PIX Security Appliance Routing Capabilities
Multicast routing

IP multicasting is a bandwidth-conserving technology that reduces traffic by simultaneously delivering a single stream of information to multiple recipients. Applications that take advantage of multicast include video conferencing, corporate communications, distance learning, and distribution of software, stock quotes, and news.

IP multicasting is actually the transmission of an IP datagram to a host group. A host group is a set of hosts identified by a single IP destination address. In order for this to work, hosts that wish to receive multicasts must join a multicast host group, and routers that forward multicast datagrams must know which hosts belong to which group. Routers discover this information by sending IGMP query messages through their attached local networks. Host members of a multicast group respond to the query by sending IGMP reports listing the multicast groups to which they belong. When a host leaves a multicast group, it sends an IGMP leave message to the multicast router.

In software versions 6.2 and higher, the PIX Security Appliance supports Stub Multicast Routing (SMR), which enables it to pass multicast traffic. This feature is necessary when hosts that need to receive multicast transmissions are separated from the multicast router by a PIX. With SMR, the PIX acts as an IGMP proxy agent. It forwards IGMP messages from hosts to the upstream multicast router, which takes responsibility for forwarding multicast datagrams from one multicast group to all other networks that have members in the group. When SMR is used, it is not necessary to construct Generic Routing Encapsulation (GRE) tunnels to allow multicast traffic to bypass the PIX.

NOTE: The GRE protocol is used for tunneling data across an IP network.

Outside Multicast Server – Configuring the Outside Interface
When hosts that need to receive a multicast transmission are separated from the multicast router by a PIX Security Appliance, configure the PIX to forward IGMP reports from the downstream hosts and to forward multicast transmissions from the upstream router. By default, IGMP processing is enabled on an interface. Complete the following steps to allow hosts to receive multicast transmissions through the PIX:

Step 1 Use the interface command to enter the interface subcommand mode. From this prompt, the igmp commands can be entered for further multicast support.
Step 2 (Optional.) Use the permit option of the access-list command to configure an ACL that allows traffic to the desired Class D destination addresses. The deny option can also be used to deny access to transmissions from specific multicast groups. Within the ACL, the destination-addr argument is the Class D address of the multicast group to which multicast transmissions are to be permitted or denied. If ACLs are used for this purpose, the igmp access-group command must also be used to apply the ACL to the currently selected interface.

The syntax for the igmp sub-command is shown in Figure.

Outside Multicast Server – Configuring the Inside Interface
When hosts that need to receive a multicast transmission are separated from the multicast router by a PIX Security Appliance, configure the PIX to forward IGMP reports from the downstream hosts and to forward multicast transmissions from the upstream router. Complete the following steps to allow hosts to receive multicast transmissions through the PIX:

Step 3 Use the interface command to enter the interface subcommand mode. From this prompt, the igmp commands can be entered for further multicast support.
Step 4 Use the igmp forward command to enable IGMP forwarding on the PIX. The igmp forward command enables forwarding of all IGMP host report and leave messages received by the PIX to the specified interface. The interface specified is the PIX interface connected to the multicast router. In the example in Figure, this is the outside interface.
Step 5 (Optional.) Use the igmp join-group command to configure the PIX to join a multicast group. This command configures the interface to be a statically connected member of the specified group. It allows the PIX to act for a client that may not be able to respond via IGMP but that still requires reception. The igmp join-group command is applied to the downstream interface toward the receiving hosts.

A multicast group is defined by a Class D IP address. Although Internet IP multicasting uses the entire range of 224.0.0.0 to 239.255.255.255, any group address that is assigned must be within the range 224.0.0.2 to 239.255.255.255. Because the address 224.0.0.0 is the base address for Internet IP multicasting, it cannot be assigned to any group. The address 224.0.0.1 is assigned to the permanent group of all IP hosts, including gateways. This is used to address all multicast hosts on the directly connected network. There is no multicast address for all hosts on the Internet.

The syntax for the igmp sub-commands above is shown in Figure.

Outside Multicast Server – Inside Receiving Hosts
Figure shows use of the interface command with corresponding igmp subcommands. Multicast is permitted on the dmz and inside interfaces. The igmp forward command enables the PIX Security Appliance to forward IGMP reports from inside hosts to the multicast router on its dmz interface.

In the example in Figure, host 10.0.0.11 joins multicast group 224.0.1.50. The PIX Security Appliance enables host 10.0.0.11 to receive multicasts from the multicast server.

Configuring Other IGMP Options
There are other IGMP options that can be set by an administrator. The administrator can choose an IGMP version and configure the IGMP timers with the igmp query-interval and igmp query-max-response-time commands. To specify the version of IGMP, use the igmp version command. This configures which version of IGMP is used on the subnet represented by the specified interface. The default is version 2.

For information on the differences in versions 1 and 2, see RFC 2236.

Use the igmp query-interval command to configure the frequency at which IGMP query messages are sent by the interface. The default is 60 seconds. Use the no version of this command to set the query interval back to the default.

The igmp query-max-response-time command specifies the maximum query response time and is only available with IGMP version 2. The default is 10 seconds. The permitted range of values is from 1 to 65535. Use the no version of this command to set the query response time back to the default.
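As an added example (not part of the original course text or any Cisco tool), the following Python checker applies the rules from the configuration steps above, the group address range, and the IGMP options section to a PIX-style SMR configuration: the igmp forward target must be a configured interface, igmp join-group must carry an assignable Class D address and sit on the downstream interface, igmp access-group must reference a defined ACL, and igmp query-max-response-time must be within 1 to 65535. The command layout of the sample configuration is an assumption modelled on the steps in the text, using the dmz/inside interfaces and group 224.0.1.50 from the figure example.

```python
import ipaddress
import re

# Constructed sample configuration: hypothetical command layout modelled on the text.
SAMPLE_CONFIG = """\
access-list mcast permit udp any host 224.0.1.50
interface dmz
 igmp access-group mcast
interface inside
 igmp forward interface dmz
 igmp join-group 224.0.1.50
 igmp query-max-response-time 10
"""

LOW, HIGH = ipaddress.IPv4Address("224.0.0.2"), ipaddress.IPv4Address("239.255.255.255")


def valid_group(addr: str) -> bool:
    """True for a Class D address in the assignable range (224.0.0.0 and 224.0.0.1 excluded)."""
    try:
        ip = ipaddress.IPv4Address(addr)
    except ValueError:
        return False
    return ip.is_multicast and LOW <= ip <= HIGH


def check_smr_config(text: str) -> list:
    """Return the problems found in a PIX-style stub multicast routing configuration."""
    acls, interfaces, problems, current = set(), {}, [], None
    for line in text.splitlines():
        if m := re.match(r"access-list (\S+) ", line):
            acls.add(m.group(1))                       # names an igmp access-group may reference
        elif m := re.match(r"interface (\S+)", line):
            current = m.group(1)
            interfaces[current] = []
        elif line.startswith(" igmp ") and current and len(line.split()) > 1:
            interfaces[current].append(line.split()[1:])  # e.g. ["forward", "interface", "dmz"]
    # Interfaces named as igmp forward targets face the multicast router, i.e. are upstream.
    upstream = {c[2] for cmds in interfaces.values() for c in cmds if c[0] == "forward" and len(c) > 2}
    for name, cmds in interfaces.items():
        for kw, *args in cmds:
            if kw == "forward" and (len(args) < 2 or args[1] not in interfaces):
                problems.append(f"{name}: igmp forward target is not a configured interface")
            elif kw == "join-group" and not (args and valid_group(args[0])):
                problems.append(f"{name}: {' '.join(args)} is not an assignable Class D group")
            elif kw == "join-group" and name in upstream:
                problems.append(f"{name}: join-group belongs on the downstream interface")
            elif kw == "access-group" and not (args and args[0] in acls):
                problems.append(f"{name}: ACL {' '.join(args)} is not defined")
            elif kw == "query-max-response-time" and not (args and args[0].isdigit() and 1 <= int(args[0]) <= 65535):
                problems.append(f"{name}: query-max-response-time must be 1 to 65535")
    return problems
```

Running check_smr_config on a configuration that forwards to an undefined interface or joins 224.0.0.1 reports each mistake separately, so the checker can be run over a saved configuration before it is applied.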
