Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


Multicast VPN backup line with ASAs and 3750s

Posted on 2013-05-21
Medium Priority
Last Modified: 2013-06-12
Here's a standard setup using a VPN as a backup for a leased line:

 (More networks) --C3750 -- ASA -- Internet -- ASA -- C3750-- (More networks)

Open in new window

It works fine for unicast traffic with EIGRP, and some static routes that kick in when the line goes out, allowing traffic from any network to any other network.

However, our new network layer software needs to use multicast. What is required to get this to work in the same way?

I've discovered the following:
- The IPsec VPN will not forward multicasts.
- Other solutions involve a GRE tunnel between the routers, which then goes into a tunnel on the VPN. But 3750s and ASAs don't do GRE tunnels.
- I've read about Virtual Tunnel Interfaces (VTI), but then how do you specify that encryption is unnecessary if the leased line is up? Perhaps you don't need to?
- I also don't know what PIM mode to use. I saw that spare-dense is highly recommended, and I'd rather avoid configuring my own RPs if that's possible. But then apparently the ASAs don't do sparse-dense.

What's the recommended solution for this? I figure it is a pretty standard architecture, and perhaps someone has a standard configuration.
Question by:Titian
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

Expert Comment

ID: 39184101
Q. Does Cisco ASA support multicast traffic to be sent on an IPsec VPN tunnel?

A. No. It is not possible because this is not supported by Cisco ASA. As a workaround, you can have the multicast traffic encapsulated using GRE before that gets encrypted. Initially, the multicast packet has to be encapsulated using GRE on a Cisco router, then this GRE packet will be forwarded further to the Cisco ASA for IPSec encryption.

You might be able to create a GRE tunnel interface on the 3750 for the purposes of a PoC, but I wouldn't recommend it production as GRE is process switched on a 3750 (not a good thing!)

Author Comment

ID: 39184127
I can't make a GRE tunnel on the 3750 according to the documentation.
LVL 20

Accepted Solution

rauenpc earned 2000 total points
ID: 39184214
The 3750 can indeed have a GRE tunnel configured. You may need to change the SDM template to routing for this to work. The documentation doesn't show the GRE tunnel config because it is not officially supported by Cisco because, like unfragmented said, it is process switched and cannot be handled in hardware.

The last time I configured a GRE tunnel on a 3750x went poorly. It instantly spiked the CPU to 99% and packet latency went from 30ms to 300ms+ and there were immediate application issues. This customer had fairly high traffic going across this tunnel.

I've configured this at other customers with lower traffic needs and this worked great.

Assuming you have IP Services licensing, you have a couple options. You could create the GRE tunnel and then create static mroutes with a high metric on the tunnel interface. This would make normal conditions use your leased line, and it would allow multicast to go across the GRE tunnel when the leased line is down as long as all the correct static mroutes exist. If you only create static mroutes for the tunnel and nothing else, only multicast traffic will be allowed across the tunnel and you will likely avoid the CPU spike issue.
If you want to be more dynamic, you could go with mBGP across the tunnel. I'm all for doing cool fancy things like mBGP, but realistically unless you have multicast going all different directions, you will probably be better off starting with the static mroute option.

Setting up sparse mode is usually only a couple extra commands versus sparse-dense mode. You just have one route declare itself as the RP, and configure the rest of the routers in the multicast domain to point at the RP router. Without these commands, sparse-dense mode is just dense mode since there is no RP to make it sparse.
Are You Ready for GDPR?

With the GDPR deadline set for May 25, 2018, many organizations are ill-prepared due to uncertainty about the criteria for compliance. According to a recent WatchGuard survey, a staggering 37% of respondents don't even know if their organization needs to comply with GDPR. Do you?

LVL 10

Expert Comment

by:Mohammed Rahman
ID: 39198413
Please have a look at few sections on the link below.
Enabling Multicast Routing
Configuring Stub Multicast Routing
Configuring a Static Multicast Route

** I am not a cisco asa expert. Hope this helps.

Author Comment

ID: 39207155
I will try to do the config this weekend and revert with feedback.

Author Closing Comment

ID: 39242718
I just went with a GRE tunnel between the routers, via loopback interfaces. I added EIGRP over the tunnel, which has the nice benefit that it keeps the VPN open even when nobody is using it, and the EIGRP can then be used to give a successor that can easily be switched to if the leased line goes down. A couple of mroutes and the multicast traffic does the same as the unicast, ie everything uses the leased line until it goes down. Also, I fiddled the EIGRP over the leased line subnet so it would detect the dead route more quickly than the default.

Featured Post

Fill in the form and get your FREE NFR key NOW!

Veeam® is happy to provide a FREE NFR server license to certified engineers, trainers, and bloggers.  It allows for the non‑production use of Veeam Agent for Microsoft Windows. This license is valid for five workstations and two servers.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In the hope of saving someone else's sanity... About a year ago we bought a Cisco 1921 router with two ADSL/VDSL EHWIC cards to load balance local network traffic over the two broadband lines we have, but we couldn't get the routing to work consi…
There’s a movement in Information Technology (IT), and while it’s hard to define, it is gaining momentum. Some call it “stream-lined IT;” others call it “thin-model IT.”
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

670 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question