Configuring NBM in PIM Passive Mode
This section describes how to configure Non-blocking Multicast (NBM) in PIM Passive mode, which ensures that the bandwidth coming into the fabric is the same as the bandwidth that is going out.
Note: IPFM is not supported on Nexus 3000 Series of switches.
This section contains payload examples and CLIs to demonstrate how to use the NX-API REST API to configure NBM on Cisco Nexus 9000 Series
switches and to show how the REST APIs correspond to the CLI commands. For more information, see the Cisco Nexus 9000 Series NX-OS IP Fabric for Media
Solution Guide, Releases 7.0(3)I4(5), 7.0(3)F2(1), and Later Releases configuration guide:
Configuring a Flow Definition
Ingress Interface
A flow definition can be configured as Ingress Interface. The following are the methods to configure, modify, and remove an RPF Interface:
Configuring RPF Interface
Configuring RPF Interface
url: {{ip}}/api/mo/sys/nbm/conf/flows.json
{
{
"nbmFlows": {
"children": [
{
"nbmConfFlowsDom": {
"attributes": {
"name": "default"
},
"children": [
{
"nbmConfFlow": {
"attributes": {
"group": "226.1.1.1",
"source": "57.1.1.1",
"ingressIf": "eth1/3",
"status": ""
}}}]}}]}}
CLI Commands
The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload.
Modifying RPF Interface
This interface provides the new RPF interface in the ingressIf attribute.
Modifying RPF Interface
url: {{ip}}/api/mo/sys/nbm/conf/flows.json
{
{
"nbmFlows": {
"children": [
{
"nbmConfFlowsDom": {
"attributes": {
"name": "default"
},
"children": [
{
"nbmConfFlow": {
"attributes": {
"group": "226.1.1.1",
"source": "57.1.1.1",
"ingressIf": "eth1/4",
"status": ""
}}}]}}]}}
CLI Commands
The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload.
Attribute Definition
Group: Multicast Group Address
Source: Sender of the flow
ingressIf: Ingress Interface where the Multicast flow is expected to receive, that is the RPF interface
Removal of RPF Interface
Removal of RPF Interface
url: {{ip}}/api/mo/sys/nbm/conf/flows.json
{
{
"nbmFlows": {
"children": [
{
"nbmConfFlowsDom": {
"attributes": {
"name": "default"
},
"children": [
{
"nbmConfFlow": {
"attributes": {
"group": "226.1.1.1",
"source": "57.1.1.1",
"ingressIf": "unspecified",
"status": ""
}}}]}}]}}
CLI Commands
The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload.
Egress Interface
A flow definition can be configured as Egress Interface. The following are the methods to configure, modify, and remove an RPF Interface:
Configuring Egress Interface
Configuring Egress Interface
url: {{ip}}/api/mo/sys/nbm/conf/flows.json
{
{
"nbmFlows": {
"children": [
{
"nbmConfFlowsDom": {
"attributes": {
"name": "default"
},
"children": [
{"nbmConfFlow": {
"children": [
{"nbmConfFlowIf":
{"attributes":
{"id": "eth1/29/1", "isLhr": "YES"
}}}]}}]}}]}}
Attribute Definition
Id: Egress Interface Name where the Multicast flow is expected to egress.
isLhr: YES if its LHR (Last Hop Router) i.e, receiver endpoint is connected.
NO for the fabric interfaces.
Add New Egress Interface
Add New Egress Interface
url: {{ip}}/api/mo/sys/nbm/conf/flows.json
{
{
"nbmFlows": {
"children": [
{
"nbmConfFlowsDom": {
"attributes": {
"name": "default"
},
"children": [
{"nbmConfFlow": {
"children": [
{"nbmConfFlowIf":
{"attributes":
{"id": "eth1/29/4", "isLhr": "YES"
}}}]}}]}}]}}
Removal of Egress Interface
Removal of Egress Interface
url: {{ip}}/api/mo/sys/nbm/conf/flows.json
{
{
"nbmFlows": {
"children": [
{
"nbmConfFlowsDom": {
"attributes": {
"name": "default"
},
"children": [
{"nbmConfFlow": {
"children": [
{"nbmConfFlowIf":
{"attributes":
{"id": "eth1/29/1", "isLhr": "YES", "status":"deleted"
}}}]}}]}}]}}
Policer and Bandwidth
The Policer is generally set only on First Hop Router. If a Policer is applied towards the flow, set to ENABLED. Bandwidth requirement for the flow is KBPS. This value is used if the Policer is used against the flow which also published in the Flow Telemetry Data.
