Multicast over VPN - Options?

Associate
Joined
14 Apr 2008
Posts
1,230
Location
Manchester
Posted in here since this is an enterprise problem...

Anyway, the problem - our application makes heavy use of multicast for various different data streams, and we want to be able to pour this down a VPN to get it across the internet.

It would appear the default Cisco solution is to use GRE tunnels, but GRE isn't supported on the ASAs, and in my mind those make better edge devices than the routers (due to good NAT/firewalling).

A one box solution is the ideal, for NAT, firewall and VPN.

I'd rather stick with Cisco as it's the one I know the most, and since it's just a part of our system there's no real value to us in supporting multiple vendors (if we supply the link we can just choose the same one every time; if someone else supplies it, it just meets our spec and they look after it).

Suggestions?

I was wanting a link set up in time for a trade show next week; however, I've only got a Pix 506E and an 871 at my disposal at the moment.

Thanks!
 
Man of Honour
Joined
30 Jun 2005
Posts
9,515
Location
London Town!
If you're bent on sticking with Cisco there is no solution which meets all your wants: either go back to routers for the CPE as they have the necessary feature set, use a two box solution, or reconsider your use of multicast (given these appear to be going to customer sites, unless they have large numbers of hosts each using the same data stream, what are you gaining from multicast?)

Cisco's multicast implementation sucks, you've just been bitten by that. It seems destined to always suck as there is no move towards widespread adoption as we can just use ever larger connections and CDNs as a lazy workaround. Maybe once everybody's finished worrying about IPv6 we'll get round to thinking about implementing multicast...

...and maybe then Cisco will write an implementation which works. Not that it didn't take them forever to turn tag switching into a sane MPLS implementation of course...rant...
 
Associate
OP
Joined
14 Apr 2008
Posts
1,230
Location
Manchester
Well, I'm not completely stuck on Cisco, so feel free to suggest your favourite Juniper product :p

I'd just rather avoid it, as it's yet another learning curve to climb (both the product range and configuration/use) when I don't really have any time to dedicate to it anyway.

We're shunting on the order of 10 megabits of multicast data quite often, so even with a handful of client hosts it's a big bandwidth saving, especially when the remote end is typically hostile (in relation to connectivity); it's not uncommon to only have ADSL MAX available.
 
Man of Honour
Joined
30 Jun 2005
Posts
9,515
Location
London Town!
Well, to my knowledge any Juniper device running relatively recent ScreenOS or JUNOS will do the job; I've actually seen it done on a pair of SSG5s in the lab, but it's supported on everything pretty much. There's a tech demo here:

http://kb.juniper.net/kb/documents/public/kbdocs/ns10694/ns10694.pdf

which shows how it fits together...

Given the selection of bugs which are still falling out of the SRX series VPN architecture every time it's given a shake there's an argument for sticking with the SSGs, for high bandwidth you could look at the J series...
 
Associate
OP
Joined
14 Apr 2008
Posts
1,230
Location
Manchester
Well, I've just taken a look at the SSGs: while the SSG5 is more expensive than the Cisco 871s we were getting as a base access device, it does offer more features, and the SSG140 was less than the cost of the ASA 5510 I was looking at.

So they look reasonably priced and well featured; looks like I'll be buying some more books then...

I'll probably speak to sales for specific product advice. I'm more or less sold; if it does everything in one box I can't see it being an issue.

I've just yet to come across Juniper in the field, our bigger clients have used only Cisco or Sonicwall for VPN access, but where we supply the link, it'll cover both ends, either between two client sites or between them and our office.
 
Associate
Joined
28 May 2003
Posts
1,847
Juniper's VPN implementation in ScreenOS is pretty much rock solid, set it and forget it, or at least it has been every time I've set it up. Just download the Concepts and Examples guide for the version of ScreenOS you want to run (most likely the latest maintenance release of 6.2 I expect, seems to be what JTAC recommend at the moment) and there is tons of information there on how to set everything up. The KnowledgeBase is also a very good resource on set-up guides, etc. Any question, just holler! :)
 
Soldato
Joined
17 Oct 2002
Posts
3,941
Location
West Midlands
If it's just a single GRE/IPsec tunnel you should get away with using the 871 sat behind the ASA: just create a static NAT entry on the FW and present a public address to the 871.

My only concern is that the 871 can only handle 12.8Mbps sustained performance (CEF switched). If performance is a worry I would recommend upgrading it to a 1941 ISR.
 
Associate
OP
Joined
14 Apr 2008
Posts
1,230
Location
Manchester
That would be a bit of a problem as I'd have been using the ASA at one end and the 871 at the other. I think I'll be looking at the Juniper kit for full-on data transfer links and maybe stick with the basic Cisco stuff for remote admin/monitoring as it's what I know.

We're exhibiting at a trade show at the moment using a Pix in the office with an 871 at the show, demoing our system running live, and it's working rather well.

As for the 12.8Mbps sustained performance, presumably you mean for encryption throughput?

I've heard stories about people having poor PAT performance, but I tested it in the office and I had the same throughput on the Pix as I did on the 871 and the Draytek 2820: ~16Mbps, which is our downlink line rate.
 
Soldato
Joined
17 Oct 2002
Posts
3,941
Location
West Midlands
I also use the portable product sheets for referencing performance statistics:

http://www.cisco.com/web/partners/tools/quickreference/index.html

http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf

The reports from Miercom can also prove useful, although biased towards the vendor who has commissioned the test:

http://www.miercom.com/?url=reports/

As for PAT performance, I've never had a problem on either the ASA, PIX or ISR product families; I think it generally comes down to personal preference and ease of use.
 

TrX

Associate
Joined
25 Jan 2008
Posts
405
Location
Manchester
It sounds like the only real problem you are having is handling the GRE endpoints for your multicast traffic at the central site as the ASA does not support this.

As you said, you know Cisco much better from a management point of view, so it may be worth looking at a larger ISR router as your main site's GRE aggregation (and either let it take over the ASA's functions with ZBFW or just pass GRE through to the ISR and leave the ASA in place for all other existing functions).

Just my perspective, not that I'm against Juniper; in fact I'm looking at the SRX line myself at the moment. It just may be an alternative to learning JunOS if the project is time-constrained or you already have a decent amount of IOS knowledge floating round your office.

//TrX
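The two-box arrangement described in the thread (the 871 sat behind the ASA with a static NAT entry presenting a public address to it, and the later suggestion of leaving the ASA in place purely as the firewall while an IOS router holds the GRE endpoints) is sketched below as a pair of configuration fragments. This is an added example, not configuration from any poster in the thread or from Cisco's documentation; every address, interface name, the pre-shared key placeholder, the IOS 12.4 and pre-8.3 ASA syntax, the transform set and the choice of rendezvous point are assumptions. The ASA side is written from the firewall's point of view: the NATted 871 is reachable only from the one known remote peer and only for IKE, NAT-T and ESP, because the GRE tunnel travels inside ESP and so bare GRE (protocol 47) never needs to be allowed in from the internet.

```cisco
! --- Central site ASA 5510 (assumed; pre-8.3 NAT syntax) ---
! The 871 sits on the inside at 192.168.1.2 and is presented to the
! internet as 203.0.113.10. Only the known remote peer (198.51.100.5)
! may reach it, and only with IKE, NAT-T and ESP; the GRE tunnel is
! carried inside ESP, so plain GRE (protocol 47) is never permitted.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.248
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
static (inside,outside) 203.0.113.10 192.168.1.2 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit udp host 198.51.100.5 host 203.0.113.10 eq isakmp
access-list OUTSIDE_IN extended permit udp host 198.51.100.5 host 203.0.113.10 eq 4500
access-list OUTSIDE_IN extended permit esp host 198.51.100.5 host 203.0.113.10
access-group OUTSIDE_IN in interface outside

! --- Central site 871 (IOS 12.4, assumed), behind the ASA ---
ip multicast-routing
!
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
! Replace the placeholder with a long random key; the peer address is
! the remote router's public address.
crypto isakmp key PRE-SHARED-KEY-PLACEHOLDER address 198.51.100.5
!
! Tunnel mode (the default) rather than transport mode, because a NAT
! sits between this router and its peer; NAT-T carries ESP in UDP 4500.
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
crypto ipsec profile GRE-PROT
 set transform-set TS-AES
!
! The GRE tunnel is the multicast-capable link; PIM runs over it.
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 ip pim sparse-mode
 tunnel source FastEthernet4
 tunnel destination 198.51.100.5
 tunnel protection ipsec profile GRE-PROT
!
interface FastEthernet4
 description WAN towards the ASA inside interface
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan1
 description LAN holding the multicast sources
 ip address 10.10.0.1 255.255.255.0
 ip pim sparse-mode
!
! This router is the rendezvous point for the single PIM domain.
ip pim rp-address 10.10.0.1
ip route 0.0.0.0 0.0.0.0 192.168.1.1
! Remote LAN is reached via the tunnel; the RPF check for multicast
! arriving from the remote side uses this unicast route.
ip route 10.20.0.0 255.255.255.0 Tunnel0

! --- Remote site 871 (public address directly on FastEthernet4) ---
! Mirror of the central side; the tunnel destination and the key are
! bound to the NATted public address of the central 871.
ip multicast-routing
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key PRE-SHARED-KEY-PLACEHOLDER address 203.0.113.10
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
crypto ipsec profile GRE-PROT
 set transform-set TS-AES
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 ip pim sparse-mode
 tunnel source FastEthernet4
 tunnel destination 203.0.113.10
 tunnel protection ipsec profile GRE-PROT
interface FastEthernet4
 ip address 198.51.100.5 255.255.255.248
interface Vlan1
 ip address 10.20.0.1 255.255.255.0
 ip pim sparse-mode
ip pim rp-address 10.10.0.1
ip route 0.0.0.0 0.0.0.0 198.51.100.1
ip route 10.10.0.0 255.255.255.0 Tunnel0
```

To confirm the pieces are doing what they should, `show crypto isakmp sa` and `show crypto ipsec sa` on either router show the IKE and IPsec SAs (the central router's SA should show UDP encapsulation once NAT-T has been negotiated), `show ip pim neighbor` should list the far end of Tunnel0, and `show ip mroute` shows the (*,G) and (S,G) state once a receiver joins. On the ASA, `show xlate` shows the static translation and `show conn` the UDP 500/4500 and ESP connections from the single permitted peer; any other source attempting to reach 203.0.113.10 should appear only as a deny in the ASA log.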
 