Creating Multicast VPNs
JunosE router software provides the ability to create multicast VPNs by using GRE tunnels. This implementation is based on Multicast in MPLS/BGP VPNs (draft-rosen-vpn-mcast-06.txt and draft-rosen-vpn-mcast-08.txt) and further defined by Base Specification for Multicast in MPLS/BGP VPNs (draft-raggarwa-l3vpn-2547-mvpn-00.txt).
Note: Although you can configure PIM sparse mode remote neighbors, you can no longer use these remote neighbors for BGP/MPLS VPNs. For multicast VPNs, use the functionality described in this section.
The JunosE Software supports default Multicast Distribution Trees (MDTs) and data MDTs.
Creating Multicast VPNs Using the Default MDT
The JunosE Software does not support a single MDT command. Instead, you must configure the multicast tunnel interfaces (MTIs) explicitly. The MTI is an IP interface that is stacked on a GRE tunnel interface. The destination address of the GRE tunnel is the multicast VPN (MVPN) group address of the MDT.
A tunnel mdt command specifies that the tunnel is the MTI for the default MDT, enabling the creation of a second, layer 2 interface (interface tunnel gre:name.mdt) on which an unnumbered IP interface (tied to the provider edge loopback interface) is stacked in the context of the parent virtual router.
Multicast VPN Configuration Example
In the following example (Figure 13), customer edge router 1 (CE1) and customer edge router 2 (CE2) exist in two separate VPNs. Each VPN is configured with its assigned Multicast Domain (235.1.1.1 and 235.1.1.2, respectively).
Figure 13: Multicast VPNs

To better understand the example, keep the following in mind:
- Lp is a loopback interface in the parent router. This is the loopback interface used as the BGP peer address of the provider edge router (PE). Its address is advertised in the provider address space.
- Tv is the MTI in the VRF. This interface is typically configured as a PIM sparse-mode interface (though you can configure it for dense-mode or sparse-dense-mode). Any packets that originate in the VRF are sent using the address of this interface as the source address. You must set this interface address to be identical to the loopback interface of the parent router (Lp).

Caution: Defining the Tv interface with an address other than the loopback interface of the parent router might restrict operation with non-Juniper Networks routers.
- Tp is an unnumbered IP interface that is tied to the loopback interface of the provider edge router (PE).
To configure the example, use the following general procedures:
Note: This example provides general information for configuring a simple Multicast VPN network. For detailed information about creating GRE tunnels, see Configuring IP Tunnels in the JunosE IP Services Configuration Guide. For detailed information about PIM sparse-mode configuration, see PIM Sparse Mode.
- Configure BGP/MPLS VPN.
    host1:PE2(config-router)#router bgp 100
    host1:PE2(config-router)#address-family vpnv4 unicast
    host1:PE2(config-router-af)#neighbor 1.1.1.1 activate
    host1:PE2(config-router-af)#neighbor 1.1.1.1 next-hop-self
    host1:PE2(config-router-af)#neighbor 3.3.3.3 activate
    host1:PE2(config-router-af)#neighbor 3.3.3.3 next-hop-self
    host1:PE2(config-router-af)#exit-address-family
See Configuring BGP-MPLS Applications in the JunosE BGP and MPLS Configuration Guide for details.
- Configure PIM sparse mode in the core and RP for MVPN group addresses.

Note: For MVPN, it is a typical practice to use shared trees.
    host1:PE1(config-router)#virtual-router PE2
    host1:PE2(config)#ip multicast-routing
    host1:PE2(config)#
    host1:PE2(config)#! MDT RP is 72.72.72.72 (P1)
    host1:PE2(config)#access-list 1 permit ip 235.0.0.0 0.255.255.255 any
    host1:PE2(config)#ip pim rp-address 72.72.72.72 1
    host1:PE2(config)#
    host1:PE2(config)#! Do not switch from RPT for MDTs
    host1:PE2(config)#ip pim spt-threshold infinity group-list 1
    host1:PE2(config)#
- Configure the loopback interface, Lp, in parent router PE2.
    host1:PE2(config)#interface loopback 0
    host1:PE2(config-if)#ip address 2.2.2.2 255.255.255.255
    host1:PE2(config-if)#ip pim sparse-mode
    host1:PE2(config-if)#

Note: You must configure the loopback interface for PIM sparse mode to support unnumbered MDTs.
- Add PIM-SM to core-facing interfaces.
    host1:PE2(config)#interface atm2/1.20
    host1:PE2(config-subif)#ip pim sparse-mode
    host1:PE2(config-subif)#
- Extend the BGP router configuration to contribute VPN routes into the multicast router table of the VRF using the ip route-type both command.
    host1:PE2(config)#router bgp 100
    host1:PE2(config-router)#address-family ipv4 unicast vrf PE21
    host1:PE2(config-router-af)#ip route-type both
    host1:PE2(config-router-af)#exit
    host1:PE2(config-router)#
- Configure the GRE tunnel for VPN1.
    host1(config)#interface tunnel gre:MTI-21 transport-virtual-router PE2
    host1(config-if)#tunnel source 2.2.2.2
    host1(config-if)#tunnel destination 235.1.1.1
    host1(config-if)#tunnel mdt
    host1(config-if)#exit
    host1(config)#
- Configure the GRE tunnel for VPN2.
    host1(config)#interface tunnel gre:MTI-22 transport-virtual-router PE2
    host1(config-if)#tunnel source 2.2.2.2
    host1(config-if)#tunnel destination 235.1.1.2
    host1(config-if)#tunnel mdt
    host1(config-if)#exit
    host1(config)#
- Configure the IP interface (Tv) in PE2:CE1 as a numbered or unnumbered PIM sparse-mode interface. Use the same address as the loopback interface, Lp, in the parent router, PE2.
    host1(config)#virtual-router PE2:CE1
    host1:PE2:CE1(config)#interface tunnel gre:MTI-21
    host1:PE2:CE1(config-if)#ip address 2.2.2.2 255.255.255.255
    host1:PE2:CE1(config-if)#ip pim sparse-mode
    host1:PE2:CE1(config-if)#exit
    host1:PE2:CE1#
- Configure the IP interface (Tv) in PE2:CE2 as a numbered or unnumbered PIM sparse-mode interface. Use the same address as the loopback interface, Lp, in the parent router, PE2.
    host1(config)#virtual-router PE2:CE2
    host1:PE2:CE2(config)#interface loopback 0
    host1:PE2:CE2(config-if)#ip address 2.2.2.2 255.255.255.255
    host1:PE2:CE2(config-if)#exit
    host1:PE2:CE2(config)#
    host1:PE2:CE2(config)#interface tunnel gre:MTI-22
    host1:PE2:CE2(config-if)#ip unnumbered loopback 0
    host1:PE2:CE2(config-if)#ip pim sparse-mode
    host1:PE2:CE2(config-if)#exit
    host1:PE2:CE2#
- Configure the Tp interfaces in the parent router, PE2, as unnumbered PIM sparse-mode interfaces tied to the loopback interface, Lp.
    host1(config)#virtual-router PE2
    host1:PE2(config)#interface tunnel gre:MTI-21.mdt
    host1:PE2(config-if)#ip unnumbered loopback 0
    host1:PE2(config-if)#ip pim sparse-mode
    host1:PE2(config-if)#exit
    host1:PE2(config)#
    host1:PE2(config)#interface tunnel gre:MTI-22.mdt
    host1:PE2(config-if)#ip unnumbered loopback 0
    host1:PE2(config-if)#ip pim sparse-mode
    host1:PE2(config-if)#exit
    host1:PE2(config)#
tunnel mdt
- Use to enable multicast distribution tree operation so the IP tunnel component can create an MDT interface. This command functions for GRE interfaces only.
- Example
    host1(config-if)#tunnel mdt
- The no version disables MDT on the interface.
- See tunnel mdt.
Creating Multicast VPNs Using the Data MDT
A data multicast distribution tree (MDT), based on section 8 of Internet draft draft-rosen-vpn-mcast-08.txt, Multicast in MPLS/BGP IP VPNs, solves the problem of P routers flooding unnecessary multicast information to PE routers that have no interested receivers for a particular VPN multicast group. The data MDT solution requires the creation of a new tunnel by the PE router if the source exceeds a configured rate threshold parameter. All other PE routers join the new tunnel only if the PE router has receivers in the VPN for that multicast group.
The JunosE Software uses dynamic point-to-multipoint GRE tunnels to configure data MDTs. In the current release, IPv6 transport over GRE (unicast or multicast) is not supported. For more information, see Configuring Dynamic IP Tunnels in the JunosE IP Services Configuration Guide.
Data MDTs are established using PIM-SM (shared RP Trees) and PIM-SSM (Source Trees). Profiles for dynamic interfaces in the VRF are restricted to sparse-mode only.
Data MDT Sources
A C-SG flow arriving in the source VRF is a candidate for a data MDT if the system matches the C-SG in the route map that you specify for the data MDT using the ip pim data-mdt command. The C-SG flow is initially forwarded on the default MDT. The system creates the data MDT when the flow rate exceeds a value you configure in the route map using the set threshold command.
When the Source C-PIM-SM first creates a data MDT for a C-SG flow, it sends a <C-SG, P-G> MDT join message with type, length, value (TLV) format to the default MDT. This message invites peer PE routers to join the new data MDT. It starts a timer that you can configure using the mdt-data-delay command to track the number of seconds before switching to the data MDT. When that timer expires, C-PIM-SM switches from sending C-SG data on the default MDT to sending data on the data MDT.
When the C-SG flow is switched to the data MDT, the Source C-PIM-SM starts a timer that you can configure using the mdt-data-holddown command to track the number of seconds before switching to the default MDT. When the timer expires, the data MDT is deleted and the C-SG flow is switched back to the default MDT if the flow rate drops back below the threshold. If the flow rate exceeds the threshold, the timer restarts. If the timer expires and the flow rate is below the threshold, the data MDT is removed.
The Source C-PIM-SM maintains sent MDT Join TLV messages in its database as long as they are active. While the data MDT is active, C-PIM-SM resends that MDT Join TLV message using a setting that you can configure using the mdt-interval command to measure time in seconds between successive MDT Join TLV messages.
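The source-side sequence described above (threshold crossing, MDT Join TLV, delay, holddown, periodic refresh) can be traced with a small model. This is an added example, not JunosE code: the class, the event names and the one-second tick are assumptions, and because the page does not say what happens if the rate drops during the delay, the model still switches and lets the holddown timer decide.

```python
from dataclasses import dataclass, field

@dataclass
class DataMdtSource:
    """Source-PE view of one C-SG flow that matched the data MDT route map."""
    threshold: int               # route-map "set threshold" value
    delay_ds: int = 30           # mdt-data-delay, in units of 0.1 s
    holddown_s: int = 60         # mdt-data-holddown, seconds
    interval_s: int = 60         # mdt-interval, seconds
    state: str = "default"       # default -> pending -> data -> default
    events: list = field(default_factory=list)
    _switch_at: float = 0.0
    _hold_until: float = 0.0
    _next_join: float = 0.0

    def _send_join(self, now):
        self.events.append((now, "join-tlv"))        # <C-SG, P-G> on the default MDT
        self._next_join = now + self.interval_s

    def tick(self, now, rate):
        """Advance to time `now` (seconds) with the flow's current rate."""
        if self.state == "default":
            if rate > self.threshold:
                self.state = "pending"               # data MDT created, not yet used
                self._send_join(now)
                self._switch_at = now + self.delay_ds / 10
        elif self.state == "pending":
            if now >= self._switch_at:
                self.state = "data"
                self.events.append((now, "switch-to-data-mdt"))
                self._hold_until = now + self.holddown_s
        elif now >= self._hold_until:                # state == "data"
            if rate > self.threshold:
                self._hold_until = now + self.holddown_s
                self.events.append((now, "holddown-restart"))
            else:
                self.state = "default"
                self.events.append((now, "back-to-default-mdt"))
        if self.state != "default" and now >= self._next_join:
            self._send_join(now)                     # periodic refresh while active

def simulate(rates, **timers):
    """Feed one rate sample per second; return the (time, event) list."""
    src = DataMdtSource(**timers)
    for now, rate in enumerate(rates):
        src.tick(now, rate)
    return src.events

# Constructed rate trace: idle, 12 s above the threshold, then below it.
TRACE = [50] + [150] * 12 + [20] * 5

if __name__ == "__main__":
    for event in simulate(TRACE, threshold=100, holddown_s=5, interval_s=4):
        print(event)
```

With short holddown and interval values the trace shows why a holddown shorter than the typical burst gap makes a flow flap between the default and data MDTs.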
Data MDT Receivers
When the Receiver C-PIM-SM receives a <C-SG, P-G> MDT Join TLV message from the default MDT, it extracts the C-SG and the data MDT P-Group address from the TLV and queries the route map that you specified for the data MDT to determine whether the C-SG is a candidate for a data MDT. If it matches, the C-PIM-SM adds the MDT Join TLV to its database and records the time.
If the Receiver C-PIM-SM does not receive an MDT Join TLV<C-SG, P-G> to refresh its database within the amount of time specified for the timeout in the mdt-data-timeout command, the MDT Join TLV<C-SG> is removed from the database and the associated data MDT is removed.
When a new MDT Join TLV<C-SG, P-G> is added to the database, the Receiver C-PIM-SM determines whether it has an SG, SPT state. If it has an SG state, and the incoming interface (IIF) is the default MDT, then C-PIM-SM creates the data MDT and deletes the corresponding forwarding entry. C-PIM-SM waits for the source to transmit data on the data MDT. During this period, data can continue to be received on the default MDT. C-PIM-SM fails the reverse-path forwarding (RPF) check, which results in a forwarding entry with a discarded IIF.
If the C-SG,SPT state is created (either as a result of a C-SSM join or switch from RPT to SPT), and it is the default MDT, the Receiver C-PIM-SM determines whether an MDT Join TLV<C-SG> is active. If it is, C-PIM-SM creates the data MDT.
Establishing a Data MDT Using ASM or SSM
A data MDT carries one C-SG flow. If the data MDTs are established using any-source multicast (ASM), then the P-Group address selected by a PE for the data MDT must be unique to that PE in the MDT (that is, the range of MDT P-Group addresses available in the core must be administratively divided among all the PEs that will source VPN multicasts). The VRFs in a PE must share the P-Group addresses in the assigned range for the PE.
If the data MDTs are established using single-source multicast (SSM), you must configure VRFs to transmit on a tunnel using the same MDT P-Group address. Each VRF transmits using a unique P-Source address; however, each data MDT created by the VRF must use a different P-Group address. There might be one sender data MDT and possibly many receiver data MDTs sharing an IP tunnel. Each PE can assign MDT P-Groups from the same range, but the P-Group addresses must be administratively divided among the VPNs.
For a receiver on the data MDT, P-PIM-SM joins the data MDT by propagating join state into the core. The P-Group for that join is extracted from the MDT Join TLV. If SSM is not activated or the P-Group is not in the SSM group range, P-PIM-SM performs a <*, G> join towards the RP for that P-Group.
If SSM is activated and the P-Group is in the SSM group range, P-PIM-SM performs an <S, G> join towards the P-Source, where the P-Source address is the SA of the MDT Join TLV.
Configuring the Default MDT
To configure the default MDT:
- On the parent virtual-router, configure an IP interface over the MDT interface, and make it a PIM interface.
    host1(config)#virtual-router pe1
    host1:pe1(config)#ip multicast-routing
    host1:pe1(config)#interface loopback 0
    host1:pe1(config-if)#ip address 1.1.1.1 255.255.255.255
    host1:pe1(config-if)#ip pim sparse-mode
    host1:pe1(config-if)#exit
- Configure the VRF.
    host1(config)#virtual-router pe1
    host1:pe1(config)#ip vrf pe13
    host1:pe1(config-vrf)#rd 100:13
    host1:pe1(config-vrf)#route-target both 100:3
    host1:pe1(config-vrf)#exit
- To enable MDT, configure a GRE multicast tunnel interface (MTI) for VPN1.
    host1:pe1(config)#virtual-router default
    host1:(config)#interface tunnel gre:MTI-11 transport-virtual-router pe1
    host1:(config-if)#tunnel source 1.1.1.1
    host1:(config-if)#tunnel destination 233.3.1.1
    host1:(config-if)#tunnel mdt
    host1:(config-if)#exit
The tunnel mdt command enables the IP tunnel component to create an MDT interface.
- For the VRF, configure an IP interface on the MTI interface.
    host1(config)#virtual-router pe1
    host1:pe1(config)#virtual-router pe1:pe13
    host1:pe1:pe13(config)#ip multicast-routing
    host1:pe1:pe13(config)#interface loopback 0
    host1:pe1:pe13(config-if)#ip address 1.1.1.1 255.255.255.255
    host1:pe1:pe13(config-if)#exit

Note: The IP address that you configure for the VRF must be identical to the IP address of the loopback interface in the parent virtual router.
- Configure the MTI interface in the VRF.
    host1:pe1:pe13(config)#interface tunnel gre:MTI-11
    host1:pe1:pe13(config-if)#ip unnumbered loopback 0
    host1:pe1:pe13(config-if)#ip pim sparse-mode
    host1:pe1:pe13(config-if)#exit

Note: You can use the ip unnumbered loopback 0 command to configure the MTI interface on the VRF as an unnumbered interface, or the ip address 1.1.1.1 255.255.255.255 command to configure it as a numbered interface.
- Specify the GRE tunnel configuration for the parent virtual router.
    host1:pe1(config)#interface tunnel gre:MTI-11.mdt
    host1:pe1(config-if)#ip unnumbered loopback 0
    host1:pe1(config-if)#ip pim sparse-mode
    host1:pe1(config-if)#exit
    host1:pe1(config)#virtual-router default

Note: The MDT interface in the parent virtual router must be unnumbered.
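The three address rules in this procedure (Tp unnumbered to the parent loopback Lp, Lp running PIM sparse mode, Tv using the Lp address) are easy to break when copying a configuration between PEs. The following checker is an added example, not a Juniper tool: parse, audit and the finding texts are hypothetical names, it relies on the prompt shape shown on this page to learn the virtual router, and its sample transcript is constructed from the pe1 / pe1:pe13 steps above.

```python
import re
from collections import defaultdict

# Prompt shape used on this page: host1[:<virtual-router>](<mode>)#<command>
PROMPT = re.compile(r"^host1(?::([^()\s]*))?\(([^)]*)\)#\s*(.+)$")

def parse(transcript):
    """Return {virtual_router: {interface: settings}} from a CLI transcript."""
    cfg, cur = defaultdict(dict), {}
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue
        vr, mode, cmd = m.group(1) or "default", m.group(2), m.group(3).split()
        if cmd[0] == "interface":
            cur = cfg[vr].setdefault(" ".join(cmd[1:3]), {})
            if "transport-virtual-router" in cmd:
                cur["parent"] = cmd[cmd.index("transport-virtual-router") + 1]
        elif not mode.endswith("if"):
            continue                      # only interface-level commands matter here
        elif cmd[:2] in (["ip", "address"], ["ip", "pim"]):
            cur[cmd[1]] = cmd[2]          # stored under "address" or "pim"
        elif cmd[:2] == ["ip", "unnumbered"]:
            cur["unnumbered"] = " ".join(cmd[2:4])
        elif cmd == ["tunnel", "mdt"]:
            cur["mdt"] = True
    return cfg

def audit(cfg):
    """Check every 'tunnel mdt' MTI against the Lp/Tp/Tv rules; return findings."""
    def address(vr, name):                # numbered, or inherited via ip unnumbered
        i = cfg.get(vr, {}).get(name, {})
        return i.get("address") or cfg.get(vr, {}).get(i.get("unnumbered"), {}).get("address")
    findings = []
    mtis = [(n, i.get("parent")) for ifs in cfg.values() for n, i in ifs.items() if i.get("mdt")]
    for name, parent in mtis:
        tp = cfg.get(parent, {}).get(name + ".mdt", {})
        lp = cfg.get(parent, {}).get(tp.get("unnumbered"), {})
        if "address" in tp or not lp:
            findings.append((name, "Tp is not unnumbered to a parent loopback"))
            continue
        if lp.get("pim") != "sparse-mode":
            findings.append((name, "Lp is not PIM sparse-mode"))
        for vr in cfg:
            if vr.startswith(f"{parent}:") and name in cfg[vr] and address(vr, name) != lp.get("address"):
                findings.append((name, f"Tv in {vr} does not use the Lp address"))
    return findings

# Constructed transcript, trimmed to the lines the checks read.
SAMPLE = """\
host1:pe1(config)#interface loopback 0
host1:pe1(config-if)#ip address 1.1.1.1 255.255.255.255
host1:pe1(config-if)#ip pim sparse-mode
host1(config)#interface tunnel gre:MTI-11 transport-virtual-router pe1
host1(config-if)#tunnel mdt
host1:pe1:pe13(config)#interface loopback 0
host1:pe1:pe13(config-if)#ip address 1.1.1.1 255.255.255.255
host1:pe1:pe13(config)#interface tunnel gre:MTI-11
host1:pe1:pe13(config-if)#ip unnumbered loopback 0
host1:pe1:pe13(config-if)#ip pim sparse-mode
host1:pe1(config)#interface tunnel gre:MTI-11.mdt
host1:pe1(config-if)#ip unnumbered loopback 0
host1:pe1(config-if)#ip pim sparse-mode
"""
```

Calling audit(parse(SAMPLE)) returns an empty list; changing the pe1:pe13 loopback address or dropping PIM from the pe1 loopback produces the matching finding.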
ip pim
- Use to enable PIM on an interface.
- Example
    host1(config-if)#ip pim sparse-mode
- Use the no version to disable PIM on an interface.
- See ip pim.
tunnel mdt
- Use to enable multicast distribution tree (MDT) operation so the IP tunnel component can create an MDT interface. This command functions for GRE interfaces only.
- Example
    host1(config-if)#tunnel mdt
- The no version disables MDT on the interface.
- See tunnel mdt.
Configuring Data MDTs
To configure data MDTs:
- Configure a dynamic interface profile to specify the PIM configuration of the IP interface or MTI interface in the VRF.
    host1(config)#profile pe13DataMdtMti
    host1(config-profile)#ip virtual-router pe1:pe13
    host1(config-profile)#ip unnumbered loopback 0
    host1(config-profile)#ip pim sparse-mode
    host1(config-profile)#exit
- Configure a dynamic interface profile to specify the IP interface or MDT interface in the parent.
    host1(config-profile)#profile pe1DataMdtMdt
    host1(config-profile)#ip virtual-router pe1
    host1(config-profile)#ip unnumbered loopback 0
    host1(config-profile)#ip pim sparse-mode
    host1(config-profile)#exit
- Configure the destination profile for dynamic IP tunnel creation.
    host1(config)#gre destination profile pe13DataMdtProfile virtual-router pe1
    host1(config-dest-profile)#tunnel source 1.1.1.1
    host1(config-dest-profile)#tunnel destination ip subnet 233.3.0.0/16
    host1(config-dest-profile)#tunnel mdt profile pe1DataMdtMdt
    host1(config-dest-profile)#profile pe13DataMdtMti
    host1(config-dest-profile)#exit
The router uses this destination profile to verify whether it can create a dynamic tunnel, and to supply additional configuration parameters when it creates a tunnel. For more information about creating dynamic IP tunnels, see Configuring Dynamic IP Tunnels in the JunosE IP Services Configuration Guide.
- Configure the group address pools in the route map.
    host1(config)#virtual-router pe1
    host1:pe1(config)#ip pim group-address-pool pe13DataMdtGroups 233.3.1.0 233.3.1.255
If the data MDTs are established using ASM, you must divide the range of available MDT P-Group addresses among the PEs that source VPN multicasts. All VRFs in a PE draw from a single address pool that contains the range of group addresses assigned to that PE.
If the data MDTs are established using SSM, you can configure VRFs to transmit on a tunnel using the same MDT P-Group address. Each VRF transmits using a unique P-Source address; however, each data MDT created by the VRF must use a different P-Group address. There might be one sender data MDT and possibly many receiver data MDTs sharing an IP tunnel.
For SSM, each PE can assign MDT P-Groups from the same range, but the P-Group addresses must be administratively divided among the VPNs as mentioned in the following example:
    host1(config)#virtual-router pe1
    host1:pe1(config)#ip pim group-address-pool pe11DataMdtSSMGroups 233.3.1.0 233.3.1.255
    host1:pe1(config)#ip pim group-address-pool pe12DataMdtSSMGroups 233.3.2.0 233.3.2.255
    host1:pe1(config)#ip pim group-address-pool pe13DataMdtSSMGroups 233.3.3.0 233.3.3.255
- Configure the access list to match <S,G> and <*,G> entries.
    host1:pe1(config)#virtual-router pe1:pe13
    host1:pe1:pe13(config)#access-list pe13DataMdtSend permit ip host 10.13.0.100 225.1.1.0 0.0.0.255
    host1:pe1:pe13(config)#access-list pe13DataMdt permit ip any 225.1.0.0 0.0.255.255
- Specify a route map to configure the set of <S, G> for which data MDTs can be created, and the threshold to be applied for each SG.
    host1:pe1:pe13(config)#route-map pe13MdtThresholds permit 10
    host1:pe1:pe13(config-route-map)#match ip address pe13DataMdtSend
    host1:pe1:pe13(config-route-map)#set threshold 0
    host1:pe1:pe13(config-route-map)#route-map pe13MdtThresholds permit 20
    host1:pe1:pe13(config-route-map)#match ip address pe13DataMdt
    host1:pe1:pe13(config-route-map)#exit
- Configure the data MDT.
    host1:pe1:pe13(config)#ip pim data-mdt
    host1:pe1:pe13(config-ip-pim-data-mdt)#tunnel source 1.1.1.1
    host1:pe1:pe13(config-ip-pim-data-mdt)#tunnel group-address-pool pe13DataMdtG$
    host1:pe1:pe13(config-ip-pim-data-mdt)#route-map pe13MdtThresholds
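The ASM and SSM P-Group rules, stated under Establishing a Data MDT Using ASM or SSM and again in the pool step above, can be checked across PEs before pools are committed. This is an added example, not part of JunosE: Pool, audit_pools, the pe2 pools and the VPN labels are hypothetical, and it assumes that pool addresses should fall inside the destination profile's tunnel subnet.

```python
import ipaddress
from itertools import combinations
from typing import NamedTuple

class Pool(NamedTuple):
    pe: str       # PE that defines the pool (ip pim group-address-pool)
    vpn: str      # VPN whose VRF references it (tunnel group-address-pool)
    name: str
    first: str
    last: str

def span(pool):
    """Return the pool's address range as a pair of integers."""
    lo, hi = (int(ipaddress.IPv4Address(a)) for a in (pool.first, pool.last))
    if lo > hi:
        raise ValueError(f"{pool.name}: first address is above last address")
    return lo, hi

def audit_pools(pools, mode, tunnel_subnet):
    """mode is "asm" or "ssm"; tunnel_subnet is the destination profile's subnet."""
    if mode not in ("asm", "ssm"):
        raise ValueError("mode must be 'asm' or 'ssm'")
    net = ipaddress.ip_network(tunnel_subnet)
    findings = []
    for p in pools:
        # Assumption: a P-Group outside the profile's subnet cannot get a dynamic tunnel.
        if not all(ipaddress.IPv4Address(a) in net for a in span(p)):
            findings.append(("outside-subnet", f"{p.pe}/{p.name}"))
    for a, b in combinations(pools, 2):
        (alo, ahi), (blo, bhi) = span(a), span(b)
        if alo > bhi or blo > ahi:
            continue                                  # disjoint ranges
        # ASM: a P-Group must be unique to one PE; VRFs on that PE share its range.
        # SSM: PEs may reuse a range, but it must belong to a single VPN.
        clash = a.pe != b.pe if mode == "asm" else a.vpn != b.vpn
        if clash:
            findings.append(("overlap", f"{a.pe}/{a.name}", f"{b.pe}/{b.name}"))
    return findings

# pe1 pools are the ones from the SSM example above; pe2 pools and VPN labels are constructed.
POOLS = [
    Pool("pe1", "vpn1", "pe11DataMdtSSMGroups", "233.3.1.0", "233.3.1.255"),
    Pool("pe1", "vpn2", "pe12DataMdtSSMGroups", "233.3.2.0", "233.3.2.255"),
    Pool("pe1", "vpn3", "pe13DataMdtSSMGroups", "233.3.3.0", "233.3.3.255"),
    Pool("pe2", "vpn1", "pe21Pool", "233.3.1.0", "233.3.1.255"),    # same VPN, same range
    Pool("pe2", "vpn2", "pe22Pool", "233.3.2.128", "233.3.3.127"),  # spills into vpn3's range
    Pool("pe2", "vpn3", "pe23Pool", "233.4.0.0", "233.4.0.255"),    # outside 233.3.0.0/16
]

if __name__ == "__main__":
    for mode in ("ssm", "asm"):
        print(mode, audit_pools(POOLS, mode, "233.3.0.0/16"))
```

The same pool set passes more checks under SSM than under ASM, because ASM requires each PE's range to be disjoint from every other PE's.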
ip pim data-mdt
- Use to activate data MDTs and enter IP PIM Data MDT Configuration mode.
- Example
    host1(config)#ip pim data-mdt
- Use the no version to deactivate data MDTs.
- See ip pim data-mdt.
ip pim group-address-pool
- Use to configure PIM group address pools from which data MDT group addresses are allocated.
- Example
    host1(config)#ip pim group-address-pool pe21DataMDT 232.1.0.0 232.2.255.255
- There is no no version.
- See ip pim group-address-pool.
mdt-data-delay
- Use to configure a delay before switching to data MDT.
- The delay is measured in units of 0.1 seconds; the default is 30.
- Example
    host1(ip-pim-data-mdt-config)#mdt-data-delay 20
- Use the no version to return to the default.
- See mdt-data-delay.
mdt-data-holddown
- Use to configure the time in seconds before switching to the default MDT group from the data MDT group.
- The default is 60.
- Example
    host1(ip-pim-data-mdt-config)#mdt-data-holddown 200
- Use the no version to return to the default.
- See mdt-data-holddown.
mdt-data-timeout
- Use to configure the time in seconds before the flow leaves the data MDT group.
- The default is 180.
- Example
    host1(ip-pim-data-mdt-config)#mdt-data-timeout 160
- Use the no version to return to the default.
- See mdt-data-timeout.
mdt-interval
- Use to configure the time in seconds between successive MDT Join TLV messages.
- The default is 60.
- Example
    host1(ip-pim-data-mdt-config)#mdt-interval 80
- Use the no version to return to the default.
- See mdt-interval.
set threshold
- Use to configure a threshold value for multicast VPN applications, including default MDT and data MDT.
- Example
    host1(config)#set threshold 30
- Use the no version to remove the threshold.
- See set threshold.
tunnel group-address-pool
- Use to configure a group address pool for a data MDT tunnel.
- Example
    host1(ip-pim-data-mdt-config)#tunnel group-address-pool dataMDT1
- Use the no version to delete the group address pool.
- See tunnel group-address-pool.