I built a lab to work through a problem I ran into with PIM-SM and BSR. There are two sites connected through two Juniper SSG5s (6.3.0r17), with just enough configuration to focus on the problem at hand (configs below). The sending site has an emulated Cisco 3600 acting as RP and BSR (config below), and the other site has a receiver.
source --- (fa0/0)R1(fa1/0) --- (bg0)FW1(e0/0) === (e0/0)FW2(bg0) --- receiver
My problem is this: FW2 does not learn the BSR, and therefore does not learn the RP information either.
FW1 learns the BSR just fine:
FW1-> get vrouter trust-vr protocol pim bsr
Zone : Trust
-----------------
Bootstrap Router address : 10.1.1.1
BSR hash mask length : 0
BSR priority : 0
BSR timer expires in : 00:01:31
BSR up time : 00:01:37
And this is FW2:
FW2-> get vrouter trust-vr protocol pim bsr
Zone : Trust
-----------------
Bootstrap Router address : 0.0.0.0
BSR hash mask length : 0
BSR priority : 0
BSR timer expires in : -
Specifying a static RP on FW2 with the following two lines works, just to show that PIM itself is functioning:
set vrouter trust-vr access-list 1 permit ip 224.0.0.0/4 1
set vrouter trust-vr protocol pim zone trust rp address 10.1.1.1 mgroup-list 1
Am I misunderstanding something fundamental? `debug pim all` on FW2 is logging messages of the "RP not found for Group" type and hellos between the two firewalls, but nothing stands out.
Here are the configuration commands as entered on fresh devices (I don't see a way to create collapsible sections, sorry for the wall of text!):
R1:
ip multicast-routing
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
ip pim sparse-mode
no shutdown
interface FastEthernet1/0
ip address 172.16.1.2 255.255.255.0
ip pim sparse-mode
no shutdown
router ospf 1
network 0.0.0.0 255.255.255.255 area 0.0.0.5
exit
ip pim bsr-candidate FastEthernet0/0 0
ip pim rp-candidate FastEthernet0/0
FW1:
# interfaces
set interface ethernet0/0 ip 1.1.1.1/24
set interface bgroup0 ip 172.16.1.1/24
set interface bgroup0 route
set interface tunnel.1 zone trust
set interface tunnel.1 ip unnumbered interface bgroup0
# vpn
set ike gateway "GW" address 1.1.1.2 main outgoing-interface ethernet0/0 preshare password sec-level basic
set vpn "VPN" gateway "GW" sec-level basic
set vpn "VPN" monitor optimized rekey
set vpn "VPN" bind interface tunnel.1
set vpn "VPN" proxy-id local-ip 172.16.1.0/24 remote-ip 172.16.2.0/24 any
# ospf
set vrouter trust-vr protocol ospf
set vrouter trust-vr protocol ospf area 0.0.0.5
set vrouter trust-vr protocol ospf enable
set interface bgroup0 protocol ospf area 0.0.0.5
set interface bgroup0 protocol ospf enable
set interface tunnel.1 protocol ospf area 0.0.0.5
set interface tunnel.1 protocol ospf enable
# pim
set vrouter trust-vr protocol pim
set vrouter trust-vr protocol pim enable
set interface bgroup0 protocol pim
set interface bgroup0 protocol pim enable
set interface tunnel.1 protocol pim
set interface tunnel.1 protocol pim enable
FW2:
# interfaces
set interface ethernet0/0 ip 1.1.1.2/24
set interface bgroup0 ip 172.16.2.1/24
set interface bgroup0 route
set interface tunnel.1 zone trust
set interface tunnel.1 ip unnumbered interface bgroup0
# vpn
set ike gateway "GW" address 1.1.1.1 main outgoing-interface ethernet0/0 preshare password sec-level basic
set vpn "VPN" gateway "GW" sec-level basic
set vpn "VPN" monitor optimized rekey
set vpn "VPN" bind interface tunnel.1
set vpn "VPN" proxy-id local-ip 172.16.2.0/24 remote-ip 172.16.1.0/24 any
# ospf
set vrouter trust-vr protocol ospf
set vrouter trust-vr protocol ospf area 0.0.0.5
set vrouter trust-vr protocol ospf enable
set interface bgroup0 protocol ospf area 0.0.0.5
set interface bgroup0 protocol ospf enable
set interface tunnel.1 protocol ospf area 0.0.0.5
set interface tunnel.1 protocol ospf enable
# pim
set vrouter trust-vr protocol pim
set vrouter trust-vr protocol pim enable
set interface bgroup0 protocol pim
set interface bgroup0 protocol pim enable
set interface tunnel.1 protocol pim
set interface tunnel.1 protocol pim enable
# igmp
set interface bgroup0 protocol igmp router
set interface bgroup0 protocol igmp enable
EDIT:
Binding the tunnel to the untrust zone and adding a multicast policy also allows multicast traffic to flow, but I would still prefer to keep the tunnel in the trust zone.
FW1 & FW2:
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0
set multicast-group-policy from "trust" mgroup any to "unTrust" pim-message bsr-static-rp join-prune bi-directional
set policy from untrust to trust any any any permit
I also confirmed that intra-zone blocking is disabled on the trust zone, which is the default.
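As an added check (example code, not part of the post), a small Python parser for the `get vrouter trust-vr protocol pim bsr` output shown above: it reads the status of each firewall and flags devices that still report a 0.0.0.0 BSR address with a stopped bootstrap timer, which is the symptom FW2 shows. The two sample outputs are constructed from the listings in the post.

```python
import re

# Constructed sample output, taken from the two "get vrouter trust-vr protocol pim bsr"
# listings in the post: FW1 has learned the BSR, FW2 has not.
FW1_BSR = """\
Zone : Trust
-----------------
Bootstrap Router address : 10.1.1.1
BSR hash mask length : 0
BSR priority : 0
BSR timer expires in : 00:01:31
BSR up time : 00:01:37
"""

FW2_BSR = """\
Zone : Trust
-----------------
Bootstrap Router address : 0.0.0.0
BSR hash mask length : 0
BSR priority : 0
BSR timer expires in : -
"""


def parse_bsr(text):
    """Parse the 'key : value' lines of the BSR status into a dict.
    Only the first ':' separates key from value, so timers like 00:01:31 stay intact."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line or line.startswith("---"):
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def bsr_learned(fields):
    """A BSR counts as learned only when the address is non-zero and the bootstrap
    timer is actually running (ScreenOS prints '-' when no timer is armed)."""
    addr = fields.get("Bootstrap Router address", "0.0.0.0")
    timer = fields.get("BSR timer expires in", "-")
    return addr != "0.0.0.0" and re.fullmatch(r"\d{2}:\d{2}:\d{2}", timer) is not None


def devices_without_bsr(outputs):
    """Given {device name: CLI output}, return the names that have not learned a BSR."""
    return [name for name, text in outputs.items() if not bsr_learned(parse_bsr(text))]


if __name__ == "__main__":
    print("No BSR learned on:", devices_without_bsr({"FW1": FW1_BSR, "FW2": FW2_BSR}))
```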