Hi everyone,
We are trying to deploy PIM SPARSE mode and have observed two non-standard behaviors on SRX 100/650 when it comes to PIM SPARSE MODE.
Our set up is as follows:
Above R2/R3 are Cisco routers.
Design goals:
Source should generate multicast stream destined to 235.1.1.1 with source IP 30.30.30.30
We must use PIM SPARSE MODE with R2 as RP. Both R2 and R3 are Cisco routers.
SRX upon receiving multicast stream from source on f0/3, must translate the source IP 30.30.30.30 with 100.100.100.100
SRX has been configured to perform the above tasks. See below for the full config of SRX under ADDITIONAL INFO:
Non-standard behavior observed:
ISSUE #1: SRX does not suppress REGISTER MESSAGE upon receiving "REGISTER STOP" from RP (2.2.2.2)
When RP 2.2.2.2 has no downstream listener for 235.1.1.1, it generates REGISTER-STOP to FHR (SRX here). SRX should stop sending REGISTER MESSAGE for a certain duration. But we noticed that SRX does not act on the REGISTER-STOP from RP (2.2.2.2) and continues to send REGISTER MESSAGE:
Output from RP below shows there is no DOWN STREAM LISTENERS
R2#show ip mroute
(*, 235.1.1.1), 00:00:10/stopped, RP 2.2.2.2, flags: SP
Incoming interface: Null, RPF nbr 0.0.0.0
Outgoing interface list: Null
(100.100.100.100, 235.1.1.1), 00:00:12/00:02:57, flags: P
Incoming interface: Ethernet0/0, RPF nbr 10.10.10.1
Outgoing interface list: Null
Note above there are no DOWN STREAM LISTENERS and RP has dutifully sent REGISTER STOP to SRX, which is ignored by SRX:
ISSUE #2
When RP (2.2.2.2) initiates SPT tree by sending PIM JOIN (100.100.100.100, 235.1.1.1) to SRX, SRX ignores the PIM JOIN and continues to send Multicast stream (100.100.100.100, 235.1.1.1) inside REGISTER MESSAGE, which is not very efficient and puts load on RP.
Below we can see there are DOWN STREAM LISTENERS on RP:
R2#show ip mroute
(*, 235.1.1.1), 00:03:44/00:02:49, RP 2.2.2.2, flags: S
Incoming interface: Null, RPF nbr 0.0.0.0
Outgoing interface list:
Serial0/0, Forward/Sparse, 00:00:40/00:02:49
Next, source generates Multicast stream for 235.1.1.1. Below, RP has received the stream in REGISTER MESSAGE from SRX and created the (100.100.100.100, 235.1.1.1) entry:
R2#show ip mroute
(*, 235.1.1.1), 00:06:20/00:03:11, RP 2.2.2.2, flags: S
Incoming interface: Null, RPF nbr 0.0.0.0
Outgoing interface list:
Serial0/0, Forward/Sparse, 00:03:16/00:03:11
(100.100.100.100, 235.1.1.1), 00:00:21/00:03:28, flags:
Incoming interface: Ethernet0/0, RPF nbr 10.10.10.1
Outgoing interface list:
Serial0/0, Forward/Sparse, 00:00:21/00:03:10
Below we can see that, as expected, RP initiates SOURCE BASED TREE by sending PIM JOIN (100.100.100.100, 235.1.1.1) to SRX:
root> monitor traffic interface vlan.301 no-timestamp no-resolve matching pim detail
In IP (tos 0xc0, ttl 1, id 144, offset 0, flags [none], proto: PIM (103), length: 54) 10.10.10.30 > 224.0.0.13: PIMv2, length 34
Join / Prune, cksum 0x0c15 (correct), upstream-neighbor: 10.10.10.1
1 group(s), holdtime: 3m30s
group #1: 235.1.1.1, joined sources: 1, pruned sources: 0
joined source #1: 100.100.100.100(S)
But SRX has not joined SPT; note the DOWN STREAM interface still shows ppe0, not vlan.301:
root> show multicast route
Instance: master Family: INET
Group: 235.1.1.1
Source: 30.30.30.30/32
Upstream interface: fe-0/0/3.0
Downstream interface list:
ppe0.32769
root> show multicast statistics
Instance: master Family: INET
Interface: local
Routing protocol: Mismatch error: 0
Mismatch: 0 Mismatch no route: 0
Kernel resolve: 0 Routing notify: 0
Resolve no route: 0 Resolve error: 0
Resolve filtered: 0 Notify filtered: 0
In kbytes: 0 In packets: 0
Out kbytes: 0 Out packets: 0
Interface: vlan.301
Routing protocol: PIM Mismatch error: 0
Mismatch: 0 Mismatch no route: 0
Kernel resolve: 0 Routing notify: 0
Resolve no route: 0 Resolve error: 0
Resolve filtered: 0 Notify filtered: 0
In kbytes: 0 In packets: 0
Out kbytes: 0 Out packets: 0
Interface: fe-0/0/3.0
Routing protocol: PIM Mismatch error: 0
Mismatch: 0 Mismatch no route: 0
Kernel resolve: 7 Routing notify: 0
Resolve no route: 1 Resolve error: 0
Resolve filtered: 0 Notify filtered: 0
In kbytes: 26 In packets: 481
Out kbytes: 0 Out packets: 0
Interface: ppe0.32769
Routing protocol: PIM Mismatch error: 0
Mismatch: 0 Mismatch no route: 0
Kernel resolve: 0 Routing notify: 0
Resolve no route: 0 Resolve error: 0
Resolve filtered: 0 Notify filtered: 0
In kbytes: 0 In packets: 0
Out kbytes: 6 Out packets: 111
Note above SRX has not sent any multicast natively out of vlan.301, i.e. SRX is sending Multicast stream via PIM tunnel (ppe0)
Capture shows SRX ignores PIM JOIN (100.100.100.100, 235.1.1.1) and continues to send Multicast stream inside REGISTER MESSAGE:
As expected, Cisco (RP) has not received the stream natively from SRX; note the absence of the "T" flag for entry (100.100.100.100, 235.1.1.1)
R2#show ip mroute
(*, 235.1.1.1), 00:07:14/00:03:02, RP 2.2.2.2, flags: S
Incoming interface: Null, RPF nbr 0.0.0.0
Outgoing interface list:
Serial2/0, Forward/Sparse, 00:04:29/00:03:02
(100.100.100.100, 235.1.1.1), 00:07:14/00:03:25, flags:
Incoming interface: FastEthernet0/0, RPF nbr 10.10.10.1
Outgoing interface list:
Serial2/0, Forward/Sparse, 00:04:29/00:03:02
####################
1) What are some possible ways we can use to force SRX to send multicast stream natively, i.e. not in register message, with the following constraints?
Must use sparse mode
Source IP 30.30.30.30 must be translated to 100.100.100.100 by SRX when sending multicast out of vlan.301 towards RP.
Thanks and have a nice weekend!!
ADDITIONAL INFO:
SRC CONFIG:
root> show configuration | display set
set version 11.4R7.5
set system arp
set system root-authentication encrypted-password "$1$FNZOHrui$SIlLbizu6WwnQTkFcjVV9."
set system name-server 208.67.222.222
set system name-server 208.67.220.220
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services web-management http interface vlan.0
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
set system services dhcp router 192.168.1.1
set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.2
set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254
set system services dhcp propagate-settings fe-0/0/0.0
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces fe-0/0/0 unit 0 family ethernet-switching vlan members 301
set interfaces fe-0/0/2 unit 0
set interfaces fe-0/0/3 unit 0 family inet address 30.30.30.3/24
set interfaces vlan unit 301 family inet address 10.10.10.1/24
set routing-options max-interface-supported 0
set routing-options static route 2.2.2.2/32 next-hop 10.10.10.30
set protocols pim rp static address 2.2.2.2
set protocols pim interface vlan.301 mode sparse
set protocols pim interface fe-0/0/3.0 mode sparse
set security nat source pool TEST address 100.100.100.100/32 to 100.100.100.101/32
set security nat source pool TEST host-address-base 30.30.30.30/32
set security nat source rule-set TEST from zone ZOO
set security nat source rule-set TEST to zone junos-host
set security nat source rule-set TEST rule 1 match source-address 30.30.30.30/32
set security nat source rule-set TEST rule 1 match destination-address 235.1.1.1/32
set security nat source rule-set TEST rule 1 then source-nat pool TEST
set security policies from-zone LEE to-zone ZOO policy LEE-TO-ZOO match source-address any
set security policies from-zone LEE to-zone ZOO policy LEE-TO-ZOO match destination-address any
set security policies from-zone LEE to-zone ZOO policy LEE-TO-ZOO match application any
set security policies from-zone LEE to-zone ZOO policy LEE-TO-ZOO then permit
set security policies from-zone ZOO to-zone LEE policy LEE-TO-ZOO match source-address any
set security policies from-zone ZOO to-zone LEE policy LEE-TO-ZOO match destination-address any
set security policies from-zone ZOO to-zone LEE policy LEE-TO-ZOO match application any
set security policies from-zone ZOO to-zone LEE policy LEE-TO-ZOO then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone ZOO interfaces fe-0/0/3.0 host-inbound-traffic system-services all
set security zones security-zone ZOO interfaces fe-0/0/3.0 host-inbound-traffic protocols all
set security zones security-zone LEE interfaces vlan.301 host-inbound-traffic system-services all
set security zones security-zone LEE interfaces vlan.301 host-inbound-traffic protocols all
set security zones security-zone LEE interfaces vlan.301 host-inbound-traffic protocols igmp
set security zones security-zone LEE interfaces vlan.301 host-inbound-traffic protocols pim
set vlans VLAN-301 vlan-id 301
set vlans VLAN-301 l3-interface vlan.301
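
The T-flag and Null-OIL checks the post does by eye on R2's "show ip mroute" output, as an added Python example that is not part of the original post. The function names are hypothetical and the parser assumes the flattened, unindented layout shown in the post; the sample is the last R2 capture quoted above.

```python
import re

# Sample copied from the last R2 "show ip mroute" capture quoted in the post.
SAMPLE = """\
(*, 235.1.1.1), 00:07:14/00:03:02, RP 2.2.2.2, flags: S
Incoming interface: Null, RPF nbr 0.0.0.0
Outgoing interface list:
Serial2/0, Forward/Sparse, 00:04:29/00:03:02
(100.100.100.100, 235.1.1.1), 00:07:14/00:03:25, flags:
Incoming interface: FastEthernet0/0, RPF nbr 10.10.10.1
Outgoing interface list:
Serial2/0, Forward/Sparse, 00:04:29/00:03:02
"""

# "(S, G), uptime/expires, [RP x.x.x.x,] flags: XYZ" (flags may be empty)
ENTRY = re.compile(r"^\((\*|[\d.]+), ([\d.]+)\), .*flags:\s*(\w*)\s*$")
# "Serial2/0, Forward/Sparse, ..." is one outgoing interface
OIF = re.compile(r"^(\S+), Forward/")

def parse_mroute(text):
    """Return one dict per mroute entry: source, group, flags, iif, oifs."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if m:
            entries.append({"source": m.group(1), "group": m.group(2),
                            "flags": set(m.group(3)), "iif": None, "oifs": []})
        elif entries and line.startswith("Incoming interface:"):
            entries[-1]["iif"] = line.split(":", 1)[1].split(",")[0].strip()
        elif entries and (o := OIF.match(line)):
            entries[-1]["oifs"].append(o.group(1))
    return entries

def register_only_sources(entries):
    """(S,G) entries forwarding downstream without the SPT bit (T flag):
    the RP is not receiving the stream natively (ISSUE #2 in the post)."""
    return [(e["source"], e["group"]) for e in entries
            if e["source"] != "*" and e["oifs"] and "T" not in e["flags"]]

def pruned_sources(entries):
    """(S,G) entries flagged P with an empty outgoing list: the state in
    which the post says the RP sends Register-Stop (ISSUE #1)."""
    return [(e["source"], e["group"]) for e in entries
            if e["source"] != "*" and "P" in e["flags"] and not e["oifs"]]

if __name__ == "__main__":
    for s, g in register_only_sources(parse_mroute(SAMPLE)):
        print(f"({s}, {g}): forwarding without T flag, not arriving natively")
```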