Screen OS

  • 1.  Multicast: Senders directly connected to SSG-550M

    Posted 05-11-2010 04:42

    Hey Folks,

     

    Reasonably simple setup:

     

    Sender <-(IGMP)-e2> SSG-550M <e1-(PIM)-> Cisco 6500 <-(PIM/MSDP)-> Cisco 6500 <-(IGMP)-> Receiver

     

    Senders are constantly sending, receivers are sending in IGMP joins.

     

    On the firewall, I see IGMP group membership from the sender, but mroutes are not installed for the state, and no PIM messages are sent.

     

    I can manually build state with a static mroute or by moving to an IGMP proxy setup, but no PIM register is sent to the 6500.

     

    Relevant config:

     

    set int eth1 protocol igmp router
    set int eth1 protocol igmp no-check-subnet
    set int eth1 protocol igmp no-check-router-alert
    set int eth1 protocol igmp enable
    set int eth1 protocol pim
    set int eth1 protocol pim enable

    set int eth2 protocol igmp router
    set int eth2 protocol igmp accept groups <all groups>
    set int eth2 protocol igmp no-check-subnet
    set int eth2 protocol igmp enable

    set vrouter trust-vr
    set protocol pim
    set zone int-zone rp candidate interface eth1 mgroup-list <all groups>
    set zone int-zone rp address <rp> mgroup-list <all groups>
    set zone int-zone rp proxy

    set policy id 1 from ext-zone to int-zone any any any permit log
    set multicast-group-policy 1 from ext-zone mgroup x.x.x.x to int-zone mgroup x.x.x.x bsr-static-ip join-prune bi-directional

     

    ScreenOS cookbook / manual talk about connecting PIM either side, and directly connecting receivers with IGMP with PIM on the other side, but not directly connecting senders.

     

    What am I missing?



  • 2.  RE: Multicast: Senders directly connected to SSG-550M
    Best Answer

    Posted 05-13-2010 00:17

    A good egg from the TAC set me straight so I'll post it here for people to see:

     

    You need to set up IGMP router mode & PIM on both sides, but ensure RP proxy is not enabled:

     

    set vrouter trust-vr
    set protocol pim
    set zone trust rp address <rp> mgroup-list <all-groups> always
    set zone untrust rp address <rp> mgroup-list <all-groups> always

    set multicast-group-policy from untrust mgroup-list <all-groups> to trust pim-message bsr-static-rp join-prune bidirectional

     

    You can verify that it's working correctly, because:

     

    get igmp group shows the sender interface is joined

     

    get vrouter trust-vr mroute shows S,G state for the senders

     

    get vrouter trust-vr protocol pim mroute shows S,G state for the senders with oif e1 and iif e2, and *,G with oif e2 and iif e1. Also the mroutes for the senders have "TLFR Register" as their state.

     

    If you leave RP proxy on by accident, you'll find the *,G state isn't propagated as a PIM join-prune to the RP.
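
The two conditions from the answer above (IGMP router mode and PIM on both interfaces, RP proxy not enabled on any zone), written as a small config audit. This is an added example, not part of the original posts or any Juniper tooling; the `audit` function and both sample configs are constructed here, with `ORIGINAL` condensed from the first post and the interface lines in `FIXED` assumed.

```python
import re

# Constructed sample, condensed from the first post (placeholders kept as-is).
ORIGINAL = """
set int eth1 protocol igmp router
set int eth1 protocol igmp enable
set int eth1 protocol pim
set int eth1 protocol pim enable
set int eth2 protocol igmp router
set int eth2 protocol igmp enable
set vrouter trust-vr
set protocol pim
set zone int-zone rp address <rp> mgroup-list <all-groups>
set zone int-zone rp proxy
"""

# Constructed sample: PIM added on eth2 (assumed lines), RP proxy dropped,
# zone lines as given in the answer.
FIXED = """
set int eth1 protocol igmp router
set int eth1 protocol pim
set int eth2 protocol igmp router
set int eth2 protocol pim
set vrouter trust-vr
set protocol pim
set zone trust rp address <rp> mgroup-list <all-groups> always
set zone untrust rp address <rp> mgroup-list <all-groups> always
"""

# Per-interface statements the answer says are needed on both sides.
REQUIRED = ("protocol igmp router", "protocol pim")

def audit(config, interfaces):
    """Return findings for missing IGMP/PIM statements and any enabled RP proxy."""
    lines = [" ".join(l.split()) for l in config.splitlines() if l.strip()]
    findings = []
    for ifname in interfaces:
        pattern = rf"set int(?:erface)? {re.escape(ifname)} (protocol .+)"
        have = {m.group(1) for l in lines if (m := re.fullmatch(pattern, l))}
        findings += [f"{ifname}: missing '{need}'" for need in REQUIRED if need not in have]
    for l in lines:
        proxy = re.fullmatch(r"set zone (\S+) rp proxy", l)
        if proxy:
            findings.append(f"zone {proxy.group(1)}: RP proxy enabled")
    return findings

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, audit(cfg, ["eth1", "eth2"]) or "ok")
```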