Deploying IP Multicast Session RST-2051
RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
2
1
Geekometer
Agenda
• Basic Multicast Engineering • Advanced Multicast Engineering
RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
3
Basic Multicast Engineering
• PIM Configuration Steps • Which Mode: Sparse or Dense? • RP Engineering
RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
4
2
PIM Configuration Steps • Enable Multicast Routing on every router • Configure every interface for PIM • Configure the RP – Using Auto-RP or BSR • Configure certain routers as Candidate RP(s) • All other routers automatically learn elected RP
– Anycast/Static RP addressing • RP address must be configured on every router • Note: Anycast RP requires MSDP RST-2051-rev1
5
© 2003, Cisco Systems, Inc. All rights reserved.
Configure PIM on Every Interface Classic Partial Multicast Cloud Mistake #1 src
T1/E1 line has best metric to source
no ip pim dense-mode
T1/E1
56K/64K ip pim dense-mode
X
We’ll just use the spare 56K line for the IP Multicast traffic and not the T1. RST-2051-rev1
RPF Failure!!!!! Network Engineer
rcvr
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
6
3
Configure PIM on Every Router Classic Partial Multicast Cloud Mistake #2 src
Highest next-hop IP address used for RPF when equal cost paths exist.
RPF Failure!!!!! Multicast Enabled
Multicast Disabled
A
X
We’ll just keep multicast traffic off of certain routers in the network.
.1 192.168.1.0/24 .2 E0
C E1
Network Engineer RST-2051-rev1
B
rcvr
© 2003, Cisco Systems, Inc. All rights reserved.
7
Basic Multicast Engineering
• PIM Configuration Steps • Which Mode: Sparse or Dense? • RP Engineering
RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
8
4
Which Mode—Sparse or Dense • Dense mode – Flood and Prune behavior very inefficient • Can cause problems in certain network topologies
– Creates (S, G) state in EVERY router • Even when there are no receivers for the traffic
– Complex Assert mechanism – Mixed control and data planes • Results in (S, G) state in every router in the network • Can result in non-deterministic topological behavior – Read: It can blackblack-hole traffic and/or melt down your network!
– Primarily usage: • Testing a router’s performance in the lab RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
9
Which Mode—Sparse or Dense
• Sparse mode – Must configure a Rendezvous Point (RP) – Very efficient • Uses Explicit Join model • Traffic only flows to where it’s needed
– Separated control and data planes • Router state only created along flow paths • Deterministic topological behavior
– Scales well • Works for both sparsely or densely populated networks
RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
10
5
Which Mode—Sparse or Dense
CONCLUSION “Sparse mode Good! Dense mode Bad!” Source: “The Caveman’s Guide to IP Multicast”, ©2000, R. Davis
RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
11
Group Mode vs. Interface Mode
• Group & Interface mode are independent. – Interface Mode • Determines how the interface operates when sending/receiving multicast traffic.
– Group Mode • Determines whether the group is Sparse or Dense.
RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
12
6
Group Mode • Group mode is controlled by local RP info – Local RP Information • Stored in the Group-to-RP Mapping Cache • May be statically configured or learned via Auto-RP or BSR
– If RP info exists, Group = Sparse – If RP info does not exist, Group = Dense – Mode Changes are automatic. i.e. if RP info is lost, Group falls back to Dense. RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
13
Configuring Interface • Interface Mode Configuration Commands – Enables multicast forwarding on the interface. – Controls the interface’s mode of operation. ip pim dense-mode • Interface mode is set to Dense mode operation.
ip pim sparse-mode • Interface mode is set to Sparse mode operation.
ip pim sparse-dense-mode • Interface mode is determined by the Group mode. – If Group is Dense, interface operates in Dense mode. – If Group is Sparse, interface operates in Sparse mode. RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
14
7
Basic Multicast Engineering
• PIM Configuration Steps • Which Mode: Sparse or Dense? • RP Engineering
RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
15
RP Engineering
• RP Configuration Methods • General RP Recommendations • Avoiding DM Fallback • Using Multiple Group Ranges
RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
16
8
RP Configuration Methods
• Static • Auto-RP • BSR • Anycast-RP’s
RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
17
Static RP’s
• Hard-coded RP address – When used, must be configured on every router – All routers must have the same RP address – RP fail-over not possible • Exception: If Anycast RPs are used. (More on that later.)
– Group can never fall back into Dense mode.
RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
18
9
Announce
MA B B
Announce
C C
Announce
D D Announce
C-RP 1.1.1.1
A A
Announce
Announce
MA
Announce
Auto-RP Overview
Announce
C-RP 2.2.2.2
RP- Announcements multicast to the Cisco Announce (224.0.1.39) group Announce RST-2051-rev1
19
© 2003, Cisco Systems, Inc. All rights reserved.
MA
C-RP 1.1.1.1
C C
MA
Dis cov ery
Dis cov ery
A A
Disc ove ry
B B Disc ove ry
Dis cov ery
Disc ove ry
Dis cov ery
Auto-RP Overview
Disc ove ry
D D
C-RP 2.2.2.2
RP-Discoveries multicast to the Cisco Discovery (224.0.1.40) group Discovery RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
20
10
BSR Overview BSR Election Process
BSR Msg
BSR Msg
C-BSR
C-BSR A
C-BSR
BSR Msg
F
BSR Msg
BSR Msg
BSR Msg
BSR Msg
BSR Msg
D
BSR Msg
BSR Msg
BSR Msg
BSR Msg
G
B
C
BSR Msgs
E
BSR Msgs Flooded Hop -by-Hop
RST-2051-rev1
21
© 2003, Cisco Systems, Inc. All rights reserved.
BSR Overview Highest Priority C-BSR is elected as BSR G
BSR A D
F
B
C E
RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
22
11
BSR Overview
G
BSR A D
CRP Ad v (un ertise ica me st) nt
nt me tise ver st) d A a RP (unic C-
C-RP
B
F
C
C-RP
E
RST-2051-rev1
23
© 2003, Cisco Systems, Inc. All rights reserved.
BSR Overview
BSR Msg
BSR Msg
G
BSR A
BSR Msg
F
BSR Msg
D
C-RP
B
BSR Msgs
C
C-RP
E
BSR Msgs containing RP-set Flooded Hop-by-Hop RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
24
12
Anycast RP—Overview
Src
RP1
X RST-2051-rev1
RP2
MSDP
A A 10.1.1.1
Rec
Src
SA
Rec
SA
B B 10.1.1.1
Rec
Rec
25
© 2003, Cisco Systems, Inc. All rights reserved.