The following are the methods to enable and disable the Policer, modify the bandwidth, and delete the flows:
Policer Enable
Policer Enable
url: {{ip}}/api/mo/sys/nbm/conf/flows.json
{
{
"nbmFlows": {
"children": [
{
"nbmConfFlowsDom": {
"attributes": {
"name": "default"
},
"children": [
{"nbmConfFlow": {
{"attributes":
{"group":"228.1.1.1", "source": "129.1.1.2", "ingressIf": "eth1/3", "bwKbps": 1100, "policer": "ENABLED”, "status": ""
}}}]}}]}}
Attribute Definition
Policer: ENABLED if its FHR i.e sender endpoint is connected else DISABLE.
bwKbps: Rate (kbps) at which the flow should be policed by node.
Policer Disable
Policer Disable
url: {{ip}}/api/mo/sys/nbm/conf/flows.json
{
{
"nbmFlows": {
"children": [
{
"nbmConfFlowsDom": {
"attributes": {
"name": "default"
},
"children": [
{"nbmConfFlow": {
{"attributes":
{"group":"228.1.1.1", "source": "129.1.1.2", "ingressIf": "eth1/3", "bwKbps": 1100, "policer": "DISABLED”, "status": ""},
"children": [{"nbmConfFlowIf": {"attributes": {"id": "eth1/29/1", "isLhr": "YES"
}}}]}}]}}]}}
Modifying Bandwidth
Modifying Bandwidth
url: {{ip}}/api/mo/sys/nbm/conf/flows.json
{
{
"nbmFlows": {
"children": [
{
"nbmConfFlowsDom": {
"attributes": {
"name": "default"
},
"children": [
{"nbmConfFlow": {
{"attributes":
{"group":"228.1.1.1", "source": "129.1.1.2", "ingressIf": "eth1/3", "bwKbps": 1900, "policer": "ENABLED”, "status": ""},
"children": [{"nbmConfFlowIf": {"attributes": {"id": "eth1/29/1", "isLhr": "YES"
}}}]}}]}}]}}
Delete the Flow
Delete the Flow
url: {{ip}}/api/mo/sys/nbm/conf/flows.json
{
{
"nbmFlows": {
"children": [
{
"nbmConfFlowsDom": {
"attributes": {
"name": "default"
},
"children": [
{"nbmConfFlow": {
{"attributes":
{"group":"228.1.1.1", "source": "129.1.1.2", "ingressIf": "eth1/3", "bwKbps": 1100, "policer": "ENABLED”, "status": "deleted"
}}}]}}]}}
Establish RPF and Multiple Egress OIF in single payload
Establish RPF and Multiple Egress OIF in single payload
url: {{ip}}/api/mo/sys/nbm/conf/flows.json
{
{
"nbmFlows": {
"children": [
{
"nbmConfFlowsDom": {
"attributes": {
"name": "default"
},
"children": [
{"nbmConfFlow": {
{"attributes":
{"group":"228.1.1.1", "source": "129.1.1.2", "ingressIf": "eth1/3", "bwKbps": 3200000, "policer": "ENABLED”, "status": ""},
"children": [{"nbmConfFlowIf": {"attributes": {"id": "eth1/29/1", "isLhr": "NO"}}},
"children": [{"nbmConfFlowIf": {"attributes": {"id": "eth1/29/2", "isLhr": "NO"}}},
"children": [{"nbmConfFlowIf": {"attributes": {"id": "eth1/29/3", "isLhr": "NO"}}},
"children": [{"nbmConfFlowIf": {"attributes": {"id": "eth1/29/4", "isLhr": "NO"
}}}]}}]}}]}}
Modify RPF and Add/Delete Egress OIF in single payload
MOdify RPF and Add/Delete Egress OIF in single payload
url: {{ip}}/api/mo/sys/nbm/conf/flows.json
{
{
"nbmFlows": {
"children": [
{
"nbmConfFlowsDom": {
"attributes": {
"name": "default"
},
"children": [
{"nbmConfFlow": {
{"attributes":
{"group":"228.1.1.1", "source": "129.1.1.2", "ingressIf": "eth1/3", "bwKbps": 3200000, "policer": "ENABLED”, "status": ""},
"children": [{"nbmConfFlowIf": {"attributes": {"id": "eth1/29/1", "isLhr": "NO","status":"deleted"}}},
"children": [{"nbmConfFlowIf": {"attributes": {"id": "eth1/30/2", "isLhr": "YES"}}},
"children": [{"nbmConfFlowIf": {"attributes": {"id": "eth1/30/3", "isLhr": "NO"}}},
"children": [{"nbmConfFlowIf": {"attributes": {"id": "eth1/29/4", "isLhr": "NO","status":"deleted"
}}}]}}]}}]}}
