Multicast

Uberseehandel
Kind of a big deal

I use my home network as a lab for network issues.
I am based in the UK. I do a lot of media work. Consequently, I have a BT Sport subscription with the 4K Ultra HD option.
Whilst I can handle unicast 4K TV without issues, BT TV uses multicast for the premium sports channels, which the MX does not pass correctly.
I have tested exhaustively. The diagram shows the different configurations. I'd post the diagram, but this system doesn't want to let me.
I am told by a support engineer that the MX does not handle this kind of multicast (duh). So far Meraki and Juniper (SRX300) have failed miserably.
I have a number of options, including:

  • Talking to Meraki Systems Engineer Dimitrie Sandu. Before he joined Meraki, Dimitrie was Lead Infrastructure Solution Designer (TV Connect), and I quote from his LinkedIn page: "The speedy delivery of the Dynamic Multicast design, which changes the default 'broadcast' network behaviour into an 'on-demand' one, as related to which TV channels are sent downstream, enabling a major cost saving in the access space;" So he ought to understand what needs to be done.
  • Buying a router that is known to pass BT TV multicast correctly and connecting the BT playout device directly to it and uplinking the MX to the third party router, rather than directly to Vigor 130 modem configured to pass through BT multicast correctly. Which leaves me with double NAT issues.
  • Looking for another security device.

I'd really like to be able to connect directly to Dimitrie.
All assistance greatly welcome

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
Uberseehandel
Kind of a big deal

rtpfailure.png

It appears that Chrome was having a wobble - Firefox let me upload the file.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
Uberseehandel
Kind of a big deal

SSMSolution.jpg

As the MX devices are currently configured, they do not handle Source Specific Multicast correctly, and there is no solution, as far as Meraki is concerned.

However, the MS220-8P does pass SSM correctly with IGMP v3 enabled.

So, my solution, as per the diagram above, is

  • Put an additional MS220-8P between the modem and the MX64
  • Connect the Playout Centre directly to the new switch
  • Connect the uplink from the existing MX to the new switch
  • Connect the uplink from the new switch to the modem.

Can anybody see why this shouldn't function correctly?

The Playout Centre does not need to be connected to the local LAN. It is categorised as a security risk, anyway. Its only connection to local networked devices is via HDMI.

The only problem at the moment looks like being the best way to pass PPPoE credentials (currently handled by the MX) through to the ISP network.

Suggestions?

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
Uberseehandel
Kind of a big deal

The addition of a MS ahead of the MX appears not to be viable in my situation as the ISP hasn't fully implemented IPv6 so the block of IP addresses is not usable. Plus Meraki has NOT fully implemented IPv6. So I shall put a third party router between the modem and the MX. At the moment, the most likely candidate is the Draytek 2862, although there are other (less expensive) devices under consideration.
If routers cheap enough to be given away by ISPs can handle SSM multicast, why can't the leading US network equipment manufacturers handle it? I've been through 3 Bay Area manufacturers this year and it has been a complete washout.
Being forced to put a third party router ahead of the MX makes a nonsense of the reporting and gives me no insight into what is going on in all parts of the network. It isn't a good solution.
Why does nobody want source specific multicast capability? It has been a standard for long enough, RFC4607 has been around since 2006. Cisco allegedly handles it, although the Gin Factory also claims to handle SSM but doesn't and has no intention of handling it on SRX devices. This is an industry fail.
Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
ccnewmeraki
Getting noticed

Have you tried the MX in passthrough mode rather than NAT mode? (I.e BT Router > Meraki MX > Switch)

The Meraki support page for IPv6 states: https://documentation.meraki.com/zGeneral_Administration/Other_Topics/IPv6_Device_Compatibility
"Cisco Meraki security appliances can pass IPv6 traffic in pass-through mode"

Uberseehandel
Kind of a big deal


@ccnewmeraki wrote:

Have you tried the MX in passthrough mode rather than NAT mode? (I.e BT Router > Meraki MX > Switch)

The Meraki support page for IPv6 states: https://documentation.meraki.com/zGeneral_Administration/Other_Topics/IPv6_Device_Compatibility
"Cisco Meraki security appliances can pass IPv6 traffic in pass-through mode"


Hi

The problem is that Source Specific Multicast, as used by content providers (aka Broadcasters), is not correctly handled by the MX. It isn't an IPv6/IPv4 problem: BT is running its Sports channels (including 4K) on IPv4. I don't know if they have added IPv6 support to the subscription channels, although Meraki's Dimitrie Sandu should know the answer to that.

In any event Teredo tunnelling is being used, at least in my part of the network.

I considered trying the IPv6 approach, but some of the MX Advanced Security features are lost.

So I have ordered a Draytek 2862-K router which does handle BT SSM correctly. If the trial goes well, I'll consider switching to the 2862 with LTE failover built-in. The router has other capabilities, including running RADIUS and NAT flexibility, which could simplify small deployments. I shall run a cable from the router to the switch and out to the STB on its own VLAN. The switch handles SSM fine. All other traffic will go from switch to MX to 2862, at least that is the plan . . .

Thanks for your interest, it's good to know I'm not shouting in a vacuum.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
ccnewmeraki
Getting noticed

Well, SSM is just a term for IGMPv3 over IPv4, or MLDv2 over IPv6. With IGMPv3 the router and end OS all have to take part in the multicast group, so it's router and OS dependent.

ASM (the older, more usual form of multicast) uses IGMPv2 or MLDv1.

It sounds like the problem is that IGMPv3 isn't implemented on some of the non-ISP provided routers you have tried. I can't find any info claiming that the MX range does implement this, so it's likely this is the case.
https://documentation.meraki.com/zGeneral_Administration/Other_Topics/Multicast_support#IGMP_Support...
"MX Security Appliances will forward IGMP traffic for a single broadcast domain. It does not forward multicast traffic upstream, between VLANs, or over a VPN."

This sounds to me to be talking about the older ASM IGMP versions, not IGMPv3 / SSM.

I'd still suggest trying the ISP-provided router (which will implement IGMPv3 for your network) for the NAT, and use the MX in bridge-mode (which as long as it doesn't have a firewall rule in place shouldn't block the traffic). You don't lose any MX advanced security features in passthrough-mode, it will still provide client tracking, AMP, IDS, AV, and firewall capability to your devices.
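
The distinction drawn in the post above, IGMPv3 reports that carry a source list versus IGMPv2 reports that carry only a group, can be checked in packet captures taken on each side of a device to see which kind of join the set-top box sends and whether it is forwarded. The Python below is an added example, not part of the thread and not Meraki or BT code; the sample payloads are constructed, and checksums are not verified.

```python
import ipaddress
import struct

SSM_RANGE = ipaddress.ip_network("232.0.0.0/8")  # IPv4 SSM block (RFC 4607)
RECORD_TYPES = {1: "MODE_IS_INCLUDE", 2: "MODE_IS_EXCLUDE",
                3: "CHANGE_TO_INCLUDE", 4: "CHANGE_TO_EXCLUDE",
                5: "ALLOW_NEW_SOURCES", 6: "BLOCK_OLD_SOURCES"}
SOURCE_JOIN = {"MODE_IS_INCLUDE", "CHANGE_TO_INCLUDE", "ALLOW_NEW_SOURCES"}

def parse_igmp(payload: bytes) -> list:
    """Decode an IGMP membership report (the IP payload) into join records."""
    if len(payload) < 8:
        raise ValueError("IGMP message shorter than 8 bytes")
    if payload[0] == 0x16:  # IGMPv2 report: group only, no source list
        group = ipaddress.ip_address(payload[4:8])
        return [{"version": 2, "record": "V2_REPORT", "group": str(group),
                 "sources": [], "ssm_range": group in SSM_RANGE}]
    if payload[0] != 0x22:  # not an IGMPv3 membership report
        return []
    (count,) = struct.unpack("!H", payload[6:8])
    records, off = [], 8
    for _ in range(count):
        if off + 8 > len(payload):
            raise ValueError("truncated group record header")
        rtype, aux_words, nsrc = struct.unpack("!BBH", payload[off:off + 4])
        group = ipaddress.ip_address(payload[off + 4:off + 8])
        src_end = off + 8 + 4 * nsrc
        if src_end + 4 * aux_words > len(payload):
            raise ValueError("truncated source list")
        sources = [str(ipaddress.ip_address(payload[i:i + 4]))
                   for i in range(off + 8, src_end, 4)]
        records.append({"version": 3, "group": str(group), "sources": sources,
                        "record": RECORD_TYPES.get(rtype, f"UNKNOWN_{rtype}"),
                        "ssm_range": group in SSM_RANGE})
        off = src_end + 4 * aux_words  # skip auxiliary data, if any
    return records

def is_source_specific_join(rec: dict) -> bool:
    """True for an IGMPv3 (S,G) join: include-type record with sources."""
    return (rec["version"] == 3 and bool(rec["sources"])
            and rec["record"] in SOURCE_JOIN)

# Constructed sample payloads (checksum bytes zeroed; not validated here).
V3_REPORT = bytes([0x22, 0, 0, 0, 0, 0, 0, 1,     # type, rsvd, cksum, 1 record
                   5, 0, 0, 1, 232, 1, 1, 1,      # ALLOW_NEW_SOURCES, 1 source
                   192, 0, 2, 10])                # source address
V2_REPORT = bytes([0x16, 0, 0, 0, 239, 1, 1, 1])  # IGMPv2 join, group only

if __name__ == "__main__":
    for name, pkt in (("v3", V3_REPORT), ("v2", V2_REPORT)):
        for rec in parse_igmp(pkt):
            print(name, rec, "source-specific:", is_source_specific_join(rec))
```
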

Uberseehandel
Kind of a big deal


@ccnewmeraki wrote:

Well, SSM is just a term for IGMPv3 over IPv4, or MLDv2 over IPv6. With IGMPv3 the router and end OS all have to take part in the multicast group, so it's router and OS dependent.

ASM (the older, more usual form of multicast) uses IGMPv2 or MLDv1.

It sounds like the problem is that IGMPv3 isn't implemented on some of the non-ISP provided routers you have tried. I can't find any info claiming that the MX range does implement this, so it's likely this is the case.
https://documentation.meraki.com/zGeneral_Administration/Other_Topics/Multicast_support#IGMP_Support...
"MX Security Appliances will forward IGMP traffic for a single broadcast domain. It does not forward multicast traffic upstream, between VLANs, or over a VPN."

This sounds to me to be talking about the older ASM IGMP versions, not IGMPv3 / SSM.

I'd still suggest trying the ISP-provided router (which will implement IGMPv3 for your network) for the NAT, and use the MX in bridge-mode (which as long as it doesn't have a firewall rule in place shouldn't block the traffic). You don't lose any MX advanced security features in passthrough-mode, it will still provide client tracking, AMP, IDS, AV, and firewall capability to your devices.


Hi

There is more to it than you are suggesting.

Meraki claims to be able to support multicast, including SSM, on the MX. But when I lodged a support case they came back stating that it is not supported as the TV broadcasters are using it - which is a specific IEEE standard, that many US suppliers do not implement, for whatever reason.

I only use modems that are certified BT compliant. The MS is IGMPv3 compliant, the MX is not, in this context.

To quote Meraki -

"Cisco Meraki security appliances can pass IPv6 traffic in pass-through mode, but no traffic analysis or manipulation is possible when using IPv6."

The irony is that Meraki employs as an engineer the person who developed how this form of SSM was to operate whilst previously employed by BT. So they know how to do it, but when they get round to it, who knows. Korean, Japanese and Taiwanese manufacturers know how to make this work, but then they have very advanced networks, beyond steam punk.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
PhilipDAth
Kind of a big deal

I see in the latest Meraki update it talks about multicast support now being available in Beta for AutoVPN, and you would have to presume as a result that simple multicast routing was also available now.

Jump to 34 minutes into the video stream.

https://www.youtube.com/watch?v=BH3b49_cDEk&feature=push-u&attr_tag=yCuoZ-8LS7CdEwGU-6

Uberseehandel
Kind of a big deal


@PhilipDAth wrote:

I see in the latest Meraki update it talks about multicast support now being available in Beta for AutoVPN, and you would have to presume as a result that simple multicast routing was also available now.

Jump to 34 minutes into the video stream.

https://www.youtube.com/watch?v=BH3b49_cDEk&feature=push-u&attr_tag=yCuoZ-8LS7CdEwGU-6


Philip

Thanks for pointing that out - I was expecting it about now, so good to know it is available. I'll watch it in the morning.

After quite a lot of checking, it seems that what is required on a security device is the setting up of what is called an IGMP proxy; this is all that that firm of budget network kit from San Jose had to do.

So I'll check the beta. I know several of the biggest European telcos sell managed network services and use Meraki kit up to a point. There are two requirements needed to make them push a full managed portfolio in a big way:

  • multicast TV
  • VoIP telephone systems

They all sell triple and quad plays and need their preferred TV delivery systems and I truly feel that the VoIP phone roll out in Europe is just down to a frequently encountered misunderstanding of how phone systems operate outside North America.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
PhilipDAth
Kind of a big deal

LinkedIn allows you to try "premium" for a month for free.

Try this, then try sending Dimitrie Sandu a message via LinkedIn ...

Alas I see he is now a pre-sales engineer for the MC product line.

Uberseehandel
Kind of a big deal


@PhilipDAth wrote:

. . .

Alas I see he is now a pre-sales engineer for the MC product line.


Which coincidentally is the other topic on the immediate beef-list. However, that is the topic upon which I am expecting, imminently, an announcement.

I suspect that the biggest stumbling block is that how the fixed/mobile world functions outside North America remains a mystery to Californians.

Let's see - there is a pre-sales engineer in Europe where the MC line is not available, and last month it was announced that MC now supports German, French, Italian and Spanish.

Thanks for the suggestion of "trying" LinkedIn Professional.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel