IP multicasting is a bandwidth-conserving technology that reduces traffic by
simultaneously delivering a single stream of information to multiple
recipients. Applications
that take advantage of multicast include video conferencing, corporate
communications, distance learning, and distribution of software, stock quotes,
and news.
IP multicasting is actually the transmission of an IP datagram
to a host group. A host group is a set of hosts identified by a single IP
destination address. In order for this to work, hosts that wish to receive
multicasts must join a multicast host group, and routers that forward multicast
datagrams must know which hosts belong to which group. Routers discover this
information by sending IGMP query messages through their attached local
networks. Host members of a multicast group respond to the query by sending
IGMP reports noting the multicast groups to which they belong. If a host is
removed from a multicast group, it sends a leave message to the multicast
router.
In software versions 6.2 and higher, the PIX Security Appliance
supports Stub Multicast Routing (SMR), which enables it to pass multicast
traffic. This feature is necessary when hosts that need to receive multicast
transmissions are separated from the multicast router by a PIX. With SMR, the
PIX acts as an IGMP proxy agent. It forwards IGMP messages from hosts to the
upstream multicast router, which takes responsibility for forwarding multicast
datagrams from one multicast group to all other networks that have members in
the group. When SMR is used, it is not necessary to construct Generic Route
Encapsulation (GRE) tunnels to allow multicast traffic to bypass the PIX.
NOTE: The GRE protocol is used for tunneling data across an IP network.
Outside Multicast Server – Configuring the Outside Interface
When hosts that need to receive a multicast transmission are
separated from the multicast router by a PIX Security Appliance, configure the
PIX to forward IGMP reports from the downstream hosts and to forward multicast
transmissions from the upstream router. By default,
IGMP processing is enabled on an interface. Complete the following steps to
allow hosts to receive multicast transmissions through the PIX:
Step 1 Use the interface command to
enter the interface subcommand mode. From this prompt, the
igmp commands can be entered for further multicast
support.
Step 2 (Optional.) Use the
permit option of the access-list
command to configure an ACL that allows traffic to the desired Class D
destination addresses. The deny option can also be used to
deny access to transmissions from specific multicast groups. Within the ACL,
the destination-addr argument is the Class D address of the
multicast group to which multicast transmissions are to be permitted or denied.
If ACLs are used for this purpose, the igmp access-group
command must also be used to apply the ACL to the currently selected
interface.
The syntax for the igmp sub-command is shown in the figure.
Outside Multicast Server – Configuring the Inside Interface
When hosts that need to receive a multicast transmission are separated from the
multicast router by a PIX Security Appliance, configure the PIX to forward IGMP
reports from the downstream hosts and to forward multicast transmissions from
the upstream router. Complete the following steps to allow hosts to receive
multicast transmissions through the PIX:
Step 3 Use the interface command to
enter the interface subcommand mode. From this prompt, the
igmp commands can be entered for further multicast
support.
Step 4 Use the igmp
forward command to enable IGMP forwarding on the PIX. The
igmp forward command enables forwarding of all IGMP host
report and leave messages received by the PIX to the specified interface. The
interface specified is the PIX interface connected to the multicast router. In
the example in the figure, this is the outside interface.
Step 5 (Optional.) Use the
igmp join-group command to configure the PIX to join a
multicast group. This command configures the interface to be a statically
connected member of the specified group. It allows the PIX to act for a client
that may not be able to respond via IGMP but that still requires reception. The
igmp join-group command is applied to the downstream
interface toward the receiving hosts.
A multicast group is defined by a Class D IP address. Although Internet IP
multicasting uses the entire range of 224.0.0.0 to 239.255.255.255, any group
address that is assigned must be within the range 224.0.0.2 to 239.255.255.255.
Because the address 224.0.0.0 is the base address for Internet IP multicasting,
it cannot be assigned to any group. The address 224.0.0.1 is assigned to the
permanent group of all IP hosts, including gateways. This is used to address
all multicast hosts on the directly connected network. There is no multicast
address for all hosts on the Internet.
The syntax for the igmp sub-commands above is shown in the figure.
Outside Multicast Server – Inside Receiving Hosts
The figure shows use of the interface command with corresponding
igmp subcommands. Multicast is permitted on the dmz and
inside interfaces. The igmp forward command enables the PIX
Security Appliance to forward IGMP reports from inside hosts to the multicast
router on its dmz interface.
In the example in the figure, host 10.0.0.11
joins multicast group 224.0.1.50. The PIX Security Appliance enables host
10.0.0.11 to receive multicasts from the multicast server.
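The IGMP proxy behavior described above can be modeled in a few lines. The following Python sketch is an added example, not Cisco code and not part of the original page: it parses the 8-byte IGMPv2 message format from RFC 2236 and decides whether a message from a downstream host would be passed upstream. The function names and the ACL representation (ordered permit/deny pairs with an implicit deny at the end) are assumptions made for illustration, and the sample report is constructed.

```python
import struct
from ipaddress import IPv4Address, ip_network

# IGMPv2 message types (RFC 2236) and the assignable group range stated in the text
TYPES = {0x11: "query", 0x12: "v1-report", 0x16: "v2-report", 0x17: "leave"}
LOW, HIGH = IPv4Address("224.0.0.2"), IPv4Address("239.255.255.255")

def checksum(data: bytes) -> int:
    """16-bit one's-complement checksum over an even-length message."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build(msg_type: int, group: str, max_resp_tenths: int = 0) -> bytes:
    """Build an 8-byte IGMPv2 message; used only to construct sample input."""
    addr = IPv4Address(group).packed
    csum = checksum(struct.pack("!BBH4s", msg_type, max_resp_tenths, 0, addr))
    return struct.pack("!BBH4s", msg_type, max_resp_tenths, csum, addr)

def parse(raw: bytes) -> dict:
    """Parse the fixed 8-byte form. Max Response Time is in tenths of a second."""
    if len(raw) != 8:
        raise ValueError("expected an 8-byte IGMPv2 message")
    if checksum(raw) != 0:  # a valid message sums to 0xFFFF, so the complement is 0
        raise ValueError("bad IGMP checksum")
    msg_type, max_resp, _, group = struct.unpack("!BBH4s", raw)
    if msg_type not in TYPES:
        raise ValueError(f"unknown IGMP type {msg_type:#x}")
    return {"type": TYPES[msg_type], "max_resp_s": max_resp / 10, "group": IPv4Address(group)}

def proxy_decision(raw: bytes, acl=None) -> str:
    """'forward' or 'drop' for a message arriving from downstream hosts.
    acl (hypothetical model): ordered (action, network) pairs, implicit deny last."""
    msg = parse(raw)
    if msg["type"] == "query":
        return "drop"  # only host reports and leaves are proxied upstream
    if not LOW <= msg["group"] <= HIGH:
        return "drop"  # 224.0.0.0 and 224.0.0.1 are not assignable groups
    if acl is None:
        return "forward"  # no ACL applied to the interface
    for action, net in acl:
        if msg["group"] in ip_network(net):
            return "forward" if action == "permit" else "drop"
    return "drop"

# Constructed sample input: the report host 10.0.0.11 would send for 224.0.1.50
REPORT = build(0x16, "224.0.1.50")
ACL = [("deny", "224.0.1.60/32"), ("permit", "224.0.1.0/24")]
```

With the constructed ACL, proxy_decision(REPORT, ACL) returns "forward", while a report for 224.0.1.60 or for any group outside 224.0.1.0/24 is dropped.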
Configuring Other IGMP Options
There are other IGMP options that can be set by an administrator. The
administrator can choose an IGMP version and configure the IGMP timers with the
igmp query-interval and igmp query-max-response-time commands. To specify the
version of IGMP, use the igmp version command. This configures which
version of IGMP is used on the subnet represented by the specified interface.
The default is version 2.
For information on the differences in versions
1 and 2, see RFC 2236.
Use the igmp query-interval
command to configure the frequency at which IGMP query messages are sent by the
interface. The default is 60 seconds. Use the no version of
this command to set the query interval back to the default.
The igmp query-max-response-time command specifies the
maximum query response time and is only available with IGMP version 2. The
default is 10 seconds. The permitted range of values is from 1 to 65535. Use
the no version of this command to set the query response
time back to the default.