Technical Documentation

Example: Configuring NAT for Multicast Traffic

Figure 1 illustrates the network setup for the following configuration, which allows IP multicast traffic to be sent to the Adaptive Services (AS) or MultiServices PIC.

Figure 1: Configuring NAT for Multicast Traffic

Image g017224.gif

Rendezvous Point Configuration

On the rendezvous point (RP), all incoming traffic from the multicast source at 192.168.254.0/27 is sent to the static NAT pool mcast_pool, where its source is translated to 20.20.20.0/27. The service set nat_ss is a next-hop service set that allows IP multicast traffic to be sent to the AS or MultiServices PIC. The inside interface on the PIC is sp-1/1/0.1 and the outside interface is sp-1/1/0.2.

[edit services]nat {pool mcast_pool {address 20.20.20.0/27;}rule nat_rule_1 {match-direction input;term 1 {from {source-address 192.168.254.0/27;}}then {translated {source-pool mcast_pool;translation-type source static;}syslog;}}}service-set nat_ss {allow-multicast;nat-rules nat_rule_1;next-hop-service {inside-service-interface sp-1/1/0.1;outside-service-interface sp-1/1/0.2;}}

The Gigabit Ethernet interface ge-0/3/0 carries traffic out of the RP to Router 1. The adaptive services interface sp-1/1/0 has two logical interfaces: unit 1 is the inside interface for next-hop services and unit 2 is the outside interface for next-hop services. Multicast source traffic comes in on the Fast Ethernet interface fe-1/2/1, which has the firewall filter fbf applied to incoming traffic.

[edit interfaces]ge-0/3/0 {unit 0 {family inet {address 10.10.1.1/30;}}}sp-1/1/0 {unit 0 {family inet;}unit 1 {family inet;service-domain inside;}unit 2 {family inet;service-domain outside;}}fe-1/2/1 {unit 0 {family inet {filter {input fbf;}address 192.168.254.27/27;}}}

Multicast packets can only be directed to the AS or MultiServices PIC using a next-hop service set. In the case of NAT, you must also configure a VRF. Therefore, the routing instance stage is created as a “dummy” forwarding instance. To direct incoming packets to stage, you configure filter-based forwarding through a firewall filter called fbf, which is applied to the incoming interface fe-1/2/1. A lookup is performed in stage.inet.0, which has a multicast static route that is installed with the next hop pointing to the PIC’s inside interface. All multicast traffic matching this route is sent to the PIC.

[edit firewall]filter fbf {term 1 {then {routing-instance stage;}}}

The routing instance stage forwards IP multicast traffic to the inside interface sp-1/1/0.1 on the AS or MultiServices PIC:

[edit]routing-instances stage {instance-type forwarding;routing-options {static {route 224.0.0.0/4 next-hop sp-1/1/0.1;}}}

You enable OSPF and Protocol Independent Multicast (PIM) on the Fast Ethernet and Gigabit Ethernet logical interfaces over which IP multicast traffic enters and leaves the RP. You also enable PIM on the outside interface (sp-1/1/0.2) of the next-hop service set.

[edit protocols]ospf {area 0.0.0.0 {interface fe-1/2/1.0 {passive;}interface lo0.0;interface ge-0/3/0.0;}}pim {rp {local {address 10.255.14.160;}}interface fe-1/2/1.0;interface lo0.0;interface ge-0/3/0.0;interface sp-1/1/0.2;}

As with any filter-based forwarding configuration, in order for the static route in the forwarding instance stage to have a reachable next hop, you must configure routing table groups so that all interface routes are copied from inet.0 to the routing table in the forwarding instance. You configure routing tables inet.0 and stage.inet.0 as members of fbf_rib_group, so that all interface routes are imported into both tables.

[edit routing-options]interface-routes {rib-group inet fbf_rib_group;}rib-groups fbf_rib_group {import-rib [ inet.0 stage.inet.0 ];}multicast {rpf-check-policy no_rpf;}

Reverse path forwarding (RPF) checking must be disabled for the multicast group on which source NAT is applied. You can disable RPF checking for specific multicast groups by configuring a policy similar to the one in the example that follows. In this case, the no_rpf policy disables RPF check for multicast groups belonging to 224.0.0.0/4.

[edit policy-options]policy-statement no_rpf {term 1 {from {route-filter 224.0.0.0/4 orlonger;}then reject;}}

Router 1 Configuration

The Internet Group Management Protocol (IGMP), OSPF, and PIM configuration on Router 1 is as follows. Because of IGMP static group configuration, traffic is forwarded out fe-3/0/0.0 to the multicast receiver without receiving membership reports from host members.

[edit protocols]igmp {interface fe-3/0/0.0 {}}ospf {area 0.0.0.0 {interface fe-3/0/0.0 {passive;}interface lo0.0;interface ge-7/2/0.0;}pim {rp {static {address 10.255.14.160;}}interface fe-3/0/0.0;interface lo0.0;interface ge-7/2/0.0;}}

The routing option creates a static route to the NAT pool, mcast_pool, on the RP.

[edit routing-options]static {route 20.20.20.0/27 next-hop 10.10.1.1;}

Published: 2010-04-28