[Xorp-users] troubles with PIM-SM
Dorin Olarov
dolarov@computervoice.com
Thu, 23 Feb 2006 14:49:05 -0600
This is a multi-part message in MIME format.
------=_NextPart_000_1991_01C63888.4B243690
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Hello all,=20
Sorry for the long introduction, but I think a bit of a background is =
necessary:
I have a GRE tunnel going over a VPN and multicast+PIM-SM traffic going =
through this GRE tunnel.=20
The other side is a Cisco router, don't know exactly the model + IOS =
release.=20
All of this is fully operational on my side on a Cisco router as well, =
with the following configuration:
2611XM with an AIM VPN/BP encryption module, running =
c2600-ik9o3s-mz.122-27.=20
The problem is that the CPU usage is very high on the Cisco on my end.
Even though the specs say this setup should handle up to 10Mbps of =
encrypted traffic (with packets at near-MTU size),
I get this high CPU usage at much lower traffic rates, as in 1 to =
1.5Mbps.=20
Because of this, I tried to replicate the same configuration on a =
Soekris net4801 box (with a vpn1411 VPN accelerator card),=20
running on OpenBSD 3.8. The only modification from the stock 3.8 kernel =
was to add support for PIM:=20
option PIM # Protocol Independent Multicast
The part concerning the VPN and the GRE tunnel works ok and was tested =
just fine.=20
For the PIM-SM support under OpenBSD part everything pointed to xorp , =
so I deployed the xorp-1.1 package
from the 3.8 distribution.=20
This is how my config.boot file looks like:
/*XORP Configuration File, v1.0*/
interfaces {
targetname: "fea"
interface sis0 {
disable: false
description: "This is the NIC facing the Internet"
default-system-config
}
interface sis3 {
disable: false
description: "This is the NIC facing the LAN"
default-system-config
}
interface gre0 {
disable: false
description: "This is the Tunnel set up between the Soekris =
OpenBSD and the Cisco VPN router"
default-system-config
}
}
fea {
unicast-forwarding4 {
disable: false
}
}
plumbing {
mfea4 {
disable: false
interface sis3 {
vif sis3 {
disable: false
}
}
interface gre0 {
vif gre0 {
disable: false
}
}
interface register_vif {
vif register_vif {
/* Note: this vif should be always enabled */
disable: false
}
}
traceoptions {
flag all {
disable: false
}
}
}
}
protocols {
static {
route4 YYY.164.7.0/26 {
next-hop: 10.167.1.45
metric: 1
}
mrib-route4 YYY.164.7.0/24 {
next-hop: 10.167.1.45
metric: 1
}
}
igmp {
targetname: "IGMP"
disable: false
interface sis3 {
vif sis3 {
disable: false
}
}
interface gre0 {
vif gre0 {
disable: false
}
}
traceoptions {
flag all {
disable: false
}
}
}
pimsm4 {
targetname: "PIMSM_4"
disable: false
interface sis3 {
vif sis3 {
disable: false
}
}
interface register_vif {
vif register_vif {
/* Note: this vif should be always enabled */
disable: false
}
}
interface gre0 {
vif gre0 {
disable: false
}
}
static-rps {
rp YYY.164.7.254 {
group-prefix 233.119.160.0/24 {
rp-priority: 192
hash-mask-len: 30
}
}
}
}
}
/*
* Note: fib2mrib is needed for multicast only if the unicast protocols
* don't populate the MRIB with multicast-specific routes.
*/
protocols {
fib2mrib {
disable: false
}
}
and this is how the relevant network interfaces are configured:
ifconfig sis0 inet XXX.227.82.27 netmask 255.255.255.248
ifconfig sis3 inet 10.65.50.1 netmask 255.255.255.0
ifconfig sis3 inet alias 192.168.20.3 netmask 255.255.255.0
ifconfig lo1 inet 10.167.0.21 netmask 255.255.255.255
ifconfig gre0 tunnel 10.167.0.21 10.173.254.1
ifconfig gre0 inet 10.167.1.46 10.167.1.45 netmask 255.255.255.252
The configuration on the Cisco side looks like this (trimmed to the =
relevant details, VPN part left aside, too):
Current configuration : 2793 bytes
!
version 12.2
!
ip multicast-routing
!
