Titian
Multicast VPN backup line with ASAs and 3750s
Here's a standard setup using a VPN as a backup for a leased line:
(More networks) --C3750 -- ASA -- Internet -- ASA -- C3750-- (More networks)
                    \------------------------------/
It works fine for unicast traffic with EIGRP, and some static routes that kick in when the line goes out, allowing traffic from any network to any other network.
However, our new network layer software needs to use multicast. What is required to get this to work in the same way?
I've discovered the following:
- The IPsec VPN will not forward multicasts.
- Other solutions involve a GRE tunnel between the routers, which then goes into a tunnel on the VPN. But 3750s and ASAs don't do GRE tunnels.
- I've read about Virtual Tunnel Interfaces (VTI), but then how do you specify that encryption is unnecessary if the leased line is up? Perhaps you don't need to?
- I also don't know what PIM mode to use. I saw that sparse-dense is highly recommended, and I'd rather avoid configuring my own RPs if that's possible. But then apparently the ASAs don't do sparse-dense.
What's the recommended solution for this? I figure it is a pretty standard architecture, and perhaps someone has a standard configuration.
ASKER
I can't make a GRE tunnel on the 3750 according to the documentation.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
Please have a look at a few sections on the link below.
Enabling Multicast Routing
Configuring Stub Multicast Routing
Configuring a Static Multicast Route
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/multicst.html#wp1061604
** I am not a Cisco ASA expert. Hope this helps.
ASKER
I will try to do the config this weekend and revert with feedback.
ASKER
I just went with a GRE tunnel between the routers, via loopback interfaces. I added EIGRP over the tunnel, which has the nice benefit that it keeps the VPN open even when nobody is using it, and the EIGRP can then be used to give a successor that can easily be switched to if the leased line goes down. A couple of mroutes and the multicast traffic does the same as the unicast, i.e. everything uses the leased line until it goes down. Also, I fiddled the EIGRP over the leased line subnet so it would detect the dead route more quickly than the default.
You might be able to create a GRE tunnel interface on the 3750 for the purposes of a PoC, but I wouldn't recommend it in production as GRE is process switched on a 3750 (not a good thing!)
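A sketch of the setup the asker describes (GRE between loopbacks carried over the ASA VPN, EIGRP and PIM on both paths), written as an added example for a GRE-capable IOS router at one site; it is not the asker's actual configuration. All addresses, interface names and the EIGRP AS number 100 are constructed, and because the asker's mroutes are not shown on the page, this version lets the multicast RPF check follow the EIGRP route instead.

```cisco
! Site A router. Site B mirrors this with the addresses swapped.
! All addresses, interface names and AS 100 are constructed placeholders.
ip multicast-routing
!
interface Loopback0
 description GRE endpoint, reachable from the peer only through the VPN
 ip address 192.0.2.1 255.255.255.255
!
interface GigabitEthernet0/0
 description Leased line to site B (primary path)
 ip address 10.255.0.1 255.255.255.252
 ip pim sparse-dense-mode
 ! Detect a dead neighbor faster than the default 5 s hello / 15 s hold
 ip hello-interval eigrp 100 1
 ip hold-time eigrp 100 3
!
interface GigabitEthernet0/1
 description Inside link to the local ASA
 ip address 10.255.1.2 255.255.255.252
!
interface Tunnel0
 description GRE over the ASA site-to-site VPN (backup path)
 ip address 10.255.2.1 255.255.255.252
 ip pim sparse-dense-mode
 ! Higher delay than the leased line, so EIGRP holds this path as backup
 delay 100000
 tunnel source Loopback0
 tunnel destination 192.0.2.2
!
! Pin the peer loopback to the ASA: GRE then always travels inside the
! IPsec VPN (never in clear over the leased line) and the tunnel
! destination is never resolved through Tunnel0 itself.
ip route 192.0.2.2 255.255.255.255 10.255.1.1
!
router eigrp 100
 ! Leased line, tunnel, and the site's user networks (10.10.0.0/16 assumed).
 ! The loopbacks are deliberately not advertised.
 network 10.255.0.0 0.0.0.3
 network 10.255.2.0 0.0.0.3
 network 10.10.0.0 0.0.255.255
 no auto-summary
!
! Also needed, not shown: "ip pim sparse-dense-mode" on the LAN-facing
! interfaces, and on the ASAs a VPN interesting-traffic ACL that matches
! GRE (IP protocol 47) between 192.0.2.1 and 192.0.2.2.
```

With this applied on both sides, `show ip pim neighbor` should list the peer on both the leased-line interface and Tunnel0, and `show ip rpf <source>` should point at the leased-line interface while that line is up.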