Anycast RP—Overview
Src
RP2
A A 10.1.1.1
B B 10.1.1.1
X
RP1
Rec
RST-2051-rev1
Src
Rec
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
Rec
Rec
26
13
RP Engineering
• RP Configuration Methods • General RP Recommendations • Avoiding DM Fallback • Using Multiple Group Ranges
RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
27
General RP Recommendations • Use Anycast RP’s: – When network must connect to Internet or – When rapid RP failover is critical
• Pros – Fastest RP Convergence method – Required when connecting to Internet
• Cons – Requires more configuration – Requires use of MSDP between RP’s RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
28
14
General RP Recommendations • Use Auto-RP – When minimum configuration is desired and/or – When maximum flexibility is desired
• Pros – Most flexible method – Easiest to maintain
• Cons – Increased RP Failover times vs Anycast – Special care needed to avoid DM Fallback • Some methods greatly increase configuration RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
29
General RP Recommendations • Use BSR: – When Static/Anycast RP’s cannot be used and – When maximum interoperability is needed
• Pros – Interoperates with all Vendors
• Cons – Increased RP Failover times vs Anycast – Special care needed to avoid DM Fallback • Some methods greatly increase configuration
– Not as “field-proven” as other methods RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
30
15
Dense Mode Fallback • Caused by loss of local RP information. – Entry in Group-to-RP mapping cache times out.
• Can happen when: – All C-RP’s fail. – Auto-RP/BSR mechanism fails. • Generally a result of network congestion.
• Group is switched over to Dense mode. – Dense mode state is created in the network. – Dense mode flooding begins if interfaces configured as ip pim sparse sparse-dense dense-mode mode. RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
31
Dense Mode Fallback Avoiding Dense Mode Fallback To always guarantee Sparse mode operation (and avoid falling back to Dense mode), make sure that every router always knows of an RP for every group.
RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
32
16
Avoiding DM Fallback – Current Workaround
• Define an “RP-of-last-resort” – Configure as a Static RP on every router • Will only be used if all Candidate-RP’s fail • Can be a dummy address or local Loopback – Recommendation: Use local Loopback on each router
– MUST use ACL to avoid breaking AutoAuto-RP! ip pim rp-address
10 access-list 10 deny 224.0.1.39 access-list 10 deny 224.0.1.40 access-list 10 permit any
RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
33
Avoiding DM Flooding – Future • New IOS global command ip pim autorp-listener
• Added support for Auto-RP Environments – Modifies interface behavior • Interface always uses DM for Auto-RP groups • Permits use of ip pim sparse sparse-mode interfaces and Auto-RP.
– Prevents DM Flooding • When ip pim sparse sparse-mode used on interfaces.
– Does not prevent DM Fallback!
• Available soon RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
34
17
Avoiding DM Flooding – Future • Deploying ip pim autorp autorp-listener – Must be configured on every router. – Use RP-of-last-resort on older IOS versions until upgraded • Assign local Loopback as RP-of-last-resort on each router. • Example ip pim rp-address 10 access-list 10 deny 224.0.1.39 access-list 10 deny 224.0.1.40 access-list 10 permit any RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
35
Avoiding DM Fallback – Future • New IOS global command no ip pim dm-fallback
• Totally prevents DM Fallback!! – No DM Flooding since all state remains in SM
• Default RP Address = 0.0.0.0 [nonexistent] – Used if all RP’s fail. • Results in loss of Shared Tree. • All SPT’s remain active.
• Available soon RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
36
18
RP Engineering
• RP Configuration Methods • General RP Recommendations • Avoiding DM Fallback • Using Multiple Group Ranges
RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
37
Using Multiple Group Ranges • Definition: – Different RPs for different group ranges
• Often used to: – Directly connect an RP to group sources • Assumes Few-to-many application model
– Split up RP workload over multiple RP’s – Provide different Shared Tree topologies • Used with ‘spt-threshold = infinity”
• Caveats: – Try to avoid overlapping group ranges • Can cause unexpected RP election results RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
38
19
Using Multiple Group Ranges RP/Mapping Agent LO0: 172.16.22.1
A
B
PIM Sparse Mode C
D
RP/Mapping Agent LO0: 172.16.25.1
ip pim send-rp-announce Loopback0 scope 16 group-list 20 ip pim send-rp-discovery Loopback0 scope 16 ! access-list 20 permit 224.0.0.0 15.255.255.255 access-list 20 permit 239.255.0.0 0.0.255.255 ip pim send-rp-announce Loopback0 scope 16 group-list 20 ip pim send-rp-discovery Loopback0 scope 16 ! access-list 20 permit 224.0.0.0 15.255.255.255 access-list 20 permit 225.0.0.0 0.255.255.255 RST-2051-rev1
C-RP/Mapping Agent Configs
39
© 2003, Cisco Systems, Inc. All rights reserved.
Using Multiple Group Ranges RP/Mapping Agent LO0: 172.16.22.1
A
B
PIM Sparse Mode
Rtr-B#show ip pim rp mapping PIM Group-to-RP Mappings This system is an RP (Auto-RP) This system is an RP-mappingCagent (Loopback0)
RP/Mapping Agent
LO0: 172.16.25.1 Group(s) 224.0.0.0/4 RP 172.16.25.1 (R5), v2v1 Info source: 172.16.25.1 (R5), via Auto-RP Uptime: 01:05:03, expires: 00:02:27 RP 172.16.22.1 (R2), v2v1 Info source: 172.16.22.1 (R2), via Auto-RP Uptime: 01:05:11, expires: 00:02:43 Group(s) 225.0.0.0/8 RP 172.16.25.1 (R5), v2v1 Info source: 172.16.25.1 (R5), via Auto-RP Uptime: 00:17:29, expires: 00:02:29 Group(s) 239.255.0.0/16 RP 172.16.22.1 (R2), v2v1 Info source: 172.16.22.1 (R2), via Auto-RP Uptime: 00:56:18, expires: 00:02:41 RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
D
Mapping Agent’s Group -to-RP mapping cache contains all learned C-RP’s ordered by Group, Mask length, and C-RP address.
40
20
Using Multiple Group Ranges RP/Mapping Agent LO0: 172.16.22.1
A
B
PIM Sparse Mode
Rtr-B#show ip pim rp mapping PIM Group-to-RP Mappings This system is an RP (Auto-RP) This system is an RP-mappingCagent (Loopback0)
D
RP/Mapping Agent
LO0: 172.16.25.1 Group(s) 224.0.0.0/4 RP 172.16.25.1 (R5), v2v1 Info source: 172.16.25.1 (R5), via Auto-RP Uptime: 01:05:03, expires: 00:02:27 RP 172.16.22.1 (R2), v2v1 Info source: 172.16.22.1 (R2), via Auto-RP Uptime: 01:05:11, expires: 00:02:43 Group(s) 225.0.0.0/8 RP 172.16.25.1 (R5), v2v1 Info source: 172.16.25.1 (R5), via Auto-RP Uptime: 00:17:29, expires: 00:02:29 Group(s) 239.255.0.0/16 RP 172.16.22.1 (R2), v2v1 Info source: 172.16.22.1 (R2), via Auto-RP Uptime: 00:56:18, expires: 00:02:41 RST-2051-rev1
Mapping Agent advertises elected RP’s in Discovery Messages Note: Elected RP is always listed as first C-RP for a Group Range.