!
interface Loopback0
ip address 10.167.0.21 255.255.255.255
!
interface Tunnel0
ip address 10.167.1.46 255.255.255.252
ip pim sparse-mode
tunnel source 10.167.0.21
tunnel destination 10.173.254.1
!
interface Ethernet0/0
ip address 10.65.50.1 255.255.255.0
ip pim sparse-mode
full-duplex
no cdp enable
!
interface Ethernet0/1
ip address XXX.227.82.27 255.255.255.248
full-duplex
crypto map cvs2set
!
ip classless
ip route 0.0.0.0 0.0.0.0 XXX.227.82.25
ip route YYY.164.7.0 255.255.255.192 Tunnel0
no ip http server
ip pim rp-address YYY.164.7.254 WAN_list
ip mroute YYY.164.7.0 255.255.255.0 Tunnel0
!
!
ip access-list standard WAN_list
permit 233.119.160.0 0.0.0.63
deny any
!
end
I think the problem in the OpenBSD setup starts with setting up the =
routes for getting to the RP through the tunnel,=20
because other than some occasional IGMP group 224.0.0.13 traffic I don't =
see anything else flowing through it.=20
My question is ... what would be the correct xorp equivalent for the two =
cisco commands below:=20
ip route YYY.164.7.0 255.255.255.192 Tunnel0=20
ip mroute YYY.164.7.0 255.255.255.0 Tunnel0
I thought that's what I'd be doing by using=20
static {
route4 YYY.164.7.0/26 {
next-hop: 10.167.1.45
metric: 1
}
mrib-route4 YYY.164.7.0/24 {
next-hop: 10.167.1.45
metric: 1
}
(10.167.1.45 being the peer on the other end of the GRE tunnel), however =
this doesn't seem to work this way.=20
Another indication is this type of messages logged by xorp_rtrmgr:
[ 2006/02/22 18:22:50 ERROR xorp_fea:5723 MFEA +1781 mfea_proto_comm.cc =
proto_socket_write ] sendmsg(proto 103 from 10.167.1.46 to 224.0.0.13 on =
vif gre
0) failed: No route to host.
Any suggestions?
Thank you,=20
Dorin.
------=_NextPart_000_1991_01C63888.4B243690
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2900.2802" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2>Hello all, </FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>Sorry for the long introduction, but I =
think a bit=20
of a background is necessary:</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>I have a GRE tunnel going over a =
VPN and=20
multicast+PIM-SM traffic going </FONT><FONT face=3DArial =
size=3D2>through this GRE=20
tunnel. </FONT></DIV>
<DIV><FONT face=3DArial size=3D2>The other side is a Cisco router, don't =
know=20
exactly the model + IOS release. </FONT></DIV>
<DIV><FONT face=3DArial size=3D2>All of this is fully operational on my =
side on a=20
Cisco router as well, with the following configuration:</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>2611XM with an AIM VPN/BP encryption =
module, =20
</FONT><FONT face=3DArial size=3D2>running <FONT face=3D"Times New =
Roman"=20
size=3D3>c2600-ik9o3s-mz.122-27</FONT>. </FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>The problem is that the CPU usage is =
very high on=20