Above single API call will change the RPF to eth1/4/1 and delete egress interfaces eth1/29/1, eth1/29/4 as well as add new egress interfaces eth1/30/2, eth1/30/3 for the above flows.
Non-Blocking Multicast Service Reflection
Multicast to Multicast Ingress NAT
The Ingress NAT allows translation of incoming (S,G) into a different source, group or both. All receivers inside the domain then can join the post translated flow. This feature is useful when multicast traffic:
• enters a network from a different domain with potentially overlapping address
• comes with an address that is not understood by applications in the network
The dynamic IGMP join or PIM join on a pre-translated route is not supported for ingress NAT.
Multicast to Multicast Ingress NAT works only in PIM active mode. The PIM passive mode is not supported.
Multicast to Multicast Egress NAT
The Egress NAT allows translating existing flow (S,G) to different source or group address on a per outgoing interface basis. This feature is useful for multicast distribution to external entities which may only accept a certain source or group address. It can also serve as a path to hide internal address space when flows are exposed to external entities.
The dynamic IGMP join or PIM join on a post-translated route is not supported for egress NAT.
Fault MO’s are generated when there is a mismatch in bandwidth for pre-translated and post-translated flows.
In PIM-Passive mode, bandwidth management is done by an external controller for the flows and provisions both pre-translated and post-translated flows. The flow creation is made available through APIs.
Examples for ENAT PIM Passive
Setting up the Service interface loopback1
Setting up the Service interface loopback1
url: {{ip}}/api/mo/sys/mrib/inst/dom-default/sr.json
{ "mribServiceReflect": {
"attributes": {"status": "" },
"children": [
{
"mribSrcIntf": {
"attributes": {
"srcIntf": "lo1",
"status": ""
}
}
}
]
}
}
Setting up the NAT mode to Egress
Setting up the NAT mode to Egress
url: {{ip}}/api/mo/sys/mrib/inst/dom-default/sr.json
{
"mribEgressMode": {
"attributes": {
"grpList": "225.0.0.0/8"
}}}
Setting up the mapping interface
Setting up the mapping interface
url: {{ip}}/api/mo/sys/mca/config/natsr/mappings.json
{
"mcaNatMapDefaultSif": {
"attributes": {
"domName": "default", "maxEnatReplications": "40", "siIfName": "eth1/2", "status": ""
}}}
Setting up the SR rule
Setting up the SR rule
url: {{ip}}/api/mo/sys/mrib/inst/dom-default/sr/rule.json
{"mribSrRule": {
"attributes": {
"status": ""},
"children": [{
"mribRule": {"attributes": {
"postTransGrp": "226.1.1.1", "postTransSrc": "57.1.1.2", "preTransGrp": "225.1.1.1", "preTransSrc": "47.1.1.2", "grpMasklen": 32, "srcMasklen": 32, "udpsrcPort": "10003", "udpDestPort": "20003", "staticOif": "eth1/29/1"
}}}]}}
Pre-NAT flow
Pre-NAT flow
url: {{ip}}/api/mo/sys/nbm/conf/flows.json
{
{
"nbmFlows": {
"children": [
{
"nbmConfFlowsDom": {
"attributes": {
"name": "default"
},
"children": [
{"nbmConfFlow": {
{"attributes":
{"group":"226.1.1.1", "source": "57.1.1.1", "ingressIf": "loopback1", "bwKbps": 10000, "policer": "ENABLED”, "status": ""
"children": [{"nbmConfFlowIf": {"attributes": {"id": "eth1/29/1", "isLhr": "YES", "status": ""
}}}]}}]}}]}}
Multicast to Unicast NAT
Multicast to unicast NAT is used for hosting content to public cloud. The translation is required as the cloud may not support multicast. After translation, the Unicast packet gets routed as per unicast forwarding logic.