41
© 2003, Cisco Systems, Inc. All rights reserved.
Using Multiple Group Ranges RP/Mapping Agent LO0: 172.16.22.1
A
B
PIM Sparse Mode C Rtr-D#sh ip pim rp map PIM Group-to-RP Mappings
RP/Mapping Agent
Group(s) 224.0.0.0/4 RP 172.16.25.1 (Rtr-C), v2v1 Info source: 172.16.25.1 (Rtr-C), via Auto -RP Uptime: 01:00:14, expires: 00:02:25 Group(s) 225.0.0.0/8 RP 172.16.25.1 (Rtr-C), v2v1 Info source: 172.16.25.1 (Rtr-C), via Auto -RP Uptime: 00:12:40, expires: 00:02:24 Group(s) 239.255.0.0/16 RP 172.16.22.1 (Rtr-B), v2v1 Info source: 172.16.25.1 (Rtr-C), via Auto -RP Uptime: 00:51:28, expires: 00:02:24 RST-2051-rev1
D
LO0: 172.16.25.1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
Resulting Group-to-RP Mapping Cache in all non-MA routers (Notice that only elected RP’s are contained the Group-to-RP mapping cache in non-MA routers.) 42
21
Using Multiple Group Ranges RP/Mapping Agent LO0: 172.16.22.1
A
B
PIM Sparse Mode C
Join 239.255.1.1
D
RP/Mapping Agent LO0: 172.16.25.1
Rtr-D#sh ip pim rp map PIM Group-to-RP Mappings
Group(s) 224.0.0.0/4 RP 172.16.25.1 (Rtr-C), v2v1 Info source: 172.16.25.1 (Rtr-C), via Auto -RP Uptime: 01:00:14, expires: 00:02:25 Group(s) 225.0.0.0/8 RP 172.16.25.1 (Rtr-C), v2v1 Info source: 172.16.25.1 (Rtr-C), via Auto -RP Uptime: 00:12:40, expires: 00:02:24 Group(s) 239.255.0.0/16 RP 172.16.22.1 (Rtr-B), v2v1 Info source: 172.16.25.1 (Rtr-C), via Auto -RP Uptime: 00:51:28, expires: 00:02:24 RST-2051-rev1
Which entry will the router use to determine RP address? This one? (It has the highest RP address.) Or this one? (It has the longest mask.) 43
© 2003, Cisco Systems, Inc. All rights reserved.
Using Multiple Group Ranges RP/Mapping Agent LO0: 172.16.22.1
A
B
PIM Sparse Mode C Rtr-D#sh ip pim rp map PIM Group-to-RP Mappings
RP/Mapping Agent
D
LO0: 172.16.25.1
Group(s) 224.0.0.0/4 RP 172.16.25.1 (Rtr-C), v2v1 Info source: 172.16.25.1 (Rtr-C), via Auto -RP Uptime: 01:00:14, expires: 00:02:25 Group(s) 225.0.0.0/8 RP 172.16.25.1 (Rtr-C), v2v1 Info source: 172.16.25.1 (Rtr-C), via Auto -RP Uptime: 00:12:40, expires: 00:02:24 Group(s) 239.255.0.0/16 RP 172.16.22.1 (Rtr-B), v2v1 Info source: 172.16.25.1 (Rtr-C), via Auto -RP Uptime: 00:51:28, expires: 00:02:24 RST-2051-rev1
Join 239.255.1.1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
Answer: Router uses “longest match” to find matching entry in the Group-to-RP mapping cache. Moral: Avoid overlapping group ranges to reduce the chances of incorrect RP selection. 44
22
Overlapping Group Ranges Local Scope 239.255.0.0/16
239.255.255.255 239.255.0.0
Local Scope 239.255.0.0/16
239.252.255.255 Organization -Local Scope 239.192.0.0/14
Organization -Local Scope 239.192.0.0/14 239.192.0.0
Global Scope 224.0.0.0/4 238.255.255.255
Avoid!!! Can result in confusion and misconfiguration 224.0.0.0 RST-2051-rev1
Use nonnon-overlapping group ranges. Especially when using Admin. Scoping. Global Scope 224.0.0.0/8 225.0.0.0/8 226.0.0.0/8 . . . 236.0.0.0/8 237.0.0.0/8 238.0.0.0/8 45
© 2003, Cisco Systems, Inc. All rights reserved.
Overlapping Group Ranges 239.255.255.255 access-list 10 permit 239.255.0.0 0.0.255.255
239.255.0.0
Local Scope 239.255.0.0/16
239.252.255.255 Organization -Local Scope 239.192.0.0/14
access-list 20 permit 239.192.0.0 0.0.64.255
239.192.0.0
238.255.255.255 access-list 30 permit 224.0.0.0 access-list 30 permit 225.0.0.0 access-list 30 permit 226.0.0.0 . . . access-list 30 permit 236.0.0.0 access-list 30 permit 237.0.0.0 access-list 30 permit 238.0.0.0
0.0.255.255 0.0.255.255 0.0.255.255
0.0.255.255 0.0.255.255 0.0.255.255
224.0.0.0 RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
Use nonnon-overlapping group ranges. Especially when using Admin. Scoping. Global Scope 224.0.0.0/8 225.0.0.0/8 226.0.0.0/8 . . . 236.0.0.0/8 237.0.0.0/8 238.0.0.0/8 46
23
Overlapping Group Ranges • Avoiding Overlapping Group Ranges – Can’t use “deny” clause in C-RP ACL’s • Implies “Dense-mode Override” ip pim send-rp-announce loopback0 scope 16 group-list 10 accessaccess -list 10 deny 239.0.0.0 0.255.255.255 access-list 10 permit 224.0.0.0 15.255.255.255
– Must only use “permit” clauses ip pim send-rp-announce loopback0 scope 16 group-list 10 access-list 10 permit 224.0.0.0 0.255.255.255 access-list 10 permit 225.0.0.0 0.255.255.255 . . . access-list 10 permit 238.0.0.0 0.255.255.255 RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
47
Agenda
• Basic Multicast Engineering • Advanced Multicast Engineering
RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
48
24
Advanced Multicast Engineering
• Security • High Availability • Using Admin. Scoped Zones • Scaling Multicast Performance
RST-2051-rev1
49
© 2003, Cisco Systems, Inc. All rights reserved.
Controlling Receivers IGMP Access-Group Approach interface VLAN100 ip igmp access-group IPMC -ACL ip access -list standard IPMC -ACL permit 239.192.244.1 deny any
No filter (default) VL AN 101
100 AN VL
IP/TV Permit VT Stream Deny Executive Meeting Stream
This is micro-management of IP Multicast traffic!!! RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
50
25
Controlling Source Registration • Global command ip pim accept-register [list ] | [route-map <map>]
–Used on RP to filter incoming Register messages –Filter on Source address alone (Simple ACL) –Filter on (S, G) pair (Extended ACL) –May use route-map to specify what to filter • Filter by AS-PATH if (m)BGP is in use.
