Sonos across vlan defined in a 600 appliance



roveer
2017-02-28, 17:29
I have a CP 600 running our office. I defined a VLAN on the DMZ port to create a separation between our work network and what we use as a guest network. So work network is 172.16.1.x and DMZ is 192.168.200.x and VLAN 4 is 192.168.201.x. Works.

I have some remotes on the 192.168.201.x network that need to see a particular IP on the 172 network and I defined a rule allowing that and it worked just fine.

I have a Sonos system on the 172 network which uses a handful of ports (80, 443 and I believe one other) and they can't be seen on the 192 network. I believe they are sent around the network on multicast.

Is there a way I can allow the multicast from the 172 network to the 192 network and possibly add some rules that would allow devices on the guest network to see the Sonos?

In reading other threads, specifically this one: https://en.community.sonos.com/troubleshooting-228999/multiple-subnets-vlans-and-sonos-workable-clavister-solution-30950 I need to allow multicast to the 192 network so the Sonos controller that is on that network knows about the Sonos systems on the 172 network. Then I need to allow the devices to pass traffic. Is there a way to allow the multicast from 172 to 192? The 2nd part should just be some access policy rules (I would think).

Thanks,

Roveer

msjouw
2017-03-01, 12:05
What version do you have on the 600? I recently updated a 1450 with the R77.20.51 firmware and after that my VLANs no longer worked, they were on the DMZ port as well..

roveer
2017-03-01, 12:22
What version do you have on the 600? I recently updated a 1450 with the R77.20.51 firmware and after that my VLANs no longer worked, they were on the DMZ port as well..

Right now I'm sitting at R77.20.20 (990170830) with an update showing. I'm always so hesitant to upgrade because I assume I need 10-15 hours to fix whatever stops working afterward. Guess I'm going to stay on the version I'm on as I don't have 10-15 hours to give right now.

Roveer

jflemingeds
2017-03-01, 12:52
What version do you have on the 600? I recently updated a 1450 with the R77.20.51 firmware and after that my VLANs no longer worked, they were on the DMZ port as well..

I thought you said that was R77.20.50 (which was yanked btw)?

jflemingeds
2017-03-01, 12:58
I have a CP 600 running our office. I defined a VLAN on the DMZ port to create a separation between our work network and what we use as a guest network. So work network is 172.16.1.x and DMZ is 192.168.200.x and VLAN 4 is 192.168.201.x. Works.

I have some remotes on the 192.168.201.x network that need to see a particular IP on the 172 network and I defined a rule allowing that and it worked just fine.

I have a Sonos system on the 172 network which uses a handful of ports (80, 443 and I believe one other) and they can't be seen on the 192 network. I believe they are sent around the network on multicast.

Is there a way I can allow the multicast from the 172 network to the 192 network and possibly add some rules that would allow devices on the guest network to see the Sonos?

In reading other threads, specifically this one: https://en.community.sonos.com/troubleshooting-228999/multiple-subnets-vlans-and-sonos-workable-clavister-solution-30950 I need to allow multicast to the 192 network so the Sonos controller that is on that network knows about the Sonos systems on the 172 network. Then I need to allow the devices to pass traffic. Is there a way to allow the multicast from 172 to 192? The 2nd part should just be some access policy rules (I would think).

Thanks,

Roveer

Multicast.. um.. it's fun?

I think you need to enable PIM and IGMP on both interfaces. What I don't understand is if you'll need to configure an RP, I'm thinking not since the firewall is connected to both networks, but I really am no pro at multicast.

You'll need to allow all those protocols in addition to the multicast, *I think* with the source of the multicast server and a destination of the multicast address.

roveer
2017-03-01, 18:12
Multicast.. um.. it's fun?

I think you need to enable PIM and IGMP on both interfaces. What I don't understand is if you'll need to configure an RP, I'm thinking not since the firewall is connected to both networks, but I really am no pro at multicast.

You'll need to allow all those protocols in addition to the multicast, *I think* with the source of the multicast server and a destination of the multicast address.

Ya huh...

So I assume this stuff would have to be done at command line, not GUI, correct? I have to decide if it's worth it. If it's really difficult it's easier to just put the devices that need to see Sonos on the inside network. I have to be realistic on how far off the beaten path I really want to take my configuration.

Is there a way to enable PIM and IGMP in easy commands that can be reversed? I'd be willing to give it a shot.

Roveer

laf_c
2017-03-02, 03:46
Ya huh...

So I assume this stuff would have to be done at command line, not GUI, correct? I have to decide if it's worth it. If it's really difficult it's easier to just put the devices that need to see Sonos on the inside network. I have to be realistic on how far off the beaten path I really want to take my configuration.

Is there a way to enable PIM and IGMP in easy commands that can be reversed? I'd be willing to give it a shot.

Roveer

Had a quick look on CLI guide (http://dl3.checkpoint.com/paid/8a/8a60e635bd44592c5dc070530509d690/CP_1100_600_Appliance_CLI_AdvRouting_AdminGuide.pdf?HashKey=1488447440_c490ba81ff7b016edcb2a61c1348eafd&xtn=.pdf)

If you have the time, you can play with this. I admit I am curious of the outcome if you try it :).
Now I had my small share with multicast on Cisco some years ago and although it can get much more complicated there, Cisco offers in-depth documentation and an above-average implementation of multicast.
If we would bet, I would put my money that CP didn't invest that many resources in multicast code, so you might easily waste your time here.
I can tell you I spent more than 1/2h year with unfinished OSPF code on 1100 appliances while knowing very well the tech/theory behind it. And I find multicast a bit more twisty than OSPF (probably because I spent much more time on the latter).

Keep us posted, please!

jflemingeds
2017-03-02, 03:52
Ya huh...

So I assume this stuff would have to be done at command line, not GUI, correct? I have to decide if it's worth it. If it's really difficult it's easier to just put the devices that need to see Sonos on the inside network. I have to be realistic on how far off the beaten path I really want to take my configuration.

Is there a way to enable PIM and IGMP in easy commands that can be reversed? I'd be willing to give it a shot.

Roveer

From clish
set pim mode sparse
set pim interface LAN1 on
set igmp interface LAN1 version 2

msjouw
2017-03-02, 11:12
I thought you said that was R77.20.50 (which was yanked btw)?

It could very well be, I'm on R77.20.40 at the moment for this one.

roveer
2017-03-03, 17:09
From clish
set pim mode sparse
set pim interface LAN1 on
set igmp interface LAN1 version 2

Dumb question. If I were to put these commands in, what would I need to do to reverse them? Thanks.

laf_c
2017-03-05, 15:09
Dumb question. If I were to put these commands in, what would I need to do to reverse them? Thanks.

set pim interface LAN2 off

For IGMP the default is 2, so no need to reverse it:

set igmp interface LAN2 version
Default: 2.
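
A way to check the outcome from a host on the guest VLAN, added here as an example and not part of any post in this thread: it sends the SSDP discovery query that UPnP controllers use and sorts the responders into same-subnet, permitted cross-VLAN and unexpected cross-VLAN addresses. The ZonePlayer search target, the /24 masks and the sample IPs are assumptions, and the sample replies are constructed.

```python
import ipaddress
import socket

SSDP_GROUP = ("239.255.255.250", 1900)  # standard UPnP/SSDP multicast group and port
MSEARCH = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
           b'MAN: "ssdp:discover"\r\nMX: 2\r\n'
           b"ST: urn:schemas-upnp-org:device:ZonePlayer:1\r\n\r\n")  # ST is assumed
# Constructed sample replies, not captured traffic; IPs and /24 masks are assumed.
SAMPLE_OK = b"HTTP/1.1 200 OK\r\nST: urn:schemas-upnp-org:device:ZonePlayer:1\r\n\r\n"
SAMPLE = [("172.16.1.50", SAMPLE_OK), ("172.16.1.77", SAMPLE_OK),
          ("192.168.201.9", SAMPLE_OK), ("172.16.1.80", b"junk")]

def parse_response(data):
    """Return reply headers (upper-case keys), or None if not an HTTP 200 reply."""
    head, *rest = data.decode("utf-8", errors="replace").split("\r\n")
    parts = head.split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or parts[1] != "200":
        return None
    pairs = (line.partition(":") for line in rest)
    return {name.strip().upper(): value.strip() for name, sep, value in pairs if sep}

def classify(replies, local_net, allowed):
    """Sort responder IPs: same subnet, permitted cross-VLAN, or unexpected."""
    net = ipaddress.ip_network(local_net)
    result = {"local": [], "expected": [], "unexpected": []}
    for ip, data in replies:
        if parse_response(data) is None:
            continue  # not a valid SSDP reply
        key = ("local" if ipaddress.ip_address(ip) in net
               else "expected" if ip in allowed else "unexpected")
        result[key].append(ip)
    return result

def discover(ttl=4, timeout=3.0):
    """Multicast one M-SEARCH; ttl must exceed 1 (the socket default) to be routed."""
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, ttl)
        sock.settimeout(timeout)
        sock.sendto(MSEARCH, SSDP_GROUP)
        try:
            while True:
                data, (ip, _port) = sock.recvfrom(65507)
                replies.append((ip, data))
        except socket.timeout:
            return replies

if __name__ == "__main__":
    print(classify(SAMPLE, "192.168.201.0/24", allowed={"172.16.1.50"}))
```

On the guest VLAN, pass `discover()` in place of `SAMPLE`; anything listed under "unexpected" is a work-network host that the multicast and access rules expose beyond the intended Sonos addresses.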