A similar use case is seen when connecting to different sites. If the core does not support multicast end to end, then the content is delivered as unicast to the different sites. The Border box translates multicast to unicast and delivers to different sites for consumption.
For MU NAT, PMN will continue perform bandwidth management for pre-translated multicast flows. For the translated unicast flow, the outgoing interface will need to have unicast bandwidth reservation so that the translated unicast traffic will be sent without any disruption. PMN will also publish the Flow operational MO to indicate the NAT relationship. Since, there are three re-circulations that occur internally for every unicast translation, one must make sure that only one third of the recirculation port bandwidth is assumed. In case of any congestion on the service-reflect map interface used for re-circulation, PMN does not publish a Fault MO.
In PIM Passive mode, Controller will perform Bandwidth management and call Rest APIs to provision the pre-translated flow. PMN will publish the flow operational MO to indicate the NAT relationship.
Examples for MUNAT PIM Passive
MUNAT Rest API calls and Payload information.
1. Configure source interface
Configure source interface - default vrf
<switch-ip>/api/mo/sys/mrib/inst/dom-default/sr.json
{
"mribServiceReflect": {
"attributes": {"status": "" },
"children": [
{
"mribSrcIntf": {
"attributes": {
"srcIntf": "lo0",
"status": ""
}
}
}
]
}
}
Configure source interface - non-default vrf
<switch-ip>/api/mo/sys/mrib/inst/dom-mars/sr.json
{
"mribServiceReflect": {
"attributes": {"status": "" },
"children": [
{
"mribSrcIntf": {
"attributes": {
"srcIntf": "lo0",
"status": ""
}
}
}
]
}
}
2. Configure egress mode
Configure egress mode default vrf
url: <switch-ip>/api/mo/sys/mrib/inst/dom-default/sr.json
{
"mribEgressMode": {
"attributes": {
"grpList": "225.0.0.0/8"
}
}
}
Configure egress mode non-default vrf
url: <switch-ip>/api/mo/sys/mrib/inst/dom-mars/sr.json
{
"mribEgressMode": {
"attributes": {
"grpList": "225.0.0.0/8"
}
}
}
3. Configure re-circ interfaces
Configure re-circ interfaces - default vrf
url: <switch-ip>/api/mo/sys/mca/config/natsr/mappings.json
{
"mcaMappings": {
"children": [
{
"mcaMappingsDom": {
"attributes": {
"name": "default",
"status": ""
},
"children": [
{
"mcaNatMapDomDestPrefixSif": {
"attributes": {
"destPrefix": "112.3.4.2/32",
"domName": "default",
"maxEnatReplications": "40",
"siIfName": "eth1/11",
"status": ""
}
}
}
]
}
}
]
}
}
Configure re-circ interfaces - non-default vrf
url: <switch-ip>/api/mo/sys/mca/config/natsr/mappings.json
{
"mcaMappings": {
"children": [
{
"mcaMappingsDom": {
"attributes": {
"name": "mars",
"status": ""
},
"children": [
{
"mcaNatMapDomDestPrefixSif": {
"attributes": {
"destPrefix": "112.3.4.2/32",
"domName": "mars",
"maxEnatReplications": "40",
"siIfName": "eth1/11",
"status": ""
}
}
}
]
}
}
]
}
}
4. Service reflect rules
Service reflect rules - default vrf