• Helps prevents unwanted sources from sending –First hop router blocks traffic from reaching net –Note: Traffic can still flow under certain situations RST-2051-rev1
51
© 2003, Cisco Systems, Inc. All rights reserved.
Controlling Source Registration
RP
• RP configured to only accept Registers from specific source.
ip pim accept-register list 10 access-list 10 permit 192.16.1.1
RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
52
26
Controlling Source Registration
RP Register
Register-Stop
Unwanted Sender
• Unwanted source traffic hits first-hop router. • First-hop router creates (S,G) state and sends Register.
First-hop
• RP rejects Register, sends back a Register-Stop.
Source Traffic
RST-2051-rev1
53
© 2003, Cisco Systems, Inc. All rights reserved.
Controlling Source Registration Weaknesses in ‘accept‘accept-register’ usage. RP
• Traffic will flow on local subnet where source resides. • Traffic will flow from first-hop router down any branches of the Shared Tree.
Unwanted Sender
Receiver
First-hop
Shared Tree
Receiver RST-2051-rev1
– Results when (*,G) OIL is copied to (S,G) OIL at first-hop router. – Causes (S,G) traffic to flow down all interfaces in (*,G) OIL of first-hop router. – Fundamental limitation of PIM protocol.
Receiver
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
54
27
Disabling Entire Group Ranges • Accept-Register Method ip pim accept-register group-list 10 access-list 10 deny 224.2.0.0 0.0.255.255 access-list 10 permit any
• Pros – Only configured on RP(s)
• Cons – Shared Trees and (*,G) state still created. • Results in unwanted (*,G) PIM Control Traffic.
– Source traffic can still flow. (See previous section on Accept-Register) RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
55
Disabling Entire Group Ranges • Garbage Can RP Method – Concept: • Separate RP for “disabled” groups – Could be non-existant router
• Blackholes all Registers and Joins
– Implementation: • Define separate RP for disabled groups – Use Auto-RP, BSR or Static RP definition
• Disable RP functionality on Garbage Can RP – Use ‘accept-rp’ command on GC RP to “deny” it from serving as RP for the disabled group range. RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
56
28
Disabling Entire Group Ranges • Garbage Can RP Method – Pros: • Few if any.
– Cons: • Periodic Registers still sent to GC RP • Periodic Joins still sent to GC RP • Has same source issues as Accept-Register – Source traffic can still flow under certain conditions.
• Adds significant complexity to network RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
57
Disabling Entire Group Ranges • Local Loopback RP Method – Concept: • Only Auto-RP-learned groups are authorized. • All other groups are considered unauthorized.
– Implementation: • Define local Loopback as RP for unauthorized groups on each router. ip pim rp-address 10 access-list 10 permit 224.2.0.0 0.0.255.255 Note: The permit clause defines the unauthorized group. RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
58
29
Disabling Entire Group Ranges
• Local Loopback RP Method – Operation: • Each router serves as RP for unauthorized groups. – Collapses PIM-SM domain of unauthorized groups down to the local router.
• Unauthorized group traffic cannot flow beyond local router.
RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
59
Disabling Entire Group Ranges • Local Loopback RP Method – Pros: • No PIM control traffic sent. – Local router is RP so no Registers/Joins are sent.
• No additional workload on local router. – First-hop routers always have to create state anyway.
• Can also serve as RP-of-last-resort – Solving DM Fallback problem at the same time.
– Cons: • Must be configured on every router. • Local sources can still send to local receivers. RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
60
30
Disabling Entire Group Ranges
• Recommendation – Use Local Loopback RP Method • Effectively disables unauthorized group traffic. • Can also serve as RP-of-last-resort ip pim rp-address 10 access-list 10 deny 224.0.1.39 access-list 10 deny 224.0.1.40 access-list 10 permit any
RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
61
Disabling Entire Group Ranges – Future
• New ‘no ip pim dm-fallback’ command – Undefined (via Auto-RP or BSR) groups default to an RP address of 0.0.0.0. – Effectively disables any group unlearned groups.
• Available soon.
RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
62
31
Preventing RP-Spoofing DoS Attacks • Global command ip pim rp-announce-filter rp-list [group-list ]
rp-list – Specifies from which routers C-RP Announcements are accepted.
group-list – Specifies which groups in the C-RP Announcement are accepted. – If not specified, defaults to deny all groups
• Use on Mapping Agents to filter out bogus C-RP’s – Some protection from RP-Spoofing denial-of-service attacks – Multiple commands may be configured as needed RST-2051-rev1
63
© 2003, Cisco Systems, Inc. All rights reserved.
Preventing RP-Spoofing DoS Attacks Use ip pim rp rp--announce announce--filter on RP “Use me as your RP”
“Use me as your RP”
Mapping Agent ip pim rp-announce-filter rp-list 11 group-list 12 access-list 11 permit 10.6.2.1 access-list 12 permit 239.192.240.0 0.0.3.255 access-list 12 permit 239.192.244.0 0.0.3.255 access-list 12 permit 239.192.248.0 0.0.3.255 access-list 12 permit 239.255.0.0 0.0.255.255 access-list 12 deny 239.0.0.0 0.255.255.255 access-list 12 permit 224.0.0.0 15.255.255.255
10.6.2.1
!IP address of Permitted RP !Permit MoH !Permit Low Stream !Permit Medium Stream !Permit High Stream !Deny remaining Admin. Scoped range !Permit Link Local/Reserved Addr.
• Using this configuration allows the router to accept RP announcements from only the RP in ‘access-list 11’ for group ranges described in ‘access-list 12’
RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
64
32
Advanced Multicast Engineering
• Security • High Availability • Using Admin. Scoped Zones • Scaling Multicast Performance
RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
65
Auto-RP Failover • RP failover time – Function of ‘Holdtime’ in C-RP Announcement • Holdtime = 3 x <rp-announce-interval> • Default < rp-announce-interval> = 60 seconds • Default Failover ~ 3 minutes
• Minimizing impact of RP failure – Use SPTs to reduce impact • Traffic on SPTs not affected by RP failure • Immediate switch to SPTs is on by default • New and/or bursty sources still a problem RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
66
33
Tuning Auto-RP Failover • Tune Candidate RPs • Use ‘interval’ clause to control failover times ip pim send-rp-announce scope [group-list acl] [interval <seconds>]
• Allows rp-announce-interval to be adjusted • Smaller intervals = Faster RP failover • Smaller intervals increase amount Auto-RP traffic – Increase is usually insignificant
• Total RP failover time reduced – Min. failover ~ 3 seconds
• Consider using Anycast RP for faster failover RST-2051-rev1
67
© 2003, Cisco Systems, Inc. All rights reserved.