the Cisco on my end.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Even though the specs say this setup =
should handle=20
up to 10Mbps of encrypted traffic (with packets at near-MTU =
size),</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>I get this high CPU usage at much lower =
traffic=20
rates, as in 1 to 1.5Mbps. </FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Because of this, I tried to replicate =
the same=20
configuration on a Soekris net4801 box (with a vpn1411 VPN accelerator =
card),=20
</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>running on OpenBSD 3.8. The only =
modification from=20
the stock 3.8 kernel was to add support for PIM: </FONT></DIV>
<DIV><FONT face=3DArial=20
size=3D2>option =20
PIM &nbs=
p; #=20
Protocol Independent Multicast</FONT></DIV>
<DIV><FONT face=3DArial size=3D2> </DIV></FONT>
<DIV><FONT face=3DArial size=3D2>The part concerning the VPN and the GRE =
tunnel=20
works ok and was tested just fine. </FONT></DIV>
<DIV><FONT face=3DArial size=3D2>For the PIM-SM support under OpenBSD =
part=20
everything pointed to xorp , so I deployed the xorp-1.1 =
package</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>from the 3.8 distribution. =
</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>This is how my config.boot file looks=20
like:</FONT></DIV>
<DIV><FONT face=3DCourier size=3D2>/*XORP Configuration File, =
v1.0*/<BR>interfaces=20
{<BR> targetname: "fea"<BR> =
interface sis0=20
{<BR> disable:=20
false<BR> description: "This =
is the=20
NIC facing the Internet"<BR> =20
default-system-config<BR> }<BR> =
interface=20
sis3 {<BR> disable:=20
false<BR> description: "This =
is the=20
NIC facing the LAN"<BR> =20
default-system-config<BR> }<BR> =
interface=20
gre0 {<BR> disable:=20
false<BR> description: "This =
is the=20
Tunnel set up between the Soekris OpenBSD and the Cisco VPN=20
router"<BR> =20
default-system-config<BR> }<BR>}<BR>fea=20
{<BR> unicast-forwarding4=20
{<BR> &n=
bsp; =20
disable: false<BR> =
}<BR>}<BR>plumbing=20
{<BR> mfea4=20
{<BR> &n=
bsp; =20
disable:=20
false<BR> &nbs=
p; =20
interface sis3=20
{<BR> &n=
bsp; =20
vif sis3=20
{<BR> &n=
bsp; &nb=
sp; =20
disable:=20
false<BR> &nbs=
p;  =
;=20
}<BR> &n=
bsp; =20
}<BR> &n=
bsp; =20
interface gre0=20
{<BR> &n=
bsp; =20
vif gre0=20
{<BR> &n=
bsp; &nb=
sp; =20
disable:=20
false<BR> &nbs=
p;  =
;=20
}<BR> &n=
bsp; =20
}<BR> &n=
bsp; =20
interface register_vif=20
{<BR> &n=
bsp; =20
vif register_vif=20
{<BR> &n=
bsp; =20
/* Note: this vif should be always enabled=20
*/<BR> &=
nbsp; &n=
bsp; =20
disable:=20
false<BR> &nbs=
p;  =
;=20
}<BR> &n=
bsp; =20
}<BR> &n=
bsp; =20
traceoptions=20
{<BR> &n=
bsp; =20
flag all=20
{<BR> &n=
bsp; &nb=
sp; =20
disable:=20
false<BR> &nbs=
p;  =
;=20
}<BR> &n=
bsp; =20
}<BR> }<BR>}<BR>protocols=20
{<BR> static =
{<BR> =20