url: <ip_switch>/api/mo/sys/mrib/inst/dom-default/sr/rule.json
{
"mribSrRule": {
"attributes": {
"status": ""
},
"children": [
{
"mribRule": {
"attributes": {
"childAction": "",
"grpMasklen": "32",
"postTransGrp": "14.7.1.2",
"postTransSrc": "155.102.1.1",
"preTransGrp": "225.2.1.1",
"preTransSrc": "50.37.1.2",
"srcMasklen": "32",
"staticOif": "unspecified",
"status": "",
"udpDestPort": "0",
"udpsrcPort": "0"
}
}
}
]
}
}
Service reflect rules - non-default vrf
url: <ip_switch>/api/mo/sys/mrib/inst/dom-mars/sr/rule.json
{
"mribSrRule": {
"attributes": {
"status": ""
},
"children": [
{
"mribRule": {
"attributes": {
"childAction": "",
"grpMasklen": "32",
"postTransGrp": "14.7.1.2",
"postTransSrc": "155.102.1.1",
"preTransGrp": "225.2.1.1",
"preTransSrc": "50.37.1.2",
"srcMasklen": "32",
"staticOif": "unspecified",
"status": "",
"udpDestPort": "0",
"udpsrcPort": "0"
}
}
}
]
}
}
5. NBM flows
NBM flows - default vrf
url: <ip_switch> /api/mo/sys/nbm/conf/flows.json
{
"nbmFlows": {
"children": [
{"nbmConfFlowsDom": {
"attributes": {
"name": "default"},
"children": [
{"nbmConfFlow":
{"attributes": {
"group": "225.1.1.1", "source": "112.3.1.2", "ingressIf": "eth1/3", "bwKbps": 0, "policer": "DISABLED"
}
}
}
}
}
]
}
}
NBM flows - non-default vrf
url: <ip_switch> /api/mo/sys/nbm/conf/flows.json
{
"nbmFlows": {
"children": [
{"nbmConfFlowsDom": {
"attributes": {
"name": "mars"},
"children": [
{"nbmConfFlow":
{"attributes": {
"group": "225.1.1.1", "source": "112.3.1.2", "ingressIf": "eth1/3", "bwKbps": 0, "policer": "DISABLED"
}
}
}
}
}
]
}
}
For more information refer to Cisco Nexus 9000 Series NX-OS IP Fabric for Media Solutions Guide.
Unicast to Multicast NAT
Unicast to Multicast NAT works in ingress translation mode. The multicast translated packet can be egress translated back to multicast. The destination address of the unicast packet should match the NAT source loopback interface secondary IP address.
The Unicast to Multicast NAT supports only 1:1 translation. If 1 to many translations is required, then you need to configure a 1:1 Unicast to Multicast NAT, and then
configure 1 to many Multicast-to-Multicast NAT translations.
For Unicast to Multicast NAT, you must configure unicast bandwidth reservation on the port where the pre-translated unicast traffic arrives. This enables the multicast
traffic on that port to not to consume all the port bandwidth. Using the bandwidth derived from the flow policy of the post-translated multicast group, PMN installs policer
on all the slices to police unicast flow. Since there is one re-circulation for every multicast translation, the recirculation port bandwidth must be same as the incoming
port bandwidth.
PMN publishes the flow operations MO to indicate the NAT relationship. PMN does not publish a fault MO if there is a congestion on the service-reflect map interface that is
used for re-circulation.
Examples for UMNAT PIM Passive
UMNAT Rest API calls and Payload information.