DR Failover
A .2 (DR)
B
192.168.1.0/24
Rtr -B>show ip pim neighbor PIM Neighbor Table Neighbor Address Interface 192.168.1.2 Ethernet0
Uptime 4d22h
.1
Expires 00:01:18 00:01:18
Mode Sparse-Dense (DR)
• Depends on neighbor expiration time • Expiration Time sent in PIM query messages Expiration time = 3 x Default = 30 seconds DR Failover ~ 90 seconds (worst case) by default RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
68
34
DR Failover
• Tune PIM query interval – Use interface configuration command ip pim query-interval [msec] – Default = seconds – “msec” keyword available beginning with 12.1(11b)E
– Permits DR failover to be adjusted • Min. DR failover ~ 3 seconds (worst case) • Smaller intervals increase PIM query traffic – Increase is usually insignificant
RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
69
Advanced Multicast Engineering
• Security • High Availability • Using Admin. Scoped Zones • Scaling Multicast Performance
RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
70
35
Administratively-Scoped Zones • Used to limit: – High-BW sources to local site – Control sensitive multicast traffic
• Simple scoped zone example: 239.255.0.0/16 = (Site) Local Scope 239.192.0.0/14 = Organization-Local Scope 224.1.0.0 - 238.255.255.255 = Global scope (Internet) zone
• High-BW sources use Site-Local scope • Low-Med. BW sources use Org.-Local scope • Internet-wide sources use Global scope RST-2051-rev1
71
© 2003, Cisco Systems, Inc. All rights reserved.
Administratively-Scoped Zones Site A (HQ)
• Site-Local Boundaries block high-rate 239.255.0.0/16 traffic from going out the WAN links.
239.255.0.0/16
Border B
Border C
239.255.0.0/16
RST-2051-rev1
Site C (ATL)
S0
S0
Site B (LA)
Site-Local Boundaries
S1
Border A S0
Site-Local Boundaries
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
239.255.0.0/16
72
36
Administratively-Scoped Zones Site A (HQ)
• Site-Local Boundaries block high-rate 239.255.0.0/16 traffic from going out the WAN links.
239.255.0.0/16 Interface Serial0 ip multicast boundary 10
Interface Serial0 ip multicast boundary 10
access-list 10 deny 239.255.0.0 0.0.255.255 access-list 10 permit any Border A
S0
S1
Site-Local Boundaries
Site-Local Boundaries
access-list 10 deny 239.255.0.0 0.0.255.255 access-list 10 permit any
Site C (ATL)
S0
S0
Site B (LA)
Border B
Border C
Interface Serial0 ip multicast boundary 10
239.255.0.0/16
239.255.0.0/16
Interface Serial1 ip multicast boundary 10
access-list 10 deny 239.255.0.0 0.0.255.255 access-list 10 permit any RST-2051-rev1
73
© 2003, Cisco Systems, Inc. All rights reserved.
Administratively-Scoped Zones Auto-RP Example Site A (HQ) Site Local C-RP/MA
Site Local C-RP/MA
• Each site needs its own set of Site Local C-RP’s and Mapping Agent(s).
Border B
Site Local C-RP/MA
Site C (ATL)
S0
S0
Site B (LA)
RST-2051-rev1
S1
Border A S0
Site Local C-RP/MA
Border C
Site Local C-RP/MA
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
Site Local C-RP/MA
74
37
Administratively-Scoped Zones Auto-RP Example Site A (HQ) Site Local C-RP/MA
Border B
Site Local C-RP/MA
RST-2051-rev1
Site C (ATL)
S0
S0
Site B (LA)
• Problem: Site-Local RP info can leak into other sites and cause wrong C-RP to be elected.
S1
Border A S0
Site Local C-RP/MA
Border C
Site Local C-RP/MA
Site Local C-RP/MA
Site Local C-RP/MA
© 2003, Cisco Systems, Inc. All rights reserved.
75
Administratively-Scoped Zones Preventing Auto-RP Info Leakage
• Multicast Boundary Command ip multicast boundary [filter-autorp]
– New ‘filter-autorp’ option • Filters contents of Auto-RP packets – Filters both Announcement and Discovery messages – C-RP entries that fail are removed from packet
• Prevents C-RP information from leaking in/out of scoped zone. • Greatly simplifies Admin. Scoped Zone support in Auto-RP. • Available in 12.0(22)S, 12.2(12). RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
76
38
Administratively-Scoped Zones Preventing Auto-RP Info Leakage
• How ‘filter-autorp’ option works: For each RP Entry in Auto-RP packet: If group-range in RP-Entry ‘intersects’ any ‘denied’ group-range in the Multicast Boundary ACL, delete RP Entry from Auto-RP packet.
If resulting Auto-RP packet is non-empty, forward across multicast boundary.
RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
77
Administratively-Scoped Zones Preventing Auto-RP Info Leakage
• Using Multicast Boundary ‘filter-autorp’ – Avoid Auto-RP Group-Range Overlaps • Overlapping ranges can “intersect” denied ranges at multicast boundaries. – Can cause unexpected Auto-RP info filtering at multicast boundaries. – Results in loss of Auto-RP info to other parts of network.
– Rule of Thumb: • Make sure Auto -RP GroupGroup-Ranges match exactly any Multicast Boundary Ranges! (i.e. don’t use overlapping AutoAuto-RP group ranges.) RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
78
39
Administratively-Scoped Zones Auto-RP Example with ‘filter-autorp’ boundaries Site A (HQ)
• The ‘filter-autorp’ option prevents Site -Local RP information from leaking out of the Site.
239.255.0.0/16 Interface Serial0 ip multicast boundary 10 filter filter- autorp
Interface Serial0 ip multicast boundary 10 filter filter- autorp
access-list 10 deny 239.255.0.0 0.0.255.255 access-list 10 permit any Border A
S0
S1
Site-Local Boundaries
Site-Local Boundaries
access-list 10 deny 239.255.0.0 0.0.255.255 access-list 10 permit any
Site C (ATL)
S0
S0
Site B (LA)
Border B
Border C
Interface Serial0 ip multicast boundary 10 filter -autorp
239.255.0.0/16
239.255.0.0/16
Interface Serial1 ip multicast boundary 10 filter -autorp access-list 10 deny 239.255.0.0 0.0.255.255 access-list 10 permit any RST-2051-rev1
79
© 2003, Cisco Systems, Inc. All rights reserved.
Administratively-Scoped Zones Auto-RP Example with ‘filter-autorp’ boundaries Site A (HQ) interface Loopback0 ip address 192.168.10.2 255.255.255.255 Site Local
C-RP/MA
Site Local C-RP/MA
ip pim send-r p- discovery scope 15 ip pim send-r p- announce Loopback0 scope 15 group 20
• Configuring Site -Local RP’s and Mapping Agents at each site. (Only the LA site shown.)
access-list 20 permit 239.255.0.0 0.0.255.255 interface Loopback0 ip address 192.168.10.1 255.255.255.255
Border A S1
ip pim send-r p- discovery scope 15 S0 p- announce Loopback0 scope 15 group 20 ip pim send-r access-list 20 permit 239.255.0.0 0.0.255.255
Border B
Site Local C-RP/MA
RST-2051-rev1
Site C (ATL)
S0
S0
Site B (LA)
Site Local C-RP/MA
Border C
Site Local C-RP/MA
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
Site Local C-RP/MA
80
40
Administratively-Scoped Zones Auto-RP Example with ‘filter-autorp’ boundaries Site A (HQ) Site Local C-RP/MA
Site Local C-RP/MA
Org-Local C-RP
Org-Local C-RP
Border B
Site Local C-RP/MA
Site C (ATL)
S0
S0
Site B (LA)
RST-2051-rev1
Org-Local C-RP’s (non-Site Local Groups) S1
Border A S0
• Still need Org-Local RP for all non-Site Local Groups.