route4 YYY.164.7.0/26=20
{<BR> &n=
bsp; =20
next-hop:=20
10.167.1.45<BR> &nbs=
p; =20
metric: 1<BR> =20
}<BR> mrib-route4 =
YYY.164.7.0/24=20
{<BR> &n=
bsp; =20
next-hop:=20
10.167.1.45<BR> &nbs=
p; =20
metric: 1<BR> =
}<BR> =20
}<BR> igmp =
{<BR> =20
targetname: "IGMP"<BR> =
disable:=20
false<BR> interface sis3=20
{<BR> &n=
bsp; =20
vif sis3=20
{<BR> &n=
bsp; =20
disable:=20
false<BR> &nbs=
p; =20
}<BR> =20
}<BR> interface gre0=20
{<BR> &n=
bsp; =20
vif gre0=20
{<BR> &n=
bsp; =20
disable:=20
false<BR> &nbs=
p; =20
}<BR> =20
}<BR> traceoptions=20
{<BR> &n=
bsp; =20
flag all=20
{<BR> &n=
bsp; =20
disable:=20
false<BR> &nbs=
p; =20
}<BR> }<BR> =20
}<BR> pimsm4 =
{<BR> =20
targetname: "PIMSM_4"<BR> =
disable:=20
false<BR> interface sis3=20
{<BR> &n=
bsp; =20
vif sis3=20
{<BR> &n=
bsp; =20
disable:=20
false<BR> &nbs=
p; =20
}<BR> =20
}<BR> interface register_vif=20
{<BR> &n=
bsp; =20
vif register_vif=20
{<BR> &n=
bsp; =20
/* Note: this vif should be always enabled=20
*/<BR> &=
nbsp; =20
disable:=20
false<BR> &nbs=
p; =20
}<BR> =20
}<BR> interface gre0=20
{<BR> &n=
bsp; =20
vif gre0=20
{<BR> &n=
bsp; =20
disable:=20
false<BR> &nbs=
p; =20
}<BR> =20
}<BR> static-rps=20
{<BR> &n=
bsp; =20
rp YYY.164.7.254=20
{<BR> &n=
bsp; =20
group-prefix 233.119.160.0/24=20
{<BR> &n=
bsp; &nb=
sp; =20
rp-priority:=20
192<BR> =
&=
nbsp; =20
hash-mask-len:=20
30<BR> &=
nbsp; =20
}<BR> &n=
bsp; =20
}<BR> }<BR> =20
}<BR>}</FONT></DIV>
<DIV><FONT face=3DArial size=3D2><BR><FONT face=3DCourier>/*<BR> * =
Note: fib2mrib=20
is needed for multicast only if the unicast protocols<BR> * don't =
populate=20
the MRIB with multicast-specific routes.<BR> */<BR>protocols=20
{<BR> fib2mrib =
{<BR> =20
disable: false<BR> }<BR>}</FONT></DIV>
<DIV> </DIV>
<DIV>and this is how the relevant network interfaces are =
configured:</DIV>
<DIV><FONT face=3DCourier>ifconfig sis0 inet XXX.227.82.27 netmask=20
255.255.255.248</FONT></DIV>
<DIV><FONT face=3DCourier>ifconfig sis3 inet 10.65.50.1 netmask=20
255.255.255.0</FONT></DIV>
<DIV><FONT face=3DCourier>
<DIV><FONT face=3DCourier>ifconfig sis3 inet alias 192.168.20.3 netmask=20
255.255.255.0</FONT></DIV></FONT></DIV>
<DIV><FONT face=3DCourier>ifconfig lo1 inet 10.167.0.21 netmask=20
255.255.255.255</FONT></DIV>
<DIV><FONT face=3DCourier>ifconfig gre0 tunnel 10.167.0.21=20
10.173.254.1<BR>ifconfig gre0 inet 10.167.1.46 10.167.1.45 netmask=20
255.255.255.252<BR></FONT><BR></DIV>
<DIV> </DIV>
<DIV>The configuration on the Cisco side looks like this (trimmed to the =
relevant details, VPN part left aside, too):</DIV>
<DIV><FONT face=3DCourier>Current configuration : 2793 =
bytes<BR>!<BR>version=20
12.2<BR>!<BR>ip multicast-routing<BR>!<BR>!<BR>interface =
Loopback0<BR> ip=20
address 10.167.0.21 255.255.255.255<BR>!<BR>interface =
Tunnel0<BR> ip=20
address 10.167.1.46 255.255.255.252<BR> ip pim =
