Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 409
  • Last Modified:

Multicast VPN backup line with ASAs and 3750s

Here's a standard setup using a VPN as a backup for a leased line:

 (More networks) --C3750 -- ASA -- Internet -- ASA -- C3750-- (More networks)
                       \------------------------------/

Open in new window


It works fine for unicast traffic with EIGRP, and some static routes that kick in when the line goes out, allowing traffic from any network to any other network.

However, our new network layer software needs to use multicast. What is required to get this to work in the same way?

I've discovered the following:
- The IPsec VPN will not forward multicasts.
- Other solutions involve a GRE tunnel between the routers, which then goes into a tunnel on the VPN. But 3750s and ASAs don't do GRE tunnels.
- I've read about Virtual Tunnel Interfaces (VTI), but then how do you specify that encryption is unnecessary if the leased line is up? Perhaps you don't need to?
- I also don't know what PIM mode to use. I saw that spare-dense is highly recommended, and I'd rather avoid configuring my own RPs if that's possible. But then apparently the ASAs don't do sparse-dense.

What's the recommended solution for this? I figure it is a pretty standard architecture, and perhaps someone has a standard configuration.
0
Titian
Asked:
Titian
1 Solution
 
unfragmentedCommented:
Q. Does Cisco ASA support multicast traffic to be sent on an IPsec VPN tunnel?

A. No. It is not possible because this is not supported by Cisco ASA. As a workaround, you can have the multicast traffic encapsulated using GRE before that gets encrypted. Initially, the multicast packet has to be encapsulated using GRE on a Cisco router, then this GRE packet will be forwarded further to the Cisco ASA for IPSec encryption.
Ref: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a00805b87d8.shtml

You might be able to create a GRE tunnel interface on the 3750 for the purposes of a PoC, but I wouldn't recommend it production as GRE is process switched on a 3750 (not a good thing!)
0
 
TitianAuthor Commented:
I can't make a GRE tunnel on the 3750 according to the documentation.
0
 
rauenpcCommented:
The 3750 can indeed have a GRE tunnel configured. You may need to change the SDM template to routing for this to work. The documentation doesn't show the GRE tunnel config because it is not officially supported by Cisco because, like unfragmented said, it is process switched and cannot be handled in hardware.

The last time I configured a GRE tunnel on a 3750x went poorly. It instantly spiked the CPU to 99% and packet latency went from 30ms to 300ms+ and there were immediate application issues. This customer had fairly high traffic going across this tunnel.

I've configured this at other customers with lower traffic needs and this worked great.

Assuming you have IP Services licensing, you have a couple options. You could create the GRE tunnel and then create static mroutes with a high metric on the tunnel interface. This would make normal conditions use your leased line, and it would allow multicast to go across the GRE tunnel when the leased line is down as long as all the correct static mroutes exist. If you only create static mroutes for the tunnel and nothing else, only multicast traffic will be allowed across the tunnel and you will likely avoid the CPU spike issue.
If you want to be more dynamic, you could go with mBGP across the tunnel. I'm all for doing cool fancy things like mBGP, but realistically unless you have multicast going all different directions, you will probably be better off starting with the static mroute option.

Setting up sparse mode is usually only a couple extra commands versus sparse-dense mode. You just have one route declare itself as the RP, and configure the rest of the routers in the multicast domain to point at the RP router. Without these commands, sparse-dense mode is just dense mode since there is no RP to make it sparse.
0
New Tabletop Appliances Blow Competitors Away!

WatchGuard’s new T15, T35 and T55 tabletop UTMs provide the highest-performing security inspection in their class, allowing users at small offices, home offices and distributed enterprises to experience blazing-fast Internet speeds without sacrificing enterprise-grade security.

 
Mohammed RahmanCommented:
Please have a look at few sections on the link below.
Enabling Multicast Routing
Configuring Stub Multicast Routing
Configuring a Static Multicast Route

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/multicst.html#wp1061604

** I am not a cisco asa expert. Hope this helps.
0
 
TitianAuthor Commented:
I will try to do the config this weekend and revert with feedback.
0
 
TitianAuthor Commented:
I just went with a GRE tunnel between the routers, via loopback interfaces. I added EIGRP over the tunnel, which has the nice benefit that it keeps the VPN open even when nobody is using it, and the EIGRP can then be used to give a successor that can easily be switched to if the leased line goes down. A couple of mroutes and the multicast traffic does the same as the unicast, ie everything uses the leased line until it goes down. Also, I fiddled the EIGRP over the leased line subnet so it would detect the dead route more quickly than the default.
0

Featured Post

Lessons on Wi-Fi & Recommendations on KRACK

Simplicity and security can be a difficult  balance for any business to tackle. Join us on December 6th for a look at your company's biggest security gap. We will also address the most recent attack, "KRACK" and provide recommendations on how to secure your Wi-Fi network today!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now