
Example for Configuring Multicast NAT

When a NAT device divides an intranet and the Internet into two independent multicast domains, you can configure multicast NAT so that intranet receivers can request resources on the Internet.

Networking Requirements

As shown in Figure 1, the FW divides the network into two multicast domains. The receiver is on the intranet and the multicast source is on the Internet. NAT is configured on the FW.

Multicast NAT is configured on the FW so that the receiver can request Internet resources and the multicast source address is hidden.

Figure 1 Networking diagram of configuring multicast NAT

| Item | Data | Description |
|---|---|---|
| Router_A | Interface: GigabitEthernet 0/0/1; IP address: 10.1.1.1/24 | PIM-SM and IGMP are enabled on the interface. |
| Router_A | Interface: GigabitEthernet 0/0/2; IP address: 10.1.2.1/24 | PIM-SM is enabled on the interface. |
| FW | Interface: GigabitEthernet 0/0/1; IP address: 10.1.2.2/24 | PIM-SM is enabled on the interface. |
| FW | Interface: GigabitEthernet 0/0/2; IP address: 2.1.1.1/24 | PIM-SM is enabled on the interface. The interface serves as the intranet BSR border. The interface serves as the intranet logical RP. |
| FW | Interface: Loopback1; IP address: 1.1.1.1/32 | PIM-SM is enabled on the interface. The interface serves as the intranet RP. |
| Router_B | Interface: GigabitEthernet 0/0/1; IP address: 2.1.1.2/24 | PIM-SM is enabled on the interface. |
| Router_B | Interface: GigabitEthernet 0/0/2; IP address: 2.1.2.2/24 | PIM-SM is enabled on the interface. |
| Router_B | Interface: Loopback2; IP address: 2.2.2.2/32 | PIM-SM is enabled on the interface. The interface serves as an Internet RP. |
| Source | IP address: 2.1.2.1 | Multicast source |

Configuration Roadmap

  1. Configure IP addresses, unicast routing protocols, and NAT to ensure network connectivity.

  2. Enable the multicast function and deploy PIM-SM on the intranet and Internet.

  3. Enable IGMP on the interface connected to user hosts.

  4. Configure MSDP peers so that the intranet RP can obtain information about the multicast source.

  5. Configure multicast NAT so that the intranet receiver can request Internet resources.

Procedure

  1. Configure IP addresses, unicast routing protocols, and NAT to ensure network connectivity.

    If a unicast routing protocol has been deployed and runs properly on the network, skip this step.

    • Configure the FW.

      # Configure an IP address for GigabitEthernet 0/0/1.

      <FW> system-view
      [FW] interface GigabitEthernet 0/0/1
      [FW-GigabitEthernet0/0/1] ip address 10.1.2.2 24
      [FW-GigabitEthernet0/0/1] quit
      

      # Configure an IP address for GigabitEthernet 0/0/2.

      [FW] interface GigabitEthernet 0/0/2
      [FW-GigabitEthernet0/0/2] ip address 2.1.1.1 24
      [FW-GigabitEthernet0/0/2] quit

      # Configure an IP address for Loopback 1.

      [FW] interface LoopBack 1 
      [FW-LoopBack1] ip address 1.1.1.1 32
      [FW-LoopBack1] quit

      # Configure OSPF.

      [FW] router id 1.1.1.1
      [FW] ospf 1
      [FW-ospf-1] area 0
      [FW-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.255
      [FW-ospf-1-area-0.0.0.0] network 2.1.1.0 0.0.0.255
      [FW-ospf-1-area-0.0.0.0] quit
      [FW-ospf-1] quit

      # Configure a NAT address pool and enable port address translation for reuse of public addresses. In addition, set the proportion of private network addresses to public network addresses to 256:1.

       
      [FW] nat address-group addressgroup1
      [FW-address-group-addressgroup1] mode pat
      [FW-address-group-addressgroup1] section 0 1.1.1.10 1.1.1.15
      [FW-address-group-addressgroup1] srcip-car-num 256
      [FW-address-group-addressgroup1] route enable
      [FW-address-group-addressgroup1] quit

      # Configure a source NAT policy so that source IP addresses are translated when devices on a specified intranet network segment access the Internet.

      [FW] nat-policy
      [FW-policy-nat] rule name policy_nat1
      [FW-policy-nat-rule-policy_nat1] source-zone trust
      [FW-policy-nat-rule-policy_nat1] destination-zone untrust
      [FW-policy-nat-rule-policy_nat1] source-address range 10.1.1.0 10.1.2.254 
      [FW-policy-nat-rule-policy_nat1] action source-nat address-group addressgroup1 
      [FW-policy-nat-rule-policy_nat1] quit
      [FW-policy-nat] quit

      # Configure a route on the firewall.

      [FW] ip route-static 0.0.0.0 0.0.0.0 2.1.1.2
      [FW] ip route-static 10.1.1.0 255.255.255.0 10.1.2.1

    • Configure Router_A:

      # Configure an IP address for GigabitEthernet 0/0/1.

      <Router_A> system-view
      [Router_A] interface GigabitEthernet 0/0/1
      [Router_A-GigabitEthernet0/0/1] ip address 10.1.1.1 24
      [Router_A-GigabitEthernet0/0/1] quit

      # Configure an IP address for GigabitEthernet 0/0/2.

      [Router_A] interface GigabitEthernet 0/0/2
      [Router_A-GigabitEthernet0/0/2] ip address 10.1.2.1 24
      [Router_A-GigabitEthernet0/0/2] quit

      # Configure OSPF.

      [Router_A] router id 2.2.2.2
      [Router_A] ospf 1
      [Router_A-ospf-1] area 0
      [Router_A-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
      [Router_A-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.255
      [Router_A-ospf-1-area-0.0.0.0] quit
      [Router_A-ospf-1] quit

    • Configure Router_B:

      # Configure an IP address for GigabitEthernet 0/0/1.

      <Router_B> system-view
      [Router_B] interface GigabitEthernet 0/0/1
      [Router_B-GigabitEthernet0/0/1] ip address 2.1.1.2 24
      [Router_B-GigabitEthernet0/0/1] quit

      # Configure an IP address for GigabitEthernet 0/0/2.

      [Router_B] interface GigabitEthernet 0/0/2
      [Router_B-GigabitEthernet0/0/2] ip address 2.1.2.2 24
      [Router_B-GigabitEthernet0/0/2] quit

      # Configure an IP address for Loopback 2.

      [Router_B] interface LoopBack 2 
      [Router_B-LoopBack2] ip address 2.2.2.2 32
      [Router_B-LoopBack2] quit

      # Configure OSPF.

      [Router_B] router id 3.3.3.3
      [Router_B] ospf 1
      [Router_B-ospf-1] area 0
      [Router_B-ospf-1-area-0.0.0.0] network 2.1.1.0 0.0.0.255
      [Router_B-ospf-1-area-0.0.0.0] network 2.1.2.0 0.0.0.255
      [Router_B-ospf-1-area-0.0.0.0] quit
      [Router_B-ospf-1] quit

  2. Assign interfaces to security zones and configure security policies for proper network communication.

    # Add GigabitEthernet 0/0/1 to the Trust zone.

    [FW] firewall zone trust
    [FW-zone-trust] add interface GigabitEthernet 0/0/1
    [FW-zone-trust] quit
    
    

    # Add GigabitEthernet 0/0/2 to the Untrust zone.

    [FW] firewall zone untrust
    [FW-zone-untrust] add interface GigabitEthernet0/0/2
    [FW-zone-untrust] quit 

    # Configure security policies that permit traffic between the intranet and Internet network segments in both directions.

    [FW] security-policy
    [FW-policy-security] rule name policy1
    [FW-policy-security-rule-policy1] source-zone trust
    [FW-policy-security-rule-policy1] destination-zone untrust
    [FW-policy-security-rule-policy1] source-address 10.1.1.0 24
    [FW-policy-security-rule-policy1] source-address 10.1.2.0 24
    [FW-policy-security-rule-policy1] destination-address 2.1.1.0 24
    [FW-policy-security-rule-policy1] destination-address 2.1.2.0 24
    [FW-policy-security-rule-policy1] action permit
    [FW-policy-security-rule-policy1] quit
    [FW-policy-security] rule name policy2
    [FW-policy-security-rule-policy2] source-zone untrust
    [FW-policy-security-rule-policy2] destination-zone trust
    [FW-policy-security-rule-policy2] source-address 2.1.1.0 24
    [FW-policy-security-rule-policy2] source-address 2.1.2.0 24
    [FW-policy-security-rule-policy2] destination-address 10.1.1.0 24
    [FW-policy-security-rule-policy2] destination-address 10.1.2.0 24
    [FW-policy-security-rule-policy2] action permit
    [FW-policy-security-rule-policy2] quit
    [FW-policy-security] quit

  3. Enable PIM-SM on each interface.

    <FW> system-view
    [FW] multicast routing-enable
    [FW] interface GigabitEthernet 0/0/1
    [FW-GigabitEthernet0/0/1] pim sm
    [FW-GigabitEthernet0/0/1] quit
    [FW] interface GigabitEthernet 0/0/2
    [FW-GigabitEthernet0/0/2] pim sm
    [FW-GigabitEthernet0/0/2] pim bsr-boundary
    [FW-GigabitEthernet0/0/2] quit
    [FW] interface loopback 1
    [FW-LoopBack1] pim sm
    [FW-LoopBack1] quit

    For details on how to enable PIM-SM on Router_A and Router_B, see the corresponding configuration scripts.

  4. Enable IGMP on the interface connecting Router_A to user hosts.

    <Router_A> system-view
    [Router_A] interface GigabitEthernet 0/0/1
    [Router_A-GigabitEthernet0/0/1] igmp enable
    [Router_A-GigabitEthernet0/0/1] quit

  5. Configure MSDP peers so that the intranet RP can obtain information about the multicast source.

    # Configure Loopback1 on the FW as a C-BSR and a C-RP.

    [FW] pim
    [FW-pim] c-bsr loopback 1
    [FW-pim] c-rp loopback 1
    [FW-pim] quit

    # Configure the MSDP peer on the FW.

    [FW] msdp
    [FW-msdp] originating-rp GigabitEthernet 0/0/2
    [FW-msdp] peer 2.1.1.2 connect-interface GigabitEthernet 0/0/2
    [FW-msdp] quit

    # Configure Loopback 2 on Router_B as a C-BSR and a C-RP.

    [Router_B] pim
    [Router_B-pim] c-bsr loopback 2
    [Router_B-pim] c-rp loopback 2
    [Router_B-pim] quit

    # Configure the MSDP peer on Router_B.

    [Router_B] msdp
    [Router_B-msdp] peer 2.1.1.1 connect-interface GigabitEthernet 0/0/1
    [Router_B-msdp] quit

  6. Configure multicast NAT on the FW so that the intranet receiver can request Internet resources.

    [FW] multicast forwarding-table source-nat 1.1.1.1
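The MSDP session in step 5 runs over TCP, so it comes up only when the address of each side's connect-interface is the address the other side names in its peer command. The check below is an added example, not part of the original page: the function names are hypothetical, and the input is constructed fragments in configuration-script syntax that reuse this page's addresses.

```python
import re

# Constructed fragments in configuration-script syntax, using this page's addresses.
FW = """\
interface GigabitEthernet0/0/2
 ip address 2.1.1.1 255.255.255.0
#
msdp
 peer 2.1.1.2 connect-interface GigabitEthernet0/0/2
"""
ROUTER_B = """\
interface GigabitEthernet0/0/1
 ip address 2.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip address 2.1.2.2 255.255.255.0
#
msdp
 peer 2.1.1.1 connect-interface GigabitEthernet0/0/1
"""

def parse(cfg):
    """Return ({interface: address}, [(peer_address, connect_interface)])."""
    addrs, peers, ifname = {}, [], None
    for line in map(str.strip, cfg.splitlines()):
        if m := re.match(r"interface (\S+)$", line):
            ifname = m.group(1)
        elif (m := re.match(r"ip address (\S+) \S+$", line)) and ifname:
            addrs[ifname] = m.group(1)
        elif m := re.match(r"peer (\S+) connect-interface (\S+)$", line):
            peers.append((m.group(1), m.group(2)))
        elif line == "#":
            ifname = None  # a "#" line closes the current interface view
    return addrs, peers

def msdp_mismatches(devices):
    """devices: {name: config}. Report peerings whose TCP endpoints disagree."""
    parsed = {name: parse(cfg) for name, cfg in devices.items()}
    owner = {ip: n for n, (addrs, _) in parsed.items() for ip in addrs.values()}
    problems = []
    for name, (addrs, peers) in parsed.items():
        for peer_ip, ifname in peers:
            remote, src = owner.get(peer_ip), addrs.get(ifname)
            if remote is None:
                problems.append(f"{name}: peer {peer_ip} is not configured on any device")
            elif src not in [p for p, _ in parsed[remote][1]]:
                problems.append(f"{name}: source {src} ({ifname}) is not a peer on {remote}")
    return problems
```

Calling `msdp_mismatches({"FW": FW, "Router_B": ROUTER_B})` returns an empty list; pointing Router_B's connect-interface at GigabitEthernet0/0/2 makes its session source 2.1.2.2, which the FW does not list as a peer.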

Configuration Scripts

  • Configuration script of the FW:

    #
    sysname FW
    #
     multicast routing-enable
    #
     multicast forwarding-table source-nat 1.1.1.1
    #
    interface GigabitEthernet0/0/1
     ip address 10.1.2.2 255.255.255.0
     pim sm
    #
    interface GigabitEthernet0/0/2
     ip address 2.1.1.1 255.255.255.0
     pim bsr-boundary
     pim sm
    #
    interface loopback1
     ip address 1.1.1.1 255.255.255.255
     pim sm
    #
     router id 1.1.1.1
    #
    ospf 1
     area 0.0.0.0
      network 10.1.2.0 0.0.0.255
      network 2.1.1.0 0.0.0.255
    #
    pim
     c-bsr loopback 1
     c-rp loopback 1
    #
    nat address-group addressgroup1
     mode pat
     route enable
     srcip-car-num 256
     section 0 1.1.1.10 1.1.1.15
    #
    firewall zone trust
     set priority 85
     add interface GigabitEthernet0/0/1
    #
    firewall zone untrust
     set priority 5
     add interface GigabitEthernet0/0/2
    #
    security-policy
     rule name policy1
      source-zone trust
      destination-zone untrust
      source-address 10.1.1.0 mask 255.255.255.0
      source-address 10.1.2.0 mask 255.255.255.0
      destination-address 2.1.1.0 mask 255.255.255.0
      destination-address 2.1.2.0 mask 255.255.255.0
      action permit
     rule name policy2
      source-zone untrust
      destination-zone trust
      source-address 2.1.1.0 mask 255.255.255.0
      source-address 2.1.2.0 mask 255.255.255.0
      destination-address 10.1.1.0 mask 255.255.255.0
      destination-address 10.1.2.0 mask 255.255.255.0
      action permit
    #
    nat-policy
     rule name policy_nat1
      source-zone trust
      destination-zone untrust
      source-address range 10.1.1.0 10.1.2.254
      action source-nat address-group addressgroup1
    #
    msdp
     originating-rp GigabitEthernet0/0/2
     peer 2.1.1.2 connect-interface GigabitEthernet0/0/2
    #
     ip route-static 0.0.0.0 0.0.0.0 2.1.1.2
     ip route-static 10.1.1.0 255.255.255.0 10.1.2.1
    #
    return

  • Configuration script of Router_A:

    #
    sysname Router_A
    #
     multicast routing-enable
    #
    interface GigabitEthernet0/0/1
     ip address 10.1.1.1 255.255.255.0
     igmp enable
     pim sm
    #
    interface GigabitEthernet0/0/2
     ip address 10.1.2.1 255.255.255.0
     pim sm
    #
     router id 2.2.2.2
    #
    ospf 1
     area 0.0.0.0
      network 10.1.1.0 0.0.0.255
      network 10.1.2.0 0.0.0.255
    #
     ip route-static 0.0.0.0 0.0.0.0 10.1.2.2
    #
    return

  • Configuration script of Router_B:

    #
    sysname Router_B
    #
     multicast routing-enable
    #
    interface GigabitEthernet0/0/1
     ip address 2.1.1.2 255.255.255.0
     pim sm
    #
     router id 3.3.3.3
    #
    ospf 1
     area 0.0.0.0
      network 2.1.1.0 0.0.0.255
      network 2.1.2.0 0.0.0.255
    #
    interface GigabitEthernet0/0/2
     ip address 2.1.2.2 255.255.255.0
     pim bsr-boundary
     pim sm
    #
    interface loopback2
     ip address 2.2.2.2 255.255.255.255
     pim sm
    #
    pim
     c-bsr loopback 2
     c-rp loopback 2
    #
    msdp
     peer 2.1.1.1 connect-interface GigabitEthernet0/0/1
    #
     ip route-static 0.0.0.0 0.0.0.0 2.1.1.1
    #
    return
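A security-policy section is easy to get wrong in two ways that a review of the script should catch: a permissive default action that makes the rules irrelevant, and rule addresses that do not belong to the zone they are paired with. The audit below is an added example, not part of the original page: the function name and rule names are hypothetical, the zone-to-network mapping is an assumption read from this page's data table, and the policy fragment is constructed.

```python
import ipaddress
import re

# Assumption: each zone's networks, read from this page's data table.
ZONES = {"trust": ["10.1.1.0/24", "10.1.2.0/24"],
         "untrust": ["2.1.1.0/24", "2.1.2.0/24"]}

# Constructed security-policy fragment in configuration-script syntax.
SAMPLE = """\
security-policy
 default action permit
 rule name stale_rule
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.1 mask 255.255.255.255
  destination-address 2.1.1.2 mask 255.255.255.255
  action permit
 rule name swapped_zones
  source-zone untrust
  destination-zone trust
  source-address 10.1.1.0 mask 255.255.255.0
  destination-address 2.1.2.0 mask 255.255.255.0
  action permit
 rule name consistent
  source-zone untrust
  destination-zone trust
  source-address 2.1.2.0 mask 255.255.255.0
  destination-address 10.1.1.0 mask 255.255.255.0
  action permit
"""

def audit(cfg, zones=ZONES):
    """Return findings; assumes one zone per direction in each rule."""
    nets = {z: [ipaddress.ip_network(n) for n in v] for z, v in zones.items()}
    findings, rule, zone = [], None, {}
    for line in map(str.strip, cfg.splitlines()):
        if line == "default action permit":
            findings.append("default action permit: unmatched traffic is allowed")
        elif m := re.match(r"rule name (\S+)$", line):
            rule, zone = m.group(1), {}
        elif m := re.match(r"(source|destination)-zone (\S+)$", line):
            zone[m.group(1)] = m.group(2)
        elif m := re.match(r"(source|destination)-address (\S+) mask (\S+)$", line):
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
            z = zone.get(m.group(1))
            if z and not any(net.subnet_of(k) for k in nets.get(z, [])):
                findings.append(f"{rule}: {m.group(1)}-address {net} is outside zone {z}")
    return findings
```

On the constructed fragment, `audit(SAMPLE)` reports the default action, the address left over in `stale_rule`, and both addresses of `swapped_zones`, and reports nothing for `consistent`.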
Copyright © Huawei Technologies Co., Ltd.