sparse-mode<BR> tunnel=20
source 10.167.0.21<BR> tunnel destination =
10.173.254.1<BR>!<BR>interface=20
Ethernet0/0<BR> ip address 10.65.50.1 255.255.255.0<BR> ip pim =
sparse-mode<BR> full-duplex<BR> no cdp =
enable<BR>!<BR>interface=20
Ethernet0/1<BR> ip address XXX.227.82.27=20
255.255.255.248<BR> full-duplex<BR> crypto map =
cvs2set<BR>!<BR>ip=20
classless<BR>ip route 0.0.0.0 0.0.0.0 XXX.227.82.25<BR>ip route =
YYY.164.7.0=20
255.255.255.192 Tunnel0<BR>no ip http server<BR>ip pim rp-address =
YYY.164.7.254=20
WAN_list<BR>ip mroute YYY.164.7.0 255.255.255.0 Tunnel0<BR>!<BR>!<BR>ip=20
access-list standard WAN_list<BR> permit 233.119.160.0=20
0.0.0.63<BR> deny any<BR></FONT><FONT=20
face=3DCourier>!<BR>end<BR></FONT></DIV>
<DIV><FONT face=3DCourier></FONT> </DIV>
<DIV><FONT face=3DCourier><FONT face=3DArial>I think the problem in the =
OpenBSD=20
setup starts with setting up the routes for getting to the RP through =
the=20
tunnel, </FONT></FONT></DIV>
<DIV><FONT face=3DCourier><FONT face=3DArial>because other than some =
occasional IGMP=20
group 224.0.0.13 traffic I don't see anything else flowing through =
it.=20
</FONT></FONT></DIV>
<DIV><FONT face=3DCourier><FONT face=3DArial>My question is ... what =
would be the=20
correct xorp equivalent for the two cisco commands below: =
</FONT></FONT></DIV>
<DIV><FONT face=3DCourier>ip route YYY.164.7.0 255.255.255.192=20
Tunnel0</FONT> </DIV>
<DIV><FONT face=3DCourier><FONT face=3DArial><FONT face=3DCourier>ip =
mroute=20
YYY.164.7.0 255.255.255.0 Tunnel0</FONT></FONT></FONT></DIV>
<DIV><FONT face=3DCourier><FONT face=3DArial> </DIV></FONT></FONT>
<DIV><FONT face=3DCourier><FONT face=3DArial>I thought that's what I'd =
be doing by=20
using </FONT></FONT></DIV>
<DIV><FONT face=3DCourier> static=20
{<BR> route4 YYY.164.7.0/26=20
{<BR> &n=
bsp; =20
next-hop:=20
10.167.1.45<BR> &nbs=
p; =20
metric: 1<BR> =20
}<BR> mrib-route4 =
YYY.164.7.0/24=20
{<BR> &n=
bsp; =20
next-hop:=20
10.167.1.45<BR> &nbs=
p; =20
metric: 1<BR> }<BR><FONT=20
face=3DArial>(10.167.1.45 being the peer on the other end of the GRE=20
tunnel)</FONT></FONT><FONT face=3DCourier><FONT face=3DArial>, however =
this doesn't=20
seem to work this way. </FONT></FONT></DIV>
<DIV><FONT face=3DCourier><FONT face=3DArial>Another indication is this =
type of=20
messages logged by xorp_rtrmgr:</FONT></FONT></DIV>
<DIV><FONT face=3DCourier>[ 2006/02/22 18:22:50 ERROR =
xorp_fea:5723 MFEA=20
+1781 mfea_proto_comm.cc proto_socket_write ] sendmsg(proto 103 from =
10.167.1.46=20
to 224.0.0.13 on vif gre<BR>0) failed: No route to host.</FONT></DIV>
<DIV> </DIV>
<DIV>Any suggestions?</DIV>
<DIV> </DIV>
<DIV>Thank you, </DIV>
<DIV>Dorin.<BR></DIV>
<DIV><FONT face=3DCourier><FONT=20
face=3DArial></FONT> </DIV></FONT></FONT></BODY></HTML>
------=_NextPart_000_1991_01C63888.4B243690--