_garfield_
Aspiring Contributor
2,481 Views
Message 1 of 13

Cisco ASA and YouView multicast

Here are some notes on how I got multicast TV channels working across a Cisco ASA 5505 firewall. Rather than just post a config, I'm going to go into a bit of background info first which I hope will be useful for anyone trying to get multicast to work on a slightly more exotic network router/firewall that the details have not already been posted for. Also the ASA firewall used for this config had a full 'Security Plus' licence, so this won't work as-is on a Base licence ASA without some changes.

 

First thing that was useful is the BT Supplier Information Note (SIN) 503 downloadable from here. This is chapter and verse on how the service works but it is a bit heavy going, and you probably don't need to read the whole thing unless you want to work it out yourself from first principles.

 

For the rest of us, here is what it says that is useful to know:

  • IGMPv3 is used to control access to multicast.
  • Multicast traffic sits in a separate VLAN to your normal ISP data traffic (i.e. not inside the PPPoE session).
  • VLAN membership tags are stripped as they leave the Openreach network and are sent to the customer modem.
  • IGMP membership requests are rewritten to a source address of 0.0.0.0, and any VLAN tags are stripped as they enter the Openreach network from the customer modem.

The issue with the Cisco ASA is that once PPPoE is enabled on a network interface then all traffic to that interface is put in the tunnel, and so sending IGMP joins to the existing outside interface isn't going to work. I found the workaround was to create a new VLAN interface (vlan3) mapped to the same physical port I was using for the PPPoE VLAN interface (vlan2).

 

I used IP address 192.168.0.254 for vlan3 as it doesn't conflict with any range I was already using. This VLAN is only used to send IGMP joins, and they get rewritten to a source of 0.0.0.0 immediately by Openreach so I don't believe the IP is important. Also I had to enable trunk mode for the switch port to be able to have multiple VLANs, so it meant VLAN tags were being added. However these get stripped off immediately by Openreach so they have no effect on the outbound traffic.

 

Next you need to enable multicast routing on the ASA (the command is 'multicast-routing') and configure IGMP to be forwarded to the new VLAN using the 'igmp forward interface' command from your inside VLAN that the YouView box is on; this was vlan1 on my device.

Finally, due to the multicast packets being untagged, you need to put a firewall rule into the native outside vlan (vlan2) to allow the multicast packets from Openreach back into your network. This was accomplished with 'access-list outside_access_in extended permit udp any 234.0.0.0 255.0.0.0' on my firewall. This may seem a bit counterintuitive, as this is the PPPoE interface we couldn't send the joins down, but this is how the ASA deals with the untagged packets arriving.

 

I found this did work, but the multicast traffic flooded all the ASA ports assigned to the inside VLAN. To fix this I created a fourth VLAN with a different internal IP address range, set up DHCP and NAT in the usual way, and assigned it to the switchport the YouView box was plugged in to. I then needed to move the 'igmp forward interface' command so it was in the config for the new VLAN rather than in the config for vlan1.
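
A config check for the steps described in the post above, as an added example that is not part of the original post or Cisco tooling. The sample config is constructed, and the `access-group` line binding `outside_access_in` to the outside interface is an assumption the post does not show.

```python
import ipaddress
import re

MCAST = ipaddress.ip_network("224.0.0.0/4")

# Constructed sample following the post; the access-group line is an assumption.
SAMPLE = """\
multicast-routing
interface Vlan1
 nameif inside
 igmp forward interface igmpjoins
interface Vlan2
 nameif outside
 ip address pppoe setroute
interface Vlan3
 nameif igmpjoins
access-list outside_access_in extended permit udp any 234.0.0.0 255.0.0.0
access-group outside_access_in in interface outside
"""

def audit(cfg):
    """Return the steps from the post that are missing from an ASA config."""
    lines = [ln.strip() for ln in cfg.splitlines()]
    text, names, pppoe, targets, name = "\n".join(lines), set(), set(), [], None
    for ln in lines:
        if ln.startswith("interface ") or ln in ("", "!"):
            name = None                      # interface block boundary
        elif ln.startswith("nameif "):
            name = ln.split()[1]
            names.add(name)
        elif ln.startswith("ip address pppoe") and name:
            pppoe.add(name)                  # the PPPoE session is bound here
        elif ln.startswith("igmp forward interface "):
            targets.append(ln.split()[-1])
    out = [] if "multicast-routing" in lines else ["multicast-routing is not enabled"]
    if not targets:
        out.append("no 'igmp forward interface' configured")
    for t in targets:
        if t in pppoe:
            out.append(f"IGMP joins forwarded into PPPoE interface '{t}'")
        elif t not in names:
            out.append(f"IGMP joins forwarded to undefined interface '{t}'")
    for o in sorted(pppoe):
        acls = re.findall(rf"^access-group (\S+) in interface {re.escape(o)}$", text, re.M)
        dsts = [m for a in acls for m in re.findall(
            rf"^access-list {re.escape(a)} extended permit udp any ([\d.]+) ([\d.]+)$", text, re.M)]
        if not any(ipaddress.ip_network(f"{n}/{k}", strict=False).subnet_of(MCAST) for n, k in dsts):
            out.append(f"no inbound UDP multicast permit bound to '{o}'")
    return out
```

`audit(SAMPLE)` returns an empty list; each returned string names one step from the post that the config does not satisfy.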

12 REPLIES 12
gavinhatton
Beginner
2,402 Views
Message 2 of 13

Re: Cisco ASA and YouView multicast

I think I understand your config here but do not understand why a new VLAN is required, does a loopback not achieve the same result?

 

Also you make no mention of where your DSL actually terminates? Are you using the Openreach modem onto the ASA?

 

If you could post a truncated config making reference only to the multicast settings I should then be able to port this to my 1941/EHWIC-VA-DSL-A setup.

 

Thanks,

Gavin

0 Ratings
Reply
_garfield_
Aspiring Contributor
2,371 Views
Message 3 of 13

Re: Cisco ASA and YouView multicast

Cisco ASAs and routers are very different things, they run PIX OS rather than IOS so the configs and capabilities are different.

But to summarise:
PIX doesn't have secondary and loopback interfaces like IOS routers have.
The IGMP joins need to be forwarded out the device, but not down the PPP session, so a loopback won't help here anyway.
Openreach Huawei HG612 is connected to the outside port on the PIX.

You basically need to create two interfaces on your outgoing device (whether Ethernet or a WIC) and bind the PPP session to one, and forward the IGMP requests down the other interface. Unless there is another way of bypassing the PPP session on an IOS router, which there isn't on a PIX.
0 Ratings
Reply
t0pb0y
Newbie
2,043 Views
Message 4 of 13

Re: Cisco ASA and YouView multicast

Hi... 
I would describe myself as a network numpty...and can relate to the issue but have no idea where to start to 'fix' it


My issue is similar to yours except I have a Cisco RV180 router which sounds like it also needs to be configured to allow multicast so that LIVE BT web broadcast streams work.

Do you have any kind words or suggestions for a numpty such as myself???


ps all other forms of web access using the Cisco RV180 router together with the original BT Huawei HG612  modem are working as expected (only issue is BT youview channels)

 

Thanks in advance

0 Ratings
Reply
frod
Aspiring Contributor
1,911 Views
Message 5 of 13

Re: Cisco ASA and YouView multicast

Would you mind posting your config?
0 Ratings
Reply
frod
Aspiring Contributor
1,870 Views
Message 6 of 13

Re: Cisco ASA and YouView multicast

I can't seem to maintain pppoe connectivity as soon as I enable trunking on the pppoe interface, any ideas?

0 Ratings
Reply
frod
Aspiring Contributor
1,826 Views
Message 7 of 13

Re: Cisco ASA and YouView multicast

I wonder if setting a native vlan might help?

 

interface Ethernet 0/0
 switchport
 switchport mode trunk
 switchport trunk native vlan 2
 switchport trunk allowed vlan 2,3

I'll try it tonight 🙂

0 Ratings
Reply
frod
Aspiring Contributor
1,804 Views
Message 8 of 13

Re: Cisco ASA and YouView multicast

Well, I managed to stay online this time but no closer to getting the streaming multicast channels coming through
0 Ratings
Reply
frod
Aspiring Contributor
1,783 Views
Message 9 of 13

Re: Cisco ASA and YouView multicast

OK, the key point I missed is to also allow access to the igmp vlan on the port your youview box is connected to.

 

truncated to only have the relevant bits:

 

multicast-routing

interface Ethernet0/0
 description to VDSL modem
 switchport trunk allowed vlan 2-3
 switchport trunk native vlan 2
 switchport mode trunk

interface Ethernet0/2
 description to Lounge switch where youview box lives
 switchport trunk allowed vlan 1,3
 switchport trunk native vlan 1
 switchport mode trunk

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 igmp forward interface igmpjoins
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group BTINFINITY
 ip address pppoe setroute
!
interface Vlan3
 nameif igmpjoins
 security-level 0
 ip address 192.168.0.254 255.255.255.0
 igmp access-group igmpjoins_multicast
!

access-list igmpjoins_multicast standard permit any4

0 Ratings
Reply
frod
Aspiring Contributor
1,765 Views
Message 10 of 13

Re: Cisco ASA and YouView multicast

As per the original poster's assertion, I saw the same traffic flooding, which my wifi base station didn't like at all, so I moved the youview onto its own port and vlan on the ASA. Hope this is useful to someone.

 

interface Ethernet0/0
 description VDSL modem
 switchport trunk allowed vlan 2-3
 switchport trunk native vlan 2
 switchport mode trunk

interface Ethernet0/2
 description YouView
 switchport trunk allowed vlan 3-4
 switchport trunk native vlan 4
 switchport mode trunk

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
! the following 'no igmp' might not be necessary
 no igmp

interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group BTINFINITY
 ip address pppoe setroute

interface Vlan3
 nameif igmpjoins
 security-level 0
 ip address 192.168.0.254 255.255.255.0

interface Vlan4
 no forward interface Vlan1
 nameif youview
 security-level 90
 ip address 192.168.5.1 255.255.255.0
 igmp forward interface igmpjoins

object network youviewnat
 nat (youview,outside) dynamic interface

object network youviewclients
 range 192.168.5.5 192.168.5.20
 description dhcp range on youview vlan

dhcpd address 192.168.5.5-192.168.5.20 youview
dhcpd dns 62.6.40.178 62.6.40.162 interface youview
dhcpd domain home.ford.cx interface youview
dhcpd enable youview

access-list youview_access_in extended permit ip object youviewclients any