SRX Services Gateway

Enable multicast traffic into the same security zone

‎11-06-2019 07:58 AM

Hi,

I would like to send a multicast stream from a source connected on one interface to another interface on a Juniper SRX240 (12.1X46).

Multicast source is connected on ge-0/0/3 interface.

Clients are connected on ge-0/0/1 interface.

Here are the interfaces:

interfaces {
    ge-0/0/1 {
        unit 0 {
            description stb;
            family inet {
                address 172.16.1.254/24;
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            description local-stream;
            family inet {
                address 172.16.3.254/24;
            }
        }
    }
}

IGMP and PIM configuration:

> show configuration protocols
igmp {
    interface all {
        version 2;
    }
}
pim {
    interface all {
        mode dense;
        version 2;
    }
}

To simplify the setup, I put the 2 interfaces in the same security zone named "trust":

    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
                ge-0/0/3.0;
            }
        }
    }

Since all interfaces are in the same zone, I don't need security rules to allow the multicast traffic between source and receiver.

Multicast routing from the multicast source looks good. But when I request the stream from a PC, I get nothing.

> show multicast route group 232.1.20.2 detail
Instance: master Family: INET

Group: 232.1.20.2
    Source: 172.16.3.1/32
    Upstream interface: ge-0/0/3.0
    Session description: Source specific multicast
    Statistics: 0 kBps, 0 pps, 0 packets
    Next-hop ID: 0
    Upstream protocol: PIM

The show multicast route command should display a downstream interface list containing at least the receiver interface ge-0/0/1.0.

Here we can see the IGMP request sent by the client:

[screenshot: igmp_client.PNG]

Is it possible that my problem comes from the TTL value sent by the client, which is equal to 1 in the Wireshark screenshot?

Any idea?

Best Regards,

Bernardo

5 REPLIES

Re: Enable multicast traffic into the same security zone

‎11-06-2019 08:24 AM
Configure a trust-to-trust (intra-zone) policy to allow the multicast traffic and let us know the results. Intra-zone traffic is denied by default.
Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)

Re: Enable multicast traffic into the same security zone

‎11-07-2019 12:23 AM

Hi Nellikka, first of all thank you for helping me.

Even though I didn't know that intra-zone traffic is denied by default, I had already added a basic rule which allows anything, just in case:

policies {
    from-zone trust to-zone trust {
        policy trust-to-trust {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
}

I can ping from the receiver to the source, and in the other direction.

Bernardo

Re: Enable multicast traffic into the same security zone

‎11-07-2019 02:26 AM

Hi Bernardo,

can you change IGMP to version 3 and PIM to sparse or sparse-dense mode?

You are using Source Specific Multicast (SSM), which requires IGMPv3 to accept (S,G) joins from the receivers and PIM sparse mode to create a source tree between the source and the receiver.

Cheers,

Radek


Re: Enable multicast traffic into the same security zone

‎11-07-2019 02:54 AM

Hello Radek,

What makes you say that I use SSM? Maybe the multicast address? I chose it arbitrarily and I can use another one if necessary.

Anyway, I just set igmp version 3 and pim mode sparse (and then mode sparse-dense), but the problem is still present.

Be advised that I cannot manage the receiver (it's a set-top box client), and its IGMP version is set to v2.

If you know of any test tool simulating a multicast receiver, please let me know. I also tried with VLC opening a network stream.

BR,

Bernardo

Re: Enable multicast traffic into the same security zone

‎11-07-2019 03:15 AM

Yes, the multicast address, which is in the reserved SSM range. Even the router tells you that:

> show multicast route group 232.1.20.2 detail
Instance: master Family: INET

Group: 232.1.20.2
    Source: 172.16.3.1/32
    Upstream interface: ge-0/0/3.0
    Session description: Source specific multicast
    Statistics: 0 kBps, 0 pps, 0 packets
    Next-hop ID: 0
    Upstream protocol: PIM

If the receiver only supports v2, can you try using a different group address out of the SSM range, or configure the router with "set routing-options multicast asm-override-ssm", which should allow ASM (*,G) joins to groups in the SSM range.

Thanks,

Radek
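As an added example, not code from the thread or from Juniper: a small Python receiver/sender test tool of the kind Bernardo asked for above, which also encodes Radek's point about the 232/8 range. The group 232.1.20.2 and source 172.16.3.1 are taken from the thread; the receiver address 172.16.1.10, UDP port 5004 and the TTL of 8 are made-up values for the illustration, and the `ip_mreq_source` field order is the Linux one. Joining without `--source` makes the kernel emit a (*,G) IGMP report, which is what a v2-only set-top box does; joining with `--source` emits an IGMPv3 (S,G) report, which is what a group in the SSM range expects unless `asm-override-ssm` is configured. The IGMP report itself always carries IP TTL 1 (RFC 2236 / RFC 3376), so a TTL of 1 on the report in a capture is normal; it is the data stream that needs a TTL greater than 1.

```python
"""Constructed multicast receiver/sender test tool (added example, not from the thread).

  python3 mcast_tool.py recv 232.1.20.2 5004 --iface 172.16.1.10                      # (*,G) join
  python3 mcast_tool.py recv 232.1.20.2 5004 --iface 172.16.1.10 --source 172.16.3.1  # (S,G) join
  python3 mcast_tool.py send 232.1.20.2 5004 --iface 172.16.3.1 --ttl 8              # stand-in source
"""
import argparse
import ipaddress
import socket
import struct
import sys
import time

SSM_RANGE = ipaddress.ip_network("232.0.0.0/8")  # RFC 4607 source-specific multicast block
# Linux value of the sockopt; the Python socket module only exposes the name on some builds.
IP_ADD_SOURCE_MEMBERSHIP = getattr(socket, "IP_ADD_SOURCE_MEMBERSHIP", 39)


def classify_group(group):
    """'SSM' for a group inside 232/8, 'ASM' for any other IPv4 multicast group."""
    addr = ipaddress.ip_address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not a multicast address")
    return "SSM" if addr in SSM_RANGE else "ASM"


def join_kind(group, source=None):
    """Name the join a receiver emits and flag the case from the thread.

    SG                  : (S,G) join, IGMPv3, what a 232/8 group expects.
    STAR_G              : (*,G) join to an ASM group; IGMPv2 is enough.
    STAR_G_IN_SSM_RANGE : (*,G) join to a 232/8 group; the router needs
                          'set routing-options multicast asm-override-ssm' or an ASM group.
    """
    if source:
        return "SG"
    return "STAR_G_IN_SSM_RANGE" if classify_group(group) == "SSM" else "STAR_G"


def membership_request(group, iface, source=None):
    """Pack the setsockopt payload for the join.

    (*,G): struct ip_mreq        {imr_multiaddr, imr_interface}                 -> IP_ADD_MEMBERSHIP
    (S,G): struct ip_mreq_source {imr_multiaddr, imr_interface, imr_sourceaddr} -> IP_ADD_SOURCE_MEMBERSHIP
    The ip_mreq_source field order is the Linux one; BSD and macOS swap the last two fields.
    """
    g, i = socket.inet_aton(group), socket.inet_aton(iface)
    if source is None:
        return {"kind": join_kind(group), "opt": socket.IP_ADD_MEMBERSHIP,
                "packed": struct.pack("4s4s", g, i)}
    return {"kind": "SG", "opt": IP_ADD_SOURCE_MEMBERSHIP,
            "packed": struct.pack("4s4s4s", g, i, socket.inet_aton(source))}


def recv(group, port, iface, source=None, count=5, timeout=10.0):
    """Join the group and count datagrams received; returns how many arrived."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", port))
    req = membership_request(group, iface, source)
    # The kernel emits the IGMP report on this call. IGMP reports always carry IP TTL 1
    # (RFC 2236 / RFC 3376), so TTL 1 on the report in a capture is expected, not a fault.
    sock.setsockopt(socket.IPPROTO_IP, req["opt"], req["packed"])
    print(f"joined {group} as {req['kind']} via {iface}; waiting for {count} datagrams")
    sock.settimeout(timeout)
    got = 0
    try:
        while got < count:
            data, peer = sock.recvfrom(65535)
            got += 1
            print(f"{len(data)} bytes from {peer[0]}:{peer[1]}")
    except socket.timeout:
        print("timeout: nothing received; check 'show igmp group' and 'show multicast route' on the SRX")
    finally:
        sock.close()
    return got


def send(group, port, iface, ttl=8, count=20, interval=0.5):
    """Act as a stand-in source; returns the number of datagrams sent."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_IF, socket.inet_aton(iface))
    # A stream sent with TTL 1 dies at the first router; it needs TTL > 1 to be forwarded.
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, ttl)
    for n in range(count):
        sock.sendto(f"test datagram {n}".encode(), (group, port))
        time.sleep(interval)
    sock.close()
    return count


def main(argv):
    ap = argparse.ArgumentParser()
    ap.add_argument("mode", choices=["recv", "send"])
    ap.add_argument("group")
    ap.add_argument("port", type=int)
    ap.add_argument("--iface", required=True, help="local IPv4 address of the interface to use")
    ap.add_argument("--source", help="source address for an (S,G) join (recv only)")
    ap.add_argument("--ttl", type=int, default=8, help="IP TTL of the test stream (send only)")
    a = ap.parse_args(argv)
    print(f"{a.group} is in the {classify_group(a.group)} range; join kind: {join_kind(a.group, a.source)}")
    if a.mode == "recv":
        recv(a.group, a.port, a.iface, a.source)
    else:
        send(a.group, a.port, a.iface, a.ttl)


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run `recv` on a host in the receiver segment while the real source is streaming (or run `send` from a host in the source segment as a stand-in), then check `show igmp group` and `show multicast route` on the SRX: the (*,G) join to 232.1.20.2 only produces a downstream interface once the router either treats the group as ASM (`asm-override-ssm`) or the group is moved out of 232/8.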