as the querier. There is no multicast routing.
Port 1 - Video Set Top Box A
Port 2 - Video Set Top Box B
Port 3 - Multicast Source
Both Set Top Boxes A & B are set to receive the video delivered in the same multicast group. Every 60 seconds the switch generates an IGMP General Query message which is sent out all the ports in the VLAN. There is a 10 second timeout in the Query message. Devices that wish to join (or remain joined) to the multicast group have this amount of time to respond with a Join Message directed at the multicast group. Devices deliberately wait a random duration within the timeout time before replying.
For some reason (which I don't understand), if the switch receives a Join request message from a Set Top Box, it forwards that message out of the port to the other Set Top Box. So, let's say Box A responded with the Join Message first. Box B now sees the Join message and now thinks there is another multicast receiver on its branch of the network, so it suppresses its Join Message to avoid sending an unnecessary message. If by chance Box A responds first 2 or 3 times in a row, the switch will not have seen a response from port 2 for a while, so it prunes that port from the multicast. Eventually, Box B responds first and gets re-joined onto the multicast. It is now Box A that may get pruned if it is consecutively slower.
How do I prevent the switch from replicating the Join message out to the other Set Top Box? I have verified this behavior with Wireshark. But I believe the Join message is only supposed to be forwarded to a multicast router (if there is one - and there isn't), not to other ports. The 2960 is running 12.2(58) SE2.
I am trying to resolve a situation where we need to send multiple (2 at least) multicast feeds from a source to our multilayer switch (3560x).
The problem with the source is that it can only send a feed to a single switch at a given time. It cannot send 2 (identical) feeds to two 3560x devices (on 2 different subnets/VLANs). I was wondering if I could make the two 3560x devices appear as 1 device (using virtual chassis system or a similar feature). I am running the IP services IOS feature set (c3560e-universalk9-mz.122-58.SE2.bin).
We are currently experiencing random multicast data dropouts on ports that are connected to a 3750X in VLAN ports. A test PC was connected to a routed port and we do not have any dropouts of the multicast data. We also took a 2960G and plugged it into VLAN ports on the 3750X. Any test PC that is on the 2960G does not lose traffic. The traffic only drops on PCs that are connected to a port on the 3750X that is in a VLAN. The data drops are random and last approximately 55-59 seconds before we start receiving multicast traffic again.
I do not see any input/output errors on the interfaces.
sh platform port-asic stat drop also shows no drops.
CPU runs at about 50% on the 3750X
Below is the configuration of the 3750X
Building configuration...
Current configuration : 8454
!
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-