Site Local C-RP/MA
Border C
Site Local C-RP/MA
Site Local C-RP/MA
81
© 2003, Cisco Systems, Inc. All rights reserved.
Administratively-Scoped Zones Example
Australia North America
ASIAPAC China
East Coast US
Canada India
Japan
West Coast US
Core
North Region
EMEA
Eastern Region
Internet South Region
RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
82
41
Administratively-Scoped Zones Example Level1: Site Scope Australia
RP
North America
ASIAPAC
RPChina RP Canada
East Coast US
India
RP
RP
Japan
West Coast US
RP
RP
Core
North RP Region
EMEA
Eastern Region
Internet
RP
•
Site Local Range: 239.255.x.x
•
RP per Site
•
Reusable range
RST-2051-rev1
South Region
RP
83
© 2003, Cisco Systems, Inc. All rights reserved.
Administratively-Scoped Zones Example Level2: Regional Scope Australia North America
ASIAPAC China
East Coast US
Canada India
Japan
West Coast US
RP
RP
Core
North Region
•
Enterprise Regional Admin Scoped Range: 239.[192-254].x.x Internet
•
RP per Region
•
Reusable range
EMEA
Eastern Region South Region
RST-2051-rev1
RP
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
84
42
Administratively-Scoped Zones Example Level3: Enterprise Global Scope Australia North America
ASIAPAC China
East Coast US
Canada India
Japan
West Coast US
RP
RP
Core
North Region
•
EMEA
Enterprise Global Administrative Scoped Range: 239.[0-191].x.x
Eastern Region
Internet
•
Multiple Admin Scoped RPs (via MSDP full mesh)
•
Private Address Space within the Enterprise, no Internet connectivity for this range
RST-2051-rev1
South Region
RP
85
© 2003, Cisco Systems, Inc. All rights reserved.
Administratively-Scoped Zones Example Level 4: Internet Global Scope Australia North America
ASIAPAC China
East Coast US
Canada India
Japan
West Coast US
RP
RP
Core
North Region
Eastern Region
Internet
•
Global Sparse mode Address Space • 224.0.[2-255].x – 238.255.255.255
•
Multiple Global RPs (via MSDP full mesh)
•
MSDP connectivity to provider’s RPs
RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
EMEA
South Region
RP
86
43
Advanced Multicast Engineering
• Security • High Availability • Using Admin. Scoped Zones • Scaling Multicast Performance
RST-2051-rev1
87
© 2003, Cisco Systems, Inc. All rights reserved.
Common Campus Design
Core Network
Stub Network Users
RST-2051-rev1
Stub Network Servers
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
Stub Network Users
88
44
Non-RPF Performance Problem • Routers normally send Prunes in response to the arrival of non-RPF traffic. – On P2P links, upstream sending router prunes flow. – Prunes can be overridden on Multi-access links: • By downstream routers on the link that need the traffic. • By member hosts on the link.
• Result: – Certain multi-access network topologies result in nonRPF traffic that can’t be pruned. – Can result in high CPU loads on some routers. RST-2051-rev1
89
© 2003, Cisco Systems, Inc. All rights reserved.
Non-RPF Performance Problem Choke, Gasp, Pant, Wheeze!!
Core Network
A E0
High-rate Non-RPF Traffic
High-rate MPEG Video
B E0
10.1.1.0/24
• Non Non--RPF traffic may be dropped at ProcessProcess-Switch level! – Depends on the platform. Occurs on 6500’s and 8540’s.
• CPU load can skysky-rocket! RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
90
45
6500/8540 Stub Network Solution Core Network
A
B
E0
E0
10.1.1.0/24
Interface Interface E0 E0 ip ip access access-group -group 100 100 in in access-list access-list 100 100 permit permit ip ip 10.1.1.0 10.1.1.0 0.0.0.255 0.0.0.255 any any access-list access-list 100 100 permit permit ip ip 224.0.0.0 224.0.0.0 0.0.0.255 0.0.0.255 any any access-list access-list 100 100 permit permit ip ip 224.0.1.0 224.0.1.0 0.0.0.255 0.0.0.255 any any access-list access-list 100 100 deny deny ip ip any any 224.0.0.0 224.0.0.0 15.255.255.255 15.255.255.255 access-list 100 permit ip any any access-list 100 permit ip any any
ACL used to block non-RPF traffic RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
91
6500/8540 Stub Network Solution
• Allows multicast traffic to be sourced from network. • Permits router to receive critical protocol (OSPF, etc.) multicast. • Drops all remaining (non-RPF) multicast traffic. • Permits all other traffic.
•Handled in ACL hardware by 6500/8540. •Use only on Stub networks!!! Interface Interface E0 E0 ip ip access access-group -group 100 100 in in access-list access-list 100 100 permit permit ip ip 10.1.1.0 10.1.1.0 0.0.0.255 0.0.0.255 any any access-list access-list 100 100 permit permit ip ip 224.0.0.0 224.0.0.0 0.0.0.255 0.0.0.255 any any access-list 100 permit ip 224.0.1.0 0.0.0.255 access-list 100 permit ip 224.0.1.0 0.0.0.255 any any access-list access-list 100 100 deny deny ip ip any any 224.0.0.0 224.0.0.0 15.255.255.255 15.255.255.255 access-list access-list 100 100 permit permit ip ip any any any any
• ACL implemented automatically by the ‘ mls ip multicast stub’ command in 12.1(?)E. RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
92
46
Core Network Solution •Use p2p VLAN’s to avoid non-RPF problem. Core Network
Separate VLAN’s
Stub Network Users RST-2051-rev1
Stub Network
Stub Network
Servers
© 2003, Cisco Systems, Inc. All rights reserved.
Users 93
Multicast Router Performance
• Performance Impacted by: – Packet Replication Loads – State Maintenance Loads – PIM Signaling Loads
RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
94
47
Multicast Packet Replication OIL size affects performance Receiver Gasp, pant, wheeze!!
Receiver
Receiver
Source
100 Remote Sites w/Receivers
100 Packet Replications
Receiver RST-2051-rev1
95
© 2003, Cisco Systems, Inc. All rights reserved.
