This document describes how to set up Protocol Independent Multicast (PIM) on Check Point Gaia OS. This document focuses on the basic configuration of PIM and does not discuss any PIM features in detail.
Before starting the PIM configuration, the user should be familiar with the underlying features and their configurations, such as static and dynamic routing, multicast and PIM, IGMP, ClusterXL, VRRP, and SAM card configuration.
For more details, refer to relevant Administration Guides.
Notes:
On VSX Gateway / VSX Cluster Member, the configuration must be performed in the context of Virtual System / Virtual Router (vsenv <VSID>).
In ClusterXL or VRRP Cluster, the routing configuration including PIM must be identical on all cluster members.
Multicast is designed to enable the delivery of datagrams to a set of hosts that have been configured as members of a multicast group in various scattered subnetworks.
Multicasting employs a Class D destination address format (224.0.0.0 - 239.255.255.255).
Multicast Group
Individual hosts are free to join or leave a multicast group at any time. There are no restrictions on the physical location or the number of members in a multicast group. A host may be a member of more than one multicast group at any given time and does not have to belong to a group to send messages to members of a group.
Protocol Independent Multicast (PIM)
Protocol-Independent Multicast (PIM) is a family of multicast routing protocols for Internet Protocol (IP) networks that provide one-to-many and many-to-many distribution of data over a LAN, WAN or the Internet. It is termed protocol-independent because PIM does not include its own topology discovery mechanism, but instead uses routing information supplied by other routing protocols.
There are four variants of PIM:
PIM Sparse Mode (PIM-SM) - Explicitly builds unidirectional shared trees rooted at a rendezvous point (RP) per group, and optionally creates shortest-path trees per source. PIM-SM generally scales fairly well for wide-area usage.
PIM Dense Mode (PIM-DM) - Uses dense multicast routing. It implicitly builds shortest-path trees by flooding multicast traffic domain wide, and then pruning back branches of the tree where no receivers are present. PIM-DM is straightforward to implement but generally has poor scaling properties. The first multicast routing protocol, DVMRP, used dense-mode multicast routing. Refer to RFC 3973.
Bidirectional PIM - Explicitly builds shared bi-directional trees. It never builds a shortest path tree, so it may have longer end-to-end delays than PIM-SM, but it scales well because it needs no source-specific state. Refer to RFC 5015.
Source-Specific Multicast (PIM-SSM) - Builds trees that are rooted in just one source, offering a more secure and scalable model for a limited number of applications (mostly broadcasting of content). In SSM, an IP datagram is transmitted by a source S to an SSM destination address G, and receivers can receive this datagram by subscribing to channel (S,G). Refer to RFC 3569.
Only one mode of PIM can be enabled at a time.
Dense Mode (PIM-DM)
This mode is most useful when:
Senders and receivers are in close proximity to one another.
There are few senders and many receivers.
The volume of multicast traffic is high.
The stream of multicast traffic is constant.
Sparse Mode (PIM-SM)
This mode is most useful when:
There are few receivers in a group.
Senders and receivers are separated by WAN links.
The type of traffic is intermittent.
Source-Specific Multicast Mode (PIM-SSM)
This mode is most useful when:
Most multicast traffic is from well-known sources.
It is desirable to avoid the overhead of shared tree and Rendezvous Point processing associated with Sparse mode.
SSM requires IGMPv3 to be enabled.
SSM groups are 232.0.0.0/8 and do not require a Rendezvous Point. All other groups are treated as Sparse mode and require a Rendezvous Point.
Rendezvous Point (RP)
A Rendezvous Point (RP) is essential for Sparse mode operation, and all routers in the network must agree on the Rendezvous Point of a group. The RP facilitates multicast flows between multicast listeners and senders. When a multicast source sends traffic, the RP is notified, and when a client joins a particular group's traffic, the Rendezvous Point is notified. The Rendezvous Point builds a tree between a source and listener for multicast traffic to flow through, alleviating the flood and prune behavior of PIM Dense Mode. A Rendezvous Point can be configured statically or dynamically.
BootStrap Router (BSR) Protocol
BootStrap Router (BSR) is a protocol for discovering candidate Rendezvous Points, and then advertising that information to all other routers in the network. All Candidate Rendezvous Points send their advertisements to the elected BSR. If there are multiple BSRs, the one with the highest priority is elected as the BSR.
Candidate-Bootstrap Router
The Candidate Bootstrap Router with the highest priority is elected as the Bootstrap Router. The Bootstrap Router receives Candidate Rendezvous Point advertisements and distributes them to the rest of the network.
Candidate Rendezvous Point (Candidate-RP)
Each Candidate Rendezvous Point unicasts its Rendezvous Point Groups and Priority directly to the Bootstrap Router. The Bootstrap Router forwards the Rendezvous Point information it receives to the rest of the network via multicast (224.0.0.13). Each individual router in the network picks the best Rendezvous Point to group mappings. For Rendezvous Point election, the lowest priority wins. A Candidate Rendezvous Point can advertise itself as a suitable Rendezvous Point for any number of multicast addresses (default is 224.0.0.0/4).
Static Rendezvous Point (Static-RP)
A Static Rendezvous Point is used when the network is unable to use the BSR mechanism, for example when the rest of the network is using Cisco AutoRP. A Static Rendezvous Point overrides all dynamically learned information. If the multicast network is small, Static-RP can be configured. However, the Static Rendezvous Point has to be configured on all PIM routers and Security Gateways.
(3) PIM Sparse Mode (PIM-SM)
(3-1) PIM Sparse Mode in Single Gateway
Single Gateway can be configured for any of the following scenarios:
Gateway in Dynamic Rendezvous Point environment
Gateway can act as a PIM router in an environment that has some routers functioning as Candidate Rendezvous Points and Candidate Bootstrap routers.
Gateway in Static Rendezvous Point environment
Gateway can act as a PIM router in an environment that has static Rendezvous Point(s) for multicast groups. Optionally, Gateway can also act as a Static Rendezvous Point.
Gateway as PIM Router + Dynamic Rendezvous Point + Bootstrap Router
Gateway can act as a PIM router and Candidate Rendezvous Point and/or Candidate Bootstrap router in PIM environment.
Configuration:
(3-1-A) Single Gateway in Dynamic Rendezvous Point Environment
PIM on Gaia OS can be configured either in Gaia Portal, or in Clish.
Step 1: Configure PIM on Gaia OS
Gaia OS configuration - in Gaia Portal
Connect to Gaia Portal on Security Gateway with web browser at https://Gaia_IP_Address.
Go to 'Advanced Routing' pane.
Click on 'PIM'.
In the 'PIM Global Settings' section, in the 'PIM Protocol' field, select 'Sparse Mode (SM)' - click on 'Apply' button:
In the 'PIM Interfaces' section, add the relevant interface(s):
Do not configure the 'Local Address'.
Do not check the box 'Use Virtual Address'.
Optional: Configure a 'DR Priority', if a value other than the default is desired.
Notes:
The default value is 1.
The range is between 0 and 4294967295.
The router with the highest DR priority is elected as Designated Router on the LAN - ties are broken in favor of the highest IP address.
Click on 'Save' button.
In the 'PIM Global Settings' section, click on 'Apply' button.
Gaia OS configuration - in Clish
Set PIM to work in 'Sparse' mode:
HostName:0> set pim mode sparse
Enable PIM on relevant interface(s):
HostName:0> set pim interface INTERFACE_NAME on
Optional: Configure a DR Priority, if a value other than the default is desired.
HostName:0> set pim interface INTERFACE_NAME dr-priority DR_PRIORITY
Notes:
The default value is 1.
The range is between 0 and 4294967295.
The router with the highest DR priority is elected as Designated Router on the LAN - ties are broken in favor of the highest IP address.
Save the configuration:
HostName:0> save config
Example:
Note: Refer to the example topology above.
HostName:0> set pim mode sparse
HostName:0> set pim interface eth1 on
HostName:0> set pim interface eth2 on
HostName:0> save config
Step 2: Configuration in SmartDashboard
Multicast does not require any configuration in SmartDashboard. However, if you wish to apply restrictions on multicast groups at interface level, then follow these steps:
Open Security Gateway object properties
Go to 'Topology' pane
Select the interface, on which restrictions should be applied - click on 'Edit...' button
Go to 'Multicast Restrictions' tab
Check the box 'Drop multicast packets by the following conditions:'
Select the desired condition
Click on 'Add...' button - create/select the relevant 'Multicast Address Range' object
Select the desired Tracking option
Click on 'OK' to apply the changes
Save the changes: go to 'File' menu - click on 'Save'
Install the policy onto Security Gateway object
(3-1-B) Single Gateway in Static Rendezvous Point Environment
PIM on Gaia OS can be configured either in Gaia Portal, or in Clish.
Step 1: Configure PIM on Gaia OS
Gaia OS configuration - in Gaia Portal
Connect to Gaia Portal on Security Gateway with web browser at https://Gaia_IP_Address.
Go to 'Advanced Routing' pane.
Click on 'PIM'.
In the 'PIM Global Settings' section, in the 'PIM Protocol' field, select 'Sparse Mode (SM)' - click on 'Apply' button:
In the 'PIM Interfaces' section, add the relevant interface(s):
Do not configure the 'Local Address'.
Do not check the box 'Use Virtual Address'.
Optional: Configure a 'DR Priority', if a value other than the default is desired.
Notes:
The default value is 1.
The range is between 0 and 4294967295.
The router with the highest DR priority is elected as Designated Router on the LAN - ties are broken in favor of the highest IP address.
Click on 'Save' button.
In the 'PIM Global Settings' section, click on 'Apply' button.
In the 'Bootstrap and Rendezvous Point Settings' section, configure Static Rendezvous Point:
All PIM routers and Security Gateways in Static Rendezvous Point environment should be configured with Static Rendezvous Point addresses and their multicast groups.
Click on 'Edit Settings' button:
In the 'Static Rendezvous Point' section, check the box 'Enable Static RP'.
Click on 'Add' button - configure Static Rendezvous Point (enter the IP address).
Notes:
Optional: Add the Static Multicast Group(s), for which this Rendezvous Point is to be used. If no multicast groups are configured, the Rendezvous Point is treated as the Rendezvous Point for all multicast groups (224.0.0.0/4).
Optional: Security Gateway can also be configured as Static Rendezvous Point - configure the IP address of one of the Security Gateway's PIM interfaces.
Do not configure any other field in 'Bootstrap and Rendezvous Point Settings' window.
Click on 'Save' button.
In the 'PIM Global Settings' section, click on 'Apply' button.
Gaia OS configuration - in Clish
Set PIM to work in 'Sparse' mode:
HostName:0> set pim mode sparse
Enable PIM on relevant interface(s):
HostName:0> set pim interface INTERFACE_NAME on
Optional: Configure a DR Priority, if a value other than the default is desired.
HostName:0> set pim interface INTERFACE_NAME dr-priority DR_PRIORITY
Notes:
The default value is 1.
The range is between 0 and 4294967295.
The router with the highest DR priority is elected as Designated Router on the LAN - ties are broken in favor of the highest IP address.
Configure Static Rendezvous Point:
HostName:0> set pim static-rp rp-address IP_ADDRESS_OF_RENDEZVOUS_POINT on
Optional: Add the Static Multicast Group(s), for which this Rendezvous Point is to be used:
HostName:0> set pim static-rp rp-address IP_ADDRESS_OF_RENDEZVOUS_POINT multicast-group IP_ADDRESS_OF_MULTICAST_GROUP/MASK_LENGTH on
Note: If no multicast groups are configured, the Rendezvous Point is treated as the Rendezvous Point for all multicast groups (224.0.0.0/4).
Save the configuration:
HostName:0> save config
Example:
Note: Refer to the example topology above.
HostName:0> set pim mode sparse
HostName:0> set pim interface eth1 on
HostName:0> set pim interface eth1 dr-priority 1
HostName:0> set pim interface eth2 on
HostName:0> set pim interface eth2 dr-priority 1
HostName:0> set pim static-rp rp-address 10.100.1.59 on
HostName:0> set pim static-rp rp-address 10.100.1.59 multicast-group 225.0.0.0/8 on
HostName:0> set pim static-rp rp-address 10.110.0.3 on
HostName:0> set pim static-rp rp-address 10.110.0.3 multicast-group 226.12.0.0/16 on
HostName:0> save config
Step 2: Configuration in SmartDashboard
Multicast does not require any configuration in SmartDashboard. However, if you wish to apply restrictions on multicast groups at interface level, then follow these steps:
Open Security Gateway object properties
Go to 'Topology' pane
Select the interface, on which restrictions should be applied - click on 'Edit...' button
Go to 'Multicast Restrictions' tab
Check the box 'Drop multicast packets by the following conditions:'
Select the desired condition
Click on 'Add...' button - create/select the relevant 'Multicast Address Range' object
Select the desired Tracking option
Click on 'OK' to apply the changes
Save the changes: go to 'File' menu - click on 'Save'
Install the policy onto Security Gateway object
(3-1-C) Single Gateway as Candidate Rendezvous Point and Bootstrap Router
PIM on Gaia OS can be configured either in Gaia Portal, or in Clish.
Step 1: Configure PIM on Gaia OS
Gaia OS configuration - in Gaia Portal
Connect to Gaia Portal on Security Gateway with web browser at https://Gaia_IP_Address.
Go to 'Advanced Routing' pane.
Click on 'PIM'.
In the 'PIM Global Settings' section, in the 'PIM Protocol' field, select 'Sparse Mode (SM)' - click on 'Apply' button:
In the 'PIM Interfaces' section, add the relevant interface(s):
Do not configure the 'Local Address'.
Do not check the box 'Use Virtual Address'.
Optional: Configure a 'DR Priority', if a value other than the default is desired.
Notes:
The default value is 1.
The range is between 0 and 4294967295.
The router with the highest DR priority is elected as Designated Router on the LAN - ties are broken in favor of the highest IP address.
Click on 'Save' button.
In the 'PIM Global Settings' section, click on 'Apply' button.
In the 'Bootstrap and Rendezvous Point Settings' section, configure Candidate Rendezvous Point:
Click on 'Edit Settings' button:
In the 'Candidate Rendezvous Point' section, check the box 'Enable Candidate RP'.
Optional: Enter the IP address of one of the PIM interfaces in the 'Local Address' field.
Note: If nothing is configured, PIM automatically selects the address of one of the PIM interfaces.
Optional: Configure a 'Priority', if a value other than the default is desired.
Notes:
The default value is 0.
The range is between 0 and 255.
The Candidate Rendezvous Point with the lowest priority is preferred - ties are broken in favor of the highest IP address.
Optional: Click on 'Add' button - add the Candidate Multicast Group(s), for which this Rendezvous Point is to be used.
Note: If no multicast groups are configured, the Rendezvous Point is treated as the Rendezvous Point for all multicast groups (224.0.0.0/4).
Click on 'Save' button.
In the 'PIM Global Settings' section, click on 'Apply' button.
In the 'Bootstrap and Rendezvous Point Settings' section, configure Bootstrap Router:
Click on 'Edit Settings' button:
At the top, check the box 'Enable Bootstrap Router'.
Optional: Enter the IP address of one of the PIM interfaces in the 'Local Address' field.
Note: If nothing is configured, PIM automatically selects the address of one of the PIM interfaces.
Optional: Configure a 'Priority', if a value other than the default is desired.
Notes:
The default value is 0.
The range is between 0 and 255.
The Candidate Rendezvous Point with the lowest priority is preferred - ties are broken in favor of the highest IP address.
Click on 'Save' button.
In the 'PIM Global Settings' section, click on 'Apply' button.
Gaia OS configuration - in Clish
Set PIM to work in 'Sparse' mode:
HostName:0> set pim mode sparse
Enable PIM on relevant interface(s):
HostName:0> set pim interface INTERFACE_NAME on
Configure Candidate Rendezvous Point:
HostName:0> set pim candidate-rp on
These settings are optional:
HostName:0> set pim candidate-rp local-address IP_ADDRESS_OF_RENDEZVOUS_POINT
HostName:0> set pim candidate-rp priority PRIORITY
HostName:0> set pim candidate-rp multicast-group IP_ADDRESS_OF_MULTICAST_GROUP/MASK_LENGTH on
Configure Bootstrap Router:
HostName:0> set pim bootstrap-candidate on
These settings are optional:
HostName:0> set pim bootstrap-candidate local-address IP_ADDRESS_OF_RENDEZVOUS_POINT
HostName:0> set pim bootstrap-candidate priority PRIORITY
Save the configuration:
HostName:0> save config
Example - Candidate Rendezvous Point:
Note: Refer to the example topology above.
HostName:0> set pim mode sparse
HostName:0> set pim interface eth1 on
HostName:0> set pim interface eth2 on
HostName:0> set pim candidate-rp on
HostName:0> set pim bootstrap-candidate on
HostName:0> save config
Step 2: Configuration in SmartDashboard
Multicast does not require any configuration in SmartDashboard. However, if you wish to apply restrictions on multicast groups at interface level, then follow these steps:
Open Security Gateway object properties
Go to 'Topology' pane
Select the interface, on which restrictions should be applied - click on 'Edit...' button
Go to 'Multicast Restrictions' tab
Check the box 'Drop multicast packets by the following conditions:'
Select the desired condition
Click on 'Add...' button - create/select the relevant 'Multicast Address Range' object
Select the desired Tracking option
Click on 'OK' to apply the changes
Save the changes: go to 'File' menu - click on 'Save'
Install the policy onto Security Gateway object
(3-2) PIM Sparse Mode in ClusterXL
ClusterXL can be configured for any of the following scenarios:
ClusterXL in Dynamic Rendezvous Point environment
ClusterXL can act as a PIM router in an environment that has some routers functioning as Candidate Rendezvous Points and Candidate Bootstrap routers.
ClusterXL in Static Rendezvous Point environment
ClusterXL can act as a PIM router in an environment that has static Rendezvous Point(s) for multicast groups. Optionally, ClusterXL can also act as a Static Rendezvous Point.
ClusterXL as PIM Router + Dynamic Rendezvous Point + Bootstrap Router
ClusterXL can act as a PIM router and Candidate Rendezvous Point and/or Candidate Bootstrap router in PIM environment.
Configuration:
(3-2-A) ClusterXL in Dynamic Rendezvous Point Environment
PIM on Gaia OS can be configured either in Gaia Portal, or in Clish.
Step 1: Configure PIM on Gaia OS
Gaia OS configuration - in Gaia Portal
Connect to Gaia Portal on each cluster member with web browser at https://Gaia_IP_Address.
Go to 'Advanced Routing' pane.
Click on 'PIM'.
In the 'PIM Global Settings' section, in the 'PIM Protocol' field, select 'Sparse Mode (SM)' - click on 'Apply' button:
In the 'PIM Interfaces' section, add the relevant interface(s):
Do not configure the 'Local Address'.
Do not check the box 'Use Virtual Address'.
Optional: Configure a 'DR Priority', if a value other than the default is desired.
Notes:
The default value is 1.
The range is between 0 and 4294967295.
The router with the highest DR priority is elected as Designated Router on the LAN - ties are broken in favor of the highest IP address.
Click on 'Save' button.
In the 'PIM Global Settings' section, click on 'Apply' button.
Gaia OS configuration - in Clish
Set PIM to work in 'Sparse' mode:
HostName:0> set pim mode sparse
Enable PIM on relevant interface(s):
HostName:0> set pim interface INTERFACE_NAME on
Optional: Configure a DR Priority, if a value other than the default is desired.
HostName:0> set pim interface INTERFACE_NAME dr-priority DR_PRIORITY
Notes:
The default value is 1.
The range is between 0 and 4294967295.
The router with the highest DR priority is elected as Designated Router on the LAN - ties are broken in favor of the highest IP address.
Save the configuration:
HostName:0> save config
Example:
HostName:0> set pim mode sparse
HostName:0> set pim interface eth1 on
HostName:0> set pim interface eth2 on
HostName:0> save config
Step 2: Configuration in SmartDashboard
Multicast does not require any configuration in SmartDashboard. However, if you wish to apply restrictions on multicast groups at interface level, then follow these steps:
Open Security Gateway object properties
Go to 'Topology' pane
Select the interface, on which restrictions should be applied - click on 'Edit...' button
Go to 'Multicast Restrictions' tab
Check the box 'Drop multicast packets by the following conditions:'
Select the desired condition
Click on 'Add...' button - create/select the relevant 'Multicast Address Range' object
Select the desired Tracking option
Click on 'OK' to apply the changes
Save the changes: go to 'File' menu - click on 'Save'
Install the policy onto Security Gateway object
(3-2-B) ClusterXL in Static Rendezvous Point Environment
PIM on Gaia OS can be configured either in Gaia Portal, or in Clish.
Step 1: Configure PIM on Gaia OS
Gaia OS configuration - in Gaia Portal
Connect to Gaia Portal on each cluster member with web browser at https://Gaia_IP_Address.
Go to 'Advanced Routing' pane.
Click on 'PIM'.
In the 'PIM Global Settings' section, in the 'PIM Protocol' field, select 'Sparse Mode (SM)' - click on 'Apply' button:
In the 'PIM Interfaces' section, add the relevant interface(s):
Do not configure the 'Local Address'.
Do not check the box 'Use Virtual Address'.
Optional: Configure a 'DR Priority', if a value other than the default is desired.
Notes:
The default value is 1.
The range is between 0 and 4294967295.
The router with the highest DR priority is elected as Designated Router on the LAN - ties are broken in favor of the highest IP address.
Click on 'Save' button.
In the 'PIM Global Settings' section, click on 'Apply' button.
In the 'Bootstrap and Rendezvous Point Settings' section, configure Static Rendezvous Point:
All PIM routers and Security Gateways in Static Rendezvous Point environment should be configured with Static Rendezvous Point addresses and their multicast groups.
Click on 'Edit Settings' button:
In the 'Static Rendezvous Point' section, check the box 'Enable Static RP'.
Click on 'Add' button - configure Static Rendezvous Point (enter the IP address).
Notes:
Optional: Add the Static Multicast Group(s), for which this Rendezvous Point is to be used. If no multicast groups are configured, the Rendezvous Point is treated as the Rendezvous Point for all multicast groups (224.0.0.0/4).
Optional: ClusterXL can also be configured as Static Rendezvous Point - configure the Virtual IP address of one of the PIM interfaces.
Do not configure any other field in 'Bootstrap and Rendezvous Point Settings' window.
Click on 'Save' button.
In the 'PIM Global Settings' section, click on 'Apply' button.
Gaia OS configuration - in Clish
Set PIM to work in 'Sparse' mode:
HostName:0> set pim mode sparse
Enable PIM on relevant interface(s):
HostName:0> set pim interface INTERFACE_NAME on
Optional: Configure a DR Priority, if a value other than the default is desired.
HostName:0> set pim interface INTERFACE_NAME dr-priority DR_PRIORITY
Notes:
The default value is 1.
The range is between 0 and 4294967295.
The router with the highest DR priority is elected as Designated Router on the LAN - ties are broken in favor of the highest IP address.
Configure Static Rendezvous Point:
HostName:0> set pim static-rp rp-address IP_ADDRESS_OF_RENDEZVOUS_POINT on
Optional: Add the Static Multicast Group(s), for which this Rendezvous Point is to be used:
HostName:0> set pim static-rp rp-address IP_ADDRESS_OF_RENDEZVOUS_POINT multicast-group IP_ADDRESS_OF_MULTICAST_GROUP/MASK_LENGTH on
Note: If no multicast groups are configured, the Rendezvous Point is treated as the Rendezvous Point for all multicast groups (224.0.0.0/4).
Save the configuration:
HostName:0> save config
Example:
Note: Refer to the example topology above.
HostName:0> set pim mode sparse
HostName:0> set pim interface eth1 on
HostName:0> set pim interface eth2 on
HostName:0> set pim static-rp rp-address 10.100.1.59 on
HostName:0> set pim static-rp rp-address 10.100.1.59 multicast-group 225.0.0.0/8 on
HostName:0> set pim static-rp rp-address 10.110.0.3 on
HostName:0> set pim static-rp rp-address 10.110.0.3 multicast-group 226.12.0.0/16 on
HostName:0> save config
Step 2: Configuration in SmartDashboard
Multicast does not require any configuration in SmartDashboard. However, if you wish to apply restrictions on multicast groups at interface level, then follow these steps:
Open Security Gateway object properties
Go to 'Topology' pane
Select the interface, on which restrictions should be applied - click on 'Edit...' button
Go to 'Multicast Restrictions' tab
Check the box 'Drop multicast packets by the following conditions:'
Select the desired condition
Click on 'Add...' button - create/select the relevant 'Multicast Address Range' object
Select the desired Tracking option
Click on 'OK' to apply the changes
Save the changes: go to 'File' menu - click on 'Save'
Install the policy onto Security Gateway object
(3-2-C) ClusterXL as Candidate Rendezvous Point and Bootstrap Router
PIM on Gaia OS can be configured either in Gaia Portal, or in Clish.
Step 1: Configure PIM on Gaia OS
Gaia OS configuration - in Gaia Portal
Connect to Gaia Portal on each cluster member with web browser at https://Gaia_IP_Address.
Go to 'Advanced Routing' pane.
Click on 'PIM'.
In the 'PIM Global Settings' section, in the 'PIM Protocol' field, select 'Sparse Mode (SM)' - click on 'Apply' button:
In the 'PIM Interfaces' section, add the relevant interface(s):
Do not configure the 'Local Address'.
Do not check the box 'Use Virtual Address'.
Optional: Configure a 'DR Priority', if a value other than the default is desired.
Notes:
The default value is 1.
The range is between 0 and 4294967295.
The router with the highest DR priority is elected as Designated Router on the LAN - ties are broken in favor of the highest IP address.
Click on 'Save' button.
In the 'PIM Global Settings' section, click on 'Apply' button.
In the 'Bootstrap and Rendezvous Point Settings' section, configure Candidate Rendezvous Point:
Click on 'Edit Settings' button:
In the 'Candidate Rendezvous Point' section, check the box 'Enable Candidate Rendezvous Point'.
Enter the Virtual IP address of one of the PIM interfaces in the 'Local Address' field.
Important Note: Unlike in Single Security Gateway, this field is mandatory when using ClusterXL.
Optional: Configure a 'Priority', if a value other than the default is desired.
Notes:
The default value is 1.
The range is between 0 and 255.
The Candidate Rendezvous Point with the lowest priority is preferred - ties are broken in favor of the highest IP address.
Optional: Click on 'Add' button - add the Candidate Multicast Group(s), for which this Rendezvous Point is to be used.
Note: If no multicast groups are configured, the Rendezvous Point is treated as the Rendezvous Point for all multicast groups (224.0.0.0/4).
Click on 'Save' button.
In the 'PIM Global Settings' section, click on 'Apply' button.
In the 'Bootstrap and Rendezvous Point Settings' section, configure Bootstrap Router:
Click on 'Edit Settings' button:
At the top, check the box 'Enable Bootstrap Router'.
Enter the Virtual IP address of one of the PIM interfaces in the 'Local Address' field.
Important Note: Unlike in Single Security Gateway, this field is mandatory when using ClusterXL.
Optional: Configure a 'Priority', if a value other than the default is desired.
Notes:
The default value is 0.
The range is between 0 and 255.
The Candidate Bootstrap Router with the highest priority is preferred - ties are broken in favor of the highest IP address.
Click on 'Save' button.
In the 'PIM Global Settings' section, click on 'Apply' button.
Gaia OS configuration - in Clish
Set PIM to work in 'Sparse' mode:
HostName:0> set pim mode sparse
Enable PIM on relevant interface(s):
HostName:0> set pim interface INTERFACE_NAME on
Configure Candidate Rendezvous Point:
HostName:0> set pim candidate-rp on
These settings are optional:
HostName:0> set pim candidate-rp local-address IP_ADDRESS_OF_RENDEZVOUS_POINT
HostName:0> set pim candidate-rp priority PRIORITY
HostName:0> set pim candidate-rp multicast-group IP_ADDRESS_OF_MULTICAST_GROUP/MASK_LENGTH on
Configure Bootstrap Router:
HostName:0> set pim bootstrap-candidate on
These settings are optional:
HostName:0> set pim bootstrap-candidate local-address IP_ADDRESS_OF_RENDEZVOUS_POINT
HostName:0> set pim bootstrap-candidate priority PRIORITY
Save the configuration:
HostName:0> save config
Example - Candidate Rendezvous Point:
HostName:0> set pim mode sparse
HostName:0> set pim interface eth1 on
HostName:0> set pim interface eth2 on
HostName:0> set pim candidate-rp on
HostName:0> set pim candidate-rp local-address 10.110.0.3
HostName:0> set pim candidate-rp multicast-group 225.0.0.0/8 on
HostName:0> set pim bootstrap-candidate on
HostName:0> set pim bootstrap-candidate local-address 10.110.0.3
HostName:0> save config
Step 2: Configuration in SmartDashboard
Multicast does not require any configuration in SmartDashboard. However, if you wish to apply restrictions on multicast groups at interface level, then follow these steps:
Open Security Gateway object properties
Go to 'Topology' pane
Select the interface, on which restrictions should be applied - click on 'Edit...' button
Go to 'Multicast Restrictions' tab
Check the box 'Drop multicast packets by the following conditions:'
Select the desired condition
Click on 'Add...' button - create/select the relevant 'Multicast Address Range' object
Select the desired Tracking option
Click on 'OK' to apply the changes
Save the changes: go to 'File' menu - click on 'Save'
Install the policy onto Security Gateway object
(3-3) PIM Sparse Mode in VRRP cluster
VRRP cluster can be configured for any of the following scenarios:
VRRP cluster in Dynamic Rendezvous Point environment
VRRP cluster can act as a PIM router in an environment that has some routers functioning as Candidate Rendezvous Points and Candidate Bootstrap routers.
VRRP cluster in Static Rendezvous Point environment
VRRP cluster can act as a PIM router in an environment that has static Rendezvous Point(s) for multicast groups. Optionally, VRRP cluster can also act as a Static Rendezvous Point.
VRRP cluster as PIM Router + Dynamic Rendezvous Point + Bootstrap Router
VRRP cluster can act as a PIM router and Candidate Rendezvous Point and/or Candidate Bootstrap router in PIM environment.
Configuration:
(3-3-A) VRRP in Dynamic Rendezvous Point Environment
PIM on Gaia OS can be configured either in Gaia Portal, or in Clish.
Step 1: Configure PIM on Gaia OS
Gaia OS configuration - in Gaia Portal
Connect to Gaia Portal on each cluster member with web browser at https://Gaia_IP_Address.
Go to 'Advanced Routing' pane.
Click on 'PIM'.
In the 'PIM Global Settings' section, in the 'PIM Protocol' field, select 'Sparse Mode (SM)' - click on 'Apply' button:
In the 'PIM Interfaces' section, add the relevant interface(s):
Do not configure the 'Local Address'.
Check the box 'Use Virtual Address'.
Optional: Configure a 'DR Priority', if a value other than the default is desired.
Notes:
The default value is 1.
The range is between 0 and 4294967295.
The router with the highest DR priority is elected as Designated Router on the LAN - ties are broken in favor of the highest IP address.
Click on 'Save' button.
In the 'PIM Global Settings' section, click on 'Apply' button.
Gaia OS configuration - in Clish
Set PIM to work in 'Sparse' mode:
HostName:0> set pim mode sparse
Enable PIM on relevant interface(s):
HostName:0> set pim interface INTERFACE_NAME on
HostName:0> set pim interface INTERFACE_NAME virtual-address on
Optional: Configure a DR Priority, if a value other than the default is desired.
HostName:0> set pim interface INTERFACE_NAME dr-priority DR_PRIORITY
Notes:
The default value is 1.
The range is between 0 and 4294967295.
The router with the highest DR priority is elected as Designated Router on the LAN - ties are broken in favor of the highest IP address.
Save the configuration:
HostName:0> save config
Example:
HostName:0> set pim mode sparse
HostName:0> set pim interface eth1 on
HostName:0> set pim interface eth1 virtual-address on
HostName:0> set pim interface eth2 on
HostName:0> set pim interface eth2 virtual-address on
HostName:0> save config
Step 2: Configuration in SmartDashboard
Multicast does not require any configuration in SmartDashboard. However, if you wish to apply restrictions on multicast groups at interface level, then follow these steps:
Open Security Gateway object properties
Go to 'Topology' pane
Select the interface, on which restrictions should be applied - click on 'Edit...' button
Go to 'Multicast Restrictions' tab
Check the box 'Drop multicast packets by the following conditions:'
Select the desired condition
Click on 'Add...' button - create/select the relevant 'Multicast Address Range' object
Select the desired Tracking option
Click on 'OK' to apply the changes
Save the changes: go to 'File' menu - click on 'Save'
Install the policy onto Security Gateway object
(3-3-B) VRRP in Static Rendezvous Point Environment
PIM on Gaia OS can be configured either in Gaia Portal, or in Clish.
Step 1: Configure PIM on Gaia OS
Gaia OS configuration - in Gaia Portal
Connect to Gaia Portal on each cluster member with web browser at https://Gaia_IP_Address.
Go to 'Advanced Routing' pane.
Click on 'PIM'.
In the 'PIM Global Settings' section, in the 'PIM Protocol' field, select 'Sparse Mode (SM)' - click on 'Apply' button:
In the 'PIM Interfaces' section, add the relevant interface(s):
Do not configure the 'Local Address'.
Check the box 'Use Virtual Address'.
Optional: Configure a 'DR Priority', if a value other than the default is desired.
Notes:
The default value is 1.
The range is between 0 and 4294967295.
The router with the highest DR priority is elected as Designated Router on the LAN - ties are broken in favor of the highest IP address.
Click on 'Save' button.
In the 'PIM Global Settings' section, click on 'Apply' button.
In the 'Bootstrap and Rendezvous Point Settings' section, configure Static Rendezvous Point:
All PIM routers and Security Gateways in Static Rendezvous Point environment should be configured with Static Rendezvous Point addresses and their multicast groups.
Click on 'Edit Settings' button:
In the 'Static Rendezvous Point' section, check the box 'Enable Static RP'.
Click on 'Add' button - configure Static Rendezvous Point (enter the IP address).
Notes:
Optional: Add the Static Multicast Group(s), for which this Rendezvous Point is to be used. If no multicast groups are configured, the Rendezvous Point is treated as the Rendezvous Point for all multicast groups (224.0.0.0/4).
Optional: VRRP Cluster can also be configured as Static Rendezvous Point - configure the Virtual IP address of one of the PIM interfaces.
Do not configure any other field in 'Bootstrap and Rendezvous Point Settings' window.
Click on 'Save' button.
In the 'PIM Global Settings' section, click on 'Apply' button.
Gaia OS configuration - in Clish
Set PIM to work in 'Sparse' mode:
HostName:0> set pim mode sparse
Enable PIM on relevant interface(s):
HostName:0> set pim interface INTERFACE_NAME on
HostName:0> set pim interface INTERFACE_NAME virtual-address on
Optional: Configure a DR Priority, if a value other than the default is desired.
HostName:0> set pim interface INTERFACE_NAME dr-priority DR_PRIORITY
Notes:
The default value is 1.
The range is between 0 and 4294967295.
The router with the highest DR priority is elected as Designated Router on the LAN - ties are broken in favor of the highest IP address.
Configure Static Rendezvous Point:
HostName:0> set pim static-rp rp-address IP_ADDRESS_OF_RENDEZVOUS_POINT on
Optional: Add the Static Multicast Group(s), for which this Rendezvous Point is to be used:
HostName:0> set pim static-rp rp-address IP_ADDRESS_OF_RENDEZVOUS_POINT multicast-group IP_ADDRESS_OF_MULTICAST_GROUP/MASK_LENGTH on
Note: If no multicast groups are configured, the Rendezvous Point is treated as the Rendezvous Point for all multicast groups (224.0.0.0/4).
Save the configuration:
HostName:0> save config
Example:
HostName:0> set pim mode sparse
HostName:0> set pim interface eth1 on
HostName:0> set pim interface eth1 virtual-address on
HostName:0> set pim interface eth2 on
HostName:0> set pim interface eth2 virtual-address on
HostName:0> set pim static-rp rp-address 10.100.1.59 on
HostName:0> set pim static-rp rp-address 10.100.1.59 multicast-group 225.0.0.0/8 on
HostName:0> set pim static-rp rp-address 10.110.0.3 on
HostName:0> set pim static-rp rp-address 10.110.0.3 multicast-group 226.12.0.0/16 on
HostName:0> save config
Step 2: Configuration in SmartDashboard
Multicast does not require any configuration in SmartDashboard. However, if you wish to apply restrictions on multicast groups at interface level, then follow these steps:
Open Security Gateway object properties
Go to 'Topology' pane
Select the interface, on which restrictions should be applied - click on 'Edit...' button
Go to 'Multicast Restrictions' tab
Check the box 'Drop multicast packets by the following conditions:'
Select the desired condition
Click on 'Add...' button - create/select the relevant 'Multicast Address Range' object
Select the desired Tracking option
Click on 'OK' to apply the changes
Save the changes: go to 'File' menu - click on 'Save'
Install the policy onto Security Gateway object
(3-3-C) VRRP as Candidate Rendezvous Point and Bootstrap Router
PIM on Gaia OS can be configured either in Gaia Portal, or in Clish.
Step 1: Configure PIM on Gaia OS
Gaia OS configuration - in Gaia Portal
Connect to Gaia Portal on each cluster member with web browser at https://Gaia_IP_Address.
Go to 'Advanced Routing' pane.
Click on 'PIM'.
In the 'PIM Global Settings' section, in the 'PIM Protocol' field, select 'Sparse Mode (SM)' - click on 'Apply' button:
In the 'PIM Interfaces' section, add the relevant interface(s):
Do not configure the 'Local Address'.
Check the box 'Use Virtual Address'.
Optional: Configure a 'DR Priority', if a value other than the default is desired.
Notes:
The default value is 1.
The range is between 0 and 4294967295.
The router with the highest DR priority is elected as Designated Router on the LAN - ties are broken in favor of the highest IP address.
Click on 'Save' button.
In the 'PIM Global Settings' section, click on 'Apply' button.
In the 'Bootstrap and Rendezvous Point Settings' section, configure Candidate Rendezvous Point:
Click on 'Edit Settings' button:
In the 'Candidate Rendezvous Point' section, check the box 'Enable Candidate Rendezvous Point'.
Optional: Enter the Virtual IP address of the PIM interface in the 'Local Address' field.
Note: If nothing is configured, PIM automatically selects the address of one of the PIM interfaces.
Optional: Configure a 'Priority', if a value other than the default is desired.
Notes:
The default value is 1.
The range is between 0 and 255.
The Candidate Rendezvous Point with the lowest priority is preferred - ties are broken in favor of the highest IP address.
Optional: Click on 'Add' button - add the Candidate Multicast Group(s), for which this Rendezvous Point is to be used.
Note: If no multicast groups are configured, the Rendezvous Point is treated as the Rendezvous Point for all multicast groups (224.0.0.0/4).
Click on 'Save' button.
In the 'PIM Global Settings' section, click on 'Apply' button.
In the 'Bootstrap and Rendezvous Point Settings' section, configure Bootstrap Router:
Click on 'Edit Settings' button:
At the top, check the box 'Enable Bootstrap Router'.
Optional: Enter the Virtual IP address of one of the PIM interfaces in the 'Local Address' field.
Note: If nothing is configured, PIM automatically selects the address of one of the PIM interfaces.
Optional: Configure a 'Priority', if a value other than the default is desired.
Notes:
The default value is 0.
The range is between 0 and 255.
The Candidate Rendezvous Point with the lowest priority is preferred - ties are broken in favor of the highest IP address.
Click on 'Save' button.
In the 'PIM Global Settings' section, click on 'Apply' button.
Gaia OS configuration - in Clish
Set PIM to work in 'Sparse' mode:
HostName:0> set pim mode sparse
Enable PIM on relevant interface(s):
HostName:0> set pim interface INTERFACE_NAME on
HostName:0> set pim interface INTERFACE_NAME virtual-address on
Optional: Configure a DR Priority, if a value other than the default is desired.
HostName:0> set pim interface INTERFACE_NAME dr-priority DR_PRIORITY
Notes:
The default value is 1.
The range is between 0 and 4294967295.
The router with the highest DR priority is elected as Designated Router on the LAN - ties are broken in favor of the highest IP address.
Configure Candidate Rendezvous Point:
HostName:0> set pim candidate-rp on
These settings are optional:
HostName:0> set pim candidate-rp local-address IP_ADDRESS_OF_RENDEZVOUS_POINT
HostName:0> set pim candidate-rp priority PRIORITY
HostName:0> set pim candidate-rp multicast-group IP_ADDRESS_OF_MULTICAST_GROUP/MASK_LENGTH on
Configure Bootstrap Router:
HostName:0> set pim bootstrap-candidate on
These settings are optional:
HostName:0> set pim bootstrap-candidate local-address IP_ADDRESS_OF_RENDEZVOUS_POINT
HostName:0> set pim bootstrap-candidate priority PRIORITY
Save the configuration:
HostName:0> save config
Example - Candidate Rendezvous Point:
HostName:0> set pim mode sparse
HostName:0> set pim interface eth1 on
HostName:0> set pim interface eth1 virtual-address on
HostName:0> set pim interface eth2 on
HostName:0> set pim interface eth2 virtual-address on
HostName:0> set pim candidate-rp on
HostName:0> set pim candidate-rp local-address 10.110.0.3
HostName:0> set pim candidate-rp multicast-group 225.0.0.0/8 on
HostName:0> set pim bootstrap-candidate on
HostName:0> set pim bootstrap-candidate local-address 10.110.0.3
HostName:0> save config
Step 2: Configuration in SmartDashboard
Multicast does not require any configuration in SmartDashboard. However, if you wish to apply restrictions on multicast groups at interface level, then follow these steps:
Open Security Gateway object properties
Go to 'Topology' pane
Select the interface, on which restrictions should be applied - click on 'Edit...' button
Go to 'Multicast Restrictions' tab
Check the box 'Drop multicast packets by the following conditions:'
Select the desired condition
Click on 'Add...' button - create/select the relevant 'Multicast Address Range' object
Select the desired Tracking option
Click on 'OK' to apply the changes
Save the changes: go to 'File' menu - click on 'Save'
PIM on Gaia OS can be configured either in Gaia Portal, or in Clish.
Step 1: Configure PIM on Gaia OS
Gaia OS configuration - in Gaia Portal
Connect to Gaia Portal on each cluster member with web browser at https://Gaia_IP_Address.
Go to 'Advanced Routing' pane.
Click on 'PIM'.
In the 'PIM Global Settings' section, in the 'PIM Protocol' field, select 'Dense Mode (DM)' - click on 'Apply' button:
In the 'PIM Interfaces' section, add the relevant interface(s):
Do not configure the 'Local Address'.
Check the box 'Use Virtual Address'.
Optional: Configure a 'DR Priority', if a value other than the default is desired.
Notes:
The default value is 1.
The range is between 0 and 4294967295.
The router with the highest DR priority is elected as Designated Router on the LAN - ties are broken in favor of the highest IP address.
Click on 'Save' button.
In the 'PIM Global Settings' section, click on 'Apply' button.
Gaia OS configuration - in Clish
Set PIM to work in 'Dense' mode:
HostName:0> set pim mode dense
Enable PIM on relevant interface(s):
HostName:0> set pim interface INTERFACE_NAME on
HostName:0> set pim interface INTERFACE_NAME virtual-address on
Optional: Configure a DR Priority, if a value other than the default is desired.
HostName:0> set pim interface INTERFACE_NAME dr-priority DR_PRIORITY
Notes:
The default value is 1.
The range is between 0 and 4294967295.
The router with the highest DR priority is elected as Designated Router on the LAN - ties are broken in favor of the highest IP address.
Save the configuration:
HostName:0> save config
Example:
HostName:0> set pim mode dense
HostName:0> set pim interface eth1 on
HostName:0> set pim interface eth1 virtual-address on
HostName:0> set pim interface eth2 on
HostName:0> set pim interface eth2 virtual-address on
HostName:0> save config
Step 2: Configuration in SmartDashboard
Multicast does not require any configuration in SmartDashboard. However, if you wish to apply restrictions on multicast groups at interface level, then follow these steps:
Open Security Gateway object properties
Go to 'Topology' pane
Select the interface, on which restrictions should be applied - click on 'Edit...' button
Go to 'Multicast Restrictions' tab
Check the box 'Drop multicast packets by the following conditions:'
Select the desired condition
Click on 'Add...' button - create/select the relevant 'Multicast Address Range' object
Select the desired Tracking option
Click on 'OK' to apply the changes
Save the changes: go to 'File' menu - click on 'Save'
Configure PIM Source-Specific Multicast (SSM) Mode and select the relevant interfaces.
Note: In SSM mode, the group range 232.0.0.0/8 is reserved for SSM. No Rendezvous Point is required for this group range, while all other groups require a Rendezvous Point and are treated as normal Sparse-Mode.
Set IGMP protocol version to 3 on all PIM interfaces.
IGMP version on interfaces can be configured either in Gaia Portal, or in Clish.
Gaia OS configuration - in Gaia Portal
Connect to Gaia Portal with web browser at https://Gaia_IP_Address.
Go to 'Advanced Routing' pane.
Click on 'IGMP'.
Select the interface(s), on which PIM was enabled - click on 'Edit' button.
In the 'Version' field, select 'v3'.
Click on 'Save' button.
Gaia OS configuration - in Clish
Set the IGMP version on relevant interface(s) to '3':
HostName:0> set igmp interface INTERFACE_NAME version 3
Save the configuration:
HostName:0> save config
Example:
HostName:0> set igmp interface eth0 version 3
HostName:0> save config
PIM-SM: It is not recommended to use Check Point gateways as an RP or DR of the sender.
PIM with NAT is not supported.
The number of interfaces that can actually run PIM is limited.
Background:
While PIM can currently be configured on any number of interfaces in Gaia OS, there is a built-in kernel limitation on the number of interfaces that can actually run PIM. Due to the Linux kernel variable MAXVIFS (defined as 32 in include/linux/mroute.h), PIM will run on no more than 31 interfaces at a time (one interface is reserved as a PIM register interface). On VSX Gateway / VSX Cluster Member, this limit applies per Virtual System.
Symptoms:
If PIM is configured on more interfaces than it can handle due to the OS limitation, the following behaviors will occur:
Output of the Clish command show pim interfaces will exclude any interfaces, on which PIM is not running.
For each excess interface, the following error message will be logged: WARNING: PIM: could not add interface to instance
First of all, make sure that underlying routing protocols are working properly and routing tables on all PIM routers contain correct information.
Verify that multicast routing is enabled on all involved multicast routers and involved Security Gateways.
In ClusterXL and VRRP Cluster, verify that all routing configuration including PIM is identical on all cluster members.
Verify that all PIM neighborships are established on all involved multicast routers and involved Security Gateways.
Verify that data packets are arriving with TTL>1, if they need to be forwarded to other interface(s).
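The configuration rules stated on this page (identical PIM configuration on all cluster members, 'virtual-address on' for every PIM interface in a VRRP cluster, at most 31 interfaces running PIM, static RP group ranges inside 224.0.0.0/4) can be checked offline against the 'set pim' lines of each member. The following Python check is an added example, not Check Point code; the function names and the member A / member B inputs are constructed for illustration.

```python
import ipaddress
import re

MAX_PIM_INTERFACES = 31  # MAXVIFS is 32; one is reserved as the PIM register interface
ALL_GROUPS = ipaddress.ip_network("224.0.0.0/4")

def pim_lines(text):
    """Return normalised 'set pim ...' lines with any 'HostName:0>' prompt removed."""
    lines = []
    for raw in text.splitlines():
        line = " ".join(re.sub(r"^\S+>\s*", "", raw.strip()).split())
        if line.startswith("set pim "):
            lines.append(line)
    return lines

def audit_member(text):
    """Check one member's PIM lines against the rules stated on this page."""
    mode, ifaces, groups = None, {}, []
    for line in pim_lines(text):
        tok = line.split()
        if tok[2] == "mode" and len(tok) == 4:
            mode = tok[3]
        elif tok[2] == "interface" and len(tok) >= 5:
            ifaces.setdefault(tok[3], set()).add(" ".join(tok[4:]))
        elif tok[2:4] == ["static-rp", "rp-address"] and tok[5:6] == ["multicast-group"] and len(tok) == 8:
            groups.append((tok[4], tok[6]))
    findings = []
    if mode is None:
        findings.append("PIM mode is not set")
    enabled = sorted(n for n, f in ifaces.items() if "on" in f)
    for name in enabled:
        if "virtual-address on" not in ifaces[name]:
            findings.append(f"{name}: PIM enabled without 'virtual-address on'")
    if len(enabled) > MAX_PIM_INTERFACES:
        findings.append(f"{len(enabled)} PIM interfaces configured, "
                        f"at most {MAX_PIM_INTERFACES} can run PIM")
    for rp, group in groups:
        try:
            net = ipaddress.ip_network(group)  # strict parsing rejects host bits
        except ValueError:
            findings.append(f"static RP {rp}: invalid group prefix {group}")
            continue
        if net.version != 4 or not net.subnet_of(ALL_GROUPS):
            findings.append(f"static RP {rp}: {group} is outside 224.0.0.0/4")
    return findings

def audit_cluster(members):
    """members maps member name -> config text; returns member name -> findings."""
    report = {name: audit_member(text) for name, text in members.items()}
    lines = {name: set(pim_lines(text)) for name, text in members.items()}
    union = set().union(*lines.values())
    for name, own in lines.items():
        for line in sorted(union - own):
            report[name].append(f"missing on this member: {line}")
    return report

# Constructed input: member A is a shortened copy of this page's static RP
# example, member B is the same text with one line removed.
MEMBER_A = """\
HostName:0> set pim mode sparse
HostName:0> set pim interface eth1 on
HostName:0> set pim interface eth1 virtual-address on
HostName:0> set pim interface eth2 on
HostName:0> set pim interface eth2 virtual-address on
HostName:0> set pim static-rp rp-address 10.100.1.59 on
HostName:0> set pim static-rp rp-address 10.100.1.59 multicast-group 225.0.0.0/8 on
HostName:0> save config
"""
MEMBER_B = MEMBER_A.replace("HostName:0> set pim interface eth2 virtual-address on\n", "")

if __name__ == "__main__":
    for member, findings in audit_cluster({"A": MEMBER_A, "B": MEMBER_B}).items():
        print(member, findings or "OK")
```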
Initial troubleshooting steps:
Verifying that PIM is enabled on Security Gateway
HostName:0> show pim summary
Example output:
Instance ID is 0
Instance is running sparse mode
Address family of the interface is IPV4
Important Note: If the "show pim summary" and "show pim interfaces" commands do not provide any output, then run the following commands in Expert mode, and then check how PIM works:
[Expert@HostName:0]# dbset routed:instance:default:pim:instance:0 t
[Expert@HostName:0]# dbset routed:instance:default:pim:instance:0:af:2 t
[Expert@HostName:0]# dbset :save
Verifying that PIM is enabled on interfaces
HostName:0> show pim interfaces
Example output:
Status flag: V - virtual address option enabled
Mode flag: SR - state refresh enabled
Interface Status State Mode DR Address DR Pri NumNbrs
eth1 Up DR sparse 10.110.0.59 1 1
eth2 Up NotDR sparse 10.13.0.52 1 1
Checking the list of PIM Rendezvous Points and their corresponding group ranges
HostName:0> show pim rps
Example output:
RP Address Type Holdtime Pri #Grp Expires Group Prefix
10.100.1.59 static 0 0 1 Inactive
225.0.0.0/8
Verifying PIM neighborship
HostName:0> show pim neighbors
Example output:
Neighbor Interface DR Pri GenId Holdtime Expires
10.110.0.59 eth1 1 10724 105 11:41:35
10.13.0.52 eth2 1 10988 105 11:41:51
Note: If an entry expires, the corresponding entry will be removed from the table.
Verifying that Security Gateway forwards multicast traffic
Have a multicast receiver join the group 225.1.1.1 and start multicast traffic from the source. Verify that multicast traffic is forwarded to the correct interfaces.
HostName:0> show mfc cache
Example output:
Multicast Forwarding Cache State
Prefix Type Age Expire RPF
225.1.1.1,10.100.1.53/64 Normal 2m 6m eth1
Forwarding:
eth2
Data: PktCount 52, DataRate 1 kb/s, KernelStatus Installed
Verifying multicast routing table
Verify the following:
The (S,G) and (*,G) state entries from the flags.
The incoming interface(s) is(are) correct. Otherwise, check the unicast routing table.
The outgoing interface(s) is(are) correct. Otherwise, check the state in the downstream router.
HostName:0> show pim joins
Example output:
PIM Sparse-Mode Join State
(Source, Group), Timer(Added/Expires), RP(Rendezvous Point)
Flags: C - Local members, A - Active, E - Encap, D - Decap
R - RPT-bit set, W - WC-bit set, T - SPT-bit set
M - MFC state, X - Proxy timer on
Outgoing Interface List:
Name, Timer(Added/Expires; Inactive if only local receivers present)
(*, 225.1.1.1), 12:14:54/12:15:46, RP: 10.100.1.59
Flags: R|W|A
Incoming interface: eth1, RPF neighbor: 10.110.0.59
Outgoing interface list:
eth2, 12:14:54/12:15:46
(10.100.1.53, 225.1.1.1), 12:14:55/12:18:25, RP: 10.100.1.59
Flags: T|M|A
Incoming interface: eth1, RPF neighbor: none
Outgoing interface list:
eth2, 12:14:55/12:15:51
Verifying that multicast packets are received by Security Gateway
Capture the incoming traffic on Security Gateway using the 'tcpdump' command.
Capture the data packets with a packet sniffing tool like Wireshark on a neighboring device.
Verifying that SecureXL is enabled
[Expert@HostName:0]# fwaccel stat
Example output:
Accelerator Status : on
Accept Templates : enabled
Drop Templates : disabled
NAT Templates : disabled by user
Accelerator Features : Accounting, NAT, Cryptography, Routing,
HasClock, Templates, Synchronous, IdleDetection,
Sequencing, TcpStateDetect, AutoExpire,
DelayedNotif, TcpStateDetectV2, CPLS, McastRouting,
WireMode, DropTemplates, NatTemplates,
Streaming, MultiFW, AntiSpoofing, ViolationStats,
Nac, AsychronicNotif, ERDOS, McastRoutingV2
Cryptography Features : Tunnel, UDPEncapsulation, MD5, SHA1, NULL,
3DES, DES, CAST, CAST-40, AES-128, AES-256,
ESP, LinkSelection, DynamicVPN, NatTraversal,
EncRouting, AES-XCBC, SHA256
Verifying that SecureXL accelerates multicast traffic
[Expert@HostName:0]# fwaccel conns
The relevant multicast connections should not have the "F" (Forwarded to Kernel) flag.
Example output:
Source SPort Destination DPort PR Flags C2S i/f S2C i/f Inst Identity
--------------- ----- --------------- ----- -- ----------- ------- ------- ---- --------
10.13.0.52 0 224.0.0.13 0 103 F.......... 4/- -/- NA 0
225.1.1.1 2000 10.100.1.53 61127 17 ........... 3/- -/- NA 0
225.1.1.1 2000 10.100.1.53 61127 17 ........... 3/4 4/3 NA 0
192.168.17.71 61841 192.168.17.208 257 6 F.......... 6/6 6/- NA 0
192.168.17.208 257 192.168.17.71 61841 6 F.......... 6/6 6/- NA 0
192.168.17.71 18192 192.168.17.208 53639 6 F.......... 6/6 -/- NA 0
192.168.17.71 18192 192.168.17.208 57747 6 F.......... 6/6 -/- NA 0
192.168.17.208 53639 192.168.17.71 18192 6 F.......... 6/6 -/- NA 0
192.168.17.208 57747 192.168.17.71 18192 6 F.......... 6/6 -/- NA 0
10.100.1.53 61127 225.1.1.1 2000 17 ........... 3/4 4/3 NA 0
10.110.0.59 0 224.0.0.13 0 103 F.......... 3/- -/- NA 0
10.100.1.53 61127 225.1.1.1 2000 17 ........... 3/- -/- NA 0
Idx Interface
--- ---------
0 lo
3 eth1
4 eth2
5 eth3
6 eth4
7 pimreg0
Total number of connections: 12
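The "F" flag check described above can be run over saved 'fwaccel conns' output. The following Python parser is an added example, not a Check Point tool; it assumes the column layout shown in the example output, and it treats IP protocol 103 (PIM control packets, such as those sent to 224.0.0.13) as separate from the multicast data connections, which is an assumption of this example.

```python
import ipaddress

MULTICAST = ipaddress.ip_network("224.0.0.0/4")
PIM_PROTO = 103  # IP protocol number used by PIM control traffic

# Sample input: rows taken from the example output on this page, trimmed,
# plus one constructed row (destination 225.1.1.2) that carries the F flag.
SAMPLE = """\
Source          SPort Destination     DPort PR  Flags       C2S i/f S2C i/f Inst Identity
--------------- ----- --------------- ----- --- ----------- ------- ------- ---- --------
10.13.0.52          0 224.0.0.13          0 103 F.......... 4/-     -/-     NA   0
10.100.1.53     61127 225.1.1.1        2000 17  ........... 3/4     4/3     NA   0
192.168.17.71   61841 192.168.17.208    257 6   F.......... 6/6     6/-     NA   0
225.1.1.1        2000 10.100.1.53     61127 17  ........... 3/4     4/3     NA   0
10.100.1.53     61128 225.1.1.2        2000 17  F.......... 3/-     -/-     NA   0

Idx Interface
--- ---------
  3 eth1
  4 eth2
"""

def parse_fwaccel_conns(text):
    """Return (connections, interface index -> name) from 'fwaccel conns' output."""
    conns, ifnames = [], {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 2 and f[0].isdigit():      # row of the 'Idx Interface' table
            ifnames[f[0]] = f[1]
            continue
        if len(f) < 8:
            continue
        try:
            src, dst = ipaddress.ip_address(f[0]), ipaddress.ip_address(f[2])
        except ValueError:
            continue                            # header or separator line
        conns.append({"src": src, "dst": dst, "proto": int(f[4]),
                      "flags": f[5], "c2s": f[6]})
    return conns, ifnames

def classify_multicast(conns, ifnames):
    """Sort connections with a multicast destination into three groups."""
    result = {"control": [], "accelerated": [], "forwarded": []}
    for c in conns:
        if c["dst"] not in MULTICAST:
            continue
        # Replace interface indexes in the C2S column by interface names.
        path = "/".join(ifnames.get(i, i) for i in c["c2s"].split("/"))
        entry = (str(c["src"]), str(c["dst"]), path)
        if c["proto"] == PIM_PROTO:
            result["control"].append(entry)
        elif "F" in c["flags"]:                 # forwarded to kernel, not accelerated
            result["forwarded"].append(entry)
        else:
            result["accelerated"].append(entry)
    return result

if __name__ == "__main__":
    connections, names = parse_fwaccel_conns(SAMPLE)
    for group, entries in classify_multicast(connections, names).items():
        for src, dst, path in entries:
            print(f"{group:12} {src} -> {dst} via {path}")
```

Any entry under "forwarded" is a multicast data connection that SecureXL is not accelerating.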
Verifying that SAM card accelerates multicast traffic
SAM acceleration is supported only on 21000 Appliances. SAM card accelerates multicast traffic only if all multicast-enabled ports are running in SAM mode. SAM acceleration is not supported if any one of the multicast interfaces is running in non-SAM mode. One or more Network Processors (NPs) may process multicast traffic. To find out which NP is processing multicast traffic, use the following command:
[Expert@HostName:0]# ipsctl -a net:dev:adp:ipsctl:slot:SLOT_NUMBER:nip:mcast
In the example below, we can see that NP2 is processing and accelerating the multicast packets.