1. Configure source loopback interface
Configure source loopback interface for default vrf
<switch-ip>/api/mo/sys/mrib/inst/dom-default/sr.json
{
"mribServiceReflect":
{
"attributes": {"status": "" },
"children": [
{
"mribSrcIntf": {
"attributes": {
"srcIntf": "lo0",
"status": ""
}
}
}
]
}
}
Configure source loopback interface for non-default vrf
url: <ip>/api/mo/sys/mrib/inst/dom-vrf1/sr.json
{
"mribServiceReflect": {
"attributes": {"status": "" },
"children":
[
{
"mribSrcIntf": {
"attributes": {
"srcIntf": "lo0",
"status": ""
}
}
}
]
}
}
2. Configure re-circ interfaces
Configure re-circ interfaces - default vrf
url: <IP>/api/mo/sys/mca/config/natsr/mappings.json
{
"mcaNatMapDestPrefixSif": {
"attributes": {
"destPrefix": "0.0.0.0/0",
"domName": "default",
"maxEnatReplications": "40",
"siIfName": "eth1/14",
"status": ""
}
}
}
Configure re-circ interfaces - non-default vrf
url: <ip>/api/mo/sys/mca/config/natsr/mappings.json
{
"mcaMappings": {
"children": [
{
"mcaMappingsDom": {
"attributes": {
"name": "vrf1",
"status": ""
},
"children": [
{
"mcaNatMapDomDestPrefixSif": {
"attributes": {
"destPrefix": "0.0.0.0/0",
"domName": "vrf1",
"maxEnatReplications": "40",
"siIfName": "eth1/14",
"status": ""
}
}
}
]
}
}
]
}
}
3. Service reflect rules
Service reflect rules - default vrf
url: <IP>/api/mo/sys/mrib/inst/dom-default/sr/rule.json
{"mribSrRule": {
"attributes": {
"status": ""},
"children": [{
"mribRule": {"attributes": {
"postTransGrp": "228.1.1.11", "postTransSrc": "33.1.1.11", "preTransGrp": "32.1.1.11", "preTransSrc": "31.1.1.11", "grpMasklen": 32, "srcMasklen": 32, "udpsrcPort": "10003", "udpDestPort": "20003", "staticOif": "unspecified"
}
}
}
]
}
}
Service reflect rules - non-default vrf
url: <IP>/api/mo/sys/mrib/inst/dom-vrf1/sr/rule.json
{"mribSrRule": {
"attributes": {
"status": ""},
"children": [{
"mribRule": {"attributes": {
"postTransGrp": "225.1.1.11", "postTransSrc": "33.1.1.11", "preTransGrp": "32.1.1.11", "preTransSrc": "31.1.1.11", "grpMasklen": 32, "srcMasklen": 32, "udpsrcPort": "10003", "udpDestPort": "20003", "staticOif": "unspecified"
}
}
}
]
}
}
4. NBM flows
NBM flows - default vrf
<ip>/api/mo/sys/mrib/inst/dom-default/sr/rule.json
{"mribSrRule": {
"attributes": {
"status": ""},
"children": [{
"mribRule": {"attributes": {
"postTransGrp": "225.1.1.11", "postTransSrc": "37.1.1.11", "preTransGrp": "39.1.1.11", "preTransSrc": "31.1.1.11", "grpMasklen": 32, "srcMasklen": 32, "udpsrcPort": "10003", "udpDestPort": "20003", "staticOif": "unspecified"
}}}]}}
NBM flows - non-default vrf
url: <ip>/api/mo/sys/mrib/inst/dom-vrf1/sr/rule.json
{"mribSrRule": {
"attributes": {
"status": ""},
"children": [{
"mribRule": {"attributes": {
"postTransGrp": "225.1.1.11", "postTransSrc": "33.1.1.11", "preTransGrp": "32.1.1.11", "preTransSrc": "31.1.1.11", "grpMasklen": 32, "srcMasklen": 32, "udpsrcPort": "10003", "udpDestPort": "20003", "staticOif": "unspecified"
}
}
}
]
}
}
For more information refer to Cisco Nexus 9000 Series NX-OS IP Fabric for Media Solutions Guide.