Solved

Multicast VPN backup line with ASAs and 3750s

Posted on 2013-05-21
6
405 Views
Last Modified: 2013-06-12
Here's a standard setup using a VPN as a backup for a leased line:

 (More networks) --C3750 -- ASA -- Internet -- ASA -- C3750-- (More networks)
                       \------------------------------/

Open in new window


It works fine for unicast traffic with EIGRP, and some static routes that kick in when the line goes out, allowing traffic from any network to any other network.

However, our new network layer software needs to use multicast. What is required to get this to work in the same way?

I've discovered the following:
- The IPsec VPN will not forward multicasts.
- Other solutions involve a GRE tunnel between the routers, which then goes into a tunnel on the VPN. But 3750s and ASAs don't do GRE tunnels.
- I've read about Virtual Tunnel Interfaces (VTI), but then how do you specify that encryption is unnecessary if the leased line is up? Perhaps you don't need to?
- I also don't know what PIM mode to use. I saw that spare-dense is highly recommended, and I'd rather avoid configuring my own RPs if that's possible. But then apparently the ASAs don't do sparse-dense.

What's the recommended solution for this? I figure it is a pretty standard architecture, and perhaps someone has a standard configuration.
0
Comment
Question by:Titian
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 7

Expert Comment

by:unfragmented
ID: 39184101
Q. Does Cisco ASA support multicast traffic to be sent on an IPsec VPN tunnel?

A. No. It is not possible because this is not supported by Cisco ASA. As a workaround, you can have the multicast traffic encapsulated using GRE before that gets encrypted. Initially, the multicast packet has to be encapsulated using GRE on a Cisco router, then this GRE packet will be forwarded further to the Cisco ASA for IPSec encryption.
Ref: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a00805b87d8.shtml

You might be able to create a GRE tunnel interface on the 3750 for the purposes of a PoC, but I wouldn't recommend it production as GRE is process switched on a 3750 (not a good thing!)
0
 

Author Comment

by:Titian
ID: 39184127
I can't make a GRE tunnel on the 3750 according to the documentation.
0
 
LVL 20

Accepted Solution

by:
rauenpc earned 500 total points
ID: 39184214
The 3750 can indeed have a GRE tunnel configured. You may need to change the SDM template to routing for this to work. The documentation doesn't show the GRE tunnel config because it is not officially supported by Cisco because, like unfragmented said, it is process switched and cannot be handled in hardware.

The last time I configured a GRE tunnel on a 3750x went poorly. It instantly spiked the CPU to 99% and packet latency went from 30ms to 300ms+ and there were immediate application issues. This customer had fairly high traffic going across this tunnel.

I've configured this at other customers with lower traffic needs and this worked great.

Assuming you have IP Services licensing, you have a couple options. You could create the GRE tunnel and then create static mroutes with a high metric on the tunnel interface. This would make normal conditions use your leased line, and it would allow multicast to go across the GRE tunnel when the leased line is down as long as all the correct static mroutes exist. If you only create static mroutes for the tunnel and nothing else, only multicast traffic will be allowed across the tunnel and you will likely avoid the CPU spike issue.
If you want to be more dynamic, you could go with mBGP across the tunnel. I'm all for doing cool fancy things like mBGP, but realistically unless you have multicast going all different directions, you will probably be better off starting with the static mroute option.

Setting up sparse mode is usually only a couple extra commands versus sparse-dense mode. You just have one route declare itself as the RP, and configure the rest of the routers in the multicast domain to point at the RP router. Without these commands, sparse-dense mode is just dense mode since there is no RP to make it sparse.
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
LVL 10

Expert Comment

by:Mohammed Rahman
ID: 39198413
Please have a look at few sections on the link below.
Enabling Multicast Routing
Configuring Stub Multicast Routing
Configuring a Static Multicast Route

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/multicst.html#wp1061604

** I am not a cisco asa expert. Hope this helps.
0
 

Author Comment

by:Titian
ID: 39207155
I will try to do the config this weekend and revert with feedback.
0
 

Author Closing Comment

by:Titian
ID: 39242718
I just went with a GRE tunnel between the routers, via loopback interfaces. I added EIGRP over the tunnel, which has the nice benefit that it keeps the VPN open even when nobody is using it, and the EIGRP can then be used to give a successor that can easily be switched to if the leased line goes down. A couple of mroutes and the multicast traffic does the same as the unicast, ie everything uses the leased line until it goes down. Also, I fiddled the EIGRP over the leased line subnet so it would detect the dead route more quickly than the default.
0

Featured Post

Building an interactive eFuture classroom

Watch and learn how ATEN provided a total control system solution including seamless switching matrix switch, HDBaseT extenders, PDU, lighting control to build an interactive eFuture classroom.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Equivalent of WSUS for Solaris, AIX and Cisco devices 11 137
Cisco ASA 5505 firewall open port 4 56
allow device through ASA 4 11
Linksys EA8500 3 17
Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question