Software-based Packet Replication
Buffered I/O with 2 OIF I/O Buffer Input MAC Header
I/O Buffer Output MAC Header 2
I/O Buffer Output MAC Header 1
Copy Copy
Multicast Packet
Multicast Packet
Multicast Packet
Unused
Unused
Unused
Arriving Packet
Allocate New Buffer
Allocate New Buffer
• CPU load increases dramatically. Performance suffers. RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
96
48
Software-based Packet Replication
Particle I/O with 2 OIF Particle Buffers
Multicast Packet
Input MAC Header
Particle Buffer Output MAC Header 1
Particle Buffer Output MAC Header 2
Multicast Fragment 1
Allocate New Particle
Allocate New Particle
Multicast Fragment 2
• Reduced CPU load. Improved Performance. Multicast Fragment 3 Arriving Packet RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
97
Software-based Packet Replication
• Platforms that support Particle I/O – 7200 Series Routers – 7100 Series Routers – 2600/3600/3700 Series Routers – VIP2 Line Cards • Local card replication only
RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
98
49
Hardware-based Packet Replication • Cat 4000 – Uses Special Replication Hardware
• 7600/Cat6500 – Uses Special Replication Hardware
• GSR – Method varies by line card type
• ESR (10K) – Uses Pipeline processor RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
99
Multicast State Maintenance
• CPU load factors – Must perform RPF recalculation every 5 seconds • Watch the total number of mroute table entries • Unicast route table size impacts RPF recalculation
– Must maintain Interface and Entry Timers • Large OIL sizes significantly increase load – Timer processing optimized in IOS 12.?(?) – Greatly improves PIM scalability
RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
100
50
Multicast State Maintenance
• Memory load factors – (*, G) entry ~ 380 bytes + OIL size – (S, G) entry ~ 220 bytes + OIL size – Outgoing interface list (OIL) size • Each oil entry ~ 150 bytes
– Memory consumption is typically not a factor
RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
101
PIM Signaling • Signaling Loads – Register sending/receiving • During source start-up • Periodic Registers every 2 minutes
– Periodic Joins/Prunes • Sent once per second
– Topology changes • Can trigger large numbers of Join/Prune messages • Batch Join/Prune signaling added in IOS 12.?(?) – Significantly improves convergence time in networks with large amounts of mroute state. RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
102
51
PIM Protocol Extensions
• Source Specific Multicast • Bidirectional (Bidir) PIM
RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
103
Barriers to Multicast Deployment • Global Multicast Address Allocation –Dynamic Address Allocation • No adequate dynamic address allocation methods exist • SDR – Doesn’t scale • MASC – Long ways off!
–Static Address Allocation (GLOP) • Based on AS number. • Insufficient address space for large Content Providers.
• Multicast Content “Jammers” –Undesirable sources on a multicast group. • “Capt. Midnight” sources bogus data/noise to group. • Can cause DoS attack by congesting low speed links. RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
104
52
Source Specific Multicast (SSM)
• Uses Source Trees only. • Assumes One-to-Many model. – Most Internet multicast fits this model. – IP/TV also fits this model.
• Hosts responsible for source discovery. – Typically via some out-of-band mechanism. • Web page, Content Server, etc.
– Eliminates need for RP and Shared Trees. – Eliminates need for MSDP.
RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
105
SSM Overview • Hosts join a specific source within a group. –Content identified by specific (S,G) instead of (*,G). –Hosts responsible for learning (S,G) information.
• Last-hop router sends (S,G) join toward source –Shared Tree is never Joined or used. –Eliminates possibility of content Jammers. –Only specified (S,G) flow is delivered to host.
• Simplifies address allocation. –Dissimilar content sources can use same group without fear of interfering with each other. RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
106
53
SSM Example Source
Host learns of source, group/port First-hop learns of source, group/port First-hop send PIM (S,G) Join
A
B
C
D
PIM (S, G) Join
IGMPv3 (S, G) Join
E
Out-of-band source directory, example: web server
F
Receiver 1 RST-2051-rev1
107
© 2003, Cisco Systems, Inc. All rights reserved.
SSM Example Source
Result: Shortest path tree rooted at the source, with no shared tree.
A
B
E
C
D
Out-of-band source directory, example: web server
F
Receiver 1 RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
108
54
SSM Configuration • Global command ip pim ssm {default | }
– Defines SSM address range • Default range = 232.0.0.0/8 • Use ACL for other ranges
– Prevents Shared Tree Creation • (*, G) Joins never sent or processed • PIM Registers never sent or processed
– Available in IOS versions • 12.1(5)T, 12.2, 12.0(15)S, 12.1(8)E RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
109
SSM Configuration of Legacy Routers • Only Last-Hop routers must be upgraded. –Core may be upgraded later.
• Must insure no Shared Trees in SSM range. –Use ‘ip pim accept-register’ at RP. • Prevents sources from registering in 232/8.
–Use ‘ip pim accept-rp’ on all routers. • Prevents (*,G) Joins from being processed for 232/8.
–Use ‘ip msdp sa-redistribute’ at RP. • Stops SA message origination in 232/8.
–Use ‘ip msdp sa-filter’ on MSDP peers. • Prevents forwarding of SA messages in 232/8. RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
110
55
SSM – Summary • Uses Source Trees only. –Hosts are responsible for source & group discovery. –Hosts must signal router which (S,G) to join.
• Solves multicast address allocation problems. –Flows differentiated by both source and group. –Content providers can use same group ranges. • Since each (S,G) flow is unique.
• Helps prevent certain DoS attacks –“Bogus” source traffic: • Can’t consume network bandwidth. • Not received by host application. RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
111
PIM Protocol Extensions
• Source Specific Multicast • Bidirectional (Bidir) PIM
RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
112
56
Multicast Application Categories • One-to-Many Applications – Video, TV, Radio, Concerts, Stock Ticker, etc.
• Few-to-Few Applications – Small (<10 member) Video/Audio Conferences
• Few-to-Many Applications – TIBCO RV Servers (Publishing)
• Many-to-Many Applications – Stock Trading Floors, Gaming
• Many-to-Few Applications – TIBCO RV Clients (Subscriptions) RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
113
Multicast Application Categories PIM-SM (S, G) State
• One-to-Many Applications – Single (S,G) entry
• Few-to-Few Applications – Few (<10 typical) (S,G) entries
• Few-to-Many Applications – Few (<10 typical) (S,G) entries
• Many-to-Many Applications – Unlimited (S,G) entries
• Many-to-Few Applications – Unlimited (S,G) entries RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
114
57
Multicast State Maintenance • CPU load factors – Must send/receive Registers – Must send periodic Joins/Prunes – Must perform RPF recalculation every 5 seconds • Watch the total number of mroute table entries • Unicast route table size impacts RPF recalculation
• Memory load factors – (*, G) entry ~ 380 bytes + OIL size – (S, G) entry ~ 220 bytes + OIL size – Outgoing interface list (OIL) size • Each oil entry ~ 150 bytes RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
115
Many-to-Any State Problem • Creates huge amounts of (S,G) state – State maintenance workloads skyrocket • High OIL fanouts make the problem worse
– Router performance begins to suffer
• Using Shared-Trees only – Provides some (S,G) state reduction • Results in (S,G) state only along SPT to RP • Frequently still too much (S,G) state • Need a solution that only uses (*,G) state RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
116
58
Bidirectional (Bidir) PIM • Idea: – Use the same tree for traffic from sources towards RP and from RP to receivers
• Benefits: – Less state in routers • Only (*, G) state is used • Source traffic follows the Shared Tree – Flows up the Shared Tree to reach the RP. – Flows down the Shared Tree to reach all other receivers. RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
117
Bidirectional (Bidir) PIM
• Bidirectional Shared-Trees – Violates current (*,G) RPF rules • Traffic often accepted on outgoing interfaces. • Care must be taken to avoid multicast loops
– Requires a Designated Forwarder (DF) • Responsible for forwarding traffic up Shared Tree – DF’s will accept data on the interfaces in their OIL. – Then send it out all other interfaces. (Including the IIF.)
RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
118
59
Bidirectional (Bidir) PIM • Designated Forwarders (DF) – On each link the router with the best path to the RP is elected to be the DF • Note: Designated Routers (DR) are not used for bidir groups
– The DF is responsible for forwarding traffic upstream towards the RP – No special treatment is required for local sources
RST-2051-rev1
119
© 2003, Cisco Systems, Inc. All rights reserved.
Bidirectional PIM — Example
RP Receiver
Sender/ Receiver
Shared Tree Receiver RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
120
60
Bidirectional PIM — Example
Sender/ Receiver
RP Receiver
Source Traffic forwarded bidirectionally using (*,G) state. Shared Tree Source Traffic Receiver RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
121
Configuring Bidir PIM (Auto-RP Example)
• Define Candidate RP and groups / modes it is willing to serve ip pim send-rp-announce Loopback0 scope 10 group-list 45 bidir ip pim send-rp-announce Loopback1 scope 10 group-list 46 ! Two loopbacks needed due to a nature of ACLs (permit, deny) ip pim send-rp-discovery scope 10 access-list 45 permit 224.0.0.0 0.255.255.255 access-list 45 permit 227.0.0.0 0.255.255.255 ! 224/8 and 227/8 will be PIM Bidir groups access-list 45 deny 225.0.0.0 0.255.255.255 ! 225/8 will be a PIM Dense Mode group access-list 46 permit 226.0.0.0 0.255.255.255 ! 226/8 will be a PIM Sparse Mode group
RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
122
61
Bidir PIM – Phantom RP RP E0 (DF) E0
E0
E
F E1 (DF)
E0
E1 (DF)
E0
A
E0
B
E1 (DF)
Source
E0
C E1 (DF)
D E1 (DF)
E1 (DF)
Receiver 2
Receiver 1
Question: Does a Bidir RP even have to physically exist? Answer: No. It can just be a phantom address. RST-2051-rev1
123
© 2003, Cisco Systems, Inc. All rights reserved.
Bidir PIM – Phantom RP E0 (DF) E0
E0
E
F E1 (DF)
E0
E0
A
B
E1 (DF)
Source
E1 (DF)
E0
C E1 (DF)
E0
D E1 (DF)
E1 (DF)
(*, 224.1.1.1), 00:32:20/00:02:59, RP 172.16.21.1, flags: BP Bidir-Upstream: Ethernet0, RPF nbr 172.16.7.1 Outgoing Receiver interface2 list: Ethernet0, Bidir-Upstream/Sparse-Dense, 00:32:20/00:00:00
Receiver 1
Router “E” forwards traffic onto core LAN segment. RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
124
62
Bidir PIM – Phantom RP E0 (DF) E0
E0
E
F E1 (DF)
E0
E0
A
E0
B
E1 (DF)
Source
E1 (DF)
E0
C E1 (DF)
D E1 (DF)
E1 (DF)
(*, 224.1.1.1), 00:00:49/00:02:41, RP 172.16.21.1, flags: B Bidir-Upstream: Ethernet0, RPF nbr 172.16.1.1 Outgoing interface list: Ethernet0, Receiver Bidir-Upstream/Sparse-Dense, 2 00:00:49/00:00:00 Ethernet1, Forward/Sparse-Dense, 00:00:49/00:02:41
Receiver 1
Router “F” forwards traffic on down the Shared Tree ala normal PIM-SM. RP doesn’t even have to physically exist. RST-2051-rev1
125
© 2003, Cisco Systems, Inc. All rights reserved.
Phantom RP on Point-to-Point Core Static Route Method P
S RP: 1.1.1.1
ip multicast-routing
ip multicast-routing
interface Loopback0 ip address 11.0.0.1 255.255.255.255 ip pim sparse-mode
interface Loopback0 ip address 11.0.0.2 255.255.255.255 ip pim sparse-mode
router ospf 11 redistribute static subnets
router ospf 11 redistribute static subnets
ip route 1.1.1.1 255.255.255.255 Loopback0
ip route 1.1.1.0 255.255.255.254 Loopback0
ip pim bidir-enable ip pim rp-address 1.1.1.1 bidir
ip pim bidir-enable ip pim rp-address 1.1.1.1 bidir
RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
126
63
Phantom RP on Point-to-Point Core Netmask Method P
S RP: 1.1.1.2
ip multicast -routing ! interface Loopback0 ip address 1.1.1.1 255.255.255.252 ip pim sparse-mode ip ospf network pointpoint- to to-- point ! router ospf 11 network 1.1.1.0 0.0.0.3 area 0 network 10.1.1.0 0.0.0.255 area 0 network 10.1.2.0 0.0.0.255 area 0 ! ip pim bidir-enable ip pim rp-address 1.1.1.1 ip pim rp-address 1.1.1.2 bidir RST-2051-rev1
ip multicast -routing ! interface Loopback0 ip address 1.1.1.1 255.255.255.248 ip pim sparse-mode ip ospf network pointpoint- to to-- point ! router ospf 11 network 1.1.1.0 0.0.0.7 area 0 network 10.1.1.0 0.0.0.255 area 0 network 10.1.2.0 0.0.0.255 area 0 ! ip pim bidir-enable ip pim rp-address 1.1.1.1 ip pim rp-address 1.1.1.2 bidir
© 2003, Cisco Systems, Inc. All rights reserved.
127
Bidir PIM—Summary
• Drastically reduces network mroute state – Eliminates ALL (S,G) state in the network • SPT’s between sources to RP eliminated • Source traffic flows both up and down Shared Tree
– Allows Many-to-Any applications to scale • Permits virtually an unlimited number of sources
RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
128
64
Recommended Reading Developing IP Multicast Networks, Volume I ISBN: 1578700779
Available on-site at the Cisco Company Store RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
129
Please Complete Your Evaluation Form Session RST-2051
RST-2051-rev1
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
130
65
Session Number Presentation_ID
© 2003, Cisco Systems, Inc. All rights reserved.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0863_04F9_c2.scr
131
66